View
215
Download
1
Category
Preview:
Citation preview
Friday, Dec 3, 2004 IEEE 802.11i 1
IEEE 802.11i
60-564 Survey
Fall 2004
Aniss Zakaria
Friday, Dec 3, 2004 IEEE 802.11i 2
Survey based on two main papers:
• IEEE 802.11i Standard, http://standards.ieee.org ,June 2004
• Jyh-Cheng Chen, Ming-Chia Jiang and Yi-Wen Liu, “Wireless LAN Security and IEEE 802.11i”, url = http://wire.cs.nthu.edu.tw/wire1x/WC02-124-post.pdf , 2004
Friday, Dec 3, 2004 IEEE 802.11i 3
IEEE 802.11 Introduction:
• WLANs are in everywhere.
• Authentication modes:
• Open System Authentication. Just supply correct SSID.
• Shared key Authentication. Relay on WEP.
• WEP: Wired Equivalent Privacy.
• WEP is weak and breakable. AirSnort.
Friday, Dec 3, 2004 IEEE 802.11i 4
WEP
Without WEP, no confidentiality, integrity, or authentication of user data
The cipher used in WEP is RC4, keylength from 40 up to 104 bits
Key is shared by all clients and the base station compromising one node compromises network
Manual key distribution among clients makes changing the key difficult
Friday, Dec 3, 2004 IEEE 802.11i 5
WEP .. cont
Friday, Dec 3, 2004 IEEE 802.11i 6
What’s wrong with WEP?
How does WEP “work”?
802.11 Hdr Data
Append ICV = CRC32(Data)
Data802.11 Hdr ICV
Data802.11 Hdr IV ICV
Select and insert IV
Per-packet Key = IV || RC4 Base Key
RC4 Encrypt Data || ICV
Remove IV from packet
Per-packet Key = IV || RC4 Base Key
RC4 Decrypt Data || ICV
Check ICV = CRC32(Data)
24 bits
Friday, Dec 3, 2004 IEEE 802.11i 7
IV is the main problem:
• IV is only 24 bits provide a 16,777,216 different RC4 cipher streams for a given WEP key
• Chances of duplicate IVs are:
• 1% after 582 encrypted frames
• 10% after 1881 encrypted frames
• 50% after 4,823 encrypted frames
• 99% after 12,430 encrypted frames• Increasing Key size will not make WEP any safer. Why?
refer to Jesse Walker paper “IEEE 802.11i wireless LAN: Unsafe at any key size”, http://www.dis.org/wl/pdf/unsafe.pdf, Oct 2000
Friday, Dec 3, 2004 IEEE 802.11i 8
IV is the main problem:
Friday, Dec 3, 2004 IEEE 802.11i 9
Review of the cipher RC4
Pseudo-random number
generator
Plaintext data byte p
“key stream” byte b
Ciphertext data byte c = p b
Decryption works the same way: p = c b
Thought experiment: what happens when p1 and p2 are encrypted under the same “key stream” byte b?
c1 = p1 b c2 = p2 b
Then: c1 c2 = (p1 b) (p2 b) = p1 p2
What’s wrong with WEP?
Friday, Dec 3, 2004 IEEE 802.11i 10
We need a solution:• IEEE 802.11 has formed a new Task Group “i” to solve WEP problems.
• Wi-Fi Protected Access (WPA) was created by the Wi-Fi Alliance in 2002 – in part out of impatience with the slow - moving 802.11i standard.
• WPA focus mainly on legacy (current) equipments, require only firmware update.
• IEEE 802.11i has added a newer Encryption mechanism which require changes in current WLAN equipments.
• 802.11i has been ratified by the IEEE in June 2004.
• Unlike 802.11a, b and g specifications, all of which define physical layer issues, 802.11i defines a security mechanism that operates between the Media Access Control (MAC) sublayer and the Network layer.
•The Wi-Fi Alliance refers to the new 802.11i standard as WPA2.
Friday, Dec 3, 2004 IEEE 802.11i 11
IEEE 802.11i standard:
• IEEE 802.11 TGi has defined two major frameworks:
• Pre-RSN
• RSN
• The definition of RSN according to IEEE 802.11i standard is a Security Network which only allows the creation of Robust Security Network Associations (RSNA).
• simply, Pre-RSN is what current WLANs are, but RSN systems are what IEEE 802.11i systems should be.
Friday, Dec 3, 2004 IEEE 802.11i 12
Pre-RSN IEEE 802.11 entity authentication
Open System authentication Allows a station to be authentication without having a
correct WEP keyShared Key authentication
The AP send a challenge packet to the Mobile Station
The MS encrypt the challenge packet using the shared WEP key and send the encrypted result back to the AP
IEEE 802.11i Frameworks:
Friday, Dec 3, 2004 IEEE 802.11i 13
IEEE 802.11i Frameworks: RSN
Authentication Enhancement:IEEE 802.11i utilizes IEEE 802.1X for its
authentication and key management services. Key Management and Establishment:
Manual key managementAutomatic key management
Encryption Enhancement:Temporal Key Integrity Protocol (TKIP)Counter-Mode/CBC-MAC Protocol (CCMP)
So .. These are the 3 enhancements which IEEE 802.11i has introduced .. We will talk about each of these items individually in the following slides.
Friday, Dec 3, 2004 IEEE 802.11i 14
IEEE 802.1X:Authentication Enhancement
• Port-based authentication mechanism used for both wired and wireless networks.
