Skip to main content
SpringerLink
Log in

Modelling of 802.11 4-Way Handshake Attacks and Analysis of Security Properties

  • Conference paper
  • First Online:
Security and Trust Management (STM 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12386))

Included in the following conference series:

Abstract

The IEEE 802.11 standard defines a 4-way handshake between a supplicant and an authenticator for secure communication. Many attacks such as KRACK, cipher downgrades, and key recovery attacks have been recently discovered against it. These attacks raise the question as to whether the implementation violates one of the required security properties or whether the security properties are insufficient. To the best of our knowledge, this is the first work that shows how to answer this question using formal methods. We model and analyse a variety of these attacks using the Tamarin prover against the security properties mandated by the standard for the 4-way handshake. This lets us see which security properties are violated. We find that our Tamarin models vulnerable to the KRACK attacks do not violate any of the standard’s security properties, indicating that the properties, as specified by the standard, are insufficient. We propose an additional security property and show that it is violated by systems vulnerable to KRACK attacks, and that enforcing this property is successful in stopping them. We demonstrate how to use Tamarin to automatically test the adequacy of a set of security properties against attacks, and that the suggested mitigations make 802.11 secure against these attacks.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 49.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. IEEE Standard for Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications. IEEE Std. 802.11-1997, November 1997

    Google Scholar 

  2. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Amendment 6. IEEE Std. 802.11i-2004, July 2004

    Google Scholar 

  3. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications. IEEE Std. 802.11-2016, December 2016

    Google Scholar 

  4. IEEE Standard for Local and Metropolitan Area Networks-Port-Based Network Access Control. IEEE Std. 802.1X-2020, February 2020

    Google Scholar 

  5. Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. ACM SIGPLAN Not. 36(3), 104–115 (2001)

    Article  Google Scholar 

  6. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21

    Chapter  Google Scholar 

  7. Blanchet, B., Smyth, B., Cheval, V., Sylvestre, M.: ProVerif 2.02: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial, July 2020

    Google Scholar 

  8. Cremers, C.: On the protocol composition logic PCL. In: ACM Symposium on Information, Computer and Communications Security (ASIACCS), Tokyo, Japan, pp. 66–76, March 2008

    Google Scholar 

  9. Cremers, C., Kiesl, B., Medinger, N.: A formal analysis of IEEE 802.11’s WPA2: countering the kracks caused by cracking the counters. In: Proceedings of the USENIX Security Symposium (USENIX Security), pp. 1–17. Virtual Event, August 2020 (to appear)

    Google Scholar 

  10. Datta, A., Derek, A., Mitchell, J.C., Roy, A.: Protocol composition logic (PCL). Electron. Notes Theor. Comput. Sci. 172, 311–358 (2007)

    Article  MathSciNet  Google Scholar 

  11. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)

    Article  MathSciNet  Google Scholar 

  12. Harkins, D., Malinen, J.: Addressing the issue of nonce reuse in 802.11 implementations, October 2017. https://mentor.ieee.org/802.11/dcn/17/11-17-1602-03-000m-nonce-reuse-prevention.docx

  13. He, C., Mitchell, J.C.: Analysis of the 802.11i 4-way handshake. In: Proceedings of the ACM Workshop on Wireless Security (WiSe), Philadelphia, PA, pp. 43–50, October 2004

    Google Scholar 

  14. He, C., Sundararajan, M., Datta, A., Derek, A., Mitchell, J.C.: A modular correctness proof of IEEE 802.11i and TLS. In: ACM Conference on Computer and Communications Security (CCS), Alexandria, VA, pp. 2–15, November 2005

    Google Scholar 

  15. Joux, A.: Authentication failures in NIST version of GCM. Pub. C. to NIST (2006)

    Google Scholar 

  16. Kremer, S., Künnemann, R.: Automated analysis of security protocols with global state. J. Comput. Secur. 24(5), 583–616 (2016)

    Article  Google Scholar 

  17. Lowe, G.: A hierarchy of authentication specifications. In: Proceedings of the IEEE Computer Security Foundations Workshop (CSFW), Rockport, MA, pp. 31–43, June 1997

    Google Scholar 

  18. Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_48

    Chapter  Google Scholar 

  19. Singh, R.R., Moreira, J., Chothia, T., Ryan, M.D.: TAMARIN prover models of attacks on the 802.11 4-way handshake to verify security properties (source code and proofs) (2020). http://people.du.ac.in/~rrsingh/wpa2models

  20. McMahon Stone, C., Chothia, T., de Ruiter, J.: Extending automated protocol state learning for the 802.11 4-way handshake. In: Lopez, J., Zhou, J., Soriano, M. (eds.) ESORICS 2018. LNCS, vol. 11098, pp. 325–345. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-99073-6_16

    Chapter  Google Scholar 

  21. Vanhoef, M., Piessens, F.: Predicting, decrypting, and abusing WPA2/802.11 group keys. In: Proceedings of the USENIX Security Symposium, pp. 673–688 (2016)

    Google Scholar 

  22. Vanhoef, M., Piessens, F.: Key reinstallation attacks: forcing nonce reuse in WPA2. In: Proceedings of the ACM Conference on Computer and Communications Security (CSS), Dallas, TX, pp. 1313–1328 (2017)

    Google Scholar 

  23. Wi-Fi Alliance: Security update october 2017, October 2017. https://www.wi-fi.org/security-update-october-2017

Download references

Acknowledgements

We would like to thank Robert Künnemann, Chris McMahon Stone and Mathy Vanhoef for useful discussions. We would also like to thank the anonymous reviewers for their insightful comments and suggestions. This work was partially supported by the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 779391 (FutureTPM).

Author information

Authors and Affiliations

  1. School of Computer Science, University of Birmingham, Birmingham, UK

    Rajiv Ranjan Singh, José Moreira, Tom Chothia & Mark D. Ryan

  2. Department of Computer Science, Shyam Lal College (Eve.), University of Delhi, Delhi, India

    Rajiv Ranjan Singh

Authors
  1. Rajiv Ranjan Singh
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. José Moreira
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Tom Chothia
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Mark D. Ryan
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Rajiv Ranjan Singh .

Editor information

Editors and Affiliations

  1. Royal Holloway, University of London, Egham, UK

    Kostantinos Markantonakis

  2. National Research Council, Pisa, Italy

    Marinella Petrocchi

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Singh, R.R., Moreira, J., Chothia, T., Ryan, M.D. (2020). Modelling of 802.11 4-Way Handshake Attacks and Analysis of Security Properties. In: Markantonakis, K., Petrocchi, M. (eds) Security and Trust Management. STM 2020. Lecture Notes in Computer Science(), vol 12386. Springer, Cham. https://doi.org/10.1007/978-3-030-59817-4_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-59817-4_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-59816-7

  • Online ISBN: 978-3-030-59817-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation