Password Authenticated Key Exchange
Date: 2008-01-12
Dan Harkins, Aruba Networks
Abstract
A key exchange authenticated with a password (which may be cryptographically weak) is presented.
Pre-shared Key Authentication in 11s
• Required for certain use cases.
• Current proposal is unrealistic
  • Pre-shared key is assumed to be cryptographically strong
  • Pre-shared key is pairwise.
• Pre-shared keys are deployed problematically for a reason
  • Pairwise keys don't scale: give an administrator a choice between O(n) and O(1) and s/he will choose the latter.
  • Pre-shared keys will be shared. Experience shows that things will be used insecurely if that's easier to deploy.
  • If n is a non-trivial amount (i.e. at least one-half dozen) the pre-shared key must be something that can be repeatedly entered with a low probability of errors, i.e. it probably won't be cryptographically strong.
• Design of Key Hierarchy assumes root key is unique
  • Sharing of pre-shared keys voids a fundamental security assumption
  • The pre-shared key is used directly in the MSA 4-way handshake
This Poses Severe Problems in a Mesh
• Using the pre-shared key (or a key trivially derived from the pre-shared key) with MSA authentication is susceptible to attack.
  • There are downloadable scripts available that can crack an 802.11i PSK in minutes! They could easily do the same for an 802.11s PSK
• The attack in 11s is far worse than the attack in 11i
  • Attacking 802.11i PSK allows access to the network behind an AP for attackers within earshot of the AP.
  • Attacking 802.11s PSK would allow the mesh to grow unbounded to unauthorized MPs and clients
  • Successful attacks cause the mesh to grow, further increasing unauthorized traffic being sent onto the wired network behind the mesh.
  • The larger the mesh, the more opportunity for more attackers to see the mesh and attack it. It's a vicious downward spiral.
• Uniqueness of mesh makes pre-shared key usage problematic
  • A mesh introduces more opportunities for attack (more MPs!) than an infrastructure network
  • Successful attack of one node compromises the mesh and allows for exposure of prior traffic sent to/from the compromised MP and forgery of traffic to/from the compromised MP.
[Figure sequence: a mesh growing under attack]
• Mesh is used in a warehouse
• It gets attacked, mesh grows when unauthorized mesh point authenticates with the PSK.
• Bigger mesh is visible to more people who attack it, further growing the mesh
• …and it keeps growing as it keeps getting attacked.
How to Fix this Problem
• We need to ensure mesh security regardless of deployment.
• We need to ensure that the key used in the MSA 4-way handshake is unique and cryptographically strong. We cannot do that by issuing a fiat in the draft.
• We need a way to turn a cryptographically weak, and possibly shared, pre-shared secret into a unique and cryptographically strong key. This technique must be:
  • Resistant to active attack
  • Resistant to passive attack
  • Resistant to dictionary attack
• We need to ensure that the technique used to generate a cryptographically strong key is appropriate for mesh.
  • There cannot be any notion of an “initiator” and a “responder”
  • We need simultaneous authentication of equals
Simultaneous Authentication of Equals
• A protocol for authentication and key derivation using a, presumably weak, pre-shared secret
• Initially both parties share:
  • Knowledge of identity of self and each other's identity: “Alice” and “Bob”.
  • A secret that need not be cryptographically strong: password.
  • A public ordering function, L, that returns the “greater” of two strings
  • A public random function, H
  • The definition of a finite cyclic group. For an elliptic curve group E, base point is G, order is r. (Notation: a point is uppercase, Z, and a scalar is lowercase, z).
  • A bijective function, F(), that maps an element from the group to an integer. For an elliptic curve group, F() merely takes the x component of the point.
• Upon completion:
  • Peers are authenticated
  • Peers share an authenticated (master) key that will be suitable for use with the MSA 4-way handshake.
Simultaneous Authentication of Equals
• Assumptions
  • Function H is a “random oracle”. An adversary is given access to a black box which upon input of data known to the adversary returns either random bits or the output of H. The adversary is unable to distinguish between the two and any advantage the adversary can gain is negligible and is solely through repeated interaction with the black box.
    • For H: {0,1}* → {0,1}^k each of the 2^k possible outputs has an equal probability of being the output for some input.
    • H is one-way. Given y = H(x) it is infeasible to determine x.
  • The finite cyclic group is one for which the discrete logarithm problem is hard: given y = g^x for some element of the group (the generator) g, it is infeasible to determine x. Equivalently for an elliptic curve group, given Y = x*G for some point on the curve (the generator) G, it is infeasible to determine x.
Simultaneous Authentication of Equals
Both sides compute:
    if L(Alice, Bob) == Alice then
        q = H(Alice | Bob | password)
    else
        q = H(Bob | Alice | password)
    P = q*G
Alice:
• Choose random a
• Compute U = a*G, u = F(U)
• A = -(u*P), m = (a + u) mod r
Bob:
• Choose random b
• Compute V = b*G, v = F(V)
• B = -(v*P), n = (b + v) mod r
Alice → Bob: m, A
Bob → Alice: n, B
Alice:
• Compute K = a*(n*P + B) = a*b*p*G
• Compute k = F(K)
• Compute x = H(k | A | m | B | n)
Bob:
• Compute K = b*(m*P + A) = b*a*p*G
• Compute k = F(K)
• Compute y = H(k | B | n | A | m)
Alice → Bob: x
Bob → Alice: y
Alice: Verify y
Bob: Verify x
Authenticated Master Key = H(k | F(A+B) | (n+m) mod r)
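The exchange on this slide, as an added Python example (not code from the presentation): both peers run the same functions, and a peer holding a different password fails the confirmation step. The P-256 curve, SHA-256 over length-prefixed fields as H, and all function names are assumptions of this example.

```python
# NIST P-256, SHA-256 as H and all names are assumptions. Illustration only: not constant-time.
import hashlib, secrets
p = 2**256 - 2**224 + 2**192 + 2**96 - 1          # field prime
r = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(S, T):                        # affine point addition; None is the point at infinity
    if S is None or T is None: return S or T
    (x1, y1), (x2, y2) = S, T
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = ((3*x1*x1 - 3) * pow(2*y1, p-2, p) if S == T
           else (y2 - y1) * pow(x2 - x1, p-2, p)) % p
    x3 = (lam*lam - x1 - x2) % p
    return x3, (lam*(x1 - x3) - y1) % p

def mul(k, T):                        # double-and-add scalar multiplication k*T
    R = None
    while k:
        if k & 1: R = add(R, T)
        T, k = add(T, T), k >> 1
    return R

def F(T): return T[0]                 # F(): x component of a point
def H(*parts):                        # H(): SHA-256 over length-prefixed fields
    enc = [repr(x).encode() for x in parts]
    data = b"".join(len(s).to_bytes(4, "big") + s for s in enc)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def password_element(me, peer, password):
    hi, lo = max(me, peer), min(me, peer)      # L(): the "greater" identity goes first
    return mul(H(hi, lo, password) % r, G)     # P = q*G

def commit(P):                                 # returns private a and first message (m, A)
    a = secrets.randbelow(r - 1) + 1
    u = F(mul(a, G))
    uP = mul(u, P)
    return a, ((a + u) % r, (uP[0], -uP[1] % p))   # A = -(u*P)

def confirm(P, a, mine, theirs):               # (tag to send, tag expected, master key)
    (m, A), (n, B) = mine, theirs
    k = F(mul(a, add(mul(n, P), B)))           # K = a*(n*P + B)
    return H(k, A, m, B, n), H(k, B, n, A, m), H(k, F(add(A, B)), (n + m) % r)

def run(pw_alice, pw_bob):                     # neither side is initiator or responder
    Pa = password_element("Alice", "Bob", pw_alice)
    Pb = password_element("Bob", "Alice", pw_bob)
    a, msg_a = commit(Pa); b, msg_b = commit(Pb)
    x, want_y, key_a = confirm(Pa, a, msg_a, msg_b)
    y, want_x, key_b = confirm(Pb, b, msg_b, msg_a)
    return y == want_y, x == want_x, key_a == key_b
```

`run("mesh-secret", "mesh-secret")` returns `(True, True, True)`; when the two passwords differ, both verifications fail and the derived keys do not match.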
Simultaneous Authentication of Equals
• Peer-to-peer protocol, not lock-step
• No notion of “initiator” and “responder”; “supplicant” and “authenticator” or “client” and “server”.
• Initial messages are not dependent on each other; final messages are dependent on initial messages, not each other.
• Each side can “initiate” or both can “initiate” simultaneously and the resulting protocol instances are identical
[Figure: three message-flow diagrams between Bob and Alice: Alice initiates first; Bob initiates first; both initiate simultaneously]
Simultaneous Authentication of Equals
• Attractive security properties
  • Perfect Forward Secrecy for keys. Key is authenticated in addition to the mesh points being authenticated.
  • Resistant to active attack, passive attack, and dictionary attack.
• Uniquely appropriate for a mesh
  • No roles: initiator/responder or supplicant/authenticator
  • Either party can initiate first or both can initiate at the same time
• Addresses numerous comments: 1345, 1614, 1615, 1616, 1622, 2975, 2980, 4750*, and 4758
• Security proof? I'm working on it. Hope to have something for the next meeting.
* my personal favorite.
How to Fix this Problem
[Figure: key hierarchy. Labels: pre-shared key; Authentication Server (IEEE 802.1X Authentication only); cryptographically weak; password authenticated key exchange; cryptographically strong; cryptographically strong; Mesh Key Distributor; Mesh Authenticator A derives PTK-A; Mesh Authenticator B derives PTK-B]
Simultaneous Authentication of Equals
• What's the plan?
  • Socialize the idea within the 802.11s Working Group
  • Solicit input on how to most harmoniously incorporate this protocol into the 802.11s draft
  • Have some normative text ready for a motion very soon
• Please come see me or email me:
  • If any of the PSK-related comments are yours
  • If you think this is a good idea
  • If you think this is a bad idea
• If you have crypto people at work who typically review standards please have them look at this and please send any comments to me.
Backup
• This protocol can also be described using finite cyclic groups based on exponentiation modulo a prime.
• Such a group would have a generator g, a prime r, and exponentiation would be i = g^j mod r.
• A couple of caveats:
  • The bijective function becomes trivial: F(x) = x. It will be eliminated from the description.
  • The order of the generator of the group is not necessarily (r-1) but it will serve the purpose of effectively reducing the sum of the two random numbers while not changing the resulting computation of k. If the order is part of the group definition it should be used instead to reduce a+u (b+v).
Backup
Both sides compute:
    if L(Alice, Bob) == Alice then
        q = H(Alice | Bob | password)
    else
        q = H(Bob | Alice | password)
    p = g^q mod r
Alice:
• Choose random a
• Compute u = g^a mod r
• A = 1/g^u mod r
• m = (a + u) mod (r-1)
Bob:
• Choose random b
• Compute v = g^b mod r
• B = 1/g^v mod r
• n = (b + v) mod (r-1)
Alice → Bob: m, A
Bob → Alice: n, B
Alice:
• Compute k = (p^n mod r * B)^a mod r = g^(b*p*a) mod r
• Compute x = H(k | A | m | B | n)
Bob:
• Compute k = (p^m mod r * A)^b mod r = g^(a*p*b) mod r
• Compute y = H(k | B | n | A | m)
Alice → Bob: x
Bob → Alice: y
Alice: Verify y
Bob: Verify x
Authenticated Master Key = H(k | (A+B) mod (r-1) | (n+m) mod (r-1))