Академический Документы
Профессиональный Документы
Культура Документы
Rev. 4.0
1-1
April 2, 2008
Technical Education
1-2
April 2, 2008
Technical Education
Table of Contents
1.0 2.0 2.1 2.1.1 2.1.2 2.1.3 2.1.4 2.2 2.2.1 2.2.2 3.0 3.1 3.2 3.3 3.3.1 3.3.2 3.3.3 4.0 4.1 4.2 4.3 4.3.1 4.3.2 4.3.3 4.3.4 4.4 4.5 5.0 5.1 5.2 5.2.1 5.3 6.0 7.0 8.0 9.0 Introduction..................................................................................................................................... 6 802.11 Security................................................................................................................................ 7 802.11 Authentication ....................................................................................................................... 7 Open Authentication ......................................................................................................................... 8 Shared-Key Authentication ............................................................................................................... 9 Broadcast of SSID ...........................................................................................................................10 MAC address authentication............................................................................................................10 802.11 WEP ....................................................................................................................................10 WEP RC4 ........................................................................................................................................11 WEP CRC-32 ..................................................................................................................................12 Weaknesses in 802.11 Security ....................................................................................................15 Weaknesses in 802.11 Authentication.............................................................................................15 Use of SSID and MAC Address Authentication ...............................................................................17 Weaknesses with WEP....................................................................................................................17 Weaknesses with the RC4 Stream Cipher.......................................................................................18 CRC-32............................................................................................................................................19 Lack of Key Distribution ...................................................................................................................21 IEEE 802.1X (Port-Based Network Access Control) ...................................................................23 802.1X Authentication Process........................................................................................................25 Dynamic Encryption Keys................................................................................................................26 EAP Authentication Methods ...........................................................................................................27 EAP-TLS..........................................................................................................................................29 EAP PEAP-MSCHAPv2...................................................................................................................30 Cisco LEAP .....................................................................................................................................32 EAP-FAST .......................................................................................................................................33 A little bit about importing Certificates..............................................................................................36 Advantages of 802.1X Authentication..............................................................................................37 Wi-Fi Protected Access.................................................................................................................38 WPA Authentication.........................................................................................................................39 WPA TKIP .......................................................................................................................................39 Message Integrity Check .................................................................................................................41 Advantages of WPA.........................................................................................................................42 IEEE 802.11i (WPA2)......................................................................................................................43 Cisco Compatible Extensions ......................................................................................................45 Putting It All Together ...................................................................................................................47 Glossary .........................................................................................................................................48
1-3
April 2, 2008
Technical Education
1-4
April 2, 2008
Technical Education
802.11 Security
(In The Beginning)
1-5
April 2, 2008
Technical Education
1.0 Introduction
An 802.11 wireless network (WLAN) has many advantages over a traditional wired network. However, 802.11 wireless technology introduces security risks that a wired network is not susceptible to. Without a robust wireless security solution, organizations leave themselves vulnerable to attack through their WLAN. Access control, data privacy and data integrity are key components in preventing unauthorized access to a WLAN and compromising confidential information. Unfortunately, the security protocols defined in the original IEEE 802.11 specification (8802-11:1999) were defined at a time when the primary concerns for deploying an 802.11 wireless network were interoperability and ease of use - not security - and as a result are relatively weak in preventing the types of attacks that can be executed today against any 802.11 wireless network. A number of papers have been published on the Internet which expose the vulnerabilities in the authentication, data privacy and data integrity protocols defined in the 802.11 specification. Today, however, there are a number of enhanced wireless security solutions that are designed to combat these vulnerabilities and provide strong security for 802.11 networks. The primary focus of this document is to provide the reader with: An introduction to the security protocols defined in the original IEEE 802.11 specification. A description of the vulnerabilities of these protocols and the attacks used to exploit these vulnerabilities An introduction to the enhanced wireless security solutions available today that were developed to mitigate these vulnerabilities and attacks.
1-6
April 2, 2008
Technical Education
1-7
April 2, 2008
Technical Education
Figure 2. illustrates Open authentication and the effect of using different WEP keys.
