Download presentation
Presentation is loading. Please wait.
Published byEmil Robbins Modified over 8 years ago
1
1 /24 May 2006 - 1 Systems Architecture http://sar.informatik.hu-berlin.de WPA / WPA 2(802.11i) Burghard Güther, Tim Hartmann 12.06.2007
2
2 /24 May 2006 - 2 Systems Architecture http://sar.informatik.hu-berlin.de Introduction WEP is not sufficient - Weak key management (use and distribution) - Weak cryptography (affecting integrity and confidentiality) - Weak authentication (if any) Networks and Ressources are not adequately protected in WEP based Wireless LANs
3
3 /24 May 2006 - 3 Systems Architecture http://sar.informatik.hu-berlin.de Introduction RSN – defined in 802.11i – adresses those problems - Including changes for all of the above mentioned weaknesses - Important change regards the encryption algorithm, rising the need for new hardware For backward compatibility TKIP (Temporal Key Integrity Protocol) was specified and became the base for WPA - Difference to RSN is keeping RC4 as cipher, but with altered utilization WPA2 is based almost completely on RSN
4
4 /24 May 2006 - 4 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Overview New Authentication Method - using EAP (Extensible Authentication Protocol) and - Four-Way Handshake New Key Management - a Key Hierarchy is defined - Dynamic and Pre-Shared Keys are supported
5
5 /24 May 2006 - 5 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Authentication Goals: STA identity is confirmed, so only approved STAs gain access - How exactly User identities are checked is due to the chosen Method - Those could be Passwords, Smartcards, Tokens, so the Method has great impact on overall security AP identity is confirmed, so «rogue» APs are avoided - Common method are Certificates Session Key is installed in AP and STA to prevent later impersonation - Unlike in wired LANs, there is no physical connection
6
6 /24 May 2006 - 6 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Authentication Method (based on modified 802.1X): - Three entities are defined - Supplicant wants access to the network, here the STA - Authenticator controls access by port based access control, here the AP - Authentication Server handles authorization, can be located outside the AP on a different machine Security Policy is negotiated during Association with a Wireless LAN - Contains EAP Method Selection
7
7 /24 May 2006 - 7 Systems Architecture http://sar.informatik.hu-berlin.de Steps 4. and 5. may be repeated according to EAP Method Similarities WPA / WPA2 - Authentication AS (Auth.server)AP (Authenticator)STA (Supplicant) 1. EAPOL-Start (opt.) 2. EAPOL Request 3. EAPOL Response 3. RADIUS Access Request 4. RADUIS Access Challenge 4. EAP Request 5. RADIUS Access Request 5. EAP Response 6. RADUIS Access Accept 6. EAP Success 7. EAPOL Logoff (opt.)
8
8 /24 May 2006 - 8 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Authentication All Authentication Communication goes over the uncontrolled port of the AP The AP only mediates EAP Messages without interpreting them EAPOL (EAP over LAN) is used between AP and STA EAP over RADIUS is commonly used between AP and AS - Not mandatory in 802.11i
9
9 /24 May 2006 - 9 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Authentication On EAP Success Message the Four Way Handshake is initialized Security of the Channel between AP and AS is not part of the Standard, but required for RSN to be secure EAP Methods is not specified, but variants utilizing TLS are common - In that case, the TLS Handshake is encapsulated in EAP Messages Mutual Authentication must be guaranteed by the EAP Methods selected
10
10 /24 May 2006 - 10 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Authentication Port is still closed, until completion of Four Way Handshake In this phase Keys are generated for the Communictaion between STA and AP, using a Master Key STAAP EAPOL Key (MIC, Seq Nr.) Computes PTK EAPOL Key (Random 2, MIC Computes PTK Verify MIC EAPOL Key (Random 1) Verify MIC EAPOL Key (Ack, MIC) Controlled Port is unblocked
11
11 /24 May 2006 - 11 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Key Management Top Level is the Pairwise Master Key - Can be pre-installed or delivered through EAP Authentication - Master Key means, it is used to derive actual Session Keys Second Level is the Pairwise Transient Key - Consist of four Keys - Data encryption Key and Data integrity Key (identical in RSN) - Key encryption Key and Key integrity Key (used in 4-Way Handshake) - Input is PMK, MAC Address and Random Number of both participants
12
12 /24 May 2006 - 12 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Key Management Another Level is the Group Transient Key - Consist of only two Keys - Group encryption Key and Group Integrity Key - Transmitted to STAs during Group Key Handshake, secured with Key encryption Key - GK Handshakes can occur any time (necessary)
13
