
White Paper (1.2)

IEEE 802.11
Cisco Wireless Security Suite

dbugrime@cisco.com

1.

IEEE 802.11b 1999


. ,
-, , ,
.
IEEE 802.11b
.
Ethernet, IEEE 802.11b
.
, IEEE 802.11.
, IEEE 802.11
802.11b, 802.11a, 802.11g
.
(authentication),
(privacy) (integrity) .
:
8 IEEE 802.11
, ;
;

IEEE 802.11;
Cisco Wireless Security Suite Cisco Systems
.
IEEE 802.1X
.
2.

IEEE 802.11

, ,
:

Cisco Systems, Inc.


All contents are Copyright 1992-2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
1 / 47

(user authentication)
;
(data privacy)
.
IEEE 802.11 :
(open authentication) (shared key authentication).
,
(Service Set Identifier, SSID) MAC- (MAC address authentication). .
WEP (Wired Equivalent Privacy)
, , WEP-
, . WEP IEEE 802.11
40 104 . WEP
.
2.1. Service Set Identifier (SSID)

SSID , .
, SSID ,
. SSID
, .
2.2.

IEEE 802.11

IEEE 802.11
, .
: .
IEEE 802.11 (. 1):
1. (Client) probe request .
2. (access point, AP), ,
probe response.
3.
(authentication request).
4. (authentication reply).
5. association request.
6. association response.
7.


Figure 1. IEEE 802.11 client association: 1. Probe Request; 2. Probe Response; 3. authentication request; 4. authentication reply; 5. association request; 6. association response.

2.2.1. Probe Requests, Probe Responses



probe request. probe request ,
,
SSID (. 2).

probe request probe response,
. ,
,
. , ,
.


Figure 2. Probe Request frame.

2.2.2. Open Authentication


.
. ,
, , 1997
IEEE 802.11
. , IEEE 802.11-
( - ..), ,
.
:


(authentication request) (. 3)
(authentication response) (. 4)
Figure 3. Authentication request frame.

Figure 4. Authentication response frame.


, .
, , SSID
, . WEP
.
WEP-,
, , (. 5).
Figure 5. Open authentication with mismatched WEP keys: a client holding WEP key 123456 completes 1. authentication request, 2. authentication response and 3. association request/response with an access point holding WEP key 112233; 4. the client's WEP-encrypted data cannot be decrypted by the access point; 5. data exchange fails.

2.2.3. Shared Key Authentication


IEEE 802.11.
WEP.
. 6:
1. ,
.
2. , challenge text.
3. challenge text WEP-,
.
4.
challenge text, ,
.
Figure 6. Shared key authentication: 1. authentication request; 2. authentication response carrying the challenge; 3. challenge encrypted by the client with WEP key 123456; 4. authentication result from the access point, which holds the same WEP key 123456.


2.2.4. MAC Address Authentication


MAC- IEEE 802.11,
, Cisco Systems.
MAC- MAC-
,
(. 7). MAC- IEEE 802.11 .
Figure 7. MAC address authentication: 1. association request from a client with MAC address ABC; 2. the access point sends the MAC address to the RADIUS server (PAP); 3. RADIUS-ACCEPT; 4. association response.

2.3.

2.3.1.
SSID beacon (. 8). ,
beacon , .. ""
, SSID
802.11, Sniffer Pro Wireless. , .. Cisco Aironet,
SSID beacon.
SSID probe response,
(. 9).
Figure 8. SSID carried in a beacon frame.


Figure 9. SSID carried in a probe response.

SSID .
, SSID

. Cisco SSID
.

2.3.2.
,
. ,
WEP. Cisco WEP.
, WEP (
),
Cisco Service Selection Gateway (SSG).

2.3.3.
WEP-
challenge text, .
challenge .
, challenge text, ,
(man-in-the-middle attack). challenge text, challenge text, (. 10).
WEP XOR (key stream), (ciphertext).
, XOR

. ,

.
Figure 10. Shared key authentication weakness: plain-text challenge XOR cipher-text response = keystream.

2.3.4. MAC Address Authentication
IEEE 802.11 MAC- .
, MAC-,
MAC- .
MAC- ,
MAC-.
IEEE 802.11 MAC- .
3. WEP

WEP RC4,
(symmetric key stream cipher). ,
.

.
3.1. Stream Ciphers and Block Ciphers

2 ( ,
XOR) ,
, . ,
, (. 11).


Figure 11. Stream cipher: the plaintext is XORed with the keystream.

,
. , XOR
. ,
(. 12). ,
16- 38
16 1 6 , 10
.
Figure 12. Block cipher: the plaintext is split into fixed-size blocks and each block is combined (XOR) with the key.

(Electronic
Code Book, ECB, encryption mode). ECB ,
. . 13
"FOO" AHGHE. , , ,
.


Figure 13. ECB mode: plaintext FOO combined with key 12345 always produces the same ciphertext AHGHE.

:
1. (Initialization Vectors, IVs)
2. (feedback modes)

3.1.1. Initialization Vector (IV)


.
,
, IV.
. . 14 "FOO" ,
, , . 13. IEEE 802.11
, . , , ,
.
Figure 14. The same plaintext FOO and key 12345, combined with an IV, produce a different ciphertext (WGSSF).

24 (. 15) 40- 104-


WEP, 64- 128-
. ,
(. 16). ,
WEP 64 128 ,
40 104 .

Figure 15. WEP frame format: IV (24 bits) | key ID | MAC Service Data Unit (MSDU, 0-2304 bytes) | ICV.

Figure 16. 802.11 frame with the 24-bit IV.

3.1.2. Feedback Modes

.
. ,
(cipher block chaining, CBC, mode).
XOR
.
,
. . 17.
, .
Figure 17. Cipher block chaining: the IV is XORed with the first plaintext block, and each following plaintext block is XORed with the preceding ciphertext block before encryption.


3.2.

2001 Fluhrer, Mantin, Shamir ,


WEP (interesting frames),
. WEP (key
scheduling algorithm, KSA) RC4. (
) ,
. AT&T/Rice University AirSnort
40 128
4 . 4
, .

WEP

. WEP
, .
3.3.

WEP
.
, 2
.
.
,
IEEE 802.11
(message integrity check, MIC).
. ,
Integrity Check Value (ICV), ,
CRC32, .
,
(bit-flipping)
(IV replay).

3.3.1. Initialization Vector Replay Attacks


IV replay
, ,
. 18:
1.
(, IP , , ..)
2. ,
.
3. , XOR
.


4. ,
, .
, ,
,

WEP.
Figure 18. Initialization vector replay attack: 1. the attacker sends known plaintext to the wireless client; 2. the attacker captures the corresponding encrypted frame.

, ,
, . 19:
1. , .
ICMP echo request (ping) , .
2. .
3. 256 .
4. ,
, ICMP echo reply.
5. , .


Figure 19. Keystream recovery with ICMP echo (ping): known plaintext XOR captured ciphertext.

3.3.2. Bit-Flipping Attacks


, ,
ICV.
,
. L2-
L3-. . 20:
1.
802.11.
2. 3- .
3. ICV (
).
4. .
5. ( )
ICV .
6. ICV
.
7. , .
8. .
9. ,
.
10.
.
11. .


12. ,
,
. 13.
Figure 20. Bit-flipping attack: the WEP-encrypted frame is modified, a new ICV (CRC) is computed for the altered L3 payload, and the correction is XORed into the encrypted frame.

ICV .
ICV ,
(. 21):
1. F1 C1.
2. F2 , F1, F1.
3. F3 XOR F1 F2.
4. 2 F3.
5. C3 F3 XOR C1 C2.
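The three weaknesses above, shared-key authentication leaking the keystream (2.3.3), keystream reuse under a repeated IV (3.3.1) and bit-flipping against the CRC-32 ICV (3.3.2), can all be shown against a small model of WEP. The block below is an added example written for this page, not code from the Cisco paper or from any Cisco product. It implements RC4 and the WEP frame body (IV, payload, CRC-32 ICV) as the standard defines them; the 40-bit key, the IV and the frame contents are constructed test values.

```python
# Added example (not from the Cisco paper): a minimal WEP model used to show
# the shared-key authentication leak, keystream reuse under a repeated IV and
# the bit-flipping attack on the CRC-32 ICV. Key, IV and payloads are made up.
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key) XOR (plaintext || ICV). The 3-byte IV is sent in clear."""
    return iv + xor(plaintext + icv(plaintext), rc4(iv + key, len(plaintext) + 4))


def wep_decrypt(key: bytes, body: bytes):
    """What the receiver does: return the plaintext, or None if the ICV check fails."""
    iv, ct = body[:3], body[3:]
    pt_icv = xor(ct, rc4(iv + key, len(ct)))
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    return pt if icv(pt) == tag else None


# 2.3.3 / 3.3.1: any frame whose plaintext is known leaks the keystream for its IV.
def recover_keystream(known_plaintext: bytes, body: bytes):
    """Shared-key challenge (sent in clear) XOR encrypted response = keystream for that IV."""
    iv, ct = body[:3], body[3:]
    return iv, xor(known_plaintext + icv(known_plaintext), ct)


def encrypt_with_keystream(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """Forge a valid frame (e.g. a shared-key authentication response) without the WEP key."""
    assert len(plaintext) + 4 <= len(keystream), "need keystream at least as long as plaintext+ICV"
    return iv + xor(plaintext + icv(plaintext), keystream)


def decrypt_with_keystream(keystream: bytes, body: bytes):
    """Decrypt any later frame that reuses the same IV (IV replay / keystream reuse)."""
    pt_icv = xor(body[3:], keystream)
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    return pt if icv(pt) == tag else None


# 3.3.2: CRC-32 is affine, so an attacker can flip payload bits and fix the encrypted ICV.
def bit_flip(body: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the encrypted payload and patch the encrypted ICV so it still verifies.

    For the standard CRC-32 used by WEP: crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0...0), where
    0...0 has the length of P. The crc(0...0) term is what figure 21's "C3 = C1 XOR C2"
    leaves out; it vanishes only for a CRC without the 0xFFFFFFFF initial value/final XOR.
    """
    iv, ct = body[:3], body[3:]
    n = len(ct) - 4
    assert len(delta) == n, "delta must cover the whole payload"
    icv_delta = xor(icv(delta), icv(bytes(n)))
    return iv + xor(ct[:n], delta) + xor(ct[n:], icv_delta)


if __name__ == "__main__":
    key, iv = bytes.fromhex("0102030405"), b"\x00\x00\x01"     # constructed 40-bit key and IV
    challenge = bytes(range(128))                               # constructed 128-byte challenge
    response = wep_encrypt(key, iv, challenge)                  # what the legitimate client sends
    iv2, ks = recover_keystream(challenge, response)            # what the eavesdropper learns
    forged = encrypt_with_keystream(iv2, ks, b"\x00" * 128)     # attacker answers its own challenge
    print("forged response accepted:", wep_decrypt(key, forged) is not None)
```

wep_decrypt plays the role of the access point: it accepts the forged authentication response, the frame decrypted through the reused keystream and the bit-flipped frame alike, because in each case the ICV is consistent with the payload. Nothing in the model depends on the key size; a 104-bit key behaves identically.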


Figure 21. ICV computation in a bit-flipping attack: original frame F1 = 01011010110101 with ICV C1; modification F2 = 00000011100000 with ICV C2; F3 = F1 XOR F2 = 01011001010101; the new ICV C3 computed for F3 equals C1 XOR C2.

3.4. WEP

IEEE 802.11 .
, WEP ,
. IEEE 802.11
, , ,

.
.
,
, , / .

.
4. Cisco Wireless Security Suite

Cisco Systems

IEEE 802.11. ,
, Cisco Systems
IEEE 802.11, Cisco Wireless
Security Suite.
WEP
, :
1. .
2. .
3. .
Cisco Wireless Security Suite:


IEEE 802.1X IEEE 802.1X


.
Cisco Lightweight Extensible Authentication Protocol (LEAP)

.
Temporal Key Integrity Protocol (TKIP) Cisco Systems
WEP:
(Message Integrity Check, MIC)
, ;
(Per-Packet Keying)
, ,
;
(Broadcast Key Rotation).
4.1. Cisco Wireless Security Suite

4.1.1. 802.1X
Cisco Wireless Security Suite IEEE 802.1X.
IEEE 802.1X IEEE 802.1X
. 22.

4.1.2. LEAP EAP Cisco


Cisco Systems LEAP 2001 ,
. LEAP,
EAP, 802.1X.
.
4.1.2.1. Mutual Authentication
,
.

, . Cisco LEAP
.
4.1.2.2. User-Based Authentication
IEEE 802.11 ,
,

. ,
, 802.11 WEP
, .
WEP-
.



. Cisco LEAP
.
4.1.2.3. WEP Keys
,
,
WEP-. Cisco LEAP
.
802.1X .
,

WEP,
Cisco WEP.

4.1.3. TKIP
802.11
WEP .
Cisco Systems WEP,
. Temporal Key Integrity
Protocol (TKIP), IEEE 802.11 Task Group i.
TKIP WEP:
1. (message integrity check, MIC) .
2. (Per-Packet Keying).
3. (broadcast key rotation) (
IEEE 802.11 Task Group i).
4.1.3.1. Message Integrity Check (MIC)
MIC ICV 802.11. MIC
:
MIC
(sequence number),
.
MIC , ,
ICV.
. 22 , . 23, MIC.
Figure 22. WEP-encrypted 802.11 frame: 802.11 Header | IV | LLC | SNAP | Payload | ICV (the fields after the IV are WEP-encrypted).

Figure 23. WEP-encrypted frame with MIC: 802.11 Header | IV | LLC | SNAP | MIC | SEQ | Payload | ICV (the fields after the IV are WEP-encrypted).

sequence number ,
.
.
MIC , . 24.
Figure 24. MIC computation: the MIC seed, DA, SA, LLC, SNAP, SEQ and Payload are fed into the MMH hash, which produces the 4-byte MIC.

MIC,
. (
) .
MIC . ,
IEEE 802.11 Task Group i,
. , MIC
Cisco Aironet.
4.1.3.2. Per-Packet Keying
, Fluhrer, Mantin, Shamir, AirSnort,
WEP .
, .
IEEE 802.11 Task Group i
. Cisco Systems ,
.
Cisco Systems WEP IV ,

, XOR
.


Cisco Systems
WEP- IV,
.
(. 25).
Figure 25. Per-packet keying: the IV and the base WEP key are hashed into a per-packet WEP key; the IV and that key are then used for the RC4 XOR encryption of the frame.

24- Cisco Systems


sequencing. sequencing 24-
,
IV. IV
, IV
WEP - .
sequencing ,
IV, .
,
IV WEP-.
224 , IV
. , WEP ,
IV. Cisco LEAP .
IV
.
4.1.3.3. Broadcast Key Rotation

IEEE 802.1X,

WEP-,

unicast-. broadcast- multicast- Cisco Wireless Security Suite :


broadcast-, .
broadcast-.
broadcast- 802.1X .
, Cisco TKIP, broadcast- ,
. ,


, IV ,
.
, - .
broadcast-. broadcast-
, unicast- .

broadcast-

.
Cisco broadcast- .
broadcast-, RC4,
.
RADIUS .
broadcast- 802.1X,
,
broadcast-, . Cisco Systems
broadcast- ,
802.1X.
5. IEEE 802.1X

5.1. IEEE 802.1X
IEEE 802.1X

IEEE 802
/
.
,
,
.
, , ,
, :
(identity theft) ,
.
(eavesdropping)
.
Man-in-the-Middle ,
.

.
OSI.
IEEE 802.1X
, -,
. ,


, ,
,
IEEE 802.11.
5.2. IEEE 802.1X


IEEE 802.1X
:
,
;
;
;
, , ,
, RADIUS-;

;
,
EAP ;
SNMP.
IEEE 802.1X
EAP,
(. 26).
Figure 26. 802.1X components: clients running LEAP, EAP-TLS or EAP-MD5; Cisco Aironet access points; AAA servers (Cisco Secure Access Control Server, Cisco Access Registrar); Network Server (User Database, DHCP/DNS Services); Cisco Certification Authority Server.


5.3. IEEE 802.1X

IEEE 802.1X
IEEE 802.11, IEEE 802.11 Task Group i (TGi).
IEEE 802.1X
, OSI (. 27).
Figure 27. 802.1X layering:
  Method Layer: EAP-Cisco Wireless (Cisco LEAP) | EAP-TLS | EAP-PEAP | PKI
  802.1X Layer: 802.1x
  Link Layer: 802.3 Ethernet | 802.5 Token Ring | 802.11 Wireless Ethernet

IEEE 802.1X :
(Supplicant) .
(Authenticator) (
).
(Authentication Server) RADIUS-.
IEEE 802.1X (Credentials)
.

. Cisco LEAP,
EAP-TLS, EAP-SIM.
, ,
(Association ID). .

,
(. 28).


Figure 28. 802.1X.

(
).
, .
IEEE 802.1X, .
( ) EAP Start (. 29) .
EAP Request Identity (Identity).
EAP Response, , .
RADIUS-ACCEPT RADIUS-REJECT
( ). RADIUS-ACCEPT ,
.


Figure 29. 802.1X/EAP authentication: EAP Start; EAP Request Identity; EAP Response (Identity); the access point forwards the Identity to the RADIUS server; the RADIUS accept or reject is returned to the access point.

5.4. EAP

5.4.1.
Extensible Authentication Protocol (EAP) ,
(authentication, authorization, and accounting, AAA),
. AAA- ( AAA,
), EAP, ,
.
, (. Cisco Secure
ACS). .
, EAP .
, .. MD5, Kerberos, Public Key, One Time Passwords (OTP), -,
AAA-.
, ,
( .. IEEE 802.11 WEP) .
, EAP
TLS
, .
. 1 00000 .


Table 1. 802.1X/EAP types and client platforms
  Cisco EAP (LEAP)
  EAP-TLS: Windows XP (1)
  EAP-MD5: Windows XP (1)
  Protected EAP (PEAP)
  Platforms named in the table: Windows XP, 2000, 98, 95, ME, NT; Windows CE, Linux, DOS, Mac OS.

1. Microsoft EAP supplicant for Windows 2000, Windows NT 4, Windows 98, Windows 98 Second Edition and Windows ME (EAP-TLS). An EAP supplicant is also available from Meetinghouse Data Communications (www.mtghouse.com).

Table 2. Comparison of LEAP, PEAP and EAP-TLS; the criteria listed are: Windows user database; Microsoft user database; +Microsoft (LDAP, NDS, etc.); LDAP; Windows; one-time passwords (OTP); Layer 3; man-in-the-middle.

5.4.2. EAP-related RFCs


Table 3 lists the RFCs relevant to EAP.


Table 3. EAP-related RFCs

RFC 2865  Remote Authentication Dial In User Service (RADIUS)
RFC 2869  RADIUS Extensions
RFC 2284  PPP Extensible Authentication Protocol (EAP)
RFC 2716  PPP EAP TLS Authentication Protocol
RFC 2246  The TLS Protocol Version 1.0
RFC 2459  Internet X.509 Public Key Infrastructure Certificate and CRL Profile

5.5. Public Key Infrastructure (PKI)

5.5.1. PKI and EAP-TLS


EAP-TLS TLS 1.0 (RFC 2246),
Secure Socket Layer (SSL) 3.0 Netscape. TLS SSL ,
TLS 1.0 SSL 3.0.
TLS SSL PKI:
.
AAA- .
PKI.
PKI .

5.5.2. PKI-related RFCs


Table 4 lists the RFCs relevant to PKI.

Table 4. PKI-related RFCs

RFC 2459  Internet X.509 Public Key Infrastructure Certificate and CRL Profile
RFC 2510  Internet X.509 Public Key Infrastructure Certificate Management Protocols
RFC 2511  Internet X.509 Certificate Request Message Format
RFC 2527  Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
RFC 2528  Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates
RFC 2559  Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2
RFC 2585  Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP
RFC 2587  Internet X.509 Public Key Infrastructure LDAPv2 Schema


5.5.3. PKI
PKI ,
,
, -.
PKI ,
. PKI

, - ,
.
PKI , . 5.

Table 5. Advantages of PKI-based authentication (EAP-TLS).

5.5.4.
PKI , ,
. ,
, ,
:


(Certificate version)
(Serial number)
(Certificate issuer)
(User)
(Users public key)
(Validity period)
(Optional extensions)
(Signature algorithm)
(Signature)

, , ,
, , -
(. 30).
Figure 30. X.509 certificate fields.

5.5.5.

. , ,
, . , ,
.
( ) .

. PKI, ,
, , .
.
.

5.5.6. PKI .
PKI , , , . 6.


Table 6. PKI components

  Registration authority (RA)
  Certification authority (CA)
  Certification authority agent (CAA)
  End entity (EE)
  Repository: stores certificates and certificate revocation lists.

. 31 PKI .
Figure 31. PKI components.

PKI
:


CA/RA (CA/RA Public Key Distribution)


(Certificate Enrollment)
(Certificate Revocation)
(Certificate Query)
(CRL Query)
, CA, RA PKI
RSA Laboratories Public Key Cryptography Standards (PKCS).
CA/RA .
( ) (,
, ..) , CA/RA.
CA/RA ,
. , PKI,
, .
(. 32):
1. .
2. (Enrollment Request),
(Challenge Password), CA/RA CA/RA.

.
3. CA/RA ,
.
4. CA/RA , ,
.
5. , .


Figure 32. Certificate enrollment in a PKI.

,
, .
CA/RA ,
, .


, CA/RA CA/RA
, (Certificate Revocation List, CRL).

CA.
Fully Qualified Domain Name (FQDN).
- ,
URL (CRL Distribution Point),

.

5.5.7. Certification Authority (CA) and Registration Authority (RA)


PKI ,
(root CA), (subordinate CA). PKI
RA
CA ,
,
CA.
PKI.
CA . CA
, ,
PKI.
RA
,
CA, , .
.
RA
CA. RA
CA. . 33
:
1.

RA.

2.

RA ,
CA.

3.

CA .


Figure 33. CA and RA interaction: 1. the end entity submits its enrollment request to the RA; 2. the RA forwards the approved request to the CA; 3. the CA issues the certificate.

5.5.8. PKI

CA,

LDAP-,
(CRL Distribution Point, CDP).
,
().
PKI
/ .
,
, PKI,
CA RA. A CA_A
. B,
CA_B PKI, A
, CA (CA_A) CA. ,
, CA PKI,
CA_ROOT.

5.5.9. Certificate Validation


,
.
, . ISAKMP IPSec HTTP SSL.
.
. 34 .
, :


;
CA, ,
PKI;
.
Figure 34. Certificate validation: 1. check the certificate itself (validity period); 2. check the issuing CA against the CAs trusted in the PKI; 3. query the CRL (over LDAP) to confirm the certificate has not been revoked.

,
IPsec Security Associations (SA). , SA,
,
. IPSec SA
.

6. EAP-TLS

EAP-TLS. EAP-TLS
SSL v3.0. EAP-TLS SSL EAP,
SSL - TCP.
EAP-TLS SSL,
, (.. RADIUS-).
,
.
6.1. TLS

TLS :
1. SSL- .
2. .
3. .

4. .
5. .
6. .
7. .

.
6.2. EAP-TLS

, EAP-TLS 802.1x/EAP,
: (
), ( ) (RADIUS-). RADIUS- EAP-TLS.
802.1x/EAP,
.
. 35 802.1x/EAP
EAP-TLS:
1. EAP Start .
2. EAP Request Identity.
3. EAP Response
(network access identifier, NAI), .
4.

NAI

RADIUS-,

RADIUS Access Request.


5. RADIUS- .
6. RADIUS-.
7. RADIUS- .
8. RADIUS- .
9. RADIUS- .
10. RADIUS- RADIUS Accept WEP-,
.
11. EAP Success.
12. WEP- ,
WEP- .
LEAP EAP-MD5.


Figure 35. EAP-TLS authentication (client, access point, RADIUS server):
  Client -> AP: EAPOL Start
  AP -> Client: EAP Request/Identity
  Client -> AP: EAP Response/Identity (UserID)
  AP -> RADIUS: RADIUS Access Request (UserID)
  Server-side TLS authentication (EAP-TLS)
  Client-side TLS authentication (EAP-TLS)
  RADIUS -> AP: RADIUS Access Success (session key material)
  AP -> Client: EAP Success
  AP -> Client: EAPOL-Key (Multicast), EAPOL-Key (Session Parameters)

,
,
.

EAP-TLS . 36. EAP-Request


RADIUS- .
EAP-Response, ,
( ).
RADIUS-
.


Figure 36. EAP-TLS message exchange (client and RADIUS server):
  RADIUS -> Client: EAP-Request [EAP-Type=EAP-TLS, Start bit set, no data] (EAP-TLS Start)
  Client -> RADIUS: EAP-Response [EAP-Type=EAP-TLS (TLS client_hello)]
  RADIUS -> Client: EAP-Request [EAP-Type=EAP-TLS (TLS server_hello, TLS certificate, TLS server_key_exchange, TLS certificate_request, TLS server_hello_done)]
  Client -> RADIUS: EAP-Response [EAP-Type=EAP-TLS (TLS certificate, TLS client_key_exchange, TLS certificate_verify, TLS change_cipher_spec, TLS finished)]
  RADIUS -> Client: EAP-Request [EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished)]
  Client -> RADIUS: EAP-Response [EAP-Type=EAP-TLS]
  RADIUS -> Client: EAP-Success

6.3. EAP-TLS

EAP-TLS
. 37.
TLS- premaster secret RADIUS-, RSA- , RADIUS- Diffie-Hellman, DH_RSA DH_DSS,
premaster secret . master secret,
, (Pseudo-Random
Function, PRF), TLS RFC 2246, :
premaster secret,
ASCII- master secret,
ClientHello.random ServerHello.random.
EAP-TLS RFC 2716 .
:


master secret,
ASCII- client EAP encryption.
ClientHello.random ServerHello.random.
, Message Authentication Code (MAC),
(

).

), EAPOL Key Message (. 35).
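The derivation described in 6.3 can be written out directly from RFC 2246 (the TLS 1.0 PRF and master secret) and RFC 2716 section 3.5 (the EAP-TLS key material). The block below is an added example for this page, not code from the Cisco paper or from a Cisco product. The premaster secret and the two random values are constructed; the labels "master secret" and "client EAP encryption" and the 48- and 128-octet output lengths are those of the RFCs.

```python
# Added example (not from the Cisco paper): TLS 1.0 PRF (RFC 2246) and the
# EAP-TLS key material derivation (RFC 2716 section 3.5). Inputs are constructed.
import hmac
import math


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 P_hash: A(0) = seed, A(i) = HMAC(secret, A(i-1)); output HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed).

    S1 and S2 are the two halves of the secret; for an odd length they share the middle byte.
    """
    half = math.ceil(len(secret) / 2)
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 2246 8.1: master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random), truncated to 48 octets."""
    return tls10_prf(premaster, b"master secret", client_random + server_random, 48)


def eap_tls_key_material(master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 2716 3.5: 128 octets of PRF(master_secret, "client EAP encryption",
    client.random + server.random).

    Both the client and the RADIUS server compute this; the server passes the resulting
    session keys to the access point (RADIUS Accept), which delivers the client's key
    parameters in EAPOL-Key messages (figure 35). The assignment of these octets to
    individual encryption keys is defined in RFC 2716 and is not reproduced here.
    """
    return tls10_prf(master, b"client EAP encryption", client_random + server_random, 128)


def derive_session_keys(premaster: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Run the whole chain once and return the intermediate values."""
    ms = master_secret(premaster, client_random, server_random)
    return {"master_secret": ms,
            "key_material": eap_tls_key_material(ms, client_random, server_random)}


if __name__ == "__main__":
    # constructed inputs: a 48-byte RSA-style premaster secret and two 32-byte randoms
    pm = bytes([0x03, 0x01]) + bytes(range(46))
    cr, sr = bytes(range(32)), bytes(range(32, 64))
    keys = derive_session_keys(pm, cr, sr)
    print("master secret:", keys["master_secret"].hex())
    print("key material :", keys["key_material"].hex())
```

The client and server randoms are what bind the derived keys to one connection: the same premaster secret with swapped randoms produces a different master secret, which is why a captured exchange cannot be replayed to obtain the same session keys.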


Figure 37. EAP-TLS key derivation:
  Client Random (per connection) + Pre-Master Secret (per session) + Server Random (per connection) -> PRF -> Master Secret (per session)
  Master Secret (per session) + Client Random + Server Random -> PRF -> Write MAC Client/Server (per connection), Write Secret Client/Server (per connection), IV Client/Server (per connection)

7. PEAP (Protected EAP)

Protected EAP . PEAP


PKI RADIUS-,
. PEAP
RADIUS-, EAP
. , , EAP generic
token card (GTC) (one-time passwords, OTP) EAP-MD5
(password based authentication).
, PEAP ,
EAP-TLS. , ,
, EAP-TLS,
.


PEAP Cisco Systems, Microsoft, RSA Security,


IETF. Glen Zorn,
Cisco Systems.
7.1. PEAP

PEAP . 38.
EAP-TLS:
1. EAP Start .
2. EAP Request Identity.
3. EAP Response
(network access identifier, NAI), .
4.

NAI

RADIUS-,

RADIUS Access Request.


5. RADIUS- .
6. RADIUS-.
PEAP:
7. RADIUS- ,
.
8. TLS Record Protocol RADIUS- EAP.
9. EAP.
10. RADIUS- RADIUS Accept WEP-,
.


Figure 38. PEAP: Start; Request Identity; Identity (forwarded by the access point to the RADIUS/AAA server); Server Certificate delivered to the client; EAP exchange carried inside the TLS channel; Broadcast Key and Key Length delivered to the client.

7.2. PEAP: Cisco and Microsoft

PEAP , (directory
services), LDAP, Novell NDS (OTP databases).

PEAP

Cisco

Microsoft

TLS-. Microsoft
MS-CHAP Version 2,
Windows NT Domains Active Directory. Cisco
logon-, OTP- logon-
, RSA Security, Secure Computing Corporation, Novell,
Microsoft . , Cisco
TLS-, .. ,
.
8. Cisco LEAP

Cisco LEAP 802.11,


RADIUS-.
LEAP,
RADIUS-, .


8.1. Cisco LEAP

Cisco LEAP
, .
(single-sign-on, SSO), Cisco
LEAP Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
LEAP /,

, . -,
- . LEAP
NT- (Microsoft NT key),
/ - Message Digest Algorithm 4 (MD4) (. 39).
Figure 39. Windows NT password -> MD4 -> NT hash.

NT- LEAP
/ Windows NT Domain Services Windows 2000 Active Directory.
Open Database Connectivity (ODBC) ,
MS-CHAP.
Cisco Systems Microsoft Windows (Windows 95, 98, ME,
2000, NT and XP) Windows logon Cisco LEAP logon.
Windows logon Cisco Aironet.
NT- .
802.1X RADIUS-.
: , / .
8.2. Cisco LEAP

LEAP ,
. Cisco RADIUS- ,
, , , .
- Cisco
Cisco Aironet, LEAP.

8.2.1.
Cisco Systems LEAP RADIUS- :
Cisco Secure Access Control Server (ACS) 2.6
Cisco Access Registrar v1.7
Cisco Systems LEAP RADIUS- :
Funk Steel Belted RADIUS v3.0
Interlink Networks Merit v5.1
LEAP AirPort Apple Computers.

8.2.2. Cisco LEAP


- Cisco
Cisco SAFE .
SAFE: Wireless Security in Depth :
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm

.
8.2.2.1. LEAP
LEAP .
, .
, , :
6 ;
, ;
, ;
;
, - .
:
cnw84Fri, cannot wait for Friday
!crE8vpw, not creative password
G8tSm^rt, get smart
8.2.2.2. RADIUS Server
RADIUS- Cisco Secure ACS,
MAC- 802.11 (
), LEAP, CHAP/MS-CHAP
(.. MAC-).
Cisco Secure ACS :


CiscoSecure CHAP CHAP, MS-CHAP ARAP.


CiscoSecure PAP PAP;
CHAP, MS-CHAP ARAP, CiscoSecure CHAP (
).
MAC- Cisco Secure ACS
, 12
MAC- ASCII. CHAP/
MS-CHAP, MAC-
, MAC-
LEAP.
Cisco Wireless Security Suite :
http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wrsec_an.htm
8.2.2.3.
Cisco LEAP EAP Transport Layer Security (TLS)
, RADIUS Option 27 (RADIUS session timeout option).
,
IV.
At 1000 frames per second, the 2^24 possible IV values are exhausted in

    2^24 / 1000 = 16 777 216 / 1000 = 16 777 seconds, about 4 hours 40 minutes.

,
.
8.2.2.4.
, LEAP, ,
(Layer 3 ACL)
. , /
(intrusion-detection system, IDS)
(firewall).
9.

, , ,
. IEEE 802.11
, .
,
Cisco Wireless Security Suite
.

Cisco ,

, ..
WEP-, . ,
.
Cisco Systems ,
,
.
Cisco Systems Cisco Wireless Security Suite
,
.
Cisco Systems . Cisco Wireless
Security Suite ,
.
.
10. References

Russian regulatory document on the 2400-2483.5 MHz band (minsvyaz.ru)
http://www.minsvyaz.ru/site.shtml?parent=462&id=486#2
Cisco Wireless LAN Security Web site
http://www.cisco.com/go/aironet/security
Cisco Aironet Wireless LAN Security Overview
http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/a350w_ov.htm
SAFE: Wireless LAN Security in Depth
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm
Intercepting Mobile Communications: The Insecurity of 802.11
http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf
Your 802.11 Wireless Network Has No Clothes
http://www.cs.umd.edu/%7Ewaa/wireless.pdf
Cisco response to Your 802.11 Wireless Network Has No Clothes
http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1327_pp.htm
An Initial Security Analysis of the IEEE 802.1x Standard
http://www.cs.umd.edu/~waa/1x.pdf
Cisco response to An Initial Security Analysis of the IEEE 802.1x Standard
http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1680_pp.htm
Using the Fluhrer, Mantin, and Shamir Attack to Break WEP

http://www.cs.rice.edu/~astubble/wep/
Cisco Wireless LAN Security Bulletin
http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1515_pp.htm
Authentication with 802.1x and EAP Across Congested WAN Links
http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/authp_an.htm
Configuring the Cisco Wireless Security Suite
http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wrsec_an.htm
OCB mode
http://www.cs.ucdavis.edu/~rogaway/ocb/ocb.htm
IEEE 802.11 Working Group Web site
http://grouper.ieee.org/groups/802/11/
Understanding PKI: Concepts, Standards, and Deployment Considerations, 2nd Edition
Adams, Carlisle and Steve Lloyd, ISBN: 0672323915, Publisher: Pearson Education, May 2002
http://btobsearch.barnesandnoble.com/booksearch/isbnInquiry.asp?btob=Y&isbn=0672323915
IETF Public-Key Infrastructure Working Group:
http://www.ietf.org/html.charters/pkix-charter.html
Discussion of Simple Certificate Enrollment Protocol:
http://www.cisco.com/warp/public/cc/pd/sqsw/tech/scep_wp.htm
RSA Public Key Cryptography Standards:
http://www.rsasecurity.com/rsalabs/pkcs/

