Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell.

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.
Analysis of the i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.
Security Analysis and Improvements for IEEE i
IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Security Analysis and Improvements for IEEE i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
WEP and i J.W. Pope 5/6/2004 CS 589 – Advanced Topics in Information Security.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
802.11i Security Analysis: Can we build a secure WLAN? Changhua He Stanford University March 24 th, 2005
Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE Wireless Local Area Networks (WLAN’s).
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
15 November Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
Marwan Al-Namari Week 10. RTS: Ready-to-Send. CTS: Clear-to- Send. ACK: Acknowledgment.NAV: network allocation vector (channel access, expected time to.
WLAN security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
802.11i Wireless Networking Authentication Protocol J. Mitchell CS 259.
IWD2243 Wireless & Mobile Security Chapter 3 : Wireless LAN Security Prepared by : Zuraidy Adnan, FITM UNISEL1.
Analysis of 4-way handshake protocol in IEEE i Changhua He Stanford University Mar. 04, 2004.
Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.
Wireless LAN Security Yen-Cheng Chen Department of Information Management National Chi Nan University
Michal Rapco 05, 2005 Security issues in Wireless LANs.
Mobile and Wireless Communication Security By Jason Gratto.
Remedies Use of encrypted tunneling protocols (e.g. IPSec, Secure Shell) for secure data transmission over an insecure networktunneling protocolsIPSecSecure.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
Comparative studies on authentication and key exchange methods for wireless LAN Authors: Jun Lei, Xiaoming Fu, Dieter Hogrefe and Jianrong Tan Src:
Wireless and Security CSCI 5857: Encoding and Encryption.
MOBILE AD-HOC NETWORK(MANET) SECURITY VAMSI KRISHNA KANURI NAGA SWETHA DASARI RESHMA ARAVAPALLI.
Chapter Network Security Architecture Security Basics Legacy security Robust Security Segmentation Infrastructure Security VPN.
Wireless Security Beyond WEP. Wireless Security Privacy Authorization (access control) Data Integrity (checksum, anti-tampering)
Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.
Done By : Ahmad Al-Asmar Wireless LAN Security Risks and Solutions.
Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)
WEP Protocol Weaknesses and Vulnerabilities
Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
WEP, WPA, and EAP Drew Kalina. Overview  Wired Equivalent Privacy (WEP)  Wi-Fi Protected Access (WPA)  Extensible Authentication Protocol (EAP)
Link-Layer Protection in i WLANs With Dummy Authentication Will Mooney, Robin Jha.
IEEE i Aniss Zakaria Survey Fall 2004 Friday, Dec 3, 2004
Lecture 24 Wireless Network Security
Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.
Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 24 “Wireless Network Security”.
Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN
Muhammad Mahmudul Islam Ronald Pose Carlo Kopp School of Computer Science & Software Engineering Monash University Australia.
Wireless security Wi–Fi (802.11) Security
802.11b Security CSEP 590 TU Osama Mazahir. Introduction Packets are sent out into the air for anyone to receive Eavesdropping is a much larger concern.
Wireless Network Security CSIS 5857: Encoding and Encryption.
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.
Lecture 7 (Chapter 17) Wireless Network Security Prepared by Dr. Lamiaa M. Elshenawy 1.
EECS  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Robust Security Network (RSN) Service of IEEE
CSE 4905 WiFi Security II WPA2 (WiFi Protected Access 2)
History and Implementation of the IEEE 802 Security Architecture
Wireless Protocols WEP, WPA & WPA2.
Lecture 29 Security in IEEE Dr. Ghalib A. Shah
CS259: Security Analysis of Network Protocols, Winter 2008
CSE 4905 Network Security Overview
Mesh Security Proposal
PEKM (Post-EAP Key Management Protocol)
Presentation transcript:

Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell Stanford University (Ante Derek, Changhua He, Mukund Sundararajan) UIUC, MIT, Stanford, UCSB, UCLA MURI: 3-Year Review June 22, 2005 Sponsored by DDR&E and AFOSR Program manager Lt Col Sharon Heise

