
Dr. Kemal Akkaya E-mail: kemal@cs.siu

Department of Computer Science, Southern Illinois University Carbondale
Wireless and Network Security, Lecture 9: IEEE 802.11 Security - 2
Dr. Kemal Akkaya, E-mail: kemal@cs.siu.edu



  1. Department of Computer Science, Southern Illinois University Carbondale
     Wireless and Network Security, Lecture 9: IEEE 802.11 Security - 2
     Dr. Kemal Akkaya, E-mail: kemal@cs.siu.edu
     Wireless & Network Security 1

  2. How about using Virtual Private Networking (VPN) for better Security?
  • Deploying a secure VPN over a wireless network can greatly increase the security of your data
  • The idea is to treat the wireless network the same as an insecure wired network (the Internet)
  • Any user gets authenticated through a server
    • Can then use the network as if he/she were on the network
    • Campus network, business, etc.
  • Not a good solution:
    • Overhead
    • Deployment
    • Performance
    • Susceptible to denial of service (DoS) attacks, along with any attack against the specific VPN

  3. Solutions for better IEEE 802.11 Security
  • IEEE 802.1x
    • Per-user authentication
    • Key distribution mechanism
  • Wi-Fi Protected Access (WPA)
    • Proposed in 2003
    • Subset of 802.11i
    • Two forms:
      • 802.1x + EAP + TKIP + MIC
      • Pre-shared Key + TKIP + MIC
  • IEEE 802.11i – WPA2
    • 802.1x + EAP + AES + CCM
  • But WEP is still in wide use

  4. IEEE 802.1X
  • 802.1X is a port-based, layer 2 (MAC layer) authentication framework for IEEE 802 networks
  • Uses EAP (Extensible Authentication Protocol) for implementation
  • It works along with the 802.11 protocol to manage authentication for WLAN clients
  • Centralized authentication
    • All clients go through APs
  • Interoperability: can work along with NICs running WEP
  • Three main components:
    • Supplicant
    • Authenticator
    • Authentication Server

  5. IEEE 802.1X Authentication Process
  • Client makes an association with the AP
  • AP places the client in an unauthenticated holding area; AP sends an authentication request to the client
  • Client sends its user ID to the AP, which forwards it to the server
  • Server sends a challenge via the AP to the client
    • Challenge type is up to the vendor
    • Secret info is not sent over the air in plaintext
  • Client responds to the challenge
  • Server verifies the response and provides fresh session keys

  6. IEEE 802.1X Authentication Process (message flow between Client, AP and Auth Server "RADIUS")
  • Client → AP: Let me in!
  • AP → Client: What's your ID?
  • Client → AP: ID = xxx@yyy.local
  • AP → Auth Server: Is xxx@yyy.local OK?
  • Auth Server → Client (via AP): Prove to me that you are xxx@yyy.local (EAP Challenge/Authentication)
  • Client → Auth Server (via AP): The answer is "xxx"
  • Auth Server → AP: Let him in. Here is the session key.
  • AP → Client: Come in. Here is the session key.
  • Encrypted session from the client to the network (e.g. http://www.yahoo.com)
  • Authentication session
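The exchange on slides 5 and 6, as an added example that is not part of the lecture: a supplicant, an access point acting as authenticator, and an authentication server standing in for the RADIUS server. The challenge/response and the session-key derivation use HMAC-SHA256 as a stand-in for a vendor EAP method (the real methods differ), the user database and shared secret are constructed for the example, and the access point keeps its controlled port closed until the server returns a key. Note what the exchange gives a defender: the secret never crosses the air, a captured response is useless because the server consumes the nonce, and both sides end up with the same fresh session key.

```python
import hashlib
import hmac
import secrets

# Constructed credential database for the hypothetical authentication server
# (stands in for the RADIUS user store; the secret is made up for this example).
USER_DB = {"xxx@yyy.local": b"constructed-shared-secret-for-xxx"}


class AuthServer:
    """Authentication server ("RADIUS" on the slide): issues challenges,
    verifies responses and hands out a fresh session key on success."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}          # identity -> outstanding challenge nonce

    def challenge(self, identity):
        """'Prove to me that you are <identity>': a fresh random nonce,
        or None if the identity is unknown ("Is xxx@yyy.local OK?")."""
        if identity not in self.user_db:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[identity] = nonce
        return nonce

    def verify(self, identity, response):
        """Check the response against the secret held for this identity.
        Returns a fresh session key on success, None on failure. The nonce is
        consumed either way, so a captured response cannot be replayed later."""
        nonce = self.pending.pop(identity, None)
        if nonce is None:
            return None
        secret = self.user_db[identity]
        expected = hmac.new(secret, b"response|" + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        # Session key bound to this run: derived on both sides from secret and nonce,
        # so the secret itself is never sent (stand-in for an EAP method's key derivation).
        return hmac.new(secret, b"session|" + nonce, hashlib.sha256).digest()


class Supplicant:
    """Wireless client: knows its identity and secret, never transmits the secret."""

    def __init__(self, identity, secret):
        self.identity = identity
        self.secret = secret
        self.session_key = None

    def answer(self, nonce):
        """'The answer is ...': prove possession of the secret without revealing it."""
        self.session_key = hmac.new(self.secret, b"session|" + nonce, hashlib.sha256).digest()
        return hmac.new(self.secret, b"response|" + nonce, hashlib.sha256).digest()


class AccessPoint:
    """Authenticator: relays the EAP exchange between supplicant and server and
    keeps the controlled port closed until the server says 'Let him in'."""

    def __init__(self, server):
        self.server = server
        self.authorized = {}       # identity -> session key for open ports

    def authenticate(self, supplicant):
        """Run the slide's exchange; returns True when the port is opened."""
        identity = supplicant.identity                      # "What's your ID?" / "ID = ..."
        nonce = self.server.challenge(identity)             # forwarded to the server
        if nonce is None:
            return False
        response = supplicant.answer(nonce)                 # challenge goes to the client via the AP
        session_key = self.server.verify(identity, response)
        if session_key is None:
            return False
        self.authorized[identity] = session_key             # "Let him in. Here is the session key."
        return True

    def port_open(self, identity):
        return identity in self.authorized


def demo():
    """Good credentials open the port; a wrong secret or unknown identity does not."""
    server = AuthServer(USER_DB)
    ap = AccessPoint(server)
    good = Supplicant("xxx@yyy.local", USER_DB["xxx@yyy.local"])
    bad = Supplicant("xxx@yyy.local", b"wrong-guess")
    unknown = Supplicant("nobody@yyy.local", b"anything")
    return {
        "good": ap.authenticate(good),
        "keys_match": ap.authorized.get("xxx@yyy.local") == good.session_key,
        "bad": ap.authenticate(bad),
        "unknown": ap.authenticate(unknown),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the server delivers the key to the AP inside the RADIUS protocol rather than by a direct function call, and the EAP method decides what the challenge looks like; the structure of the exchange is what the slide describes.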

  7. WPA (Wi-Fi Protected Access)
  • Pre-standard subset of IEEE 802.11i
  • Interim solution to run on existing wireless hardware
  • Uses Temporal Key Integrity Protocol (TKIP) for data encryption and confidentiality
  • On October 31, 2002, the Wi-Fi Alliance endorsed TKIP under the name Wi-Fi Protected Access (WPA)
  • TKIP changes:
    • Still uses RC4, 128 bits for encryption
    • Key mixing function for combining the secret root key with the IV
      • Merely concatenation in WEP
    • Provisions for changing base keys
    • Secret part of the encryption key changed in every packet
      • Avoids weak keys
    • IV acts as a sequence counter
      • Starts at 0, increments by 1
      • Against replay attacks
      • Packets received out of order will be rejected by the AP

  8. WPA Changes for Integrity
  • Includes Michael: a Message Integrity Code (MIC)
    • 64 bits
    • Replaces the CRC
    • Different keys for MIC and encryption
    • Observer cannot create a new MIC to mask changes to data
    • Computationally efficient
  • Increases IV from 24 bits to 64 bits
    • 900 years to repeat an IV at 10k packets/sec
    • For WEP this is done in 30 mins
  • Authentication
    • 2 forms based on 802.1X:
      • Per-user based: Public key
      • Pre-shared key: same key – WPA-PSK
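The three TKIP changes on slides 7 and 8 (per-packet key mixing instead of WEP's concatenation, the IV as a strictly increasing sequence counter that rejects replayed or out-of-order frames, and the larger IV space) in one added example that is not part of the lecture. The mixing function here is a keyed hash standing in for TKIP's real two-phase mixer, the root key and transmitter address are constructed, and the receiver-side replay filter is a hypothetical simplification of what the AP does. For the IV-reuse arithmetic the example uses 48 bits, because that is the width of TKIP's sequence counter (the TSC) and it is the width that reproduces the slide's 900-year figure at 10k packets/sec.

```python
import hashlib

PACKETS_PER_SEC = 10_000                 # rate assumed on the slide
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def seconds_until_iv_repeats(counter_bits, packets_per_sec=PACKETS_PER_SEC):
    """Time until a counter of the given width wraps and an IV must be reused."""
    return (2 ** counter_bits) / packets_per_sec


def wep_packet_key(root_key, iv):
    """WEP: the per-packet RC4 key is merely IV || root key. The IV is sent in the
    clear, so the first 3 key bytes are public and the remaining bytes never change."""
    assert len(iv) == 3
    return iv + root_key


def mixed_packet_key(root_key, transmitter_addr, tsc):
    """Hypothetical stand-in for TKIP key mixing (not the real two-phase mixer):
    a keyed hash of root key, transmitter address and sequence counter, so the
    whole per-packet key changes every packet and contains no fixed public bytes."""
    data = transmitter_addr + tsc.to_bytes(6, "big")        # 48-bit TSC
    return hashlib.blake2s(data, key=root_key, digest_size=16).digest()


class ReplayFilter:
    """Receiver-side check from slide 7: the sequence counter must strictly
    increase per transmitter; equal or lower values (replays, out-of-order
    frames) are rejected. Constructed simplification of the AP's behaviour."""

    def __init__(self):
        self.last_seen = {}                  # transmitter address -> highest TSC accepted

    def accept(self, transmitter_addr, tsc):
        last = self.last_seen.get(transmitter_addr, -1)
        if tsc <= last:
            return False                     # replay or out of order: drop
        self.last_seen[transmitter_addr] = tsc
        return True


def demo():
    root = bytes(range(16))                              # constructed 128-bit root key
    addr = bytes.fromhex("0200000000aa")                 # constructed transmitter MAC
    k1 = wep_packet_key(root, b"\x00\x00\x01")
    k2 = wep_packet_key(root, b"\x00\x00\x02")
    m1 = mixed_packet_key(root, addr, 1)
    m2 = mixed_packet_key(root, addr, 2)
    flt = ReplayFilter()
    # Frame sequence: in order, then a replayed 2, an old 1, then fresh 3.
    verdicts = [flt.accept(addr, t) for t in (0, 1, 2, 2, 1, 3)]
    return {
        "wep_minutes": seconds_until_iv_repeats(24) / 60,          # about 28 min
        "tkip_years": seconds_until_iv_repeats(48) / SECONDS_PER_YEAR,  # about 892 years
        "wep_keys_share_root": k1[3:] == k2[3:] == root,
        "mixed_keys_differ": m1 != m2 and root not in m1 and root not in m2,
        "replay_verdicts": verdicts,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two key-derivation functions show why the slide calls WEP's scheme "merely concatenation": every WEP packet key carries the same 13 secret bytes behind a public 3-byte prefix, whereas a mixed key exposes nothing that stays constant across packets. The replay filter shows the cost of the sequence-counter rule as well: a legitimately delayed frame that arrives after a higher counter value is dropped, which is the behaviour the slide describes.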

  9. Final Standard: 802.11i
  • The long-awaited security standard for wireless
  • Ratified in June 2004
  • Also known as WPA2 for the market
  • Another name is Robust Security Network (RSN)
  • Hardware manufactured before 2002 is likely to be unsupported
    • AES requires a new dedicated chip
  • From March 2006, WPA2 certification is mandatory for all new devices
  • Addresses the main problems in WEP
  • Components:
    • 802.1X based authentication
    • CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
    • RSN based associations

  10. More WPA2
  • CCMP
    • Uses the Advanced Encryption Standard (AES)
    • Unlike in TKIP, key management and message integrity are handled by a single component built around AES using a 128-bit key and a 128-bit block
    • Uses CCM
      • Encrypts data and MIC
  • Key caching
    • Skips re-entering the user credential by storing the host information on the network
    • APs can store keys
    • Fast re-connection
  • Pre-authentication
    • If previously authenticated
    • Allows a client to become authenticated with an AP before moving to it
    • Uses previous authentication info
    • Useful in encrypted VoIP over Wi-Fi
    • Fast roaming

  11. 802.11i Summary
