Protocol analysis, wireless networking, and mobility

Protocol analysis, wireless networking, and mobility John Mitchell Stanford University

Many security Protocols • Challenge-response • ISO 9798-1,2,3; Needham-Schroeder, … • Authentication • Kerberos • Key Exchange • SSL handshake, IKE, JFK, IKEv2, • Wireless and mobile computing • Mobile IP, WEP, 802.11i • Electronic commerce • Contract signing, SET, electronic cash, …

IPv6 Mobile IPv6 Architecture • Authentication is a requirement • Early proposals weak Mobile Node (MN) Direct connection via binding update Corresponding Node (CN) Home Agent (HA)

802.11i Wireless Authentication

Transport (TCP) Internet (IP) Network interface Physical layer TLS protocol layer over TCP/IP http ftp telnet Application nntp SSL/TLS

SSL/TLS ClientHello S C ServerHello, [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone [Certificate], ClientKeyExchange, [CertificateVerify] Finished switch to negotiated cipher switch to negotiated cipher Finished

Handshake Protocol ClientHelloCSC, VerC, SuiteC, NC ServerHelloS  CVerS, SuiteS, NS,signCA{S, KS} ClientVerify C  SsignCA{ C, VC} {VerC, SecretC} signC {Hash(Master(NC, NS, SecretC) + Pad2 + Hash(Msgs + C + Master(NC, NS, SecretC) + Pad1)) } (Change to negotiated cipher) ServerFinished S  C{ Hash(Master(NC, NS, SecretC) + Pad2 + Hash(Msgs + S + Master(NC, NS, SecretC) + Pad1)) } ClientFinishedC  S{ Hash(Master(NC, NS, SecretC) + Pad2 + Hash( Msgs + C + Master(NC, NS, SecretC) + Pad1)) } KS Master(NC, NS, SecretC) Master(NC, NS, SecretC)

m1 m2 IKE subprotocol from IPSEC A, (ga mod p) B, (gb mod p) , signB(m1,m2) signA(m1,m2) A B Result: A and B share secret gab mod p Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks

Explicit Intruder Method Informal Protocol Description Formal Protocol Intruder Model Analysis Tool Find error

Initiate Respond Attacker C D Run of protocol B A Correct if no security violation in any run

Automated Finite-State Analysis • Define finite-state system • Bound on number of steps • Finite number of participants • Nondeterministic adversary with finite options • Pose correctness condition • Can be simple: authentication and secrecy • Can be complex: contract signing • Exhaustive search using “verification” tool • Error in finite approximation  Error in protocol • No error in finite approximation  ???

Murj [Dill et al.] • Describe finite-state system • State variables with initial values • Transition rules • Communication by shared variables • Scalable: choose system size parameters • Automatic exhaustive state enumeration • Space limit: hash table to avoid repeating states • Research and industrial protocol verification

Applying Murj to security protocols • Formulate protocol • Assume finite participants • Example: 2 clients, 2 servers • Assume finite message space • Represent random numbers by r1, r2, r3, … • Do not allow unbounded encrypt(encrypt(encrypt(…))) • Add adversary • Control over “network” (shared variables) • Possible actions • Intercept any message • Remember parts of messages • Generate new messages, using observed data and initial knowledge (e.g. public keys)

Needham-Schroeder in Murj(1) const NumInitiators: 1; -- number of initiators NumResponders: 1; -- number of responders NumIntruders: 1; -- number of intruders NetworkSize: 1; -- max. outstanding msgs in network MaxKnowledge: 10; -- number msgs intruder can remember type InitiatorId: scalarset (NumInitiators); ResponderId: scalarset (NumResponders); IntruderId: scalarset (NumIntruders); AgentId: union {InitiatorId, ResponderId, IntruderId};

