By Ramin Hedayatzadeh

“IEEE i or WPA2” Introduction Integrity of WEP to WPA (necessity) WPA and its second generation WPA2 concepts Definition Portions WPA2 - Personal mode Authentication method (PSK) WPA2 - Enterprise mode Authentication method (802.1x /EAP) Ports (controlled n uncontrolled) EAP types supported on new Wi-Fi Certified products EAP-TLS EAP-TTLS/MSCHAP v2 PEAPv0/EAP-MSCHAP v2 PEAPv1/EAP-GTC EAP-SIM

Introduction con… Encryption method (AES) History CCMP concepts CTR (counter mode) CBC-MAC (Data Authentication and Integrity) WPA2 Technical considerations Specifications & Features Upgrade problems Resources

Introduction Integrity of WEP to WPA (necessity) Integrity of WEP to WPA (necessity) By 2001, a series of independent studies from various academic and commercial institutions had identified weaknesses in Wired Equivalent Privacy (WEP), the original native security mechanism for wireless local area networks (WLANs) in the Institute of Electrical and Electronics Engineers (IEEE) specification.

WPA and its second generation WPA and its second generation Introduction cont…  To address this situation, Wi-Fi® Alliance introduced 2 new interoperable Wi-Fi security specifications for both enterprise and home networks:  In 2003, the Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA™) as a strong, standards-based interoperable Wi-Fi security specification.  In 2004, the Wi-Fi Alliance introduced Wi-Fi Protected Access 2 (WPA2™), the second generation of WPA security.

Concepts Definition Definition WPA2 (Wi-Fi Protected Access 2) provides network administrators with a high level of assurance that only authorized users can access the network. Based on the ratified IEEE i standard, WPA2 provides government grade security by implementing the National Institute of Standards and Technology (NIST) FIPS compliant AES encryption algorithm.

Concepts cont.. WPA2 can be enabled in two versions - Personal and Enterprise: WPA2 - Personal protects unauthorized network access by utilizing a set-up password. WPA2 - Personal protects unauthorized network access by utilizing a set-up password. WPA2 - Enterprise verifies network users through a server WPA2 - Enterprise verifies network users through a server

Scientific definition WPA2 is a security method in which it supports IEEE 802.1X/EAP authentication or PSK technology and a new advanced encryption mechanism using the Counter- Mode/CBC-MAC Protocol (CCMP) called the Advanced Encryption Standard (AES).

Portions WPA2 concludes 2 portions in each mode (personal and enterprise) Authentication Authentication Encryption Encryption In comparison both modes use the same encryption which is AES. but they are different in authentication completely:

WPA2 - Personal mode Authentication method (PSK) Personal Mode is designed for home and small office/home office (SOHO) users who do not have authentication servers available. It operates in an unmanaged mode that uses a pre-shared key (PSK) for authentication instead of IEEE 802.1X.

WPA2 - Enterprise mode Authentication method (802.1x /EAP) Enterprise Mode is a term given to products that are tested to be interoperable in both PSK and IEEE 802.1X/EAP modes of operation for authentication.

Port Access Entity A PAE, also known as a LAN port, is a logical entity that supports the IEEE 802.1X protocol that is associated with a port. A LAN port can adopt the role of authenticator, supplicant, or both. A PAE, also known as a LAN port, is a logical entity that supports the IEEE 802.1X protocol that is associated with a port. A LAN port can adopt the role of authenticator, supplicant, or both.

Supplicant For wireless connections, the supplicant is the logical LAN port on a wireless LAN network adapter, operating in infrastructure mode that requests access to the wired network by proving its credentials with authentication. For wireless connections, the supplicant is the logical LAN port on a wireless LAN network adapter, operating in infrastructure mode that requests access to the wired network by proving its credentials with authentication. Supplicants may be included in the client operating system, integrated into drivers, or installed as third-party standalone software. Supplicants may be included in the client operating system, integrated into drivers, or installed as third-party standalone software.

Authenticator: For wireless connections, the authenticator is the logical LAN port through which wireless clients, operating in infrastructure mode, gain access to the wired network. For wireless connections, the authenticator is the logical LAN port through which wireless clients, operating in infrastructure mode, gain access to the wired network.

