802.11 security
Courtesy of
William Arbaugh with Univ. of Maryland
Jesse Walker with Intel
Gunter Schafer with TU Berlin
Bernard Aboba with Microsoft
agenda
• 802.11 introduction
• WEP
• 802.11i vs WPA
• 802.1x
Basic service set (BSS)
• AP and STAs
Independent BSS
• Between STAs
authentication
• Two modes
– Open authentication
– WEP authentication
* WEP: wired equivalent privacy
Open Authentication
STA -> AP: Authenticate (request)
AP -> STA: Authenticate (success)
• AP always accepts authentication request
• instead, AP may use MAC address lists for security (access control)
WEP Authentication
Shared secret distributed out of band to STA and AP
STA -> AP: Authenticate (request)
AP -> STA: Challenge (nonce)
STA -> AP: Response (nonce RC4-encrypted under the shared key)
AP: decrypts the response; nonce OK?
AP -> STA: Authenticate (success)
• Authentication key distributed out-of-band
• Access Point generates a “randomly generated” challenge
• Station encrypts challenge using the pre-shared secret key
Which one is better?
• WEP authentication
– Hands an eavesdropper a matching plaintext/ciphertext pair
• Challenge: plaintext (nonce)
• Response: ciphertext (encrypted nonce)
• In reality, open authentication is the norm
– Right after authentication/association, STA and AP use the same secret key
40-bit --> 128-bit
ACL: access control list
WEP confidentiality and integrity (IC)
WEP Encapsulation
Before encapsulation: 802.11 Hdr | Data
After encapsulation:  802.11 Hdr | IV | Data | ICV   (Data and ICV are the encrypted part; the IV is sent in the clear)
Decapsulate: 802.11 Hdr | IV | Data | ICV -> Data
WEP Encapsulation Summary:
• Encryption Algorithm = RC4 (stream cipher)
• Per-packet encryption key = 24-bit IV concatenated to a pre-shared key
• WEP allows IV to be reused with any frame
• Data integrity provided by CRC-32 of the plaintext data (the “ICV”)
• Data and ICV are encrypted under the per-packet encryption key
IV is changing (per packet)
RC4 keystream
Encryption key K -> RC4 pseudo-random number generator -> random byte b
Plaintext data byte p, ciphertext data byte c = p ⊕ b
Decryption works the same way: p = c ⊕ b
K: 104 bits + IV: 24 bits = 128 bits shared key
IV collision
ICV (integrity check value)
But the ICV is linear, meaning for any polynomials p and q
$\mathrm{ICV}(p+q) = \mathrm{ICV}(p) + \mathrm{ICV}(q)$
This means that if q is an arbitrary nth degree polynomial, i.e., an arbitrary change in the underlying message data:
$(p+q)\,x^{32} + \mathrm{ICV}(p+q) + b = p\,x^{32} + q\,x^{32} + \mathrm{ICV}(p) + \mathrm{ICV}(q) + b$
$= \bigl((p\,x^{32} + \mathrm{ICV}(p)) + b\bigr) + \bigl(q\,x^{32} + \mathrm{ICV}(q)\bigr)$
(Here $p\,x^{32}$ is the message shifted left by 32 bits to make room for the ICV, $+$ is XOR over GF(2), and $b$ is the RC4 keystream. The first bracket is the original encrypted frame; the second does not involve $b$, so the change to the message and its ICV can be applied without knowing the key.)
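The encapsulation and the ICV identity above, worked in code. This is an added example, not code from the slide authors: a minimal RC4, WEP encapsulate/decapsulate (key ID byte and 802.11 header omitted), the linearity identity checked against Python's standard CRC-32, and, for contrast, the keyed MIC that WEP lacks. All keys, IVs and frame contents are constructed.

```python
import hashlib
import hmac
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XORed over data; encryption and decryption are identical."""
    s = list(range(256))
    j = 0
    for i in range(256):                         # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                            # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame body = IV (3 bytes, clear) || RC4_{IV||key}(data || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)  # 40-bit or 104-bit key
    return iv + rc4(iv + key, data + icv(data))


def wep_decapsulate(key: bytes, frame: bytes):
    """Return (data, icv_ok); the ICV check is all the integrity WEP has."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    data, tag = plain[:-4], plain[-4:]
    return data, tag == icv(data)


def apply_change_without_key(frame: bytes, q: bytes) -> bytes:
    """The slide's identity: E(p) XOR (q || dICV) decrypts to p XOR q with a
    valid ICV, and b (the keystream) never appears. The IEEE CRC-32 used by
    WEP has an init value and final XOR, so it is affine rather than strictly
    linear: ICV(p+q) = ICV(p) + ICV(q) + ICV(0...0), hence the extra term."""
    assert len(q) == len(frame) - 7              # q covers exactly the data bytes
    d_icv = xor(icv(q), icv(bytes(len(q))))
    return frame[:3] + xor(frame[3:], q + d_icv)


def iv_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """With the same IV the keystreams cancel: c1 XOR c2 = (p1||ICV1) XOR (p2||ICV2)."""
    assert frame1[:3] == frame2[:3]
    return xor(frame1[3:], frame2[3:])


def keyed_mic(mic_key: bytes, data: bytes) -> bytes:
    """What a keyed MIC looks like (HMAC); a change to data without the key
    cannot be matched with a correct tag, unlike the CRC-32 ICV."""
    return hmac.new(mic_key, data, hashlib.sha256).digest()
```

The linearity demonstration is exactly the equation on the slide; the affine correction term is the only detail the slide's polynomial view hides. A keyed MIC is the fix the later "WEP deficiencies" slide calls for ("No keyed MIC").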
Two modes in WEP keys
• Default keys
– Every STA shares the same key
• Key mapping keys
– Every STA uses its own key
default keys
Total 4 keys: 2 for AP + 2 for STAs
Why two for each direction?
Key mapping keys
• Different key for each user
• Still default key is necessary
– For broadcast messages
• optional
p=cb
b=cp
802.11i approach
• Separation of authentication and data
integrity
• Leverage higher layer protocol for
authentication
802.1x, EAP, RADIUS:
authentication and
access control
* These are not originally intended for WLAN
Authentication for dial-in users
User (Supplicant) --PSTN (POTS)--> POP: NAS or RAS (Authenticator) --RADIUS--> Authentication Server (AS) with central database
(NAS, AS and central database sit inside the Enterprise or ISP Network)
• Supplicant: an entity that wants to have access
• Authenticator: an entity that controls the access gate
• Authentication server: an entity that decides
whether the supplicant is to be admitted
Access control illustration
1. Authenticator is alerted by the supplicant
2. Supplicant identifies himself
3. Authenticator requests authorization from
the authentication server
4. Authentication server indicates YES or NO
5. Authenticator allows or blocks access
• Three party interaction
• authenticator opens the channel only after
authentication/access control is performed
• authenticator is like doorkeeper
Network Access Server
(NAS) in Ethernet
• To offer economical Ethernet-based access we need a
new class of network access server – the EtherNAS.
• The EtherNAS is managed like a dialup NAS but offers
thousands of times the bandwidth.
• IEEE 802.11 APs supporting 802.1X and RADIUS are
the first (but not the last) EtherNASes
• Key standards include:
– IEEE 802
– IETF RFC 2865 - 2869: RADIUS
– IEEE 802.1X: Network Port Authentication
How about central database in NAS?
Why Do Auth at the Link Layer?
• It’s fast, simple, and inexpensive
– Most popular link layers support it: PPP, IEEE 802
– Cost matters if you’re planning on deploying 1 million ports!
• Client doesn’t need network access to authenticate
– No need to resolve names, obtain an IP address prior to auth
• NAS devices need minimal layer 3 functionality
– 802.11 access points, 1 Gbps switch ports go for $300,
support 802.1D, 802.1X, SNMP & RADIUS, may have no layer
3 filtering support
– Authentication, AAA support typically a firmware upgrade
• In a multi-protocol world, doing auth at link layer
enables authorizing all protocols at the same time
– Doing it at the network layer would mean adding authentication
within IPv4, IPv6, AppleTalk, IPX, SNA, NetBEUI
– Would also mean authorizing within multiple layers
– Result: more delay
What is IEEE 802.1X?
• The IEEE standard for authenticated and autoprovisioned LANs.
• A framework for authentication and key management
– IEEE 802.1X derives keys which can be used to provide per-packet authentication, integrity and confidentiality
– Typically used along with well-known key derivation algorithms
(e.g. TLS, SRP, etc.)
– IEEE 802.1X does not mandate security services – can do
authentication, or authentication & encryption
– Encryption alone not recommended (but that’s what WEP does)
• What 802.1X is not
– Purely a wireless standard – it applies to all IEEE 802
technologies (e.g. Ethernet First Mile applications)
– A cipher – not a substitute for WEP, RC4, DES, 3DES, AES, etc.
• But 802.1X can be used to derive keys for any cipher
– A single authentication method
• But 802.1X can support many authentication methods without
changes to the AP or NIC firmware
What is EAP?
• The Extensible Authentication Protocol (RFC 2284)
– Provides a flexible link layer security framework
– Simple encapsulation protocol
• No dependency on IP
• ACK/NAK, no windowing
• No fragmentation support
– Few link layer assumptions
• Can run over any link layer (PPP, 802, etc.)
• Does not assume physically secure link
– Methods provide security services
• Assumes no re-ordering
• Can run over lossy or lossless media
– Retransmission responsibility of authenticator (not needed for 802.1X or 802.11)
• EAP methods based on IETF standards
– Transport Level Security (TLS) (supported in Windows 2000)
– Secure Remote Password (SRP)
– GSS_API (including Kerberos)
EAP Architecture (layered, top to bottom)
Method layer: AKA, SIM, TLS, SRP
  EAP APIs
EAP layer: EAP
  NDIS APIs
Media layer: PPP, 802.3, 802.5, 802.11
EAPOL frame types: EAPOL-Start, EAPOL-Logoff, EAPOL-Key
What is RADIUS?
• Remote Access Dial In User Service
• Supports authentication, authorization, and accounting for network access
– Physical ports (analog, ISDN, IEEE 802)
– Virtual ports (tunnels, wireless)
• Allows centralized administration and accounting
• IETF status
– Proposed standard
• RFC 2865, RADIUS authentication/authorization
• RFC 2618-2621, RADIUS MIBs
– Informational
• RFC 2866, RADIUS accounting
• RFC 2867-8, RADIUS Tunneling support
• RFC 2869, RADIUS extensions
• RFC 3162, RADIUS for IPv6
802.1X Topologies
Semi-Public Network / Enterprise Edge: STA (Supplicant, PAE) <-> AP (Authenticator, PAE)
Enterprise or ISP Network: AP <--RADIUS--> Authentication Server
PAE: Port Access Entity
802.1X Security Philosophy
• Approach: a flexible security framework
– Implement security framework in upper layers
– Enable plug-in of new authentication, key management methods
without changing NIC or Access Point
– Leverage main CPU resources for cryptographic calculations
• How it works
– Security conversation carried out between supplicant and
authentication server
– NIC, Access Point acts as a pass through device
• Advantages
– Decreases hardware cost and complexity
– Enables customers to choose their own security solution
– Can implement the latest, most sophisticated authentication and key
management techniques with modest hardware
– Enables rapid response to security issues
IEEE 802.1X Conversation
Parties: laptop computer <--EAPOL (Ethernet)--> switch <--RADIUS--> RADIUS server
1. Laptop -> Switch: port connect (access blocked)
2. Laptop -> Switch: EAPOL-Start
3. Switch -> Laptop: EAP-Request/Identity
4. Laptop -> Switch: EAP-Response/Identity
5. Switch -> RADIUS server: Radius-Access-Request
6. RADIUS server -> Switch: Radius-Access-Challenge
7. Switch -> Laptop: EAP-Request
8. Laptop -> Switch: EAP-Response (credentials)
9. Switch -> RADIUS server: Radius-Access-Request
10. RADIUS server -> Switch: Radius-Access-Accept
11. Switch -> Laptop: EAP-Success (access allowed)
802.1X on 802.11
Parties: laptop computer <--802.11 / EAPOW--> wireless access point <--RADIUS (Ethernet)--> RADIUS server
1. Laptop -> AP: 802.11 Associate-Request (association; access blocked)
2. AP -> Laptop: 802.11 Associate-Response
3. Laptop -> AP: EAPOW-Start
4. AP -> Laptop: EAP-Request/Identity
5. Laptop -> AP: EAP-Response/Identity
6. AP -> RADIUS server: Radius-Access-Request
7. RADIUS server -> AP: Radius-Access-Challenge
8. AP -> Laptop: EAP-Request
9. Laptop -> AP: EAP-Response (credentials)
10. AP -> RADIUS server: Radius-Access-Request
11. RADIUS server -> AP: Radius-Access-Accept
12. AP -> Laptop: EAP-Success
13. AP -> Laptop: EAPOW-Key (WEP); access allowed
Why?
802.1X authentication in 802.11
• IEEE 802.1X authentication occurs after 802.11
association or reassociation
– Association/Reassociation serves as “port up” within 802.1X
state machine
– Prior to authentication, access point filters all non-802.1X
traffic from client
– If 802.1X authentication succeeds, access point removes the
filter
• 802.1X messages sent to destination MAC address
– Client, Access Point MAC addresses known after 802.11
association
• No need to use 802.1X multicast MAC address in EAP-Start, EAP-Request/Identity messages
– Prior to 802.1X authentication, access point only accepts
packets with source = Client and Ethertype = EAPOL
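The three-party conversation and the port filter described above, as an added toy model (not the slide authors' code). The supplicant, authenticator and authentication server are Python objects exchanging the EAP/RADIUS message names from the slides; the EAP method is a constructed challenge/response stand-in (HMAC over a server challenge), chosen only so the exchange runs offline. Usernames, passwords and MAC addresses are constructed.

```python
import hashlib
import hmac
import secrets

ETHERTYPE_EAPOL = 0x888E   # the only Ethertype the port passes before success
ETHERTYPE_IP = 0x0800


class AuthServer:
    """RADIUS side: holds the user database and answers YES/NO."""

    def __init__(self, users: dict):
        self.users = users            # username -> password (constructed)
        self.pending = {}             # username -> outstanding challenge

    def access_request(self, username, response=None):
        if username not in self.users:
            return "Access-Reject", None
        if response is None:          # first round: issue a challenge
            chal = secrets.token_bytes(16)
            self.pending[username] = chal
            return "Access-Challenge", chal
        chal = self.pending.pop(username, None)
        if chal is None:
            return "Access-Reject", None
        expect = hmac.new(self.users[username].encode(), chal, hashlib.sha256).digest()
        if hmac.compare_digest(expect, response):
            return "Access-Accept", None
        return "Access-Reject", None


class Authenticator:
    """AP or switch port: relays EAP untouched and gates all other traffic."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.authorized = set()       # client MACs whose controlled port is open
        self.identity = {}            # client MAC -> claimed identity

    def port_filter(self, src_mac: str, ethertype: int) -> str:
        """Rule from the slides: until 802.1X succeeds, only EAPOL frames from
        the client are accepted; afterwards the filter is removed."""
        if src_mac in self.authorized:
            return "forward"
        return "forward" if ethertype == ETHERTYPE_EAPOL else "drop"

    def eap(self, src_mac: str, msg: tuple) -> tuple:
        kind, payload = msg
        if kind == "EAPOL-Start":
            return ("EAP-Request/Identity", None)
        if kind == "EAP-Response/Identity":
            self.identity[src_mac] = payload
            code, chal = self.server.access_request(payload)
            return ("EAP-Request", chal) if code == "Access-Challenge" else ("EAP-Failure", None)
        if kind == "EAP-Response":
            code, _ = self.server.access_request(self.identity.get(src_mac), payload)
            if code == "Access-Accept":
                self.authorized.add(src_mac)      # step 5 of the slides: allow
                return ("EAP-Success", None)
        return ("EAP-Failure", None)


def supplicant_login(auth: Authenticator, mac: str, username: str, password: str) -> str:
    """Drive the conversation from the supplicant side; return the final EAP code."""
    auth.eap(mac, ("EAPOL-Start", None))
    kind, chal = auth.eap(mac, ("EAP-Response/Identity", username))
    if kind != "EAP-Request":
        return kind
    resp = hmac.new(password.encode(), chal, hashlib.sha256).digest()
    kind, _ = auth.eap(mac, ("EAP-Response", resp))
    return kind
```

The authenticator never interprets the credential itself, which is the pass-through property the slides rely on. The stand-in method authenticates only the client; the slides recommend EAP methods with mutual authentication (TLS, SRP, tunneled TLS), since a client that cannot verify the server side has no assurance about who receives its credentials or the derived key.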
802.1X and Per-STA Session Keys
• How does 802.1X derive per-Station unicast session keys?
– Can use any EAP method supporting secure dynamic key derivation
• EAP-TLS (RFC 2716)
• EAP-SRP
• EAP-AKA, EAP-SIM (for compatibility with cellular)
• Security Dynamics
– Keys derived on client and the RADIUS server
– RADIUS server transmits key to access point
• RADIUS attribute encrypted on a hop-by-hop basis using shared secret shared by RADIUS client and server
– Unicast keys can be used to encrypt subsequent traffic, including EAPOW-key packet (for carrying multicast/global keys)
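The hop-by-hop protection of the key the RADIUS server hands to the access point, as an added example (not the slide authors' code). The slides only say the attribute is encrypted under the shared secret; the construction below is modeled on the MS-MPPE-Recv-Key attribute of RFC 2548 section 2.4.2 (MD5 in a chained keystream mode, keyed by the shared secret and the Request-Authenticator of the Access-Request), which is the attribute 802.1X deployments of this era used. The secret, authenticator, salt and key are constructed.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(secret: bytes, request_authenticator: bytes, key: bytes, salt: bytes) -> bytes:
    """Protect a session key for the RADIUS server -> NAS hop.
    P = len(key) || key || zero padding to 16-byte blocks
    b1 = MD5(secret || Request-Authenticator || salt), c1 = p1 XOR b1
    bi = MD5(secret || c(i-1)),                        ci = pi XOR bi
    The attribute value sent is salt || c1 || c2 || ..."""
    assert len(request_authenticator) == 16
    assert len(salt) == 2 and salt[0] & 0x80       # RFC 2548: high bit of salt set
    plain = bytes([len(key)]) + key
    plain += bytes(-len(plain) % 16)
    out = b""
    prev = request_authenticator + salt
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + prev).digest()
        c = _xor(plain[i:i + 16], block)
        out += c
        prev = c
    return salt + out


def unwrap_key(secret: bytes, request_authenticator: bytes, attr: bytes) -> bytes:
    """Inverse on the NAS (the access point), which knows the same shared secret
    and saw the Request-Authenticator it sent."""
    salt, cipher = attr[:2], attr[2:]
    plain = b""
    prev = request_authenticator + salt
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        plain += _xor(cipher[i:i + 16], block)
        prev = cipher[i:i + 16]
    return plain[1:1 + plain[0]]
```

"Hop-by-hop" means exactly this: the access point decrypts the key, so every RADIUS proxy on the path and the AP itself sees it in clear, and the strength of the protection is the strength of the shared secret. The scheme also carries no integrity of its own; the Message-Authenticator attribute and, in later deployments, an encrypted transport between NAS and server are what guard the hop.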
802.1X Authentication
• 802.1X users identified by usernames, not MAC
addresses
– Enables user-based authentication, authorization, accounting
• For use with 802.1X, EAP methods supporting mutual
authentication are recommended
– Need to mutually authenticate to guarantee key is transferred to
the right entity
– Prevents man-in-the-middle and rogue server attacks
• Common EAP methods support mutual authentication
– TLS: server and client must supply a certificate, prove
possession of private key
– SRP: permits mutual authentication via weak shared secret
without risk of dictionary attack on the wire
– Tunneled TLS: enables any EAP method to run, protected by
TLS
Advantages of IEEE 802.1X
• Open standards based
– Leverages existing standards: EAP (RFC 2284),
RADIUS (RFC 2865, 2866, 2867, 2868, 2869)
– Enables interoperable user identification, centralized
authentication, key management
– Enables automated provisioning of LAN connectivity
• User-based identification
– Identification based on Network Access Identifier
(RFC 2486) enables support for roaming access in
public spaces (RFC 2607).
– Enables a new class of wireless Internet Access
• Dynamic key management
– Improved security for wireless (802.11) installations
WEPv1.0 w/802.1X
• Improved key derivation
– Per-user unicast keys instead of global unicast key
– Unicast key may be changed periodically to avoid
staleness
– Support for standards-based key derivation techniques
• Examples: TLS, SRP
• Additional fixes still under discussion
– Authentication for reassociate, disassociate
• WEP deficiencies still present
– No keyed MIC
– Improper usage of RC4 stream cipher
– No IV replay protection
• Long term solution: Need a “real” cipher!
– AES proposals under discussion
802.1X Implementations
• Implementations available now
– IEEE 802.1X support included in Windows XP
– Firmware upgrades available from AP and NIC vendors
– Interoperability testing underway
• 802.1X OS support
– Microsoft: Windows XP
– Cisco: Windows 9x, NT4, 2000, Mac OS, Linux
• RADIUS servers supporting EAP
– Microsoft Windows 2000 Server
– Cisco ACS
– Funk RADIUS
– Interlink Networks (formerly MERIT) RADIUS server
Advertising Security Options
• Modeled on “supported rates”
• AP advertises security options in probe
response
– Placed in probe response only if STA requests
it in probe request
• STAs collect this information prior to association and can make association and roaming decisions based upon it
Selecting security options
• STA requests security options in
association request from available
options contained in probe response
• AP accepts/rejects association based
on request contents
• No additional protocol handshakes
necessary
– No impact on roaming performance
802.11i Key Hierarchy
• Separation of authentication and
message protection
• Authentication: server-based key
– Established in advance
• Communication: temporal (session)
key
– Pairwise key
– Group key
Pairwise key
• Different for each STA
• PMK is derived from server-based key
– Pairwise master key (PMK)
– At server and at STA by themselves
– Server delivers PMK to AP by RADIUS
• Then 4 temporal keys derived from PMK
– Data encryption key
– Data integrity key
– EAPOL-Key encryption key
– EAPOL-Key integrity key
• The collection of temporal keys is referred to as pairwise transient key (PTK)
Group key
• For broadcast, multicast
• Group master key (GMK)
– AP chooses randomly
• Group transient key (GTK)
– Delivered over the secure link protected by the pairwise keys
– When a node leaves, GTK is changed
– Group encryption key
– Group integrity key
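The pairwise and group hierarchies above, as an added example (not the slide authors' code). The PRF and the "Pairwise key expansion" / "Group key expansion" labels are the IEEE 802.11i constructions (HMAC-SHA1 in counter mode, with the two MAC addresses and two nonces sorted so both sides compute the same input); the slides do not spell them out. The split of the PTK into the four temporal keys follows the slides' names, with the TKIP byte layout. PMK, addresses and nonces are constructed; in a deployment the PMK arrives at the AP from the RADIUS server as described earlier.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    AA is the AP address, SPA the station address. Sorting makes AP and STA
    compute the same key without agreeing on an order."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    return {
        "eapol_key_integrity_key": ptk[0:16],    # KCK: MIC over EAPOL-Key frames
        "eapol_key_encryption_key": ptk[16:32],  # KEK: wraps the GTK for delivery
        "data_encryption_key": ptk[32:48],       # TK
        "data_integrity_key": ptk[48:64],        # TKIP MIC keys (TX 8 bytes, RX 8 bytes)
    }


def derive_gtk(gmk: bytes, aa: bytes, gnonce: bytes) -> dict:
    """GTK = PRF-256(GMK, "Group key expansion", AA || GNonce)."""
    gtk = prf(gmk, b"Group key expansion", aa + gnonce, 256)
    return {"group_encryption_key": gtk[0:16], "group_integrity_key": gtk[16:32]}


class AccessPointGroupKeys:
    """The AP's side of the group hierarchy: it picks the GMK at random and
    derives a fresh GTK whenever membership changes."""

    def __init__(self, aa: bytes):
        self.aa = aa
        self.gmk = secrets.token_bytes(32)       # AP chooses randomly
        self.gtk = self.rekey()

    def rekey(self) -> dict:
        self.gnonce = secrets.token_bytes(32)
        self.gtk = derive_gtk(self.gmk, self.aa, self.gnonce)
        return self.gtk

    def station_left(self) -> dict:
        # The departed STA still holds the old GTK, so a new one is derived and
        # sent to each remaining STA under that STA's EAPOL-Key encryption key.
        return self.rekey()
```

Two properties worth checking in practice: deriving the PTK with the roles swapped gives the same keys (both sides sort the inputs), and changing either nonce changes every temporal key, which is what makes a PTK a per-session key even though the PMK may be reused across sessions. A GTK, by contrast, must be rotated by the AP; no station can do it.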