1. IWD2243 Wireless & Mobile Security Chapter 3 : Wireless LAN Security Prepared by : Zuraidy Adnan, FITM UNISEL1

2. 3.1 Introduction Prepared by : Zuraidy Adnan, FITM UNISEL2  802.11 security architecture – Wired Equivalent Privacy (WEP)  Responsible for the CIA in 802.11 network.  Designed to be “Wireless Ethernet”  Important architectural differences between 802.11 & TWNs  802.11 limited support for roaming, restricted to wireless access network only  While TWN support seamless roaming over large geographical areas.

3. 3.2 WEP Prepared by : Zuraidy Adnan, FITM UNISEL3  Key establishment in 802.11  None, out of scope  Relies on preshared key STAs and APs  Does not specify how the keys are established.  Anonymity in 802.11  Not a major concern.  The use of IP address unlike IMSI in TWNs  IP address assign to user can change over time  The use of Network Address Translation (NAT)  Mapping the internal IP with Global IP (GIP)

4. 3.2 WEP (cont.) Prepared by : Zuraidy Adnan, FITM UNISEL4  Authentication in 802.11  Authentication – control access to the network.  Wired LAN – security features being inherits from the network  WLAN – no physical access authentication  Net authenticate STAs – STA authenticate Net  APs – Broadcast beacon (mgmt frame which announce the existence of the network)  Each beacon have Service Set Identifier (SSID) – or – Net name – identify ESS.  STA want to connect – passive / active scan.  STAs send probe request to all available channel

5. 3.2 WEP (cont.) Prepared by : Zuraidy Adnan, FITM UNISEL5  Authentication in 802.11 (cont.)  Concerned Aps received a probe – send probe-response  STAs find out which station it can join  STAs choose the network it whishes to join – based on signal strength  The authentication process start – two options :-  Open System Authentication (OSA)  See figure 18.2 : 802.11 OSA, page 408  Using OSA – mean no authentication at all  Shared Key Authentication (SKA)

6. 3.2 WEP (cont.) Prepared by : Zuraidy Adnan, FITM UNISEL6  Authentication in 802.11 (cont.)  Shared Key Authentication (SKA)  See figure 18.3 : 802.11 SKA, page 410  Challenge – response system  SKA divide STAs into 2 groups, 1 – allowed access, 2 – all other STAs  Group 1 – STAs share secret key with Aps  Using SKA requires, the STAs and APs capable of using WEP, and the STAs and AP have preshared key.

7. 3.2 WEP (cont.) Prepared by : Zuraidy Adnan, FITM UNISEL7  Authentication in 802.11 (cont.)  Authentication and Handoffs  See figure 18.4 : 802.11 handoffs and security, page 411  What’s wrong with 802.11 authentication?  No method specified in WEP for each STA to be assigned with unique key  Many 802.11 deployment share key across Aps  One way – no provision for the STA to authenticate the Net.  Pseudo-Authentication scheme  Allows only STAs that knows the SSID to join the Net  Using MAC address as a secret.  Aps maintain a list of STA’s MAC, only registered MAC can access the Net

8. 3.2 WEP (cont.) Prepared by : Zuraidy Adnan, FITM UNISEL8  Confidentiality in 802.11  See figure 18.5 : WEP, page 414  5 steps to provide confidentiality in 802.11  See figure 18.6 : A WEP packet, page 415  The packet that been produced after encryption process.  What’s wrong with WEP  Usage of RC4 stream chiper, always failed in wireless medium.  Solution : shift synchronization requirement from session to a packet – change keys for every packet.  IV which concatenated with master key per packet being sent in clear text  Susceptible to Fluhrer-Mantin-Shamir (FMS) attack.  Specify no rules for IV selection

9. 3.2 WEP (cont.) Prepared by : Zuraidy Adnan, FITM UNISEL9  Data Integrity in 802.11  802.11 uses Integrity Check Value (ICV) field in the packet  See figure 18.7 : Data integrity in WEP, page 419  ICV – Cyclic Redundancy Check-32bits (CRC32)  CRC32 is linear and not cryptographically computed  Eve still can modify the message!  Loopholes in 802.11 security (summary)  The list 1-9, page 421 & 422.

