Analysis of 4-way handshake protocol in IEEE 802.11i Changhua He Stanford University Mar. 04, 2004.

Slides:

Advertisements

Similar presentations

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Advertisements

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.

Security Analysis and Improvements for IEEE i

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005

Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Security Analysis and Improvements for IEEE i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.

802.11i Security Analysis: Can we build a secure WLAN? Changhua He Stanford University March 24 th, 2005

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE

IEEE Wireless Local Area Networks (WLAN’s).

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

15 November Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.

WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

Wireless Security Issues Implementing a wireless LAN without compromising your network Marshall Breeding Director for Innovative Technologies and Research.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

802.11i Wireless Networking Authentication Protocol J. Mitchell CS 259.

IWD2243 Wireless & Mobile Security Chapter 3 : Wireless LAN Security Prepared by : Zuraidy Adnan, FITM UNISEL1.

Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.

WIRELESS NETWORKING. What are the advantages to wireless networking? How has society changed?

A Methodology for Evaluating Wireless Network Security Protocols David Rager Kandaraj Piamrat.

Michal Rapco 05, 2005 Security issues in Wireless LANs.

Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),

Wireless and Security CSCI 5857: Encoding and Encryption.

Investigators have published numerous reports of birds taking turns vocalizing; the bird spoken to gave its full attention to the speaker and never vocalized.

IEEE MEDIA INDEPENDENT HANDOVER DCN: srho

Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.

WEP Protocol Weaknesses and Vulnerabilities

WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.

Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks

Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.

Security in Wireless Networks IEEE i Presented by Sean Goggin March 1, 2005.

Doc.: IEEE /495r1 Submission July 2001 Jon Edney, NokiaSlide 1 Ad-Hoc Group Requirements Report Group met twice - total 5 hours Group size ranged.

Network Security7-1 Today r Reminder Ch7 HW due Wed r Finish Chapter 7 (Security) r Start Chapter 8 (Network Management)

Link-Layer Protection in i WLANs With Dummy Authentication Will Mooney, Robin Jha.

Doc.: IEEE /551r0 Submission September 2002 Moore, Roshan, Cam-WingetSlide 1 TGi Frame Exchanges Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget.

Doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.

IEEE i Aniss Zakaria Survey Fall 2004 Friday, Dec 3, 2004

Lecture 24 Wireless Network Security

Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.

Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.

Shambhu Upadhyaya Security – Key Hierarchy Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 11)

Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN

Doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.

Doc.: r Submission March 2006 AllSlide 1 A method to refresh the keys hierarchy periodically Notice: This document has been prepared to.

Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.

802.11b Security CSEP 590 TU Osama Mazahir. Introduction Packets are sent out into the air for anyone to receive Eavesdropping is a much larger concern.

Wireless Network Security CSIS 5857: Encoding and Encryption.

Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.

Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.

Cracking WPA/WPA2 in the Cloud

Doc.: IEEE /1426r02 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District,

EECS  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

Wireless Authentication Protocol Presented By: Tasmiah Tamzid Anannya Student Id:

CSE 4905 WiFi Security II WPA2 (WiFi Protected Access 2)

Lecture 29 Security in IEEE Dr. Ghalib A. Shah

CS259: Security Analysis of Network Protocols, Winter 2008

Mesh Security Proposal

Overview of Improvements to Key Holder Protocols

Overview of Improvements to Key Holder Protocols

Presentation transcript:

Analysis of 4-way handshake protocol in IEEE i Changhua He Stanford University Mar. 04, 2004

Scenario: An example of a wireless local area network Wired Network Security !