Needham-Schroeder in Murj(2) MessageType : enum { --types of messages M_NonceAddress, --{Na, A}Kb nonce and addr M_NonceNonce, --{Na,Nb}Ka two nonces M_Nonce --{Nb}Kbone nonce }; Message : record source: AgentId; --source of message dest: AgentId; --intended destination of msg key: AgentId; --key used for encryption mType: MessageType; --type of message nonce1: AgentId; --nonce1 nonce2: AgentId; --nonce2 OR sender id OR empty end;

Needham-Schroeder in Murj(3) -- intruder i sends recorded message ruleset i: IntruderId do --arbitrary choice of choose j: int[i].messages do --recorded message ruleset k: AgentId do --destination rule "intruder sends recorded message" !ismember(k, IntruderId) & --not to intruders multisetcount (l:net, true) < NetworkSize ==> var outM: Message; begin outM := int[i].messages[j]; outM.source := i; outM.dest := k; multisetadd (outM,net); end; end; end; end;

Run of Needham-Schroeder • Find error after 1.7 seconds exploration • Output: trace leading to error state • Murj times after correcting error:

State Reduction on N-S Protocol

Security Protocols in Mur • Standard “benchmark” protocols • Needham-Schroeder, TMN, … • Kerberos • Study of Secure Sockets Layer (SSL) • Versions 2.0 and 3.0 of handshake protocol • Include protocol resumption • Tool optimization • Additional protocols • Contract-signing • Wireless networking … ADD YOUR PRODUCT HERE …

CS259 Term Projects Homework

Changhua He Wireless Threats • Passive Eavesdropping/Traffic Analysis • Easy, most wireless NICs have promiscuous mode • Message Injection/Active Eavesdropping • Easy, some techniques to gen. any packet with common NIC • Message Deletion and Interception • Possible, interfere packet reception with directional antennas • Masquerading and Malicious AP • Easy, MAC address forgeable and s/w available (HostAP) • Session Hijacking • Man-in-the-Middle • Denial-of-Service: cost related evaluation

Wireless Security Evolution • 802.11 (Wired Equivalent Protocol) • Authentication: Open system (SSID) and Shared Key • Authorization: some vendor use MAC address filtering • Confidentiality/Integrity: RC4 + CRC • Completely insecure • WPA: Wi-Fi Protected Access • Authentication: 802.1X • Confidentiality/Integrity: TKIP • Reuse the legacy hardware, still problematic • IEEE 802.11i (Ratified on June 24, 2004 ) • Mutual authentication • Data confidentiality and integrity: CCMP • Key management • Availability

Supplicant UnAuth/UnAssoc 802.1X Blocked No Key Supplicant Auth/Assoc 802.1X Blocked No Key Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK Supplicant Auth/Assoc 802.1X Blocked MSK Supplicant Auth/Assoc 802.1X UnBlocked New GTK Supplicant Auth/Assoc 802.1X Blocked PMK Supplicant Auth/Assoc 802.1X UnBlocked PTK/GTK AuthenticatorAuth/Assoc 802.1X UnBlocked New GTK AuthenticatorAuth/Assoc 802.1X Blocked No Key AuthenticatorAuth/Assoc 802.1X UnBlocked PTK/GTK AuthenticatorAuth/Assoc 802.1X UnBlocked PTK/GTK AuthenticatorUnAuth/UnAssoc 802.1X Blocked No Key AuthenticatorAuth/Assoc 802.1X Blocked PMK AuthenticatorAuth/Assoc 802.1X Blocked No Key Authentica-tion Server(RADIUS) No Key Authentica-tion Server(RADIUS) No Key Authentica-tion Server(RADIUS) No Key Authentica-tion Server(RADIUS) MSK Authentica-tion Server(RADIUS) No Key Authentica-tion Server(RADIUS) No Key Authentica-tion Server(RADIUS) No Key 802.11 Association EAP/802.1X/RADIUS Authentication MSK 4-Way Handshake Group Key Handshake Data Communication RSNA Conversations

