Transcript EAP

Beyond Traditional IEEE 802.11 Security
Marie Waldrick
May 5, 2003
Outline
• Characterizing Wireless Networks
• Wireless technology, 802.11 currently
• 802.1X
• EAP Architecture
• 802.1X/EAP
• Future Trends: 802.1X/EAP/TKIP
• Conclusion: 802.11i
Characterizing Wireless Networks
• Ad hoc only requires wireless devices on each computer.
• Infrastructure requires wireless devices on each computer AND a base station (with built-in DHCP server and firewall).
Peer-to-Peer (Ad hoc)
Wireless devices have no access point connection; each device communicates with the others directly.
Client/Server (infrastructure networking)
Extends an existing wired LAN to wireless devices by adding an access point (bridge and central controller).
Advantages to Infrastructure Mode
• Automatic use of a Network Address Translation (NAT) firewall, which blocks all port requests from outside.
• Local reserved IP addresses are used only by clients; those IP addresses will not show up on the Internet.
• The DHCP server (gateway) built into this NAT firewall does not require that any one computer be on (and functioning) in order to use the connection.
Wireless Networks
• By nature, wireless networks need to advertise their beacons to show their existence.
The IEEE 802.11 standard
• Service set identifier (SSID)
  Beacon frames that broadcast the network parameters are sent unencrypted.
• Media Access Control (MAC) address filtering
  802.11 uses 48-bit station identifiers in the frame headers.
  - Check the MAC address to ensure the station has access.
  - Not part of the 802.11 standard, but used anyway to identify stations.
• Wired Equivalent Privacy (WEP)
  Was supposed to provide authentication and privacy.
  Secret 40-bit keys, but unsafe at any length.
  Static, manually configured keys.
  Weakness due to the long life of the keys, which are shared among many users.
802.1X Standard
- Solves the user authentication problem
- Standard for passing EAP over a wired or wireless LAN
- EAP messages are packaged in Ethernet frames and don't use PPP
- It is only authentication
- Provides a security framework for port-based access control
- Resides in the upper layers to enable new authentication and key management methods without changing current network devices
- The latest security technology should still work with your existing infrastructure
802.1X architecture overview
[Diagram: Client (Supplicant) -- AP (Authenticator) -- Authentication Server]
- Concrete authentication protocol: EAP carries the concrete authentication protocol between Supplicant and Authentication Server
- 802.1X: carries EAP over the 802 LAN between Supplicant and Authenticator
- RADIUS/UDP/IP: carries EAP between Authenticator and Authentication Server
802.1x connection
• A client device connects to a port on an 802.1x switch/AP.
• The switch port can determine the authenticity of the device.
• The services offered by the switch can be made available on that port.
• Only EAPOL frames can be sent and received on that port until authentication is complete.
• When the device is properly authenticated, the port switches traffic.
EAP Transport "Authentication" Protocol
[Diagram: Client -- Access point -- Authentication Server, with the five numbered steps below]
1 - Client associates with the blocked access point
2 - User provides login authentication credentials
3 a) Server <-> user authentication
  b) Server delivers the unicast WEP key to the access point
4 - Access point delivers the broadcast WEP key, encrypted with the unicast WEP key, to the client
5 - Client and access point activate WEP and use the unicast and broadcast WEP keys for transmission
Unicast: communication between a single host and a single receiver; packets sent to a unicast address are delivered to the interface identified by that address.
Multicast: communication between a single host and multiple receivers; multicast sends packets to a subnet, and defined devices listen for multicast packets.
What is EAP
• Beyond simple user names and passwords
• Easily encapsulated within any data link protocol
• Provides a generalized framework for all sorts of authentication methods
• Simpler interoperability and compatibility across authentication methods
• For example, when you dial a remote access server (RAS) and use EAP as part of your PPP connection, the RAS doesn't need to know any of the details about your authentication system. Only you and the authentication server have to be coordinated.
• The RAS gets out of the authentication business and just repackages EAP packets to hand off to a RADIUS server, which makes the actual authentication decision.
EAPoL packet structure
Destination Ethernet Addr | Source Ethernet Addr | Ether type = 888E | Vers | Type | Body Length | Body (e.g. EAP frame)
EAP messages are packaged in Ethernet frames and don't use PPP.
A typical EAPOL protocol run
Supplicant -> Authenticator: EAPOL start
Authenticator -> Supplicant: EAP request/identity
Supplicant -> Authenticator: EAP response/identity
Authenticator -> Supplicant: EAP request/MD5-challenge
Supplicant -> Authenticator: EAP response/MD5-challenge
Authenticator -> Supplicant: EAP success
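A worked example, added here and not part of the original slides: the controlled-port rule from the 802.1x connection slide (only EtherType 0x888E passes before authentication), a parser for the EAPOL header and the EAP packet it carries, and the authentication-server side check of the MD5-challenge response from the protocol run above. The MD5 value is computed as in PPP CHAP, MD5(Identifier | secret | challenge); the password and challenge bytes in the test are constructed sample values.

```python
import hashlib
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}

def controlled_port_allows(frame, authorized):
    """802.1X controlled port: until authentication succeeds only EAPOL (0x888E) passes."""
    ethertype = struct.unpack("!H", frame[12:14])[0]   # after the 6-byte dst and src MACs
    return authorized or ethertype == EAPOL_ETHERTYPE

def eapol_frame(ptype, body=b""):
    """Build an EAPOL PDU: Version(1) | Type(1) | Body Length(2) | Body."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body

def eap_packet(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]."""
    type_part = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(type_part)) + type_part

def parse_eapol(pdu):
    """Parse the EAPOL header and return the body it announces (rejecting truncation)."""
    version, ptype, body_len = struct.unpack("!BBH", pdu[:4])
    body = pdu[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated EAPOL body")
    return {"version": version, "type": EAPOL_TYPES.get(ptype, ptype), "body": body}

def parse_eap(body):
    """Parse an EAP packet; only Request/Response carry a Type and Type-Data."""
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2):
        pkt["type"] = EAP_TYPES.get(body[4], body[4])
        pkt["data"] = body[5:length]
    return pkt

def md5_challenge_value(ident, password, challenge):
    """MD5-Challenge value, CHAP style: MD5(Identifier | secret | challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_md5_response(ident, password, challenge, type_data):
    """Authentication-server check of Response/MD5-Challenge.
    Type-Data = Value-Size(1) | Value | Name (the Name is not part of the hash)."""
    size = type_data[0]
    return type_data[1:1 + size] == md5_challenge_value(ident, password, challenge)
```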
[Diagram: WEP encapsulation. IV | shared secret key -> RC4 keystream. Plaintext S | D | body with a CRC-32 ICV appended is XORed with the keystream. Output: IV | ciphertext.]
[Diagram: TKIP encapsulation. Temporal key + MAC addr -> phase 1 key mixing (P1); P1 result + SEQ # -> phase 2 key mixing (P2) -> per-packet key -> RC4. A keyed hash over S | D | body under the integrity key produces the MIC appended to the body. Output: IV/SEQ | ciphertext.]
TKIP (Temporal Key Integrity Protocol)
• Addresses weak IVs, IV collisions
• Firmware upgrade deployable to existing 802.11 hardware
• Components
  - Cryptographic message integrity code
  - Packet sequencing
  - Per-packet key generation
  - Re-keying mechanism
TKIP-MIC
• Sender and receiver share a 64-bit secret integrity key K
• MIC = H_K(src MAC | dst MAC | frame body)
• If the receiver's computation matches the MIC sent, then the message is presumed authentic
• If 2 forgeries in a second, then assume under attack
  - Delete keys, disassociate, and reassociate
TKIP-Packet Sequencing
• Reuse 16 bits of the WEP IV packet field for the sequence number
• Initialize the sequence # to 0 for a new encryption key
• Increment the sequence # by 1 on each packet
• Discard any packet out of sequence
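A worked example covering the TKIP-MIC and TKIP-Packet Sequencing slides, added here and not part of the original slides: the TKIP message integrity code is the Michael algorithm (64-bit key, 64-bit tag, computed over DA | SA | priority | 3 zero bytes | body), and the receiver below combines the sequence-number replay check, MIC verification, and the forgery counter that triggers the delete-keys/disassociate countermeasure. The forgery threshold and time window are parameters; the MACs, key and body used in the test are constructed sample values.

```python
import struct
import time

def _rol(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
def _ror(x, n): return ((x >> n) | (x << (32 - n))) & 0xFFFFFFFF
def _xswap(x): return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def michael(key, msg):
    """Michael keyed MIC: 64-bit key -> 64-bit tag, the TKIP message integrity code."""
    l, r = struct.unpack("<II", key)
    msg += b"\x5a" + b"\x00" * (4 + (-(len(msg) + 1)) % 4)   # pad: 0x5a then 4..7 zero bytes
    for (w,) in struct.iter_unpack("<I", msg):               # one 32-bit little-endian word at a time
        l ^= w
        r ^= _rol(l, 17); l = (l + r) & 0xFFFFFFFF
        r ^= _xswap(l);   l = (l + r) & 0xFFFFFFFF
        r ^= _rol(l, 3);  l = (l + r) & 0xFFFFFFFF
        r ^= _ror(l, 2);  l = (l + r) & 0xFFFFFFFF
    return struct.pack("<II", l, r)

def tkip_mic(integrity_key, dst_mac, src_mac, priority, body):
    """MIC input as TKIP defines it: DA | SA | priority | 3 zero bytes | frame body."""
    return michael(integrity_key, dst_mac + src_mac + bytes([priority, 0, 0, 0]) + body)

class TkipReceiver:
    """Replay check on the sequence counter, MIC verification, and forgery counting."""
    def __init__(self, integrity_key, forgery_limit=2, window_s=1.0):
        self.key, self.limit, self.window = integrity_key, forgery_limit, window_s
        self.last_seq = -1            # sequence # starts at 0 for a fresh key
        self.forgeries = []           # timestamps of recent MIC failures
        self.countermeasures = False  # set once the forgery threshold is reached

    def receive(self, seq, dst_mac, src_mac, priority, body, mic, now=None):
        if self.countermeasures:
            return "dropped: keys deleted, reassociate"
        if seq <= self.last_seq:                          # out of sequence: discard
            return "dropped: replay/out of sequence"
        if tkip_mic(self.key, dst_mac, src_mac, priority, body) != mic:
            now = time.monotonic() if now is None else now
            self.forgeries = [t for t in self.forgeries if now - t <= self.window] + [now]
            if len(self.forgeries) >= self.limit:         # assume under attack
                self.countermeasures = True               # delete keys, disassociate, reassociate
                return "dropped: forgery threshold reached, countermeasures"
            return "dropped: MIC failure"
        self.last_seq = seq
        return "accepted"
```

The zero-key, empty-message Michael test vector (82925c1ca1d130b8) is the one published with the algorithm, so the test pins the implementation to it.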
TKIP-Per-packet Key
• Phase 1:
  - Key_mix(128-bit temporal key, 48-bit MAC) = 128-bit result
  - Ensures a unique key if clients share the same temporal key
• Phase 2:
  - Key_mix(phase 1 result, seq #) = 128-bit per-packet key
  - Incrementing the seq # ensures a unique key for each packet
• Keystream = RC4(128-bit per-packet key)
TKIP-Rekeying
• Key hierarchy
  - Master key
    • Established via 802.1x or manually
    • Used to securely communicate key encryption keys
  - Key encryption keys (2)
    • Secure messages containing keying material for deriving temporal keys
    • Key 1: encryption; Key 2: integrity
  - Temporal keys (2)
    • Key 1: encrypting data; Key 2: data integrity
TKIP
• If the master key is compromised, then TKIP is voided
• The lack of PKI represents a huge issue on the AP side.
Standard EAP with TKIP WLAN Design
Attack Mitigation Roles for Standard EAP WLAN Design
802.1X/EAP with TKIP
Threats mitigated
• Wireless packet sniffers
  - per-packet keying
  - key rotation
• Unauthenticated access
  - only authenticated users are able to access the wireless and wired network
  - optional access control on the Layer 3 switch limits wired network access
• MITM
  - the mutual authentication nature of several EAP authentication types, combined with the MIC, can prevent hackers from inserting themselves in the path of wireless communications.
802.1X/EAP with TKIP
Additional Threats mitigated
• IP spoofing
  - have to first authenticate to the WLAN
  - the Layer 3 switch restricts any spoofing to the local subnet range
• ARP spoofing
  - have to first authenticate to the WLAN
• Network topology discovery
  - have to first authenticate to the WLAN
  - the network is known to exist by its SSID, but cannot be accessed.
802.1X/EAP with TKIP
Threats not mitigated
• Password attack
  - passive monitoring of 802.1X/EAP exchanges between the client and the access point
  - Protected EAP mitigates this by establishing a TLS tunnel from the client to the server before asking for user authentication credentials.
IETF-802.11i
Determines the authentication, encryption and MAC algorithms, selected by the server's default cipher suite.
[Diagram: Supplicant -- Network Access Server (NAS) -- Back End (EAP) Server. The EAP conversation (over PPP, 802.11, etc.) runs end to end through the EAP method; the NAS and the back-end server share a trust relationship; the EAP method negotiates a CipherSuite such as TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA and derives the keys for the link-layer CipherSuites.]
IEEE 802.11i
• Embraces 802.1x and TKIP
• Replaces RC4 with AES for encryption and integrity
• 48-bit sequence counter, 128-bit key
• Requires a coprocessor, therefore new hardware deployment
Summary
• Mobile communication technology will continue to grow, encouraged by the switch to packet-switched 3G cellular phones
• Results in a natural progression to accessing the Internet without wires
• Results in requiring more privacy/security protection mechanisms
• Standards/vendor products eventually evolve to meet customers' needs
The Wi-Fi Alliance announced the first certified products with WPA on April 29, 2003
• The Wi-Fi Alliance created Wi-Fi Protected Access (WPA) in October of 2002 as a stepping stone between the sullied Wired Equivalent Privacy (WEP) encryption that has long been part of the 802.11 specifications, and the upcoming 802.11i standard that will bring IEEE-endorsed security to WLANs.
http://www.80211planet.com/news/
Thank You
Notes:
• If access is approved, the authenticator hands over a unique per-supplicant master key from which the supplicant's network adapter derives the TKIP key, the packet integrity key, and other cryptographic necessities. The user can then be authenticated.
• EAP is used to frequently refresh the master key, reducing the window of opportunity for intercepting packets for cracking.