security Courtesy of William Arbaugh with Univ. of Maryland Jesse Walker with Intel Gunter Schafer with TU Berlin Bernard Aboba with Microsoft

agenda introduction WEP i vs WPA 802.1x

Basic service set (BSS) AP and STAs

Independent BSS Between STAs

authentication Two modes –Open authentication –WEP authentication * WEP: wired equivalent privacy

Open Authentication Authenticate (success) Authenticate (request) STA AP AP always accepts authentication request instead, AP may use MAC address lists for security (access control)

WEP Authentication Challenge (Nonce) Response (Nonce RC4 encrypted under shared key) STA AP Shared secret distributed out of band Decrypted nonce OK? Authentication key distributed out-of-band Access Point generates a “randomly generated” challenge Station encrypts challenge using the pre-shared secret key Authenticate (success) Authenticate (request)

Which one is better? WEP authentication –Gives a good matching example Challenge: plaintext (nonce) Response: ciphertext (encrypted nonce) In reality, open authentication is the norm –Right after authentication/association, STA and AP use the same secret key

40bit --> 128bit

ACL: access control list

WEP confidentiality and integrity (IC)

WEP Encapsulation HdrData WEP Encapsulation Summary: Encryption Algorithm = RC4 (stream cipher) Per-packet encryption key = 24-bit IV concatenated to a pre-shared key WEP allows IV to be reused with any frame Data integrity provided by CRC-32 of the plaintext data (the “ICV”) Data and ICV are encrypted under the per-packet encryption key HdrDataIVICV EncapsulateDecapsulate Encrypted part IV is changing

RC4 Pseudo-random number generator Encryption Key K Plaintext data byte p Random byte b  Ciphertext data byte p Decryption works the same way: p = c  b

K:104 bits + IV:24 bits = 128 bits shared key

IV collision

ICV (integrity check value) But the ICV is linear, meaning for any polynomials p and q ICV(p+q) = ICV(p) + ICV(q) This means that if q is an arbitrary nth degree polynomial, i.e., an arbitrary change in the underlying message data: (p+q)x 32 + ICV(p+q) + b = px 32 + qx 32 + ICV(p) + ICV(q) + b = ((px 32 + ICV(p)) + b) + (qx 32 + ICV(q))

Two modes in WEP keys Default keys –Every STA shares the same key Key mapping keys –Every STA uses its own key

default keys Total 4 keys: 2 for AP + 2 for STAs Why two for each direction?

Key mapping keys Different key for each user Still default key is necessary –For broadcast messages optional

p = c  bb = c  p

802.11i approach Separation of authentication and data integrity Leverage higher layer protocol for authentication

802.1x, EAP, RADIUS: authentication and access control * These are not originally intended for WLAN

NAS or RAS (Authenticator) User(Supplicant) Enterprise or ISP Network PSTN (POTS) Authentication Server (AS) RADIUS PPP EAP Over RADIUS Authentication for dial-in users POP Supplicant: an entity that wants to have access Authenticator: an entity that controls the access gate Authentication server: an entity that decides whether the supplicant is to be admitted Central database

Access control illustration 1.Authenticator is alerted by the supplicant 2.Supplicant identifies himself 3.Authenticator requests authorization from the authentication server 4.Authentication server indicates YES or NO 5.Authenticator allows or blocks access Three party interaction authenticator only opens channel until authentication/access control is performed authenticator is like doorkeeper

Network Access Server (NAS) in Ethernet To offer economical Ethernet-based access we need a new class of network access server – the EtherNAS. The EtherNAS is managed like a dialup NAS but offers thousands of times the bandwidth. IEEE APs supporting 802.1X and RADIUS are the first (but not the last) EtherNASes Key standards include: –IEEE 802 –IETF RFC : RADIUS –IEEE 802.1X: Network Port Authentication How about central database in NAS?

