1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.

Slides:



Advertisements
Similar presentations
Authentication.
Advertisements

Doc.: IEEE /087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.
Internet Protocol Security (IP Sec)
Akshat Sharma Samarth Shah
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
URP Usage Scenarios for NAS Yoshihiro Ohba August 2001 Toshiba America Research, Inc.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Doc.: IEEE /0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.
802.1x EAP Authentication Protocols
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Protected Extensible Authentication Protocol
IEEE Wireless Local Area Networks (WLAN’s).
WLAN Security:PEAP Sunanda Kandimalla. Intoduction The primary goals of any security setup for WLANs should include: 1. Access control and mutual authentication,
CONTEXT BINDING: An Emerging Problem in Cryptographic Protocols Catherine Meadows Naval Research Laboratory Code 5543 Washington, DC 20375
Georgy Melamed Eran Stiller
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.
WLAN security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Wireless LAN Security Yen-Cheng Chen Department of Information Management National Chi Nan University
EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.
Mobile and Wireless Communication Security By Jason Gratto.
Remedies Use of encrypted tunneling protocols (e.g. IPSec, Secure Shell) for secure data transmission over an insecure networktunneling protocolsIPSecSecure.
WIRELESS LAN SECURITY Using
Comparative studies on authentication and key exchange methods for wireless LAN Authors: Jun Lei, Xiaoming Fu, Dieter Hogrefe and Jianrong Tan Src:
Wireless and Security CSCI 5857: Encoding and Encryption.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Eugene Chang EMU WG, IETF 70
Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
KAIS T Security architecture in a multi-hop mesh network Conference in France, Presented by JooBeom Yun.
Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)
Chapter 21 Distributed System Security Copyright © 2008.
IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.
2003/12/291 Security Aspects of 3G-WLAN Interworking 組別: 2 組員: 陳俊文 , 李奇勇 , 黃弘光 , 林柏均
KAIS T Wireless Network Security and Interworking Minho Shin, et al. Proceedings of the IEEE, Vol. 94, No. 2, Feb Hyeongseop Shim NS Lab, Div. of.
Cellular Access Control and Charging for Mobile Operator Wireless Local Area Networks H. Haverinen, J. Mikkonen and T. Takamaki, Nokia Wei-Jen, Lin Advanced.
Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.
EAP Authentication for SIP & HTTP V. Torvinen (Ericsson), J. Arkko (Ericsson), A. Niemi (Nokia),
March 17, 2003 IETF #56, SAN FRANCISCO1 Compound Authentication Binding Problem (EAP Binding Draft) Jose Puthenkulam Intel Corporation (
Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.
PPP Configuration.
1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
3GPP GBA Overview Adrian Escott.
Doc.: IEEE /303 Submission May 2001 Simon Blake-Wilson, CerticomSlide 1 EAP-TLS Alternative for Security Simon Blake-Wilson Certicom.
Wireless Network Security CSIS 5857: Encoding and Encryption.
N. Asokan, Kaisa Nyberg, Valtteri Niemi Nokia Research Center
Dos and Don’ts of Client Authentication on the Web Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster Presented: Jesus F. Morales.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
KAIS T Comparative studies on authentication and key exchange methods for wireless LAN Jun Lei, Xiaoming Fu, Dieter Hogrefe, Jianrong Tan Computers.
Lect 8 Tahani al jehain. Types of attack Remote code execution: occurs when an attacker exploits a software and runs a program that the user does not.
Analysis of SIP security Ashwini Sanap ( ) Deepti Agashe ( )
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
Securing Access to Data Using IPsec Josh Jones Cosc352.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
1 Authentication Celia Li Computer Science and Engineering York University.
Wired Equivalent Privacy. INTRODUCTION Wired Equivalent Privacy (WEP) is a security algorithm for IEEE wireless networks. Introduced as part of.
1. Introduction In this presentation, we will review ,802.1x and give their drawbacks, and then we will propose the use of a central manager to replace.
November 18, 2002 IETF #55, ATLANTA1 Problem with Compound Authentication Methods Jesse Walker Intel Corporation (
MAC Address Hijacking Problem
Presentation transcript:

1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI, KAISA NYBERG Nokia Research Center

2 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Remote Authentication Methods Two network access scenarios Subscription based – there is a home network Alternative access based – there is no home network In both cases the local authentication agent (e.g., AAAL) contacts some back-end authentication server to verify authenticity of mobile client

3 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Remote Authentication Methods Two cryptographic scenarios Public key based Secret key based In both cases authenticity of mobile client is based on some secrets it has

4 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Remote Authentication Methods At least two session key scenarios Session credentials for mobile client – goal is service level session security, or session connection security with a different party Session connection security, e.g., communication security in link, transport and/or network layer … In all cases session keys are derived as a result of successful authentication between mobile client and an authentication agent

5 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Remote Authentication Methods - EAP Extensible Authentication Protocol (EAPblack boxeneral protocol framework that supports multiple authentication mechanisms allows a back-end server to implement the actual mechanism authenticator simply passes authentication signaling through EAP was initially designed for use with PPP network access But has been adapted by for many types of access authentication WLAN (IEEE 802.1X), Bluetooth, … And even other applications charging, authorization EAP consists of several Request/Response pairs; Requests are sent by network starts with EAP-Request/Identity sent by network ends with EAP-Success or EAP-Failure sent by network But drawbacks of EAP prompted attempts to secure it

6 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Confidentiality of the identity of the mobile client on the air interface Prevention of linking between pairs of authentication messages involving the same mobile client Confidentiality against radio interface eavesdropping for data exchanged during the authentication protocol Existing EAP based authentication methods fail… Privacy requirements

7 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Different session key derivation methods Many legacy protocols for mobile client authentication Encapsulated in EAP types EAP does not provide a standard way for deriving session keys that can be used for message authentication or encryption Examples: 1. One-time passwords – totally insecure if not protected. Typically tunnelled through TLS. Session keys derived from TLS (proprietary to PEAP or TTLS). 2. EAP/SIM – proprietary protection methods - network authentication, session key derivation A consistent method of session key derivation is desirable

8 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Protecting EAP- the PEAP approach Designed to protect any EAP method for client authentication. Provides client anonymity. Backend server authenticated to client based on public key of server. Designed to provide mutual authentication. EAP protocol runs within a protected TLS tunnel. Designed to provide unified method for session key derivation. Session keys derived from TLS: e.g., protection of subsequent session is based on the same secrets as the TLS tunnel.

