1 © nokia mitm.ppt/ 6/2/2015 / kaisa nyberg (nrc/mnw), n.asokan (nrc/com) the insecurity of...

1 © NOKIA MitM.PPT/ 04/18/23 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM)

The Insecurity of Tunnelled Authentication Protocols

N. ASOKAN, VALTTERI NIEMI, KAISA NYBERG

Nokia Research Center


Remote MN Authentication Methods

• Two network access scenarios•Subscription based – there is a home network

•Alternative access based – there is no home network

In both cases the local authentication agent (e.g., AAAL) contacts some back-end authentication server to verify authenticity of MN



• Two cryptographic scenarios•Public key based •Secret key based

In both cases authenticity of MN is based on some secrets MN has



• At least two session key scenarios•Session credentials for MN – goal is service level session security, or session connection security with a different party

•Session connection security, e.g., communication security in link, transport and/or network layer

•…

In all cases session keys are derived as a result of successful authentication between MN and a front-end authentication agent (e.g., AAAL)


Remote MN Authentication Methods - EAP

• Extensible Authentication Protocol (EAP) is a general protocol framework that supports

• multiple authentication mechanisms • allows a back-end server to implement the actual

mechanism• authenticator simply passes authentication signaling through

• EAP was initially designed for use with PPP network access• But has been adapted by for many types of access

authentication• WLAN (IEEE 802.1X), Bluetooth, …

• And even other applications• charging, authorization

• EAP consists of • several Request/Response pairs; Requests are sent by

network• starts with EAP-Request/Identity sent by network

• ends with EAP-Success or EAP-Failure sent by network

• But drawbacks of EAP prompted attempts to secure it


• Confidentiality of the identity of the MN on the air interface

• Prevention of linking between pairs of authentication messages involving the same MN

• Confidentiality against radio interface eavesdropping for data exchanged during the authentication protocol

Existing EAP based authentication methods fail…

Privacy requirements


Different session key derivation methods

• Many legacy protocols for MN authentication• Encapsulated in EAP types

• EAP does not provide a standard way for deriving session keys that can be used for message authentication or encryption

• Examples: 1. One-time passwords – totally insecure if not

protected. Typically tunnelled through TLS. Session keys derived from TLS (proprietary to PEAP or TTLS).

2. EAP/SIM – proprietary protection methods - network authentication, session key derivation

A consistent method of session key derivation is desirable


Protecting EAP- the PEAP approach

• Designed to protect any EAP method for terminal authentication.

• Designed to protect terminal anonymity.• Authenticates network to terminal based on

public key of network.• Designed to provide mutual authentication.• Makes use of TLS as the tunnel protocol: EAP

protocol runs in TLS tunnel.• Designed to provide unified method for session

key derivation. • Session keys derived from TLS: Protection of

WLAN link is based on the same secrets as the TLS tunnel.


Protecting EAP – the PEAP approach

+-+-+-+-+-+ +-+-+-+-+-+ | | | | | | | | | Cipher- | | Cipher- | | Suite | | Suite | | | | | +-+-+-+-+-+ +-+-+-+-+-+ ^ ^ | | | | | | V V +-+-+-+-+-+ +-+-+-+-+-+ Trust +-+-+-+-+-+ | | | |<======>| | | | EAP Conver |sation | | | | |<================================>| Backend | | Client | (over PPP, | 802.11, |etc.) | Server | | | | |<=======| | | | | NAS | Keys | | | | | | | | +-+-+-+-+-+ +-+-+-+-+-+ +-+-+-+-+-+ ^ ^ | | | EAP API | EAP API | | V V +-+-+-+-+-+ +-+-+-+-+-+ | | | | | | | | | EAP | | EAP | | Method | | Method | | | | | +-+-+-+-+-+ +-+-+-+-+-+


Protecting EAP – the PIC approach

• Bootstraps IKE (JFK etc) from any EAP protocol – intended for remote access to VPN gateways

• Protects any EAP method for MN authentication• Provides MN anonymity• Authenticates network (Back-end server or its agent)

to MN• Provides unified method for credential transport • Tunnel protocol: simplified unilateral version of

ISAKMP (Layer 3)• Session credentials for IPSec SA created by Back-end

server transported to MN through the protected tunnel

• Session communication protected by the L3 tunnel – currently no protection on L2 (MAC addresses)


Protecting EAP – the PIC approach

|====| |======================| |====| AS |=====| Back-End Auth Server | || |====| || |======================| || || || || || || |====| || || |== (Optional) ===| CA | || || |====| || || ========== || (optional | Client |===|| link) ========== || || || |====| |====| GW | |====|


PIC and PEAP - Open issues

• If it can be done, at what cost and under what assumptions on the use of PK?

•DoS attacks on access network?•DoS attacks on radio interface?•Additional roundtrip necessary?•How to obtain network’s public key and link it to network’s identity?

•How can user verify network’s certificate?•What about revocation?


