Secure PSK Authentication
Authors: Dan Harkins, Aruba Networks
Date: 2010-07-14
Abstract
This presentation describes the problems with D0.1’s use of PSKs and a solution to them.
What’s the Problem?
• PSKs are being used for authentication in a PBSS.
• It is difficult to provision a “strong” PSK.
• Strength is a function of entropy in the PSK.
• For a character-based PSK there is approximately 1.5 bits of entropy per character.
• Generating a key suitable for use with GCM implies a character string of around 100 characters.
• Humans have a hard time entering a string of 20 characters repeatedly with a low probability of error.
• Weak PSKs will be used because doing otherwise is prohibitive and problematic for operators and users.
• Need a robust protocol to use PSKs properly; can’t just mandate that all PSKs are uniformly random binary strings of sufficient length.
Okay, So What’s the Problem?
• The PSK is leaked when used in Draft 0.1.
• Using the PSK directly in the 4-Way Handshake has known and well-published problems. Cracking tools available on the Internet.
• A PSKID, based on a hash of the PSK, is included in beacons.
• Protocols using the PSK are susceptible to an off-line dictionary attack.
• An attacker has all information needed to run through a dictionary of potential passwords until the correct one is found.
• This attack is not detectable by legitimate members of the PBSS.
• Learning the PSK allows an attacker to recover all past and future traffic.
• The strength of the PSK determines the strength of the GCM key and that’s not strong enough (see previous slide).
What’s the Solution?
• A protocol that uses a PSK and is resistant to attack.
• Each active attack leaks a single bit of information: whether the single guess was correct or not. Passive attack is not possible.
• Probability of guessing the PSK is 1/(S-x) after x guesses of the PSK from a pool of possible PSKs of size S.
• Perfect Forward Secrecy is achieved.
• A protocol which can produce a cryptographically strong key suitable for use with GCM.
• An entropy amplifier!
• The strength of the PSK does not determine the strength of the GCM key.
• A robust, misuse-resistant protocol.
• A protocol called SAE from the 11s draft.
SAE
• Based upon the Dragonfly key exchange.
• Secure against active, passive and dictionary attack.
• Uses public key cryptography to produce a strong GCM key that is authenticated with a (potentially weak) PSK.
• An RSNA authentication protocol for 802.11.
• Uses 802.11 authentication frames (not data frames).
• Free, open source (BSD licensed) reference implementation available: http://sourceforge.net/projects/authsae
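Added example, not taken from the presentation or from the authsae reference implementation: a simplified Dragonfly-style commit/confirm exchange in Python, showing that matching PSKs yield a fresh 256-bit key on every run while a wrong PSK only produces a failed confirm. The group choice, the SHA-256/SHAKE-256 encodings, the station names STA-A/STA-B and all function names are assumptions for illustration; real SAE defines its own groups, KDF and frame formats.

```python
import hashlib
import secrets

# Assumption: RFC 2409 Oakley Group 1 safe prime, used only to keep the listing short.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2  # order of the subgroup that the password element generates

def H(*parts):  # SHA-256 over length-prefixed fields; integers encoded as 96 bytes
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else x.to_bytes(96, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return h.digest()

def password_element(psk, id_a, id_b):
    """Hash the PSK and both identities into the order-Q subgroup (simplified)."""
    seed = b"|".join(sorted([id_a, id_b]) + [psk])
    for counter in range(1, 256):
        x = int.from_bytes(hashlib.shake_256(seed + bytes([counter])).digest(96), "big")
        pe = pow(x % P, 2, P)  # squaring maps into the subgroup because (P-1)/Q == 2
        if pe > 1:
            return pe
    raise ValueError("no password element found")

class Peer:
    def __init__(self, psk, me, other):
        self.pe = password_element(psk, me, other)
        self.rand = secrets.randbelow(Q - 2) + 2
        mask = secrets.randbelow(Q - 2) + 2
        self.scalar = (self.rand + mask) % Q               # sent in the commit
        self.element = pow(pow(self.pe, mask, P), -1, P)   # PE^(-mask), sent in the commit

    def confirm(self, peer_scalar, peer_element):
        """Consume the peer's commit; return (own confirm, expected peer confirm)."""
        if not (1 < peer_scalar < Q and 1 < peer_element < P - 1):
            raise ValueError("invalid commit")
        ss = pow(pow(self.pe, peer_scalar, P) * peer_element % P, self.rand, P)
        mine, theirs = (self.scalar, self.element), (peer_scalar, peer_element)
        self.key = H(b"key", ss, *min(mine, theirs), *max(mine, theirs))
        return H(b"confirm", ss, *mine, *theirs), H(b"confirm", ss, *theirs, *mine)

def exchange(psk_a, psk_b):
    """Run commit and confirm between two peers; return (accepted, key_a, key_b)."""
    a, b = Peer(psk_a, b"STA-A", b"STA-B"), Peer(psk_b, b"STA-B", b"STA-A")
    a_sends, a_expects = a.confirm(b.scalar, b.element)
    b_sends, b_expects = b.confirm(a.scalar, a.element)
    return a_expects == b_sends and b_expects == a_sends, a.key, b.key
```

An observer sees only the scalars, elements and confirms, none of which can be checked against a candidate PSK without the private random values, which is why each guess costs one active exchange.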
References
• 11-10-0884-00-00ad-secure-psk-authentication.doc