Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE /035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 1 IEEE 802.1X For Wireless LANs Bernard Aboba, Tim Moore, Microsoft.

Published byArabella Haynes Modified over 8 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE /035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 1 IEEE 802.1X For Wireless LANs Bernard Aboba, Tim Moore, Microsoft."— Presentation transcript:

1 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 1 IEEE 802.1X For Wireless LANs Bernard Aboba, Tim Moore, Microsoft John Roese, Ravi Nalmati, Cabletron Albert Young, 3Com Carl Temme, Bill McFarland T-Span David Halasz, Aironet Paul Congdon, HP Andrew Smith, Extreme Networks

2 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 2 Outline Deployment issues with 802.11 Adaptation of IEEE 802.1X to 802.11 Summary

3 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 3 Deployment Issues With 802.11 User administration –Integration with existing user administration tools required (RADIUS, LDAP-based directories) Create a Windows group for wireless Any user or machine who is a member of the group has wireless access –Identification via User-Name easier to administer than MAC address identification –Usage accounting and auditing desirable Key management –Static keys difficult to manage on clients, access points –Proprietary key management solutions require separate user databases

4 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 4 Security Issues With 802.11 No per-packet authentication Vulnerability to disassociation attacks No user identification and authentication No central authentication, authorization, accounting RC4 stream cipher vulnerable to known plaintext attack Some implementations derive WEP keys from passwords No support for extended authentication –Token cards, certificates, smartcards, one-time passwords, biometrics, etc. Key management issues –Re-key of global keys –No dynamic per-STA key management

5 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 5 Advantages of IEEE 802.1X Open standards based –Leverages existing standards: EAP (RFC 2284), RADIUS (RFC 2138, 2139) –Enables interoperable user identification, centralized authentication, key management User-based identification –Identification based on Network Access Identifier (RFC 2486) enables support for roaming access in public spaces (RFC 2607). Dynamic key management Centralized user administration –Support for RADIUS (RFC 2138, 2139) enables centralized authentication, authorization and accounting –RADIUS/EAP (draft-ietf-radius-ext-07.txt) enables encapsulation of EAP packets within RADIUS.

6 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 6 Advantages of IEEE 802.1X, cont’d Extensible authentication support –EAP designed to allow additional authentication methods to be deployed with no changes to the access point or client NIC –RFC 2284 includes support for password authentication (EAP-MD5), One-Time Passwords (OTP) –Windows 2000 supports smartcard authentication (RFC 2716) and Security Dynamics

7 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 7 802.11 General Topology Authenticator (e.g. Access Point) Supplicant Enterprise Network Semi-Public Network / Enterprise Edge Authentication Server RADIUSRADIUS EAP Over Wireless (EAPOW) EAP Over RADIUS PAE PAE

8 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 8 Ethernet Laptop computer Switch Radius Server IEEE 802.1X Conversation EAPOL-Start EAP-Response/Identity Radius-Access-Challenge EAP-Response (credentials) Access blocked Port connect Radius-Access-Accept EAP-Request/Identity EAP-Request Access allowed EAP-Success Radius-Access-Request RADIUS EAPOL

9 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 9 Goals for 802.1X on 802.11 Wireless LANs Minimal changes required to 802.1X and 802.11 specifications –802.1X protocol same over 802.3 as 802.11 Client access control –Support for both user and machine access control Centralized user administration –RADIUS client support on Access Point Management of encryption keys –Transmission of global/multicast keys from access point to client –Dynamic derivation of unicast keys Roaming support Ad-hoc networking support

10 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 10 802.11 association Access point configured to allow open and shared authentication Initial client authentication –Open authentication used, since dynamically derived WEP key not yet available Client associates with access point

11 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 11 802.1X authentication in 802.11 IEEE 802.1X authentication occurs after 802.11 association –After association, client and access point have an Ethernet connection –Prior to authentication, access point filters all non-EAPOL traffic from client –If 802.1X authentication succeeds, access point removes the filter 802.1X messages sent to destination MAC address –Client, Access Point MAC addresses known after 802.11 association No need to use 802.1X multicast MAC address in EAP-Start, EAP- Request/Identity messages –Prior to 802.1X authentication, access point only accepts packets with source = Client and Ethertype = EAPOL

12 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 12 802.11/802.1X State Machine

13 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 13 802.1X and Per-STA Session Keys How can EAPOL be used to derive per-Station unicast session keys? –Can use any EAP method supporting secure dynamic key derivation EAP-TLS (RFC 2716) EAP-GSS Security Dynamics Other –Keys derived on client and the RADIUS server –RADIUS server transmits key to access point RADIUS attribute encrypted on a hop-by-hop basis using shared secret shared by RADIUS client and server –Unicast keys can be used to encrypt subsequent traffic, including EAPOW-key packet (for carrying multicast/global keys) Per-Station unicast session keys not required –If only multicast/global keys are supported, then session key is only used to encrypt the multicast/global key

