Tim Moore, Microsoft Corporation Clint Chaplin, Symbol Technologies


TGi security overview
Tim Moore, Microsoft Corporation; Clint Chaplin, Symbol Technologies
January 2002

Section numbers based on Draft 1.8
- Beacon/Probe/Associate
- 802.1X authentication using RADIUS
- EAP/EAP-TLS
- Key Hierarchy
- Key derivations
- Nonces
- Key Management
- Per packet TKIP
- Per packet AES
- Re-associate

Beacon
- Search for APs that support Enhanced security
- Select ESN
  - Capability bit (bit 11) (7.3.1.4)
- Select Authentication Suite
  - Beacon Authentication Suite IE (7.3.2.17)
  - OUI 00:00:00:03 is 802.1X (default)
  - Since optional, should attempt to associate if no Auth suite IE
- Select cipher suites (7.3.2.X)
  - Contains unicast and multicast cipher suite IE (7.3.2.18, 19)
  - OUI 00:00:00:01 TKIP
  - OUI 00:00:00:02 AES (default)
  - Since optional, should attempt to associate if no Cipher suite IE
- Is there any point in the IEs in the beacon? They are optional, so if not there, still need to associate.
- If not default auth, when must you put the Auth IE in?
- If not default, must be in beacon and must be consistent (subset) in responses (probe/association)

Probe Request/Response
- Select ESN
  - Capability bit (bit 11) (7.3.1.4)
- Select Authentication
  - Probe response Authentication IE (7.3.2.17)
  - OUI 00:00:00:03 is 802.1X (default)
  - Since optional, should attempt to associate if no Auth suite IE
- Select cipher suite
  - Contains unicast and multicast cipher suite IE (7.3.2.18, 19)
  - OUI 00:00:00:01 TKIP
  - OUI 00:00:00:02 AES (default)
  - Since optional, should attempt to associate if no cipher suite IE
- Capability bit must be same as beacon
- Must be consistent (equal or a subset) in probe responses

Association Request/Response
- Select ESN
  - Capability bit (bit 11) (7.3.1.4)
- Select Authentication
  - Associate request/response Authentication IE (7.3.2.17)
  - OUI 00:00:00:03 is 802.1X (default)
- Select cipher suite
  - Contains unicast and multicast cipher suite IE (7.3.2.18, 19)
  - OUI 00:00:00:01 TKIP
  - OUI 00:00:00:02 AES (default)
- Capability bit must be same as beacon and probe
- Must be consistent (equal or a subset) in association responses

802.1X
- 802.1X – IEEE 802.1X standard
- Starts after association
- Packets sent as unencrypted data
- Credentials supported
  - Pre-shared key
  - Authentication (using a Radius server)
- EAPOL-Start
  - Initiates 802.1X from client
- EAPOL-Packet
  - Carries EAP messages
- EAPOL-Key
  - Carries key updates

802.1X/Radius (RFC2865)
- 802.1X exchange to Radius server
  - 802.1X carries EAP packets (RFC2284)
  - EAP packet carried over Radius in an EAP attribute
- Authentication completes when Radius server sends either
  - Radius-Access-Accept: AP sends EAP_Success (in EAPOL-Packet) to station
  - Radius-Access-Reject: AP sends EAP_Failure
- Master session keys need to be moved from Radius server to AP
  - Note the initial master session key derivation is at the Radius server
  - Described in Annex J – also used for pre-shared secret
  - Carried in Radius-Access-Accept
  - Radius attribute Annex K

EAP (RFC2284)
- EAP-Request
  - Identity – Request for user id
  - Notification – display message to user
  - MD5 – MD5 authentication
  - TLS – EAP-TLS authentication
  - … - other authentication methods
- EAP-Response
  - Identity – user id
  - Notification – ack of display message
  - Nak – EAP auth method not supported
  - MD5 – MD5 auth
  - TLS – TLS auth
  - … - other auth methods
- EAP-Success
  - Auth successful
- EAP-Failure
  - Auth Failed

802.1X/Radius On 802.11
[Figure: message sequence between Laptop computer, Wireless Access Point and Radius Server. Laptop to Access Point is 802.11; Access Point to Radius Server is Ethernet/RADIUS. Access is blocked at association and allowed after EAP-Success. Message labels in the figure: 802.11 Associate, EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, Radius-Access-Request, Radius-Access-Challenge, EAP-Request, Radius-Access-Request, EAP-Response (credentials), EAP-Success, Radius-Access-Accept]

EAP-TLS (RFC2716)
- A possible authentication method
  - Client cert auth to Radius server
  - Server cert auth to client (optional)
  - Certs are often larger than an Ethernet frame, so fragmented across multiple round trips
- Master key generation
- Master session key derivation
  - On station and Radius server
- Fast reconnect
  - Re-authentication
  - Server caches TLS session information after TLS session terminates
  - Client and Server prove possession of master secret
  - Generates new master session key material
  - Reduces number of round trips and size of messages (no certs sent)

EAP-TLS

Station                                              AP
                  <- PPP EAP-Request/EAP-Type=EAP-TLS (TLS Start)
PPP EAP-Response/EAP-Type=EAP-TLS (TLS client_hello) ->
                  <- PPP EAP-Request/EAP-Type=EAP-TLS (TLS server_hello, TLS certificate, [TLS server_key_exchange,] [TLS certificate_request,] TLS server_hello_done)
PPP EAP-Response/EAP-Type=EAP-TLS (TLS certificate, TLS client_key_exchange, [TLS certificate_verify,] TLS change_cipher_spec, TLS finished) ->
                  <- PPP EAP-Request/EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished)
PPP EAP-Response/EAP-Type=EAP-TLS ->

EAP-TLS – fast reconnect

Station                                              AP
                  <- PPP EAP-Request/EAP-Type=EAP-TLS (TLS Start)
PPP EAP-Response/EAP-Type=EAP-TLS (TLS client_hello) ->
                  <- PPP EAP-Request/EAP-Type=EAP-TLS (TLS server_hello, TLS change_cipher_spec, TLS finished)
PPP EAP-Response/EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished) ->

802.1X pre-shared key
- Pre-shared Key on stations that authenticate to each other
- Pre-shared Key is the Master Key
- Annex J is used to derive initial Master Session Keys
- Nonce is not live: Source | Destination MAC address
- Temporal keys not derived from initial Master Session Keys
- EAPOL-Key messages send Nonce for key mapping keys
- Next Master Session Key derivation includes liveness
- Derived Temporal Keys
- EAPOL-Key auth and encryption keys do not contain liveness

Key Hierarchy
- Master key
  - Pre-shared key
  - Or Master key created by EAP method during EAP authentication
- Master session key (derived from APEnc_(n-1), APIV_(n-1))
  - Expand from master key or from the previous temporal key
  - Sent from Radius server if using EAP via Radius server
- Transient session key (derived from PAEnc)
  - Derived from master session key
- Temporal Encrypt key (128 bits)
  - Truncated transient session key
  - Used as AES-OCB key
- Temporal Auth key (64 bits)
  - Used in TKIP
- EAPOL-Key message encryption key (APEnc)
  - Used to encrypt nonce or key material
- EAPOL-Key message authentication key (PAAuth)
- EAPOL-Key IV (PAIV)
- Authenticator IE MIC key (APAuth)
  - Used to MIC key message
- Per-packet key (TKIP only)
  - Derived from Temporal key
- Change diagram in 8.5.1 to remove Master keys and change the iteration entry arrows to be from the correct place
- Note change Auth IE key to APAuth key
- Where is Temporal Auth key derived from?
- Note use of PAIV as EAPOL-Key IV

TKIP Temporal Key Mapping Key Hierarchy
- Should iteration be of Transient key rather than temporal key?

Master key -> Master Session Key
- Annex J
  - RFC2716
  - RFC2246
- Takes a Nonce and expands from Master Temporal Key to 128 bytes of key material
  - PRF1 = PRF(K, "client EAP encryption", Nonce)
  - APEnc, PAEnc, APAuth, PAAuth
- Generate 64 bytes of IV (Nonce)
  - PRF2 = PRF("", "client EAP encryption", Nonce)
  - APIV, PAIV

Master Session Key Derivation
- Is using Nonce from previous Master Session key derivation a good idea or not?

PRF
- TLS Section 5 – RFC2246
- PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)
- S1 is first half of secret
- S2 is second half of secret

Temporal key -> Master Session Key
- Annex J
  - RFC2716
  - RFC2246
- Takes a Nonce and expands from Temporal Key to 128 bytes of key material
  - PRF1 = PRF(K, "key expansion", Nonce)
  - APEnc, PAEnc, APAuth, PAAuth
- Generate 64 bytes of IV (Nonce)
  - PRF2 = PRF("", "IV block", Nonce)
  - APIV, PAIV
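
The RFC 2246 Section 5 PRF and the two derivations on the "Master key -> Master Session Key" and "Temporal key -> Master Session Key" slides, as an added Python example (not code from the presentation or from the draft). Assumptions: the 128-byte block is split into four equal 32-byte keys in the order the slides list them, the 64-byte IV block into two 32-byte halves, and all function names and sample inputs are hypothetical.

```python
import hmac

def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 2246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)."""
    half = (len(secret) + 1) // 2            # the halves share one byte if the length is odd
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha_stream))

# (key label, IV label) pairs exactly as written on the two slides.
FIRST_DERIVATION = (b"client EAP encryption", b"client EAP encryption")
NEXT_DERIVATION = (b"key expansion", b"IV block")

def derive_master_session_keys(k: bytes, nonce: bytes, labels=FIRST_DERIVATION) -> dict:
    """Expand K and a nonce into the six named values from the slides."""
    key_label, iv_label = labels
    key_block = tls10_prf(k, key_label, nonce, 128)   # PRF1: keyed with K
    iv_block = tls10_prf(b"", iv_label, nonce, 64)    # PRF2: empty secret
    names = ("APEnc", "PAEnc", "APAuth", "PAAuth")
    # Assumed layout: four equal 32-byte slices in slide order.
    keys = {n: key_block[i * 32:(i + 1) * 32] for i, n in enumerate(names)}
    keys["APIV"], keys["PAIV"] = iv_block[:32], iv_block[32:]
    return keys

if __name__ == "__main__":
    master = bytes(range(48))        # constructed sample master key
    nonce = bytes(range(64))         # constructed sample nonce
    for name, value in derive_master_session_keys(master, nonce).items():
        print(f"{name:6} {value.hex()}")
```

Because PRF2 is keyed with the empty string, APIV and PAIV depend only on the label and the nonce; anyone who observes the nonce can compute them, so they provide no secrecy.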

Master Session Key -> Transient Session Key
- Annex I
  - RFC3078/3079
- On PAEnc
- Do we need this extra derivation step?

Transient Session Key Truncation to Temporal key
- Annex I
- Last 128 bits of transient session key
- From PAEnc
- Go back 2 slides for next key

Nonce
- Master session key derivation needs a nonce
- First Master session key derivation
  - Nonce is generated by EAP method
  - Nonce needs to be same on both station and Radius server so master session key material is the same
- Following master session key derivation
  - Nonce is from the previous derivation
  - Sent from AP to station
- Nonces can be obtained from anywhere; the previous master session key derivation does provide a nonce, but the text doesn't explain this

Key Management
- EAPOL-Key for default/broadcast
  - Contains actual temporal key
  - Same key sent to all stations
- EAPOL-Key for key mapping
  - Contains nonce used to derive temporal key
- Key updates
  - Management policy for when keys are updated
  - Most efficient to look at IV space used
  - MIB contains max IV and current sent IV (Annex D)
  - Need to add current receive IV
  - SetKeys.Indication for MLME indication of IV space exhaustion (10.3.11.3)
- MIB for receive key IV numbers: need to add a MIB variable to key tables

Key Messages
- Contains
  - Key index
  - Flags
    - Key mapping/default: what type of key
    - Tx/Rx: What use the key should be put to
    - Reset IV: Whether to reset the IV space or not
  - Key length
  - Key material (Temporal key or Nonce)
  - Key material length
- TKIP key message
  - Encrypts using RC4, MIC using HMAC-MD5
- AES key message
  - Encrypts using AES-CBC, MIC using AES-CBC-MAC
- Should add a version number to the key message

EAPOL-Key Keys

Ping – Pong (8.5.8)

Per packet keying TKIP (8.6.1)
- TKIP Phase 1 key
  - Done once per temporal key
  - Mixing Transmitter Ethernet address into temporal key
  - 128 bits
- TKIP Phase 2 key
  - Done once per packet
  - Mixing IV into phase 1 output
  - Truncated to 104 bits for RC4

TKIP
- Encryption is WEP using TKIP Phase 2 key
- IV selection rules (8.6.2)
- MIC: Michael (8.6.3)
  - Uses Temporal Auth Key
  - Covers
    - Source and destination MAC address
    - Unencrypted data payload
  - Requires counter measures to limit attack rate (8.6.3.3)

Michael (8.6.3)

Michael message processing: MICHAEL((K0, K1), (M0,...,MN))
  Input: Key (K0, K1) and message M0,...,MN
  Output: MIC value (V0, V1)
    (L, R) ← (K0, K1)
    for i = 0 to N-1
      L ← L ⊕ M_i
      (L, R) ← b(L, R)
    return (L, R)

Michael block function: b(L, R)
  Input: (L, R)
  Output: (L, R)
    R ← R ⊕ (L <<< 17)
    L ← (L + R) mod 2^32
    R ← R ⊕ XSWAP(L)
    R ← R ⊕ (L <<< 3)
    R ← R ⊕ (L >>> 2)
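
Michael as specified in the published IEEE 802.11i standard, written out as an added Python example (not code from the presentation). In the published algorithm the addition L ← (L + R) mod 2^32 follows each of the four XOR steps of b(L, R), and the message is padded with 0x5a plus 4 to 7 zero bytes before being split into little-endian 32-bit words; the function names and the sample frame are assumptions.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF

def rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32

def ror(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32

def xswap(x: int) -> int:
    """Swap the two bytes inside each 16-bit half of a 32-bit word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def block(l: int, r: int) -> tuple:
    """Michael block function b(L, R): four XOR/add rounds."""
    r ^= rol(l, 17); l = (l + r) & MASK32
    r ^= xswap(l);   l = (l + r) & MASK32
    r ^= rol(l, 3);  l = (l + r) & MASK32
    r ^= ror(l, 2);  l = (l + r) & MASK32
    return l, r

def michael(key: bytes, message: bytes) -> bytes:
    """Return the 8-byte MIC (V0, V1) for a 64-bit key (K0, K1)."""
    if len(key) != 8:
        raise ValueError("Michael key must be 64 bits")
    l, r = struct.unpack("<II", key)
    padded = message + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)      # total length a multiple of 4
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = block(l, r)
    return struct.pack("<II", l, r)

def mic_ok(key: bytes, message: bytes, received_mic: bytes) -> bool:
    """Receiver-side check; compare in constant time."""
    return hmac.compare_digest(michael(key, message), received_mic)

if __name__ == "__main__":
    # Constructed sample: DA | SA | payload, as the TKIP slide says the MIC covers.
    key = bytes.fromhex("d55e100510128986")
    frame = bytes.fromhex("0a0b0c0d0e0f" "010203040506") + b"sample payload"
    mic = michael(key, frame)
    print("MIC:", mic.hex())
    print("accepted:", mic_ok(key, frame, mic))
    print("tampered accepted:", mic_ok(key, frame[:-1] + b"X", mic))
```

The MIC is only 64 bits and the block function is deliberately cheap, which is why the TKIP slide pairs it with countermeasures that limit the attack rate (8.6.3.3).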

Per packet processing AES
- Temporal key is used as the encryption key
- Encryption AES-OCB (8.7.2)
  - Requires a Nonce
  - Includes replay counter, QoS traffic class, Source and Destination MAC address
  - 28 bit replay counter/sequence number per QoS class
  - 64 bit MIC

Re-associate Request/Response
- Select ESN
  - Capability bit (bit 11) (7.3.1.4)
- Select Authentication
  - Authentication IE (7.3.2.17)
  - OUI 00:00:00:03 is 802.1X (default if no IE)
- Select cipher suite
  - Contains unicast and multicast cipher suite IE (7.3.2.18, 19)
  - OUI 00:00:00:01 TKIP
  - OUI 00:00:00:02 AES (default if no IE)
- Fast handoff
  - Authenticator IE (7.3.2.21)
  - Passing station MIC to the old AP
- Re-associate request should contain the auth and cipher suite that the station is using
- AP disassociates station if AP can't support the auth and cipher suite; the station can then associate again and attempt different cipher suites
- If anything fails, AP should disassociate client and station can start again

Re-associate Request/Response

If no IAPP or no Auth IE in Re-associate request then
    Re-associate to new AP
    Go back to slide 6
Else
    Auth IE processing rules (7.3.2.21)
    Use IAPP to move station Auth IE to old AP
    Old AP checks station MIC
    Old AP calculates new AP MIC
    IAPP moves Auth IE and original master session keys to new AP
    New AP passes Auth IE in re-association response
    New AP puts 1X state machine in authenticated state and sends EAP_Success
    Go to slide 19
Endif

- Relies on secure IAPP
- Need context block for IAPP that moves Auth IE, original master session keys and Radius attributes between APs
- When going to slide 19, what is the Nonce used in the key derivation?

Authenticator IE

IAPP Fast Hand-off of TGi Keys
[Figure: message sequence between Old AP, AS and New AP. Message labels in the figure: IAPP Send SecBlock, IAPP Move STA, IAPP Send SecBlock Ack, IAPP Move Ack, Reassociate Request, Query, Query Response, Reassociate Response]
- Query transaction supplies IPsec security association material => only needed once if New AP caches SAs; requires AS to maintain registry of IPsec SAs
- SendBlock transaction copies keying material from old AP to new AP
- Move transaction deletes keying material off old AP