10. 3.3 WPA Prepared by : Zuraidy Adnan, FITM UNISEL10  Wi-Fi Protected Access (WPA)  Prestandard subset of 802.11i  Biggest differences –  Usage of AES (Advanced Encryption Standard) for providing confidentiality and integrity  Usage of Temporal Key Integrity Protocol (TKIP) and MICHAEL.  Both differences makes big changes in WLAN security architecture & hardware parts.  Most parts (h/ware) in 802.11 implementation cannot be used in WPA 802.11i

11. 3.3 WPA (cont.) Prepared by : Zuraidy Adnan, FITM UNISEL11  Key establishment  WEP used preshared key establish using out of band mechanism  2 environments – home & enterprise  Diff infra capacities to provide security  Enterprise – 802.11i use IEEE 802.1X for key establishment & authentication.  802.1X use backend authentication server  Home user – no backend authentication server – allow out-of- band mechanism for key establishment  See figure 18.8 : Key hierarchy in 802.11, page 425

12. 3.3 WPA (cont.) Prepared by : Zuraidy Adnan, FITM UNISEL12  Key establishment (cont.)  WPA solve the problem of authentication in WEP by reducing exposure of master key (MK)  WPA extends the two-tier hierarchy to multiple hierarchy.  Pair-wise master key (PMK) – preshared key, or derived from 802.1X  PMK – 32bytes – too long for human to remember  Allow user to enter shorter password which will be used as a seed to generate 32byte key.  Pair-wise transient key (PTK) – Session key, consist of 4 keys, 128bits long.

13. 3.3 WPA (cont.) Prepared by : Zuraidy Adnan, FITM UNISEL13  Key establishment (cont.)  4 keys – encryption key for data, integrity key for data, encryption key for EAPoL msg, and integrity key for EAPoL msg.  PTK derived from PMK using pseudorandom function (PRF)  PRF is based on HMAC-SHA algorithm.  Five input values to obtain PTK from PMK :-  PTK = PRF-512(PMK, “pair-wise expansion”, AP_MAC || STA_MAC || Anonce || Snonce)  5 values – PMK, MAC add for two endpoints, one nonce for each endpoints.

14. 3.3 WPA (cont.) Prepared by : Zuraidy Adnan, FITM UNISEL14  Key establishment (cont.)  Nonce – “number-once” – generated at both side  Anonce = PRF-256(Random Number, “Init counter”, AP_MAC || Time)  Snonce = PRF-256 (Random Number, “Init counter”,STA_MAC || Time)  Next step – derive per-packet keys from PTK.  See figure 18.9 : TKIP encryption, page 427  See “important features to note in (TKIP encrypt) process”, page 428.

15. 3.3 WPA (cont.) Prepared by : Zuraidy Adnan, FITM UNISEL15  Authentication  Home user, 802.11i allows WEP like configuration  Enterprise user, 802.11i specify the use of 802.1X  802.1X architected along with Extensible Authentication Protocol over LAN (EAPoL)  See figure 18.10a : 802.1X/EAP port model, page 429  See figure 18.10b : EAPoL, page 429  EAP specify 3 net elements – Supplicant, Authenticator, Authentication Server  See figure 18.10c : EAP over WLAN, page 430  STA – supplicant, AP – authenticator, backend authentication server

16. 3.3 WPA (cont.) Prepared by : Zuraidy Adnan, FITM UNISEL16  Authentication (cont.)  See figure 18.10d : 802.1X network architecture  Confidentiality  Enhancement from WEP confidentiality  TKIP double the IV size from 24 to 48bits  Used for per-packet mixing function, instead of just add more bits into the size, and still can co-exist in WEP compatible hardware.  Integrity  TKIP use a new message integrity check (MIC) protocol, MICHAEL

17. 3.3 WPA (cont.) Prepared by : Zuraidy Adnan, FITM UNISEL17  Integrity (cont.)  MICHAEL – no multiplication operation, instead, just rely on shift and add operations.  Another enhancement – to use IV as a sequence counter.  Overall picture : confidentiality + integrity  See figure 18.10e : TKIP – the complete picture, page 435  How does WPA Fix WEP loopholes  See table 18.1 : WEP loopholes and WPA fixes

18. 3.4 WPA2 Prepared by : Zuraidy Adnan, FITM UNISEL18  Only few enhancements features from WPA  Enhancements :-  Authentication - Replaces a stream chiper (RC4) with a strong block chiper (AES). Instead, WPA2 embed AES in stream chiper.  Integrity – provides for stronger integrity protection using AES-based CCMP.  See figure 18.15 : WPA2 – the complete picture  See table 18.2 : comparison of WEP, WPA, and WPA2 security architectures.