Authentication Server. The authentication server checks the credentials of the supplicant on behalf of the authenticator, and then responds to the authenticator, indicating whether or not the supplicant is authorized to access the authenticator's services.. The authentication server checks the credentials of the supplicant on behalf of the authenticator, and then responds to the authenticator, indicating whether or not the supplicant is authorized to access the authenticator's services.

Authentication Server A component of the AP A component of the AP This is typically not implemented for wireless APs. A separate entity A separate entity Typically, a wireless AP uses the Remote Authentication Dial-In User Service (RADIUS) protocol to send the connection attempt parameters to a RADIUS server.

EAP traffic is exchanged between the client (supplicant) and AP (authenticator) over the layer 2 EAPol protocol. The supplicant doesn’t have layer 3 connectivity to the RADIUS server. When the AP received EAP traffic from the Client it converts it to the appropriate RADIUS request and then passes it to the RADIUS server for processing. EAP traffic is exchanged between the client (supplicant) and AP (authenticator) over the layer 2 EAPol protocol. The supplicant doesn’t have layer 3 connectivity to the RADIUS server. When the AP received EAP traffic from the Client it converts it to the appropriate RADIUS request and then passes it to the RADIUS server for processing. If the supplicant encrypts the data, the authenticator can't inspect the content of the request, but can extract from the response attributes such as the client’s VLAN assignment. If the supplicant encrypts the data, the authenticator can't inspect the content of the request, but can extract from the response attributes such as the client’s VLAN assignment.

After 802.1x authentication, the client receives the master key (MK) from the authentication server. The master key is tied to that authentication session. From the MK, the same primary master key (PMK) is generated on both the client and the authentication server. After 802.1x authentication, the client receives the master key (MK) from the authentication server. The master key is tied to that authentication session. From the MK, the same primary master key (PMK) is generated on both the client and the authentication server.

Once the user has been authenticated, the authentication server and the client simultaneously generate a Master Key (PMK). Once the user has been authenticated, the authentication server and the client simultaneously generate a Master Key (PMK). All wireless devices associated with an access point must be able to decrypt the broadcast and multicast traffic. They do so with the same group key, or GTK.if the AP changes the GTK because it was compromised, the AP issues a replacement key using a simpler two-way handshake with the KEK encrypting the GTK. All wireless devices associated with an access point must be able to decrypt the broadcast and multicast traffic. They do so with the same group key, or GTK.if the AP changes the GTK because it was compromised, the AP issues a replacement key using a simpler two-way handshake with the KEK encrypting the GTK.

The 4-Way Handshake Once a shared PMK is agreed upon between the authenticator and the supplicant, the authenticator may begin a 4-Way Handshake By itself or upon request from the supplicant. Once a shared PMK is agreed upon between the authenticator and the supplicant, the authenticator may begin a 4-Way Handshake By itself or upon request from the supplicant.

The authentication process 1) You can initiate the authentication process either by the supplicant or the access point. 1) You can initiate the authentication process either by the supplicant or the access point. 2) The supplicant provides its identity by responding to the access point with an EAP-Response/Identity packet. 2) The supplicant provides its identity by responding to the access point with an EAP-Response/Identity packet. 3) The authentication server sends an EAP- Request/Authentication packet to the access point over RADIUS and forwards this to the supplicant over EAPOL. 3) The authentication server sends an EAP- Request/Authentication packet to the access point over RADIUS and forwards this to the supplicant over EAPOL. If the supplicant supports the authentication type, it responds with the EAP-Response/Authentication packet to the access point, which forwards this packet to the authentication server. If the supplicant supports the authentication type, it responds with the EAP-Response/Authentication packet to the access point, which forwards this packet to the authentication server.

Ports (Controlled n Uncontrolled) To control access to a network, the access point uses the concept of "controlled" and "uncontrolled" ports. Both these ports are logical and virtual, but they use a single wireless association (link) between the supplicant and the access point. To control access to a network, the access point uses the concept of "controlled" and "uncontrolled" ports. Both these ports are logical and virtual, but they use a single wireless association (link) between the supplicant and the access point.

Uncontrolled port: Uncontrolled port: The uncontrolled port allows an uncontrolled exchange of data between the authenticator (the wireless AP) and other networking devices on the wired network, regardless of any wireless client's authorization state. The uncontrolled port allows only authentication traffic through it. Controlled port: Controlled port: The controlled port allows data to be sent between a wireless client and the wired network, the controlled port is initially in an "unauthorized" state that makes the supplicant unable to access the network until it proves its credentials with the authentication server.

