![Page 1: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/1.jpg)
A Modular Security Analysis ofEAP and IEEE 802.11PhD defense
Håkon JacobsenDepartment of Information Security andCommunication Technology
October 25, 2017
![Page 2: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/2.jpg)
IEEE 802.11 – WPA2-PSK
Client Access point
Server
Internet
2 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 3: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/3.jpg)
WPA2-Enterprise
• Used in large organizations
– infeasible to share a singleshared key
– user authenticationcentrally managed
• Example: eduroam
3 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 4: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/4.jpg)
WPA2-Enterprise
Client Authenticator Server
EAP-TLS
Key Transport
IEEE 802.11
WPA2Enterprise
Thm 1: 3P-AKEweak forward secrecyThm 2: 3P-AKE
full forward secrecy
Thm 3: 2P-AKEfull forward secrecy
Thm 4: 2P-AKEno forward secrecy
[JKSS12, KPW13, BFS+13,KSS13, LSY+14, . . . ]:
2P-ACCE
4 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 5: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/5.jpg)
Thesis goal
Conduct a formal computational security analysis of the EAPframework, including:
1. the WPA2-Enterprise framework
2. the EAP-TLS key exchange protocol
3. the 802.11 protocol
4. meta-goal: establish the results in a modular fashion; reusingexisting analyses whenever possible
5 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 6: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/6.jpg)
Thesis goal
Conduct a formal computational security analysis of the EAPframework, including:
1. the WPA2-Enterprise framework
2. the EAP-TLS key exchange protocol
3. the 802.11 protocol
4. meta-goal: establish the results in a modular fashion; reusingexisting analyses whenever possible
5 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 7: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/7.jpg)
Acknowledgments
Chris BrzuskaHamburg University of Technology
Douglas StebilaMcMaster University, Hamilton
6 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 8: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/8.jpg)
Our formal security model
Extended Bellare-Rogaway model adapted from [BPR00]
Adversary A can:
• Control all networkcommunication
• Learn session keys sk
• Learn long-term keys
• Cannot learn internalrandomness
AπA
π′A
πB πC
πD
7 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 9: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/9.jpg)
Our formal security model
Extended Bellare-Rogaway model adapted from [BPR00]
Adversary A can:
• Control all networkcommunication
• Learn session keys sk
• Learn long-term keys
• Cannot learn internalrandomness
AπA
π′A
πB πC
πD
7 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 10: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/10.jpg)
Our formal security model
Extended Bellare-Rogaway model adapted from [BPR00]
Adversary A can:
• Control all networkcommunication
• Learn session keys sk
• Learn long-term keys
• Cannot learn internalrandomness
AπA
π′A
πB πC
πD
7 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 11: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/11.jpg)
Our formal security model
Extended Bellare-Rogaway model adapted from [BPR00]
Adversary A can:
• Control all networkcommunication
• Learn session keys sk
• Learn long-term keys
• Cannot learn internalrandomness
AπA
π′A
πB πC
πD
7 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 12: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/12.jpg)
Our formal security model
Extended Bellare-Rogaway model adapted from [BPR00]
Adversary A can:
• Control all networkcommunication
• Learn session keys sk
• Learn long-term keys
• Cannot learn internalrandomness
AπA
π′A
πB πC
πD
7 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 13: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/13.jpg)
Authenticated key exchange (AKE) security goals
• Key-secrecy: attacker should learn nothing about sk for a freshsession πU
• Authentication: sk should only be shared with πU ’s intendedpeer
• Key-confirmation: the intended peer actually computed sk
8 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 14: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/14.jpg)
Authenticated key exchange (AKE) security goals
• Key-secrecy: attacker should learn nothing about sk for a freshsession πU
• Authentication: sk should only be shared with πU ’s intendedpeer
• Key-confirmation: the intended peer actually computed sk
8 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 15: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/15.jpg)
Forward secrecy
πU
• Loss of a long-term key should not compromise previouslyestablished session keys
– Full forward secrecy: adversary A can get long-term keys afterπU completed
– Weak forward secrecy: A can get long-term keys after πUcompleted—but only if A was passive
– No forward secrecy: A cannot get long-term keys
9 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 16: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/16.jpg)
Forward secrecy
πU
• Loss of a long-term key should not compromise previouslyestablished session keys
– Full forward secrecy: adversary A can get long-term keys afterπU completed
