Presentation is loading. Please wait.

Presentation is loading. Please wait.

N. Asokan, Kaisa Nyberg, Valtteri Niemi Nokia Research Center

Published byDwight Snow Modified over 9 years ago

Similar presentations

Presentation on theme: "N. Asokan, Kaisa Nyberg, Valtteri Niemi Nokia Research Center"— Presentation transcript:

1 N. Asokan, Kaisa Nyberg, Valtteri Niemi Nokia Research Center
Man-in-the-middle in Tunnelled Authentication Cambridge Security Protocols Workshop, April 2003 N. Asokan, Kaisa Nyberg, Valtteri Niemi Nokia Research Center

2 A tale of two protocols In the beginning..
an authentication method is designed and deployed for some need user credentials are provisioned, at great expense ..then a framework protocol is developed; to transparently support multiple authentication methods authentication methods are plugged in to the framework .. new applications arise; framework doesn’t quite do the job missing bits: session keys, mutual authentication, identity privacy designing a new protocol is not a desirable option provisioning new credentials is even less desirable Use it with another protocol that provides missing features

3 AKA and EAP/AKA: example authentication protocol
AKA: authentication and key agreement protocol for 3GPP mutual authentication, session key derivation EAP: an authentication framework supports multiple authentication mechanisms EAP/AKA: plugging AKA into EAP allows WLAN access authentication using cellular credentials User Equipment Serving Network Home Environment IMSI Request IMSI IMSI RAND K SQN RAND K AUTN RAND,AUTN,XRES,IK,CK RAND, AUTN XRES AUTN CK IK Is SQN fresh? RES RES SQN CK IK RES = XRES?

4 PEAP: example of tunnelled authentication
Ciphersuite (for link layer) Ciphersuite (for link layer) Server-authenticated tunnel Client NAS Backend Server EAP conversation over PPP or link Keys Trust EAP API EAP API EAP Method EAP Method

5 Tunnelled authentication
Client Front-end authenticator Backend Server (Tunnel authentication) Backend Server (Legacy authentication) Tunnelling protocol Server authenticated secure tunnel establishment secure tunnel Authentication protocol Client authentication

6 The same tale in different guises
PIC - ISAKMP and EAP: provisioning credentials based on legacy authentication IKEv2 Secure Legacy Authentication PANA over TLS: Authentication for Network Access HTTP Digest Authentication and TLS

7 PEAP with EAP/AKA NAS Backend Backend Client Server Server
(Front-end authenticator) Backend Server (TLS Authentication) Backend Server (AKA Authentication) Establishing a PEAP tunnel (server authenticated) EAP-Request/Identity PEAP Part 1 – TLS based on server certificate secured by PEAP TLS tunnel TLS(EAP-Request/Identity) TLS(EAP-Response/Identity(IMSI)) IMSI [e.g., over DIAMETER] RAND,AUTN,XRES,IK,CK [e.g., over DIAMETER] TLS(EAP-Request/AKA-Challenge (RAND, AUTN)) TLS(EAP-Response/AKA-Challenge (RES, …)) WLAN master session key (based on TLS tunnel key) Data traffic on secured link

8 MitM against PEAP+EAP/AKA
Client MitM NAS (Front-end Authenticator) Backend Server (TLS Authentication) Backend Server (AKA Authentication) Establishing a PEAP tunnel (server authenticated) EAP-Request/Identity PEAP Part 1 – TLS based on server certificate secured by PEAP TLS tunnel TLS(EAP-Request/Identity) IMSI Request IMSI TLS(EAP-Response/Identity(IMSI)) IMSI [e.g., over DIAMETER] RAND,AUTN,XRES,IK,CK [e.g., over DIAMETER] TLS(EAP-Request/AKA-Challenge (RAND, AUTN)) RAND, AUTN RES TLS(EAP-Response/AKA-Challenge (RES)) WLAN master session key (based on TLS tunnel key only) Stolen WLAN link

9 Conditions for failure
Same credential used in both tunnelled & untunnelled modes Tunnelling protocol does not perform mutual authentication Keys from authentication protocol not used for subsequent protection

10 Fixing the problem Enforcing that same credential is not used in both modes maybe feasible in some cases not exactly “legacy authentication” anymore server authentication brings in new problems unnecessary restriction on strong authentication methods Require mutual authentication in tunnelling protocol if that is possible, no need for tunnelling in the first place Cryptographically bind tunnelling and authentication protocol binding can be explicit or implicit requires authentication protocol to provide a key to be used in binding requires changes to tunnelling protocol or framework does not improve the security of weak authentication protocols

11 Current status Some authors of tunnel proposals informed in October 2002 General agreement that this is indeed a problem opinions differ on what the solution should be Subsequent changes to several proposals to reduce the impact of the problem EAP/AKA (v-05) PEAP (v-06) IKEv2 (v-05) PANA over TLS (v-01)  PANA (v-00) EAP SIM GMM  EAP binding

12 Are there any lessons here?
This is all obvious, at least in hindsight So why did it happen? re-use of credentials is unavoidable in practice re-use of protocols is also unavoidable in practice framework equalizes all authentication methods mutual authentication, key agreement etc. not visible tools for/knowledge of protocol validation not accessible to designers

Download ppt "N. Asokan, Kaisa Nyberg, Valtteri Niemi Nokia Research Center"

Similar presentations

Authentication.

Authentication.
Doc.: IEEE 802.11-01/039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE802.11 System Submitted to IEEE802.11.

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.

PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.
EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.

EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Company Confidential 1 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials Pre-Shared Key TLS with GBA support Thesis presentation 22.4.2008 ESPOO, Finland.

Company Confidential 1 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials Pre-Shared Key TLS with GBA support Thesis presentation ESPOO, Finland.
Myagmar, Gupta UIUC 2001 1 3G Security Principles Build on GSM security Correct problems with GSM security Add new security features Source: 3GPP.

Myagmar, Gupta UIUC G Security Principles Build on GSM security Correct problems with GSM security Add new security features Source: 3GPP.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Doc.: IEEE 802.11-04/0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.

Doc.: IEEE /0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.
SIPPING IETF51 3GPP Security and Authentication Peter Howard 3GPP SA3 (Security) delegate

SIPPING IETF51 3GPP Security and Authentication Peter Howard 3GPP SA3 (Security) delegate
1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.

1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.
Ubiquitous Access Control Workshop 1 7/17/06 Access Control and Authentication for Converged Networks Z. Judy Fu John Strassner Motorola Labs {judy.fu,

Ubiquitous Access Control Workshop 1 7/17/06 Access Control and Authentication for Converged Networks Z. Judy Fu John Strassner Motorola Labs {judy.fu,
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
Protected Extensible Authentication Protocol

Protected Extensible Authentication Protocol
Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP 802.3802.5802.11 802.1x EAP API.

Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP x EAP API.
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,

WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,
CONTEXT BINDING: An Emerging Problem in Cryptographic Protocols Catherine Meadows Naval Research Laboratory Code 5543 Washington, DC 20375

CONTEXT BINDING: An Emerging Problem in Cryptographic Protocols Catherine Meadows Naval Research Laboratory Code 5543 Washington, DC 20375

Similar presentations

Ads by Google