IEEE 802.11i: A Retrospective Bernard Aboba Microsoft March 2004.

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

Doc.: IEEE /553r0 Submission September 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE Tgi Tim Moore Bernard Aboba.
Doc.: IEEE /087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.
IEEE P802 Handoff ECSG Submission July 2003 Bernard Aboba, Microsoft Detection of Network Attachment (DNA) and Handoff ECSG Bernard Aboba Microsoft July.
Submission doc.: IEEE /0789r3 NameAffiliationsAddressPhone George Cherian Santosh Abraham Jouni Malinen Qualcomm 5775 Morehouse Dr, San Diego,
Doc.: IEEE /253 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 WEP2 Security Analysis Bernard Aboba Microsoft.
Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.
Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
Doc.: IEEE /275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE David Halasz, Stuart Norman, Glen.
TGai FILS Authentication Protocol
Security Analysis and Improvements for IEEE i Changhua He, John C Mitchell Stanford University NDSS’05, Feb. 03, 2005.
Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
Doc.: IEEE /0976r1 Submission July 2011 Hitoshi Morioka, ROOT INC.Slide 1 TGai Authentication Protocol Proposal Date: Authors: NameAffiliationsAddressPhone .
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
IWD2243 Wireless & Mobile Security Chapter 3 : Wireless LAN Security Prepared by : Zuraidy Adnan, FITM UNISEL1.
Michal Rapco 05, 2005 Security issues in Wireless LANs.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
IEEE MEDIA INDEPENDENT HANDOVER DCN: srho
Doc.: IEEE /0039r0 Submission NameAffiliationsAddressPhone Robert Sun; Yunbo Li Edward Au; Phil Barber Junghoon Suh; Osama Aboul-Magd Huawei.
Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
WEP Protocol Weaknesses and Vulnerabilities
EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba
Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks
Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.
Doc.: IEEE /551r0 Submission September 2002 Moore, Roshan, Cam-WingetSlide 1 TGi Frame Exchanges Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget.
Doc.: IEEE /562r1 Submission November 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE Tgi Tim Moore Bernard Aboba.
Doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 24 “Wireless Network Security”.
Doc.: IEEE /1281r1 Submission NameAffiliationsAddressPhone Robert Sun;Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,
Doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.
Doc.: IEEE /278r0 Submission NameAffiliationsAddressPhone Ping Fang Huawei Technologies Co., Ltd. Bldg 7, Vision Software Park, Road Gaoxin.
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.
Doc.: IEEE k Submission July 2004 Bernard Aboba, MicrosoftSlide 1 IEEE k Security: A Conceptual Model Bernard Aboba Microsoft.
Doc.: IEEE /1426r02 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District,
Submission doc.: IEEE /313r1 March 2016 Guido R. Hiertz, Ericsson et al.Slide 1 The benefits of Opportunistic Wireless Encryption Date:
EECS  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Doc.: IEEE /0199r0 Submission March 2005 Kapil Sood, Intel; Bob O’Hara, AirespaceSlide 1 Policy Enforcement For Resources and Security Notice:
Robust Security Network (RSN) Service of IEEE
Advanced Penetration testing
CSE 4905 WiFi Security II WPA2 (WiFi Protected Access 2)
Lecture 29 Security in IEEE Dr. Ghalib A. Shah
Some LB 62 Motions January 13, 2003 January 2004
Keying for Fast Roaming
Chapter 24 Wireless Network Security
Advanced Penetration testing
TGai FILS Authentication Protocol
Mesh Security Proposal
Wireless Network Security
Use of EAPOL-Key messages during pre-auth
PEKM (Post-EAP Key Management Protocol)
Pre-Association Security Negotiation (PASN) for 11az
Just-in-time Transition Setup
July 2002 Threat Model Tim Moore Tim Moore, Microsoft.
IEEE k Security: A Conceptual Model
Jesse Walker and Emily Qi Intel Corporation
Pre-Association Negotiation of Management Frame Protection (PANMFP)
Mechanism to update current session parameters
Fast Roaming Compromise Proposal
Policy Enforcement For Resources and Security
Options for Protecting Management Frames
Mesh Security Proposal
Fast Roaming Compromise Proposal
Fast Roaming Compromise Proposal
Keying for Fast Roaming
Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget Cisco Systems, Inc
Comment Resolution Motions
Presentation transcript:

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004

Outline What was/was not accomplished Threat Model Performance Model Discovery EAP methods State Machine Authenticated Key Management

What Was Accomplished… Cooperation by multiple standards bodies: IEEE 802, IETF, 3GPP, 3GPP2, GSMA, etc. New ciphersuites defined: TKIP, AES CCMP Flexible key management scheme adopted (based on EAP) Integration with existing network access authentication, authorization and accounting mechanisms (RADIUS & Diameter) Widespread vendor support

What Is Missing… Denial of service vulnerabilities partially addressed No mandatory-to-implement authentication or key management scheme Vulnerabilities found in proposed authentication and key management schemes Widespread interoperability, deployment problems reported Improvements in roaming latency needed Proprietary enhancements often needed to fill in the holes

Threat Model IEEE i does not include an explicit threat model –Result: endless discussions of which threats were worth addressing, no way to know when the specification was done. –TKIP rejected in many mission critical applications due to DoS vulnerabilities How to do better –Discuss the threat model early on –Identify the usage scenarios, draw simple pictures –Distinguish between DoS attacks Attacks from afar worse than attacks requiring proximity Leveraged attacks more serious than unleveraged ones References –RFC 3748 (EAP) threat model –EAP Key Management Framework (work in progress)