– Weak forward secrecy: A can get long-term keys after πUcompleted—but only if A was passive
– No forward secrecy: A cannot get long-term keys
9 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 17: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/17.jpg)
Forward secrecy
πU
• Loss of a long-term key should not compromise previouslyestablished session keys
– Full forward secrecy: adversary A can get long-term keys afterπU completed
– Weak forward secrecy: A can get long-term keys after πUcompleted—but only if A was passive
– No forward secrecy: A cannot get long-term keys
9 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 18: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/18.jpg)
Forward secrecy
πU
• Loss of a long-term key should not compromise previouslyestablished session keys
– Full forward secrecy: adversary A can get long-term keys afterπU completed
– Weak forward secrecy: A can get long-term keys after πUcompleted—but only if A was passive
– No forward secrecy: A cannot get long-term keys
9 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 19: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/19.jpg)
Main results
1. EAP is a secure 3P-AKE protocol with weak forward secrecy
2. EAP + key-confirmation is a secure 3P-AKE protocol with fullforward secrecy
3. EAP-TLS is a secure 2P-AKE protocol (with full forward secrecy)
4. 802.11 handshake protocol (WPA2-PSK) is a secure 2P-AKEprotocol with no forward secrecy
5. WPA2-Enterprise is a secure3P-AKE protocol with fullfull secrecy
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
IEEE 802.11
WPA2Enterprise
EAPTLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
10 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 20: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/20.jpg)
Main results
1. EAP is a secure 3P-AKE protocol with weak forward secrecy
2. EAP + key-confirmation is a secure 3P-AKE protocol with fullforward secrecy
3. EAP-TLS is a secure 2P-AKE protocol (with full forward secrecy)
4. 802.11 handshake protocol (WPA2-PSK) is a secure 2P-AKEprotocol with no forward secrecy
5. WPA2-Enterprise is a secure3P-AKE protocol with fullfull secrecy
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
Key confirmation
WPA2Enterprise
EAPTLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
10 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 21: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/21.jpg)
Main results
1. EAP is a secure 3P-AKE protocol with weak forward secrecy
2. EAP + key-confirmation is a secure 3P-AKE protocol with fullforward secrecy
3. EAP-TLS is a secure 2P-AKE protocol (with full forward secrecy)
4. 802.11 handshake protocol (WPA2-PSK) is a secure 2P-AKEprotocol with no forward secrecy
5. WPA2-Enterprise is a secure3P-AKE protocol with fullfull secrecy
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
IEEE 802.11
WPA2Enterprise
EAPTLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
10 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 22: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/22.jpg)
Main results
1. EAP is a secure 3P-AKE protocol with weak forward secrecy
2. EAP + key-confirmation is a secure 3P-AKE protocol with fullforward secrecy
3. EAP-TLS is a secure 2P-AKE protocol (with full forward secrecy)
4. 802.11 handshake protocol (WPA2-PSK) is a secure 2P-AKEprotocol with no forward secrecy
5. WPA2-Enterprise is a secure3P-AKE protocol with fullfull secrecy
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
IEEE 802.11
WPA2Enterprise
EAPTLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
10 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 23: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/23.jpg)
Main results
1. EAP is a secure 3P-AKE protocol with weak forward secrecy
2. EAP + key-confirmation is a secure 3P-AKE protocol with fullforward secrecy
3. EAP-TLS is a secure 2P-AKE protocol (with full forward secrecy)
4. 802.11 handshake protocol (WPA2-PSK) is a secure 2P-AKEprotocol with no forward secrecy
5. WPA2-Enterprise is a secure3P-AKE protocol with fullfull secrecy
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
IEEE 802.11
WPA2Enterprise
EAPTLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
10 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 24: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/24.jpg)
Our results – caveats
• Being “secure” is not an unconditional statement
• All results are relative to our model of the protocol and relies onvarious assumptions
• Model might not completely cover practice
11 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 25: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/25.jpg)
Extensible Authentication Protocol (EAP)
12 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 26: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/26.jpg)
Extensible Authentication Protocol (EAP)
• Generic authentication framework underlying WPA2-Enterprise
• Specifies:
1. a three-party architecture consisting of a client, a server and anauthenticator
2. a way of encapsulating concrete authentication mechanismsinside EAP methods
— EAP-TLS— EAP-TTLS— EAP-IKEv2— EAP-PWD— EAP-PSK
— EAP-SIM— EAP-AKA— EAP-GTC— PEAP— LEAP
— EAP-FAST— EAP-POTP— EAP-EKE— EAP-MD5— ...
