Formal Verification of PAP and EAP-MD5 Protocols in Wireless

Formal Verification of PAP and EAP-MD5 Protocols in Wireless

Formal Verification of PAP and EAP-MD5 Protocols in Wireless Networks : FDR Model Checking Il-Gon Kim, Jin-Young Choi Dept. of Computer Science and Engineering, Korea University, Seoul, 136-701 KOREA {igkim, choi}@formal.korea.ac.kr Abstract with the state explosion problem. ESTELLE, Murphi, NRL Protocol Analyzer and FDR are examples of model check- IEEE 802.1x and authentication server based security ing tools[2]. In particular, model checking using FDR has protocols are mainly used for enhancing security of wire- been widely used in formal methods and frequently cited in less networks. In this paper, we specify PAP and EAP-MD5 the security literature, after finding man-in-the-middle at- based security protocols formally with Casper and CSP, and tack of Needham-Schroeder Public Key Protocol[3],[7]. In then verify their security properties such as secrecy and au- this paper, we specify the PAP and EAP-MD5 based se- thentication using FDR. We also show that they are vulnera- curity protocols[12] which are frequently used in 802.11, ble to the man-in-the-middle attack. Finally we discuss their using Casper[8] and CSP[3],[10]. Then we verify whether security weakness and potential countermeasures related to or not they satisfy such security properties as secrecy and PAP and EAP-MD5 protocols. authentication, using FDR model checking tool. After run- ning FDR tool, we reconfirm the existence of some known security flaws in these protocols. This paper is constructed 1 Introduction as follows. Section 2 describes IEEE 802.1x. In section 3, we provide an overview description of Casper, CSP and With the rapid growth of wireless networks, a wide range FDR respectively. Section 4 deals with access server au- of networks and applications have come into existence, so thentication. In section 5, we show PAP and EAP based se- that security solutions are needed to meet the requirements curity protocol models, which are written in Casper script. of a wide variety of customers based on IEEE 802.11 mech- In section 6, we describe the verification results obtained anism. IEEE 802.1x provides some various security proto- with these security protocol models. Finally, this paper is cols based on PPP, EAP[1] and AAA[5] servers. Analyzing concluded in section 7. a security protocol’s flaw is difficult and error-prone, but it is very important that this be done, from the viewpoint of 2 Access Server Authentication security and privacy. Many security protocols have been discussed in the academic literature, with various goals, In this paper, we assume that RADIUS is used as such as the establishment of a cryptographic key[11], or the access authentication server. RADIUS was devel- achieving authentication[2],[9]. Unfortunately, a large pro- oped by IETF AAA Working Group, to support AAA portion of the protocols which are proposed do not suc- services, which allow for the authentication, authoriza- ceed in their stated goals[2]. There have been several ap- tion and accounting of remote users in wireless net- proaches to the specification and analysis of authentication works. There are some open-source software versions(e.g. protocols. Several methods have been tried, each with their FreeRADIUS[4]), as well as commercial(e.g. Merit Net- own strengths and weaknesses. Among them, model check- works, Livingston Enterprize and Microsoft). RADIUS ing has been proven to be a very successful approach an- uses the UDP protocol, which means that it allows one alyzing security protocols. The basic approach is to make session to be opened and remain open throughout the en- a model of the protocol, together with a model of the in- tire transaction. It communicates on port 1812, not 1645. truder. This method is very efficient for exploring the state The message formats used for sending and receiving be- space of the abstraction model and finding counterexample tween client and server have several message types such states in which the security properties are violated. How- as “Access-Request”, “Access-Accept”, “Access-Reject”, ever, model checking is limited to a finite system contain- “Access-Challenge”, etc. RADIUS supports a variety of ing a small state space, as otherwise it will be confronted different protocols for transmitting credential user data to Proceedings of the 18th International Conference on Advanced Information Networking and Application (AINA’04) 0-7695-2051-0/04 $ 20.00 © 2004 IEEE “Functions”, “System” and “Intruder Information”. 