Cooperative Networked Control of Dynamical Peer-to-Peer Vehicle Systems: Computing and Verification Secure Wireless Networking Anupam Datta, John C. Mitchell Stanford University (Ante Derek, Changhua He, Mukund Sundararajan) UIUC, MIT, Stanford, UCSB, UCLA MURI: 3-Year Review June 22, 2005 Sponsored by DDR&E and AFOSR Program manager Lt Col Sharon Heise
Communications/Verifica tion Robotic Vehicles Computing & Verification Control & Information Theory Communications
Computational models Timed Probabilistic State-transition models Logic-based models Basic Asynchronous Hybrid Program-based models Features Approaches
State-transition models Finite-state machines, Turing machines I/O automata Logic-based models Before/after conditions Temporal logic First-order state predicates: Modal operators: Always , Eventually Program-based models Process calculi
Security Analysis at Stanford State-transition Models Murphi model-checking [Mitchell, Shmatikov et al] Logic-based Models Protocol Logic [Datta, Derek, Durgin, Mitchell, Pavlovic] Composition theorems (assume-guarantee paradigm) Relationship to Lynch’s project (compositional reasoning) Computational Protocol Logic [Datta, Derek, Mitchell, Shmatikov, Turuani] Probability, complexity Symbolic reasoning about complexity-theoretic cryptography Program-based Models Probabilistic Polytime Process Calculus [Mitchell, Ramanathan, Scedrov, Teague] Relationship to Lynch’s project (I/O Automata) – preliminary results [Datta, Kuesters, Mitchell, Ramanathan]
Secure Wireless Networking Wireless Security Overview Wireless threats IEEE i Murphi Analysis of 4-Way Handshake [He, Mitchell] Breaking and Fixing IEEE i Standard Modular Proof of i using Protocol Logic [He, Sundararajan, Datta, Derek, Mitchell] i and Ad Hoc Routing Security [He, Mitchell]
Human Interface Devices Synchronization Dial-Up Networking Printing Cellular Network Mobile Data Services WiMAX WLAN Bluetooth PAN Public Internet Home/Office Hands-free Speakerphone Hands-free Headset Wireless Everything Outdoor BS
Wireless Threats Passive Eavesdropping/Traffic Analysis Easy, most wireless NICs have promiscuous mode, cheap man-made antenna can enlarge the signal range greatly Message Injection/Active Eavesdropping Easy, some techniques to gen. any packet with common NIC, exploit MAC cooperation to interfere in a timely way Message Deletion and Interception Possible, interfere packet reception with directional antennas Masquerading and Malicious AP Easy, MAC address forgeable and software available (HostAP) Session Hijacking Man-in-the-Middle Denial-of-Service (DoS)
Wireless Security Evolution [Walker00], [Wagner01], [Arbaugh et al 01], [Arbaugh02], [FMS01] … WEP (Wired Equivalent Protocol) Authentication: Open System (SSID) or Shared Key Authorization: some vendor use MAC address filtering Confidentiality/Integrity: RC4 + CRC Completely insecure – bad use of good crypto WPA: Wi-Fi Protected Access Authentication: 802.1X Confidentiality/Integrity: TKIP Reuse the legacy hardware, still problematic IEEE i (Ratified on June 24, 2004 ) Mutual authentication, e.g., EAP- TLS/802.1X/RADIUS Data confidentiality and integrity: CCMP (believed secure) Key management protocols
