1/13/03 Chapter 18 Wireless Networks
-
Upload
networksguy -
Category
Documents
-
view
1.659 -
download
2
Transcript of 1/13/03 Chapter 18 Wireless Networks
1/13/03 Chapter 18 Wireless Networks 1
Chapter 18: Wireless Networks
Provide network access without wires – to reduce cost of wiring, support inherently mobile devices – palms, laptops, PDAs.
• Use unconstrained media (e.g., radio) for transmission – no wires• Three major system classes
• Wide Area Networks (WAN) – world–wide (global) in extent• Local Area Networks (LAN) – campus-wide in extent• Personal Area Networks (PAN) – office-wide in extent
• Relatively new technologies –first developed in the mid-80s• Strongly support personal mobility – locally to globally• Many protocols, technologies, and implementations (new)• Standards relatively immature• Many security problems at all levels – theory, standards, implementation
1/13/03 Chapter 18 Wireless Networks 2
Wireless Threats
Denial of Service – radio frequency jamming or message flooding.
Interception – eavesdrop since the signals are broadcast over the air.
Manipulation – changing messages.
Masquerading – posing as a legitimate user to enter a network.
Awireless system should protect against these threats in the system design, implementation, and operational environment.
Some do well, others are in bad shape!
1/13/03 Chapter 18 Wireless Networks 3
Wireless Networks - Fundamentals
Network
Destination Network (wired or wireless) Access Point
Wire Transmission Path
Radio Transmission Path
Mobile Devices
Cell Phone
Palm Pilot
Laptop
1/13/03 Chapter 18 Wireless Networks 4
Wireless Wide Area Networks (WAN)
WANWide Area Network(National/Global)
Licensed, 800-900 Mhz, 1.8-1.9 Ghz
• Started with cellular phones (U.S.,1982)
– 1G, 2G, 3G, 4G
• Protocols - many
–AMPS, TDMA, CDMA, GSM, CDPD, GPRS,UMT-2000,…
• Rapid Growth – “By 2002, wireless phones worldwide will outnumber TVs and PCs combined.”
–Strategic News Service
1/13/03 Chapter 18 Wireless Networks 5
Wireless Wide Area Networks (WAN)
• Started with cell phones – many technologies & standards.• Progressed through multiple generations:
• Analog voice phones,• Digital voice phones, and• Web-enabled phones.
• Despite multiple generations, technology is still immature and changing dynamically (e.g., web access from a cell phone).• Many providers – crowded market.• Interoperability a mixed bag – some good, some bad.• Some very differentiated products (voice-only, data only, mixed).• Don’t expect convergence anytime soon.
1/13/03 Chapter 18 Wireless Networks 6
Wireless Devices and Selected Characteristics
Access PointPalm VIIBlackberryDigital PhoneCDPD Modem
WA
N
WirelessDevice
na500500125500
PurchaseCost ($)
From fees240400360480
Network Service($/device-yr)
NetworkBandwidth
(kbps)Key Features
66
1919
carrier ownedno Outllook, coverage
Outlook, coveragevoice, CDPD-WAP
good coverage
1/13/03 Chapter 18 Wireless Networks 7
Blackberry Handheld Devices – Single Purpose Device
Wireless e-mail using Microsoft Exchange
1/13/03 Chapter 18 Wireless Networks 8
Blackberry Real-time Messaging
Outlook/ExchangeServers
YourOffice
Colleague'sOffice
Internet
1
2 3
4
6
You
Blackberry Network5
1. Colleague sends urgent message.
2. Sent to Exchangeservers.
3. Received at yourdesktop PC (if on).
4. Encrypted and sent through the Internet.
5. Transmitted by Blackberry network.
6. Blackberry receives and decrypts message.
Firewall
1/13/03 Chapter 18 Wireless Networks 9
Blackberry Architecture
Blackberry Handheld
Wireless Network Access Point
Internet
Firewall
Exchange Server
Blackberry Server
User’s Desktop
1/13/03 Chapter 18 Wireless Networks 10
Blackberry Architecture – How It Works
• Mail arrives at the user’s desktop in the usual way.• Software is installed on the user’s desktop and configured according to user-specified filtering/forwarding rules.• Messages are compressed, encrypted,forwarded to server that maintains an outbound connection to the Blackberry network. • Messages are forwarded and displayed on the Blackberry handheld.• Similarly, messages can be originated on the handheld, sent back to the user’s desktop and sent out over the mail connection.