PEAP/AKA- How it works

Secured by TLS tunnel

2. TLS(EAP-Response/AKA-challenge (RES))

Establishing a PEAP tunnel (server authenticated)

Terminal WLAN Server

HSS

2. TLS(EAP-Response/Identity (IMSI))

1. (…, EAP-Request/Identity message, …)

2a. MAP(Send_Auth Params: IMSI) [or DIAMETER]

2b. MAP (AKA authentication quintuplets)

3. TLS(EAP-Request/AKA-challenge (RAND, AUTN))

TLS-protocol based on network certificate

AP

WLAN_Master_session_keys (based on TLS tunnel keys)


PIC EAP/AKA- How it works

Secured by PIC SA

2. PIC(CREDENTIAL-REQUEST(PKCS-10 req), EAP-Response/AKA-challenge (RES))

2c. PKCS-10 req

Establishing a PIC SA (server authenticated)

UE Au HSS CA

2. PIC(EAP-Response/Identity (IMSI))



2b. MAP (AKA authentication quintuplets) 3. PIC(EAP-Request/AKA-challenge (RAND, AUTN))

2d. cert 3. PIC(CREDENTIAL-RESPONSE(cert), EAP-Success)


PEAP/AKA- How it can fail

Secured by TLS tunnel (only server authenticated)

2. TLS(EAP-Response/AKA-challenge (RES))

Establishing a PEAP tunnel (server authenticated)

Terminal WLAN Server

HSS

2. TLS(EAP-Response/Identity (IMSI))



2b. MAP (AKA authentication quintuplets) 3. TLS(EAP-Request/AKA-challenge (RAND, AUTN))

MitM

3. RAND, AUTN

2. RES

TLS-protocol based on network certificate

IMSI_Request

IMSI

AP

WLAN_Master_session_keys (based on TLS tunnel keys)

Stolen WLAN link


PIC EAP/AKA- How it can fail

Secured by PIC SA (only server authenticated)

2. PIC(CREDENTIAL-REQUEST(PKCS-10 req), EAP-Response/AKA-challenge (RES))

2c. PKCS-10 req

Establishing a PIC SA (server authenticated)

UE Au HSS CA

2. PIC(EAP-Response/Identity (IMSI))



2b. MAP (AKA authentication quintuplets) 3. PIC(EAP-Request/AKA-challenge (RAND, AUTN))

2d. cert 3. PIC(CREDENTIAL-RESPONSE(cert), EAP-Success)

MitM

RAND, AUTN

RES

IMSI Request

IMSI


Analysis of the problem

• Inner protocol is a legacy remote client authentication protocol (EAP/SIM, EAP/AKA) –typically used also without TLS tunnelling, also without ANY tunnelling

• MitM can set up a false cellular base station to ask for IMSI and subsequently, for RES.

• Even if EAP protocol is used exclusively in tunnelled mode, authentication of tunnel relies solely upon the terminal. Terminal user may accept an unknown certificate! This is not acceptable to network operators.

• Session keys are derived from TLS Master Key generated using tunnel protocol (same key as used to create tunnel).

• Keys derived in the EAP protocol (EAP SIM or UMTS AKA Master Keys) are not used.


Impacts of failure

• Under passive (eavesdropping) attacks:• Tunneling provides some protection of user identity

– however WLAN MAC addresses are revealed anyway!

• Under active (man-in-the-middle) attacks: Tunnelled authentication protocols

• fail to protect user identity (e.g., IMSI in EAP AKA or EAP SIM)

• allow attacker to masquerade as the victim (e.g., and hijack her WLAN link)

• risk link confidentiality • with EAP SIM as auth. protocol, are weaker than

plain EAP SIM • with EAP AKA as auth. protocol, are much weaker

than plain EAP/AKA


Conditions for failure

• A tunnelled authentication protocol is insecure unless

• if the outer protocol does perform mutual authentication

• not true for PEAP in server-authenticated mode, or PIC.

• if the keys used for a particular subscription are not used in the legacy untunnelled mode (even if other subscriptions may be used in this mode)

• not true for integrated terminals (e.g., GPRS/WLAN)

• not true when the same general purpose smartcard (SIM/UICC) is used with separate single-purpose terminals (e.g., WLAN, GPRS)


Proposed solution

• Create cryptographic binding between tunneling protocol and MN authentication protocol:

METHOD 1: Use a one-way function to compute session keys from tunnel secrets (e.g.TLS master key) and EAP secrets (e.g. IK,CK).

METHOD 2: Compute a MAC over the protected EAP-response and credential request, using a MAC key derived as session key in Method 1. MAC is verified by AAAL or AAAH. Now tunnel is secure for handling of session keys or credentials.

• In both methods, EAP secrets must be sent from AAAH to AAAL (or tunnel secrets must be sent from AAAL to AAAH)

• Both methods rely on the MN authentication protocol producing a session key as well (under some assumptions, also possible to use a long-term key)


Conclusions

• Composing two secure protocols may result in an insecure protocol

• Using tunnelling to “improve” a remote authentication protocol is very common

• Known vulnerable combinations:•HTTP Digest authentication and TLS•PEAP and any EAP subtype•PIC and any EAP subtype•…

• The proposed solutions can be used to fix the problem

•the exact fix needs to be tailored to the specific protocols.

1 © nokia mitm.ppt/ 6/2/2015 / kaisa nyberg (nrc/mnw), n.asokan (nrc/com) the insecurity of...

Documents

message authentication

eap types eap

kaisa nyberg nrcmnw

end authentication server

end authentication agent

eap method

local authentication

authenticity of mn slide