802.1x What it is, How it’s broken, and How to fix it.


Bruce Potter
The Shmoo Group
gdead@shmoo.com

Practitioner, not researcher. Talk will focus on the operational impact of 802.1x, not the low level technical breakdown.

Drive 12 miles to work in Northern VA, much of it through undeveloped land. In Sept, there were 12 APs. In May there were 50.

Why Wireless?
- No cable plant
- Enhanced mobility
- Ad hoc relationships
- Lower cost (initially… TCO may be higher)
- Rapid deployment
- Many different requirements
- Talk about TCO

Why Not Wireless
- No physical security
- Low throughput
- Unregulated, noisy bands
- Snooping raw packets is trivial

802.11, 802.11b, etc.
- IEEE standard – based on well known Ethernet standards
- 802.11 – FHSS or DSSS, WEP, 2.4 GHz, Infrastructure (BSS) or Ad-Hoc (IBSS)
  - Limited to 2 Mb/s due to FCC limits on dwell times per frequency hop
- 802.11b – DSSS only, WEP, 2.4 GHz, Infrastructure or Ad-Hoc
  - Up to 11 Mb/s
  - Also known as Wi-Fi
- 802.11a and 802.11g

An Association
- Associations are a basic part of 802.11
- Client requests authentication
- AP responds with auth type (Open/WEP)
- Authentication is performed
- If successful, then association is requested and granted
- SSID is sent in the clear, so not advertising SSID is NOT a valid security mechanism

General Principles
- Deal with the basics
- Integrity
  - Protecting your packets from modification by other parties
- Confidentiality
  - Keeping eavesdroppers within range from gaining useful information
- Keeping unauthorized users off the network
  - Free Internet!
  - Risks to both internal and external network
- Availability
  - Low level DoS is hard to prevent
- Like any other environment, there are no silver bullets

Current Security Practices
- WEP – Wired Equivalent Privacy
  - Link level
  - Very broken
- Firewalls/MAC filtering
- Reactionary – IDS/Active Portal
- Higher level protocols

WEP In a Nutshell
- 40 bits of security == 64 bits of marketing spam.
- Not just encryption, also rudimentary authentication of APs and clients.

Thoughts on WEP
- Key management beyond a handful of people is impossible
  - Too much trust
  - Difficult administration
  - Key lifetime can get very short in an enterprise
- No authentication for management frames
- No per packet auth
- False Advertising!!!

What is Lacking?
- Scalability
  - Many clients
  - Large networks
- Protection for all parties
  - Eliminate invalid trust assumptions

802.1x
- Port based authentication for all IEEE 802 networks (layer 2 authentication)
- Originally for campus networks
- Extended for wireless
- Allows for unified AAA services
- Provides means for key transport
- NOT A WIRELESS PROTOCOL!!!
- Does not specify means for key transport

May not be Access Point… Originally it was a wired switch.

Pre-Authentication State

Post-Authentication State

EAP
- Extensible Authentication Protocol
- Originally designed for PPP
- Shoehorned into 802.1x
- Switch/Access point is a pass through for EAP traffic.
- New authentication mechanisms do not require infrastructure upgrades
- LEAP – Cisco’s Lightweight EAP
  - Password based and (relatively) widely available
- De facto mechanism between AS and AServ is RADIUS

EAP Methods
- EAP-TLS: Uses certs! If implemented properly, solves many problems
- TTLS – Tunneled TLS. Allows encapsulation of other auth mechanisms. “Machine” auth’d by TLS, person by the tunneled protocol
- PEAP – IETF Draft. Like TTLS but with another EAP method encapsulated
- TLS/TTLS and others require certs
  - We all have a PKI setup, right? And use it properly and regularly?

What’s Right
- Protection of the infrastructure
- Authentication mechanism can change as needed
  - Address flaws in existing wireless security
- Lightweight
  - No encapsulation, no per packet overhead… simply periodic authentication transactions

What’s Right
- In controlled environment, risks can be mitigated by higher level protocols
  - VPN/SSL/SSH
- NOTE: exchange of WEP key material is not part of 802.1x specification
- Remember: designed for wired campus networks

What’s Right
- Association happens BEFORE 802.1x transaction.
- Good: If 802.1x session is protected by default WEP key then the attacker must first compromise the WEP key to make use of 802.1x vulns
- Bad: Key management anyone? Just how does the default key get there?

What’s Wrong
- www.missl.cs.umd.edu/wireless/1x.pdf
- First open source supplicant
- First holes in 802.1x
- One way authentication
  - Less of a concern in LAN environment
- Traffic interception
- Session hijacking

What’s Wrong – Technical
- One way authentication
  - Gateway authenticates the client
  - Client has no explicit means to authenticate the gateway
  - Rogue gateways put client at risk
  - Remember – the loudest access point wins
- Still no authentication of management frames (assoc/disassoc/beacons/etc…)
- Some EAP methods provide mutual authentication… but it’s not a requirement.

What’s Wrong – Technical
- MITM
  - Send “Authentication Successful” to client
  - Client associates with malicious AP
- Hijacking
  - Send disassociation message to client… AP is in the dark
  - Change MAC to client and have live connection
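
The “Authentication Successful” problem above comes from the EAP-Success packet being a bare four-byte header with nothing in it for a client to verify. The following Python code is an added example, not part of the original slides: it parses EAPOL/EAP frames and applies a client-side policy that refuses a Success unless a mutually authenticating method was requested first. The sample frames are constructed, and the `MUTUAL_AUTH` policy set and the function names are assumptions of this example.

```python
import struct

# EAP codes, and IANA type numbers for the methods named on the slides.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
             17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}
# Assumed client policy for this example: TLS-based methods count as mutual.
MUTUAL_AUTH = {13, 21, 25}
# Constructed sample frames (bytes after EtherType 0x888E), not captures.
ID_REQ = bytes.fromhex("010000050101000501")      # Request/Identity
PEAP_REQ = bytes.fromhex("01000006010200061920")  # Request/PEAP, Start flag
SUCCESS = bytes.fromhex("0100000403020004")       # Success: header only

def parse_eapol(frame: bytes) -> dict:
    """Parse one EAPOL frame; 'eap' is None unless it is an EAP-Packet."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than declared length")
    out = {"version": version, "eapol_type": ptype, "eap": None}
    if ptype != 0:  # 0 EAP-Packet, 1 Start, 2 Logoff, 3 Key
        return out
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= len(body):
        raise ValueError("bad EAP length")
    eap = {"code": EAP_CODES.get(code, code), "id": ident,
           "type": None, "data": b""}
    if code in (1, 2) and eap_len >= 5:  # only Request/Response carry a type
        eap["type"], eap["data"] = body[4], body[5:eap_len]
    out["eap"] = eap
    return out

def judge_success(frames_from_ap) -> str:
    """Client-side policy: accept Success only after a mutual method ran."""
    method = None
    for raw in frames_from_ap:
        eap = parse_eapol(raw)["eap"]
        if eap is None:
            continue
        if eap["code"] == "Request" and eap["type"] not in (None, 1):
            method = eap["type"]  # last authentication method requested
        elif eap["code"] == "Success":
            if method in MUTUAL_AUTH:
                return "accept: Success follows " + EAP_TYPES[method]
            return "reject: Success without a mutually authenticating method"
    return "pending"
```

Seeing a PEAP or TLS request before the Success is a necessary condition only. A real supplicant also has to confirm that the method itself completed, with the server certificate validated and keys derived, before it trusts the Success.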

What’s Wrong – Technical
- RADIUS uses shared secret with the Authenticator
  - Same issue as WEP, but on a more reasonable scale
- Authentication after association presents roaming problems
  - Authentication takes a non-trivial amount of time… can disrupt data in transit
- Failure of RADIUS server == failure of network
  - Many AP implementations don’t allow multiple RADIUS servers
  - Most RADIUS server failover is non-transparent

What’s Wrong – touchy feely
- They forgot about the client (trust assumptions)
  - Everyone is at risk
  - Everyone is a threat
- Lack of physical security requires encrypted channel to secure 802.1x
  - Wired “port” is not the same as wireless “port”
- Protocol designed to not require hardware replacement
  - Leads to less than stellar solution, esp. WRT authentication of management frames.

What’s Wrong – touchy feely
- Extensibility leads to complexity
  - Complexity leads to mistakes in implementation
  - Read the MS Guide on creating EAP methods as an example.
- Multivendor support is difficult
- Using a shoehorn to force protocols to work together leads to problems

Why Did it Go Wrong?
- 802.1x – Designed for campus networks
- EAP – Designed for PPP
- NEITHER designed with wireless threat model in mind
- Lesson: Don’t apply old protocols to new problems without understanding the risk.

Where Are We Today?
- Several 802.1x implementations available
  - Windows XP (not PocketPC 2002)
  - Open1x.org
- EAP implementations
  - Windows IAS
  - FreeRADIUS – MD5 and TLS
  - Cisco
  - Other RADIUS servers
- NOTE: highest risk applications don’t have 802.1x – Pocket PC2k

Where Are We Today?
- 802.1x capable Access Points
- Cisco
- Lucent
- RG1000/RG1100 can be hacked with AP500 firmware to become 1x capable
- Some drawbacks
- OS authenticator from open1x.org
- Others

What’s Next
- Integration of existing solutions to “raise the bar”
- Limited 802.1x implementations
- 802.11i (Task Group I – Security)
  - On track… the right track
  - Mutual auth, per packet auth
  - 802.1x a part of

What’s Next
- WEP has the right idea
- End to End Solutions ala SSL, SSH, IPSec
- Not likely
- PocketPC2k2 doesn’t have a robust cert infrastructure.

Temporal Key Integrity Protocol
- Fast Packet Keying
- Packet MAC
- Dynamic Rekeying
- Key distribution via 802.1x
- 3Q product deployment
- Still RC4 based to be backward compatible
- AES with 802.1x keying in the distant future

Questions
http://www.shmoo.com/1x/