• Can operate in two modes: • Wireless LAN mode - as described above.• Directly between two handheld devices (peer-to-peer).
1/13/03 Chapter 18 Wireless Networks 11
Blackberry Protection
• Peer-to-peer mode is not secure (scrambled, but not encrypted).
• Wireless network mode:• Symmetric encryption-key shared between desktop & handheld.• 3 DES encryption, key exchange while handheld is docked.• Server behind firewall only supports outbound connections, followed by out-bound/in-bound communications.
Secured Path Unsecured Path
Blackberry User’s Desktop Another User
1/13/03 Chapter 18 Wireless Networks 12
WANWide Area Network
(National/Global)
WANWide Area Network
(National/Global)
LANLocal Area Network(Campus/Building)
LANLocal Area Network(Campus/Building)
Unlicensed, 900 Mhz, 2.4 Ghz, 5 Ghz
Local Area Network (LAN)
• IEEE Standards– 802.11, 1998 (2 Mbps)– 802.11b, 1999 (11 Mbps)– 802.11a, 1999 (54 Mbps)– 802.11g, 2000 (54 Mbps)
• Interface Prices– $500 – 1997 (2 Mbps)– $160 – 2000 (11 Mbps)
• Wireless Options Today– Laptops - Apple, Dell,
Gateway, IBM, Compaq, Acer…
Wireless Local Area Network (LAN)
1/13/03 Chapter 18 Wireless Networks 13
You
Wireless Access Point
LAN
Lab/Conference Room
YourOffice
Work un-tethered.
Improve productivity by saving time (use idle time, minimize meeting prep time).
Have real-time access for urgent messages and key information.
Wireless Local Area Network (LAN)
1/13/03 Chapter 18 Wireless Networks 14
Local Area Networks (LAN)
Function – wireless equivalent to Ethernet Local Area Network.
Based on IEEE standard 802.11 series.
• 802.11 – 1997, data rates to 2 Mb/s (outdated).• 802.11b - 1999, data rates to 11 Mb/s (available now).• 802.11g - 2000, data rates to 22 Mb/s (available 2002-2003).• 802.11a - emerging, data rates to 54 Mb/s (available late 2001).
802.11b is dominant technology being implemented.
Part of the specification is the Wired Equivalent Protocol (WEP)designed to protect link layer (over-the-air) traffic from eavesdropping and other attacks (according to IEEE specification).
1/13/03 Chapter 18 Wireless Networks 15
IEEE 802.11 Standard
The standard describes the Medium Access Control (MAC) andPhysical Layer (PHY) specifications. 802.11 is one part of the 802Specification as shown below.
802.2 Logical Link Control
802.1 Bridging
802.3MeduimAccess
802.3Physical
802.4MeduimAccess
802.4Physical
802.5MeduimAccess
802.5Physical
802.6MeduimAccess
802.6Physical
802.9MeduimAccess
802.9Physical
802.11MeduimAccess
802.11Physical
802.12MeduimAccess
802.12Physical
PhysicalLayer
DataLinkLayer
Ethernet Token Token Dual Integrated Wireless Demand Bus Ring Bus Services Priority
1/13/03 Chapter 18 Wireless Networks 16
IEEE 802.11a,b,g – Alphabet Soup
802.11a
Data Rate: 54Mbps physical channel–31Mbps actual(due to protocol overhead).Further reduced if there is interference/errors (common in radio).Error Rate Reduction: Reduced rates -(48/36/24/18/12/9/6 Mbps).Range: 80 Meters = ~ 263 feet (antenna design can increase).Modulation: Orthogonal Frequency Division Multiplexing (OFDM).Channel bandwidth: 25 MHz.Frequency band: 5GHz.Number of Channels: 12 (in the USA), 4 (Asia) 0 (EU).Quality of Service: No.Availability: Now.
