Presentation is loading. Please wait.

Presentation is loading. Please wait.

March 17, 2003 IETF #56, SAN FRANCISCO1 Compound Authentication Binding Problem (EAP Binding Draft) Jose Puthenkulam Intel Corporation (

Published byChristal Floyd Modified over 8 years ago

Similar presentations

Presentation on theme: "March 17, 2003 IETF #56, SAN FRANCISCO1 Compound Authentication Binding Problem (EAP Binding Draft) Jose Puthenkulam Intel Corporation ("— Presentation transcript:

1 March 17, 2003 IETF #56, SAN FRANCISCO1 Compound Authentication Binding Problem (EAP Binding Draft) Jose Puthenkulam Intel Corporation ( jose.p.puthenkulam@intel.com ) jose.p.puthenkulam@intel.com ACKNOWLEDGEMENTS: ASHWIN PALEKAR, DAN SIMON, BERNARD ABOBA – MICROSOFT VICTOR LORTZ, FARID ADRANGI, JESSE WALKER - INTEL CORPORATION N.ASOKAN, KAISA NYBERG, VALTTERI NIEMI, HENRY HAVERINEN - NOKIA JOE SALOWEY, NANCY CAM-WINGET – CISCO, JARI ARKKO – ERICSSON MOHAN PARTHASARATHY – TAHOE NETWORKS Copyright © 2003, The Internet Society

2 March 17, 2003 IETF #56, SAN FRANCISCO2 Agenda Compound Methods Motivation Problem Summary Solutions Conclusion/Next Steps

3 March 17, 2003 IETF #56, SAN FRANCISCO3 Compound Methods Definition: Multiple authentication methods used in concert for a single purpose –Tunneled methods –Sequenced methods Typical Purposes –Network access authentication & authorization –Security Association establishment for protecting data traffic –Service access authentication & authorization –…

4 March 17, 2003 IETF #56, SAN FRANCISCO4 Motivation for Compound Methods using Tunnels Securing legacy methods in new environments Ease of deployment for securing legacy methods Providing consistent security properties and other features for different methods Securing multiple credentials in sequences

5 March 17, 2003 IETF #56, SAN FRANCISCO5 Problem = Man-in-the-Middle Attacks Focus is on Compound Tunneled Methods that support –single inner method –sequence of inner methods Non-tunneled Compound Sequences are also potentially vulnerable but not addressed –problem space unbounded? further study needed

6 March 17, 2003 IETF #56, SAN FRANCISCO6 Example WLAN Attack Scenario EAP/Identity Request EAP/Identity Response (anonymous@realm) Tunnel establishment EAP/Identity Request EAP/Identity Response (user id@realm) EAP/ Request / Method Challenge EAP/Response/ Method Response EAP/ Success EAP-Method in Tunnel WLAN Session Stolen Tunnel Keys ClientMitM Home AAA Server Tunnel Server AP Inner EAP Method Keys Derived & Not used Tunnel Keys Derived Inner Method Keys Derived

7 March 17, 2003 IETF #56, SAN FRANCISCO7 Problem Conditions Dual role man-in-the-middle attacker (rogue authenticator + rogue supplicant) Credential and authentication method re- use with and without tunnels Use of one-way server authenticated tunnel Use of tunnel session keys alone and no inner method session keys All conditions have to be true for the attack

8 March 17, 2003 IETF #56, SAN FRANCISCO8 Solution Requirements Fixes to existing EAP methods not ok Fixes to new EAP methods maybe ok Fixes to Tunnel methods ok Should work for different tunnel termination models Should not bring new requirements for other protocols (eg. RADIUS ) Forward Evolution for protocols with fix Backwards compatibility for fixed protocols Simplicity for fix (low compute costs & roundtrips) Upgraded EAP Base protocol maybe ok

9 March 17, 2003 IETF #56, SAN FRANCISCO9 Solution Concepts All methods –Use separate credentials inside and outside tunnels –Use methods inside tunnels always Key deriving methods –Can use cryptographic binding Binding can provide stronger authentication & session keys Avoids policy synchronization issues Preserves deployment convenience of one-way authenticated tunnels

10 March 17, 2003 IETF #56, SAN FRANCISCO10 Solution Mechanisms Recommended Policy restrictions –For non-key deriving methods client & server policy Use separate credentials inside/outside tunnels Use methods inside tunnels always Cryptographic Binding –Compound Keyed MACs Keyed MACs computed from safe one-way derivation from keys of all inner methods and tunnel method Additional mutual authentication round trip (binding phase exchange) with keyed MACs –Compound Session Keys Bound Key derived using safe one-way derivation from keys of all inner methods and tunnel method

