Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.

Published byDavis Bushnell Modified over 10 years ago

Similar presentations

Presentation on theme: "Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable."— Presentation transcript:

1 Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable Software Lab at KAIST 2006. 9. 14

2 2/22 Dependable S/W Lab Contents Conclusion Countermeasures Problem Statement 4-way Handshake Introduction

3 3/22 Dependable S/W Lab Introduction 취약점

4 4/22 Dependable S/W Lab IEEE 802.11i Introduction  Ratified on June 24, 2004  Secure Data Communication over Wireless links  WEP(Wired Equivalent Privacy)  TKIP(Temporal Key Integrity Protocol)  CCMP(Counter-mode/CBC-MAC Protocol)  RSNA(Robust Security Network Association) Conversation  Handshake  Three Entities of RSN  Supplicant  Authenticator  Authentication Server Station Access Point RADIUS

5 5/22 Dependable S/W Lab RSNA Conversation IEEE 802.11 & 11i IEEE 802.1x IEEE 802.11i Handshake IEEE 802.11i MSK PTK Introduction MSK PMK

6 6/22 Dependable S/W Lab RSNA Conversation 4-Way Handshake Authentication Server SupplicantAuthenticator UnAuth/UnAssoc 802.1X Blocked No Key UnAuth/UnAssoc 802.1X Blocked No Key

7 7/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X Blocked No Key Auth/Assoc 802.1X Blocked No Key 802.11 Association 4-Way Handshake

8 8/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X Blocked MSK Auth/Assoc 802.1X Blocked No KeyMSK 802.11 Association EAP/802.1X/RADIUS Authentication 4-Way Handshake

9 9/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X Blocked PMK Auth/Assoc 802.1X Blocked PMKNo Key 802.11 Association EAP/802.1X/RADIUS Authentication MSK 4-Way Handshake

10 10/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X UnBlocked PTK Auth/Assoc 802.1X UnBlocked PTKNo Key 802.11 Association EAP/802.1X/RADIUS Authentication MSK 4-Way Handshake

11 11/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X UnBlocked GTK Auth/Assoc 802.1X UnBlocked GTKNo Key 802.11 Association EAP/802.1X/RADIUS Authentication MSK 4-Way Handshake Group Key Handshake 4-Way Handshake

12 12/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Auth/Assoc 802.1X UnBlocked PTK/GTKNo Key 802.11 Association EAP/802.1X/RADIUS Authentication MSK 4-Way Handshake Group Key Handshake Data Communication 4-Way Handshake

13 13/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X UnBlocked PTK Auth/Assoc 802.1X UnBlocked PTKNo Key 802.11 Association EAP/802.1X/RADIUS Authentication MSK 4-Way Handshake {AA, ANonce, sn, msg1, PMKID} {SPA, SNonce, sn, msg2, MIC, RSN IE} {AA, ANonce, sn+1, msg3, MIC, AA RSN IE, GTK} {SPA, sn+1, msg4, MIC} AA/SPA: MAC Address Nonce: random value sn: sequence number MIC:Message Integrity Code 4-Way Handshake

14 14/22 Dependable S/W Lab Simplified 4-Way Handshake Problem Statement SupplicantAuthenticator Auth/Assoc 802.1X UnBlocked PTK Auth/Assoc 802.1X UnBlocked PTK {ANonce, msg1} {SNonce, msg2, MIC} {ANonce, msg3, MIC} {msg4, MIC}  Murφ Modeling  Finite-State Verification  Modeling Result  Ignored filed PMKID RSN IE GTK  Necessary field Message Flag Nonce  Redundant field Sequence Number MAC address  Exclusive supplicant and authenticator  Fresh Nonce

15 15/22 Dependable S/W Lab DoS Attack Problem Statement Supplicant Authenticator Auth/Assoc 802.1X Blocked PMK Auth/Assoc 802.1X Blocked PMK {ANonce, msg1} {SNonce, msg2, MIC} {ANonce, msg3, MIC} {msg4, MIC} PTK Derived {AA, Anonce, msg1} Attack 802.1X UnBlocked PTK 802.1X UnBlocked PTK PTK’ Derived PTK’ ≠ PTK Blocked & Fail