1/13/03 Chapter 18 Wireless Networks 17
IEEE 802.11a,b,g – Alphabet Soup
802.11b
Data Rate: 11Mbps physical channel – 6Mbps actual(due to protocol overhead).Also further reduced if there is interference/errors.Error Rate Reduction: Reduced rates - (5.5/2/1 Mbps).Range: 100 Meters = ~ 328 feet.Modulation: Direct Sequence Spread Spectrum (DSSS).Channel bandwidth: 25 MHz.Frequency band: 2.4GHz.Number of Channels: 3 (in the USA), 3 (Asia), 3 (EU).Quality of Service: No.Availability: Now.
1/13/03 Chapter 18 Wireless Networks 18
IEEE 802.11a,b,g – Alphabet Soup
802.11g
Data Rate: 54Mbps physical channel – 31Mbps actual.Range: 150 Meters = ~ 492 feet.Modulation: Orthogonal Frequency Division Multiplexing (OFDM) and Discrete Sequence Spread Spectrum (DSSS). Channel bandwidth: 25 MHz.Frequency band: 2.4GHz.Number of Channels: 3 (in the USA), 3 (Asia), 4 (EU).Quality of Service: No.Availability: Late 2002 – early 2003.
1/13/03 Chapter 18 Wireless Networks 19
IEEE 802.11a,b,g – Some Comparisons
Data Rate: a & g at 54Mbps win over 11 Mbs for b.Range: g @150m, b @ 100m, a @ 80m.Number of Channels: 12 for a, 3 for b & g.Interference: a @ 5Ghz has little competition, 2.5GHz is loaded withcompetitors (e.g., cell phones, microwave ovens, Bluetooth).
1/13/03 Chapter 18 Wireless Networks 20
IEEE 802.11a,b,g – Competing Technologies
HomeRF2:
Developer: HomeRF Working Group (~ 70 members).Data Rate: 10Mbps physical channel – 6Mbps actual.Range: 50 Meters = ~ 164 feet.Modulation: Frequency Hopping Spread Spectrum (FSSS). Channel bandwidth: 5 MHz.Frequency band: 2.4GHz.Number of Channels: 15 (in the USA), 15 (Asia), 0 (EU).Quality of Service: Yes.Availability: Now.
1/13/03 Chapter 18 Wireless Networks 21
IEEE 802.11a,b,g – Competing Technologies
HiperLAN2:
Developer: Euro. Telecommunication Standards Institute (ETSI). Data Rate: 54Mbps physical channel – 31Mbps actual.Range: 80 Meters = ~ 262 feet.Modulation: Orthogonal Frequency Division Multiplexing (OFDM). Channel bandwidth: 25 MHz.Frequency band: 5GHz.Number of Channels: 12 (in the USA), 4 (Asia), 15 (EU).Quality of Service: Yes.Availability: 2003.
1/13/03 Chapter 18 Wireless Networks 22
IEEE 802.11a,b,g – Competing Technologies
5-UP (5GHz Unified Protocol):
Developer: Joint project of IEEE and ETSI.Data Rate: 108Mbps physical channel – 72Mbps actual.Range: 80 Meters = ~ 262 feet.Modulation: Orthogonal Frequency Division Multiplexing (OFDM).Channel bandwidth: 50MHz.Frequency band: 5GHz.Number of Channels: 6 (in the USA), 2 (Asia), 7 (EU).Quality of Service: Yes.Availability: 2003.
Note: Merges 802.11a & HiperLAN2 into a single protocol.
1/13/03 Chapter 18 Wireless Networks 23
IEEE 802.11d,e,f,h,i,and j – Some Variations
These are not complete specifications, but rather enhancements of802.11a, b, and g.
802.11d: IEEE:
Purpose: Versions of 802.11b that operate on other frequencies Suitable in parts of the world where 2.4 GHz is not available.
Status: May not be required since the International Telecommunications Union (ITU) and most countries are freeing up the required spectrum.
