Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 1 Dominos, bonds and watches: discussion of some security requirements.

Published byBasil Wiggins Modified over 8 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 1 Dominos, bonds and watches: discussion of some security requirements."— Presentation transcript:

1 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 1 Dominos, bonds and watches: discussion of some security requirements for TGr Florent Bersani, France Telecom R&D florent.bersani@francetelecom.com

2 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 2 Goal of this presentation Loren Adams once said: "What is understood need not be discussed" This presentation is about discussing some tentative security requirements listed in document IEEE 802.11-04/10048r0: –Sharing of the PMK –Binding of the PMK –Timeliness of messages... and make sure 09/13 discussion is captured

3 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 3 Sharing of the PMK Sharing of the PMK is explicitly prohibited by IEEE 802.11i: –Page 38, clause 8.1.4 item 5 "An IEEE 802.1X AS never exposes the common symmetric key to any party except the AP with which the STA is currently communicating. (...)"

4 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 4 Sharing of the PMK Sharing of the PMK is explicitly prohibited by IEEE 802.11i: –Page 38, clause 8.1.4 item 5 ctd. "It implies that the AS itself is never compromised. It also implies that the IEEE 802.1X AS is embedded in the AP, or the AP is physically secure and the AS and the AP lie entirely within the same administrative domain."

5 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 5 Sharing of the PMK Yet practice does not seem to comply with this requirement (e.g., RADIUS proxying), should TG r? Possible rationale for this requirement: –The domino effect –Sound cryptographic practice

6 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 6 Sharing of the PMK This is reflected in document IEEE 802.11- 04/10048r0, requirements: –#2: "In particular, the pairs and must have cryptographically independent PMKs, or all the 802.11i security claims are voided. This rules out sharing PMKs among different APs." –#7: "A PMK shall never be shared between APs"

7 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 7 Sharing of the PMK The domino effect –Housley, R., "Key Management in AAA", Presentation to the AAA WG at IETF 56, http://www.ietf.org/proceedings/03mar/slides/aaa-5/index.html –"Compromise of a single authenticator cannot compromise any other part of the system, including session keys and long-term secrets."

8 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 8 Sharing of the PMK The domino effect –Compromise of long term secrets would be really painful... but PMKs are not long term (except in PSK mode) –Domino protection is useful when the network has the possibility to inform STA of the compromised AP Could also very well do it for PMKID... if it is not "too broadly shared"

9 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 9 Sharing of the PMK Sound cryptographic practice –Reusing a nonce can void security properties (e.g., Counter mode) However, if nonce is random then collision probability can be bounded –A key has limited lifetime Sharing it, speeds up burning out. For 128 bit block length, assuming 54 Mbit/s, 0.4*10**14 s with 1 AP –PMK is generally for a short period of time and used in a somewhat conservative scheme

10 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 10 Sharing of the PMK Anyway what is an AP? Not particularly advocating sharing the PMKs... just debating!

11 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 11 Binding the PMK This "requirement" appeared during discussion of IEEE 802.11-04/10048r0 Perhaps alluded to in requirement #9 "The only visible identifier seems to be BSSID." The idea would be that: –A PMK should only be used by a pair –This restriction should be "incorporated" in the PMK

12 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 12 Binding the PMK Is the PTK bound to something? –It incorporates nonces and MAC addresses... –Yet this does not per se preclude sharing of the PTK! How can we prevent two parties that have agreed to do so to abuse a key usage??? What does "binding the keys" mean? –EAP channel binding?

13 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 13 Timeliness of messages This is reflected in document IEEE 802.11- 04/10048r0, requirements –#11 "An AP shall test the liveness of the mobile STA at reassociation when the mobile STA does a secure fast transition to it. This is required to synchronize replay counters." –#12. "A mobile STA shall test the liveness of the AP at reassociation when it does a secure fast transition to a new AP. This is required to synchronize replay counters"

14 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 14 Timeliness of messages The attack scenario: CCMP protected frame, PN=23: "Sell stocks, now!" Attacker delays the frame (and possibly subsequent traffic) This is not a replay: client only sees the delayed frame once CCMP protected frame, PN=23: "Sell stocks, now!"

15 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 15 Timeliness of messages 802.11i does not include such a feature, why: –Hard to do? (timestamps,...) –Not necessary? (client won't stay associated with big delays) Should TGr? –What if pre-auth is allowed to go up to deriving a PTK: there can be some time between derivation and usage –Avoid DoS and black-holes

16 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 16 Timeliness of messages Solution alluded to to provided timeliness: periodically make a protected resynch of replay counters –Kind of a key confirmation –Tradeoff between the frequency of this resynch and the "timeliness" protection

17 doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 17 Conclusion TG r PAR: "Security must not be decreased as a result of the enhancement." To what extent has TG r to comply with TG i? –Is there an objective measure of security diminution? –TG r can break some of TG i assumptions, yet prove that it remains secure... H2 make Apples to apples comparison between securtiy of the proposals?

Download ppt "Doc.: IEEE 802.11-04/1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 1 Dominos, bonds and watches: discussion of some security requirements."

Similar presentations

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P1619.3 April 11, 2007 Andrea Doherty.

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.
Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-00xx-00-sec Title: IEEE 802.11r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.

IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec Title: IEEE r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.
Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Doc.: IEEE 802.11-07/2441r2 Submission SA Teardown Protection for 802.11w Date: 2007-11-05.

Doc.: IEEE /2441r2 Submission SA Teardown Protection for w Date:
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.
Fast roaming in WPA T. Wolniewicz PIONIER. Events causing access-point switching Moving wireless client Metwork card switching in search of better conditions.

Fast roaming in WPA T. Wolniewicz PIONIER. Events causing access-point switching Moving wireless client Metwork card switching in search of better conditions.
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.

SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
Jesse Walker, 802.11 keying requirements1 Suggested 802.11 Keying Requirements Jesse Walker Intel Corporation

Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
Doc.: IEEE 802.11-11/0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
More on AuthenticationCS-4513 D-term 20081 More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
Doc.: IEEE 802.11-11/0976r0 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0976r0 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16, 2003 1300 - 1500.

July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
Michal Rapco 05, 2005 Security issues in Wireless LANs.

Michal Rapco 05, 2005 Security issues in Wireless LANs.
Doc.: IEEE 802.11-11/1066r2 Submission July 2011 Robert Moskowitz, VerizonSlide 1 Link Setup Flow Date: 2011-05-10 Authors: NameCompanyAddressPhoneemail.

Doc.: IEEE /1066r2 Submission July 2011 Robert Moskowitz, VerizonSlide 1 Link Setup Flow Date: Authors: NameCompanyAddressPhone .
Comparative studies on authentication and key exchange methods for 802.11 wireless LAN Authors: Jun Lei, Xiaoming Fu, Dieter Hogrefe and Jianrong Tan Src:

Comparative studies on authentication and key exchange methods for wireless LAN Authors: Jun Lei, Xiaoming Fu, Dieter Hogrefe and Jianrong Tan Src:
Cryptography and Network Security (CS435)

Cryptography and Network Security (CS435)

Similar presentations

Ads by Google