Analysis of the 802.11i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable.

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.
CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
Security Analysis and Improvements for IEEE i
IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
TGai FILS Authentication Protocol
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
Security Analysis and Improvements for IEEE i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.
Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
802.11i Security Analysis: Can we build a secure WLAN? Changhua He Stanford University March 24 th, 2005
Design of Efficient and Secure Multiple Wireless Mesh Network Speaker: Hsien-Pang Tsai Teacher: Kai-Wei Ke Date: 2005/06/28.
Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE Wireless Local Area Networks (WLAN’s).
15 November Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
802.11i Wireless Networking Authentication Protocol J. Mitchell CS 259.
Analysis of 4-way handshake protocol in IEEE i Changhua He Stanford University Mar. 04, 2004.
Michal Rapco 05, 2005 Security issues in Wireless LANs.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
Wireless and Security CSCI 5857: Encoding and Encryption.
Investigators have published numerous reports of birds taking turns vocalizing; the bird spoken to gave its full attention to the speaker and never vocalized.
IEEE MEDIA INDEPENDENT HANDOVER DCN: srho
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
Doc.: IEEE /0039r0 Submission NameAffiliationsAddressPhone Robert Sun; Yunbo Li Edward Au; Phil Barber Junghoon Suh; Osama Aboul-Magd Huawei.
Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Security in Wireless Networks IEEE i Presented by Sean Goggin March 1, 2005.
Shambhu Upadhyaya Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)
Link-Layer Protection in i WLANs With Dummy Authentication Will Mooney, Robin Jha.
WLANs & Security Standards (802.11) b - up to 11 Mbps, several hundred feet g - up to 54 Mbps, backward compatible, same frequency a.
Doc.: IEEE /551r0 Submission September 2002 Moore, Roshan, Cam-WingetSlide 1 TGi Frame Exchanges Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget.
Doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.
IEEE i Aniss Zakaria Survey Fall 2004 Friday, Dec 3, 2004
Shambhu Upadhyaya Security – Key Hierarchy Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 11)
Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN
Muhammad Mahmudul Islam Ronald Pose Carlo Kopp School of Computer Science & Software Engineering Monash University Australia.
Doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.
Doc.: r Submission March 2006 AllSlide 1 A method to refresh the keys hierarchy periodically Notice: This document has been prepared to.
Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.
Wireless Network Security CSIS 5857: Encoding and Encryption.
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Doc.: IEEE /1426r00 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi- tech District,
Doc.: IEEE r1 Submission March 2008 Charles Fan,Amy Zhang, HuaweiSlide 1 Authentication and Key Management of MP with multiple radios Date:
Doc.: IEEE /1426r02 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District,
Doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous.
CSE 4905 WiFi Security II WPA2 (WiFi Protected Access 2)
M. Kassab, A. Belghith, J. Bonnin, S. Sassi
CS259: Security Analysis of Network Protocols, Winter 2008
TGai FILS Authentication Protocol
Mesh Security Proposal
PEKM (Post-EAP Key Management Protocol)
IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec
Beacon Protection Date: Authors: May 2018 January 2018
Jesse Walker and Emily Qi Intel Corporation
Fast Roaming Compromise Proposal
TGr Security Architecture
Fast Roaming Compromise Proposal
IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec
Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget Cisco Systems, Inc
Overview of Improvements to Key Holder Protocols
Overview of Improvements to Key Holder Protocols
Sept 2003 PMK “sharing” Tim Moore Tim Moore, Microsoft.
Presentation transcript:

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell 2004 ACM International Workshop on Wireless Security (WiSe'04) Sang-Rok Kim Dependable Software Lab at KAIST

2/22 Dependable S/W Lab Contents Conclusion Countermeasures Problem Statement 4-way Handshake Introduction

3/22 Dependable S/W Lab Introduction 취약점

4/22 Dependable S/W Lab IEEE i Introduction  Ratified on June 24, 2004  Secure Data Communication over Wireless links  WEP(Wired Equivalent Privacy)  TKIP(Temporal Key Integrity Protocol)  CCMP(Counter-mode/CBC-MAC Protocol)  RSNA(Robust Security Network Association) Conversation  Handshake  Three Entities of RSN  Supplicant  Authenticator  Authentication Server Station Access Point RADIUS

5/22 Dependable S/W Lab RSNA Conversation IEEE & 11i IEEE 802.1x IEEE i Handshake IEEE i MSK PTK Introduction MSK PMK

6/22 Dependable S/W Lab RSNA Conversation 4-Way Handshake Authentication Server SupplicantAuthenticator UnAuth/UnAssoc 802.1X Blocked No Key UnAuth/UnAssoc 802.1X Blocked No Key

7/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X Blocked No Key Auth/Assoc 802.1X Blocked No Key Association 4-Way Handshake

8/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X Blocked MSK Auth/Assoc 802.1X Blocked No KeyMSK Association EAP/802.1X/RADIUS Authentication 4-Way Handshake

9/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X Blocked PMK Auth/Assoc 802.1X Blocked PMKNo Key Association EAP/802.1X/RADIUS Authentication MSK 4-Way Handshake

10/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X UnBlocked PTK Auth/Assoc 802.1X UnBlocked PTKNo Key Association EAP/802.1X/RADIUS Authentication MSK 4-Way Handshake

