Title: Wireless LAN Overview
Wireless LAN Overview
- Wi-Fi Technology
- Wireless Fidelity (Wi-Fi)
- Channels
- Basic Security Practices
- Vulnerabilities
- WEP
- WPA
- 802.11i
- EAP and 802.1x
- 802.1x
- EAP
- Definition
- Process Flow
- EAP Types and Flow
Wi-Fi Technology
Wi-Fi
- Wi-Fi (short for "Wireless Fidelity") is the popular term for a high-frequency wireless local area network (WLAN).
- Promoted by the Wi-Fi Alliance (formerly WECA, the Wireless Ethernet Carriers Association).
- Used generically when referring to any type of 802.11 network, whether 802.11a, 802.11b, 802.11g, dual-band, etc. The term is promulgated by the Wi-Fi Alliance.
Wi-Fi
- Wi-Fi standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing.
- The 802.11b (Wi-Fi) technology operates in the 2.4 GHz range, offering data speeds up to 11 megabits per second. The modulation used in 802.11 has historically been phase-shift keying (PSK).
- Note: unless adequately protected, a Wi-Fi wireless LAN is easily accessible by unauthorized users.
Wireless LAN Topology
- A wireless LAN is typically deployed as an extension of an existing wired network, as shown below.
Wireless LAN Topology
- Here is an example of small business usage of a Wi-Fi network.
(Figure: DSL connection, DSL router, Wi-Fi AP, etc. The DSL router and Wi-Fi AP are often combined into a single unit.)
What is 802.11?
- 802.11 refers to a family of specifications developed by the IEEE for wireless LAN technology. 802.11 specifies an over-the-air interface between a wireless client and a base station or between two wireless clients.
- The IEEE accepted the specification in 1997.
802.11 Family Members
- There are several specifications in the 802.11 family:
- 802.11
  - Applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).
- 802.11a
  - An extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5 GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS.
- 802.11b
  - (also referred to as 802.11 High Rate or Wi-Fi) is an extension to 802.11 that applies to wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band. 802.11b uses only DSSS. 802.11b was a 1999 ratification to the original 802.11 standard, allowing wireless functionality comparable to Ethernet.
- 802.11g
  - Applies to wireless LANs and provides 20 Mbps in the 2.4 GHz band.
802.11 Range Comparisons
802.11 Authentication
- The 802.11 standard defines several services that govern how two 802.11 devices communicate. The following events must occur before an 802.11 station can communicate with an Ethernet network through a wireless access point:
  - Turn on the wireless client.
  - The client listens for messages from any access points (APs) that are in range.
  - The client finds a message from an AP that has a matching SSID.
  - The client sends an authentication request to the AP.
  - The AP authenticates the station.
  - The client sends an association request to the AP.
  - The AP associates with the station.
  - The client can now communicate with the Ethernet network through the AP.
What Exactly Is 802.1x?
- A standard set by the IEEE 802.1 working group.
- Describes a standard link-layer protocol used for transporting higher-level authentication protocols.
- Works between the Supplicant (client software) and the Authenticator (network device).
- Maintains backend communication to an Authentication Server (typically RADIUS).
What Does It Do?
- Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
- The authenticator (switch) becomes the middleman for relaying EAP received in 802.1x packets to an authentication server, using RADIUS to carry the EAP information.
- Several EAP types are specified in the standard.
- Three common forms of EAP are:
  - EAP-MD5: MD5-hashed username/password
  - EAP-OTP: one-time passwords
  - EAP-TLS: strong PKI-authenticated Transport Layer Security (SSL)
(Figure: an 802.1x header carrying an EAP payload)
What is RADIUS?
- RADIUS: the Remote Authentication Dial In User Service.
- A protocol used to communicate between a network device and an authentication server or database.
- Allows the communication of login and authentication information (i.e. username/password, OTP, etc.) using Attribute/Value pairs.
- Allows the communication of extended attribute/value pairs using Vendor Specific Attributes (VSAs).
- Can also act as a transport for EAP messages.
- RFC 2865, RFC 2866 and others.
(Figure: a UDP header and a RADIUS header carrying an EAP payload)
802.11 Authentication Flow
Wi-Fi Channels
- Wireless LAN communications are based on the use of radio signals to exchange information through an association between a wireless LAN card and a nearby access point.
- Each access point in an 802.11b/g network is configured to use one radio frequency (RF) channel.
- Although the 802.11b/g specifications indicate that there are fourteen (14) channels that can be utilized for wireless communications, in the U.S. only eleven channels are allowed for AP use. In addition, since there is frequency overlap among many of the channels, there must be 22 MHz separation between any two channels in use.
Wi-Fi Channels
- In a multi-access-point installation, where overlapping channels can cause interference, dead spots and other problems, channels 1, 6 and 11 are generally regarded as the only safe channels to use. Since there are five 5 MHz channels between 1 and 6, and between 6 and 11, or 25 MHz of total bandwidth, that leaves three MHz of buffer zone between channels.
- In practice, this constraint limits the number of usable channels to three (channels 1, 6, and 11). 802.11a wireless networks have eight non-overlapping channels, which provide more flexibility in terms of channel assignment.
Wi-Fi Channels
- For example, 802.11a is an extension to the IEEE 802.11 standard that applies to wireless LANs and provides up to 54 Mbps in the 5 GHz band.
- For North American users, equipment available today operates between 5.15 and 5.35 GHz.
- This bandwidth supports eight separate, non-overlapping 200 MHz channels.
- These channels allow users to install up to eight access points set to different channels without interference, making access point channel assignment much easier and significantly increasing the level of throughput the wireless LAN can deliver within a given area.
Wi-Fi Channels
- If two access points that use the same RF channel are too close, the overlap in their signals will cause interference, possibly confusing wireless cards in the overlapping area.
- To avoid this potential scenario, it is important that wireless deployments be carefully designed and coordinated.
- It is also critical to make sure that a deployment does not cause conflicts with other pre-existing wireless implementations.
(Figure: three channels on a single floor)
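As an added example (not part of the deck), the overlap rule above written out in Python: it derives the 1/6/11 set and the 3 MHz guard band from the 22 MHz width and 5 MHz spacing the slides quote, and checks a channel plan for conflicting APs. The channel centre frequencies (2412 MHz for channel 1, 2484 MHz for channel 14) come from the 802.11 standard, not from the slides.

```python
# Added example, not from the slides: 2.4 GHz 802.11b/g channel overlap checks.
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22     # DSSS channel width quoted in the slides
CHANNEL_SPACING_MHZ = 5    # spacing between adjacent channel numbers


def center_freq_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel (from the standard, not the slides).
    Channel 14 is the irregular one at 2484 MHz."""
    if not 1 <= channel <= 14:
        raise ValueError(f"2.4 GHz channels run 1-14, got {channel}")
    return 2484 if channel == 14 else 2407 + CHANNEL_SPACING_MHZ * channel


def overlaps(a: int, b: int) -> bool:
    """Two channels overlap when their centres sit closer than one channel width."""
    return abs(center_freq_mhz(a) - center_freq_mhz(b)) < CHANNEL_WIDTH_MHZ


def guard_band_mhz(a: int, b: int) -> int:
    """Spectrum left unused between two channels (negative means they overlap)."""
    return abs(center_freq_mhz(a) - center_freq_mhz(b)) - CHANNEL_WIDTH_MHZ


def non_overlapping_sets(allowed):
    """All largest sets of mutually non-overlapping channels drawn from `allowed`.

    Brute force over combinations is fine: there are at most 14 channels.
    """
    chans = sorted(allowed)
    for size in range(len(chans), 0, -1):
        found = [c for c in combinations(chans, size)
                 if all(not overlaps(x, y) for x, y in combinations(c, 2))]
        if found:
            return found
    return []


def plan_conflicts(plan):
    """Given (ap_name, channel) pairs, return the AP pairs whose channels overlap.

    A real survey also weighs signal strength and distance; this applies only
    the frequency rule from the slides.
    """
    return [(x, y) for x, y in combinations(plan, 2) if overlaps(x[1], y[1])]


if __name__ == "__main__":
    us_channels = range(1, 12)                 # channels 1-11 allowed in the U.S.
    print(non_overlapping_sets(us_channels))   # [(1, 6, 11)]
    print(guard_band_mhz(1, 6))                # 3 MHz, as the slides state
    print(plan_conflicts([("AP-east", 1), ("AP-west", 3), ("AP-north", 11)]))
```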
Basic 802.11 Security
- SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier)
  - Each AP has an SSID that it uses to identify itself. Network configuration requires each wireless client to know the SSID of the AP to which it wants to connect.
  - The SSID provides a very modest amount of control. It only keeps a client from accidentally connecting to a neighboring AP. It does not keep an attacker out.
SSID
- SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier)
  - The SSID is a token that identifies an 802.11 network. The SSID is a secret key that is set by the network administrator. Clients must know the SSID to join an 802.11 network; however, network sniffing can discover the SSID.
  - The fact that the SSID is a secret key instead of a public key creates a management problem for the network administrator.
  - Every user of the network must configure the SSID into their system. If the network administrator seeks to lock a user out of the network, the administrator must change the SSID of the network, which requires reconfiguration of every network node. Some 802.11 NICs allow you to configure several SSIDs at one time.
Basic 802.11 Security
- MAC filters
  - Some APs provide the capability for checking the MAC address of the client before allowing it to connect to the network.
  - Using MAC filters is considered to be very weak security because with many Wi-Fi client implementations it is possible to change the MAC address by reconfiguring the card.
  - An attacker could sniff a valid MAC address from the wireless network traffic.
Basic 802.11 Security
- Static WEP keys
  - Wired Equivalent Privacy (WEP) is part of the 802.11 specification.
  - Static WEP key operation requires keys on the client and AP that are used to encrypt data sent between them. With WEP encryption, sniffing is eliminated and session hijacking is difficult (or impossible).
  - Client and AP are configured with a set of 4 keys, and when decrypting each is used in turn until decryption is successful. This allows keys to be changed dynamically.
  - Keys are the same in all clients and the AP. This means that there is a community key shared by everyone using the same AP. The danger is that if anyone in the community is compromised, the community key, and hence the network and everyone else using it, is at risk.
Authentication Type
- An access point must authenticate a station before the station can associate with the access point or communicate with the network. The IEEE 802.11 standard defines two types of authentication:
  - Open System Authentication
  - Shared Key Authentication
Authentication Type: Open System Authentication
- The following steps occur when two devices use Open System Authentication:
  - The station sends an authentication request to the access point.
  - The access point authenticates the station.
  - The station associates with the access point and joins the network.
- The process is illustrated below.
Authentication Type: Shared Key Authentication
- The following steps occur when two devices use Shared Key Authentication:
  - The station sends an authentication request to the access point.
  - The access point sends challenge text to the station.
  - The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and sends the encrypted text to the access point.
  - The access point decrypts the encrypted text using its configured WEP key that corresponds to the station's default key.
  - The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, then the access point and the station share the same WEP key and the access point authenticates the station.
  - The station connects to the network.
Authentication Type: Shared Key Authentication
- If the decrypted text does not match the original challenge text (i.e., the access point and station do not share the same WEP key), then the access point will refuse to authenticate the station and the station will be unable to communicate with either the 802.11 network or the Ethernet network.
- The process is illustrated below.
Overview of WEP Parameters
- Before enabling WEP on an 802.11 network, you must first consider what type of encryption you require and the key size you want to use. Typically, there are three WEP encryption options available for 802.11 products:
  - Do Not Use WEP: the 802.11 network does not encrypt data. For authentication purposes, the network uses Open System Authentication.
  - Use WEP for Encryption: a transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP key. The receiving device decrypts the data using the same WEP key. For authentication purposes, the wireless network uses Open System Authentication.
  - Use WEP for Authentication and Encryption: a transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP key. The receiving 802.11 device decrypts the data using the same WEP key. For authentication purposes, the 802.11 network uses Shared Key Authentication.
- Note: some 802.11 access points also support Use WEP for Authentication Only (Shared Key Authentication without data encryption).
Recommended 802.11 Security Practices
- Change the default password for the Admin account
- SSID
  - Change the default
  - Disable broadcast
  - Make it unique
  - If possible, change it often
- Enable MAC address filtering
- Enable WEP 128-bit data encryption. Please note that this will reduce your network performance
  - Use the highest level of encryption possible
  - Use a shared key
  - Use multiple WEP keys
  - Change it regularly
- Turn off DHCP
- Refrain from using the default IP subnet
Vulnerabilities
- There are several known types of wireless attacks that must be protected against:
  - SSID (network name) sniffing
  - WEP encryption key recovery attacks
  - ARP poisoning (man-in-the-middle attacks)
  - MAC address spoofing
  - Access point management password and SNMP attacks
  - Wireless end user (station) attacks
  - Rogue AP attacks (AP impersonation)
  - DoS (denial of service) wireless attacks
Diversity Antenna Attacks
- If diversity antennas A and B are attached to an AP, they are set up to cover both sides of an area independently. Alice is on the left side of the area, so the AP will choose antenna A for sending and receiving her frames. Bob is on the opposite side of the area from Alice and will therefore send and receive frames with antenna B.
- Bob can take Alice off the network by changing his MAC address to be the same as Alice's. Bob can also guarantee that his signal is stronger on antenna B than Alice's signal on antenna A by using an amplifier or other enhancement mechanism.
- Once Bob's signal has been detected as the stronger signal on antenna B, the AP will send and receive frames for that MAC address on antenna B. As long as Bob continues to send traffic to the AP, Alice's frames will be ignored.
Malicious AP Overpowering Valid AP
- If a client is not using WEP authentication (or an attacker has knowledge of the WEP key), then the client is vulnerable to DoS attacks from spoofed APs.
- Clients can generally be configured to associate with any access point or to associate with an access point in a particular ESSID.
- If a client is configured to associate with any available AP, it will select the AP with the strongest signal regardless of the ESSID.
- If the client is configured to associate with a particular ESSID, it will select the AP in that ESSID with the strongest signal.
- Either way, a malicious AP can effectively black-hole traffic from a victim by spoofing the desired AP.
Man-in-the-Middle Attacks
- Man-in-the-middle (MITM) attacks have two major forms: eavesdropping and manipulation.
- Eavesdropping occurs when an attacker receives a data communication stream. This is not so much a direct attack as a leaking of information. An eavesdropper can record and analyze the data that he is listening to.
- A manipulation attack requires the attacker not only to have the ability to receive the victim's data but also to be able to retransmit the data after changing it.
WEP: What?
- WEP (Wired Equivalent Privacy) refers to the intent to provide a privacy service to wireless LAN users similar to that provided by the physical security inherent in a wired LAN.
- WEP is the privacy protocol specified in IEEE 802.11 to provide wireless LAN users protection against casual eavesdropping.
IV Key Hashing / Temporal Key
(Figure: WEP encryption today. The IV and the base key feed the RC4 stream cipher; the keystream is XORed with the plaintext data to produce the ciphertext data.)
WEP: How?
- When WEP is active in a wireless LAN, each 802.11 packet is encrypted separately with an RC4 cipher stream generated by a 64-bit RC4 key. This key is composed of a 24-bit initialization vector (IV) and a 40-bit WEP key.
- The encrypted packet is generated with a bit-wise exclusive OR (XOR) of the original packet and the RC4 stream.
- The IV is chosen by the sender and should be changed so that every packet won't be encrypted with the same cipher stream.
- The IV is sent in the clear with each packet.
- An additional 4-byte Integrity Check Value (ICV) is computed on the original packet using the CRC-32 checksum algorithm and appended to the end.
- The ICV (be careful not to confuse this with the IV) is also encrypted with the RC4 cipher stream.
WEP - Weaknesses
- Key Management and Key Size
  - Key management is not specified in the WEP standard, and therefore is one of its weaknesses, because without interoperable key management, keys will tend to be long-lived and of poor quality.
- The Initialization Vector (IV) is Too Small
  - WEP's IV size of 24 bits provides for 16,777,216 different RC4 cipher streams for a given WEP key, for any key size. Remember that the RC4 cipher stream is XORed with the original packet to give the encrypted packet which is transmitted, and the IV is sent in the clear with each packet.
- The Integrity Check Value (ICV) algorithm is not appropriate
  - The WEP ICV is based on CRC-32, an algorithm for detecting noise and common errors in transmission. CRC-32 is an excellent checksum for detecting errors, but an awful choice for a cryptographic hash.
WEP - Weaknesses
- WEP's use of RC4 is weak
  - RC4 in its implementation in WEP has been found to have weak keys. Having a weak key means that there is more correlation between the key and the output than there should be for good security. Determining which packets were encrypted with weak keys is easy because the first three bytes of the key are taken from the IV that is sent unencrypted in each packet.
  - This weakness can be exploited by a passive attack. All the attacker needs to do is be within a hundred feet or so of the AP.
- Authentication messages can be easily forged
  - 802.11 defines two forms of authentication:
    - Open System (no authentication) and
    - Shared Key authentication.
  - These are used to authenticate the client to the access point.
  - The idea was that authentication would be better than no authentication because the user has to prove knowledge of the shared WEP key, in effect, authenticating himself.
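The encapsulation described under "WEP: How?" and the IV and ICV weaknesses above, as an added example that is not from the slides: a minimal WEP frame encryptor/decryptor in Python, a function showing what reusing an IV reveals without any key, the IV exhaustion arithmetic, and a defender-side IV-reuse monitor. The keys, IVs and payloads are constructed sample values, and the little-endian ICV byte order is an assumption of this example.

```python
# Added example, not code from the slides: WEP as described in the deck
# (RC4 keyed with IV || 40-bit key, CRC-32 ICV, IV sent in the clear).
import zlib
from typing import Optional

IV_LEN = 3     # 24-bit IV, sent unencrypted in front of each frame
KEY_LEN = 5    # 40-bit WEP key; IV || key is the 64-bit RC4 key
ICV_LEN = 4    # CRC-32 Integrity Check Value appended to the plaintext


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4: key scheduling (KSA) followed by n bytes of output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP ICV: a plain CRC-32 of the plaintext (little-endian assumed here)."""
    return zlib.crc32(data).to_bytes(ICV_LEN, "little")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || (plaintext || ICV) XOR RC4(IV || key)."""
    if len(wep_key) != KEY_LEN or len(iv) != IV_LEN:
        raise ValueError("expected a 40-bit key and a 24-bit IV")
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + wep_key, len(body)))


def wep_decrypt(wep_key: bytes, frame: bytes) -> Optional[bytes]:
    """Rebuild the keystream from the clear IV, unmask, verify the ICV."""
    iv, masked = frame[:IV_LEN], frame[IV_LEN:]
    plain = xor(masked, rc4_keystream(iv + wep_key, len(masked)))
    data, tag = plain[:-ICV_LEN], plain[-ICV_LEN:]
    return data if icv(data) == tag else None


def iv_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """Two frames under the same key and IV share one keystream, so XORing the
    ciphertexts cancels it and leaves plaintext1 XOR plaintext2 (followed by
    the XOR of the two ICVs). This is why the slides insist the IV must change."""
    if frame1[:IV_LEN] != frame2[:IV_LEN]:
        return None
    n = min(len(frame1), len(frame2)) - IV_LEN
    return xor(frame1[IV_LEN:IV_LEN + n], frame2[IV_LEN:IV_LEN + n])


def seconds_until_iv_exhaustion(frames_per_second: float) -> float:
    """A sender stepping through IVs in order must repeat one after 2^24 frames."""
    return (1 << (8 * IV_LEN)) / frames_per_second


class IvReuseMonitor:
    """Defender-side check for one key: report any IV seen a second time."""

    def __init__(self) -> None:
        self.seen: set = set()

    def observe(self, frame: bytes) -> bool:
        iv = frame[:IV_LEN]
        reused = iv in self.seen
        self.seen.add(iv)
        return reused


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")            # constructed 40-bit key
    f1 = wep_encrypt(key, bytes.fromhex("aabbcc"), b"hello, alice")
    f2 = wep_encrypt(key, bytes.fromhex("aabbcc"), b"hello, bobby")  # IV reused
    print(wep_decrypt(key, f1))                                      # b'hello, alice'
    print(iv_reuse_leak(f1, f2)[:12] == xor(b"hello, alice", b"hello, bobby"))  # True
    print(round(seconds_until_iv_exhaustion(500) / 3600, 1))         # 9.3 hours
```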
WPA
- Wi-Fi Protected Access (WPA) is a new security guideline issued by the Wi-Fi Alliance.
- The goal is to strengthen security over the current WEP standards by including mechanisms from the emerging 802.11i standard for both data encryption and network access control.
- Path: WEP -> WPA -> 802.11i
- WPA = TKIP (Temporal Key Integrity Protocol) + IEEE 802.1x
- For encryption, WPA has TKIP, which uses the same encryption algorithm as WEP, but constructs keys in a different way.
- For access control, WPA will use the IEEE 802.1x protocol.
802.11i: Future Wireless Security Standard
- Task group "i" within the IEEE 802.11 is responsible for developing a new standard for WLAN security to replace the weak WEP (Wired Equivalent Privacy).
- The IEEE 802.11i standard utilizes the authentication schemes of 802.1x and EAP (Extensible Authentication Protocol), in addition to a new encryption scheme, AES (Advanced Encryption Standard), and a dynamic key distribution scheme, TKIP (Temporal Key Integrity Protocol).
- 802.11i = TKIP + IEEE 802.1x + AES
802.11i: Future Wireless Security Standard
- Temporal Key Integrity Protocol (TKIP)
  - The Temporal Key Integrity Protocol is part of the IEEE 802.11i encryption standard for wireless LANs. TKIP is the next generation of WEP, the Wired Equivalent Privacy protocol, which is used to secure 802.11 wireless LANs. TKIP provides per-packet key mixing, a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP.
802.11i: Future Wireless Security Standard
- Advanced Encryption Standard (AES)
  - AES is the U.S. government's next-generation cryptography algorithm, which will replace DES and 3DES.
EAP and 802.1x
802.1x
- IEEE 802.1x is the designation of a standard titled Port Based Network Access Control, which indicates that the emphasis of the standard is to provide a control mechanism for connecting physically to a LAN.
- The standard does not define the authentication methods, but it does provide a framework that allows the application of this standard in combination with any chosen authentication method.
- This adds to the flexibility, as current and future authentication methods can be used without having to adapt the standard.
802.1x Components
- The 802.1x standard recognizes the following concepts:
  - Port Access Entity (PAE): the mechanism (algorithms and protocols) associated with a LAN port (residing in either a bridge or a station)
  - Supplicant PAE: the entity that requires authentication before getting access to the LAN (typically in the client station)
  - Authenticator PAE: the entity facilitating authentication of a supplicant (typically in a bridge or AP)
  - Authentication server: the entity that provides authentication service to the Authenticators in the LAN (could be a RADIUS server)
802.1x Components
802.1x Call Flow
802.1x Traffic
- As the picture indicates, EAP information, when transmitted from Supplicant to Authentication Server, is first encapsulated within a (wireless) LAN frame (referred to as EAP over LAN or EAPoL). Once received by the Authenticator it is extracted from the LAN frame and placed in a packet that conforms to the RADIUS protocol.
- This RADIUS packet is then transmitted to the Authentication Server using the RADIUS (UDP) protocol.
- Traffic coming from the Authentication Server to the Supplicant follows the reverse process.
EAP
- EAP was originally designed as part of the PPP (Point-to-Point Protocol).
- The PPP Extensible Authentication Protocol (EAP) is a general protocol for PPP authentication which supports multiple authentication mechanisms. It was developed in response to an increasing demand for remote access user authentication that uses other security devices.
- By using EAP, support for a number of authentication schemes may be added by defining EAP types. Support might include token cards, one-time passwords, public key authentication using smart cards, certificates, and others.
- EAP hides the details of the authentication scheme from those network elements that need not know them.
- For example, in PPP the client and the AAA server only need to know the EAP type, and the Network Access Server does not.
EAP
- RFC 2284 defines the PPP Extensible Authentication Protocol.
- EAP does not select a specific authentication mechanism at the Link Control Phase, but rather postpones this until the Authentication Phase.
- This allows the authenticator to request more information before determining the specific authentication mechanism.
- This also permits the use of a "back-end" server which actually implements the various mechanisms while the PPP authenticator merely passes through the authentication exchange.
EAP Architecture
EAP Comparison
EAP Elements
- EAP basically consists of four different protocol elements:
  - Request packets (from Authenticator/AP to client/Supplicant)
  - Response packets (from Client to Authenticator)
  - Success packet
  - Failure packet
- Success and Failure packets may originate from an AAA server.
EAP Elements
EAP Message
- All EAP messages have a common format.
EAP Message 2
- EAP Request and Response messages have the same format, with Code 1 for Requests and Code 2 for Responses.
EAP Message 3
- EAP Success messages are EAP messages with Code 3 and no data.
- A Success message means that the authentication concluded successfully.
- EAP Failure messages are EAP messages with Code 4 and no data.
- A Failure message means that the authentication has failed.
General Description of IEEE 802.1x Terminology
(Figure: a wireless network joined to an enterprise network at the enterprise edge. EAP runs over wireless between the Supplicant and the Authenticator, and over RADIUS between the Authenticator and the Authentication Server, a RADIUS server.)
- Supplicant: operates on the client.
- Authentication Server: processes EAP requests.
- Authenticator: operates on devices at the network edge, like APs and switches.
Before EAP Start
- 802.11 association between client and authenticator
- IP connection blocked by the AP
(Figure: EAP over wireless between the client and the AP, EAP over RADIUS between the AP and the RADIUS server. 802.1X traffic on the wireless side; RADIUS traffic (IP/UDP over a Layer 2 protocol, e.g. Ethernet) on the wired side; authentication traffic shown separately from normal data.)
- The AP transfers data from 802.1x EAP messages into RADIUS messages, and vice versa. The AP blocks the IP connection until a RADIUS Access-Accept is received.
802.1x Call Flow
EAP Flow
- After the Link Establishment phase is complete, the authenticator sends one or more Requests to authenticate the peer.
- The Request has a type field to indicate what is being requested. Examples of Request types include Identity, MD5-Challenge, One-Time Password, Generic Token Card, etc.
- The MD5-Challenge type corresponds closely to the CHAP authentication protocol.
- Typically, the authenticator will send an initial Identity Request followed by one or more Requests for authentication information. However, an initial Identity Request is not required, and MAY be bypassed in cases where the identity is presumed (leased lines, dedicated dial-ups, etc.).
EAP Flow
- The peer sends a Response packet in reply to each Request. As with the Request packet, the Response packet contains a type field which corresponds to the type field of the Request.
- The authenticator ends the authentication phase with a Success or Failure packet.
Generic EAP Authentication Flow
(Figure: exchange between Authenticator and Peer)
EAP Authentication
- The physical connection between the client station and the network is established first, which for wireless operation means that 802.11 Association has to be completed (this is the equivalent of plugging a wired station into an Ethernet wall socket).
EAP Authentication
- After Association the 802.1x authentication commences, initiated by the Authenticator (i.e. the AP or NAS), which sends an EAP Request to the Supplicant (i.e. the client station) asking for its credentials. These credentials could be a machine name or user name, depending on the authentication method that is used.
EAP Authentication
- The Supplicant transmits its identity information as part of an EAP Response to the Authenticator, which takes the packet from the LAN frame and encapsulates it in a RADIUS protocol message for transmission to the Authentication Server.
EAP Authentication
- At this point a sequence of exchanges will take place between the Authentication Server and the Supplicant (via the Authenticator), the exact details of which depend on the authentication method used. The ultimate result of the complete sequence is either a positive result, where the supplicant is successfully authenticated, or a negative one, where the authentication has failed. In the first case the door to the network is opened and all network resources are now available to the client device, while in the second case network access remains blocked.
EAP Authentication Methods: MD5
- EAP-Message Digest 5 uses the same challenge handshake protocol as PPP-based CHAP, but the challenges and responses are sent as EAP messages.
- MD5 can be considered the lowest common denominator EAP type.
- EAP-MD5 does not support the use of per-session WEP keys, or mutual authentication of Access Point and client.
- It also does not support encrypted links for user data, so it cannot be used in an 802.11i environment.
- The EAP-MD5 authentication algorithm provides one-way, password-based network authentication of the client.
EAP Authentication Methods: MD5
- This algorithm can also be used for wireless applications with less stringent wireless LAN security requirements.
- The advantage of using EAP-MD5 is that it is simple to administer for an operator, re-using the database of usernames and passwords which may already exist.
- The disadvantage of using EAP-MD5 in wireless LAN applications is that no encryption keys are generated. Also, while the protocol can be used by the client to authenticate the network, it is typically used only for the network to authenticate the client.
EAP Authentication Methods: MD5
- A wireless station associates to its AP.
- The AP will issue an EAP Request Identity frame to the client station.
- The client station responds with its identity (machine name or user name).
- The AP relays the EAP message (i.e. the client station's identity) to the RADIUS server, to initiate the authentication services.
- The MD5 protocol relies on a challenge text issued by the server to the client.
- The client is to encrypt this challenge using its user password and return the result.
EAP Authentication Methods: MD5
- The server will decrypt the result using the password that is recorded for the user.
- When the results match the original, the client is validated as genuine.
- No encryption keys are generated.
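The common EAP packet format (Codes 1 to 4), the Request/Response/Success/Failure flow and the EAP-MD5 steps above, as an added example that is not the deck's code: Python that encodes and parses EAP packets and simulates the exchange end to end. The response value follows the CHAP rule that EAP-MD5 inherits, MD5(Identifier || password || challenge); the user name, password and challenge are constructed values, and the server recomputes the digest and compares rather than "decrypting" anything.

```python
# Added example, not from the slides: EAP packet format plus an EAP-MD5 exchange.
import hashlib
import os
import struct
from dataclasses import dataclass
from typing import Dict, List

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4
HDR = struct.Struct("!BBH")   # Code, Identifier, Length (Length covers the header too)


@dataclass
class EapPacket:
    code: int
    identifier: int
    data: bytes = b""         # Type || Type-Data for Request/Response, else empty

    def encode(self) -> bytes:
        if self.code in (CODE_SUCCESS, CODE_FAILURE) and self.data:
            raise ValueError("Success/Failure packets carry no data")
        return HDR.pack(self.code, self.identifier, HDR.size + len(self.data)) + self.data


def parse_eap(raw: bytes) -> EapPacket:
    """Decode one EAP packet, rejecting the malformed shapes a receiver must drop."""
    if len(raw) < HDR.size:
        raise ValueError("short EAP header")
    code, ident, length = HDR.unpack_from(raw)
    if code not in (1, 2, 3, 4) or length < HDR.size or length > len(raw):
        raise ValueError("bad EAP code or length")
    data = raw[HDR.size:length]          # anything past Length is padding
    if code in (CODE_SUCCESS, CODE_FAILURE) and data:
        raise ValueError("Success/Failure with data")
    if code in (CODE_REQUEST, CODE_RESPONSE) and not data:
        raise ValueError("Request/Response without a Type byte")
    return EapPacket(code, ident, data)


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value, the CHAP rule: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def md5_type_data(value: bytes, name: bytes = b"") -> bytes:
    """MD5-Challenge Type-Data: Type, Value-Size, Value, optional Name."""
    return bytes([TYPE_MD5_CHALLENGE, len(value)]) + value + name


def md5_value(type_data: bytes) -> bytes:
    return type_data[2:2 + type_data[1]]


def run_eap_md5(identity: bytes, password: bytes, user_db: Dict[bytes, bytes],
                challenge: bytes, first_id: int = 1) -> List[bytes]:
    """Simulate the slides' EAP-MD5 flow and return the packets in wire order.
    The peer sees only the bytes on the wire; the server only its own database."""
    wire: List[bytes] = []
    # Authenticator: Identity Request.  Peer: Identity Response.
    wire.append(EapPacket(CODE_REQUEST, first_id, bytes([TYPE_IDENTITY])).encode())
    wire.append(EapPacket(CODE_RESPONSE, first_id, bytes([TYPE_IDENTITY]) + identity).encode())
    # Authentication server (relayed by the AP): MD5-Challenge Request.
    chal_id = first_id + 1
    wire.append(EapPacket(CODE_REQUEST, chal_id, md5_type_data(challenge)).encode())
    # Peer: hash the received challenge with its password and answer.
    req = parse_eap(wire[-1])
    value = md5_challenge_value(req.identifier, password, md5_value(req.data))
    wire.append(EapPacket(CODE_RESPONSE, chal_id, md5_type_data(value, identity)).encode())
    # Server: nothing to "decrypt"; it recomputes the digest from the stored
    # password of the claimed identity and compares. Identifier must match too.
    resp = parse_eap(wire[-1])
    claimed = parse_eap(wire[1]).data[1:]
    stored = user_db.get(claimed)
    ok = (stored is not None and resp.identifier == chal_id
          and md5_value(resp.data) == md5_challenge_value(chal_id, stored, challenge))
    wire.append(EapPacket(CODE_SUCCESS if ok else CODE_FAILURE, chal_id).encode())
    return wire


def outcome(wire: List[bytes]) -> str:
    """'success' or 'failure' from the final packet (Code 3 or 4, no data)."""
    return {CODE_SUCCESS: "success", CODE_FAILURE: "failure"}[parse_eap(wire[-1]).code]


if __name__ == "__main__":
    db = {b"alice": b"correct horse"}       # constructed server-side user table
    chal = os.urandom(16)
    print(outcome(run_eap_md5(b"alice", b"correct horse", db, chal)))  # success
    print(outcome(run_eap_md5(b"alice", b"wrong", db, chal)))          # failure
```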
EAP MD5
EAP Authentication Methods: TLS
- Transport Layer Security (TLS) is a certificate-based authentication protocol. RFC 2716 provides mutual authentication and supports per-session WEP keys.
- Certificate-based authentication provides a highly secure digital equivalent of ID cards used by both the client and network so they can authenticate each other. Public Key Infrastructure (PKI) digital signature techniques are used to prove each party's authenticity.
EAP Authentication Methods: TLS
- A digital certificate is comprised of the following fields:
  - a version
  - certificate serial number
  - signature algorithm identifier
  - name of the issuer
  - validity period
  - name
  - public key
  - optional unique identifiers
  - a signature value.
Certificate Authority
EAP Authentication Methods: TLS
- A wireless station associates to its AP.
- The AP will issue an EAP Request Identity frame to the client station.
- The client station responds with its identity (machine name or user name).
- The AP relays the EAP message (i.e. the client station's identity) to the RADIUS server, to initiate the authentication services.
- The RADIUS server requests credentials from the client station to confirm the identity, by sending the EAP Request via the AP.
- The client replies, sending its credentials, relayed by the AP.
EAP Authentication Methods: TLS
- The TLS Hello messages are the start of the TLS handshake protocol:
  - The server initiates by sending its Server_Hello (including the certificate and the so-called ciphersuite, indicating what crypto algorithms it can handle).
  - The client replies with Client_Hello, stating among other things its certificate and what crypto algorithm was selected, and requesting the server to send its certificate.
  - The client and server engage in the key-exchange sequence (Diffie-Hellman).
EAP Authentication Methods: TLS
- On completion of the DH key exchange between server and client, the server transmits its keys to the AP.
- To encrypt subsequent IEEE 802.11 frames exchanged between the AP and the client, a WEP key pair is used, which is generated by the AP and is the same for all clients associated to this particular AP.
- The AP will transmit this key pair to the client and uses the key received from the server to encrypt this message.
- Once the client has received the WEP keys it will pass them to the PC card via the NDIS interface and the driver.
- Station and AP will use these WEP keys until the station logs off or until the re-authentication timer has expired (for periodic re-authentication).
- When the station roams to another AP a re-authentication is required and new WEP keys are established.
EAP Authentication Methods: TLS
94EAP Authentication Methods TTLS
- Tunneled Transport Layer Security (TTLS) and Protected Extensible Authentication Protocol (PEAP) are similar in operation and support both secure username/password and mutual authentication.
- EAP-TTLS is a combination of EAP-TLS and traditional password-based methods such as the Challenge Handshake Authentication Protocol (CHAP) and One Time Passwords (OTP). On the client side only passwords are required instead of digital certificates, which relieves the system administrator of managing and distributing certificates. On the authentication server side a certificate is required.
- Certificates do not have to be installed in each client device. This is because PKI techniques are used to first allow the client to authenticate the server (via a certificate installed on the server) and form a secured connection between client and server. Then the server authenticates the client over the secured connection, with the user providing a username and password pair.
- This principle is much like the way in which browser-based commerce takes place today. Secure connections are established before the user's authentication information is exchanged. Users typically see this as a padlock symbol in their browsers.
95EAP Authentication Methods TTLS
- In EAP-TTLS a secure TLS tunnel is first established between the supplicant and the authentication server.
- The client authenticates the network to which it is connecting by authenticating the digital certificate provided by the TTLS server. This is exactly analogous to the techniques used to connect to a secure web server. Once an authenticated tunnel is established, the authentication of the end user occurs.
- EAP-TTLS has the added benefit of protecting the identity of the end user from view over the wireless medium. In this way anonymity of the end user, a desirable attribute, is provided.
- EAP-TTLS also enables existing end-user authentication systems to be reused. Two key advantages of EAP-TTLS are that anonymity of the end user is provided, and that any existing RADIUS server and its associated database can be re-used.
- EAP-TTLS is the only EAP type to date which provides end user anonymity.
96EAP Authentication Methods TTLS
- A wireless station associates to its AP.
- The AP issues an EAP Request Identity frame to the client station.
- The client station responds with its identity (machine name or user name).
- The AP relays the EAP message (i.e. the client station's identity) to the RADIUS server, to initiate the authentication services.
- The authentication protocol between the RADIUS server and the client station is still TLS, and is used to allow the client to authenticate the server.
97EAP Authentication Methods TTLS
- The TLS_Hello messages are the start of the TLS handshake protocol:
  - The server initiates by sending its Server_Hello (including its certificate and cipher suite, indicating which crypto algorithms it can handle).
  - The client responds by sending its acknowledgement of the crypto protocol to use (no certificates).
  - The client and server engage in the key-exchange sequence (Diffie-Hellman).
- Now that the tunnel is established and secure, the additional user credentials are exchanged (using OTP or CHAP).
98EAP Authentication Methods TTLS
- On completion of the exchange between server and client, the server transmits its keys to the AP.
- To encrypt subsequent IEEE 802.11 frames exchanged between the AP and the client, a WEP key pair is used. It is generated by the AP and is the same for all clients associated to this particular AP.
- The AP transmits this key pair to the client and uses the key received from the server to encrypt this message.
- Once the client has received the WEP keys it passes them to the PC card via the NDIS interface and the driver. Station and AP use these WEP keys until the station logs off or until the re-authentication timer has expired (for periodic re-authentication).
99EAP Authentication Methods TTLS
100EAP Authentication Methods SRP
- SRP (Secure Remote Password) is a secure password-based authentication and key-exchange protocol.
- It solves the problem of authenticating clients to servers securely, in cases where the user of the client software must memorize a small secret (like a password) and carries no other secret information.
- The server stores a verifier for each user, which allows it to authenticate the client but which, if compromised, would not allow the attacker to impersonate the client. SRP also exchanges a cryptographically strong secret as a byproduct of successful authentication, which enables the two parties to communicate securely.
- A key advantage of SRP is that the user's password need not be stored in the RADIUS database. SRP is also a completely password-based authentication system: no certificates are required.
101EAP Authentication Methods SRP
- A wireless station associates to its AP.
- The AP issues an EAP Request Identity frame to the client station.
- The client station responds with its identity (machine name or user name).
- The AP relays the EAP message (i.e. the client station's identity) to the RADIUS server, to initiate the authentication services.
- The server initiates a key exchange by transmitting a generator value g, a modulus N and a salt value (to prevent recurring keys).
102EAP Authentication Methods SRP
- The client calculates its public key as K(client) = g^a (mod N), where a is randomly chosen (the client's private key).
- The server executes a similar procedure and calculates its public key as K(server) = (v + g^b) (mod N), where b is randomly chosen (the server's private key) and v is the stored verifier from the database.
- With keys in place, the client and server mutually validate each other.
103EAP Authentication Methods SRP
- On completion of the exchange between server and client, the server transmits its keys to the AP.
- To encrypt subsequent IEEE 802.11 frames exchanged between the AP and the client, a WEP key pair is used. It is generated by the AP and is the same for all clients associated to this particular AP.
- The AP transmits this key pair to the client and uses the key received from the server to encrypt this message.
- Once the client has received the WEP keys it passes them to the PC card via the NDIS interface and the driver.
- Station and AP use these WEP keys until the station logs off or until the re-authentication timer has expired (for periodic re-authentication).
- When the station roams to another AP, new WEP keys are established.
104EAP Authentication Methods LEAP
- Cisco delivers a special version of EAP (Extensible Authentication Protocol), known as LEAP (where the L stands for lightweight).
- Though Cisco systems can be configured to operate with other EAP protocols (and as such are capable of communicating with off-the-shelf RADIUS implementations that support IEEE 802.1x), this proprietary version is promoted by Cisco in order to offer a complete Cisco solution.
- LEAP is also known to have significant flaws:
  - The key used for encryption between client and Access Point is derived from the username and password stored at the authentication server and used by the client station during log-in. The method used in this case is MS-CHAP v1, which is known in the industry to be vulnerable and hack-able by existing hack tools.
  - The EAP exchange between client and authentication server is not encrypted, as the key is not yet determined. The username is transmitted in the clear and only the password is protected by an MS-CHAP v1 hash, which is relatively easy to hack.
105EAP Authentication Methods LEAP
106EAP Authentication Methods LEAP
107EAP Authentication Methods PEAP
- Protected EAP (PEAP): a version of EAP developed by Microsoft, Cisco, and RSA Security that offers two implementation options.
- The first uses the Microsoft Challenge-Handshake Authentication Protocol Version 2 (MS-CHAPv2) for mutual authentication and does not require client digital certificates.
- The second implementation uses TLS for mutual authentication and requires digital certificates on all the clients (very similar to EAP-TLS).
108EAP Authentication Methods PEAP
109PEAP w MS-CHAPv2
- The PEAP authentication process occurs in two parts.
- The first part is the use of EAP and the PEAP EAP type to create an encrypted TLS channel.
- The second part is the use of EAP and a different EAP type to authenticate network access.
- The following examines PEAP with MS-CHAP v2 operation, using as an example a wireless client that attempts to authenticate to a wireless access point (AP) that uses a RADIUS server for authentication and authorization.
110PEAP w MS-CHAPv2
- PEAP Part 1: Creating the TLS Channel
- The following steps are used to create the PEAP TLS channel:
  - After creating the logical link, the wireless AP sends an EAP-Request/Identity message to the wireless client.
  - The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.
  - The EAP-Response/Identity message is sent by the wireless AP to the RADIUS server. From this point on, the logical communication occurs between the RADIUS server and the wireless client, using the wireless AP as a pass-through device.
  - The RADIUS server sends an EAP-Request/Start PEAP message to the wireless client.
  - The wireless client and the RADIUS server exchange a series of TLS messages through which the cipher suite for the TLS channel is negotiated and the RADIUS server sends a certificate chain to the wireless client for authentication.
  - At the end of the PEAP negotiation, the RADIUS server has authenticated itself to the wireless client. Both nodes have determined mutual encryption and signing keys (using public key cryptography, not passwords) for the TLS channel.
111EAP Authentication Methods PEAP
[Diagram: PEAP message flow between client and PEAP server; TLS channel established; EAP-Response (empty)]
112PEAP w MS-CHAPv2
- PEAP Part 2: Authenticating with MS-CHAP v2
- After the PEAP TLS channel is created, the following steps are used to authenticate the wireless client credentials with MS-CHAP v2:
  - The RADIUS server sends an EAP-Request/Identity message.
  - The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.
  - The RADIUS server sends an EAP-Request/EAP-MS-CHAP-V2 Challenge message that contains a challenge string.
  - The wireless client responds with an EAP-Response/EAP-MS-CHAP-V2 Response message that contains both the response to the RADIUS server challenge string and a challenge string for the RADIUS server.
  - The RADIUS server sends an EAP-Request/EAP-MS-CHAP-V2 Success message, which indicates that the wireless client response was correct and contains the response to the wireless client challenge string.
  - The wireless client responds with an EAP-Response/EAP-MS-CHAP-V2 Ack message, indicating that the RADIUS server response was correct.
  - The RADIUS server sends an EAP-Success message.
- At the end of this mutual authentication exchange, the wireless client has provided proof of knowledge of the correct password (the response to the RADIUS server challenge string), and the RADIUS server has provided proof of knowledge of the correct password (the response to the wireless client challenge string). The entire exchange is encrypted through the TLS channel created in PEAP part 1.
113EAP Authentication Methods PEAP
[Diagram: exchange between client and PEAP server inside the TLS channel; transfer of the generated key from the PEAP server to the NAS if on different machines]
114EAP Authentication Methods PEAP
115EAP Authentication Methods PEAP
116EAP Authentication Methods MS-CHAPv2
- The Microsoft EAP CHAP Extensions Version 2 (EAP-MSCHAPv2) protocol allows mutual authentication between an authenticator and a peer that is seeking authentication.
- It extends the MSCHAPv2 protocol defined in RFC 2759, and is one of several authentication methods associated with the Extensible Authentication Protocol (EAP) defined in RFC 2284.
117MS-CHAPv2, What is?
- Peer authentication using MS-CHAPv2. The following stages take place after a PPTP tunnel is established and the setup for the PPP connection has started:
  - 1. The client requests an authenticator challenge from the server.
  - 2. The server sends back a 16-byte random authenticator challenge.
  - 3. The client generates the response:
    - (a) The client generates a 16-byte random peer challenge.
    - (b) The client generates the challenge by hashing the authenticator challenge, the peer challenge, and the user's login using SHA.
    - (c) The client generates the NT password hash from the user's password.
    - (d) The 16-byte NT password hash from step (c) is padded with 5 bytes of zero. From these 21 bytes three 7-byte DES keys are derived.
    - (e) The first 8 bytes of the hash generated in step (b) (these 8 bytes are later referred to as the challenge) are encrypted using DES with each of the three keys generated in step (d).
    - (f) The 24 bytes resulting from step (e), the 16-byte random peer challenge, and the user's login are sent back to the server as the response.
119EAP Authentication Methods MS-CHAPv2
- The server decrypts the response with the hashed password of the client that is stored in a database.
- If the decrypted response matches the challenge, the server sends a positive authenticator response:
  - The server hashes the NT password hash using MD4 to generate a password-hash-hash.
  - The server generates a hash using SHA from the client's response, the password-hash-hash, and the literal constant "Magic server to client signing constant".
  - The server generates another hash using SHA from the 20-byte output of the previous step, the 8-byte challenge (see step 3 (b)), and the literal constant "Pad to make it do more than one iteration".
  - The resulting 20 bytes are sent back to the client in the form "S=<upper-case ASCII representation of the byte values>".
- The client uses the same procedure to generate the 20 bytes and compares them to the server's authenticator response. If they match, both the client and the server are authenticated.
120EAP Authentication Methods GTC
121Difference between MsCHAPv2 and GTC
- What is the difference between EAP-MSCHAPv2 and EAP-GTC PEAP supplicants?
- Both supplicants support PEAP, but each supports different methods of client authentication through the TLS tunnel. The Microsoft PEAP supplicant supports client authentication only by MS-CHAPv2. This limits user databases to those that support MS-CHAPv2, such as Windows NT Domain and Active Directory. The Cisco PEAP supplicant (based on EAP-GTC) supports client authentication by one-time passwords and logon passwords. This enables support for one-time password databases from vendors such as RSA Security and Secure Computing Corporation, and logon password databases such as LDAP, Microsoft, and Novell Directory Service (NDS) databases.
- In addition, the EAP-GTC implementation includes the ability to hide username identities until the TLS encrypted tunnel is established, which provides the additional confidentiality that usernames are not broadcast during the authentication phase. Starting in version 3.2, Cisco Secure ACS will support both EAP-MSCHAPv2 and EAP-GTC PEAP supplicants.
122EAP methods based on GSM credentials
- Support for SIM and USIM (AKA) credentials
- Uses standard SIM (Subscriber Identity Module) and USIM (UMTS Subscriber Identity Module) cards
- Wireless phone SIM cards as a way of obtaining authentication:
  - using the SIM Extensible Authentication Protocol for GSM (EAP-SIM)
  - using the USIM Extensible Authentication and Key Agreement Protocol (EAP-AKA) for UMTS
- Generates 128-bit keys; has optional fast reconnect and identity privacy support
123EAP Authentication Methods SIM
- EAP SIM (Subscriber Identity Module) Authentication for GSM
- EAP SIM authentication is based on Nokia's EAP Server Technology.
- This provides an interface between the GSM Authentication Center and one or more wireless LANs, and uses the Extensible Authentication Protocol (EAP) in order to pass traffic securely over any Wide Area Network, e.g. a Telco's internal data network or the Internet.
- It permits authentication to be performed by WLAN clients that have an 802.11 interface and access to a GSM SIM card, with or without GSM air interface capabilities.
- This authentication procedure is designed to provide mutual authentication between a wireless LAN client and an AAA server.
- Typically the EAP server is implemented on the AAA server (e.g. RADIUS) and has an interface to the GSM network, so it operates as a gateway between the Internet AAA network and the GSM authentication infrastructure.
- The system allows GSM mobile operators to reuse their existing authentication infrastructure for providing access to wireless networks.
- EAP SIM combines the data from several GSM triplets (RAND, SRES, Kc), obtained from an Authentication Centre (AuC), to generate a more secure session encryption key. EAP SIM also enhances the basic GSM authentication mechanism by providing for mutual authentication between the client and the RADIUS server.
124EAP Authentication Methods SIM
SIM (Subscriber Identity Module): usually referred to as a SIM card, the SIM is the user's subscription to the mobile network. The SIM contains the relevant information that enables access control onto the subscribed operator's network.
126EAP Authentication Methods SIM
- The EAP SIM authentication proceeds as follows:
  - The client receives an EAP Identity Request from the access point (AP).
  - The client responds to the AP's request with an EAP Identity Response message containing the user's network identity, which is stored on the SIM (either the user's International Mobile Subscriber Identity (IMSI) or a temporary identity (pseudonym)).
  - The AP transmits this message to the RADIUS server, which in turn forwards it to the Authentication Center of the GSM network.
  - From the AuC the RADIUS server obtains GSM triplets and passes the RAND to the client. The SIM calculates the signed response (SRES), which is returned to the RADIUS server. The SIM also calculates cryptographic keying material, using a secure hash function on th