Secure Pre-Shared Key Authentication for IKE

Presentation transcript:

Secure Pre-Shared Key Authentication for IKE draft-harkins-spsk-auth-00.txt Dan Harkins Aruba Networks

Use of PSKs Today

The shared key “needs to contain as much unpredictability as the strongest key being negotiated” (§ 2.15). In other words long, hard to remember and error-prone to provision: 128 bits of unpredictability is going to be a user-generated string whose length is over 100 characters from a 94 character alphabet! (see NIST SP 800-63) Humans have a hard time entering a string of more than 12 characters repeatedly without error. Where shared key authentication is used with IKE today it is (with high probability) insecure because no one does long, hard to remember, and error prone very well. Simple shared keys are very popular and will continue to be used because they are easy to provision. The easiest and most appealing use of PSKs with IKE is insecure.

Why is the Existing Scheme Insecure?

The problem is both IKEv1 and IKEv2 are not resistant to dictionary attack. The exchange leaks information about the secret. An attacker need see only one exchange to have enough information to run through all possible pre-shared keys until she finds the right one. Making the pre-shared key a uniformly random 128-bit blob only makes the dictionary attack unlikely to succeed; it does not make the protocol resistant to a dictionary attack. Moore’s law implies these attacks will take less and less time as the years go on. Security is based on assumptions about the expertise of administrators (not good practice). IKEv1 doesn’t really do PSK authentication well.

The Solution: Zero Knowledge Proof

An active attack leaks a single bit of information: whether the guess of the PSK was right or wrong. A passive attack leaks nothing. Advantage is achieved through interaction and not computation – resistant to dictionary attack! The attacker gets one and only one guess at the pre-shared key per active attack. Failed active attacks are trivially noticed and countermeasures can be taken. Moore’s law does not affect this. Security can be achieved even in the presence of weak PSKs, such as user-generated passwords.

What are the Practical Effects?

Imagine a randomly-chosen 4 character PSK using only lower-case English letters: 26^4, or 456,976, different possible PSKs. Existing PSK authentication: one attack and a couple minutes of number crunching to find the PSK. Secure PSK authentication: tens of thousands of active attacks necessary before a significant chance of finding the PSK. Countermeasures can make this take months to succeed, or even make success highly improbable. Robust and misuse-resistant cryptography! The security is no longer based on unrealistic assumptions about the expertise of administrators. Security can be achieved even when deployed “incorrectly”. PSKs can be used practically and realistically. Provisioning UI can be simple.
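The numbers on this slide, and the kind of countermeasure it alludes to, worked through as an added example (not code from the draft or the presentation). The throttle policy (three free failures, then a doubling delay capped at one hour) and tracking failures per peer identifier are assumptions; the page does not specify a countermeasure.

```python
import math

PSK_SPACE = 26 ** 4  # the slide's example: 4 lower-case letters = 456,976 PSKs

def attacks_needed(target_prob, space=PSK_SPACE):
    """Active attacks needed to reach target_prob of success.
    Each active attack tests exactly one PSK, so k distinct guesses succeed with k/space."""
    return math.ceil(target_prob * space)

def days_to_reach(target_prob, min_interval_s, space=PSK_SPACE):
    """Wall-clock days if the responder accepts one attempt per min_interval_s seconds."""
    return attacks_needed(target_prob, space) * min_interval_s / 86400

class FailureThrottle:
    """Hypothetical countermeasure: count failed exchanges per peer and, after
    `free` failures, double the enforced wait on every further failure."""
    def __init__(self, free=3, base_s=1.0, cap_s=3600.0):
        self.free, self.base_s, self.cap_s = free, base_s, cap_s
        self.failures = {}       # peer id -> consecutive failed exchanges
        self.blocked_until = {}  # peer id -> earliest time of next allowed attempt

    def allowed(self, peer, now):
        return now >= self.blocked_until.get(peer, 0.0)

    def record(self, peer, now, success):
        """Record the outcome of one exchange; return the delay imposed (seconds)."""
        if success:
            self.failures.pop(peer, None)
            self.blocked_until.pop(peer, None)
            return 0.0
        n = self.failures.get(peer, 0) + 1
        self.failures[peer] = n
        if n <= self.free:
            delay = 0.0
        else:
            delay = min(self.cap_s, self.base_s * 2 ** (n - self.free - 1))
        self.blocked_until[peer] = now + delay
        return delay

def simulate_guessing(throttle, peer, attempts):
    """Time (seconds) at which the last of `attempts` failed exchanges can occur
    when each one is made as early as the throttle permits."""
    now = 0.0
    for _ in range(attempts):
        now = max(now, throttle.blocked_until.get(peer, 0.0))
        throttle.record(peer, now, success=False)
    return now
```

At one permitted attempt per minute, a 10% chance of finding the 4-letter PSK takes about a month of continuous, visible failures, which is where the slide's "months" comes from.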

Secure PSK Authentication in IKEv2

Initiator                                             Responder

HDR, SAi1, KEi, Ni  -->
                                                 <--  HDR, SAr1, KEr, Nr
HDR, SK {IDi, Commit [, IDr], SAi2, TSi, TSr }  -->
                                                 <--  HDR, SK {IDr, Commit, Confirm}
HDR, SK {Confirm, AUTH}  -->
                                                 <--  HDR, SK {AUTH, SAr2, TSi, TSr}

Why Not Just Use EAP?

For use cases in § 1.1.1 and 1.1.2 EAP is a client-server protocol. If both sides can initiate there are no strict client and server roles. Need to implement both client-side and server-side EAP. There is no “User” as shown in draft-eronen-ipsec-ikev2-eap-auth. Each side must possess the shared secret – no AAA server for scaling benefit. AAA servers don’t operate as EAP clients. Security is based on “I know the secret” not “I know someone who knows someone who knows the secret.”

EAP would just be a pointless encapsulation. Implementations would be forced to implement both EAP client and EAP server state machines. More, unnecessary, messages (12 vs. 6). EAP fragmentation?

EAP is still an option for other use cases: For any asymmetric authentication or authentication using a credential other than a secret shared by both IKE peers. Where there are client and server roles and/or a AAA server is probable. Where there is a “User”.

OK, But Why?

This should be done… …in this working group The existing PSK mode of IKE(v2) is (becoming more) insecure. With this proposal security becomes an integral part of IKE(v2) and not a contingency that is dependent on how the protocol is deployed. This is a secure alternative that uses PSKs in the natural manner in which we all know they are, and will continue to be, used. Even if large random numbers are used as the PSK, this is still a better, more secure, exchange.

…in this working group There are choices to make that would benefit from the cryptographic and implementer expertise in this group. It needs vetting by the group to ensure that it solves the problem in the best possible way. The devil is in the details and there are important details that this WG should work on to ensure it’s done right.

Thank You!