1-8
April 2, 2008
Technical Education
Figure 3. Shared-Key Authentication Two additional network access control methods are used as a means for ensuring a mobile device can or cannot connect to a WLAN. Although these methods are supported and recommended by many 802.11 equipment vendors they are not defined in the 802.11 specification: Broadcast of SSID MAC address authentication 1-9
April 2, 2008
Technical Education
April 2, 2008
Technical Education
WEP requires that each 802.11 device share the same key for proper encryption and decryption of data, and is based on a 40-bit encryption key length. When the 802.11 specification was ratified (approved) in 1997 it was illegal to ship products that used 128bit encryption outside of the U.S. As a result, the specification defines the use of a 40-bit key length. Today, however, 802.11 products support WEP key lengths of 104 bits, offering both 40 bit and 104 bit WEP encryption. 104-bit WEP keys do provide more security, but even 104-bit keys are susceptible to attack.
The strength (security) of stream ciphers rests entirely on the randomness of the keystream; therefore, the design of the secret key-to-keystream operation is very important. Unfortunately, the major weakness with any stream cipher is the reuse of keystreams; that is, encrypting two different plain-text messages with the same keystream creates similar patterns in the cipher-text messages. This introduces a security threat because attackers can analyze the patterns in the cipher-text messages.
1-11
April 2, 2008
Technical Education
If the attacker manages to obtain the contents of one of the plain-text messages, then they can decipher the contents of the second plain-text message based on the patterns in the cipher-text messages and the known plain-text message. To overcome the possibility of keystream reuse, WEP uses an Initialization Vector (IV) to alter the keystream so that no one keystream will be the same. The IV is a dynamically 24 generated 24-bit numeric value which generates 2 or 16, 777, 216 possible keystream values and is concatenated to the key before the keystream is generated. Every time the IV changes, so does the keystream, despite using the same key. The IV provides two functions as part of the WEP protocol: It is the mechanism used to generate a new, unique keystream for every plaintext message. It provides synchronization by keeping the encryption / decryption process synchronized in the event of lost or retransmitted messages. In the final steps of the WEP encryption process the IV is transmitted in clear-text along with the cipher-text message so that the receiving device will know the value of the IV and be able to decrypt the received cipher-text message.
Figure 5. illustrates the 802.11 WEP encryption process which incorporates the Initialization Vector and Integrity Checksum Value.
1-12
April 2, 2008
Technical Education
Although it is commonly referred to as 64-bit and 128-bit WEP encryption (40-bit key + 24-bit IV or 104-bit key + 24-bit IV) the strength of the keys are actually only 40 bits and 104 bits because the 24-bit IV is sent unencrypted in the frame header. To decrypt the message, the receiving device simply reverses the encryption process: 1. The receiving device generates a keystream based on its configured WEP key and the IV sent in the frame header of the message. 2. The receiving device then applies the XOR function to the keystream and ciphertext message to recover the initial plain-text message. 3. It then separates the plain-text message into the data and ICV and computes an integrity checksum value on the received data and compares the calculated ICV to the received ICV. 4. If the two checksum values match the receiving device accepts the message as valid data and places the data on the wired LAN. For proper encryption and decryption of data all devices must be configured with the same key.
802.11 management frames are sent in clear-text (unencrypted) even when WEP encryption is enabled.
1-13
April 2, 2008
Technical Education
1-14
April 2, 2008
Technical Education
1-15
April 2, 2008
Technical Education
The Maryland paper explains that the process of exchanging the clear-text version and encrypted version of the challenge over the wireless medium is susceptible to a man-inthe-middle attack; the attacker uses sniffer software to capture both the clear-text version of the challenge and the encrypted response transmitted between the mobile device and AP. The attacker can then derive the keystream by simply performing the XOR function on the clear-text and encrypted challenges. The attacker then requests authentication to the AP, at which point the AP will send a clear-text challenge. The attacker then performs the XOR function on the clear-text challenge and the derived keystream to generate a valid authentication response. The attacker computes a new ICV and responds to the AP with a valid authentication response message. The AP authenticates the attacker and grants them access to the WLAN. At this point, the attacker has successfully associated to the AP without actual knowledge of the WEP key. Once successfully associated, the attacker can launch another attack to determine the WEP key, allowing them to transmit messages to the AP. Once an attacker has successfully executed a man-in-the-middle attack, mobile devices will view the attacker as an authorized AP and conversely the AP views the attacker as an authorized mobile device. Both the mobile device and AP fail to detect the attacker and continue transmitting information.
Figure 6. Vulnerability of Shared-Key Authentication Due to the inherent vulnerability of Shared-key authentication, it is strongly recommended that it not be used. Shared-key authentication is part of the 802.11 specification and therefore vendors are required to support it to be 802.11 compliant. It is recommended that Open authentication be used with WEP encryption enabled as opposed to Shared-key authentication.
