Wireless LAN Security

About This Presentation

Title:

Wireless LAN Security

Description:

Wi-Fi (short for 'Wireless Fidelity') is the popular term for ... Promoted by the Wi-Fi Alliance (Formerly WECA - Wireless Ethernet ... overpowering valid ... – PowerPoint PPT presentation

Number of Views:73

Avg rating:3.0/5.0

Slides: 102

Provided by: luce169

Category:

more less

Transcript and Presenter's Notes

Title: Wireless LAN Security

1
Wireless LAN Security

Wi-Fi Technology
Wireless Fidelity (Wi-Fi)
Basic Security Practices
Vulnerabilities
WEP
WPA
802.11i
EAP and 802.1x

Based on LUCENT NavisRadius discussion team,
Richard Perlman
2
Wi-Fi

Wi-Fi (short for Wireless Fidelity") is the
popular term for a high-frequency wireless local
area network (WLAN)
Promoted by the Wi-Fi Alliance (Formerly WECA -
Wireless Ethernet Carriers Association)
Used generically when referring to any type of
802.11 network, whether 802.11a, 802.11b,
802.11g, dual-band, etc.
The IEEE accepted 802.11 specification in 1997.

3
Wireless LAN Topology

Wireless LAN is typically deployed as an
extension of an existing wired network as shown
below.

4
Wireless LAN Topology

Here is an example of small business usage of
Wi-Fi Network.

DSL Router
DSLConnectionEtc.
The DSL router and Wi-Fi AP are often combined
into a single unit
5
(No Transcript)
6
(No Transcript)
7
(No Transcript)
8
Basic 802.11 Security

SSID (Service Set Identifier) or ESSID (Extended
Service Set Identifier)
Each AP has an SSID that identifies itself.
The SSID is a secret key that is set by the
network administrator.
Wireless client must know the SSID of the AP to
which it wants to connect.
Network sniffing can discover the SSID.
SSID keeps a client from accidentally connecting
to a neighboring AP only.
It does not keep an attacker out.

9
SSID

SSID (Service Set Identifier) or ESSID (Extended
Service Set Identifier)
Since the SSID is a secret key, it creates a
management problem for the network administrator.
Every user of the network must configure the SSID
into their system.
If the network administrator seeks to lock a user
out of the network, the administrator must change
the SSID of the network, which requires
reconfiguration of every network node.
Some 802.11 NICs allow you to configure several
SSIDs at one time.

10
802.11 Authentication

The following events must occur before an 802.11
station can communicate with a wireless access
point
Turn on the wireless Client
Client listens for messages from any access
points (AP) that are in range
Client finds a message from an AP that has a
matching SSID
Client sends an authentication request to the AP
AP authenticates the station
Client sends an association request to the AP
AP associates with the station
Client can now communicate with the Ethernet
network thru the AP

11
802.11 Authentication Flow
12
Basic 802.11 Security

MAC filters
Some APs provide the capability for checking the
MAC address of the client before allowing it to
connect to the network.
Using MAC filters is considered to be very weak
security because with many Wi-Fi client
implementations it is possible to change the MAC
address by reconfiguring the card.
An attacker could sniff a valid MAC address from
the wireless network traffic .

13
Authentication Type

An access point must authenticate a station
before the station can associate with the access
point or communicate with the network.
Two types of authentication
Open System Authentication
Only use SSID
Shared Key Authentication
The station should use a pre-shared WEP key

14
Open System Authentication

The following steps occur when two devices use
Open System Authentication
The station sends an authentication request to
the access point.
The access point authenticates the station.
The station associates with the access point and
joins the network.
The process is illustrated below.

15
Shared Key Authentication

Steps for Shared Key Authentication
The station sends an authentication request to
the access point.
The access point sends challenge text to the
station.
The station uses its configured 64-bit or 128-bit
default WEP key to encrypt the challenge text,
and sends the encrypted text to the access point.
The access point decrypts the encrypted text
using its configured WEP Key that corresponds to
the stations default key.
If the decrypted text matches the original
challenge text, then the access point
authenticates the station.
The station connects to the network.

16
Shared Key Authentication

If the decrypted text does not match the original
challenge text then the access point will refuse
to authenticate the station and the station will
be unable to communicate.

