1 / 20

Proving IEEE 802.11i Secure

CS259: Security Analysis of Network Protocols, Winter 2008. Proving IEEE 802.11i Secure. Mukund Sundararajan Joint work with Changhua He, Arnab Roy, Anupam Datta, Ante Derek, John Mitchell. 802.11i Key Management. TLS: Uses Certificates, provides authentication. 4WAY Handshake:

esma
Download Presentation

Proving IEEE 802.11i Secure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS259: Security Analysis of Network Protocols, Winter 2008 Proving IEEE 802.11i Secure Mukund Sundararajan Joint work with Changhua He, Arnab Roy, Anupam Datta, Ante Derek, John Mitchell

  2. 802.11i Key Management TLS: Uses Certificates, provides authentication 4WAY Handshake: Creates keys for data communication Group key handshake: Keys for broadcast communication Data protection: AES based Auth Server Laptop Access Point (Shared Secret-PMK)

  3. Properties of 802.11i Key Mgt. • Roughly • Only authorized devices can join n/w • Devices do not join rogue n/w • Peer device is alive • Keys set up for data and group communication are fresh and secret

  4. Proof of 802.11i security A Formal Proof in Protocol Composition Logic (PCL) of : • On execution of an 802.11i role, properties listed in the standard are satisfied. • Attacker model (perfect crypto) • Intercept, read, reorder, delete any message on the n/w • Construct, send messages

  5. Why a Proof? • [He Mitchell] analyzed 4Way Handshake using Murphi • Found a DoS attack • But did not find any security flaws • [Mitchell Shmatikov] analyzed TLS • ‘Finite’ state analysis does not guarantee security

  6. Model Checking does’nt Scale EAP-TLS Server EAP-TLS Client 4WAY Supplicant 4WAY Authenticator Group key Supplicant Laptop A.P. A.S. Group key Authenticator 802.11i

  7. TLS Server Role receive C, S, nc, suiteC //Hello new ns send S, C, ns, suiteS //Resp receive C, S, {sec}Ks , SIGC(hshk1) //Xfer check SIGC(hshk1) decrypt {sec}Ks send S, C, hashsec(hshk2) //ServerView

  8. Security Properties of TLS • The client and the server agree on • Value of the secret • Version and crypto suite • Identities (mutual authentication) • Protocol completion status • The secret term is not known to a principal who is not the client or the server (shared secret)

  9. Matching Conversations Honest(C) [TLS Server]SC. Send ( C, Hello) Receive ( S, Hello ) Receive ( S, Hello )  Send ( S, Resp) Send ( S, Resp)  Receive( C, Resp) Receive( C, Resp)  Send ( C, KeyXfer)  Send ( C, KeyXfer) Receive ( S, KeyXfer)  Receive ( S, KeyXfer) Send( S,ServerView)

  10. Proof Sketch 1. S sees SIGC(hshk1) concludes C constructed it 4. If honest C constructed SIGC(hshk1), then it executed actions consistent with TLS Client role 5. Order actions based on freshness of nonces

  11. Some Axioms Used in the Proof

  12. Program Invariant used in Proof

  13. Proof of TLS Authentication

  14. Matching Conversations!

  15. Proof Structure EAP-TLS Server EAP-TLS Client 4WAY Supplicant 4WAY Authenticator Group key Supplicant Pre-conditions Local Reasoning Based on actions And cryptography Program Invariants Group key Authenticator

  16. Protocol Insights • 802.11i is secure • Other modes are safe • Using Cached PMKs and Pre-shared Keys is safe • Safe under error handling • Protocols can share certificates with TLS as long as conditions listed in paper are satisfied

  17. Evolution of WLAN Security • Wired Equivalent Privacy • Incorrect use of cryptography • WEP lacks key mgt • 802.11i is designed to fix these issues (June 2004) • [He Mitchell] uncovers DoS attacks • Fix adopted by standards committee • Security Proof of 802.11i

  18. Error Handling [HM05] Stage 1: Network and Security Capability Discovery Stage 2: 802.1X Authentication (mutual authentication, shared secret, cipher suite) 802.1X Failure Stage 3: Secure Association (management frames protected) Association Failure Stage 4: 4-Way Handshake (PMK confirmation, PTK derivation, and GTK distribution) 4-Way Handshake Timeout Stage 5: Group Key Handshake Group Key Handshake Timeout Stage 6: Secure Data Communications Michael MIC Failure or Other Security Failures

  19. Interactions can cause Flaws • Exercise: Construct two protocols. Each does something reasonable. Each is secure in isolation. • But, if any principal executes both protocols, one of the two protocols is insecure. • Chosen protocol attack (Wagner et.al.)

  20. Thanks!

More Related