Analysis of the 802.11i 4-Way Handshake
Changhua He, John C Mitchell. 2004 ACM International Workshop on Wireless Security (WiSe'04).
Sang-Rok Kim, Dependable Software Lab at KAIST, 2006. 9. 14.
Contents: Introduction, 4-way Handshake, Problem Statement, Countermeasures, Conclusion.
Introduction: Vulnerability
IEEE 802.11i (Introduction)
• Ratified on June 24, 2004
• Secure Data Communication over Wireless links
• WEP (Wired Equivalent Privacy)
• TKIP (Temporal Key Integrity Protocol)
• CCMP (Counter-mode/CBC-MAC Protocol)
• RSNA (Robust Security Network Association) Conversation
• Handshake
• Three Entities of RSN
• Supplicant
• Authenticator
• Authentication Server
[Figure labels: Station, Access Point, RADIUS]
RSNA Conversation (Introduction)
[Figure labels: MSK, PMK, PTK; IEEE 802.11 & 11i, IEEE 802.1x, IEEE 802.11i Handshake]
RSNA Conversation (4-Way Handshake): state of each entity after each stage
• Initial state: Supplicant UnAuth/UnAssoc, 802.1X Blocked, No Key | Authenticator UnAuth/UnAssoc, 802.1X Blocked, No Key | Authentication Server No Key
• 802.11 Association: Supplicant Auth/Assoc, 802.1X Blocked, No Key | Authenticator Auth/Assoc, 802.1X Blocked, No Key | Authentication Server No Key
• EAP/802.1X/RADIUS Authentication: Supplicant Auth/Assoc, 802.1X Blocked, MSK | Authenticator Auth/Assoc, 802.1X Blocked, No Key | Authentication Server MSK
• MSK: Supplicant Auth/Assoc, 802.1X Blocked, PMK | Authenticator Auth/Assoc, 802.1X Blocked, PMK | Authentication Server No Key
• 4-Way Handshake: Supplicant Auth/Assoc, 802.1X UnBlocked, PTK | Authenticator Auth/Assoc, 802.1X UnBlocked, PTK | Authentication Server No Key
• Group Key Handshake: Supplicant Auth/Assoc, 802.1X UnBlocked, GTK | Authenticator Auth/Assoc, 802.1X UnBlocked, GTK | Authentication Server No Key
• Data Communication: Supplicant Auth/Assoc, 802.1X UnBlocked, PTK/GTK | Authenticator Auth/Assoc, 802.1X UnBlocked, PTK/GTK | Authentication Server No Key
RSNA Conversation (4-Way Handshake): messages
Supplicant and Authenticator: Auth/Assoc, 802.1X UnBlocked, PTK. Authentication Server: No Key.
• Msg1, Authenticator to Supplicant: {AA, ANonce, sn, msg1, PMKID}
• Msg2, Supplicant to Authenticator: {SPA, SNonce, sn, msg2, MIC, RSN IE}
• Msg3, Authenticator to Supplicant: {AA, ANonce, sn+1, msg3, MIC, AA RSN IE, GTK}
• Msg4, Supplicant to Authenticator: {SPA, sn+1, msg4, MIC}
AA/SPA: MAC address. Nonce: random value. sn: sequence number. MIC: Message Integrity Code.
Simplified 4-Way Handshake (Problem Statement)
• Murφ Modeling
• Finite-State Verification
• Modeling Result
• Ignored fields: PMKID, RSN IE, GTK
• Necessary fields: Message Flag, Nonce
• Redundant fields: Sequence Number, MAC address
• Exclusive supplicant and authenticator
• Fresh Nonce
Simplified messages (Supplicant and Authenticator: Auth/Assoc, 802.1X UnBlocked, PTK):
• Msg1: {ANonce, msg1}
• Msg2: {SNonce, msg2, MIC}
• Msg3: {ANonce, msg3, MIC}
• Msg4: {msg4, MIC}
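DoS Attack (Problem Statement)
Authenticator and Supplicant both start at Auth/Assoc, 802.1X Blocked, PMK.
• Authenticator to Supplicant: {ANonce, msg1}. Supplicant: PTK Derived
• Supplicant to Authenticator: {SNonce, msg2, MIC}. Authenticator: PTK Derived
• Attack: {AA, ANonce, msg1} to the Supplicant. Supplicant: PTK' Derived
• Authenticator to Supplicant: {ANonce, msg3, MIC}. PTK' ≠ PTK: Blocked & Fail
• Without the attack: {msg4, MIC}, then both sides 802.1X UnBlocked, PTK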
DoS Attack (Problem Statement)
• Solution?
  • Store TPTK / PTK: cannot correctly verify the MIC in Msg3
  • Keep all states for every Msg1: mass forged-message attack (memory/CPU exhaustion)
• Inherent cause of the attack
  • The authenticator can discard an unexpected response
  • The supplicant cannot do so: it would cause deadlock and block the protocol
  • The supplicant must allow any Msg1 (parallel instances)
• Limitation of the attack
  • Dynamic PMKID: the attacker can forge Msg1 after reading Msg1
  • EAPOL-Key format: limits the attacks to occur only before the first PTK establishment
The attack can occur only after reading Msg1 and before the first handshake is established.
Random-Drop Queue (Countermeasures)
• If the queue is full, a randomly chosen entry is replaced by the new state
Message 1 Authentication (Countermeasures)
• Add a MIC to msg1
  • Reuse the shared PMK
  • Set the Nonce to a specific value (e.g., 0)
  • Derive a trivial PTK
  • Calculate the MIC with the derived PTK
• Limitation
  • If PSK or cached PMK? Vulnerable to replay attack
• Repaired countermeasure
  • Add an SN that increases monotonically
  • Use local time as the SN
• Weakness of this countermeasure
  • Modification of the packet format
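The Msg1 authentication steps above as a small model, added here as an illustration and not taken from the slides or the paper. The HMAC-SHA256 stand-in for the 802.11i PRF, the field layout, and the 8-byte SN encoding are assumptions.

```python
import hmac, hashlib

ZERO_NONCE = bytes(32)  # the slide's "specific value (e.g., 0)"

def trivial_ptk(pmk, aa, spa):
    # Stand-in PRF (assumption): HMAC-SHA256 keyed with the PMK, both nonces fixed to zero.
    data = min(aa, spa) + max(aa, spa) + ZERO_NONCE + ZERO_NONCE
    return hmac.new(pmk, b"Pairwise key expansion" + data, hashlib.sha256).digest()

def build_msg1(pmk, aa, spa, anonce, sn):
    # Authenticator side: MIC over the Msg1 fields, keyed with the trivial PTK.
    body = aa + anonce + sn.to_bytes(8, "big") + b"msg1"
    tag = hmac.new(trivial_ptk(pmk, aa, spa)[:16], body, hashlib.sha256).digest()[:16]
    return {"aa": aa, "anonce": anonce, "sn": sn, "mic": tag}

class Msg1Verifier:
    """Supplicant side: accept Msg1 only with a valid MIC and a strictly increasing SN."""
    def __init__(self, pmk, spa):
        self.pmk, self.spa, self.last_sn = pmk, spa, -1

    def accept(self, m):
        expected = build_msg1(self.pmk, m["aa"], self.spa, m["anonce"], m["sn"])["mic"]
        if not hmac.compare_digest(expected, m["mic"]):
            return False              # sender does not hold the PMK
        if m["sn"] <= self.last_sn:
            return False              # replayed or stale Msg1 (the PSK / cached-PMK case)
        self.last_sn = m["sn"]
        return True

def demo():
    pmk, aa, spa = b"\x11" * 32, b"\x02" * 6, b"\x04" * 6   # constructed sample values
    verifier = Msg1Verifier(pmk, spa)
    first = build_msg1(pmk, aa, spa, b"\xaa" * 32, sn=100)
    tampered = dict(first, anonce=b"\xbb" * 32, sn=101)     # MIC no longer matches
    later = build_msg1(pmk, aa, spa, b"\xcc" * 32, sn=101)
    # Order: genuine, replay of genuine, tampered copy, next genuine message
    return [verifier.accept(m) for m in (first, first, tampered, later)]
```

The SN check is what the MIC alone does not give: with a PSK or cached PMK the trivial PTK never changes, so an old Msg1 would otherwise still verify.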
Nonce Re-use (Countermeasures)
• Reuse Nonce
  • The supplicant reuses the value of SNonce until a legitimate handshake is completed successfully
  • The Nonce is not updated
  • No requirement for the authenticator to reuse ANonce
  • Eliminates the memory DoS attack
• Limitation
  • More computation on the supplicant side
  • Fixed SNonce: easy guessing of the PMK
• Weakness of this countermeasure
  • CPU exhaustion attack
Proposal (Countermeasures)
• Combination of countermeasures
  • Reuse SNonce
  • Store PTK and ANonce of the first Msg1
  • If stored ANonce = received ANonce in Msg3, use PTK
  • If stored ANonce ≠ received ANonce in Msg3, calculate new PTK
Message flow:
• {AA, ANonce, msg1}: Supplicant PTK Derived; Store PTK, ANonce
• {SNonce, msg2, MIC}: Authenticator PTK Derived
• Attack: {AA, ANonce, msg1}
• {ANonce, msg3, MIC}: if ANonce = stored ANonce, use stored PTK; if ANonce ≠ stored ANonce, PTK' Derived, use derived PTK; calculate MIC
• {msg4, MIC}
Proposal (Countermeasures)
• Combination of countermeasures
  • Reuse SNonce
  • Store PTK and ANonce of the first Msg1
  → Eliminate the Memory Exhaustion Attack
  • If stored ANonce = received ANonce, use PTK
  • If stored ANonce ≠ received ANonce, calculate new PTK
  → Eliminate the CPU Exhaustion Attack
• No Modification on Packet format
• Adopted by TGi
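The DoS condition and the combined countermeasure side by side, as an added model of the simplified handshake (not code from the slides or the paper). The HMAC-SHA256 stand-in for the 802.11i PRF, the class names, and the omission of Msg2's MIC are assumptions made to keep the model small.

```python
import hmac, hashlib, os

def derive_ptk(pmk, aa, spa, anonce, snonce):
    # Stand-in for the 802.11i PRF (assumption): HMAC-SHA256 over ordered addresses and nonces.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk, b"Pairwise key expansion" + data, hashlib.sha256).digest()

def mic(ptk, body):
    # First 16 bytes of the PTK serve as the key confirmation key.
    return hmac.new(ptk[:16], body, hashlib.sha256).digest()[:16]

class NaiveSupplicant:
    """One temporary PTK; every Msg1 picks a fresh SNonce and overwrites it."""
    def __init__(self, pmk, aa, spa):
        self.pmk, self.aa, self.spa, self.ptk = pmk, aa, spa, None
    def on_msg1(self, anonce):
        snonce = os.urandom(32)
        self.ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, snonce)
        return snonce
    def on_msg3(self, anonce, tag):
        return hmac.compare_digest(tag, mic(self.ptk, b"msg3" + anonce))

class CombinedSupplicant(NaiveSupplicant):
    """Slide proposal: reuse SNonce, store PTK and ANonce of the first Msg1 only."""
    def __init__(self, pmk, aa, spa):
        super().__init__(pmk, aa, spa)
        self.snonce, self.stored_anonce = os.urandom(32), None
    def on_msg1(self, anonce):
        if self.stored_anonce is None:
            self.stored_anonce = anonce
            self.ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)
        return self.snonce
    def on_msg3(self, anonce, tag):
        ptk = self.ptk
        if anonce != self.stored_anonce:  # recompute only when the stored pair does not match
            ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)
        return hmac.compare_digest(tag, mic(ptk, b"msg3" + anonce))

def handshake_completes(supplicant_cls, forged_before=0, forged_after=0):
    pmk, aa, spa = os.urandom(32), b"\x02" * 6, b"\x04" * 6  # constructed sample values
    sup, anonce = supplicant_cls(pmk, aa, spa), os.urandom(32)
    for _ in range(forged_before):      # unauthenticated Msg1 with random ANonce
        sup.on_msg1(os.urandom(32))
    snonce = sup.on_msg1(anonce)        # legitimate Msg1; SNonce returned in Msg2
    for _ in range(forged_after):
        sup.on_msg1(os.urandom(32))
    auth_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)  # authenticator's PTK
    return sup.on_msg3(anonce, mic(auth_ptk, b"msg3" + anonce))
```

The combined supplicant holds one (ANonce, PTK) pair regardless of how many Msg1 arrive, and Msg3 still verifies when a forged Msg1 was the first one seen, because the PTK is recomputed from the ANonce carried in Msg3.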
IEEE 802.11i (Conclusion)
• Conclusions
  • RSNA conversation
  • Simplified protocol by using Murφ
  • DoS attack
  • 3 countermeasures and their effectiveness
• Proposed solution
  • Combined Reuse Nonce solution
  • Advantages