IEEE 802.11i

NES 541

Dr. Mohammad Shurman

Overview of 802.11i

802.11i task group developed capabilities to address WLAN security issues after the collapse of WEP Wi-Fi Alliance Wi-Fi Protected Access (WPA)

final 802.11i Robust Security Network (RSN

Main novelties in 802.11i wrt to WEP – access control model is based on 802.1X

– flexible authentication framework (based on EAP – Extensible Authentication Protocol)

– authentication can be based on strong protocols (e.g., TLS – Transport Layer Security)

– authentication process results in a shared session key (which prevents session hijacking)

– different functions (encryption, integrity) use different keys derived from the session key using a one-way function

– integrity protection is improved

– encryption function is improved

2 of 27

Overview of 802.11i RSN

The 802.11i RSN security specification defines the following services:

• Authentication: A protocol is used to define an exchange between a user and an AS that provides mutual authentication and generates temporary keys to be used between the client and the AP over the wireless link.

• Access control: This function enforces the use of the authentication function, routes the messages properly, and facilitates key exchange. It can work with a variety of authentication protocols.

• Privacy with message integrity: MAC-level data (e.g., an LLC PDU) are encrypted, along with a message integrity code that ensures that the data have not been altered.

3 of 27

802.11i Phases of Operation

The operation of an IEEE 802.11i RSN can be broken down into five distinct phases of operation. – Discovery

– Authentication

– Key generation and distribution

– Protected data transfer

– Connection termination

authentication server (AS)

4 of 27

Phases of Operation 1

• Discovery: AP uses messages called Beacons and Probe Responses to advertise IEEE 802.11i security policy. The STA uses these to identify an AP for a WLAN with which it wishes to communicate.

• The STA associates with the AP, which it uses to select the cipher suite and authentication mechanism when the Beacons and Probe Responses present a

choice.

5 of 27

Phases of Operation 2

• Authentication: During this phase, the STA and AS prove their identities to each other. The AP blocks non-authentication traffic between the STA and AS until the authentication transaction is successful.

• The AP does not participate in the authentication transaction other than forwarding traffic between the STA and AS.

• This phase enables mutual authentication between an STA and an authentication server (AS)

• NULL authentication where the client says "authenticate me", and the AP responds with "yes".

6 of 27

IEEE 802.1X Access Control Approach

IEEE 802.11i uses the Extensible Authentication Protocol (EAP) defined in the IEEE 802.1X standard and designed to provide access control functions for LANs.

Before a supplicant is authenticated by the AS, using an authentication protocol, the authenticator (AP) only passes control or authentication messages between the supplicant and the AS

– the IEEE802.1X control channel is unblocked but the 802.11 data channel is blocked.

Once a supplicant is authenticated and keys are provided

– the authenticator can forward data from the supplicant,

– Under these circumstances, the data channel is unblocked.

IEEE802.1X uses the concepts of controlled and uncontrolled ports.

Ports are logical entities defined within the authenticator and refer to physical network connections. For a WLAN, the authenticator may have only two physical ports

– one connecting to the DS (backbone distribution system)

– one for wireless communication within its BSS.

7 of 27

IEEE 802.1X Access Control Approach

8 of 27

802.1X authentication model

supplicant services authenticator authentication server

LAN

authenticator system supplicant sys auth server sys

port controls

the supplicant requests access to the services (wants to connect to the network)

the authenticator controls access to the services (controls the state of a port)

the authentication server authorizes access to the services – the supplicant authenticates itself to the authentication server – if the authentication is successful, the authentication server instructs the

authenticator to switch the port on – the authentication server informs the supplicant that access is allowed

9 of 27

Mapping the 802.1X model to WiFi

supplicant mobile device (STA)

authenticator access point (AP)

authentication server server application running on the AP or on a dedicated machine

port logical state implemented in software in the AP

one more thing is added to the basic 802.1X model in 802.11i:

– successful authentication results not only in switching the port on, but also in a session key between the mobile device and the authentication server

– the session key is sent to the AP in a secure way

• this assumes a shared key between the AP and the auth server

– this key is usually set up manually

10 of 27

Protocols – EAP, EAPOL, and RADIUS

EAP (Extensible Authentication Protocol) [RFC 3748] – carrier protocol designed to transport the messages of “real” authentication

protocols (e.g., TLS) – very simple, four types of messages:

• EAP request – carries messages from the supplicant to the authentication server • EAP response – carries messages from the authentication server to the supplicant • EAP success – signals successful authentication • EAP failure – signals authentication failure

– authenticator doesn’t understand what is inside the EAP messages, it recognizes only EAP success and failure

EAPOL (EAP over LAN) [802.1X] – used to encapsulate EAP messages into LAN protocols (e.g., Ethernet) – EAPOL is used to carry EAP messages between the STA and the AP

RADIUS (Remote Access Dial-In User Service) [RFC 2865-2869, RFC 2548] – used to carry EAP messages between the AP and the auth server – Microsoft point to point encryption attribute (MS-MPPE-Recv-Key) is used to

transport the session key from the auth server to the AP – RADIUS is mandated by WPA and optional for RSN

11 of 27

EAP in action

AP STA auth server

EAP Request (Identity)

EAP Response (Identity) EAP Response (Identity)

EAP Request 1 EAP Request 1

EAP Response 1 EAP Response 1

EAP Success EAP Success

EAP Request n EAP Request n

EAP Response n EAP Response n

...

