Title: Wireless Security A Silver Lining Ahead
1Wireless Security A Silver Lining Ahead
- www.psionteklogix.com
- Rosario Macri
- April 10, 2003
2Agenda
- IEEE 802.1X
- Principles of Operation
- Wi-Fi Protected Access (WPA)
- Brief overview
- Data Privacy
- User Authentication
- 802.1X
- IEEE 802.11i
- Brief Introduction
- Data Privacy
- User Authentication
- 802.1X
3IEEE 802.1X Port Based Network Access Control
- IEEE 802.1X standard - intended to provide strong
authentication, access control and key
management. - Means of authenticating and authorizing devices -
prevents access where authentication and
authorization fails. - Wireless terminal is Supplicant and Access Point
is Authenticator. - Authentication initiated by Supplicant or
Authenticator - Occurs at System initialization
time - Authentication - process of binding a name to
something known, in IEEE 802.11 refers to the
Media Access Control address (MAC address).
4802.1X Principles of Operation, contd
- Port Access Entity (PAE) operates algorithms and
protocols associated with authentication
mechanisms for device port. - Supplicant - responsible for responding to
Authenticator for information that will establish
its credentials. - Authenticator - responsible for communication
with Supplicant, submits information received
from Supplicant to Authentication Server -
Supplicant credentials checked for correct
authorization. - Authentication Server- provides authentication
services to Authenticator to determine whether
Supplicant is authorized to access services
provided by the Authenticator. - Authentication Server function can be co-located
with authenticator function within same entity,
but is typically an external server (e.g. RADIUS
Server).
5 802.1X - Principles of Operation
- Figure 1. illustrates the IEEE 802.1X setup.
- Supplicant authenticates via Authenticator to
central Authentication Server. - Authentication Server confirms Supplicants
credentials. - Authentication Server directs Authenticator to
provide services after successful authentication.
PAE Access Point, Ethernet Switch, etc.
PAE Ethernet, Token Ring, Wireless, etc.
Supplicant
Authenticator
EAPOL (Ethernet, Token Ring, 802.11)
Encapsulated EAP messages, typically on Radius
AAA Server Any EAP Server, Typically RADIUS
Authentication Server
Figure 1. The IEEE 802.1X Setup
6802.1X Principles of Operation, contd
- Supplicant, Authenticator and Authentication
Server are necessary to complete authentication
exchange. - Figure 2. illustrates Port-based access control
(Authenticator) Controlled Port and
Uncontrolled Port are two logical entities, but
are same physical connection to the LAN
Figure 2. Controlled and Uncontrolled ports
7802.1X Principles of Operation, contd
- Protocol exchanges between Authenticator and
Authentication Server conducted via Controlled or
Uncontrolled Port. -
- Controlled Port accepts packets from
authenticated devices, Uncontrolled Port only
accepts 802.1X packets. - Uncontrolled Port used for exchanging Extensible
Authentication Protocol (EAP) over LAN packets,
EAPOL, with Supplicant. - Uncontrolled Port and Controlled Port considered
same point of attachment to the LAN. - Point of attachment is association between
wireless terminal and Access Point.
8802.1X Principles of Operation, contd
- Authentication dialog between Supplicant and
Authentication Server carried in EAP frames. - EAP over LAN (EAPOL), is used for all
communication between Supplicant and
Authenticator. - EAP
- Authentication framework
- Supports multiple authentication methods
- Operates directly over Data-Link Layer
- Does not require Internet Protocol (IP)
- EAP authentication types include EAP-MD5,
EAP-TLS, EAP-TTLS - Proprietary EAP types being developed by vendors,
Ciscos Lightweight Extensible Authentication
Protocol - LEAP
9802.1X Principles of Operation, contd
- Figure 3. illustrates Supplicant, Authenticator,
Authentication Server relationship. - Authenticator accepts EAPOL packets from
Supplicant, forwards EAP packets to
Authentication Server over higher layer protocol
like RADIUS. - Authenticator forwards Authentication Server EAP
packets over EAPOL to Supplicant.
Figure 3. Authenticator, Supplicant, and
Authenticator Server roles
10802.1X Principles of Operation, contd
- Figure 4. illustrates complete 802.1X
authentication session showing EAP and RADIUS
messages.
Figure 4. A complete 802.1X authentication session
11802.1X Principles of Operation, contd
- MAC layer encryption keys generated as part of
authentication process between Supplicant and
Authentication Server - encryption keys will be
used by chosen data encryption protocol. - 802.1X used to direct encryption keys down to MAC
layer on both Authenticator and Supplicant. - Two sets of encryption keys are generated,
- Pairwise Master Key (Session Key)
- Groupwise Key (Group Key).