1/13/03 Chapter 18 Wireless Networks 24
IEEE 802.11d,e,f,h,i,and j – Some Variations
802.11f: IEEE
Purpose: Improves the handover mechanism in 802.11 so users canmaintain a connection while moving between two different switched network segments or two different access points attached to two different networks.
802.11h: IEEE
Purpose: Adds better control over transmission power and radio channel selection to 802.11a. This and 802.11e could make the standard acceptable to the EU.
1/13/03 Chapter 18 Wireless Networks 25
IEEE 802.11d,e,f,h,i,and j – Some Variations
IEEE 802.11i:
Purpose: Replaces WEP with a new standard based on the Advanced Encryption Standard (AES). Also deals with an authentication standard.
IEEE 802.11j:
Purpose: To make 802.11a and HiperLAN networks co-exist on the same frequencies bands.
1/13/03 Chapter 18 Wireless Networks 26
802.11 Wireless Local Area Network (LAN)
• Three (3) possible physical layers are specified:• Infared (short range – line of sight),• Frequency Hopping Spread spectrum (FHSS), and• Direct Sequence Spread Spectrum (DSSS).
• Three frequency bands are used; 900 MHz, 2.4 GHz, and 5 GHz.• 802.11b uses DSSS and the 2.4 GHz frequency band.• This is the unregulated Industrial, Scientific, and Medical (ISM) band.• Range is a few 100 - 300 feet – multiple access points provide campus •coverage (like cell phones).• 802.11b data rate is 11 Mb/s, but performance varies as a function of distance between the mobile device and the nearest access point.• The specified protocol is Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA).
1/13/03 Chapter 18 Wireless Networks 27
Access Point
Access Point
Wired Network
Wireless Application Servers
Wireless Handheld (WinCE or Palm)
R
To additional Network Segments
High Level Architecture
1/13/03 Chapter 18 Wireless Networks 28
High Level Architecture – Text
Mobile device (Personal Digital Assistant, laptop, Palm Pilot, etc.) requires a radio frequency transmitting/receiving modem and client software compatible with the IEEE standard.
Access point is a bridge between the backside wired network and the frontside wireless network. It sends and receives wireless frames, does error control, authenticates and authorizes users, encrypts wireless traffic, interfaces to the wired network
Access point
Laptop modem
1/13/03 Chapter 18 Wireless Networks 29
Objectives of 802.11 Secuirty - WEP
Reasonably strong security – not perfect, but adequate.
Self-Synchronizing – Signal strength varies, so it must be able to synchronize.
Computationally efficient – Important for small (cheap) mobile devices.
Exportable – Must meet U. S. export control requirements (now eased).
Optional – WEP is an optional requirement of the standard.
1/13/03 Chapter 18 Wireless Networks 30
Wired Equivalent Privacy (WEP) – 802.11 Security
According to the standard, particular attention was paid to:
• Defeating an adversaries ability to eavesdrop on wireless transmissions in order to preserve confidentiality by encrypting the channel traffic,
• Providing integrity assurance that a message has not been modified in transit, and
• Authenticating users over an encrypted channel.
We will discuss each of these capabilities.
1/13/03 Chapter 18 Wireless Networks 31
Eavesdropping – 802.11 Security
• The problem – in-air broadcast signals can be always be intercepted.
• Methods are different depending on the physical layer.
• Infared - interception is difficult because of line-of-sight and short distance requirements. Line of sight interception is difficult, but not impossible (location issue).
• The difficulty of recovering Frequency Hopping Spread Spectrum (FHSS) and Direct Sequence Spread Spectrum (DSSS) is attributed to the psuedo-random nature of the signal spreading.
• Reality - any device designed to receive/transmit 802.11 signals can intercept signals. Requires only simple modifications to drivers and/or flash memory to operate in promiscuous mode. Basic assumption – adversaries have access to all signals transmitted!