Communications/Verifica tion Robotic Vehicles Computing & Verification Control & Information Theory Communications

Computational models Timed Probabilistic State-transition models Logic-based models Basic Asynchronous Hybrid Program-based models Features Approaches

 State-transition models  Finite-state machines, Turing machines  I/O automata  Logic-based models  Before/after conditions  Temporal logic  First-order state predicates:        Modal operators: Always , Eventually   Program-based models  Process calculi

Security Analysis at Stanford  State-transition Models  Murphi model-checking [Mitchell, Shmatikov et al]  Logic-based Models  Protocol Logic [Datta, Derek, Durgin, Mitchell, Pavlovic]  Composition theorems (assume-guarantee paradigm)  Relationship to Lynch’s project (compositional reasoning)  Computational Protocol Logic [Datta, Derek, Mitchell, Shmatikov, Turuani]  Probability, complexity  Symbolic reasoning about complexity-theoretic cryptography  Program-based Models  Probabilistic Polytime Process Calculus [Mitchell, Ramanathan, Scedrov, Teague]  Relationship to Lynch’s project (I/O Automata) – preliminary results [Datta, Kuesters, Mitchell, Ramanathan]

Secure Wireless Networking  Wireless Security Overview  Wireless threats  IEEE i  Murphi Analysis of 4-Way Handshake [He, Mitchell]  Breaking and Fixing IEEE i Standard  Modular Proof of i using Protocol Logic [He, Sundararajan, Datta, Derek, Mitchell]  i and Ad Hoc Routing Security [He, Mitchell]

Human Interface Devices Synchronization Dial-Up Networking Printing Cellular Network Mobile Data Services WiMAX WLAN Bluetooth PAN Public Internet Home/Office Hands-free Speakerphone Hands-free Headset Wireless Everything Outdoor BS

Wireless Threats  Passive Eavesdropping/Traffic Analysis  Easy, most wireless NICs have promiscuous mode, cheap man-made antenna can enlarge the signal range greatly  Message Injection/Active Eavesdropping  Easy, some techniques to gen. any packet with common NIC, exploit MAC cooperation to interfere in a timely way  Message Deletion and Interception  Possible, interfere packet reception with directional antennas  Masquerading and Malicious AP  Easy, MAC address forgeable and software available (HostAP)  Session Hijacking  Man-in-the-Middle  Denial-of-Service (DoS)

Wireless Security Evolution [Walker00], [Wagner01], [Arbaugh et al 01], [Arbaugh02], [FMS01] …  WEP (Wired Equivalent Protocol)  Authentication: Open System (SSID) or Shared Key  Authorization: some vendor use MAC address filtering  Confidentiality/Integrity: RC4 + CRC  Completely insecure – bad use of good crypto  WPA: Wi-Fi Protected Access  Authentication: 802.1X  Confidentiality/Integrity: TKIP  Reuse the legacy hardware, still problematic  IEEE i (Ratified on June 24, 2004 )  Mutual authentication, e.g., EAP- TLS/802.1X/RADIUS  Data confidentiality and integrity: CCMP (believed secure)  Key management protocols

Authentica- tion Server (RADIUS) No Key Authenticator UnAuth/UnAssoc 802.1X Blocked No Key Supplicant UnAuth/UnAssoc 802.1X Blocked No Key Supplicant Auth/Assoc 802.1X Blocked No Key Authenticator Auth/Assoc 802.1X Blocked No Key Authentica- tion Server (RADIUS) No Key Association EAP/802.1X/RADIUS Authentication Supplicant Auth/Assoc 802.1X Blocked MSK Authenticator Auth/Assoc 802.1X Blocked No Key Authentica- tion Server (RADIUS) MSK Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK Authentica- tion Server (RADIUS) No Key 4-Way Handshake Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica- tion Server (RADIUS) No Key Group Key Handshake Supplicant Auth/Assoc 802.1X UnBlocked New GTK Authenticator Auth/Assoc 802.1X UnBlocked New GTK Authentica- tion Server (RADIUS) No Key i: RSNA Procedures Data Communication Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica- tion Server (RADIUS) No Key