3.2 CSP(Communicating Sequential Processes) CSP[6] is a process specification language specially de- signed to describe communication processes, and it can de- scribe both a pure parallelism and interleaving semantics. In CSP, the former is expressed as ‘’ and the latter as Figure 1. Access-Request packet “|”. The combination of a client, server and intruder are regarded as a process. The use of two different concurrency concepts is well suited to the description and analysis of and from the authentication server. The two most common network protocols. For example, security communication protocols are PAP(Password Authentication Protocol)[9] systems operated in distributed networks can be modeled and CHAP(Challenge Handshake Protocol[9]). In the briefly as follows. PAP authentication method, the user sends an Access- SYSTEM = (CLIENT1 ||| CLIENT2 ||| SERVER) Request packet containing his or her user name and pass- || INTRUDER word, together in one packet, to the NAS(Network Ac- cess Server)[9] but in CHAP, the user sends an Access- 3.3 FDR(Failure Divergence Refinement) Request packet including user password, but without the user name. This is the main difference between PAP and FDR is a model checking tool for state machine, with CHAP. The authentication method used with RADIUS is foundations in the theory of concurrency based on CSP. peculiar to the vendor’s specific product so that each im- This tool checks whether a security model described with plementation is slightly different. Therefore, in this pa- CSPM (Machine Readable CSP) satisfies certain security per, we analyze the vulnerability of RADIUS based on its properties such as secrecy and authentication. If the security RFC document[9] and the FreeRADIUS software package model doesn’t satisfy these properties, FDR shows coun- which is very widely used. Fig. 1 shows an example of an terexample event traces and helps to analyze which attack “Access-Request” packet sent from an authenticator(client) scenario would be most likely to happen. For the equiv- to a FreeRADIUS(server). alence checking of the specification model(safety property model) and implementation model(security system model 3 Casper, CSP and FDR paralleled with intruder model), FDR supports three re- finement checking methods. First, traces refinement can 3.1 Casper(A compiler for the Analysis of Secu- show safety property. Second, failures refinement can rep- rity Protocols) resent system’s deadlock property. Finally, failure and di- vergence can detect the livelock property. For further infor- Over the last few years, a method for analyzing security mation about Casper and CSP/FDR, the reader is referred protocol that first models communication security protocol to [3],[6],[7],[8],[10]. using CSP, then verifies its secrecy, authentication and other properties using FDR[3],[7],[8],[10]. In this method, the 4 The Specification of the PAP and EAP- main difficulty is specifying the security protocol’s behavior MD5 Protocol using CSP. Creating the description of the security model with CSP is a very error-prone and difficult task. To sim- In this paper, we describe the PAP and EAP-MD5 based plify the expression of the security protocol, and render this security protocols using Casper and CSP. To do this, we use process more error free, Casper was developed by Gavin the following terminology: “USER” means a client host that Lowe[8]. This tool enables a non-expert who is unfamiliar wishes to obtain a service from the server. “NAS” stands with CSP to express the security protocol’s behavior more for Network Access Server and it is an intermediate access easily, without being familiar with the notation used by point between the “USER” and “RADIUS”. “RADIUS” is CSP notation, using various key types, messages, security an AAA server used to authenticate, authorize and account properties and intruder knowledge descriptions contained in for specific resources provided to “USER”. Casper. In brief, Casper is a compiler that translates a more simple and concise description of a security communication 4.1 PAP Specification model into CSP code. The security process is described by means of 8 section headers, including “Free variables”, In this subsection, we illustrate the PAP specification. “Processes”, “Protocol”, “Specification”, “Variables”, Example 1 shows the user authentication procedure based Proceedings of the 18th International Conference on Advanced Information Networking and Application (AINA’04) 0-7695-2051-0/04 $ 20.00 © 2004 IEEE on PAP shown in the RFC document. S: Server rauth : Nonce Example1. User Telnet to Specified Host based on PAP passwd, shared: SessionKey 1. USER sends his or her user name(“igkim”) and f : HashFunction InverseKeys = password(“formal”) to the NAS (f,f),(passwd,passwd),(shared,shared) (“163.152.40.23”) using port 3. #Protocol description 2. NAS sends an Access-Request packet to RA- 0. -> A : B DIUS. The Access-Request packet is constructed 1.A->S:A,passwd as follows; In this example, the shared secret is 2. S -> B : S, rauth, passwd (+) defined as “shared secret”. f(rauth, shared) 3. B -> S : B, f(rauth,shared) Code = Access Request ID = 0 #Intruder Information Length = 56 Intruder = Mallory Request Authenticator = random number IntruderKnowledge = User-Name = igkim {Alice, Bob, Mallory, Sam} User-Password = XOR(formal, MD5(shared secret + request authenticator)) Example 2 shows the PAP authentication protocol writ- NAS-IP-Address = “163.152.1.16” ten in Casper script.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    6 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us