Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS259: Security Analysis of Network Protocols, Winter 2008

Published byMartina Pope Modified over 6 years ago

Similar presentations

Presentation on theme: "CS259: Security Analysis of Network Protocols, Winter 2008"— Presentation transcript:

1 CS259: Security Analysis of Network Protocols, Winter 2008
Proving IEEE i Secure Mukund Sundararajan Joint work with Changhua He, Arnab Roy, Anupam Datta, Ante Derek, John Mitchell

2 802.11i Key Management Auth Server Laptop Access Point
TLS: Uses Certificates, provides authentication (Shared Secret-PMK) 4WAY Handshake: Creates keys for data communication Todays wireless networks Group key handshake: Keys for broadcast communication Data protection: AES based

3 Properties of 802.11i Key Mgt. Roughly
Only authorized devices can join n/w Devices do not join rogue n/w Peer device is alive Keys set up for data and group communication are fresh and secret

4 Proof of i security A Formal Proof in Protocol Composition Logic (PCL) of : On execution of an i role, properties listed in the standard are satisfied. Attacker model (perfect crypto) Intercept, read, reorder, delete any message on the n/w Construct, send messages Properties and attacker model, two levels of security rework properties

5 Why a Proof? [He Mitchell] analyzed 4Way Handshake using Murphi
Found a DoS attack But did not find any security flaws [Mitchell Shmatikov] analyzed TLS ‘Finite’ state analysis does not guarantee security

6 Model Checking does’nt Scale
Laptop A.P. A.S. EAP-TLS Client EAP-TLS Server 4WAY Supplicant 4WAY Authenticator Change edge color Group key Supplicant Group key Authenticator 802.11i

7 TLS Server Role receive C, S, nc, suiteC //Hello new ns
send S, C, ns, suiteS //Resp receive C, S, {sec}Ks , SIGC(hshk1) //Xfer check SIGC(hshk1) decrypt {sec}Ks send S, C, hashsec(hshk2) //ServerView

8 Security Properties of TLS
The client and the server agree on Value of the secret Version and crypto suite Identities (mutual authentication) Protocol completion status The secret term is not known to a principal who is not the client or the server (shared secret) Must make nice repeatable diagram

9 Matching Conversations
Honest(C) [TLS Server]S C. Send ( C, Hello)  Receive ( S, Hello )  Receive ( S, Hello )  Send ( S, Resp)  Send ( S, Resp)  Receive( C, Resp)  Receive( C, Resp)  Send ( C, KeyXfer)  Send ( C, KeyXfer)  Receive ( S, KeyXfer)  Receive ( S, KeyXfer)  Send( S,ServerView) Fix the font

10 Proof Sketch 1. S sees SIGC(hshk1) concludes C constructed it
4. If honest C constructed SIGC(hshk1), then it executed actions consistent with TLS Client role 5. Order actions based on freshness of nonces Fix the font color

11 Some Axioms Used in the Proof

12 Program Invariant used in Proof

13 Proof of TLS Authentication

14 Matching Conversations!

15 Proof Structure EAP-TLS Client EAP-TLS Server Group key Authenticator
Pre-conditions 4WAY Authenticator Local Reasoning Based on actions And cryptography Program Invariants Fails for the 4-Way handshake – reflection attack Group key Authenticator 4WAY Supplicant Group key Supplicant

16 Protocol Insights 802.11i is secure Other modes are safe
Using Cached PMKs and Pre-shared Keys is safe Safe under error handling Protocols can share certificates with TLS as long as conditions listed in paper are satisfied

17 Evolution of WLAN Security
Wired Equivalent Privacy Incorrect use of cryptography WEP lacks key mgt 802.11i is designed to fix these issues (June 2004) [He Mitchell] uncovers DoS attacks Fix adopted by standards committee Security Proof of i

18 Error Handling [HM05] Stage 1: Network and Security Capability Discovery Stage 2: 802.1X Authentication (mutual authentication, shared secret, cipher suite) Stage 3: Secure Association (management frames protected) Stage 4: 4-Way Handshake (PMK confirmation, PTK derivation, and GTK distribution) Stage 5: Group Key Handshake Stage 6: Secure Data Communications Michael MIC Failure or Other Security Failures Group Key Handshake Timeout 4-Way Handshake Timeout Association Failure 802.1X Failure

19 Interactions can cause Flaws
Exercise: Construct two protocols. Each does something reasonable. Each is secure in isolation. But, if any principal executes both protocols, one of the two protocols is insecure. Chosen protocol attack (Wagner et.al.) Scaling issues

20 Thanks!

Download ppt "CS259: Security Analysis of Network Protocols, Winter 2008"

Similar presentations

AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.
Chapter 07 Designing and Implementing Security for WLAN

Chapter 07 Designing and Implementing Security for WLAN
CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Analysis and Improvements over DoS Attacks against IEEE 802.11i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.

Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Security Analysis and Improvements for IEEE 802.11i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.

Security Analysis and Improvements for IEEE i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.
Doc.: Submission, Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the 802.15.4 Network.

Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell.

Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,

Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
WLAN security S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.

WLAN security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
Analysis of 4-way handshake protocol in IEEE 802.11i Changhua He Stanford University Mar. 04, 2004.

Analysis of 4-way handshake protocol in IEEE i Changhua He Stanford University Mar. 04, 2004.

Similar presentations

Ads by Google