240 likes | 261 Views
Module IV Chapter 15. IEEE 802.11 Wireless LAN Security. BACKGROUND. There are two types of WLANs Ad hoc networks- here, stations communicate directly. 2. Infrastructure WLANs- Uses Access Points (APs). Stations first sends frame to AP, then AP delivers the frame to final destination.
E N D
Module IVChapter 15 IEEE 802.11 Wireless LAN Security
BACKGROUND • There are two types of WLANs • Ad hoc networks- here, stations communicate directly. 2. Infrastructure WLANs- Uses Access Points (APs). Stations first sends frame to AP, then AP delivers the frame to final destination.
Basic Service Set (BSS)- A network of wireless stations associated with an AP is called “Basic Service Set (BSS)”. • Extended Service Set (ESS)- Collection/ union of several Basic Service Sets to cover large areas is called “Extended Service Set (ESS)”.
Communication Process • On power-up, wireless station must search for AP within its range. • For this, AP will be periodically broadcasting a special message called “Beacon”. It contains SSID of the AP. • Alternatively, a station may send a probe-request frame, which probes for APs in its range. • AP, on hearing such a request, responds with a probe-response frame. • To become a part of WLAN, a station must associate with AP.
AUTHENTICATION • Pre-WEP Authentication: - Early versions of 802.11 used naïve approaches. For Ex. Mere knowledge of SSID was sufficient for authentication. But, attacker can easily get to know the SSID. - MAC address based admission: Here, AP maintains a list of valid MAC addresses and allows only those in the list to communicate. Still attacker is able to modify his network card for the same.
Authentication in WEP • In WEP, station authenticates itself with Challenge-Response protocol. • Basically AP generates a challenge and sends it to the station. • The station encrypts challenge and sends it to AP. • Uses Stream cipher RC4 for encryption. • Station computes Response as follows, RESPONSE = CHALLENGE XOR KEYSTREAM(S, IV) Where, S- Shared Secret & IV- Initial Vector
Authentication & Key Agreement in 802.11i Authentication: • Different authentication mechanisms and message types are defined by Extensible Authentication Protocol (EAP). • The generic authentication messages in IEEE 802.11i are shown in figure. • The protocol used between the station and AP is EAP, but that between AP and AS depends upon specifics of AS. • For Example, AS is usually a RADIUS (Remote Authentication Dial in User Service).
Main authentication methods supported by EAP include the following, • EAP-MD5: Here, AS challenges the station to transmit MD5 hash of the user’s password. Station prompts user to type his password. It then computes the hash of password and sends this across. This method is in secure, as the attacker can eavesdrop. • EAP-TLS: It is based on SSL TLS protocol. It requires the AP and User (station) to have digital certificates. It is the most secured among all EAP methods.
3. EAP-TTLS (Tunneled TLS): requires certificates only at the AP end. The AP authenticates itself to the station and both sides construct a secured tunnel between themselves. Over this secured tunnel, station authenticates itself to AP. 4. EAP-PEAP: proposed by Microsoft, Cisco and RSA security. It is similar to EAP-TTLS. Here, the secured tunnel is used to start a second EAP exchange where a station authenticates itself to AS.
Key Hierarchy • There are 2 types of keys used in WLANs. 1. Pairwise keys- used to protect traffic between station and AP. 2. Group key- used to protect broadcast or multicast traffic between the AP and multiple stations. • Root of key hierarchy is Pairwise Master Key (PMK). There are 2 ways to obtain this as shown in figure,
Station and AS may agree upon a Master Session key (MSK) as part of the Authentication procedure. AS then communicates this to AP. • Alternative to computing a fresh PMK for each session is the Pre-Shared key (PSK), which is used as PMK.
256-bit PMK is used to derive 384-bit Pairwise Transient Key (PTK). Three 128-bit chunks are extracted from PTK as follows, • Temporal Key (TK)- used for both encryption and integrity protection of data between AP and station. • Key Confirmation Key (KCK)- used to protect some of the messages in 4-way handshake. • Key Encryption Key (KEK)- used to encrypt the message containing the group key.
Four-Way Handshake Main goals of this are to • Derive the PTK from the PMK, • Verify the cipher suits communicated in the beacon and Associate Request frames and • Communicate the group keys from the AP to the station. Figure:
3. CONFIDENTIALITY & INTEGRITY • Data Protection in WEP: WEP was designed to provide message confidentiality, integrity and access control but it failed. Let us see how? WEP Encryption & Integrity checking: • WEP uses stream cipher RC4 for encryption. It generates a key Stream based on secret shared between two parties. • Uses 40-bit Secret concatenated with 24-bit IV to create 64-bit key. Cipher text C is obtained as follows, C = P XOR KS(S, IV) It recovers plain-text by decryption as follows, P = C XOR KS(S, IV)
Known Plaintext Attack • The 1st problem with WEP is possibility of keystream re-use. Since, IV is 24-bit length, only 224 distinct keystreams could be generated. • Suppose attacker find two frames that are encrypted by same IV. Let their ciphertext’s be C and C’ and corresponding plaintexts be P and P’. • Hence we get, P XOR P’ = C XOR C’ So, P’ = P XOR C XOR C’ Thus, knowing P, C and C’, we can obtain P’ (Plaintext attack).
Data protection in TKIP & CCMP • After observing the various flaws of WEP, IEEE 802.11i committees started to seek replacement and framed following two, • Firmware of existing 802.11i is upgraded to have many changes and developed Wireless Protected Access (WPA)- Temporal Key Integrity Protocol (TKIP). • Implementation of 802.11i to use AES is WPA-2 (Counter Mode with CBC MAC protocol- CCMP).
Temporal Key Integrity Protocol (TKIP) • Uses 128-bit key. It generates random and different key for each frame sent. • It uses “2-phase Key Mixing” protocol. • Input to this protocol are 128-bit Temporal key, Sender’s MAC address and 4 most significant bytes of a 48-bit frame sequence counter. • 2 pseudo-random functions are used in 2 phases. • Input to PRF1 -> 32 most significant bits of sequence counter. PRF2 -> least significant 16 bits of sequence counter.
Counter mode with CBC MAC Protocol- CCMP • It uses AES for message authentication/ integrity. • Unlike TKIP, it uses same key for encryption and MAC computation. • Here also 48-bit sequence counter is used and called as Packet Number (PN). • MIC is computed using AES in Cipher Block Chaining (CBC) mode as shown in fig. • Procedure to compute i-th block is: 1. Ai = ETK(PN + i * j) here, j is constant known to both sender and receiver. 2. Compute i-th block of cipher text = Ai * Pi