17
Vulnerabilities
18
Vulnerabilities

There are several known types of wireless attacks
that must be protected against
SSID (network name) sniffing
WEP encryption key recovery attacks
ARP poisoning (man in the middle attacks)
MAC address spoofing
Access Point management password and SNMP attacks
Wireless end user (station) attacks
Rogue AP attacks (AP impersonation)
DOS (denial of service) wireless attacks

19
Diversity Antenna Attacks

If diversity antennas A and B are attached to an
AP, they are setup to cover both sides of the
area independently.
Alice is on the left side of the area, so the AP
will choose antenna A for Alice.
Bob is on the opposite side of the area so
antenna B will be used for Bob.
Bob can take Alice off the network by changing
his MAC address to be the same as Alice's.
Bob can also guarantee that his signal is
stronger on antenna B than Alice's signal on
antenna A by using an amplifier or other
enhancement mechanism.
Once Bob's signal has been detected as the
stronger signal on antenna B, the AP will send
and receive frames for the MAC address on antenna
B.
As long as Bob continues to send traffic to the
AP, Alice's frames will be ignored.

20
Malicious AP overpowering valid AP

If a client is not using WEP authentication (or
an attacker has knowledge of the WEP key), then
the client is vulnerable to DoS attacks from
spoofed APs.
Clients can generally be configured to associate
with any access point or to associate to an
access point in a particular ESSID.
If a client is configured to associate to any
available AP, it will select the AP with the
strongest signal regardless of the ESSID.
If the client is configured to associate to a
particular ESSID, it will select the AP in the
ESSID with the strongest signal strength.
Either way, a malicious AP can effectively
black-hole traffic from a victim by spoofing the
desired AP.

21
Man-in-the-Middle Attacks

Man-in-the-middle (MITM) attacks have two major
forms eavesdropping and manipulation.
Eavesdropping occurs when an attacker receives a
data communication stream.
A manipulation attack requires the attacker to
not only have the ability to receive the victim's
data but then be able to retransmit the data
after changing it.

22
Properties of protected communications for
wireless networks

Authentication the wireless network node must
be identified and must submit credentials that
can be validated.
Encryption the wireless network node must
encrypt the data to ensure data confidentiality.
Data integrity the wireless network node must
include information in the packet so the receiver
can determine that the contents of the packet
were not modified in transit.

23
Recommended 802.11 Security Practices

Change the default password for the Admin account
SSID
Change the default
Disable Broadcast
Make it unique
If possible, Change it often
Enable MAC Address Filtering
Enable WEP 128-bit Data Encryption. (This will
reduce network performance)
Use the highest level of encryption possible
Use a Shared Key
Use multiple WEP keys
Change it regularly
Turn off DHCP
Refrain from using the default IP subnet

24
WEP What?

WEP (Wired Equivalent Privacy) referring to the
intent to provide a privacy service to wireless
LAN users similar to that provided by the
physical security inherent in a wired LAN.
WEP is the privacy protocol specified in IEEE
802.11 to provide wireless LAN users protection
against casual eavesdropping.

25
WEP encryption process
26
WEP How?

When WEP is active, each 802.11 packet is
encrypted separately with a RC4 cipher stream
generated by a 64 bit RC4 key.
This key is composed of a 24 bit initialization
vector (IV) and a 40 bit WEP key.
The encrypted packet is generated with a bit-wise
exclusive OR (XOR) of the original packet and the
RC4 stream.
The IV is chosen by the sender and should be
changed so that every packet won't be encrypted
with the same cipher stream.
The IV is sent in the clear with each packet.
An additional 4 byte Integrity Check Value (ICV)
is computed for the original packet using the
CRC-32 checksum algorithm and appended to the
end.
The ICV is also encrypted with the RC4 cipher
stream.

27
Overview of WEP Parameters

Before enabling WEP on an 802.11 network, you
must first consider what type of encryption you
require and the key size you want to use.
Typically, there are three WEP Encryption options
available for 802.11 products
Do Not Use WEP The 802.11 network does not
encrypt data. For authentication, the network
uses Open System Authentication.
Use WEP for Encryption A transmitting 802.11
device encrypts the data portion of every packet
it sends using a configured WEP Key. The
receiving device decrypts the data using the same
WEP Key. For authentication purposes, the
wireless network uses Open System Authentication.
Use WEP for Authentication and Encryption Same
as above. However for authentication purposes,
the 802.11 network uses Shared Key
Authentication.
Note Some 802.11 access points also support Use
WEP for Authentication Only (Shared Key
Authentication without data encryption).

