60564 Survey

1
60-564 Survey Fall 2004
IEEE 802.11i
Aniss Zakaria
2
Survey based on two main papers

• IEEE 802.11i Standard, http//standards.ieee.org
  ,June 2004
• Jyh-Cheng Chen, Ming-Chia Jiang and Yi-Wen Liu,
  Wireless LAN Security and IEEE 802.11i, url
  http//wire.cs.nthu.edu.tw/wire1x/WC02-124-post.pd
  f , 2004

3
IEEE 802.11 Introduction

• WLANs are in everywhere.
• Authentication modes
• Open System Authentication. Just supply correct
  SSID.
• Shared key Authentication. Relay on WEP.
• WEP Wired Equivalent Privacy.
• WEP is weak and breakable. AirSnort.

4
WEP

• Without WEP, no confidentiality, integrity, or
  authentication of user data
• The cipher used in WEP is RC4, keylength from 40
  up to 104 bits
• Key is shared by all clients and the base station
• compromising one node compromises network
• Manual key distribution among clients makes
  changing the key difficult

5
WEP .. cont
6
Whats wrong with WEP?
How does WEP work?
7
IV is the main problem

• IV is only 24 bits provide a 16,777,216
  different RC4 cipher streams for a given WEP key
• Chances of duplicate IVs are
• 1 after 582 encrypted frames
• 10 after 1881 encrypted frames
• 50 after 4,823 encrypted frames
• 99 after 12,430 encrypted frames
• Increasing Key size will not make WEP any safer.
  Why?
• refer to Jesse Walker paper IEEE 802.11i
  wireless LAN Unsafe at any key size,
  http//www.dis.org/wl/pdf/unsafe.pdf, Oct 2000

8
IV is the main problem
9
Whats wrong with WEP?
Review of the cipher RC4
Plaintext data byte p
Decryption works the same way p c ? b Thought
experiment what happens when p1 and p2 are
encrypted under the same key stream byte b? c1
p1 ? b c2 p2 ? b Then c1 ? c2 (p1 ? b)
? (p2 ? b) p1 ? p2
10
We need a solution

• IEEE 802.11 has formed a new Task Group i to
  solve WEP problems.
• Wi-Fi Protected Access (WPA) was created by the
  Wi-Fi Alliance in 2002 in part out of
  impatience with the slow - moving 802.11i
  standard.
• WPA focus mainly on legacy (current) equipments,
  require only firmware update.
• IEEE 802.11i has added a newer Encryption
  mechanism which require changes in current WLAN
  equipments.
• 802.11i has been ratified by the IEEE in June
  2004.
• Unlike 802.11a, b and g specifications, all of
  which define physical layer issues, 802.11i
  defines a security mechanism that operates
  between the Media Access Control (MAC) sublayer
  and the Network layer.
• The Wi-Fi Alliance refers to the new 802.11i
  standard as WPA2.

11
IEEE 802.11i standard

• IEEE 802.11 TGi has defined two major
  frameworks
• Pre-RSN
• RSN
• The definition of RSN according to IEEE 802.11i
  standard is a Security Network which only allows
  the creation of Robust Security Network
  Associations (RSNA).
• simply, Pre-RSN is what current WLANs are, but
  RSN systems are what IEEE 802.11i systems should
  be.

12
IEEE 802.11i Frameworks

• Pre-RSN
• IEEE 802.11 entity authentication
• Open System authentication
• Allows a station to be authentication without
  having a correct WEP key
• Shared Key authentication
• The AP send a challenge packet to the Mobile
  Station
• The MS encrypt the challenge packet using the
  shared WEP key and send the encrypted result back
  to the AP

13
IEEE 802.11i Frameworks

• RSN
• Authentication Enhancement
• IEEE 802.11i utilizes IEEE 802.1X for its
  authentication and key management services.
• Key Management and Establishment
• Manual key management
• Automatic key management
• Encryption Enhancement
• Temporal Key Integrity Protocol (TKIP)
• Counter-Mode/CBC-MAC Protocol (CCMP)

So .. These are the 3 enhancements which IEEE
802.11i has introduced .. We will talk about each
of these items individually in the following
slides.
14
Authentication Enhancement
IEEE 802.1X