• Already implemented in many Operating Systems like Windows XP SP1.
• It provide a framework to authenticate and authorize devices connecting to network.
• IEEE 802.1X has three main pieces:
• Supplicant
• Authenticator
• Authentication Server (AS)
Friday, Dec 3, 2004 IEEE 802.11i 15
IEEE 802.1X:Authentication Enhancement
• Authenticator and supplicant communicate with one another by using the Extensible Authentication Protocol (EAP, RFC-2284).• EAP originally designed to work over PPP, but IEEE 802.1X define a method to use EAP Over LAN (EAPOL)• The EAP protocol can support multiple authentication mechanisms, such as MD5-challenge, One-Time Passwords, Generic Token Card, TLS, TTLS and smart cards such as EAP SIM etc.
Friday, Dec 3, 2004 IEEE 802.11i 16
IEEE 802.1X:Authentication Enhancement
• Ethernet type of EAPOL is 88-8E.
Friday, Dec 3, 2004 IEEE 802.11i 17
IEEE 802.1X:Authentication Enhancement
Friday, Dec 3, 2004 IEEE 802.11i 18
Key Management and Establishment:
• Two ways to support key distribution:
• Manual key management Administrator will manually configure keys.
• Automatic Key management IEEE 802.1x used for key management services, only available on RSNA.
• Two Key Hirarechies:
• Pairwise key hierarchy
• Group key hierarchy
Friday, Dec 3, 2004 IEEE 802.11i 19
Key Management and Establishment:
Master Key – represents positive access decision Pairwise Master Key (PMK) – represents
authorization to access 802.11 medium Pairwise Transient Key (PTK) – Collection of
operational keys: Key Confirmation Key (KCK) – used to bind PTK
to the AP, STA; used to prove possession of the PMK
Key Encryption Key (KEK) – used to distribute Group Transient Key (GTK)
Temporal Key (TK) – used to secure data traffic
Pairwise key hierarchy
Friday, Dec 3, 2004 IEEE 802.11i 20
Key Management and Establishment:Pairwise key hierarchy
Friday, Dec 3, 2004 IEEE 802.11i 21
4-way handshake:The 4-way handshake does several things: • Confirms the PMK between the supplicant and authenticator.• Establishes the temporal keys to be used by the data-confidentiality protocol • Authenticates the security parameters that were negotiated • Performs the first group key handshake • Provides keying material to implement the group key handshake
Key Management and Establishment:Pairwise key hierarchy
Friday, Dec 3, 2004 IEEE 802.11i 22
4-way handshake:
Friday, Dec 3, 2004 IEEE 802.11i 23
Group Master Key (GMK) – which is a random number.
Group Transient Key (GTK) – An operational keys: Temporal Key – used to “secure” multicast/broadcast
data traffic
802.11i specification defines a “Group key hierarchy” Entirely gratuitous: impossible to distinguish GTK from
a randomly generated key
Key Management and Establishment:Group key hierarchy
Friday, Dec 3, 2004 IEEE 802.11i 24
Key Management and Establishment:Group key hierarchy
Friday, Dec 3, 2004 IEEE 802.11i 25
Encryption Enhancement:• Two main Encryption algorithms are used:
• TKIP Temporal Key Integrity Protocol
• CCMP Counter-Mode/CBC-MAC Protocol
• Path: WEP -> WPA -> 802.11i
• WPA = TKIP + IEEE 802.1x
• 802.11i = TKIP + IEEE 802.1x + CCMP
Friday, Dec 3, 2004 IEEE 802.11i 26
Encryption Enhancement:TKIP:
• Stronger privacyStronger privacy- Still uses RC-4 encryption- Still uses RC-4 encryption- Key rollover (temporal key)- Key rollover (temporal key)- Expand IV space (24 - Expand IV space (24 48 bits
• TKIP consider as a short-term solution for WLAN security.TKIP consider as a short-term solution for WLAN security.
• used to ease the transition from current WEP WLAN to the next used to ease the transition from current WEP WLAN to the next RSN networks.RSN networks.
• Stronger integrityStronger integrity- Message Integrity Code (MIC) - computed with own - Message Integrity Code (MIC) - computed with own integrity algorithm (MICHAEL)integrity algorithm (MICHAEL)- Separate integrity key- Separate integrity key- Integrity counter measures- Integrity counter measures
Friday, Dec 3, 2004 IEEE 802.11i 27
Encryption Enhancement:TKIP:
TKIP uses the IV and base key to hash a new key – thus a new key will be available every packet; weak keys are mitigated.
Friday, Dec 3, 2004 IEEE 802.11i 28
Encryption Enhancement:CCMP:
• Long-term solution.• Mandatory for RSNA systems.• IV size is 48 bits.• Uses stronger encryption of AES which uses the CCM mode (RFC 3610) with 128-bit key and 128-bit block size.• CCM mode combines Counter-Mode (CTR) and Cipher Block Chaining Message Authentication Code (CBC-MAC). • For Privacy: AES-CCM (128 bit key)
Integrity: CBC-MAC• Support preauthorization so clients can preauthorize when roaming, if they already had a full authorization in their home network.
Friday, Dec 3, 2004 IEEE 802.11i 29
Friday, Dec 3, 2004 IEEE 802.11i 30
802.11i Summary
Data protocols provide confidentiality, data origin authenticity, replay protection
Data protocols require fresh key on every session
Key management delivers keys used as authorization tokens, proving channel access is authorized
Architecture ties keys to authentication
Recommended