1 / 9

Secure 802.11 Authentication Using Only A Password

Secure 802.11 Authentication Using Only A Password. Authors:. Date: 2009-01-19. Abstract. Authentication using a password or pre-shared key has not been done properly in 802.11. As a result there is no way to use these credentials to secure a WLAN. Password Authentication.

coreyp
Download Presentation

Secure 802.11 Authentication Using Only A Password

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Secure 802.11 Authentication Using Only A Password Authors: Date: 2009-01-19 Dan Harkins, Aruba Networks

  2. Abstract Authentication using a password or pre-shared key has not been done properly in 802.11. As a result there is no way to use these credentials to secure a WLAN. Dan Harkins, Aruba Networks

  3. Password Authentication • Passwords are the pre-eminent credential used for network access today. • The concept is simple to grasp for unsophisticated users. • They are easy to configure and easy to manage • They therefore tend to be: • Something easy to remember • Something that can be entered repeatedly with a low probability of error. • Weak, and problematic if not used properly. • Passwords are used today and will continue to be used tomorrow. Dan Harkins, Aruba Networks

  4. Problems with Passwords in 802.11 • Shared key authentication • Used a statically configured key in an authentication protocol. • Uses 802.11 authentication frames, if you can’t get authenticated you can’t associate. • Fundamentally flawed. Broken in a matter of seconds. • (WPA) PSK authentication • Hashes a password with the SSID to create a key to use in a cryptographic handshake for authentication. • Uses data frames, first you do open authentication, then association, and then you exchange data frames. • Susceptible to passive, guessing attack. Broken in a matter of minutes to a matter of hours depending on how “strong” the password is Dan Harkins, Aruba Networks

  5. Problems with Passwords in 802.11 • These issues cause continued bad press for 802.11. A simple search turns up: • “Unsafe at any key length” • “Wireless security’s broken skeleton in the closet” • “Networks suffer from wireless insecurity” • “Wireless connectivity can breed wireless insecurity” • The ease of use of passwords means they will continue to be used. • There is no way to securely use them in the standard today! Dan Harkins, Aruba Networks

  6. Secure Password-based Authentication • TGs has a peer-to-peer protocol for using a password to authenticate mesh points. • While designed for mesh, it is suitable for STA to AP communication, IBSS, and any other peer-to-peer application. • Uses 802.11 authentication frames in a cryptographically secure protocol. Can be used to protect subsequent authentication! • Provides security against passive attack, active attack, and dictionary attack. • Resistance to attack obviates password management rules that make passwords harder to use– passwords can be “weaker” and can be shared and still not be susceptible to attack. • It fits nicely into the 802.11 state machine– authentication using authentication frames! Dan Harkins, Aruba Networks

  7. Secure Password-based Authentication • Each side exchanges two messages, a commitment (to a guess of the password), and a confirmation (of knowledge of the password). • Uses a “zero knowledge proof” • The only information leaked by the exchange is whether you know the password or not. • Unlike (WPA)PSK an attacker cannot learn anything about the password by passively watching the exchange • An attacker gets one guess and one guess only per active attack. Countermeasures deal with repeated active attacks. • I have a proposal to add this to the base document but it needs vetting. Dan Harkins, Aruba Networks

  8. Straw Poll • “A secure password-based authentication protocol should become part of the base 802.11 standard” Yes: No: Don’t know: Dan Harkins, Aruba Networks

  9. References • Simultaneous Authentication of Equals: A Secure, Password-Based Key Exchange for Mesh Networks, D. Harkins, sensorcomm, pp. 839-844, Proceedings of the 2008 Second International Conference on Sensor Technologies and Applications, 2008 Dan Harkins, Aruba Networks

More Related