Wireless Authentication Protocol Presented By: Tasmiah Tamzid Anannya Student Id:
Introduction Wireless networking is becoming popular among internet users Large number of wireless protocols are available for home and business use By using mobile computers, users can have the access to the resources no matter of their location within the wireless network. The IEEE defines some level of protection for wireless users which introduces WEP Protocol 2
WEP Protocol Wired Equivalent Protocol - it tries to make the level of protection of wireless local networks similar to the protection level of wired local networks As wireless networks began to grow in popularity, many researchers discovered flaws in the original WEP design But “something is better than nothing”, even with it's known weaknesses The intention for WEP design was to make it hard to break-in as opposed to impossible to break-in. 3
WEP- Authentication Open System Authentication Enables mobile stations to access the access point without confirmation of the station’s identity. One way handshake Easy to attack and allows unauthorized attacks 4
WEP- Authentication Shared Key Authentication 5 Wireless Device Wireless Access Point Auth Req Auth Challenge Auth Response Auth Success In WEP, no secret key is exchanged after authentication Sometimes, The same secret key or shared key is used for both authentication and encryption. So there is no way to tell whether the subsequent messages come from the trusted device or from an impostor.
WEP- Encryption Message: What you’re encrypting CRC: To verify the integrity of the message Plaintext: The message + CRC Initialization vector (IV): A 24-bit number which plays two roles Key: A 40 or 104-bit number which is used to build the keystream Keystream: What is used to encrypt the plaintext Ciphertext: What we end up post-encryption MessageCRC IVKey Keystream Ciphertext 6
7 WEP encryption step-by-step Step 1: Compute CRC for the message CRC-32 polynomial is used Message CRC
8 KeyIV WEP encryption step-by-step Step 2: Compute the keystream IV is concatenated with the key RC4 encryption algorithm is used on the 64 or 128 bit concatenation Keystream
9 WEP encryption step-by-step Step 3: Encrypt the plaintext The plaintext is XORed with the keystream to form the ciphertext The IV is prepended to the ciphertext MessageCRC Keystream Ciphertext IV
10 WEP decryption step-by-step Step 1: Build the keystream Extract the IV from the incoming frame Prepend the IV to the key Use RC4 to build the keystream Keystream Ciphertext IV Key
11 WEP decryption step-by-step Step 2: Decrypt the plaintext and verify XOR the keystream with the ciphertext Verify the extracted message with the CRC Keystream Ciphertext MessageCRC
WEP Protocol Execution Message CRC Generator CRC + MessageCRC Key IV Generator IV + KeyIV RC4 Keystream 12 XOR IVCypherText
What are the main weaknesses of WEP? INITIALIZATION VECTOR: IEEE does not specify how to generate IV It’s carried in plaintext in the “encrypted” message! It’s only 24 bits! There are no restrictions on IV reuse! The IV forms a significant portion of the “seed” for the RC4 algorithm! 13
What are the main weaknesses of WEP? KNOWN PLAINTEXT ATTACK: PlainTexts P1, P2, Keystreams K1, K2 and Resulting cyphertexts C1, C2 respectively If attacker picks two packets derived from the same IV and s/he knows one plain text other can be obtained easily As C1 XOR C2= P1 XOR P2 14
What are the main weaknesses of WEP? Once a key stream is known, a new ciphertext can be constructed by XOR-ing the new plain text and the known keystream to create a new, fraud cipher text. The same IV can be used with every packet. 15
The Next Solution In order to solve this problem, Wi-Fi defines WPA (Wi-Fi Protected Access) standard to improve the protection of wireless devices. It acts as a strong protective mechanism for wireless networks Enables the existing Wi-Fi wireless devices to be upgraded with the new software solution Is applicable in small, as well as in large wireless networks, and Is applicable immediately. WPA allows a more complex data encryption on the TKIP protocol (Temporal Key Integrity Protocol) and assisted by MIC (Message Integrity Check) 16
WPA Authentication Personal WPA or WPA-PSK (Key Pre-Shared): Used for small office and home for domestic use Does not use an authentication server Both the client and the AP already possess this key WPA provides mutual authentication, and the key is never transmitted over the air. 17
WPA Authentication Enterprise WPA : This WPA uses 802.1X+EAP for authentication No pre-shared key is used here A RADIUS server is needed 18
Extensible Authentication Protocol 19 EAP Methods EAP Supplicants EAP Methods EAP Radius Server EAP Authenticator EAP Peer Authentication Server EAP Messages PPP Radius
WPA Encryption WPA allows a more complex data encryption on the TKIP protocol (Temporal Key Integrity Protocol) and assisted by MIC (Message Integrity Check) 20
TKIP- Temporal Key Integrity Protocol It is a set of algorithms that wrap WEP to give the best possible solution Components of TKIP: A cryptographic message integrity code, or MIC, called Michael: to defeat forgeries; A new IV sequencing discipline: to remove replay attacks from the attacker’s arsenal; A per-packet key mixing function: to de-correlate the public IVs from weak keys A re-keying mechanism: to provide fresh encryption and integrity keys, undoing the threat of attacks stemming from key reuse 21