Phases - ESS STA … Probe Requests Probe Responses Pre-authentication Exchange Re-association Response 4-way handshake IAPP Discovery Reauthentication/ Reassociatation New AP Beacon APs Discovery Phase –STA scans for APs Passive (Beacon) Active (Probe Request/Response) –80-90% of roaming time spent in discovery Reauthentication phase –Authentication occurs prior to association –If already associated to another AP, STA can pre- authenticate to one or more APs Reassociation Phase –STA attempts to associate/reassociate to preferred AP Re-association Request ] IEEE i security only

Performance Model IEEE i decided that a backward compatible cipher (TKIP) was needed, but: –Performance criteria not thought through Lead to adoption of low quality MIC (MICHAEL), adoption of countermeasures –All the transition issues not considered Virtual AP support typically required in some form to allow co-existence Result: –Countermeasures unacceptable in many mission critical applications –Reasonable performance, higher quality (proprietary) MIC widely adopted instead Alternative shipped even by the MICHAEL proponents! –Many deployments blocked pending release of transition functionality How to do better –Think through the required performance and hardware implications explicitly –Think through the transition/deployment model –Remember that hardware price/performance continually improves, standards take longer than expected –Remember that while retrofits are technically possible, vendors may implement only on new equipment

Discovery IEEE i does not secure management or control frames: –Beacon/Probe Request/Response frames –Association/Reassociation/Disassociation/Deauthentication –Control frames face severe time constraints (ACK) Result: DoS vulnerabilities –Power mgmt. attacks on the TIM, Rate attacks, attacks on measurement frames, vendor specific attributes, etc. Result: Fixes required after the fact –Beacon IEs can now (optionally) be included in 4-way handshake –IEEE k now looking to secure measurement frames How to do better –Think through the discovery threats beforehand –Think through the performance model Some frame types may not be protectable, depending on the required performance

Discovery Questions What does the discovery exchange look like? Which frames are unicast, which are multicast? When can discovery frames be sent? –Before authentication? After authentication? Is the information in discovery frames integrity protected? If yes, then: –Is the whole frame protected? Or just individual Information Elements? –Is information protected when sent? With group or unicast keys? –Or is the information protected after the fact? With group/unicast keys? How big can discovery frames get? –Who will use them, and for what? –Is fragmentation possible?

EAP Methods Flaws –No mandatory to implement EAP method in IEEE i –Authentication server needed in simplest deployments –Fix: PSK mode Inability to use standard EAP key naming schemes Vulnerability to dictionary attack –EAP method requirements defined late in the process Results –Explosion in proprietary EAP methods lacking adequate review Flaws found in many proposals Interoperability problems widespread –PSK mode implementations often crackable –Method rewrites required to meet the method requirements –Deployments using unacceptable methods less secure than WEP! How to do better –Define a mandatory to implement method –Define EAP method requirements early on –Leverage IETF standardization process References –Draft-walker-ieee802-req-00.txt

State 1 Unauthenticated, Unassociated State 2 Authenticated, Unassociated State 3 Authenticated, and Associated Successful Authentication Successful Association or Reassociation Disassociation Notification DeAuthentication Notification Deauthentication notification Class 1 Frames Class 1 & 2 Frames Class 1, 2 & 3 Frames State Machine

State Machine Issues Flaws –Association/Reassociation/Disassociation/ Deauthenticate messages not protected. Cant base a security protocol on a state machine governed by insecure frames, so… Functionality duplicated in the IEEE i authenticated key management (AKM) protocol Results –Denial of service attacks at a distance –Confusion between standards (IEEE F vs i) –Excessive complexity How to do better –Think through the basic state machine early on –Keep it simple!

State 1 Unauthenticated, Unassociated State 2 Authenticated, Unassociated State 3 Authenticated, and Associated PMK Install PTK Install PTK Delete PMK Delete PTK/PMK Delete Class 1 Frames Class 1 & 2 Frames Class 1, 2 & 3 Frames How This Probably Should Have Worked

IEEE i Authenticated Key Mgmt Supplicant Authenticator Key (PMK) is Known Generate SNonce Key (PMK) is Known Generate ANonce Derive PTK If needed, generate GTK Install PTK and GTK Install PTK Message 1: EAPOL-Key(ANonce, Unicast) Message 2: EAPOL-Key(SNonce, Unicast, MIC) Message 3: EAPOL-Key(Install PTK, Unicast, MIC, GTK) Message 4: EAPOL-Key(Unicast, MIC)

AKM Issues Flaws –Too many exchanges Handshake is 6-way when Association/Reassociation exchange included (for PMK negotiation) 4-way handshake initiated by authenticator, not supplicant –GTK transport is uni-directional How to do better –Remember that keys needed to be deleted as well as installed –Remember that state needs to be synchronized on both sides –Draw simple box and arrow diagrams before diving into details References –EAP Key Management Framework

How STA-Initiated AKM Might Work Supplicant Authenticator Key (PMK) is Known Generate SNonce Key (PMK) is Known Generate ANonce Derive PTK, Generate GTK Derive PTK, Generate GTK Install PTK and GTK Message 1: EAPOL-Key(SNonce, Unicast) Message 2: EAPOL-Key(ANonce, Unicast, MIC, GTK) Message 3: EAPOL-Key(Install PTK & GTK, Unicast, MIC, GTK) Message 4: EAPOL-Key(Unicast, MIC)

Feedback?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.