Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jesse Walker, 802.11 keying requirements1 Suggested 802.11 Keying Requirements Jesse Walker Intel Corporation

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Jesse Walker, 802.11 keying requirements1 Suggested 802.11 Keying Requirements Jesse Walker Intel Corporation"— Presentation transcript:

1 Jesse Walker, 802.11 keying requirements1 Suggested 802.11 Keying Requirements Jesse Walker Intel Corporation jesse.walker@intel.com

2 Jesse Walker, 802.11 keying requirements2 Goal and agenda Goal: –Help establish requirements for future development Agenda –Review of 802.11 Authentication and Keying today –Analysis –Requirements

3 Jesse Walker, 802.11 keying requirements3 802.11i review Data protection 802.1X authentication 802.1X key management RADIUS-based key distribution Security capabilities discovery Authentication Server Access Point Station 802.11i Review Authentication and Keying Today

4 Jesse Walker, 802.11 keying requirements4 802.11i review: 802.1X authentication 802.1X (EAPOL) Authentication Server Access Point 802.11 Wireless Station EAP Method (e.g., EAP-TLS) EAP EAP Transport (e.g. RADIUS) TCP/UDP/IP 802.11i Review Authentication and Keying Today

5 Jesse Walker, 802.11 keying requirements5 802.11i review: EAP authentication 802.1X (EAP-Request Identity) 802.1X (EAP-Response Identity) EAP Transport (EAP-Response Identity) EAP type specific mutual authentication EAP Transport (EAP-Success, PMK) 802.1X (EAP-Success) Derive Pairwise Master Key (PMK) AS AP STA 802.1XRADIUS 802.11i Review Authentication and Keying Today

6 Jesse Walker, 802.11 keying requirements6 Problem 1: Who is the other guy? STA never learns it is communicating with the AP the AS is communicating with under EAP –AP never advertises its authenticated identity to STA –BSSID is the only identifier the AP exposes to the STA AP never learns it is communicating with the STA the AS is communicating in under EAP –STA never advertises its authenticated identity to AP –STA MAC address is the only identifier the STA exposes to the STA Although AP can peak inside the EAP-Response/Identity And the STA could use its MAC address to identify itself The gap is closed by faith Problem Statement Analysis

7 Jesse Walker, 802.11 keying requirements7 Problem 2: Inconsistent contract 802.11i goes to great trouble to prevent PMK reuse across different APs –Compromise of one AP must not compromise STA’s traffic at another AP –Only mechanism STA has to detect conformance is the AP’s BSSID Modern switched APs present a dilemma –PMK is kept at switch, so does not cross crypto boundaries if reused at different APs belonging to same switch –But the STA has no way to distinguish this (correct) usage from abuse at classical APs The PMK is not used consistently by infrastructure and this is visible to the STA Problem Statement Analysis

8 Jesse Walker, 802.11 keying requirements8 Problem 3: Expiry time AAA protocols deliver the PMK expiry time to the AP, but not the STA EAP doesn’t deliver PMK expiry time to the AP, either PMK expiry a surprise to the STA, or else STAs need more predictable PMK usage to make caching work Problem Statement Analysis

9 Jesse Walker, 802.11 keying requirements9 Problem 4: Performance v. security Only mechanisms 802.11i defines to populate PMK at AP are authentication after association and pre-authentication Authentication after association too slow for real-time applications Pre-authentication enables new DoS attack –A single STA can flood pre-authentication requests to every AP –In a sufficiently large network, a small number of STAs can allocate all PMK caches at all APs Problem Statement Analysis

10 Jesse Walker, 802.11 keying requirements10 802.11i Keying abstractly STA AP AS Goal: Establish session key K between STA and AP Technique: Use on-line trusted 3rd party AS as an intermediary Explicit Assumptions: STA and AS can mutually authenticate and derive a session key PMK AP and AS share a key encryption key KB1 and a data authentication key KB2 AS delivers a fresh PMK to the AP EAP Authentication + Session Key PMK derivation A,{PMK} KB1, MIC KB2 802.11i Deployment Requirements Analysis

11 Jesse Walker, 802.11 keying requirements11 EAP Authentication + Session Key PMK derivation What can we do without? STA AP AS No mutual authentication enables MITM attack between STA, AS No end-to-end data authentication key enables MITM attack between AP, AS No end-to-end key encryption key enables PMK theft PMK freshness still a matter of faith to the AP STA,{PMK} KB1, MIC KB2 AP/AS/STA STA,{PMK} KB1, MIC KB2 802.11i Deployment Requirements Analysis

12 Jesse Walker, 802.11 keying requirements12 802.11i Authentication concretely STA AP AS Goal: Establish a session key PMK between STA and AP Technique: Use an on-line trusted third party AS as an intermediary Explicit Assumptions: STA and AS can mutually authenticate and derive a session key PMK AP and AS share a key encryption key KB1 and a data authentication key KB2 Note path via AP allows replay attacks against AP STA,{PMK} KB1, MIC KB2 EAP Authentication + Session Key PMK derivation 802.11i Deployment Requirements Analysis

