Wireless Security A Silver Lining Ahead

1
Wireless Security A Silver Lining Ahead

• www.psionteklogix.com
• Rosario Macri
• April 10, 2003

2
Agenda

• IEEE 802.1X
• Principles of Operation
• Wi-Fi Protected Access (WPA)
• Brief overview
• Data Privacy
• User Authentication
• 802.1X
• IEEE 802.11i
• Brief Introduction
• Data Privacy
• User Authentication
• 802.1X

3
IEEE 802.1X Port Based Network Access Control

• IEEE 802.1X standard - intended to provide strong
  authentication, access control and key
  management.
• Means of authenticating and authorizing devices -
  prevents access where authentication and
  authorization fails.
• Wireless terminal is Supplicant and Access Point
  is Authenticator.
• Authentication initiated by Supplicant or
  Authenticator - Occurs at System initialization
  time
• Authentication - process of binding a name to
  something known, in IEEE 802.11 refers to the
  Media Access Control address (MAC address).

4
802.1X Principles of Operation, contd

• Port Access Entity (PAE) operates algorithms and
  protocols associated with authentication
  mechanisms for device port.
• Supplicant - responsible for responding to
  Authenticator for information that will establish
  its credentials.
• Authenticator - responsible for communication
  with Supplicant, submits information received
  from Supplicant to Authentication Server -
  Supplicant credentials checked for correct
  authorization.
• Authentication Server- provides authentication
  services to Authenticator to determine whether
  Supplicant is authorized to access services
  provided by the Authenticator.
• Authentication Server function can be co-located
  with authenticator function within same entity,
  but is typically an external server (e.g. RADIUS
  Server).

5
802.1X - Principles of Operation

• Figure 1. illustrates the IEEE 802.1X setup.
• Supplicant authenticates via Authenticator to
  central Authentication Server.
• Authentication Server confirms Supplicants
  credentials.
• Authentication Server directs Authenticator to
  provide services after successful authentication.

PAE Access Point, Ethernet Switch, etc.
PAE Ethernet, Token Ring, Wireless, etc.
Supplicant
Authenticator
EAPOL (Ethernet, Token Ring, 802.11)
Encapsulated EAP messages, typically on Radius
AAA Server Any EAP Server, Typically RADIUS
Authentication Server
Figure 1. The IEEE 802.1X Setup
6
802.1X Principles of Operation, contd

• Supplicant, Authenticator and Authentication
  Server are necessary to complete authentication
  exchange.
• Figure 2. illustrates Port-based access control
  (Authenticator) Controlled Port and
  Uncontrolled Port are two logical entities, but
  are same physical connection to the LAN

Figure 2. Controlled and Uncontrolled ports
7
802.1X Principles of Operation, contd

• Protocol exchanges between Authenticator and
  Authentication Server conducted via Controlled or
  Uncontrolled Port.
• Controlled Port accepts packets from
  authenticated devices, Uncontrolled Port only
  accepts 802.1X packets.
• Uncontrolled Port used for exchanging Extensible
  Authentication Protocol (EAP) over LAN packets,
  EAPOL, with Supplicant.
• Uncontrolled Port and Controlled Port considered
  same point of attachment to the LAN.
• Point of attachment is association between
  wireless terminal and Access Point.

8
802.1X Principles of Operation, contd

• Authentication dialog between Supplicant and
  Authentication Server carried in EAP frames.
• EAP over LAN (EAPOL), is used for all
  communication between Supplicant and
  Authenticator.
• EAP
• Authentication framework
• Supports multiple authentication methods
• Operates directly over Data-Link Layer
• Does not require Internet Protocol (IP)
• EAP authentication types include EAP-MD5,
  EAP-TLS, EAP-TTLS
• Proprietary EAP types being developed by vendors,
  Ciscos Lightweight Extensible Authentication
  Protocol - LEAP

9
802.1X Principles of Operation, contd

• Figure 3. illustrates Supplicant, Authenticator,
  Authentication Server relationship.
• Authenticator accepts EAPOL packets from
  Supplicant, forwards EAP packets to
  Authentication Server over higher layer protocol
  like RADIUS.
• Authenticator forwards Authentication Server EAP
  packets over EAPOL to Supplicant.

Figure 3. Authenticator, Supplicant, and
Authenticator Server roles
10
802.1X Principles of Operation, contd

• Figure 4. illustrates complete 802.1X
  authentication session showing EAP and RADIUS
  messages.

Figure 4. A complete 802.1X authentication session
11
802.1X Principles of Operation, contd

• MAC layer encryption keys generated as part of
  authentication process between Supplicant and
  Authentication Server - encryption keys will be
  used by chosen data encryption protocol.
• 802.1X used to direct encryption keys down to MAC
  layer on both Authenticator and Supplicant.
• Two sets of encryption keys are generated,
• Pairwise Master Key (Session Key)
• Groupwise Key (Group Key).

