Presentation is loading. Please wait.

Presentation is loading. Please wait.

Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN

Published byDarcy Curtis Modified over 9 years ago

Similar presentations

Presentation on theme: "Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN"— Presentation transcript:

1 Xiuzhen Cheng cheng@gwu.edu
Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN Xiuzhen Cheng

2 Review on 802.1X Access Control
Association Request Association Response Start (optional) Request Identity Response Identity (RADIUS packet) Response Identity Request 1 Response 1 Success Request/Method Response/Method …. supplicant Authenticator Authentication Server EAP-Success EAPOL-key Data EAPOL-Logoff

3 TLS Basics – Revisited Alice Bob
I want to talk, Ciphers I support, RAlice Certificate, cipher I choose, RBob [Certificate request] {S}Bob, {keyed hash of handshake msgs} [Certificate] Finished! Data protected with keys derived from K Choose secret S Compute K = f(S, RAlice, RBob) Compute K = f(S, RAlice, RBob) Alice Bob S is the premaster key K is the master key

4 WPA and RSN Key Hierarchy
Pairwise Key Hierarchy Group Key Hierarchy Key Derivation

5 Terminologies Pairwise Key: protect the communication between an access point and a mobile station Group Key: shared by a trusted group containing multiple parties Pairwise Key Hierarchy: all the keys used between a pair of devices (one of which is usually the access point) Group Key Hierarchy: Various keys shared by all the devices in the group. Preshared keys: keys installed in the access point and in the mobile device by some method outside WPA/RSN WEP uses preshared keys, possession of the key means authenticity Server-Based keys: generated by the upper layer authentication protocol such as TLS

6 Pairwise Key Hierarchy
Pairewise Master Key (PMK): Either preshared or delivered from the upper-layer authentication PMK is the top of the pairwise key hierarchy One PMK for each mobile device, shared with the Authentication Server, from which all other pairwise keys are derived PMK generated at the authentication server Authentication needs a “supreme secret”, which is different than PMK Authentication procedure generates a PMK shared by the server and the supplicant Transferring the PMK from the server to the AP needs protection 802.11i does not specify how RADIUS if the server and the AP do not collocate – specified in WPA; RADIUS has an attribute for this purpose

7 Pairwise Master Key PMK is required to be 256 bits long
Can you memorize the 32 bytes pershared PMK? – use a shorter password, as suggested by the i PMK is not used directly for any security operations Temporal keys are generated from PMK Temporal keys are recomputed when a mobile device associates to the access point Two sets of temporal keys: one for EAPOL handshake and one for data All temporal keys must be 128 bits in length All temporal keys form the pairwise transient key (PTK)

8 Temporal Keys PMK Nonce 1 Data Encr Key Computation Block Nonce 2
Four temporal keys Data Encryption Key (128 bits) Data Integrity Key (128 bits) EAPOL-Key Encryption Key (128 bits) EAPOL-Key Integrity Key (128 bits) Need liveness to make sure that every recomputation generates a different set of keys Nonces for liveness MAC addresses for binding the keys with the identity of the devices PMK Nonce 1 Nonce 2 MAC 1 MAC2 Key Computation Block Data Encr Data MIC EAPOL Encr EAPOL MIC

9 Authenticating the Access Point
Authenticator == Access Point Supplicant == Mobile device Mobile devices have to verify the access point Access point and a mobile device prove to each other that they own the PMK key Through a four-way handshake protocol with the EAPOL-Key message Needs a shared key between the access point and the authentication server PMK is computed by the server and the supplicant AP receives PMK from a server through a secure channel

10 Four-Way Handshake Msg(A): ANonce Msg(B): SNonce || MIC(SNonce})
Authenticator generates ANonce; Supplicant generates SNonce Four EAPOL-Key messages (unencrypted) are involved Msg C and D are for synchronization – install keys simultaneously All temporal Keys will be effective after this handshake Msg(A): ANonce Computes temporal keys Msg(B): SNonce || MIC(SNonce}) Computes temporal keys MIC for tampering prevention and for the proof of the ownership of the PMK at the supplicant Authenticator Msg(C): Seq No || MIC(Seq No) Supplicant Msg C tells that new keys are ready at the Authenticator; MIC for tampering prevention and for the proof of the ownership of the PMK at the authenticator Seq No will be used for the first encrypted msg Install all keys Install all keys Msg(D): ACK

11 Group Key Hierarchy Group key needs rekeying when membership change
Wait until pairwise keys are available then send group keys At the Access Point: Create a 256-bit group master key (GMK) Derive the 256-bit group transient key (GTK) from which the group temporal keys are obtained After each pairwise secure connection is established Send GTK to mobile devices through an EAPOL-Key message Check for ACK of the receipt.

