Friday, Dec 3, 2004 IEEE 802.11i 1

IEEE 802.11i

60-564 Survey

Fall 2004

Aniss Zakaria

Friday, Dec 3, 2004 IEEE 802.11i 2

Survey based on two main papers:

• IEEE 802.11i Standard, http://standards.ieee.org ,June 2004

• Jyh-Cheng Chen, Ming-Chia Jiang and Yi-Wen Liu, “Wireless LAN Security and IEEE 802.11i”, url = http://wire.cs.nthu.edu.tw/wire1x/WC02-124-post.pdf , 2004

Friday, Dec 3, 2004 IEEE 802.11i 3

IEEE 802.11 Introduction:

• WLANs are in everywhere.

• Authentication modes:

• Open System Authentication. Just supply correct SSID.

• Shared key Authentication. Relay on WEP.

• WEP: Wired Equivalent Privacy.

• WEP is weak and breakable. AirSnort.

Friday, Dec 3, 2004 IEEE 802.11i 4

WEP

Without WEP, no confidentiality, integrity, or authentication of user data

The cipher used in WEP is RC4, keylength from 40 up to 104 bits

Key is shared by all clients and the base station compromising one node compromises network

Manual key distribution among clients makes changing the key difficult

Friday, Dec 3, 2004 IEEE 802.11i 5

WEP .. cont

Friday, Dec 3, 2004 IEEE 802.11i 6

What’s wrong with WEP?

How does WEP “work”?

802.11 Hdr Data

Append ICV = CRC32(Data)

Data802.11 Hdr ICV

Data802.11 Hdr IV ICV

Select and insert IV

Per-packet Key = IV || RC4 Base Key

RC4 Encrypt Data || ICV

Remove IV from packet

Per-packet Key = IV || RC4 Base Key

RC4 Decrypt Data || ICV

Check ICV = CRC32(Data)

24 bits

Friday, Dec 3, 2004 IEEE 802.11i 7

IV is the main problem:

• IV is only 24 bits provide a 16,777,216 different RC4 cipher streams for a given WEP key

• Chances of duplicate IVs are:

• 1% after 582 encrypted frames

• 10% after 1881 encrypted frames

• 50% after 4,823 encrypted frames

• 99% after 12,430 encrypted frames• Increasing Key size will not make WEP any safer. Why?

refer to Jesse Walker paper “IEEE 802.11i wireless LAN: Unsafe at any key size”, http://www.dis.org/wl/pdf/unsafe.pdf, Oct 2000

Friday, Dec 3, 2004 IEEE 802.11i 8

IV is the main problem:

Friday, Dec 3, 2004 IEEE 802.11i 9

Review of the cipher RC4

Pseudo-random number

generator

Plaintext data byte p

“key stream” byte b

Ciphertext data byte c = p b

Decryption works the same way: p = c b

Thought experiment: what happens when p1 and p2 are encrypted under the same “key stream” byte b?

c1 = p1 b c2 = p2 b

Then: c1 c2 = (p1 b) (p2 b) = p1 p2

What’s wrong with WEP?

Friday, Dec 3, 2004 IEEE 802.11i 10

We need a solution:• IEEE 802.11 has formed a new Task Group “i” to solve WEP problems.

• Wi-Fi Protected Access (WPA) was created by the Wi-Fi Alliance in 2002 – in part out of impatience with the slow - moving 802.11i standard.

• WPA focus mainly on legacy (current) equipments, require only firmware update.

• IEEE 802.11i has added a newer Encryption mechanism which require changes in current WLAN equipments.

• 802.11i has been ratified by the IEEE in June 2004.

• Unlike 802.11a, b and g specifications, all of which define physical layer issues, 802.11i defines a security mechanism that operates between the Media Access Control (MAC) sublayer and the Network layer.

•The Wi-Fi Alliance refers to the new 802.11i standard as WPA2.

Friday, Dec 3, 2004 IEEE 802.11i 11

IEEE 802.11i standard:

• IEEE 802.11 TGi has defined two major frameworks:

• Pre-RSN

• RSN

• The definition of RSN according to IEEE 802.11i standard is a Security Network which only allows the creation of Robust Security Network Associations (RSNA).

• simply, Pre-RSN is what current WLANs are, but RSN systems are what IEEE 802.11i systems should be.

Friday, Dec 3, 2004 IEEE 802.11i 12

Pre-RSN IEEE 802.11 entity authentication

Open System authentication Allows a station to be authentication without having a

correct WEP keyShared Key authentication

The AP send a challenge packet to the Mobile Station

The MS encrypt the challenge packet using the shared WEP key and send the encrypted result back to the AP

IEEE 802.11i Frameworks:

Friday, Dec 3, 2004 IEEE 802.11i 13

IEEE 802.11i Frameworks: RSN

Authentication Enhancement:IEEE 802.11i utilizes IEEE 802.1X for its

authentication and key management services. Key Management and Establishment:

Manual key managementAutomatic key management

Encryption Enhancement:Temporal Key Integrity Protocol (TKIP)Counter-Mode/CBC-MAC Protocol (CCMP)

So .. These are the 3 enhancements which IEEE 802.11i has introduced .. We will talk about each of these items individually in the following slides.

Friday, Dec 3, 2004 IEEE 802.11i 14

IEEE 802.1X:Authentication Enhancement

• Port-based authentication mechanism used for both wired and wireless networks.

• Already implemented in many Operating Systems like Windows XP SP1.

