Security Enhancement of WLAN Clients Using Smart Card Technology - PowerPoint PPT Presentation

1 / 59
About This Presentation
Title:

Security Enhancement of WLAN Clients Using Smart Card Technology

Description:

United Arab Emirates University College of Engineering Department of Electrical Engineering Graduation Project (II) First Semester 2003/2004 Security Enhancement of ... – PowerPoint PPT presentation

Number of Views:143
Avg rating:3.0/5.0
Slides: 60
Provided by: abd64
Category:

less

Transcript and Presenter's Notes

Title: Security Enhancement of WLAN Clients Using Smart Card Technology


1
United Arab Emirates University College of
Engineering Department of Electrical
Engineering Graduation Project (II) First
Semester 2003/2004
Security Enhancement of WLAN Clients
Using Smart Card Technology
Faculty Advisor Dr.
Mohammad Abdul Hafez Group members Abdulrahman-R-
Almasri
980211475 Alaaeldin FM Al-Anqar
980211476 Ahmad Mohd Alymmahi
980710581
2
Overview
  • Objective.
  • To improve the security system of wireless Local
    Area Network (WLAN) clients using the technology
    of smart cards.
  • Motivations.
  • The demand on wireless technology is increasing.
  • The security of WLAN is difficult to guarantee
    !!
  • Large companies and banks avoid WLANs !!
  • Smart Card Technology is the latest technology
    that came out to markets.
  • Users should be convinced !!

3
Overview
  • Approach.
  • Deploying a wireless LAN.
  • Different security solutions like MAC address
    authentication, WEP Encryption, IEEE 802.1x, EAP
    Protocols, and the Radius Server were implemented
    and tested to evaluate their security level.
  • The Smart Cards solution was implemented and
    tested .

4
Presentation Contents
  • Projects Plan.
  • Projects Budget.
  • Projects Impacts Safety Considerations.
  • Task (1) RF Design Using AVAYA Wireless
  • Solution.
  • Task (2) Implementing of Existing WLAN
    Security
  • Solutions.
  • Task (4) Smart Cards Solution .
  • Conclusions Recommendations.
  • References.

5
Projects Plan
Major tasks of GP1 shown in Gantt chart
6
Projects Budget
Number Item Quantity Availability Pric per unit EAD Total EAD. Unavailable Price EAD.
1 PC 1 v 2000 2000 --
2 Radius Server (Software) 1 v Free -- --
3 PCMCIA 4 v 385.35 1541.4 --
4 Access point 2000 AP-3 2 v 1427.63 2855.26 --
5 Smart cards (Raak) 2 v 110 220 --
6 UTP CAT5 cables 20m X 1Dr / m 40 40
7 RJ-45 Connectors 10 X 3.67 36.7 36.7
8 Sniffer Software 1 v 4771 4771 --
9 Laptops 2 X 1000 2000 2000
Total -- -- - 13484 2096.7
7
Projects Impacts
  • Economical Impacts.
  • environmental Impacts.
  • Health Impacts.

8
Safety Considerations
  • The output power of wireless LAN systems is
    very low.
  • A little exposure to RF energy is provided to
    those in
  • the area of a wireless LAN system.
  • No adverse health affects have ever been
    attributed to
  • wireless LANs.

9
RF Design Using AVAYA Wireless Solution
  • Avaya access point 3 provides a dual slot
    architecture.
  • It enables users to have a flexible and smooth
    migration to 5 GHz technologies.
  • The Avaya Wireless AP-3 can deliver a data rate
    of both 11 Mbps and/or 54 Mbps.
  • It provides great security capabilities via
    Avaya Silver and Gold PC cards.
  • Users get robust, reliable connectivity and a
    high performance.

Dual slot architecture of AP-3
10
RF Design Using AVAYA Wireless Solution
  • A site survey was done at the 1st floor
  • of the EE Department (Male campus).
  • Objectives.
  • Methodology

- A laptop was used to give a reasonable
mobility to users.
- Client Manager software was used to
verify the quality of the wireless link.
- Two different locations of the access point
were chosen.
- The laptop was moved through a fixed path.
- The RF strength was measured at different
locations through the area.
11
RF Design Using AVAYA Wireless Solution
Exc Excellent VG Very Good
Indicates the RF strength by he color and the
number of columns.
Point Location A B C D E F G H I J L
1 Exc Exc Exc Exc Exc Exc Exc Exc VG VG VG
2 Exc Exc Exc Exc Exc VG VG VG Exc Exc Exc
Site survey measurements of radio frequency
strength
12
Network Analyzer Tools used
  • AirSnare
  • Netasyst
  • Wlanexpert
  • WinePcape-3-1
  • Biongo
  • PCTL
  • Fakeap 0.3

13
Network Analyzer Tools used
AirSnare
It monitors network traffic for MAC addresses and
alerts you when a MAC address is found.
Netasyst
It provides the flexibility to monitor Wireless
and LAN networks simultaneously. Also, it
captures frames, and builds a database of network
objects from observed traffic to detect network
anomalies.
SMAC
Its a MAC Address Modifying Utility.
14
Implementation of existing security solutions to
WLAN
Medium Access Control (MAC) Address Filtering
  • Overview
  • Assigning the MAC addresses of clients in list
    in the access point.
  • Only assigned clients can get access to the
    network!!
  • Advantages
  • Easy to implement, easy to use, suitable for
    small networks!
  • Disadvantages
  • MAC address can be stolen.
  • MAC address can be changed.

