7/27/2019 wireless LAN security: After WEP
1/30
Wireless LAN security: After WEP
Carlo U. Nicola, SGI FH Aargau
With extracts from publications/slides of:
M. Joyce; Vodaphone; S. Frankel et al. NIST;
L. Bullyn, J.P. Hubeaux, ETHL
NS HS12 2
Problems:
1. How to authenticate legitimate users?
2. How to authorize authenticated and roaming users?
3. How to guarantee confidentiality/integrity of messages.
The general picture in a WLAN
WIFI Protected Access (WPA) Robust Security Network (RSN)
802.11i a new security architecture standard
Manufacturers' standard
WEP vs WPA vs WPA2
802.11i tries to solve the compatibility problem with old WEP systems by defining a transitional (and optional) protocol called TKIP (Temporal Key Integrity Protocol). Its most remarkable characteristics are:
- Provides confidentiality and integrity.
- TKIP uses the existing RC4 but avoids some of WEP's worst problems.
- It is not elegant, but runs on old hardware (after a software upgrade).
TKIP corrects the following previous WEP flaws:
- Message integrity: adds a message integrity protocol.
- IV (Initialisation Vector) selection and use: as counter (sequence number!)
- Per-packet key mixing
- Increase the size of the IV.
- Key management.
TKIP: the WEP compatibility path
Per packet key mixing
RC4 stream to be XORed with the plain text message
Dummy byte designed to avoid weak RC4 keys.
TKIP: RC4 seed production
TKIP: IV, confidentiality and integrity
IV size: from 24 bits → 48 bits
- IV is used as a sequence number to avoid replay attacks.
- IV is constructed to avoid certain weak keys. (RC4 has some weak keys)
Confidentiality:
- achieved through RC4 output XORed with the plain text
Integrity: new algorithm MIC (Message Integrity Code):
- Replaces ICV (Integrity Check Value)
- Protects against bit-flip attacks by adding a tamper-proof hash to messages
- Must be implemented on clients and AP
- MIC = H(random # || MAC header || sequence number || payload)
- Sequence number must be in order or the packet is rejected
- Part of the firmware software update
Robust Security Network (RSN) for establishing secure communications:
- Uses 802.1x for authentication
- Replaces TKIP
AES algorithm replaces RC4:
- Counter (CTR) Mode with Cipher Block Chaining (CCMP = Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
  1. CTR mode for encryption
  2. CBC-MAC provides data integrity/authentication
- 128-bit keys, 48-bit IV
- CCMP mandatory with RSN
- Ensures data confidentiality and integrity
802.11i: the new world of WPA2
1. The supplicant requests access to the services (wants to connect to the network)
2. The authenticator controls access to the services (controls the state of a port)
3. The authentication server authorizes access to the services
a) the supplicant authenticates itself to the authentication server
b) if the authentication is successful, the authentication server instructs the authenticator to switch the port on
c) the authentication server informs the supplicant that access is allowed
802.1X authentication protocol as model for 802.11i
The simple mapping:
supplicant → mobile device (STA)
authenticator → access point (AP)
authentication server → server application running on the AP or on a dedicated machine
port → logical state implemented in software in the AP
The extension to the basic 802.1X model in 802.11i:
1. Successful authentication results not only in switching the port on, but also in a session key between the mobile device and the authentication server
2. The session key is sent to the AP in a secure way:
- This assumes a shared key between the AP and the auth server
- This key is usually set up manually!
Mapping 802.1X to WLAN
Counter Mode (CTR) encryption:
1. Message is divided into blocks Bi
2. Each block Bi is separately encrypted into EK(Bi)
3. A counter i is encrypted: EK(i)
4. EK(i)EK(Bi) produces the encrypted message block
CTR is closely related to the OFB mode, with the notable exception that decryption in CTR can be parallelized (a huge advantage in a mobile world).
CBC-MAC Mode:
EK(.): AES encryption (AES key length 128-256 bits)
AES Counter Mode with Cipher Block Chaining
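Added example, not part of the original slides: a structural sketch of the two building blocks named above, following standard CTR mode (only the counter block goes through E_K and the result is XORed with the plaintext block) and CBC-MAC. It is not CCMP itself: E_K is a stand-in (truncated HMAC-SHA-256, because the Python standard library has no AES), CCM's nonce and header formatting are omitted, two separate keys are used, and all sample values are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes

def E(key, block):
    # Stand-in for AES E_K(.): HMAC-SHA-256 truncated to one block (assumption).
    # CTR and CBC-MAC only ever run the cipher in the forward direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_crypt(key, nonce, data):
    # Same call encrypts and decrypts: block i is XORed with E_K(nonce || i).
    # No block depends on another, so they can be processed in parallel.
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = nonce + (i // BLOCK).to_bytes(BLOCK - len(nonce), "big")
        out += xor(data[i:i + BLOCK], E(key, counter))
    return bytes(out)

def cbc_mac(key, data):
    # Chain every block through E_K; the final chaining value is the tag.
    # The length goes first so one message's tag cannot be extended to another.
    msg = len(data).to_bytes(BLOCK, "big") + data
    msg += bytes(-len(msg) % BLOCK)
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = E(key, xor(state, msg[i:i + BLOCK]))
    return state

def protect(enc_key, mac_key, nonce, plaintext):
    return ctr_crypt(enc_key, nonce, plaintext), cbc_mac(mac_key, plaintext)

def unprotect(enc_key, mac_key, nonce, ciphertext, tag):
    plaintext = ctr_crypt(enc_key, nonce, ciphertext)
    if not hmac.compare_digest(tag, cbc_mac(mac_key, plaintext)):
        raise ValueError("integrity check failed: frame modified in transit")
    return plaintext

# Constructed sample values, not taken from the slides.
ENC_KEY, MAC_KEY = b"E" * 16, b"M" * 16
NONCE = (1).to_bytes(6, "big")  # 48-bit packet number
FRAME = b"amount=0100;to=alice"

if __name__ == "__main__":
    ct, tag = protect(ENC_KEY, MAC_KEY, NONCE, FRAME)
    print(unprotect(ENC_KEY, MAC_KEY, NONCE, ct, tag))
```

Counter mode alone is malleable: flipping a ciphertext bit flips the same plaintext bit, which is why the receiver must verify the CBC-MAC tag before accepting the frame.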
1. Mutually authenticate STA and AS
2. Generate Master Key (MK) as a side effect of authentication
3. Generate pairwise MK as an access authorization token
4. Generate 4 keys for encryption/integrity
802.11i: Overview
802.11i: Protocol phases
Step 1: Discovery
AP advertises network security capabilities to stations (STAs)
Step 2: 802.1x authentication:
- Mutual authentication of both STA and AS
- Generate Master Key (MK) as a side effect of authentication
- Generate pairwise MK as an access authorization token
- Generate 4 keys for encryption/integrity
802.11i: Protocol some details
MK PMK or AP could make access control decision instead of the
authorization server (AS)
MK is fresh and bound to the session between STA and AS
PMK is bound to this STA and this AP
RSN Key hierarchy
At the end of the authentication phase between STA and AS we have:
- The AS and STA have established a session;
- The AS and STA possess a mutually authenticated Master Key;
- The Master Key represents a decision to grant access based on authentication
- STA and AS have derived PMK
- PMK is an authorization token to enforce access control decision
- AS has distributed the PMK to the STA's AP
802.11i: Authentication overview
Four separate keys for two layers of protection:
1. EAP (Extensible Authentication Protocol) handshake and user's data: EAP is only a carrier protocol that carries the messages of a higher-layer authentication protocol (e.g. TLS).
a) Data Encryption key
b) Data Integrity key
c) EAPOL (EAP On LAN)-Key Encryption key
d) EAPOL-Key Integrity key
2. Pairwise transient key (PTK): the four keys
3. Once the keys are chosen:
AES encryption (confidentiality), AES CBC MAC (integrity)
How to derive the keys in a secure manner
Notice the similarities with the SSL protocol!
RSN: association and security negotiation (1)
RSN: association and security negotiation (2)
RSN capable devices identify themselves by asserting Robust Security in Association, Beacon, Probe, and Reassociation messages. There are four association-specific parameters:
(1) Authentication mechanism
(2) Unicast cipher suite
(3) Multicast cipher suite
(4) Nonces
EAP (Extensible Authentication Protocol) [RFC 3748] is a carrier protocol designed to transport the messages of real authentication protocols (e.g., TLS). It knows only four types of messages:
- EAP request: carries messages from the supplicant to the authentication server
- EAP response: carries messages from the authentication server to the supplicant
- EAP success: signals successful authentication
- EAP failure: signals authentication failure
The authenticator doesn't understand what is inside the EAP messages; it recognizes only EAP success and failure.
EAPOL (EAP over LAN) [802.1X] is used to encapsulate EAP messages into LAN protocols (e.g., Ethernet). EAPOL carries EAP messages between the STA and the AP.
RADIUS (Remote Access Dial-In User Service) [RFC 2865-2869, RFC 2548] carries EAP messages between the AP and the authentication server. RADIUS is mandatory for WPA but optional for RSN.
The MS-MPPE-Recv-Key RADIUS attribute is used to transport the session key from the auth server to the AP (job of the system's manager!).
Protocols: EAP, EAPOL and RADIUS
EAP dynamics (1)
EAP dynamics (2)
LEAP (Light EAP):
- developed by Cisco
- similar to MS-CHAP extended with session key transport
EAP-TLS (TLS over EAP):
- only the TLS Handshake Protocol is used
- server and client authentication, generation of master secret
- TLS master secret becomes the session key
- mandated by WPA, optional in RSN
PEAP (Protected EAP):
- phase 1: TLS Handshake without client authentication
- phase 2: client authentication protected by the secure channel established in phase 1
Protocols(2): LEAP, EAP-TLS, PEAP
EAP-SIM:
- An extended GSM authentication in a WLAN context.
- Protocol (simplified):
STA → AP: EAP response ID (IMSI/pseudonym)
STA → AP: EAP response (nonce)
AP: [gets two auth. triplets from the mobile operator's AuC]
AP → STA: EAP request (2RAND|MIC2Kc|{new pseudonym}2Kc)
STA → AP: EAP response (2SRES)
AP → STA: EAP success
Protocols(3): EAP-SIM
Summary of all the major protocols
1. W. Arbaugh, N. Shankar, J. Wan, K. Zhang. Your 802.11 network has no clothes. IEEE Wireless Communications Magazine, 9(6):44-51, 2002.
2. N. Borisov, I. Goldberg, D. Wagner. Intercepting mobile communications: the insecurity of 802.11. Proceedings of the 7th ACM Conference on Mobile Computing and Networking, 2001.
3. B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz. Extensible Authentication Protocol (EAP). RFC 3748, 2004.
4. J. Edney, W. Arbaugh. Real 802.11 Security: WiFi Protected Access and 802.11i. Addison-Wesley, 2004.
5. S. Fluhrer, I. Mantin, A. Shamir. Weaknesses in the key scheduling algorithm of RC4. Proceedings of the 8th Workshop on Selected Areas in Cryptography, 2001.
6. B. Aboba, P. Calhoun. RADIUS (Remote Authentication Dial In User Service) Support for Extensible Authentication Protocol (EAP). RFC 3579, 2003.
7. J. Walker. Unsafe at any key size: An analysis of the WEP encapsulation. IEEE 802.11-00/362, 2000.
8. Wi-Fi Alliance. Wi-Fi Protected Access: http://www.wi-fi.org/white_papers/whitepaper-042903-wpa/
9. IEEE Std 802.1X-2001. IEEE Standard: Port-based Network Access Control, 2001.
10. IEEE Std 802.11. IEEE Standard: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, 1999.
11. IEEE Std 802.11i. IEEE Standard Amendment 6: Medium Access Control (MAC) Security Enhancements, 2004.
Bibliography
Appendix
RSN Key glossary
From L. Bullyn, J.P. Hubeaux, ETHL "Key management": The session key established between the mobile device and the AP as the result of the authentication procedure is called the pairwise master key (PMK). It is a pairwise key, because it is known only to that mobile device and the AP (and the authentication server, but it is considered to be a trusted entity); and it is a master key, because it is not used directly for encryption or integrity protection of messages, but it is used to derive encryption and integrity keys.
More precisely, both the mobile device and the AP derive four keys from the PMK: a data-encryption key, a data-integrity key, a key-encryption key, and a key-integrity key.
These four keys together are called the pairwise transient key (PTK). We must note that AES-CCMP uses the same key for encryption and for integrity protection of data; therefore, in the case of AES-CCMP, the PTK consists of three keys only. Besides the PMK, the derivation of the PTK also uses as input the MAC addresses of the parties (the mobile device and the AP) and two random numbers generated by the parties.
RSN Key glossary
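Added example, not part of the original slides: the PTK derivation described above, using the PRF from IEEE 802.11i (HMAC-SHA1 iterated with a one-byte counter under the label "Pairwise key expansion"). The PMK, MAC addresses and nonces are constructed sample values, and the short dictionary key names are chosen for this example.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"

def prf(key, label, data, nbytes):
    # 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)
    # for counter = 0, 1, 2, ... and keep the first nbytes.
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, mac_a, mac_b, nonce_a, nonce_b, cipher="CCMP"):
    # Addresses and nonces are sorted, so the mobile device and the AP build
    # the same input no matter which side they consider "a" or "b".
    data = (min(mac_a, mac_b) + max(mac_a, mac_b)
            + min(nonce_a, nonce_b) + max(nonce_a, nonce_b))
    ptk = prf(pmk, LABEL, data, 48 if cipher == "CCMP" else 64)
    keys = {
        "kck": ptk[0:16],   # key-integrity key (protects EAPOL-Key frames)
        "kek": ptk[16:32],  # key-encryption key (wraps keys in EAPOL-Key frames)
        "tk": ptk[32:48],   # data-encryption key
    }
    if cipher == "CCMP":
        return keys         # CCMP: tk also provides data integrity, 3 keys
    keys["mic"] = ptk[48:64]  # TKIP: separate data-integrity key material
    return keys

# Constructed sample values, not taken from the slides.
PMK = bytes(range(32))
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = b"\xa1" * 32  # random number chosen by the AP
SNONCE = b"\x51" * 32  # random number chosen by the mobile device

if __name__ == "__main__":
    for name, value in derive_ptk(PMK, AP_MAC, STA_MAC, ANONCE, SNONCE).items():
        print(name, value.hex())
```

Because both nonces enter the derivation, every handshake yields fresh transient keys even though the PMK stays the same.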
SIM refresher