1 / 28

Solutions for WEP

Solutions for WEP. Bracha Hod June 1, 2003. 802.11i Task Group. Addresses WEP issues No forger y protection No protection against replays Attack through weak keys IV re-use But has constraints Needs a firmware patch: large market already Access Points have cheap proc essor

macaria
Download Presentation

Solutions for WEP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Solutions for WEP Bracha Hod June 1, 2003

  2. 802.11i Task Group • Addresses WEP issues • No forgery protection • No protection against replays • Attack through weak keys • IV re-use • But has constraints • Needs a firmware patch: large market already • Access Points have cheap processor • Part is hardwired in the devices

  3. Robust Secure Network • Interim solution • Use constrains • 802.1x - authentication and key management • TKIP - data encapsulation • Longterm solution • Ignore constrains • 802.1x - authentication and key management • AES - data encapsulation

  4. 802.1X

  5. EAP-TLS EAP 802.1X (EAPoL) RADIUS 802.11 UDP/IP 802.1x Architecture • Allows choice of auth. methods using EAP • Chosen by peers at authentication time • Access point doesn’t care about EAP methods • Requires some authentication server • RADIUS is the de facto back-end protocol

  6. Uncontrolled port Authentication Server Supplicant Authenticator Controlled port 802.1X Terminology • Port-based access control mechanism • Ports for passing data without authentication • Parts for passing data only after authentication

  7. Associate EAP Identity Request EAP Identity Response EAP Identity Response Authentication Server Supplicant Authenticator EAP Auth Request EAP Auth Request EAP Auth Response EAP Auth Response EAP-Success EAP-Success 802.1x Model 802.1x Radius Authentication traffic Port Status: Normal Data

  8. 802.1x Advantages • Standards-based • Flexible authentication • Scalable to large enterprise networks • Centrally managed • Roaming can be made as transparent as possible • Keys are dynamically generated and propagated

  9. 802.1x Flaws • Possible attacks • Man-in-the-middle • Session hijacking • Denial-of-service attacks • Solutions • Strong mutual authentication by protocols like EAP-TLS, EAP-TTLS and EAP-PEAP which provide strong master-key in the end • The area of coverage of an access point is small enough that an attacker would have a substantial risk of discovery

  10. TKIP

  11. Temporal Key Integrity Protocol • Designed as a wrapper around WEP • Can be implemented in software • Reuses existing WEP hardware • Runs WEP as a sub-component • Components • Cryptographic message integrity code • Packet sequencing • Per-packet key mixing • Re-keying mechanism

  12. SA DA Payload 8 byte MIC Michael MIC • Sender and receiver share 64-bit secret key • MIC = h (src MAC|dst MAC|frame body)K • If receivers computation matches the MIC sent, then message presumed authentic • If 2 forgeries in a second, then assume under attack (delete keys, disassociate, and reassociate) Authentication Key

  13. Wireless Station Access Point Hdr Hdr Hdr Packet n Packet n + 1 Packet n Packet Sequencing • Reuse 16-bits of WEP IV packet field for sequence number • Initialize seq# to 0 on new encryption key • Increment seq# by 1 on each packet • Discard any packet out of sequence

  14. Key Mixing • Phase 1: • Key_mix1(128-bit temporal key, 48-bit MAC) • 128-bit result • Ensure unique key if clients share same temporal key • Phase 2: • Key_mix2(phase1 result,seq#) • The result is 128-bit per-packet key • Incrementing seq# ensure unique key for each packet • Keystream = RC4(128-bit per-packet key)

  15. Intermediate key Temporal key Transmitter Address: 00-A0-C9-BA-4D-5F Per-packet key Packet Sequence # Key Mixing • The keys are 128-bit • The transmitter address is 48-bit • The sequence number is 16-bit Phase 1 Mixer Phase 2 Mixer

  16. Rekeying • Key hierarchy • Master key • Established via 802.1x or manually • Used to securely communicate key encryption keys • Key encryption keys (2) • Secure messages containing keying material for deriving temporal keys • Key 1: encryption data 128-bit • Key 2: data integrity 64-bit • Temporal keys (2) • Key 1: encrypting data 128-bit • Key 2: data integrity 64-bit

  17. Putting The Pieces Together

  18. Summery • Advantages • Fixes several issues in WEP • Companies having existing WEP-based equipment can upgrade to TKIP through relatively simple firmware patches • Disadvantages • Relies on the original 802.11 security specifications • Not ideal solution • “We should all realize that TKIP is really a kludge. We are trying to make the best of a difficult situation, but TKIP should be phased out as soon as possible…”

  19. AES

  20. Requirements • Use encryption properly • In particular The protocol must never reuse nonces or IVs or other information used to randomize the encryption function • Defend against forgeries and replays • In particular, a design must never reuse keys • Protect the source and destination addresses from modification • Minimize the cost: • Minimize the number of cryptographic primitives used • Minimize the software expenses • Use the best practice cryptographic primitives

  21. AES-based Encapsulations • Replaces RC4 with AES for encryption and integrity • Requires coprocessor, therefore new hardware deployment • AES • Symmetric key block cipher • Require sequence counter, 128-bit key • Two cryptographic modes: • AES-CCM (CCMP): Counter Mode with CBC-MAC • AES-OCB (WRAP): Offset Codebook

  22. ctr1 ctr3 ctrn ctr2 EK EK EK EK EK EK EK EK m1 m3 mn m2 c1 c3 cn c2 Counter Mode & CBC-MAC ctrn-1 cj=EK(ctrj)mj mn-1 cn-1 m1 m2 mn-1 mn c0=IV cj=EK(mj cj-1) MAC=cm IV EK cm

  23. 48-bit sequence counter AES key 010000111010101 Encrypted Header Payload MIC Authenticated AES-CCM • Use CBC-MAC to compute a MIC on the MPDU + header fields • CTR mode to encrypt the payload and the MIC • The counter for encryption and the IV for MIC are made by concatenation of the sequence counter and header fields Seq CTR

  24. offset offset offset  L(ntz(n))  L(1)  L(0) m2 m1 checksum Nonce mn Len(mn)  offset  offset  offset  L L(-1) EK EK EK EK EK ossfet  offset  offset Pad Offset  c1 c2 Full tag L = EK(0) cn OCB …

  25. 28-bit sequence counter AES key 010000111010101 Encrypted Header Payload MIC Authenticated AES-OCB • OCB provides both data privacy and data authenticity by a single AES-key and 28-bit sequence counter • The nonce of OCB is made by concatenation of the sequence counter and header fields Seq CTR

  26. CCM vs. OCB • Security • OCB mode appears to be superior for data authentication • Performance • In hardware there are no difference • In software, AES-OCB enjoy about 2:1 performance advantage over AES-CCM • Patent situation • OCB has patent, while CCM doesn’t

  27. Today & The Future • 2000 – WEP • Better than no security • 2001-2002 - 802.1x–WEP • Fixes authentication issues for legacy equipment • 2002-2003 - 802.11i–TKIP • Fixes known encryption issues for legacy equipment • 2003-2004 - 802.11i-AES • Next generation security for future products

  28. Thank You!

More Related