Why Do Auth at the Link Layer? It’s fast, simple, and inexpensive –Most popular link layers support it: PPP, IEEE 802 –Cost matters if you’re planning on deploying 1 million ports! Client doesn’t need network access to authenticate –No need to resolve names, obtain an IP address prior to auth NAS devices need minimal layer 3 functionality – access points, 1 Gbps switch ports go for $300, support 802.1D, 802.1X, SNMP & RADIUS, may have no layer 3 filtering support –Authentication, AAA support typically a firmware upgrade In a multi-protocol world, doing auth at link layer enables authorizing all protocols at the same time –Doing it at the network layer would mean adding authentication within IPv4, IPv6, AppleTalk, IPX, SNA, NetBEUI –Would also mean authorizing within multiple layers –Result: more delay

What is IEEE 802.1X? The IEEE standard for authenticated and auto-provisioned LANs. A framework for authentication and key management –IEEE 802.1X derives keys which can be used to provide per-packet authentication, integrity and confidentiality –Typically used along with well-known key derivation algorithms (e.g. TLS, SRP, etc.) –IEEE 802.1X does not mandate security services – can do authentication, or authentication & encryption –Encryption alone not recommended (but that’s what WEP does) What 802.1X is not –Purely a wireless standard – it applies to all IEEE 802 technologies (e.g. Ethernet First Mile applications) –A cipher – not a substitute for WEP, RC4, DES, 3DES, AES, etc. But 802.1X can be used to derive keys for any cipher –A single authentication method But 802.1X can support many authentication methods without changes to the AP or NIC firmware

What is EAP? The Extensible Authentication Protocol (RFC 2284) –Provides a flexible link layer security framework –Simple encapsulation protocol No dependency on IP ACK/NAK, no windowing No fragmentation support –Few link layer assumptions Can run over any link layer (PPP, 802, etc.) Does not assume physically secure link –Methods provide security services Assumes no re-ordering Can run over lossy or lossless media –Retransmission responsibility of authenticator (not needed for 802.1X or ) EAP methods based on IETF standards –Transport Level Security (TLS) (supported in Windows 2000) –Secure Remote Password (SRP) –GSS_API (including Kerberos)

EAP Architecture EAPLayer MethodLayer EAPEAP TLSTLS MediaLayer NDISAPIs EAPAPIs PPP SRPSRPAKASIMAKASIM

EAPOL-Start EAPOL-Logoff EAPOL-Key

What is RADIUS? Remote Access Dial In User Service Supports authentication, authorization, and accounting for network access –Physical ports (analog, ISDN, IEEE 802) –Virtual ports (tunnels, wireless) Allows centralized administration and accounting IETF status –Proposed standard RFC 2865, RADIUS authentication/authorization RFC , RADIUS MIBs –Informational RFC 2866, RADIUS accounting RFC , RADIUS Tunneling support RFC 2869, RADIUS extensions RFC 3162, RADIUS for IPv6

802.1X Topologies AP (Authenticator) STA (Supplicant) Enterprise or ISP Network Semi-Public Network / Enterprise Edge Authentication Server RADIUSRADIUS EAP over LAN (EAPOL) EAP Over RADIUS PAE PAE PAE: port access entry

802.1X Security Philosophy Approach: a flexible security framework –Implement security framework in upper layers –Enable plug-in of new authentication, key management methods without changing NIC or Access Point –Leverage main CPU resources for cryptographic calculations How it works –Security conversation carried out between supplicant and authentication server –NIC, Access Point acts as a pass through device Advantages –Decreases hardware cost and complexity –Enables customers to choose their own security solution –Can implement the latest, most sophisticated authentication and key management techniques with modest hardware –Enables rapid response to security issues

Ethernet Laptop computer Switch Radius Server IEEE 802.1X Conversation EAPOL-Start EAP-Response/Identity Radius-Access-Challenge EAP-Response (credentials) Access blocked Port connect Radius-Access-Accept EAP-Request/Identity EAP-Request Access allowed EAP-Success Radius-Access-Request RADIUS EAPOL

Ethernet Access Point Radius Server 802.1X on EAPOW-Start EAP-Response/Identity Radius-Access-Challenge EAP-Response (credentials) Access blocked Association Radius-Access-Accept EAP-Request/Identity EAP-Request Radius-Access-Request RADIUS EAPOW Laptop computer Wireless Associate-Request EAP-Success Access allowed EAPOW-Key (WEP) Associate-Response Why?

