doc.: IEEE 802.11-07/0793r0, Submission, May 2007, Robert Moskowitz, ICSAlabs: PSK a Serious Risk for Mesh Formation Control

May 2007

Robert Moskowitz, ICSAlabs

Slide 1

doc.: IEEE 802.11-07/0793r0

Submission

PSK a Serious Risk for Mesh Formation Control

Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.

Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http://ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair [email protected] as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at <[email protected]>.

Date: 2007-05-15

Authors:
Name: Robert Moskowitz
Company: ICSAlabs/Cybertrust
Address: Oak Park, MI
Phone: 248 968-9809
email: [email protected]

Abstract

• This submission analyzes the security of the PSK option for the Mesh Key Hierarchy. It shows that if any element in the key hierarchy can be attacked, discovering part of the key will in many cases expose the original PSK value.

Motivation

• There is a major demand for a Mesh keying methodology that does not require 802.1X and an EAP method.
  – The classic approach is to allow for keying material to be provided “out of band”, e.g. manually entered into an admin GUI.
  – The PSK solution used in IEEE 802.11i was shown to be very vulnerable to a dictionary attack, and this attack is now standardly available.
• An analysis is needed to establish if the PSK methodology is as vulnerable as in 802.11i.
  – And if so, is there an alternative PSK methodology that would be 'strong enough'.

PSK risk model

• In 802.11i, an attack on the PSK permits the inclusion of an unauthorized STA
  – Or the creation of a rogue AP.
• In 802.11s, an attack on the PSK permits an undetectable insertion of a rogue MP.
• Conclusion:
  – In 802.11i, a cracked PSK opens the wireless network to an outsider.
  – In 802.11s, a cracked PSK opens the mesh infrastructure to an outsider. This is considered a catastrophic attack against the mesh.

802.11s Mesh key derivations

• The key derivations provided in sec 8.8 included:
  – PMK-MKD = KDF-256(PSK, “MKD Key Derivation”, MeshIDlength || MeshID || MKDD-ID || SPA)
  – PMK-MA = KDF-256(PMK-MKD, “MA Key Derivation”, PMK-MKDName || MA-ID || SPA)
  – PTK = KDF-PTKLen(PMK-MA, “Mesh PTK Key derivation”, SNonce || ANonce || SPA || MA-ID || PMK-MAName)
  – KDK = KDF-256(PSK, “Mesh Key Distribution Key”, MeshIDLength || MeshID || MKDD-ID || MA-ID)
  – PTK-KD = KDF-256(KDK, “Mesh PTK-KD Key”, MA-Nonce || MKD-Nonce || MA-ID || MKDID)

802.11s PSK as attackable as in 802.11i

• The PTK derivation is identical in 802.11i and 802.11s
  – Thus the PSK attack is the same for both environments
    • That is open to a dictionary attack.
• A common user supplied PSK of 8 characters has an attack space of 2^23
  – See: http://www.smat.us/sanity/pwdilemma.html
• Without strong user guidance, PSK values will be weak and thus open to attack
  – Further, 802.11s requires a PSK per MP!
  – Too much to expect a user to create lots of strong PSKs.

Does the PSK per MP provide mitigation?

• It seems not
  – It is easy for the attacker to gain the name of the MP whose PSK it has cracked.
  – There is no way for the MKD to recognize two distinct MPs, using the same name and of course PSK.
    • Complicated when there are multiple copies of the MKD within the mesh.
• Could this be fixed?
  – Perhaps.
    • Consider an identity-based protocol between the MA and MKD like HIP. But how would the Host Identity be securely registered in the MKD?

IS there a better Key Derivation with PSK?

• Consider the accepted method of expanding a key to enough bits and slicing the result for all needed keys.
  – E.g. KCK-KD and KEK-KD from PTK-KD
• Initially expand the PSK and use pieces of the expansion for each sub derivation.
  – PSK-Expand = KDF-1024(PSK, “MKD Key Derivation”, MeshIDlength || MeshID || MKDD-ID || SPA)
  – PMK-MKD = KDF-256(L(PSK-Expand, 256, 256), “MKD Key Derivation”, MeshIDlength || MeshID || MKDD-ID || SPA)
• Potentially 2^(1024-256) PSKs can provide the PTK-MKD!

Non-Rigorous Proof of Attack

• Claim: If a PSK is successfully cracked via a dictionary attack, this IS the real PSK out of the 2^(1024-256) possible values.
• Can a human create a 'near-collision'?
  – KDF-1024(X)=ABCDEFGH
  – KDF-1024(Y)=ABCDEXYZ
    • X and Y collide in first 256 bits
    • X and Y do not collide in last 768 bits
• Not believed possible

Can a near-collision be found for a document?

• User creates 2 documents that produce the same truncated hash and signs both hashes.
• User can then repudiate document1 with document2.
• No proof of this for SHA-1, but concern it is only a matter of time. A strong hash (e.g. SHA-256) will put this attack further in the future.

THUS:

• If a dictionary attack against the PSK as derived above can be solved, then the cracked PSK IS the real one and will properly generate all of the key hierarchy.
  – If the cracked value is 'Wireless' the probability that the user really used, say 'W1reiess' is vanishingly small. (i.e. Improbable)
  – Note that the whole dictionary needs to be tested, as there really MIGHT be multiple collisions in dictionary space.
• THAT IS, THERE IS NO MAGIC
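
Added example (not part of the original submission): the expand-then-slice derivation from the "better Key Derivation" slide next to the direct sec 8.8 derivation, run over a small constructed PSK set to show that the PMK-MKD key space is bounded by the PSK space in both cases. The kdf() below is a counter-mode HMAC-SHA256 stand-in for KDF-Length, and the MeshID, MKDD-ID, SPA and PSK values are made up.

```python
import hashlib
import hmac
import math
import struct

LABEL = b"MKD Key Derivation"

def kdf(key: bytes, label: bytes, context: bytes, bits: int) -> bytes:
    """Counter-mode HMAC-SHA256 expansion. Assumption: a stand-in for the
    draft's KDF-Length, not a verified copy of it."""
    out = b""
    for i in range(1, (bits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: bits // 8]

def L(s: bytes, first_bit: int, nbits: int) -> bytes:
    """Return nbits of s starting at first_bit (byte-aligned offsets only)."""
    return s[first_bit // 8 : (first_bit + nbits) // 8]

def pmk_mkd_direct(psk: bytes, ctx: bytes) -> bytes:
    # PMK-MKD = KDF-256(PSK, label, context)
    return kdf(psk, LABEL, ctx, 256)

def pmk_mkd_expanded(psk: bytes, ctx: bytes) -> bytes:
    # PSK-Expand = KDF-1024(PSK, ...); PMK-MKD = KDF-256(L(PSK-Expand, 256, 256), ...)
    psk_expand = kdf(psk, LABEL, ctx, 1024)
    return kdf(L(psk_expand, 256, 256), LABEL, ctx, 256)

def key_space_bits(derive, psks, ctx) -> float:
    """log2 of the number of distinct PMK-MKD values the PSK set can produce."""
    return math.log2(len({derive(p, ctx) for p in psks}))

# Constructed context: MeshIDlength || MeshID || MKDD-ID || SPA (values made up).
CTX = (bytes([9]) + b"demo-mesh"
       + bytes.fromhex("020000000001") + bytes.fromhex("020000000002"))
# Constructed stand-in for the set of PSKs users actually choose.
PSKS = [b"Wireless", b"W1reiess", b"meshmesh", b"password"]

if __name__ == "__main__":
    for name, derive in (("direct", pmk_mkd_direct), ("expanded", pmk_mkd_expanded)):
        print(f"{name:8s}: PMK-MKD is 256 bits long, key space is "
              f"{key_space_bits(derive, PSKS, CTX):.0f} bits")
```

Both derivations report the same key space because every stage is a deterministic function of the PSK; the 1024-bit intermediate adds length, not unpredictability.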

Conclusions

• Best action is to totally remove PSK from 802.11s
  – Use an EAP PSK method instead to meet this goal
  – Advantage of an EAP PSK method is that a single PSK could be used for the whole mesh, rather than a PSK per MP.
• Add to 802.11s a PSK strength test and require compliant implementations to enforce PSK strength.
  – Market may well ignore this based on historical experience.

Conclusions

• Add an Identity protocol like HIP between the MKD and MA.
  – Even if PSK is cracked, it cannot be used, as the HI would prevent its use by rogue MP.
  – Author likes this solution, but recognizes the effort to gain acceptance.
• Add a PMK-MKD-Expand step to provide a degree of separation between the elements of the key hierarchy and require test of PSK strength.
  – Probably the more likely acceptable answer, despite the attacks.

THANK YOU

For your time.