N. Asokan, Kaisa Nyberg, Valtteri Niemi Nokia Research Center

Slides:



Advertisements
Similar presentations
Authentication.
Advertisements

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.
EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Company Confidential 1 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials Pre-Shared Key TLS with GBA support Thesis presentation ESPOO, Finland.
Myagmar, Gupta UIUC G Security Principles Build on GSM security Correct problems with GSM security Add new security features Source: 3GPP.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Doc.: IEEE /0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.
SIPPING IETF51 3GPP Security and Authentication Peter Howard 3GPP SA3 (Security) delegate
1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.
Ubiquitous Access Control Workshop 1 7/17/06 Access Control and Authentication for Converged Networks Z. Judy Fu John Strassner Motorola Labs {judy.fu,
802.1x EAP Authentication Protocols
Protected Extensible Authentication Protocol
Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP x EAP API.
IEEE Wireless Local Area Networks (WLAN’s).
WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,
CONTEXT BINDING: An Emerging Problem in Cryptographic Protocols Catherine Meadows Naval Research Laboratory Code 5543 Washington, DC 20375
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
EAP Mutual Cryptographic Binding draft-ietf-karp-ops-model-03 draft-ietf-karp-ops-model-03 S. Hartman M. Wasserman D. Zhang.
Doc.: IEEE /1066r2 Submission July 2011 Robert Moskowitz, VerizonSlide 1 Link Setup Flow Date: Authors: NameCompanyAddressPhone .
WIRELESS LAN SECURITY Using
Comparative studies on authentication and key exchange methods for wireless LAN Authors: Jun Lei, Xiaoming Fu, Dieter Hogrefe and Jianrong Tan Src:
Security in GSM/GPRS and UMTS
Eugene Chang EMU WG, IETF 70
EMU BOF EAP Method Requirements Bernard Aboba Microsoft Thursday, November 10, 2005 IETF 64, Vancouver, CA.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and i IKEv2 EAP authentication.
Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures Joaquin Torres, A. Izquierdo, M. Carbonell and J.M. Sierra Carlos III.
EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.
KAIS T Security architecture in a multi-hop mesh network Conference in France, Presented by JooBeom Yun.
Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)
2003/12/291 Security Aspects of 3G-WLAN Interworking 組別: 2 組員: 陳俊文 , 李奇勇 , 黃弘光 , 林柏均
KAIS T Wireless Network Security and Interworking Minho Shin, et al. Proceedings of the IEEE, Vol. 94, No. 2, Feb Hyeongseop Shim NS Lab, Div. of.
EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba
July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...
Wireless Network Security and Interworking
PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG
後卓越計畫 進度報告 楊舜仁老師實驗室 GPP-WLAN Interworking (collaboration with ICL/ITRI)
EAP Authentication for SIP & HTTP V. Torvinen (Ericsson), J. Arkko (Ericsson), A. Niemi (Nokia),
All Rights Reserved © Alcatel-Lucent 2007, ##### 1 | Presentation Title | January 2007 UMB Security Evolution Proposal Abstract: This contribution proposes.
November 2005IETF 64, Vancouver, Canada1 EAP-POTP The Protected One-Time Password EAP Method Magnus Nystrom, David Mitton RSA Security, Inc.
EAP-FAST Version 2 draft-zhou-emu-eap-fastv2-00.txt Hao Zhou Nancy Cam-Winget Joseph Salowey Stephen Hanna March 2011.
EAP Keying Framework Draft-aboba-pppext-key-problem-06.txt EAP WG IETF 56 San Francisco, CA Bernard Aboba.
ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.
March 17, 2003 IETF #56, SAN FRANCISCO1 Compound Authentication Binding Problem (EAP Binding Draft) Jose Puthenkulam Intel Corporation (
1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)
1 Replay protection method for CAVE based AKA Anand Palanigounder Qualcomm Inc.
Authentication and Authorisation in eduroam Klaas Wierenga, AA Workshop TNC Lyngby, 20th May 2007.
Emu wg, IETF 70 Steve Hanna, EAP-TTLS draft-funk-eap-ttls-v0-02.txt draft-hanna-eap-ttls-agility-00.txt emu wg, IETF 70 Steve Hanna,
1 3GPP2 GBA Overview Adrian Escott Chair, TSG-S WG4 24 May 2006.
3GPP GBA Overview Adrian Escott.
Wireless Unification Theory William Arbaugh University of Maryland College Park.
Key Management in AAA Russ Housley Incoming Security Area Director.
Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper.
RFC 2716bis Wednesday, July 12, 2006 Draft-simon-emu-rfc2716bis-02.txt Dan Simon Bernard Aboba IETF 66, Montreal, Canada.
San Diego, August 2004 IETF 60 th – mip6 WG MIPv6 authorization and configuration based on EAP (draft-giaretta-mip6-authorization-eap-01) Gerardo Giaretta.
KAIS T Comparative studies on authentication and key exchange methods for wireless LAN Jun Lei, Xiaoming Fu, Dieter Hogrefe, Jianrong Tan Computers.
Extended QoS Authorization for the QoS NSLP Hannes Tschofenig, Joachim Kross.
1 Rogue Mobile Shell Problem Verizon Wireless October 26, 2000 Christopher Carroll.
Wireless Security - Encryption Joel Jaeggli For AIT Wireless and Security Workshop.
November 18, 2002 IETF #55, ATLANTA1 Problem with Compound Authentication Methods Jesse Walker Intel Corporation (
The Tunneled Extensible Authentication Method (TEAM)
January doc.: IEEE xx/xxxx January 2006
Presentation transcript:

N. Asokan, Kaisa Nyberg, Valtteri Niemi Nokia Research Center Man-in-the-middle in Tunnelled Authentication Cambridge Security Protocols Workshop, April 2003 N. Asokan, Kaisa Nyberg, Valtteri Niemi Nokia Research Center

A tale of two protocols In the beginning.. an authentication method is designed and deployed for some need user credentials are provisioned, at great expense ..then a framework protocol is developed; to transparently support multiple authentication methods authentication methods are plugged in to the framework .. new applications arise; framework doesn’t quite do the job missing bits: session keys, mutual authentication, identity privacy designing a new protocol is not a desirable option provisioning new credentials is even less desirable Use it with another protocol that provides missing features

AKA and EAP/AKA: example authentication protocol AKA: authentication and key agreement protocol for 3GPP mutual authentication, session key derivation EAP: an authentication framework supports multiple authentication mechanisms EAP/AKA: plugging AKA into EAP allows WLAN access authentication using cellular credentials User Equipment Serving Network Home Environment IMSI Request IMSI IMSI RAND K SQN RAND K AUTN RAND,AUTN,XRES,IK,CK RAND, AUTN XRES AUTN CK IK Is SQN fresh? RES RES SQN CK IK RES = XRES?

PEAP: example of tunnelled authentication Ciphersuite (for link layer) Ciphersuite (for link layer) Server-authenticated tunnel Client NAS Backend Server EAP conversation over PPP or 802.11 link Keys Trust EAP API EAP API EAP Method EAP Method

Tunnelled authentication Client Front-end authenticator Backend Server (Tunnel authentication) Backend Server (Legacy authentication) Tunnelling protocol Server authenticated secure tunnel establishment secure tunnel Authentication protocol Client authentication

The same tale in different guises PIC - ISAKMP and EAP: provisioning credentials based on legacy authentication IKEv2 Secure Legacy Authentication PANA over TLS: Authentication for Network Access HTTP Digest Authentication and TLS

PEAP with EAP/AKA NAS Backend Backend Client Server Server (Front-end authenticator) Backend Server (TLS Authentication) Backend Server (AKA Authentication) Establishing a PEAP tunnel (server authenticated) EAP-Request/Identity PEAP Part 1 – TLS based on server certificate secured by PEAP TLS tunnel TLS(EAP-Request/Identity) TLS(EAP-Response/Identity(IMSI)) IMSI [e.g., over DIAMETER] RAND,AUTN,XRES,IK,CK [e.g., over DIAMETER] TLS(EAP-Request/AKA-Challenge (RAND, AUTN)) TLS(EAP-Response/AKA-Challenge (RES, …)) WLAN master session key (based on TLS tunnel key) Data traffic on secured link

MitM against PEAP+EAP/AKA Client MitM NAS (Front-end Authenticator) Backend Server (TLS Authentication) Backend Server (AKA Authentication) Establishing a PEAP tunnel (server authenticated) EAP-Request/Identity PEAP Part 1 – TLS based on server certificate secured by PEAP TLS tunnel TLS(EAP-Request/Identity) IMSI Request IMSI TLS(EAP-Response/Identity(IMSI)) IMSI [e.g., over DIAMETER] RAND,AUTN,XRES,IK,CK [e.g., over DIAMETER] TLS(EAP-Request/AKA-Challenge (RAND, AUTN)) RAND, AUTN RES TLS(EAP-Response/AKA-Challenge (RES)) WLAN master session key (based on TLS tunnel key only) Stolen WLAN link

Conditions for failure Same credential used in both tunnelled & untunnelled modes Tunnelling protocol does not perform mutual authentication Keys from authentication protocol not used for subsequent protection

Fixing the problem Enforcing that same credential is not used in both modes maybe feasible in some cases not exactly “legacy authentication” anymore server authentication brings in new problems unnecessary restriction on strong authentication methods Require mutual authentication in tunnelling protocol if that is possible, no need for tunnelling in the first place Cryptographically bind tunnelling and authentication protocol binding can be explicit or implicit requires authentication protocol to provide a key to be used in binding requires changes to tunnelling protocol or framework does not improve the security of weak authentication protocols

Current status Some authors of tunnel proposals informed in October 2002 General agreement that this is indeed a problem opinions differ on what the solution should be Subsequent changes to several proposals to reduce the impact of the problem EAP/AKA (v-05) PEAP (v-06) IKEv2 (v-05) PANA over TLS (v-01)  PANA (v-00) EAP SIM GMM  EAP binding …

Are there any lessons here? This is all obvious, at least in hindsight So why did it happen? re-use of credentials is unavoidable in practice re-use of protocols is also unavoidable in practice framework equalizes all authentication methods mutual authentication, key agreement etc. not visible tools for/knowledge of protocol validation not accessible to designers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.