520 likes | 929 Views
60-564 Survey Fall 2004. IEEE 802.11i. Aniss Zakaria. Survey based on two main papers:. IEEE 802.11i Standard, http://standards.ieee.org ,June 2004
E N D
60-564 Survey Fall 2004 IEEE 802.11i Aniss Zakaria IEEE 802.11i
Survey based on two main papers: • IEEE 802.11i Standard, http://standards.ieee.org ,June 2004 • Jyh-Cheng Chen, Ming-Chia Jiang and Yi-Wen Liu, “Wireless LAN Security and IEEE 802.11i”, url = http://wire.cs.nthu.edu.tw/wire1x/WC02-124-post.pdf , 2004 IEEE 802.11i
IEEE 802.11 Introduction: • WLANs are in everywhere. • Authentication modes: • Open System Authentication. Just supply correct SSID. • Shared key Authentication. Relay on WEP. • WEP: Wired Equivalent Privacy. • WEP is weak and breakable. AirSnort. IEEE 802.11i
WEP • Without WEP, no confidentiality, integrity, or authentication of user data • The cipher used in WEP is RC4, keylength from 40 up to 104 bits • Key is shared by all clients and the base station • compromising one node compromises network • Manual key distribution among clients makes changing the key difficult IEEE 802.11i
WEP .. cont IEEE 802.11i
What’s wrong with WEP? 802.11 Hdr Data 802.11 Hdr 802.11 Hdr IV Append ICV = CRC32(Data) Check ICV = CRC32(Data) Select and insert IV Per-packet Key = IV || RC4 Base Key RC4 Encrypt Data || ICV Remove IV from packet Per-packet Key = IV || RC4 Base Key RC4 Decrypt Data || ICV ICV Data ICV Data 24 bits How does WEP “work”? IEEE 802.11i
IV is the main problem: • IV is only 24 bits providea16,777,216 different RC4 cipher streams for a given WEP key • Chances of duplicate IVs are: • 1% after 582 encrypted frames • 10% after 1881 encrypted frames • 50% after 4,823 encrypted frames • 99% after 12,430 encrypted frames • Increasing Key size will not make WEP any safer. Why? • refer to Jesse Walker paper “IEEE 802.11i wireless LAN: Unsafe at any key size”, http://www.dis.org/wl/pdf/unsafe.pdf, Oct 2000 IEEE 802.11i
IV is the main problem: IEEE 802.11i
What’s wrong with WEP? Pseudo-random number generator “key stream” byte b Ciphertext data bytec = p b Review of the cipher RC4 Plaintext data byte p Decryption works the same way: p = c b Thought experiment: what happens when p1 and p2 are encrypted under the same “key stream” byte b? c1 = p1 bc2 = p2 b Then: c1c2= (p1 b)(p2 b) = p1 p2 IEEE 802.11i
We need a solution: • IEEE 802.11 has formed a new Task Group “i” to solve WEP problems. • Wi-Fi Protected Access (WPA) was created by the Wi-Fi Alliance in 2002 – in part out of impatience with the slow - moving 802.11i standard. • WPA focus mainly on legacy (current) equipments, require only firmware update. • IEEE 802.11i has added a newer Encryption mechanism which require changes in current WLAN equipments. • 802.11i has been ratified by the IEEE in June 2004. • Unlike 802.11a, b and g specifications, all of which define physical layer issues, 802.11i defines a security mechanism that operates between the Media Access Control (MAC) sublayer and the Network layer. • The Wi-Fi Alliance refers to the new 802.11i standard as WPA2. IEEE 802.11i
IEEE 802.11i standard: • IEEE 802.11 TGi has defined two major frameworks: • Pre-RSN • RSN • The definition of RSN according to IEEE 802.11i standard is a Security Network which only allows the creation of Robust Security Network Associations (RSNA). • simply, Pre-RSN is what current WLANs are, but RSN systems are what IEEE 802.11i systems should be. IEEE 802.11i
IEEE 802.11i Frameworks: • Pre-RSN • IEEE 802.11 entity authentication • Open System authentication • Allows a station to be authentication without having a correct WEP key • Shared Key authentication • The AP send a challenge packet to the Mobile Station • The MS encrypt the challenge packet using the shared WEP key and send the encrypted result back to the AP IEEE 802.11i
IEEE 802.11i Frameworks: • RSN • Authentication Enhancement: • IEEE 802.11i utilizes IEEE 802.1X for its authentication and key management services. • Key Management and Establishment: • Manual key management • Automatic key management • Encryption Enhancement: • Temporal Key Integrity Protocol (TKIP) • Counter-Mode/CBC-MAC Protocol (CCMP) So .. These are the 3 enhancements which IEEE 802.11i has introduced .. We will talk about each of these items individually in the following slides. IEEE 802.11i