...

em

bedded a

uth. p

roto

col

EAPOL-Start

encapsulated in EAPOL

encapsulated in RADIUS

12 of 27

Protocols – LEAP, EAP-TLS, PEAP, EAP-SIM

LEAP (Light EAP) – developed by Cisco – similar to MS-CHAP extended with session key transport

EAP-TLS (TLS over EAP) – only the TLS Handshake Protocol is used – server and client authentication, generation of master secret – TLS maser secret becomes the session key – mandated by WPA, optional in RSN

PEAP (Protected EAP) – phase 1: TLS Handshake without client authentication – phase 2: client authentication protected by the secure channel established in phase 1

EAP-SIM – extended GSM authentication in WiFi context – protocol (simplified) :

STA AP: EAP res ID ( IMSI / pseudonym ) STA AP: EAP res ( nonce )

AP: [gets two auth triplets from the mobile operator’s AuC] AP STA: EAP req ( 2*RAND | MIC2*Kc | {new pseudonym}2*Kc ) STA AP: EAP res ( 2*SRES ) AP STA: EAP success

Authentication Center

13 of 27

Summary of the protocol architecture

TLS (RFC 2246)

EAP-TLS (RFC 2716)

EAP (RFC 3748)

EAPOL (802.1X)

802.11

EAP over RADIUS (RFC 3579)

RADIUS (RFC 2865)

TCP/IP

802.3 or else

mobile device AP auth server

14 of 27

Phases of Operation 3

• Key generation and distribution: The AP and the STA perform several operations that cause cryptographic keys to be generated and placed on the AP and the STA.

• Frames are exchanged between the AP and STA only

15 of 27

IEEE802.11i Key Management

Phase

16 of 27

IEEE802.11i Key Management Phase

Notice that the AP controlled port is still blocked to general user traffic. Although the authentication is successful, the ports remain blocked until the temporal keys are installed in the STA and AP, which occurs during the 4-Way Handshake. During the key management phase, a variety of cryptographic keys are generated and distributed to STAs. There are two types of keys:

– Pairwise keys are used for communication between a pair of devices, typically between an STA and an AP.

– group keys, for multicast communication. These keys form a hierarchy, beginning with a master key from which other keys are derived dynamically and used for a limited period of time.

17 of 27

IEEE802.11i Keys

pre-shared key (PSK) is a secret key shared by the AP and a STA, and installed offline

master session key (MSK) also known as the authorization, authentication and accounting key(AAAK) which is generated using the IEEE 802.1X protocol during the authentication phase.

pairwise master key (PMK) is derived from the master key as follows:

If a PSK is used, then the PSK is used as the PMK

if a MSK is used, then the PMK is derived from the MSK by truncation (if necessary).

By the end of the authentication phase (on EAP Success message), both the AP and the STA have a copy of their shared PMK.

pairwise transient key (PTK), which in fact consists of three keys to be used for communication between an STA and AP after they have mutually authenticated.

To derive the PTK, the PMK, the MAC addresses of the STA and AP, and nonces generated when needed are all input to the HMAC-SHA-1 function.

Group keys are used for multicast communication when one STA sends MPDU's to multiple STAs.

18 of 27

Key hierarchies

PMK (pairwise master key)

PTK (pairwise transient keys): - key encryption key - key integrity key - data encryption key - data integrity key (128 bits each)

GTK (group transient keys): - group encryption key - group integrity key

802.1X authentication

key derivation in STA and AP

random generation in AP

GMK (group master key)

key derivation in AP

protection

transport to every STA

unicast message trans. between STA and AP

broadcast messages trans. from AP to STAs

protection

protection

19 of 27

4-way handshake

4-way handshake usage

– The STA and SP use this handshake

to confirm the existence of the PMK

– verify the selection of the cipher suite

– derive a fresh PTK for the following

data session.

– For group key distribution, the AP

generates a GTK and distributes it to

each STA in a multicast group.

Anonce: Authenticator nonce

Snonce : Supplicant nonce

20 of 27

21 of 27

Phases of Operation 4

• Protected data transfer: Frames are exchanged between the STA and the end station through the AP. secure data transfer occurs between the STA and the AP only; security is not provided end-to-end.

22 of 27

Protected data transfer

have two schemes for protecting data

Temporal Key Integrity Protocol (TKIP)

s/w changes only to older WEP

adds 64-bit Michael message integrity code (MIC)

encrypts MPDU (MAC protocol data unit) plus MIC value using RC4

Counter Mode-CBC MAC Protocol (CCMP)

uses the cipher block chaining message authentication code (CBC-MAC) for integrity

uses the CTR block cipher mode of operation

23 of 27

24 of 27

Phases of Operation 5

• Connection termination: The AP and STA exchange frames. During this phase, the secure connection is torn down and the connection is restored to the original state.

25 of 27

Summary on WiFi security

security has always been considered important for WiFi

early solution was based on WEP – seriously flawed

– not recommended to use

the new security standard for WiFi is 802.11i – access control model is based on 802.1X

– flexible authentication based on EAP and upper layer authentication protocols (e.g., TLS, GSM authentication)

– improved key management

– TKIP • uses RC4 runs on old hardware

• corrects WEP’s flaws

• mandatory in WPA, optional in RSN (WPA2)

– AES-CCMP

• uses AES in CCMP mode (CTR mode and CBC-MAC)

• needs new hardware that supports AES

26 of 27

see you next class

27 of 27