doc.: IEEE /1429r0 Submission November 2011 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:

doc.: IEEE /1429r0 Submission November 2011 Dan Harkins, Aruba NetworksSlide 2 Abstract This presentation describes a proposed FILS authentication protocol.

doc.: IEEE /1429r0 Submission Background: Otway-Rees Classic 3-party protocol Players: –Alice, a client/peer with identity A –Bob, a server/peer with identity B –Trent, the trusted 3 rd party with identity T Assumptions: –Alice shares a key with Trent, K at –Bob shares a key with Trent, K bt Notation: –{X}y is wrapping message X with key y –g x is a Diffie-Hellman exponential, generator g raised to power x –Nx is a nonce, a random number, contributed by party x –sess is a session identifier –X  Y means X sends to Y November 2011 Dan Harkins, Aruba NetworksSlide 3

doc.: IEEE /1429r0 Submission Background: Otway-Rees A  B: A, B, sess, {Na, A, B, sess} K at B  T: B, A, sess, {Na, A, B, sess} K at, {Nb, B, A, sess} K bt B  T: sess, {Na, K ab }K at, {Nb, K ab }K bt A  B: sess, {Na, K ab }K at Now Alice and Bob share a secret key, K ab, and a session identifier, sess. November 2011 Dan Harkins, Aruba NetworksSlide 4

doc.: IEEE /1429r0 Submission Background: Otway-Rees Nonces provide a proof of “liveness” to the resulting shared key If sess is reused a cut-and-paste attack could result in one party thinking protocol finished successfully and the other thinking it failed– not a good result Trent, the trusted third party, is a key distributor –Someone else besides Alice and Bob know their secret –Trent is solely responsible for creating the secret Alice and Bob really haven’t authenticated each other! –They share a key with the other party but have not proven to each other that the other party knows it We could add an Otway-Rees-like exchange, but…. November 2011 Dan Harkins, Aruba NetworksSlide 5

doc.: IEEE /1429r0 Submission FILS Authentication Using a TTP Use Diffie-Hellman to derive a unique session key Use Trent to authenticate the exchange, not be a key distributor Add a proof-of-possession upon completion of the exchange Embed Alice’s message for/from Trent inside Bob’s to mitigate cut-and-paste issues November 2011 Dan Harkins, Aruba NetworksSlide 6

doc.: IEEE /1429r0 Submission FILS Authentication Using a TTP A  B: A, sess, Na, {A, B, sess, g a } K at B  T: B, sess, {B, A, sess, g b, {A, B, sess, g a }K at } K bt B  T: sess, {B, A, sess, g b, g a, {A, B, sess, g a, g b }K at }K bt, A  B: sess, Nb, {A, B, sess, g a, g b }K at (g b ) a = g ab = (g b ) a K ab-mac | PMK = KDF(Na | Nb, g ab ) A  B: HMAC(K ab-mac, sess | MAC-A | MAC-B) B  A: HMAC(K ab-mac, sess | MAC-B | MAC-A) K ab-ccm = KDF(PMK, sess, min(MACS), max(MACS)) November 2011 Dan Harkins, Aruba NetworksSlide 7

doc.: IEEE /1429r0 Submission FILS Authentication Using a TTP Diffie-Hellman exponentials in wrapped content provide the “liveness” proof to the exchange Embedding messages from/for Alice into Bob’s messages helps thwart cut-and-paste attacks Alice knows Bob created g b and Bob knows Alice created g a (because Trent said so), and they both know that the only entities that can know g ab are themselves Final two messages provide proof-of-possession of g ab Generation of a CCMP (GCMP!) key for initial use and a PMK for subsequent use November 2011 Dan Harkins, Aruba NetworksSlide 8

doc.: IEEE /1429r0 Submission Putting FILS Authentication Using a TTP Into Authenticated Diffie-Hellman between Alice and Bob is four messages– two for the interaction with Trent, and two to prove possession of the resulting shared secret. –Use authentication frames for first two –Use association frames for second two Fits in nicely with state machine –Discovery is through Beacons and Probe responses –State 0 to State 1 transition is using authentication frames –State 1 to State 2 transition is using association frames –STA could associate with multiple APs while associated with another Can put other things, like DHCP Request/Response, into Association Request/Response November 2011 Dan Harkins, Aruba NetworksSlide 9

doc.: IEEE /1429r0 Submission Putting FILS Authentication Using a TTP Into November 2011 Dan Harkins, Aruba NetworksSlide beacon/probe response authentication request authentication response association request association response FILS-TTP authentication request FILS-TTP authentication response STAid, sess, {blob}sta-ttp TTPid, APid APid, sess, {blob}ap-ttp sess, {blob}ap-ttp sess, {blob}sta-ttp H(K, sess | MAC-STA | MAC-AP) H(K, sess | MAC-AP | MAC-STA) STAAPTTP

doc.: IEEE /1429r0 Submission Putting FILS Authentication Using a TTP Into Fast! –Only operations using asymmetric cryptography invole the Diffie- Hellman key exchange –The TTP does not do any computationally intensive action! Use state-of-the-art crypto –Use RFC 5297 for wrapping/unwrapping of blobs –Use RFC 5869-style “extract-the-expand” KDF –Works with elliptic curve as well as finite field cryptography Communication with Trent: –SME: this is the way 11r punted the R0-R1-AP communication issue –ERP: could craft this req/resp into an EAP/Initiate-Reauth and EAP/Finish-Reauth, will work with RADIUS and Diameter (!) –or other IETF? November 2011 Dan Harkins, Aruba NetworksSlide 11

