
Håkon Jacobsen

A Modular Security Analysis of EAP and IEEE 802.11

Thesis for the Degree of Philosophiae Doctor

Trondheim, October 2017

Norwegian University of Science and Technology
Faculty of Information Technology and Electrical Engineering
Department of Information Security and Communication Technology

© Håkon Jacobsen
ISBN 978-82-326-2648-9 (printed ver.)
ISBN 978-82-326-2649-6 (electronic ver.)
ISSN 1503-8181
Doctoral theses at NTNU, 2017:290
Printed by NTNU Grafisk senter

Abstract

This thesis presents a computational reduction-based security analysis of the Extensible Authentication Protocol (EAP) and the IEEE 802.11 protocol. EAP is a widely used authentication framework while IEEE 802.11 is the most commonly used standard for creating wireless local area networks (WLANs), better known as Wi-Fi. The typical use case of EAP is to allow a client on a WLAN to connect to an access point through the use of a mutually trusted server. EAP is a general framework that specifies how different sub-protocols can be combined to securely achieve this goal. IEEE 802.11 is usually one of the sub-protocols used within the EAP framework.

There are three main contributions of this thesis. The first is a modular security analysis of the general EAP framework. This includes two generic composition theorems that reflect the modular nature of EAP, and which establish sufficient criteria on its sub-protocols in order for the whole framework to be instantiated securely.

Having proven the soundness of the general EAP framework, it remains to find suitable sub-protocols that satisfy the security criteria of the composition results. Our second main contribution is a security analysis of one such concrete sub-protocol, namely the EAP-TLS protocol which is used to establish a shared key between the wireless client and the trusted server. We prove that EAP-TLS is a secure two-party authenticated key exchange protocol by presenting a generic compiler that transforms secure channel protocols into secure key exchange protocols.

Our third main contribution is a thorough security analysis of the IEEE 802.11 protocol. We study both the handshake protocol as well as the encryption algorithm used to protect the application data. On their own, our results on IEEE 802.11 apply to the usage found in wireless home networks where a key is shared between the client and access point a priori, e.g. using a password. However, by combining this with our composition theorems for the EAP framework, we also obtain a result for IEEE 802.11 in its “enterprise” variant, where the common key is instead established using a mutually trusted server.

Acknowledgments

I would like to thank my two supervisors Danilo Gligoroski and Colin Boyd for all their guidance and support throughout my studies.

Much of the work in this thesis is the result of collaboration with others. First of all, I want to thank my co-authors on the two papers on which the main parts of this thesis are based: Chris Brzuska and Douglas Stebila. I especially want to acknowledge Chris Brzuska for showing me how fun (and exhausting!) research can be, but also for being a friend, a mentor, a role-model, and in effect a third supervisor for me. Without him this thesis would simply not have been possible. Additionally, I want to thank Bogdan Warinschi and Cas Cremers for many helpful discussions.

I am also indebted to those who volunteered their time and effort into proofreading my thesis: Colin Boyd, Cristina Onete, Chris Brzuska, and Gareth Davies—I express my deepest gratitude to all of you.

A big thanks also goes to my office mates Simona Samardjiska, Britta Hale, and Chris Carr for the great company during my PhD at NTNU.

Finally, I would like to thank my family for their unwavering support and encouragement throughout the years, and last but not least, Vilde for always believing in me. Thank you.

Contents

1 Introduction
  1.1 Computational modeling of cryptographic protocols
  1.2 Content and contribution of thesis
    1.2.1 Publications
    1.2.2 Outline of thesis
2 Description of EAP and IEEE 802.11
  2.1 EAP
  2.2 IEEE 802.11
    2.2.1 IEEE 802.11 basics
    2.2.2 A brief history of security in IEEE 802.11
    2.2.3 Detailed description of the IEEE 802.11 security protocol
3 Formal models
  3.1 Notation and preliminaries
    3.1.1 Security games
    3.1.2 Concrete vs. asymptotic security
  3.2 A unified protocol execution model
    3.2.1 Protocol participants
    3.2.2 Long-term keys
    3.2.3 Protocol syntax
    3.2.4 Protocol correctness
    3.2.5 Security experiment
    3.2.6 Freshness predicates and partnering
  3.3 2P-AKE protocols and 3P-AKE protocols
    3.3.1 Comparing the three AKE security models
    3.3.2 Comparison with other models
  3.4 ACCE protocols
  3.5 Explicit entity authentication
4 Security of EAP
  4.1 Modeling EAP
    4.1.1 Client–server EAP method
    4.1.2 Server–authenticator key transport protocol
    4.1.3 Client–authenticator protocol
    4.1.4 Related work on EAP
  4.2 First composition theorem
  4.3 Second composition theorem
    4.3.1 Explicit entity authentication
    4.3.2 AKEfs security
  4.4 Application to EAP
    4.4.1 EAP without channel binding
    4.4.2 Channel binding scope
5 Security of EAP-TLS
  5.1 Motivation
    5.1.1 Related work on EAP-TLS
  5.2 TLS-like ACCE ⟹ AKE
    5.2.1 TLS-like protocols
    5.2.2 Construction
    5.2.3 Main result
  5.3 Application to EAP-TLS
    5.3.1 TLS security
    5.3.2 On the key collision resistance of the TLS KDF
6 Security of IEEE 802.11
  6.1 Summary of the IEEE 802.11 protocol
    6.1.1 Related work on IEEE 802.11
  6.2 Analyzing the 4-Way Handshake
    6.2.1 Formal modeling
    6.2.2 AKEnfs security
    6.2.3 Explicit entity authentication
    6.2.4 Security of IEEE 802.11 with upper-layer authentication
  6.3 Analyzing CCMP
    6.3.1 Description of CCMP
    6.3.2 Analysis of CCMP
  6.4 Multi-ciphersuite and negotiation security of IEEE 802.11
    6.4.1 Multi-ciphersuite security
    6.4.2 Negotiation security
7 Conclusions
  7.1 Limitations of our results
    7.1.1 Things not covered by our analysis
    7.1.2 Tightness of security reductions
  7.2 Future work and open problems
A Additional definitions
  A.1 Pseudorandom functions
  A.2 Message authentication codes
  A.3 Authenticated encryption
  A.4 Stateful authenticated encryption
B Transcript parsing rules
Bibliography

Chapter 1

Introduction

Contents
  1.1 Computational modeling of cryptographic protocols
  1.2 Content and contribution of thesis
    1.2.1 Publications
    1.2.2 Outline of thesis

Designing secure cryptographic protocols is difficult. Over the years a large number of security protocols have been proposed that later turned out to be flawed. This is mostly due to the inherent complexity of the protocols themselves, but it can also be partly ascribed to the paradigm in which they were traditionally designed. Typically, a protocol designer would start out by proposing some concrete protocol construction P. Next, the protocol would get analyzed, often revealing some flaw. The designer would then revise the original design of P to (hopefully) include a fix for the discovered flaw. The whole cycle would then repeat itself, with a new round of analysis discovering new flaws, yielding more fixes, and so on.

Over time, a body of prudent practices emerged [AN96], identifying common pitfalls when designing cryptographic protocols. However,