Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1
Wireless Security Timeline • WEP - Part of original 802.11 specification published in 1999. • WPA - Developed to fix numerous WEP flaws. Ratified by Wi-Fi Alliance in 2003. • 802.11i - More robust, permanent security standard expected to be finalized soon. Currently in 7th draft.
WEP • Wired Equivalent Privacy • Uses RC4 Stream cipher • Has static 40-bit base key • 64-bit per-packet key • 24-bit Initialization Vector (IV) • Uses Integrity Check Value (ICV) to verify integrity
WEP Weaknesses (IV repetition) • Short 24-bit IV means RC4 key must be changed every $2^{24}$ packets or data can be exposed via IV repetition. • With repeated IV -> $c_1 \oplus c_2 = p_1 \oplus p_2$ • Not very feasible to change WEP key after 16 million packets transmitted.
WEP Weaknesses (Replay Attack) [Diagram: Alice and Bob exchange authorized WEP communications; Trudy eavesdrops and records them, then replays the packets.]
WEP Weaknesses (Forgery Attack) • Packet data can be forged • WEP uses ICV (CRC-32) to verify integrity. • Create a blank message with same number of data bytes, flip some bits and compute ICV. • XOR bit-flipped message and ICV into captured message. • Result - Undetected forgery. • Identity can be forged • Source address, Destination address not protected.
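The IV-repetition and forgery weaknesses above, as an added Python example that is not part of the original slides: a minimal WEP-style encapsulation (RC4 keyed with IV || base key, CRC-32 ICV) showing that two ciphertexts under a repeated IV XOR to the XOR of their plaintexts, and that a bit-flipped frame with a patched ICV still passes the receiver's integrity check. The key, IV, messages and function names are constructed for illustration.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")   # unkeyed CRC-32

def wep_encrypt(iv: bytes, key: bytes, data: bytes) -> bytes:
    body = data + icv(data)
    return xor(body, rc4(iv + key, len(body)))      # per-packet key = IV || base key

def wep_decrypt(iv: bytes, key: bytes, ct: bytes):
    body = xor(ct, rc4(iv + key, len(ct)))
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None       # None = ICV check failed

def flip_bits(ct: bytes, delta: bytes) -> bytes:
    """Modify ct without the key. CRC-32 is affine, so for equal lengths
    crc(m ^ d) = crc(m) ^ crc(d) ^ crc(zeros) and the ICV can be patched."""
    patch = delta + xor(icv(delta), icv(bytes(len(delta))))
    return xor(ct, patch)

# Constructed sample values, not taken from the slides.
KEY, IV = bytes.fromhex("0102030405"), bytes.fromhex("aabbcc")
P1, P2 = b"transfer 0100 USD", b"hello from client"

def iv_reuse_leak() -> bytes:
    """XOR of two ciphertexts under the same IV: the keystream cancels."""
    return xor(wep_encrypt(IV, KEY, P1), wep_encrypt(IV, KEY, P2))[:len(P1)]

def forged_plaintext():
    delta = xor(P1, b"transfer 9100 USD")           # zero except the changed digit
    return wep_decrypt(IV, KEY, flip_bits(wep_encrypt(IV, KEY, P1), delta))
```

Both results follow from the ICV being an unkeyed checksum under a stream cipher, which is what the keyed Michael MIC in TKIP and CBC-MAC in CCM replace.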
WEP Weaknesses (Keys) • WEP uses same key for authentication and encryption. • No way to manage keys. • Same static key used on AP as well as all clients.
WPA: The solution for today • Wi-Fi Protected Access (WPA) created to fix vulnerabilities of WEP while keeping the ability to run on legacy Access Points. • Subset of 802.11i Standard. • Two major components: TKIP and 802.1X Extensible Authentication Protocol (EAP) based authentication.
TKIP • Temporal Key Integrity Protocol. • Consists of new algorithms to wrap WEP • A new Message Integrity Code (MIC) called Michael. • IV sequencing to defeat replay attacks. • A per-packet key mixing function to de-correlate IVs from weak keys. • A re-keying mechanism to provide fresh encryption and integrity keys.
TKIP (Michael) • Uses two 64-bit keys, one for each link direction. • Unlike WEP, packet Sender Address and Destination Address are included in the MIC computation. • 8-byte MIC appended to the packet data.
TKIP (IV Sequencing) • IV sequencing used to protect against replay attacks. • Reset packet sequence number to 0 on rekey. • Increment sequence number by 1 each time packet transmitted. • Packets received out of sequence are dropped.
TKIP (Key mixing) • Per-packet mixing function implemented in 2 phases: • Phase 1: Combines local MAC address and temporal key, then runs the result through an S-box to produce an intermediate key. • Phase 2: Feistel cipher used to encrypt the packet sequence number under the intermediate key, producing a 128-bit per-packet key.
TKIP (Keys) • One 128-bit encryption key • Two 64-bit integrity keys • Master keys assigned by Authentication Server using the 802.1X architecture
802.1X EAP • WPA uses 802.1X as an authentication and key replacement mechanism. • 802.1X specifies the following components: • Supplicant – A user or a client that wants to be authenticated. • Authentication server – An authentication system, such as a RADIUS server, that handles actual authentications. • Authenticator – A device that acts as an intermediary between a supplicant and an authentication server. Usually, an AP.
802.1X EAP Messages [Diagram: message sequence among Supplicant, Authenticator and Auth. Server: Attach; EAP Identity Request; EAP Identity Response; EAP Auth Request; EAP Auth Response; EAP Success / Optional Master Key.]
Different forms of EAP • EAP-Transport Layer Security (EAP-TLS) • Authentication requires use of PKI • EAP-Tunneled TLS (EAP-TTLS) • Favored by some for use in 802.11i • EAP-Protected EAP (PEAP) • Favored by some for use in 802.11i
802.11i: Robust Security for Tomorrow's WLANs • Still uses some WPA features • TKIP • 802.1X • Key hierarchy • Key management
802.11i • New cipher • AES block cipher replaces RC4 • AP hardware needs to be upgraded to support more complex AES computations. • Mode of operation - AES Counter Mode Encryption with CBC-MAC (CCM).
AES-CCM Mode • CBC-MAC used to compute MIC on header and payload. • CTR mode is used to encrypt the payload and MIC. [Diagram: frame fields Header, Payload and MIC, with spans labelled Authenticated and Encrypted.]
802.11i (Other Features) • EAP over an Ethernet LAN (EAPOL) • Roaming support • Allows clients to pre-authenticate with different APs, on wired or wireless LANs. • Independent Base Service Set (IBSS) • Allows clients to authenticate to each other, even if not in range of an AP. • Password-to-key mapping