12802.1X Principles of Operation, contd
- Pairwise Master Key (PMK) is unique to
association between individual Supplicant and
Authenticator. - Groupwise Key shared among all Supplicants
connected to same Authenticator. - PMK used to generate additional encryption keys
used by the chosen data encryption protocol.
13802.1X EAP Authentication Types
- EAP-MD5 Challenge
- Earliest authentication type, duplicates CHAP
password protection on a WLAN. - Base-level EAP support among 802.1X devices,
one-way authentication, MD5 not generally used
anymore. - EAP-TLS (Transport Layer Security)
- Certificate-based, mutual authentication of
client and network. - Client-side and server-side certificates to
perform authentication. - Dynamically generated user and session based WEP
keys distributed to secure connection. - EAP-LEAP (Lightweight Extensible Authentication
Protocol) - Ciscos proprietary EAP authentication type,
supports mutual authentication. - Provides security during credential exchange,
credentials include username and password. - Encrypts data transmission using dynamically
generated WEP keys.
14802.1X EAP Authentication Types, contd
- EAP-TTLS (Tunneled TLS)
- Extension to EAP-TLS, uses certificates to
authenticate server side and legacy or
token-based methods to authenticate client side. - Network manager has option of using simple
authentication protocols - clear text passwords,
challenge-response passwords or token-based
authentication. Client certificates not needed. - TTLS packs this authentication protocol inside
of TLS tunnel when it comes time to authenticate
user, hence the term Tunneled. - Similar security properties as EAP-TLS, like
mutual authentication and a shared secret for
session WEP key.
15Wi-Fi Protected Access (WPA)
- Flaws in WEP known since January 2001 - flaws
include weak encryption, (keys no longer than 40
bits), static encryption keys, lack of key
distribution method. - IEEE developing 802.11i standard for enhanced
wireless security - Addresses weak data
encryption and user authentication within
existing 802.11 standard. -
- 802.11i standard will not be ratified until late
2003, possibly early 2004 - outstanding issues. - WPA standard joint effort between Wi-Fi Alliance
and IEEE - WPA a subset of IEEE 802.11i standard
(Draft 3.0). - WPA provides stronger data encryption (weak in
WEP) and user authentication (largely missing in
WEP).
16WPA Data Encryption
- WPA uses Temporal Key Integrity Protocol (TKIP) -
stronger data encryption, addresses known
vulnerabilities in WEP. - TKIP chosen as primary encryption cipher suite -
Easily deployed and supported in legacy 802.11b
hardware compared to other available cipher
suites. - TKIP based on RC4 stream cipher algorithm,
surrounds WEP cipher engine with 4 new
algorithms, - Extended 48-bit Initialization Vector (IV) and IV
sequencing rules (compared to the shorter 24-bit
WEP RC4 key). - New per-packet key mixing function.
- Derivation and distribution method - a.k.a.
re-keying. - A message integrity check (MIC) - a.k.a.
Michael, ensures messages havent been tampered
with during transmission.
17WPA Data Encryption, contd
- Figure 5. illustrates Temporal Key Integrity
Protocol. - DA Destination Address TKIP Temporal Key
Integrity Protocol - ICV Integrity Check Value TSC TKIP
Sequence Counter - MPDU Message Protocol Data Unit TTAK result
of phase 1 key mixing of Temporal Key - MSDU MAC Service Data Unit and
Transmitter Address - RSN Robust Security Network WEP Wired
Equivalent Privacy - SA Source Address WEP IV Wired Equivalent
Privacy Initialization Vector - TA Transmitter Address
Figure 5. Temporal Key Integrity Protocol
18WPA Data Encryption, contd
- TKIP Sequence Counter (TSC) - Combination of
extended 48-bit IV and IV sequence counter,
extends life of Temporal Key, eliminates need to
re-key Temporal Key during single association. - Temporal and MIC Keys derived from Pairwise
Master Key (PMK) - PMK derived as part of 802.1X
exchange. - Message Integrity Check (MIC) - Cryptographic
checksum designed to make it much more difficult
for an attacker to successfully intercept and
alter data.
19WPA Data Encryption, contd
- TKIP implements countermeasures - reduces rate
which attacker can make message forgery attempts
down to two packets every 60 seconds. - After 60 second timeout new PMK or Groupwise Key
generated, depending on which attacked ensures
attacker cannot obtain information from attacked
key. - Countermeasures bound probability of successful
forgery and amount of information attacker can
learn about a key. - TKIP is made available as firmware or software
upgrade to existing legacy hardware. - TKIP eliminates having to replace existing
hardware or having to purchase new hardware.
