Wireless Security - 802.11i
Lars Strand
lars (at) unik no
June 2004
802.11
Working Group 11 of IEEE 802
'Task Groups' within the WG enhance portions of the standard:
802.11 – 1997: The IEEE standard for wireless networks
♦
often called '802.11legacy'
♦
transfer using infrared or the 2.4GHz band
Ad Hoc Technology
♦
2
radio uses frequence-hopping spread spectrum (FSSS) or
direct-sequence spread spectrum (DSSS)
♦
1 to 2 Mbps
♦
ratified in 1999, resulted in 802.11b
♦
today: '802.11 uses three different physical layers (PHY):
802.11a, 802.11b and 802.11g'
802.11 Task Groups
802.11a – 1999: Also called 'Wi-Fi5'
♦
uses orthogonal frequency division multiplexing (OFDM)
♦
not so crowded 5GHz with data rates from 6 to 54Mbps
Ad Hoc Technology
802.11b – 1999: Also called: '802.11 High Rate' or 'Wi-Fi'
3
♦
most used today
♦
ratified version of 802.11 (and the 802.11 groups was born)
♦
theoretical 11Mbps speed (average is 4-6Mbps)
♦
high rate DSSS in the (crowded) 2.4GHz band
♦
uses only DSSS
♦
802.11b+ (non-standard) up to 22Mbps
802.11 Task Groups
802.11c – does not exists. Task group C exists however, but has
not created their own standard. Instead they have added standard
from LAN-bridging (802.1D) to wireless AP operations
802.11d – 2001: New countries
♦
modify physical layer to meet regulatory requirements
802.11e – 2002: Enhance MAC layer to improve QoS
802.11f – 2003: Inter Access Point Protocol (IAPP)
Ad Hoc Technology
802.11g – 2003: Higher rate extension to 2.4GHz band
4
♦
rate up to 54Mbps
♦
full backwards compatible with 802.11b (g's slow down to b)
♦
Super G = channel bonding up to 108Mbps
802.11 Task Groups
802.11h – 2003: Modified 802.11a
♦
♦
in Europe, strong potensial for 802.11a interfering with
satelite communications
uses the 5GHz band
will become the sucessor of 802.11a?
802.11i – 2004: new standard for wireless security
802.11j – work in progress: add 4.9 GHz and 5 GHz in Japan
802.11k – work in progress: aims to provide measuerment
information to make wireless networks more efficient
Ad Hoc Technology
♦
5
♦
Roaming decisions
♦
RF channel knowledge
♦
Hidden nodes
♦
Client statistics
♦
Transmit Power Control (TPC)
802.11 Task Groups
802.11l – skipped because it looks like 802.11i
802.11m – work in progress: for maintaince
Ad Hoc Technology
802.11n – work in progress: new WLAN standard
6
♦
build from ground up (no “turbo-mode” chips)
♦
100Mbps real speed (250Mbps at PHY level)
♦
better operating distance
♦
standard by the end of 2005?
802.11o – work in progress: Voice over WLAN (faster handoff,
prioritize voice traffic over data)
802.11p – work in progress: using 5.9GHz band for ITS (long
range)
802.11 Task Groups
802.11p – work in progress: using 5.9GHz band for ITS (long
range)
802.11q – work in progress: support for VLAN
802.11r – work in progress: r for "roaming", handling "fast handoff"
when roaming between AP
Ad Hoc Technology
802.11s – work in progress: self-healing/self-configuring mesh
networks
7
802.11x – is often used to summarize all standards within the
Working Group, but it is NOT a standard!
WEP
Wired Equivalent Privacy (WEP)
Relies on a secret key k shared between the nodes
 Checksumming
♦
Integrity checksum c(M) on the message M
♦
called Integrity Check Value (ICV) based on CRC-32
♦
Plaintext P = <M, c(M)>
Ad Hoc Technology
 Encryption
8
♦
chosen initial vector (IV) v and given secret key k
♦
RC4 produces a keystream as a function of v and k
♦
XOR the plaintext with the keystream to obtain
ciphertext: C = P ⊕ RC4(v,k)
Ad Hoc Technology
WEP
9
Figure borrowed from Borisov, Goldberg, Wagner 2001
Vulnerability of WEP
 WEP key recovery – limited IV range (0 to 16777215). Same IV
used over and over again: information to crack WEP key (data
confidentiality, access control)
 Violation of data integrity – modify the ciphertext and forward
changed message even without knowing the encryption key
(data integrity)
 Key management – static manual stored keys
 No access point autentication (authentication, access control)
Ad Hoc Technology
Crypto experts: "WEP is a broken protocol!"
10
Conclusion: Wired Equivalent Privacy (WEP) isn't!
Vendor specific "fixes": longer keys, dynamic keys, VPN
Crack-tool: Airsnort
Ad Hoc Technology
Airsnort
11
802.11i
802.11i to the rescue!
Goal: new standard for wireless security!
Consist of three major parts:
1) Temporary Key Integrity Protocol (TKIP)
2) Counter Mode with CBC-MAC Protocol (CCMP)
3) Port-based authentication protocol (802.1X)
Ad Hoc Technology
+ key management
12
Other features:
secure IBSS, secure fast handoff, secure deauthentication,
disassociation and roaming support
Ratified June 2004
TKIP
Temporary Key Integrity Protocol (TKIP)
802.11's response to do something – anything – to improve security
Wi-Fi Alliance did not have time to wait for 802.11i --> WPA
 Enhancment of WEP – fixes all know WEP flaws
 Software/firmware upgrade 802.11b equipment
 Will degrade performance: uses more CPU in 802.11b devices!