9 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Protecting EAP – the PEAP approach

10 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Protecting EAP – the PIC approach Bootstraps IKE (JFK etc) from any EAP protocol – intended for remote access to VPN gateways Designed to protect any EAP method for client authentication especially password-based authentication Provides client anonymity Server authenticated to client based on public key of server. Provides unified method for credential transport Tunnel protocol: simplified unilateral version of ISAKMP (Layer 3) Session credentials for IPSec SA created by Back-end server transported to client through the protected tunnel A main design goal is not to require changes to legacy protocols

11 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Protecting EAP – the PIC approach

12 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) PIC and PEAP - Open issues If it can be done, at what cost and under what assumptions on the use of PK? DoS attacks on access network? DoS attacks on radio interface? Additional roundtrip necessary? How to obtain network’s public key and link it to network’s identity? How can user verify network’s certificate? What about revocation?

13 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) PEAP/AKA- How it works

14 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) PIC EAP/AKA- How it works

15 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) PEAP/AKA- How it can fail

16 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) PIC EAP/AKA- How it can fail

17 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Analysis of the problem Outer protocol (e.g., TLS) and inner protocol (e.g., EAP AKA) are both secure! It is the composition that is insecure. Inner protocol is a legacy remote client authentication protocol (EAP/SIM, EAP/AKA) –typically used also without TLS tunnelling, also without ANY tunnelling MitM can initiate untunnelled authentication with the client: e.g., set up a false cellular base station to ask for IMSI and then for RES. Even if inner protocol is used exclusively in tunnelled mode, authentication of tunnel relies solely upon client. E.g., user may accept an unknown certificate! This is not acceptable to network operators. Session keys are derived from tunnel protocol only (e.g., TLS Master Key generated using tunnel protocol; same key as used to create tunnel). Keys derived in inner protocol (e.g., AKA Master Keys) are not used.

18 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Impacts of failure Under passive (eavesdropping) attacks: Tunnelling provides some protection of user identity – however link-layer addresses are revealed anyway! Under active (man-in-the-middle) attacks: Tunnelled authentication protocols fail to protect user identity (e.g., IMSI in EAP AKA or EAP SIM) allow attacker to masquerade as the victim (e.g., and hijack her WLAN link) risk link confidentiality with EAP SIM as auth. protocol, are weaker than plain EAP SIM with EAP AKA as auth. protocol, are much weaker than plain EAP/AKA

19 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Conditions for failure A tunnelled authentication protocol is insecure unless if the outer protocol does perform mutual authentication not true for PEAP in server-authenticated mode, or PIC. if the keys used for a particular subscription are not used in the legacy untunnelled mode (even if other subscriptions may be used in this mode) not true for integrated terminals (e.g., GPRS/WLAN) not true when the same general purpose smartcard (SIM/UICC) is used with separate single-purpose terminals (e.g., WLAN, GPRS)

20 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) General model of tunnelled authentication Terminology tunnel endpoint is authentication ”agent” authentication protocol endpoint is authentication ”server” ”front-end” authenticator is a pass-through server Agent and Server may be co-located Client Authentication Agent Authentication Server Tunneling protocol Server authenticated secure tunnel establishment Authentication protocol Client authentication secure tunnel Front-end authenticator

21 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Proposed solution Create cryptographic binding between tunnelling protocol and authentication protocol: METHOD 1: Use a one-way function to compute session keys from tunnel secrets (e.g.TLS master key) and auth. protocol secrets (e.g. IK,CK). METHOD 2: Compute a MAC over client-specific text (e.g, challenge, PIC credential request, …), using a MAC key derived as session key in Method 1. MAC is verified by agent or server. Now tunnel is secure for handling of session keys or credentials. In both methods, auth. protocol secrets must be sent from server to agent (or tunnel secrets must be sent from agent to server) Both methods rely on the authentication protocol producing a session key as well (under some assumptions, also possible to use a long-term key)

22 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Why is cryptographic binding needed? To secure weak inner authentication protocols that use a weak key 1. they MUST be used within a server authenticated tunnel, and 2. they MUST NOT be used outside such a tunnel Assumption #2 drastically reduces use of legacy auth. protocols it MUST NOT be imposed on protocols that use strong keys Tunneling protocols (PEAP, POTLS, PIC etc.) address issue #1 But they treat the inner protocol as a blackbox (any EAP type) Therefore tunnelling protocols SHOULD allow optional cryptographic binding of the outer and inner protocols This allows tunnelling protocols to generic: handle both weak and strong authentication protocols secure: avoid MitM attack non-invasive: NOT have to impose unnecessary restrictions on good protocols

23 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Conclusions Composing two secure protocols may result in an insecure protocol Using tunnelling to “improve” a remote authentication protocol is very common Known vulnerable combinations: HTTP Digest authentication and TLS PEAP and any EAP subtype PIC and any EAP subtype POTLS (v0.0) and any EAP subtype … (obviously not limited to the examples in these slides) The proposed solutions can be used to fix the problem the exact fix needs to be tailored to the specific protocols.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.