Security Level Rollback Attack Authenticator RSNA enabled Pre-RSNA enabled Supplicant RSNA enabled Pre-RSNA enabled Bogus Beacon (Pre-RSNA only) Beacon + AA RSN IE Probe Request Bogus Probe Response (Pre-RSNA only) Probe Response + AA RSN IE 802.11 Authentication Request 802.11 Authentication Response Bogus Association Request (Pre-RSNA only) Association Request + SPA RSN IE 802.11 Association Response Pre-RSNA Connections

Solutions • Security Level Rollback Attack • Similar to general version rollback attack • Destroy security since WEP is insecure • Not vulnerability of 802.11i standard, but an implementation problem • Solutions • Allow only RSNA connections: secure, but too strict for common networks, where Transient Security Network is more convenient • Deploy both, but • Supplicant manually choose to deny or accept • Authenticator limit pre-RSNA connections to only insensitive data

Reflection Attack Adversary Impersonates Communicating Peers Legitimate Devices Authenticator and Supplicant {A1, Nonce1, sn, msg1} {A2, Nonce1, sn, msg1} {A1, Nonce2, RSN IE, sn, msg2, MIC} {A2, Nonce2, RSN IE, sn, msg2, MIC} {A1, Nonce1, RSN IE, GTK, sn+1, msg3, MIC} {A2, Nonce1, RSN IE, GTK, sn+1, msg3, MIC} {A1, sn+1, msg4, MIC} {SPA, sn+1, msg4, MIC} Peers Authenticated Bogus Authentication

Reflection Solutions • Possible in ad hoc networks • Violates mutual authentication • Solutions: • Restrict each entity to single role • Access point is not wireless station • Allow one entity to have two roles • But require different pairwise master keys (PMK)

802.11i Availability • Not an original design objective • Physical Layer DoS attacks • Inevitable but detectable, not our focus • Network and upper Layer DoS attack • Depend on protocols, not our focus • Link Layer attack • Flooding attack: Lots of traffic and power req’d • Some Known DoS attacks in 802.11 networks • DoS attack on Michael algorithm in TKIP • RSN IE Poisoning/Spoofing • 4-Way Handshake Blocking • Failure Recovery

AA, ANonce, sn, msg1 SPA, SNonce, SPA RSN IE, sn, msg2, MIC AA, ANonce, sn, msg1 AA, ANonce, sn, msg1 4-Way Handshake Blocking Supplicant Auth/Assoc 802.1X Blocked PMK AuthenticatorAuth/Assoc 802.1X Blocked PMK PTK Derived PTK Derived Random GTK AA, ANonce, AA RSN IE, GTK, sn+1, msg3, MIC SPA, sn+1, msg4, MIC PTK and GTK 802.1X Unblocked PTK and GTK 802.1X Unblocked

Countermeasures • Random-Drop Queue • Randomly drop a stored entry if the queue is full • Not so effective • Authenticate Message 1 • Use the share PMK; must modify the packet format • Reuse supplicant nonce • Reuse SNonce, derive correct PTK from Message 3 • Performance degradation, more computation in supplicant • Combined solution • Supplicant reuses SNonce • Store one entry of ANonce and PTK for the first Message 1 • If nonce in Message 3 matches the entry, use PTK directly • Eliminate memory DoS, only minor change to algorithm • Adopted by TGi

Failure Recovery • Failure recovery is important • Can reduce but not eliminate DoS vulnerabilities • Current 802.11i method • When failure, restart everything: inefficient • A better failure approach • If 802.1X does not finish, restart everything • Otherwise restart from nearest completed subprotocol • Channel scanning time is significantly larger than the protocol execution time

Improved 802.11i Stage 1: Network and Security Capability Discovery Stage 2: 802.1X authentication (mutual authentication, shared secret, cipher suite) 802.1X Failure Stage 3: Secure Association (management frames protected) Association Failure Stage 4: 4-Way Handshake (PMK confirmation, PTK derivation, and GTK distribution) 4-Way Handshake Timout Stage 5: Group Key Handshake Group Key Handshake Timout Stage 6: Secure Data Communications Michael MIC Failure or Other Security Failures