 Not ideal design – more 'hacks' to make it work
Ad Hoc Technology
 NB! Not a long term solution!
13
TKIP – Michael, IV
1. Michael: Crypthographic Message Integrity Code (MIC)
♦
SHA-1/MD5 are to CPU-expensive
♦
64bit MIC designed by Niels Ferguson
♦
'weak' integrity protection (2^29 attack exists) – limited CPU!
♦
♦
♦
TKIP countermeasure: MIC is encrypted + key discarded if
attacked (more than 2 failed MIC pr. second)
only 'secure' when used with a secure encryption system (RC4
with rapid re-keying and per-packet mixing)
defeating forgeries
Ad Hoc Technology
2. IV sequence enforment
14
♦
IV extended from 24 to 48 bits
♦
careful sequencing rules to prevent reuse
♦
defeating replays
TKIP – Key mixing, rekeying
3. Key mixing: per-packet keying – defeating weak keys
* phase 1:
temporary key (TK) 128bit, client's MAC address (TA), IV32
(most significant 32 bits of IV) = P1K 80bits
* phase 2:
Ad Hoc Technology
P1K, IV16, TK = per-packet key (RC4KEY) 128bit
15
Figure borrowed from uninett.no
Key hierarchy
4. Rekeying – delivers fresh keys to various TKIP algorithms
- Master Key normally generated by authentication
Ad Hoc Technology
- PMK is derived from the master key
16
CCMP
Counter Mode with Cipher-Block-Chaining Message
Authentication Code Protocol (CCMP)
The new flagship of wireless security!
* designed by N. Ferguson, R. Housley and D. Whiting
* public domain
* protocol designed from ground-up
- not withstood the test of time...
Ad Hoc Technology
- but based on well known technology
17
- critized for beeing to complex
CCMP
* block ciphers provides privacy but not authenticy
* combined modes (authenticated-encryption modes)
- privacy AND authentication
* CCMP = combined mode:
- Counter Mode (CTR) encryption mode = privacy
- CBC- MAC = integrity and authentication
Ad Hoc Technology
Uses flashy new AES with 128bit keys, 48bit IV
18
What about Wireless Robust Authentication Protocol (WRAP)??
- based upon Offset Codebook (OCB) mode of AES
- plagued by intellectual property rights (patents)
- RSN: CCMP is mandatory, WRAPS optional
802.1X
Port based authentication protocol for Ethernet (802.1X)
Uses Extensible Authentication Protocol (EAP)
June 2004: RFC3748 Extensible Authentication Protocol (EAP)
(Obsoletes RFC2284)
Ad Hoc Technology
"This document defines the Extensible Authentication Protocol
(EAP), an authentication framework which supports multiple
authentication methods. EAP typically runs directly over data
link layers such as Point-to-Point Protocol (PPP) or IEEE 802,
without requiring IP."
19
"EAP is used to select a specific authentication mechanism,
typically after the authenticator requests more information in
order to determine the specific authentication method to be
used." --RFC3748, page 3
802.1X
General EAP authentication with RADIUS as AAA protocol
Ad Hoc Technology
AAA = Authentication, Authorization, Accounting
20
Figure borrowed from Gary McGraw
802.1X- EAP authentication overview
STA
AP
STA 802.1X blocks port for
data traffic
AS
AP 802.1X blocks port for
data traffic
802.1X/EAP-Request Identity
802.1X/EAP-Response Identity
(EAP type specific)
RADIUS Access
Request/Identity
EAP type specific
mutual
authentication
Ad Hoc Technology
Derive Pairwise Master Key (PMK)
21
Derive Pairwise Master Key (PMK)
RADIUS Accept (with PMK)
802.1X/EAP-SUCCESS
802.1X
Slide borrowed from Jesse Walker
RADIUS
802.1X- EAP
Ad Hoc Technology
Security layers
22
802.1X- EAP
RADIUS is NOT part of 802.11i, but a 'back-end' protocol! (but is
the de-facto back-end protocol!)
EAP provides a framework for authentication
May support several different authentication mechanism (not part of
801.11i):
♦
Ad Hoc Technology
♦
23
EAP-MD5: Username/password (IETF draft)
EAP-TLS: Creates a TLS session within the EAP
authentication process. Needs certificates and therefore PKI.
(RFC2716)
♦
LEAP: Cisco propertiary
♦
MS-CHAPv2: Microsoft username/password. (RFC2759)
♦
EAP-TTLS vs. PEAP: tunnel mode for safe transport of
authentication data
802.11i - summary
802.11i consist of three main part:
1) TKIP
2) CCMP
3) 802.1X
+ key management!
Wi-Fi Protected Access (WPA)
- TKIP + 802.1X
- Wi-Fi Alliance tok 'snapshot' of unfinished 802.11i = WPA
Robust Secure Networks (RSN)
Ad Hoc Technology
- CCMP + 802.1X
24
- may also be called WPA2
Transition Security Network (TSN)
- RSN which uses TKIP instead of CCMP
802.11i questions
* how to support roaming between access points?
- update all other AP?
* how to make key-architecture support ad-hoc networks?
- today:
i) session oriented to syncronize master key
ii) assume 802.1x authentication server
--> Oakly, Diffie-Hellman, El-Gamal? - must share a secret!
Does NOT exists in ad-hoc networks!
Ad Hoc Technology
- add these security mechanism
25
- alter the security architecture
--> else: security not possible
802.11i - ad-hoc
Eurofighter: authenticate and make devices talk
Distributed RADIUS server?
- Group keys: Who issues master keys? Vote for master?
- what if two manet merges? --> issue new master group key?
Existing solution: change to EAP
Two level authentication
Ad Hoc Technology
A
26
G