28
Basic 802.11 Security

Static WEP keys
Static WEP key operation requires keys on the
client and AP are sent between them.
With WEP encryption, sniffing is eliminated and
session hijacking is difficult (or impossible).
Client and AP are configured with a set of 4
keys, and when decrypting each are used in turn
until decryption is successful.
This allows keys to be changed dynamically.
Keys are the same in all clients and AP.
This means that there is a community key shared
by everyone using the same AP.
The danger is that if any one in the community is
compromised, the community key, and hence the
network is at risk.

29
WEP - Weaknesses

Key Management and Key Size
Key management is not specified in the WEP
standard,
Therefore keys will tend to be long-lived and of
poor quality.
The Initialization Vector (IV) is Too Small
WEPs IV size of 24 bits provides for 16,777,216
different RC4 cipher streams for a given WEP key,
for any key size.
Remember that the RC4 cipher stream is XOR-ed
with the original packet and the IV is sent in
the clear with each packet.
The Integrity Check Value (ICV) algorithm is not
appropriate
The WEP ICV is based on CRC-32, an algorithm for
detecting noise and common errors in
transmission.
CRC-32 is an excellent checksum for detecting
errors, but an awful choice for a cryptographic
hash.

30
WEP - Weaknesses

WEPs use of RC4 is weak
RC4 in its implementation in WEP has been found
to have weak keys.
There is more correlation between the key and the
output than there should be for good security.
Determining which packets were encrypted with
weak keys is easy because the first three bytes
of the key are taken from the IV that is sent
unencrypted in each packet.
This weakness can be exploited by a passive
attack.
Authentication Messages can be easily forged
802.11 defines two forms of authentication
Open System (no authentication) and
Shared Key authentication.
These are used to authenticate the client to the
access point.
The idea was that authentication would be better
than no authentication because the user has to
prove knowledge of the shared WEP key, in effect,
authenticating himself.

31
Security Issues with the original 802.11 standard

No detection of rogue or malicious wireless APs.
No per-user identification and authentication.
No mechanism for central authentication,
authorization, and accounting.
Some implementations derive WEP keys from
passwords, resulting in weak WEP keys.
No support for extended authentication methods.
For example, token cards, certificates/smart
cards, one-time passwords, biometrics, and so on.
No support for key management. For example,
rekeying global keys and dynamic per-station or
per-session key management.

32
Improved Security Standards

802.1x Authentication (2001)
WPA (Wi-Fi Protected Access) (2002)
802.11i -2004
Incorporated into 802.11-2007

33
Authentication with the 802.1X

Standard set by the IEEE 802.1 working group.
The solution for shortcomings of the IEEE 802.11
IEEE802.1x is the denotation of a standard that
is titled Port Based Network Access Control.
Provide a control mechanism to connect physically
to a LAN.
The standard provides a framework that allows the
use of any chosen authentication method.
Current and future authentication methods can be
used without having to adapt the standard.

34
What Exactly Is 802.1x?

Describes a standard link layer protocol used for
transporting higher-level authentication
protocols.
Works between the Supplicant (Client Software)
and the Authenticator (Network Device).
Maintains backend communication to an
Authentication (Typically RADIUS) Server.
RADIUS Remote Authentication Dial-In User
Service

35

General Description ofIEEE 802.1x Terminology
wireless network
enterprise network
enterprise edge
EAP over wireless
EAP over RADIUS
RADIUS server
Supplicant
Authentication Server
Authenticator
Operates on client
Processes EAP requests
Operates on devices at network edge, like APs and
switches
36
802.1x Traffic

As the picture indicates, EAP information, when
transmitted from Supplicant to Authentication
Server, is first encapsulated within a (wireless)
LAN frame (referred to as EAP over LAN or EAPoL).
Once received by the Authenticator it is
extracted from the LAN frame and placed in a
packet that conforms to the RADIUS protocol.
This RADIUS packet is then transmitted to the
Authentication Server using the RADIUS (UDP)
protocol.
Traffic coming from the Authentication Server to
the Supplicant follows the reverse process.

37
EAP

EAP was originally designed as part of the PPP
(Point-to-Point Protocol)
The PPP Extensible Authentication Protocol (EAP)
is a general protocol for PPP authentication
which supports multiple authentication
mechanisms.
It was developed in response to an increasing
demand for remote access user authentication.
RFC 2284 defines PPP Extensible Authentication
Protocol.
EAP does not select a specific authentication
mechanism at Link Control Phase, but rather
postpones this until the Authentication Phase.
This allows the authenticator to request more
information before determining the specific
authentication mechanism.
This also permits the use of a "back-end" server
which actually implements the various mechanisms
while the PPP authenticator merely passes through
the authentication exchange.