History of Security Concerns u802.11b (WEP) Wired Equivalent Protocol Many attacks found uWPA: Wi-Fi Protected Access Proposed by Wi-Fi Alliance Short-term solution based on 802.1x u802.11i Standards approved Oct Long-term solution, may need hardware upgrades This project focus on part of the authentication protocol in the standard

Terms uAuthenticator: Entities implemented in AP uSupplicant: Entities implemented in Laptop uAuthentication Server uPMK: Pair-wise Master Key uPTK: Pair-wise Transient Key uMIC: Message Integrity Code uANonce: nonce generated by authenticator uSNonce: nonce generated by supplicant uAA: Authenticator Address (MAC) uSPA: Supplicant Address (MAC)

802.11i Authentication Association802.1x/Radius/EAP-TLSSecured Data Channel4-way Key managementGroup Key management Ethernet Access Point Radius Server Laptop computer Wireless

Idealized 4-way Handshake Ethernet Access Point Laptop computer Wireless Channel {AA, ANonce, n, msg1} PMK Known, Last Seen < n PMK Known, Counter = n {AA, ANonce, n+1, msg3, MIC PTK (ANonce, n+1, msg3)} {SPA, SNonce, n, msg2, MIC PTK (SNonce, n, msg2)} {SPA, n+1, msg4, MIC PTK (n+1, msg4)} PTK=PRF{PMK,AA||STA||Anonce||Snonce} Derive PTK, Counter = n+1 Install PTK, Last Seen = n+1 Install PTK, Counter = n+2

Description uPrior to 4-way handshake, we assume: PMK only known to Supplicant and Authenticator, never transmitted over network uObjectives: Generate PTK and confirm the procession and freshness of PTK uMethodology: Use Mur j to model the protocol from simplest version, find out attacks, add fields step by step to defense the attacks, get complete one. Can make clear the function of each fields, and find out attacks for the complete protocol.

Murφ Modeling uAuthenticators/Supplicants: Each authenticator maintain associations with each supplicant, and vice versa Each association has a unique PMK Several sessions can happen in one association sequentially uIn each run: Turn on/off fields: nonce, sequence, mtype, address

Intruder uImpersonate both supplicant and authenticator Forge MAC address in each message Can not get PMK for associations uIntercepts all messages uReplay all messages uForge messages with known nonce and MIC uCompose message 1 with known nonces uActively predict nonces and ask the supplicant to pre-compute MIC Model attacks when nonces are predictable or not globally unique

Invariant invariant "PTKs are consistent and fresh" forall i: AuthenticatorId do forall j: SupplicantId do aut[i].associations[j].session.state = A_DONE -> (sup[j].associations[i].session.state = S_DONE & ptkEqual(aut[i].associations[j].session.ptk, sup[j].associations[i].session.ptk) & aut[i].associations[j].sid = sup[j].associations[i].sid) | (sup[j].associations[i].session.state = S_PTKSA & aut[i].associations[j].sid <= sup[j].associations[i].sid) end end;

Achieved protocol {ANonce, msg1} {ANonce, msg3, MIC PTK (ANonce, msg3)} {SNonce, msg2, MIC PTK (SNonce, msg2)} {msg4, MIC PTK (msg4)} Ethernet Access Point Laptop computer Wireless Channel PTK=PRF{PMK,Anonce||Snonce}

Summary of fields uNonces is necessary for fresh PTK uMtype Necessary, otherwise can fool supplicant to calculate msg 3, or vice versa uSequence Not necessary here Defense msg 3 replay, but it is harmless uAA, SPA Bind PTK to the physical device, not necessary here, but need to be considered with PMK

Implementation error Ethernet Access Point Laptop computer Wireless Channel {AA, ANonce, n, msg1} {AA, ANonce, n+1, msg3, MIC PTK (ANonce, n+1, msg3)} {SPA, SNonce, n, msg2, MIC PTK (SNonce, n, msg2)} {SPA, n+1, msg4, MIC PTK (n+1, msg4)} {AA, Nonce, n, msg1} The standard adopts TPTK & PTK: not work

DoS attack Intruder keep sending msg. 1 to Supplicant, supplicant needs to keep all the states No CPU exhaustion attack assume hash is easy to compute But maybe memory exhaustion attack –Not consume much memory for each state –But so easy for the attacker to flooding msg 1 Possible Solution –Send Anonce together with Snonce in msg 3 –Sequence acts to defense replay –Need to change packet formats

Conclusions uMurphi Modelling Suitable for finite state verification Inspiration for finding attacks, but need to model attacks correctly Can not model DoS attacks u802.11i 4-way handshake protocol Fortunately, well-designed & secure Some fields are redundant for this part Implementation error (corresponding to DoS attack)