Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shambhu Upadhyaya 1 802.11 Security – Key Hierarchy Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 11)

Published byLydia Hudson Modified over 9 years ago

Similar presentations

Presentation on theme: "Shambhu Upadhyaya 1 802.11 Security – Key Hierarchy Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 11)"— Presentation transcript:

1 Shambhu Upadhyaya 1 802.11 Security – Key Hierarchy Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 11)

2 Shambhu Upadhyaya 2 Pairwise Keys Unicast data sent between two stations has to be private between them For this purpose a pairwise key is used which is known to the two parties Each mobile device has a unique pairwise key with the access point AP Mobile Device Key 1 Mobile Device Key 2 Mobile Device Key 3 Key 1Key 2Key 3 Pairwise Key

3 Shambhu Upadhyaya 3 Group Keys For Broadcast or multicast transmissions, data is received by multiple stations Thus a key needs to be shared by all members of the trusted group Each trusted mobile device shares this group key with the Access Point AP Mobile Device Key G Mobile Device Key G Mobile Device Key G Group Key

4 Shambhu Upadhyaya 4 Types of Keys Preshared keys -Installed in the access point and mobile device by some method outside of RSN/WPA -Used by most WEP systems -Possession of the key is the basis for authentication -Bypasses the concept of upper layer authentication completely Server-based keys -The keys are generated by some upper layer authentication protocol -Authentication server provides the access points with the temporal keys required for session protection

5 Shambhu Upadhyaya 5 Pairwise Key Hierarchy At the top of the hierarchy is Pairwise Master Key (PMK) Can be delivered from upper layer authentication protocol or can use a preshared secret There exists a unique PMK for each mobile host

6 Shambhu Upadhyaya 6 Creation and Delivering of PMK Generation of the PMK is based on the top level key held by both the user and the server Could be in a ‘smart card’ or a password known to both the user and the server (kept in a person’s head) During the EAP authentication process the method proves that both parties know this secret After successful authentication a key generating authentication process (e.g., TLS, Kerberos) then generates random-like key material This random key material is used to create the PMK Thus after the authentication process the PMK is known to both the client and the authentication server This key needs to be transferred to the Access Point for use during the session -WPA mandates the use of RADIUS to make this transfer -RSN does not specify a particular method for the transfer

7 Shambhu Upadhyaya 7 Computing Temporal Keys 802.1X model, data can start flowing once access point has the key, but WPA/RSN has more steps Now temporal keys are derived from this PMK for use during each session These keys are called temporal keys as they are recomputed each time the mobile device associates with the AP There are four keys derived for this purpose -Data Encryption Key (128 bits) -Data Integrity Key (128 bits) -EAPOL-Key Encryption Key (128 bits) -EAPOL-Key Integrity Key (128 bits) Collection of these four keys is called as Pairwise Transient Key (PTK)

8 Shambhu Upadhyaya 8 Details of Temporal Keys First two keys are used to encrypt and protect the data Last two are used to protect communication between the access point and mobile device during the initial handshake As the temporal keys change every time a station reattaches with the AP, liveliness is ensured by including a couple of Nonces in the computation of the temporal keys A Nonce is a value which is “never” or “extremely unlikely” to be repeated Each device generates a nonce and passes it to the other device Also to bind identity of the devices to the keys, MAC addresses of the devices are included in computation

9 Shambhu Upadhyaya 9 Temporal Key Generation Key Computation Block PMK Nonce1 Nonce2 MAC 1 MAC 2 Data Encr Data MIC EAPOL Encr EAPOL MIC Temporal Key Computation

10 Shambhu Upadhyaya 10 Exchanging and Verifying Key Information (Legitimizing AP) In the above exchange there is an implicit trust between the mobile host and the Access point To ensure that the Access Point is not rogue, it must authenticate itself with the mobile device To do this, the access point proves its possession of the PMK which it gets from the authentication server and can only be obtained by a legitimate AP This is done by carrying out a four-way mutual authentication between the AP and the mobile host using EAPOL Key Messages

11 Shambhu Upadhyaya 11 Access Point’s Legitimacy -Message (A): Authenticator -> Supplicant Contains the ANonce (nonce from the AP) Message is send unencrypted On receiving this message supplicant computes the temporal keys -Message (B): Supplicant -> Authenticator Contains the SNonce (nonce from the mobile host) Also contains the MIC (Message Integrity Code) to prevent the message from being tampered This is done using the EAPOL Key Integrity key from the PTK The Authenticator calculates the PTK based on the received SNonce