EAP types supported on new Wi- Fi Certified products Extensible Authentication Protocol Extensible Authentication Protocol As the name suggests, EAP is designed in such a way that the authentication mechanisms that EAP uses are extensible. The protocol is flexible enough to allow any type of authentication mechanism over it.

EAP Types EAP-TLS EAP-TLS PEAPv0/EAP-MSCHAPv2 PEAPv0/EAP-MSCHAPv2 PEAPv1/EAP-GTC PEAPv1/EAP-GTC EAP-TTLS EAP-TTLS EAP-SIM EAP-SIM

EAP-TLS Is the original wireless LAN EAP authentication protocol. Although it’s rarely implemented due to a steep deployment curve, it is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software including Microsoft. Is the original wireless LAN EAP authentication protocol. Although it’s rarely implemented due to a steep deployment curve, it is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software including Microsoft.

PEAPv0/EAP-MSCHAPv2 Is the technical term for what people most commonly refer to as "PEAP". Whenever the word PEAP is used, it almost always refers to this form of PEAP since most people have no idea there are so many flavors of PEAP. Behind EAP-TLS, PEAPv0/EAP-MSCHAPv2 is the second most widely supported EAP standard in the world. Is the technical term for what people most commonly refer to as "PEAP". Whenever the word PEAP is used, it almost always refers to this form of PEAP since most people have no idea there are so many flavors of PEAP. Behind EAP-TLS, PEAPv0/EAP-MSCHAPv2 is the second most widely supported EAP standard in the world.

PEAPv1/EAP-GTC Was created by Cisco as an alternative to PEAPv0/EAP-MSCHAPv2. It allows the use of an inner authentication protocol other than Microsoft’s MSCHAPv2. Even though Microsoft (along with RSA and Cisco) co-invented the PEAP standard, Microsoft never added support for PEAPv1 in general, which means PEAPv1/EAP- GTC has no native Windows OS support. Was created by Cisco as an alternative to PEAPv0/EAP-MSCHAPv2. It allows the use of an inner authentication protocol other than Microsoft’s MSCHAPv2. Even though Microsoft (along with RSA and Cisco) co-invented the PEAP standard, Microsoft never added support for PEAPv1 in general, which means PEAPv1/EAP- GTC has no native Windows OS support.

EAP-TTLS Was created by Funk software and Certicom and is primarily backed by Funk software and is supported by other third- party server and client software. Was created by Funk software and Certicom and is primarily backed by Funk software and is supported by other third- party server and client software.

EAP-SIM Was created for the GSM (Group Special Mobile, or Global System for Mobile Communications. A 2G digital standard for cellular phone communications adopted by many countries around the world. Its frequency bands range from MHz) mobile telecom industry, which favors the use of SIM cards for authentication. Was created for the GSM (Group Special Mobile, or Global System for Mobile Communications. A 2G digital standard for cellular phone communications adopted by many countries around the world. Its frequency bands range from MHz) mobile telecom industry, which favors the use of SIM cards for authentication.

Encryption method (AES) History History In 1997, the National Institute of Standards and Technology (NIST) initiated a process to select a symmetric-key encryption algorithm to be used to protect sensitive (unclassified) Federal information in furtherance of NIST’s statutory responsibilities. In 1998, NIST announced the acceptance of fifteen candidate algorithms and requested the assistance of the cryptographic research community in analyzing the candidates.

Encryption method (AES) In cryptography, the Advanced Encryption Standard (AES) is a block cipher adopted as an encryption standard by the U.S. government. It is expected to be used worldwide and analyzed extensively, as was the case with its predecessor, the Data Encryption Standard (DES). In cryptography, the Advanced Encryption Standard (AES) is a block cipher adopted as an encryption standard by the U.S. government. It is expected to be used worldwide and analyzed extensively, as was the case with its predecessor, the Data Encryption Standard (DES).

CCMP concepts AES uses the Counter-Mode/CBC-Mac Protocol (CCMP). CCM is a new mode of operation for a block cipher that enables a single key to be used for both encryption and authentication. AES uses the Counter-Mode/CBC-Mac Protocol (CCMP). CCM is a new mode of operation for a block cipher that enables a single key to be used for both encryption and authentication.

