802.11 security
Courtesy of William Arbaugh with Univ. of Maryland, Jesse Walker with Intel, Gunter Schafer with TU Berlin, Bernard Aboba with Microsoft

agenda
• 802.11 introduction
• WEP
• 802.11i vs WPA
• 802.1x

Basic service set (BSS)
• AP and STAs

Independent BSS
• Between STAs
authentication
• Two modes
  • Open authentication
  • WEP authentication
* WEP: wired equivalent privacy

Open Authentication
[Figure: exchange between STA and AP: Authenticate (request), then Authenticate (success)]
• AP always accepts authentication request
• instead, AP may use MAC address lists for security (access control)

WEP Authentication
[Figure: exchange between STA and AP, shared secret distributed out of band: Authenticate (request); Challenge (Nonce); Response (Nonce RC4 encrypted under shared key); Decrypted nonce OK?; Authenticate (success)]
• Authentication key distributed out-of-band
• Access Point generates a “randomly generated” challenge
• Station encrypts challenge using the pre-shared secret key

Which one is better?
• WEP authentication
  • Gives a good matching example
  • Challenge: plaintext (nonce)
  • Response: ciphertext (encrypted nonce)
• In reality, open authentication is the norm
• Right after authentication/association, STA and AP use the same secret key
WEP Encapsulation
[Figure: Encapsulate/Decapsulate of a frame; labels: 802.11 Hdr, IV, Data, ICV, Encrypted part, "IV is changing"]
WEP Encapsulation Summary:
• Encryption Algorithm = RC4 (stream cipher)
• Per-packet encryption key = 24-bit IV concatenated to a pre-shared key
• WEP allows IV to be reused with any frame
• Data integrity provided by CRC-32 of the plaintext data (the “ICV”)
• Data and ICV are encrypted under the per-packet encryption key

RC4
[Figure: pseudo-random number generator keyed with Encryption Key K outputs random byte b; plaintext data byte p is combined with b to give ciphertext data byte $c = p \oplus b$]
Decryption works the same way: $p = c \oplus b$

ICV (integrity check value)
But the ICV is linear, meaning for any polynomials p and q
$\mathrm{ICV}(p+q) = \mathrm{ICV}(p) + \mathrm{ICV}(q)$
This means that if q is an arbitrary nth degree polynomial, i.e., an arbitrary change in the underlying message data:
$(p+q)x^{32} + \mathrm{ICV}(p+q) + b = px^{32} + qx^{32} + \mathrm{ICV}(p) + \mathrm{ICV}(q) + b = ((px^{32} + \mathrm{ICV}(p)) + b) + (qx^{32} + \mathrm{ICV}(q))$
Two modes in WEP keys
• Default keys
  • Every STA shares the same key
• Key mapping keys
  • Every STA uses its own key

default keys
Total 4 keys: 2 for AP + 2 for STAs
Why two for each direction?

Key mapping keys
• Different key for each user
• Still default key is necessary
  • For broadcast messages
• optional
$p = c \oplus b$
$b = c \oplus p$
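The two relations above ($b = c \oplus p$) and the ICV linearity slide can be checked on a toy WEP frame. This is an added example, not code from the original slides; the function names, the key, the IV and the data are constructed assumptions, and the frame is reduced to IV plus encrypted body (no 802.11 header or key ID).

```python
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream b for the given key."""
    s, j = list(range(256)), 0
    for i in range(256):                           # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                             # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))     # CRC-32 of the plaintext

def encapsulate(iv: bytes, key: bytes, data: bytes) -> bytes:
    body = data + icv(data)
    return iv + xor(body, rc4(iv + key, len(body)))  # per-packet key = IV || key

def decapsulate(key: bytes, frame: bytes):
    iv, enc = frame[:3], frame[3:]
    body = xor(enc, rc4(iv + key, len(enc)))
    data, got = body[:-4], body[-4:]
    return data if icv(data) == got else None      # None: ICV mismatch

def recover_keystream(plain: bytes, cipher: bytes) -> bytes:
    return xor(cipher, plain)                      # b = c XOR p, no key needed

def apply_q(frame: bytes, q: bytes) -> bytes:
    """Change the encrypted data by q and adjust the ICV, without the key."""
    # zlib's CRC-32 has an initial/final XOR, so it is affine, not strictly
    # linear: ICV(p^q) = ICV(p) ^ ICV(q) ^ ICV(0...0) for equal lengths.
    fix = xor(icv(q), icv(bytes(len(q))))
    return frame[:3] + xor(frame[3:], q + fix)

# Constructed sample values (assumptions, not from the slides).
KEY, IV, DATA = bytes.fromhex("0102030405"), bytes.fromhex("aabbcc"), b"constructed data"
FRAME = encapsulate(IV, KEY, DATA)
```

A frame altered through `apply_q` still passes `decapsulate`, while a plain bit flip does not: the ICV catches transmission errors but provides no integrity against a deliberate change, which is why 802.11i replaces it with a keyed integrity check.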
802.11i approach
• Separation of authentication and data integrity
• Leverage higher layer protocol for authentication

802.1x, EAP, RADIUS: authentication and access control
* These are not originally intended for WLAN
Authentication for dial-in users
[Figure: User (Supplicant) connects over PSTN (POTS) using PPP to a NAS or RAS (Authenticator) at the POP; the NAS talks RADIUS (EAP Over RADIUS) to the Authentication Server (AS) with its central database in the Enterprise or ISP Network]
• Supplicant: an entity that wants to have access
• Authenticator: an entity that controls the access gate
• Authentication server: an entity that decides whether the supplicant is to be admitted

Access control illustration
• Authenticator is alerted by the supplicant
• Supplicant identifies himself
• Authenticator requests authorization from the authentication server
• Authentication server indicates YES or NO
• Authenticator allows or blocks access
• Three party interaction
  • authenticator only opens channel until authentication/access control is performed
  • authenticator is like doorkeeper

Network Access Server (NAS) in Ethernet
• To offer economical Ethernet-based access we need a new class of network access server – the EtherNAS.
• The EtherNAS is managed like a dialup NAS but offers thousands of times the bandwidth.
• IEEE 802.11 APs supporting 802.1X and RADIUS are the first (but not the last) EtherNASes
• Key standards include:
  • IEEE 802
  • IETF RFC 2865 - 2869: RADIUS
  • IEEE 802.1X: Network Port Authentication
How about central database in NAS?

Why Do Auth at the Link Layer?
• It’s fast, simple, and inexpensive
  • Most popular link layers support it: PPP, IEEE 802
  • Cost matters if you’re planning on deploying 1 million ports!
• Client doesn’t need network access to authenticate
  • No need to resolve names, obtain an IP address prior to auth
• NAS devices need minimal layer 3 functionality
  • 802.11 access points, 1 Gbps switch ports go for $300, support 802.1D, 802.1X, SNMP & RADIUS, may have no layer 3 filtering support
  • Authentication, AAA support typically a firmware upgrade
• In a multi-protocol world, doing auth at link layer enables authorizing all protocols at the same time
  • Doing it at the network layer would mean adding authentication within IPv4, IPv6, AppleTalk, IPX, SNA, NetBEUI
  • Would also mean authorizing within multiple layers
  • Result: more delay

What is IEEE 802.1X?
• The IEEE standard for authenticated and auto-provisioned LANs.
• A framework for authentication and key management
  • IEEE 802.1X derives keys which can be used to provide per-packet authentication, integrity and confidentiality
  • Typically used along with well-known key derivation algorithms (e.g. TLS, SRP, etc.)
• IEEE 802.1X does not mandate security services – can do authentication, or authentication & encryption
  • Encryption alone not recommended (but that’s what WEP does)
• What 802.1X is not
  • Purely a wireless standard – it applies to all IEEE 802 technologies (e.g. Ethernet First Mile applications)
  • A cipher – not a substitute for WEP, RC4, DES, 3DES, AES, etc.
    • But 802.1X can be used to derive keys for any cipher
  • A single authentication method
    • But 802.1X can support many authentication methods without changes to the AP or NIC firmware

What is EAP?
• The Extensible Authentication Protocol (RFC 2284)
  • Provides a flexible link layer security framework
• Simple encapsulation protocol
  • No dependency on IP
  • ACK/NAK, no windowing
  • No fragmentation support
• Few link layer assumptions
  • Can run over any link layer (PPP, 802, etc.)
  • Does not assume physically secure link
    • Methods provide security services
  • Assumes no re-ordering
  • Can run over lossy or lossless media
    • Retransmission responsibility of authenticator (not needed for 802.1X or 802.11)
• EAP methods based on IETF standards
  • Transport Level Security (TLS) (supported in Windows 2000)
  • Secure Remote Password (SRP)
  • GSS_API (including Kerberos)

EAP Architecture
[Figure: layered stack. Method Layer: TLS, AKA, SIM, SRP; EAP APIs; EAP Layer: EAP; NDIS APIs; Media Layer: PPP, 802.3, 802.5, 802.11]
EAPOL-Start EAPOL-Logoff EAPOL-Key
What is RADIUS?
• Remote Access Dial In User Service
• Supports authentication, authorization, and accounting for network access
  • Physical ports (analog, ISDN, IEEE 802)
  • Virtual ports (tunnels, wireless)
• Allows centralized administration and accounting
• IETF status
  • Proposed standard
    • RFC 2865, RADIUS authentication/authorization
    • RFC 2618-2621, RADIUS MIBs
  • Informational
    • RFC 2866, RADIUS accounting
    • RFC 2867-8, RADIUS Tunneling support
    • RFC 2869, RADIUS extensions
    • RFC 3162, RADIUS for IPv6
802.1X Topologies
[Figure: STA (Supplicant, PAE) in the Semi-Public Network / Enterprise Edge talks EAP over LAN (EAPOL) to the AP (Authenticator, PAE); the AP talks RADIUS (EAP Over RADIUS) to the Authentication Server in the Enterprise or ISP Network]
PAE: port access entity
802.1X Security Philosophy
• Approach: a flexible security framework
  • Implement security framework in upper layers
  • Enable plug-in of new authentication, key management methods without changing NIC or Access Point
  • Leverage main CPU resources for cryptographic calculations
• How it works
  • Security conversation carried out between supplicant and authentication server
  • NIC, Access Point acts as a pass through device
• Advantages
  • Decreases hardware cost and complexity
  • Enables customers to choose their own security solution
  • Can implement the latest, most sophisticated authentication and key management techniques with modest hardware
  • Enables rapid response to security issues