Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious...
-
Upload
laurel-hoover -
Category
Documents
-
view
215 -
download
3
description
Transcript of Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious...
![Page 1: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/1.jpg)
May 2007
Robert Moskowitz, ICSAlabs
Slide 1
doc.: IEEE 802.11-07/0793r0
Submission
PSK a Serious Risk for Mesh Formation Control
Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.
Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http:// ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair [email protected] as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at <[email protected]>.
Date: 2007-05-15Authors:Name Company Address Phone emailRobertMoskowitz
ICSAlabs/Cybertrust
Oak Park, MI 248 968-9809 [email protected]
![Page 2: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/2.jpg)
May 2007
Robert Moskowitz, ICSAlabs
Slide 2
doc.: IEEE 802.11-07/0793r0
Submission
Abstract
• This submissions analyzes the security of the PSK option for the Mesh Key Hierarchy. It shows that if any element in the key hierarchy can be attacked, discovering part of the key will in many cases expose the original PSK value.
![Page 3: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/3.jpg)
May 2007
Robert Moskowitz, ICSAlabs
Slide 3
doc.: IEEE 802.11-07/0793r0
Submission
Motivation
• The is a major demand for a Mesh keying methodology that does not require 802.1X and an EAP method.– The classic approach is to allow for keying material to be provided
“out of band”, e.g. Manually entered into an admin gui.– The PSK solution used in IEEE 802.11i was shown to be very
vulnerable to a dictionary attack, and this attack is now standardly available.
• An analysis is needed to establish if the PSK methodology is as vulnerable as in 802.11i.– And if so, is there an alternative PSK methodology that would be
'strong enough'.
![Page 4: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/4.jpg)
May 2007
Robert Moskowitz, ICSAlabs
Slide 4
doc.: IEEE 802.11-07/0793r0
Submission
PSK risk model
• In 802.11i, an attack on the PSK permits the inclusion of an unauthorized STA– Or the creation of a rouge AP.
• In 802.11s, an attack on the PSK permits an undetectable insertion of a rogue MP.
• Conclusion:– In 802.11i, a cracked PSK opens the wireless network
to an outsider.– In 802.11s, a cracked PSK opens the mesh
infrastructure to an outsider. This is considered a catastrophic attack against the mesh.
![Page 5: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/5.jpg)
doc.: IEEE 802.11-07/0793r0
Submission
802.11s Mesh key derivations
• The key derivations provided in sec 8.8 included:– PMK-MKD = KDF-256(PSK, “MKD Key Derivation”,
MeshIDlength || MeshID || MKDD-ID || SPA)– PMK-MA = KDF-256(PMK-MKD, “MA Key Derivation”, PMK-
MKDName || MA-ID || SPA)– PTK = KDF-PTKLen(PMK-MA, “Mesh PTK Key derivation”,
SNonce || ANonce || SPA || MA-ID || PMK-MAName)– KDK = KDF-256(PSK, “Mesh Key Distribution Key”,
MeshIDLength || MeshID || MKDD-ID || MA-ID)– PTK-KD = KDF-256(KDK, “Mesh PTK-KD Key”, MA-Nonce ||
MKD-Nonce || MA-ID || MKDID)
![Page 6: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/6.jpg)
doc.: IEEE 802.11-07/0793r0
Submission
802.11s PSK as attackable as in 802.11i
• The PTK derivation is identical in 802.11i and 802.11s– Thus the PSK attack is the same for both environments
• That is open to a dictionary attack.
• A common user supplied PSK of 8 characters has an attack space of 223
– See: http://www.smat.us/sanity/pwdilemma.html
• Without strong user guidance, PSK values will be weak and thus open to attack– Further, 802.11s requires a PSK per MP!– Too much to expect a user to create lots of strong PSKs.
![Page 7: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/7.jpg)
doc.: IEEE 802.11-07/0793r0
Submission
Does the PSK per MP provide mitigation?
