
Re: [STDS-802-11-TGBE] MLA MAC address security DCN 0727/r0



Hi Yifan,

 

Thanks for your question and comments. <a2,m2> on that slide is correct because that’s what the AP will use (its own authentic MAC addresses) but the STA is looking for RA=m2’. The result is that msg will be ignored by the STA.

 

Re man-in-the-middle attack, it’s a textbook security example and it’s a common assumption when wireless security is concerned. Think of why there is a MIC to protect the protected management frames. That’s used to detect someone tampering with the content of the frame OTA.

 

Thanks,

Duncan

 

From: zhouyifan (G) <zhouyifan8@xxxxxxxxxx>
Sent: Wednesday, July 8, 2020 11:13 PM
To: STDS-802-11-TGBE@xxxxxxxxxxxxxxxxx
Subject: [STDS-802-11-TGBE] Reply: [STDS-802-11-TGBE] MLA MAC address security DCN 0727/r0

 


Thanks Duncan for this thread.

 

In slide 8, the fourth bullet, should the <TA, RA> be <a2,m2’>? Since the AP MLD only receives m’ from the association frames.

 

Still I have a doubt on the attack procedure. As you mentioned, there should be a relay between the AP MLD and non-AP MLD, and then the attack can happen. I’m not sure if it’s a real problem.

 

Best Regards.

 

周逸凡 / Yifan Zhou

Huawei Technologies

 

From: Duncan Ho [mailto:dho@xxxxxxxxxxxxxxxx]
Sent: July 9, 2020 1:34
To: STDS-802-11-TGBE@xxxxxxxxxxxxxxxxx
Subject: [STDS-802-11-TGBE] MLA MAC address security DCN 0727/r0

 

Hi all,

 

Sorry we ran out of time answering questions on the call today. I’ll try to answer them below here and please send me other questions you may have.

 

Rojan asked: How can 4-way handshake pass?

Answer: The 4-way handshake is between the non-AP MLD and the AP MLD and in the MLO case it uses the MLD addresses to generate the PTK. Only the non-AP MLD and AP MLD know the PMK. The attacker does not change anything in the 4-way handshake so the 4WH will pass. The problem is the attacker has changed one of the STA MAC addresses of the non-AP MLD included in the Association Req msg, which goes undetected.

 

If we add the STA MAC addresses of the non-AP MLD in one of the protected msgs within the 4-way handshake, the AP will receive the protected STA MAC addresses. Same idea goes in the other direction (AP MLD to the STA MLD).

 

Yongho asked: can we change the MAC address part as the following?

The MAC address(es) of the STA(s) of the non-AP MLD corresponding to the link(s) it intends to setup with the AP MLD.

Answer: Absolutely.

 

Thanks,

Duncan
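
The check discussed in this thread (carrying the per-link STA MAC addresses in a MIC-protected 4-way handshake message so the AP can compare them with the Association Request), as an added example that is not part of the original e-mails or of any 802.11 draft. HMAC-SHA256 stands in for the 802.11 key derivation and MIC, and the message layout, function names and sample addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac

def derive_kck(pmk, ap_mld, sta_mld, anonce, snonce):
    # Stand-in KDF (assumption): like the PTK, it binds only the MLD
    # addresses and nonces, never the per-link STA addresses.
    data = (b"Pairwise key expansion"
            + min(ap_mld, sta_mld) + max(ap_mld, sta_mld)
            + min(anonce, snonce) + max(anonce, snonce))
    return hmac.new(pmk, data, hashlib.sha256).digest()[:16]

def mic(kck, body):
    return hmac.new(kck, body, hashlib.sha256).digest()[:16]

def encode_links(links):
    # links: {link_id: 6-byte STA MAC}; hypothetical encoding, sorted by link id
    return b"".join(bytes([lid]) + mac for lid, mac in sorted(links.items()))

def sta_build_msg2(kck, snonce, sta_links):
    # Hypothetical handshake message 2: SNonce + link addresses, MIC over both.
    body = snonce + encode_links(sta_links)
    return body, mic(kck, body)

def ap_check_msg2(kck, body, tag, assoc_req_links):
    # Returns (mic_ok, link_addresses_match).
    if not hmac.compare_digest(mic(kck, body), tag):
        return (False, False)
    return (True, hmac.compare_digest(body[32:], encode_links(assoc_req_links)))

def run_scenario(tamper_assoc_req):
    # All values below are constructed sample data.
    pmk = bytes(range(32))
    ap_mld, sta_mld = bytes.fromhex("02aa00000001"), bytes.fromhex("02bb00000001")
    anonce, snonce = b"\x01" * 32, b"\x02" * 32
    m1, m2 = bytes.fromhex("02bb00000011"), bytes.fromhex("02bb00000012")
    m2_prime = bytes.fromhex("02cc00000012")  # m2' as seen by the AP
    sta_links = {1: m1, 2: m2}
    seen_by_ap = dict(sta_links)
    if tamper_assoc_req:
        seen_by_ap[2] = m2_prime  # unprotected Association Request was altered
    kck = derive_kck(pmk, ap_mld, sta_mld, anonce, snonce)
    body, tag = sta_build_msg2(kck, snonce, sta_links)
    return ap_check_msg2(kck, body, tag, seen_by_ap)

if __name__ == "__main__":
    print(run_scenario(False))
    print(run_scenario(True))
```

In the altered case the MIC still verifies, because the keys depend only on the MLD addresses, and it is the comparison of the protected link addresses that exposes the change.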

 


To unsubscribe from the STDS-802-11-TGBE list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBE&A=1