Roadmap  Wireless Security Overview  Wireless threats  IEEE i  Murphi Analysis of 4-Way Handshake [He, Mitchell]  Breaking and Fixing IEEE i Standard  Modular Proof of i using Protocol Logic [He, Sundararajan, Datta, Derek, Mitchell]  i and Ad Hoc Routing Security [He, Mitchell]

Murphi Protocol Verification Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error/Diagnose Mur j code RFC, IEEE Std. Mur j code, similar for all protocols Set initial states, specify security conditions, run Mur j

The 4-Way Handshake AssociationEAP/802.1X/RADIUS Authentication Group Key Handshake Data Communication MSK {AA, ANonce, sn, msg1, PMKID} {SPA, SNonce, SPA RSN IE, sn, msg2, MIC} {AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC} {SPA, sn+1, msg4, MIC} Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica- tion Server (RADIUS) No Key

AA, ANonce, sn, msg1 4-Way Handshake Blocking AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC PTK Derived Random GTK PTK and GTK 802.1X Unblocked PTK and GTK 802.1X Unblocked Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK SPA, sn+1, msg4, MIC AA, ANonce, sn, msg1 SPA, SNonce, SPA RSN IE, sn, msg2, MIC AA, ANonce, sn, msg1 AA, ANonce[1], sn, msg1 AA, ANonce[n], sn, msg1

4-Way Blocking Attack  Requirement:  Must allow wireless station to start more than one session to provide robustness against packet loss.  Problem:  Message 1 can be forged (not authenticated)  Attacker can start many sessions by sending forged message 1’s to wireless station  Memory DoS attack: memory exhausted by state maintained for these sessions  Similar to TCP SYN flooding attack

4-Way Blocking: Solution  Solution  Wireless station (supplicant) re-uses its nonce  No additional state per session  Store one entry of ANonce and PTK for the first Message 1  If nonce in Message 3 matches the entry, use PTK directly; otherwise compute PTK again and use it.  Advantages  Eliminates the memory DoS attack  Ensures performance in “friendly” scenarios  Only minor modification to the Supplicant algorithm  No modification to the packet format  Adopted by IEEE TGi  Simple solution, but not immediate

Summary of Vulnerabilities ATTACKSSOLUTIONS 4-way handshake blocking re-use supplicant nonce, eliminate memory DoS. Adopted by IEEE TGi. reflection attack each participant plays the role of either authenticator or supplicant; if both, use different PMKs. Important for deployment in ad hoc network setting. attack on Michael countermeasure s cease connections for a specific time instead of re-key and deauthentication; update TSC before MIC and after FCS, ICV are validated. RSN IE poisoning Authenticate Beacon and Probe Response frame; Confirm RSN IE in an earlier stage; Relax the condition of RSN IE confirmation. security rollback supplicant manually chooses security; authenticator restrict pre-RSNA to only insensitive data.

Roadmap  Wireless Security Overview  Wireless threats  IEEE i  Murphi Analysis of 4-Way Handshake [He, Mitchell]  Breaking and Fixing IEEE i Standard  Modular Proof of i using Protocol Logic [He, Sundararajan, Datta, Derek, Mitchell]  i and Ad Hoc Routing Security [He, Mitchell]

Protocol Composition Logic  Cord calculus  Protocol programming language  Execution model (Symbolic/Dolev-Yao)  Protocol logic  Expressing security properties  Proof system  Axiomatically proving security properties  Soundness Theorem – every provable formula is true

802.11i:Staged Composition  Control Flow  Intended run is sequential  Different Failure Recovery mechanisms can be implemented for efficiency  Periodically update Group Key, PTK, PMK (omit here)  Hybrid modes  Pre-Shared Key (PSK) used directly instead of EAP authentication methods  Cached PMK might be used for mobile users  Alternatives for EAP-TLS, e.g., PEAP, LEAP Data Transmission Group Key 4-Way EAP-TLS PMK PTK GTK

802.11i Proof Structure Step 1.  i,  j |- θ i [P i ] X  i Separate proof of individual components TLS, 4-Way, and Group Key Handshake; Step 2.  i, j, Q i |-  j Necessary invariants are satisfied by all components; Step 3.  i,  i  θ i+1 The postcondition of TLS implies precondition of 4-Way; postcondition of 4-Way implies precondition of Group Key; Step 4.  i, θ i [B] X θ i The preconditions of each component are preserved by subsequent components. Applying the Staged Composition Theorem, i is secure.

Roadmap  Wireless Security Overview  Wireless threats  IEEE i  Murphi Analysis of 4-Way Handshake [He, Mitchell]  Breaking and Fixing IEEE i Standard  Modular Proof of i using Protocol Logic [He, Sundararajan, Datta, Derek, Mitchell]  i and Ad Hoc Routing Security [He, Mitchell]

Ad Hoc Routing Security  Secure routing is important in ad hoc networks  Previous work: common routing + cryptographic improvements  Most proposals based on on-demand (reactive) routing  No false route accepted  Common problems  Many secure routing protocols are complicated  Some attacks are still possible  Assume everyone shares keys prior to routing  Thought  i is supposed to be widely deployed, can we take advantage of that?

Observations  i provides hop-by-hop security  Neighborhood authentication + Identity Binding  IPsec or other protocols to provide end-to-end security  If all good nodes, common routing protocol works  Compromised nodes can cause problems  Link layer security => Local Attacker model  Eliminate outside attacker, only inside attacker  Reduce global attacker to local attacker B S D F A T C E

Summary  Security Analysis Methods:  Murφ and PCL effective for analyzing industrial security protocols  Paradigms:  Compositional reasoning  Symbolic reasoning about cryptography  IEEE i case study  Automated study led to improved standard  Deployment recommendations also  IEEE i and ad hoc routing security  Goal: simplify the design of secure routing protocols using link layer security  More ongoing case studies:  Mobile IPv6, IEEE e

Questions?

Project Goals  Establish theory, scalable control algorithms and protocols  Performance and correctness verifiable with robustness to  External uncertainty  Malicious attack  Rapidly evolving environment

Failure Recovery  Failure recovery is important  Can reduce but not eliminate DoS vulnerabilities  i adopts a simple scheme  Whenever failure, restart from the beginning, inefficient !  A better failure recovery for i  If 802.1X does not finish, restart everything  Otherwise restart from nearest completed components  Difficult to forge an 802.1X authentication  User moves to another AP after 802.1X authentication ?  Not a problem since channel scanning time is significantly larger than the protocol execution time

Improved i Architecture Stage 1: Network and Security Capability Discovery Stage 2: 802.1X Authentication (mutual authentication, shared secret, cipher suite) Stage 3: Secure Association (management frames protected) Stage 4: 4-Way Handshake (PMK confirmation, PTK derivation, and GTK distribution) Stage 5: Group Key Handshake Stage 6: Secure Data Communications Michael MIC Failure or Other Security Failures Group Key Handshake Timout 4-Way Handshake Timout Association Failure 802.1X Failure

Local Attacker Model  Local Attacker Model  Compromised node or geographic limitations  Attacker can only touch its neighbors  A weaker attacker model  Network is not controlled by the attacker  If the attacker wants to control the network, it will try to attract all traffic passing through itself  Secure routing under local attacker model  Find good route with high probability  Idea (informal)  Link security + secure routing under local attacker model gives secure routing under global attacker model  Advantages  Decompose secure routing to two problems  “Simplify” the secure routing design (802.11i already done)  No need for key pre-distribution among everybody