
Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell.


1 Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell Stanford University (Ante Derek, Changhua He, Mukund Sundararajan) UIUC, MIT, Stanford, UCSB, UCLA MURI: 3-Year Review June 22, 2005 Sponsored by DDR&E and AFOSR Program manager Lt Col Sharon Heise

2 Communications/Verification Robotic Vehicles Computing & Verification Control & Information Theory Communications

3 Computational models Timed Probabilistic State-transition models Logic-based models Basic Asynchronous Hybrid Program-based models Features Approaches

4  State-transition models  Finite-state machines, Turing machines  I/O automata  Logic-based models  Before/after conditions  Temporal logic  First-order state predicates:        Modal operators: Always , Eventually   Program-based models  Process calculi

5 Security Analysis at Stanford
- State-transition Models
  - Murphi model-checking [Mitchell, Shmatikov et al]
- Logic-based Models
  - Protocol Logic [Datta, Derek, Durgin, Mitchell, Pavlovic]
    - Composition theorems (assume-guarantee paradigm)
    - Relationship to Lynch’s project (compositional reasoning)
  - Computational Protocol Logic [Datta, Derek, Mitchell, Shmatikov, Turuani]
    - Probability, complexity
    - Symbolic reasoning about complexity-theoretic cryptography
- Program-based Models
  - Probabilistic Polytime Process Calculus [Mitchell, Ramanathan, Scedrov, Teague]
    - Relationship to Lynch’s project (I/O Automata) – preliminary results [Datta, Kuesters, Mitchell, Ramanathan]

6 Secure Wireless Networking
- Wireless Security Overview
  - Wireless threats
  - IEEE 802.11i
- Murphi Analysis of 4-Way Handshake [He, Mitchell]
  - Breaking and Fixing IEEE 802.11i Standard
- Modular Proof of 802.11i using Protocol Logic [He, Sundararajan, Datta, Derek, Mitchell]
- 802.11i and Ad Hoc Routing Security [He, Mitchell]

7 Human Interface Devices Synchronization Dial-Up Networking Printing Cellular Network Mobile Data Services WiMAX 802.11 WLAN Bluetooth PAN Public Internet Home/Office Hands-free Speakerphone Hands-free Headset Wireless Everything Outdoor 802.16 BS

8 Wireless Threats
- Passive Eavesdropping/Traffic Analysis
  - Easy: most wireless NICs have a promiscuous mode, and a cheap man-made antenna can enlarge the signal range greatly
- Message Injection/Active Eavesdropping
  - Easy: some techniques generate any packet with a common NIC, or exploit MAC cooperation to interfere in a timely way
- Message Deletion and Interception
  - Possible: interfere with packet reception using directional antennas
- Masquerading and Malicious AP
  - Easy: MAC addresses are forgeable and software is available (HostAP)
- Session Hijacking
- Man-in-the-Middle
- Denial-of-Service (DoS)

9 Wireless Security Evolution
[Walker00], [Wagner01], [Arbaugh et al 01], [Arbaugh02], [FMS01] …
- 802.11 WEP (Wired Equivalent Protocol)
  - Authentication: Open System (SSID) or Shared Key
  - Authorization: some vendors use MAC address filtering
  - Confidentiality/Integrity: RC4 + CRC
  - Completely insecure – bad use of good crypto
- WPA: Wi-Fi Protected Access
  - Authentication: 802.1X
  - Confidentiality/Integrity: TKIP
  - Reuses the legacy hardware, still problematic
- IEEE 802.11i (Ratified on June 24, 2004)
  - Mutual authentication, e.g., EAP-TLS/802.1X/RADIUS
  - Data confidentiality and integrity: CCMP (believed secure)
  - Key management protocols

10 802.11i: RSNA Procedures
Stages: 802.11 Association, EAP/802.1X/RADIUS Authentication, 4-Way Handshake, Group Key Handshake, Data Communication.
Successive states shown on the slide (Supplicant | Authenticator | Authentication Server (RADIUS)):
- UnAuth/UnAssoc, 802.1X Blocked, No Key | UnAuth/UnAssoc, 802.1X Blocked, No Key | No Key
- Auth/Assoc, 802.1X Blocked, No Key | Auth/Assoc, 802.1X Blocked, No Key | No Key
- Auth/Assoc, 802.1X Blocked, MSK | Auth/Assoc, 802.1X Blocked, No Key | MSK
- Auth/Assoc, 802.1X Blocked, PMK | Auth/Assoc, 802.1X Blocked, PMK | No Key
- Auth/Assoc, 802.1X UnBlocked, PTK/GTK | Auth/Assoc, 802.1X UnBlocked, PTK/GTK | No Key
- Auth/Assoc, 802.1X UnBlocked, New GTK | Auth/Assoc, 802.1X UnBlocked, New GTK | No Key
- Auth/Assoc, 802.1X UnBlocked, PTK/GTK | Auth/Assoc, 802.1X UnBlocked, PTK/GTK | No Key

11 Roadmap
- Wireless Security Overview
  - Wireless threats
  - IEEE 802.11i
- Murphi Analysis of 4-Way Handshake [He, Mitchell]
  - Breaking and Fixing IEEE 802.11i Standard
- Modular Proof of 802.11i using Protocol Logic [He, Sundararajan, Datta, Derek, Mitchell]
- 802.11i and Ad Hoc Routing Security [He, Mitchell]

12 Murphi Protocol Verification
[Diagram labels: Intruder Model; Analysis Tool; Formal Protocol; Informal Protocol Description; Find error/Diagnose]
- Informal Protocol Description: RFC, IEEE Std.
- Formal Protocol: Murφ code
- Intruder Model: Murφ code, similar for all protocols
- Analysis Tool: set initial states, specify security conditions, run Murφ

13 The 4-Way Handshake
Stages shown: 802.11 Association, EAP/802.1X/RADIUS Authentication (MSK), 4-Way Handshake, Group Key Handshake, Data Communication.
- Message 1: {AA, ANonce, sn, msg1, PMKID}
- Message 2: {SPA, SNonce, SPA RSN IE, sn, msg2, MIC}
- Message 3: {AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC}
- Message 4: {SPA, sn+1, msg4, MIC}
State after the handshake: Supplicant Auth/Assoc, 802.1X UnBlocked, PTK/GTK; Authenticator Auth/Assoc, 802.1X UnBlocked, PTK/GTK; Authentication Server (RADIUS) No Key.

14 AA, ANonce, sn, msg1 4-Way Handshake Blocking AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC PTK Derived Random GTK PTK and GTK 802.1X Unblocked PTK and GTK 802.1X Unblocked Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK SPA, sn+1, msg4, MIC AA, ANonce, sn, msg1 SPA, SNonce, SPA RSN IE, sn, msg2, MIC AA, ANonce, sn, msg1 AA, ANonce[1], sn, msg1 AA, ANonce[n], sn, msg1

15 4-Way Blocking Attack
- Requirement:
  - Must allow wireless station to start more than one session to provide robustness against packet loss.
- Problem:
  - Message 1 can be forged (not authenticated)
  - Attacker can start many sessions by sending forged message 1’s to wireless station
  - Memory DoS attack: memory exhausted by state maintained for these sessions
  - Similar to TCP SYN flooding attack

16 4-Way Blocking: Solution
- Solution
  - Wireless station (supplicant) re-uses its nonce
  - No additional state per session
  - Store one entry of ANonce and PTK for the first Message 1
  - If nonce in Message 3 matches the entry, use PTK directly; otherwise compute PTK again and use it.
- Advantages
  - Eliminates the memory DoS attack
  - Ensures performance in “friendly” scenarios
  - Only minor modification to the Supplicant algorithm
  - No modification to the packet format
- Adopted by IEEE TGi
- Simple solution, but not immediate
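
The supplicant-side state handling from slides 15 and 16, as an added sketch that is not code from the presentation or from the 802.11i standard. Assumptions: `derive_ptk` uses a single HMAC-SHA1 call as a stand-in for the 802.11i PRF, the Message 2 MIC and the replay counter `sn` are omitted, and all class and function names are hypothetical.

```python
import hashlib, hmac, os

def derive_ptk(pmk, aa, spa, anonce, snonce):
    # Assumption: one HMAC-SHA1 call stands in for the 802.11i PRF.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk, b"Pairwise key expansion" + data, hashlib.sha1).digest()

def mic(ptk, body):
    return hmac.new(ptk[:16], body, hashlib.sha1).digest()[:16]  # keyed with PTK[:16]

class NaiveSupplicant:
    """Pre-fix behaviour: fresh SNonce and a stored PTK per Message 1."""
    def __init__(self, pmk, aa, spa):
        self.pmk, self.aa, self.spa = pmk, aa, spa
        self.sessions = {}  # ANonce -> (SNonce, PTK); grows without bound
    def on_msg1(self, anonce):
        snonce = os.urandom(32)
        ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, snonce)
        self.sessions[anonce] = (snonce, ptk)
        return snonce

class FixedSupplicant:
    """Slide 16: one SNonce per handshake, one cached (ANonce, PTK) entry."""
    def __init__(self, pmk, aa, spa):
        self.pmk, self.aa, self.spa = pmk, aa, spa
        self.snonce = os.urandom(32)
        self.entry = None  # filled by the first Message 1 only
    def on_msg1(self, anonce):
        if self.entry is None:
            ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)
            self.entry = (anonce, ptk)
        return self.snonce  # the same nonce goes into every Message 2
    def on_msg3(self, anonce, body, tag):
        if self.entry and self.entry[0] == anonce:
            ptk = self.entry[1]  # friendly case: reuse the cached PTK
        else:  # cached entry came from another Message 1: recompute
            ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)
        return ptk if hmac.compare_digest(mic(ptk, body), tag) else None

def simulate(n_unauth=1000):
    pmk, aa, spa = os.urandom(32), b"\x02" * 6, b"\x04" * 6  # constructed values
    naive, fixed = NaiveSupplicant(pmk, aa, spa), FixedSupplicant(pmk, aa, spa)
    for _ in range(n_unauth):  # unauthenticated Message 1s arrive first
        naive.on_msg1(os.urandom(32))
        fixed.on_msg1(os.urandom(32))
    anonce = os.urandom(32)  # the real authenticator's Message 1
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, fixed.on_msg1(anonce))
    got = fixed.on_msg3(anonce, b"msg3", mic(ap_ptk, b"msg3"))
    return len(naive.sessions), got == ap_ptk
```

`simulate()` returns the number of entries the pre-fix supplicant is holding and whether the fixed supplicant, which holds a single entry throughout, still agrees on the PTK with the real authenticator.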

17 Summary of Vulnerabilities
Attacks and solutions:
- 4-way handshake blocking: re-use supplicant nonce, eliminate memory DoS. Adopted by IEEE TGi.
- reflection attack: each participant plays the role of either authenticator or supplicant; if both, use different PMKs. Important for deployment in ad hoc network setting.
- attack on Michael countermeasures: cease connections for a specific time instead of re-key and deauthentication; update TSC before MIC and after FCS, ICV are validated.
- RSN IE poisoning: authenticate Beacon and Probe Response frame; confirm RSN IE in an earlier stage; relax the condition of RSN IE confirmation.
- security rollback: supplicant manually chooses security; authenticator restricts pre-RSNA to only insensitive data.

18 Roadmap
- Wireless Security Overview
  - Wireless threats
  - IEEE 802.11i
- Murphi Analysis of 4-Way Handshake [He, Mitchell]
  - Breaking and Fixing IEEE 802.11i Standard
- Modular Proof of 802.11i using Protocol Logic [He, Sundararajan, Datta, Derek, Mitchell]
- 802.11i and Ad Hoc Routing Security [He, Mitchell]

19 Protocol Composition Logic
- Cord calculus
  - Protocol programming language
  - Execution model (Symbolic/Dolev-Yao)
- Protocol logic
  - Expressing security properties
- Proof system
  - Axiomatically proving security properties
- Soundness Theorem – every provable formula is true

20 802.11i: Staged Composition
- Control Flow
  - Intended run is sequential
  - Different Failure Recovery mechanisms can be implemented for efficiency
  - Periodically update Group Key, PTK, PMK (omit here)
- Hybrid modes
  - Pre-Shared Key (PSK) used directly instead of EAP authentication methods
  - Cached PMK might be used for mobile users
  - Alternatives for EAP-TLS, e.g., PEAP, LEAP
[Diagram: stages EAP-TLS, 4-Way, Group Key, Data Transmission; keys PMK, PTK, GTK]

21 802.11i Proof Structure Step 1.  i,  j |- θ i [P i ] X  i Separate proof of individual components TLS, 4-Way, and Group Key Handshake; Step 2.  i, j, Q i |-  j Necessary invariants are satisfied by all components; Step 3.  i,  i  θ i+1 The postcondition of TLS implies precondition of 4-Way; postcondition of 4-Way implies precondition of Group Key; Step 4.  i, θ i [B] X θ i The preconditions of each component are preserved by subsequent components. Applying the Staged Composition Theorem, 802.11i is secure.

22 Roadmap
- Wireless Security Overview
  - Wireless threats
  - IEEE 802.11i
- Murphi Analysis of 4-Way Handshake [He, Mitchell]
  - Breaking and Fixing IEEE 802.11i Standard
- Modular Proof of 802.11i using Protocol Logic [He, Sundararajan, Datta, Derek, Mitchell]
- 802.11i and Ad Hoc Routing Security [He, Mitchell]

23 Ad Hoc Routing Security
- Secure routing is important in ad hoc networks
- Previous work: common routing + cryptographic improvements
  - Most proposals based on on-demand (reactive) routing
  - No false route accepted
- Common problems
  - Many secure routing protocols are complicated
  - Some attacks are still possible
  - Assume everyone shares keys prior to routing
- Thought
  - 802.11i is supposed to be widely deployed, can we take advantage of that?

24 Observations
- 802.11i provides hop-by-hop security
  - Neighborhood authentication + Identity Binding
  - IPsec or other protocols to provide end-to-end security
- If all good nodes, common routing protocol works
  - Compromised nodes can cause problems
- Link layer security => Local Attacker model
  - Eliminate outside attacker, only inside attacker
  - Reduce global attacker to local attacker
[Figure: example network with nodes B, S, D, F, A, T, C, E]

25 Summary
- Security Analysis Methods:
  - Murφ and PCL effective for analyzing industrial security protocols
- Paradigms:
  - Compositional reasoning
  - Symbolic reasoning about cryptography
- IEEE 802.11i case study
  - Automated study led to improved standard
  - Deployment recommendations also
- IEEE 802.11i and ad hoc routing security
  - Goal: simplify the design of secure routing protocols using link layer security
- More ongoing case studies:
  - Mobile IPv6, IEEE 802.16e

26 Questions?

27 Project Goals
- Establish theory, scalable control algorithms and protocols
- Performance and correctness verifiable with robustness to
  - External uncertainty
  - Malicious attack
  - Rapidly evolving environment

28 Failure Recovery
- Failure recovery is important
  - Can reduce but not eliminate DoS vulnerabilities
- 802.11i adopts a simple scheme
  - Whenever there is a failure, restart from the beginning: inefficient!
- A better failure recovery for 802.11i
  - If 802.1X does not finish, restart everything
  - Otherwise restart from the nearest completed component
  - Difficult to forge an 802.1X authentication
- User moves to another AP after 802.1X authentication?
  - Not a problem, since channel scanning time is significantly larger than the protocol execution time

29 Improved 802.11i Architecture
- Stage 1: Network and Security Capability Discovery
- Stage 2: 802.1X Authentication (mutual authentication, shared secret, cipher suite)
- Stage 3: Secure Association (management frames protected)
- Stage 4: 4-Way Handshake (PMK confirmation, PTK derivation, and GTK distribution)
- Stage 5: Group Key Handshake
- Stage 6: Secure Data Communications
Failure transitions labelled on the diagram: Michael MIC Failure or Other Security Failures; Group Key Handshake Timeout; 4-Way Handshake Timeout; Association Failure; 802.1X Failure.

30 Local Attacker Model
- Local Attacker Model
  - Compromised node or geographic limitations
  - Attacker can only touch its neighbors
- A weaker attacker model
  - Network is not controlled by the attacker
  - If the attacker wants to control the network, it will try to attract all traffic passing through itself
- Secure routing under local attacker model
  - Find good route with high probability
- Idea (informal)
  - Link security + secure routing under local attacker model gives secure routing under global attacker model
- Advantages
  - Decompose secure routing to two problems
  - “Simplify” the secure routing design (802.11i already done)
  - No need for key pre-distribution among everybody