1/13/03 Chapter 18 Wireless Networks 32
Eavesdropping Solution - Encrypt 802.11 Transmissions
Eavesdropping is mitigated if signals are not intelligible – 802.11 encryptstransmissions using RC4 developed in 1987 by Ron Rivest at MIT. RC4 is considered a secure cipher. Background on Ron’s Code # 4 (RC4):
• RC4 was kept secret for the first 7 years, but was anonymously posted to the Cypherpunks mailing list in 1994 and became public knowledge.
• RC4 is a symmetric cipher and can use several different key lengths. The 802.11 specification allows for 40 bit (export controlled) and longer (typically 128 bit) lengths although specific lengths and implementations vary by vendor. • RC4 is generally considered a strong cipher by cryptographers. The 802.11 implementation operates in Output Feedback (OFB) mode.
1/13/03 Chapter 18 Wireless Networks 33
RC4 – Operated in Output Feedback Mode
E E-1
Plaintext pj Plaintext pjCiphertext cj
IV
Key
Ij
Key
Ij
Oj Oj
Leftmostr bits
Leftmostr bits
Oj-1Oj-1
IV
1/13/03 Chapter 18 Wireless Networks 34
RC4 – Text description
RC4 uses three (3) inputs: a random initialing vector IV, a random secret key k, and the plaintext P.
The IV is input to E, the RC4 encryption algorithm, along with the key. E produces a random keystream that is sent to the output box O.
The output box shifts the keystream out a Byte at a time and each Byte is combined with a Byte of plaintext under the Exclusive OR function.
The output of E (the keystream) is also fed back to the I stage where it is combined with the IV to produce a new input to E. This causes the keystream to vary as a complex function of IV, K, and E.
Reversed at the receiver. Both IV and K must be known to the receiver. K is passed securely (e.g., manually), IV is passed in clear text.
1/13/03 Chapter 18 Wireless Networks 35
RC4 – more
The secret key is initially distributed to the access point and the mobile device. The method is not specified in IEEE 802.11, but should be secret.
The IV which changes for each session, is sent in the clear as part of the Initial handshake. Does not have to be secret since the strength of the encryption is derived from the algorithm and key secrecy, not IV secrecy.
Integrity of the IV must be a maintained between the transmitter and receiver or encryption/decryption won’t work. Also, the IV should not be re-used with the same key schedule. Consider 2 messages:
C1 = P1 RC4(IV1, K1) & C2 = P2 RC4(IV1, K1)
C1 C2 = (P1 RC4(IV1, K1)) (P2 RC4(IV1, K1))
The EXOR of 2 ciphertexts produces the EXOR of the two plaintexts.C’s are known - If one of the plaintexts is known, the second is revealed.
1/13/03 Chapter 18 Wireless Networks 36
Authentication in 802.11
Two basic levels of authentication:
Open System Authentication – the default that authenticates any device requesting authentication – essentially “none”
Shared-Key Authentication – The mobile device is authenticated OR both the mobile devices and the access point mutually authenticate to each other. Authentication is a three-state process:
1. Unauthenticated & unassociated.2. Authenticated and unassociated.3. Authenticated and associated.
Involves messages between a mobile station and an access point.
1/13/03 Chapter 18 Wireless Networks 37
Authentication Messages
Initiator (STA) Responder (AP)
Authentication Request – Sequence # 1
Authentication Challenge – Sequence # 2
Authentication Response – Sequence # 3
Authentication Result – Sequence # 4
Challenge is a psuedo-random number, must be re-played by the initiator. If successful, the process is repeated in reverse (i.e., mutual authentication).
Access Points send beacon messages, then:
1/13/03 Chapter 18 Wireless Networks 38
Integrity Assurance – No change in transit
An integrity checksum is computed for each message exchanged between a station and an access point. It is re-computed and tested when received.
If the computed checksum does not match the appended checksum as received, the packet is discarded and re-transmission requested.
All of this sounds reasonable on the surface.
Certainly the goals of authentication, integrity, and confidentiality are theappropriate ones to implement for protecting the information.
So…how does the standard and its implementation stack up?
TERRIBLE!!!!!!!!!!!
1/13/03 Chapter 18 Wireless Networks 39
The Problems – High Level
There are many attacks that reveal the secret key.
