Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-10/0980r0 Submission August 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 1 Summary & Comments FIA Security Analysis Bob Moskowitz Date:

Published byMoses Alexander Modified over 8 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-10/0980r0 Submission August 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 1 Summary & Comments FIA Security Analysis Bob Moskowitz Date:"— Presentation transcript:

1 doc.: IEEE 802.11-10/0980r0 Submission August 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 1 Summary & Comments FIA Security Analysis Bob Moskowitz Date: 2010-08-11 Authors:

2 doc.: IEEE 802.11-10/0980r0 Submission August 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 2 Abstract This document summarizes comments from Robert Moskowitz to FIA security. Comments were captured from the FIA E-Mail reflector. Comments captured as of August 11, 2010.

3 doc.: IEEE 802.11-10/0980r0 Submission August 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 3 Key Comments and Conclusions There are some potential risks in using Yaholom, especially as it is likely to be used in situations where it is not intended to be used (long data transfers) and its usage is hard to be prevented Alternative: HIP –“It would be easy for me to present HIP, both BEX and DEX, to run over the 802.11 Authentication frames, though I am NOT sure that 11 Auth can go 2 round trips (too long since I have delved into.11). Though there is some concern about packet sizes and perhaps the need of a 'compressed' format. Also EAP CAN be run within HIP“ –“HIP can provide Security Associations for the MAC, IP, and TLS/DTLS; that is one KMS for all needs” –Streamlined with IETF –HIP requires 4 message exchanges (=2 round trips), see https://mentor.ieee.org/802.15/dcn/10/15-10-0412-06- wng0-key-negotiation-using-diet-hip.ppthttps://mentor.ieee.org/802.15/dcn/10/15-10-0412-06- wng0-key-negotiation-using-diet-hip.ppt –  Technical feasibility that there are secure mechanisms for alternative protocols Piggy backing DHCP with new/fast security during link-set up –There are some technical details to be worked out (see actual mail) but: –„So I think a lot can be done in streamlining the 802.11 setup process. And in such a manner that it really works.“ FIA is not proposing a specific technology, but the idea / concept to make the initial link set-up faster. Robert Moskowitz’ comments on ideas on HIP in combination w/ piggy backing show that there is technical feasibility for achieving this goal in a secure manner.  Detailed technical discussion should be left to working group upon approval.  The PAR&5C will mandate a security review of the amendment assuring that security is not compromised by added security mechanisms.

4 doc.: IEEE 802.11-10/0980r0 Submission August 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 4 Detailed comments: Feedback Yaholom Assumptions: K(BS) either strong or B-S exchange run over secure channel (e.g. ESP, TLS, DTLS) K(AS) strong against dictionary attack (potentially created by S at registration time) K(AB) == 802.11i PTK Concerns Strengthened Yaholom Protocol NOT analyzed since '01. Have new network attack models provided new weaknesses? No distribution of GTK, but easy to add by encrypting with K(AB) in B -> A transmission. Assumes PTK and GTK are NOT 'used up' during lifetime of connection. That is there is no rekeying without reauthenticating. No flooding attacks will occur (and symmetric crypto able to deal with such). No failures in authentication (presentation does not show failure handling). Stateless, that is any time A connects to B, this protocol WILL be used. FIA will only be used for short-lived 802.11 connections. Back to no rekeying. ------------------------------------------------------------------------------------------------------------------------------------------------------------ I perceive a couple of flaws in FIA assumptions and design. Once FIA is available, it will become widely used, not just its recommended use. In some implementations S will be implemented inside of B (this may not be an issue). More importantly, rekeying WILL be necessary for both K(AB) and GTK. What is the mechanism for this, 802.11i PTK and GTK MUST NOT be used directly (no concept of MK). Implementations will tend to allow for weak K(AS) values opening up a major dictionary attack. There is no way to design into this protocol or specification strong K(AS) values. As FIA is presented, it does not mutually authenticate A and B. This could be improved on by how FIA is run. As FIA is presented, it does not mutually authenticate A and S. This cannot be improved on in FIA. S DOES present A with proof on K(AS) ownership, though. N(A) does assure freshness of S response to A. There is no concept of Identity in FIA. Or rather the Identity is a weak string, perhaps a MAC address. Of most concern to me is the potential to wide-spread usage of FIA, particularly in SmartGrid, ie constrained devices, scenarios. -- FIA reflector August 6, 2010 ---

