Wireless LAN Security Technologies - PowerPoint PPT Presentation

Slides: 55
Provided by: net147

1
Wireless LAN Security Technologies

2
Outline
  • Wired Equivalent Privacy (WEP)
  • IEEE 802.11i and WPA
  • WPA and RSN key hierarchy
  • 802.11i operational phases
      • Discovery
      • 802.1x authentication
      • RADIUS-based key distribution
      • 802.1x key management
      • Data protection
          • TKIP, CCMP

3
WEP
  • WEP: RC4 cipher (stream cipher).

4
  • Most stream ciphers operate by taking a
    relatively short secret key and expanding it into
    a pseudorandom keystream the same length as the
    message.
  • The pseudorandom number generator (PRNG),
    i.e. RC4, is a set of rules used to expand the
    key into a keystream.

5
WEP data processing
6
Weaknesses of WEP
  • The IV value is too short.
  • IV + WEP key → weak key attacks (FMS attack).
  • Message integrity.
  • The master key is used directly, and there is no
    built-in provision to update the keys.
  • There is no protection against message replay.
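
The keystream expansion from slide 4 and the short-IV weakness from slide 6, as an added Python example that is not part of the original slides. The key, IVs and plaintexts are constructed sample values, and `wep_encrypt` models only the RC4 and ICV step (RC4 key = IV || key, CRC-32 ICV appended), not the full frame format.

```python
import math
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4: expand a short key into n bytes of pseudorandom keystream."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP body: (plaintext || CRC-32 ICV) XOR RC4(IV || key)."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(data, rc4_keystream(iv + key, len(data)))

def ciphertext_xor_leaks_plaintext_xor(key, iv1, iv2, p1, p2) -> bool:
    """True when the keystream cancels out, i.e. C1 XOR C2 == P1 XOR P2."""
    c1, c2 = wep_encrypt(iv1, key, p1), wep_encrypt(iv2, key, p2)
    return xor(c1, c2)[:len(p1)] == xor(p1, p2)

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday estimate that two of `frames` randomly chosen IVs collide."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))

# Constructed sample values (not from the slides): 40-bit key, 24-bit IVs.
KEY = bytes.fromhex("0102030405")
IV_A, IV_B = bytes.fromhex("aabbcc"), bytes.fromhex("aabbcd")
P1, P2 = b"GET /index.html ", b"POST /login.php "

if __name__ == "__main__":
    print("repeated IV leaks P1^P2:", ciphertext_xor_leaks_plaintext_xor(KEY, IV_A, IV_A, P1, P2))
    print("distinct IVs leak P1^P2:", ciphertext_xor_leaks_plaintext_xor(KEY, IV_A, IV_B, P1, P2))
    print("P(collision), 5000 frames, 24-bit IV: %.2f" % iv_collision_probability(5000))
    print("P(collision), 5000 frames, 48-bit IV: %.1e" % iv_collision_probability(5000, 48))
```

With the master key fixed, a repeated IV is the only thing needed for two frames to share a keystream, which is why the later slides widen the IV to 48 bits and use it as a sequence counter.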

7
What is IEEE 802.11i
  • IEEE 802.11i defines a new type of wireless
    network called a robust security network (RSN).
  • Transitional security network (TSN): both RSN and
    WEP systems can operate in parallel.
  • Most existing Wi-Fi cards cannot be upgraded to
    RSN because the cryptographic operations required
    are not supported by the hardware and are beyond
    the capability of software upgrades.
  • For this reason, WPA networks were defined.

8
What is WPA
  • Temporal Key Integrity Protocol (TKIP): a
    security solution based around the capabilities
    of existing Wi-Fi products.
  • TKIP is allowed as an optional mode under RSN.
  • The Wi-Fi Alliance adopted a new security approach
    based on the draft RSN but only specifying TKIP.
    This subset of RSN is called WPA.

9
Differences between RSN and WPA
  • RSN also supports the AES cipher algorithm in
    addition to TKIP, whereas WPA focuses on TKIP.
  • RSN and WPA share a single security architecture
    under which TKIP- or AES-based security protocols
    can operate.
  • This architecture includes upper-level
    authentication, secret key distribution, and key
    renewal.

10
Security Layers
  • Wireless LAN layer
      • Encrypting and decrypting data
  • Access control layer
      • Manages the security context. It must stop any
        data passing to or from an enemy.
  • Authentication layer
      • Resides in the authentication server (separate from the AP)
      • Provides a way to manage the user database.

11
WPA and RSN key Hierarchy
[Figure: key hierarchy steps between STA, AP and AS]
  • 1. Authenticate to derive the Master Key (MK)
  • 2. Derive the Pairwise Master Key (PMK) from the MK and distribute it
  • 3. Use the PMK to enforce 802.11 channel access; derive and use the PTK
12
WPA and RSN key Hierarchy
  • Master Key (MK)
  • Pairwise Master Key (PMK) = TLS-PRF(Master Key, "client EAP encryption" || clientHello.random || serverHello.random)
  • Pairwise Transient Key (PTK) = EAPoL-PRF(PMK, AP Nonce || STA Nonce || AP MAC Addr || STA MAC Addr)
13
Pairwise Keys
[Figure: three mobile devices holding Key 1, Key 2 and Key 3 respectively; the AP holds Key 1, Key 2 and Key 3 (pairwise keys)]
14
  • MK ≠ PMK
      • Or AP could make access control decisions instead
        of AS
  • MK is fresh and bound to this session between STA
    and AS
  • PMK is bound to this STA and this AP

15
  • Four separate keys for two layers of protection:
    the EAPOL handshake and user data.
      • Data Encryption key
      • Data Integrity key
      • EAPOL-Key Encryption key
      • EAPOL-Key Integrity key
  • Pairwise transient key (PTK): the four keys

16
Temporal Key Computation
[Figure: key computation block. Inputs: PMK, Nonce 1, Nonce 2, MAC 1, MAC 2. Outputs: Data Encr, Data MIC, EAPOL Encr, EAPOL MIC.]
Nonce: N-once, a value N used only once.
17
802.11 Operational Phases
[Figure: operational phases between Station, Access Point and Authentication Server]
  • Security capabilities discovery
  • 802.1X authentication
  • RADIUS-based key distribution
  • 802.1X key management
  • Data protection (TKIP, AES-CCMP)
18
  • Discovery
      • AP advertises network security capabilities to
        STAs
  • 802.1x authentication
      • Mutually authenticate STA and AS
      • Generate Master Key as a side effect of
        authentication
      • Generate PMK as an access authorization token

19
  • RADIUS-based key distribution
      • AS moves PMK to the STA's AP
  • 802.1x key management
      • Bind PMK to STA and AP
      • Confirm both AP and STA possess PMK
      • Generate fresh PTK
      • Prove each peer is live
      • Synchronize PTK use
      • Distribute GTK

20
Discovery Overview
  • AP advertises capabilities in Beacon, Probe
    Response
  • SSID in Beacon, Probe provides hint for right
    authentication credentials
      • Performance optimization only; no security value
  • RSN Information Element advertises
      • All enabled authentication suites
      • All enabled unicast cipher suites
      • Multicast cipher suite
  • STA selects authentication suite and unicast
    cipher suite in Association Request

21
Discovery
[Figure: message flow between Station (STA) and Access Point (AP)]
  • STA → AP: Probe Request
  • AP → STA: Probe Response + RSN IE (AP supports CCMP Mcast, CCMP Ucast, 802.1X Auth)
  • STA → AP: 802.11 Open System Auth
  • AP → STA: 802.11 Open Auth (success)
  • STA → AP: Association Req + RSN IE (STA requests CCMP Mcast, CCMP Ucast, 802.1X Auth)
  • AP → STA: Association Response (success)
22
  • Conformant STA declines to associate if its own
    policy does not overlap with the AP's policy
  • Conformant AP rejects STAs that do not select
    from offered suites
  • 802.11 Open System Authentication retained for
    backward compatibility; no security value
  • No protection during this phase; capabilities
    are validated during key management
  • Capabilities advertised in an RSN Information
    Element (RSN IE)

23
Discovery Summary
  • At the end of discovery
      • STA knows
          • The alleged SSID of the network
          • The alleged authentication and cipher suites of
            the network
          • These allow STA to locate correct credentials,
            instead of trial use of credentials for every
            network
      • The AP knows which of its authentication and
        cipher suites the STA allegedly chose
      • A STA and an AP have established an 802.11
        channel
      • The associated STA and AP are ready to authenticate

24
Authentication Components
[Figure: protocol stack across Station, Access Point and Authentication Server. Layers shown: EAP-TLS, EAP, 802.1x (EAPoL), RADIUS, 802.11, UDP/IP.]
25
Authentication Overview
[Figure: message flow between STA, AP and AS]
  • STA: 802.1x blocks port for data traffic
  • AP: 802.1x blocks port for data traffic
  • AP → STA (802.1x): 802.1x/EAP-Request Identity
  • STA → AP (802.1x): 802.1x/EAP-Response Identity (EAP type specific)
  • AP → AS (RADIUS): RADIUS Access Request/Identity
  • STA ↔ AS: EAP type specific mutual authentication
  • STA: Derive Pairwise Master Key (PMK)
  • AS: Derive Pairwise Master Key (PMK)
  • AS → AP: RADIUS Accept (with PMK)
  • AP → STA: 802.1x/EAP-SUCCESS
26
Authentication Summary
  • At the end of authentication
      • The AS and STA have established a session, if
        the concrete EAP method does
      • The AS and STA possess a mutually authenticated
        Master Key, if the concrete EAP method does
      • Master Key represents decision to grant access
        based on authentication
      • STA and AS have derived PMK
      • PMK is an authorization token to enforce access
        control decision
      • AS has distributed PMK to an AP (hopefully, to
        the STA's AP)

27
Key Management Overview
[Figure: key management steps between STA, AP and AS]
  • Step 1: Use RADIUS to push PMK from AS to AP
  • Step 2: Use PMK and 4-Way Handshake to derive,
    bind, and verify PTK
  • Step 3: Use Group Key Handshake to send GTK from
    AP to STA
28
Step 2: 4-Way Handshake
[Figure: message flow between AP and STA; both hold the PMK]
  • AP: Pick Random ANonce
  • AP → STA: EAPoL-Key(Reply Required, Unicast, ANonce)
  • STA: Pick Random SNonce, Derive PTK = EAPoL-PRF(PMK, ANonce || SNonce || AP MAC Addr || STA MAC Addr)
  • STA → AP: EAPoL-Key(Unicast, SNonce, MIC, STA RSN IE)
  • AP: Derive PTK
  • AP → STA: EAPoL-Key(Reply Required, Install PTK, Unicast, ANonce, MIC, AP RSN IE)
  • STA → AP: EAPoL-Key(Unicast, MIC)
  • STA: Install TK
  • AP: Install TK
29
4-Way Handshake Discussion (1)
  • Assumes PMK is known only by STA and AP
      • So architecture requires a further assumption
        that AS is a trusted 3rd party
  • PTK derived, not transported
  • Guarantees PTK is fresh if ANonce or SNonce is
    fresh
  • Guarantees Messages 2, 4 are live if ANonce is
    fresh and unpredictable
  • Guarantees Message 3 is live if SNonce is fresh
    and unpredictable
  • PTK derivation binds PTK to STA, AP

30
[Figure: key computation block. Inputs: PMK, Nonce S, Nonce A, MAC S, MAC A. Outputs: Data Encr, Data MIC, EAPOL Encr, EAPOL MIC.]
Nonce: N-once, a value N used only once.
31
4-Way Handshake Discussion (2)
  • Message 1 tells STA
      • ANonce, MAC
  • Message 2 tells AP
      • Use EAPoL MIC key to compute MIC of EAPoL message
      • This allows AP to know that STA possesses PTK
      • AP derives temporal key
  • Message 3 tells STA
      • There is no man-in-the-middle
      • AP possesses PTK
      • Asserting Install bit in Message 3 synchronizes
        Temporal Key use (data link protections),
        starting seq no.
      • This message is unencrypted
  • Message 4 serves no cryptographic purpose
      • Used only because 802.1x state machine wants it
      • This is to ACK completion of the 4-way handshake
        and indicate that the STA has installed the keys
        and will start encryption.
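
The PTK derivation and the Message 2 MIC check from the 4-way handshake slides, as an added Python example that is not part of the original slides. The slides only give PTK = EAPoL-PRF(PMK, nonces, MAC addresses); the HMAC-SHA1 construction, the "Pairwise key expansion" label and the min/max ordering of the inputs follow IEEE 802.11i, and the PMK, nonces, MAC addresses and `MSG2` frame body are constructed placeholders.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, anonce, snonce, ap_mac, sta_mac) -> dict:
    """Derive the 512-bit PTK and split it into the four keys of slide 15."""
    # Inputs are sorted so AP and STA build the same byte string.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"kck": ptk[0:16],         # EAPOL-Key integrity key
            "kek": ptk[16:32],        # EAPOL-Key encryption key
            "tk": ptk[32:48],         # data encryption key
            "mic_keys": ptk[48:64]}   # data integrity (Michael) keys

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over an EAPoL-Key frame: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def ap_accepts_message2(ap_pmk, anonce, snonce, ap_mac, sta_mac, frame, mic) -> bool:
    """AP side: derive the PTK from its own PMK and ANonce, then verify the MIC."""
    kck = derive_ptk(ap_pmk, anonce, snonce, ap_mac, sta_mac)["kck"]
    return hmac.compare_digest(eapol_mic(kck, frame), mic)

# Constructed sample values (placeholders, not captured traffic).
PMK = hashlib.sha256(b"constructed PMK").digest()
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
MSG2 = b"EAPoL-Key(Unicast, SNonce, MIC=0, STA RSN IE)"  # stand-in for the frame bytes

if __name__ == "__main__":
    sta_keys = derive_ptk(PMK, ANONCE, SNONCE, AP_MAC, STA_MAC)
    mic = eapol_mic(sta_keys["kck"], MSG2)
    print("AP accepts:", ap_accepts_message2(PMK, ANONCE, SNONCE, AP_MAC, STA_MAC, MSG2, mic))
    fresh = hashlib.sha256(b"next ANonce").digest()
    print("replay under fresh ANonce:", ap_accepts_message2(PMK, fresh, SNONCE, AP_MAC, STA_MAC, MSG2, mic))
```

The second call shows the liveness property from slide 29: a Message 2 recorded under an old ANonce fails the MIC check once the AP picks a new one, because the key that computes the MIC is itself derived from the nonces.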

32
TKIP
[Figure: TKIP pairwise key hierarchy. Pairwise Master Key (PMK), 256 bits; derived keys are labelled "Protect Key Handshakes" and "Protect Data".]
33
AES-CCMP
[Figure: AES pairwise key hierarchy. Pairwise Master Key (PMK), 256 bits; derived keys are labelled "Protect Key Handshakes" and "Protect Data".]
34
802.11 Operational Phases
[Figure: operational phases between Station, Access Point and Authentication Server]
  • Security capabilities discovery
  • 802.1X authentication
  • RADIUS-based key distribution
  • 802.1X key management
  • Data protection (TKIP, AES-CCMP)
35
Temporal Key Integrity Protocol
  • TKIP has to be secure and available as an
    upgrade to WEP systems.
  • WEP implementations depend almost entirely on
    hardware assist functions.
  • The hardware assist functions in these earlier
    systems cannot support AES-CCMP.
  • TKIP uses the existing RC4 and upgrades the firmware.

36
Inside the MAC Chip
[Figure: components inside the MAC chip: microprocessor, hardware assist, firmware, RAM (random access memory)]
37
Changes from WEP to TKIP
  • Message integrity: add a message integrity
    protocol (Michael).
  • IV selection and use as a counter (sequence no.)
  • Per-packet key mixing
  • Increase the size of the IV.
  • Key management.

38
TKIP MPDU Format
[Figure: TKIP MPDU format. Labels: header part (Hlen; FC, Dur, A1, A2, A3, Seq Ctl, A4, QoS Ctl), packet number, expanded IV (IV16, IV32; bits b0, b4, b5, b6, b7), encrypted part (Data C-1 … C-n, MIC), FCS.]
39
Message Integrity
  • ICV offers no real protection at all.
  • All the well-known methods need a new
    cryptographic algorithm or require fast multiply
    operations.
  • Michael uses no multiplications, just shift and
    add operations.
  • Michael is vulnerable to brute force attacks.
  • Michael countermeasures.

40
TKIP MPDU Format
[Figure: TKIP MPDU format. Labels: header part (Hlen; FC, Dur, A1, A2, A3, Seq Ctl, A4, QoS Ctl), packet number, expanded IV (IV16, IV32; bits b0, b4, b5, b6, b7), encrypted part (Data C-1 … C-n, MIC), FCS.]
41
IV selection and use
  • IV size: 24 bits → 48 bits
  • IV is used as a sequence number to avoid replay
    attacks.
  • Throw out any message that has a TSC < that of
    the last message.
  • IV is constructed to avoid certain weak keys.

42
Per-packet key mixing
  • P1K ← phase 1 (TA_MAC, TSC_U, TK)
      • TSC_U: 32 bits
      • TK: 128 bits
      • P1K: 80 bits
  • P2K ← phase 2 (P1K, TSC_L, TK)
      • TSC_L: 16 bits

43
Creating the RC4 Encryption Key
[Figure: creating the RC4 encryption key. Labels: 48-bit IV value (32 bits and 16 bits), MAC address, session key, RC4 encryption key (24 bits and 104 bits).]
d is a dummy byte designed to avoid weak keys.
44
TKIP role in Transmission
[Figure: TKIP transmit path. Blocks: MSDU for transmission; Michael block (compute MIC, append MIC); fragmentation; IV generation; key mixing; add MAC header; RC4 block (encrypt, append IV / ICV). A key derivation block takes the master key and outputs the "128 MIC Key" and the "128 Encryption Key".]
45
AES-CCMP
  • Advanced Encryption Standard (AES), a block
    cipher, is the default mode for IEEE
    802.11i.
  • NIST approved AES in 2002.
  • AES was invented by J. Daemen and V. Rijmen and
    is called the Rijndael algorithm.
  • Original algorithm: block sizes and key sizes of
    128, 192, or 256 bits.
  • NIST AES: block size of 128 bits; key sizes of
    128, 192, or 256 bits.
  • IEEE 802.11i: block size and key size of 128 bits
  • AES is to CCMP what RC4 is to TKIP.

46
  • Counter mode
      • The receiving party who wants to decrypt the
        message must know the starting value of the
        counter and the rules for advancing it.
  • Properties
      • Only need to implement AES encryption.
      • Encryption can be done in parallel.
      • No need to break the message into an exact
        number of blocks.

47
Counter Mode
[Figure: counter mode. Counter values 1 to 11 are each encrypted with AES (E), and each result is XORed with the corresponding message block to give the cipher text.]
48
  • However, counter mode does not provide any
    message authentication, only encryption.
  • RSN: Counter mode + CBC-MAC = CCM
      • CBC: cipher block chaining

49
CCM Mode Overview
[Figure labels: Encrypted, Authenticated]
  • Use CBC-MAC to compute a MIC on the plaintext
    header, length of the plaintext header, and the
    payload
  • Use CTR mode to encrypt the payload
      • Counter values 1, 2, 3, …
  • Use CTR mode to encrypt the MIC
      • Counter value 0

50
[Figure: CCM computation. Labels: AES encryptions (E), block B0, padding, counter blocks A0, A1, …, Am.]
51
[Figure: MPDU layout with CCMP header. Labels: MAC header part (Hlen; FC, Dur, A1, A2, A3, Seq Ctl, A4, QoS Ctl), CCMP header with packet number (bits b0, b4, b5, b6, b7), encrypted part (Data C-1 … C-n, MIC C-0), FCS.]
52
CCMP Encryption Block
[Figure: CCMP encryption block. Inputs: plaintext MPDU, temporal key, packet number, source address, length. Blocks: start value of counter, 1st block CBC-MAC, counter, compute MIC and add to MPDU, encrypt MPDU with AES/counter mode. Output: encrypted MPDU.]
53
[Figure: panels (a) to (e). Labels: Authenticated data, Encrypted, Unencrypted.]
54
Summary
[Figure: operational phases between Station, Access Point and Authentication Server]
  • Security capabilities discovery
  • 802.1X authentication
  • 802.1X key management
  • RADIUS-based key distribution
  • Data protection (TKIP, AES-CCMP)