Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKEX issue in ai Date: Authors: September 2016

Published byTabitha Green Modified over 6 years ago

Similar presentations

Presentation on theme: "PKEX issue in ai Date: Authors: September 2016"— Presentation transcript:

1 PKEX issue in 802.11ai Date: 2016-09-13 Authors: September 2016
doc.: IEEE /1261r0 September 2016 PKEX issue in ai Date: Authors: Dan Harkins, HPE Dan Harkins, HPE

2 Abstract This presentation discusses the PKEX issues. September 2016
doc.: IEEE /1261r0 September 2016 Abstract This presentation discusses the PKEX issues. Dan Harkins, HPE Dan Harkins, HPE

3 September 2016 doc.: IEEE /1261r0 September 2016 PKEX Exchange Intended to allow two parties to exchange a “raw” public key for use with FILS public key authentication Uses a password to authenticate the exchange and encrypt the exchanged public keys Dan Harkins, HPE Dan Harkins, HPE

4 PKEX Exchange September 2016 sA PA = sA*G sB PB = sB*G Alice Bob
shared secret pw Pwe = F(pw) mA = H(macA) CA = PA + mA*Pwe Pwe = F(pw) mB = H(macB) CB = PB + mB*Pwe CA CB m’B = H(macB) P’B = CB - m’B*Pwe if (min(nonceA, nonceB) == nonceA x = H(nonceB|| nonceA) k = Kdf(x, "PKEX Key Confirmation", CB || CA || macB || macA || F(S)) else x = H(nonceA || nonceB) CA || CB || macA || macB || F(S)) checkA = HMAC(k, PA || P’B || macA|| macB) m’A = H(macA) P’A = CA - m’A*Pwe if (min(nonceB, nonceA) == nonceB x = H(nonceA || nonceB) k = Kdf(x, "PKEX Key Confirmation", CA || CB || macA || macB || F(S)) else x = H(nonceB|| nonceA) k = Kdf(x, "PKEX Key Confirmation", CB || CA || macB || macA || F(S)) checkB = HMAC(k, PB || P’A || macB|| macA) checkA checkB Validate checkB == HMAC(k, PB || PA || macB|| macA) Validate checkA == HMAC(k, PA || P’B || macA|| macB) After the exchange: - Alice has Bob’s public key PB and has validated its ownership to that of the owner of the shared secret - Bob has Alice’s public key PA and has validated its ownership to that of the owner of the shared secret September 2016 Dan Harkins, HPE

5 September 2016 doc.: IEEE /1261r0 September 2016 What’s the Problem? Only truly secure when the same public key is not used in multiple PKEX runs Running PKEX multiple times with the same public key opens up two attacks: Off-line dictionary attack to determine the password(s) used Man-in-the-middle attack to insert an adversary’s public key Dan Harkins, HPE Dan Harkins, HPE

6 Off-line Dictionary Attack
September 2016 Off-line Dictionary Attack Adversary watches two exchanges in which she knows that the same public key was used both times (let’s say from “Alice”) CA1 = PA + QA1 = PA + (mA*Pwe1) CA2 = PA + QA2 = PA + (mA*Pwe2) Therefore, adversary knows CA1 - CA2 = QA1 - QA2 Adversary can go offline and check all N2 password combinations where N is number of possible passwords Birthday paradox makes this an O(N) attack not O(N2) Dan Harkins, HPE

7 Off-line Dictionary Attack
September 2016 Off-line Dictionary Attack If the adversary learns the password after the exchange is over the so what? Keys are exchanged, nothing is subverted If dictionary attack can be done in real-time though, the exchange can be subverted by inserting the adversary’s public key into the exchange Dictionary attacks are getting faster and faster Dan Harkins, HPE

8 Man-in-The-Middle Attack
September 2016 Man-in-The-Middle Attack Adversary knows that the same key is being used a second time (let’s say by “Bob”) Adversary gets C1, modifies C2 = C = PB + QB by determining QB (knows PB) and inserts adversary’s key But adversary cannot decrypt PA to complete attack because she doesn’t know QA To determine QA, it is necessary to take a discrete logarithm from an unknown root An Nth root equation where N is a 256-bit number! Extremely unlikely this compute power is readily available But the fix is easy, add the password to the KDF Dan Harkins, HPE

9 Man-in-The-Middle Attack
September 2016 Man-in-The-Middle Attack There is an easier attack but it requires both parties to exchange the same key multiple times There is really no reason why people would do PKEX twice with the same keys– if they exchanged their keys once what’s the point? Somewhat of a contrived attack, but the fix is the same, add the password to the KDF Dan Harkins, HPE

10 Conclusion The Man-In-The-Middle attack is an easy fix
September 2016 Conclusion The Man-In-The-Middle attack is an easy fix The dictionary attack is more severe has a history of releasing security protocols with flaws– PSK mode, WEP It is possible to replace PKEX with something that does not suffer from the problems presented here PKEX is not critical to FILS, it’s optional and it’s still possible exchange “raw” public keys in a manner outside the scope of the standard. Let’s just get rid of PKEX Dan Harkins, HPE

11 References September 2016 doc.: IEEE 802.11-16/1261r0 September 2016
Dan Harkins, HPE Dan Harkins, HPE

Download ppt "PKEX issue in ai Date: Authors: September 2016"

Similar presentations

The Diffie-Hellman Algorithm

The Diffie-Hellman Algorithm
Secure Pre-Shared Key Authentication for IKE

Secure Pre-Shared Key Authentication for IKE
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
1 Security analysis of an enhanced authentication key exchange protocol Authors : H.Y. Liu, G.B. Horng, F.Y. Hung Presented by F.Y. Hung Date : 2005/5/20.

1 Security analysis of an enhanced authentication key exchange protocol Authors : H.Y. Liu, G.B. Horng, F.Y. Hung Presented by F.Y. Hung Date : 2005/5/20.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.

Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Doc.: IEEE 802.11-11/1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: 2012-01-09 Authors:

Doc.: IEEE /1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:
Encryption Questions answered in this lecture: How does encryption provide privacy? How does encryption provide authentication? What is public key encryption?

Encryption Questions answered in this lecture: How does encryption provide privacy? How does encryption provide authentication? What is public key encryption?
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.

1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
Submission doc.: IEEE 802.11-15/1128r1 September 2015 Dan Harkins, Aruba Networks (an HP company)Slide 1 Opportunistic Wireless Encryption Date: 2015-09-13.

Submission doc.: IEEE /1128r1 September 2015 Dan Harkins, Aruba Networks (an HP company)Slide 1 Opportunistic Wireless Encryption Date:
Chapter 1 – Introduction Part 4 1. Message Authentication Codes Allows for Alice and Bob to have data integrity, if they share a secret key. Given a message.

Chapter 1 – Introduction Part 4 1. Message Authentication Codes Allows for Alice and Bob to have data integrity, if they share a secret key. Given a message.
Doc.: IEEE 802.11-09/0123r0 Submission January 2009 Dan Harkins, Aruba NetworksSlide 1 Secure 802.11 Authentication Using Only A Password Date: 2009-01-19.

Doc.: IEEE /0123r0 Submission January 2009 Dan Harkins, Aruba NetworksSlide 1 Secure Authentication Using Only A Password Date:
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
Diffie-Hellman Key Exchange Color Mixing Example Rick Stroud 21 September 2015 CSCE 522.

Diffie-Hellman Key Exchange Color Mixing Example Rick Stroud 21 September 2015 CSCE 522.
Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.

Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.
Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.

Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.

Similar presentations

Ads by Google