Doc.: IEEE 802.11-03/657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.

Slides:

Advertisements

Similar presentations

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Advertisements

Analysis of the i 4-Way Handshake Changhua He, John C Mitchell Stanford University WiSE, Oct. 1, 2004.

Doc.: IEEE /0018r0 Submission January 2010 Alexander Tolpin, Intel CorporationSlide 1 4 –Way Handshake Synchronization Issue Date:

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005

Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.

MIS Week 12 Site:

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.

Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

1 IEEE i Overview v0.1 Summary by Uthman Baroudi Nancy Cam-Winget, Cisco Systems Tim Moore, Microsoft Dorothy Stanley, Agere Systems Jesse Walker,

IWD2243 Wireless & Mobile Security Chapter 3 : Wireless LAN Security Prepared by : Zuraidy Adnan, FITM UNISEL1.

Submission August 2001 Nancy Cam-Winget, Atheros Slide 1 Rapid Re-keying WEP a recommended practice to improve WLAN Security Nancy Cam-Winget, Atheros.

Doc.: IEEE /1066r2 Submission July 2011 Robert Moskowitz, VerizonSlide 1 Link Setup Flow Date: Authors: NameCompanyAddressPhone .

Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),

IEEE MEDIA INDEPENDENT HANDOVER DCN: srho

Doc.: IEEE /0039r0 Submission NameAffiliationsAddressPhone Robert Sun; Yunbo Li Edward Au; Phil Barber Junghoon Suh; Osama Aboul-Magd Huawei.

Doc.: IEEE /0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.

EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba

Doc.: IEEE /1572r0 Submission December 2004 Harkins and AbobaSlide 1 PEKM (Post-EAP Key Management Protocol) Dan Harkins, Trapeze Networks

Doc.: IEEE /0476r2 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation.

Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.

Security in Wireless Networks IEEE i Presented by Sean Goggin March 1, 2005.

Doc.: IEEE /0374r0 Submission March 2010 Dan Harkins, Aruba NetworksSlide 1 Clarifying the Behavior of PMK Caching Date: Authors:

Doc.: IEEE /495r1 Submission July 2001 Jon Edney, NokiaSlide 1 Ad-Hoc Group Requirements Report Group met twice - total 5 hours Group size ranged.

Doc.: IEEE /0566r1 Submission May 2006 Sood, Walker, Cam-Winget, CalhounSlide 1 TGr Security Architecture Notice: This document has been prepared.

Link-Layer Protection in i WLANs With Dummy Authentication Will Mooney, Robin Jha.

Doc.: IEEE /551r0 Submission September 2002 Moore, Roshan, Cam-WingetSlide 1 TGi Frame Exchanges Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget.

Doc.: IEEE /0707r0 Submission July 2003 N. Cam-Winget, et alSlide 1 Establishing PTK liveness during re-association Nancy Cam-Winget, Cisco Systems.

IEEE i Aniss Zakaria Survey Fall 2004 Friday, Dec 3, 2004

Doc.: IEEE /1062r0 Submission September 2004 F. Bersani, France Telecom R&DSlide 1 Dominos, bonds and watches: discussion of some security requirements.

Doc.: IEEE /200 Submission September 2000 Ron Brockmann, Intersil Plug-n-Play Security in the Home & Small Business Ron Brockmann Intersil.

Shambhu Upadhyaya Security – Key Hierarchy Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 11)

Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN

Doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.

Doc.: r Submission March 2006 AllSlide 1 A method to refresh the keys hierarchy periodically Notice: This document has been prepared to.

Wireless Network Security CSIS 5857: Encoding and Encryption.

Doc.: IEEE /1426r02 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District,

Protocol Coexistence Issue in MSA Subsequent Authentication

Doc.: IEEE /2539r0 Submission September 2007 Tony Braskich, MotorolaSlide 1 Overview of an abbreviated handshake with sequential and simultaneous.