13 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 27: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/27.jpg)
Extensible Authentication Protocol (EAP)
• Generic authentication framework underlying WPA2-Enterprise
• Specifies:
1. a three-party architecture consisting of a client, a server and anauthenticator
2. a way of encapsulating concrete authentication mechanismsinside EAP methods
— EAP-TLS— EAP-TTLS— EAP-IKEv2— EAP-PWD— EAP-PSK
— EAP-SIM— EAP-AKA— EAP-GTC— PEAP— LEAP
— EAP-FAST— EAP-POTP— EAP-EKE— EAP-MD5— ...
13 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 28: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/28.jpg)
Extensible Authentication Protocol (EAP)
• Generic authentication framework underlying WPA2-Enterprise
• Specifies:
1. a three-party architecture consisting of a client, a server and anauthenticator
2. a way of encapsulating concrete authentication mechanismsinside EAP methods
— EAP-TLS— EAP-TTLS— EAP-IKEv2— EAP-PWD— EAP-PSK
— EAP-SIM— EAP-AKA— EAP-GTC— PEAP— LEAP
— EAP-FAST— EAP-POTP— EAP-EKE— EAP-MD5— ...
13 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 29: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/29.jpg)
Extensible Authentication Protocol (EAP)
• Generic authentication framework underlying WPA2-Enterprise
• Specifies:
1. a three-party architecture consisting of a client, a server and anauthenticator
2. a way of encapsulating concrete authentication mechanismsinside EAP methods
— EAP-TLS— EAP-TTLS— EAP-IKEv2— EAP-PWD— EAP-PSK
— EAP-SIM— EAP-AKA— EAP-GTC— PEAP— LEAP
— EAP-FAST— EAP-POTP— EAP-EKE— EAP-MD5— ...
13 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 30: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/30.jpg)
EAP framework
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
Key confirmation
WPA2Enterprise
EAPTLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
14 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 31: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/31.jpg)
Composition Theorem 1
15 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 32: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/32.jpg)
Modeling EAP without key-confirmation
C A
B
S
EAP method, “C”, “A”
“C”+“C”+
“B” +“B” +
← KDF( , “C”, “A”)← KDF( , “C”, “A”)
← KDF( , “C”, “B”)
Theorem 1: EAP is a secure 3P-AKE protocol with weak forwardsecrecy
16 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 33: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/33.jpg)
An attack
C A B S
EAP method, “C”, “A”
“C”+“C”+
“B” +“B” +
← KDF( , “C”, “A”)← KDF( , “C”, “A”)
← KDF( , “C”, “B”)
Theorem 1: EAP is a secure 3P-AKE protocol with weak forwardsecrecy
16 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 34: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/34.jpg)
An attack
C A B S
EAP method, “C”,��XX“A” “B”
“C”+“C”+ “B” +“B” +
← KDF( , “C”, “A”)← KDF( , “C”, “A”)
← KDF( , “C”, “B”)
Theorem 1: EAP is a secure 3P-AKE protocol with weak forwardsecrecy
16 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 35: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/35.jpg)
An attack
C A B S
EAP method, “C”,��XX“A” “B”
“C”+“C”+
“B” +“B” +
← KDF( , “C”, “A”)← KDF( , “C”, “A”)
← KDF( , “C”, “B”)
Theorem 1: EAP is a secure 3P-AKE protocol with weak forwardsecrecy
16 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 36: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/36.jpg)
Channel binding
C A
B
S
EAP method, “C”, “A”
“C”+“C”+
“B” +“B” +
← KDF( , “C”, “A”)← KDF( , “C”, “A”)
← KDF( , “C”, “B”)
Theorem 1: EAP is a secure 3P-AKE protocol with weak forwardsecrecy
16 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 37: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/37.jpg)
Channel binding
C A
B
S
EAP method, “C”, “A”
“C”+“C”+
“B” +“B” +
← KDF( , “C”, “A”)
← KDF( , “C”, “A”)
← KDF( , “C”, “B”)
Theorem 1: EAP is a secure 3P-AKE protocol with weak forwardsecrecy
16 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 38: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/38.jpg)
Channel binding
C A B S
EAP method, “C”,��XX“A” “B”
“C”+“C”+ “B” +“B” +
← KDF( , “C”, “A”)← KDF( , “C”, “A”)
← KDF( , “C”, “B”)
Theorem 1: EAP is a secure 3P-AKE protocol with weak forwardsecrecy
16 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 39: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/39.jpg)
Channel binding
C A B S
EAP method, “C”,��XX“A” “B”
“C”+“C”+ “B” +“B” +
← KDF( , “C”, “A”)
← KDF( , “C”, “A”)
← KDF( , “C”, “B”)
Theorem 1: EAP is a secure 3P-AKE protocol with weak forwardsecrecy
16 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 40: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/40.jpg)
Channel binding
C A B S
EAP method, “C”,��XX“A” “B”
“C”+“C”+
“B” +“B” +
← KDF( , “C”, “A”)← KDF( , “C”, “A”)← KDF( , “C”, “B”)
Theorem 1: EAP is a secure 3P-AKE protocol with weak forwardsecrecy
16 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 41: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/41.jpg)
Composition Theorem 1
C A
B
S
EAP method, “C”, “A”
“C”+“C”+
“B” +“B” +
← KDF( , “C”, “A”)
← KDF( , “C”, “A”)
← KDF( , “C”, “B”)
Theorem 1: EAP is a secure 3P-AKE protocol with weak forwardsecrecy
16 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 42: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/42.jpg)
Composition Theorem 2
17 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 43: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/43.jpg)
Composition Theorem 2
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
IEEE 802.11
WPA2Enterprise
EAPTLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
Theorem 2: EAP + key-confirmation is a secure 3P-AKE protocolwith full forward secrecy
18 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 44: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/44.jpg)
Composition Theorem 2
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
Key confirmation
WPA2Enterprise
EAPTLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
Theorem 2: EAP + key-confirmation is a secure 3P-AKE protocolwith full forward secrecy
18 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 45: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/45.jpg)
Composition Theorem 2
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
Key confirmation
WPA2Enterprise
EAP
TLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
Theorem 2: EAP + key-confirmation is a secure 3P-AKE protocolwith full forward secrecy
18 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 46: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/46.jpg)
Composition Theorem 2
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
Key confirmation
WPA2Enterprise
EAP
TLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
Theorem 2: EAP + key-confirmation is a secure 3P-AKE protocolwith full forward secrecy
18 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 47: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/47.jpg)
EAP-TLS
19 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 48: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/48.jpg)
EAP-Transport Layer Security
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
Key confirmation
WPA2Enterprise
EAPTLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
• EAP-TLS = certificate-based TLS encapsulated inside EAP
20 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 49: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/49.jpg)
EAP-Transport Layer Security
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
IEEE 802.11
WPA2Enterprise
EAPTLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
• EAP-TLS = certificate-based TLS encapsulated inside EAP
20 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 50: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/50.jpg)
EAP-Transport Layer Security
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
IEEE 802.11
WPA2Enterprise
EAPTLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
• EAP-TLS = certificate-based TLS encapsulated inside EAP
20 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 51: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/51.jpg)
EAP-Transport Layer Security
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
IEEE 802.11
WPA2Enterprise
EAP
TLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
• EAP-TLS = certificate-based TLS encapsulated inside EAP
20 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 52: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/52.jpg)
