Distributing a Symmetric FMIPv6 Handover Key using SEND

Chris Brigham, Tom Wang


Transcript of Distributing a Symmetric FMIPv6 Handover Key using SEND

Page 1: Distributing a Symmetric FMIPv6 Handover Key using SEND

Distributing a Symmetric FMIPv6 Handover Key using SEND

Chris Brigham

Tom Wang

Page 2: Distributing a Symmetric FMIPv6 Handover Key using SEND

Security Properties

• Mobile Node Authentication

– If honest AR finishes the protocol and believes it is talking to honest MN, then the MN believes it is talking to the AR.

Page 3: Distributing a Symmetric FMIPv6 Handover Key using SEND

Security Properties

• Access Router Authentication

– If honest MN finishes the protocol and believes it is talking to honest AR, then the AR believes it is talking to the MN.

Page 4: Distributing a Symmetric FMIPv6 Handover Key using SEND

Security Properties

• Handover Key Secrecy

– The intruder cannot learn the handover key until MN sends the FBU to AR.

Page 5: Distributing a Symmetric FMIPv6 Handover Key using SEND

Analysis Overview

• Full Protocol

• Deconstructed Protocols

– Reduce signature scope

– Remove nonce option

– Remove CGA option

Page 6: Distributing a Symmetric FMIPv6 Handover Key using SEND

Full Protocol Model

Page 7: Distributing a Symmetric FMIPv6 Handover Key using SEND

Full Protocol Model

• Request (RtSolPr)

– MN=>AR: {CGA_MN, EPK_MN, N_MN}[Sig_MN]

Page 8: Distributing a Symmetric FMIPv6 Handover Key using SEND

Full Protocol Model

• Request (RtSolPr)

– MN=>AR: {CGA_MN, EPK_MN, N_MN}[Sig_MN]

• Response (PrRtAdv)

– AR=>MN: {CGA_AR, {HK}EPK_MN, N_MN}[Sig_AR]

Page 9: Distributing a Symmetric FMIPv6 Handover Key using SEND

Full Protocol Model

• Request (RtSolPr)

– MN=>AR: {CGA_MN, EPK_MN, N_MN}[Sig_MN]

• Response (PrRtAdv)

– AR=>MN: {CGA_AR, {HK}EPK_MN, N_MN}[Sig_AR]

• Fast Binding Update

– MN=>AR: {CGA_MN, HK}

Page 10: Distributing a Symmetric FMIPv6 Handover Key using SEND

Full Model - Results

• Attack found!

– “Access Router authenticated” invariant fails

• Man-in-the-middle attack

– Similar to NS problem

– Intended destination not checked for response message

[Diagram: MN, AR, E]

Page 11: Distributing a Symmetric FMIPv6 Handover Key using SEND

Full Model – Attack Trace

• MN sends request to AR. E intercepts.

• E sends new request to AR, using MN’s nonce and handover key encryption key.

• AR sends response to E, and E forwards response to MN.

– AR actually generated handover key for E, though E cannot read the handover key at this point.

• When MN sends FBU to AR with handover key, handover fails.

Page 12: Distributing a Symmetric FMIPv6 Handover Key using SEND

Valid Attack?

Page 13: Distributing a Symmetric FMIPv6 Handover Key using SEND

Valid Attack?

• In specification draft section 3.2:

– “The SEND signature covers all fields in the PrRtAdv, including the 128 bit source and destination addresses …”

• Model was missing signature on source and destination addresses

• All invariants passed on revised model.

Page 14: Distributing a Symmetric FMIPv6 Handover Key using SEND

On to Decomposition

• Protocol is sufficient to enforce required security properties

• Are the features of SEND overkill for handover key distribution?

Page 15: Distributing a Symmetric FMIPv6 Handover Key using SEND

Reduced Signature Scope

• Remove source/destination addresses from the signed portion of each message

– Decomposition is identical to the original, broken, full model.
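The effect of the signature scope discussed on the "Valid Attack?" and "Reduced Signature Scope" pages can be reproduced with a small symbolic model. This is an added example, not the authors' model or code from the draft: it performs no real cryptography, and the names `AccessRouter`, `mn_accepts`, `run` and the string labels are assumptions made for illustration.

```python
from collections import namedtuple

# Symbolic model: no real cryptography. Signed records who signed which fields;
# Enc records which public key a payload was encrypted under.
Signed = namedtuple("Signed", "signer fields")
Enc = namedtuple("Enc", "key payload")

class AccessRouter:
    def __init__(self, name, sign_addresses):
        self.name, self.sign_addresses = name, sign_addresses
        self.keys = {}                      # requester CGA -> handover key

    def handle_rtsolpr(self, req):
        cga, epk, nonce = req.fields
        if req.signer != cga:               # CGA ties the address to the signer
            return None
        hk = f"HK-{len(self.keys) + 1}"
        self.keys[cga] = hk
        fields = {"cga_ar": self.name, "enc_hk": Enc(epk, hk), "nonce": nonce}
        if self.sign_addresses:             # revised model: addresses are signed
            fields.update(src=self.name, dst=cga)
        return Signed(self.name, fields)

    def handle_fbu(self, cga, hk):
        return self.keys.get(cga) == hk

def mn_accepts(mn, ar, epk, nonce, resp, check_addresses):
    """Return the handover key if MN accepts the PrRtAdv, else None."""
    f = resp.fields
    ok = resp.signer == ar and f["nonce"] == nonce and f["enc_hk"].key == epk
    if check_addresses:                     # the check the first model lacked
        ok = ok and f.get("src") == ar and f.get("dst") == mn
    return f["enc_hk"].payload if ok else None

def run(sign_addresses, relayed):
    """Return (MN accepted a key, FBU from MN succeeds at AR)."""
    ar = AccessRouter("AR", sign_addresses)
    req = Signed("MN", ("MN", "EPK_MN", "N_MN"))
    if relayed:                             # page 11 trace: E re-signs as itself
        req = Signed("E", ("E", "EPK_MN", "N_MN"))
    resp = ar.handle_rtsolpr(req)           # E forwards AR's response unchanged
    hk = mn_accepts("MN", "AR", "EPK_MN", "N_MN", resp, sign_addresses)
    return hk is not None, hk is not None and ar.handle_fbu("MN", hk)

if __name__ == "__main__":
    for sign in (False, True):
        print(sign, run(sign, relayed=False), run(sign, relayed=True))
```

With unsigned addresses the relayed run ends with MN holding a key that AR registered for E, which is the failed "Access Router authenticated" invariant; with signed addresses MN rejects the response before any key is accepted.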

Page 16: Distributing a Symmetric FMIPv6 Handover Key using SEND

No “Noncense”

• How will the protocol behave if signature on nonce is removed?

• Replay attack found

– “Access Router authenticated” invariant fails

Page 17: Distributing a Symmetric FMIPv6 Handover Key using SEND

No “Noncense” – Trace

• MN and AR complete first session as usual, but E records AR’s response from previous session.

• MN reconnects to same AR.

• MN sends request for handover with new nonce. E intercepts.

• E sends MN AR’s previous response with new nonce.

• FBU fails since handover key is not valid.

Page 18: Distributing a Symmetric FMIPv6 Handover Key using SEND

Removing CGAs

• How will the protocol behave if CGAs are removed and replaced with real IPv6 addresses?

• Worst case attack found

– Access Router authentication invariant fails

– Mobile Node authentication invariant fails

– Secrecy fails

Page 19: Distributing a Symmetric FMIPv6 Handover Key using SEND

Removing CGAs - Trace

• MN sends AR request for handover, but E intercepts.

• E forges the signature, creates his own handover key encryption key and nonce, and sends request to AR. E pretends to be MN.

• AR generates handover key and sends it to MN.

• E intercepts AR’s response.

• E can now issue FBU and get packets meant for MN!

Page 20: Distributing a Symmetric FMIPv6 Handover Key using SEND

Our Conclusion

• The SEND options used for handover key distribution are necessary and sufficient

Page 21: Distributing a Symmetric FMIPv6 Handover Key using SEND

Our Conclusion

• The SEND options used for handover key distribution are necessary and sufficient

• We should have known:

– From draft, section 13.0:

– “The authors would like to thank John C. Mitchell and Arnab Roy, of Stanford University, for their review of the design and suggestions for improving it.”

Page 22: Distributing a Symmetric FMIPv6 Handover Key using SEND

Questions?