WPA2 Temporal Keys Data encryption key A 128-bit key Data encryption key A 128-bit key Data integrity key A 128-bit key Data integrity key A 128-bit key EAPOL-Key encryption key A 128-bit key EAPOL-Key encryption key A 128-bit key EAPOL-Key integrity key A 128-bit key EAPOL-Key integrity key A 128-bit key

The 2 underlying modes employed in CCM include Counter mode (CTR) that achieves data encryption/privacy and Cipher Block Chaining Message Authentication Code (CBC-MAC) to provide authentication and integrity. The 2 underlying modes employed in CCM include Counter mode (CTR) that achieves data encryption/privacy and Cipher Block Chaining Message Authentication Code (CBC-MAC) to provide authentication and integrity.

CBC-MAC (Data Authentication and Integrity) The CBC-MAC algorithm produces a message integrity code (MIC) that provides data origin authentication and data integrity for the wireless frame. The CBC-MAC algorithm produces a message integrity code (MIC) that provides data origin authentication and data integrity for the wireless frame. A Packet Number field A Packet Number field 1) Included in WPA2-protected wireless frame 1) Included in WPA2-protected wireless frame 2) Incorporated into the encryption (CTR) 2) Incorporated into the encryption (CTR) 3) and MIC calculations 3) and MIC calculations provides replay protection. provides replay protection.

CBC-MAC is used to generate an authentication component as a result of the encryption process. This is different from prior MIC implementations, in which a separate algorithm for integrity check is required. To further enhance its advanced encryption capabilities, AES uses a 48-bit Initialization Vector (IV). CBC-MAC is used to generate an authentication component as a result of the encryption process. This is different from prior MIC implementations, in which a separate algorithm for integrity check is required. To further enhance its advanced encryption capabilities, AES uses a 48-bit Initialization Vector (IV). AES has no known attacks and the current analysis indicates that it takes 2^120 operations to break an AES key—making.it an extremely secure cryptographic algorithm. AES has no known attacks and the current analysis indicates that it takes 2^120 operations to break an AES key—making.it an extremely secure cryptographic algorithm.

Strictly speaking, AES is not precisely Rijndael (although in practice they are used interchangeably) as Rijndael supports a larger range of block and key sizes; AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits, whereas Rijndael can be specified with key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits. Strictly speaking, AES is not precisely Rijndael (although in practice they are used interchangeably) as Rijndael supports a larger range of block and key sizes; AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits, whereas Rijndael can be specified with key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits.

AES is fast in both software and hardware, is relatively easy to implement, and requires little memory. As a new encryption standard, it is currently being deployed on a large scale. AES is fast in both software and hardware, is relatively easy to implement, and requires little memory. As a new encryption standard, it is currently being deployed on a large scale.

WPA2 Technical considerations Is WPA still secure? Is WPA still secure? Why is the Alliance introducing WPA2? Why is the Alliance introducing WPA2?

WPA2 Mixed Mode WPA2 Mixed Mode PMK Caching PMK Caching Preauthentication Preauthentication New features

Resources WiFi planet 2004 WiFi planet 2004 intel.com - mobile and wireless protection intel.com - mobile and wireless protection technet.microsoft.com - cable guy 2002 technet.microsoft.com - cable guy 2002 technet.microsoft.com - cable guy may 2005 technet.microsoft.com - cable guy may 2005 Microsoft Encyclopedia of Networking 2004 Microsoft Encyclopedia of Networking 2004 Microsoft Encyclopedia of security 2004 Microsoft Encyclopedia of security 2004 Cisco Systems - FAQ on Aironets 2005 Cisco Systems - FAQ on Aironets 2005 WiFi alliance - knowledge center 2006 WiFi alliance - knowledge center 2006 WiFi alliance - WPA2 Q&A WiFi alliance - WPA2 Q&A WiFi alliance - Deploying WPA™ and WPA2™ in the Enterprise WiFi alliance - Deploying WPA™ and WPA2™ in the Enterprise Wikipedia.org Wikipedia.org TechTarget 2006 TechTarget 2006 IBM - developerWorks IBM - developerWorks