11/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X UnBlocked GTK Auth/Assoc 802.1X UnBlocked GTKNo Key Association EAP/802.1X/RADIUS Authentication MSK 4-Way Handshake Group Key Handshake 4-Way Handshake

12/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Auth/Assoc 802.1X UnBlocked PTK/GTKNo Key Association EAP/802.1X/RADIUS Authentication MSK 4-Way Handshake Group Key Handshake Data Communication 4-Way Handshake

13/22 Dependable S/W Lab RSNA Conversation Authentication Server SupplicantAuthenticator Auth/Assoc 802.1X UnBlocked PTK Auth/Assoc 802.1X UnBlocked PTKNo Key Association EAP/802.1X/RADIUS Authentication MSK 4-Way Handshake {AA, ANonce, sn, msg1, PMKID} {SPA, SNonce, sn, msg2, MIC, RSN IE} {AA, ANonce, sn+1, msg3, MIC, AA RSN IE, GTK} {SPA, sn+1, msg4, MIC} AA/SPA: MAC Address Nonce: random value sn: sequence number MIC:Message Integrity Code 4-Way Handshake

14/22 Dependable S/W Lab Simplified 4-Way Handshake Problem Statement SupplicantAuthenticator Auth/Assoc 802.1X UnBlocked PTK Auth/Assoc 802.1X UnBlocked PTK {ANonce, msg1} {SNonce, msg2, MIC} {ANonce, msg3, MIC} {msg4, MIC}  Murφ Modeling  Finite-State Verification  Modeling Result  Ignored filed PMKID RSN IE GTK  Necessary field Message Flag Nonce  Redundant field Sequence Number MAC address  Exclusive supplicant and authenticator  Fresh Nonce

15/22 Dependable S/W Lab DoS Attack Problem Statement Supplicant Authenticator Auth/Assoc 802.1X Blocked PMK Auth/Assoc 802.1X Blocked PMK {ANonce, msg1} {SNonce, msg2, MIC} {ANonce, msg3, MIC} {msg4, MIC} PTK Derived {AA, Anonce, msg1} Attack 802.1X UnBlocked PTK 802.1X UnBlocked PTK PTK’ Derived PTK’ ≠ PTK Blocked & Fail

16/22 Dependable S/W Lab DoS Attack Problem Statement  Solution?  Store TPTK / PTK Can not correctly verify the MIC in Msg3  Keep all states for every Msg1 Mess Forged Attack (Mem/CPU exhaustion)  Inherent cause of Attack  Authenticator can discard an unexpected response  Supplicant can not do so Cause deadlock and block the protocol  Supplicant must allow any Msg1 (Parallel Instance)  Limitation of Attack  Dynamic PMKID attacker can forge Msg1 after reading Msg1  EAPOL-Key format limit the attacks to occur only before the first PTK establishment Attack can be occurred only after reading Msg1 and before establishing the first handshake

17/22 Dependable S/W Lab Random-Drop Queue Countermeasures Randomly replaced by the new state if queue is filled

18/22 Dependable S/W Lab Message 1 Authentication Countermeasures  Add a MIC to msg1  Reuse shared PMK  Set Nonce to specific value(e.g.,0)  Derive a trivial PTK  Calculate the MIC with derived PTK  Limitation  If PSK or cached PMK? Vulnerable to Reply attack  Repaired Countermeasure  Add SN increasing monotonically  Use local time as SN  Weakness of this countermeasure  Modification on Packet format

19/22 Dependable S/W Lab Nonce Re-use Countermeasures  Reuse Nonce  Supplicant reuse the value of SNonce until a legitimate handshake is completed successfully  Not update Nonce  No requirement for Authenticator to reuse ANonce  Eliminate the memory DoS Attack  Limitation  More computation on the supplicant side  Fixed SNonce – easy guessing the PMK  Weakness of this countermeasure  CPU exhaustion attack

20/22 Dependable S/W Lab Proposal Countermeasures  Combination of countermeasures  Reuse SNonce  Store PTK and ANonce of the first Msg1  If stored ANonce = received ANonce in Msg3, use PTK  If stored ANonce ≠ received ANonce in Msg3, calculate new PTK {AA, ANonce, msg1} {SNonce, msg2, MIC} {ANonce, msg3, MIC} {msg4, MIC} PTK Derived Store PTK, ANonce PTK Derived {AA, ANonce, msg1} Attack ANonce ≠ ANonce PTK’ Derived, Use derived PTK Anonce = Anonce Use stored PTK Calculate MIC

21/22 Dependable S/W Lab Proposal Countermeasures  Combination of countermeasures  Reuse SNonce  Store PTK and ANonce of the first Msg1 Eliminate the Memory Exhaustion Attack  If stored ANonce = received ANonce, use PTK  If stored ANonce ≠ received ANonce, calculate new PTK Eliminate the CPU Exhaustion Attack No Modification on Packet format  Adopted by TGi

22/22 Dependable S/W Lab IEEE i  Conclusions  RSNA conversation  Simplified Protocol by using Murφ  DoS Attack  3 Countermeasures and the their effectiveness  Proposed solution Combined Reuse Nonce Solution Advantages Conclusion

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.