Presentation is loading. Please wait.

Presentation is loading. Please wait.

Password Authenticated Key Exchange

Published byDavid Malone Modified over 6 years ago

Similar presentations

Presentation on theme: "Password Authenticated Key Exchange"— Presentation transcript:

1 Password Authenticated Key Exchange
March 2008 doc.: IEEE /0045r3 March 2008 Password Authenticated Key Exchange Date: Authors: Dan Harkins, Aruba Networks Dan Harkins, Aruba Networks

2 March 2008 doc.: IEEE /0045r3 March 2008 Abstract A key exchange authenticated with a password (which may be cryptographically weak) is presented. Dan Harkins, Aruba Networks Dan Harkins, Aruba Networks

3 Pre-shared Key Authentication in 11s
March 2008 Pre-shared Key Authentication in 11s Required for certain use cases. Current proposal is unrealistic Pre-shared key is assumed to be cryptographically strong Pre-shared key is pairwise. Pre-shared keys are deployed problematically for a reason Pairwise keys doesn’t scale: give an administrator a choice between O(n) and O(1) s/he will choose the latter. Pre-shared keys will be shared. Experience shows that things will be used insecurely if that’s easier to deploy that way. If n is a non-trivial amount (i.e. at least one-half dozen) the pre-shared key must be something that can be repeatedly entered with a low probability of errors– i.e. it probably won’t be cryptographically strong. Design of Key Hierarchy assumes root key is unique Sharing of pre-shared keys voids a fundamental security assumption The pre-shared key is used directly in the MSA 4-way handshake Dan Harkins, Aruba Networks

4 This Poses Severe Problems in a Mesh
March 2008 This Poses Severe Problems in a Mesh Using the pre-shared key (or key trivially derived from pre-shared key) with MSA authentication is susceptible to attack. There are downloadable scripts available that can crack an i PSK in minutes! They could easily to the same for an s PSK The attack in 11s is far worse than the attack in 11i Attacking i PSK allows access to the network behind an AP for attackers within earshot of the AP. Attacking s PSK would allow the mesh to grow unbounded to unauthorized MPs and clients Successful attacks cause the mesh to grow, further increasing unauthorized traffic being sent onto the wired network behind the mesh. the larger the mesh the more opportunity for more attackers to see the mesh and attack it. It’s a vicious downward spiral. Uniqueness of mesh makes pre-shared key usage problematic A mesh introduces more opportunities for attack (more MPs!) than an infrastructure network Successful attack of one node compromises the mesh allows for exposure of prior traffic sent to/from the compromised MP and forgery of traffic to/from the compromised MP. Dan Harkins, Aruba Networks

5 March 2008 Mesh is used in a warehouse It gets attacked, mesh grows
when unauthorized mesh point authenticates with the PSK. Bigger mesh is visible to more people who attack it, further growing the mesh …and it keeps growing as it keeps getting attacked. Dan Harkins, Aruba Networks

6 March 2008 How to Fix this Problem We need to ensure mesh security regardless of deployment. We need to ensure that the key used in the MSA 4-way handshake is unique and cryptographically strong. We cannot do that by issuing a fiat in the draft. We need a way to turn a cryptographically weak, and possibly shared, pre-shared secret into a unique and cryptographically strong key. This technique must be: Resistant to active attack Resistant to passive attack Resistant to dictionary attack We need to ensure that the technique used to generate a cryptographically strong key is appropriate for mesh. There cannot be any notion of an “initiator” and a “responder” We need simultaneous authentication of equals Dan Harkins, Aruba Networks

7 Simultaneous Authentication of Equals
March 2008 Simultaneous Authentication of Equals A protocol for authentication and key derivation using a, presumably weak, pre-shared secret Initially both parties share: Knowledge of identity of self and each other’s identity-- “Alice” and “Bob”. A secret that need not be cryptographically strong– password. A public ordering function, L, that returns the “greater” of two strings A public random function, H The definition of a finite cyclic group. For an elliptic curve group Ε, base point is G, order is r. (Notation: a point is uppercase, Z, and a scalar is lowercase, z). A bijective function, F() that maps an element from the group to an integer. For an elliptic curve group, F() merely takes the x component of the point. For a prime modulus group the bijective function is the identity function. Upon completion: Peers are authenticated Peers share an authenticated (master) key that will be suitable for use with the Abbreviated Handshake. Dan Harkins, Aruba Networks

