Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-10/0899r2 Submission July2010 Dan Harkins, Aruba NetworksSlide 1 Secure PSK Authentication Date: 2010-07-14 Authors:

Similar presentations


Presentation on theme: "Doc.: IEEE 802.11-10/0899r2 Submission July2010 Dan Harkins, Aruba NetworksSlide 1 Secure PSK Authentication Date: 2010-07-14 Authors:"— Presentation transcript:

1 doc.: IEEE 802.11-10/0899r2 Submission July2010 Dan Harkins, Aruba NetworksSlide 1 Secure PSK Authentication Date: 2010-07-14 Authors:

2 doc.: IEEE 802.11-10/0899r2 Submission July 2010 Dan Harkins, Aruba NetworksSlide 2 Abstract This presentation presents the problems with D0.1’s use of PSKs and a solution to them.

3 doc.: IEEE 802.11-10/0899r2 Submission July 2010 Dan Harkins, Aruba NetworksSlide 3 What’s the Problem? PSKs are being used for authentication in a PBSS It is difficult to provision a “strong” PSK. –Strength is a function of entropy in the PSK. –For a character-based PSK there is approximately 1.5 bits of entropy per character. –Generating a key suitable for use with GCM implies a character string of around 100 characters. –Humans have a hard time entering a string of 20 characters repeatedly with a low probability of error. Weak PSKs will be used because doing otherwise is prohibitive and problematic for operators and users. –Need a robust protocol to use PSKs properly, can’t just mandate all PSKs are uniformly random binary strings of sufficient length.

4 doc.: IEEE 802.11-10/0899r2 Submission Okay, So What’s the Problem? The PSK is leaked when used in Draft 0.1 –Using the PSK directly in the 4-Way Handshake has known and well- published problems. Cracking tools available on the Internet. –A PSKID, based on a hash of the PSK, is included in beacons. Protocols using the PSK are susceptible to an off-line dictionary attack –An attacker has all information needed to run through a dictionary of potential passwords until the correct one is found. –This attack is not detectable by legitimate members of the PBSS. Learning the PSK allows an attacker to recover all past and future traffic. The strength of the PSK determines the strength of the GCM key and that’s not strong enough (see previous slide). July 2010 Dan Harkins, Aruba NetworksSlide 4

5 doc.: IEEE 802.11-10/0899r2 Submission What’s the Solution? A protocol that uses a PSK that is resistant to attack –Each active attack leaks a single bit of information– whether the singular guess was correct or not. Passive attack is not possible. –Probability of guessing the PSK is 1/(S-x) after x guesses of the PSK from a pool of possible PSKs of size S. –Perfect Forward Secrecy is achieved. A protocol which can produce a cryptographically strong key suitable for use with GCM –An entropy amplifier! –The strength of the PSK does not determine the strength of the GCM key. A robust, misuse-resistant protocol A protocol called SAE from the 11s draft July 2010 Dan Harkins, Aruba NetworksSlide 5

6 doc.: IEEE 802.11-10/0899r2 Submission SAE Based upon the Dragonfly key exchange. –Secure against active, passive and dictionary attack Uses public key cryptography to produce a strong GCM key that is authenticated with a (potentially weak) PSK. An RSNA authentication protocol for 802.11. Uses 802.11 authentication frames (not data frames). Free, open source (BSD licensed) reference implementation available: http://sourceforge.net/projects/authsae July 2010 Dan Harkins, Aruba NetworksSlide 6

7 doc.: IEEE 802.11-10/0899r2 Submission July 2010 Dan Harkins, Aruba NetworksSlide 7 References 11-10-0884-00-00ad-secure-psk-authentication.doc

8 doc.: IEEE 802.11-10/0899r2 Submission Backup Is PSK insecurity really a big deal? In a word: yes. –The Church of WiFi-- http://www.churchofwifi.org/ -- has released DVDs containing all permutations of the 1,000 most popular SSIDs and the 1,000,000 most popular passwords.http://www.churchofwifi.org/ –There are off-the-shelf tools to crack PSKs aircrack-ng – available for Windows and Linux coWPAtty – available for Windows and Linux –Don’t have the wherewithal to run off-the-shelf tools with easily obtained DVDs? Don’t worry! WPA Cracker offers a cloud cracking service: http://www.wpacracker.com/index.html August 2010 Dan Harkins, Aruba NetworksSlide 8

9 doc.: IEEE 802.11-10/0899r2 Submission Backup WPA Cracker –Available with both English and German dictionaries! –The “standard” English dictionary has 136 million PSKs in it. The “extended” English dictionary has an addition 284 million PSKs. The “numbers” dictionary has an additional 100 million PSKs. Combine them all for an aggregate dictionary of 520 million PSKs! –It takes an average of 20 minutes and costs only $17 “Simply upload your network capture, start your job, and WPA Cracker will email you the results within minutes!” –With 11ad all an attacker needs is a beacon to give to WPA Cracker! August 2010 Dan Harkins, Aruba NetworksSlide 9

10 doc.: IEEE 802.11-10/0899r2 Submission Backup PSK problems have generated considerable bad press and problems for IEEE Std 802.11. –"Weakness in Passphrase Choice in WPA Interface". 04 Nov 2003 http://wifinetnews.com/archives/002452.html, Bob Moskowitz http://wifinetnews.com/archives/002452.html –“Hacking WEP and WPA-PSK”, 20 Mar 2008 http://www.cwnp.com/index/cwnp_wifi_blog/5066 http://www.cwnp.com/index/cwnp_wifi_blog/5066 –The Chinese government has proposed a replacement for 802.11 at ISO (JTC1/SC6) and the security issues with PSK are the justification they’re using– “802.11 is insecure, WAPI fixes it” Do you really want to see the following headlines? –“New wireless gigabit standard broken already” –“A red carpet to hackers, the latest offering from 802.11” August 2010 Dan Harkins, Aruba NetworksSlide 10


Download ppt "Doc.: IEEE 802.11-10/0899r2 Submission July2010 Dan Harkins, Aruba NetworksSlide 1 Secure PSK Authentication Date: 2010-07-14 Authors:"

Similar presentations


Ads by Google