It is easy to mount a known plaintext attack to recover keys.
Integrity is not cryptographically assured – messages can be modified without the modification being readily detected.
Many wireless networks are being operated using open authentication(i.e., no authentication or encryption). They are optional parts of the standard, not mandatory. Only the weak checksum is mandatory.
So….How do we break such a network?
1/13/03 Chapter 18 Wireless Networks 40
Authentication BreaksUsing the 4 message exchange, the break works like this:
1. Frame 1 is sent in the clear to request authentication – that’s Ok.2. The challenge response is returned by the AP – the challenge is not encrypted. The challenge is generated by combining a random number, an IV, and the shared key and is sent in the clear (128B message).3. The responding station, extracts the challenge, puts it into a response frame, encrypts it with the shared key using a new IV (sent in the clear) and sends it back.4. The AP decrypts, checks integrity and compares the challenge to the original – if same, authentication of the station is successful.
An adversary can capture the clear text challenge and the ciphertext challenge response. Knowing the IV, the attacker can derive the keystream. The adversary can now create a valid response to a new challenge and join the network.
1/13/03 Chapter 18 Wireless Networks 41
Authentication Breaks - More
That is:
The responding station has created
CHECK THIS OUT BOB
BUT, the bad guy still does not have the shared secret key. (s)he has only been authenticated, so this attack is not of great value.
What is required to go further is to discover the value of the shared secret key.
As we shall see this can also be accomplished relatively easily.
1/13/03 Chapter 18 Wireless Networks 42
WEP Encryption
The WEP encryption model:
RC4 EXOR CiphertextMessage
IntegrityCheck
Algorithm
Combine
Secret Key
IV
IV
ICV
PlaintextMessage
Transmitted Message
Keystream
1/13/03 Chapter 18 Wireless Networks 43
WEP Decryption
The WEP decryption model:
RC4
EXORCiphertextMessage
IntegrityCheck
Algorithm
CombineIV
PlaintextMessage
ReceivedMessage
Secret Key
KeystreamCompute IVC (CRC-32)on plaintext message +attached IVC. If remainderis 0, Pass, Else fail.
1/13/03 Chapter 18 Wireless Networks 44
Encryption Breaks
One of the issues with Output FeedBack (OFB) mode stream encryption is that encrypting two messages under the same IV and key can reveal Information about both the IV and key.
The IV is transmitted in the clear, so it is available. If the IV is a good random number and not re-used, it is protected. Trouble is the IV:
• Is initialized to 0 in some implementations (no standard requirement)• It is only 24 bits long. If initialized to 0, then it wraps around mod 24.• Doing the math 224 x 2346 B/packet = ~40GB (~320 Gb). • The network has a capacity to do about 432 Gb per day
The adversary can send a message to the network (known plaintext) and sniff the ciphertext since the network will encrypt it for him (her).
1/13/03 Chapter 18 Wireless Networks 45
Encryption Breaks - contd
Then the adversary sniffs the network for another instance of the same IV used for the known plaintext message and recovers that ciphertext.
Now the adversary has a known plaintext/ciphertext pair encrypted with the same secret key and can recover the key.
Since the keys are shared and typically manually distributed, they don’t change very often.
That in itself is a problem – multiple users with the same key and difficulty in manually distributing keys tend to influence long time key use.
1/13/03 Chapter 18 Wireless Networks 46
Encryption Breaks - Recap
1. Send a plaintext message to a user on the wireless network and sniff the network for the message. Moderate difficulty, trivial with insider help.2. Capture the IV (sent in the clear) and ciphertext.3. Sniff the network for another instance of the same IV with the original message. Not difficult, but may require significant storage space.4. On a hit, the adversary has:a. Original plaintext/ciphertext pair encrypted with the secret key.b. IV and new ciphertext encrypted with the same key.
C1 = P1 RC4(IV1, K1) & C2 = P2 RC4(IV1, K1)
C1 C2 = (P1 RC4(IV1, K1)) (P2 RC4(IV1, K1))
C1, C2, P1, and certainty that the same IV & key were used.