Proving that EAP-TLS is a secure 2-party AKE protocol
• Idea: modify existing proofs of TLS to work for EAP-TLS
• Problem: not modular
• Alternative: use existing results on TLS to prove EAP-TLS
• Problem: TLS is not a secure authenticated key exchange (AKE)protocol, but rather a secure channel establishment protocol
21 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 53: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/53.jpg)
Proving that EAP-TLS is a secure 2-party AKE protocol
• Idea: modify existing proofs of TLS to work for EAP-TLS
• Problem: not modular
• Alternative: use existing results on TLS to prove EAP-TLS
• Problem: TLS is not a secure authenticated key exchange (AKE)protocol, but rather a secure channel establishment protocol
21 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 54: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/54.jpg)
Proving that EAP-TLS is a secure 2-party AKE protocol
• Idea: modify existing proofs of TLS to work for EAP-TLS
• Problem: not modular
• Alternative: use existing results on TLS to prove EAP-TLS
• Problem: TLS is not a secure authenticated key exchange (AKE)protocol, but rather a secure channel establishment protocol
21 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 55: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/55.jpg)
Proving that EAP-TLS is a secure 2-party AKE protocol
• Idea: modify existing proofs of TLS to work for EAP-TLS
• Problem: not modular
• Alternative: use existing results on TLS to prove EAP-TLS
• Problem: TLS is not a secure authenticated key exchange (AKE)protocol, but rather a secure channel establishment protocol
21 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 56: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/56.jpg)
Authenticated and Confidential Channel Establishment(ACCE) protcols [JKSS12]
• All-in-one-definition: authenticated key exchange (AKE) protocol+ encryption algorithm
• Security goal: session key established by the AKE should besafe to use for encryption algorithm
• Less stringent requirement than AKE
• Many results showing that TLSv1.2 is a secure ACCE protocol([JKSS12, KPW13, KSS13, BFS+13, LSY+14])
22 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 57: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/57.jpg)
Our result
“A secure ACCE =⇒ a secure AKE”
23 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 58: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/58.jpg)
Our result
Theorem 3:
a secure TLS-like ACCE protocol+
a key-collision resistant KDF =⇒ a secure AKE+
a random oracle
23 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 59: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/59.jpg)
IEEE 802.11
24 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 60: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/60.jpg)
IEEE 802.11
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
Key confirmation
WPA2Enterprise
EAPTLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
25 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 61: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/61.jpg)
IEEE 802.11
Client Authenticator Server
EAP method
Key transportEAP
EAP-TLS
IEEE 802.11
WPA2Enterprise
EAPTLS
EAP packets
, NC , NS , NC , NS
← KDF( , NC‖NS)
25 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 62: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/62.jpg)
Wi-Fi Protected Access 2 (WPA2)
• Protocol used to protect Wi-Fi networks
• Consists of:1. a 2-party key exchange protocol (4-Way Handshake)
2. an encryption algorithm (CCMP)
3. a group key exchange protocol
26 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 63: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/63.jpg)
Wi-Fi Protected Access 2 (WPA2)
• Protocol used to protect Wi-Fi networks
• Consists of:1. a 2-party key exchange protocol (4-Way Handshake)
2. an encryption algorithm (CCMP)
3. a group key exchange protocol
26 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 64: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/64.jpg)
802.11 4-Way Handshake (WPA2-PSK)
C AP
NAP
NC ,MAC( ,NC )
NAP ,MAC( ,NAP)
MAC( , “Finished”)
NAP ← {0, 1}256NC ← {0, 1}256← KDF( ,NC‖NAP)
← KDF( ,NC‖NAP)
Theorem 4: The 4-Way Handshake is a secure 2P-AKE protocol withno forward secrecy