• It provide a framework to authenticate and authorize devices connecting to network.

• IEEE 802.1X has three main pieces:

• Supplicant

• Authenticator

• Authentication Server (AS)

Friday, Dec 3, 2004 IEEE 802.11i 15

IEEE 802.1X:Authentication Enhancement

• Authenticator and supplicant communicate with one another by using the Extensible Authentication Protocol (EAP, RFC-2284).• EAP originally designed to work over PPP, but IEEE 802.1X define a method to use EAP Over LAN (EAPOL)• The EAP protocol can support multiple authentication mechanisms, such as MD5-challenge, One-Time Passwords, Generic Token Card, TLS, TTLS and smart cards such as EAP SIM etc.

Friday, Dec 3, 2004 IEEE 802.11i 16

IEEE 802.1X:Authentication Enhancement

• Ethernet type of EAPOL is 88-8E.

Friday, Dec 3, 2004 IEEE 802.11i 17

IEEE 802.1X:Authentication Enhancement

Friday, Dec 3, 2004 IEEE 802.11i 18

Key Management and Establishment:

• Two ways to support key distribution:

• Manual key management Administrator will manually configure keys.

• Automatic Key management IEEE 802.1x used for key management services, only available on RSNA.

• Two Key Hirarechies:

• Pairwise key hierarchy

• Group key hierarchy

Friday, Dec 3, 2004 IEEE 802.11i 19

Key Management and Establishment:

Master Key – represents positive access decision Pairwise Master Key (PMK) – represents

authorization to access 802.11 medium Pairwise Transient Key (PTK) – Collection of

operational keys: Key Confirmation Key (KCK) – used to bind PTK

to the AP, STA; used to prove possession of the PMK

Key Encryption Key (KEK) – used to distribute Group Transient Key (GTK)

Temporal Key (TK) – used to secure data traffic

Pairwise key hierarchy

Friday, Dec 3, 2004 IEEE 802.11i 20

Key Management and Establishment:Pairwise key hierarchy

Friday, Dec 3, 2004 IEEE 802.11i 21

4-way handshake:The 4-way handshake does several things: • Confirms the PMK between the supplicant and authenticator.• Establishes the temporal keys to be used by the data-confidentiality protocol • Authenticates the security parameters that were negotiated • Performs the first group key handshake • Provides keying material to implement the group key handshake

Key Management and Establishment:Pairwise key hierarchy

Friday, Dec 3, 2004 IEEE 802.11i 22

4-way handshake:

Friday, Dec 3, 2004 IEEE 802.11i 23

Group Master Key (GMK) – which is a random number.

Group Transient Key (GTK) – An operational keys: Temporal Key – used to “secure” multicast/broadcast

data traffic

802.11i specification defines a “Group key hierarchy” Entirely gratuitous: impossible to distinguish GTK from

a randomly generated key

Key Management and Establishment:Group key hierarchy

Friday, Dec 3, 2004 IEEE 802.11i 24

Key Management and Establishment:Group key hierarchy

Friday, Dec 3, 2004 IEEE 802.11i 25

Encryption Enhancement:• Two main Encryption algorithms are used:

• TKIP Temporal Key Integrity Protocol

• CCMP Counter-Mode/CBC-MAC Protocol

• Path: WEP -> WPA -> 802.11i

• WPA = TKIP + IEEE 802.1x

• 802.11i = TKIP + IEEE 802.1x + CCMP

Friday, Dec 3, 2004 IEEE 802.11i 26

Encryption Enhancement:TKIP:

• Stronger privacyStronger privacy- Still uses RC-4 encryption- Still uses RC-4 encryption- Key rollover (temporal key)- Key rollover (temporal key)- Expand IV space (24 - Expand IV space (24 48 bits

• TKIP consider as a short-term solution for WLAN security.TKIP consider as a short-term solution for WLAN security.

• used to ease the transition from current WEP WLAN to the next used to ease the transition from current WEP WLAN to the next RSN networks.RSN networks.

• Stronger integrityStronger integrity- Message Integrity Code (MIC) - computed with own - Message Integrity Code (MIC) - computed with own integrity algorithm (MICHAEL)integrity algorithm (MICHAEL)- Separate integrity key- Separate integrity key- Integrity counter measures- Integrity counter measures

Friday, Dec 3, 2004 IEEE 802.11i 27

Encryption Enhancement:TKIP:

TKIP uses the IV and base key to hash a new key – thus a new key will be available every packet; weak keys are mitigated.

Friday, Dec 3, 2004 IEEE 802.11i 28

Encryption Enhancement:CCMP:

• Long-term solution.• Mandatory for RSNA systems.• IV size is 48 bits.• Uses stronger encryption of AES which uses the CCM mode (RFC 3610) with 128-bit key and 128-bit block size.• CCM mode combines Counter-Mode (CTR) and Cipher Block Chaining Message Authentication Code (CBC-MAC). • For Privacy: AES-CCM (128 bit key)

Integrity: CBC-MAC• Support preauthorization so clients can preauthorize when roaming, if they already had a full authorization in their home network.

Friday, Dec 3, 2004 IEEE 802.11i 29

Friday, Dec 3, 2004 IEEE 802.11i 30

802.11i Summary

Data protocols provide confidentiality, data origin authenticity, replay protection

Data protocols require fresh key on every session

Key management delivers keys used as authorization tokens, proving channel access is authorized

Architecture ties keys to authentication