Improved EAP-SRP in Wireless Network Authentication

WirelessLAN

Security

Ajay K MathiasGovind MJohnes Jose

M120445CSM120432CSM120088CS

Introduction

WEP

EAP

Authenticated KEP

Conclusion

Overview

Wireless Networks Extension of Wired networks, without using

wires. IEEE 802.11 (1997)

802.11b (1999), 802.11g (2003), 802.11n (2009)

802.11i (2004) 2 Types : Adhoc & Infrastructural WLAN

Ad Hoc WLAN

• Connect with whichever station• Hop Hop.. Hop Hop..• No device in the middle.

Infrastructure WLAN

Parties Involved Wireless Station Access Point (AP) Ground Station

Terms BSS / ESS SSID Beacon Probe Request,

Response Associate Frame

Request, Response

Security in WLAN Main Point of Concern Multiple Options exists in Wired

Networks. SSID / MAC based Authentication was

used, both of which were spoof-able. Common Attacks Possible

Masquerading Man in the middle Dictionary Attacks

Requirement : Privacy Equivalent to that in Wired Networks

Wired Equivalent Privacy (WEP)

Challenge Response Protocol

Access Point

Station

Random Nonce, C

Response, RInitialization Vector, IV

R = C + KEYSTREAM(S, IV)O

But…..! WEP had the following security Issues

Monitor Challenge Response to compute Keystream.

Obtain S, using Dictionary Attack One side Authentication

Thus….. A better protocol was required WPA

Post WEP security WPA (TKIP) – Temporal Key Integrity

Protocol WPA 2 (CCMP) – Counter mode CBC MAC

Protocol The authentication in both schemes same Authentication same as in 802.11i Former uses RC4 key-stream encryption Latter uses AES with cipher block chaining

AUTHENTICATION IN WPA 3 entities

Supplication (Station) Authenticator (AP – Access Point) Authentication Server (AS)

EAP (Extensible Authentication Protocol) Authentication, Authorization &

Accounting

802.11 Association

EAP/802.1X/RADIUS Authentication

MSK

Authenticator

4-Way Handshake

Group Key Handshake

802.11i Protocol

Data Communication

Supplicant

Authentication Server

AUTHENTICATION METHODS EAP – MD5 EAP – TLS EAP – TTLS EAP – PEAP

EAP – MD5 Basic form Challenge is to send MD5 of password Password not known to AP, AS Drawbacks:

Replay attack possible with MD5(password)

AP is not verified to the supplicant

EAP-TLS Uses SSL/TLS All Entities have Certificates & Pvt. keys Drawbacks:

Infeasible for all stations to have certificates

PKI required to communicate

EAP-TTLS Requires AP to have certificates AP can be verified by AS, supplicants Forms a secure tunnel through which

password can be sent

EAP-PEAP Similar to EAP-TTLS Forms a secure tunnel Authentication of station to AS

independent

KEY AGREEMENT Two types of keys:

TK (Temporal Key) [128] GTK (Group Transient Key) [128]

PMK can be replaced by PSK (Pre Shared Key) [256], but not secure

TK and other keys are derived from PMK (Pairwise Master Key) [256] by 4-way handshake protocol

KEY HIERARCHY

MSK [256] : AS & StationPMK [256] : AP (derived from MSK)PTK = f(PMK) [512]PTK -> TK [128]PTK -> KCK [128]PTK -> KEK [128]

FOUR WAY HANDSHAKE

PTK = prf (PMK,NA,NB,MACA,MACS) PTK = (TK, KCK, KEK)

Calculate PTK

Calculate PTK

EAP-SPEKE

Simple Password-Authenticated Exponential Key Exchange

Diffie-Hellman based Authentication with session key

negotiation Mutual Authentication Withstands Man in the middle attack Withstands Replay attack

Supplicant Authenticator

A = gXa mod pg = f(pd) Xa = secret key

AB = gXb mod pXb = secret key

B

S = H(BXa mod p)n1 = nonce

S(n1)S = H(AXb mod p)n2 = nonce

S(n1, n2)

Verify n1 Verify n2S(n2)

EAP - SRP

EAP-Secure Remote Password Borrows elements from other key

exchange protocol User ID and password-based

authentication

Supplicant Authenticator

A = gXa mod pg = f(pd) Xa = secret key

ID = identifier

A, IDB = (V+gXb) mod pXb = secret key

V = gx mod p x = H(Salt, pd)

Salt,B

x = H(Salt, pd) u = H(A, B) S = (B-gx)Xa+ux mod p K = H(S)

Ma=H(H(pd) + H(g),

H(ID), Salt, A, B, K) u = H(A, B)S = (AVu) Xbmod pK = H(S)Mb=H( Ma, A, K)

Verify n1

Improved EAP-SRP

A = gXa mod p

Ma = H(H(Pd) Xor H(g), H(ID), A) B = (v + gXb) mod

pU = H(A, B)S = (A.Vu)Xb mod pK = H(s)Mb = H(A, B, Ma, k)

A,ID,Ma

Salt, Mb, BU = H(A,B)

S = (B-gx)(Xa+Ux) mod p K = H(S)Mc = H(B, Mb, K) Mc

Session KeyMutual Authentication

Pro

s • Mutual Authentication• No Cleartext

Password Exchange• Works against

Dictionary Attacks, Password Sniffing and Network Traffic Analysis Attacks

• Easier to setup, than Dig Cert based Authentication.

Con

s • Computationally Intensive (Comparitively)

• Narrow domain of choosing primes.

(eg. Reqd : Prime p,q such that p = 2q+1)

References

1. An Efficient Password Authenticated Key Exchange Protocol for WLAN and WIMAX, AK Rai, V Kumar, S Mishra, ICWETT 2011

2. Extensible authentication protocol, Adoba, B., Blunk, L., Vollbrecht, J., Carlson, J. & Levkowetz, E., RFC 3748 2004

3. The SRP Authentication and Key Exchange System, T. Wu, RFC 2945 2000

4. Cryptography and Network Security, Bernard Menesez, Cengage Solutions

Thank You…!