27 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 65: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/65.jpg)
802.11 4-Way Handshake (WPA2-PSK)
C AP
NAP
NC ,MAC( ,NC )
NAP ,MAC( ,NAP)
MAC( , “Finished”)
NAP ← {0, 1}256NC ← {0, 1}256← KDF( ,NC‖NAP)
← KDF( ,NC‖NAP)
Theorem 4: The 4-Way Handshake is a secure 2P-AKE protocol withno forward secrecy
27 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 66: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/66.jpg)
Putting it all together: WPA2-Enterprise
Client Authenticator Server
EAP-TLS
Key Transport
4-Way Handshake
WPA2Enterprise
Thm 1: 3P-AKEweak forward secrecyThm 2: 3P-AKE
full forward secrecy
Thm 3: 2P-AKEfull forward secrecy
Thm 4: 2P-AKEno forward secrecy
[JKSS12, KPW13, BFS+13,KSS13, LSY+14, . . . ]:
2P-ACCE
Theorem: WPA2-Enterprise is a secure 3P-AKE protocol with fullforward secrecy
28 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 67: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/67.jpg)
Putting it all together: WPA2-Enterprise
Client Authenticator Server
EAP-TLS
Key Transport
4-Way Handshake
WPA2Enterprise
Thm 1: 3P-AKEweak forward secrecy
Thm 2: 3P-AKEfull forward secrecy
Thm 3: 2P-AKEfull forward secrecy
Thm 4: 2P-AKEno forward secrecy
[JKSS12, KPW13, BFS+13,KSS13, LSY+14, . . . ]:
2P-ACCE
Theorem: WPA2-Enterprise is a secure 3P-AKE protocol with fullforward secrecy
28 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 68: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/68.jpg)
Putting it all together: WPA2-Enterprise
Client Authenticator Server
EAP-TLS
Key Transport
4-Way Handshake
WPA2Enterprise
Thm 1: 3P-AKEweak forward secrecyThm 2: 3P-AKE
full forward secrecy
Thm 3: 2P-AKEfull forward secrecy
Thm 4: 2P-AKEno forward secrecy
[JKSS12, KPW13, BFS+13,KSS13, LSY+14, . . . ]:
2P-ACCE
Theorem: WPA2-Enterprise is a secure 3P-AKE protocol with fullforward secrecy
28 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 69: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/69.jpg)
Putting it all together: WPA2-Enterprise
Client Authenticator Server
EAP-TLS
Key Transport
4-Way Handshake
WPA2Enterprise
Thm 1: 3P-AKEweak forward secrecyThm 2: 3P-AKE
full forward secrecy
Thm 3: 2P-AKEfull forward secrecy
Thm 4: 2P-AKEno forward secrecy
[JKSS12, KPW13, BFS+13,KSS13, LSY+14, . . . ]:
2P-ACCE
Theorem: WPA2-Enterprise is a secure 3P-AKE protocol with fullforward secrecy
28 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 70: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/70.jpg)
Putting it all together: WPA2-Enterprise
Client Authenticator Server
EAP-TLS
Key Transport
4-Way Handshake
WPA2Enterprise
Thm 1: 3P-AKEweak forward secrecyThm 2: 3P-AKE
full forward secrecy
Thm 3: 2P-AKEfull forward secrecy
Thm 4: 2P-AKEno forward secrecy
[JKSS12, KPW13, BFS+13,KSS13, LSY+14, . . . ]:
2P-ACCE
Theorem: WPA2-Enterprise is a secure 3P-AKE protocol with fullforward secrecy
28 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 71: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/71.jpg)
Putting it all together: WPA2-Enterprise
Client Authenticator Server
EAP-TLS
RADIUS
4-Way Handshake
WPA2Enterprise
Thm 1: 3P-AKEweak forward secrecyThm 2: 3P-AKE
full forward secrecy
Thm 3: 2P-AKEfull forward secrecy
Thm 4: 2P-AKEno forward secrecy
[JKSS12, KPW13, BFS+13,KSS13, LSY+14, . . . ]:
2P-ACCE
Theorem: WPA2-Enterprise is a secure 3P-AKE protocol with fullforward secrecy
28 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 72: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/72.jpg)
Putting it all together: WPA2-Enterprise
Client Authenticator Server
EAP-TLS
RADIUS-over-TLS
4-Way Handshake
WPA2Enterprise
Thm 1: 3P-AKEweak forward secrecyThm 2: 3P-AKE
full forward secrecy
Thm 3: 2P-AKEfull forward secrecy
Thm 4: 2P-AKEno forward secrecy
[JKSS12, KPW13, BFS+13,KSS13, LSY+14, . . . ]:
2P-ACCE
Theorem: WPA2-Enterprise is a secure 3P-AKE protocol with fullforward secrecy
28 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 73: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/73.jpg)
Putting it all together: WPA2-Enterprise
Client Authenticator Server
EAP-TLS
RADIUS-over-TLS
4-Way Handshake
WPA2Enterprise
Thm 1: 3P-AKEweak forward secrecyThm 2: 3P-AKE