38
EAP

By using EAP, support for a number of
authentication schemes may be added by defining
EAP-Types.
Support might include token cards, one-time
passwords, public key authentication using smart
card, certificates, and others.
EAP hides the details of the authentication
scheme from those network elements that need not
know
For example in PPP, the client and the AAA server
only need to know the EAP type, and the Network
Access Server does not

39

Before EAP Start

802.11 association between client and
authenticator
IP connection blocked by AP

EAP over wireless
EAP over RADIUS
RADIUS server
802.1X traffic
RADIUS traffic (IP/UDP over Layer 2 protocol (Eg.
Ethernet)
authentication traffic
AP transfers data from 802.1x EAP messages into
RADIUS messages, and visa versa AP blocks IP
connection until RADIUS access-accept is received
normal data
40
EAP Authentication procedure

Physical connection between the client station
and the network is established first, which for
wireless operation means that 802.11 Association
has to be completed
this is the equivalent of plugging in a wired
station in an Ethernet wall socket.
After Association the 802.1x authentication
commences, initiated by the Authenticator (i.e.
the AP or NAS), which sends an EAP Request to the
Supplicant (i.e. the client station) asking for
its credentials.
These credentials could be machine name or user
name, depending on the authentication method that
is used.
The Supplicant transmits its identity information
as part of an EAP response to the Authenticator,
which takes the packet from the LAN frame and
encapsulates it in a RADIUS protocol message for
transmission to the Authentication Server.

41
EAP Authentication procedure

At this point a sequence of exchanges will take
place between the Authentication Server and the
Supplicant (via the Authenticator),
the exact details depend on the Authentication
method used.
The ultimate result of the complete sequence is
either a positive result, where the supplicant is
successfully authenticated, or a negative one
where the authentication has failed.
In the first case the door to network is opened
and all network resources are now available for
the client device,
while in the second case the network access
remains blocked.

42
EAP Authentication
43
What Does it Do?

Transport authentication information in the form
of Extensible Authentication Protocol (EAP)
payloads.
The authenticator (switch) becomes the middleman
for relaying EAP received in 802.1x packets to an
authentication server by using RADIUS to carry
the EAP information.
Several EAP types are specified in the standard.
Three common forms of EAP are
EAP-MD5 MD5 Hashed Username/Password
EAP-OTP One-Time Passwords
EAP-TLS Strong PKI Authenticated Transport
Layer Security (SSL)

44
What is RADIUS?

RADIUS The Remote Authentication Dial In User
Service
A protocol used to communicate between a network
device and an authentication server or database.
Allows the communication of login and
authentication information. i.e.
Username/Password, OTP, etc. using
Attribute/Value pairs (Attribute Value)
Allows the communication of extended attribute
value pairs using Vendor Specific Attributes
(VSAs).
Can also act as a transport for EAP messages.
RFC2865, RFC2866 and others

RADIUS Header
UDP Header
EAP Payload
45
EAP Architecture
46
EAP Architecture
47
EAP Authentication Methods MD5

EAP-Message Digest 5 uses the same challenge
handshake protocol as PPP-based CHAP, but the
challenges and responses are sent as EAP
messages.
MD5 can be considered as the lowest common
denominator EAP type.
EAP-MD5 does not support the use of per session
WEP keys, or mutual authentication of Access
Point and client.
It also does not support encrypted links for user
data, so cannot be used in an 802.11i
environment.
The EAP-MD5 authentication algorithm provides
one-way password based network authentication of
the client.
(CHAP Challenge-Handshake Authentication
Protocol)

48
EAP Authentication Methods MD5

This algorithm can also be used for less
stringent wireless LAN security requirements.
Advantage it is simple to administer for an
operator, re-using the database of usernames and
passwords which may exist currently.
Disadvantage no encryption keys are generated.
Also, while the protocol can be used by the
client to authenticate the network, it is
typically used only for the network to
authenticate the client.

49
EAP Authentication Methods MD5

A wireless station associates to its AP.
The AP will issue an EAP Request Identity frame
to the client station.
The client station responds with its identity
(machine name or user name).
The AP relays the EAP message (I.e. client
stations identity) to the RADIUS server, to
initiate the authentication services.
The MD5 protocol replies on a challenge text
issued by the server to the client.
Client is to encrypt this challenge using its
user password and return the result.
The server will decrypt the result using the
password that is recorded for the user.
When results match the original, the client is
validated as genuine.
No encryption keys are generated.

