Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Pre-Shared Key Authentication for IKE

Published byAlexis Martinez Modified over 10 years ago

Similar presentations

Presentation on theme: "Secure Pre-Shared Key Authentication for IKE"— Presentation transcript:

1 Secure Pre-Shared Key Authentication for IKE
draft-harkins-spsk-auth-00.txt Dan Harkins Aruba Networks

2 Use of PSKs Today The shared key “needs to contain as much unpredictability as the strongest key being negotiated” (§ 2.15). In other words long, hard to remember and error-prone to provision: 128 bits of unpredictability is going to be a user-generated string whose length is over 100 characters from a 94 character alphabet! (see NIST SP ) Humans have a hard time entering a string of more than 12 characters repeatedly without error. Where shared key authentication is used with IKE today it is (with high probability) insecure because no one does long, hard to remember, and error prone very well. Simple shared keys are very popular and will continue to be used because they are easy to provision. The easiest and most appealing use of PSKs with IKE is insecure.

3 Why is the Existing Scheme Insecure?
The problem is both IKEv1 and IKEv2 are not resistant to dictionary attack. The exchange leaks information about the secret. An attacker need see only one exchange to have enough information to run through all possible pre-shared keys until it she finds the right one. Making the pre-shared key a uniformly random 128-bit blob only makes the dictionary attack unlikely to succeed, it does not make the protocol resistant to a dictionary attack. Moore’s law implies these attacks will take less and less time and the years go on. Security is based on assumptions about the expertise of administrators (not good practice). IKEv1 doesn’t really do PSK authentication well.

4 The Solution: Zero Knowledge Proof
An active attack leaks a single bit of information: whether the guess of the PSK was right or wrong. A passive attack leaks nothing. Advantage is achieved through interaction and not computation– resistant to dictionary attack! The attacker gets one and only one guess at the pre-shared key per active attack. Failed active attacks are trivially noticed and countermeasures can be taken. Moore’s law does not affect this. Security can be achieved even in the presence of weak PSKs, such as user-generated passwords.

5 What are the Practical Effects?
Imagine a randomly-chosen 4 character PSK using only lower-case English letters: or 456,976-- different possible PSKs. Existing PSK authentication: one attack and a couple minutes of number crunching to find PSK Secure PSK authentication: tens of thousands of active attacks necessary before a significant chance of finding the PSK. Countermeasures can make this take months, or even make it highly improbable, to succeed. Robust and misuse-resistant cryptography! The security is no longer based on unrealistic assumptions about the expertise of administrators. Security can be achieved even when deployed “incorrectly”. PSKs can be used practically and realistically. Provisioning UI can be simple.

6 Secure PSK Authentication in IKEv2
HDR, SAi1, KEi, Ni HDR, SAr1, KEr, Nr HDR, SK {IDi, Commit [, IDr], SAi2, TSi, TSr } HDR, SK {IDr, Commit, Confirm} HDR, SK {Confirm, AUTH} HDR, SK {AUTH, SAr2, TSi, TSr}

7 Why Not Just Use EAP? For use cases in § 1.1.1 and 1.1.2
EAP is a client-server protocol. If both sides can initiate there are no strict client and server roles. Need to implement both client-side and server-side EAP. There is no “User” as shown in draft-eronen-ipsec-ikev2-eap-auth. Each side must possess the shared secret– no AAA server for scaling benefit. AAA servers don’t operate as EAP clients. Security is based on “I know the secret” not “I know someone who knows someone who knows the secret.” EAP would just be a pointless encapsulation Implementations would be forced to implement both EAP client and EAP server state machines. More, unnecessary, messages (12 vs. 6). EAP fragmentation? EAP is still an option for other use cases For any asymmetric authentication or authentication using a credential other than a secret shared by both IKE peers. Where there are client and server roles and/or a AAA server is probable. Where there is a “User”.

8 OK, But Why? This should be done… …in this working group
The existing PSK mode of IKE(v2) is (becoming more) insecure. With this proposal security becomes an integral part of IKE(v2) and not a contingency that is dependent on how the protocol is deployed. This is a secure alternative that uses PSKs in the natural manner in which we all know they are, and will continue to be, used. Even if large random numbers are used as the PSK, this is still a better, more secure, exchange. …in this working group There are choices to make that would benefit from the cryptographic and implementer expertise in this group It needs vetting by the group to ensure that it solves the problem in the best possible way. The devil is in the details and there are important details that this WG should work on to ensure it’s done right.

9 Thank You!

Download ppt "Secure Pre-Shared Key Authentication for IKE"

Similar presentations

Securing Passwords against Dictionary Attacks

Securing Passwords against Dictionary Attacks
Doc.: IEEE 802.11-09/0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced 802.11 Security Date: 2009-03-13 Authors:

Doc.: IEEE /0413r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 A Study Group for Enhanced Security Date: Authors:
Doc.: IEEE 802.11-08/1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: 2008-11-10 Authors:

Doc.: IEEE /1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: Authors:
1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
EAP-Only Authentication in IKEv2 draft-eronen-ipsec-ikev2-eap-auth

EAP-Only Authentication in IKEv2 draft-eronen-ipsec-ikev2-eap-auth
Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Doc.: IEEE 802.11-02/689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.

Doc.: IEEE /689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Cryptanalysis of a Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol Source: Information Sciences in review Presenter: Tsuei-Hung.

Cryptanalysis of a Communication-Efficient Three-Party Password Authenticated Key Exchange Protocol Source: Information Sciences in review Presenter: Tsuei-Hung.
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.

Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.

What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.

Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.
Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: 2012-10-30 Authors:

Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: Authors:
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Similar presentations

Ads by Google