• It seems not– It is easy for the attacker to gain the name of the MP whose PSK it
has cracked.– There is no way for the MKD to recognize two distinct MPs, using
the same name and of course PSK.• Complicated when there are multiple copies of the MDK within the
mesh.
• Could this be fix?– Perhaps.
• Consider a identity-based protocol between the MA and MKD like HIP. But how would the Host Identity be securely registered in the MKD?
![Page 8: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/8.jpg)
doc.: IEEE 802.11-07/0793r0
Submission
IS there a better Key Derivation with PSK?
• Consider the accepted method of expanding a key to enough bits and slicing the result for all needed keys.– E.G. KCK-KD and KEK-KD from PTK-KD
• Initially expand the PSK and use pieces of the expansion for each sub derivation.– PSK-Expand = KDF-1024(PSK, “MKD Key Derivation”,
MeshIDlength || MeshID || MKDD-ID || SPA)– PMK-MKD = KDF-256(L(PSK-Expand, 256, 256), “MKD Key
Derivation”, MeshIDlength || MeshID || MKDD-ID || SPA)
• Potentially 2(1024-256) PSKs can provide the PTK-MKD!
![Page 9: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/9.jpg)
doc.: IEEE 802.11-07/0793r0
Submission
Non-Rigorous Proof of Attack
• Claim: If a PSK is successfully cracked via a dictionary attack, this IS the real PSK out of the 2(1024-256) possible values.
• Can a human create a 'near-collision'?– KDF-1024(X)=ABCDEFGH– KDF-1024(Y)=ABCDEXYZ
• X and Y collide in first 256 bits• X and Y do not collide in last 768 bits
• Not believed possible
![Page 10: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/10.jpg)
doc.: IEEE 802.11-07/0793r0
Submission
Can a near-collision be found for a document?
• User creates 2 documents that produce the same truncated hash and signs both hashes.
• User can the repudiate document1 with document2.• No proof of this for SHA-1, but concern it is only a
matter of time. A strong hash (e.g. SHA-256) will put this attack further in the future.
![Page 11: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/11.jpg)
doc.: IEEE 802.11-07/0793r0
Submission
THUS:
• If a dictionary attack against the PSK as derived above can be solved, then the cracked PSK IS the real one and will properly generate all of the key hierarchy.– If the cracked value is 'Wireless' the probability that the user really
used, say 'W1reiess' is vanishingly small. (i.e. Improbable)– Note that the whole dictionary needs to be tested, as there really
MIGHT be multiple collisions in dictionary space.
• THAT IS, THERE IS NO MAGIC
![Page 12: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/12.jpg)
doc.: IEEE 802.11-07/0793r0
Submission
Conclusions
• Best action is to totally remove PSK from 802.11s– Use an EAP PSK method instead to meet this goal– Advantage of an EAP PSK method is that a single PSK could be
used for the whole mesh, rather than a PSK per MP.
• Add to 802.11s a PSK strength test and require compliant implementations to enforce PSK strength.– Market may well ignore this based on historical experience.
![Page 13: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/13.jpg)
doc.: IEEE 802.11-07/0793r0
Submission
Conclusions
• Add an Identity protocol like HIP between the MKD and MA.– Even is PSK is cracked, it cannot be used, as the HI would prevent
its use by rogue MP.– Author likes this solution, but recognizes the effort to gain
acceptance.
• Add a PMK-MKD-Expand step to provide a degree of separation between the elements of the key hierarchy and require test of PSK strength.– Probably the ore likely acceptable answer, despite the attacks.
![Page 14: Doc.: IEEE 802.11-07/0793r0 Submission May 2007 Robert Mosko witz, ICSAla bs Slide 1 PSK a Serious Risk for Mesh Formation Control Notice: This document.](https://reader036.fdocuments.us/reader036/viewer/2022083119/5a4d1adb7f8b9ab059974e69/html5/thumbnails/14.jpg)
doc.: IEEE 802.11-07/0793r0
Submission
THANK YOUFor your time.