50
EAP Authentication Methods MD5
51
EAP Authentication Methods MD5
52
EAP Authentication Methods TLS

Transport Layer Security (TLS) is a certificate
based authentication protocol.
EAP-TLS is described in RFC 2716
EAP-TLS provides mutual authentication and
supports per-session WEP keys .
Certificate based authentication provides a
highly secure digital equivalent of ID cards used
by both the client and network so they can
authenticate each other.
Public Key Infrastructure (PKI) digital signature
techniques are used to prove each partys
authenticity.

53
EAP Authentication Methods TLS

A digital certificate is comprised of the
following fields
a version
certificate serial number
signature algorithm identifier
name of the issuer
validity period
name
public key
optional unique identifiers
a signature value.

54
Certificate Authority
55
EAP Authentication Methods TLS

A wireless station associates to its AP.
The AP will issue an EAP Request Identity frame
to the client station.
The client station responds with its identity
(machine name or user name).
The AP relays the EAP message (I.e. client
stations identity) to the RADIUS server, to
initiate the authentication services.
The RADIUS server requests credentials from the
client station to confirm the identity, by
sending the EAP request via the AP.
The client replies sending its credentials
relayed by the AP.

56
EAP Authentication Methods TLS

The TLS_Hello messages are the start of the TLS
handshake protocol
Server initiates by sending its Server_hello
(including, the Certificate, the so-called
Cyphersuite, indicating what crypto algorithm it
can handle).
Client replies with Client_Hello, stating among
others its certificate, what crypto-algorithm was
selected, and requesting the server to send its
certificate.
The client and Server engage in the
Key-Exchange sequence (Diffie-Hellman).
On completion of the DH Key exchange between
server and client, the server transmits its keys
to the AP.

57
EAP Authentication Methods TLS

To encrypt subsequent IEEE 802.11 frames
exchanged between the AP and the client, a WEP
key pair is used, that is generated by the AP,
and is the same for all clients associated to
this particular AP.
The AP will transmit this key pair to the client
and uses the key received from the server to
encrypt this message.
Once the client received the WEP keys it will
pass them to the PC card via the NDIS interface
and the driver.
Station and AP will use these WEP keys until
station logs off or until re-authentication timer
has expired (for periodic re-authentication).
When station roams to another AP a
re-authentication is required and new WEP keys
are established.

58
EAP Authentication Methods TLS
59
EAP Authentication Methods TLS
60
(No Transcript)
61
(No Transcript)
62
EAP Comparison
63
EAP Authentication Methods TTLS

Tunneled Transport Layer Security (TTLS) and
Protected Extensible Authentication Protocol
(PEAP) are similar in operation and support both
secure username/password and mutual
authentication.
EAP-TTLS a combination of both EAP-TLS, and
traditional password-based methods such as
Challenge Handshake Authentication Protocol
(CHAP), and One Time Password (OTP). On the
client side merely passwords are required instead
of digital certificates, which relieves the
administrator of the systems to manage and
distribute certificates. On the authentication
server side a certificate is required.
Certificates do not have to be installed in each
client device. This is because PKI techniques are
used to first allow the client to authenticate
the server (via a certificate installed on the
server) and form a secured connection between
client and server. Then the server authenticates
the client over the secured connection with the
user providing a username and password pair.
This principle is much like the way in which
browser based commerce takes place today over web
browsers. Secure connections are established
before the users authentication information is
exchanged. Users see this typically as a padlock
symbol in their browsers.

64
EAP Authentication Methods TTLS

In EAP-TTLS a secure TLS tunnel is first
established between the supplicant and the
authentication server.
The client authenticates the network to which it
is connecting by authenticating the digital
certificate provided by the TTLS server. This is
exactly analogous to the techniques used to
connect to a secure web server. Once an
authenticated tunnel is established, the
authentication of the end user occurs.
EAP-TTLS has the added benefit of protecting the
identity of the end user from view over the
wireless medium. In this way anonymity of the
end user, a desirable attribute is provided.
EAP-TTLS also enables existing end-user
authentication systems to be reused. Two key
advantages of EAP-TTLS are that anonymity of the
end user is provided, and that any existing
RADIUS server and its associated database can be
re-used.
EAP-TTLS is the only EAP type to date which
provides end user anonymity.

