802.1x What it is, How it’s broken, and How to fix it. Bruce Potter The Shmoo Group [email protected]
Page 1

802.1x What it is, How it’s broken, and How to fix it.

Bruce Potter
The Shmoo Group
[email protected]

Page 2

Page 3

Why Wireless?

• No cable plant
  – Lower cost (initially… TCO may be higher)
  – Rapid deployment

• Enhanced mobility

• Ad hoc relationships

• Many different requirements

Page 4

Why Not Wireless

• No physical security

• Low throughput

• Unregulated, noisy bands

Page 5

802.11, 802.11b, etc.

• IEEE standard – based on well known Ethernet standards

• 802.11 – FHSS or DSSS, WEP, 2.4 GHz, Infrastructure (BSS) or Ad-Hoc (iBSS)
  – Limited to 2Mb/s due to FCC limits on dwell times per frequency hop

• 802.11b – DSSS only, WEP, 2.4 GHz, Infrastructure or Ad-Hoc
  – Up to 11Mb/s
  – Also known as Wi-Fi

• 802.11a and 802.11g

Page 6

An Association

• Associations are a basic part of 802.11

• Client requests authentication

• AP responds with auth type (Open/WEP)

• Authentication is performed

• If successful, then Association is requested and granted

• SSID is sent in the clear, so not advertising SSID is NOT a valid security mechanism

Page 7

General Principles

• Deal with the basics
  – Integrity
    • Protecting your packets from modification by other parties
  – Confidentiality
    • Keeping eavesdroppers within range from gaining useful information
    • Keeping unauthorized users off the network
      – Free Internet!
      – Risks to both internal and external network
  – Availability
    • Low level DoS is hard to prevent

• Like any other environment, there are no silver bullets

Page 8

Current Security Practices

• WEP – Wired Equivalent Privacy
  – Link Level
  – Very Broken

• Firewalls/MAC Filtering

• Reactionary – IDS/Active Portal

• Higher level protocols

Page 9

WEP In a Nutshell

• 40 bits of security == 64 bits of marketing spam

• 104 bits of security == 128 bits of marketing spam

Page 10

Thoughts on WEP

• Key management beyond a handful of people is impossible
  – Too much trust
  – Difficult administration
  – Key lifetime can get very short in an enterprise

• No authentication for management frames

• No per packet auth

• False Advertising!!!

Page 11

What is Lacking?

• Scalability
  – Many clients
  – Large networks

• Protection for all parties

• Eliminate invalid trust assumptions

Page 12

802.1x

• Port based authentication for all IEEE 802 networks (layer 2 authentication)

• Originally for Campus networks

• Extended for wireless

• Allows for unified AAA services

• Provides means for key transport

Page 13

Page 14

Pre-Authentication State

Page 15

Post-Authentication State

Page 16

EAP

• Extensible Authentication Protocol

• Originally designed for PPP
  – Shoehorned into 802.1x

• Switch/Access point is a pass through for EAP traffic. New authentication mechanisms do not require infrastructure upgrades

• LEAP – Cisco’s Lightweight EAP
  – Password based and (relatively) widely available

• De facto mechanism between AS and AServ is RADIUS
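A small model of the pre- and post-authentication port states and the EAP pass-through described on the preceding slides, added here as an illustration (it is not code from the talk or from any 802.1x implementation). It uses the IEEE 802.1X EAPOL and EAP header layouts; the supplicant MAC and the return strings are constructed for the example.

```python
import struct

ETHERTYPE_EAPOL = 0x888E   # only EAPOL may cross the uncontrolled port
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 2, 3, 4

def eapol(packet_type, body=b""):   # EAPOL: version 1, type, body length
    return struct.pack("!BBH", 1, packet_type, len(body)) + body

def eap(code, ident, data=b""):     # EAP: code, identifier, total length
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def ethernet(src, dst, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

class Authenticator:
    """Authenticator PAE (switch port or AP); every controlled port starts unauthorized."""
    def __init__(self):
        self.authorized = set()   # MACs whose controlled port is open
        self.to_server = []       # EAP packets relayed unchanged to the AS

    def receive(self, frame):
        """Classify one frame arriving from the supplicant side of the port."""
        src = frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETHERTYPE_EAPOL:
            # Ordinary data passes only once the controlled port is open.
            return "forward" if src in self.authorized else "drop"
        _version, ptype, blen = struct.unpack("!BBH", frame[14:18])
        body = frame[18:18 + blen]
        if ptype == EAPOL_START:
            return "send-eap-request-identity"
        if ptype == EAPOL_LOGOFF:
            self.authorized.discard(src)
            return "port-unauthorized"
        if ptype == EAPOL_EAP_PACKET and len(body) >= 4:
            # Pass-through: the authenticator never interprets the EAP method.
            self.to_server.append((src, body))
            return "relayed-to-server"
        return "drop"

    def server_result(self, src, eap_packet):
        """EAP-Success/Failure from the authentication server sets the port state.
        Nothing lets the supplicant check who sent the Success (one-way auth)."""
        if eap_packet[0] == EAP_SUCCESS:
            self.authorized.add(src)
        elif eap_packet[0] == EAP_FAILURE:
            self.authorized.discard(src)
        return src in self.authorized
```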

Page 17

Page 18

EAP Methods

• EAP-TLS: Uses certs! If implemented properly, solves many problems

• TTLS – Tunneled TLS. Allows encapsulation of other auth mechanisms.
  – “machine” auth’d by TLS, person by the tunneled protocol

• PEAP – IETF Draft
  – Like TTLS but with another EAP method encapsulated

• TLS/TTLS and others require certs
  – We all have a PKI setup, right? And use it properly and regularly?

Page 19

What’s Right

• Protection of the infrastructure

• Authentication mechanism can
  – change as needed
  – address flaws in existing wireless security

• Lightweight
  – No encapsulation, no per packet overhead… simply periodic authentication transactions

Page 20

What’s Right

• In controlled environment, risks can be mitigated by higher level protocols
  – VPN/SSL/SSH

• NOTE: exchange of WEP key material is not part of 802.1x specification
  – Remember: designed for wired campus networks

Page 21

What’s Right

• Association happens BEFORE 802.1x transaction.
  – Good: If 802.1x session is protected by default WEP key then the attacker must first compromise the WEP key to make use of 802.1x vulns
  – Bad: Key management anyone? Just how does the default key get there?

Page 22

What’s Wrong

• www.missl.cs.umd.edu/wireless/1x.pdf
  – First Open source supplicant
  – First holes in 802.1x

• One way authentication
  – Less of a concern in LAN environment

• Traffic Interception

• Session Hijacking

Page 23

What’s Wrong – Technical

• One way Authentication
  – Gateway authenticates the client
  – Client has no explicit means to authenticate the Gateway
  – Rogue gateways put client at risk
    • Remember – the loudest access point wins

• Still no Authentication of management frames (assoc/deassoc/beacons/etc…)

Page 24

What’s Wrong – Technical

• MITM
  – Send “Authentication Successful” to client
  – Client associates with malicious AP

• Hijacking
  – Send deassociation message to client… AP is in the dark
  – Change MAC to client and have live connection

Page 25

What’s Wrong – Technical

• RADIUS uses shared secret with the Authenticator
  – Same issue as WEP, but on a more reasonable scale

• Authentication after association presents roaming problems
  – Authentication takes a non-trivial amount of time… can disrupt data in transit

• Failure of RADIUS server == failure of network
  – Many AP implementations don’t allow multiple RADIUS servers
  – Most RADIUS server failover is non-transparent

Page 26

What’s Wrong – touchy feely

• They forgot about the client (trust assumptions)
  – Everyone is at risk
  – Everyone is a threat
  – Lack of physical security requires encrypted channel to secure 802.1x

• Wired “port” is not the same as wireless “port”

• Protocol designed to not require hardware replacement
  – Leads to less than stellar solution, esp WRT authentication of management frames.

Page 27

What’s Wrong – touchy feely

• Extensibility leads to complexity
  – Complexity leads to mistakes in implementation
  – Read the MS Guide on creating EAP methods as an example.

• Multivendor support is difficult

• Using a shoehorn to force protocols to work together leads to problems

Page 28

Why Did it Go Wrong?

• 802.1x – Designed for Campus networks

• EAP – Designed for PPP

• NEITHER designed with wireless threat model in mind

• Lesson: Don’t apply old protocols to new problems without understanding the risk.

Page 29

Where Are We Today?

• Several 802.1x implementations available
  – Windows XP (not PocketPC 2002)
  – Open1x.org

• EAP implementations
  – Windows IAS
  – FreeRADIUS – MD5 and TLS
  – Cisco
  – Other RADIUS servers

Page 30

Where Are We Today?

• 802.1x capable Access Points
  – Cisco
  – Lucent
    • RG1000/RG1100 can be hacked with AP500 firmware to become 1x capable
    • Some drawbacks
  – OS authenticator from open1x.org
  – others

Page 31

What’s Next

• Integration of existing solutions to “raise the bar”

• Limited 802.1x implementations

• 802.11i (Task Group I – Security)
  – On track… the right track
  – Mutual auth, per packet auth
  – 802.1x a part of

Page 32

What’s Next

• WEP has the right idea

• End to End Solutions ala SSL, SSH, IPSec
  – Not likely

Page 33

Temporal Key Integrity Protocol

• Fast Packet Keying

• Packet MAC

• Dynamic Rekeying

• Key distribution via 802.1x

• 3Q product deployment

• Still RC4 based to be backward compatible

• AES with 802.1x keying in the distant future

Page 34

Questions

http://www.shmoo.com/1x/