12 Shambhu Upadhyaya 12 Four-way Handshake Contd.. It now verifies the MIC based on the calculated temporal keys This MIC check ensures the Authenticator that the supplicant has matching PMK -Message (C): Authenticator -> Supplicant Message indicates that the authenticator is ready to start using the new set of keys Also contains a MIC so that supplicant can verify Authenticator’s possession of the PMK Also contains the start sequence for the first encrypted frame -Message (D): Supplicant -> Authenticator This acknowledges the completion of the four way handshake Also indicates that the supplicant would now install the new temporal keys

13 Shambhu Upadhyaya 13 Group Key Hierarchy Used for broadcast and multicast transmissions Broadcasts and multicasts can be sent from the access point only Pairwise keys cannot be used as the same transmission is to be heard by all stations Hence the same key is shared by all stations and is called the Group key

14 Shambhu Upadhyaya 14 Group Key Hierarchy Group keys pose a problem when a station leaves the network The pairwise keys are removed when a station disconnects but the group keys are still valid and can be used by the station to passively listen to the group transmissions This might be undesirable in some situations The solution to this problem is to change the group key once a station leaves the network

15 Shambhu Upadhyaya 15 Group Key Hierarchy Changing and distributing group keys is easier than pairwise keys as there already exists a secure channel (using pairwise keys) over which the group key can be sent The access point performs the following functions during Group Key Rekeying -Create a 256 bit Group Master Key (GMK) -Derive a Group Transient Key (GTK) from which the temporal keys are obtained -After establishment of each pairwise secure connection Send GTK to mobile device with current sequence number Check for acknowledgement of the receipt

16 Shambhu Upadhyaya 16 Group Key Hierarchy To provide an uninterrupted service, WEP provided the support for multiple keys Using this, four keys can be installed in a device at a time Each transmission carries a KeyID which specifies which of the keys to use for decryption Thus, if during a multicast transmission a station disconnects, the AP can continue transmission using the old key set till the new set of Group keys is calculated and distributed, after which it switches to the new keys set Also, GMK is not bound to a particular station and hence can be easily chosen by simply choosing a cryptographic quality random number

17 Shambhu Upadhyaya 17 References Jon Edney and William Arbaugh, Real 802.11 Security, Addison-Wesley, 2004

18 Shambhu Upadhyaya 18 802.11 Security – TKIP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 12)

19 Shambhu Upadhyaya 19 TKIP Temporal Key Integrity Protocol Designed as a wrapper around WEP -Can be implemented in software -Reuses existing WEP hardware -Runs WEP as a sub-component Quick-fix to the existing WEP problem New “procedures” around Legacy WEP Components -Cryptographic message integrity code -Packet sequencing -Per-packet key mixing -Re-keying mechanism

20 Shambhu Upadhyaya 20 TKIP Introduction Never use the same IV value more than once for any particular session key -Prevents key-stream reuse by a system Receivers discard any packets whose IV value is less or equal to the last successfully received packet encrypted with the same key -Prevents replay attacks Regularly generate a new random session key before the IV counter overflows -Prevents key-stream reuse Provide a more thorough mixing of the IV value and the session key to derive the packet's RC4 key -To “fix” the RC4 Key scheduling issues with WEP

21 Shambhu Upadhyaya 21 Weaknesses of WEP 1 IV value is too short and not protected from reuse 2 The way keys are constructed from IV makes it susceptible to weak key (FMS) attack 3No effective way to detect message tampering 4 Directly uses master keys with no provision for re-keying 5No protection against replay attacks

22 Shambhu Upadhyaya 22 Changes from WEP to TKIP PurposeChange Weakness Addressed Message Integrity Adds a message integrity protocol to prevent tampering (one which can be implemented in software using a low power microprocessor) (3) IV selection and use Changes how IV values are selected, uses it as a replay counter (1), (3)

23 Shambhu Upadhyaya 23 Changes from WEP to TKIP PurposeChange Weakness Addressed Per-Packet Key Mixing Changes encryption key for every frame (1),(2),(4) IV Size Increases the size of the IV to avoid reusing the same IV (1),(4) Key Management Adds a mechanism to distribute and change keys and derive temporal keys (4)

24 Shambhu Upadhyaya 24 Message Integrity Essential to security of the message WEP uses ICV (Integrity Check Value), but it offers no real protection Thus, ICV is not a part of TKIP security Basic idea behind computing the MIC (Message Integrity Code) is calculating a checksum over the message bytes so that any modification to the message can be detected This MIC is combined with a secret key so that only authorised parties can generate and verify the MIC Many available cryptographic methods can be used for the purpose

