Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of 4-way handshake protocol in IEEE 802.11i Changhua He Stanford University Mar. 04, 2004.

Published byDaniela Ramsey Modified over 9 years ago

Similar presentations

Presentation on theme: "Analysis of 4-way handshake protocol in IEEE 802.11i Changhua He Stanford University Mar. 04, 2004."— Presentation transcript:

1 Analysis of 4-way handshake protocol in IEEE 802.11i Changhua He Stanford University Mar. 04, 2004

2 Scenario: 802.11 An example of a 802.11 wireless local area network Wired Network Security !

3 History of Security Concerns u802.11b (WEP) Wired Equivalent Protocol Many attacks found uWPA: Wi-Fi Protected Access Proposed by Wi-Fi Alliance Short-term solution based on 802.1x u802.11i Standards approved Oct. 2003 Long-term solution, may need hardware upgrades This project focus on part of the authentication protocol in the standard

4 Terms uAuthenticator: Entities implemented in AP uSupplicant: Entities implemented in Laptop uAuthentication Server uPMK: Pair-wise Master Key uPTK: Pair-wise Transient Key uMIC: Message Integrity Code uANonce: nonce generated by authenticator uSNonce: nonce generated by supplicant uAA: Authenticator Address (MAC) uSPA: Supplicant Address (MAC)

5 802.11i Authentication 802.11 Association802.1x/Radius/EAP-TLSSecured Data Channel4-way Key managementGroup Key management Ethernet Access Point Radius Server Laptop computer Wireless

6 Idealized 4-way Handshake Ethernet Access Point Laptop computer Wireless Channel {AA, ANonce, n, msg1} PMK Known, Last Seen < n PMK Known, Counter = n {AA, ANonce, n+1, msg3, MIC PTK (ANonce, n+1, msg3)} {SPA, SNonce, n, msg2, MIC PTK (SNonce, n, msg2)} {SPA, n+1, msg4, MIC PTK (n+1, msg4)} PTK=PRF{PMK,AA||STA||Anonce||Snonce} Derive PTK, Counter = n+1 Install PTK, Last Seen = n+1 Install PTK, Counter = n+2

7 Description uPrior to 4-way handshake, we assume: PMK only known to Supplicant and Authenticator, never transmitted over network uObjectives: Generate PTK and confirm the procession and freshness of PTK uMethodology: Use Mur j to model the protocol from simplest version, find out attacks, add fields step by step to defense the attacks, get complete one. Can make clear the function of each fields, and find out attacks for the complete protocol.

8 Murφ Modeling uAuthenticators/Supplicants: Each authenticator maintain associations with each supplicant, and vice versa Each association has a unique PMK Several sessions can happen in one association sequentially uIn each run: Turn on/off fields: nonce, sequence, mtype, address

9 Intruder uImpersonate both supplicant and authenticator Forge MAC address in each message Can not get PMK for associations uIntercepts all messages uReplay all messages uForge messages with known nonce and MIC uCompose message 1 with known nonces uActively predict nonces and ask the supplicant to pre-compute MIC Model attacks when nonces are predictable or not globally unique

10 Invariant invariant "PTKs are consistent and fresh" forall i: AuthenticatorId do forall j: SupplicantId do aut[i].associations[j].session.state = A_DONE -> (sup[j].associations[i].session.state = S_DONE & ptkEqual(aut[i].associations[j].session.ptk, sup[j].associations[i].session.ptk) & aut[i].associations[j].sid = sup[j].associations[i].sid) | (sup[j].associations[i].session.state = S_PTKSA & aut[i].associations[j].sid <= sup[j].associations[i].sid) end end;

11 Achieved protocol {ANonce, msg1} {ANonce, msg3, MIC PTK (ANonce, msg3)} {SNonce, msg2, MIC PTK (SNonce, msg2)} {msg4, MIC PTK (msg4)} Ethernet Access Point Laptop computer Wireless Channel PTK=PRF{PMK,Anonce||Snonce}

12 Summary of fields uNonces is necessary for fresh PTK uMtype Necessary, otherwise can fool supplicant to calculate msg 3, or vice versa uSequence Not necessary here Defense msg 3 replay, but it is harmless uAA, SPA Bind PTK to the physical device, not necessary here, but need to be considered with PMK

13 Implementation error Ethernet Access Point Laptop computer Wireless Channel {AA, ANonce, n, msg1} {AA, ANonce, n+1, msg3, MIC PTK (ANonce, n+1, msg3)} {SPA, SNonce, n, msg2, MIC PTK (SNonce, n, msg2)} {SPA, n+1, msg4, MIC PTK (n+1, msg4)} {AA, Nonce, n, msg1} The standard adopts TPTK & PTK: not work

14 DoS attack Intruder keep sending msg. 1 to Supplicant, supplicant needs to keep all the states No CPU exhaustion attack assume hash is easy to compute But maybe memory exhaustion attack –Not consume much memory for each state –But so easy for the attacker to flooding msg 1 Possible Solution –Send Anonce together with Snonce in msg 3 –Sequence acts to defense replay –Need to change packet formats

15 Conclusions uMurphi Modelling Suitable for finite state verification Inspiration for finding attacks, but need to model attacks correctly Can not model DoS attacks u802.11i 4-way handshake protocol Fortunately, well-designed & secure Some fields are redundant for this part Implementation error (corresponding to DoS attack)

Download ppt "Analysis of 4-way handshake protocol in IEEE 802.11i Changhua He Stanford University Mar. 04, 2004."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.
CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.
Security Analysis and Improvements for IEEE i

Security Analysis and Improvements for IEEE i
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Analysis and Improvements over DoS Attacks against IEEE 802.11i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.

Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
Security Analysis and Improvements for IEEE 802.11i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.

Security Analysis and Improvements for IEEE i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.

Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.
802.11i Security Analysis: Can we build a secure WLAN? Changhua He Stanford University March 24 th, 2005

802.11i Security Analysis: Can we build a secure WLAN? Changhua He Stanford University March 24 th, 2005
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).

Similar presentations

Ads by Google