bersani.ppt

D1 - 13/05/22

The present document contains information that remains the property of France Telecom. The recipient’s acceptance of this document implies his or her acknowledgement of the confidential nature of its contents and his or her obligation not to reproduce, transmit to a third party, disclose or use for commercial purposes any of its contents whatsoever without France Telecom’s prior written agreement.

France Telecom Research & Development

Network Access Control Schemes Vulnerable to Covert Channels

11/03/2004

Florent Bersani & Anne-Sophie Duserre


Transcript of bersani.ppt

1. Network Access Control Schemes Vulnerable to Covert Channels

  • 11/03/2004
  • Florent Bersani & Anne-Sophie Duserre

2. Agenda

  • Context
    • Network Access Control?
    • Covert channels?
  • Examples
    • In mobile phone networks: DECT, GSM
    • In IEEE 802.11 WLANs
  • Discussion
    • Impact
    • Solutions

4. NAC: the first line of defense

  • Network access control is about:
    • Securely verifying the identity of a device/user that wants to connect to a network
    • Checking if this device/user is indeed authorized to do so
  • Robust network access control is the key:
    • To properly defined security zones
    • To financial valuation of network access

5. NAC in a roaming situation

6. Covert channels: abusing protocols

  • A communication channel is covert if it is neither designed nor intended to transfer information at all. [Lampson73]
  • For network protocols, a covert channel is rather a communication channel that is abused to unnoticeably transfer unexpected data.
    • These channels provide venues to circumvent the policy

8. DECT

  • [Diagram: DECT Portable Part, DECT Common Interface, DECT Fixed Part, Inter-Working Unit, Local and/or Public Phone Network]

9. DECT NAC in roaming scenarios

  • $K_S = \mathrm{PRF}(K, R_S)$ & $\mathrm{RES1} = \mathrm{PRF}'(K_S, \mathrm{RAND\_F})$

10. GSM

  • [Diagram: MS, BTS, BSC, MSC, Transport Network, VLR, HLR, AuC]

11. GSM NAC in roaming situations

  • $K_C = \mathrm{PRF}(K_I, \mathrm{RAND})$ & $\mathrm{SRES1} = \mathrm{PRF}'(K_I, \mathrm{RAND})$

12. WLAN

  • [Diagram: EAP Peer, Wireless Access Point, Proxy RADIUS Server, Home RADIUS Server; roles: Peer, Pass-through Authenticator, Authentication Server]

13. WLAN NAC in roaming situations (1/2)

14. WLAN NAC in roaming situations (2/2)

  • EAP [RFC 3748] may transport EAP methods that are opaque to the Visited AS, e.g. PEAP or EAP-PSK
  • A rogue Home AS may use the communication channel it is granted with its user for purposes other than authentication!

16. Impact

  • What is the impact of the covert channel?
    • Feasibility
    • Attraction
    • Detectability
  • The covert channel we present should be taken into account
    • When signing roaming agreements
      • pricing of the authentication traffic
      • choice of appropriate EAP methods
    • When designing a threat model for WLANs

17. Solutions

  • Revert to another NAC scheme
    • Cryptography has long recognized that multi-party protocols warrant specific research
    • A thorough threat model should be determined
    • A relevant protocol should then be selected
    • Tweak the standards (Design EAP methods that may be split between the visited AS and the home AS)
  • Decrease the potential attraction of this channel
    • Make the channel uninteresting for non-authentication traffic
  • Monitor for this channel
    • Monitor the statistics of EAP dialogs
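
The last item on slide 17, monitoring the statistics of EAP dialogs, sketched as an added example that is not part of the original slides: a visited AS flags dialogs whose round-trip count or relayed byte volume is far above the norm and totals the result per home realm. The record schema, realm names, sample values and the median + 6·MAD threshold are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: one record per EAP conversation relayed by the visited AS.
# Hypothetical schema: (home realm, EAP round trips, EAP bytes relayed, outcome).
SESSIONS = [
    ("home-a.example", 6, 1900, "accept"),
    ("home-a.example", 7, 2100, "accept"),
    ("home-a.example", 6, 2000, "reject"),
    ("home-b.example", 8, 2400, "accept"),
    ("home-b.example", 7, 2200, "accept"),
    ("home-c.example", 41, 38000, "reject"),
    ("home-c.example", 37, 35500, "timeout"),
    ("home-c.example", 7, 2300, "accept"),
]

def robust_limit(values, k=6.0):
    """Upper bound = median + k * MAD; resists skew from the outliers themselves."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # avoid a zero-width band
    return med + k * mad

def flag_dialogs(sessions, k=6.0):
    """Return dialogs whose round trips or relayed bytes exceed the robust limit."""
    rt_limit = robust_limit([s[1] for s in sessions], k)
    byte_limit = robust_limit([s[2] for s in sessions], k)
    return [s for s in sessions if s[1] > rt_limit or s[2] > byte_limit]

def realm_report(sessions, k=6.0):
    """Per home realm: dialogs seen, dialogs flagged, bytes relayed without an accept."""
    flagged = set(flag_dialogs(sessions, k))
    report = defaultdict(lambda: {"dialogs": 0, "flagged": 0, "no_accept_bytes": 0})
    for s in sessions:
        realm, _, nbytes, outcome = s
        row = report[realm]
        row["dialogs"] += 1
        row["flagged"] += s in flagged
        if outcome != "accept":
            # Traffic carried for a peer that never obtained network access.
            row["no_accept_bytes"] += nbytes
    return dict(report)

if __name__ == "__main__":
    for realm, row in sorted(realm_report(SESSIONS).items()):
        print(realm, row)
```

Because the EAP method payload can be opaque to the visited AS, the check relies only on dialog length, volume and outcome, which the visited AS can always observe.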

18. Questions & Comments

20. References

  • [Lampson73] B. W. Lampson, "A Note on the Confinement Problem," Communications of the ACM, 16:10, pp. 613-615, October 1973.
  • [RFC 3748] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, Extensible Authentication Protocol (EAP), June 2004, RFC 3748