Authentica- tion Server (RADIUS) No Key Authenticator UnAuth/UnAssoc 802.1X Blocked No Key Supplicant UnAuth/UnAssoc 802.1X Blocked No Key Supplicant Auth/Assoc 802.1X Blocked No Key Authenticator Auth/Assoc 802.1X Blocked No Key Authentica- tion Server (RADIUS) No Key Association EAP/802.1X/RADIUS Authentication Supplicant Auth/Assoc 802.1X Blocked MSK Authenticator Auth/Assoc 802.1X Blocked No Key Authentica- tion Server (RADIUS) MSK Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK Authentica- tion Server (RADIUS) No Key 4-Way Handshake Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica- tion Server (RADIUS) No Key Group Key Handshake Supplicant Auth/Assoc 802.1X UnBlocked New GTK Authenticator Auth/Assoc 802.1X UnBlocked New GTK Authentica- tion Server (RADIUS) No Key i: RSNA Procedures Data Communication Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica- tion Server (RADIUS) No Key
Roadmap Wireless Security Overview Wireless threats IEEE i Murphi Analysis of 4-Way Handshake [He, Mitchell] Breaking and Fixing IEEE i Standard Modular Proof of i using Protocol Logic [He, Sundararajan, Datta, Derek, Mitchell] i and Ad Hoc Routing Security [He, Mitchell]
Murphi Protocol Verification Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Find error/Diagnose Mur j code RFC, IEEE Std. Mur j code, similar for all protocols Set initial states, specify security conditions, run Mur j
The 4-Way Handshake AssociationEAP/802.1X/RADIUS Authentication Group Key Handshake Data Communication MSK {AA, ANonce, sn, msg1, PMKID} {SPA, SNonce, SPA RSN IE, sn, msg2, MIC} {AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC} {SPA, sn+1, msg4, MIC} Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Authenticator Auth/Assoc 802.1X UnBlocked PTK/GTK Authentica- tion Server (RADIUS) No Key
AA, ANonce, sn, msg1 4-Way Handshake Blocking AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC PTK Derived Random GTK PTK and GTK 802.1X Unblocked PTK and GTK 802.1X Unblocked Supplicant Auth/Assoc 802.1X Blocked PMK Authenticator Auth/Assoc 802.1X Blocked PMK SPA, sn+1, msg4, MIC AA, ANonce, sn, msg1 SPA, SNonce, SPA RSN IE, sn, msg2, MIC AA, ANonce, sn, msg1 AA, ANonce[1], sn, msg1 AA, ANonce[n], sn, msg1
4-Way Blocking Attack Requirement: Must allow wireless station to start more than one session to provide robustness against packet loss. Problem: Message 1 can be forged (not authenticated) Attacker can start many sessions by sending forged message 1’s to wireless station Memory DoS attack: memory exhausted by state maintained for these sessions Similar to TCP SYN flooding attack
4-Way Blocking: Solution Solution Wireless station (supplicant) re-uses its nonce No additional state per session Store one entry of ANonce and PTK for the first Message 1 If nonce in Message 3 matches the entry, use PTK directly; otherwise compute PTK again and use it. Advantages Eliminates the memory DoS attack Ensures performance in “friendly” scenarios Only minor modification to the Supplicant algorithm No modification to the packet format Adopted by IEEE TGi Simple solution, but not immediate
Summary of Vulnerabilities ATTACKSSOLUTIONS 4-way handshake blocking re-use supplicant nonce, eliminate memory DoS. Adopted by IEEE TGi. reflection attack each participant plays the role of either authenticator or supplicant; if both, use different PMKs. Important for deployment in ad hoc network setting. attack on Michael countermeasure s cease connections for a specific time instead of re-key and deauthentication; update TSC before MIC and after FCS, ICV are validated. RSN IE poisoning Authenticate Beacon and Probe Response frame; Confirm RSN IE in an earlier stage; Relax the condition of RSN IE confirmation. security rollback supplicant manually chooses security; authenticator restrict pre-RSNA to only insensitive data.