802.1X authentication in IEEE 802.1X authentication occurs after association or reassociation –Association/Reassociation serves as “port up” within 802.1X state machine –Prior to authentication, access point filters all non-802.1X traffic from client –If 802.1X authentication succeeds, access point removes the filter 802.1X messages sent to destination MAC address –Client, Access Point MAC addresses known after association No need to use 802.1X multicast MAC address in EAP-Start, EAP- Request/Identity messages –Prior to 802.1X authentication, access point only accepts packets with source = Client and Ethertype = EAPOL

802.1X and Per-STA Session Keys How does 802.1X derive per-Station unicast session keys? –Can use any EAP method supporting secure dynamic key derivation EAP-TLS (RFC 2716) EAP-SRP EAP-AKA, EAP-SIM (for compatibility with cellular) Security Dynamics –Keys derived on client and the RADIUS server –RADIUS server transmits key to access point RADIUS attribute encrypted on a hop-by-hop basis using shared secret shared by RADIUS client and server –Unicast keys can be used to encrypt subsequent traffic, including EAPOW-key packet (for carrying multicast/global keys)

802.1X Authentication 802.1X users identified by usernames, not MAC addresses –Enables user-based authentication, authorization, accounting For use with 802.1X, EAP methods supporting mutual authentication are recommended –Need to mutually authenticate to guarantee key is transferred to the right entity –Prevents man-in-the-middle and rogue server attacks Common EAP methods support mutual authentication –TLS: server and client must supply a certificate, prove possession of private key –SRP: permits mutual authentication via weak shared secret without risk of dictionary attack on the wire –Tunneled TLS: enables any EAP method to run, protected by TLS

Advantages of IEEE 802.1X Open standards based –Leverages existing standards: EAP (RFC 2284), RADIUS (RFC 2865, 2866, 2867, 2868, 2869) –Enables interoperable user identification, centralized authentication, key management –Enables automated provisioning of LAN connectivity User-based identification –Identification based on Network Access Identifier (RFC 2486) enables support for roaming access in public spaces (RFC 2607). –Enables a new class of wireless Internet Access Dynamic key management –Improved security for wireless (802.11) installations

WEPv1.0 w/802.1X Improved key derivation –Per-user unicast keys instead of global unicast key –Unicast key may be changed periodically to avoid staleness –Support for standards-based key derivation techniques Examples: TLS, SRP Additional fixes still under discussion –Authentication for reassociate, disassociate WEP deficiencies still present –No keyed MIC –Improper usage of RC4 stream cipher –No IV replay protection Long term solution: Need a “real” cipher! –AES proposals under discussion

802.1X Implementations Implementations available now –IEEE 802.1X support included in Windows XP –Firmware upgrades available from AP and NIC vendors –Interoperability testing underway 802.1X OS support –Microsoft: Windows XP –Cisco: Windows 9x, NT4, 2000, Mac OS, Linux RADIUS servers supporting EAP –Microsoft Windows 2000 Server –Cisco ACS –Funk RADIUS –Interlink Networks (formerly MERIT) RADIUS server

Advertising Security Options Modeled on “supported rates” AP advertises security options in probe response –Placed in probe response only if STA requests it in probe request STAs collect this information prior to associations and can make association and roaming decisions based upon it

Selecting security options STA requests security options in association request from available options contained in probe response AP accepts/rejects association based on request contents No additional protocol handshakes necessary –No impact on roaming performance

802.11i Key Hierarchy Separation of authentication and message protection Authentication: server-based key –Established in advance Communication: temporal (session) key –Pairwise key –Group key

Pairwise key Different for each STA PMK is derived from server-based key –Pairwise master key (PMK) –At server and at STA by themselves –Server delivers PMK to AP by RADIUS Then 4 temporal keys derived from PMK –Data encryption key –Data integrity key –EAPOL-Key encryption key –EAPOL-Key integrity key The collection of temporal keys is referred to as pairwise transient key (PTK)

Group key For broadcast, multicast Group master key (GMK) –AP chooses randomly Group transient key (GTK) –Using the secure link by pairwise keys –When a node leaves, GTK is changed –Group encryption key –Group integrity key