Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.

Published byEsteban Kinsey Modified over 9 years ago

Similar presentations

Presentation on theme: "Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004."— Presentation transcript:

1 Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004

2 Outline  IEEE 802.11i  RSNA (Robust Security Network Association)  4-Way Handshake (our focus !)  Murφ Verification  Murφ Modeling  Clarifications of the protocol  Forged Message 1 attack  DoS attack & countermeasures  DoS attack in practical implementation  3 possible countermeasures  Conclusion & Future work

3 IEEE 802.11i Standard  Ratified on June 24, 2004  Components  RSNA and Pre-RSNA algorithms  WEP, TKIP included for backward compatibility  CCMP as a long-term solution with hardware upgrade  RSNA Establishment Procedures  Network and Security Capability Discovery  802.11 Open System Authentication and Association  EAP/802.1X/RADIUS Authentication  4-Way Handshake  Group Key Handshake  Secure Data Communications

4 Authentica- tion Server (RADIUS) No Key Authenticator UnAuth/UnAssoc 802.1X Blocked No Key Supplicant UnAuth/UnAssoc 802.1X Blocked No Key Supplicant Auth/Assoc 802.1X Blocked No Key Authenticator Auth/Assoc 802.1X Blocked No Key Authentica- tion Server (RADIUS) No Key 802.11 Association EAP/802.1X/RADIUS Authentication Supplicant Auth/Assoc 802.1X Blocked MSK Authenticator Auth/Assoc 802.1X Blocked No Key Authentica- tion Server (RADIUS) MSK Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK Authentica- tion Server (RADIUS) No Key 4-Way Handshake Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica- tion Server (RADIUS) No Key Group Key Handshake Supplicant Auth/Assoc 802.1X UnBlocked New GTK Authenticator Auth/Assoc 802.1X UnBlocked New GTK Authentica- tion Server (RADIUS) No Key Data Communication Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica- tion Server (RADIUS) No Key RSNA Conversations

5 Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK Authentica- tion Server (RADIUS) No Key The 4-Way Handshake 802.11 AssociationEAP/802.1X/RADIUS Authentication Group Key Handshake Data Communication MSK {AA, ANonce, sn, msg1, PMKID} {SPA, SNonce, SPA RSN IE, sn, msg2, MIC} {AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC} {SPA, sn+1, msg4, MIC} Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica- tion Server (RADIUS) No Key

6 Problem Statement  Assumption  PMK is shared between the Supplicant and the Authenticator  The AS “move” the key materials to the Authenticator  Handshake Goals  Confirm the possession of PMK  Derive a fresh session key for data transmission PTK=PRF{PMK, AA||SPA||ANonce||SNonce}  Analysis  Based on the existing specifications of the 4-way handshake  Mur j verification using “rationale reconstruction”

7 Finite-State Verification... Correctness condition violated  Murφ rules for protocol participants and the intruder define a nondeterministic state transition graph  Murφ will exhaustively enumerate all graph nodes  Murφ will verify whether specified security conditions hold in every reachable node  If not, the path to the violating node will describe the attack

8 Running Murφ Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error Mur j code RFC, IEEE Std. Mur j code, similar for all protocols Specify security conditions and run Mur j

9 Modeling the 4-Way Handshake  Authenticators/Supplicants:  Each authenticator maintain one association with each supplicant, and vice versa  Each association has a uniquely shared PMK  Multiple sequential legitimate handshakes in one association  Intruder  Impersonate both supplicant and authenticator  Eavesdrop, intercept and replay messages  Compose messages with known nonce and MIC  Forge fresh Message 1  Predict and replay nonces for pre-computation of MIC  Rationale reconstruction  Turn on/off fields: nonce, sequence, msg, address

10 Simplified 4-Way Handshake AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC SPA, sn+1, msg4, MIC PTK Derived Random GTK PTK and GTK 802.1X Unblocked PTK and GTK 802.1X Unblocked Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK AA, ANonce, sn, msg1 SPA, SNonce, SPA RSN IE, sn, msg2, MIC

