Doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&D Slide 1 Dominos, bonds and watches: discussion of some security requirements.

Presentation transcript:

doc.: IEEE /1062r0 Submission September 2004 F. Bersani, France Telecom R&D

Slide 1: Dominos, bonds and watches: discussion of some security requirements for TGr
Florent Bersani, France Telecom R&D

Slide 2: Goal of this presentation
Loren Adams once said: "What is understood need not be discussed"
This presentation is about discussing some tentative security requirements listed in document IEEE /10048r0:
– Sharing of the PMK
– Binding of the PMK
– Timeliness of messages
... and make sure 09/13 discussion is captured

Slide 3: Sharing of the PMK
Sharing of the PMK is explicitly prohibited by IEEE i:
– Page 38, clause item 5 "An IEEE 802.1X AS never exposes the common symmetric key to any party except the AP with which the STA is currently communicating. (...)"

Slide 4: Sharing of the PMK
Sharing of the PMK is explicitly prohibited by IEEE i:
– Page 38, clause item 5 ctd. "It implies that the AS itself is never compromised. It also implies that the IEEE 802.1X AS is embedded in the AP, or the AP is physically secure and the AS and the AP lie entirely within the same administrative domain."

Slide 5: Sharing of the PMK
Yet practice does not seem to comply with this requirement (e.g., RADIUS proxying), should TG r?
Possible rationale for this requirement:
– The domino effect
– Sound cryptographic practice

Slide 6: Sharing of the PMK
This is reflected in document IEEE /10048r0, requirements:
– #2: "In particular, the pairs and must have cryptographically independent PMKs, or all the i security claims are voided. This rules out sharing PMKs among different APs."
– #7: "A PMK shall never be shared between APs"

Slide 7: Sharing of the PMK
The domino effect
– Housley, R., "Key Management in AAA", Presentation to the AAA WG at IETF 56,
– "Compromise of a single authenticator cannot compromise any other part of the system, including session keys and long-term secrets."

Slide 8: Sharing of the PMK
The domino effect
– Compromise of long term secrets would be really painful... but PMKs are not long term (except in PSK mode)
– Domino protection is useful when the network has the possibility to inform STA of the compromised AP
  Could also very well do it for PMKID... if it is not "too broadly shared"

Slide 9: Sharing of the PMK
Sound cryptographic practice
– Reusing a nonce can void security properties (e.g., Counter mode)
  However, if nonce is random then collision probability can be bounded
– A key has limited lifetime
  Sharing it, speeds up burning out. For 128 bit block length, assuming 54 Mbit/s, 0.4*10**14 s with 1 AP
– PMK is generally for a short period of time and used in a somewhat conservative scheme

Slide 10: Sharing of the PMK
Anyway what is an AP?
Not particularly advocating sharing the PMKs... just debating!

Slide 11: Binding the PMK
This "requirement" appeared during discussion of IEEE /10048r0
Perhaps alluded to in requirement #9 "The only visible identifier seems to be BSSID."
The idea would be that:
– A PMK should only be used by a pair
– This restriction should be "incorporated" in the PMK

Slide 12: Binding the PMK
Is the PTK bound to something?
– It incorporates nonces and MAC addresses...
– Yet this does not per se preclude sharing of the PTK!
How can we prevent two parties that have agreed to do so from abusing a key's usage???
What does "binding the keys" mean?
– EAP channel binding?
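One possible reading of "incorporating" the pair restriction in the key, combined with requirement #2's cryptographically independent PMKs, as an added Python example (not from the presentation or from any IEEE 802.11 draft). The root key held by the AS, the HMAC-SHA-256 derivation, the label strings and the MAC addresses are all assumptions made for illustration.

```python
# Added illustration, not from the presentation or from any IEEE 802.11 draft.
# ROOT_KEY, the label strings and the MAC addresses are constructed values.
import hashlib
import hmac

ROOT_KEY = bytes(range(32))            # constructed; assumed to be held only by the AS
STA = bytes.fromhex("02aabbccdd01")    # constructed MAC addresses
AP1 = bytes.fromhex("02aabbccdd11")
AP2 = bytes.fromhex("02aabbccdd22")

def derive_pair_pmk(root_key, sta_mac, bssid):
    """One PMK per <STA, AP> pair: both identities are inputs to the derivation."""
    info = b"example pairwise PMK\x00" + sta_mac + bssid
    return hmac.new(root_key, info, hashlib.sha256).digest()

def confirm(pmk, sta_mac, bssid, nonce):
    """Key-confirmation tag over the identities and a nonce."""
    msg = b"confirm\x00" + sta_mac + bssid + nonce
    return hmac.new(pmk, msg, hashlib.sha256).digest()

def verify(pmk, sta_mac, bssid, nonce, tag):
    return hmac.compare_digest(confirm(pmk, sta_mac, bssid, nonce), tag)

def domino_check():
    """Return (keys_independent, ap1_key_fails_at_ap2, copied_key_still_works)."""
    pmk1 = derive_pair_pmk(ROOT_KEY, STA, AP1)
    pmk2 = derive_pair_pmk(ROOT_KEY, STA, AP2)
    nonce = b"\x01" * 16               # constructed; random in practice
    # Domino containment: a party holding only AP1's key cannot pass
    # key confirmation for the pair <STA, AP2>.
    tag_from_ap1_key = confirm(pmk1, STA, AP2, nonce)
    fails_at_ap2 = not verify(pmk2, STA, AP2, nonce, tag_from_ap1_key)
    # Slide 12's caveat: the derivation binds the key to names, not to holders.
    # Any party given a copy of pmk1 produces the same valid tag for <STA, AP1>.
    copy_of_pmk1 = bytes(pmk1)
    tag_from_copy = confirm(copy_of_pmk1, STA, AP1, nonce)
    still_works = verify(pmk1, STA, AP1, nonce, tag_from_copy)
    return pmk1 != pmk2, fails_at_ap2, still_works

if __name__ == "__main__":
    print(domino_check())
```
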

Slide 13: Timeliness of messages
This is reflected in document IEEE /10048r0, requirements
– #11 "An AP shall test the liveness of the mobile STA at reassociation when the mobile STA does a secure fast transition to it. This is required to synchronize replay counters."
– #12. "A mobile STA shall test the liveness of the AP at reassociation when it does a secure fast transition to a new AP. This is required to synchronize replay counters"

Slide 14: Timeliness of messages
The attack scenario:
– Sent: CCMP protected frame, PN=23: "Sell stocks, now!"
– Attacker delays the frame (and possibly subsequent traffic)
– Delivered later: CCMP protected frame, PN=23: "Sell stocks, now!"
This is not a replay: client only sees the delayed frame once

Slide 15: Timeliness of messages
i does not include such a feature, why:
– Hard to do? (timestamps,...)
– Not necessary? (client won't stay associated with big delays)
Should TGr?
– What if pre-auth is allowed to go up to deriving a PTK: there can be some time between derivation and usage
– Avoid DoS and black-holes

Slide 16: Timeliness of messages
Solution alluded to, to provide timeliness: periodically make a protected resynch of replay counters
– Kind of a key confirmation
– Tradeoff between the frequency of this resynch and the "timeliness" protection
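The delay scenario of slide 14 and the resynchronization idea of slide 16, as an added Python model (not part of the presentation). The `Receiver` class, the integer clock, the verdict strings and the way the resync is modelled (a protected exchange that tells the receiver the sender's current PN) are assumptions made for illustration.

```python
# Added illustration, not from the presentation. Time is an integer number of
# seconds; the resync is modelled as an integrity-protected exchange that
# tells the receiver the sender's current packet number (PN).

class Receiver:
    def __init__(self, last_pn, resync_interval=None):
        self.last_pn = last_pn                  # highest PN accepted or confirmed
        self.resync_interval = resync_interval  # None = replay check only
        self.last_resync = 0

    def resync(self, now, sender_pn):
        """Protected counter resync: every PN up to sender_pn is now old."""
        self.last_resync = now
        self.last_pn = max(self.last_pn, sender_pn)

    def accept(self, pn, now):
        if pn <= self.last_pn:
            return "reject: PN not fresh"
        if (self.resync_interval is not None
                and now - self.last_resync > self.resync_interval):
            # No protected resync arrived in time: traffic may be held back.
            return "reject: resync overdue"
        self.last_pn = pn
        return "accept"


def delayed_frame_verdict(delay, resync_interval=None, resync_blocked=False):
    """Frame PN=23 is sent at t=0 and held in transit for `delay` seconds."""
    rx = Receiver(last_pn=22, resync_interval=resync_interval)
    if resync_interval is not None and not resync_blocked:
        # Resyncs that reached the receiver before the held frame was released.
        for t in range(resync_interval, delay + 1, resync_interval):
            rx.resync(now=t, sender_pn=23)
    return rx.accept(pn=23, now=delay)


if __name__ == "__main__":
    print(delayed_frame_verdict(600))                           # replay check only
    print(delayed_frame_verdict(600, 10))                       # resync every 10 s
    print(delayed_frame_verdict(600, 10, resync_blocked=True))  # resync also held
    print(delayed_frame_verdict(5, 10))                         # delay < interval
```

The last case shows the tradeoff named on the slide: a delay shorter than the resync interval still goes unnoticed.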

Slide 17: Conclusion
TG r PAR: "Security must not be decreased as a result of the enhancement."
To what extent has TG r to comply with TG i?
– Is there an objective measure of security diminution?
– TG r can break some of TG i assumptions, yet prove that it remains secure...
How to make an apples-to-apples comparison between the security of the proposals?