A Modular Security Analysis of EAP and IEEE 802.11

Brzuska, Chris; Jacobsen, Håkon

doi:10.1007/978-3-662-54388-7_12

Cited by 9 publications

(4 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Computational security proofs for real world protocols have a long history (e.g., [11,13,14,16,27,30]). As described earlier, due to the usage of the channel key in the handshake of TLS 1.2, the ACCE model was introduced by Jager et al [23] (which was later also used in [3,6,8,9]) as a proof of key indistinguishability was impossible without considering a modified protocol variant. To further analyze the security of TLS 1.2 without client authentication, Krawczyk et al [27] and Kohlar et al [26] independently proposed a variant of the ACCE model.…”

Section: Related Workmentioning

confidence: 99%

“…In case (b), the sender's long-term DH share is encrypted under the current key k and the resulting ciphertext is hashed into h and sent to the partner (lines 12-13). 6 If (c) a DH secret is computed, the current ck together with this DH secret are given as input to an invocation of the KDF (lines 5,9,14). For each encryption during the handshake in which a key k was already computed, a ciphertext under this current key k is derived by encrypting a payload m or (if no payload exists yet) an empty string .…”

Section: Noise Protocol Patternsmentioning

confidence: 99%

See 1 more Smart Citation

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

Dowling

Rösler

Schwenk

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The Noise protocol framework is a suite of channel establishment protocols, of which each individual protocol ensures various security properties of the transmitted messages, but keeps specification, implementation, and configuration relatively simple. Implementations of the Noise protocols are themselves, due to the employed primitives, very performant. Thus, despite its relative youth, Noise is already used by large-scale deployed applications such as WhatsApp and Slack. Though the Noise specification describes and claims the security properties of the protocol patterns very precisely, there has been no computational proof yet. We close this gap. Noise uses only a limited number of cryptographic primitives which makes it an ideal candidate for reduction-based security proofs. Due to its patterns' characteristics as channel establishment protocols, and the usage of established keys within the handshake, the authenticated and confidential channel establishment (ACCE) model (Jager et al. CRYPTO 2012) seems to perfectly fit for an analysis of Noise. However, the ACCE model strictly divides protocols into two non-overlapping phases: the preaccept phase (i.e., the channel establishment) and post-accept phase (i.e., the channel). In contrast, Noise allows the transmission of encrypted messages as soon as any key is established (for instance, before authentication between parties has taken place), and then incrementally increases the channel's security guarantees. By proposing a generalization of the original ACCE model, we capture security properties of such staged channel establishment protocols flexibly-comparably to the multi-stage key exchange model (Fischlin and Günther CCS 2014). We give security proofs for eight of the 15 basic Noise patterns in the full version (EPRINT 2019/436) and exemplify them by the proof of the XK pattern in this article.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Noise Protocol Patternsmentioning

confidence: 99%

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

Dowling

Rösler

Schwenk

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…We also do not consider distinctions between e.g., the User Plane, Control Plane, Radio Resource Control, Access Stratum, and Non-Access Stratum, except where these make a difference to the 5G-AKA protocol's behaviour. We do not model the EAP-AKA protocol (described in [5, §6.1.3.1] and RFC 5448 [10]) as it and the very closely related EAP-AKA protocol have been studied in depth elsewhere [8], [14], [22]. Integrating a model of EAP-AKA into our models of 5G-AKA would be useful future work: analysing their composition would be useful and non-trivial, as EAP-AKA also makes use of the same long-term key K.…”

Section: Modelling Limitationsmentioning

confidence: 99%

Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion

Cremers

Dehnel-Wild

2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The 5G mobile telephony standards are nearing completion; upon adoption these will be used by billions across the globe. Ensuring the security of 5G communication is of the utmost importance, building trust in a critical component of everyday life and national infrastructure. We perform fine-grained formal analysis of 5G's main authentication and key agreement protocol (AKA), and provide the first models to explicitly consider all parties defined by the protocol specification. Our analysis reveals that the security of 5G-AKA critically relies on unstated assumptions on the inner workings of the underlying channels. In practice this means that following the 5G-AKA specification, a provider can easily and 'correctly' implement the standard insecurely, leaving the protocol vulnerable to a security-critical race condition. We provide the first models and analysis considering component and channel compromise in 5G, whose results further demonstrate the fragility and subtle trust assumptions of the 5G-AKA protocol. We propose formally verified fixes to the encountered issues, and have worked with 3GPP to ensure these fixes are adopted. Køien [19] proposes improvements to 4G's AKA, achieving full mutual online authentication. Previous AKA protocols delegate authority from the home network to a serving network by forwarding up to 5 irrevocable authentication vectors, allowing the home network to be offline during the challengeresponse phase of the protocol: this requires too high a level of trust between network operators, hence they propose a modified protocol which is fully online for all parties. 5G-AKA now only forwards one authentication vector at a time. Arapinis et al. [9] analyse 3G's authentication protocols, discovering attacks against the privacy and linkability of subscriber

show abstract

“…Other approaches to delegated or proxied AKE protocols exist. Composition-centric approaches, such as those of Brzuska et al [11], [10] and Jacobsen [24] capture the threeparty handshake usually deployed in WLANs (also called the 4-way-handshake protocol). The main goals of that work is to prove that a handshake consisting of three separate executions of different AKE protocols, relying on different credentials, can still yield a secure channel.…”

Section: Prototype Implementationmentioning

confidence: 99%

A Formal Treatment of Accountable Proxying Over TLS

Bhargavan

Boureanu

Delignat-Lavaud

et al. 2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Much of Internet traffic nowadays passes through active proxies, whose role is to inspect, filter, cache, or transform data exchanged between two endpoints. To perform their tasks, such proxies modify channel-securing protocols, like TLS, resulting in serious vulnerabilities. Such problems are exacerbated by the fact that middleboxes are often invisible to one or both endpoints, leading to a lack of accountability. A recent protocol, called mcTLS, pioneered accountability for proxies, which are authorized by the endpoints and given limited read/write permissions to application traffic.Unfortunately, we show that mcTLS is insecure: the protocol modifies the TLS protocol, exposing it to a new class of middlebox-confusion attacks. Such attacks went unnoticed mainly because mcTLS lacked a formal analysis and security proofs. Hence, our second contribution is to formalize the goal of accountable proxying over secure channels. Third, we propose a provably-secure alternative to soon-to-be-standardized mcTLS: a generic and modular protocol-design that carefully composes generic secure channel-establishment protocols, which we prove secure. Finally, we present a proof-of-concept implementation of our design, instantiated with unmodified TLS 1.3 draft 23, and evaluate its overheads.

show abstract

A Modular Security Analysis of EAP and IEEE 802.11

Cited by 9 publications

References 22 publications

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion

A Formal Treatment of Accountable Proxying Over TLS

Contact Info

Product

Resources

About