An Attack on Aziz-Diffie Security Protocol

Mohamed A. Abdelshafy (1), Mahmoud S. Elsaholy (1), and Mohamed G. Darwish (2)
(1) Higher Technological Institute, Tenth of Ramadan City. (2) Faculty of Computers & Information, Cairo University.

ABSTRACT: In this paper, we use the Gong, Needham, and Yahalom (GNY) logic to assess the Aziz-Diffie security protocol [1]. We found that the protocol has a security flaw that may lead to a denial of service for the authorized wireless station. Accordingly, we propose a modification to the protocol that eliminates this security flaw.

Keywords: Computer Networks, Wireless LANs Security, Authentication, Logical Analysis.

1. INTRODUCTION

In areas where cabling is difficult or nearly impossible to install, as well as expensive, Wireless Local Area Networks (WLANs) are a definite option. In the past several years a wide span of network architectures has been developed by over 20 WLAN vendors, with data rates ranging from 1 to 20 Mbps [2]. There are two major types of WLANs: radio-based WLANs and infrared-based WLANs.

i) Radio-Based WLANs

The most widely sold wireless LAN products use radio waves as the medium between computers and peripherals. Wireless network products are authorized to operate in the Industrial, Scientific, and Medical (ISM) bands. An advantage of radio waves over the other forms of wireless connectivity is that they propagate through walls and other obstructions with fairly little
attenuation. With radio-LAN products, a user with a portable computer can move freely while accessing data from a server or running an application [3]. A disadvantage of using radio waves, however, is that an organization must manage the radio waves along with other electromagnetic propagation by determining whether potential interference is present before installing a radio-based LAN. Because radio waves penetrate walls, security may also be a problem: unauthorized people outside the controlled areas could receive sensitive information.

Almost all radio-based WLANs use spread spectrum technology, in one of two modes: Direct Sequence Spread Spectrum and Frequency Hopping Spread Spectrum.

Direct Sequence Spread Spectrum combines the data signal at the sending station with a higher-rate bit sequence referred to as a chipping code; the ratio of the chip rate to the data rate is the processing gain. When this combined signal is modulated and transmitted, it occupies (and is said to be spread over) a proportionately wider frequency band than the original source data bandwidth, which makes the signal appear as noise to other users of the same frequency band. A high processing gain increases the signal's resistance to interference. The minimum linear processing gain that the FCC allows is 10, and most products operate under 20. The IEEE 802.11 Working Group has set its minimum processing gain requirement at 11 [3].

Frequency Hopping Spread Spectrum seems to be the wireless industry's choice [4]. Frequency hopping takes the data signal and modulates it with a carrier signal that hops from frequency to frequency as a function of time (about every 500 ms) over a wide band of frequencies [4]. A hopping code determines the frequencies on which the radio will transmit and in which order. The frequency hopping technique provides a weak form of security because the hopping sequence is hard to trace [5]; this is obscurity rather than cryptographic protection, since the hop sets of standard products are public.
It also reduces interference because the propagation from narrow band systems will only affect the spread spectrum signal when it is using the frequency of the narrow band signal. Thus, the aggregate interference will be very low, resulting in little or no bit errors. According to the IEEE 802.11 standard, frequency hopping spread spectrum WLANs have a data rate of 1-2 Mbps [5].

ii) Infrared-Based WLANs

Infrared light is an alternative to using radio waves for wireless LAN interconnectivity. Infrared-based WLANs are aimed at relatively confined indoor areas. There are three types of infrared-based WLANs:

Point-to-Point: Used in areas where a direct line of sight is available between two stations [5]. The typical range is 0.5 miles with a data rate of 10 Mbps [6].
Focused Beam: Slightly divergent infrared beams are reflected off surfaces such as walls and ceilings [5]. The typical range is 300 feet with a data rate of 1-2 Mbps [6].
Diffused: A more divergent infrared beam is used. Again, walls and ceilings act as reflective surfaces [5]. The typical range is 20 feet with a data rate of 1-2 Mbps [6].

In comparison to radio waves, infrared light offers higher degrees of security and performance. These LANs are more secure because infrared light does not propagate through opaque objects, such as walls, keeping the data signals contained within a room or building. Also, common noise sources such as microwave ovens and radio transmitters will not interfere with the light signal. In terms of performance, infrared light has a great deal of bandwidth, making it possible to operate at very high data rates. Infrared light, however, is not as suitable as radio waves for mobile applications because of its limited coverage.

Regardless of the communication links of the WLANs, they are more vulnerable to active and passive attacks than their wired counterparts. Consequently, a significant requirement for WLANs published by the US Government [7] is security. According to these requirements, the following security features are to be provided:

Confidentiality
Integrity
Authentication
Availability
Accountability

WLANs are expected to constitute one of the largest segments in the market for wireless products [8]. Security is a critical issue in WLANs, both for the users and the providers of such systems. Although the same may be said for wired LANs, wireless LANs have special requirements and vulnerabilities, and are therefore of special concern. The protocols used at the start of a communications session are known as authentication protocols or key establishment protocols.
The goals of these protocols typically include verifying that the identity of some party involved is the same as that claimed, and establishing a session key for use with chosen cryptographic algorithms to secure the subsequent session. Most cryptographic protocols are designed to function under very adverse conditions [9]. In general, it is assumed that the intruder has complete control of all communication channels, and thus can read all traffic, destroy or alter traffic, and generate traffic of its own. It is also usually assumed that some principals are cooperating with the intruder, and thus the intruder will be able to perform operations, such as encryption, that are available to honest users of the network.

The rest of this paper is organized as follows. Section 2 describes the Aziz-Diffie security protocol and its advantages and disadvantages. Section 3 uses logical analysis to assess the protocol and determine its security flaw, and provides a modification that overcomes this flaw. Section 4 concludes the paper.

2. AZIZ-DIFFIE SECURITY PROTOCOL

The Aziz-Diffie security protocol [1] was proposed in 1994. The design goals of the protocol are to allow both ends of the wireless link (the wireless station and the base station) to mutually authenticate each other, and to efficiently establish a shared session key during authentication. The protocol uses public key and shared key cryptography to achieve authenticity and privacy respectively. The protocol also uses a challenge-response system for authentication. Each participant in the protocol generates a public key/private key pair. The private key is kept securely by the owner of the key pair. The public key is submitted over an authenticated channel to a trusted Certification Authority (CA). The CA then issues a certificate to that participant which contains a binding between the public key and a logical identifier of the machine, in the form of a document digitally signed using the CA's private key. The most important part of a certificate is the machine public key, so we neglect the rest of the certificate components in the protocol representation. The certificate contents are the following information:

{Serial Number, Validity Period, Machine Name, Machine Public Key, CA Name}
and the certificate is issued as follows:

$$Cert = \{\text{Certificate contents},\ \{H(\text{Certificate contents})\}_{K_s^{-1}}\}$$

where $K_s^{-1}$ is the CA's private key.

2.1. PROTOCOL DESCRIPTION

In the following, $SKCS_{list}$ denotes a list of Shared-Key CryptoSystem algorithms supported by the wireless station, and $SKCS_{chosen}$ the particular algorithm selected by the base station from that list. The selected algorithm is subsequently employed for encryption of data once the protocol is completed and a session key is established between the wireless station A and the base station B. The protocol runs as follows:

1. $A \to B : Cert_A,\ N_a,\ SKCS_{list}$
2. $B \to A : Cert_B,\ SKCS_{chosen},\ \{R_B\}_{K_a},\ \{H(N_a, \{R_B\}_{K_a}, SKCS_{list}, SKCS_{chosen})\}_{K_b^{-1}}$
3. $A \to B : \{R_A\}_{K_b},\ \{H(\{R_A\}_{K_b}, \{R_B\}_{K_a})\}_{K_a^{-1}}$
Here $K_s$ and $K_s^{-1}$ are the public and private keys of the certifying authority S. The public keys of A and B are denoted $K_a$ and $K_b$; the corresponding private keys are $K_a^{-1}$ and $K_b^{-1}$. $Cert_A$ and $Cert_B$ denote the public-key certificates of A and B. $N_a$ is a challenge generated by A; $R_A$ and $R_B$ denote the two halves of the session key chosen by A and B respectively. The session key is $K_{ab} = R_A \oplus R_B$, where $\oplus$ denotes the XOR operation.

The base, upon receipt of the first message, attempts to verify the signature on $Cert_A$. A valid signature establishes that the public key in the certificate belongs to a certified wireless station, but at this point the base does not know whether the certificate actually belongs to the wireless station that submitted it. If the certificate is not valid, the base rejects the connection attempt. If the certificate is valid, the base replies with its own certificate, a random number $R_B$ encrypted under the public key $K_a$ of the wireless station, and the shared key cryptosystem (SKCS) that the base chose out of the list presented by the wireless station. The base saves $R_B$ internally for later use. For purposes of computing the message signature, the base adds both the challenge value $N_a$ and the list of shared key cryptosystems to the message that it sends out.

The wireless station, upon receipt of the second message, validates the certificate $Cert_B$ of the base. If the certificate is valid, the wireless station verifies the signature on the message under the public key $K_b$ of the base. The signature is verified by taking the base's message and appending to it $N_a$ and the list of shared key algorithms that the wireless station sent in the first message. Including the list in the signed data allows the first message to be sent unsigned: if an attacker weakens the list of shared key algorithms by jamming the original message and injecting his own list, the wireless station detects this on receipt of the second message. Note that the signature covers $N_a$ and the list, but not $Cert_A$. If the signature matches, the base is deemed authentic. Otherwise the base is deemed an impostor, or the original message is suspected of having been tampered with, and the wireless station aborts the connection attempt.

The wireless station obtains $R_B$ by decrypting the third component of the second message under its own private key. It then generates another random number $R_A$ and uses $R_A \oplus R_B$ as the session key. To complete the authentication phase and to communicate the second half of the key $R_A$ to the base, the wireless station encrypts $R_A$ under $K_b$ and sends it in a message together with the encrypted $R_B$ value it obtained in the second message. The inclusion of the encryption of $R_B$ in the third message serves to authenticate the wireless station, because a signature is computed over it using the station's private key.

The base, upon receipt of the third message, verifies the signature on the message using $K_a$ obtained from $Cert_A$ in the first message. If the signature verifies, the wireless station is deemed an authentic host. Otherwise the wireless station is deemed an intruder and the base rejects the connection attempt. Prior to entering the data transfer phase, the base decrypts the encryption of $R_A$ using its own private key and likewise uses $R_A \oplus R_B$ as the session key. Fig. 1 illustrates the message exchange in the Aziz-Diffie protocol.
FIGURE 1. AZIZ-DIFFIE SECURITY PROTOCOL (message exchange between Wireless Station A and Base Station B):

$A \to B : Cert_A,\ N_a,\ \text{List of SKCS}$
$B \to A : Cert_B,\ \text{Chosen SKCS},\ \{R_B\}_{K_a},\ \{H(N_a, \{R_B\}_{K_a}, \text{List of SKCS}, \text{Chosen SKCS})\}_{K_b^{-1}}$
$A \to B : \{R_A\}_{K_b},\ \{H(\{R_A\}_{K_b}, \{R_B\}_{K_a})\}_{K_a^{-1}}$

2.2. PROTOCOL FEATURES

An important advantage of the Aziz-Diffie protocol is that the session key is constructed from two random values as $R_A \oplus R_B$ (as opposed to simply using $R_A$ as the key). This limits the damage that can occur if the private key of one of the parties gets compromised. Another advantage of the protocol is that the signature on the second message serves three distinct purposes: it authenticates the second message, it is the response to the challenge in the first message, and it authenticates the first message (by including the list of SKCSs in the signed data). This minimizes the (computationally expensive) use of the public key cryptosystem, thereby optimizing the protocol to run on platforms with limited computational resources.

The computationally expensive part of a public key cryptosystem is typically the private key operation. Public key cryptosystems such as RSA typically pick the keys (a small public exponent) so that signature verification and public key encryption are cheap. Therefore, in order to assess the efficiency of the protocol, we count the total number of private key operations. The wireless station performs two private key operations, the first to decrypt $R_B$ and the second to sign the third message. The base also performs two
private key operations, the first to sign the second message and the second to decrypt $R_A$ from the third message. Thus, the total number of computationally expensive (private key) operations is four. This is a major disadvantage of the protocol.

3. THE PROTOCOL LOGICAL ANALYSIS AND MODIFICATION

Next, we use GNY logical analysis [10] to determine the security flaw of the protocol and propose the proper modification to overcome it.

The second message is mapped to an assertion that B once said that $R_B$ is a good half key for communication between A and B. But how does A arrive at this fact? A decrypts the encrypted part of the message and verifies that it has a recognizable format. From the format, and from the fact that it was encrypted with A's key, A concludes that the message was intended for itself and that it is a message saying that $R_B$ is a good half key for communication between A and B. A also verifies the signature on the encrypted message, so that it knows that B sent the message. Now A is able to conclude that it was B who said that $R_B$ is a good half key for communication between A and B.

We found that a key drawback of the protocol is that the wireless station A cannot distinguish whether the sender of the second message is the base station or an intruder. In this case, one can mount the following attack, where I is an intruder and $I_X$ denotes the intruder impersonating X:

1. $A \to B : Cert_A,\ N_a,\ SKCS_{list}$
2. $I_C \to B : Cert_C,\ N_a,\ SKCS_{list}$
3. $B \to C : Cert_B,\ SKCS_{chosen},\ \{R_B\}_{K_c},\ \{H(N_a, \{R_B\}_{K_c}, SKCS_{list}, SKCS_{chosen})\}_{K_b^{-1}}$
4. $I_B \to A : Cert_B,\ SKCS_{chosen},\ \{R_B\}_{K_c},\ \{H(N_a, \{R_B\}_{K_c}, SKCS_{list}, SKCS_{chosen})\}_{K_b^{-1}}$
5. $A \to B : \{R_A\}_{K_b},\ \{H(\{R_A\}_{K_b}, \{R_B\}_{K_c})\}_{K_a^{-1}}$

An intruder C intercepts the first message of the protocol and sends to B the nonce $N_a$ and the SKCS list from the intercepted message, combined with the intruder's own certificate $Cert_C$. After receiving the response, the intruder plays the role of B and forwards the message received from B to A. A checks the signature and concludes that the message is fresh, since the signed data includes the nonce $N_a$ that A itself generated in the current session. A then applies its private key to $\{R_B\}_{K_c}$ to obtain $\{\{R_B\}_{K_c}\}_{K_a^{-1}}$, which it takes to be the half key. B, which believes it is talking to C, cannot verify the signature on the fifth message under $K_c$ and rejects the connection. We note that this attack results at worst in a denial of service.

We deduce that, in order to operate this security protocol properly, we must add a new assumption that A recognizes the format of $R_B$ (i.e. $A \mid\equiv \phi(R_B)$), a condition missing from the original protocol whose absence permits the above intrusion. We formally prove the need for this new assumption as follows:
The GNY message interpretation rule I4 states that the wireless station A believes that the base station B once said the signed part of the second message if all of the following conditions hold: (1) A sees this message encrypted with B's private key; (2) A possesses the corresponding public key of B; (3) A believes that this public key is B's; (4) A believes that this message is recognizable, which is the dominant condition in our proof. Writing the signed hash without the SKCS fields for brevity:

$$\frac{A \triangleleft \{H(N_a, \{R_B\}_{K_a})\}_{K_b^{-1}},\quad A \ni K_b,\quad A \mid\equiv \stackrel{K_b}{\mapsto} B,\quad A \mid\equiv \phi(H(N_a, \{R_B\}_{K_a}))}{A \mid\equiv B \mid\!\sim H(N_a, \{R_B\}_{K_a})}$$

But the GNY recognizability rule R5 states that A believes that the one-way function of the second message is recognizable only if A believes that this message is recognizable and A also possesses it:

$$\frac{A \mid\equiv \phi(N_a, \{R_B\}_{K_a}),\quad A \ni (N_a, \{R_B\}_{K_a})}{A \mid\equiv \phi(H(N_a, \{R_B\}_{K_a}))}$$

And the GNY recognizability rule R1 states that A believes that it can recognize the components $(N_a, \{R_B\}_{K_a})$ of the second message if A believes that it can recognize the component $\{R_B\}_{K_a}$:

$$\frac{A \mid\equiv \phi(\{R_B\}_{K_a})}{A \mid\equiv \phi(N_a, \{R_B\}_{K_a})}$$

Thus, to satisfy the recognizability of this component, the GNY recognizability rule R3 states that A believes that the encryption of $R_B$ under the public key $K_a$ is recognizable if A believes that $R_B$ is recognizable and A possesses the public key $K_a$:

$$\frac{A \mid\equiv \phi(R_B),\quad A \ni K_a}{A \mid\equiv \phi(\{R_B\}_{K_a})}$$
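To tie the derivation to running code, the following is an added worked example (not part of the paper and not the authors' code) that models the exchange of Section 2, the interleaving attack of Section 3 and the recognizability check just derived, with the certification authority, the wireless station A, the base station B and the intruder C simulated in one process. Textbook RSA on fixed Mersenne primes, a SHA-256 digest truncated to 64 bits, the SKCS names and the half-key format prefix `TAG` are all constructed stand-ins chosen for this example (not secure, and not the paper's parameters); the `Station` class and the `honest_run` and `attack` functions are this example's own names.

```python
"""Toy model of the Aziz-Diffie exchange, the Section 3 attack and the proposed
recognizability check (added example, not the paper's code). Textbook RSA on fixed
Mersenne primes and a 64-bit truncated SHA-256 are constructed stand-ins: NOT secure."""
import hashlib
import secrets

E = 65537                                   # small public exponent: cheap public-key ops
TAG = 0xAD1F                                # constructed format prefix for half keys, A |≡ φ(R_B)
SKCS_LIST = ("DES", "IDEA")                 # constructed SKCS list offered by the station
PRIMES = {"A": (89, 19), "B": (107, 17), "C": (127, 13)}   # Mersenne exponents per party


def rsa_keygen(p, q):                       # textbook RSA: public (e, n), private (d, n)
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)


def rsa(key, m):                            # {m}_key: one exponentiation for encrypt/decrypt/sign
    k, n = key
    return pow(m, k, n)


def H(*parts):                              # hash truncated to 64 bits so it is below every modulus
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(digest[:8], "big")


S_PUB, S_PRIV = rsa_keygen((1 << 61) - 1, (1 << 31) - 1)   # certification authority S


def issue_cert(name, pub):                  # Cert_X = (contents, {H(contents)}_{K_s^-1})
    return ((name, pub), rsa(S_PRIV, H((name, pub))))


def verify_cert(cert):
    return rsa(S_PUB, cert[1]) == H(cert[0])


def verify_sig(pub, sig, *signed):
    return rsa(pub, sig) == H(*signed)


def half_key(recognizable):                 # R = TAG || random64 when the format assumption holds
    r = secrets.randbits(64)
    return (TAG << 64) | r if recognizable else r


def recognizable(r):
    return (r >> 64) == TAG


class Station:                              # one class serves A, B and the intruder C
    def __init__(self, name):
        p, q = ((1 << k) - 1 for k in PRIMES[name])
        self.pub, self.priv = rsa_keygen(p, q)
        self.cert = issue_cert(name, self.pub)

    def msg1(self):                         # A -> B : Cert_A, N_a, SKCS_list
        self.na = secrets.randbits(64)
        return (self.cert, self.na, SKCS_LIST)

    def msg2(self, m1, recognizable_rb=False):
        # B -> A : Cert_B, chosen, {R_B}_{K_a}, {H(N_a, {R_B}_{K_a}, list, chosen)}_{K_b^-1}
        cert_a, na, skcs_list = m1
        if not verify_cert(cert_a):
            raise ValueError("B: bad certificate")
        self.peer_pub = cert_a[0][1]        # public key taken from whatever certificate arrived
        self.rb = half_key(recognizable_rb)
        enc_rb, chosen = rsa(self.peer_pub, self.rb), skcs_list[0]
        return (self.cert, chosen, enc_rb, rsa(self.priv, H(na, enc_rb, skcs_list, chosen)))

    def msg3(self, m2, check_format=False):
        # A -> B : {R_A}_{K_b}, {H({R_A}_{K_b}, {R_B}_{K_a})}_{K_a^-1}
        cert_b, chosen, enc_rb, sig = m2
        kb = cert_b[0][1]
        if not (verify_cert(cert_b) and verify_sig(kb, sig, self.na, enc_rb, SKCS_LIST, chosen)):
            raise ValueError("A: base signature failed")
        rb = rsa(self.priv, enc_rb)         # garbage if enc_rb was not produced under K_a
        if check_format and not recognizable(rb):
            raise ValueError("A: half key has unrecognizable format")
        ra = half_key(check_format)
        self.session_key = ra ^ rb
        enc_ra = rsa(kb, ra)
        return (enc_ra, rsa(self.priv, H(enc_ra, enc_rb)))

    def finish(self, m3, enc_rb):           # B checks message 3 under the key from message 1
        enc_ra, sig = m3
        if not verify_sig(self.peer_pub, sig, enc_ra, enc_rb):
            raise ValueError("B: station signature failed")
        self.session_key = rsa(self.priv, enc_ra) ^ self.rb


def honest_run(check_format=False):
    a, b = Station("A"), Station("B")
    m2 = b.msg2(a.msg1(), check_format)
    b.finish(a.msg3(m2, check_format), m2[2])
    return a.session_key == b.session_key


def attack(check_format=False):
    """Intruder C replays A's (N_a, list) under Cert_C and forwards B's reply to A."""
    a, b, c = (Station(x) for x in "ABC")
    _, na, lst = a.msg1()                               # message 1, intercepted by C
    m2 = b.msg2((c.cert, na, lst), check_format)        # messages 2-3: B encrypts R_B under K_c
    try:
        m3 = a.msg3(m2, check_format)                   # message 4: B's signature over N_a verifies
    except ValueError as exc:
        return "detected by A: " + str(exc)
    try:
        b.finish(m3, m2[2])                             # message 5: B expects C's signature, not A's
    except ValueError:
        return "accepted by A, rejected by B: denial of service"
    return "session established"
```

Calling `attack(False)` reproduces the paper's outcome: A accepts the forwarded message because B's signature over $N_a$ verifies, derives garbage from $\{R_B\}_{K_c}$ and sends message 5, which B (expecting C's signature) rejects, so no session is established. With `check_format=True` A applies the added assumption $A \mid\equiv \phi(R_B)$ and aborts as soon as the decrypted half key fails the format check, before signing anything. In a real implementation this recognizability comes from the padding of the public-key encryption scheme (an RSA-OAEP decryption under the wrong key fails its integrity check), which is the practical form of the paper's assumption.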
Based on the above analysis, we suggest modifying the original protocol by adding the assumption that A recognizes the format of $R_B$ to overcome the security flaw introduced above.

4. CONCLUSIONS

We used the GNY logic to analyze the Aziz-Diffie security protocol. We found that the protocol has a security flaw: the wireless station A cannot distinguish the identity of the sender of the second message. This flaw may lead to a denial of service for the authorized wireless station. To overcome this security flaw, we suggested that the wireless station A recognize the format of the half key sent by the base station B. This means that the wireless station A believes that the base station B once said the second message.

REFERENCES

[1] A. Aziz and W. Diffie, “Privacy and Authentication for Wireless Local Area Networks”, IEEE Personal Communications, Vol. 1, No. 1, 1994, pp. 25-31.
[2] C.J. Mathias, “Wireless LANs: The Top 10 Challenges”, Business Communications Review, Vol. 24, No. 8, 1994, pp. 42-45.
[3] J. Geier, Wireless Networking Handbook, New Riders, first edition, 1996.
[4] L. Marion, “A New Standard Brings Wireless LANs to Market”, Electronic Business Buyer, Vol. 21, No. 1, 1995, pp. 39-42.
[5] A. Flatman, “Wireless LANs: Development in Technology and Standards”, Computing & Control Engineering Journal, Vol. 5, No. 5, 1994, pp. 219-224.
[6] S. Dastangoo, R. Eftekari, H. Tran, “Wireless LAN Technologies and Applications”, MILCOM ’93, 1993, pp. 497-501.
[7] Federal Wireless Policy Committee, “Current and Future Functional Requirements for Federal Wireless Services in the United States”, 1994.
[8] K. Pahlavan and A.H. Levesque, Wireless Information Networks, Wiley, 1995.
[9] A.M. Basyouni and S.E. Tavares, “Public Key versus Private Key in Wireless Authentication Protocols”, Proceedings of the Canadian Workshop on Information Theory, 1997, pp. 41-44.
[10] L. Gong, R. Needham, and R. Yahalom, “Reasoning about Belief in Cryptographic Protocols”, Proceedings of the 1991 IEEE Symposium on Research in Security and Privacy, 1991, pp. 234-248.
[11] M. Burrows, M. Abadi, and R. Needham, “A Logic of Authentication”, ACM Transactions on Computer Systems, Vol. 8, No. 1, 1990, pp. 18-36.
[12] W. Diffie and M.E. Hellman, “New Directions in Cryptography”, IEEE Transactions on Information Theory, Vol. IT-22, No. 6, 1976, pp. 644-654.
[13] J. Clark, “Attacking Authentication Protocols”, High Integrity Systems, Vol. 1, No. 5, 1996.
[14] R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung, “Systematic Design of a Family of Attack-Resistant Authentication Protocols”, IEEE Journal on Selected Areas in Communications, Vol. 11, No. 5, 1993, pp. 679-693.
[15] G. Lowe, “Some New Attacks upon Security Protocols”, Information Processing Letters, 1996.
[16] W. Mao and C. Boyd, “Towards Formal Analysis of Security Protocols”, Proceedings of the Computer Security Foundations Workshop VI, IEEE Computer Society Press, 1993, pp. 147-158.
[17] C.A. Meadows, “Applying Formal Methods to the Analysis of a Key Management Protocol”, Journal of Computer Security, Vol. 1, No. 1, 1992, pp. 5-35.
[18] B. Schneier, Applied Cryptography, second edition, John Wiley & Sons, 1996.
[19] W. Stallings, Cryptography and Network Security: Principles and Practice, second edition, Prentice-Hall, 1999.