8 Simultaneous Authentication of Equals
March 2008 Simultaneous Authentication of Equals Uses authentication frames for authentication! High-order bit of AuthAlg determines SAE when set and non-SAE authentication (there are remaining algorithms reserved) when clear. Remaining 15 bits of AuthAlg, when high-order bit is set, determine the finite cyclic group to use. The specific group is taken from a number-space managed by IANA for RFC2409 (IKE) “Diffie-Hellman groups”. There are approximately 35 different groups currently defined. See RFC5114 for the latest batch of group definitions. Such a construct allows for cryptographic agility without having to update the standard each time a new group is defined. Dan Harkins, Aruba Networks

9 Simultaneous Authentication of Equals
March 2008 Simultaneous Authentication of Equals Assumptions Function H is a “random oracle”. An adversary is given access to a black box which upon input of data known to the adversary returns either random bits or the output of H. The adversary is unable to distinguish between the two and any advantage the adversary can gain is negligible and is solely through repeated interaction with the black box. For H: {0,1}*  {0,1}k each of the 2k possible outputs has an equal probability of being the output for some input. H is one-way. Given y = H(x) it is infeasible to determine x. The finite cyclic group is one for which the discrete logarithm problem is hard: given y = gx for some element of the group (the generator) g, it is infeasible to determine x. Equivalently for an elliptic curve group, given Y = x*G for some point on the curve (the generator) G, it is infeasible to determine x. Dan Harkins, Aruba Networks

10 Simultaneous Authentication of Equals
March 2008 Simultaneous Authentication of Equals Necessary to “fix” a password element in the finite cyclic group using the password. This is done once, when password is configured. For an elliptic curve group a random point is selected on the curve in a hunt-and-peck fashion. counter = 0 do { counter++; pwd-seed = H(password | counter) pwd-value = KDF(pwd-seed, “SAE Hunting and Pecking”) x = pwd-value y = solve_equation(curve, x) if (is_odd(pwd-seed) PWE = (x, -y) else PWE = (x,y) } while (!on_curve(PWE) For a prime modulus group the password element is fixed by hashing and exponentiation, where r is the order of the group. pwd-seed = H(password) pwe = pwd_seed ^ ((p-1)/r) mod p Dan Harkins, Aruba Networks

11 Simultaneous Authentication of Equals
March 2008 Simultaneous Authentication of Equals if L(Alice, Bob) == Alice then q = H(Alice | Bob) else q = H(Bob | Alice) Z = q*PWE Alice Bob Choose random a, u A = -(u*Z), m = (a + u) mod r Choose random b, v B = -(v*Z), n = (b + v) mod r m,A n,B Compute K = a*(n*Z + B) = a*b*q*PWE Compute k = F(K) Compute x = H(k | A | m | B | n) Compute K = b*(m*Z + A) = b*a*q*PWE Compute k = F(K) Compute y = H(k | B | n | A | m) x y Verify y Verify x Authenticated Master Key = H(k | F(A+B) | (n+m)mod r) Dan Harkins, Aruba Networks

12 Simultaneous Authentication of Equals
March 2008 Simultaneous Authentication of Equals This protocol can also be described using finite cyclic groups based on exponentiation modulus a prime. Such a group would have a generator g, a prime p, an optional order r, and exponentiation would be i = g^j mod p. A couple of caveats: The bijective function becomes trivial: F(x) = x. It will be eliminated from the description. If the order of the generator of the group, r, is not provided as part of the group definition it will be taken to be (p-1)/2. This will serve the purpose of effectively reducing the sum of the two random numbers while not changing the resulting computation of k. Fixing the password element is: pwd-seed = H(password) pwe = pwd-seed ((p-1)/r) mod p Dan Harkins, Aruba Networks

13 Backup m,A n,B x y Alice Bob Choose random b, v
March 2008 Backup if L(Alice, Bob) == Alice then q = H(Alice | Bob ) else q = H(Bob | Alice ) z = pweq mod p Alice Bob Choose random a, u A = z -u mod p m = (a + u) mod r Choose random b, v B = z -v mod p n = (b + v) mod r m,A n,B Compute k = (zn mod p * B)a mod p = pweb*q*a mod p Compute x = H(k | A | m | B | n) Compute k = (zm mod p * A)b mod p = pwea*q*b mod p Compute y = H(k | B | n | A | m) x y Verify y Verify x Authenticated Master Key = H(k | (A+B) mod r | (n+m)mod r) Dan Harkins, Aruba Networks