5 doc.: IEEE 802.11-10/0980r0 Submission Detailed comments: Usability of HIP Disclaimer: My own agenda Now I have my own agenda. I am proposing HIP for 802.15 usage, pretty much across the board. I have a HIP Interest Group meeting in Hawaii. HIP Diet EXchange (specifically designed for contrained devices) was presented at 802.15 wng in July. It was presented to 6lowpan at IETF and mentioned at core. HIP can provide Security Associations for the MAC, IP, and TLS/DTLS; that is one KMS for all needs. See: https://mentor.ieee.org/802.15/dcn/10/15-10-0412-06-wng0-key-negotiation-using-diet-hip.ppt http://www.ietf.org/id/draft-moskowitz-hip-rg-dex-02.txt The 6lowpan presentation can be found within http://www.ietf.org/proceedings/78/slides/6lowpan-0.pdf The HIP-RG presentiation can be found at: http://www.ietf.org/proceedings/78/slides/HIPRG-6.ppt Note that from 802.15 to HIP-RG understanding of how to address MK and PTK concerns 'jelled'. It would be easy for me to present HIP, both BEX and DEX, to run over the 802.11 Authentication frames, though I am NOT sure that 11 Auth can go 2 round trips (too long since I have delved into.11). Though there is some concern about packet sizes and perhaps the need of a 'compressed' format. Also EAP CAN be run within HIP, see: http://tools.ietf.org/id/draft-varjonen-hip-eap-00.txt The advantage of HIP BEX and DEX is they fit directly into the MK, PTK, GTK model of 802.11i with very little addtional parameters in HIP. So high traffic connections that require rekeying will work and can use either the 802.11i rekeying or HIP UPDATE rekeying that will be used for 802.15. Thus though I am willing to look at the FIA proposal, I have my hands full with HIP for constrained devices and will need to focus on that. Unless FIA wants to consider HIP. August 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 5

6 doc.: IEEE 802.11-10/0980r0 Submission HIP (combining with association) and Piggy Backing The Host Identity Protocol (HIP) workgroup was rechartered to update HIP and move it to IETF Standards track. There currently are a full set of Internet Drafts labled -bis and work will move quickly. The revised HIP Base EXchange (BEX) would be of interest for 802.11 devices, which are all quite capable of the crypto used in BEX-bis. For constrained devices like you find in 802.15, there is the new HIP Diet EXchange (DEX). Both BEX and DEX use the same state machine and the same packets, with differing sets of parameters. The HIP state machine is fully peer-to-peer and was designed to operate on a Malicious network, where bad things are trying to suborn the process. I can point participants here to information on HIP. There are currently 3 public implementations of RFC 5201.Now as far as streamlining the MAC security setup and Upper Layer configuration, I have thought a bit on this during my years working on 802.11i and currently within 802.15. Per sec 7.2.3 the Management Frame Body can be up to 2312 octets. This is a LOT! But as Henning Schulzrinne said on the core list: "A basic law of protocol design: all messages start out small, but they never get smaller. Corollary: even if you believe that you need only small messages, somebody else will think of a good application for larger ones - and won't be discouraged by the fact that you tell him that the protocol wasn't designed for that.” So if we put the keying mechanism into the Authentication exchange, how would we add an adaptation layer for chaining a few such exchanges to transmit one Keying Packet? I should note that HIP datagrams NORMALLY would fit easily into this size. But if one of the TLVs used by an implementation is for X.509 certs, all bets are off! The Authentication would establish Identity and Authorization and create (or confirm) a MK and create a PTK. Possibly the GTK would be sent in the final Authentication accept message. Note that HIP is strongly P2P but fully supports reversal of rolls, so an AP could always for the situation where it is the Responder whereas AdHoc would not 'care'. The Association Response frame is a good place for GTK distribution. Actually the Association Request could contain a HIP UPDATE payload that requests the GTK, and the AP would then deliver it. But more importantly, the Response could contain the V6 RA (directly or relayed) or the proper DHCP packet (don't have that info in front of me right now). Again will all this fit into 2312 octets? And do you want management frames that large? Then the first data frame would be any finishing packets to IP address assignment. So I think a lot can be done in streamlining the 802.11 setup process. And in such a manner that it really works. -- August 9, 2010, FIA reflector -- August 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 6

7 doc.: IEEE 802.11-10/0980r0 Submission Combination of security messages w/ authentication frames During the development of 802.11i, there were a number of debates to run 802.1X over the Authentication frames. If I remember correctly the resistance to this was the structure of the MLME and it would take changing it to get 1X to work over Authentication frames and changing the MLME was not in 11i's PAR. By the end of the work, there were work-arounds this limitation, but it was 'too late'. I bring this up as the problem, whatever it was ( :) ) is still there. Things to think about are how would IPv6 Routing Announcements be relayed over Association frames. Perhaps on receipt of the RA, the information is placed in a MIB variable that is available to the Association generation process. My view of the current security model in 802.11 is for a STA to authenticate to the DS then aquire Security Associations (and keys) to the AP. This model limits public access networks, for example. I take a different view for FIA. The STA establishes a SA to the AP and optionally authenticates the AP/DS. Optionally the AP may authenticate the STA. The model you use will drive the complexity of the solution. -- FIA reflector: August 10, 2010 --- August 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 7

Download ppt "Doc.: IEEE 802.11-10/0980r0 Submission August 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 1 Summary & Comments FIA Security Analysis Bob Moskowitz Date:"

Similar presentations

Doc.: IEEE 802.11-10/1125r0 Submission September 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 1 How does the (new) Fast Initial Link Set- Up PAR address.

