WPA, RSN, and IEEE 802.11i - PowerPoint PPT Presentation

Slides: 72
Provided by: net147
Transcript and Presenter's Notes

1
WPA, RSN, and IEEE 802.11i
2
What is IEEE 802.11i
  • IEEE 802.11i defines a new type of wireless
    network called a robust security network (RSN).
  • Transitional security network (TSN): both RSN and
    WEP systems can operate in parallel.
  • Most existing Wi-Fi cards cannot be upgraded to
    RSN because the cryptographic operations required
    are not supported by the hardware and are beyond
    the capability of software upgrades.
  • WPA networks were therefore defined.

3
What is WPA
  • Temporal Key Integrity Protocol (TKIP): a
    security solution based around the capabilities
    of existing Wi-Fi products.
  • TKIP is allowed as an optional mode under RSN.
  • The Wi-Fi Alliance adopted a new security approach
    based on the draft RSN but only specifying TKIP.
    This subset of RSN is called WPA.

4
Differences between RSN and WPA
  • RSN also supports the AES cipher algorithm in
    addition to TKIP, whereas WPA focuses on TKIP.
  • RSN and WPA share a single security architecture
    under which TKIP- or AES-based security protocols
    can operate.
  • This architecture includes upper-level
    authentication, secret key distribution, and key
    renewal.

5
Security Context
  • Security context: e.g., passport, secret key.
  • In authentication, you often have to trust other
    parties.
  • In RSN, there are many different keys forming
    part of a key hierarchy, and most of these keys
    are not known before the authentication process
    completes.
  • Temporal keys these keys

6
  • Keys prove your identity and give access to
    services.
  • In RSN, correctly authenticating (master key)
    enables you to receive or create the temporal or
    session keys that are used for encryption and
    data protection.

7
Security Layers
  • Wireless LAN layer
      • Encrypting and decrypting data
  • Access control layer
      • Manage the security context. It must stop any
        data passing to or from an enemy.
  • Authentication layer
      • In authentication server (separated from AP)
      • Provides a way to manage the user database.

8
  • Master Key (MK)
      • MK: symmetric key representing the Station's (STA)
        and Authentication Server's (AS) decision during
        this session
      • Only STA and AS can possess MK
  • Pairwise Master Key (PMK)
      • PMK is a fresh symmetric key controlling the STA's
        and Access Point's (AP) access to the 802.11 channel
        during this session.

9
  • Only STA and AS can manufacture PMK
  • PMK derived from MK
  • AS distributes PMK to AP
  • PMK possession demonstrates authorization to
    access 802.11 channel during this session

10
WPA and RSN key Hierarchy
11
  • MK ≠ PMK
  • Or AP could make access control decisions
    instead of AS
  • MK is fresh and bound to this session between STA
    and AS
  • PMK is bound to this STA and this AP

12
(No Transcript)
13
(No Transcript)
14
  • Four separate keys for two layers of protection:
    EAPOL handshake and user data.
      • Data Encryption key
      • Data Integrity key
      • EAPOL-Key Encryption key
      • EAPOL-Key Integrity key
  • Pairwise transient key (PTK): the four keys

15
Nonce: N-once, a value N used only once.
16
802.11 Operational Phases
17
  • Discovery
      • Determine promising parties with whom to
        communicate
      • AP advertises network security capabilities to
        STAs
  • 802.1X authentication
      • Centralize network admission policy decisions at
        the AS
      • STA determines whether it does indeed want to
        communicate
      • Mutually authenticate STA and AS
      • Generate Master Key as a side effect of
        authentication
      • Generate PMK as an access authorization token

18
  • RADIUS-based key distribution
      • AS moves PMK to STA's AP
  • 802.1X key management
      • Bind PMK to STA and AP
      • Confirm both AP and STA possess PMK
      • Generate fresh PTK
      • Prove each peer is live
      • Synchronize PTK use
      • Distribute GTK

19
Discovery Overview
  • AP advertises capabilities in Beacon, Probe
    Response
  • SSID in Beacon, Probe provides hint for right
    authentication credentials
  • Performance optimization only; no security value
  • RSN Information Element advertises
      • All enabled authentication suites
      • All enabled unicast cipher suites
      • Multicast cipher suite
  • STA selects authentication suite and unicast
    cipher suite in Association Request

20
(No Transcript)
21
  • Conformant STA declines to associate if its own
    policy does not overlap with AP's policy
  • Conformant AP rejects STAs that do not select
    from offered suites
  • 802.11 Open System Authentication retained for
    backward compatibility; no security value
  • No protection during this phase; capabilities
    validated during key management
  • Capabilities advertised in an RSN Information
    Element (RSN IE)

22
The RSN IE
  • Element Length: the size of the element in octets.
  • Version: 1 means
      • Supports 802.1X key management per 802.11i
      • Supports CCMP

23
Suite Selectors
  • Constituent of
  • Authentication suite list: authentication and key
    management methods
  • Pairwise cipher suite list: crypto used for key
    distribution, unicast
  • Group cipher suite list: crypto used for
    multicast/broadcast

24
Some Suite Selector
25
  • Preauthentication: 1 means supported
  • Group key unicast: for WEP only
  • Replay counters: for QoS support
  • Reserved: set to 0 on transmit, ignored on
    receive
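
The RSN IE fields described on slides 19 to 25, parsed defensively and fed into the STA's "does my policy overlap the AP's" check. This is an added example, not part of the original presentation; the element ID (48), the 00-0F-AC suite selector values and the capability bit positions are taken from the 802.11i element layout rather than from the slides, and the sample element is constructed.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")            # OUI used by 802.11i suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _name(sel, table):
    """Map a 4-octet suite selector (OUI + type) to a readable name."""
    if sel[:3] != RSN_OUI:
        return "vendor-%s:%d" % (sel[:3].hex(), sel[3])
    return table.get(sel[3], "unknown-%d" % sel[3])

def _suite_list(body, off, table):
    """Read a 2-octet count followed by that many selectors, bounds-checked."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    count = struct.unpack_from("<H", body, off)[0]
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("suite count runs past Element Length")
    return [_name(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn_ie(ie):
    """Parse element ID, Element Length, version, suites and capabilities."""
    if len(ie) < 8 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:]
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    out = {"group": _name(body[2:6], CIPHERS)}
    out["pairwise"], off = _suite_list(body, 6, CIPHERS)
    out["akm"], off = _suite_list(body, off, AKMS)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    out["preauth"] = bool(caps & 0x0001)      # bit 0: preauthentication supported
    out["no_pairwise"] = bool(caps & 0x0002)  # bit 1: group key used for unicast
    return out

def sta_may_associate(ie, sta_pairwise, sta_akm):
    """STA policy check: associate only if its policy overlaps the AP's offer."""
    ap = parse_rsn_ie(ie)
    return bool(set(ap["pairwise"]) & sta_pairwise and set(ap["akm"]) & sta_akm)

# Constructed sample: group TKIP, pairwise CCMP+TKIP, AKM PSK, capabilities 0
SAMPLE_IE = bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac04"
                          "000fac02" "0100" "000fac02" "0000")
```

Because nothing in this phase is protected, the parsed values are only "alleged" until the MIC in handshake Messages 2 and 3 confirms them.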

26
Discovery Summary
  • At the end of discovery
  • STA knows
  • The alleged SSID of the network
  • The alleged authentication and cipher suites of
    the network
  • These allow STA to locate correct credentials,
    instead of trial use of credentials for every
    network
  • The AP knows which of its authentication and
    cipher suites the STA allegedly chose
  • A STA and an AP have established an 802.11
    channel
  • The associated STA and AP are ready to authenticate

27
Authentication Components
28
Authentication Overview
29
Authentication Summary
  • At the end of authentication
  • The AS and STA have established a session if
    concrete EAP method does
  • The AS and STA possess a mutually authenticated
    Master Key if concrete EAP method does
  • Master Key represents decision to grant access
    based on authentication
  • STA and AS have derived PMK
  • PMK is an authorization token to enforce access
    control decision
  • AS has distributed PMK to an AP (hopefully, to
    the STA's AP)

30
802.1X Key Management
  • Original 802.1X key management hopelessly broken,
    so redesigned by 802.11i
  • New model
      • Given a PMK, AP and AS use it to derive a
        fresh PTK
      • AP uses KCK and KEK portions of PTK to
        distribute Group Transient Key (GTK)
  • Limitations
      • No explicit binding to earlier association,
        authentication
      • Relies on temporality, PMK freshness for security
      • Keys are only as good as back-end allows

31
Key Management Overview
32
(No Transcript)
33
4-Way Handshake Discussion (1)
  • Assumes PMK is known only by STA and AP
  • So architecture requires a further assumption
    that AS is a trusted 3rd party
  • PTK derived, not transported
  • Guarantees PTK is fresh if ANonce or SNonce is
    fresh
  • Guarantees Messages 2, 4 are live if ANonce is
    fresh and unpredictable
  • Guarantees Message 3 is live if SNonce is fresh
    and unpredictable
  • PTK derivation binds PTK to STA, AP

34
Nonce: N-once, a value N used only once.
35
4-Way Handshake Discussion (2)
  • Message 1 tells STA
      • ANonce, MAC
  • Message 2 tells AP
      • Use EAPoL MIC key to compute MIC of EAPoL Message
      • This allows AP to know that STA possesses PTK
      • AP derives temporal key
  • Message 3 tells STA
      • There is no man-in-the-middle
      • AP possesses PTK
      • Asserting Install bit in Message 3 synchronizes
        Temporal Key use (data link protections)
        starting seq no.
      • This message is unencrypted
  • Message 4 serves no cryptographic purpose
      • Used only because 802.1X state machine wants it
      • This is to ACK completion of the 4-way handshake
        and indicate that the STA installs the keys and
        starts encryption.

36
TKIP
37
AES
38
4-Way Handshake Discussion (3)
  • Sequence number field used by 4-way handshake
    only to filter late packets
  • Recall PTK = KCK | KEK | TK
      • KCK used to authenticate Messages 2, 3, and 4
      • KEK unused by 4-way handshake
      • TKs installed after Message 4
  • The discovery RSN IE exchange is protected from
    alteration by the MIC in Messages 2 and 3
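
The "PTK derived, not transported" and "KCK authenticates Messages 2, 3, and 4" points, as an added example that is not part of the original presentation: both sides derive the PTK from the PMK, the two MAC addresses and the two nonces, and the AP accepts Message 2 only if the KCK-keyed MIC over the frame (including the STA's RSN IE) verifies. It assumes the CCMP case (384-bit PTK, HMAC-SHA1-128 MIC, key descriptor version 2); the PRF label and EAPOL-Key field offsets come from the 802.11i frame layout, not from the slides, and all key, nonce and address values are constructed.

```python
import hmac, hashlib

def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK is derived (never transported) from PMK, both MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)    # 384 bits for CCMP
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

MIC_OFF, NONCE_OFF = 81, 17     # field offsets inside the EAPOL-Key frame

def _mic(kck, frame):
    """HMAC-SHA1-128 over the whole frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def sta_message2(pmk, aa, spa, anonce, snonce, rsn_ie, replay=1):
    """STA side: Message 2 carries SNonce and the chosen RSN IE, MIC'd with KCK."""
    body = (b"\x02" + b"\x01\x0a" + bytes(2) + replay.to_bytes(8, "big") + snonce
            + bytes(32) + bytes(16) + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    mic = _mic(derive_ptk(pmk, aa, spa, anonce, snonce)["KCK"], frame)
    return frame[:MIC_OFF] + mic + frame[MIC_OFF + 16:]

def ap_verify_message2(pmk, aa, spa, anonce, frame):
    """AP side: derive PTK from the received SNonce; accept only if the MIC checks."""
    snonce = frame[NONCE_OFF:NONCE_OFF + 32]
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    ok = hmac.compare_digest(_mic(ptk["KCK"], frame), frame[MIC_OFF:MIC_OFF + 16])
    return ptk if ok else None

# Constructed sample values (not from a real capture)
PMK = bytes(range(32))
AA, SPA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = b"\xa1" * 32, b"\x5b" * 32
RSN_IE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                       "0100" "000fac02" "0000")
```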

39
4-Way Handshake Discussion (4)
  • Asserting Install bit in Message 3 synchronizes
    Temporal Key use (data link protections)

40
Temporal Key Integrity Protocol
  • TKIP allows WEP systems to be upgraded to be
    secure.
  • TKIP has to be secure and available as an
    upgrade to WEP systems.

41
(No Transcript)
42
(No Transcript)
43
  • The implementation of WEP depends almost entirely
    on the hardware assist functions.
  • The hardware assist functions in these earlier
    systems cannot support AES-CCMP.
  • TKIP uses existing RC4 and upgrades the firmware.

44
Weaknesses of WEP
  • The IV value is too short.
  • IV + WEP key → weak key attacks (FMS attack).
  • Message integrity.
  • Use master key directly and no built-in provision
    to update the keys.
  • There is no protection against message replay.

45
Changes from WEP to TKIP
  • Message integrity: add a message integrity
    protocol (Michael).
  • IV selection and use as counter (sequence no.)
  • Per-packet key Mixing
  • Increase the size of IV.
  • Key management.

46
TKIP MPDU Format
47
Message Integrity
  • ICV offers no real protection at all.
  • All the well-known methods need a new
    cryptographic algorithm or require fast multiply
    operation.
  • Michael uses no multiplications, just shift and
    add operations.
  • Michael is vulnerable to brute force attacks.
  • Michael countermeasures.

48
TKIP MPDU Format
49
IV selection and use
  • IV size: 24 bits → 48 bits
  • IV used as a sequence number to avoid replay
    attacks.
  • Throw out any message that has a TSC lower than
    that of the last message.
  • IV is constructed to avoid certain weak keys.

50
Per-packet key mixing
  • P1K ← phase 1 (TA_MAC, TSC_U, TK)
      • TSC_U: 32 bits
      • TK: 128 bits
      • P1K: 80 bits
  • P2K ← phase 2 (P1K, TSC_L, TK)
      • TSC_L: 16 bits

51
(No Transcript)
52
TKIP role in Transmission
53
(No Transcript)
54
AES-CCMP
  • Advanced Encryption Standard (AES), a block
    cipher, is the default mode for IEEE
    802.11i.
  • NIST approved AES in 2002.
  • AES was invented by J. Daemen and V. Rijmen and is
    called the Rijndael algorithm.
  • Original algorithm: block sizes, key sizes = 128, 192,
    or 256 bits.
  • NIST AES: block size = 128, key sizes = 128, 192,
    or 256 bits.
  • IEEE 802.11i: block size, key size = 128 bits
  • AES is to CCMP what RC4 is to TKIP.

55
Modes of operation
  • Mode of operation: the method used to convert
    between messages and blocks.
  • Electronic code book (ECB)
      • Simple
      • If two blocks have the same data, the encrypted
        result of the two blocks will also be the same,
        giving information to any onlooker.
      • AAAAA(64 B), 4 blocks.

56
ECB
57
  • Counter mode
      • The receiving party who wants to decrypt the
        message must know the starting value of the
        counter and the rules for advancing it.
  • Properties
      • Only need to implement the AES.
      • Encryption can be done in parallel
      • No need to break the message into an exact
        number of blocks.

58
Counter Mode
59
  • However, counter mode does not provide any
    message authentication, only encryption.
  • RSN: Counter mode + CBC-MAC = CCM
  • Cipher block chaining

60
CCM Mode Overview
  • Use CBC-MAC to compute a MIC on the plaintext
    header, length of the plaintext header, and the
    payload
  • Use CTR mode to encrypt the payload
      • Counter values 1, 2, 3, …
  • Use CTR mode to encrypt the MIC
      • Counter value 0
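
The CCM composition from this slide and the counter-mode slides before it, as an added example that is not part of the original presentation: CBC-MAC over the header length, header and payload; counter blocks 1, 2, 3, … for the payload; counter block 0 for the MIC. Block formatting assumes the 13-octet nonce and 8-octet MIC that CCMP uses; the block function `E` is a stand-in built from HMAC-SHA256, not AES, so the output is not interoperable CCMP ciphertext.

```python
import hmac, hashlib

BLK, MIC_LEN = 16, 8

def E(key, block):
    """Stand-in for AES encryption of one 16-octet block (assumption, NOT AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))    # truncates to the shorter input

def _pad(b):
    return b + bytes(-len(b) % BLK)              # zero-pad for the MAC only

def cbc_mac(key, nonce, header, payload):
    """MIC over first block (flags, nonce, payload length), header, payload."""
    blocks = bytes([0x59]) + nonce + len(payload).to_bytes(2, "big")
    blocks += _pad(len(header).to_bytes(2, "big") + header) + _pad(payload)
    state = bytes(BLK)
    for i in range(0, len(blocks), BLK):
        state = E(key, xor(state, blocks[i:i + BLK]))   # cipher block chaining
    return state[:MIC_LEN]

def keystream(key, nonce, counter):
    return E(key, bytes([0x01]) + nonce + counter.to_bytes(2, "big"))

def ctr_xor(key, nonce, data):
    """CTR mode: payload block i is XORed with keystream block i (i = 1, 2, 3, ...)."""
    return b"".join(xor(data[i:i + BLK], keystream(key, nonce, i // BLK + 1))
                    for i in range(0, len(data), BLK))

def ccm_seal(key, nonce, header, payload):
    mic = cbc_mac(key, nonce, header, payload)
    return ctr_xor(key, nonce, payload) + xor(mic, keystream(key, nonce, 0))

def ccm_open(key, nonce, header, sealed):
    """Decrypt, recompute the MIC, and return None if header or payload changed."""
    payload = ctr_xor(key, nonce, sealed[:-MIC_LEN])
    mic = xor(sealed[-MIC_LEN:], keystream(key, nonce, 0))
    if not hmac.compare_digest(mic, cbc_mac(key, nonce, header, payload)):
        return None
    return payload

# Constructed sample input: 13-octet nonce, cleartext header, 64 identical octets
KEY, NONCE, HEADER = b"k" * 16, bytes(13), b"constructed header"
SEALED = ccm_seal(KEY, NONCE, HEADER, b"A" * 64)
```

Unlike the ECB case of four identical "A" blocks, the four ciphertext blocks in `SEALED` differ, and the header is authenticated even though it is sent in the clear.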

61
(No Transcript)
62
MAC
CCMP header
63
Steps in processing an MPDU
64
CCMP header
65
CCMP Encryption and Decryption
66
CCMP Encryption Block
67
(No Transcript)
68
CCMP CBC-MAC IV
69
(No Transcript)
70
CCMP CTR
71
(No Transcript)