12
802.1X Principles of Operation, contd

• Pairwise Master Key (PMK) is unique to
  association between individual Supplicant and
  Authenticator.
• Groupwise Key shared among all Supplicants
  connected to same Authenticator.
• PMK used to generate additional encryption keys
  used by the chosen data encryption protocol.

13
802.1X EAP Authentication Types

• EAP-MD5 Challenge
• Earliest authentication type, duplicates CHAP
  password protection on a WLAN.
• Base-level EAP support among 802.1X devices,
  one-way authentication, MD5 not generally used
  anymore.
• EAP-TLS (Transport Layer Security)
• Certificate-based, mutual authentication of
  client and network.
• Client-side and server-side certificates to
  perform authentication.
• Dynamically generated user and session based WEP
  keys distributed to secure connection.
• EAP-LEAP (Lightweight Extensible Authentication
  Protocol)
• Ciscos proprietary EAP authentication type,
  supports mutual authentication.
• Provides security during credential exchange,
  credentials include username and password.
• Encrypts data transmission using dynamically
  generated WEP keys.

14
802.1X EAP Authentication Types, contd

• EAP-TTLS (Tunneled TLS)
• Extension to EAP-TLS, uses certificates to
  authenticate server side and legacy or
  token-based methods to authenticate client side.
• Network manager has option of using simple
  authentication protocols - clear text passwords,
  challenge-response passwords or token-based
  authentication. Client certificates not needed.
• TTLS packs this authentication protocol inside
  of TLS tunnel when it comes time to authenticate
  user, hence the term Tunneled.
• Similar security properties as EAP-TLS, like
  mutual authentication and a shared secret for
  session WEP key.

15
Wi-Fi Protected Access (WPA)

• Flaws in WEP known since January 2001 - flaws
  include weak encryption, (keys no longer than 40
  bits), static encryption keys, lack of key
  distribution method.
• IEEE developing 802.11i standard for enhanced
  wireless security - Addresses weak data
  encryption and user authentication within
  existing 802.11 standard.
• 802.11i standard will not be ratified until late
  2003, possibly early 2004 - outstanding issues.
• WPA standard joint effort between Wi-Fi Alliance
  and IEEE - WPA a subset of IEEE 802.11i standard
  (Draft 3.0).
• WPA provides stronger data encryption (weak in
  WEP) and user authentication (largely missing in
  WEP).

16
WPA Data Encryption

• WPA uses Temporal Key Integrity Protocol (TKIP) -
  stronger data encryption, addresses known
  vulnerabilities in WEP.
• TKIP chosen as primary encryption cipher suite -
  Easily deployed and supported in legacy 802.11b
  hardware compared to other available cipher
  suites.
• TKIP based on RC4 stream cipher algorithm,
  surrounds WEP cipher engine with 4 new
  algorithms,
• Extended 48-bit Initialization Vector (IV) and IV
  sequencing rules (compared to the shorter 24-bit
  WEP RC4 key).
• New per-packet key mixing function.
• Derivation and distribution method - a.k.a.
  re-keying.
• A message integrity check (MIC) - a.k.a.
  Michael, ensures messages havent been tampered
  with during transmission.

17
WPA Data Encryption, contd

• Figure 5. illustrates Temporal Key Integrity
  Protocol.
• DA Destination Address TKIP Temporal Key
  Integrity Protocol
• ICV Integrity Check Value TSC TKIP
  Sequence Counter
• MPDU Message Protocol Data Unit TTAK result
  of phase 1 key mixing of Temporal Key
• MSDU MAC Service Data Unit and
  Transmitter Address
• RSN Robust Security Network WEP Wired
  Equivalent Privacy
• SA Source Address WEP IV Wired Equivalent
  Privacy Initialization Vector
• TA Transmitter Address

Figure 5. Temporal Key Integrity Protocol
18
WPA Data Encryption, contd

• TKIP Sequence Counter (TSC) - Combination of
  extended 48-bit IV and IV sequence counter,
  extends life of Temporal Key, eliminates need to
  re-key Temporal Key during single association.
• Temporal and MIC Keys derived from Pairwise
  Master Key (PMK) - PMK derived as part of 802.1X
  exchange.
• Message Integrity Check (MIC) - Cryptographic
  checksum designed to make it much more difficult
  for an attacker to successfully intercept and
  alter data.

19
WPA Data Encryption, contd

• TKIP implements countermeasures - reduces rate
  which attacker can make message forgery attempts
  down to two packets every 60 seconds.
• After 60 second timeout new PMK or Groupwise Key
  generated, depending on which attacked ensures
  attacker cannot obtain information from attacked
  key.
• Countermeasures bound probability of successful
  forgery and amount of information attacker can
  learn about a key.
• TKIP is made available as firmware or software
  upgrade to existing legacy hardware.
• TKIP eliminates having to replace existing
  hardware or having to purchase new hardware.

