July 2010 doc IEEE 802 11 100899 r

July 2010 doc. : IEEE 802. 11 -10/0899 r 0 Secure PSK Authentication Date: 2010 -07 -14 Authors: Submission Slide 1 Dan Harkins, Aruba Networks

July 2010 doc. : IEEE 802. 11 -10/0899 r 0 Abstract This presentation presents the problems with D 0. 1’s use of PSKs and a solution to them. Submission Slide 2 Dan Harkins, Aruba Networks

July 2010 doc. : IEEE 802. 11 -10/0899 r 0 What’s the Problem? • PSKs are being used for authentication in a PBSS • It is difficult to provision a “strong” PSK. – Strength is a function of entropy in the PSK. – For a character-based PSK there is approximately 1. 5 bits of entropy per character. – Generating a key suitable for use with GCM implies a character string of around 100 characters. – Humans have a hard time entering a string of 20 characters repeatedly with a low probability of error. • Weak PSKs will be used because doing otherwise is prohibitive for operators and users. – Need a robust protocol to use PSKs properly, can’t just mandate all PSKs are uniformly random binary strings of sufficient length. Submission Slide 3 Dan Harkins, Aruba Networks

July 2010 doc. : IEEE 802. 11 -10/0899 r 0 Okay, So What’s the Problem? • The PSK is leaked when used in Draft 0. 1 – Using the PSK directly in the 4 -Way Handshake has known and wellpublished problems. – A PSKID, based on a hash of the PSK, is included in beacons. • Protocols using the PSK are susceptible to an off-line dictionary attack – An attacker has all information needed to run through a dictionary of potential passwords until the correct one is found. – This attack is not detectable by legitimate members of the PBSS. • Learning the PSK allows an attacker to recover all past and future traffic. • The strength of the PSK determines the strength of the GCM key and that’s not strong enough (see previous slide). Submission Slide 4 Dan Harkins, Aruba Networks

July 2010 doc. : IEEE 802. 11 -10/0899 r 0 What’s the Solution? • A protocol that uses a PSK that is resistant to attack – Each active attack leaks a single bit of information– whether the singular guess was correct or not. Passive attack is not possible. – Probability of guessing the PSK is 1/(S-x) after x guesses of the PSK from a pool of possible PSKs of size S. – Perfect Forward Secrecy is achieved. • A protocol which can produce a cryptographically strong key suitable for use with GCM – An entropy amplifier! – The strength of the PSK does not determine the strength of the GCM key. • A protocol called SAE from the 11 s draft Submission Slide 5 Dan Harkins, Aruba Networks

July 2010 doc. : IEEE 802. 11 -10/0899 r 0 SAE • Based upon the Dragonfly key exchange. • Uses public key cryptography to produce a strong GCM key that is authenticated with a (potentially weak) PSK. • An RSNA authentication protocol for 802. 11. • Uses 802. 11 authentication frames (not data frames). • Free, open source (BSD licensed) reference implementation available: http: //sourceforge. net/projects/authsae Submission Slide 6 Dan Harkins, Aruba Networks

July 2010 doc. : IEEE 802. 11 -10/0899 r 0 References • 11 -10 -0884 -00 -00 ad-secure-psk-authentication. doc Submission Slide 7 Dan Harkins, Aruba Networks