Roadmap Wireless Security Overview Wireless threats IEEE i Murphi Analysis of 4-Way Handshake [He, Mitchell] Breaking and Fixing IEEE i Standard Modular Proof of i using Protocol Logic [He, Sundararajan, Datta, Derek, Mitchell] i and Ad Hoc Routing Security [He, Mitchell]
Protocol Composition Logic Cord calculus Protocol programming language Execution model (Symbolic/Dolev-Yao) Protocol logic Expressing security properties Proof system Axiomatically proving security properties Soundness Theorem – every provable formula is true
802.11i:Staged Composition Control Flow Intended run is sequential Different Failure Recovery mechanisms can be implemented for efficiency Periodically update Group Key, PTK, PMK (omit here) Hybrid modes Pre-Shared Key (PSK) used directly instead of EAP authentication methods Cached PMK might be used for mobile users Alternatives for EAP-TLS, e.g., PEAP, LEAP Data Transmission Group Key 4-Way EAP-TLS PMK PTK GTK
802.11i Proof Structure Step 1. i, j |- θ i [P i ] X i Separate proof of individual components TLS, 4-Way, and Group Key Handshake; Step 2. i, j, Q i |- j Necessary invariants are satisfied by all components; Step 3. i, i θ i+1 The postcondition of TLS implies precondition of 4-Way; postcondition of 4-Way implies precondition of Group Key; Step 4. i, θ i [B] X θ i The preconditions of each component are preserved by subsequent components. Applying the Staged Composition Theorem, i is secure.
Roadmap Wireless Security Overview Wireless threats IEEE i Murphi Analysis of 4-Way Handshake [He, Mitchell] Breaking and Fixing IEEE i Standard Modular Proof of i using Protocol Logic [He, Sundararajan, Datta, Derek, Mitchell] i and Ad Hoc Routing Security [He, Mitchell]
Ad Hoc Routing Security Secure routing is important in ad hoc networks Previous work: common routing + cryptographic improvements Most proposals based on on-demand (reactive) routing No false route accepted Common problems Many secure routing protocols are complicated Some attacks are still possible Assume everyone shares keys prior to routing Thought i is supposed to be widely deployed, can we take advantage of that?
Observations i provides hop-by-hop security Neighborhood authentication + Identity Binding IPsec or other protocols to provide end-to-end security If all good nodes, common routing protocol works Compromised nodes can cause problems Link layer security => Local Attacker model Eliminate outside attacker, only inside attacker Reduce global attacker to local attacker B S D F A T C E
Summary Security Analysis Methods: Murφ and PCL effective for analyzing industrial security protocols Paradigms: Compositional reasoning Symbolic reasoning about cryptography IEEE i case study Automated study led to improved standard Deployment recommendations also IEEE i and ad hoc routing security Goal: simplify the design of secure routing protocols using link layer security More ongoing case studies: Mobile IPv6, IEEE e
Questions?
Project Goals Establish theory, scalable control algorithms and protocols Performance and correctness verifiable with robustness to External uncertainty Malicious attack Rapidly evolving environment
Failure Recovery Failure recovery is important Can reduce but not eliminate DoS vulnerabilities i adopts a simple scheme Whenever failure, restart from the beginning, inefficient ! A better failure recovery for i If 802.1X does not finish, restart everything Otherwise restart from nearest completed components Difficult to forge an 802.1X authentication User moves to another AP after 802.1X authentication ? Not a problem since channel scanning time is significantly larger than the protocol execution time
Improved i Architecture Stage 1: Network and Security Capability Discovery Stage 2: 802.1X Authentication (mutual authentication, shared secret, cipher suite) Stage 3: Secure Association (management frames protected) Stage 4: 4-Way Handshake (PMK confirmation, PTK derivation, and GTK distribution) Stage 5: Group Key Handshake Stage 6: Secure Data Communications Michael MIC Failure or Other Security Failures Group Key Handshake Timout 4-Way Handshake Timout Association Failure 802.1X Failure
Local Attacker Model Local Attacker Model Compromised node or geographic limitations Attacker can only touch its neighbors A weaker attacker model Network is not controlled by the attacker If the attacker wants to control the network, it will try to attract all traffic passing through itself Secure routing under local attacker model Find good route with high probability Idea (informal) Link security + secure routing under local attacker model gives secure routing under global attacker model Advantages Decompose secure routing to two problems “Simplify” the secure routing design (802.11i already done) No need for key pre-distribution among everybody