Wireless LAN security: After WEP
Carlo U. Nicola, SGI FH Aargau
With extracts from publications/slides of:
M. Joyce; Vodafone; S. Frankel et al., NIST;
L. Buttyán, J.P. Hubaux, ETHL
NS HS12 2

The general picture in a WLAN
Problems:
1. How to authenticate legitimate users?
2. How to authorize authenticated and roaming users?
3. How to guarantee confidentiality/integrity of messages?

Wi-Fi Protected Access (WPA), Robust Security Network (RSN)
802.11i: a new security architecture standard
Manufacturers' standard
WEP vs WPA vs WPA2

TKIP: the WEP compatibility path
802.11i tries to solve the compatibility problem with old WEP systems by defining a transitional (and optional) protocol called TKIP (Temporal Key Integrity Protocol). Its most remarkable characteristics are:
- Provides confidentiality and integrity.
- TKIP uses the existing RC4 but avoids some of WEP’s worst problems.
- It is not elegant, but it runs on old hardware (after a software upgrade).
TKIP corrects the following previous WEP flaws:
- Message integrity: adds a message integrity protocol.
- IV (Initialisation Vector) selection and use: as a counter (sequence number!).
- Per-packet key mixing.
- Increased IV size.
- Key management.

TKIP: RC4 seed production
[Figure: per-packet key mixing. Labels: RC4 stream to be XORed with the plain text message; dummy byte designed to avoid weak RC4 keys.]

TKIP: IV, confidentiality and integrity
IV size: from 24 bits → 48 bits
- IV is used as a sequence number to avoid replay attacks.
- IV is constructed to avoid certain “weak keys” (RC4 has some weak keys).
Confidentiality:
- Achieved through RC4 output XORed with the plain text
Integrity: new algorithm MIC (Message Integrity Code):
- Replaces ICV (Integrity Check Value)
- Protects against bit-flip attacks by adding a tamper-proof hash to messages
- Must be implemented on clients and AP
- MIC = H(random # || MAC header || sequence number || payload)
- Sequence number must be in order or the packet is rejected
- Part of the firmware software update

802.11i: the new world of WPA2
Robust Security Network (RSN) for establishing secure communications:
- Uses 802.1x for authentication
- Replaces TKIP
AES algorithm replaces RC4:
- Counter (CTR) Mode with Cipher Block Chaining (CCMP = Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
  1. CTR mode for encryption
  2. CBC-MAC provides data integrity/authentication
- 128-bit keys, 48-bit IV
- CCMP mandatory with RSN
- Ensures data confidentiality and integrity

802.1X authentication protocol as model for 802.11i
1. The supplicant requests access to the services (wants to connect to the network)
2. The authenticator controls access to the services (controls the state of a port)
3. The authentication server authorizes access to the services
   a) the supplicant authenticates itself to the authentication server
   b) if the authentication is successful, the authentication server instructs the authenticator to switch the port on
   c) the authentication server informs the supplicant that access is allowed

Mapping 802.1X to WLAN
The simple mapping:
- supplicant → mobile device (STA)
- authenticator → access point (AP)
- authentication server → server application running on the AP or on a dedicated machine
- port → logical state implemented in software in the AP
The extension to the basic 802.1X model in 802.11i:
1. Successful authentication results not only in switching the port on, but also in a session key between the mobile device and the authentication server
2. The session key is sent to the AP in a secure way:
   - This assumes a shared key between the AP and the auth server
   - This key is usually set up manually!

AES – Counter Mode with Cipher Block Chaining
Counter Mode (CTR) encryption:
1. Message is divided into blocks B_i
2. Each block B_i is separately encrypted into E_K(B_i)
3. A counter i is encrypted: E_K(i)
4. E_K(i) ⊕ E_K(B_i) produces the encrypted message block!
CTR is closely related to the OFB mode, with the notable exception that decryption in CTR can be parallelized (a huge advantage in a mobile world).
CBC-MAC Mode:
E_K(.): AES encryption (AES key length 128-256 bits)

802.11i: Overview
1. Mutually authenticate STA and AS
2. Generate Master Key (MK) as a side effect of authentication
3. Generate pairwise MK as an access authorization token
4. Generate 4 keys for encryption/integrity
802.11i: Protocol phases

802.11i: Protocol, some details
Step 1: Discovery
- AP advertises network security capabilities to stations (STAs)
Step 2: 802.1x authentication:
- Mutual authentication of both STA and AS
- Generate Master Key (MK) as a side effect of authentication
- Generate pairwise MK as an access authorization token
- Generate 4 keys for encryption/integrity

RSN Key hierarchy
- MK ≠ PMK, or the AP could make access control decisions instead of the authorization server (AS)
- MK is fresh and bound to the session between STA and AS
- PMK is bound to this STA and this AP

802.11i: Authentication overview
At the end of the authentication phase between STA and AS we have:
- The AS and STA have established a session;
- The AS and STA possess a mutually authenticated Master Key;
- The Master Key represents a decision to grant access based on authentication
- STA and AS have derived PMK
- PMK is an authorization token to enforce access control decision
- AS has distributed the PMK to the STA’s AP

How to derive the keys in a secure manner
Four separate keys for two layers’ protection:
1. EAP (Extensible Authentication Protocol) handshake and user’s data: EAP is only a carrier protocol that carries the messages of a higher layer authentication protocol (e.g. TLS).
   a) Data Encryption key
   b) Data Integrity key
   c) EAPOL (EAP On LAN)-Key Encryption key
   d) EAPOL-Key Integrity key
2. Pairwise transient key (PTK): the four keys
3. Once the keys are chosen:
   – AES encryption (confidentiality)
   – AES CBC MAC (integrity)

RSN: association and security negotiation (1)
Notice the similarities with the SSL protocol!
RSN: association and security negotiation (2)
RSN capable devices identify themselves by asserting Robust Security in Association, Beacon,
Probe, and Reassociation messages. There are four association-specific parameters:
(1) Authentication mechanism
(2) Unicast cipher suite
(3) Multicast cipher suite
(4) Nonces

Protocols: EAP, EAPOL and RADIUS
EAP (Extensible Authentication Protocol) [RFC 3748] is a carrier protocol designed to transport the messages of “real” authentication protocols (e.g., TLS). It knows only four types of messages:
- EAP request: carries messages from the supplicant to the authentication server
- EAP response: carries messages from the authentication server to the supplicant
- EAP success: signals successful authentication
- EAP failure: signals authentication failure
The authenticator doesn’t understand what is inside the EAP messages; it recognizes only EAP success and failure.
EAPOL (EAP over LAN) [802.1X] is used to encapsulate EAP messages into LAN protocols (e.g., Ethernet). EAPOL carries EAP messages between the STA and the AP.
RADIUS (Remote Access Dial-In User Service) [RFC 2865-2869, RFC 2548] carries EAP messages between the AP and the authentication server. RADIUS is mandatory for WPA but optional for RSN.
The MS-MPPE-Recv-Key RADIUS attribute is used to transport the session key from the auth server to the AP (job of the system's manager!).
EAP dynamics (1)
EAP dynamics (2)

Protocols (2): LEAP, EAP-TLS, PEAP
LEAP (Light EAP):
- developed by Cisco
- similar to MS-CHAP extended with session key transport
EAP-TLS (TLS over EAP):
- only the TLS Handshake Protocol is used
- server and client authentication, generation of master secret
- TLS master secret becomes the session key
- mandated by WPA, optional in RSN
PEAP (Protected EAP):
- phase 1: TLS Handshake without client authentication
- phase 2: client authentication protected by the secure channel established in phase 1

Protocols (3): EAP-SIM
EAP-SIM:
- An extended GSM authentication in a WLAN context.
- Protocol (simplified):
  STA → AP: EAP response ID (IMSI/pseudonym)
  STA → AP: EAP response (nonce)
  AP: [gets two auth. triplets from the mobile operator’s AuC]
  AP → STA: EAP request (2 × RAND | MIC_{2 × Kc} | {new pseudonym}_{2 × Kc})
  STA → AP: EAP response (2 × SRES)
  AP → STA: EAP success
Summary of all the major protocols

Bibliography
1. W. Arbaugh, N. Shankar, J. Wan, K. Zhang. Your 802.11 network has no clothes. IEEE Wireless Communications Magazine, 9(6):44-51, 2002.
2. N. Borisov, I. Goldberg, D. Wagner. Intercepting mobile communications: the insecurity of 802.11. Proceedings of the 7th ACM Conference on Mobile Computing and Networking, 2001.
3. B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz. Extensible Authentication Protocol (EAP). RFC 3748, 2004.
4. J. Edney, W. Arbaugh. Real 802.11 Security: WiFi Protected Access and 802.11i. Addison-Wesley, 2004.
5. S. Fluhrer, I. Mantin, A. Shamir. Weaknesses in the key scheduling algorithm of RC4. Proceedings of the 8th Workshop on Selected Areas in Cryptography, 2001.
6. B. Aboba, P. Calhoun. RADIUS (Remote Authentication Dial In User Service) Support for Extensible Authentication Protocol (EAP). RFC 3579, 2003.
7. J. Walker. Unsafe at any key size: An analysis of the WEP encapsulation. IEEE 802.11-00/362, 2000.
8. Wi-Fi Alliance. Wi-Fi Protected Access: http://www.wi-fi.org/white_papers/whitepaper-042903-wpa/
9. IEEE Std 802.1X-2001. IEEE Standard: Port-based Network Access Control, 2001.
10. IEEE Std 802.11. IEEE Standard: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, 1999.
11. IEEE Std 802.11i. IEEE Standard Amendment 6: Medium Access Control (MAC) Security Enhancements, 2004.
Appendix

RSN Key glossary
From L. Buttyán, J.P. Hubaux, ETHL "Key management": The session key established between the mobile device and the AP as the result of the authentication procedure is called the pairwise master key (PMK). It is a pairwise key, because it is known only to that mobile device and the AP (and the authentication server, but it is considered to be a trusted entity); and it is a master key, because it is not used directly for encryption or integrity protection of messages, but it is used to derive encryption and integrity keys. More precisely, both the mobile device and the AP derive four keys from the PMK: a data-encryption key, a data-integrity key, a key-encryption key, and a key-integrity key. These four keys together are called the pairwise transient key (PTK). We must note that AES-CCMP uses the same key for encryption and for integrity protection of data, therefore, in the case of AES-CCMP, the PTK consists of three keys only. Besides the PMK, the derivation of the PTK also uses as input the MAC addresses of the parties (the mobile device and the AP) and two random numbers generated by the parties.
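
Added example, not part of the original slides or of the quoted text: the PTK derivation described in the key glossary and in the slide on the four separate keys, written with the 802.11i PRF (HMAC-SHA1 with the label "Pairwise key expansion"). The PMK, MAC addresses and nonces are constructed sample values, and the dictionary key names are this example's own.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, truncated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, cipher="CCMP"):
    """Derive the PTK from the PMK and split it into the keys named in the text."""
    # min/max ordering lets the STA and the AP build the same input independently.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48 if cipher == "CCMP" else 64)
    keys = {
        "key_integrity (KCK)": ptk[0:16],
        "key_encryption (KEK)": ptk[16:32],
    }
    if cipher == "CCMP":
        # AES-CCMP: one temporal key serves both encryption and integrity.
        keys["data_enc_and_integrity (TK)"] = ptk[32:48]
    else:
        # TKIP: separate RC4 key and Michael MIC keys (8 bytes per direction).
        keys["data_encryption (TK)"] = ptk[32:48]
        keys["data_integrity (MIC)"] = ptk[48:64]
    return keys

# Constructed sample values, not taken from any real network.
PMK = hashlib.sha256(b"constructed demo PMK").digest()
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()

if __name__ == "__main__":
    for cipher in ("CCMP", "TKIP"):
        print(cipher)
        derived = derive_ptk(PMK, AP_MAC, STA_MAC, ANONCE, SNONCE, cipher)
        for name, key in derived.items():
            print(f"  {name}: {key.hex()}")
```

Because both nonces are inputs, a fresh pair of random numbers gives a fresh PTK even when the PMK is reused.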
SIM refresher