20WPA User Authentication
- Authentication and Key Management based on IEEE
802.1X. - WPA supports two authenticated key management
protocols, - EAP Authentication
- Pre-Shared Key
- 802.1x and EAP authentication - Enterprise
environments through centralized authentication
server, Mutual Authentication required to prevent
user from joining rogue network. - Pre-Shared Key authentication (PSK) - Home or
Office environment, no centralized authentication
server or EAP framework available. - Pre-shared key authentication easily configured
by home or office user.
21WPA User Authentication, contd
- Pre-shared key - Requires home or office user to
manually enter password (Master Key) in Access
Point or Wireless Gateway and same password in
each P.C. allowed access to that wireless
network. - Devices with matching password join the wireless
network - prevents unauthorized access. - Manually configured WPA password automatically
starts TKIP encryption process. - WPA requires APs announce supported ciphers
(encryption types) and authentication types -
Clients choose most secure encryption and
authentication type.
22WPA - Summary
- Wi-Fi Protected Access effectively addresses WLAN
security requirements and provides immediate and
strong encryption and authentication solution. - WPA forward compatible with the full 802.11i
standard. -
- WPA replaces WEP as standard Wi-Fi security
mechansim. - Initial release of WPA addresses AP based 802.11
networks, Ad-hoc (peer-to-peer) networks
addressed in final WPA standard, WPA version 2. - Wi-Fi Alliance to adopt full 802.11i standard as
version 2 of WPA. - WPA will be mandatory for Wi-Fi certification
before the end of 2003
23IEEE 802.11i (RSN) Enhanced Wireless Security
- 802.11i enhanced wireless security standard -
known as Robust Security Network (RSN), developed
by IEEE Taskgroup i (Tgi). - 802.11i (RSN) addresses weaknesses of WEP based
wireless security Replaces WEP. - 802.11i, security solution for legacy 802.11
hardware and new hardware (already making its
way into market). - 802.11i addresses AP based and ad-hoc
(peer-to-peer) based 802.11 wireless security
requirements. - 802.11i (RSN) specifies user authentication
through IEEE 802.1X and data encryption through
Temporal Key Integrity Protocol (TKIP) and
Counter Mode with CBC-MAC Protocol (CCMP).
24802.11i (RSN) Data Encryption
- TKIP targeted at legacy 802.11 hardware, CCMP
targeted at future 802.11 hardware. - RSN supporting simultaneous use of TKIP and CCMP
referred as Transitional Network - AP and client
use highest level of security both can mutually
support. - 802.11i specifies both TKIP and CCMP, true RSN
uses only CCMP - CCMP mandatory for 802.11i
(RSN), TKIP optional. - Transitional Network, temporary solution for
purpose of converting all hardware to CCMP-only
based security solution. - Counter Mode with CBC-MAC Protocol (CCMP) based
on Advanced Encryption Standard (AES) - FIPS-197
certified algorithm approved by National
Institute of Standards and Technology (NIST).
25802.11i (RSN) Data Encryption, contd
- AES one of latest and greatest in encryption
technology, replaces Data Encryption Standard
(DES) and Triple Data Encryption Standard (3DES)
for all government transactions. - AES mode chosen for 802.11 is Counter Mode with
CBC-MAC (CCM). - Counter Mode used for data privacy, CBC-MAC
(Cipher Block Chaining Message Authentication
Code) used for data integrity and authentication. - Message Authentication Code (MAC) same
functionality as Message Integrity Check (MIC)
used for TKIP. - AES uses fixed 128-bit encryption key length and
uses same key for encryption and decryption For
802.11.
26802.11i (RSN) Data Encryption, contd
- Figure 6. illustrates CCMP encapsulation process,
de-capsulation process is essentially reverse of
encapsulation process - Difference is one final
step added that compares value of computed MIC to
that received before decrypted frame is passed
on by the MAC.
Figure 6. The CCMP Encapsulation Process
27802.11i (RSN) Data Encryption, contd
- Same AES temporal encryption key, AES(K), used in
AES encryption blocks for both MIC calculation
and packet encryption. - Like TKIP, AES temporal encryption key derived
from Pairwise Master Key (PMK) - PMK derived as
part of 802.1X exchange
28802.11i (RSN) User Authentication
- 802.11i (RSN) user authentication based on IEEE
802.1x. - Same principles and functionality for WPA user
authentication apply to 802.11i (RSN) user
authentication.
29802.11i (RSN) - Summary
- 802.11i (RSN) addresses security concerns for
legacy hardware and new hardware. - Security solution providing robust data
encryption and user authentication. - Addresses AP based and ad-hoc (peer-to-peer)
based 802.11 wireless security requirements.
30