Presentation is loading. Please wait.

Presentation is loading. Please wait.

EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba

Published byVivian Fitzgerald Modified over 8 years ago

Similar presentations

Presentation on theme: "EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba"— Presentation transcript:

1 EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba bernarda@microsoft.com

2 Observations Some EAP methods derive keys, some don’t Where keys are derived, strength varies widely The type of keys derived varies as well –Some methods derive ciphersuite-specific “session keys” –Some methods derive ciphersuite-independent “master keys” Some methods describe key hierarchy, some don’t

3 Goals and Objectives To describe basic concepts of EAP To describe the EAP keying architecture To point out pitfalls in design of EAP methods that derive keys To identify problems that require solution

4 Why Derive Keys? Key derivation not required in all uses –EAP can be used for authentication only Where EAP methods derive keys, it is possible to “bind” the authentication to: –Subsequent data packets encrypted/integrity protected with those keys –Subsequent EAP methods running within a sequence –The tunnel within which EAP runs –To accomplish these things, it is necessary to define a “key hierarchy”

5 EAP Terms Peer – desires network access NAS – provides network access AAA server (optional) provides centralized authentication, authorization and accounting for NASes

6 EAP Overview +-+-+-+-+-+ | | | Cipher- | | Suite | | | +-+-+-+-+-+ ^ ^ | | V V +-+-+-+-+-+ +-+-+-+-+-+ +-+-+-+-+-+ | | EAP | | | | | | Conversation | | | | | | | AAA | | Peer | | NAS/ | | Server | | |==============>| |<=======| | | | Keys | | Keys | | | | (Optional) | | | | +-+-+-+-+-+ +-+-+-+-+-+ +-+-+-+-+-+ ^ ^ | | | EAP API | EAP API | | V V +-+-+-+-+-+ | | | EAP | | Method | | | +-+-+-+-+-+

7 Assumptions of the Architecture EAP methods –EAP methods are implemented on the peer and AAA server –NAS does not implement EAP methods except perhaps the mandatory method –NAS typically “passes through” the authentication –NAS may not have knowledge of the EAP method selected by the peer and AAA server –Peer and AAA server typically negotiate the EAP method Ciphersuites –NAS & Peer negotiate and implement ciphersuites –Ciphersuites may be negotiated before or after EAP authentication, depending on the media PPP, 802.11i pre-auth: ciphersuite negotiated after authentication 802.1X: ciphersuite negotiated before authentication –AAA server may not have knowledge of the selected ciphersuite –EAP method residing on the peer or AAA server may not have knowledge of the selected ciphersuite

8 Corollaries EAP key derivation should be ciphersuite independent Key derivation separated into two phases: –Master session key derivation (occurs on AAA server, peer) MSK derivation is EAP method-specific MSKes sent from AAA server to NAS via AAA protocol –Session key derivation from MSKes (occurs on NAS, peer) Session key hierarchy is ciphersuite specific Reasons –Method may not know what the selected ciphersuite is at the time of key derivation –If key derivation is ciphersuite dependent, then EAP method will need to be revised each time a new ciphersuite comes out New EAP methods coming along all the time (36 so far, and counting) New media adopting EAP New ciphersuites being defined Matrix of ciphersuites times methods is big!

9 What is a Key Hierarchy? A description of how the session keys required by a particular cipher are derived from the keying material provided by the EAP methods –Implies that you need a hierarchy per ciphersuite/media Desirable characteristics –Key strength (64 bits typically not enough) –“Cryptographic separation” between keys used for different purposes (encryption, authentication/integrity, unicast/multicast, etc.)