13 Jesse Walker, 802.11 keying requirements13 Design Hueristics Some prudent engineering practices for cryptographic protocols (Abadi and Needham, 1995) –Use explicit communication: Every message should say what it means –Specify the semantics: The conditions for a message to be acted upon should be spelled out –Name entities: If the identity of a principal is essential to the meaning of the message, include the name explicitly –Make trust assumptions explicit: The protocol designer should know which trust assumptions and dependencies are necessary 802.11i Authentication Requirements Requirements

14 Jesse Walker, 802.11 keying requirements14 802.11 keying requirements New Peer-NAS-Server key binding protocol –Make keying explicit by client request instead of implicit Complement EAP but independent of EAP –Allow the STA to request AAA-Key by name –Piggyback keying messages with EAP messages –Allow client to rekey the AP PMK cache without reauthentication Use the existing AAA-Key Bind authenticated identities of STA and AP to the AAA-Key Binding must provide freshness guarantee –Allow the AP to determine response freshness Allow specification or negotiation of PMK expiry time 802.11i Authentication Requirements Requirements

15 Jesse Walker, 802.11 keying requirements15 Rationale Explicit Peer-NAS-Server key binding protocol –Address open problems before they are exploited Complement EAP but independent of EAP –Key binding is a 3-party problem, while EAP is a 2-party problem –Piggy-backing messages with EAP allows client to request key during EAP authentication –Protocol independent of EAP allows client to rekey AP PMK cache without reauthenticating Use the existing AAA-Key –Keying draft consensus has been hard enough Bind authenticated identities of STA and AP to the AAA-Key –This is all the AS knows –The AS is the only party that both the STA and AP trust, so it must do the binding Binding must provide freshness guarantee –AP needs to know message delivering PMK is fresh Allow specification or negotiation of PMK expiry time –Make PMK cache usage consistent to the STA 802.11i Authentication Requirements Requirements

16 Jesse Walker, 802.11 keying requirements16 Example protocol PeerNASServer Requirements Peer generates random number R P R P || AAA-Key-ID NAS generates random number R N R P || AAA-Key-ID || R N Server computes  = AAA-Key-ID || Id P || Id NAS || T || MAC(TEK P, R P || AAA-Key-ID || Id P || Id NAS || T) Server computes  =  || W || AAA-Key-ID || Id P || Id NAS || T || MAC(KAK, R N ||  || W || AAA-Key-ID || Id P || Id NAS || T) Server encrypts W = E(KEK, AAA-Key)  ||  

17 Jesse Walker, 802.11 keying requirements17 How would 802.11 use this? 802.11 must advertise the AP’s identity to the STA –Or the binding is not meaningful to the STA –e.g., insert hash of AP’s authenticated identity into Beacons, Probe Responses, and/or Reassociation Response msgs Must advertise STA’s identity to the AP –Or the binding is not meaningful to the AP –e.g., insert hash of STA’s identity into Reassociation Requests AP, STA both verify bound identity matches advertised identity 802.11i key derivation modified to include bound identities in the PTK derivation AP cache timeout rules somehow conveyed to the STA 802.11i Authentication Requirements Requirements

18 Jesse Walker, 802.11 keying requirements18 Does this solve anything? These changes identify AP to STA and vice versa –Both parties trust AS to attest to the identity of the other –Both parties advertise their authenticated identities –Problem 1 solved Key usage identified by device’s crypto boundary, not by MAC addresses –Changes impose a consistent “contract” between AP and STA –Problem 2 solved Both STA and AP learn the PMK expiry time –Enables 802.11 to solve Problem 3 STA can efficiently fill the AP’s PMK cache without reauthentication and before AP-to-AP transition –Problem 4 solved 802.11i Authentication Requirements Requirements

19 Jesse Walker, 802.11 keying requirements19 Call to Action Key distribution enjoys a “troubled history” –Bellare and Rogaway, “Provably secure session key distribution: the three party case,” Proc 27 th Symp on Theory of Computing, 1995 Existing design has vulnerabilities that can be exploited There is no reason to believe we can avoid consequences of these vulnerabilities any better than prior protocols solving the 3-party problems –Wide-Mouth Frog, Denning-Sacco, Woo-Lam, Lu- Sundareshan, etc. Work to solve the problem

20 Jesse Walker, 802.11 keying requirements20 Feedback?

Download ppt "Jesse Walker, 802.11 keying requirements1 Suggested 802.11 Keying Requirements Jesse Walker Intel Corporation"

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
1 IEEE 802.11i Overview v0.1 Summary by Uthman Baroudi Nancy Cam-Winget, Cisco Systems Tim Moore, Microsoft Dorothy Stanley, Agere Systems Jesse Walker,

1 IEEE i Overview v0.1 Summary by Uthman Baroudi Nancy Cam-Winget, Cisco Systems Tim Moore, Microsoft Dorothy Stanley, Agere Systems Jesse Walker,
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.

Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
Michal Rapco 05, 2005 Security issues in Wireless LANs.

Michal Rapco 05, 2005 Security issues in Wireless LANs.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),

Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
Wireless and Email Security CSCI 5857: Encoding and Encryption.

Wireless and Security CSCI 5857: Encoding and Encryption.

Similar presentations

Ads by Google