14 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 14 802.1X and Multicast/Global Keys How can EAPOL transfer multicast/global keys? –A new EAPOL packet type can be defined for use in transporting multicast/global keys: EAPOW-Key –EAPOW-Key packet type used to transmit one or more keys from access point to client –EAPOW-Key packets only sent after EAPOW authentication succeeds –EAPOW-Key packets are encrypted using derived per- STA session key

15 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 15 Ethernet Access Point Radius Server 802.1X On 802.11 EAPOL-Start EAP-Response/Identity Radius-Access-Challenge EAP-Response (credentials) Access blocked Association Radius-Access-Accept EAP-Request/Identity EAP-Request Radius-Access-Request RADIUS EAPOW Laptop computer Wireless 802.11 802.11 Associate EAP-Success Access allowed EAPW-Key (WEP)

16 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 16 Re-authentication Access points are allowed to force clients to re-associate at any time –Default is 60 minutes –The client responses transparently to the user Access point sends WEP global key to client using 802.lX –EAPOW-Key message used to send global key

17 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 17 Roaming Process (no pre-authentication) –802.11 Re-association –802.1X will re-authenticate but network access will be denied during re-authentication Optional support for fast handoff –Inter-access point protocol Handoff per client keys Use EAPOW-Key to update shared key –Shared key pre-authentication Shared authentication using global WEP key If succeeds then allow immediate access to network –i.e. 802.1X is put immediately into the authenticated state

18 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 18 “Unauthenticated” VLAN Support Potential extension to IEEE 802.1X Designed to enable access to a registration server, enrollment server, etc. prior to authentication EAP-Notification message can inform user of location of server to take credit card, enroll user, etc. prior to obtaining network access.

19 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 19 802.1X and Ad-Hoc Networking What is ad-hoc networking? –Station communicating directly with other stations How does ad-hoc networking work with 802.lX? –Both Stations initiate EAPOL conversation –All stations authenticate with each other Otherwise mutual authentication required and algorithm to select authenticator –RADIUS not used in ad-hoc mode Typically implies that user credentials are stored on Stations

20 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 20 Key Management for Ad-Hoc Networking Requirements –Password-based mutual authentication –Secure key generation Evaluation of existing EAP methods –EAP-TLS: supports mutual authentication, keying, but assumes both participants have a certificate –EAP-GSS: supports mutual authentication, assumes “server” side is in contact with KDC 802.1X will work in adhoc mode if required –Shared key is better for some user scenarios –May need new EAP method for this purpose

21 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 21 How 802.1X Addresses 802.11 Security Issues User Identification & Strong authentication Dynamic key derivation Mutual authentication Per-packet authentication Dictionary attack precautions

22 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 22 Summary of 802.11/802.1X Vulnerabilities

23 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 23 Summary IEEE 802.1X offers solutions to 802.11 deployment issues –User identification –Centralized user management –Key management Minimal changes required to 802.11 specification –Additional MIB parameters for 802.1X/802.11 configuration Implementation requirements –Support for dynamically derived WEP keys + mutual authentication –Support for ad-hoc networking –Access-Point functions as RADIUS client Requires support for RFC 2138, 2139, draft-ietf-radius-ext-07.txt –Access-Point functions as IEEE 802.1X authenticator PAE Addresses most WEP security vulnerabilities

24 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 24 Call to Action 802.1X –Add changes required for 802.11 Messages sent to destination MAC address for 802.11 Add EAPOW-Key message 802.11 –Adopt 802.1X as an enhanced authentication and key management method –Enable appropriate methods supported by 802.1X to be used for 802.11 authentication and key management –MAC changes to improve encryption, integrity protection –The IAPP work needs to consider security impact re STA mobility between APs.