65
EAP Authentication Methods SRP

SRP (Secure Remote Password) is a secure
password-based authentication and key-exchange
protocol.
It solves the problem of authenticating clients
to servers securely, in cases where the user of
the client software must memorize a small secret
(like a password) and carries no other secret
information.
The server stores a verifier for each user, which
allows it to authenticate the client but which,
if compromised, would not allow the attacker to
impersonate the client.
SRP also exchanges a cryptographically-strong
secret as a byproduct of successful
authentication, which enables the two parties to
communicate securely.
A key advantage of SRP is that the users
password need not be stored in the RADIUS
database. SRP is also a completely password based
authentication system. No certificates are
required.

66
EAP Authentication Methods LEAP

Ciscos version of EAP (Extensible Authentication
Protocol), known as LEAP (where the L stands
for lightweight).
Though the Cisco systems can be configured to
operate with other EAP protocols, this
proprietary version is promoted by Cisco in order
to offer a complete Cisco solution.
LEAP also is known to have significant flaws
The key used for encryption between client and
Access Point is derived from the username and
password stored at the Authentication server and
used by the client station during log-in.
The method used in this case is MSCHAP v1, and
known in the industry to be vulnerable and
hack-able by existing hack tools.
The EAP exchange between client and
authentication server is not encrypted, as the
key is not yet determined. The username is
transmitted in the clear and the only the
password is protected by an MSCHAP v1 hash, which
is relatively easy to hack.

67
EAP Authentication Methods LEAP
68
EAP Authentication Methods LEAP
69
EAP Authentication Methods PEAP

Protected EAP (PEAP) A version of EAP developed
by Microsoft, Cisco, and RSA Security that offers
two implementation options.
The first uses the Microsoft Challenge-Handshake
Authentication Protocol Version 2 (MS-CHAPv2) for
mutual authentication and does not require client
digital certificates.
The second implementation uses TLS for mutual
authentication and requires digital certificates
on all the clients (very similar to EAP-TLS).

70
EAP Authentication Methods PEAP
In the TLS Channel
PEAP Server
Client
Transfer of the generated key from the PEAP
server to the NAS if on different machines
71
EAP Authentication Methods PEAP
72
EAP Authentication Methods PEAP
73
EAP Authentication Methods MS-CHAPv2

The Microsoft EAP CHAP Extensions Version 2 (EAP
MSCHAPv2) protocol allows mutual authentication
between an authenticator and a peer that is
seeking authentication.
It extends the MSCHAPv2 protocol defined in RFC
2759, and is one of several authentication
methods associated with the Extensible
Authentication Protocol (EAP) defined in RFC
2284.

74
MS-CHAPv2, What is?

Peer authentication using MS-CHAPv2. Following
stages take place after a PPTP tunnel is
established and the setup for the PPP connection
has started.
The client requests an authenticator challenge
from the server.
The server sends back a 16-bytes random
authenticator challenge.
The client generates the response
The client generates 16-bytes random peer
challenge.
The client generates the challenge by hashing the
authenticator challenge, the peer challenge, and
the user's login using SHA.
The client generates the NT password hash from
the user's password.
The 16-byte NT password hash from step (c) is
padded with 5 bytes of zero. From these 21 bytes
three 7-byte DES keys are derived.
The first 8 bytes of the hash generated in step
(b) (these 8 bytes are later referred to as the
challenge) are encrypted using DES with each of
the three keys generated in step (d).
The 24 bytes resulting from step (e), the 16-byte
random peer challenge, and the user's login are
sent back to the server as response.

75
EAP methods based on GSM credentials

Support for SIM and USIM (AKA) credentials
Uses standard SIM (Subscriber Identity Module)
and USIM(UMTS Subscriber Identity Module) cards
Wireless phone SIM cards as a way of obtaining
authentication
using SIM Extensible Authentication Protocol for
GSM (EAP-SIM)
Using USIM Extensible Authentication and Key
Agreement Protocol (EAP-AKA) for UMTS.
Generates 128 bit keys, has optional fast
reconnect and identity privacy support