13 /24 May 2006 - 13 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - Overview TKIP with RC4 Cipher - Integrity protection by Michael MIC (Message Integrity Code) - Replay protection by enforcing sequenced Initialization Vectors - Confidentiality by different use of RC4 - Countermeasures when detecting attacks RSN with AES-CCMP - Advanced Encryption Standard - Counter Mode Encryption (CTR) - Cipher Block Chaining Message Authentication Code (CBC-MAC) - Used for integrity, authentication and confidentiality - Replay protection by using sequence numbers during MAC computation
14
14 /24 May 2006 - 14 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - TKIP Michael Integrity Protection - Solution without the need for hardware upgrades - Integrity protection by encryption with MIC key - MIC computed over user data, source and destination adresses and priority bits Monotonically increasing TKIP Seqence Counter (TSC) (=IV) - IV length increased from 24bit to 48bit Cryptographic key-mixing process for new key for every frame: create dynamic WEP key from TK and TSC - Avoid weak keys by TKIP Mix - User frame, 64bit-MIC, transmitter adress encrypted with per-frame key
15
15 /24 May 2006 - 15 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - TKIP Different Key for every Message with 48 bit IV Image taken from SeCoWiNetV1.4.pdf [2]
16
16 /24 May 2006 - 16 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - TKIP Combined with countermeasures, executed after a failure of the Integrity Check: - Logging Security Event - Second failure within 60s disables reception for another 60s, even not allowing new Associations with TKIP - Changing PTK and GTK through reinvoking authentication with 4-Way Handshake
17
17 /24 May 2006 - 17 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP AES is a block cipher Insertion on block ciphers Criteria: - Completeness, every bit of output block depends on each bit of input block and each bit of the key - Avalanche effect, change of 1 bit in input block leads to changing of each output bit with probability ½ (same for key) - Statistical independence, between output and input block AES uses a number of simple operations two produce a complex output - This includes bit substitutions with lookup tables, permutations and «adding» the key which includes modulo operations - Sequence of those simple operations is repeated multiple times - Each sequence updates an internal state
18
18 /24 May 2006 - 18 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP AES Operational Modes (1) - Cipher Block Chaining (CBC) - Every Plaintext Block is XORed to the preceding Ciphertext Block before encryption, uses an IV for the 1st Block - Thus two identical Plaintext Blocks will generate different Ciphertext - Each Cipher Block is dependent on all preceding Plaintext Blocks - CBC can be used as MAC (CBC-MAC) Image taken from http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation [4]
19
19 /24 May 2006 - 19 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP AES Operational Modes (2) - Counter Mode (CTR) - Converts a Block Cipher into a Stream Cipher - Generates Keystream Blocks by encrypting values of an internal state and a nonce - Internal state is a Counter, that is incremented in each iteration Image taken from http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation [4]
20
20 /24 May 2006 - 20 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP CCM - Combines CBC-MAC (integrity and authentication) and CTR (confidentiality) – both encryption and MIC as result - Takes as input 128 bit TK, 48 bit Packet Number and some Data from the frame header - PN is used as counter (to prevent replay attacks) and with header information as nonce - Header forms additional input for CCM called AAD - => Nonce, AAD and plaintext data + key as input for CCM - Ensures confidentiality of data and integrity of data and header - Combines both to encrypt and produce a MIC simultaneously => same key for encryption and integrity protection - AES obviates the need for per-packet key - CCM header consist of identifier for TK and PN
21
21 /24 May 2006 - 21 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP AES CCMP Image taken from SP800-97.pdf [3]
22
22 /24 May 2006 - 22 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP Characteristics:
23
23 /24 May 2006 - 23 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP Security Vulnerability: « Replay detection », « impersonation detection » and «weak keys » are most important for attacks against WEP.
24
24 /24 May 2006 - 24 Systems Architecture http://sar.informatik.hu-berlin.de References [1] Breaking 104 bit WEP in less than 60 seconds (2007), Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin [2] Security and Cooperation in Wireless Networks, Thwarting Malicious and Selfish Behavior in the Age of Ubiquitous Computing, by Levente Buttyan (BME) and Jean-Pierre Hubaux (EPFL) [3] NIST Special Publication 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, Sheila Frankel, Bernard Eydt, Les Owens, Karen Scarfone [4] http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation, Wikipedia, 11. Juni 2007
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.