• Port-based authentication mechanism used for
  both wired and wireless networks.
• Already implemented in many Operating Systems
  like Windows XP SP1.
• It provide a framework to authenticate and
  authorize devices connecting to network.
• IEEE 802.1X has three main pieces
• Supplicant
• Authenticator
• Authentication Server (AS)

15
Authentication Enhancement
IEEE 802.1X

• Authenticator and supplicant communicate with
  one another by using the Extensible
  Authentication Protocol (EAP, RFC-2284).
• EAP originally designed to work over PPP, but
  IEEE 802.1X define a method to use EAP Over LAN
  (EAPOL)
• The EAP protocol can support multiple
  authentication mechanisms, such as MD5-challenge,
  One-Time Passwords, Generic Token Card, TLS, TTLS
  and smart cards such as EAP SIM etc.

16
Authentication Enhancement
IEEE 802.1X

• Ethernet type of EAPOL is 88-8E.

17
Authentication Enhancement
IEEE 802.1X
18
Key Management and Establishment

• Two ways to support key distribution
• Manual key management Administrator will
  manually configure keys.
• Automatic Key management IEEE 802.1x used for
  key management services, only available on RSNA.

• Two Key Hirarechies
• Pairwise key hierarchy
• Group key hierarchy

19
Key Management and Establishment
Pairwise key hierarchy

• Master Key represents positive access decision
• Pairwise Master Key (PMK) represents
  authorization to access 802.11 medium
• Pairwise Transient Key (PTK) Collection of
  operational keys
• Key Confirmation Key (KCK) used to bind PTK to
  the AP, STA used to prove possession of the PMK
• Key Encryption Key (KEK) used to distribute
  Group Transient Key (GTK)
• Temporal Key (TK) used to secure data traffic

20
Key Management and Establishment
Pairwise key hierarchy
21
Key Management and Establishment
Pairwise key hierarchy

• 4-way handshakeThe 4-way handshake does several
  things
• Confirms the PMK between the supplicant and
  authenticator.
• Establishes the temporal keys to be used by the
  data-confidentiality protocol
• Authenticates the security parameters that were
  negotiated
• Performs the first group key handshake
• Provides keying material to implement the group
  key handshake

22
4-way handshake
23
Key Management and Establishment
Group key hierarchy

• Group Master Key (GMK) which is a random
  number.
• Group Transient Key (GTK) An operational keys
• Temporal Key used to secure
  multicast/broadcast data traffic
• 802.11i specification defines a Group key
  hierarchy
• Entirely gratuitous impossible to distinguish
  GTK from a randomly generated key

24
Key Management and Establishment
Group key hierarchy
25
Encryption Enhancement

• Two main Encryption algorithms are used
• TKIP Temporal Key Integrity Protocol
• CCMP Counter-Mode/CBC-MAC Protocol

• Path WEP -gt WPA -gt 802.11i
• WPA TKIP IEEE 802.1x
• 802.11i TKIP IEEE 802.1x CCMP

26
Encryption Enhancement
TKIP

• Stronger privacy
• - Still uses RC-4 encryption
• - Key rollover (temporal key) - Expand IV space
  (24 ? 48 bits

• Stronger integrity
• - Message Integrity Code (MIC) - computed with
  own integrity algorithm (MICHAEL)
• - Separate integrity key
• - Integrity counter measures

• TKIP consider as a short-term solution for WLAN
  security.
• used to ease the transition from current WEP
  WLAN to the next RSN networks.

27
Encryption Enhancement
TKIP
TKIP uses the IV and base key to hash a new key
thus a new key will be available every packet
weak keys are mitigated.
28
Encryption Enhancement
CCMP

• Long-term solution.
• Mandatory for RSNA systems.
• IV size is 48 bits.
• Uses stronger encryption of AES which uses the
  CCM mode (RFC 3610) with 128-bit key and 128-bit
  block size.
• CCM mode combines Counter-Mode (CTR) and Cipher
  Block Chaining Message Authentication Code
  (CBC-MAC).
• For Privacy AES-CCM (128 bit key)
• Integrity CBC-MAC
• Support preauthorization so clients can
  preauthorize when roaming, if they already had a
  full authorization in their home network.

29
(No Transcript)
30
802.11i Summary

• Data protocols provide confidentiality, data
  origin authenticity, replay protection
• Data protocols require fresh key on every session
• Key management delivers keys used as
  authorization tokens, proving channel access is
  authorized
• Architecture ties keys to authentication