802.11 security - PowerPoint PPT Presentation

Slides: 65
Provided by: mmlab8
Transcript and Presenter's Notes

1
802.11 security
  • Courtesy of
  • William Arbaugh with Univ. of Maryland
  • Jesse Walker with Intel
  • Gunter Schafer with TU Berlin
  • Bernard Aboba with Microsoft

2
agenda
  • 802.11 introduction
  • WEP
  • 802.11i vs WPA
  • 802.1x

3
(No Transcript)
4
Basic service set (BSS)
  • AP and STAs

5
Independent BSS
  • Between STAs

6
(No Transcript)
7
(No Transcript)
8
authentication
  • Two modes
  • Open authentication
  • WEP authentication
  • WEP: wired equivalent privacy

9
Open Authentication
AP
STA
Authenticate (request)
Authenticate (success)
  • AP always accepts authentication request
  • instead, AP may use MAC address lists for
    security (access control)

10
WEP Authentication
AP
STA
Shared secret distributed out of band
Authenticate (request)
Challenge (Nonce)
Decrypted nonce OK?
Response (Nonce RC4 encrypted under shared key)
Authenticate (success)
  • Authentication key distributed out-of-band
  • Access Point generates a randomly generated
    challenge
  • Station encrypts challenge using the pre-shared
    secret key

11
Which one is better?
  • WEP authentication
  • Gives a good matching plaintext/ciphertext example
  • Challenge: plaintext (nonce)
  • Response: ciphertext (encrypted nonce)
  • In reality, open authentication is the norm
  • Right after authentication/association, STA and
    AP use the same secret key

12
(No Transcript)
13
(No Transcript)
14
40bit -> 128bit
15
ACL: access control list
16
(No Transcript)
17
WEP confidentiality and integrity
(IC)
18
WEP Encapsulation
Encrypted part
  • WEP Encapsulation Summary
  • Encryption algorithm: RC4 (stream cipher)
  • Per-packet encryption key: 24-bit IV
    concatenated to a pre-shared key
  • WEP allows IV to be reused with any frame
  • Data integrity provided by CRC-32 of the
    plaintext data (the ICV)
  • Data and ICV are encrypted under the per-packet
    encryption key

IV is changing
19
RC4
Decryption works the same way: $p = c \oplus b$
20
K = 104 bits, IV = 24 bits: 128 bits shared key
21
IV collision
22
ICV (integrity check value)
But the ICV is linear, meaning for any
polynomials p and q: $ICV(p \oplus q) = ICV(p) \oplus ICV(q)$
This means that if q is an arbitrary nth degree
polynomial, i.e., an arbitrary change in the
underlying message data:
$(p \oplus q)x^{32} \oplus ICV(p \oplus q) \oplus b$
$= px^{32} \oplus qx^{32} \oplus ICV(p) \oplus ICV(q) \oplus b$
$= ((px^{32} \oplus ICV(p)) \oplus b) \oplus (qx^{32} \oplus ICV(q))$
23
Two modes in WEP keys
  • Default keys
  • Every STA shares the same key
  • Key mapping keys
  • Every STA uses its own key

24
default keys
Total 4 keys: 2 for AP, 2 for STAs
Why two for each direction?
25
Key mapping keys
  • Different key for each user
  • Still default key is necessary
  • For broadcast messages
  • optional

26
(No Transcript)
27
(No Transcript)
28
(No Transcript)
29
$p = c \oplus b$
$b = c \oplus p$
30
(No Transcript)
31
(No Transcript)
32
(No Transcript)
33
(No Transcript)
34
802.11i approach
  • Separation of authentication and data integrity
  • Leverage higher layer protocol for authentication

35
802.1x, EAP, RADIUS: authentication and access
control
These were not originally intended for WLAN
36
Authentication for dial-in users
Enterprise or ISP Network
PSTN (POTS)
RADIUS
EAP Over RADIUS
POP
Authentication Server (AS)
PPP
NAS or RAS (Authenticator)
Central database
User (Supplicant)
  • Supplicant: an entity that wants to have access
  • Authenticator: an entity that controls the
    access gate
  • Authentication server: an entity that decides
    whether the supplicant is to be admitted

37
Access control illustration
  • Authenticator is alerted by the supplicant
  • Supplicant identifies himself
  • Authenticator requests authorization from the
    authentication server
  • Authentication server indicates YES or NO
  • Authenticator allows or blocks access
  • Three party interaction
  • authenticator only opens channel until
    authentication/access control is performed
  • authenticator is like doorkeeper

38
Network Access Server (NAS) in Ethernet
  • To offer economical Ethernet-based access we need
    a new class of network access server: the
    EtherNAS.
  • The EtherNAS is managed like a dialup NAS but
    offers thousands of times the bandwidth.
  • IEEE 802.11 APs supporting 802.1X and RADIUS are
    the first (but not the last) EtherNASes
  • Key standards include
  • IEEE 802
  • IETF RFC 2865-2869: RADIUS
  • IEEE 802.1X Network Port Authentication

How about central database in NAS?
39
Why Do Auth at the Link Layer?
  • It's fast, simple, and inexpensive
  • Most popular link layers support it: PPP, IEEE
    802
  • Cost matters if you're planning on deploying 1
    million ports!
  • Client doesn't need network access to
    authenticate
  • No need to resolve names, obtain an IP address
    prior to auth
  • NAS devices need minimal layer 3 functionality
  • 802.11 access points, 1 Gbps switch ports go for
    300, support 802.1D, 802.1X, SNMP RADIUS, may
    have no layer 3 filtering support
  • Authentication, AAA support typically a firmware
    upgrade
  • In a multi-protocol world, doing auth at link
    layer enables authorizing all protocols at the
    same time
  • Doing it at the network layer would mean adding
    authentication within IPv4, IPv6, AppleTalk, IPX,
    SNA, NetBEUI
  • Would also mean authorizing within multiple
    layers
  • Result: more delay

40
What is IEEE 802.1X?
  • The IEEE standard for authenticated and
    auto-provisioned LANs.
  • A framework for authentication and key management
  • IEEE 802.1X derives keys which can be used to
    provide per-packet authentication, integrity and
    confidentiality
  • Typically used along with well-known key
    derivation algorithms (e.g. TLS, SRP, etc.)
  • IEEE 802.1X does not mandate security services:
    can do authentication, or authentication and
    encryption
  • Encryption alone not recommended (but that's what
    WEP does)
  • What 802.1X is not
  • Purely a wireless standard: it applies to all
    IEEE 802 technologies (e.g. Ethernet First Mile
    applications)
  • A cipher: not a substitute for WEP, RC4, DES,
    3DES, AES, etc.
  • But 802.1X can be used to derive keys for any
    cipher
  • A single authentication method
  • But 802.1X can support many authentication
    methods without changes to the AP or NIC firmware

41
(No Transcript)
42
(No Transcript)
43
(No Transcript)
44
What is EAP?
  • The Extensible Authentication Protocol (RFC 2284)
  • Provides a flexible link layer security framework
  • Simple encapsulation protocol
  • No dependency on IP
  • ACK/NAK, no windowing
  • No fragmentation support
  • Few link layer assumptions
  • Can run over any link layer (PPP, 802, etc.)
  • Does not assume physically secure link
  • Methods provide security services
  • Assumes no re-ordering
  • Can run over lossy or lossless media
  • Retransmission responsibility of authenticator
    (not needed for 802.1X or 802.11)
  • EAP methods based on IETF standards
  • Transport Level Security (TLS) (supported in
    Windows 2000)
  • Secure Remote Password (SRP)
  • GSS_API (including Kerberos)

45
EAP Architecture
TLS
SRP
AKA SIM
Method Layer
EAP APIs
EAP
EAP Layer
NDIS APIs
Media Layer
PPP
802.3
802.5
802.11
46
EAPOL-Start EAPOL-Logoff
EAPOL-Key
47
(No Transcript)
48
What is RADIUS?
  • Remote Access Dial In User Service
  • Supports authentication, authorization, and
    accounting for network access
  • Physical ports (analog, ISDN, IEEE 802)
  • Virtual ports (tunnels, wireless)
  • Allows centralized administration and accounting
  • IETF status
  • Proposed standard
  • RFC 2865, RADIUS authentication/authorization
  • RFC 2618-2621, RADIUS MIBs
  • Informational
  • RFC 2866, RADIUS accounting
  • RFC 2867-8, RADIUS Tunneling support
  • RFC 2869, RADIUS extensions
  • RFC 3162, RADIUS for IPv6

49
802.1X Topologies
Enterprise or ISP Network
Semi-Public Network / Enterprise Edge
RADIUS
EAP Over RADIUS
EAP over LAN (EAPOL)
Authentication Server
PAE
AP (Authenticator)
PAE
PAE port access entry
STA (Supplicant)
50
802.1X Security Philosophy
  • Approach a flexible security framework
  • Implement security framework in upper layers
  • Enable plug-in of new authentication, key
    management methods without changing NIC or Access
    Point
  • Leverage main CPU resources for cryptographic
    calculations
  • How it works
  • Security conversation carried out between
    supplicant and authentication server
  • NIC, Access Point acts as a pass through device
  • Advantages
  • Decreases hardware cost and complexity
  • Enables customers to choose their own security
    solution
  • Can implement the latest, most sophisticated
    authentication and key management techniques with
    modest hardware
  • Enables rapid response to security issues

51
IEEE 802.1X Conversation
Switch
Radius Server
Laptop computer
Ethernet
EAPOL
RADIUS
52
802.1X on 802.11
Wireless
Access Point
Radius Server
Ethernet
Laptop computer
802.11
RADIUS
802.11 Associate-Response
EAPOW
Why?
53
(No Transcript)
54
802.1X authentication in 802.11
  • IEEE 802.1X authentication occurs after 802.11
    association or reassociation
  • Association/Reassociation serves as port up
    within 802.1X state machine
  • Prior to authentication, access point filters all
    non-802.1X traffic from client
  • If 802.1X authentication succeeds, access point
    removes the filter
  • 802.1X messages sent to destination MAC address
  • Client, Access Point MAC addresses known after
    802.11 association
  • No need to use 802.1X multicast MAC address in
    EAP-Start, EAP-Request/Identity messages
  • Prior to 802.1X authentication, access point only
    accepts packets with source = Client and
    Ethertype = EAPOL
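An added example, not part of the original slides: a Python sketch of the pre-authentication port filter described on this slide, with a minimal parser for the EAPOL and EAP headers. The EtherType 0x888E and the EAPOL/EAP type codes are the standard values; the function names and the frame layout passed in (a plain Ethernet header rather than an 802.11 header) are assumptions for illustration.

```python
import struct

ETH_P_EAPOL = 0x888E   # EtherType for 802.1X (EAPOL)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame: bytes):
    """Parse Ethernet + EAPOL (+ EAP) headers; None if not well-formed EAPOL."""
    if len(frame) < 18:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_EAPOL:
        return None
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length or ptype not in EAPOL_TYPES:
        return None                      # truncated body or unknown packet type
    info = {"src": src, "dst": dst, "eapol": EAPOL_TYPES[ptype]}
    if ptype == 0:                       # EAP-Packet: code, identifier, length
        if length < 4:
            return None
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length or code not in EAP_CODES:
            return None
        info["eap"] = (EAP_CODES[code], ident)
    return info

def admit(frame: bytes, client: bytes, authorized: bool) -> bool:
    """Before 802.1X success, pass only EAPOL whose source is the client."""
    if authorized:
        return True                      # filter removed after success
    info = parse_eapol(frame)
    return info is not None and info["src"] == client
```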

55
802.1X and Per-STA Session Keys
  • How does 802.1X derive per-Station unicast
    session keys?
  • Can use any EAP method supporting secure dynamic
    key derivation
  • EAP-TLS (RFC 2716)
  • EAP-SRP
  • EAP-AKA, EAP-SIM (for compatibility with
    cellular)
  • Security Dynamics
  • Keys derived on client and the RADIUS server
  • RADIUS server transmits key to access point
  • RADIUS attribute encrypted on a hop-by-hop basis
    using shared secret shared by RADIUS client and
    server
  • Unicast keys can be used to encrypt subsequent
    traffic, including EAPOW-key packet (for carrying
    multicast/global keys)

56
802.1X Authentication
  • 802.1X users identified by usernames, not MAC
    addresses
  • Enables user-based authentication, authorization,
    accounting
  • For use with 802.1X, EAP methods supporting
    mutual authentication are recommended
  • Need to mutually authenticate to guarantee key is
    transferred to the right entity
  • Prevents man-in-the-middle and rogue server
    attacks
  • Common EAP methods support mutual authentication
  • TLS: server and client must supply a certificate,
    prove possession of private key
  • SRP: permits mutual authentication via weak
    shared secret without risk of dictionary attack
    on the wire
  • Tunneled TLS: enables any EAP method to run,
    protected by TLS

57
Advantages of IEEE 802.1X
  • Open standards based
  • Leverages existing standards: EAP (RFC 2284),
    RADIUS (RFC 2865, 2866, 2867, 2868, 2869)
  • Enables interoperable user identification,
    centralized authentication, key management
  • Enables automated provisioning of LAN
    connectivity
  • User-based identification
  • Identification based on Network Access Identifier
    (RFC 2486) enables support for roaming access in
    public spaces (RFC 2607).
  • Enables a new class of wireless Internet Access
  • Dynamic key management
  • Improved security for wireless (802.11)
    installations

58
WEPv1.0 w/802.1X
  • Improved key derivation
  • Per-user unicast keys instead of global unicast
    key
  • Unicast key may be changed periodically to avoid
    staleness
  • Support for standards-based key derivation
    techniques
  • Examples: TLS, SRP
  • Additional fixes still under discussion
  • Authentication for reassociate, disassociate
  • WEP deficiencies still present
  • No keyed MIC
  • Improper usage of RC4 stream cipher
  • No IV replay protection
  • Long term solution: need a real cipher!
  • AES proposals under discussion

59
802.1X Implementations
  • Implementations available now
  • IEEE 802.1X support included in Windows XP
  • Firmware upgrades available from AP and NIC
    vendors
  • Interoperability testing underway
  • 802.1X OS support
  • Microsoft Windows XP
  • Cisco: Windows 9x, NT4, 2000, Mac OS, Linux
  • RADIUS servers supporting EAP
  • Microsoft Windows 2000 Server
  • Cisco ACS
  • Funk RADIUS
  • Interlink Networks (formerly MERIT) RADIUS server

60
Advertising Security Options
  • Modeled on supported rates
  • AP advertises security options in probe response
  • Placed in probe response only if STA requests it
    in probe request
  • STAs collect this information prior to
    associations and can make association and roaming
    decisions based upon it

61
Selecting security options
  • STA requests security options in association
    request from available options contained in probe
    response
  • AP accepts/rejects association based on request
    contents
  • No additional protocol handshakes necessary
  • No impact on roaming performance

62
802.11i Key Hierarchy
  • Separation of authentication and message
    protection
  • Authentication: server-based key
  • Established in advance
  • Communication: temporal (session) key
  • Pairwise key
  • Group key

63
Pairwise key
  • Different for each STA
  • PMK is derived from server-based key
  • Pairwise master key (PMK)
  • At server and at STA by themselves
  • Server delivers PMK to AP by RADIUS
  • Then 4 temporal keys derived from PMK
  • Data encryption key
  • Data integrity key
  • EAPOL-Key encryption key
  • EAPOL-Key integrity key
  • The collection of temporal keys is referred to as
    pairwise transient key (PTK)

64
Group key
  • For broadcast, multicast
  • Group master key (GMK)
  • AP chooses randomly
  • Group transient key (GTK)
  • Using the secure link by pairwise keys
  • When a node leaves, GTK is changed
  • Group encryption key
  • Group integrity key
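An added example, not part of the original slides: the pairwise and group key derivations of slides 63 and 64 in Python, using the 802.11i PRF (iterated HMAC-SHA1). It goes beyond the slides in assuming the inputs the standard mixes in (AP and STA MAC addresses and per-session nonces) and a 512-bit PTK split into the four 128-bit keys the slide lists; the dictionary key names and all sample values are illustrative.

```python
import hashlib, hmac

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([i])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key: four temporal keys derived from the PMK.

    aa/spa are the AP and STA MAC addresses; the min/max ordering lets
    both sides compute the same value independently.
    """
    data = (min(aa, spa) + max(aa, spa) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {
        "eapol_key_integrity": ptk[0:16],
        "eapol_key_encryption": ptk[16:32],
        "data_encryption": ptk[32:48],
        "data_integrity": ptk[48:64],
    }

def derive_gtk(gmk: bytes, aa: bytes, gnonce: bytes) -> dict:
    """Group transient key from the AP's random GMK; a new gnonce rekeys it."""
    gtk = prf(gmk, b"Group key expansion", aa + gnonce, 32)
    return {"group_encryption": gtk[0:16], "group_integrity": gtk[16:32]}
```

Since the STA address and nonces enter the PRF, two stations holding PMKs from the same server still end up with unrelated temporal keys, and changing the group nonce when a node leaves yields a GTK the departed node cannot compute without the GMK.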