Distributing a Symmetric FMIPv6 Handover Key using SEND
Chris Brigham
Tom Wang
Security Properties
• Mobile Node Authentication
– If honest AR finishes the protocol and believes it is talking to honest MN, then the MN believes it is talking to the AR.
• Access Router Authentication
– If honest MN finishes the protocol and believes it is talking to honest AR, then the AR believes it is talking to the MN.
• Handover Key Secrecy
– The intruder cannot learn the handover key until MN sends the FBU to AR.
Analysis Overview
• Full Protocol
• Deconstructed Protocols
– Reduce signature scope
– Remove nonce option
– Remove CGA option
Full Protocol Model
• Request (RtSolPr)
– MN=>AR: {CGA_MN, EPK_MN, N_MN}[Sig_MN]
• Response (PrRtAdv)
– AR=>MN: {CGA_AR, {HK}EPK_MN, N_MN}[Sig_AR]
• Fast Binding Update
– MN=>AR: {CGA_MN, HK}
Full Model - Results
• Attack found!
– “Access Router authenticated” invariant fails
• Man-in-the-middle attack
– Similar to NS problem
– Intended destination not checked for response message
[Figure: MN, AR, E]
Full Model – Attack Trace
• MN sends request to AR. E intercepts.
• E sends new request to AR, using MN’s nonce and handover key encryption key.
• AR sends response to E, and E forwards response to MN.
– AR actually generated handover key for E, though E cannot read the handover key at this point.
• When MN sends FBU to AR with handover key, handover fails.
Valid Attack?
• In specification draft section 3.2:
– “The SEND signature covers all fields in the PrRtAdv, including the 128 bit source and destination addresses …”
• Model was missing signature on source and destination addresses
• All invariants passed on revised model.
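Added example (not from the original slides): a small symbolic model in Python of the MN's PrRtAdv acceptance check, replaying the attack trace above with and without the source/destination addresses inside the signed fields. The function names, the `Signed` record and the placeholder strings are assumptions for illustration; signatures and encryption are modelled symbolically, not computed.

```python
from collections import namedtuple

# Symbolic signature: only `signer` can create one; `fields` is what it covers.
Signed = namedtuple("Signed", "signer fields")

def ar_respond(ar, req_src, epk, nonce, sign_addresses):
    """AR answers a verified RtSolPr and records who it issued HK to."""
    hk = ("HK", ar, req_src)                    # key bound to the requester
    body = {"cga_ar": ar, "enc_hk": ("enc", epk, hk), "nonce": nonce}
    hdr = {"src": ar, "dst": req_src}
    covered = {**body, **hdr} if sign_addresses else dict(body)
    return {"hdr": hdr, "body": body, "sig": Signed(ar, covered)}, req_src

def mn_accepts(mn, ar, epk, nonce, msg):
    """MN's acceptance check for a received PrRtAdv."""
    received = {**msg["body"], **msg["hdr"]}
    sig = msg["sig"]
    if sig.signer != ar:
        return False
    # Every signed field must equal what actually arrived on the wire.
    if any(received.get(k) != v for k, v in sig.fields.items()):
        return False
    return (msg["hdr"]["dst"] == mn
            and msg["body"]["nonce"] == nonce
            and msg["body"]["enc_hk"][1] == epk)

def run_trace(sign_addresses):
    """Replay the slide's trace; return (mn_accepted, ar_peer)."""
    mn, ar, e = "CGA_MN", "CGA_AR", "CGA_E"     # constructed placeholders
    epk_mn, n_mn = "EPK_MN", "N_MN"
    # E intercepts MN's request and sends its own, reusing EPK_MN and N_MN.
    msg, ar_peer = ar_respond(ar, e, epk_mn, n_mn, sign_addresses)
    # E forwards the response to MN, rewriting the unsigned header.
    forwarded = {**msg, "hdr": {"src": ar, "dst": mn}}
    return mn_accepts(mn, ar, epk_mn, n_mn, forwarded), ar_peer

def ar_authenticated(sign_addresses):
    """Invariant: if MN accepted, AR must believe its peer is MN."""
    accepted, ar_peer = run_trace(sign_addresses)
    return (not accepted) or ar_peer == "CGA_MN"

if __name__ == "__main__":
    for scope in (False, True):
        print("addresses signed:", scope, "invariant holds:", ar_authenticated(scope))
```

With the addresses outside the signature the forwarded response is accepted and the invariant fails; with them inside, the signed destination no longer matches the header and the MN rejects the message.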
On to Decomposition
• Protocol is sufficient to enforce required security properties
• Are the features of SEND overkill for handover key distribution?
Reduced Signature Scope
• Remove source/destination addresses from the signed portion of each message
– Decomposition is identical to the original, broken, full model.
No “Noncense”
• How will the protocol behave if signature on nonce is removed?
• Replay attack found
– “Access Router authenticated” invariant fails
No “Noncense” – Trace
• MN and AR complete first session as usual, but E records AR’s response from previous session.
• MN reconnects to same AR.
• MN sends request for handover with new nonce. E intercepts.
• E sends MN AR’s previous response with new nonce.
• FBU fails since handover key is not valid.
Removing CGAs
• How will the protocol behave if CGAs are removed and replaced with real IPv6 addresses?
• Worst case attack found
– Access Router authentication invariant fails
– Mobile Node authentication invariant fails
– Secrecy fails
Removing CGAs - Trace
• MN sends AR request for handover, but E intercepts.
• E forges the signature, creates his own handover key encryption key and nonce, and sends request to AR. E pretends to be MN.
• AR generates handover key and sends it to MN.
• E intercepts AR’s response.
• E can now issue FBU and get packets meant for MN!
Our Conclusion
• The SEND options used for handover key distribution are necessary and sufficient
• We should have known:
– From draft, section 13.0:
– “The authors would like to thank John C. Mitchell and Arnab Roy, of Stanford University, for their review of the design and suggestions for improving it.”
Questions?