12 Group Key Hierarchy How to update group keys without breaking the service? – group key delivery takes time WEP provides the place (identified by the KeyID field) for 4 keys to be stored simultaneously Pairwise key use KeyID = 0 Use KeyID=1 for the current key and KeyID=2 for the new key Switch keyID 2 when all mobile devices are notified about the new key (ACK message) How to generate GMK? AP chooses a 256-bit cryptographic-quality random number as the GMK It is unnecessary to bind the GMK to any identity since group keys are for message protection instead of authentication

13 Group Temporal Keys Group Encryption Key (128 bits)
Group Integrity Key (128 bits) These two keys are concatenated together to form the Group Transient Key (GTK) GTK is derived from GMK, a nonce (for liveness) and the MAC address of the AP GTK is delivered through a two-way handshake through EAPOL-Key messages Msg(a): GTK encrypted and protected by the pairwise Encr and MIC keys Access Point Mobile Device ACK

14 Temporal Key Computation
All temporal keys should be independent on each other PMK, Nonce 1, Nonce 2, MAC 1,and MAC2 are fed into a pseudo Random Generator as the seed to generate random bytes, forming the temporal keys Similar for GTK Can the same pseudo random generator used for different purposes? Desirable and YES RSN and WPA define a set of pseudorandom functions, each incorporating a different text string in to the input, to produce a certain number of bits PRF-128 PRF-256 PRF-384 PRF-512

15 Pseudorandom Functions
All the variants of the PRF are implemented using the same algorithm based on HMAC-SHA-1 Each pseudorandom function takes three parameters and produces the desired number of random bits A secret key A text string identifying the application Some data specific to each case such as nonces. Eg: the starting random number of the nonce counter is PRF-256(Random Number, “Init Counter”, MAC||Time) PRF-512(PMK, “Pairwise key expansion”, MAC1||MAC2||Nonce1||Nonce2) MAC1 is the smallest and Nonce1 is the smallest PRF-256(GMK, “Group key expansion”, MAC||GNonce)

16 Nonce Selection N-once: A Number used only once with a given key
When nonces are needed Group keys are refreshed Mobile devices join/leave the network Is a calendar clock a good choice? Theoretically YES since a timer never goes back In practical, not practical: Is your clock correct? (synchronization needed for multiple timers) A larger nonce counter (256 bits long) initialized with a random number suffices Starting value of the nonce counter = PRF-256(Random Number, “Init Counter”, MAC||Network Time (if known))

17 Summary of Key Establishment
Authentication Server only knows the PMK If authentication is done at the upper layer through an authentication server (eg. TLS), the procedure authenticates the supplicant and authorizes it to join the network If a preshared key is used, authentication is assumed and subsequently verified during the four-way handshake Once authorized, the mobile device and access point perform a four-way handshake to generate temporal keys and prove mutual knowledge of the PMK The Access point computes and distributes group keys

18 Summary of Key Hierarchies
Pairwise Master Key – PMK 256 bits Pairwise Transient Key – PTK 512 bits EAPOL MIC Key EAPOL Encr Key Data Encr Key Data MIC Key 128 bits bits bits bits Protect Key Handshakes Protect Data Pairwise Key Hierarchy

19 Summary Of Key Hiercharchies
Group Master Key – GMK 256 bits Group Transient Key – GTK 256 bits Data Encr Key Data MIC Key 128 bits bits Protect Multicast/Broadcast

20 What’s Next We just talked about the key hierarchies in WPA and RSN.
Which security cipher to choose? TKIP CCMP

Download ppt "Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN"

Similar presentations

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Chapter 07 Designing and Implementing Security for WLAN

Chapter 07 Designing and Implementing Security for WLAN
CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
Analysis and Improvements over DoS Attacks against IEEE 802.11i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.

Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
MIS 5212.001 Week 12 Site:

MIS Week 12 Site:
IPsec Internet Headquarters Branch Office SA R1 R2

IPsec Internet Headquarters Branch Office SA R1 R2
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
Chapter 8 Web Security.

Chapter 8 Web Security.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
WLAN security S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.

WLAN security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
IWD2243 Wireless & Mobile Security Chapter 3 : Wireless LAN Security Prepared by : Zuraidy Adnan, FITM UNISEL1.

IWD2243 Wireless & Mobile Security Chapter 3 : Wireless LAN Security Prepared by : Zuraidy Adnan, FITM UNISEL1.
Analysis of 4-way handshake protocol in IEEE 802.11i Changhua He Stanford University Mar. 04, 2004.

Analysis of 4-way handshake protocol in IEEE i Changhua He Stanford University Mar. 04, 2004.

Similar presentations

Ads by Google