76
EAP Authentication Methods SIM

EAP SIM (Subscriber Identity Module)
Authentication for GSM
EAP SIM authentication is based on Nokias EAP
Server Technology.
This provides an interface between the GSM
Authentication Center and one or more wireless
LANs and uses the Extensible Authentication
Protocol (EAP) in order to allow it to pass
traffic securely over any Wide Area Network
e.g. a Telcos internal data network or the
Internet.
It permits authentication to be performed by WLAN
clients that have an 802.11 interface and access
to a GSM SIM card, with or without GSM air
interface capabilities.
This authentication procedure is designed to
provide mutual authentication between a wireless
LAN client and an AAA server.
Typically the EAP server is implemented on the
AAA server (e.g. RADIUS) and has an interface to
the GSM network, so it operates as a gateway
between the Internet AAA network and the GSM
authentication infrastructure.
The system allows GSM mobile operators to reuse
their existing authentication infrastructure for
providing access to wireless networks.
EAP SIM combines the data from several GSM
triplets (RAND, SRES, Kc), obtained from an
Authentication Centre (AuC), to generate a more
secure session encryption key. EAP SIM also
enhances the basic GSM authentication mechanism
by providing for mutual authentication between
the client and the RADIUS server.

77
EAP Authentication Methods SIM
SIM- Subscriber Identify Module Usually referred
to as a SIM card, The SIM is the user
subscription to the mobile network. The SIM
contains relevant information that enabled access
control onto the subscribed operator's network.
78
(No Transcript)
79
EAP Authentication Methods SIM

The EAP SIM authentication proceeds as follows
The client receives an EAP Identity Request from
the access point (AP).
The client responds to the APs request with an
EAP Identity Response message containing the
users network identity which is stored on the
SIM (either the user's International Mobile
Subscriber Identity (IMSI) or a temporary
identity (pseudonym)).
The AP transmits this message to the RADIUS
server, which in turn forwards it to the
Authentication Center of the GSM network.
From the AuC the RADIUS server obtains GSM
triplets and passes the RAND to the client. The
SIM calculates the signed response (SRES) which
is returned to the RADIUS server. The SIM also
calculates cryptographic keying material, using a
secure hash function on the user identity and the
GSM encryption keys, for the derivation of
session encryption keys.
When the AAA server receives the clients
Authentication response, it calculates its own
XRES and compares it to the one received from the
client. If both match, the client is
authenticated and the AAA server calculates the
session encryption keys.
It then sends a RADIUS ACCEPT message to the AP,
which contains an encapsulated EAP Success
message and the (encrypted) client session key.
The AP installs the session key for the
encryption and forwards the EAP Success message
to the client which is now able to access the
network.

80
EAP Authentication Methods SIM
81
EAP Authentication Methods SIM
82
EAP Authentication Methods AKA

EAP AKA (authentication and key agreement) is for
UMTS
For a W-LAN-3G-inter-working the EAP AKA
protocols have been developed.
The basic difference in the security of the EAP
SIM and EAP AKA protocols is that, while both
provide mutual authentication, the
network-to-user authentication of EAP SIM is
implicitly based on the derived key Kc , whereas
the network-to-user authentication is integral
part of EAP/AKA procedure.
EAP/AKA is an EAP type for the UMTS
Authentication and Key Agreement (AKA)
EAP/AKA supports all the UMTS AKA scenarios
basic authentication, sequence number
synchronization etc.
Similar IMSI privacy support as in EAP/SIM
EAP/AKA includes GSM compatible mode
basic GSM authentication without the enhancements
of EAP/SIM
The home server knows if this particular user has
been given an old GSM SIM or a newer UMTS USIM
Client can refuse GSM-only authentication

83
EAP Authentication Methods AKA

AKA is based on challenge-response mechanisms and
symmetric cryptography.
AKA typically runs in a UMTS Subscriber Identity
Module (USIM), a smart card like device. However,
the applicability of AKA is not limited to client
devices with smart cards, but the AKA mechanisms
could also be implemented in host software.
Compared to the GSM mechanism, AKA provides
substantially longer key lengths and the
authentication of the server side as well as the
client side.

84
EAP Authentication Methods AKA
Client

Authenticator

EAP-Request/Identity
lt--------------------------------------
----------------

EAP-Response/Identity

(Includes user's NAI)

---------------------------------------
---------------gt

------------------------------
Server
runs UMTS algorithms,

generates RAND and AUTN.

------------------------------

EAP-Request/AKA-Challenge
(RAND, AUTN)

lt--------------------------------------
----------------

-------------------------------------

Client runs UMTS algorithms on USIM,

verifies AUTN, derives RES

and session key

-------------------------------------

EAP-Response/AKA-Challenge

(RES)

---------------------------------------
---------------gt

------------------------------
Server
checks the given RES,
and
finds it correct.

