Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.

1 Analysis of the 802.11i 4-Way Handshake. Changhua He, John C Mitchell. 2004 ACM International Workshop on Wireless Security (WiSe'04). Sang-Rok Kim, Dependable Software Lab at KAIST

2 2/22 Dependable S/W Lab Contents: Introduction, 4-Way Handshake, Problem Statement, Countermeasures, Conclusion

3 Introduction: Vulnerability

4 Introduction: IEEE 802.11i
- Ratified on June 24, 2004
- Secure data communication over wireless links
  - WEP (Wired Equivalent Privacy)
  - TKIP (Temporal Key Integrity Protocol)
  - CCMP (Counter-mode/CBC-MAC Protocol)
- RSNA (Robust Security Network Association) Conversation
- Handshake
- Three entities of RSN
  - Supplicant (Station)
  - Authenticator (Access Point)
  - Authentication Server (RADIUS)

5 Introduction: RSNA Conversation (diagram labels: IEEE 802.11 & 11i; IEEE 802.1X; IEEE 802.11i Handshake; keys MSK, PMK, PTK)

6 4-Way Handshake: RSNA Conversation (diagram labels: Authentication Server, Supplicant, Authenticator; UnAuth/UnAssoc, 802.1X Blocked, No Key; UnAuth/UnAssoc, 802.1X Blocked, No Key)

7 4-Way Handshake: RSNA Conversation (diagram labels: Authentication Server, Supplicant, Authenticator; Auth/Assoc, 802.1X Blocked, No Key; Auth/Assoc, 802.1X Blocked, No Key; step: Association)

8 4-Way Handshake: RSNA Conversation (diagram labels: Authentication Server, Supplicant, Authenticator; Auth/Assoc, 802.1X Blocked, MSK; Auth/Assoc, 802.1X Blocked, No Key; MSK; steps: Association, EAP/802.1X/RADIUS Authentication)

9 4-Way Handshake: RSNA Conversation (diagram labels: Authentication Server, Supplicant, Authenticator; Auth/Assoc, 802.1X Blocked, PMK; Auth/Assoc, 802.1X Blocked, PMK; No Key; steps: Association, EAP/802.1X/RADIUS Authentication, MSK)

10 4-Way Handshake: RSNA Conversation (diagram labels: Authentication Server, Supplicant, Authenticator; Auth/Assoc, 802.1X UnBlocked, PTK; Auth/Assoc, 802.1X UnBlocked, PTK; No Key; steps: Association, EAP/802.1X/RADIUS Authentication, MSK, 4-Way Handshake)

11 4-Way Handshake: RSNA Conversation (diagram labels: Authentication Server, Supplicant, Authenticator; Auth/Assoc, 802.1X UnBlocked, GTK; Auth/Assoc, 802.1X UnBlocked, GTK; No Key; steps: Association, EAP/802.1X/RADIUS Authentication, MSK, 4-Way Handshake, Group Key Handshake)

12 4-Way Handshake: RSNA Conversation (diagram labels: Authentication Server, Supplicant, Authenticator; Auth/Assoc, 802.1X UnBlocked, PTK/GTK; Auth/Assoc, 802.1X UnBlocked, PTK/GTK; No Key; steps: Association, EAP/802.1X/RADIUS Authentication, MSK, 4-Way Handshake, Group Key Handshake, Data Communication)

13 4-Way Handshake: RSNA Conversation (diagram labels: Authentication Server, Supplicant, Authenticator; Auth/Assoc, 802.1X UnBlocked, PTK; Auth/Assoc, 802.1X UnBlocked, PTK; No Key; steps: Association, EAP/802.1X/RADIUS Authentication, MSK, 4-Way Handshake)
Messages of the 4-Way Handshake, in order:
- {AA, ANonce, sn, msg1, PMKID}
- {SPA, SNonce, sn, msg2, MIC, RSN IE}
- {AA, ANonce, sn+1, msg3, MIC, AA RSN IE, GTK}
- {SPA, sn+1, msg4, MIC}
Legend:
- AA/SPA: MAC address
- Nonce: random value
- sn: sequence number
- MIC: Message Integrity Code

14 Problem Statement: Simplified 4-Way Handshake
(diagram labels: Supplicant, Authenticator; Auth/Assoc, 802.1X UnBlocked, PTK on both sides)
Messages, in order:
- {ANonce, msg1}
- {SNonce, msg2, MIC}
- {ANonce, msg3, MIC}
- {msg4, MIC}
Analysis:
- Murφ modeling
  - Finite-state verification
- Modeling result
  - Ignored fields: PMKID, RSN IE, GTK
  - Necessary fields: Message Flag, Nonce
  - Redundant fields: Sequence Number, MAC address
  - Exclusive supplicant and authenticator
  - Fresh Nonce

15 Problem Statement: DoS Attack
(diagram labels: Supplicant, Authenticator; Auth/Assoc, 802.1X Blocked, PMK on both sides)
Diagram content, in the order it appears:
- {ANonce, msg1}
- {SNonce, msg2, MIC}
- {ANonce, msg3, MIC}
- {msg4, MIC}
- PTK Derived
- Attack: {AA, ANonce, msg1}
- 802.1X UnBlocked, PTK (both sides)
- PTK' Derived
- PTK' ≠ PTK
- Blocked & Fail

16 Problem Statement: DoS Attack
- Solution?
  - Store TPTK / PTK: cannot correctly verify the MIC in Msg3
  - Keep all states for every Msg1: Mess Forged Attack (Mem/CPU exhaustion)
- Inherent cause of the attack
  - Authenticator can discard an unexpected response
  - Supplicant cannot do so: discarding could cause deadlock and block the protocol
  - Supplicant must allow any Msg1 (Parallel Instance)
- Limitation of the attack
  - Dynamic PMKID: attacker can forge Msg1 after reading Msg1
  - EAPOL-Key format limits the attacks to occur only before the first PTK establishment
  - Attack can occur only after reading Msg1 and before establishing the first handshake

17 Countermeasures: Random-Drop Queue
- A queued state is randomly replaced by the new state if the queue is filled

18 Countermeasures: Message 1 Authentication
- Add a MIC to msg1
  - Reuse the shared PMK
  - Set Nonce to a specific value (e.g., 0)
  - Derive a trivial PTK
  - Calculate the MIC with the derived PTK
- Limitation
  - If PSK or cached PMK? Vulnerable to replay attack
- Repaired countermeasure
  - Add an SN that increases monotonically
  - Use local time as SN
- Weakness of this countermeasure
  - Modification of the packet format

19 Countermeasures: Nonce Re-use
- Reuse Nonce
  - Supplicant reuses the value of SNonce until a legitimate handshake is completed successfully
  - Nonce is not updated
  - No requirement for the Authenticator to reuse ANonce
  - Eliminates the memory DoS attack
- Limitation
  - More computation on the supplicant side
  - Fixed SNonce: easy guessing of the PMK
- Weakness of this countermeasure
  - CPU exhaustion attack

20 Countermeasures: Proposal
- Combination of countermeasures
  - Reuse SNonce
  - Store PTK and ANonce of the first Msg1
  - If stored ANonce = received ANonce in Msg3, use PTK
  - If stored ANonce ≠ received ANonce in Msg3, calculate new PTK
Diagram content, in the order it appears:
- {AA, ANonce, msg1}
- {SNonce, msg2, MIC}
- {ANonce, msg3, MIC}
- {msg4, MIC}
- PTK Derived; Store PTK, ANonce
- PTK Derived
- Attack: {AA, ANonce, msg1}
- ANonce ≠ ANonce: PTK' Derived, use derived PTK
- ANonce = ANonce: use stored PTK
- Calculate MIC

21 Countermeasures: Proposal
- Combination of countermeasures
  - Reuse SNonce
  - Store PTK and ANonce of the first Msg1: eliminates the memory exhaustion attack
  - If stored ANonce = received ANonce, use PTK
  - If stored ANonce ≠ received ANonce, calculate new PTK: eliminates the CPU exhaustion attack
  - No modification of the packet format
- Adopted by TGi
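
The combined countermeasure from slides 20 and 21, set against the DoS scenario of slide 15, as an added Python sketch (not code from the paper or the slides). The PTK derivation follows the 802.11i HMAC-SHA1 PRF; the MIC is computed over a toy message body instead of a real EAPOL-Key frame, and the `Supplicant` class, the function names, the PMK and the MAC addresses are constructed for illustration.

```python
import hashlib, hmac, os

def derive_ptk(pmk, aa, spa, anonce, snonce, length=48):
    # 802.11i PRF: HMAC-SHA1(PMK, label || 0x00 || data || counter) blocks
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range((length + 19) // 20))
    return b"".join(blocks)[:length]

def mic(ptk, body):
    # KCK = first 16 bytes of the PTK; body is a toy stand-in for the EAPOL-Key frame
    return hmac.new(ptk[:16], body, hashlib.sha1).digest()[:16]

class Supplicant:  # hypothetical model, not a real driver API
    def __init__(self, pmk, aa, spa, reuse_snonce):
        self.pmk, self.aa, self.spa, self.reuse = pmk, aa, spa, reuse_snonce
        self.snonce = os.urandom(32)
        self.stored = None  # one (ANonce, PTK) entry, so memory stays constant

    def _ptk(self, anonce):
        return derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)

    def on_msg1(self, anonce):
        if not self.reuse:  # original behaviour: fresh SNonce, TPTK overwritten
            self.snonce = os.urandom(32)
            self.stored = (anonce, self._ptk(anonce))
        elif self.stored is None:  # proposal: keep only the first Msg1's entry
            self.stored = (anonce, self._ptk(anonce))
        ptk = self.stored[1] if anonce == self.stored[0] else self._ptk(anonce)
        return self.snonce, mic(ptk, b"msg2" + self.snonce)

    def on_msg3(self, anonce, received_mic):
        if self.reuse and anonce != self.stored[0]:
            ptk = self._ptk(anonce)  # ANonce differs from the stored one: recompute
        else:
            ptk = self.stored[1]     # stored PTK (TPTK in the original behaviour)
        return hmac.compare_digest(mic(ptk, b"msg3" + anonce), received_mic)

def handshake_completes(reuse_snonce, forged_first=False):
    # Constructed PMK and MAC addresses; returns True if the Msg3 MIC verifies
    pmk, aa, spa = bytes(range(32)), bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    sup, anonce = Supplicant(pmk, aa, spa, reuse_snonce), os.urandom(32)
    if forged_first:
        sup.on_msg1(os.urandom(32))                    # unauthenticated Msg1 arrives first
    snonce, _ = sup.on_msg1(anonce)                    # legitimate Msg1
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)  # authenticator side, after Msg2
    if not forged_first:
        sup.on_msg1(os.urandom(32))                    # Msg1 with a different ANonce
    return sup.on_msg3(anonce, mic(ap_ptk, b"msg3" + anonce))
```

With `reuse_snonce=False` the Msg3 MIC check fails once an extra Msg1 lands between the legitimate Msg1 and Msg3; with `reuse_snonce=True` it verifies in either arrival order while the supplicant still holds a single stored entry.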

22 Conclusion: IEEE 802.11i
- Conclusions
  - RSNA conversation
  - Simplified protocol by using Murφ
  - DoS attack
  - 3 countermeasures and their effectiveness
  - Proposed solution: Combined Reuse Nonce Solution
  - Advantages