Doc.: IEEE /1125r0 Submission September 2010 Marc Emmelmann, Fraunhofer FOKUSSlide 1 How does the (new) Fast Initial Link Set- Up PAR address.
Submission doc.: IEEE 802.11-11/1167r0 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data IE Date: 2011-08-16 Authors: NameAffiliationsAddressPhoneemail.

Submission doc.: IEEE /1167r0 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data IE Date: Authors: NameAffiliationsAddressPhone .
Doc.: IEEE 802.11-11/1521r2 Submission January 2012 Marc Emmelmann, FOKUSSlide 1 AP and Network Discovery Enhancements Date: 2012-01-17 Authors:

Doc.: IEEE /1521r2 Submission January 2012 Marc Emmelmann, FOKUSSlide 1 AP and Network Discovery Enhancements Date: Authors:
Doc.: IEEE 802.11-11/0357r0 Submission March 2011 Marc Emmelmann, Fraunhofer FOKUSSlide 1 A focused path torwards TGai D1.0 Date: 2011-03-14 Authors:

Doc.: IEEE /0357r0 Submission March 2011 Marc Emmelmann, Fraunhofer FOKUSSlide 1 A focused path torwards TGai D1.0 Date: Authors:
OSI MODEL Maninder Kaur www.eazynotes.com.

OSI MODEL Maninder Kaur
Doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: 2009-07 Authors: Russ Housley (Vigil Security), et.

Doc.: IEEE /770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: Authors: Russ Housley (Vigil Security), et.
Doc.: IEEE 15-13-0677-02-0009-tg9-proposed-document-changes Submission Nov 2013 Robert Moskowitz, VerizonSlide 1 Project: IEEE P802.15 Working Group for.

Doc.: IEEE tg9-proposed-document-changes Submission Nov 2013 Robert Moskowitz, VerizonSlide 1 Project: IEEE P Working Group for.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Doc.: IEEE 802.11-11/0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: 2011-07-17 Authors: NameAffiliationsAddressPhoneemail.

Doc.: IEEE /0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.

Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
Module 4 - Networking MIS5122: Enterprise Architecture for the IT Auditor.

Module 4 - Networking MIS5122: Enterprise Architecture for the IT Auditor.
Doc.: IEEE 802.11-11/1066r2 Submission July 2011 Robert Moskowitz, VerizonSlide 1 Link Setup Flow Date: 2011-05-10 Authors: NameCompanyAddressPhoneemail.

Doc.: IEEE /1066r2 Submission July 2011 Robert Moskowitz, VerizonSlide 1 Link Setup Flow Date: Authors: NameCompanyAddressPhone .
Submission doc.: IEEE 802.11-11/1003r1 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date: 2011-07-18.

Submission doc.: IEEE /1003r1 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date:
Presentation on Osi & TCP/IP MODEL

Presentation on Osi & TCP/IP MODEL
Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.

Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.
Submission doc.: IEEE 11-12/0589r2 July 2012 Donald Eastlake 3rd, Huawei R&D USASlide 1 General 802.11 Links Date: 2012-05-08 Authors:

Submission doc.: IEEE 11-12/0589r2 July 2012 Donald Eastlake 3rd, Huawei R&D USASlide 1 General Links Date: Authors:
Submission doc.: IEEE 11-12/0273r8 May 2012 Hiroki Nakano, Trans New Technology, Inc.Slide 1 SFD Text for Upper Layers Date: 2012-05-14 Authors: NameAffiliationsAddressPhoneemail.

Submission doc.: IEEE 11-12/0273r8 May 2012 Hiroki Nakano, Trans New Technology, Inc.Slide 1 SFD Text for Upper Layers Date: Authors: NameAffiliationsAddressPhone .
Concerns about designating the MAG as a Default Router James Kempf NETLMM Interim Sept. 27, 2006.

Concerns about designating the MAG as a Default Router James Kempf NETLMM Interim Sept. 27, 2006.
Prefix Delegation Protocol Selection T.J. Kniveton MEXT Working Group IETF 70 - December ’07 - Vancouver.

Prefix Delegation Protocol Selection T.J. Kniveton MEXT Working Group IETF 70 - December ’07 - Vancouver.
1 DHCP Authentication Discussion INTAREA meeting, 70th IETF Vancouver, Canada Jari Arkko and Ralph Droms.

1 DHCP Authentication Discussion INTAREA meeting, 70th IETF Vancouver, Canada Jari Arkko and Ralph Droms.

Similar presentations

Ads by Google