EAP Keying Problem Draft-aboba-pppext-key-problem-03.txt

Bernard Aboba

Observations
  • Some EAP methods derive keys, some don’t
  • Where keys are derived, strength varies widely
  • The type of keys derived varies as well
    • Some methods derive ciphersuite-specific “session keys”
    • Some methods derive ciphersuite-independent “master keys”
  • Some methods describe key hierarchy, some don’t
Goals and Objectives
  • To describe basic concepts of EAP
  • To describe the EAP keying architecture
  • To point out pitfalls in design of EAP methods that derive keys
  • To identify problems that require solution
Why Derive Keys?
  • Key derivation not required in all uses
    • EAP can be used for authentication only
  • Where EAP methods derive keys, it is possible to “bind” the authentication to:
    • Subsequent data packets encrypted/integrity protected with those keys
    • Subsequent EAP methods running within a sequence
    • The tunnel within which EAP runs
    • To accomplish these things, it is necessary to define a “key hierarchy”
EAP Terms
  • Peer – desires network access
  • NAS – provides network access
  • AAA server (optional) – provides centralized authentication, authorization and accounting for NASes
EAP Overview

    +-+-+-+-+-+               +-+-+-+-+-+
    |         |               |         |
    |         |               |         |
    | Cipher- |               | Cipher- |
    | Suite   |               | Suite   |
    |         |               |         |
    +-+-+-+-+-+               +-+-+-+-+-+
         ^                         ^
         |                         |
         |                         |
         |                         |
         V                         V
    +-+-+-+-+-+               +-+-+-+-+-+        +-+-+-+-+-+
    |         | EAP           |         |        |         |
    |         | Conversation  |         |        |         |
    |         |<================================>| AAA     |
    | Peer    |               | NAS/    |        | Server  |
    |         |==============>|         |<=======|         |
    |         | Keys          |         | Keys   |         |
    |         | (Optional)    |         |        |         |
    +-+-+-+-+-+               +-+-+-+-+-+        +-+-+-+-+-+
         ^                                            ^
         |                                            |
         | EAP API                                    | EAP API
         |                                            |
         V                                            V
    +-+-+-+-+-+                                  +-+-+-+-+-+
    |         |                                  |         |
    |         |                                  |         |
    | EAP     |                                  | EAP     |
    | Method  |                                  | Method  |
    |         |                                  |         |
    +-+-+-+-+-+                                  +-+-+-+-+-+

Assumptions of the Architecture
  • EAP methods
    • EAP methods are implemented on the peer and AAA server
    • NAS does not implement EAP methods except perhaps the mandatory method
    • NAS typically “passes through” the authentication
    • NAS may not have knowledge of the EAP method selected by the peer and AAA server
    • Peer and AAA server typically negotiate the EAP method
  • Ciphersuites
    • NAS & Peer negotiate and implement ciphersuites
    • Ciphersuites may be negotiated before or after EAP authentication, depending on the media
      • PPP, 802.11i pre-auth: ciphersuite negotiated after authentication
      • 802.1X: ciphersuite negotiated before authentication
    • AAA server may not have knowledge of the selected ciphersuite
    • EAP method residing on the peer or AAA server may not have knowledge of the selected ciphersuite
Corollaries
  • EAP key derivation should be ciphersuite independent
  • Key derivation separated into two phases:
    • Master session key derivation (occurs on AAA server, peer)
      • MSK derivation is EAP method-specific
      • MSKes sent from AAA server to NAS via AAA protocol
    • Session key derivation from MSKes (occurs on NAS, peer)
      • Session key hierarchy is ciphersuite specific
  • Reasons
    • Method may not know what the selected ciphersuite is at the time of key derivation
    • If key derivation is ciphersuite dependent, then EAP method will need to be revised each time a new ciphersuite comes out
      • New EAP methods coming along all the time (36 so far, and counting)
      • New media adopting EAP
      • New ciphersuites being defined
      • Matrix of ciphersuites times methods is big!
What is a Key Hierarchy?
  • A description of how the session keys required by a particular cipher are derived from the keying material provided by the EAP methods
    • Implies that you need a hierarchy per ciphersuite/media
  • Desirable characteristics
    • Key strength (64 bits typically not enough)
    • “Cryptographic separation” between keys used for different purposes (encryption, authentication/integrity, unicast/multicast, etc.)
Hierarchy Overview

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+          ---+---
    |                             |   |                           |             ^
    | Is a raw master key         |   | Can a pseudo-master key   |             |
    | available or can            |   | be derived from           |             |
    | the PRF operate on it?      |   | the master key?           |             |
    |                             |   |                           |             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+             |
                   |                                |                           |
                   | K                              | K'                        |
                   |                                |                           |
                   V                                V                           |
                +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                         |
                |                                     |               EAP       |
                |         Master Session Key          |               Method    |
                |             Derivation              |                         |
                |                                     |                         |
                +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                         |
                   |                                |                           |
                   |  Master Session Key Outputs    |                           |
                   |                                |                           |
                   V                                V                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+             |
    |                                                             |             |
    |                    Key and IV Derivation                    |             |
    |                                                             |             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+             |
       | P->A    | A->P    | P->A    | A->P    | P->A    | A->P       EAP       V
       | Enc.    | Enc.    | Auth.   | Auth.   | IV      | IV         API    ---+---
       | Key     | Key     | Key     | Key     |         |                      ^
       | (PMK)   |         |         |         |         |            AAA       |
       |         |         |         |         |         |            Keys      V
       V         V         V         V         V         V                   ---+---
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+           ^
    |                                                               |           |
    |              Ciphersuite-Specific Key Hierarchy               | NAS       |
    |                                                               |           |
    |                                                               |           V
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+        ---+---

Example Key Hierarchy (802.11i)
  • Pairwise Master Key (PMK)
    • PRF-X(PMK, “Pairwise key expansion”, Min(AA,SA) || Max(AA,SA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))
  • Pairwise Transient Key (PTK) (X bits)
    • EAPOL-Key MIC Key L(PTK,0,128) (MK)
    • EAPOL-Key Encryption Key L(PTK,128,128) (EK)
    • Temporal Key 1 L(PTK,256,128) (TK 1)
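
An added example, not part of the original slides: the 802.11i pairwise hierarchy above worked through in Python, using the IEEE 802.11i HMAC-SHA1 construction for PRF-X with X = 384 so the PTK covers exactly the three 128-bit keys listed. The PMK, addresses and nonces are constructed sample values, and the function names are illustrative.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"

def prf(key, label, data, bits):
    """802.11i PRF-X: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) * 8 < bits:
        msg = label + b"\x00" + data + bytes([i])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        i += 1
    return out[: bits // 8]

def L(s, first_bit, nbits):
    """L(S, F, N): N bits of S starting at bit F (byte-aligned offsets only)."""
    return s[first_bit // 8 : (first_bit + nbits) // 8]

def derive_ptk(pmk, aa, sa, anonce, snonce, bits=384):
    # The hierarchy assumes a 256-bit PMK; refuse weaker method output.
    if len(pmk) != 32:
        raise ValueError("PMK must be 256 bits")
    # Min/Max ordering (byte-string comparison here) lets both ends build
    # identical PRF input without agreeing on who is "first".
    data = min(aa, sa) + max(aa, sa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, LABEL, data, bits)

def split_ptk(ptk):
    """Cut the PTK into the three keys named on the slide."""
    return {"MK": L(ptk, 0, 128), "EK": L(ptk, 128, 128), "TK1": L(ptk, 256, 128)}

# Constructed sample values, not taken from any real exchange.
PMK = bytes(range(32))
AA = bytes.fromhex("02000000000a")      # authenticator address
SA = bytes.fromhex("020000000001")      # supplicant address
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()

if __name__ == "__main__":
    keys = split_ptk(derive_ptk(PMK, AA, SA, ANONCE, SNONCE))
    for name, key in keys.items():
        print(f"{name:4} {key.hex()}")
    # Same PMK, fresh nonce: a different PTK, hence separate session keys.
    fresh = hashlib.sha256(b"another constructed SNonce").digest()
    print(derive_ptk(PMK, AA, SA, ANONCE, fresh) != derive_ptk(PMK, AA, SA, ANONCE, SNONCE))
```

The only per-session inputs are the two nonces, so an exchange that reuses them under the same PMK reproduces the same PTK.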
Pitfalls for the Unwary
  • Arbitrary AAA EAP key attributes
    • Transport keys derived by EAP methods
    • Critical to EAP interoperability: NAS expects MSK, not session key
    • Can encourage bad practices: ciphersuite-specific EAP methods
  • Improper key hierarchies
    • Loops can dilute key strength
    • Early 802.11i proposals had this problem
  • EAP methods generating keys without sufficient entropy
    • 802.11i assumes a 256-bit PMK!
    • Issue for EAP SIM and EAP GSS
  • EAP methods without nonce exchanges
    • May not be able to generate required cryptographic separation without a subsequent nonce exchange
    • Could cause method to work only on some media (e.g. 802.11 vs. PPP)
    • Issue for EAP SRP
Summary
  • Secure key derivation is important to a number of uses of EAP
    • Secure ciphers lose their security when combined with insecure key derivation
  • EAP key derivation architecture currently not well understood
    • Current EAP methods exhibit a number of problems relating to key derivation
  • Secure key hierarchy derivation is a complex subject, best left to experts
  • Need to consider hierarchy when designing EAP method
Intended Purpose
  • Integrated network/Kerberos login
    • Depends on IAKERB GSS-API method
  • Media: PPP, IEEE 802
    • Kerberos vulnerable to dictionary attack on IEEE 802.11
    • Key derivation may not meet 802.11i criteria
  • Requested Track: Experimental
Security Claims

  • Mechanism: Depends on GSS-API mechanism (Kerberos: Passwords, Certs, Token cards)
  • Mutual/one-way auth: typically mutual (Kerberos: Mutual)
  • Key derivation
    1. Supported: yes
    2. Key size: depends on GSS-API method negotiated
    3. Key hierarchy description: no
  • Dictionary attack resistance: depends on method (Kerberos: no)
  • Identity hiding: Depends on method (Kerberos: no)
  • Protection
    1. Method negotiation: Yes (SPNEGO)
    2. Ciphersuite negotiation: No
    3. Success/failure indication: No
    4. Method packets: Yes
  • Fast reconnect: depends on method (Kerberos: no)

Issues
  • Scope
    • Does exchange end with AS_REP? TGT_REP? AP_REP?
  • Security
    • Dictionary attack on AS_REQ/AS_REP
  • Keying
    • How are tickets transmitted from peer to NAS?
    • Key derivation: initial draft did not include a nonce exchange, -12 does
    • Key derivation: Master key cannot be retrieved via GSS-API; need to derive “pseudo master key” via GSS_WRAP() calls
    • Key strength: depends on negotiated GSS-API method