TT145 802.11 Wireless Security
1-16
April 2, 2008
Technical Education
1-17
April 2, 2008
Technical Education
1-18
April 2, 2008
Technical Education
Since there are a little more than 16 million possible IV values, it is important how each IV is chosen in order to mitigate the attacks that focus on the weaknesses of the IV. Unfortunately, the WEP protocol doesn't specify how IVs are chosen or how often theyre changed. Some 802.11 vendor implementations start the IV at zero and increase it incrementally for each packet, rolling back to zero after the 16 millionth packet has been sent. Some vendor implementations choose IVs randomly which sounds like a good idea but really isn't because with a randomly chosen IV theres a 50% chance of keystream reuse after less than 5,000 packets.
3.3.2 CRC-32
The Berkeley paper goes on to describe the weaknesses in the CRC-32 checksum algorithm. The researchers show that the CRC-32 algorithm is inadequate in ensuring data integrity because it is a linear checksum and is susceptible to a bit-flip or replay attack. To execute a bit-flip/replay attack, an attacker uses wireless sniffer software to capture encrypted messages transmitted between a mobile device and AP. The following steps describe how a bit-flip attack is executed: 1. The attacker sniffs a frame on the WLAN and flips random bits in the data payload of the frame. 2. The attacker modifies the ICV (detailed later). 3. The attacker transmits the modified frame. 4. The receiver (either a mobile device or AP) receives the frame and calculates the ICV based on the frame contents. 5. The receiver compares its calculated ICV with the value in the ICV field of the frame. 6. The receiver accepts the modified frame. 7. The receiver de-encapsulates the frame and processes the Layer 3 packet. 8. Because bits are flipped in the Layer 3 packet, the Layer 3 checksum fails. 9. The receiver IP stack generates a predictable error. 10. The attacker sniffs the wireless LAN looking for the encrypted error message. 11. Upon receiving the error message, the attacker derives the key stream as with the IV replay attack.
1-19
April 2, 2008
Technical Education
Figure 7. Bit-Flip/Replay Attack The basis of the bit-flip attack is in the failure of the CRC-32 algorithm. If the change to the ICV reflects the change to the data payload, then the modified message will go undetected by the AP. The attacker is able to calculate the correct ICV by performing the following operations: 1. A captured frame (F1) has an ICV (C1). 2. A new frame is generated (F2) the same length as F1, with bits flipped. 3. Frame F3 is produced by XORing F1 and F2. 4. The ICV for F3 is calculated (C2). 5. The correct ICV (C3) for F3 is generated by XORing C1 and C2 Figure 8. illustrates the steps for calculating the correct ICV during a bit-flip attack.
1-20
April 2, 2008
Technical Education
1-21
April 2, 2008
Technical Education
1-22
April 2, 2008
Technical Education
With respect to 802.11, the supplicant is represented by the mobile device and the authenticator is represented by the AP in an autonomous (Thick AP) environment, or by the wireless controller in a centralized, controller-based environment. The most common type of authentication server is RADIUS (Remote Authentication Dial-In User Service). Figure 9. illustrates the IEEE 802.1X setup.
1-23
April 2, 2008
Technical Education
802.1X uses the Extensible Authentication Protocol (EAP) to pass authentication information between the mobile device and the authentication server. EAP effectively creates a session between the mobile device and authentication server, allowing the user to forward their credentials to the authentication server. If the EAP authentication method used supports mutual authentication, then the authentication server also provides its credentials to the mobile device within the same session. The EAP session provides the mobile device limited access to the network for authentication purposes only. Once the user of the mobile device has successfully authenticated to the network, the session is terminated and the user is granted access. The encapsulated form of EAP, known as EAP over LAN (or EAPOL), is used for communication between the mobile device and authenticator. The authenticator acts as an EAP proxy between the mobile device and authentication server, accepting EAPOL packets from the mobile device and forwarding them to the authentication server over a protocol such as RADIUS. The authentication server confirms the users credentials and directs the authenticator to allow the mobile device access to the network. In turn, the authenticator forwards all authentication server EAP packets over EAPOL to the mobile device. RADIUS is a widely deployed protocol for enabling centralized authentication, authorization and accounting for network access. The authenticator sends the users credentials and connection parameter information in the form of a RADIUS message to the RADIUS server (authentication server). The RADIUS server authenticates and authorizes the authenticators request and sends back a RADIUS message response. RADIUS messages are never sent between the mobile device and authenticator. RADIUS messages are sent as User Datagram Protocol (UDP) messages. UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 is used for RADIUS accounting messages. Some RADIUS servers support UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. Only one RADIUS message is included in the UDP payload of a RADIUS packet. The following provides a brief description of the various RADIUS message types: Access-Request Sent by the authenticator to request authentication and authorization for network access. Access-Accept Sent by the RADIUS server (authentication server) in response to an Access-Request message. This message informs the authenticator that the connection attempt is authenticated and authorized. Access Reject Sent by the RADIUS server in response to an Access-Request message. This message informs the authenticator that the connection attempt is rejected. The RADIUS server sends this message if either the users credentials are not authentic or the connection attempt is not authorized.
