280 likes | 422 Views
Solutions for WEP. Bracha Hod June 1, 2003. 802.11i Task Group. Addresses WEP issues No forger y protection No protection against replays Attack through weak keys IV re-use But has constraints Needs a firmware patch: large market already Access Points have cheap proc essor
E N D
Solutions for WEP Bracha Hod June 1, 2003
802.11i Task Group • Addresses WEP issues • No forgery protection • No protection against replays • Attack through weak keys • IV re-use • But has constraints • Needs a firmware patch: large market already • Access Points have cheap processor • Part is hardwired in the devices
Robust Secure Network • Interim solution • Use constrains • 802.1x - authentication and key management • TKIP - data encapsulation • Longterm solution • Ignore constrains • 802.1x - authentication and key management • AES - data encapsulation
EAP-TLS EAP 802.1X (EAPoL) RADIUS 802.11 UDP/IP 802.1x Architecture • Allows choice of auth. methods using EAP • Chosen by peers at authentication time • Access point doesn’t care about EAP methods • Requires some authentication server • RADIUS is the de facto back-end protocol
Uncontrolled port Authentication Server Supplicant Authenticator Controlled port 802.1X Terminology • Port-based access control mechanism • Ports for passing data without authentication • Parts for passing data only after authentication
Associate EAP Identity Request EAP Identity Response EAP Identity Response Authentication Server Supplicant Authenticator EAP Auth Request EAP Auth Request EAP Auth Response EAP Auth Response EAP-Success EAP-Success 802.1x Model 802.1x Radius Authentication traffic Port Status: Normal Data
802.1x Advantages • Standards-based • Flexible authentication • Scalable to large enterprise networks • Centrally managed • Roaming can be made as transparent as possible • Keys are dynamically generated and propagated
802.1x Flaws • Possible attacks • Man-in-the-middle • Session hijacking • Denial-of-service attacks • Solutions • Strong mutual authentication by protocols like EAP-TLS, EAP-TTLS and EAP-PEAP which provide strong master-key in the end • The area of coverage of an access point is small enough that an attacker would have a substantial risk of discovery
Temporal Key Integrity Protocol • Designed as a wrapper around WEP • Can be implemented in software • Reuses existing WEP hardware • Runs WEP as a sub-component • Components • Cryptographic message integrity code • Packet sequencing • Per-packet key mixing • Re-keying mechanism
SA DA Payload 8 byte MIC Michael MIC • Sender and receiver share 64-bit secret key • MIC = h (src MAC|dst MAC|frame body)K • If receivers computation matches the MIC sent, then message presumed authentic • If 2 forgeries in a second, then assume under attack (delete keys, disassociate, and reassociate) Authentication Key
Wireless Station Access Point Hdr Hdr Hdr Packet n Packet n + 1 Packet n Packet Sequencing • Reuse 16-bits of WEP IV packet field for sequence number • Initialize seq# to 0 on new encryption key • Increment seq# by 1 on each packet • Discard any packet out of sequence
Key Mixing • Phase 1: • Key_mix1(128-bit temporal key, 48-bit MAC) • 128-bit result • Ensure unique key if clients share same temporal key • Phase 2: • Key_mix2(phase1 result,seq#) • The result is 128-bit per-packet key • Incrementing seq# ensure unique key for each packet • Keystream = RC4(128-bit per-packet key)
Intermediate key Temporal key Transmitter Address: 00-A0-C9-BA-4D-5F Per-packet key Packet Sequence # Key Mixing • The keys are 128-bit • The transmitter address is 48-bit • The sequence number is 16-bit Phase 1 Mixer Phase 2 Mixer
Rekeying • Key hierarchy • Master key • Established via 802.1x or manually • Used to securely communicate key encryption keys • Key encryption keys (2) • Secure messages containing keying material for deriving temporal keys • Key 1: encryption data 128-bit • Key 2: data integrity 64-bit • Temporal keys (2) • Key 1: encrypting data 128-bit • Key 2: data integrity 64-bit
Summery • Advantages • Fixes several issues in WEP • Companies having existing WEP-based equipment can upgrade to TKIP through relatively simple firmware patches • Disadvantages • Relies on the original 802.11 security specifications • Not ideal solution • “We should all realize that TKIP is really a kludge. We are trying to make the best of a difficult situation, but TKIP should be phased out as soon as possible…”
Requirements • Use encryption properly • In particular The protocol must never reuse nonces or IVs or other information used to randomize the encryption function • Defend against forgeries and replays • In particular, a design must never reuse keys • Protect the source and destination addresses from modification • Minimize the cost: • Minimize the number of cryptographic primitives used • Minimize the software expenses • Use the best practice cryptographic primitives
AES-based Encapsulations • Replaces RC4 with AES for encryption and integrity • Requires coprocessor, therefore new hardware deployment • AES • Symmetric key block cipher • Require sequence counter, 128-bit key • Two cryptographic modes: • AES-CCM (CCMP): Counter Mode with CBC-MAC • AES-OCB (WRAP): Offset Codebook
ctr1 ctr3 ctrn ctr2 EK EK EK EK EK EK EK EK m1 m3 mn m2 c1 c3 cn c2 Counter Mode & CBC-MAC ctrn-1 cj=EK(ctrj)mj mn-1 cn-1 m1 m2 mn-1 mn c0=IV cj=EK(mj cj-1) MAC=cm IV EK cm
48-bit sequence counter AES key 010000111010101 Encrypted Header Payload MIC Authenticated AES-CCM • Use CBC-MAC to compute a MIC on the MPDU + header fields • CTR mode to encrypt the payload and the MIC • The counter for encryption and the IV for MIC are made by concatenation of the sequence counter and header fields Seq CTR
offset offset offset L(ntz(n)) L(1) L(0) m2 m1 checksum Nonce mn Len(mn) offset offset offset L L(-1) EK EK EK EK EK ossfet offset offset Pad Offset c1 c2 Full tag L = EK(0) cn OCB …
28-bit sequence counter AES key 010000111010101 Encrypted Header Payload MIC Authenticated AES-OCB • OCB provides both data privacy and data authenticity by a single AES-key and 28-bit sequence counter • The nonce of OCB is made by concatenation of the sequence counter and header fields Seq CTR
CCM vs. OCB • Security • OCB mode appears to be superior for data authentication • Performance • In hardware there are no difference • In software, AES-OCB enjoy about 2:1 performance advantage over AES-CCM • Patent situation • OCB has patent, while CCM doesn’t
Today & The Future • 2000 – WEP • Better than no security • 2001-2002 - 802.1x–WEP • Fixes authentication issues for legacy equipment • 2002-2003 - 802.11i–TKIP • Fixes known encryption issues for legacy equipment • 2003-2004 - 802.11i-AES • Next generation security for future products