Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,"— Presentation transcript:

1 1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI, KAISA NYBERG Nokia Research Center

2 2 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Remote MN Authentication Methods Two network access scenarios Subscription based – there is a home network Alternative access based – there is no home network In both cases AAAL contacts some back-end authentication server to verify authenticity of MN

3 3 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Remote MN Authentication Methods Two cryptographic scenarios Public key based Secret key based In both cases authenticity of MN is based on some secrets MN has

4 4 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Remote MN Authentication Methods At least two session key scenarios Session credentials for MN – goal is service level session security, or session connection security with a different party Session connection security, e.g., communication security in link, transport and/or network layer … In all cases session keys are derived as a result of successful authentication between MN and AAAL

5 5 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Remote MN Authentication Methods - EAP Extensible Authentication Protocol (EAP) is a general protocol framework that supports multiple authentication mechanisms allows a back-end server to implement the actual mechanism authenticator simply passes authentication signaling through EAP was initially designed for use with PPP network access But has been adapted by for many types of access authentication WLAN (IEEE 802.1X), Bluetooth, … And even other applications charging, authorization EAP consists of several Request/Response pairs; Requests are sent by network starts with EAP-Request/Identity sent by network ends with EAP-Success or EAP-Failure sent by network But drawbacks of EAP prompted attempts to secure it

6 6 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Confidentiality of the identity of the MN on the air interface Prevention of linking between pairs of authentication messages involving the same MN Confidentiality against radio interface eavesdropping for data exchanged during the authentication protocol Existing EAP based authentication methods fail… Privacy requirements

7 7 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Different session key derivation methods Many legacy protocols for MN authentication Encapsulated in EAP types EAP does not provide a standard way for deriving session keys that can be used for message authentication or encryption Examples: 1. One-time passwords – totally insecure if not protected. Typically tunnelled through TLS. Session keys derived from TLS (proprietary to PEAP or TTLS). 2. EAP/SIM – proprietary protection methods - network authentication, session key derivation A consistent method of session key derivation is desirable (EAP WG needs to specify a key derivation framework)

8 8 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Protecting EAP- the PEAP approach Designed to protect any EAP method for terminal authentication. Designed to protect terminal anonymity. Authenticates network to terminal based on public key of network. Designed to provide mutual authentication. Makes use of TLS as the tunnel protocol: EAP protocol runs in TLS tunnel. Designed to provide unified method for session key derivation. Session keys derived from TLS: Protection of WLAN link is based on the same secrets as the TLS tunnel.

9 9 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Protecting EAP – the PEAP approach

10 10 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Protecting EAP – the PIC approach Bootstraps IKE (JFK etc) from any EAP protocol – intended for remote access to VPN gateways Protects any EAP method for MN authentication Provides MN anonymity Authenticates network (Back-end server or its agent) to MN Provides unified method for credential transport Tunnel protocol: simplified unilateral version of ISAKMP (Layer 3) Session credentials for IPSec SA created by Back- end server transported to MN through the protected tunnel Session communication protected by the L3 tunnel – currently no protection on L2 (MAC addresses)

11 11 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Protecting EAP – the PIC approach

12 12 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) PIC and PEAP - Open issues If it can be done, at what cost and under what assumptions on the use of PK? DoS attacks on access network? DoS attacks on radio interface? Additional roundtrip necessary? How to obtain network’s public key and link it to network’s identity? How can user verify network’s certificate? What about revocation?

13 13 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) PEAP/AKA- How it works

14 14 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) PIC EAP/AKA- How it works

15 15 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) PEAP/AKA- How it can fail

16 16 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) PIC EAP/AKA- How it can fail

17 17 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Analysis of the problem Inner protocol is a legacy remote client authentication protocol (EAP/SIM, EAP/AKA) –typically used also without TLS tunnelling, also without ANY tunnelling MitM can set up a false cellular base station to ask for IMSI and subsequently, for RES. Even if EAP protocol is used exclusively in tunnelled mode, authentication of tunnel relies solely upon the terminal. Terminal user may accept an unknown certificate! This is not acceptable to network operators. Session keys are derived from TLS Master Key generated using tunnel protocol (same key as used to create tunnel). Keys derived in the EAP protocol (EAP SIM or UMTS AKA Master Keys) are not used.

18 18 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Impacts of failure Under passive (eavesdropping) attacks: Tunneling provides some protection of user identity – however temporary identities that are managed on the home network can provide protection against both passive and active attacks Under active (man-in-the-middle) attacks: Tunnelled authentication protocols fail to protect user identity (e.g., IMSI in EAP AKA or EAP SIM) allow attacker to masquerade as the victim (e.g., and hijack her WLAN link) risk link confidentiality with EAP SIM as auth. protocol, are weaker than plain EAP SIM with EAP AKA as auth. protocol, are much weaker than plain EAP/AKA

19 19 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Proposed solution Create cryptographic binding between tunneling protocol and MN authentication protocol: METHOD 1: Use a one-way function to compute session keys from tunnel secrets (e.g.TLS master key) and EAP secrets (e.g. IK,CK). METHOD 2: Compute a MAC over the protected EAP-response and credential request, using a MAC key derived as session key in Method 1. MAC is verified by AAAL or AAAH. Now tunnel is secure for handling of session keys or credentials. In both methods, EAP secrets must be sent from AAAH to AAAL (or tunnel secrets must be sent from AAAL to AAAH) Both methods rely on the MN authentication protocol producing a session key as well.

20 20 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) Conclusions Composing two secure protocols may result in an insecure protocol Don’t fix something that isn’t broken! Using tunnelling to “improve” a remote authentication protocol is very common Known vulnerable combinations: HTTP Digest authentication and TLS PEAP and any EAP subtype PIC and any EAP subtype … The proposed solutions can be used to fix the problem the exact fix needs to be tailored to the specific protocols.

Download ppt "1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,"

Similar presentations

Authentication.

Authentication.
1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P1619.3 April 11, 2007 Andrea Doherty.

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.

PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.

What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
World Class Standards ANFOV - Milano, 14 November 2007 – Paolo DE LUTIIS ANFOV - Milano, 14 November 2007 Autore:Paolo DE LUTIIS Telecom Italia Security.

World Class Standards ANFOV - Milano, 14 November 2007 – Paolo DE LUTIIS ANFOV - Milano, 14 November 2007 Autore:Paolo DE LUTIIS Telecom Italia Security.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Doc.: IEEE 802.11-04/0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.

Doc.: IEEE /0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.

1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Protected Extensible Authentication Protocol

Protected Extensible Authentication Protocol
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).

Similar presentations

Ads by Google