Authentication Enhancement IEEE 802.1X: • Port-based authentication mechanism used for both wired and wireless networks. • Already implemented in many Operating Systems like Windows XP SP1. • It provide a framework to authenticate and authorize devices connecting to network. • IEEE 802.1X has three main pieces: • Supplicant • Authenticator • Authentication Server (AS) IEEE 802.11i
Authentication Enhancement IEEE 802.1X: • Authenticator and supplicant communicate with one another by using the Extensible Authentication Protocol (EAP, RFC-2284). • EAP originally designed to work over PPP, but IEEE 802.1X define a method to use EAP Over LAN (EAPOL) • The EAP protocol can support multiple authentication mechanisms, such as MD5-challenge, One-Time Passwords, Generic Token Card, TLS, TTLS and smart cards such as EAP SIM etc. IEEE 802.11i
Authentication Enhancement IEEE 802.1X: • Ethernet type of EAPOL is 88-8E. IEEE 802.11i
Authentication Enhancement IEEE 802.1X: IEEE 802.11i
Key Management and Establishment: • Two ways to support key distribution: • Manual key management Administrator will manually configure keys. • Automatic Key management IEEE 802.1x used for key management services, only available on RSNA. • Two Key Hirarechies: • Pairwise key hierarchy • Group key hierarchy IEEE 802.11i
Key Management and Establishment: Pairwise key hierarchy • Master Key – represents positive access decision • Pairwise Master Key (PMK) – represents authorization to access 802.11 medium • Pairwise Transient Key (PTK) – Collection of operational keys: • Key Confirmation Key (KCK) – used to bind PTK to the AP, STA; used to prove possession of the PMK • Key Encryption Key (KEK) – used to distribute Group Transient Key (GTK) • Temporal Key (TK) – used to secure data traffic IEEE 802.11i
Key Management and Establishment: Pairwise key hierarchy IEEE 802.11i
Key Management and Establishment: Pairwise key hierarchy • 4-way handshake:The 4-way handshake does several things: • Confirms the PMK between the supplicant and authenticator. • Establishes the temporal keys to be used by the data-confidentiality protocol • Authenticates the security parameters that were negotiated • Performs the first group key handshake • Provides keying material to implement the group key handshake IEEE 802.11i
4-way handshake: IEEE 802.11i
Key Management and Establishment: Group key hierarchy • Group Master Key (GMK) – which is a random number. • Group Transient Key (GTK) – An operational keys: • Temporal Key – used to “secure” multicast/broadcast data traffic • 802.11i specification defines a “Group key hierarchy” • Entirely gratuitous: impossible to distinguish GTK from a randomly generated key IEEE 802.11i
Key Management and Establishment: Group key hierarchy IEEE 802.11i
Encryption Enhancement: • Two main Encryption algorithms are used: • TKIPTemporal Key Integrity Protocol • CCMPCounter-Mode/CBC-MAC Protocol • Path: WEP -> WPA -> 802.11i • WPA = TKIP + IEEE 802.1x • 802.11i = TKIP + IEEE 802.1x + CCMP IEEE 802.11i
Encryption Enhancement: TKIP: • Stronger privacy • - Still uses RC-4 encryption • - Key rollover (temporal key) - Expand IV space (24 48 bits • Stronger integrity • - Message Integrity Code (MIC) - computed with own integrity algorithm (MICHAEL) • - Separate integrity key • - Integrity counter measures • TKIP consider as a short-term solution for WLAN security. • used to ease the transition from current WEP WLAN to the next RSN networks. IEEE 802.11i
Encryption Enhancement: TKIP: TKIP uses the IV and base key to hash a new key – thus a new key will be available every packet; weak keys are mitigated. IEEE 802.11i
Encryption Enhancement: CCMP: • Long-term solution. • Mandatory for RSNA systems. • IV size is 48 bits. • Uses stronger encryption of AES which uses the CCM mode (RFC 3610) with 128-bit key and 128-bit block size. • CCM mode combines Counter-Mode (CTR) and Cipher Block Chaining Message Authentication Code (CBC-MAC). • For Privacy: AES-CCM (128 bit key) • Integrity: CBC-MAC • Support preauthorization so clients can preauthorize when roaming, if they already had a full authorization in their home network. IEEE 802.11i
802.11i Summary • Data protocols provide confidentiality, data origin authenticity, replay protection • Data protocols require fresh key on every session • Key management delivers keys used as authorization tokens, proving channel access is authorized • Architecture ties keys to authentication IEEE 802.11i