Published by Abigayle Briggs. Modified over 6 years ago.
1
TGi security overview
Tim Moore, Microsoft Corporation
Clint Chaplin, Symbol Technologies
January 2002
2
Section numbers based on Draft 1.8
- Beacon/Probe/Associate
- 802.1X authentication using RADIUS
- EAP/EAP-TLS
- Key Hierarchy
- Key derivations
- Nonces
- Key Management
- Per packet TKIP
- Per packet AES
- Re-associate
3
Beacon
- Search for APs that support Enhanced security
- Select ESN
  - Capability bit (bit 11) ( )
- Select Authentication Suite
  - Beacon Authentication Suite IE ( )
  - OUI 00:00:00:03 is 802.1X (default)
  - Since optional, should attempt to associate if no Auth suite IE
- Select cipher suites (7.3.2.X)
  - Contains unicast and multicast cipher suite IE ( , 19)
  - OUI 00:00:00:01 TKIP
  - OUI 00:00:00:02 AES (default)
  - Since optional, should attempt to associate if no Cipher suite IE
- Is there any point in the IEs in the beacon? They are optional, so if not there still need to associate.
- If not default auth, when must you put the Auth IE in?
- If not default, must be in beacon and must be consistent (subset) in responses (probe/association)
4
Probe Request/Response
- Select ESN
  - Capability bit (bit 11) ( )
- Select Authentication
  - Probe response Authentication IE ( )
  - OUI 00:00:00:03 is 802.1X (default)
  - Since optional, should attempt to associate if no Auth suite IE
- Select cipher suite
  - Contains unicast and multicast cipher suite IE ( , 19)
  - OUI 00:00:00:01 TKIP
  - OUI 00:00:00:02 AES (default)
  - Since optional, should attempt to associate if no cipher suite IE
- Capability bit must be same as beacon
- Must be consistent (equal or a subset) in probe responses
5
Association Request/Response
- Select ESN
  - Capability bit (bit 11) ( )
- Select Authentication
  - Associate request/response Authentication IE ( )
  - OUI 00:00:00:03 is 802.1X (default)
- Select cipher suite
  - Contains unicast and multicast cipher suite IE ( , 19)
  - OUI 00:00:00:01 TKIP
  - OUI 00:00:00:02 AES (default)
- Capability bit must be same as beacon and probe
- Must be consistent (equal or a subset) in association responses
6
802.1X
- 802.1X – IEEE 802.1X standard
- Starts after association
- Packets sent as unencrypted data
- Credentials supported
  - Pre-shared key
  - Authentication (using a Radius server)
- EAPOL-Start
  - Initiates 802.1X from client
- EAPOL-Packet
  - Carries EAP messages
- EAPOL-Key
  - Carries key updates
7
802.1X/Radius (RFC2865)
- 802.1X exchange to radius server
  - 802.1X carries EAP packets (RFC2284)
  - EAP packet carried over Radius in an EAP attribute
- Authentication completes when Radius server sends either
  - Radius-Access-Accept: AP sends EAP_Success (in EAPOL-Packet) to station
  - Radius-Access-Reject: AP sends EAP_Failure
- Master session keys need to be moved from Radius server to AP
  - Note the initial master session key derivation is at the Radius server
    - Described in Annex J – also used for pre-shared secret
  - Carried in Radius-Access-Accept
    - Radius attribute Annex K
8
EAP (RFC2284)
- EAP-Request
  - Identity – Request for user id
  - Notification – display message to user
  - MD5 – MD5 authentication
  - TLS – EAP-TLS authentication
  - … – other authentication methods
- EAP-Response
  - Identity – user id
  - Notification – ack of display message
  - Nak – EAP auth method not supported
  - MD5 – MD5 auth
  - TLS – TLS auth
  - … – other auth methods
- EAP-Success
  - Auth successful
- EAP-Failure
  - Auth Failed
9
802.1X/Radius On 802.11
[Diagram: message sequence between Laptop computer, Wireless Access Point and Radius Server. The laptop-to-AP leg is 802.11; the AP-to-server leg is Ethernet/RADIUS. Labels on the diagram: Association, Associate, Access blocked, EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, Radius-Access-Request, Radius-Access-Challenge, EAP-Request, EAP-Response (credentials), Radius-Access-Request, Radius-Access-Accept, EAP-Success, Access allowed]
10
EAP-TLS (RFC2716)
- A possible authentication method
- Client cert auth to radius server
- Server cert auth to client (optional)
- Certs are often larger than an Ethernet frame so fragmented across multiple round trips
- Master key generation
- Master session key derivation
  - On station and Radius server
- Fast reconnect
  - Re-authentication
  - Server caches TLS session information after TLS session terminates
  - Client and Server prove possession of master secret
  - Generates new master session key material
  - Reduces number of round trips and size of messages (no certs sent)
11
EAP-TLS
Station (left), AP (right); "<-" is AP to station, "->" is station to AP

<- PPP EAP-Request/EAP-Type=EAP-TLS (TLS Start)
PPP EAP-Response/EAP-Type=EAP-TLS (TLS client_hello) ->
<- PPP EAP-Request/EAP-Type=EAP-TLS (TLS server_hello, TLS certificate, [TLS server_key_exchange,] [TLS certificate_request,] TLS server_hello_done)
PPP EAP-Response/EAP-Type=EAP-TLS (TLS certificate, TLS client_key_exchange, [TLS certificate_verify,] TLS change_cipher_spec, TLS finished) ->
<- PPP EAP-Request/EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished)
PPP EAP-Response/EAP-Type=EAP-TLS ->
12
EAP-TLS – fast reconnect
Station (left), AP (right); "<-" is AP to station, "->" is station to AP

<- PPP EAP-Request/EAP-Type=EAP-TLS (TLS Start)
PPP EAP-Response/EAP-Type=EAP-TLS (TLS client_hello) ->
<- PPP EAP-Request/EAP-Type=EAP-TLS (TLS server_hello, TLS change_cipher_spec, TLS finished)
PPP EAP-Response/EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished) ->
13
802.1X pre-shared key
- Pre-shared Key on stations that authenticate to each other
- Pre-shared Key is the Master Key
- Annex J is used to derive initial Master Session Keys
  - Nonce is not live: Source | Destination MAC address
- Temporal keys not derived from initial Master Session Keys
  - EAPOL-Key messages send Nonce for key mapping keys
  - Next Master Session Key derivation includes liveness
    - Derived Temporal Keys
  - EAPOL-Key auth and encryption keys do not contain liveness
14
Key Hierarchy
- Master key
  - Pre-shared key
  - Or Master key created by EAP method
    - During EAP authentication
- Master session key (derived from APEnc(n-1), APIV(n-1))
  - Expand from master key or from the previous temporal key
  - Sent from Radius server if using EAP via Radius server
- Transient session key (derived from PAEnc)
  - Derived from master session key
- Temporal Encrypt key (128bits)
  - Truncated transient session key
  - Used as AES-OCB key
- Temporal Auth key (64bits)
  - Used in TKIP
- EAPOL-Key message encryption key (APEnc)
  - Used to encrypt nonce or key material
- EAPOL-Key message authentication key (PAAuth)
- EAPOL-Key IV (PAIV)
- Authenticator IE MIC key (APAuth)
  - Used to MIC key message
- Per-packet key (TKIP only)
  - Derived from Temporal key
- Change diagram in to remove Master keys and change the iteration entry arrows to be from the correct place
- Note change Auth IE key to APAuth key
- Where is Temporal Auth key derived from?
- Note use of PAIV as EAPOL-Key IV
15
TKIP Temporal Key Mapping Key Hierarchy
- Should iteration be of Transient key rather than temporal key?
16
Master key -> Master Session Key
- Annex J
  - RFC2716
  - RFC2246
- Takes a Nonce and expands from Master Temporal Key to 128bytes of key material
  - PRF1 = PRF (K, "client EAP encryption", Nonce)
  - APEnc, PAEnc, APAuth, PAAuth
- Generate 64bytes of IV (Nonce)
  - PRF2 = PRF ("", "client EAP encryption", Nonce)
  - APIV, PAIV
17
Master Session Key Derivation
- Is using Nonce from previous Master Session key derivation a good idea or not?
18
PRF
- TLS Section 5 – RFC2246
- PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed);
  - S1 is first half of secret
  - S2 is second half of secret
19
Temporal key -> Master Session Key
- Annex J
  - RFC2716
  - RFC2246
- Takes a Nonce and expands from Temporal Key to 128bytes of key material
  - PRF1 = PRF (K, "key expansion", Nonce)
  - APEnc, PAEnc, APAuth, PAAuth
- Generate 64bytes of IV (Nonce)
  - PRF2 = PRF ("", "IV block", Nonce)
  - APIV, PAIV
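The PRF slide and the two key-expansion slides (16 and 19), worked through as an added Python example that is not code from the presentation or the draft: the RFC 2246 PRF, then the 128-byte key block and the 64-byte IV block. The equal 32-byte slices in the order the slides name them are an assumption, and the sample key and nonce are constructed.

```python
import hashlib
import hmac


def p_hash(digest, secret, seed, length):
    """RFC 2246 section 5 P_hash: chained HMAC output, truncated to length."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()         # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label+seed) XOR P_SHA-1(S2, label+seed)."""
    half = (len(secret) + 1) // 2        # odd-length secrets share the middle byte
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5 = p_hash(hashlib.md5, s1, label + seed, length)
    sha = p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha))


def derive_master_session_keys(key, nonce, key_label, iv_label):
    """128 bytes of key material and 64 bytes of IV, named as on the slides.

    ASSUMPTION: equal 32-byte slices, in the order the slides list the names.
    """
    material = tls_prf(key, key_label, nonce, 128)
    # Empty secret: anyone who sees the nonce can recompute the IV block.
    ivs = tls_prf(b"", iv_label, nonce, 64)
    names = ("APEnc", "PAEnc", "APAuth", "PAAuth")
    keys = {n: material[i * 32:(i + 1) * 32] for i, n in enumerate(names)}
    keys["APIV"], keys["PAIV"] = ivs[:32], ivs[32:]
    return keys


# Constructed sample inputs, not values from the draft.
SAMPLE_KEY = bytes(range(48))
NONCE = bytes.fromhex("a5" * 32)

if __name__ == "__main__":
    # Slide 16 labels (from master key), then slide 19 labels (from temporal key).
    for labels in ((b"client EAP encryption", b"client EAP encryption"),
                   (b"key expansion", b"IV block")):
        keys = derive_master_session_keys(SAMPLE_KEY, NONCE, *labels)
        print(labels[0].decode(), {n: v.hex()[:16] for n, v in keys.items()})
```

Changing only the nonce or only the label yields an unrelated key block, which is why the slides' question about where each nonce comes from matters for liveness.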
20
Master Session Key -> Transient Session Key
- Annex I
  - RFC3078/3079
  - On PAEnc
- Do we need this extra derivation step?
21
Transient Session Key Truncation to Temporal key
- Annex I
  - Last 128 bits of transient session key
  - From PAEnc
- Go back 2 slides for next key
22
Nonce
- Master session key derivation needs a nonce
- First Master session key derivation
  - Nonce is generated by EAP method
  - Nonce needs to be same on both station and radius server so master session key material is the same
- Following master session key derivation
  - Nonce is from the previous derivation
  - Sent from AP to station
- Nonces can be obtained from anywhere, but the previous master session key derivation does provide a nonce; the text doesn’t explain this
23
Key Management
- EAPOL-Key for default/broadcast
  - Contains actual temporal key
  - Same key sent to all stations
- EAPOL-Key for key mapping
  - Contains nonce used to derive temporal key
- Key updates
  - Management policy for when keys are updated
  - Most efficient to look at IV space used
    - MIB contains max IV and current sent IV (Annex D)
    - Need to add current receive IV
  - SetKeys.Indication for MLME indication of IV space exhaustion ( )
  - MIB for receive key IV numbers: need to add a MIB variable to key tables
24
Key Messages
- Contains
  - Key index
  - Flags
    - Key mapping/default: what type of key
    - Tx/Rx: What use the key should be put to
    - Reset IV: Whether to reset the IV space or not
  - Key length
  - Key material (Temporal key or Nonce)
  - Key material length
- TKIP key message
  - Encrypts using RC4, MIC using HMAC-MD5
- AES key message
  - Encrypts using AES-CBC, MIC using AES-CBC-MAC
- Should add a version number to the key message
25
EAPOL-Key Keys
26
Ping – Pong (8.5.8)
27
Per packet keying TKIP (8.6.1)
- TKIP Phase 1 key
  - Done once per temporal key
  - Mixing Transmitter Ethernet address into temporal key
  - 128 bits
- TKIP Phase 2 key
  - Done once per packet
  - Mixing IV into phase 1 output
  - Truncated to 104 bits for RC4
28
TKIP
- Encryption is WEP using TKIP Phase 2 key
- IV selection rules (8.6.2)
- MIC: Michael (8.6.3)
  - Uses Temporal Auth Key
  - Covers
    - Source and destination MAC address
    - Unencrypted data payload
  - Requires Counter measures to limit attack rate ( )
29
Michael (8.6.3)

Michael message processing: MICHAEL((K0, K1), (M0,...,MN))
  Input: Key (K0, K1) and message M0,...,MN
  Output: MIC value (V0, V1)
  (L,R) ← (K0, K1)
  for i=0 to N-1
    L ← L ⊕ Mi
    (L, R) ← b(L, R)
  return (L,R)

Michael block function: b(L,R)
  Input: (L,R)
  Output: (L,R)
  R ← R ⊕ (L <<< 17)
  L ← (L + R) mod 2^32
  R ← R ⊕ XSWAP(L)
  R ← R ⊕ (L <<< 3)
  R ← R ⊕ (L >>> 2)
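The Michael slide above as an added Python example (not code from the presentation): it follows Michael as published in IEEE 802.11i, which applies L ← (L + R) mod 2^32 after every R update and pads the message with 0x5a and zero bytes. The DA | SA | payload framing, the helper names and the sample key and frame are assumptions constructed for illustration.

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def rol(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def xswap(v):
    """Swap the two bytes inside each 16-bit half of a 32-bit word."""
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)


def block(l, r):
    """Michael block function b(L, R): L absorbs R after every mixing step."""
    # rol(x, 30) is the right rotation by 2 written as a left rotation.
    for mix in (lambda x: rol(x, 17), xswap, lambda x: rol(x, 3), lambda x: rol(x, 30)):
        r ^= mix(l)
        l = (l + r) & MASK
    return l, r


def michael(key, message):
    """8-byte Michael MIC of message under an 8-byte key (little-endian words)."""
    l, r = struct.unpack("<II", key)
    # Pad with 0x5a, then 4 to 7 zero bytes, to a multiple of 4 bytes.
    padded = message + b"\x5a" + bytes(4)
    padded += bytes(-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = block(l, r)
    return struct.pack("<II", l, r)


def frame_mic(key, da, sa, payload):
    # ASSUMPTION: DA | SA | payload concatenation for the coverage slide 28 lists.
    return michael(key, da + sa + payload)


def verify_frame(key, da, sa, payload, mic):
    return hmac.compare_digest(frame_mic(key, da, sa, payload), mic)


# Constructed sample key and frame fields.
KEY = bytes.fromhex("0011223344556677")
DA, SA = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
PAYLOAD = b"constructed payload"

if __name__ == "__main__":
    mic = frame_mic(KEY, DA, SA, PAYLOAD)
    print("MIC:", mic.hex(), "valid:", verify_frame(KEY, DA, SA, PAYLOAD, mic))
    print("altered DA valid:", verify_frame(KEY, bytes.fromhex("02000000000c"), SA, PAYLOAD, mic))
```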
30
Per packet processing AES
- Temporal key is used as the encryption key
- Encryption AES-OCB (8.7.2)
  - Requires a Nonce
    - Includes replay counter, QoS traffic class, Source and Destination MAC address
  - 28bit replay counter/sequence number per QoS class
  - 64bit MIC
31
Re-associate Request/Response
- Select ESN
  - Capability bit (bit 11) ( )
- Select Authentication
  - Authentication IE ( )
  - OUI 00:00:00:03 is 802.1X (default if no IE)
- Select cipher suite
  - Contains unicast and multicast cipher suite IE ( , 19)
  - OUI 00:00:00:01 TKIP
  - OUI 00:00:00:02 AES (default if no IE)
- Fast handoff
  - Authenticator IE ( )
  - Passing station MIC to the old AP
- Re-associate request should contain auth and cipher suite that the station is using
  - AP disassociates station if AP can’t support the auth and cipher suite, so that station can associate again and attempt different cipher suites
- If anything fails, AP should disassociate client and station can start again
32
Re-associate Request/Response
If no IAPP or no Auth IE in Re-associate request then
  - Re-associate to new AP
  - Go back to slide 6
Else
  - Auth IE processing rules ( )
  - Use IAPP to move station Auth IE to old AP
  - Old AP checks station MIC
  - Old AP calculates new AP MIC
  - IAPP moves Auth IE and original master session keys to new AP
  - New AP passes Auth IE in re-association response
  - New AP puts 1X state machine in authenticated state and sends EAP_Success
  - Go to slide 19
Endif
- Relies on secure IAPP
- Need context block for IAPP that moves Auth IE, original master session keys and radius attributes between APs
- When go to slide 19, what is the Nonce used in the key derivation?
33
Authenticator IE
34
IAPP Fast Hand-off of TGi Keys
[Diagram: message sequence between station, New AP, Old AP and AS. Labels on the diagram: Reassociate Request, Query, Query Response, IAPP Send SecBlock, IAPP Send SecBlock Ack, IAPP Move STA, IAPP Move Ack, Reassociate Response]
- Query transaction supplies IPsec security association material
  - only needed once if New AP caches SAs; requires AS to maintain registry of IPsec SAs
- SendBlock transaction copies keying material from old AP to new AP
- Move transaction deletes keying material off old AP