802.11 security

802.11 security. Courtesy of William Arbaugh with Univ. of Maryland, Jesse Walker with Intel, Gunter Schafer with TU Berlin, Bernard Aboba with Microsoft


Page 1: 802.11  security

802.11 security

Courtesy of
William Arbaugh with Univ. of Maryland
Jesse Walker with Intel
Gunter Schafer with TU Berlin
Bernard Aboba with Microsoft

Page 2: 802.11  security

agenda
• 802.11 introduction
• WEP
• 802.11i vs WPA
• 802.1x

Page 3: 802.11  security
Page 4: 802.11  security

Basic service set (BSS)
• AP and STAs

Page 5: 802.11  security

Independent BSS
• Between STAs

Page 6: 802.11  security
Page 7: 802.11  security
Page 8: 802.11  security

authentication
• Two modes
  – Open authentication
  – WEP authentication

* WEP: wired equivalent privacy

Page 9: 802.11  security

Open Authentication

STA → AP: Authenticate (request)
AP → STA: Authenticate (success)

• AP always accepts authentication request
• Instead, AP may use MAC address lists for security (access control)

Page 10: 802.11  security

WEP Authentication

Shared secret distributed out of band

STA → AP: Authenticate (request)
AP → STA: Challenge (Nonce)
STA → AP: Response (Nonce RC4 encrypted under shared key)
AP: Decrypted nonce OK?
AP → STA: Authenticate (success)

• Authentication key distributed out-of-band
• Access Point generates a “randomly generated” challenge
• Station encrypts challenge using the pre-shared secret key

Page 11: 802.11  security

Which one is better?
• WEP authentication
  – Gives a good matching plaintext/ciphertext example
    • Challenge: plaintext (nonce)
    • Response: ciphertext (encrypted nonce)
• In reality, open authentication is the norm
  – Right after authentication/association, STA and AP use the same secret key

Page 12: 802.11  security
Page 13: 802.11  security
Page 14: 802.11  security

40bit --> 128bit

Page 15: 802.11  security

ACL: access control list

Page 16: 802.11  security
Page 17: 802.11  security

WEP confidentiality and integrity

(IC)

Page 18: 802.11  security

WEP Encapsulation

802.11 Hdr | Data

WEP Encapsulation Summary:

• Encryption Algorithm = RC4 (stream cipher)

• Per-packet encryption key = 24-bit IV concatenated to a pre-shared key

• WEP allows IV to be reused with any frame

• Data integrity provided by CRC-32 of the plaintext data (the “ICV”)

• Data and ICV are encrypted under the per-packet encryption key

802.11 Hdr | IV | Data | ICV

Encapsulate / Decapsulate

Encrypted part: Data and ICV

IV is changing

Page 19: 802.11  security

RC4

Encryption Key K → Pseudo-random number generator → Random byte b

Plaintext data byte p

Ciphertext data byte c = p ⊕ b

Decryption works the same way: p = c ⊕ b

Page 20: 802.11  security

K:104 bits + IV:24 bits = 128 bits shared key

Page 21: 802.11  security

IV collision

Page 22: 802.11  security

ICV (integrity check value)

But the ICV is linear, meaning for any polynomials p and q

ICV(p+q) = ICV(p) + ICV(q)

This means that if q is an arbitrary nth degree polynomial, i.e., an arbitrary change in the underlying message data:

(p+q)x^32 + ICV(p+q) + b = px^32 + qx^32 + ICV(p) + ICV(q) + b

= ((px^32 + ICV(p)) + b) + (qx^32 + ICV(q))
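The WEP encapsulation, IV collision and ICV linearity slides above, worked through as an added example that is not part of the original deck. The key, IV and payloads are constructed sample values, and the function names are illustrative; it shows that an unkeyed CRC-32 under a stream cipher neither hides plaintext relationships when an IV repeats nor detects a change of the form the equation describes.

```python
import zlib

def rc4(key, n):
    """Return n bytes of RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream bytes b
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data):
    """CRC-32 of the plaintext, the unkeyed WEP integrity check value."""
    return zlib.crc32(data).to_bytes(4, "little")

def encapsulate(iv, key, data):
    body = data + icv(data)
    return iv + xor(body, rc4(iv + key, len(body)))   # IV is sent in the clear

def decapsulate(key, frame):
    """Return the data if the ICV verifies, else None."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, got = plain[:-4], plain[-4:]
    return data if icv(data) == got else None

def modify_without_key(frame, q):
    """XOR change q into the encrypted data and patch the ICV to match.
    zlib's CRC-32 is affine: crc(p^q) = crc(p) ^ crc(q) ^ crc(00..0)."""
    patch = q + xor(icv(q), icv(bytes(len(q))))
    return frame[:3] + xor(frame[3:], patch)

# Constructed sample values (not from the slides)
KEY = bytes(range(13))                 # 104-bit shared key
IV = b"\x00\x00\x01"                   # 24-bit IV, reused for both frames
P1, P2 = b"temperature=21C", b"HELLO FROM AP 1"

if __name__ == "__main__":
    f1, f2 = encapsulate(IV, KEY, P1), encapsulate(IV, KEY, P2)
    print("IV collision leaks p1^p2:", xor(f1[3:], f2[3:])[:15] == xor(P1, P2))
    q = xor(P1, b"temperature=99C")
    print("modified frame accepted as:", decapsulate(KEY, modify_without_key(f1, q)))
```

The slide's ICV(p+q) = ICV(p) + ICV(q) is the idealised form; the extra crc(00..0) term in the code accounts for the initial and final XOR that real CRC-32 applies.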

Page 23: 802.11  security

Two modes in WEP keys
• Default keys
  – Every STA shares the same key
• Key mapping keys
  – Every STA uses its own key

Page 24: 802.11  security

default keys

Total 4 keys: 2 for AP + 2 for STAs

Why two for each direction?

Page 25: 802.11  security

Key mapping keys
• Different key for each user
• Still default key is necessary
  – For broadcast messages
• optional

Page 26: 802.11  security
Page 27: 802.11  security
Page 28: 802.11  security
Page 29: 802.11  security

p = c ⊕ b

b = c ⊕ p

Page 30: 802.11  security
Page 31: 802.11  security
Page 32: 802.11  security
Page 33: 802.11  security
Page 34: 802.11  security

802.11i approach
• Separation of authentication and data integrity
• Leverage higher layer protocol for authentication

Page 35: 802.11  security

802.1x, EAP, RADIUS: authentication and access control

* These are not originally intended for WLAN

Page 36: 802.11  security

Authentication for dial-in users

[Diagram] User (Supplicant) connects by PPP across the PSTN (POTS) to a NAS or RAS (Authenticator) at the POP; the NAS or RAS talks RADIUS (EAP Over RADIUS) to the Authentication Server (AS) and its central database in the Enterprise or ISP Network.

• Supplicant: an entity that wants to have access
• Authenticator: an entity that controls the access gate
• Authentication server: an entity that decides whether the supplicant is to be admitted

Page 37: 802.11  security

Access control illustration
1. Authenticator is alerted by the supplicant
2. Supplicant identifies himself
3. Authenticator requests authorization from the authentication server
4. Authentication server indicates YES or NO
5. Authenticator allows or blocks access

• Three party interaction
• authenticator only opens channel until authentication/access control is performed
• authenticator is like doorkeeper

Page 38: 802.11  security

Network Access Server (NAS) in Ethernet

• To offer economical Ethernet-based access we need a new class of network access server – the EtherNAS.

• The EtherNAS is managed like a dialup NAS but offers thousands of times the bandwidth.

• IEEE 802.11 APs supporting 802.1X and RADIUS are the first (but not the last) EtherNASes

• Key standards include:
  – IEEE 802
  – IETF RFC 2865 - 2869: RADIUS
  – IEEE 802.1X: Network Port Authentication

How about central database in NAS?

Page 39: 802.11  security

Why Do Auth at the Link Layer?
• It’s fast, simple, and inexpensive
  – Most popular link layers support it: PPP, IEEE 802
  – Cost matters if you’re planning on deploying 1 million ports!
• Client doesn’t need network access to authenticate
  – No need to resolve names, obtain an IP address prior to auth
• NAS devices need minimal layer 3 functionality
  – 802.11 access points, 1 Gbps switch ports go for $300, support 802.1D, 802.1X, SNMP & RADIUS, may have no layer 3 filtering support
  – Authentication, AAA support typically a firmware upgrade
• In a multi-protocol world, doing auth at link layer enables authorizing all protocols at the same time
  – Doing it at the network layer would mean adding authentication within IPv4, IPv6, AppleTalk, IPX, SNA, NetBEUI
  – Would also mean authorizing within multiple layers
  – Result: more delay

Page 40: 802.11  security

What is IEEE 802.1X?
• The IEEE standard for authenticated and auto-provisioned LANs.
• A framework for authentication and key management
  – IEEE 802.1X derives keys which can be used to provide per-packet authentication, integrity and confidentiality
  – Typically used along with well-known key derivation algorithms (e.g. TLS, SRP, etc.)
  – IEEE 802.1X does not mandate security services – can do authentication, or authentication & encryption
  – Encryption alone not recommended (but that’s what WEP does)
• What 802.1X is not
  – Purely a wireless standard – it applies to all IEEE 802 technologies (e.g. Ethernet First Mile applications)
  – A cipher – not a substitute for WEP, RC4, DES, 3DES, AES, etc.
    • But 802.1X can be used to derive keys for any cipher
  – A single authentication method
    • But 802.1X can support many authentication methods without changes to the AP or NIC firmware

Page 41: 802.11  security
Page 42: 802.11  security
Page 43: 802.11  security
Page 44: 802.11  security

What is EAP?
• The Extensible Authentication Protocol (RFC 2284)
  – Provides a flexible link layer security framework
  – Simple encapsulation protocol
    • No dependency on IP
    • ACK/NAK, no windowing
    • No fragmentation support
  – Few link layer assumptions
    • Can run over any link layer (PPP, 802, etc.)
    • Does not assume physically secure link
      – Methods provide security services
    • Assumes no re-ordering
    • Can run over lossy or lossless media
      – Retransmission responsibility of authenticator (not needed for 802.1X or 802.11)
• EAP methods based on IETF standards
  – Transport Level Security (TLS) (supported in Windows 2000)
  – Secure Remote Password (SRP)
  – GSS_API (including Kerberos)

Page 45: 802.11  security

EAP Architecture

[Diagram] Three layers, top to bottom:
• Method layer: TLS, SRP, AKA, SIM
  – EAP APIs
• EAP layer: EAP
  – NDIS APIs
• Media layer: PPP, 802.3, 802.5, 802.11

Page 46: 802.11  security

EAPOL-Start

EAPOL-Logoff

EAPOL-Key

Page 47: 802.11  security
Page 48: 802.11  security

What is RADIUS?
• Remote Access Dial In User Service
• Supports authentication, authorization, and accounting for network access
  – Physical ports (analog, ISDN, IEEE 802)
  – Virtual ports (tunnels, wireless)
• Allows centralized administration and accounting
• IETF status
  – Proposed standard
    • RFC 2865, RADIUS authentication/authorization
    • RFC 2618-2621, RADIUS MIBs
  – Informational
    • RFC 2866, RADIUS accounting
    • RFC 2867-8, RADIUS Tunneling support
    • RFC 2869, RADIUS extensions
    • RFC 3162, RADIUS for IPv6

Page 49: 802.11  security

802.1X Topologies

[Diagram] STA (Supplicant, with PAE) in the Semi-Public Network / Enterprise Edge speaks EAP over LAN (EAPOL) to the AP (Authenticator, with PAE); the AP speaks EAP Over RADIUS to the Authentication Server (RADIUS) in the Enterprise or ISP Network.

PAE: port access entry

Page 50: 802.11  security

802.1X Security Philosophy
• Approach: a flexible security framework
  – Implement security framework in upper layers
  – Enable plug-in of new authentication, key management methods without changing NIC or Access Point
  – Leverage main CPU resources for cryptographic calculations
• How it works
  – Security conversation carried out between supplicant and authentication server
  – NIC, Access Point acts as a pass through device
• Advantages
  – Decreases hardware cost and complexity
  – Enables customers to choose their own security solution
  – Can implement the latest, most sophisticated authentication and key management techniques with modest hardware
  – Enables rapid response to security issues

Page 51: 802.11  security

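IEEE 802.1X Conversation

[Diagram] Laptop computer, Switch (Ethernet), Radius Server. EAPOL runs between laptop and switch, RADIUS between switch and server.

Port connect: access blocked
1. Laptop → Switch: EAPOL-Start
2. Switch → Laptop: EAP-Request/Identity
3. Laptop → Switch: EAP-Response/Identity
4. Switch → Radius Server: Radius-Access-Request
5. Radius Server → Switch: Radius-Access-Challenge
6. Switch → Laptop: EAP-Request
7. Laptop → Switch: EAP-Response (credentials)
8. Switch → Radius Server: Radius-Access-Request
9. Radius Server → Switch: Radius-Access-Accept
10. Switch → Laptop: EAP-Success
Access allowed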

Page 52: 802.11  security

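802.1X on 802.11

[Diagram] Laptop computer (Wireless, 802.11), Access Point (Ethernet), Radius Server. EAPOW runs between laptop and access point, RADIUS between access point and server.

Association: access blocked
1. Laptop → Access Point: 802.11 Associate-Request
2. Access Point → Laptop: 802.11 Associate-Response
3. Laptop → Access Point: EAPOW-Start
4. Access Point → Laptop: EAP-Request/Identity
5. Laptop → Access Point: EAP-Response/Identity
6. Access Point → Radius Server: Radius-Access-Request
7. Radius Server → Access Point: Radius-Access-Challenge
8. Access Point → Laptop: EAP-Request
9. Laptop → Access Point: EAP-Response (credentials)
10. Access Point → Radius Server: Radius-Access-Request
11. Radius Server → Access Point: Radius-Access-Accept
12. Access Point → Laptop: EAP-Success
13. Access Point → Laptop: EAPOW-Key (WEP)
Access allowed

Why?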

Page 53: 802.11  security
Page 54: 802.11  security

802.1X authentication in 802.11
• IEEE 802.1X authentication occurs after 802.11 association or reassociation
  – Association/Reassociation serves as “port up” within 802.1X state machine
  – Prior to authentication, access point filters all non-802.1X traffic from client
  – If 802.1X authentication succeeds, access point removes the filter
• 802.1X messages sent to destination MAC address
  – Client, Access Point MAC addresses known after 802.11 association
    • No need to use 802.1X multicast MAC address in EAP-Start, EAP-Request/Identity messages
  – Prior to 802.1X authentication, access point only accepts packets with source = Client and Ethertype = EAPOL
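The filter rule above and the message order from the conversation slides, modelled as an added example that is not part of the original deck. The class and function names, the MAC addresses and the returned action strings are illustrative assumptions; 0x888E is the EtherType used by EAPOL, and EAP-Failure is the EAP message an authenticator sends on a RADIUS Access-Reject.

```python
EAPOL = 0x888E   # EtherType of 802.1X (EAPOL) frames
IPV4 = 0x0800

class AuthenticatorPort:
    """Per-association port on the AP, acting as 802.1X authenticator."""

    def __init__(self, client_mac):
        self.client = client_mac   # learned at 802.11 association ("port up")
        self.authorized = False    # filter stays until authentication succeeds
        self.relayed = []          # EAP payloads passed through to RADIUS

    def from_client(self, src, ethertype, payload=b""):
        if src != self.client:
            return "drop"                      # not the associated station
        if ethertype == EAPOL:
            # Simplification: every EAPOL frame is treated as EAP to relay.
            self.relayed.append(payload)
            return "relay-to-radius"
        return "forward" if self.authorized else "drop"

    def from_radius(self, message):
        """Map the server's RADIUS message to the EAP message sent to the STA."""
        if message == "Access-Accept":
            self.authorized = True             # remove the filter
            return "EAP-Success"
        if message == "Access-Reject":
            self.authorized = False
            return "EAP-Failure"
        return "EAP-Request"                   # Access-Challenge

def run_conversation(verdict):
    """Replay the slide's message order; return (trace, data frame result)."""
    sta = "02:00:00:00:00:01"                  # constructed MAC address
    port = AuthenticatorPort(sta)
    trace = [port.from_client(sta, IPV4)]      # data frame before authentication
    trace.append(port.from_client(sta, EAPOL, b"Response/Identity"))
    trace.append(port.from_radius("Access-Challenge"))
    trace.append(port.from_client(sta, EAPOL, b"Response (credentials)"))
    trace.append(port.from_radius(verdict))
    return trace, port.from_client(sta, IPV4)

if __name__ == "__main__":
    for v in ("Access-Accept", "Access-Reject"):
        print(v, run_conversation(v))
```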

Page 55: 802.11  security

802.1X and Per-STA Session Keys
• How does 802.1X derive per-Station unicast session keys?
  – Can use any EAP method supporting secure dynamic key derivation
    • EAP-TLS (RFC 2716)
    • EAP-SRP
    • EAP-AKA, EAP-SIM (for compatibility with cellular)
    • Security Dynamics
  – Keys derived on client and the RADIUS server
  – RADIUS server transmits key to access point
    • RADIUS attribute encrypted on a hop-by-hop basis using shared secret shared by RADIUS client and server
  – Unicast keys can be used to encrypt subsequent traffic, including EAPOW-key packet (for carrying multicast/global keys)

Page 56: 802.11  security

802.1X Authentication
• 802.1X users identified by usernames, not MAC addresses
  – Enables user-based authentication, authorization, accounting
• For use with 802.1X, EAP methods supporting mutual authentication are recommended
  – Need to mutually authenticate to guarantee key is transferred to the right entity
  – Prevents man-in-the-middle and rogue server attacks
• Common EAP methods support mutual authentication
  – TLS: server and client must supply a certificate, prove possession of private key
  – SRP: permits mutual authentication via weak shared secret without risk of dictionary attack on the wire
  – Tunneled TLS: enables any EAP method to run, protected by TLS

Page 57: 802.11  security

Advantages of IEEE 802.1X
• Open standards based
  – Leverages existing standards: EAP (RFC 2284), RADIUS (RFC 2865, 2866, 2867, 2868, 2869)
  – Enables interoperable user identification, centralized authentication, key management
  – Enables automated provisioning of LAN connectivity
• User-based identification
  – Identification based on Network Access Identifier (RFC 2486) enables support for roaming access in public spaces (RFC 2607).
  – Enables a new class of wireless Internet Access
• Dynamic key management
  – Improved security for wireless (802.11) installations

Page 58: 802.11  security

WEPv1.0 w/802.1X
• Improved key derivation
  – Per-user unicast keys instead of global unicast key
  – Unicast key may be changed periodically to avoid staleness
  – Support for standards-based key derivation techniques
    • Examples: TLS, SRP
• Additional fixes still under discussion
  – Authentication for reassociate, disassociate
• WEP deficiencies still present
  – No keyed MIC
  – Improper usage of RC4 stream cipher
  – No IV replay protection
• Long term solution: Need a “real” cipher!
  – AES proposals under discussion

Page 59: 802.11  security

802.1X Implementations
• Implementations available now
  – IEEE 802.1X support included in Windows XP
  – Firmware upgrades available from AP and NIC vendors
  – Interoperability testing underway
• 802.1X OS support
  – Microsoft: Windows XP
  – Cisco: Windows 9x, NT4, 2000, Mac OS, Linux
• RADIUS servers supporting EAP
  – Microsoft Windows 2000 Server
  – Cisco ACS
  – Funk RADIUS
  – Interlink Networks (formerly MERIT) RADIUS server

Page 60: 802.11  security

Advertising Security Options
• Modeled on “supported rates”
• AP advertises security options in probe response
  – Placed in probe response only if STA requests it in probe request
• STAs collect this information prior to associations and can make association and roaming decisions based upon it

Page 61: 802.11  security

Selecting security options
• STA requests security options in association request from available options contained in probe response
• AP accepts/rejects association based on request contents
• No additional protocol handshakes necessary
  – No impact on roaming performance

Page 62: 802.11  security

802.11i Key Hierarchy
• Separation of authentication and message protection
• Authentication: server-based key
  – Established in advance
• Communication: temporal (session) key
  – Pairwise key
  – Group key

Page 63: 802.11  security

Pairwise key
• Different for each STA
• PMK is derived from server-based key
  – Pairwise master key (PMK)
  – At server and at STA by themselves
  – Server delivers PMK to AP by RADIUS
• Then 4 temporal keys derived from PMK
  – Data encryption key
  – Data integrity key
  – EAPOL-Key encryption key
  – EAPOL-Key integrity key
• The collection of temporal keys is referred to as pairwise transient key (PTK)
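How the four temporal keys can be cut from one PTK, as an added example that is not part of the original deck. It goes beyond the slide by using the HMAC-SHA1 PRF and the "Pairwise key expansion" label that IEEE 802.11i defines for a 512-bit PTK; the MAC addresses and nonces fed into it come from that standard's handshake rather than from the slides, and the PMK, addresses and nonces below are constructed sample values.

```python
import hashlib
import hmac

def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Split a 512-bit PTK into the four temporal keys named on the slide."""
    # Sorting the addresses and nonces lets AP and STA build identical input.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {
        "eapol_key_integrity": ptk[0:16],
        "eapol_key_encryption": ptk[16:32],
        "data_encryption": ptk[32:48],
        "data_integrity": ptk[48:64],
    }

# Constructed sample values (not from the slides)
PMK = bytes(range(32))                       # 256-bit PMK held by STA and AP
AP_MAC = bytes.fromhex("020000000001")
STA_A = bytes.fromhex("020000000002")
STA_B = bytes.fromhex("020000000003")
ANONCE = hashlib.sha256(b"anonce").digest()  # stand-ins for random 32-byte nonces
SNONCE = hashlib.sha256(b"snonce").digest()

if __name__ == "__main__":
    for name, key in derive_ptk(PMK, AP_MAC, STA_A, ANONCE, SNONCE).items():
        print(f"{name:22s} {key.hex()}")
```

Because the PMK never appears on the air and the nonces change per session, a captured temporal key exposes one session of one STA rather than every station, which is the contrast with WEP default keys.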

Page 64: 802.11  security

Group key
• For broadcast, multicast
• Group master key (GMK)
  – AP chooses randomly
• Group transient key (GTK)
  – Using the secure link by pairwise keys
  – When a node leaves, GTK is changed
  – Group encryption key
  – Group integrity key