Analysis of the 802.11i 4-Way Handshake
  Changhua He, John C Mitchell
  2004 ACM International Workshop on Wireless Security (WiSe'04)
  Sang-Rok Kim, Dependable Software Lab at KAIST
2/22 Contents
  - Introduction
  - 4-Way Handshake
  - Problem Statement
  - Countermeasures
  - Conclusion
3/22 Introduction: Vulnerability
4/22 Introduction: IEEE 802.11i
  - Ratified on June 24, 2004
  - Secure data communication over wireless links
  - WEP (Wired Equivalent Privacy)
  - TKIP (Temporal Key Integrity Protocol)
  - CCMP (Counter-mode/CBC-MAC Protocol)
  - RSNA (Robust Security Network Association): conversation, handshake
  - Three entities of RSN
    - Supplicant: station
    - Authenticator: access point
    - Authentication server: RADIUS
5/22 Introduction: RSNA Conversation
  [Diagram: IEEE 802.11 & 11i; IEEE 802.1x; IEEE 802.11i handshake. Key labels: MSK, PMK, PTK.]
6/22 4-Way Handshake: RSNA Conversation
  [Diagram: Authentication Server, Supplicant, Authenticator. State labels: UnAuth/UnAssoc, 802.1X Blocked, No Key; UnAuth/UnAssoc, 802.1X Blocked, No Key.]
7/22 4-Way Handshake: RSNA Conversation
  [Diagram: Authentication Server, Supplicant, Authenticator. State labels: Auth/Assoc, 802.1X Blocked, No Key; Auth/Assoc, 802.1X Blocked, No Key. Steps shown: Association.]
8/22 4-Way Handshake: RSNA Conversation
  [Diagram: Authentication Server, Supplicant, Authenticator. State labels: Auth/Assoc, 802.1X Blocked, MSK; Auth/Assoc, 802.1X Blocked, No Key; MSK. Steps shown: Association; EAP/802.1X/RADIUS Authentication.]
9/22 4-Way Handshake: RSNA Conversation
  [Diagram: Authentication Server, Supplicant, Authenticator. State labels: Auth/Assoc, 802.1X Blocked, PMK; Auth/Assoc, 802.1X Blocked, PMK; No Key. Steps shown: Association; EAP/802.1X/RADIUS Authentication; MSK.]
10/22 4-Way Handshake: RSNA Conversation
  [Diagram: Authentication Server, Supplicant, Authenticator. State labels: Auth/Assoc, 802.1X UnBlocked, PTK; Auth/Assoc, 802.1X UnBlocked, PTK; No Key. Steps shown: Association; EAP/802.1X/RADIUS Authentication; MSK.]
11/22 4-Way Handshake: RSNA Conversation
  [Diagram: Authentication Server, Supplicant, Authenticator. State labels: Auth/Assoc, 802.1X UnBlocked, GTK; Auth/Assoc, 802.1X UnBlocked, GTK; No Key. Steps shown: Association; EAP/802.1X/RADIUS Authentication; MSK; 4-Way Handshake; Group Key Handshake.]
12/22 4-Way Handshake: RSNA Conversation
  [Diagram: Authentication Server, Supplicant, Authenticator. State labels: Auth/Assoc, 802.1X UnBlocked, PTK/GTK; Auth/Assoc, 802.1X UnBlocked, PTK/GTK; No Key. Steps shown: Association; EAP/802.1X/RADIUS Authentication; MSK; 4-Way Handshake; Group Key Handshake; Data Communication.]
13/22 4-Way Handshake: RSNA Conversation
  [Diagram: Authentication Server, Supplicant, Authenticator. State labels: Auth/Assoc, 802.1X UnBlocked, PTK; Auth/Assoc, 802.1X UnBlocked, PTK; No Key. Steps shown: Association; EAP/802.1X/RADIUS Authentication; MSK; 4-Way Handshake.]
  - Msg1 (Authenticator to Supplicant): {AA, ANonce, sn, msg1, PMKID}
  - Msg2 (Supplicant to Authenticator): {SPA, SNonce, sn, msg2, MIC, RSN IE}
  - Msg3 (Authenticator to Supplicant): {AA, ANonce, sn+1, msg3, MIC, AA RSN IE, GTK}
  - Msg4 (Supplicant to Authenticator): {SPA, sn+1, msg4, MIC}
  - AA/SPA: MAC address
  - Nonce: random value
  - sn: sequence number
  - MIC: Message Integrity Code
14/22 Problem Statement: Simplified 4-Way Handshake
  [Diagram: Supplicant and Authenticator, both Auth/Assoc, 802.1X UnBlocked, PTK. Messages: {ANonce, msg1}; {SNonce, msg2, MIC}; {ANonce, msg3, MIC}; {msg4, MIC}.]
  - Murφ modeling
    - Finite-state verification
  - Modeling result
    - Ignored fields: PMKID, RSN IE, GTK
    - Necessary fields: message flag, nonce
    - Redundant fields: sequence number, MAC address
    - Exclusive supplicant and authenticator
    - Fresh nonce
15/22 Problem Statement: DoS Attack
  [Diagram: Supplicant and Authenticator, both Auth/Assoc, 802.1X Blocked, PMK.
   Normal flow: {ANonce, msg1}; {SNonce, msg2, MIC}; {ANonce, msg3, MIC}; {msg4, MIC}; PTK derived; both sides end 802.1X UnBlocked with PTK.
   Attack: forged {AA, ANonce, msg1}; PTK' derived; PTK' ≠ PTK; blocked and fail.]
16/22 Problem Statement: DoS Attack
  - Solution?
    - Store TPTK / PTK
      - Cannot correctly verify the MIC in Msg3
    - Keep all states for every Msg1
      - Mess Forged Attack (Mem/CPU exhaustion)
  - Inherent cause of the attack
    - The Authenticator can discard an unexpected response
    - The Supplicant cannot do so
      - Causes deadlock and blocks the protocol
    - The Supplicant must allow any Msg1 (parallel instances)
  - Limitation of the attack
    - Dynamic PMKID: the attacker can forge Msg1 after reading Msg1
    - The EAPOL-Key format limits the attacks to occurring only before the first PTK establishment
    - The attack can occur only after reading Msg1 and before the first handshake is established
17/22 Countermeasures: Random-Drop Queue
  - A stored state is randomly replaced by the new state if the queue is full
18/22 Countermeasures: Message 1 Authentication
  - Add a MIC to msg1
    - Reuse the shared PMK
    - Set the nonce to a specific value (e.g., 0)
    - Derive a trivial PTK
    - Calculate the MIC with the derived PTK
  - Limitation
    - If PSK or cached PMK? Vulnerable to replay attack
  - Repaired countermeasure
    - Add an SN that increases monotonically
    - Use local time as the SN
  - Weakness of this countermeasure
    - Modification of the packet format
19/22 Countermeasures: Nonce Re-use
  - Reuse nonce
    - The Supplicant reuses the value of SNonce until a legitimate handshake is completed successfully
    - The nonce is not updated
    - No requirement for the Authenticator to reuse ANonce
    - Eliminates the memory DoS attack
  - Limitation
    - More computation on the supplicant side
    - Fixed SNonce: easy to guess the PMK
  - Weakness of this countermeasure
    - CPU exhaustion attack
20/22 Countermeasures: Proposal
  - Combination of countermeasures
    - Reuse SNonce
    - Store PTK and ANonce of the first Msg1
    - If stored ANonce = received ANonce in Msg3, use PTK
    - If stored ANonce ≠ received ANonce in Msg3, calculate new PTK
  [Diagram. Messages: {AA, ANonce, msg1}; {SNonce, msg2, MIC}; {ANonce, msg3, MIC}; {msg4, MIC}; attack {AA, ANonce, msg1}.
   Annotations: PTK derived; store PTK, ANonce; PTK derived; ANonce ≠ ANonce: PTK' derived, use derived PTK; ANonce = ANonce: use stored PTK; calculate MIC.]
21/22 Countermeasures: Proposal
  - Combination of countermeasures
    - Reuse SNonce
    - Store PTK and ANonce of the first Msg1
      - Eliminates the memory exhaustion attack
    - If stored ANonce = received ANonce, use PTK
    - If stored ANonce ≠ received ANonce, calculate new PTK
      - Eliminates the CPU exhaustion attack
  - No modification of the packet format
  - Adopted by TGi
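The combined countermeasure of slides 20 and 21, next to the supplicant behaviour that fails on slide 15, as an added Python example (not code from the paper or the presentation). The `Supplicant` class, `handshake_survives`, the PMK, MAC addresses and message bodies are constructed for illustration, and `derive_ptk` and `mic` are simplified HMAC-SHA1 stand-ins for the 802.11i key derivation and MIC.

```python
import hashlib, hmac, os

def derive_ptk(pmk, aa, spa, anonce, snonce):
    # Simplified stand-in for the 802.11i PTK derivation (HMAC-SHA1 PRF, 48 bytes).
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(3))
    return b"".join(blocks)[:48]

def mic(ptk, body):
    # Stand-in MIC keyed with the first 16 bytes of the PTK (the KCK).
    return hmac.new(ptk[:16], body, hashlib.sha1).digest()[:16]

class Supplicant:
    def __init__(self, pmk, aa, spa, reuse_snonce):
        self.pmk, self.aa, self.spa, self.reuse_snonce = pmk, aa, spa, reuse_snonce
        self.snonce = os.urandom(32)
        self.anonce = self.ptk = None        # the single stored (ANonce, PTK) pair
    def _ptk(self, anonce):
        return derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)
    def on_msg1(self, anonce):
        if not self.reuse_snonce:
            # Original behaviour: every Msg1 gets a fresh SNonce and overwrites the key.
            self.snonce = os.urandom(32)
            self.anonce, self.ptk = anonce, self._ptk(anonce)
        elif self.anonce is None:
            # Proposal: SNonce stays fixed; only the first Msg1's pair is stored.
            self.anonce, self.ptk = anonce, self._ptk(anonce)
        ptk = self.ptk if anonce == self.anonce else self._ptk(anonce)
        return self.snonce, mic(ptk, b"msg2" + self.snonce)      # Msg2 fields

    def on_msg3(self, anonce, body, tag):
        ptk = self.ptk
        if self.reuse_snonce and anonce != self.anonce:
            ptk = self._ptk(anonce)          # stored ANonce differs: recompute
        return hmac.compare_digest(mic(ptk, body), tag)

def handshake_survives(reuse_snonce, forged_first=False):
    pmk = hashlib.sha256(b"constructed PMK").digest()            # constructed sample
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    sup, anonce = Supplicant(pmk, aa, spa, reuse_snonce), os.urandom(32)
    if forged_first:
        sup.on_msg1(os.urandom(32))          # forged Msg1 before the real one
    snonce, _ = sup.on_msg1(anonce)          # legitimate Msg1, answered by Msg2
    if not forged_first:
        sup.on_msg1(os.urandom(32))          # forged Msg1 between Msg2 and Msg3
    auth_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)          # authenticator side
    body = b"msg3" + anonce
    return sup.on_msg3(anonce, body, mic(auth_ptk, body))
```

`handshake_survives(False)` reproduces the MIC failure on Msg3, while `handshake_survives(True)` completes in either ordering of the forged Msg1 with only one stored (ANonce, PTK) pair.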
22/22 Conclusion: Conclusions
  - IEEE 802.11i
    - RSNA conversation
  - Simplified protocol by using Murφ
    - DoS attack
  - 3 countermeasures and their effectiveness
  - Proposed solution
    - Combined reuse-nonce solution
    - Advantages