TKIP- MIC (Message Integrity Check) 64-bit Michael key is represented as two 32-bit words (K0,K1). The tagging function first pads a message with the hex value 0x5a and enough zero pad to bring the total message length to a multiple of 32- bits, then partitions the result into a sequence of 32-bit words M1 M2 … Mn. Then computes the tag from the key (L,R) ← (K0,K1) do i from 1 to n L ← L ^ Mi (L,R) ← b (L,R) return (L,R) as the tag Where b is a function built up from rotates, little-Endean additions, and bit swaps. 22
TKIP- MIC (Message Integrity Check) MIC strength is in the number of tag bits (n). This means that if the attacker wants to send a false message, 2 n messages have to be sent Strict IV Messages: False messages appear when the attacker meets the message and sends it as his own. Links IV counter with the MIC key. Transmitter and receiver set IV to zero each time TKIP key is changed and Sender increments IV sequence for each packet that is sent. If the IV sequence is out of order then it is a forgery message 23
TKIP- Key Generation 24 Phase 1: Combine MAC Address and Temporal Key This phase is calculated only if temporal key of the session is changed MAC Address Temporal Key Intermediate Key High 32 bit IV
TKIP- Key Generation 25 Phase 2: Produce Intermediate Key Hash function is calculated using phase 1 output and low 16 bits of IV The purpose of phase 2 is to make it difficult for the attacker to find correlation between IV and a key for each of the packets Intermediate Key Low 16 bit IV Final 128 bit per packet key
TKIP- Key Integration byte Final 128 bit per packet key 3 byte
TKIP- Refresh Key Mechanism TKIP uses three distinct keys 1. Temporal keys 2. Key encryption keys 3. Master keys 27
Temporal Keys Two Temporal Key types: 128-bit encryption key 64-bit Michael key Used by stations and APs for normal TKIP communication 28
Key Encryption Keys As the name suggests, a temporal key is “ temporal ” and needs to be updated frequently Key Encryption Keys encrypt the information regarding the key distribution. They protect the Temporal Keys. 29
Master Key Used to secure the distribution of the key encryption keys A station gets a master key after it is “authenticated” 30
ReKey Summary Master KeyKey Encryption Keys Master Key encrypts Key Encryption Keys Key Encryption KeysTemporal Keys Key Encryption Keys encrypt Temporal Keys Temporal KeysUser Data Temporal Keys encrypt User Data Master Key Authentication Server generates a Master Key Station is Authenticated 31
WPA- At a Glance 32 MAC Address Temporal Key Hash Phase 1 IV High Hash Phase 2 IV Low Michael Key Data Michael Tag Data + Tag CRC Data + Tag + CRC RC4 XOR IV Encrypted Data
WPA Weaknesses Keys generated from short passwords are subject to dictionary attack Key that is less than 20 characters is easy to attack. 33
Next i Equivalent- WPA2 The i standard is virtually identical to WPA2 Terms are often used interchangeably i and WPA2 They are the future of wireless access WPA was provided as an intermediate solution and WPA2 was designed as a future-proof solution 34
WPA2- Authentication WPA2, like WPA, supports two modes of security, sometimes referred to as “home user” and “corporate” In “home user” mode a pre-shared secret is used The “corporate” security is based on the EAP authentication framework ( including RADIUS) 35
WPA2- Encryption AES-CCMP is a combination of two AES counter mode encryption and CBC-MAC (Cipher Block Chaining –Message Authentication Code protocol) techniques used for WPA2 Encryption. 36
WPA2- Key Management WPA2 uses AES-CCMP Protocol for Key Management The process of management and creation of the key is the same for the TKIP and AES-CCMP Both TKIP and AES-CCMP are defined by i standard, but there is a difference in the number of keys AES-CCMP uses the same number of keys for message encryption and data integrity while TKIP uses two keys TKIP is based on RC4 encryption technique while AES-CCMP uses advanced encryption standard AES-CCMP is mandatory in i standard while TKIP is supported by i standard. 37
AES Mode With Counter 38 Counter Value Key Result 1 Step 1: The technique adds counter and AES temporal key using AES encryption algorithm
AES Mode With Counter 39 Result 1 First Message Block First Encrypted Block Step 2: The Result is then encrypted by XOR-ing with the first block message
CBC-MAC Calculation 40 Starting block AES Result1 Result 1 Next 128-bits AES Result 2 XResult 1 Result 2 Next 128-bits AES Result 3 XResult 2 XOR The procedure is repeated until all the 128-bit blocks have been encrypted.
Benefits of WPA2 AES has no known attacks and the current analysis indicates that it takes operations to break an AES key In addition to the encryption benefits, WPA2 also adds two enhancements to support fast roaming of wireless clients moving between wireless AP’s. PMK caching support – allows for reconnections to AP’s that the client has recently been connected without the need to re-authenticate. Pre-authentication support – allows a client to pre-authenticate with an AP towards which it is moving while still maintaining a connection to the AP it’s moving away from. PMK caching support and Pre-authentication support enable WPA2 to reduce the roaming time 41
Vulnerabilities of WPA2 DoS (Denial of Service) attacks like RF jamming, data flooding None of the Wi-Fi security standards can prevent attacks on the physical layer simply because they operate on Layer 2 and above. 42
SUMMARY 43 AuthenticationEncryptionIntegrity WEPWeakRC4CRC WPA802.1x-EAPTKIP+RC4MIC WPA2802.1x-EAPAESCBC-MAC
THANK YOU 44