15
MAC Address Filtering (Cont.)
Testing
  • MAC Address authentication was enabled in the
    access point.
  • MAC Addresses of clients were assigned into the
    table.

16
MAC Address Filtering (Cont.)
  • Netasyst was used to analyze the network
  • All clients using the network and their MAC
    Addresses were picked.

17
Gantt Chart for Graduation Project (2)
18
MAC Address Filtering (Cont.)
  • The network was detected using AirSnare
  • All MAC addresses of clients using the network
    were shown.
  • SMAC was used to change the MAC address in order
    to get into the network.

19
Implementation of existing security solutions to
WLAN
Wired Equivalent Privacy (WEP)
Overview
  • A security protocol that provides a high level
    of security.
  • It relies on a secret shared key between an
    access point and a client.
  • The (Ron's Code 4) RC4 encryption algorithm is
    used in WEP.

20
WEP Encryption (Cont.)
(1) An initial authentication frame is sent.
(2) A challenge text (128 bytes) is sent from the
AP to the station.
(3) The challenge key is encrypted with the
shared key and then sent back.
(4) The challenge key is decrypted with the
shared key at the AP and then compared.
Shared Key Authentication
21
WEP Encryption (Cont.)
Advantages
  • More secure than MAC Authentication.
  • Users should have the key in order connect the
    network.
  • RC4 is simple enough that most programmers can
    quickly implement it in software.


Disadvantages
  • The key can be obtained easily using some
    hacking tools.
  • Lack of key distribution and key management .

22
WEP Encryption (Cont.)
Testing
The length of the key was chosen
The WEP encryption was enabled
The keys were entered
Key 1 was chosen to be the IV
23
Netasyst Some important commands
  • Wired Equivalent Privacy (WEB) Analyses

-Netasyst Provides the user with 802.11 WEP
shared key. -The number of packets observed on
the wireless LAN indicates that Wired Equivalent
Policy encryption was used on the
packet. -Netasyst includes 64 and 128 bits web
data encryption
24
Netasyst Some important commands
The encrypted data of IEEE 11.b
25
Implementation of existing security solutions to
WLAN
802.11x Authentication
Overview
  • A protocol that used to enforce authentication
    and access control for wireless networks.
  • It works in conjunction with the EAP.
  • 802.1x acts as the gate keeper while EAP acts as
    the authentication mechanism.

26
802.1x Authentication
Components of 802.1x
  • Supplicant which is simply wireless client
    software
  • Authenticator access point or network port
  • authentication server

27
802.1x Authentication
Advantages
  • Multi-vendor standard framework for securing the
    network.
  • Allows the addition of newer authentication
    methods without replacing network equipment.
  • Supports both wired and wireless networks.
  • Uses industry standard authentication servers
    (example RADIUS Server).

28
802.1x Authentication
Disadvantages
  • Weaknesses in WEP .
  • EAP is not secure enough (EAP packets can be
    spoofed and changed).

29
Implementation of existing security solutions to
WLAN
Extensible Authentication Protocol (EAP)
Overview
  • A mechanism that defines a standard message
    exchange between devices.
  • Internet Protocol (IP) is not required.
  • It transports messages between devices.
  • EAP supports a number of authentication
    protocols.

30
EAP Encryption (Cont.)
Protocols of EAP
  • EAP-MD5 (Message-Digest 5).
  • EAP-TLS (Transport Level Security).
  • EAP-TTLS (Tunneled TLS).
  • EAP-PEAP (Protected EAP Protocol).
  • Cisco LEAP (Lightweight EAP).

                                                              
                                                              
Components of EAP
  • Client / Supplicant.
  • Authenticator.
  • Authenticator Server.

31
EAP Encryption (Cont.)
802.1x and EAP Authentication
Unauthorized State
  • The supplicant requests access to the
    authenticator
  • The client can send a start EAP Message
  • The supplicant returns its identity

EAP Message is returned
The identity is forwarded to the server
  • The identity is checked

Acceptance/Rejection Message
  • Acceptance occurred

Authorized State
32
EAP Encryption (Cont.)
Advantages
  • Supports multiple authentication protocols.
  • There is no need to reprogram it!!
  • Easy to implement and deploy.


Disadvantages
  • The authentication mechanism is weak!!
  • Attackers can recover passwords easily .

33
Implementation of existing security solutions to
WLAN
Radius Server
Overview
  • RADIUS Remote Authentication Dial In User
    Service.
  • It remotes users according to a database.
  • It assigns an IP address to the wireless device
    or establishing a time limit on the session.
  • RADIUS servers Steel-Belted, WinRadius, NAVIS,
    Merit, Kerberos, Microsoft IAS.