25 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 25 For More Information IEEE 802.1X –http://grouper.ieee.org/groups/802/1/pages/802.1x.htmlhttp://grouper.ieee.org/groups/802/1/pages/802.1x.html RADIUS –http://www.ietf.org/rfc/rfc2138.txthttp://www.ietf.org/rfc/rfc2138.txt –http://www.ietf.org/rfc/rfc2139.txthttp://www.ietf.org/rfc/rfc2139.txt –http://www.ietf.org/rfc/rfc2548.txthttp://www.ietf.org/rfc/rfc2548.txt –http://www.ietf.org/internet-drafts/draft-ietf-radius-radius-v2-06.txthttp://www.ietf.org/internet-drafts/draft-ietf-radius-radius-v2-06.txt –http://www.ietf.org/internet-drafts/draft-ietf-radius-accounting-v2-05.txthttp://www.ietf.org/internet-drafts/draft-ietf-radius-accounting-v2-05.txt –http://www.ietf.org/internet-drafts/draft-ietf-radius-ext-07.txthttp://www.ietf.org/internet-drafts/draft-ietf-radius-ext-07.txt –http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-auth-09.txthttp://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-auth-09.txt –http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-acct-05.txthttp://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-acct-05.txt EAP –http://www.ietf.org/rfc/rfc2284.txthttp://www.ietf.org/rfc/rfc2284.txt –http://www.ietf.org/rfc/rfc2716.txthttp://www.ietf.org/rfc/rfc2716.txt

26 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 26 Simplified Insecure Adhoc Support Simple, insecure adhoc networking sometimes desirable –Children playing games –Need “plug and go” solution without security complications –Not appropriate in business situations How can this be handled with 802.1X? –Clients assume network is un-authenticated An authenticated network will drop packets –Clients drop received EAP-Start messages Clients think they are connected to a non-authenticated network Adhoc networking just works.

27 doc.: IEEE 802.11-00/035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 27 Why Not Incorporate 802.1X into 802.11 authentication? Possible to add 802.1X support in 802.11 authentication phase –Requires additional authentication type for EAP –Requires additional of new key management functionality in 802.11 Likely to result in duplication of effort –Supplicants supporting 802.1X need duplicate code for 802.11 EAP –Supplicant operating system sees 802.11 as 802.3 Requires encapsulation/decapsulation in NIC driver to maintain transparency Large changes required to 802.11 state machine –802.1X state machine needs to be merged with 802.11 state machine No additional security over 802.1X over 802.11 approach –Associate/disassociate not encrypted or integrity protected so no additional security provided by doing EAP w/key derivation prior to 802.11 Associate Un-authenticated VLANs cannot be supported –Choice either authenticated or unauthenticated

Download ppt "Doc.: IEEE /035 Submission March 2000 Bernard Aboba, Tim Moore, MicrosoftSlide 1 IEEE 802.1X For Wireless LANs Bernard Aboba, Tim Moore, Microsoft."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Doc.: IEEE 802.11-01/553r0 Submission September 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE 802.11 Tgi Tim Moore Bernard Aboba.

Doc.: IEEE /553r0 Submission September 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE Tgi Tim Moore Bernard Aboba.
IEEE 802.11i: A Retrospective Bernard Aboba Microsoft March 2004.

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba.

Doc.: IEEE /252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba.
Doc.: IEEE 802.11-00/275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE 802.11 David Halasz, Stuart Norman, Glen.

Doc.: IEEE /275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE David Halasz, Stuart Norman, Glen.
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – 802.11b  Security Mechanisms in 802.11b  Security Problems in 802.11b  Solutions for 802.11b.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
802.11 security Courtesy of William Arbaugh with Univ. of Maryland Jesse Walker with Intel Gunter Schafer with TU Berlin Bernard Aboba with Microsoft.

security Courtesy of William Arbaugh with Univ. of Maryland Jesse Walker with Intel Gunter Schafer with TU Berlin Bernard Aboba with Microsoft.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
Marwan Al-Namari Week 10. RTS: Ready-to-Send. CTS: Clear-to- Send. ACK: Acknowledgment.NAV: network allocation vector (channel access, expected time to.

Marwan Al-Namari Week 10. RTS: Ready-to-Send. CTS: Clear-to- Send. ACK: Acknowledgment.NAV: network allocation vector (channel access, expected time to.
1 © 2000, Cisco Systems, Inc. Cisco Company Confidential - Do not distributeSE Meeting – November 16th 2000 Security for Next Generation Wireless LANs.

1 © 2000, Cisco Systems, Inc. Cisco Company Confidential - Do not distributeSE Meeting – November 16th 2000 Security for Next Generation Wireless LANs.
EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.

EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.
Windows 2003 and 802.1x Secure Wireless Deployments.

Windows 2003 and 802.1x Secure Wireless Deployments.
VPN Wireless Security at Penn State Rich Cropp Senior Systems Engineer Information Technology Services The Pennsylvania State University © 2003. All rights.

VPN Wireless Security at Penn State Rich Cropp Senior Systems Engineer Information Technology Services The Pennsylvania State University © All rights.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.
Network Security1 – Chapter 5 (B) – Using IEEE 802.1x Purpose: (a) port authentication (b) access control An IEEE standard

Network Security1 – Chapter 5 (B) – Using IEEE 802.1x Purpose: (a) port authentication (b) access control An IEEE standard

Similar presentations

Ads by Google