11 March 17, 2003 IETF #56, SAN FRANCISCO11 Binding Phase Exchange with Compound Keyed MACs Binding Request B1 Binding Response B2 [VERSION,S_NONCE,……….. B1_MAC] [VERSION,C_NONCE,……….. B2_MAC] CMK_B1 (B1_MAC Key) Compound MAC Key Derivation S_NONCE TSK ISK1….ISKn Compound MAC Key Derivation S_NONCE C_NONCE TSK ISK1….ISKn CMK_B2 (B2_MAC Key) TSK = Tunnel Session Keys ISKi = Inner Session Keys for each method ‘i’ where i = 1..n C_NONCE = 256 bit random number derived on client S_NONCE = 256 bit random number derived on server Note: Sufficiency of 2-way handshake is based on binding using fresh session keys

12 March 17, 2003 IETF #56, SAN FRANCISCO12 Thwarting the attack with binding EAP/Identity Request EAP/Identity Response (anonymous@realm) TLS Session establishment EAP/Identity Request EAP/Identity Response (user id@realm) EAP/ Request / Method Challenge EAP/Response/ Method Response EAP/ Success EAP-Method in TLS Protected Session No Keys Sent ClientMitM Home AAA Server Tunnel Server AP Inner EAP Method KeysBinding Request B1 (B1 MAC) Binding Response B2 (B2 MAC) Attack Detected No WLAN Access Crypto Binding Inner EAP Method Keys Tunnel Keys Derived Binding Phase Exchange Crypto Binding

13 March 17, 2003 IETF #56, SAN FRANCISCO13 Solution Approaches Add Binding Phase to EAP base protocol or Tunnel Protocol –Already need for protected success/failure indication identified –Binding Phase exchange can also include the protected success/failure indication –Method Key export interface available –Cryptographic binding can give stronger keys Add Policy rules to Client and Server –Provides fix for non-key deriving methods

14 March 17, 2003 IETF #56, SAN FRANCISCO14 Conclusion/Next Steps Conclusion –Request approval for draft as EAP working group item Next Steps –Close on some of the outstanding Issues on EAP Issues list –Catalog new issues from comments on mailing list

15 March 17, 2003 IETF #56, SAN FRANCISCO15 References “Compound Authentication Binding Problem”, Puthenkulam, J., Lortz, V., Palekar, A., Simon, D., http://www.ietf.org/internet-drafts/draft- puthenkulam-eap-binding-02.txthttp://www.ietf.org/internet-drafts/draft- puthenkulam-eap-binding-02.txt “Man-in-the-Middle in Tunnelled Authentication Protocols”, Asokan, N.,Niemi, V., Nyberg, K., http://eprint.iacr.org/2002/163/ http://eprint.iacr.org/2002/163/

16 March 17, 2003 IETF #56, SAN FRANCISCO16 Backup

17 March 17, 2003 IETF #56, SAN FRANCISCO17 Tunneled Methods Generic Model Terminology Tunnel endpoint is authentication ”agent” Authentication protocol endpoint is authentication ”server” ”Front-end” authenticator is end of access link to be authenticated Agent and Server may be co-located ClientAuthenticationAgentAuthenticationServer Stage 1: Tunnel Method Server authenticated for secure tunnel establishment Stage 2: Client Authentication Method Performs Client/User Authentication secure tunnel Front-endauthenticator Ciphered Link Tunnel Keys

18 March 17, 2003 IETF #56, SAN FRANCISCO18 Sequenced Methods Generic Model ClientAuthentication Agent 1 Authentication Agent 2 Protocol Sequence 1 Client AND/OR Server Authentication Protocol Sequence 2 Client AND/OR Server Authentication Front-endauthenticatorAuthenticationServer Protocol Sequence N Client AND/OR Server Authentication …. … Session Keys (Which method ?) Ciphered Link Terminology ”Front-end” authenticator is end of access link to be authenticated Intermediate endpoint in sequence is an authentication ”agent” Final authentication endpoint is authentication ”server” Agents and Server may be co-located.

Download ppt "March 17, 2003 IETF #56, SAN FRANCISCO1 Compound Authentication Binding Problem (EAP Binding Draft) Jose Puthenkulam Intel Corporation ("

Similar presentations

Authentication.

Authentication.
Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Doc.: IEEE 802.11-00/087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.

Doc.: IEEE /087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Doc.: IEEE 802.11-01/039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE802.11 System Submitted to IEEE802.11.

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.

EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.
Version 1 of EAP-TTLS draft-ietf-pppext-eap-ttls-05.txt Paul Funk Funk Software.

Version 1 of EAP-TTLS draft-ietf-pppext-eap-ttls-05.txt Paul Funk Funk Software.
Omniran-13-0040-00-0000 1 3GPP Trusted WLAN Access to EPC Use Case Analysis Date: 2013-05-15 Authors: NameAffiliationPhoneEmail Max RiegelNSN+49 173 293.

Omniran GPP Trusted WLAN Access to EPC Use Case Analysis Date: Authors: NameAffiliationPhone Max RiegelNSN
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Doc.: Submission, Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the 802.15.4 Network.

Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.
1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.

1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Jesse Walker, 802.11 keying requirements1 Suggested 802.11 Keying Requirements Jesse Walker Intel Corporation

Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).

Similar presentations

Ads by Google