10 Hierarchy Overview +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---+--- | | | | ^ | Is a raw master key | | Can a pseudo-master key | | | available or can | | be derived from | | | the PRF operate on it? | | the master key? | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | K | K' | | | | V V | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | EAP | | Master Session Key | Method | | Derivation | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | Master Session Key Outputs | | | | | V V | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | Key and IV Derivation | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | P->A | A->P | P->A | A->P | P->A | A->P EAP V | Enc. | Enc. | Auth. | Auth. | IV | IV API ---+--- | Key | Key | Key | Key | | ^ | (PMK) | | | | | AAA | | | | | | | Keys V V V V V V V ---+--- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^ | | | | Ciphersuite-Specific Key Hierarchy | NAS | | | | | | V +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---+---

11 Example Key Hierarchy (802.11i) Pairwise Master Key (PMK) PRF-X(PMK, “Pairwise key expansion”, Min(AA,SA) || Max(AA,SA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)) Pairwise Transient Key (PTK) (X bits) EAPOL-Key MIC Key L(PTK,0,128) (MK) EAPOL-Key Encrption Key L(PTK,128,128) (EK) Temporal Key 1 L(PTK,256,128) (TK 1) …

12 Pitfalls for the Unwary Arbitrary AAA EAP key attributes –Transport keys derived by EAP methods –Critical to EAP interoperability: NAS expects MSK, not session key –Can encourage bad practices: ciphersuite-specific EAP methods Improper key hierarchies –Loops can dilute key strength –Early 802.11i proposals had this problem EAP methods generating keys without sufficient entropy –802.11i assumes a 256-bit PMK! –Issue for EAP SIM and EAP GSS EAP methods without nonce exchanges –May not be able to generate required crytographic separation without a subsequent nonce exchange –Could cause method to work only on some media (e.g. 802.11 vs. PPP) –Issue for EAP SRP

13 Summary Secure key derivation is important to a number of uses of EAP –Secure ciphers lose their security when combined with insecure key derivation EAP key derivation architecture currently not well understood –Current EAP methods exhibit a number of problems relating to key derivation Secure key hierarchy derivation is a complex subject, best left to experts Need to consider hierarchy when designing EAP method

14 EAP GSS Draft-aboba-pppext-eapgss-12.txt Bernard Aboba bernarda@microsoft.com

15 Intended Purpose Integrated network/Kerberos login –Depends on IAKERB GSS-API method Media: PPP, IEEE 802 –Kerberos vulnerable to dictionary attack on IEEE 802.11 –Key derivation may not meet 802.11i criteria Requested Track: Experimental

16 Security Claims Mechanism: Depends on GSS-API mechanism (Kerberos: Passwords, Certs, Token cards) Mutual/one-way auth: typically mutual (Kerberos: Mutual) Key derivation 1. Supported: yes 2. Key size: depends on GSS-API method negotiated 3. Key hierarchy description: no Dictionary attack resistance: depends on method (Kerberos: no) Identity hiding: Depends on method (Kerberos: no) Protection 1. Method negotiation: Yes (SPNEGO) 2. Ciphersuite negotiation: No 3. Success/failure indication: No 4. Method packets: Yes Fast reconnect: depends on method (Kerberos: no)

17 Issues Scope –Does exchange end with AS_REP? TGT_REP? AP_REP? Security –Dictionary attack on AS_REQ/AS_REP Keying –How are tickets transmitted from peer to NAS? –Key derivation: initial draft did not include a nonce exchange, -12 does –Key derivation: Master key cannot be retrieved via GSS-API; need to derive “pseudo master key” via GSS_WRAP() calls –Key strength: depends on negotiated GSS-API method

Download ppt "EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt Bernard Aboba"

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-00xx-00-sec Title: IEEE 802.11r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.

IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec Title: IEEE r Fast BSS Transition – A Study Date Submitted: September 21, 2009 Present.
IEEE 802.11i: A Retrospective Bernard Aboba Microsoft March 2004.

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
Doc.: IEEE 802.11-01/039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE802.11 System Submitted to IEEE802.11.

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.

PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.
EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.

EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Doc.: IEEE 802.11-00/275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE 802.11 David Halasz, Stuart Norman, Glen.

Doc.: IEEE /275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE David Halasz, Stuart Norman, Glen.
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.

What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Ariel Eizenberg arielez@cs.huji.ac.il PPP Security Features Ariel Eizenberg arielez@cs.huji.ac.il.

Ariel Eizenberg PPP Security Features Ariel Eizenberg
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16, 2003 1300 - 1500.

July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,

Similar presentations

Ads by Google