EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba


Observations
Some EAP methods derive keys, some don’t
Where keys are derived, strength varies widely
The type of keys derived varies as well
  –Some methods derive ciphersuite-specific “session keys”
  –Some methods derive ciphersuite-independent “master keys”
Some methods describe key hierarchy, some don’t

Goals and Objectives
To describe basic concepts of EAP
To describe the EAP keying architecture
To point out pitfalls in design of EAP methods that derive keys
To identify problems that require solution

Why Derive Keys?
Key derivation not required in all uses
  –EAP can be used for authentication only
Where EAP methods derive keys, it is possible to “bind” the authentication to:
  –Subsequent data packets encrypted/integrity protected with those keys
  –Subsequent EAP methods running within a sequence
  –The tunnel within which EAP runs
  –To accomplish these things, it is necessary to define a “key hierarchy”

EAP Terms
Peer – desires network access
NAS – provides network access
AAA server (optional) – provides centralized authentication, authorization and accounting for NASes

EAP Overview
[Diagram: Peer, NAS and AAA Server, connected by the EAP Conversation. Labels: Cipher-Suite, Keys, Keys (Optional), EAP API, EAP Method.]

Assumptions of the Architecture
EAP methods
  –EAP methods are implemented on the peer and AAA server
  –NAS does not implement EAP methods except perhaps the mandatory method
  –NAS typically “passes through” the authentication
  –NAS may not have knowledge of the EAP method selected by the peer and AAA server
  –Peer and AAA server typically negotiate the EAP method
Ciphersuites
  –NAS & Peer negotiate and implement ciphersuites
  –Ciphersuites may be negotiated before or after EAP authentication, depending on the media
      PPP, 802.11i pre-auth: ciphersuite negotiated after authentication
      802.1X: ciphersuite negotiated before authentication
  –AAA server may not have knowledge of the selected ciphersuite
  –EAP method residing on the peer or AAA server may not have knowledge of the selected ciphersuite

Corollaries
EAP key derivation should be ciphersuite independent
Key derivation separated into two phases:
  –Master session key derivation (occurs on AAA server, peer)
      MSK derivation is EAP method-specific
      MSKes sent from AAA server to NAS via AAA protocol
  –Session key derivation from MSKes (occurs on NAS, peer)
      Session key hierarchy is ciphersuite specific
Reasons
  –Method may not know what the selected ciphersuite is at the time of key derivation
  –If key derivation is ciphersuite dependent, then EAP method will need to be revised each time a new ciphersuite comes out
      New EAP methods coming along all the time (36 so far, and counting)
      New media adopting EAP
      New ciphersuites being defined
      Matrix of ciphersuites times methods is big!

What is a Key Hierarchy?
A description of how the session keys required by a particular cipher are derived from the keying material provided by the EAP methods
  –Implies that you need a hierarchy per ciphersuite/media
Desirable characteristics
  –Key strength (64 bits typically not enough)
  –“Cryptographic separation” between keys used for different purposes (encryption, authentication/integrity, unicast/multicast, etc.)

Hierarchy Overview
[Diagram: the EAP Method asks “Is a raw master key available or can the PRF operate on it?” (K) and “Can a pseudo-master key be derived from the master key?” (K'), then performs Master Session Key Derivation. The Master Session Key Outputs feed Key and IV Derivation, which yields P->A Enc. Key (PMK), A->P Enc. Key, P->A Auth. Key, A->P Auth. Key, P->A IV and A->P IV. These cross the EAP API, are carried as AAA Keys, and enter the Ciphersuite-Specific Key Hierarchy on the NAS.]

Example Key Hierarchy (802.11i)
Pairwise Master Key (PMK)
PRF-X(PMK, “Pairwise key expansion”, Min(AA,SA) || Max(AA,SA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))
Pairwise Transient Key (PTK) (X bits)
EAPOL-Key MIC Key L(PTK,0,128) (MK)
EAPOL-Key Encryption Key L(PTK,128,128) (EK)
Temporal Key 1 L(PTK,256,128) (TK 1)
…
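The hierarchy on this slide can be worked through in code. The following is an added example, not part of the original slides: it implements the IEEE 802.11i PRF-X (iterated HMAC-SHA1) and the L() slicing to split a 384-bit PTK into the three keys named above. The PMK, addresses and nonces are constructed sample values, and the function names are chosen for this example.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, bits: int) -> bytes:
    """802.11i PRF-X: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, counter = b"", 0
    while len(out) * 8 < bits:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[: bits // 8]

def L(key: bytes, offset_bits: int, length_bits: int) -> bytes:
    """L(K, offset, length) from the slide: a bit range of K (octet aligned)."""
    return key[offset_bits // 8 : (offset_bits + length_bits) // 8]

def derive_ptk(pmk: bytes, aa: bytes, sa: bytes,
               anonce: bytes, snonce: bytes, bits: int = 384) -> dict:
    # The slides note that 802.11i assumes a 256-bit PMK; refuse anything else
    # rather than silently stretching a short key.
    if len(pmk) != 32:
        raise ValueError("802.11i expects a 256-bit PMK")
    # Min/Max ordering makes the input identical on both sides of the link,
    # and the two nonces make every PTK fresh even when the PMK is reused.
    data = min(aa, sa) + max(aa, sa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, bits)
    return {
        "MK": L(ptk, 0, 128),     # EAPOL-Key MIC key
        "EK": L(ptk, 128, 128),   # EAPOL-Key encryption key
        "TK1": L(ptk, 256, 128),  # temporal key 1
    }

# Constructed sample inputs (not real keys, addresses or captured nonces).
PMK = bytes(range(32))
AA = bytes.fromhex("020000000001")   # authenticator address
SA = bytes.fromhex("020000000002")   # supplicant address
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()

if __name__ == "__main__":
    for name, value in derive_ptk(PMK, AA, SA, ANONCE, SNONCE).items():
        print(name, value.hex())
```

Each output key is a disjoint slice of one PRF output, which is what gives the cryptographic separation between the MIC, encryption and temporal keys.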

Pitfalls for the Unwary
Arbitrary AAA EAP key attributes
  –Transport keys derived by EAP methods
  –Critical to EAP interoperability: NAS expects MSK, not session key
  –Can encourage bad practices: ciphersuite-specific EAP methods
Improper key hierarchies
  –Loops can dilute key strength
  –Early 802.11i proposals had this problem
EAP methods generating keys without sufficient entropy
  –802.11i assumes a 256-bit PMK!
  –Issue for EAP SIM and EAP GSS
EAP methods without nonce exchanges
  –May not be able to generate required cryptographic separation without a subsequent nonce exchange
  –Could cause method to work only on some media (e.g vs. PPP)
  –Issue for EAP SRP

Summary
Secure key derivation is important to a number of uses of EAP
  –Secure ciphers lose their security when combined with insecure key derivation
EAP key derivation architecture currently not well understood
  –Current EAP methods exhibit a number of problems relating to key derivation
Secure key hierarchy derivation is a complex subject, best left to experts
Need to consider hierarchy when designing EAP method

EAP GSS Draft-aboba-pppext-eapgss-12.txt Bernard Aboba

Intended Purpose
Integrated network/Kerberos login
  –Depends on IAKERB GSS-API method
Media: PPP, IEEE 802
  –Kerberos vulnerable to dictionary attack on IEEE
  –Key derivation may not meet 802.11i criteria
Requested Track: Experimental

Security Claims
Mechanism: Depends on GSS-API mechanism (Kerberos: Passwords, Certs, Token cards)
Mutual/one-way auth: typically mutual (Kerberos: Mutual)
Key derivation
  1. Supported: yes
  2. Key size: depends on GSS-API method negotiated
  3. Key hierarchy description: no
Dictionary attack resistance: depends on method (Kerberos: no)
Identity hiding: Depends on method (Kerberos: no)
Protection
  1. Method negotiation: Yes (SPNEGO)
  2. Ciphersuite negotiation: No
  3. Success/failure indication: No
  4. Method packets: Yes
Fast reconnect: depends on method (Kerberos: no)

Issues
Scope
  –Does exchange end with AS_REP? TGT_REP? AP_REP?
Security
  –Dictionary attack on AS_REQ/AS_REP
Keying
  –How are tickets transmitted from peer to NAS?
  –Key derivation: initial draft did not include a nonce exchange, -12 does
  –Key derivation: Master key cannot be retrieved via GSS-API; need to derive “pseudo master key” via GSS_WRAP() calls
  –Key strength: depends on negotiated GSS-API method