doc.: IEEE /1429r0 Submission Properties of FILS Authentication Using a TTP Perfect Forward Secrecy: Yes Mutual Authentication: Yes Key Generation: Yes Identity Protection: No Protection against DDOS attacks: No Crypto-agility: Yes Negotiation of crypto capabilities: Yes November 2011 Dan Harkins, Aruba NetworksSlide 12

doc.: IEEE /1429r0 Submission FILS Authentication, without Online Third Party Uses Ephemeral Diffie-Hellmann to derive a unique session key Uses Signatures to Authenticate Exchanged DH- exponents Uses Message Authentication Code to provide key confirmation and complete exchange November 2011 Slide 13

doc.: IEEE /1429r0 Submission FILS Authentication Without a Third Party Protocol Flows: A  B: Na, xG, Cert CA (Id A, aG), Id sess A  B: Nb, yG, Cert CA (Id A, bG), Id sess K = h (xy)G = (hx)Y = (hy)X, where X:=xG, Y:=yG K ab-mac | PMK = kdf(Na | Nb, K | Id A | Id B | Id sess ) A  B: MAC kab-mac (flow AB, Id A, Id B ), Sig A (yG, xG, Id A, Id B, Id sess ) A  B: MAC kab-mac (flow BA, Id B, Id A ), Sig B (xG, yG, Id B, Id A, Id sess ) K ab-ccm = KDF(PMK, Id sess, min(MACS), max(MACS)) Cryptographic Schemes: (1)Ephemeral Diffie-Hellmann CDH(1,1): NIST SP a (2)Signature Scheme ECDSA: FIPS (3)Key Derivation: Draft NIST SP C (4)Curve: P-256 h=1 (FIPS 186-2); SHA-256 (FIPS 180-2) November 2011 Slide 14

doc.: IEEE /1429r0 Submission Putting FILS Authentication Without a Third Party Into November 2011 Slide beacon/probe response authentication request authentication response association request association response xG, Cert CA (STA, aG), Id sess yG, Cert CA (AP, bG), Id sess STA AP TTP MAC ka (#3, STA, AP), Sig STA (yG, xG, STA, AP, Id sess ) MAC ka (#4, AP, STA), Sig AP (xG, yG, AP, STA, Id sess ) Possible to include AP key contribution in Beacon/probe, at cost of loosing perfect Forward secrecy; but does slim down #flows

doc.: IEEE /1429r0 Submission Properties of FILS Authentication Without a Third Party Perfect Forward Secrecy: Yes Mutual Authentication: Yes Key Generation: Yes Identity Protection: No Protection against DDOS attacks: No, but not a threat if ECC implemented with some hardware support Crypto-agility: Yes Negotiation of crypto capabilities: Possible November 2011 Slide 16

doc.: IEEE /1429r0 Submission FILS Authentication Using a Simple Password (ala SAE) A  B: Na, sess, scalar a, element a A  B: Nb, sess, scalar b, element b (PWE scalarb * element b ) a = K = (PWE scalara * element a ) b K ab-mac | PMK = KDF(Na | Nb, K) A  B: HMAC(K ab-mac, sess | scalar a | scalar b | MAC-A | MAC-B) B  A: HMAC(K ab-mac, sess | scalar b | scalar a | MAC-B | MAC-A) K ab-ccm = KDF(PMK, sess, (scalar a + scalar b ) | min(MACS), max(MACS)) November 2011 Dan Harkins, Aruba NetworksSlide 17

doc.: IEEE /1429r0 Submission Putting FILS Authentication Using a Simple Password Into November 2011 Slide beacon/probe response authentication request authentication response association request association response Na, scalar a, element a, Id sess STA AP Nb, scalar b, element b, Id sess H(K, Id sess | MAC-STA | MAC-AP) H(K, Id sess | MAC-AP| MAC-STA)

doc.: IEEE /1429r0 Submission Properties of FILS Authentication Using a Simple Password (ala SAE) Perfect Forward Secrecy: Yes Mutual Authentication: Yes Key Generation: Yes Identity Protection: No Protection against DDOS attacks: No Crypto-agility: Yes Negotiation of crypto capabilities: Yes November 2011 Slide 19

doc.: IEEE /1429r0 Submission FILS Authentication Two Message Exchange supports many options –Authentication using symmetric keys and a trusted third party –Authentication using certificates without a trusted third party –Authentication using passwords without a trusted third party Many desirable security properties –Mutual authentication –Perfect Forward Secrecy –Key Generation –Crypto-agility Use state-of-the-art cryptography November 2011 Dan Harkins, Aruba NetworksSlide 20

doc.: IEEE /1429r0 Submission Conformance with TGai PAR & 5C November 2011 Slide 21 Conformance QuestionResponse Does the proposal degrade the security offered by Robust Security Network Association (RSNA) already defined in ? No Does the proposal change the MAC SAP interface?No Does the proposal require or introduce a change to the architecture? No Does the proposal introduce a change in the channel access mechanism? No Does the proposal introduce a change in the PHY?No Which of the following link set-up phases is addressed by the proposal? (1) AP Discovery (2) Network Discovery (3) Link (Re-)establishment, exchange of security related messages (4) Higher layer aspects, e.g. IP address assignment. 3

doc.: IEEE /1429r0 Submission November 2011 Dan Harkins, Aruba NetworksSlide 22 References