Published by Davis Bushnell. Modified over 10 years ago.
1
Analysis of the 802.11i 4-Way Handshake
Changhua He, John C Mitchell
2004 ACM International Workshop on Wireless Security (WiSe'04)
Sang-Rok Kim
Dependable Software Lab at KAIST
2006. 9. 14
2
2/22 Dependable S/W Lab
Contents
  Introduction
  4-way Handshake
  Problem Statement
  Countermeasures
  Conclusion
3
Introduction
  Vulnerability
4
Introduction: IEEE 802.11i
  Ratified on June 24, 2004
  Secure Data Communication over Wireless links
    WEP (Wired Equivalent Privacy)
    TKIP (Temporal Key Integrity Protocol)
    CCMP (Counter-mode/CBC-MAC Protocol)
  RSNA (Robust Security Network Association)
    Conversation
    Handshake
  Three Entities of RSN
    Supplicant (Station)
    Authenticator (Access Point)
    Authentication Server (RADIUS)
5
Introduction: RSNA Conversation
  [Diagram. Stage labels: IEEE 802.11 & 11i; IEEE 802.1x; IEEE 802.11i Handshake; IEEE 802.11i. Key labels: MSK, PMK, PTK]
6
4-Way Handshake: RSNA Conversation
  [Diagram: Supplicant, Authenticator, Authentication Server]
  State boxes: "UnAuth/UnAssoc, 802.1X Blocked, No Key"; "UnAuth/UnAssoc, 802.1X Blocked, No Key"
7
4-Way Handshake: RSNA Conversation
  [Diagram: Supplicant, Authenticator, Authentication Server]
  State boxes: "Auth/Assoc, 802.1X Blocked, No Key"; "Auth/Assoc, 802.1X Blocked, No Key"
  Steps shown: 802.11 Association
8
4-Way Handshake: RSNA Conversation
  [Diagram: Supplicant, Authenticator, Authentication Server]
  State boxes: "Auth/Assoc, 802.1X Blocked, MSK"; "Auth/Assoc, 802.1X Blocked, No Key"
  Other labels: MSK
  Steps shown: 802.11 Association; EAP/802.1X/RADIUS Authentication
9
4-Way Handshake: RSNA Conversation
  [Diagram: Supplicant, Authenticator, Authentication Server]
  State boxes: "Auth/Assoc, 802.1X Blocked, PMK"; "Auth/Assoc, 802.1X Blocked, PMK"
  Other labels: No Key; MSK
  Steps shown: 802.11 Association; EAP/802.1X/RADIUS Authentication
10
4-Way Handshake: RSNA Conversation
  [Diagram: Supplicant, Authenticator, Authentication Server]
  State boxes: "Auth/Assoc, 802.1X UnBlocked, PTK"; "Auth/Assoc, 802.1X UnBlocked, PTK"
  Other labels: No Key; MSK
  Steps shown: 802.11 Association; EAP/802.1X/RADIUS Authentication; 4-Way Handshake
11
4-Way Handshake: RSNA Conversation
  [Diagram: Supplicant, Authenticator, Authentication Server]
  State boxes: "Auth/Assoc, 802.1X UnBlocked, GTK"; "Auth/Assoc, 802.1X UnBlocked, GTK"
  Other labels: No Key; MSK
  Steps shown: 802.11 Association; EAP/802.1X/RADIUS Authentication; 4-Way Handshake; Group Key Handshake
12
4-Way Handshake: RSNA Conversation
  [Diagram: Supplicant, Authenticator, Authentication Server]
  State boxes: "Auth/Assoc, 802.1X UnBlocked, PTK/GTK"; "Auth/Assoc, 802.1X UnBlocked, PTK/GTK"
  Other labels: No Key; MSK
  Steps shown: 802.11 Association; EAP/802.1X/RADIUS Authentication; 4-Way Handshake; Group Key Handshake; Data Communication
13
4-Way Handshake: RSNA Conversation
  [Diagram: Supplicant, Authenticator, Authentication Server]
  State boxes: "Auth/Assoc, 802.1X UnBlocked, PTK"; "Auth/Assoc, 802.1X UnBlocked, PTK"
  Other labels: No Key; MSK
  Steps shown: 802.11 Association; EAP/802.1X/RADIUS Authentication; 4-Way Handshake
  4-Way Handshake messages:
    {AA, ANonce, sn, msg1, PMKID}
    {SPA, SNonce, sn, msg2, MIC, RSN IE}
    {AA, ANonce, sn+1, msg3, MIC, AA RSN IE, GTK}
    {SPA, sn+1, msg4, MIC}
  Legend:
    AA/SPA: MAC Address
    Nonce: random value
    sn: sequence number
    MIC: Message Integrity Code
14
Problem Statement: Simplified 4-Way Handshake
  [Diagram: Supplicant, Authenticator]
  State boxes: "Auth/Assoc, 802.1X UnBlocked, PTK"; "Auth/Assoc, 802.1X UnBlocked, PTK"
  Messages:
    {ANonce, msg1}
    {SNonce, msg2, MIC}
    {ANonce, msg3, MIC}
    {msg4, MIC}
  Murφ Modeling
    Finite-State Verification
  Modeling Result
    Ignored field: PMKID, RSN IE, GTK
    Necessary field: Message Flag, Nonce
    Redundant field: Sequence Number, MAC address
    Exclusive supplicant and authenticator
    Fresh Nonce
15
Problem Statement: DoS Attack
  [Diagram: Supplicant, Authenticator]
  State boxes at start: "Auth/Assoc, 802.1X Blocked, PMK"; "Auth/Assoc, 802.1X Blocked, PMK"
  Messages:
    {ANonce, msg1}
    {SNonce, msg2, MIC}
    {ANonce, msg3, MIC}
    {msg4, MIC}
  Attack message: {AA, ANonce, msg1}
  Labels: PTK Derived; PTK' Derived; PTK' ≠ PTK; Blocked & Fail; "802.1X UnBlocked, PTK" (two boxes)
16
Problem Statement: DoS Attack
  Solution?
    Store TPTK / PTK
      Cannot correctly verify the MIC in Msg3
    Keep all states for every Msg1
      Mess Forged Attack (Mem/CPU exhaustion)
  Inherent cause of Attack
    Authenticator can discard an unexpected response
    Supplicant cannot do so
      Causes deadlock and blocks the protocol
    Supplicant must allow any Msg1 (Parallel Instance)
  Limitation of Attack
    Dynamic PMKID
      Attacker can forge Msg1 after reading Msg1
    EAPOL-Key format
      Limits the attacks to occur only before the first PTK establishment
    Attack can occur only after reading Msg1 and before establishing the first handshake
17
Countermeasures: Random-Drop Queue
  Randomly replaced by the new state if the queue is filled
18
Countermeasures: Message 1 Authentication
  Add a MIC to msg1
    Reuse shared PMK
    Set Nonce to a specific value (e.g., 0)
    Derive a trivial PTK
    Calculate the MIC with the derived PTK
  Limitation
    If PSK or cached PMK?
    Vulnerable to Replay attack
  Repaired Countermeasure
    Add SN increasing monotonically
    Use local time as SN
  Weakness of this countermeasure
    Modification on Packet format
19
Countermeasures: Nonce Re-use
  Reuse Nonce
    Supplicant reuses the value of SNonce until a legitimate handshake is completed successfully
    Not update Nonce
    No requirement for Authenticator to reuse ANonce
    Eliminate the memory DoS Attack
  Limitation
    More computation on the supplicant side
    Fixed SNonce – easy guessing the PMK
  Weakness of this countermeasure
    CPU exhaustion attack
20
Countermeasures: Proposal
  Combination of countermeasures
    Reuse SNonce
    Store PTK and ANonce of the first Msg1
    If stored ANonce = received ANonce in Msg3, use PTK
    If stored ANonce ≠ received ANonce in Msg3, calculate new PTK
  [Diagram: Supplicant, Authenticator]
  Messages:
    {AA, ANonce, msg1}
    {SNonce, msg2, MIC}
    {ANonce, msg3, MIC}
    {msg4, MIC}
  Attack message: {AA, ANonce, msg1}
  Labels: PTK Derived; Store PTK, ANonce; PTK Derived; ANonce ≠ ANonce: PTK' Derived, Use derived PTK; ANonce = ANonce: Use stored PTK; Calculate MIC
21
Countermeasures: Proposal
  Combination of countermeasures
    Reuse SNonce
    Store PTK and ANonce of the first Msg1
      Eliminate the Memory Exhaustion Attack
    If stored ANonce = received ANonce, use PTK
    If stored ANonce ≠ received ANonce, calculate new PTK
      Eliminate the CPU Exhaustion Attack
    No Modification on Packet format
    Adopted by TGi
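Added example (not from the slides or the paper): a small model of the supplicant in the simplified handshake, run once with the original single-TPTK behaviour and once with the combined countermeasure above. The class and function names are hypothetical, and HMAC-SHA256 stands in for the 802.11i PRF and MIC.

```python
import hashlib, hmac, os

def derive_ptk(pmk, anonce, snonce):
    # Stand-in for the 802.11i PRF; MAC addresses omitted as in the simplified model.
    return hmac.new(pmk, b"PTK" + anonce + snonce, hashlib.sha256).digest()

def mic(ptk, body):
    return hmac.new(ptk[:16], body, hashlib.sha256).digest()[:16]

class Supplicant:
    def __init__(self, pmk, combined_fix):
        self.pmk, self.fix = pmk, combined_fix
        self.snonce = os.urandom(32)
        self.anonce = self.ptk = None

    def on_msg1(self, anonce):
        if not self.fix:
            # Original behaviour: fresh SNonce, one TPTK slot overwritten by every Msg1.
            self.snonce = os.urandom(32)
            self.anonce, self.ptk = anonce, derive_ptk(self.pmk, anonce, self.snonce)
            ptk = self.ptk
        else:
            # Combined fix: SNonce is reused; only the first Msg1's ANonce/PTK are stored.
            ptk = derive_ptk(self.pmk, anonce, self.snonce)
            if self.anonce is None:
                self.anonce, self.ptk = anonce, ptk
        return self.snonce, mic(ptk, b"msg2" + self.snonce)

    def on_msg3(self, anonce, tag):
        ptk = self.ptk
        if self.fix and anonce != self.anonce:
            ptk = derive_ptk(self.pmk, anonce, self.snonce)  # recompute from Msg3's ANonce
        return hmac.compare_digest(tag, mic(ptk, b"msg3" + anonce))

def run_handshake(combined_fix, forged=None):
    """forged: None, 'before' or 'after' the authenticator's own Msg1."""
    pmk = os.urandom(32)  # constructed key material
    sup = Supplicant(pmk, combined_fix)
    if forged == "before":
        sup.on_msg1(os.urandom(32))
    anonce = os.urandom(32)
    snonce, tag2 = sup.on_msg1(anonce)
    auth_ptk = derive_ptk(pmk, anonce, snonce)  # authenticator side, after Msg2
    if not hmac.compare_digest(tag2, mic(auth_ptk, b"msg2" + snonce)):
        return False
    if forged == "after":
        sup.on_msg1(os.urandom(32))  # unauthenticated Msg1 carrying a different ANonce
    return sup.on_msg3(anonce, mic(auth_ptk, b"msg3" + anonce))

if __name__ == "__main__":
    for fix in (False, True):
        print(fix, [run_handshake(fix, f) for f in (None, "before", "after")])
```

The return value is whether the supplicant accepts the MIC in Msg3; in this model only the original behaviour with an extra Msg1 arriving after Msg2 is rejected.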
22
Conclusion: Conclusions
  IEEE 802.11i
    RSNA conversation
  Simplified Protocol by using Murφ
  DoS Attack
  3 Countermeasures and their effectiveness
  Proposed solution
    Combined Reuse Nonce Solution
    Advantages