------------------------------

EAP-Success
lt--------------------------------------
----------------

85
WPA

Wi-Fi Protected Access (WPA)
Interim Solution between WEP and 802.11i
Plugs holes in legacy 802.11 devices typically
requires firmware or driver upgrade, but not new
hardware
Subset of the 802.11i and is forward compatible
Sponsored by the Wi-Fi Alliance
Will require WPA for current certifications
Support announced by Microsoft, Intel, others

86
WPA

The goal is to strengthen security over the
current WEP standards by including mechanisms
from the emerging 802.11i standard for both data
encryption and network access control.
Path WEP -gt WPA -gt 802.11i
WPA TKIP(Temporal Key Integrity Protocol)
IEEE 802.1x
For encryption, WPA has TKIP, which uses the same
encryption algorithm as WEP, but constructs keys
in a different way.
For access control, WPA will use the IEEE 802.1x
protocol.

87
WPA Benefits

Encryption weakness improved but not solved
Some concern that TKIP may degrade WLAN
performance without hardware accelerator
But protects current device investment
Will be available sooner than 802.11i

88
WPA

Works similarly to 802.1X authentication
Both Clients and AP must be WPA enabled for
encryption to and from 802.1X EAP server
Key in a pass phrase (master key) in both client
and AP
If pass phrase matches, then AP allows entry to
the network
Pass phrase remains constant, but a new
encryption key is generated for each session

89
TKIP

Temporal Key Integrity Protocol
TKIP is the next generation of WEP.
Quick fix to overcome the reuse of encryption key
problem with WEP
Combines the pre-shared key with the clients MAC
and larger IV to ensure each client uses
different key stream
Still uses WEP RC4, but changes key
Mandates use of Message Integrity Code (Michael)
to prevent packet forgery

90
TKIP

TKIP fixes the flaws of WEP.
per-packet key mixing,
a message integrity check and
a re-keying mechanism,
The TKIP is part of the IEEE 802.11i encryption
standard.
Benefits
Uses existing device calculation capabilities to
perform the encryption operations
Improves security, but is still only a short-term
fix

91
Temporal Key Integrity Protocol (TKIP)
92
WEP vs WPA
93
The WPA encryption process
94
New 802.11i Security

Task group "i" within the IEEE 802.11 is
responsible for developing a new standard for
WLAN security to replace the weak WEP (Wired
Equivalent Privacy).
Require new wireless hardware
Has been incorporated into the published IEEE
802.11-2007 standard.

95
New 802.11i Security

Addresses the main problems of WEP and Shared-Key
Authentication
Authentication schemes of 802.1x and EAP
Temporal Key Integrity Protocol (TKIP)
AES Encryption replacement for RC4
Message Integrity Control Michael
Robust Security Network (RSN)
802.11i TKIP IEEE 802.1x AES

96
New 802.11i Security

Advanced Encryption Standard (AES)
AES is the U.S. government's next-generation
cryptography algorithm, which will replace DES
and 3DES.

97
WPA 2

Wi-Fi Protected Access 2 (WPA2) is a product
certification available through the Wi-Fi
Alliance that certifies wireless equipment as
being compatible with the IEEE 802.11i standard.
The goal of WPA2 certification is to support the
additional mandatory security features of the
IEEE 802.11i standard that are not already
included for products that support WPA, such as
AES encryption of wireless frames.
Like WPA, WPA2 offers both Enterprise and
Personal modes of operation.

98
Features of WPA2 Security

WPA2 authentication
For WPA2 Enterprise, WPA2 requires authentication
in two phases the first is an open system
authentication and the second uses 802.1X and an
EAP authentication method.
For environments without a RADIUS infrastructure
such as small office/home office (SOHO) networks,
WPA2 Personal supports the use of a PSK.
WPA2 key management
Like WPA, WPA2 requires the determination of a
mutual pairwise master key (PMK) based on the EAP
or PSK authentication processes and the
calculation of pairwise transient keys through a
4-way handshake.

99
Features of WPA2 Security

Advanced Encryption Standard
WPA2 requires support for the Advanced Encryption
Standard (AES) using the Counter Mode-Cipher
Block Chaining (CBC)-Message Authentication Code
(MAC) Protocol (CCMP).
AES Counter Mode is a block cipher that encrypts
128-bit blocks of data at a time with a 128-bit
encryption key.
The CBC-MAC algorithm produces a message
integrity code (MIC) that provides data origin
authentication and data integrity for the
wireless frame.
A Packet Number field included in the
WPA2-protected wireless frame and incorporated
into the encryption and MIC calculations provides
replay protection.
AES encryption meets the Federal Information
Processing Standard (FIPS) 140-2 requirement.