
6.2.2 Finite-State Verification

Beyond the intuitive approach, another powerful methodology is finite-state verification (or model checking), since it can help people understand a protocol better and find subtle problems that might otherwise be overlooked. Using the 4-Way Handshake as an example, we showed the procedure for model checking protocols with a finite-state verification tool, called Murφ. We identified the functionality of each field in the 4-Way Handshake messages, and proposed a simplified protocol that has the same authentication properties as the original one under our Murφ model.

Most significantly, we found an effective DoS attack on Message 1 of the protocol, and proposed several simple solutions.

This attack exploits the vulnerability of the unprotected Message 1 in the 4-Way Handshake. In fact, the designers and reviewers had noticed that Message 1 is vulnerable; however, the practical attack, which allows an attacker to block the handshake by simply inserting one forged message, was not apparent before our security analysis. Intuitively, 802.11i is supposed to allow only one active 4-Way Handshake at any time, and to generate a shared PTK between a corresponding supplicant and authenticator. However, we showed that the supplicant must allow multiple handshakes to execute in parallel, in order to ensure protocol completion in the presence of packet loss, and this is what enables the attack. When 802.1X authentication is implemented, the attack could be more difficult due to the PMKID and link-layer encryption, but the vulnerability still exists in the protocol.

Although it is not difficult to fix the problem, it is not obvious how to find a solution with only minor modifications to the protocol. We discussed three repairs - a random-drop queue, Message 1 authentication, and reusing the nonce. A random-drop queue of a certain size can be implemented to avoid memory exhaustion attacks without any modifications to the protocol; however, it is not very effective even with reasonable queue sizes. Message 1 authentication can resolve the vulnerability completely; however, it requires significant modification of the packet format. Our final solution, simply reusing the nonce in the supplicant until one legitimate 4-Way Handshake is completed, requires no modification to the protocol itself and eliminates the vulnerability inherently. It is even more efficient to reuse the nonce and store the received nonces and derived PTKs in combination.
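The contrast between the two supplicant designs just described, as an added example that is not part of the thesis or of any 802.11i implementation: a toy supplicant that draws a fresh SNonce for every Message 1 (and must therefore remember every pending handshake), beside one that applies the nonce-reuse repair. The PTK derivation is a simplified HMAC-SHA256 stand-in for the 802.11i PRF, and the PMK, MAC addresses and nonces are constructed values; the message framing (`msg2`/`msg3` tags) is likewise an assumption made only for this example.

```python
import hashlib
import hmac
import os
from collections import OrderedDict

# Constructed values for the example; not from the thesis or any real deployment.
PMK = hashlib.sha256(b"constructed-pmk").digest()
AA = bytes.fromhex("020000000001")   # authenticator address (constructed)
SPA = bytes.fromhex("020000000002")  # supplicant address (constructed)


def derive_ptk(pmk, anonce, snonce):
    """Simplified stand-in for the 802.11i PRF: PTK from PMK, addresses and both nonces."""
    data = (b"Pairwise key expansion" + min(AA, SPA) + max(AA, SPA)
            + min(anonce, snonce) + max(anonce, snonce))
    return hmac.new(pmk, data, hashlib.sha256).digest()


def mic(ptk, payload):
    # The first 16 bytes of the PTK play the role of the KCK that keys the EAPOL-Key MIC.
    return hmac.new(ptk[:16], payload, hashlib.sha256).digest()


class FreshNonceSupplicant:
    """Fresh SNonce per Message 1: every (ANonce -> SNonce, PTK) pair must be kept until
    Message 3 arrives, so a bounded store has to drop entries once it fills up."""

    def __init__(self, max_pending):
        self.max_pending = max_pending
        self.pending = OrderedDict()  # anonce -> (snonce, ptk)
        self.installed = None

    def on_message1(self, anonce):
        snonce = os.urandom(32)
        ptk = derive_ptk(PMK, anonce, snonce)
        if len(self.pending) >= self.max_pending:
            self.pending.popitem(last=False)  # drop the oldest pending handshake
        self.pending[anonce] = (snonce, ptk)
        return snonce, mic(ptk, b"msg2" + snonce)

    def on_message3(self, anonce, msg3_mic):
        entry = self.pending.get(anonce)
        if entry is None:  # the legitimate handshake was evicted: completion fails
            return False
        _snonce, ptk = entry
        if not hmac.compare_digest(mic(ptk, b"msg3" + anonce), msg3_mic):
            return False
        self.installed = ptk
        self.pending.clear()
        return True


class NonceReuseSupplicant:
    """The repair from the text: one SNonce is kept until a handshake completes. Since
    Message 3 carries the ANonce, the PTK can always be re-derived; the small
    (ANonce -> PTK) cache only saves recomputation and may drop entries freely."""

    def __init__(self, cache_size=4):
        self.snonce = None
        self.cache = OrderedDict()
        self.cache_size = cache_size
        self.installed = None

    def _ptk_for(self, anonce):
        ptk = self.cache.get(anonce)
        if ptk is None:
            ptk = derive_ptk(PMK, anonce, self.snonce)
            self.cache[anonce] = ptk
            if len(self.cache) > self.cache_size:
                self.cache.popitem(last=False)
        return ptk

    def on_message1(self, anonce):
        if self.snonce is None:
            self.snonce = os.urandom(32)  # reused for every Message 1 until completion
        return self.snonce, mic(self._ptk_for(anonce), b"msg2" + self.snonce)

    def on_message3(self, anonce, msg3_mic):
        if self.snonce is None:
            return False
        ptk = self._ptk_for(anonce)
        if not hmac.compare_digest(mic(ptk, b"msg3" + anonce), msg3_mic):
            return False
        self.installed = ptk
        self.snonce = None  # a new SNonce will be drawn for the next handshake
        self.cache.clear()
        return True


def run_handshake(supplicant, unrelated_message1s):
    """The legitimate authenticator sends Message 1; then `unrelated_message1s` extra
    Message 1s arrive (the unprotected-Message-1 problem); then the legitimate
    Message 3 arrives. Returns True if the supplicant completes the handshake."""
    anonce = os.urandom(32)
    snonce, _ = supplicant.on_message1(anonce)
    for _ in range(unrelated_message1s):
        supplicant.on_message1(os.urandom(32))
    ptk = derive_ptk(PMK, anonce, snonce)  # authenticator's view, from Message 2
    return supplicant.on_message3(anonce, mic(ptk, b"msg3" + anonce))
```

With a pending store of 8, the fresh-nonce supplicant completes as long as fewer than 8 unrelated Message 1s arrive in between, and fails once its legitimate entry is evicted, which is the weakness of the random-drop queue noted above; the nonce-reuse supplicant completes regardless of how many arrive, because nothing it needs for Message 3 depends on what it stored.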

6.2.3 A Modular Correctness Proof

Although several vulnerabilities were identified, our analysis is incomplete, because people could neglect some potential attacks, and finite-state verification is only capable of checking a bounded number of participants and sessions due to physical limitations.

In order to analyze the IEEE 802.11i protocols under an unbounded number of participants and sessions, we adopted the Protocol Composition Logic (PCL) to conduct a correctness proof. A divide-and-conquer strategy is used to take advantage of the modularity of 802.11i.

For the security properties, we proved mutual authentication and key secrecy for individual components - TLS session, 4-Way Handshake and Group Key Handshake.

We also analyzed the composability of these components and concluded that all these components compose securely. Since 802.11i has very complicated control flows when different failure recovery mechanisms are adopted, we developed a new composition theorem for staged composition. It follows that the components compose securely for a range of failure recovery control flows, including the improvements proposed in Chapter 2 and [41]. The general result also proves security for other configurations presented in the 802.11i specifications, including the use of a Pre-Shared Key (PSK) or a cached Pairwise Master Key (PMK). We also extended PCL to handle the memory associated with nonce reuse in the modified 4-Way Handshake and the global sequence counter in the Group Key Handshake.

For each component of 802.11i, we identified the required operating environment that other concurrent protocols in the system must satisfy to avoid destructive interaction. These insights are useful for making 802.11i implementation and deployment decisions, and they demonstrate that PCL is suitable for compositional analysis of large protocols. Since TLS is widely deployed for a variety of purposes apart from 802.11i, these results for TLS are also of independent interest.

6.2.4 Using 802.11i in Ad Hoc Routing

Since 802.11i is expected to be widely implemented in wireless devices, we analyzed the influence of 802.11i on wireless ad hoc networks. In current wireless ad hoc networks, most proposals for secure routing are very complicated, which might introduce vulnerabilities through inappropriate implementations. However, we showed that under the protection of 802.11i, it is very easy to achieve a secure routing mechanism with a few simple improvements to the common DSR protocol.

By our modular correctness proof, 802.11i can authenticate the peers and provide a secure link between neighboring nodes. Therefore, if all nodes are honest, a common routing protocol, e.g. DSR, will work well to discover routing information.

However, it is quite possible that one or several nodes are compromised or dishonest, which destroys the security of the whole routing scheme. We proposed a secure routing protocol with only slight modifications to the original DSR, and analyzed the security of the proposed protocol. Compared with designing a secure routing protocol on top of a plain network, it appears to be much easier to achieve a secure routing protocol on top of a network with confidential links among neighbors.

Furthermore, our methodology remains useful if any other link-layer security mechanism is deployed instead of 802.11i. This also corresponds to the natural way wireless ad hoc networks are constructed, because the network can expand in a scalable way as the nodes in the system accept more and more neighbors.
