Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
Analysis of the i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.
Security Analysis and Improvements for IEEE i
IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
Security Analysis and Improvements for IEEE i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.
Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell.
802.11i Security Analysis: Can we build a secure WLAN? Changhua He Stanford University March 24 th, 2005
Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
Doc.: IEEE /0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
15 November Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
802.11i Wireless Networking Authentication Protocol J. Mitchell CS 259.
Analysis of 4-way handshake protocol in IEEE i Changhua He Stanford University Mar. 04, 2004.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Michal Rapco 05, 2005 Security issues in Wireless LANs.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
Wireless and Security CSCI 5857: Encoding and Encryption.
IEEE MEDIA INDEPENDENT HANDOVER DCN: srho
Doc.: IEEE /0039r0 Submission NameAffiliationsAddressPhone Robert Sun; Yunbo Li Edward Au; Phil Barber Junghoon Suh; Osama Aboul-Magd Huawei.
Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
WEP Protocol Weaknesses and Vulnerabilities
Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Security in Wireless Networks IEEE i Presented by Sean Goggin March 1, 2005.
Shambhu Upadhyaya Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)
Doc.: IEEE /495r1 Submission July 2001 Jon Edney, NokiaSlide 1 Ad-Hoc Group Requirements Report Group met twice - total 5 hours Group size ranged.
WLANs & Security Standards (802.11) b - up to 11 Mbps, several hundred feet g - up to 54 Mbps, backward compatible, same frequency a.
Doc.: IEEE /551r0 Submission September 2002 Moore, Roshan, Cam-WingetSlide 1 TGi Frame Exchanges Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget.
Doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.
IEEE i Aniss Zakaria Survey Fall 2004 Friday, Dec 3, 2004
Doc.: IEEE /1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 1 Dominos, bonds and watches: discussion of some security requirements.
ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.
Shambhu Upadhyaya Security – Key Hierarchy Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 11)
Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN
Muhammad Mahmudul Islam Ronald Pose Carlo Kopp School of Computer Science & Software Engineering Monash University Australia.
Doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.
Doc.: r Submission March 2006 AllSlide 1 A method to refresh the keys hierarchy periodically Notice: This document has been prepared to.
Doc.: IEEE /0848-r2 Submission July 2006 K.HayesSlide 1 RSC Pools for Mgmt Frames Notice: This document has been prepared to assist IEEE
802.11b Security CSEP 590 TU Osama Mazahir. Introduction Packets are sent out into the air for anyone to receive Eavesdropping is a much larger concern.
Wireless Network Security CSIS 5857: Encoding and Encryption.
Network Security Celia Li Computer Science and Engineering York University.
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.
Doc.: IEEE /1426r02 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District,
Doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous.
CSE 4905 WiFi Security II WPA2 (WiFi Protected Access 2)
CS259: Security Analysis of Network Protocols, Winter 2008
Keying for Fast Roaming
Motions to Address Some Letter Ballot 52 Comments
TGai FILS Authentication Protocol
Mesh Security Proposal
PEKM (Post-EAP Key Management Protocol)
Beacon Protection Date: Authors: July 2018 July 2018
Jesse Walker and Emily Qi Intel Corporation
Overview of Changes to Key Holder Frame Formats
Mesh Security Proposal
Beacon Protection Date: Authors: July 2018 July 2018
Keying for Fast Roaming
Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget Cisco Systems, Inc
Overview of Improvements to Key Holder Protocols
Overview of Improvements to Key Holder Protocols
Sept 2003 PMK “sharing” Tim Moore Tim Moore, Microsoft.
Presentation transcript:

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004

Outline  IEEE i  RSNA (Robust Security Network Association)  4-Way Handshake (our focus !)  Murφ Verification  Murφ Modeling  Clarifications of the protocol  Forged Message 1 attack  DoS attack & countermeasures  DoS attack in practical implementation  3 possible countermeasures  Conclusion & Future work

IEEE i Standard  Ratified on June 24, 2004  Components  RSNA and Pre-RSNA algorithms  WEP, TKIP included for backward compatibility  CCMP as a long-term solution with hardware upgrade  RSNA Establishment Procedures  Network and Security Capability Discovery  Open System Authentication and Association  EAP/802.1X/RADIUS Authentication  4-Way Handshake  Group Key Handshake  Secure Data Communications

Authentica- tion Server (RADIUS) No Key Authenticator UnAuth/UnAssoc 802.1X Blocked No Key Supplicant UnAuth/UnAssoc 802.1X Blocked No Key Supplicant Auth/Assoc 802.1X Blocked No Key Authenticator Auth/Assoc 802.1X Blocked No Key Authentica- tion Server (RADIUS) No Key Association EAP/802.1X/RADIUS Authentication Supplicant Auth/Assoc 802.1X Blocked MSK Authenticator Auth/Assoc 802.1X Blocked No Key Authentica- tion Server (RADIUS) MSK Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK Authentica- tion Server (RADIUS) No Key 4-Way Handshake Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica- tion Server (RADIUS) No Key Group Key Handshake Supplicant Auth/Assoc 802.1X UnBlocked New GTK Authenticator Auth/Assoc 802.1X UnBlocked New GTK Authentica- tion Server (RADIUS) No Key Data Communication Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica- tion Server (RADIUS) No Key RSNA Conversations

Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK Authentica- tion Server (RADIUS) No Key The 4-Way Handshake AssociationEAP/802.1X/RADIUS Authentication Group Key Handshake Data Communication MSK {AA, ANonce, sn, msg1, PMKID} {SPA, SNonce, SPA RSN IE, sn, msg2, MIC} {AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC} {SPA, sn+1, msg4, MIC} Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica- tion Server (RADIUS) No Key

Problem Statement  Assumption  PMK is shared between the Supplicant and the Authenticator  The AS “move” the key materials to the Authenticator  Handshake Goals  Confirm the possession of PMK  Derive a fresh session key for data transmission PTK=PRF{PMK, AA||SPA||ANonce||SNonce}  Analysis  Based on the existing specifications of the 4-way handshake  Mur j verification using “rationale reconstruction”

Finite-State Verification... Correctness condition violated  Murφ rules for protocol participants and the intruder define a nondeterministic state transition graph  Murφ will exhaustively enumerate all graph nodes  Murφ will verify whether specified security conditions hold in every reachable node  If not, the path to the violating node will describe the attack

Running Murφ Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error Mur j code RFC, IEEE Std. Mur j code, similar for all protocols Specify security conditions and run Mur j

Modeling the 4-Way Handshake  Authenticators/Supplicants:  Each authenticator maintain one association with each supplicant, and vice versa  Each association has a uniquely shared PMK  Multiple sequential legitimate handshakes in one association  Intruder  Impersonate both supplicant and authenticator  Eavesdrop, intercept and replay messages  Compose messages with known nonce and MIC  Forge fresh Message 1  Predict and replay nonces for pre-computation of MIC  Rationale reconstruction  Turn on/off fields: nonce, sequence, msg, address

Simplified 4-Way Handshake AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC SPA, sn+1, msg4, MIC PTK Derived Random GTK PTK and GTK 802.1X Unblocked PTK and GTK 802.1X Unblocked Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK AA, ANonce, sn, msg1 SPA, SNonce, SPA RSN IE, sn, msg2, MIC

Protocol Clarifications  Sequence number, AA, SPA  Essentially redundant  Message flag  Nessary to be included and protected  otherwise could ambiguously use Msg 2 as 3, or vice versa  Exclusive supplicant and authenticator  Otherwise reflection attacks  Fresh nonces  globally unique and unpredictable  Otherwise pre-computation attacks and replay attacks

Forged Message 1 Attack AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC SPA, sn+1, msg4, MIC PTK Derived Random GTK PTK and GTK 802.1X Unblocked PTK and GTK 802.1X Unblocked Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK AA, ANonce, sn, msg1 SPA, SNonce, SPA RSN IE, sn, msg2, MIC AA, ANonce, sn, msg1

DoS attack  TPTK/PTK solution  Proposed in the documentation  not work for all cases  Keep states for every incoming Message 1  DoS attack: Memory/CPU exhaustion  Like a TCP SYN flooding attack  Interleaving handshakes  Authenticator could only accept expected messages  Supplicant could not do so, must accept Msg 1 in all stages  Parallel handshake instances exist

Countermeasures (1) Random-Drop Queue: Randomly drop a stored entry to adopt the state for the incoming Message 1 if the queue is filled. Not so effective

Countermeasures (2)  Authenticate Message 1  To reuse the algorithms/hardware, set nonces to special values, e.g., 0, and derive PTK.  Calculate MIC for Msg 1 using the derived PTK  Good solution if PMK is fresh  If PSK and cached PMK, replay attacks !  Add a monotonically increasing global sequence counter  Use local time in authenticator side  Sufficient space in Message 1 ( 8-octet sequence field )  No worry about time synchronization Modifications on packet format

Countermeasures (3)  Re-Use Nonce  Supplicant re-use SNonce until one 4-way handshake completes successfully  Derive correct PTK from Message 3  Authenticator may (or may not) re-use ANonce  Solve the problem, but  Attacker might gather more infomation about PMK by playing with Message 1, recall PTK=PRF{PMK, AA||SPA||ANonce||SNonce}  More computations in the supplicant Performance Degradation

Our Proposal  Combined solution  Supplicant re-use SNonce  Store one entry of ANonce and PTK for the first Message 1  If nonce in Message 3 matches the entry, use PTK directly; otherwise derive PTK again and use it.  Advantages  Eliminate the memory DoS attack  Ensure performance in “friendly” scenarios  Only minor modifications on the algorithm in the Supplicant No modifications on the packet format  Adopted by TGi  Documentation will be updated once a chance

Conclusion & Future Work  Conclusions  Simplified protocol and several clarifications  Parallel instances exist => Forged Message 1 attack  Keep all states => Denial-of-Service attack  3 countermeasures and the effectiveness  Proposed solution Supplicant re-use SNonce to eliminate the vulnerability Supplicant may store one entry of PTK for performance no modifications on the packet format, adopted by TGi  Future Work  A full study of the i correctness