34
Radius Server
Architecture of a WLAN with RADIUS Server
solution
35
WinRadius Server Implementation
  • WinRaduis server was implemented as part of WLAN
    security solution

Step1 Installation
1-WinRadius was launched. 2- The "Configure
ODBC automatically" button was clicked at
"Settings/Database.
36
WinRadius Server Implementation
37
WinRadius Server Implementation
Step1 Installation
3- WinRadius was restarted. Now, all settings of
WinRadius are OK. 4- Some users were added to
WinRadius by clicking "" toolbar button as shown
in Figure
38
WinRadius Server Implementation
Step1 Installation
5- Radius Test was used to test the functionality
of WinRadius.
39
WinRadius Server Implementation
40
WinRadius Server Implementation
Step 2 WLAN configuration
In Windows XP, IEEE 802.1x was enabled and
MD5-Challenge was chosen as EAP type. Thus
WinRadius will use 802.1x to authenticate the
WLAN users.
41
Enabling the Access Point
Enabling The Servers Status

Entering The IP Address of the Radius Server
Entering The Radius Server Destination port
Entering The shared key
42
Enabling the Access Point
Entering The IP Addresses of the users
Entering The Destination ports of the users
Entering The shared keys
43
WinRadius Server Advantages
  • Lower purchase cost The cheapest in the world!!
  • Lower running cost.
  • More safe than ever.
  • Easy to understand and easy to manage.

44
Testing the Network
Data sent and received were recognized in the
access point and the server
45
Radius Server Implementation
46
Radius Server Implementation
47
Radius Server Implementation
48
Radius Server Implementation
49
Smart Cards Solution
Smart Card Technology
Overview
  • A wallet sized plastic card that is integrated
    with a circuit-chip.
  • It can be programmed to perform tasks and store
    information.
  • The microprocessor on the smart card is there
    for security.
  • The host computer and card reader actually
    "talk" to the microprocessor.

50
Smart Cards Solution
Configuration of Smart Cards
                               
51
Smart Cards Solution
Security of Smart Cards
  • Smart cards are extremely secure!!
  • It is impossible for a hacker to duplicate or
    corrupt the data stored on a card.
  • All standard encryption algorithms can be
    implemented DES, 3-DES, RSA, ECC
  • 4 different lengths of the same key are used to
    give the network a powerful security.

52
Smart Cards Solution
  • Chip is tamper-resistant.
  • Information stored on the card can be PIN
    protected and/or read-write protected.
  • Capable of performing data encryption.
  • Capable of processing (not just storing)
    information.

Advantages
Disadvantages
  • The card can be stolen!!
  • PIN Codes can be forgetting.

53
Implementation of Smart Cards Solution
  • Raak Technology was used.
  • The solution consists of a smart card or token,
    a digital certificate, and a full featured 802.1X
    client.
  • Raak smart cards and tokens were printed and
    configured for the end-user, and is ready to use
    right out of the box.
  • Raak smart cards and tokens allows the user to
    use them with multiple computers in multiple
    locations.
  • A user needs both the physical Smart Card and
    the Smart Card PIN code in order to authenticate.

54
Smart Cards Solution Implementation
C7 Cards
The C7 is protected with a user configurable PIN
(Personal Identification Number). Using the smart
card requires both the card and the PIN, for
complete two-factor authentication.
Features
  • Custom printed in full color.
  • Personalized with users own digital certificate.
  • Supports Windows XP Pro, XP Home, 2000.
  • Powerful cryptographic co-processor.
  • RSA 512, 768, 1024, 2048 keys.

55
Smart Cards Solution Implementation
T8 Tokens
The Raak T8 USB smart Token is printed with the
token ID number,
Features
  • Printed with the token ID.
  • Complete with a small USB connector.
  • Supports Windows XP Pro, XP Home, 2000.
  • Powerful cryptographic co-processor.
  • RSA 512, 768, 1024, 2048 keys.

56
WinRadius
  • WinRadius is a standard RADIUS server for network
    authentication and accounting
  • It is used for telecommunication wireless Local
    area Network.
  • There are more than 5000 users of WinRadius in
    the world

57
1 K. Chen, "Medium Access Control of Wireless
LANs for Mobile Computing," IEEE Network,
September / October 1994. 2 Pike. James,
Cisco Networking Security, Library of Congress,
2001. 3 Agrawal. Dharma, Zeng. Qing-An,
Wireless and mobile systems, University of
Cincinnati, 2003. 4 Geier. Jim, Wireless
LANs implementing interoperable networks,
Macmillan Technical Publisher, 1999. 5
www.cisco.com. 6 www.iss.com.
7 www.avaya.com.
8 http//www.iec.org/online/tutorials/smartcard
/index.html.
58
  • Summary.
  • Tasks Achieved.
  • Problems and Challenges.
  • Recommendations.

59
THANK YOU!!
For Attending and listening!!! We would
appreciate your questions and recommendations !!!
Write a Comment
User Comments (0)
About PowerShow.com