14 Simultaneous Authentication of Equals
March 2008 Simultaneous Authentication of Equals Alice Bob Peer-to-peer protocol, not lock-step No notion of “initiator” and “responder”; “supplicant” and “authenticator” or “client” and “server”. Initial messages are not dependent on each other; final messages are dependent on initial messages, not each other. Each side can “initiate” or both can “initiate” simultaneously and the resulting protocol instances are identical Alice initiates first Bob initiates first Both initiate simultaneously Dan Harkins, Aruba Networks

15 Simultaneous Authentication of Equals
March 2008 Simultaneous Authentication of Equals Attractive security properties Perfect Forward Secrecy for keys. Key is authenticated in addition to the mesh points being authenticated. Resistant to active attack, passive attack, and dictionary attack. Uniquely appropriate for a mesh No roles– initiator/responder or supplicant/authenticator Either party can initiate first or both can initiate at the same time Addresses numerous comments: 1345, 1614, 1615, 1616, 1622, 2975, 2980, 4750*, and 4758, some of which were rejected out of lack of consensus on a solution. This can be that consensus. * my personal favorite. Dan Harkins, Aruba Networks

16 password authenticated
March 2008 How to Fix this Problem pre-shared key Authentication Server (IEEE 802.1X Authentication only) cryptographically weak password authenticated key exchange cryptographically strong cryptographically strong PMK-MA AKCK and AKEK Temporal key (TK) Dan Harkins, Aruba Networks

17 Simultaneous Authentication of Equals
March 2008 Simultaneous Authentication of Equals Running code! Implementation of SAE using authentication frames per s-password-authentication-for-mesh-points.doc. Three elliptic curve groups supported (trivial to add more) Implementation required modifications to madwifi driver to support the receiving and sending of authentication frames. I plan on releasing a reference implementation as soon as I polish it up. Demo? Dan Harkins, Aruba Networks

18 Simultaneous Authentication of Equals
March 2008 Simultaneous Authentication of Equals I’d like to make a motion! Instruct the editor to include the text from: s-password-authentication-for-mesh-points.doc into the 11s draft. Dan Harkins, Aruba Networks

Download ppt "Password Authenticated Key Exchange"

Similar presentations

Doc.: IEEE 802.11-09/0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced 802.11 Security Date: 2009-03-13 Authors:

Doc.: IEEE /0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced Security Date: Authors:
Doc.: IEEE 802.11-08/1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: 2008-11-10 Authors:

Doc.: IEEE /1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: Authors:
Doc.: IEEE 802.11-09/1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: 2009-09-15 Authors:

Doc.: IEEE /1012r0 Submission September 2009 Dan Harkins, Aruba NetworksSlide 1 Suite-B Compliance for a Mesh Network Date: Authors:
Secure Pre-Shared Key Authentication for IKE

Secure Pre-Shared Key Authentication for IKE
Doc.: IEEE 802.11-08/0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: 2008-07-13 Authors:

Doc.: IEEE /0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: Authors:
Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.

Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)

Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Strong Password Protocols

Strong Password Protocols
Chapter 21 Public-Key Cryptography and Message Authentication.

Chapter 21 Public-Key Cryptography and Message Authentication.
Doc.: IEEE 802.11-11/1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: 2012-01-09 Authors:

Doc.: IEEE /1429r2 Submission January 2012 Dan Harkins, Aruba NetworksSlide 1 A Protocol for FILS Authentication Date: Authors:
Public key ciphers 2 Session 6.

Public key ciphers 2 Session 6.
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.

Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
Doc.: IEEE 802.11-10/0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 1 Clarifying the Behavior of PMK Caching Date: 2010-03-08 Authors:

Doc.: IEEE /0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 1 Clarifying the Behavior of PMK Caching Date: Authors:
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Submission doc.: IEEE 802.11-15/1128r1 September 2015 Dan Harkins, Aruba Networks (an HP company)Slide 1 Opportunistic Wireless Encryption Date: 2015-09-13.

Submission doc.: IEEE /1128r1 September 2015 Dan Harkins, Aruba Networks (an HP company)Slide 1 Opportunistic Wireless Encryption Date:

Similar presentations

Ads by Google