Summary of larger study

802.11i correctness proof in PCL • EAP-TLS • Between Supplicant and Authentication Server • Authorizes supplicant and establishes access key (PMK) • 4-Way Handshake • Between Access Point and Supplicant • Checks authorization, establish key (PTK) for data transfer • Group Key Protocol • AP distributes group key (GTK) using KEK to supplicants • AES based data protection using established keys Our proof covers subprotocols 1, 2, 3 alone and in various combinations

SSL/TLS ClientHello S C ServerHello, [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone [Certificate], ClientKeyExchange, [CertificateVerify] Finished switch to negotiated cipher switch to negotiated cipher Finished

TLS Protocol: Client The TLS Server actions also defined by a straight-line sequential process (cord)

TLS Properties • Authentication: client and the server agree on • Master secret • Protocol version and crypto suite • Each other’s identities • Protocol completion status • Secrecy • The master secret must not be known to any other principal

Theorems: Agreement and Secrecy • Client is guaranteed: • there exists a session of the intended server • this server session agrees on the values of all messages • all actions viewed in same order by client and server • there exists exactly one such server session Similar specification for server

Invariants required by TLS Server Side Recommendation: If the server reuses Public Key in a protocol different from TLS, then it should not send decryptions of incoming messages

4-Way handshake: Authenticator Supplicant actions also defined by a straight-line sequential process (cord)

4-Way Handshake properties • The pairwise key (PTK) is fresh and correctly generated from the PMK • Messages 2 and 4 assure authenticator that supplicant messages are current (not replay) • Message 3 assures supplicant that authenticator messages are current (not replay) • Pairwise key PTK derivation produces shared secret between supplicant and authenticator

4-way Handshake Properties Similar specification for server

4-Way : Relating invariants to deployment Recommendation: One Principal should not act as both authenticator and supplicant ! Otherwise, reflection attack. Consider careful deployment in Sensor Network scenarios

Group-Key Protocol

Group key handshake • Authenticator guarantee: If principal has the group key, then it must have a shared PTK with the authenticator • Supplicant guarantee: the GTK received was transmitted by the Access Point, and correctly supersedes any GTK from earlier handshakes (4-Way or Group Key) Observation: For assurance of GTK freshness, important that the first handshake uses 4-Way protocol; one principal should not be authenticator and supplicant, as in the 4-way handshake.

Composition • All necessary invariants are satisfied by basic blocks of all the sub-protocols • The postconditions of TLS imply the preconditions of the 4-Way handshake • The postconditions of 4-Way handshake imply the preconditions of the Group Key protocol

Complex Control Flows Simple Flow Complex Flow

Arnab Roy And what about mobility … ? • IPv4: Triangle routing • All traffic routed through home agent • IPv6: Binding update • Mobile node sends new “care-of address” • Many risks • Attacker can subvert existing connection • Announce false care-of address • Also, can send lots of packets to target • Announce that target is new care-of address for many connections

X, Y, H 1 Y, X, n Y, H, m, X 2 2 2 2 X, Y, hash(m, n, H, X) 4 1 4 3 H, X, m, Y 3 Representative protocol Corresponding node Y X H Mobile node Home agent

Protocol analysis, wireless networking, and mobility

Protocol analysis, wireless networking, and mobility

Presentation Transcript

Wireless Networking

Mobility Assisted Networking

Wireless Networking

Wireless Networking

Wireless Networking

Wireless Networking

Wireless and Mobility

Wireless Networking

Wireless Networking

Mobility and Multicast Protocol Design and Analysis

Mobility-Aware MAC Protocol for Wireless Sensor Network

Wireless Networking

Wireless Networking

Mobility and Networking

Wireless Networking

Wireless Networking

Wireless Networking

Wireless and Mobility

Networking Protocol

Wireless Networking

802.11i Wireless Networking Authentication Protocol

Wireless networking