wireless LAN security: After WEP


  • 7/27/2019 wireless LAN security: After WEP

    1/30

    Wireless LAN security: After WEP

    Carlo U. Nicola, SGI FH Aargau

    With extracts from publications/slides of:

    M. Joyce; Vodafone; S. Frankel et al., NIST; L. Buttyán, J.-P. Hubaux, ETHL


    NS HS12 2

    The general picture in a WLAN

    Problems:

    1. How to authenticate legitimate users?
    2. How to authorize authenticated and roaming users?
    3. How to guarantee confidentiality/integrity of messages?


    802.11i: a new security architecture standard

    Wi-Fi Protected Access (WPA)
    Robust Security Network (RSN)


    Manufacturers' standard

    WEP vs WPA vs WPA2


    TKIP: the WEP compatibility path

    802.11i tries to solve the compatibility problem with old WEP systems by defining a transitional (and optional) protocol called TKIP (Temporal Key Integrity Protocol). Its most remarkable characteristics are:

    - Provides confidentiality and integrity.
    - TKIP uses the existing RC4 but avoids some of WEP's worst problems.
    - It is not elegant, but runs on old hardware (after a software upgrade).

    TKIP corrects the following previous WEP flaws:

    - Message integrity: adds a message integrity protocol.
    - IV (Initialisation Vector) selection and use: as a counter (sequence number!).
    - Per-packet key mixing.
    - Increased size of the IV.
    - Key management.


    TKIP: RC4 seed production

    [Figure: per-packet key mixing. Labels: "RC4 stream to be XORed with plain text message"; "Dummy byte designed to avoid weak RC4 keys."]


    TKIP: IV, confidentiality and integrity

    IV size: from 24 bits → 48 bits

    - IV is used as a sequence number to avoid replay attacks.
    - IV is constructed to avoid certain weak keys (RC4 has some weak keys).

    Confidentiality:

    - Achieved through RC4 output XORed with the plain text.

    Integrity: new algorithm MIC (Message Integrity Code):

    - Replaces ICV (Integrity Check Value).
    - Protects against bit-flip attacks by adding a tamper-proof hash to messages.
    - Must be implemented on clients and AP.
    - MIC = H(random # || MAC header || sequence number || payload)
    - Sequence number must be in order or the packet is rejected.
    - Part of the firmware software update.
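The two receiver-side checks listed on this slide (a keyed MIC over MAC header, sequence number and payload, and a sequence number that must keep increasing), as an added Go example that is not from the original slides. HMAC-SHA256 stands in for TKIP's Michael function, the MIC key plays the role of the secret input to H, and the `Frame` and `Receiver` types and all sample values are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Frame is a constructed, simplified frame (not the 802.11 wire format).
type Frame struct {
	Header, Payload, MIC []byte
	Seq                  uint64 // 48-bit IV used as a sequence counter
}

// computeMIC keys HMAC-SHA256 (stand-in for TKIP's Michael) over
// MAC header || sequence number || payload and truncates to 8 bytes.
func computeMIC(key, header []byte, seq uint64, payload []byte) []byte {
	var s [8]byte
	binary.BigEndian.PutUint64(s[:], seq)
	m := hmac.New(sha256.New, key)
	m.Write(header)
	m.Write(s[2:]) // low 48 bits of the counter
	m.Write(payload)
	return m.Sum(nil)[:8]
}

// Receiver remembers the highest sequence number accepted so far.
type Receiver struct { key []byte; lastSeq uint64 }

// Accept checks the MIC first, then requires a strictly increasing counter.
func (r *Receiver) Accept(f Frame) error {
	if !hmac.Equal(f.MIC, computeMIC(r.key, f.Header, f.Seq, f.Payload)) {
		return fmt.Errorf("MIC mismatch: frame was modified")
	}
	if f.Seq <= r.lastSeq {
		return fmt.Errorf("sequence %d not above %d: replay", f.Seq, r.lastSeq)
	}
	r.lastSeq = f.Seq // only authentic, fresh frames advance the counter
	return nil
}

func main() {
	key := []byte("constructed-mic-key")
	f := Frame{Header: []byte("AP->STA"), Seq: 1, Payload: []byte("hello")}
	f.MIC = computeMIC(key, f.Header, f.Seq, f.Payload)
	r := &Receiver{key: key}
	fmt.Println(r.Accept(f), r.Accept(f)) // the second call presents the same frame again
}
```

Because the sequence number is covered by the MIC, changing it to get past the replay check invalidates the MIC instead.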


    802.11i: the new world of WPA2

    Robust Security Network (RSN) for establishing secure communications:

    - Uses 802.1x for authentication
    - Replaces TKIP

    AES algorithm replaces RC4:

    - Counter (CTR) Mode with Cipher Block Chaining (CCMP = Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
      1. CTR mode for encryption
      2. CBC-MAC provides data integrity/authentication
    - 128-bit keys, 48-bit IV
    - CCMP mandatory with RSN
    - Ensures data confidentiality and integrity


    802.1X authentication protocol as model for 802.11i

    1. The supplicant requests access to the services (wants to connect to the network)
    2. The authenticator controls access to the services (controls the state of a port)
    3. The authentication server authorizes access to the services
       a) the supplicant authenticates itself to the authentication server
       b) if the authentication is successful, the authentication server instructs the authenticator to switch the port on
       c) the authentication server informs the supplicant that access is allowed


    Mapping 802.1X to WLAN

    The simple mapping:

    - supplicant → mobile device (STA)
    - authenticator → access point (AP)
    - authentication server → server application running on the AP or on a dedicated machine
    - port → logical state implemented in software in the AP

    The extension to the basic 802.1X model in 802.11i:

    1. Successful authentication results not only in switching the port on, but also in a session key between the mobile device and the authentication server
    2. The session key is sent to the AP in a secure way:
       - This assumes a shared key between the AP and the auth server
       - This key is usually set up manually!


    Mapping 802.1X to WLAN


    AES Counter Mode with Cipher Block Chaining

    Counter Mode (CTR) encryption:

    1. Message is divided into blocks B_i
    2. Each block B_i is separately encrypted into E_K(B_i)
    3. A counter i is encrypted: E_K(i)
    4. E_K(i)E_K(B_i) produces the encrypted message block!

    CTR is closely related to the OFB mode, with the notable exception that decryption in CTR can be parallelized (a huge advantage in a mobile world).

    CBC-MAC Mode:

    E_K(.): AES encryption (AES key length 128-256 bits)
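How CTR encryption and CBC-MAC combine in AES-CCMP (this slide and the earlier "802.11i: the new world of WPA2" slide), as an added Go example that is not from the original slides: each keystream block E_K(counter) is XORed with the data, and a CBC-MAC tag computed over the plaintext is masked with the keystream block of counter 0. The block layout (flag byte, 11-byte nonce, 32-bit counter or length) and the names `block`, `cbcMAC`, `Seal` and `Open` are constructed for illustration and are not the 802.11i frame format; the nonce must never repeat under one key.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// block builds flag || 11-byte nonce || 32-bit field; the flag keeps MAC blocks apart from counter blocks.
func block(flag byte, nonce []byte, n uint32) []byte {
	x := make([]byte, 16)
	x[0] = flag
	copy(x[1:12], nonce)
	binary.BigEndian.PutUint32(x[12:], n)
	return x
}
// cbcMAC chains AES over a nonce/length block and the zero-padded message.
func cbcMAC(b cipher.Block, nonce, msg []byte) []byte {
	x := block(1, nonce, uint32(len(msg)))
	b.Encrypt(x, x)
	for i := 0; i < len(msg); i += 16 {
		for j := 0; j < 16 && i+j < len(msg); j++ {
			x[j] ^= msg[i+j]
		}
		b.Encrypt(x, x)
	}
	return x
}
// Seal returns CTR(tag || msg): counter 0 masks the tag, counters 1..n the data.
func Seal(b cipher.Block, nonce, msg []byte) []byte {
	buf := append(cbcMAC(b, nonce, msg), msg...)
	cipher.NewCTR(b, block(0, nonce, 0)).XORKeyStream(buf, buf)
	return buf
}
// Open decrypts, recomputes the CBC-MAC and rejects modified frames.
func Open(b cipher.Block, nonce, ct []byte) ([]byte, error) {
	pt := make([]byte, len(ct))
	cipher.NewCTR(b, block(0, nonce, 0)).XORKeyStream(pt, ct)
	if len(pt) < 16 || subtle.ConstantTimeCompare(pt[:16], cbcMAC(b, nonce, pt[16:])) != 1 {
		return nil, fmt.Errorf("integrity check failed")
	}
	return pt[16:], nil
}
func main() {
	b, _ := aes.NewCipher(make([]byte, 16)) // constructed all-zero 128-bit key
	ct := Seal(b, []byte("nonce-00001"), []byte("constructed payload"))
	ct[20] ^= 1 // flip one ciphertext bit
	fmt.Println(Open(b, []byte("nonce-00001"), ct))
}
```

Both modes call only the forward direction of the cipher (`Encrypt`), so decryption needs no AES decryption routine.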


    802.11i: Overview

    1. Mutually authenticate STA and AS
    2. Generate Master Key (MK) as a side effect of authentication
    3. Generate pairwise MK as an access authorization token
    4. Generate 4 keys for encryption/integrity


    802.11i: Protocol phases


    802.11i: Protocol, some details

    Step 1: Discovery

    - AP advertises network security capabilities to stations (STAs)

    Step 2: 802.1x authentication:

    - Mutual authentication of both STA and AS
    - Generate Master Key (MK) as a side effect of authentication
    - Generate pairwise MK as an access authorization token
    - Generate 4 keys for encryption/integrity


    RSN Key hierarchy

    MK PMK or AP could make access control decision instead of the authorization server (AS)

    MK is fresh and bound to the session between STA and AS

    PMK is bound to this STA and this AP


    802.11i: Authentication overview

    At the end of the authentication phase between STA and AS we have:

    - The AS and STA have established a session;
    - The AS and STA possess a mutually authenticated Master Key;
    - The Master Key represents a decision to grant access based on authentication
    - STA and AS have derived PMK
    - PMK is an authorization token to enforce access control decision
    - AS has distributed the PMK to the STA's AP


    How to derive the keys in a secure manner

    Four separate keys for two layers of protection:

    1. EAP (Extensible Authentication Protocol) handshake and user's data: EAP is only a carrier protocol that carries the messages of a higher-layer authentication protocol (i.e. TLS).
       a) Data Encryption key
       b) Data Integrity key
       c) EAPOL (EAP On LAN)-Key Encryption key
       d) EAPOL-Key Integrity key
    2. Pairwise transient key (PTK): the four keys
    3. Once the keys are chosen: AES encryption (confidentiality), AES CBC MAC (integrity)


    RSN: association and security negotiation (1)

    Notice the similarities with the SSL protocol!


    RSN: association and security negotiation (2)

    RSN capable devices identify themselves by asserting Robust Security in Association, Beacon, Probe, and Reassociation messages. There are four association-specific parameters:

    (1) Authentication mechanism
    (2) Unicast cipher suite
    (3) Multicast cipher suite
    (4) Nonces


    Protocols: EAP, EAPOL and RADIUS

    EAP (Extensible Authentication Protocol) [RFC 3748] is a carrier protocol designed to transport the messages of real authentication protocols (e.g., TLS). It knows only four types of messages:

    - EAP request: carries messages from the supplicant to the authentication server
    - EAP response: carries messages from the authentication server to the supplicant
    - EAP success: signals successful authentication
    - EAP failure: signals authentication failure

    The authenticator doesn't understand what is inside the EAP messages; it recognizes only EAP success and failure.

    EAPOL (EAP over LAN) [802.1X] is used to encapsulate EAP messages into LAN protocols (e.g., Ethernet). EAPOL carries EAP messages between the STA and the AP.

    RADIUS (Remote Access Dial-In User Service) [RFC 2865-2869, RFC 2548] carries EAP messages between the AP and the authentication server. RADIUS is mandatory for WPA but optional for RSN. The MS-MPPE-Recv-Key RADIUS attribute is used to transport the session key from the auth server to the AP (job of the system's manager!).


    EAP dynamics (1)


    EAP dynamics (2)


    Protocols (2): LEAP, EAP-TLS, PEAP

    LEAP (Light EAP):

    - developed by Cisco
    - similar to MS-CHAP extended with session key transport

    EAP-TLS (TLS over EAP):

    - only the TLS Handshake Protocol is used
    - server and client authentication, generation of master secret
    - TLS master secret becomes the session key
    - mandated by WPA, optional in RSN

    PEAP (Protected EAP):

    - phase 1: TLS Handshake without client authentication
    - phase 2: client authentication protected by the secure channel established in phase 1


    Protocols (3): EAP-SIM

    EAP-SIM:

    - An extended GSM authentication in a WLAN context.
    - Protocol (simplified):

      STA → AP: EAP response ID (IMSI/pseudonym)
      STA → AP: EAP response (nonce)
      AP: [gets two auth. triplets from the mobile operator's AuC]
      AP → STA: EAP request (2RAND|MIC2Kc|{new pseudonym}2Kc)
      STA → AP: EAP response (2SRES)
      AP → STA: EAP success


    Summary of all the major protocols


    Bibliography

    1. W. Arbaugh, N. Shankar, J. Wan, K. Zhang. Your 802.11 network has no clothes. IEEE Wireless Communications Magazine, 9(6):44-51, 2002.
    2. N. Borisov, I. Goldberg, D. Wagner. Intercepting mobile communications: the insecurity of 802.11. Proceedings of the 7th ACM Conference on Mobile Computing and Networking, 2001.
    3. B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz. Extensible Authentication Protocol (EAP). RFC 3748, 2004.
    4. J. Edney, W. Arbaugh. Real 802.11 Security: WiFi Protected Access and 802.11i. Addison-Wesley, 2004.
    5. S. Fluhrer, I. Mantin, A. Shamir. Weaknesses in the key scheduling algorithm of RC4. Proceedings of the 8th Workshop on Selected Areas in Cryptography, 2001.
    6. B. Aboba, P. Calhoun. RADIUS (Remote Authentication Dial In User Service) Support for Extensible Authentication Protocol (EAP). RFC 3579, 2003.
    7. J. Walker. Unsafe at any key size: An analysis of the WEP encapsulation. IEEE 802.11-00/362, 2000.
    8. Wi-Fi Alliance. Wi-Fi Protected Access: http://www.wi-fi.org/white_papers/whitepaper-042903-wpa/
    9. IEEE Std 802.1X-2001. IEEE Standard: Port-based Network Access Control, 2001.
    10. IEEE Std 802.11. IEEE Standard: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, 1999.
    11. IEEE Std 802.11i. IEEE Standard Amendment 6: Medium Access Control (MAC) Security Enhancements, 2004.


    Appendix

    RSN Key glossary


    RSN Key glossary

    From L. Buttyán, J.-P. Hubaux, ETHL "Key management": The session key established between the mobile device and the AP as the result of the authentication procedure is called the pairwise master key (PMK). It is a pairwise key, because it is known only to that mobile device and the AP (and the authentication server, but it is considered to be a trusted entity); and it is a master key, because it is not used directly for encryption or integrity protection of messages, but it is used to derive encryption and integrity keys.

    More precisely, both the mobile device and the AP derive four keys from the PMK: a data-encryption key, a data-integrity key, a key-encryption key, and a key-integrity key.

    These four keys together are called the pairwise transient key (PTK). We must note that AES-CCMP uses the same key for encryption and for integrity protection of data, therefore, in the case of AES-CCMP, the PTK consists of three keys only. Besides the PMK, the derivation of the PTK also uses as input the MAC addresses of the parties (the mobile device and the AP) and two random numbers generated by the parties.
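The PTK derivation described in this glossary (and on the "How to derive the keys in a secure manner" slide), as an added Go example that is not from the original slides. It follows the IEEE 802.11i pairwise key expansion with the HMAC-SHA1 based PRF for the AES-CCMP case, where the PTK splits into three 128-bit keys; the function and type names and all sample values are constructed.

```go
package main
import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

// prf is the 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
func prf(key []byte, label string, data []byte, n int) []byte {
	var out []byte
	for i := byte(0); len(out) < n; i++ {
		m := hmac.New(sha1.New, key)
		m.Write([]byte(label))
		m.Write([]byte{0})
		m.Write(data)
		m.Write([]byte{i})
		out = m.Sum(out)
	}
	return out[:n]
}

// ordered returns min(a,b) || max(a,b) so both sides build the same input.
func ordered(a, b []byte) []byte {
	if bytes.Compare(a, b) > 0 {
		a, b = b, a
	}
	return append(append([]byte{}, a...), b...)
}

// PTK for AES-CCMP: key-integrity key, key-encryption key, one data key.
type PTK struct{ KCK, KEK, TK []byte }

// DerivePTK mixes the PMK with both MAC addresses and both nonces.
func DerivePTK(pmk, apMAC, staMAC, aNonce, sNonce []byte) (PTK, error) {
	if len(pmk) != 32 || len(apMAC) != 6 || len(staMAC) != 6 {
		return PTK{}, fmt.Errorf("want 32-byte PMK and 6-byte MAC addresses")
	}
	data := append(ordered(apMAC, staMAC), ordered(aNonce, sNonce)...)
	k := prf(pmk, "Pairwise key expansion", data, 48)
	return PTK{KCK: k[:16], KEK: k[16:32], TK: k[32:48]}, nil
}

func main() {
	pmk := bytes.Repeat([]byte{0x11}, 32) // constructed PMK, MACs and nonces
	ap, sta := []byte{2, 0, 0, 0, 0, 1}, []byte{2, 0, 0, 0, 0, 2}
	an, sn := bytes.Repeat([]byte{0xA}, 32), bytes.Repeat([]byte{0xB}, 32)
	p, err := DerivePTK(pmk, ap, sta, an, sn)
	fmt.Printf("KCK=%x KEK=%x TK=%x err=%v\n", p.KCK, p.KEK, p.TK, err)
}
```

Since both nonces enter the derivation, every handshake yields a fresh PTK even though the PMK stays the same.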


    SIM refresher