Replay Attack - Security Analysis of the Proposed Authentication Protocols

3.3 Security Analysis of the Proposed Authentication Protocols

3.3.5 Replay Attack

An attacker records messages of an ongoing authentication session and replays these messages in the future in an attempt to be successfully authenticated and possibly gain access to the network as a client. An attacker may replay a client’s messages to gain

access to the network, or a MAP’s messages in order to impersonate the MAP. We prevent this type of attack by using message encryption, nonces, and the security rules listed in Section 3.3.1.

3.3.5.1 Replaying Client Messages

We consider possible replay attacks on messages generated by the proposed authentication protocols.

In theloginauthentication protocol described in Section 3.2.1, an attackerAoverhears and replays a message (3) sent earlier by a clientC.

• If the MAP had successfully received the original message (3) from C, it would have saved the noncesNC1,NC2 and NC3. When the MAP receives the replayed message, it compares the nonces in the message against the saved noncesNC1,NC2 and NC3, and can detect that this is a replayed message because a new message is supposed to have new nonces and not repeated nonces (rules (R1) and (R2) in Section 3.3.1).

• If the MAP did not receive the original message (3) fromC, the MAP may accept the replayed message as a valid message (if the timer associated with the sent message (2) has not expired yet) and reply with a message (4). However, the attacker will not be able to decrypt message (4) because he does not know the private key of clientC, and thus fails to proceed to step (5) of the login authentication protocol in Section 3.2.1.(ClientC will also see message (4) sent by the MAP, assuming that

it has not timed out on the lost message, and proceed to step (5) of the protocol. In this case, the attacker actually helps instead of harming.)

In thelogin authentication protocol, an attacker may replay a message (5) of a client

• If the MAP had successfully received the original message (5) fromC, it can detect that the current message is a replayed message thanks to the repetition of nonce

N_R₂ in the message.

• If the MAP did not receive the original message (5) fromC, the MAP may accept the replayed message as a valid message and reply with a message (6). (Again, the attacker helps the client “retransmit” the lost message (5), assuming that the MAP has not timed out due to the lost message fromC.) Note that although the attacker will also receive message (6) it will not be able to access network services because that requires the knowledge of the pairwise master key (PMK) described in Section 3.2.1. The attacker does not have that knowledge because it does not possess the necessary private keys to decrypt messages (3) and (4) in order to obtain the nonces needed to compute the PMK.

In the handoverauthentication protocol presented in Section 3.2.2, an attacker cap- tures and replays a message (1) sent earlier by a clientC.

• If the MAP had successfully received the original message (1) fromC, it saved the nonce NC. When the MAP receives the replayed message, it compares the nonce

in the message against the saved nonces, and can detect that this is a replayed message because a new message is supposed to have a newly generated nonce. • If the MAP did not receive the original message (1) from C, it may accept the

replayed message as a valid message and reply with a message (2). However, the attacker will not be able to compute the correct MAC valueVKM AC(NR) because it

does not know the MAC keyK_{M AC}, and thus fails the authentication by the MAP in step (3).

Note that clientC may also receive message (2) from the MAP, if it has not timed out on the lost message, and responds with a message (3). If C does not receive message (2) before a timer expires, it re-sends a new message (1) with a different nonceN_C0.

Also in the handover authentication protocol, an attacker may replay a message (3) of a clientC.

• If the MAP had successfully received that message (3) fromC earlier, it can detect that this is a replayed message thanks to the repetition of nonceNRin the message. • If the MAP did not receive the original message (3) from C, it may accept the replayed message as a valid message. The client is then considered successfully authenticated by the MAP, assuming that the MAP receives the replayed message before it times out on the lost message. Since only the client and the MAP know the shared keyKM AC, by computing the MAC valueVK0M AC(NR) usingKM AC and

comparing it with the one in the message (3),M2 can confirm that message (3) is originated fromC, not from the attacker. Thus,M₂ has successfully authenticated clientC asC is the only client who knowsKM AC.

3.3.5.2 Replaying MAP Messages

We examine possible attack scenarios aimed at replaying MAP messages.

In the login authentication protocol described in Section 3.2.1, an attacker overhears and replays a message (4) sent earlier by a MAP R.

• If the client had successfully received the message (4) fromR, it saved the nonces

N_R₁, N_R₂ and N_R₃. When the client receives the replayed message, it compares the nonces in the message against the saved nonces, and can detect that this is a replayed message because a new message is supposed to have newly generated nonces (rules (R1) and (R2) in Section 3.3.1).

• If the client did not receive the original message (4) fromR, the client may accept the replayed message as a valid message (if the timer on the sent message (3) has not expired yet), and reply with a message (5). However, the attacker will not be able to generate the MAC valueV_K_{M AC}(N_C₂) because he does not know the MAC keyKM AC, and thus fails the authentication by the client in step (6).

Note that the MAP may also receive the replayed message correctly and proceed to step (6) of the protocol. In this case, the attacker actually helps to “retransmit” the message (4) that the MAP lost in the first place. (If R does not receive the

replayed message (5) , clientCwill time out on waiting for message (6) fromRand restart the authentication procedure.)

Also in the login authentication protocol described in Section 3.2.1, an attacker may replay a message (6) sent earlier by a MAPR.

• If client C had successfully received message (6) from R earlier, it can detect that this is a replayed message because it had received the same transfer ticket earlier. • If client C did not receive the original message (6) from the MAP, C will accept

the replayed message and consider the authentication successful (assuming thatC

receives the replayed messages before it times out on the lost message). However, the attacker will not be able to impersonate the MAP because it does not know the PMK shared by the client and the MAP, which is required for subsequent communications between the client and the MAP.

In the handoverauthentication protocol presented in Section 3.2.2, an attacker overhears and replays a message (2) sent earlier by a MAP R. If the client had successfully received the original message (2) from R earlier, it can detect that this is a replayed message thanks to the repetition of nonceNRin the message. If the client did not receive the original message (2), it may accept the replayed message as a valid message and reply with a message (3) (before it times out on the lost message). AfterCreceives the replayed message (2), it computes a MAC valueV_K0_{M AC}(NC, NR) using KM AC (a shared key between C and M2). If V_K0_{M AC}(NC, NR) =VKM AC(NC, NR), C confirms that message (2)

is originated from M2, not from the attacker. The protocol prevents the attacker from impersonatingM₂ if the attacker does not know the key K_{M AC} shared only between C

andM2. Thus, client C has succesfully authenticatedM2, who has the knowledge of the shared keyKM AC, not the attacker.

In document Efficient Security Protocols for Fast Handovers in Wireless Mesh Networks (Page 151-157)