16 16/22 Dependable S/W Lab DoS Attack Problem Statement  Solution?  Store TPTK / PTK Can not correctly verify the MIC in Msg3  Keep all states for every Msg1 Mess Forged Attack (Mem/CPU exhaustion)  Inherent cause of Attack  Authenticator can discard an unexpected response  Supplicant can not do so Cause deadlock and block the protocol  Supplicant must allow any Msg1 (Parallel Instance)  Limitation of Attack  Dynamic PMKID attacker can forge Msg1 after reading Msg1  EAPOL-Key format limit the attacks to occur only before the first PTK establishment Attack can be occurred only after reading Msg1 and before establishing the first handshake

17 17/22 Dependable S/W Lab Random-Drop Queue Countermeasures Randomly replaced by the new state if queue is filled

18 18/22 Dependable S/W Lab Message 1 Authentication Countermeasures  Add a MIC to msg1  Reuse shared PMK  Set Nonce to specific value(e.g.,0)  Derive a trivial PTK  Calculate the MIC with derived PTK  Limitation  If PSK or cached PMK? Vulnerable to Reply attack  Repaired Countermeasure  Add SN increasing monotonically  Use local time as SN  Weakness of this countermeasure  Modification on Packet format

19 19/22 Dependable S/W Lab Nonce Re-use Countermeasures  Reuse Nonce  Supplicant reuse the value of SNonce until a legitimate handshake is completed successfully  Not update Nonce  No requirement for Authenticator to reuse ANonce  Eliminate the memory DoS Attack  Limitation  More computation on the supplicant side  Fixed SNonce – easy guessing the PMK  Weakness of this countermeasure  CPU exhaustion attack

20 20/22 Dependable S/W Lab Proposal Countermeasures  Combination of countermeasures  Reuse SNonce  Store PTK and ANonce of the first Msg1  If stored ANonce = received ANonce in Msg3, use PTK  If stored ANonce ≠ received ANonce in Msg3, calculate new PTK {AA, ANonce, msg1} {SNonce, msg2, MIC} {ANonce, msg3, MIC} {msg4, MIC} PTK Derived Store PTK, ANonce PTK Derived {AA, ANonce, msg1} Attack ANonce ≠ ANonce PTK’ Derived, Use derived PTK Anonce = Anonce Use stored PTK Calculate MIC

21 21/22 Dependable S/W Lab Proposal Countermeasures  Combination of countermeasures  Reuse SNonce  Store PTK and ANonce of the first Msg1 Eliminate the Memory Exhaustion Attack  If stored ANonce = received ANonce, use PTK  If stored ANonce ≠ received ANonce, calculate new PTK Eliminate the CPU Exhaustion Attack No Modification on Packet format  Adopted by TGi

22 22/22 Dependable S/W Lab IEEE 802.11i  Conclusions  RSNA conversation  Simplified Protocol by using Murφ  DoS Attack  3 Countermeasures and the their effectiveness  Proposed solution Combined Reuse Nonce Solution Advantages Conclusion

23

Download ppt "Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
IEEE 802.11i: A Retrospective Bernard Aboba Microsoft March 2004.

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.
CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
Security Analysis and Improvements for IEEE i

Security Analysis and Improvements for IEEE i
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Analysis and Improvements over DoS Attacks against IEEE 802.11i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.

Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
TGai FILS Authentication Protocol

TGai FILS Authentication Protocol
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
Security Analysis and Improvements for IEEE 802.11i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.

Security Analysis and Improvements for IEEE i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.
Exploring timing based side channel attacks against 802.11i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction

Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell.

Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
802.11i Security Analysis: Can we build a secure WLAN? Changhua He Stanford University March 24 th, 2005

802.11i Security Analysis: Can we build a secure WLAN? Changhua He Stanford University March 24 th, 2005
Design of Efficient and Secure Multiple Wireless Mesh Network Speaker: Hsien-Pang Tsai Teacher: Kai-Wei Ke Date: 2005/06/28.

Design of Efficient and Secure Multiple Wireless Mesh Network Speaker: Hsien-Pang Tsai Teacher: Kai-Wei Ke Date: 2005/06/28.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
15 November 2004 1 Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.

15 November Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.

Similar presentations

Ads by Google