Wireless LAN 802.1X 01


  • 8/8/2019 Wireless LAN 802.1X 01

    1/131

Wireless LAN Overview

Agenda:

- EAP and 802.1x
- 802.1x EAP
  - Definition
  - Process Flow
  - EAP Types and Flow

Wi-Fi Technology

Wi-Fi

- Wi-Fi (short for "Wireless Fidelity") is the popular term for a high-frequency wireless local area network (WLAN).
- Promoted by the Wi-Fi Alliance (formerly WECA - Wireless Ethernet Carriers Association).
- Used generically when referring to any type of 802.11 network, whether 802.11a, 802.11b, 802.11g, dual-band, etc. The term is promulgated by the Wi-Fi Alliance.

Wi-Fi

- Wi-Fi standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing.
- The 802.11b (Wi-Fi) technology operates in the 2.4 GHz range, offering data speeds up to 11 megabits per second. The modulation used in 802.11 has historically been phase-shift keying (PSK).
- Note: unless adequately protected, a Wi-Fi wireless LAN is easily accessible by unauthorized users.

Wireless LAN Topology

A wireless LAN is typically deployed as an extension of an existing wired network, as shown below (figure).

Wireless LAN Topology

Here is an example of small business usage of a Wi-Fi network (figure; labels: DSL connection, DSL router, etc.). The DSL router and Wi-Fi AP are often combined into a single unit.

What is 802.11?

802.11 refers to a family of specifications developed by the IEEE for wireless LAN technology. 802.11 specifies an over-the-air interface between a wireless client and a base station or between two wireless clients. The IEEE accepted the specification in 1997.

802.11 Family Members

There are several specifications in the 802.11 family:

802.11   Applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).

802.11a  An extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5 GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS.

802.11b  (also referred to as 802.11 High Rate or Wi-Fi) An extension to 802.11 that applies to wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band. 802.11b uses only DSSS. 802.11b was a 1999 ratification to the original 802.11 standard, allowing wireless functionality comparable to Ethernet.

802.11g  Applies to wireless LANs and provides 20+ Mbps in the 2.4 GHz band.


802.11 Range Comparisons (figure)

802.11 Authentication

The 802.11 standard defines several services that govern how two 802.11 devices communicate. The following events must occur before an 802.11 station can communicate with an Ethernet network through a wireless access point:

1. Turn on the wireless client.
2. The client listens for messages from any access points (APs) that are in range.
3. The client finds a message from an AP that has a matching SSID.
4. The client sends an authentication request to the AP.
5. The AP authenticates the station.
6. The client sends an association request to the AP.
7. The AP associates with the station.
8. The client can now communicate with the Ethernet network through the AP.

What Exactly Is 802.1x?

- A standard set by the IEEE 802.1 working group.
- Describes a standard link layer protocol used for transporting higher-level authentication protocols.
- Works between the Supplicant (client software) and the Authenticator (network device).
- Maintains backend communication to an Authentication Server (typically RADIUS).

What Does it Do?

- Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
- The authenticator (switch) becomes the middleman, relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry the EAP information.
- Several EAP types are specified in the standard. Three common forms of EAP are:
  - EAP-MD5: MD5 hashed username/password
  - EAP-OTP: one-time passwords
  - EAP-TLS: strong PKI-authenticated Transport Layer Security (SSL)

Frame layout (figure): 802.1x Header | EAP Payload

What is RADIUS?

RADIUS: the Remote Authentication Dial In User Service.

- A protocol used to communicate between a network device and an authentication server or database.
- Allows the communication of login and authentication information, i.e. username/password, OTP, etc., using attribute/value pairs (Attribute = Value).
- Allows the communication of extended attribute value pairs using Vendor Specific Attributes (VSAs).
- Can also act as a transport for EAP messages.
- RFC 2865, RFC 2866 and others.

Packet layout (figure): UDP Header | RADIUS Header | EAP Payload

802.11 Authentication Flow (figure)

Wi-Fi Channels

Wireless LAN communications are based on the use of radio signals to exchange information through an association between a wireless LAN card and a nearby access point.

Each access point in an 802.11b/g network is configured to use one radio frequency (RF) channel. Although the 802.11b/g specifications indicate that there are fourteen (14) channels that can be utilized for wireless communications, in the U.S. there are only eleven channels allowed for AP use. In addition, since there is frequency overlap among many of the channels, there must be 22 MHz separation between any two channels in use.

Wi-Fi Channels

In a multi-access point installation, where overlapping channels can cause interference, dead spots and other problems, channels 1, 6 and 11 are generally regarded as the only safe channels to use. Since there are 5 5 MHz channels between 1 and 6, and between 6 and 11, or 25 MHz of total bandwidth, that leaves three MHz of buffer zone between channels. In practice, this constraint limits the number of usable channels to three (channels 1, 6 and 11). 802.11a wireless networks have eight non-overlapping channels, which provide more flexibility in terms of channel assignment.
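The channel arithmetic above can be checked mechanically. The following is an added example, not part of the slides: it takes the facts the slides state (14 channels, 5 MHz spacing, 22 MHz signal width, channels 1-11 permitted for AP use in the U.S.) and computes which channel combinations never overlap. The only assumption beyond the slides is the 802.11b/g channel plan itself, which places channel 1 at 2412 MHz, each following channel 5 MHz higher, and channel 14 at 2484 MHz. It goes slightly beyond the slides by also answering the question for all 14 channels, where a fourth non-overlapping channel (14) exists.

```python
# Added example, not from the slides: which 2.4 GHz channels can share a floor.
# Facts taken from the slides: 14 channels, 5 MHz channel spacing, 22 MHz signal
# width, only channels 1-11 permitted for AP use in the U.S.
# Assumed (not on the slides): the 802.11b/g channel plan puts channel 1 at
# 2412 MHz, each following channel 5 MHz higher, and channel 14 at 2484 MHz.
from itertools import combinations

SIGNAL_WIDTH_MHZ = 22        # an 802.11b/g transmission occupies about 22 MHz
CHANNEL_STEP_MHZ = 5         # adjacent channel centers are 5 MHz apart
US_CHANNELS = range(1, 12)   # channels 1..11
ALL_CHANNELS = range(1, 15)  # channels 1..14


def center_frequency(channel: int) -> int:
    """Center frequency in MHz of a 2.4 GHz channel (1..14)."""
    if not 1 <= channel <= 14:
        raise ValueError(f"no such 2.4 GHz channel: {channel}")
    if channel == 14:        # channel 14 sits 12 MHz above channel 13
        return 2484
    return 2412 + CHANNEL_STEP_MHZ * (channel - 1)


def overlaps(a: int, b: int) -> bool:
    """True if 22 MHz signals centered on channels a and b share spectrum."""
    return abs(center_frequency(a) - center_frequency(b)) < SIGNAL_WIDTH_MHZ


def interfering_neighbors(channel: int, allowed=US_CHANNELS) -> list:
    """Other allowed channels whose signal would overlap `channel`."""
    return [c for c in allowed if c != channel and overlaps(c, channel)]


def non_overlapping_sets(allowed=US_CHANNELS, size=3) -> list:
    """Every `size`-channel combination from `allowed` with no overlapping pair."""
    return [combo for combo in combinations(allowed, size)
            if not any(overlaps(a, b) for a, b in combinations(combo, 2))]


def max_non_overlapping(allowed=US_CHANNELS) -> int:
    """Largest number of mutually non-overlapping channels available in `allowed`."""
    size = len(allowed)
    while size > 0 and not non_overlapping_sets(allowed, size):
        size -= 1
    return size


if __name__ == "__main__":
    print("channel 6 overlaps with:", interfering_neighbors(6))
    print("non-overlapping triples in the U.S.:", non_overlapping_sets())
    print("max simultaneous channels, U.S.:", max_non_overlapping())
    print("non-overlapping quads over all 14:", non_overlapping_sets(ALL_CHANNELS, 4))
```

With the U.S. channel set the only non-overlapping triple the code finds is (1, 6, 11), which is the slides' conclusion; over all 14 channels it finds the single quad (1, 6, 11, 14), since channel 14's center is exactly 22 MHz above channel 11.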

Wi-Fi Channels

For example, 802.11a: an extension to the IEEE 802.11 standard that applies to wireless LANs and provides up to 54 Mbps in the 5 GHz band.

- For North American users, equipment available today operates between 5.15 and 5.35 GHz.
- This bandwidth supports eight separate, non-overlapping 200 MHz channels.
- These channels allow users to install up to eight access points set to different channels without interference, making access point channel assignment much easier and significantly increasing the level of throughput the wireless LAN can deliver within a given area.

Wi-Fi Channels

- If two access points that use the same RF channel are too close, the overlap in their signals will cause interference, possibly confusing wireless cards in the overlapping area.
- To avoid this potential scenario, it is important that wireless deployments be carefully designed and coordinated.
- It is also critical to make sure that a deployment does not cause conflicts with other pre-existing wireless implementations.

Figure: three channels on a single floor.

Basic 802.11 Security

SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier)

- Each AP has an SSID that it uses to identify itself. Network configuration requires each wireless client to know the SSID of the AP to which it wants to connect.
- The SSID provides a very modest amount of control. It only keeps a client from accidentally connecting to a neighboring AP. It does not keep an attacker out.

SSID

SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier)

- The SSID is a token that identifies an 802.11 network.
- The SSID is a secret key that is set by the network administrator. Clients must know the SSID to join an 802.11 network; however, network sniffing can discover the SSID.
- The fact that the SSID is a secret key instead of a public key creates a management problem for the network administrator.
- Every user of the network must configure the SSID into their system. If the network administrator seeks to lock a user out of the network, the administrator must change the SSID of the network, which requires reconfiguration of every network node. Some 802.11 NICs allow you to configure several SSIDs at one time.

Basic 802.11 Security

MAC filters

- Some APs provide the capability of checking the MAC address of the client before allowing it to connect to the network.
- Using MAC filters is considered to be very weak security because with many Wi-Fi client implementations it is possible to change the MAC address by reconfiguring the card.
- An attacker could sniff a valid MAC address from the wireless network traffic.

Basic 802.11 Security

Static WEP keys

- Wired Equivalent Privacy (WEP) is part of the 802.11 specification.
- Static WEP key operation requires keys on the client and AP that are used to encrypt data sent between them. With WEP encryption, sniffing is eliminated and session hijacking is difficult (or impossible). Client and AP are configured with a set of 4 keys, and when decrypting each is used in turn until decryption is successful. This allows keys to be changed dynamically.
- Keys are the same in all clients and the AP. This means that there is a community key shared by everyone using the same AP. The danger is that if any one in the community is compromised, the community key, and hence the network and everyone else using it, is at risk.

Authentication Type

An access point must authenticate a station before the station can associate with the access point or communicate with the network. The IEEE 802.11 standard defines two types of authentication:

- Open System Authentication
- Shared Key Authentication

Authentication Type: Open System Authentication

The following steps occur when two devices use Open System Authentication:

1. The station sends an authentication request to the access point.
2. The access point authenticates the station.
3. The station associates with the access point and joins the network.

The process is illustrated below (figure).

Authentication Type: Shared Key Authentication

The following steps occur when two devices use Shared Key Authentication:

1. The station sends an authentication request to the access point.
2. The access point sends challenge text to the station.
3. The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and sends the encrypted text to the access point.
4. The access point decrypts the encrypted text using its configured WEP key that corresponds to the station's default key.
5. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, then the access point and the station share the same WEP key and the access point authenticates the station.
6. The station connects to the network.

Authentication Type: Shared Key Authentication

If the decrypted text does not match the original challenge text (i.e., the access point and station do not share the same WEP key), then the access point will refuse to authenticate the station and the station will be unable to communicate with either the 802.11 network or the Ethernet network.

The process is illustrated below (figure).

Overview of WEP Parameters

Before enabling WEP on an 802.11 network, you must first consider what type of encryption you require and the key size you want to use. Typically, there are three WEP encryption options available for 802.11 products:

- Do Not Use WEP: the 802.11 network does not encrypt data. For authentication purposes, the network uses Open System Authentication.
- Use WEP for Encryption: a transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP key. The receiving device decrypts the data using the same WEP key. For authentication purposes, the wireless network uses Open System Authentication.
- Use WEP for Authentication and Encryption: a transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP key. The receiving 802.11 device decrypts the data using the same WEP key. For authentication purposes, the 802.11 network uses Shared Key Authentication.

Note: some 802.11 access points also support Use WEP for Authentication Only (Shared Key Authentication without data encryption).

Recommended 802.11 Security Practices

- Change the default password for the Admin account.
- SSID:
  - Change the default.
  - Disable broadcast.
  - Make it unique.
  - If possible, change it often.
- Enable MAC address filtering.
- Enable WEP 128-bit data encryption. Please note that this will reduce your network performance.
  - Use the highest level of encryption possible.
  - Use a shared key.
  - Use multiple WEP keys.
  - Change it regularly.
- Turn off DHCP.
- Refrain from using the default IP subnet.

Vulnerabilities

Vulnerabilities

There are several known types of wireless attacks that must be protected against:

- SSID (network name) sniffing
- WEP encryption key recovery attacks
- ARP poisoning (man-in-the-middle attacks)
- MAC address spoofing
- Access point management password and SNMP attacks
- Wireless end user (station) attacks
- Rogue AP attacks (AP impersonation)
- DoS (denial of service) wireless attacks

Diversity Antenna Attacks

If diversity antennas A and B are attached to an AP, they are set up to cover both sides of an area independently. Alice is on the left side of the area, so the AP will choose antenna A for sending and receiving her frames. Bob is on the opposite side of the area from Alice and will therefore send and receive frames with antenna B.

Bob can take Alice off the network by changing his MAC address to be the same as Alice's. Bob can also guarantee that his signal is stronger on antenna B than Alice's signal on antenna A by using an amplifier or other enhancement mechanism.

Once Bob's signal has been detected as the stronger signal on antenna B, the AP will send and receive frames for the MAC address on antenna B. As long as Bob continues to send traffic to the AP, Alice's frames will be ignored.

Malicious AP overpowering valid AP

- If a client is not using WEP authentication (or an attacker has knowledge of the WEP key), then the client is vulnerable to DoS attacks from spoofed APs.
- Clients can generally be configured to associate with any access point or to associate to an access point in a particular ESSID.
  - If a client is configured to associate to any available AP, it will select the AP with the strongest signal regardless of the ESSID.
  - If the client is configured to associate to a particular ESSID, it will select the AP in the ESSID with the strongest signal strength.
- Either way, a malicious AP can effectively black-hole traffic from a victim by spoofing the desired AP.


WEP - What?

- WEP (Wired Equivalent Privacy): the name refers to the intent to provide a privacy service to wireless LAN users similar to that provided by the physical security inherent in a wired LAN.
- WEP is the privacy protocol specified in IEEE 802.11 to provide wireless LAN users protection against casual eavesdropping.

IV / Key Hashing / Temporal Key

WEP Encryption Today (figure): IV + base key -> RC4 stream cipher -> keystream; plaintext data XOR keystream -> ciphertext data.

WEP - How?

- When WEP is active in a wireless LAN, each 802.11 packet is encrypted separately with an RC4 cipher stream generated by a 64-bit RC4 key. This key is composed of a 24-bit initialization vector (IV) and a 40-bit WEP key.
- The encrypted packet is generated with a bit-wise exclusive OR (XOR) of the original packet and the RC4 stream.
- The IV is chosen by the sender and should be changed so that every packet won't be encrypted with the same cipher stream.
- The IV is sent in the clear with each packet.
- An additional 4-byte Integrity Check Value (ICV) is computed on the original packet using the CRC-32 checksum algorithm and appended to the end.
- The ICV (be careful not to confuse this with the IV) is also encrypted with the RC4 cipher stream.

WEP - Weaknesses

Key Management and Key Size

Key management is not specified in the WEP standard, and therefore is one of its weaknesses, because without interoperable key management, keys will tend to be long-lived and of poor quality.

The Initialization Vector (IV) is Too Small

WEP's IV size of 24 bits provides for 16,777,216 different RC4 cipher streams for a given WEP key, for any key size. Remember that the RC4 cipher stream is XOR-ed with the original packet to give the encrypted packet which is transmitted, and the IV is sent in the clear with each packet.

The Integrity Check Value (ICV) algorithm is not appropriate

The WEP ICV is based on CRC-32, an algorithm for detecting noise and common errors in transmission. CRC-32 is an excellent checksum for detecting errors, but an awful choice for a cryptographic hash.
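The WEP packet construction on the "WEP - How?" slide, the Shared Key Authentication exchange on the earlier slide, and the IV observation above can all be seen in one small model. The following is an added example written for this edit, not code from the slides or from any 802.11 implementation: an RC4 keystream generator, WEP encapsulation and decapsulation with the CRC-32 ICV, the challenge/response exchange of Shared Key Authentication built on top of them, and a function showing what a repeated IV gives away. It assumes the ICV is transmitted little-endian as in real WEP; every key, IV, challenge and plaintext is constructed for the demo.

```python
# Added example, not from the slides: a from-scratch model of WEP as the slides describe
# it (RC4 keystream from a 24-bit IV || 40-bit key, CRC-32 ICV appended and encrypted,
# IV sent in the clear), the Shared Key Authentication exchange of the earlier slide
# built on top of it, and the keystream-reuse consequence of a repeated IV.
# Assumptions: the ICV is sent little-endian as in real WEP; all keys, IVs, challenge
# text and plaintexts are constructed for the demo.
import os
import zlib
from typing import Optional

IV_SPACE = 2 ** 24   # 16,777,216 possible IVs, hence cipher streams, per key


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes (key scheduling, then output generation)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 over the plaintext (an error detector, not a MAC)."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encapsulate(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || (plaintext || ICV) XOR RC4(IV || key). The IV itself is not encrypted."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):
        raise ValueError("WEP needs a 3-byte IV and a 40- or 104-bit key")
    body = plaintext + icv(plaintext)
    keystream = rc4(iv + wep_key, len(body))
    return iv + bytes(p ^ k for p, k in zip(body, keystream))


def wep_decapsulate(wep_key: bytes, frame: bytes) -> Optional[bytes]:
    """Recover the plaintext, or None when the ICV does not verify (wrong key or corruption)."""
    iv, ciphertext = frame[:3], frame[3:]
    body = bytes(c ^ k for c, k in zip(ciphertext, rc4(iv + wep_key, len(ciphertext))))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if tag == icv(plaintext) else None


def shared_key_authentication(ap_key: bytes, station_key: bytes, rng=os.urandom) -> bool:
    """Steps 2-5 of the Shared Key Authentication slide: the AP sends challenge text, the
    station returns it WEP-encrypted under its key, the AP decrypts with its own key and
    compares. True means the AP authenticates the station."""
    challenge = rng(128)                                        # AP: challenge text
    response = wep_encapsulate(station_key, rng(3), challenge)  # station: encrypted challenge
    recovered = wep_decapsulate(ap_key, response)               # AP: decrypt with its own key
    return recovered == challenge                               # AP: compare


def reused_iv_leaks_xor(wep_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Why the 24-bit IV matters: two frames under the same IV and key use the same RC4
    stream, so the XOR of the two ciphertexts equals the XOR of the two plaintexts."""
    c1 = wep_encapsulate(wep_key, iv, p1)[3:]
    c2 = wep_encapsulate(wep_key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    ct_xor = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    pt_xor = bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
    return ct_xor == pt_xor


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                 # constructed 40-bit WEP key
    frame = wep_encapsulate(key, b"\x00\x00\x01", b"hello wireless")
    print("frame on the air:", frame.hex())
    print("decrypts to:", wep_decapsulate(key, frame))
    print("shared key auth, matching keys:", shared_key_authentication(key, key))
    print("shared key auth, wrong key:", shared_key_authentication(key, bytes.fromhex("0504030201")))
    print("repeated IV leaks plaintext XOR:",
          reused_iv_leaks_xor(key, b"\x00\x00\x01", b"first frame body", b"second frame!!!"))
```

Two things worth noticing when running it: the ICV does catch a flipped ciphertext bit, which is all CRC-32 was designed for, but `reused_iv_leaks_xor` returns True without ever touching the key, which is why a 24-bit IV that is sent in the clear matters as much as the key size.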

WEP - Weaknesses

WEP's use of RC4 is weak

RC4 as implemented in WEP has been found to have weak keys. Having a weak key means that there is more correlation between the key and the output than there should be for good security. Determining which packets were encrypted with weak keys is easy because the first three bytes of the key are taken from the IV that is sent unencrypted in each packet. This weakness can be exploited by a passive attack. All the attacker needs to do is be within a hundred feet or so of the AP.

Authentication Messages can be easily forged

802.11 defines two forms of authentication: Open System (no authentication) and Shared Key authentication. These are used to authenticate the client to the access point. The idea was that authentication would be better than no authentication because the user has to prove knowledge of the shared WEP key, in effect authenticating himself.

WPA

- Wi-Fi Protected Access (WPA) is a new security guideline issued by the Wi-Fi Alliance. The goal is to strengthen security over the current WEP standards by including mechanisms from the emerging 802.11i standard for both data encryption and network access control.
- Path: WEP -> WPA -> 802.11i
- WPA = TKIP (Temporal Key Integrity Protocol) + IEEE 802.1x
- For encryption, WPA has TKIP, which uses the same encryption algorithm as WEP, but constructs keys in a different way.
- For access control, WPA will use the IEEE 802.1x protocol.

802.11i: Future Wireless Security Standard

- Task group "i" within the IEEE 802.11 is responsible for developing a new standard for WLAN security to replace the weak WEP (Wired Equivalent Privacy).
- The IEEE 802.11i standard utilizes the authentication schemes of 802.1x and EAP (Extensible Authentication Protocol) in addition to a new encryption scheme, AES (Advanced Encryption Standard), and a dynamic key distribution scheme, TKIP (Temporal Key Integrity Protocol).
- 802.11i = TKIP + IEEE 802.1x + AES

802.11i: Future Wireless Security Standard

Temporal Key Integrity Protocol (TKIP)

The Temporal Key Integrity Protocol is part of the IEEE 802.11i encryption standard for wireless LANs. TKIP is the next generation of WEP, the Wired Equivalency Protocol, which is used to secure 802.11 wireless LANs. TKIP provides per-packet key mixing, a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP.

802.11i: Future Wireless Security Standard

Advanced Encryption Standard (AES)

AES is the U.S. government's next-generation cryptography algorithm, which will replace DES and 3DES.

AES vs. Triple DES

                                        AES                        Triple DES
Type of algorithm                       Symmetric, block cipher    Symmetric, Feistel cipher
Key size (in bits)                      128, 192, 256              112 or 168
Speed                                   High                       Low
Time to crack (assume a machine         149 trillion years         4.6 billion years
could try 2^55 keys per second)
Resource consumption                    Low                        Medium

EAP and 802.1x

802.1x

- IEEE 802.1x is the designation of a standard titled Port Based Network Access Control, which indicates that the emphasis of the standard is to provide a control mechanism for connecting physically to a LAN.
- The standard does not define the authentication methods, but it does provide a framework that allows the application of this standard in combination with any chosen authentication method.
- This adds flexibility, as current and future authentication methods can be used without having to adapt the standard.

802.1x Components

The 802.1x standard recognizes the following concepts:

- Port Access Entity (PAE): the mechanism (algorithms and protocols) associated with a LAN port (residing in either a bridge or a station).
- Supplicant PAE: the entity that requires authentication before getting access to the LAN (typically in the client station).
- Authenticator PAE: the entity facilitating authentication of a supplicant (typically in a bridge or AP).
- Authentication server: the entity that provides authentication service to the authenticators in the LAN (could be a RADIUS server).

802.1x Components (figure)

802.1x Call Flow (figure)

802.1x Traffic

As the picture indicates, EAP information, when transmitted from Supplicant to Authentication Server, is first encapsulated within a (wireless) LAN frame (referred to as EAP over LAN or EAPoL). Once received by the Authenticator it is extracted from the LAN frame and placed in a packet that conforms to the RADIUS protocol. This RADIUS packet is then transmitted to the Authentication Server using the RADIUS (UDP) protocol.

Traffic coming from the Authentication Server to the Supplicant follows the reverse process.

EAP

- EAP was originally designed as part of PPP (Point-to-Point Protocol).
- The PPP Extensible Authentication Protocol (EAP) is a general protocol for PPP authentication which supports multiple authentication mechanisms. It was developed in response to an increasing demand for remote access user authentication that uses other security devices.
- By using EAP, support for a number of authentication schemes may be added by defining EAP types. Support might include token cards, one-time passwords, public key authentication using smart cards, certificates, and others.
- EAP hides the details of the authentication scheme from those network elements that need not know them. For example, in PPP the client and the AAA server only need to know the EAP type; the Network Access Server does not.

EAP

- RFC 2284 defines the PPP Extensible Authentication Protocol.
- EAP does not select a specific authentication mechanism at the Link Control Phase, but rather postpones this until the Authentication Phase.
- This allows the authenticator to request more information before determining the specific authentication mechanism.
- This also permits the use of a "back-end" server which actually implements the various mechanisms while the PPP authenticator merely passes through the authentication exchange.

EAP Architecture (figure; one box labelled "Other EAP Types")

EAP Comparison (figure)


EAP Elements

EAP basically consists of four different protocol elements:

- Request packets (from Authenticator [AP] to client [Supplicant])
- Response packets (from client to Authenticator)
- Success packet
- Failure packet

Success and Failure packets may originate from an AAA server.

EAP Elements (figure)

EAP Message

All EAP messages have a common format:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Data ...
+-+-+-+-+

- Code: 1 byte, representing the type of EAP message.
- Identifier (ID): 1 byte, used for matching requests and responses.
- Length: 2 bytes, the total message length.
- Data: any size, the message's data.

EAP Message 2

EAP request and response messages have the same format, with code=1 for requests and code=2 for responses:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |  Type-Data ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

- Type: 1 byte, the type of authentication protocol used.
- Data: any size, data used for the authentication process.

EAP Message 3

- EAP Success messages are EAP messages with code 3 and no data. A Success message means that the authentication concluded successfully.
- EAP Failure messages are EAP messages with code 4 and no data. A Failure message means that the authentication has failed.
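The three message layouts above (common header, Request/Response with a Type byte, Success/Failure with no data) are small enough to encode and decode in a few dozen lines. The following is an added example written for this edit, not code from the slides or from any EAP implementation: a codec for the packet format on the EAP Elements and EAP Message slides, with the checks a receiver should perform on the Length field before trusting it, and a helper that pairs a Response with its Request by Identifier. The Type numbers for the methods the slides name are taken from RFC 2284/3748; the sample packets are constructed for the demo.

```python
# Added example, not from the slides: an encoder/decoder for the EAP packet layout on
# the EAP Elements and EAP Message slides (Code, Identifier, Length, Data, with Type as
# the first data byte of Requests and Responses), plus the consistency checks a receiver
# should apply before trusting the Length field. Sample packets are constructed here.
import struct
from dataclasses import dataclass
from typing import Optional

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # Code values from the slides
# Type values for methods the slides name (numbers from RFC 2284 / RFC 3748)
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE, TYPE_OTP, TYPE_GTC, TYPE_TLS = 1, 3, 4, 5, 6, 13

HEADER = struct.Struct("!BBH")   # Code (1 byte) | Identifier (1 byte) | Length (2 bytes, network order)


@dataclass
class EapPacket:
    code: int
    identifier: int
    type: Optional[int] = None   # only Requests and Responses carry a Type
    data: bytes = b""

    def encode(self) -> bytes:
        """Serialize; Length counts the 4-byte header plus Type and Data."""
        if self.code in (REQUEST, RESPONSE):
            if self.type is None:
                raise ValueError("Request/Response packets need a Type")
            body = bytes([self.type]) + self.data
        elif self.code in (SUCCESS, FAILURE):
            if self.type is not None or self.data:
                raise ValueError("Success/Failure packets carry no data")
            body = b""
        else:
            raise ValueError(f"unknown EAP code {self.code}")
        return HEADER.pack(self.code, self.identifier, HEADER.size + len(body)) + body


def decode(buf: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting anything inconsistent rather than reading past it."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated EAP header")
    code, identifier, length = HEADER.unpack_from(buf)
    if code not in (REQUEST, RESPONSE, SUCCESS, FAILURE):
        raise ValueError(f"unknown EAP code {code}")
    if length < HEADER.size or length > len(buf):
        raise ValueError("Length field inconsistent with received bytes")
    body = buf[HEADER.size:length]        # bytes after Length are padding and are ignored
    if code in (SUCCESS, FAILURE):
        if body:
            raise ValueError("Success/Failure packets must have no data")
        return EapPacket(code, identifier)
    if not body:
        raise ValueError("Request/Response packet missing its Type byte")
    return EapPacket(code, identifier, body[0], body[1:])


def is_malformed(buf: bytes) -> bool:
    """True when `decode` would reject the bytes."""
    try:
        decode(buf)
    except ValueError:
        return True
    return False


def matches(request: EapPacket, response: EapPacket) -> bool:
    """A Response answers a Request when the Identifier matches and the Type is echoed
    (or is a Nak, by which the peer declines the proposed method)."""
    return (request.code == REQUEST and response.code == RESPONSE
            and request.identifier == response.identifier
            and response.type in (request.type, TYPE_NAK))


if __name__ == "__main__":
    identity_request = EapPacket(REQUEST, 1, TYPE_IDENTITY)
    print("Request/Identity on the wire:", identity_request.encode().hex())
    reply = decode(b"\x02\x01\x00\x0a\x01alice")        # constructed Response/Identity
    print("decoded:", reply, "| answers the request:", matches(identity_request, reply))
    print("Success:", decode(b"\x03\x02\x00\x04"))
    print("oversized Length rejected:", is_malformed(b"\x01\x01\x00\x09\x01"))
```

The `length > len(buf)` check is the one that matters in practice: a receiver that trusts the Length field and slices past the end of what it actually received is relying on the sender's honesty about its own packet size.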

General Description of IEEE 802.1x Terminology

- Supplicant: operates on the client (wireless network side).
- Authenticator: operates on devices at the network edge, like APs and switches (enterprise edge).
- Authentication Server: processes EAP requests (RADIUS server on the enterprise network).

Transport (figure): EAP over wireless between Supplicant and Authenticator; EAP over RADIUS between Authenticator and RADIUS server.

Before EAP Start

Figure labels: normal data; authentication traffic; 802.1X traffic (EAP over wireless); RADIUS traffic (IP/UDP over a Layer 2 protocol, e.g. Ethernet); RADIUS server.

- 802.11 association between client and authenticator; IP connection blocked by the AP.
- The AP transfers data from 802.1x EAP messages into RADIUS messages, and vice versa.
- The AP blocks the IP connection until a RADIUS Access-Accept is received.

802.1x Call Flow (figure)

EAP Flow

- After the Link Establishment phase is complete, the authenticator sends one or more Requests to authenticate the peer.
- The Request has a Type field to indicate what is being requested. Examples of Request types include Identity, MD5-Challenge, One-Time Passwords, Generic Token Card, etc. The MD5-Challenge type corresponds closely to the CHAP authentication protocol.
- Typically, the authenticator will send an initial Identity Request followed by one or more Requests for authentication information. However, an initial Identity Request is not required, and MAY be bypassed in cases where the identity is presumed (leased lines, dedicated dial-ups, etc.).

EAP Flow

- The peer sends a Response packet in reply to each Request. As with the Request packet, the Response packet contains a Type field which corresponds to the Type field of the Request.
- The authenticator ends the authentication phase with a Success or Failure packet.


    Generic EAP Authentication Flow

    [Diagram: message sequence between Peer and Authenticator]

    Authenticator -> Peer: Identity Request
    Peer -> Authenticator: Identity Response
    Authenticator -> Peer: EAP Request
    Peer -> Authenticator: EAP Response with the same type, or a Nak
      (the Request/Response pair is repeated as many times as needed)
    Authenticator -> Peer: EAP Success or EAP Failure message

    If mutual authentication is required, a second Identity Request/Response, EAP Request/Response (repeated as needed) and EAP Success or Failure exchange follows.


    EAP Authentication

    A physical connection between the client station and the network is established first, which for wireless operation means that 802.11 Association has to be completed (this is the equivalent of plugging a wired station into an Ethernet wall socket).


    EAP Authentication

    After Association the 802.1x authentication commences, initiated by the Authenticator (i.e. the AP or NAS), which sends an EAP Request to the Supplicant (i.e. the client station) asking for its credentials. These credentials could be a machine name or user name, depending on the authentication method that is used.


    EAP Authentication

    The Supplicant transmits its identity information as part of an EAP Response to the Authenticator, which takes the packet from the LAN frame and encapsulates it in a RADIUS protocol message for transmission to the Authentication Server.


    EAP Authentication

    At this point a sequence of exchanges will take place between the Authentication Server and the Supplicant (via the Authenticator), of which the exact details depend on the authentication method used. The ultimate result of the complete sequence is either a positive result, where the supplicant is successfully authenticated, or a negative one, where the authentication has failed. In the first case the door to the network is opened and all network resources are now available to the client device, while in the second case network access remains blocked.


    EAP Authentication Methods - MD5

    EAP-Message Digest 5 uses the same challenge handshake protocol as PPP-based CHAP, but the challenges and responses are sent as EAP messages. MD5 can be considered the lowest common denominator EAP type.

    EAP-MD5 does not support the use of per-session WEP keys, or mutual authentication of Access Point and client.

    It also does not support encrypted links for user data, so it cannot be used in an 802.11i environment.

    The EAP-MD5 authentication algorithm provides one-way, password-based network authentication of the client.


    EAP Authentication Methods - MD5

    This algorithm can also be used for wireless applications with less stringent wireless LAN security requirements. The advantage of using EAP-MD5 is that it is simple to administer for an operator, re-using the database of usernames and passwords which may exist currently.

    The disadvantage of using EAP-MD5 in wireless LAN applications is that no encryption keys are generated. Also, while the protocol can be used by the client to authenticate the network, it is typically used only for the network to authenticate the client.


    EAP Authentication Methods - MD5

    A wireless station associates to its AP.
    The AP issues an EAP Request Identity frame to the client station.
    The client station responds with its identity (machine name or user name).
    The AP relays the EAP message (i.e. the client station's identity) to the RADIUS server, to initiate the authentication services.
    The MD5 protocol relies on a challenge text issued by the server to the client.
    The client is to encrypt this challenge using its user password and return the result.


    EAP Authentication Methods - MD5

    The server will decrypt the result using the password that is recorded for the user.
    When the results match the original, the client is validated as genuine.
    No encryption keys are generated.


    EAP MD5
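    Worked example of the EAP-MD5 exchange described on the slides above, added here and not part of the original deck: it frames the Request and Response packets as RFC 3748 defines them and shows the server-side check. The slides speak of the client "encrypting" the challenge; RFC 1994, from which EAP-MD5 inherits its computation, specifies the value as MD5(Identifier || password || challenge), which is why the server needs the password itself and why no key material comes out of the exchange. The function names, the user database and the sample values are assumptions of this example.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// EAP codes and the MD5-Challenge type (RFC 3748, sections 4.1 and 5.4).
const (
	eapRequest  = 1
	eapResponse = 2
	typeMD5     = 4
)

// md5ChallengeValue is the CHAP computation EAP-MD5 inherits from RFC 1994:
// MD5(Identifier || secret || challenge). The secret is the user's password, so the
// server must keep it in a recoverable form, and nothing here yields key material.
func md5ChallengeValue(identifier byte, secret string, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{identifier})
	h.Write([]byte(secret))
	h.Write(challenge)
	return h.Sum(nil)
}

// eapMD5Packet encodes Code | Identifier | Length | Type=4 | Value-Size | Value | Name.
func eapMD5Packet(code, identifier byte, value []byte, name string) []byte {
	body := append([]byte{typeMD5, byte(len(value))}, value...)
	body = append(body, name...)
	pkt := []byte{code, identifier, 0, 0}
	binary.BigEndian.PutUint16(pkt[2:], uint16(4+len(body))) // Length covers the whole packet
	return append(pkt, body...)
}

// md5Request is the authenticator's EAP-Request/MD5-Challenge carrying a fresh challenge.
func md5Request(identifier byte, challenge []byte, serverName string) []byte {
	return eapMD5Packet(eapRequest, identifier, challenge, serverName)
}

// md5Response is the supplicant's EAP-Response: same Identifier, hashed value, its own name.
func md5Response(identifier byte, challenge []byte, userName, password string) []byte {
	return eapMD5Packet(eapResponse, identifier, md5ChallengeValue(identifier, password, challenge), userName)
}

// parseMD5 checks the framing and returns identifier, value and name.
func parseMD5(pkt []byte, wantCode byte) (byte, []byte, string, error) {
	if len(pkt) < 6 || pkt[0] != wantCode || pkt[4] != typeMD5 ||
		int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) {
		return 0, nil, "", errors.New("malformed EAP MD5-Challenge packet")
	}
	n := 6 + int(pkt[5])
	if n > len(pkt) {
		return 0, nil, "", errors.New("Value-Size exceeds packet length")
	}
	return pkt[1], pkt[6:n], string(pkt[n:]), nil
}

// serverCheck is the authentication server's side: it recomputes the expected value from
// the stored password of the claimed name (it does not "decrypt" anything), insists on the
// Identifier of the outstanding request, and compares in constant time.
func serverCheck(response []byte, wantID byte, challenge []byte, passwords map[string]string) (string, bool) {
	id, value, name, err := parseMD5(response, eapResponse)
	if err != nil || id != wantID {
		return "", false
	}
	pw, ok := passwords[name]
	if !ok {
		return name, false
	}
	return name, subtle.ConstantTimeCompare(value, md5ChallengeValue(id, pw, challenge)) == 1
}
```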


    EAP Authentication Methods - TLS

    Transport Layer Security (TLS) is a certificate-based authentication protocol. RFC 2716 provides mutual authentication and supports per-session WEP keys.

    Certificate-based authentication provides a highly secure digital equivalent of ID cards, used by both the client and the network so they can authenticate each other. Public Key Infrastructure (PKI) digital signature techniques are used to prove each party's authenticity.


    EAP Authentication Methods - TLS

    A digital certificate is comprised of the following fields:
    a version
    certificate serial number
    signature algorithm identifier
    name of the issuer
    validity period
    name
    public key
    optional unique identifiers
    a signature value


    Certificate Authority


    EAP Authentication Methods - TLS

    A wireless station associates to its AP.
    The AP issues an EAP Request Identity frame to the client station.
    The client station responds with its identity (machine name or user name).
    The AP relays the EAP message (i.e. the client station's identity) to the RADIUS server, to initiate the authentication services.
    The RADIUS server requests credentials from the client station to confirm the identity, by sending the EAP request via the AP.
    The client replies by sending its credentials, relayed by the AP.

    The TLS_Hello messages are the start of the TLS handshake protocol:
    The server initiates by sending its Server_hello (including the certificate and the so-called Cyphersuite, indicating what crypto algorithms it can handle).
    The client replies with Client_Hello, stating among other things its certificate and which crypto algorithm was selected, and requesting the server to send its certificate.
    The client and server engage in the Key-Exchange sequence (Diffie-Hellman).

    EAP Authentication Methods - TLS

    [Diagram slides for EAP-TLS]

    EAP Authentication Methods - TTLS

    Tunneled Transport Layer Security (TTLS) and Protected Extensible Authentication Protocol (PEAP) are similar in operation and support both secure username/password and mutual authentication.

    EAP-TTLS is a combination of EAP-TLS and traditional password-based methods such as Challenge Handshake Authentication Protocol (CHAP) and One Time Password (OTP). On the client side merely passwords are required instead of digital certificates, which relieves the administrator of the systems from managing and distributing certificates. On the authentication server side a certificate is required.

    Certificates do not have to be installed in each client device. This is because PKI techniques are used to first allow the client to authenticate the server (via a certificate installed on the server) and form a secured connection between client and server. Then the server authenticates the client over the secured connection, with the user providing a username and password pair.

    This principle is much like the way in which browser-based commerce takes place today over web browsers. Secure connections are established before the user's authentication information is exchanged. Users typically see this as a padlock symbol in their browsers.


    EAP Authentication Methods - TTLS

    In EAP-TTLS a secure TLS tunnel is first established between the supplicant and the authentication server. The client authenticates the network to which it is connecting by authenticating the digital certificate provided by the TTLS server. This is exactly analogous to the techniques used to connect to a secure web server. Once an authenticated tunnel is established, the authentication of the end user occurs.

    EAP-TTLS has the added benefit of protecting the identity of the end user from view over the wireless medium. In this way anonymity of the end user, a desirable attribute, is provided.

    EAP-TTLS also enables existing end-user authentication systems to be reused. Two key advantages of EAP-TTLS are that anonymity of the end user is provided, and that any existing RADIUS server and its associated database can be re-used.

    EAP-TTLS is the only EAP type to date which provides end user anonymity.


    EAP Authentication Methods - TTLS

    A wireless station associates to its AP.
    The AP issues an EAP Request Identity frame to the client station.
    The client station responds with its identity (machine name or user name).
    The AP relays the EAP message (i.e. the client station's identity) to the RADIUS server, to initiate the authentication services.
    The authentication protocol between the RADIUS server and the client station is still TLS, and is used to allow the client to authenticate the server.


    EAP Authentication Methods - TTLS

    The TLS_Hello messages are the start of the TLS handshake protocol:
    The server initiates by sending its Server_hello (including its certificate and Cyphersuite, indicating what crypto algorithms it can handle).
    The client responds by sending its acknowledgement of the crypto protocol to use (no certificates).
    The client and server engage in the Key-Exchange sequence (Diffie-Hellman).
    Now that the tunnel is established and secure, the additional user credentials are exchanged (using OTP or CHAP).


    EAP Authentication Methods - TTLS

    On completion of the exchange between server and client, the server transmits its keys to the AP.

    To encrypt subsequent IEEE 802.11 frames exchanged between the AP and the client, a WEP key pair is used, which is generated by the AP and is the same for all clients associated to this particular AP. The AP transmits this key pair to the client and uses the key received from the server to encrypt this message.

    Once the client has received the WEP keys it passes them to the PC card via the NDIS interface and the driver. Station and AP use these WEP keys until the station logs off or until the re-authentication timer has expired (for periodic re-authentication).

    EAP Authentication Methods - SRP

    SRP (Secure Remote Password) is a secure password-based authentication and key-exchange protocol.

    It solves the problem of authenticating clients to servers securely, in cases where the user of the client software must memorize a small secret (like a password) and carries no other secret information.

    The server stores a verifier for each user, which allows it to authenticate the client but which, if compromised, would not allow the attacker to impersonate the client. SRP also exchanges a cryptographically strong secret as a byproduct of successful authentication, which enables the two parties to communicate securely.

    A key advantage of SRP is that the user's password need not be stored in the RADIUS database. SRP is also a completely password-based authentication system. No certificates are required.


    A wireless station associates to its AP.
    The AP issues an EAP Request Identity frame to the client station.
    The client station responds with its identity (machine name or user name).
    The AP relays the EAP message (i.e. the client station's identity) to the RADIUS server, to initiate the authentication services.
    The server initiates a key exchange by transmitting a generator value g, a modulus N and a salt value (to prevent re-occurring keys).

    EAP Authentication Methods - SRP


    The client calculates its public key as K(client) = g^a (mod N), where a is randomly chosen (the client's private key).

    The server executes a similar procedure and calculates its public key as K(Server) = (v + g^b) (mod N), where b is randomly chosen (the server's private key) and v is a stored verifier from the database.

    With keys in place, the client and server mutually validate each other.

    EAP Authentication Methods - SRP


    On completion of the exchange between server and client, the server transmits its keys to the AP.

    To encrypt subsequent IEEE 802.11 frames exchanged between the AP and the client, a WEP key pair is used, which is generated by the AP and is the same for all clients associated to this particular AP. The AP transmits this key pair to the client and uses the key received from the server to encrypt this message.

    Once the client has received the WEP keys it passes them to the PC card via the NDIS interface and the driver. Station and AP use these WEP keys until the station logs off or until the re-authentication timer has expired (for periodic re-authentication).

    When the station roams to another AP, new WEP keys are established.
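    The SRP computation the slides outline (K(client) = g^a, K(server) = v + g^b, a verifier v stored in place of the password), carried through to the shared session key as an added example in Go; this is not code from the slides. The toy group, the RFC 2945-style derivation of the private exponent x and the scrambling value u, and all function names are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"math/big"
)

// Toy group for the demonstration only: N = 2^127 - 1 (a prime), g = 3. A real deployment
// uses a standard safe-prime group of at least 1024 bits (RFC 5054 lists them).
var (
	srpN = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 127), big.NewInt(1))
	srpG = big.NewInt(3)
)

// Verifier is what the RADIUS database holds instead of the password: the salt and
// v = g^x mod N. Knowing v does not let anyone play the client, because that needs x.
type Verifier struct {
	Salt []byte
	V    *big.Int
}

// privateExponent derives x = H(salt || H(user ":" password)) (RFC 2945 style); only the
// client ever computes it, and only while it holds the password.
func privateExponent(salt []byte, user, password string) *big.Int {
	inner := sha1.Sum([]byte(user + ":" + password))
	outer := sha1.Sum(append(append([]byte{}, salt...), inner[:]...))
	return new(big.Int).SetBytes(outer[:])
}

// enroll runs once when the account is created; the password itself is then discarded.
func enroll(user, password string) Verifier {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	x := privateExponent(salt, user, password)
	return Verifier{Salt: salt, V: new(big.Int).Exp(srpG, x, srpN)}
}

// serverPublic is K(server) = (v + g^b) mod N, the form shown on the slides.
func serverPublic(v, b *big.Int) *big.Int {
	B := new(big.Int).Exp(srpG, b, srpN)
	return B.Add(B, v).Mod(B, srpN)
}

// scrambler u is taken from the server's public value (top 32 bits of H(B) in RFC 2945);
// it stops a client from choosing a so that v cancels out of the shared secret.
func scrambler(B *big.Int) *big.Int {
	d := sha1.Sum(B.Bytes())
	return new(big.Int).SetBytes(d[:4])
}

// clientSecret: S = (B - g^x)^(a + u*x) mod N. With the right x, B - g^x is just g^b.
func clientSecret(B, a, x *big.Int) *big.Int {
	base := new(big.Int).Sub(B, new(big.Int).Exp(srpG, x, srpN))
	base.Mod(base, srpN)
	exp := new(big.Int).Add(a, new(big.Int).Mul(scrambler(B), x))
	return new(big.Int).Exp(base, exp, srpN)
}

// serverSecret: S = (A * v^u)^b mod N; the server reaches the same value without ever seeing x.
func serverSecret(A, v, b, B *big.Int) *big.Int {
	base := new(big.Int).Exp(v, scrambler(B), srpN)
	base.Mul(base, A).Mod(base, srpN)
	return new(big.Int).Exp(base, b, srpN)
}

// exchange runs one authentication as the slides describe it and returns the session key
// each side derived; the two agree only if the client's password matches the stored verifier.
func exchange(user, password string, ver Verifier) (clientKey, serverKey []byte) {
	a, _ := rand.Int(rand.Reader, srpN)  // client's private key
	b, _ := rand.Int(rand.Reader, srpN)  // server's private key
	A := new(big.Int).Exp(srpG, a, srpN) // K(client) = g^a mod N, sent to the server
	B := serverPublic(ver.V, b)          // K(server), sent to the client together with the salt
	x := privateExponent(ver.Salt, user, password)
	kc := sha1.Sum(clientSecret(B, a, x).Bytes())
	ks := sha1.Sum(serverSecret(A, ver.V, b, B).Bytes())
	return kc[:], ks[:]
}
```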

    EAP Authentication Methods - LEAP


    Cisco delivers a special version of EAP (Extensible Authentication Protocol), known as LEAP (where the L stands for lightweight). Though the Cisco systems can be configured to operate with other EAP protocols (and as such are capable of communicating with off-the-shelf RADIUS implementations that support IEEE 802.1x), this proprietary version is promoted by Cisco in order to offer a complete Cisco solution.

    LEAP is also known to have significant flaws:
    The key used for encryption between client and Access Point is derived from the username and password stored at the authentication server and used by the client station during log-in. The method used in this case is MSCHAP v1, known in the industry to be vulnerable and hackable by existing hack tools.
    The EAP exchange between client and authentication server is not encrypted, as the key is not yet determined. The username is transmitted in the clear and only the password is protected by an MSCHAP v1 hash, which is relatively easy to hack.


    EAP Authentication Methods - LEAP

    EAP Authentication Methods - PEAP

    Protected EAP (PEAP): a version of EAP developed by Microsoft, Cisco, and RSA Security that offers two implementation options.

    The first uses the Microsoft Challenge-Handshake Authentication Protocol Version 2 (MS-CHAPv2) for mutual authentication and does not require client digital certificates.

    The second implementation uses TLS for mutual authentication and requires digital certificates on all the clients (very similar to EAP-TLS).


    PEAP with MS-CHAPv2

    The PEAP authentication process occurs in two parts. The first part is the use of EAP and the PEAP EAP type to create an encrypted TLS channel. The second part is the use of EAP and a different EAP type to authenticate network access.

    The following examines PEAP with MS-CHAP v2 operation, using as an example a wireless client that attempts to authenticate to a wireless access point (AP) that uses a RADIUS server for authentication and authorization.


    PEAP Part 1 - Creating the TLS Channel

    The following steps are used to create the PEAP TLS channel:
    After creating the logical link, the wireless AP sends an EAP-Request/Identity message to the wireless client.
    The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.
    The EAP-Response/Identity message is sent by the wireless AP to the RADIUS server. From this point on, the logical communication occurs between the RADIUS server and the wireless client, using the wireless AP as a pass-through device.
    The RADIUS server sends an EAP-Request/Start PEAP message to the wireless client.
    The wireless client and the RADIUS server exchange a series of TLS messages through which the cipher suite for the TLS channel is negotiated and the RADIUS server sends a certificate chain to the wireless client for authentication.

    At the end of the PEAP negotiation, the RADIUS server has authenticated itself to the wireless client. Both nodes have determined mutual encryption and signing keys (using public key cryptography, not passwords) for the TLS channel.


    [Diagram: PEAP part 1, messages between Client and PEAP Server]

    Server -> Client: EAP-Request / Identity
    Client -> Server: EAP-Response / Identity [My Domain]
    Server -> Client: EAP-Request (Type = PEAP, start)
    Client <-> Server: TLS Handshake
    Client -> Server: EAP-Response (empty)


    PEAP Part 2 - Authenticating With MS-CHAP v2

    After the PEAP TLS channel is created, the following steps are used to authenticate the wireless client credentials with MS-CHAP v2:
    The RADIUS server sends an EAP-Request/Identity message.
    The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.
    The RADIUS server sends an EAP-Request/EAP-MS-CHAP-V2 Challenge message that contains a challenge string.
    The wireless client responds with an EAP-Response/EAP-MS-CHAP-V2 Response message that contains both the response to the RADIUS server challenge string and a challenge string for the RADIUS server.
    The RADIUS server sends an EAP-Request/EAP-MS-CHAP-V2 Success message, which indicates that the wireless client response was correct and contains the response to the wireless client challenge string.
    The wireless client responds with an EAP-Response/EAP-MS-CHAP-V2 Ack message, indicating that the RADIUS server response was correct.
    The RADIUS server sends an EAP-Success message.

    At the end of this mutual authentication exchange, the wireless client has provided proof of knowledge of the correct password (the response to the RADIUS server challenge string), and the RADIUS server has provided proof of knowledge of the correct password (the response to the wireless client challenge string). The entire exchange is encrypted through the TLS channel created in PEAP part 1.


    [Diagram: PEAP inner authentication, messages between Client and PEAP Server]

    Server -> Client: EAP-Request / Identity
    Client -> Server: EAP-Response / Identity [My ID]
    Server -> Client: EAP-Request / Type = X (MD5, OTP, etc.), establishing the EAP method and performing the authentication
    Server -> Client: EAP-Success / EAP-Failure
    Transfer of the generated key from the PEAP server to the NAS, if they are on different machines


    EAP Authentication Methods - PEAP

    EAP Authentication Methods - MS-CHAPv2

    The Microsoft EAP CHAP Extensions Version 2 (EAP MSCHAPv2) protocol allows mutual authentication between an authenticator and a peer that is seeking authentication. It extends the MSCHAPv2 protocol defined in RFC 2759, and is one of several authentication methods associated with the Extensible Authentication Protocol (EAP) defined in RFC 2284.

    MS-CHAPv2, what is it?


    Peer authentication using MS-CHAPv2. The following stages take place after a PPTP tunnel is established and the setup for the PPP connection has started.

    1. The client requests an authenticator challenge from the server.
    2. The server sends back a 16-byte random authenticator challenge.
    3. The client generates the response:
       (a) The client generates a 16-byte random peer challenge.
       (b) The client generates the challenge by hashing the authenticator challenge, the peer challenge, and the user's login using SHA.
       (c) The client generates the NT password hash from the user's password.
       (d) The 16-byte NT password hash from step (c) is padded with 5 bytes of zero. From these 21 bytes three 7-byte DES keys are derived.
       (e) The first 8 bytes of the hash generated in step (b) (these 8 bytes are later referred to as the challenge) are encrypted using DES with each of the three keys generated in step (d).
       (f) The 24 bytes resulting from step (e), the 16-byte random peer challenge, and the user's login are sent back to the server as the response.


    MS-CHAP Version 1 vs. MS-CHAP Version 2

    MS-CHAP v1: Negotiates CHAP with an algorithm value of 0x80.
    MS-CHAP v2: Negotiates CHAP with an algorithm value of 0x81.

    MS-CHAP v1: Server sends an 8-byte challenge value.
    MS-CHAP v2: Server sends a 16-byte value to be used by the client in creating an 8-byte challenge value.

    MS-CHAP v1: Client sends a 24-byte LANMAN and a 24-byte NT response to the 8-byte challenge.
    MS-CHAP v2: Client sends the 16-byte peer challenge that was used in creating the hidden 8-byte challenge, and the 24-byte NT response.

    MS-CHAP v1: Server sends a response stating SUCCESS or FAILURE.
    MS-CHAP v2: Server sends a response stating SUCCESS or FAILURE and piggybacks an Authenticator Response to the 16-byte peer challenge.

    MS-CHAP v1: Client decides to continue or end based upon the SUCCESS or FAILURE response above.
    MS-CHAP v2: Client decides to continue or end based upon the SUCCESS or FAILURE response above. In addition, the client checks the validity of the Authenticator Response and disconnects if it is not the expected value.

    EAP Authentication Methods - MS-CHAPv2

    4. The server decrypts the response with the hashed password of the client that is stored in a database.
    5. If the decrypted response matches the challenge, the server sends a positive authenticator response:
       (a) The server hashes the NT password hash using MD4 to generate a password-hash-hash.
       (b) The server generates a hash using SHA from the client's response, the password-hash-hash, and the literal constant "Magic server to client signing constant".
       (c) The server generates another hash using SHA from the 20-byte output of step (b), the 8-byte challenge (see step 3 (b)), and the literal constant "Pad to make it do more than one iteration".
       (d) The resulting 20 bytes are sent back to the client in the form "S=<upper-case ASCII representation of the byte values>".
    6. The client uses the same procedure to generate the 20 bytes and compares them to the server's authenticator response. If they match, both the client and the server are authenticated.

    EAP Authentication Methods - GTC


    Generic Token Card

    Difference between MS-CHAPv2 and GTC


    What is the difference between EAP-MSCHAPv2 and EAP-GTC PEAP supplicants?

    Both supplicants support PEAP, but each supports different methods of client authentication through the TLS tunnel. The Microsoft PEAP supplicant supports client authentication by MS-CHAPv2 only. This limits user databases to those that support MS-CHAPv2, such as Windows NT Domain and Active Directory. The Cisco PEAP supplicant (based on EAP-GTC) supports client authentication by one-time passwords and logon passwords. This enables support for one-time password databases from vendors such as RSA Security and Secure Computing Corporation and logon password databases such as LDAP and NDS, as well as Microsoft Novell Directory Service (NDS) databases.

    In addition, the EAP-GTC implementation includes the ability to hide username identities until the TLS encrypted tunnel is established, which provides additional confidentiality in that usernames are not broadcast during the authentication phase. Starting in version 3.2, Cisco Secure ACS will support both EAP-MSCHAPv2 and EAP-GTC PEAP supplicants.

    EAP methods based on GSM credentials


    Support for SIM and USIM (AKA) credentials.
    Uses standard SIM (Subscriber Identity Module) and USIM (UMTS Subscriber Identity Module) cards.
    Wireless phone SIM cards as a way of obtaining authentication, using the SIM Extensible Authentication Protocol for GSM (EAP-SIM).
    Using the USIM Extensible Authentication and Key Agreement Protocol (EAP-AKA) for UMTS.
    Generates 128-bit keys, has optional fast reconnect and identity privacy support.

    EAP Authentication Methods - SIM

    EAP SIM (Subscriber Identity Module) Authentication for GSM

    EAP SIM authentication is based on Nokia's EAP Server Technology. This provides an interface between the GSM Authentication Center and one or more wireless LANs and uses the Extensible Authentication Protocol (EAP) in order to allow it to pass traffic securely over any Wide Area Network, e.g. a Telco's internal data network or the Internet.

    It permits authentication to be performed by WLAN clients that have an 802.11 interface and access to a GSM SIM card, with or without GSM air interface capabilities.

    This authentication procedure is designed to provide mutual authentication between a wireless LAN client and an AAA server.

    Typically the EAP server is implemented on the AAA server (e.g. RADIUS) and has an interface to the GSM network, so it operates as a gateway between the Internet AAA network and the GSM authentication infrastructure.

    The system allows GSM mobile operators to reuse their existing authentication infrastructure for providing access to wireless networks.

    EAP SIM combines the data from several GSM triplets (RAND, SRES, Kc), obtained from an Authentication Centre (AuC), to generate a more secure session encryption key. EAP SIM also enhances the basic GSM authentication mechanism by providing for mutual authentication between the client and the RADIUS server.

    EAP Authentication Methods - SIM

    SIM - Subscriber Identity Module

    Usually referred to as a SIM card, the SIM is the user's subscription to the mobile network. The SIM contains the relevant information that enables access control onto the subscribed operator's network.


    EAP Authentication MethodsEAP Authentication Methods SIMSIM

    The EAP SIM authentication proceeds as follows:

  • 8/8/2019 Wireless LAN 802.1X 01

    126/131

    The EAP SIM authentication proceeds as follows:

    The client receives an EAP Identity Request from the access point (AP).

    The client responds to the AP's request with an EAP Identity Response message containing the user's network identity, which is stored on the SIM (either the user's International Mobile Subscriber Identity (IMSI) or a temporary identity (pseudonym)). The AP transmits this message to the RADIUS server, which in turn forwards it to the Authentication Center of the GSM network.

    From the AuC the RADIUS server obtains GSM triplets and passes the RAND to the client. The SIM calculates the signed response (SRES), which is returned to the RADIUS server. The SIM also calculates cryptographic keying material, using a secure hash function on the user identity and the GSM encryption keys, for the derivation of session encryption keys.

    When the AAA server receives the client's authentication response, it calculates its own XRES and compares it to the one received from the client. If both match, the client is authenticated and the AAA server calculates the session encryption keys.

    It then sends a RADIUS ACCEPT message to the AP, which contains an encapsulated EAP Success message and the (encrypted) client session key.

    The AP installs the session key for encryption and forwards the EAP Success message to the client, which is now able to access the network.
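The exchange above, as an added simulation that is not part of the original slides or of any vendor's implementation. The SIM's A3/A8 algorithms are operator-specific, so the mock AuC derives the triplets with HMAC-SHA256 from a constructed Ki (an assumption of this example). The master key MK follows RFC 4186 (SHA-1 over identity, the concatenated Kc values, NONCE_MT, version list and selected version); the FIPS 186-2 PRF that RFC 4186 uses to expand MK is replaced by HMAC-SHA256 in counter mode, and AT_MAC is built with HMAC-SHA256 instead of HMAC-SHA1-128, so the keys are illustrative rather than interoperable. The example shows the point the deck makes: the server compares XRES with the client's response, and the client accepts the network only because the server could compute a MAC under a key derived from the same Kc values.

```python
"""Toy EAP-SIM full authentication (constructed example)."""
import hashlib
import hmac
import os
import struct

KI = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed SIM secret
IMSI = "1234567890123456"                               # constructed subscriber identity
VERSION_LIST = struct.pack(">H", 1)                     # AT_VERSION_LIST: version 1 only
SELECTED_VERSION = struct.pack(">H", 1)                 # AT_SELECTED_VERSION


def gsm_triplet(ki, rand):
    """Stand-in for A3/A8 (assumed, not a real SIM algorithm): (RAND, SRES[4], Kc[8])."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return rand, d[:4], d[4:12]


def master_key(identity, kcs, nonce_mt):
    """RFC 4186 MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version)."""
    return hashlib.sha1(identity.encode() + b"".join(kcs) + nonce_mt
                        + VERSION_LIST + SELECTED_VERSION).digest()


def expand(mk):
    """Split 160 bytes of PRF output into K_encr, K_aut, MSK, EMSK (RFC 4186 sizes).
    HMAC-SHA256 counter mode stands in for the FIPS 186-2 PRF of the real protocol."""
    out = b"".join(hmac.new(mk, bytes([i]), hashlib.sha256).digest() for i in range(5))
    return {"k_encr": out[:16], "k_aut": out[16:32], "msk": out[32:96], "emsk": out[96:160]}


def at_mac(k_aut, data):
    """16-byte AT_MAC under K_aut (substituted HMAC-SHA256 instead of HMAC-SHA1-128)."""
    return hmac.new(k_aut, data, hashlib.sha256).digest()[:16]


class AuC:
    """Authentication Centre: besides the SIM, the only party holding Ki."""
    def __init__(self, ki):
        self.ki = ki

    def triplets(self, n):
        return [gsm_triplet(self.ki, os.urandom(16)) for _ in range(n)]


class Server:
    """EAP/RADIUS server acting as gateway to the AuC."""
    def __init__(self, auc):
        self.auc = auc

    def challenge(self, identity, nonce_mt):
        """EAP-Request/SIM/Challenge: n RANDs plus AT_MAC under K_aut. K_aut is derived
        from the triplets' Kc values, so a valid AT_MAC implicitly authenticates the network."""
        self.trips = self.auc.triplets(3)
        self.keys = expand(master_key(identity, [kc for _, _, kc in self.trips], nonce_mt))
        rands = b"".join(r for r, _, _ in self.trips)
        return rands, at_mac(self.keys["k_aut"], rands + nonce_mt)

    def verify(self, resp_mac):
        """Compute XRES from the triplets, compare with the client's response,
        and on success return the MSK that goes to the AP as session key material."""
        xres = b"".join(sres for _, sres, _ in self.trips)
        if hmac.compare_digest(at_mac(self.keys["k_aut"], xres), resp_mac):
            return self.keys["msk"]
        return None


class Client:
    def __init__(self, ki, identity):
        self.ki, self.identity = ki, identity
        self.nonce_mt = os.urandom(16)   # carried in EAP-Response/SIM/Start
        self.msk = None

    def respond(self, rands, chal_mac):
        """Run A3/A8 per RAND on the SIM, derive keys, check the network's AT_MAC,
        then answer with a MAC over the SRES values (EAP-Response/SIM/Challenge)."""
        trips = [gsm_triplet(self.ki, rands[i:i + 16]) for i in range(0, len(rands), 16)]
        keys = expand(master_key(self.identity, [kc for _, _, kc in trips], self.nonce_mt))
        if not hmac.compare_digest(at_mac(keys["k_aut"], rands + self.nonce_mt), chal_mac):
            raise ValueError("AT_MAC mismatch: network not authenticated")
        self.msk = keys["msk"]
        return at_mac(keys["k_aut"], b"".join(sres for _, sres, _ in trips))


def run_eap_sim(server_ki=KI):
    """Full exchange; True when both sides end up with the same MSK."""
    server, client = Server(AuC(server_ki)), Client(KI, IMSI)
    rands, chal_mac = server.challenge(IMSI, client.nonce_mt)
    msk = server.verify(client.respond(rands, chal_mac))
    return msk is not None and msk == client.msk


def rogue_network_rejected():
    """A server whose AuC lacks the real Ki cannot forge AT_MAC; the client aborts."""
    try:
        return not run_eap_sim(server_ki=bytes(16))
    except ValueError:
        return True
```

`run_eap_sim()` walks the whole flow; `rogue_network_rejected()` shows the implicit network authentication the later AKA slides contrast against, and a forged EAP-Response (a wrong `resp_mac` passed to `Server.verify`) yields no MSK.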


    EAP Authentication Methods: AKA

    EAP AKA (Authentication and Key Agreement) is for UMTS


    For WLAN-3G interworking the EAP AKA protocols have been developed.

    The basic difference in the security of the EAP SIM and EAP AKA protocols is that, while both provide mutual authentication, the network-to-user authentication of EAP SIM is implicitly based on the derived key Kc, whereas the network-to-user authentication is an integral part of the EAP/AKA procedure.

    EAP/AKA is an EAP type for the UMTS Authentication and Key Agreement (AKA)

    EAP/AKA supports all the UMTS AKA scenarios

    basic authentication, sequence number synchronization etc.

    Similar IMSI privacy support as in EAP/SIM

    EAP/AKA includes GSM compatible mode

    basic GSM authentication without the enhancements of EAP/SIM

    The home server knows if this particular user has been given an old GSM SIM or a newer UMTS USIM

    Client can refuse GSM-only authentication

    EAP Authentication Methods: AKA


    AKA is based on challenge-response mechanisms and symmetric cryptography.

    AKA typically runs in a UMTS Subscriber Identity Module (USIM), a smart card like device. However, the applicability of AKA is not limited to client devices with smart cards, but the AKA mechanisms could also be implemented in host software.

    Compared to the GSM mechanism, AKA provides substantially longer key lengths and the authentication of the server side as well as the client side.
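An added simulation of one AKA challenge, not part of the original slides or of any 3GPP implementation, illustrating the two points made above: network authentication is explicit (the USIM verifies MAC-A inside AUTN before it answers) and sequence numbers give the synchronization check the AKA scenarios slide mentions. The MILENAGE functions f1 to f5 are replaced here by HMAC-SHA256 stand-ins with a constructed K, so the outputs match AKA's field sizes but are not interoperable.

```python
"""Toy UMTS AKA run (constructed example; MILENAGE replaced by HMAC stand-ins)."""
import hashlib
import hmac
import os

K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")  # constructed USIM secret
AMF = b"\x80\x00"                                      # authentication management field


def _f(k, label, *parts):
    """Generic PRF standing in for the MILENAGE functions (assumption of this example)."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()


def f1(k, rand, sqn, amf): return _f(k, b"f1", rand, sqn, amf)[:8]   # MAC-A
def f2(k, rand): return _f(k, b"f2", rand)[:8]                        # RES / XRES
def f3(k, rand): return _f(k, b"f3", rand)[:16]                       # CK, cipher key
def f4(k, rand): return _f(k, b"f4", rand)[:16]                       # IK, integrity key
def f5(k, rand): return _f(k, b"f5", rand)[:6]                        # AK, anonymity key


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HomeServer:
    """HSS/AuC: holds K and the subscriber's sequence counter."""
    def __init__(self, k):
        self.k, self.sqn = k, 0

    def vector(self):
        """Authentication vector (RAND, AUTN, XRES, CK, IK); AUTN = SQN^AK | AMF | MAC-A."""
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = os.urandom(16)
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, rand, sqn, AMF)
        return rand, autn, f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


class USIM:
    def __init__(self, k):
        self.k, self.sqn_ms = k, 0

    def challenge(self, rand, autn):
        """Authenticate the network first (MAC-A), then check freshness (SQN), then answer."""
        sqn = xor(autn[:6], f5(self.k, rand))
        amf, mac_a = autn[6:8], autn[8:16]
        if not hmac.compare_digest(f1(self.k, rand, sqn, amf), mac_a):
            raise ValueError("MAC failure: network not authenticated")
        n = int.from_bytes(sqn, "big")
        if n <= self.sqn_ms:
            raise ValueError("synchronisation failure: SQN not fresh")
        self.sqn_ms = n
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


def run_aka(hss, usim):
    """One challenge; True when RES matches XRES and both sides share CK and IK."""
    rand, autn, xres, ck, ik = hss.vector()
    res, ck_c, ik_c = usim.challenge(rand, autn)
    return hmac.compare_digest(res, xres) and (ck, ik) == (ck_c, ik_c)


def replay_rejected():
    """Re-sending an already used vector fails the sequence number check."""
    hss, usim = HomeServer(K), USIM(K)
    rand, autn, *_ = hss.vector()
    usim.challenge(rand, autn)
    try:
        usim.challenge(rand, autn)
    except ValueError as e:
        return "synchronisation" in str(e)
    return False


def rogue_network_rejected():
    """A network without K cannot produce a valid MAC-A, so the USIM never answers."""
    try:
        run_aka(HomeServer(bytes(16)), USIM(K))
    except ValueError as e:
        return "MAC failure" in str(e)
    return False
```

Unlike the EAP-SIM case, the USIM here refuses before releasing RES or any key material, which is what the slides mean by network-to-user authentication being an integral part of the AKA procedure.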

    EAP Authentication Methods: AKA


    Client Authenticator

    | |

    | EAP-Request/Identity |

    |