full forward secrecy
Thm 3: 2P-AKEfull forward secrecy
Thm 4: 2P-AKEno forward secrecy
[JKSS12, KPW13, BFS+13,KSS13, LSY+14, . . . ]:
2P-ACCE
Theorem: WPA2-Enterprise is a secure 3P-AKE protocol with fullforward secrecy
28 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 74: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/74.jpg)
Putting it all together: WPA2-Enterprise
Client Authenticator Server
EAP-TLS
RADIUS-over-TLS
4-Way Handshake
WPA2Enterprise
Thm 1: 3P-AKEweak forward secrecyThm 2: 3P-AKE
full forward secrecy
Thm 3: 2P-AKEfull forward secrecy
Thm 4: 2P-AKEno forward secrecy
[JKSS12, KPW13, BFS+13,KSS13, LSY+14, . . . ]:
2P-ACCE
Theorem: WPA2-Enterprise is a secure 3P-AKE protocol with fullforward secrecy
28 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 75: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/75.jpg)
KRACK attack on WPA2
29 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 76: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/76.jpg)
KRACK attack on WPA2
29 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 77: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/77.jpg)
KRACK attack on WPA2
29 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 78: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/78.jpg)
KRACK attack on WPA2
29 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 79: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/79.jpg)
KRACK and our results
• Does not invalidate our proofs
• Attack does not break the key exchange protocol (4-WayHandshake) nor the encryption algorithm (CCMP) individually,but rather when combined
• Points out a discrepancy between our formal model and thereal-world protocol
• After patches, real-world protocol is now in line with our model!
30 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 80: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/80.jpg)
KRACK and our results
• Does not invalidate our proofs
• Attack does not break the key exchange protocol (4-WayHandshake) nor the encryption algorithm (CCMP) individually,but rather when combined
• Points out a discrepancy between our formal model and thereal-world protocol
• After patches, real-world protocol is now in line with our model!
30 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 81: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/81.jpg)
The end
Thank you
31 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 82: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/82.jpg)
Christina Brzuska, Marc Fischlin, Nigel P. Smart, BogdanWarinschi, and Stephen C. Williams.Less is more: relaxed yet composable security notions for keyexchange.International Journal of Information Security, 12(4):267–297,2013.
Mihir Bellare, David Pointcheval, and Phillip Rogaway.Authenticated key exchange secure against dictionary attacks.In Bart Preneel, editor, EUROCRYPT 2000, volume 1807 ofLNCS, pages 139–155. Springer, Heidelberg, May 2000.
Tibor Jager, Florian Kohlar, Sven Schäge, and Jörg Schwenk.On the security of TLS-DHE in the standard model.In Reihaneh Safavi-Naini and Ran Canetti, editors,CRYPTO 2012, volume 7417 of LNCS, pages 273–293. Springer,Heidelberg, August 2012.
Hugo Krawczyk, Kenneth G. Paterson, and Hoeteck Wee.On the security of the TLS protocol: A systematic analysis.
31 / 31 Intro AKE models EAP EAP-TLS 802.11
![Page 83: A Modular Security Analysis of EAP and IEEE 802.11 - PhD ... · A Modular Security Analysis of EAP and IEEE 802.11 PhD defense Håkon Jacobsen ... Client Access point Server Internet](https://reader035.vdocuments.us/reader035/viewer/2022062923/5f0b629c7e708231d4304231/html5/thumbnails/83.jpg)
In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part I,volume 8042 of LNCS, pages 429–448. Springer, Heidelberg,August 2013.
Florian Kohlar, Sven Schäge, and Jörg Schwenk.On the security of TLS-DH and TLS-RSA in the standard model.Cryptology ePrint Archive, Report 2013/367, 2013.http://eprint.iacr.org/2013/367.
Yong Li, Sven Schäge, Zheng Yang, Florian Kohlar, and JörgSchwenk.On the security of the pre-shared key ciphersuites of TLS.In Hugo Krawczyk, editor, PKC 2014, volume 8383 of LNCS,pages 669–684. Springer, Heidelberg, March 2014.
31 / 31 Intro AKE models EAP EAP-TLS 802.11