Distributing a Symmetric FMIPv6 Handover Key using SEND
Chris Brigham
Tom Wang
Security Properties
• Mobile Node Authentication
– If honest AR finishes the protocol and believes it is talking to honest MN, then the MN believes it is talking to the AR.
• Access Router Authentication
– If honest MN finishes the protocol and believes it is talking to honest AR, then the AR believes it is talking to the MN.
• Handover Key Secrecy
– The intruder cannot learn the handover key until MN sends the FBU to AR.
Analysis Overview
• Full Protocol
• Deconstructed Protocols
– Reduce signature scope
– Remove nonce option
– Remove CGA option
Full Protocol Model
• Request (RtSolPr)
– MN=>AR: {CGA_MN, EPK_MN, N_MN}[Sig_MN]
• Response (PrRtAdv)
– AR=>MN: {CGA_AR, {HK}EPK_MN, N_MN}[Sig_AR]
• Fast Binding Update
– MN=>AR: {CGA_MN, HK}
Full Model - Results
• Attack found!
– “Access Router authenticated” invariant fails
• Man-in-the-middle attack
– Similar to NS problem
– Intended destination not checked for response message
Full Model – Attack Trace
• MN sends request to AR. E intercepts.
• E sends new request to AR, using MN’s nonce and handover key encryption key.
• AR sends response to E, and E forwards response to MN.
– AR actually generated handover key for E, though E cannot read the handover key at this point.
• When MN sends FBU to AR with handover key, handover fails.
Valid Attack?
• In specification draft section 3.2:
– “The SEND signature covers all fields in the PrRtAdv, including the 128 bit source and destination addresses …”
• Model was missing signature on source and destination addresses
• All invariants passed on revised model.
On to Decomposition
• Protocol is sufficient to enforce required security properties
• Are the features of SEND overkill for handover key distribution?
Reduced Signature Scope
• Remove source/destination addresses from the signed portion of each message
– Decomposition is identical to the original, broken, full model.
No “Noncense”
• How will the protocol behave if signature on nonce is removed?
• Replay attack found
– “Access Router authenticated” invariant fails
No “Noncense” – Trace
• MN and AR complete first session as usual, but E records AR’s response from previous session.
• MN reconnects to same AR.
• MN sends request for handover with new nonce. E intercepts.
• E sends MN AR’s previous response with new nonce.
• FBU fails since handover key is not valid.
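The relay trace from the full model and the replay trace above can be reproduced in a small symbolic model. This is an added example, not the presenters' model: the field names, the scope tuples and the function names are assumptions, and a signature is modelled as a value E cannot forge while any field outside its scope can be rewritten in transit.

```python
# Added illustration: symbolic (Dolev-Yao style) model, no real cryptography.
# A "signature" is (signer, signed field values). E cannot forge one, but may
# rewrite any message field that the signature scope does not cover.

def sign(signer, msg, scope):
    return (signer, tuple((f, msg[f]) for f in scope))

def ar_respond(request, scope):
    """AR answers a RtSolPr: HK is encrypted to the EPK named in the request."""
    msg = {"src": "AR", "dst": request["src"], "cga": "CGA_AR",
           "enc_hk": ("HK", request["epk"]), "nonce": request["nonce"]}
    msg["sig"] = sign("AR", msg, scope)
    return msg

def mn_accepts(resp, my_nonce, scope):
    """MN's checks on a PrRtAdv that arrives at its address."""
    signer, signed = resp["sig"]
    if signer != "AR" or signed != tuple((f, resp[f]) for f in scope):
        return False                        # signature does not match fields
    return resp["dst"] == "MN" and resp["nonce"] == my_nonce

FULL = ("src", "dst", "cga", "enc_hk", "nonce")   # revised full model
NO_ADDR = ("cga", "enc_hk", "nonce")              # reduced signature scope
NO_NONCE = ("src", "dst", "cga", "enc_hk")        # nonce left unsigned

def relay_trace(scope):
    """E reuses MN's nonce and EPK in its own request, then forwards the reply."""
    e_req = {"src": "E", "epk": "EPK_MN", "nonce": "N1"}
    resp = ar_respond(e_req, scope)         # AR believes it is serving E
    resp["dst"] = "MN"                      # E readdresses the packet to MN
    return mn_accepts(resp, "N1", scope)

def replay_trace(scope):
    """E replays AR's response from an earlier session with MN's new nonce."""
    old = ar_respond({"src": "MN", "epk": "EPK_MN", "nonce": "N1"}, scope)
    old["nonce"] = "N2"                     # E swaps in the fresh nonce
    return mn_accepts(old, "N2", scope)

if __name__ == "__main__":
    for name, scope in (("FULL", FULL), ("NO_ADDR", NO_ADDR), ("NO_NONCE", NO_NONCE)):
        print(name, "relay accepted:", relay_trace(scope),
              "replay accepted:", replay_trace(scope))
```

A result of `True` means MN accepts a response that AR did not produce for MN's current session, which is the failure of the “Access Router authenticated” invariant.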
Removing CGAs
• How will the protocol behave if CGAs are removed and replaced with real IPv6 addresses?
• Worst case attack found
– Access Router authentication invariant fails
– Mobile Node authentication invariant fails
– Secrecy fails
Removing CGAs - Trace
• MN sends AR request for handover, but E intercepts.
• E forges the signature, creates his own handover key encryption key and nonce, and sends request to AR. E pretends to be MN.
• AR generates handover key and sends it to MN.
• E intercepts AR’s response.
• E can now issue FBU and get packets meant for MN!
Our Conclusion
• The SEND options used for handover key distribution are necessary and sufficient
• We should have known:
– From draft, section 13.0:
– “The authors would like to thank John C. Mitchell and Arnab Roy, of Stanford University, for their review of the design and suggestions for improving it.”
Questions?