25 Shambhu Upadhyaya 25 Message Integrity - Michael As WEP is required to work over existing hardware it cannot use computationally intensive cryptographic methods Even if the computations are moved to software level in clients, existing Access Points cannot perform heavy computations Thus, TKIP uses a method of computing MIC called Michael Michael uses simple shift and add operations instead of multiplications and hence is usable in TKIP

26 Shambhu Upadhyaya 26 Message Integrity - Michael Michael operates on MSDUs (MAC Service Data Unit) rather than individual MPDUs (MAC Protocol Data Unit) -Useful as the computation can be performed in the device driver on the computer rather than on the adapter card -Also reduces overhead as MIC is not calculated for each MPDU being sent out As Michael is computationally simple, it offers a weak form of security To counter these drawbacks, it includes a set of countermeasures which are used when an attack is detected

27 Shambhu Upadhyaya 27 Michael Countermeasures Used to reliably detect attacks and shut down communication to the attacked station for a period of one minute This is done by disabling keys for a link as soon as the attack is detected Also has a blackout period of one minute before the keys are reestablished This can be used by the attacker to launch a DoS attack on the network (theoretically)

28 Shambhu Upadhyaya 28 IV Selection and Use TKIP has the following major changes in the way IVs are used as compared to WEP -IV Size is increased from 24 to 48 bits -IV has a secondary role as a sequence counter to avoid replay attacks -IVs are constructed so as to avoid certain ‘weak keys’ -Instead of directly appending it with the secret key, IVs are used to generate mixed keys

29 Shambhu Upadhyaya 29 IV Use in TKIP Upper IVLower IV 32 bits16 bits IVd Per Packet Key 24 bits104 bits Phase 1 Key Mixing Phase 2 Key Mixing MAC Address Session Key ‘d’ is a dummy byte designed to avoid weak keys Creating the RC4 Encryption Key

30 Shambhu Upadhyaya 30 TSC (TKIP Sequence Counter) WEP has no protection against replay attacks In TKIP IV doubles up as a sequence counter to prevent replay attacks TKIP uses the concept of replay window to implement the counters -The receiver keeps track of the highest TSC and the last 16 TSC values -When a new frame arrives it checks and classifies it as one of the following types ACCEPT: TSC is larger than the largest seen so far REJECT: TSC is less than the value of the largest - 16 WINDOW: TSC is less than the largest, but more than the lower limit

31 Shambhu Upadhyaya 31 Per–Packet Key Mixing Uses the session keys which are derived from the master keys Per Packet key mixing mechanism further derives a separate unrelated key for each packet from the session key To save computation key mixing is divided into two phases -Phase 1 involves data that is relatively static like secret session key, higher order 32 bits of IV, MAC address etc. so that this computation is done infrequently -Phase 2 is quicker to compute and is done for each packet – and used the lower 16 bits of the IV (which increases monotonically with each packet)

32 Shambhu Upadhyaya 32 TKIP Role in Transmission Compute MICAppend MIC Fragmentation Key Mixing IV GenerationCompute ICV Encrypt Append ICV to Packet MPDU for Tx MSDU for Transmission Master Key MIC Key Encryption Key Key derivation block Michael block RC4 block Append IV & Add MAC Hdr

33 TKIP MPDU Frame Initialization Vector (IV) Key Identifier (ID) Extended IV Payload Data -MPDU data MIC -The MIC value is computed using the Michael algorithm over the entire payload data of the MSDU Integrity Check Value (ICV) -The checksum value computed over the unencrypted payload data Frame Check Sequence (FCS) -(CRC) computed over all fields of the MPDU Shambhu Upadhyaya 33

34 Shambhu Upadhyaya 34 TKIP Role in Reception Compute MIC Remove & Check Mic Re-Assembly Key Mixing Decrypt IV ExtractionCheck TSC Window Strip MAC Hdr MSDU Accepted Master Key MIC Key Encryption Key Key derivation block Michael block TSC block Received MPDU RC4 block Reject if bad MIC, invoke counter- measures Reject if bad ICV Reject if bad TSC

35 Shambhu Upadhyaya 35 References Jon Edney and William Arbaugh, Real 802.11 Security, Addison-Wesley, 2004

Download ppt "Shambhu Upadhyaya 1 802.11 Security – Key Hierarchy Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 11)"

Similar presentations

SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Analysis and Improvements over DoS Attacks against IEEE 802.11i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.

Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
P1451.5 Security Survey and Recommendations By: Ryon Coleman October 16, 2003.

P Security Survey and Recommendations By: Ryon Coleman October 16, 2003.
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID 003503527.

W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.

Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
15 November 2004 1 Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.

15 November Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.

Similar presentations

Ads by Google