Wireless LAN security: After WEP

Carlo U. Nicola, SGI FH Aargau. With extracts from publications/slides of: M. Joyce; Vodaphone; S. Frankel et al. NIST; L. Bullyán, J.P. Hubeaux, ETHL



NS HS12 2

The general picture in a WLAN

Problems:

1. How to authenticate legitimate users?
2. How to authorize authenticated and roaming users?
3. How to guarantee confidentiality/integrity of messages?


802.11i a new security architecture standard

- WIFI Protected Access (WPA)
- Robust Security Network (RSN)


Manufacturers' standard

WEP vs WPA vs WPA2


TKIP: the WEP compatibility path

802.11i tries to solve the compatibility problem with old WEP systems by defining a transitional (and optional) protocol called TKIP (Temporal Key Integrity Protocol). Its most remarkable characteristics are:

- Provides confidentiality and integrity.
- TKIP uses the existing RC4 but avoids some of WEP's worst problems.
- It is not elegant, but it runs on old hardware (after a software upgrade).

TKIP corrects the following previous WEP flaws:

- Message integrity: adds a message integrity protocol.
- IV (Initialisation Vector) selection and use: the IV is used as a counter (sequence number!).
- Per-packet key mixing.
- Increased IV size.
- Key management.


TKIP: RC4 seed production

[Figure: per-packet key mixing. Labels: RC4 stream to be XORed with the plaintext message; dummy byte designed to avoid weak RC4 keys.]


TKIP: IV, confidentiality and integrity

IV size: from 24 bits → 48 bits

- The IV is used as a sequence number to avoid replay attacks.
- The IV is constructed to avoid certain "weak keys" (RC4 has some weak keys).

Confidentiality:

- Achieved through RC4 output XORed with the plaintext

Integrity: new algorithm MIC (Message Integrity Code):

- Replaces the ICV (Integrity Check Value)
- Protects against bit-flip attacks by adding a tamper-proof hash to messages
- Must be implemented on clients and AP
- MIC = H(random # || MAC header || sequence number || payload)
- Sequence number must be in order or the packet is rejected
- Part of the firmware software update


802.11i: the new world of WPA2

Robust Security Network (RSN) for establishing secure communications:

- Uses 802.1x for authentication
- Replaces TKIP

AES algorithm replaces RC4:

- Counter (CTR) Mode with Cipher Block Chaining (CCMP = Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
  1. CTR mode for encryption
  2. CBC-MAC provides data integrity/authentication
- 128-bit keys, 48-bit IV
- CCMP mandatory with RSN
- Ensures data confidentiality and integrity


802.1X authentication protocol as model for 802.11i

1. The supplicant requests access to the services (wants to connect to the network)
2. The authenticator controls access to the services (controls the state of a port)
3. The authentication server authorizes access to the services
   a) the supplicant authenticates itself to the authentication server
   b) if the authentication is successful, the authentication server instructs the authenticator to switch the port on
   c) the authentication server informs the supplicant that access is allowed


Mapping 802.1X to WLAN

The simple mapping:

- supplicant → mobile device (STA)
- authenticator → access point (AP)
- authentication server → server application running on the AP or on a dedicated machine
- port → logical state implemented in software in the AP

The extension to the basic 802.1X model in 802.11i:

1. Successful authentication results not only in switching the port on, but also in a session key between the mobile device and the authentication server
2. The session key is sent to the AP in a secure way:
   - This assumes a shared key between the AP and the auth server
   - This key is usually set up manually!


Mapping 802.1X to WLAN


AES – Counter Mode with Cipher Block Chaining

Counter Mode (CTR) encryption:

1. Message is divided into blocks B_i
2. Each block B_i is separately encrypted into E_K(B_i)
3. A counter i is encrypted: E_K(i)
4. E_K(i) ⊕ E_K(B_i) produces the encrypted message block!

CTR is closely related to the OFB mode, with the notable exception that decryption in CTR can be parallelized (a huge advantage in a mobile world).

CBC-MAC Mode:

E_K(.): AES encryption (AES key length 128-256 bits)
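How CTR encryption and CBC-MAC combine under one key, as an added example that is not part of the original slides. The block layout follows RFC 3610 (CCM) with the 13-byte nonce and 8-byte MIC that CCMP uses, and the keystream block E_K(counter) is XORed directly onto the data block, as CTR is defined in NIST SP 800-38A. Assumption: `E` is a keyed stand-in built from HMAC-SHA256 so the block runs with the standard library only; it is not AES, and all function names are hypothetical.

```python
import hmac, hashlib

BLOCK, MIC_LEN = 16, 8   # CCMP: 16-byte blocks, 8-byte MIC

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES E_K(.): keyed PRF cut to one block (assumption, NOT AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def pad(data: bytes) -> bytes:
    return data + bytes(-len(data) % BLOCK)

def ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: block i is XORed with E_K(flags || nonce || i); the same call decrypts."""
    out = b""
    for i in range(0, len(data), BLOCK):
        counter_block = b"\x01" + nonce + (i // BLOCK + 1).to_bytes(2, "big")
        out += xor(data[i:i + BLOCK], E(key, counter_block))
    return out

def cbc_mac(key: bytes, nonce: bytes, header: bytes, data: bytes) -> bytes:
    """CBC-MAC over B0 (flags, nonce, data length), the length-prefixed header, the data."""
    b0 = b"\x59" + nonce + len(data).to_bytes(2, "big")
    blocks = b0 + pad(len(header).to_bytes(2, "big") + header) + pad(data)
    state = bytes(BLOCK)
    for i in range(0, len(blocks), BLOCK):
        state = E(key, xor(state, blocks[i:i + BLOCK]))
    return state[:MIC_LEN]

def seal(key: bytes, nonce: bytes, header: bytes, plaintext: bytes) -> bytes:
    """Encrypt with CTR and append the MIC, masked with the counter-0 keystream block."""
    s0 = E(key, b"\x01" + nonce + bytes(2))
    return ctr(key, nonce, plaintext) + xor(cbc_mac(key, nonce, header, plaintext), s0)

def open_sealed(key: bytes, nonce: bytes, header: bytes, sealed: bytes) -> bytes:
    """Decrypt, recompute the MIC over header and plaintext, release data only if it matches."""
    body, mic = sealed[:-MIC_LEN], sealed[-MIC_LEN:]
    plaintext = ctr(key, nonce, body)
    s0 = E(key, b"\x01" + nonce + bytes(2))
    expected = xor(cbc_mac(key, nonce, header, plaintext), s0)
    if not hmac.compare_digest(mic, expected):
        raise ValueError("MIC mismatch: frame modified or wrong key")
    return plaintext
```

CTR on its own is malleable (a flipped ciphertext bit flips the same plaintext bit), which is why the CBC-MAC over header and payload is checked before any data is released.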


802.11i: Overview

1. Mutually authenticate STA and AS
2. Generate Master Key (MK) as a side effect of authentication
3. Generate pairwise MK as an access authorization token
4. Generate 4 keys for encryption/integrity


802.11i: Protocol phases


802.11i: Protocol some details

Step 1: Discovery

AP advertises network security capabilities to stations (STAs)

Step 2: 802.1x authentication:

- Mutual authentication of both STA and AS
- Generate Master Key (MK) as a side effect of authentication
- Generate pairwise MK as an access authorization token
- Generate 4 keys for encryption/integrity


RSN Key hierarchy

MK ≠ PMK, or the AP could make the access control decision instead of the authorization server (AS)

MK is fresh and bound to the session between STA and AS

PMK is bound to this STA and this AP


802.11i: Authentication overview

At the end of the authentication phase between STA and AS we have:

- The AS and STA have established a session;
- The AS and STA possess a mutually authenticated Master Key;
- The Master Key represents a decision to grant access based on authentication
- STA and AS have derived PMK
- PMK is an authorization token to enforce access control decision
- AS has distributed the PMK to the STA's AP


How to derive the keys in a secure manner

Four separate keys for two layers' protection:

1. EAP (Extensible Authentication Protocol) handshake and user's data: EAP is only a carrier protocol that carries the messages of a higher-layer authentication protocol (e.g. TLS).
   a) Data Encryption key
   b) Data Integrity key
   c) EAPOL (EAP On LAN)-Key Encryption key
   d) EAPOL-Key Integrity key
2. Pairwise transient key (PTK): the four keys
3. Once the keys are chosen:
   - AES encryption (confidentiality)
   - AES CBC-MAC (integrity)


RSN: association and security negotiation (1)

Notice the similarities with the SSL protocol!


RSN: association and security negotiation (2)

RSN-capable devices identify themselves by asserting Robust Security in Association, Beacon, Probe, and Reassociation messages. There are four association-specific parameters:

(1) Authentication mechanism
(2) Unicast cipher suite
(3) Multicast cipher suite
(4) Nonces
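A parser for the RSN information element in which an AP advertises the first three parameters (authentication mechanism, unicast/pairwise and multicast/group cipher suites), with a check that flags RC4-based suites still being offered. This is an added example, not part of the original slides; the function names and the sample element are constructed, and the parser assumes the element carries all fields up to the AKM list.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")            # OUI used by IEEE 802.11 suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def read_suites(body, off, count, names):
    """Read `count` 4-byte suite selectors (3-byte OUI + 1-byte type) starting at off."""
    suites = []
    for _ in range(count):
        sel = body[off:off + 4]
        if len(sel) < 4:
            raise ValueError("truncated suite list")
        known = sel[:3] == RSN_OUI and sel[3] in names
        suites.append(names[sel[3]] if known else "unknown-" + sel.hex())
        off += 4
    return suites, off

def read_count(body, off):
    """Read a 2-byte little-endian field, refusing to run past the element."""
    if off + 2 > len(body):
        raise ValueError("truncated count field")
    return struct.unpack_from("<H", body, off)[0], off + 2

def parse_rsn_ie(ie: bytes) -> dict:
    """Parse element ID 48: version, group suite, pairwise suites, AKM suites."""
    if len(ie) < 4 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    version, off = read_count(body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version")
    group, off = read_suites(body, off, 1, CIPHERS)
    n, off = read_count(body, off)
    pairwise, off = read_suites(body, off, n, CIPHERS)
    n, off = read_count(body, off)
    akm, off = read_suites(body, off, n, AKMS)
    return {"group": group[0], "pairwise": pairwise, "akm": akm}

def legacy_findings(rsn: dict) -> list:
    """Flag suites that keep RC4-based protection (WEP, TKIP) in use."""
    legacy = {"WEP-40", "WEP-104", "TKIP"}
    findings = [f"pairwise cipher {c}" for c in rsn["pairwise"] if c in legacy]
    if rsn["group"] in legacy:
        findings.append(f"group cipher {rsn['group']}")
    return findings

def build_sample(group: int, pairwise: list) -> bytes:
    """Constructed RSN element for the demo (802.1X AKM, zeroed capabilities field)."""
    body = struct.pack("<H", 1) + RSN_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(RSN_OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", 1) + RSN_OUI + b"\x01" + b"\x00\x00"
    return bytes([48, len(body)]) + body
```

`legacy_findings(parse_rsn_ie(build_sample(2, [4, 2])))` reports the TKIP pairwise and group suites of a mixed-mode network, while a CCMP-only element yields an empty list.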


Protocols: EAP, EAPOL and RADIUS

EAP (Extensible Authentication Protocol) [RFC 3748] is a carrier protocol designed to transport the messages of "real" authentication protocols (e.g., TLS). It knows only four types of messages:

- EAP request: carries messages from the supplicant to the authentication server
- EAP response: carries messages from the authentication server to the supplicant
- EAP success: signals successful authentication
- EAP failure: signals authentication failure

The authenticator doesn't understand what is inside the EAP messages; it recognizes only EAP success and failure.

EAPOL (EAP over LAN) [802.1X] is used to encapsulate EAP messages into LAN protocols (e.g., Ethernet). EAPOL carries EAP messages between the STA and the AP.

RADIUS (Remote Access Dial-In User Service) [RFC 2865-2869, RFC 2548] carries EAP messages between the AP and the authentication server. RADIUS is mandatory for WPA but optional for RSN.

The MS-MPPE-Recv-Key RADIUS attribute is used to transport the session key from the auth server to the AP (job of the system's manager!).
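The pass-through role of the authenticator, as an added example that is not part of the original slides: it strips the EAPOL header, validates the EAP header, relays method traffic without interpreting it, and changes the port state only on Success or Failure. Assumptions: the `Authenticator` class, the `from_server` flag (a Success arriving from the station side is dropped) and the sample messages are constructed for illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}   # RFC 3748
EAP_METHODS = {1: "Identity", 13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 25: "PEAP"}

def parse_eap(data: bytes) -> dict:
    """Parse an EAP packet: code (1), identifier (1), length (2), optional type byte."""
    if len(data) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if code not in EAP_CODES or not 4 <= length <= len(data):
        raise ValueError("bad EAP code or length")
    msg = {"code": EAP_CODES[code], "id": ident, "method": None}
    if code in (1, 2):                      # only Request/Response carry a method type
        if length < 5:
            raise ValueError("Request/Response without a type byte")
        msg["method"] = EAP_METHODS.get(data[4], f"type-{data[4]}")
    elif length != 4:
        raise ValueError("Success/Failure must be exactly 4 bytes")
    return msg

def unwrap_eapol(frame: bytes) -> bytes:
    """Strip the EAPOL header (version, packet type, body length); type 0 carries EAP."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, blen = struct.unpack("!BBH", frame[:4])
    if ptype != 0 or blen > len(frame) - 4:
        raise ValueError("not an EAP-Packet or bad body length")
    return frame[4:4 + blen]

class Authenticator:
    """AP-side pass-through: relays EAP opaquely, acts only on Success/Failure from the AS."""
    def __init__(self):
        self.port_open = False

    def relay(self, eap: bytes, from_server: bool) -> str:
        msg = parse_eap(eap)
        if msg["code"] in ("Success", "Failure"):
            if not from_server:             # a station cannot grant itself access
                return "dropped"
            self.port_open = msg["code"] == "Success"
        return "forwarded"

def run_demo() -> list:
    """Constructed exchange: identity Response, Success from the wrong side, AS Success."""
    # RFC 3748: Requests come from the server side, Responses from the peer (station).
    identity = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"
    success = struct.pack("!BBH", 3, 2, 4)
    eapol = struct.pack("!BBH", 1, 0, len(identity)) + identity
    ap = Authenticator()
    return [ap.relay(unwrap_eapol(eapol), False), ap.port_open,
            ap.relay(success, False), ap.port_open,
            ap.relay(success, True), ap.port_open]
```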


EAP dynamics (1)


EAP dynamics (2)


Protocols (2): LEAP, EAP-TLS, PEAP

LEAP (Light EAP):

- developed by Cisco
- similar to MS-CHAP extended with session key transport

EAP-TLS (TLS over EAP):

- only the TLS Handshake Protocol is used
- server and client authentication, generation of master secret
- TLS master secret becomes the session key
- mandated by WPA, optional in RSN

PEAP (Protected EAP):

- phase 1: TLS Handshake without client authentication
- phase 2: client authentication protected by the secure channel established in phase 1


Protocols (3): EAP-SIM

EAP-SIM:

- An extended GSM authentication in a WLAN context.
- Protocol (simplified):

  STA → AP: EAP response ID (IMSI/pseudonym)
  STA → AP: EAP response (nonce)
  AP: [gets two auth. triplets from the mobile operator's AuC]
  AP → STA: EAP request (2 × RAND | MIC_{2 × Kc} | {new pseudonym}_{2 × Kc})
  STA → AP: EAP response (2 × SRES)
  AP → STA: EAP success


Summary of all the major protocols


Bibliography

1. W. Arbaugh, N. Shankar, J. Wan, K. Zhang. Your 802.11 network has no clothes. IEEE Wireless Communications Magazine, 9(6):44-51, 2002.
2. N. Borisov, I. Goldberg, D. Wagner. Intercepting mobile communications: the insecurity of 802.11. Proceedings of the 7th ACM Conference on Mobile Computing and Networking, 2001.
3. B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz. Extensible Authentication Protocol (EAP). RFC 3748, 2004.
4. J. Edney, W. Arbaugh. Real 802.11 Security: WiFi Protected Access and 802.11i. Addison-Wesley, 2004.
5. S. Fluhrer, I. Mantin, A. Shamir. Weaknesses in the key scheduling algorithm of RC4. Proceedings of the 8th Workshop on Selected Areas in Cryptography, 2001.
6. B. Aboba, P. Calhoun. RADIUS (Remote Authentication Dial In User Service) Support for Extensible Authentication Protocol (EAP). RFC 3579, 2003.
7. J. Walker. Unsafe at any key size: An analysis of the WEP encapsulation. IEEE 802.11-00/362, 2000.
8. Wi-Fi Alliance. Wi-Fi Protected Access: http://www.wi-fi.org/white_papers/whitepaper-042903-wpa/
9. IEEE Std 802.1X-2001. IEEE Standard: Port-based Network Access Control, 2001.
10. IEEE Std 802.11. IEEE Standard: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, 1999.
11. IEEE Std 802.11i. IEEE Standard Amendment 6: Medium Access Control (MAC) Security Enhancements, 2004.


Appendix


RSN Key glossary

From L. Bullyán, J.P. Hubeaux, ETHL "Key management": The session key established between the mobile device and the AP as the result of the authentication procedure is called the pairwise master key (PMK). It is a pairwise key, because it is known only to that mobile device and the AP (and the authentication server, but it is considered to be a trusted entity); and it is a master key, because it is not used directly for encryption or integrity protection of messages, but it is used to derive encryption and integrity keys. More precisely, both the mobile device and the AP derive four keys from the PMK: a data-encryption key, a data-integrity key, a key-encryption key, and a key-integrity key. These four keys together are called the pairwise transient key (PTK). We must note that AES-CCMP uses the same key for encryption and for integrity protection of data; therefore, in the case of AES-CCMP, the PTK consists of three keys only. Besides the PMK, the derivation of the PTK also uses as input the MAC addresses of the parties (the mobile device and the AP) and two random numbers generated by the parties.
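The PTK derivation described above, as an added example that is not part of the original slides. It uses the HMAC-SHA1 based PRF and the "Pairwise key expansion" label from IEEE 802.11i; the function names, the dictionary keys (taken from the four key names in the text) and any input values a caller supplies are assumptions of this example.

```python
import hmac, hashlib

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, cipher="CCMP") -> dict:
    """Derive the PTK from the PMK, both MAC addresses and both nonces, then split it."""
    if len(pmk) != 32 or len(ap_mac) != 6 or len(sta_mac) != 6:
        raise ValueError("PMK must be 32 bytes and MAC addresses 6 bytes")
    if len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("nonces must be 32 bytes")
    if cipher not in ("CCMP", "TKIP"):
        raise ValueError("cipher must be CCMP or TKIP")
    # Ordering each pair (smaller value first) lets AP and station build identical input.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48 if cipher == "CCMP" else 64)
    keys = {
        "key_integrity": ptk[0:16],      # EAPOL-Key integrity key
        "key_encryption": ptk[16:32],    # EAPOL-Key encryption key
        "data_encryption": ptk[32:48],   # with CCMP also protects data integrity
    }
    if cipher == "TKIP":
        keys["data_integrity"] = ptk[48:64]   # two 8-byte MIC keys, one per direction
    return keys
```

Because the MAC addresses and nonces are ordered before hashing, both ends obtain the same keys, and a fresh nonce from either side yields a new PTK under an unchanged PMK.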


SIM refresher