Distributing a Symmetric FMIPv6 Handover Key using SEND
Chris Brigham
Tom Wang

Security Properties
• Mobile Node Authentication
  – If honest AR finishes the protocol and believes it is talking to honest MN, then the MN believes it is talking to the AR.
• Access Router Authentication
  – If honest MN finishes the protocol and believes it is talking to honest AR, then the AR believes it is talking to the MN.
• Handover Key Secrecy
  – The intruder cannot learn the handover key until MN sends the FBU to AR.

Analysis Overview
• Full Protocol
• Deconstructed Protocols
  – Reduce signature scope
  – Remove nonce option
  – Remove CGA option

Full Protocol Model
• Request (RtSolPr)
  – MN=>AR: {CGA_MN, EPK_MN, N_MN}[Sig_MN]
• Response (PrRtAdv)
  – AR=>MN: {CGA_AR, {HK}EPK_MN, N_MN}[Sig_AR]
• Fast Binding Update
  – MN=>AR: {CGA_MN, HK}

Full Model - Results
• Attack found!
  – “Access Router authenticated” invariant fails
• Man-in-the-middle attack
  – Similar to NS problem
  – Intended destination not checked for response message
[Diagram: MN, AR, E]

Full Model – Attack Trace
• MN sends request to AR. E intercepts.
• E sends new request to AR, using MN’s nonce and handover key encryption key.
• AR sends response to E, and E forwards response to MN.
  – AR actually generated handover key for E, though E cannot read the handover key at this point.
• When MN sends FBU to AR with handover key, handover fails.

Valid Attack?
• In specification draft section 3.2:
  – “The SEND signature covers all fields in the PrRtAdv, including the 128 bit source and destination addresses …”
• Model was missing signature on source and destination addresses
• All invariants passed on revised model.

On to Decomposition
• Protocol is sufficient to enforce required security properties
• Are the features of SEND overkill for handover key distribution?

Reduced Signature Scope
• Remove source/destination addresses from the signed portion of each message
  – Decomposition is identical to the original, broken, full model.

No “Noncense”
• How will the protocol behave if signature on nonce is removed?
• Replay attack found
  – “Access Router authenticated” invariant fails

No “Noncense” – Trace
• MN and AR complete first session as usual, but E records AR’s response from previous session.
• MN reconnects to same AR.
• MN sends request for handover with new nonce. E intercepts.
• E sends MN AR’s previous response with new nonce.
• FBU fails since handover key is not valid.
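
The man-in-the-middle trace against the reduced signature scope and the replay trace against the unsigned nonce can both be replayed in a small symbolic model of MN's acceptance check. This is an added example, not the presenters' model: `pr_rt_adv`, `mn_accepts`, `mitm_trace`, `replay_trace` and the `scope` parameter are hypothetical names, the signature is modelled as an unforgeable record rather than real cryptography, and MN is assumed to reuse EPK_MN across sessions.

```python
from collections import namedtuple

# Symbolic model constructed for illustration: the signature is an unforgeable
# record of the fields it covers; E can rewrite anything outside that record.
Packet = namedtuple("Packet", "src dst nonce enc_hk signer signed")
FULL = frozenset({"src", "dst", "nonce", "enc_hk"})   # every field signed

def pr_rt_adv(ar, dst, nonce, epk, hk, scope):
    """AR builds PrRtAdv; `scope` (hypothetical) names the fields Sig_AR covers."""
    fields = {"src": ar, "dst": dst, "nonce": nonce, "enc_hk": (epk, hk)}
    signed = frozenset((k, v) for k, v in fields.items() if k in scope)
    return Packet(ar, dst, nonce, (epk, hk), ar, signed)

def mn_accepts(pkt, mn, ar, nonce, epk):
    """MN accepts if AR signed it, signed fields are unmodified, and the
    visible destination, nonce and encryption key are the ones MN expects."""
    visible = pkt._asdict()
    intact = all(visible[k] == v for k, v in pkt.signed)
    return (pkt.signer == ar and intact and pkt.dst == mn
            and pkt.nonce == nonce and pkt.enc_hk[0] == epk)

def mitm_trace(scope):
    """Full Model attack trace: AR answers E's request, E forwards to MN."""
    resp = pr_rt_adv("AR", "E", "N_MN", "EPK_MN", "HK_for_E", scope)
    forwarded = resp._replace(dst="MN")      # E rewrites the destination address
    return mn_accepts(forwarded, "MN", "AR", "N_MN", "EPK_MN")

def replay_trace(scope):
    """No-nonce trace: E replays session 1's response with session 2's nonce."""
    old = pr_rt_adv("AR", "MN", "N1", "EPK_MN", "HK_old", scope)
    replayed = old._replace(nonce="N2")      # E swaps in the fresh nonce
    return mn_accepts(replayed, "MN", "AR", "N2", "EPK_MN")

if __name__ == "__main__":
    for name, scope in [("full scope", FULL),
                        ("addresses unsigned", FULL - {"src", "dst"}),
                        ("nonce unsigned", FULL - {"nonce"})]:
        print(f"{name}: MN accepts MITM={mitm_trace(scope)}, "
              f"replay={replay_trace(scope)}")
```

A `True` result means MN accepted a response that AR did not produce for MN's current session, which is the failure of the “Access Router authenticated” invariant; each trace succeeds only when the field it targets is left out of the signature.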

Removing CGAs
• How will the protocol behave if CGAs are removed and replaced with real IPv6 addresses?
• Worst case attack found
  – Access Router authentication invariant fails
  – Mobile Node authentication invariant fails
  – Secrecy fails

Removing CGAs - Trace
• MN sends AR request for handover, but E intercepts.
• E forges the signature, creates his own handover key encryption key and nonce, and sends request to AR. E pretends to be MN.
• AR generates handover key and sends it to MN.
• E intercepts AR’s response.
• E can now issue FBU and get packets meant for MN!

Our Conclusion
• The SEND options used for handover key distribution are necessary and sufficient
• We should have known:
  – From draft, section 13.0:
  – “The authors would like to thank John C. Mitchell and Arnab Roy, of Stanford University, for their review of the design and suggestions for improving it.”

Questions?