20
WPA User Authentication

• Authentication and Key Management based on IEEE
  802.1X.
• WPA supports two authenticated key management
  protocols,
• EAP Authentication
• Pre-Shared Key
• 802.1x and EAP authentication - Enterprise
  environments through centralized authentication
  server, Mutual Authentication required to prevent
  user from joining rogue network.
• Pre-Shared Key authentication (PSK) - Home or
  Office environment, no centralized authentication
  server or EAP framework available.
• Pre-shared key authentication easily configured
  by home or office user.

21
WPA User Authentication, contd

• Pre-shared key - Requires home or office user to
  manually enter password (Master Key) in Access
  Point or Wireless Gateway and same password in
  each P.C. allowed access to that wireless
  network.
• Devices with matching password join the wireless
  network - prevents unauthorized access.
• Manually configured WPA password automatically
  starts TKIP encryption process.
• WPA requires APs announce supported ciphers
  (encryption types) and authentication types -
  Clients choose most secure encryption and
  authentication type.

22
WPA - Summary

• Wi-Fi Protected Access effectively addresses WLAN
  security requirements and provides immediate and
  strong encryption and authentication solution.
• WPA forward compatible with the full 802.11i
  standard.
• WPA replaces WEP as standard Wi-Fi security
  mechansim.
• Initial release of WPA addresses AP based 802.11
  networks, Ad-hoc (peer-to-peer) networks
  addressed in final WPA standard, WPA version 2.
• Wi-Fi Alliance to adopt full 802.11i standard as
  version 2 of WPA.
• WPA will be mandatory for Wi-Fi certification
  before the end of 2003

23
IEEE 802.11i (RSN) Enhanced Wireless Security

• 802.11i enhanced wireless security standard -
  known as Robust Security Network (RSN), developed
  by IEEE Taskgroup i (Tgi).
• 802.11i (RSN) addresses weaknesses of WEP based
  wireless security Replaces WEP.
• 802.11i, security solution for legacy 802.11
  hardware and new hardware (already making its
  way into market).
• 802.11i addresses AP based and ad-hoc
  (peer-to-peer) based 802.11 wireless security
  requirements.
• 802.11i (RSN) specifies user authentication
  through IEEE 802.1X and data encryption through
  Temporal Key Integrity Protocol (TKIP) and
  Counter Mode with CBC-MAC Protocol (CCMP).

24
802.11i (RSN) Data Encryption

• TKIP targeted at legacy 802.11 hardware, CCMP
  targeted at future 802.11 hardware.
• RSN supporting simultaneous use of TKIP and CCMP
  referred as Transitional Network - AP and client
  use highest level of security both can mutually
  support.
• 802.11i specifies both TKIP and CCMP, true RSN
  uses only CCMP - CCMP mandatory for 802.11i
  (RSN), TKIP optional.
• Transitional Network, temporary solution for
  purpose of converting all hardware to CCMP-only
  based security solution.
• Counter Mode with CBC-MAC Protocol (CCMP) based
  on Advanced Encryption Standard (AES) - FIPS-197
  certified algorithm approved by National
  Institute of Standards and Technology (NIST).

25
802.11i (RSN) Data Encryption, contd

• AES one of latest and greatest in encryption
  technology, replaces Data Encryption Standard
  (DES) and Triple Data Encryption Standard (3DES)
  for all government transactions.
• AES mode chosen for 802.11 is Counter Mode with
  CBC-MAC (CCM).
• Counter Mode used for data privacy, CBC-MAC
  (Cipher Block Chaining Message Authentication
  Code) used for data integrity and authentication.
• Message Authentication Code (MAC) same
  functionality as Message Integrity Check (MIC)
  used for TKIP.
• AES uses fixed 128-bit encryption key length and
  uses same key for encryption and decryption For
  802.11.

26
802.11i (RSN) Data Encryption, contd

• Figure 6. illustrates CCMP encapsulation process,
  de-capsulation process is essentially reverse of
  encapsulation process - Difference is one final
  step added that compares value of computed MIC to
  that received before decrypted frame is passed
  on by the MAC.

Figure 6. The CCMP Encapsulation Process
27
802.11i (RSN) Data Encryption, contd

• Same AES temporal encryption key, AES(K), used in
  AES encryption blocks for both MIC calculation
  and packet encryption.
• Like TKIP, AES temporal encryption key derived
  from Pairwise Master Key (PMK) - PMK derived as
  part of 802.1X exchange

28
802.11i (RSN) User Authentication

• 802.11i (RSN) user authentication based on IEEE
  802.1x.
• Same principles and functionality for WPA user
  authentication apply to 802.11i (RSN) user
  authentication.

29
802.11i (RSN) - Summary

• 802.11i (RSN) addresses security concerns for
  legacy hardware and new hardware.
• Security solution providing robust data
  encryption and user authentication.
• Addresses AP based and ad-hoc (peer-to-peer)
  based 802.11 wireless security requirements.

30

• Thank-You