11 Protocol Clarifications  Sequence number, AA, SPA  Essentially redundant  Message flag  Nessary to be included and protected  otherwise could ambiguously use Msg 2 as 3, or vice versa  Exclusive supplicant and authenticator  Otherwise reflection attacks  Fresh nonces  globally unique and unpredictable  Otherwise pre-computation attacks and replay attacks

12 Forged Message 1 Attack AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC SPA, sn+1, msg4, MIC PTK Derived Random GTK PTK and GTK 802.1X Unblocked PTK and GTK 802.1X Unblocked Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK AA, ANonce, sn, msg1 SPA, SNonce, SPA RSN IE, sn, msg2, MIC AA, ANonce, sn, msg1

13 DoS attack  TPTK/PTK solution  Proposed in the documentation  not work for all cases  Keep states for every incoming Message 1  DoS attack: Memory/CPU exhaustion  Like a TCP SYN flooding attack  Interleaving handshakes  Authenticator could only accept expected messages  Supplicant could not do so, must accept Msg 1 in all stages  Parallel handshake instances exist

14 Countermeasures (1) Random-Drop Queue: Randomly drop a stored entry to adopt the state for the incoming Message 1 if the queue is filled. Not so effective

15 Countermeasures (2)  Authenticate Message 1  To reuse the algorithms/hardware, set nonces to special values, e.g., 0, and derive PTK.  Calculate MIC for Msg 1 using the derived PTK  Good solution if PMK is fresh  If PSK and cached PMK, replay attacks !  Add a monotonically increasing global sequence counter  Use local time in authenticator side  Sufficient space in Message 1 ( 8-octet sequence field )  No worry about time synchronization Modifications on packet format

16 Countermeasures (3)  Re-Use Nonce  Supplicant re-use SNonce until one 4-way handshake completes successfully  Derive correct PTK from Message 3  Authenticator may (or may not) re-use ANonce  Solve the problem, but  Attacker might gather more infomation about PMK by playing with Message 1, recall PTK=PRF{PMK, AA||SPA||ANonce||SNonce}  More computations in the supplicant Performance Degradation

17 Our Proposal  Combined solution  Supplicant re-use SNonce  Store one entry of ANonce and PTK for the first Message 1  If nonce in Message 3 matches the entry, use PTK directly; otherwise derive PTK again and use it.  Advantages  Eliminate the memory DoS attack  Ensure performance in “friendly” scenarios  Only minor modifications on the algorithm in the Supplicant No modifications on the packet format  Adopted by TGi  Documentation will be updated once a chance

18 Conclusion & Future Work  Conclusions  Simplified protocol and several clarifications  Parallel instances exist => Forged Message 1 attack  Keep all states => Denial-of-Service attack  3 countermeasures and the effectiveness  Proposed solution Supplicant re-use SNonce to eliminate the vulnerability Supplicant may store one entry of PTK for performance no modifications on the packet format, adopted by TGi  Future Work  A full study of the 802.11i correctness

Download ppt "Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
IEEE 802.11i: A Retrospective Bernard Aboba Microsoft March 2004.

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.
Security Analysis and Improvements for IEEE i

Security Analysis and Improvements for IEEE i
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Analysis and Improvements over DoS Attacks against IEEE 802.11i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.

Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
Security Analysis and Improvements for IEEE 802.11i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.

Security Analysis and Improvements for IEEE i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.
Exploring timing based side channel attacks against 802.11i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction

Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell.

Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell.
802.11i Security Analysis: Can we build a secure WLAN? Changhua He Stanford University March 24 th, 2005

802.11i Security Analysis: Can we build a secure WLAN? Changhua He Stanford University March 24 th, 2005
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
Doc.: IEEE 802.11-11/0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
15 November 2004 1 Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.

15 November Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
802.11i Wireless Networking Authentication Protocol J. Mitchell CS 259.

802.11i Wireless Networking Authentication Protocol J. Mitchell CS 259.

Similar presentations

Ads by Google