History and Implementation of the IEEE 802 Security Architecture

Module 48 (Wireless Hacking)

Robust Security Network (RSN) Service of IEEE

CSE 4905 WiFi Security II WPA2 (WiFi Protected Access 2)

History and Implementation of the IEEE 802 Security Architecture

Authentication and handoff protocols for wireless mesh networks

Lecture 29 Security in IEEE Dr. Ghalib A. Shah

Some LB 62 Motions January 13, 2003 January 2004

Keying for Fast Roaming

Motions to Address Some Letter Ballot 52 Comments

Mesh Security Proposal

Wireless Network Security

Use of EAPOL-Key messages during pre-auth

PEKM (Post-EAP Key Management Protocol)

IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec

TAP & JIT Key Hierarchy Notes

802.1X/ Issues Nancy Cam-Winget, Cisco Systems

Jesse Walker and Emily Qi Intel Corporation

Pre-Association Negotiation of Management Frame Protection (PANMFP)

Fast Roaming Compromise Proposal

WLAN Extended Multicast for TGu

Mesh Security Proposal

TGr Security Architecture

Fast Roaming Compromise Proposal

Fast Roaming Compromise Proposal

Keying for Fast Roaming

Jesse Walker, Intel Corporation Russ Housley, Vigil Security

Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget Cisco Systems, Inc

Presentation transcript:

doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc

doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 2 Key Naming Current draft specifies: PMKID = HMAC-SHA1-128(PMK, “PMK Name” || BSSID || STA-MAC-Addr) PTK = HMAC-SHA1-128(PTK, “PTK Name” || SSID)

doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 3 PMK Name PMK Name may be vulnerable to offline dictionary attacks if it is low entropy (like PSKs) PMK Name does not need to be keyed from PMK There are alternatives to current derivation: –Use the MS-MPPE-Send-Key as the key to HMAC- SHA1: PMKID = HMAC-SHA1-128(MS-MPPE-Send-Key, “PMK Name” || BSSID || STA-MAC-Addr)

doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 4 PMK Name (cont’d) Do we need to name PSK’s? Not clear there is a use for this, but if needed, we can extend the the Password-to-key hash function to generate 64 octets vs. 32, can use the extra 32 octets as the 32 octets as the MS-MPPE-Send-Key for: PMKID = HMAC-SHA1-128(MS-MPPE-Send-Key, “PMK Name” || BSSID || STA-MAC-Addr)

doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 5 PTK Name can be derived from hierarchy: Pairwise Master Key (PMK) Pairwise Transient Key (PTK) (X bits) EAPOL-Key Key Confirmation Key L(PTK,0,128) (KCK) EAPOL-Key Key Encryption Key L(PTK,128,1 28) (KEK) Temporal Key TKIP: L(PTK,256,256) CCMP: L(PTK,256,128) (TK) PTKID L(PTK,XXX,1 28) (PTKID) Or, from the PMKID: PTKID = HMAC-SHA1-128(PMKID, 0 32 || “PTK Name” || SNonce || ANonce)

doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 6 DLP Key Establishment 4.a EAPOL Key STA1-STA2 GTK 4.b EAPOL Key STA1-STA2 GTK 5.a EAPOL Key Confirm 5.b EAPOL Key Confirm STA1 STA2 1a DLP Request 2b DLP Response 3. EAPOL Key Request STA1-STA2 Link 1b DLP Request 2b DLP Response

doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 7 DLP Establishment (cont’d) How do STA1 and STA2 know when they both have the same STA1-STA2 GTK? –DLP confirm message between STA’s is required to prove GTK liveness. –DLP abort message required to allow 3-party protocol to resync How does a STA distinguish it’s multicast rekey of GTK from DLP GTK? There is a race condition between STA1 and STA2 since neither know when they have the key plumbed There is no proof between STA1 and STA2 that they have a live key: DLP confirm message can resolve this Each can commence protected transmission, but if decrypt errors occur, they have no way to know if it is due to a race condition, liveness, rekey synchronization errors (as each one could trigger a rekey and become desynchronized)

doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 8 A better alternative: DLP is a 3 party protocol STA1 STA2 1a DLP Request New Link 2b DLP Response include STA1-STA2 GTK) 3. DLP AP Confirm( confirm STA1-STA2 GTK) 1b DLP Request ( include STA1-STA2 GTK) 2b DLP Response( confirm STA1-STA2 GTK) DLP Live ( STA1-MACAddr, STA2-MACAddr, nonce1, MIC) DLP Confirm (nonce1, MIC)

doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 9 How are the STA-STA GTK’s consumed? Does the AP generate a unique STA-STA GTK for every DLP request? This is not specified in the draft! Who defines the GTK lifetime? Who revokes and renews it? If not, the STA-STA link must invoke a 4-way handshake, or something similar to establish fresh and unique STA-STA link keys. AP should embed the GTK for the intended DLP channel in the DLP response versus a separate GTK exchange to better bind the security association. DLP Live/Confirm exchange between STA’s must be a minimum requirement to ensure the STA’s are communicating with the intended DLP channel

doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 10 IBSS, why 2 4-way handshakes? 4-way handshake is intended to establish the unicast keys to protect STA-STA link GTK handshake is intended to establish the group keys to protect authenticator-supplicant link. In an IBSS, there does not need to be strict enforcement of authenticator-supplicant roles when distributing keys: –Single 4-way handshake is sufficient to establish the STA-STA link –2 GTK handshakes can be used to establish the group keys: initiator of GTK handshake is the “authenticator”, each STA must initiate it’s own GTK handshake

doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 11 Why 2 distinct 4-way handshakes? STA’s establishing IBSS connection may simultaneously commence the 4- way handshakes. Which one wins? –Spec indicates to use PTK of STA with the lower MAC address. However, if EAP authentication is used, each STA is invoking a full security association which results in 2 PMKs, so the STA with the lower MAC will still have 2 PTKs. –Is the intention to have the STA with the lower MAC address be the sole Authenticator and void the 4-way handshake initiated from the higher MAC address STA? If so, then it proves that only a single 4-way handshake is needed! Two concurrent 4-way handshakes will lead to conflicting PTKs. Two concurrent 4-way handshakes will confuse security policy negotiation: what if one STA negotiates TKIP in its 4-way handshake but the other initiates its 4-way handshake with WEP for unicast? For multicast? Only a single security negotiation (e.g. 4-way handshake) should be required If one finally specifies this, then there is no reason whatsoever for the 4-Way Handshake initiated by the STA with the higher MAC address; it is simply gratuitous.

doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 12 Simplifying IBSS Each STA behaves as both authenticator and supplicant. A single 4-way handshake is used, lower MAC- Address can be the initiator. Since both sides have derived a common PTK (and KEK), each party can use this to distribute it’s own GTK. Each STA initiates it’s own GTK handshake to plumb it’s group key to the receiving STA.

doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 13 Pre-Authentication Is a useful concept but draft has only introduced the concept: –TGi uses 802.1X as a Layer 2 protocol; pre-authentication requires either Layer 2 AP to AP which is not scalable or a switch of roles from bridging to routing. –802.1aa will not address it in its PAR; group had stated it will not address it either. –Security model must be reviewed as pre-authentication now allows access of a wireless node either via the air or wired medium. –Authenticator port access must now control access via both the wireless and wired layer, this breaks the –MN’s not associated to target AP and thus no rate capability and other distribution service capabilities are negotiated. Thus, at minimum, pre- authentication allows MNs to flood APs with 802.1X traffic. –Richer security context is required for an MN, because MN can now pre- authenticate via wired or wireless medium. When does the PMK lifetime commence? At the time of pre-authentication or at association? –How does the session accounting and other L3 context become affected?