Then C1 C2 P1 = P2
1/13/03 Chapter 18 Wireless Networks 47
Encryption Breaks - Recap
Test: Does C1 C2 P1 = P2?
Assume P1= 0010, P2 = 0100; Keystream for IV, K = 1100, then:
C1 = 0010 1100 = 1110C2 = 0100 1100 = 1000
C1 C2 P1 = 1110 1000 0010 = 0100 --- QED.
1/13/03 Chapter 18 Wireless Networks 48
Integrity Assurance
The standard uses the following format:
Message CRC 32
Keystream
=
CiphertextIV
Transmitted Data Stream
Exclusive OR
IVInput
1/13/03 Chapter 18 Wireless Networks 49
802.11 Frame Formats
FrameControl
Duration Dest.Address
SourceAddress
BSSIDSeq.No. Frame Body FCS
Frame Control: Version #; Frame type (control,data, management); sub-type; and numerous flags
Duration:
Destination Address:
Source Address:
BSSID:
Sequence Number:
Frame Body:
FCS:
Octets: 2 2 6 6 6 2 0 – 2312 4
1/13/03 Chapter 18 Wireless Networks 50
Improving Wireless Security – IEEE 802.1x
In 802.11 users authenticate to access points and this is subject to the flaws we have already discussed.
IEEE 802.1x describes an authentication method that is much stronger.
Even better, it applies to wired networks as well as wireless networks.
The authentication method is called Extensible Authentication Protocol (EAP)Over LANs (EAP-OL).
It is an extension of EAP that was originally defined for dial-up authenticationUsing the Point-to-Point Protocol PPP (see RFC 2284).
It is also know as port authentication.
1/13/03 Chapter 18 Wireless Networks 51
Wired & Wireless Access Authentication
Consider the following wired and wireless network connections:
HUB
Port
WirelessAccessPoint
(WAP)Port
Wireless Link
Wired Link
Hub: Ethernet hub/switch with wired connections to desktop machines.
WAP: Wireless Access Point with wireless connections to wireless-equipped Devices (e.g., laptops, PDAS, etc.).
Authentication: Provided by the port device or by a service called by the port device.
1/13/03 Chapter 18 Wireless Networks 52
Wired & Wireless Authentication
In an Ethernet wired network and a Windows environment, a system enters the network at bootup, by sending a request to the local network segment domain controller (found in the system configuration files).
The domain controller prompts the system for authentication credentials (e.g., a username password pair). On success, the system is authenticated.
In 802.1 wireless, the system associates with an access point and the access point authenticates the wireless system and allows/denies entry.
As we have seen, the wireless method is easily defeated.
IEEE 802.1x provides a method to call a stronger authenticator and will work with either a wired or wireless network.
1/13/03 Chapter 18 Wireless Networks 53
IEEE 802.1X Authentication
1
2
3
4
Step 1: Using EAP, the user requests authentication. The Hub or AP forwards the request to the AS.Step 2: The AS issues a request for an authenticator (e.g., password,etc.).Step 3: The user presents the authenticator.Step 4: The AS authenticates/denies the access request and sends the result back to the AP and the user.If authentication succeeds, the AP opens a port for the user. All traffic isencrypted. AS creates/distributes session keys used by the user and AP.
User Hub or Access Point (AP) Authentication Server (AS)
1/13/03 Chapter 18 Wireless Networks 54
IEEE 802.1X Authentication
The Authentication Server is specified in the standard as a RADIUS server.
RADIUS = Remote Authentication Dial-In User Service
RADIUS is the subject of two RFCs, 2138 and 2865.
RFC 2865 is the current RFC and it describes the operations and protocols supported by a RADIUS server.
1/13/03 Chapter 18 Wireless Networks 55
References
Wi-Fi forum at www.wi-fi.org
HiperLAN forum at www.hiperlan2.com
HomeRF working group at www.homerf.org
Dornan, A., “LANS with No Wires, but Strings Still Attached,” Network Magazine, February 2002, pp. 44-47.