1-24
April 2, 2008
Technical Education
Access-Challenge Sent by the RADIUS server in response to an Access-Request message. This message is a challenge to the authenticator that requires a response provided by the mobile device. Accounting-Request Sent by the authenticator to specify accounting information for a connection that was accepted. Accounting-Response Sent by the RADIUS server in response to the AccountingRequest message. This message acknowledges the successful receipt and processing of the Accounting-Request. To provide additional security, the authenticator and authentication server are configured with a shared secret. The shared secret is used to secure RADIUS traffic and is typically configured as a text string on both the authenticator and authentication server.
Figure 10. illustrates how 802.1X has the effect of creating two distinct logical points of access to the authenticators physical point of attachment to the LAN.
1-25
April 2, 2008
Technical Education
802.1X authentication typically occurs after the mobile device has established a connection to the authenticator (i.e. associated to the AP) at startup or after roaming. Upon detecting the mobile devices connection, the authenticator enables the mobile devices port and forces the port into an unauthorized state so that only EAP traffic is forwarded; all other traffic is blocked. The mobile device at this point is unable to send any network traffic - including critical traffic like DHCP requests - until the 802.1X authentication process is complete and the user of the mobile device has been successfully authenticated. The controlled port only accepts packets from authenticated devices and can be thought of as a logical switch. If the user is authenticated, then the switch is closed and traffic may flow through that port. If the user is in the process of authentication or fails authentication, then the switch is open and traffic may not flow through that port. The authenticator uses the uncontrolled port to exchange EAP protocol information between the mobile device and authentication server. Protocol exchanges between the authenticator and authentication server can be conducted via one or more of the authenticators controlled or uncontrolled ports. A pair of controlled ports one on the AP or WLAN controller and one on the mobile device is created for each mobile device connected to the AP or WLAN controller. This creates a one-to-one relationship between the authenticator and each of its associated mobile devices. Once the user is authenticated and authorized, the mobile device is granted network access and can transmit data to the network through its controlled port.
1-26
April 2, 2008
Technical Education
The length of a session is defined on the authentication server. When a session expires or the mobile device roams from one authenticator to another, re-authentication occurs and a new session key is generated, which in turn generates new encryption keys. If, somehow, an attacker does manage to intercept an encryption key, a new key is generated after a specified period of time rendering the captured key invalid. Figure 11. illustrates the 802.1X mutual authentication process with dynamic per-packet keying.
1-27
April 2, 2008
Technical Education
The EAP authentication methods that are commonly used today include: EAP-TLS EAP PEAP-MSCHAPv2 LEAP (Cisco proprietary) EAP-FAST The EAP authentication method used during the 802.1X authentication process is negotiated between the mobile device and authentication server (i.e. EAP authentication methods are configured on the mobile device and authentication server). The authenticator simply acts as a pass-through device passing EAP messages between the mobile device and authentication server. The actual processing of EAP messages occurs at the mobile device and authentication server, not the authenticator. The advantage of using EAP over RADIUS is that EAP authentication methods do not need to be configured on the authenticator. The authenticator need only support the capabilities to pass EAP messages between the mobile device and authentication server.
1-28
April 2, 2008
Technical Education
4.3.1 EAP-TLS
EAP-TLS is a two-way (mutual) authentication protocol in which the mobile device authenticates the authentication server, and in turn, the authentication server authenticates the user. EAP-TLS is one of the original authentication methods specified by the IEEE when 802.1X and EAP were initially proposed and established as a standard. TLS is used in many environments and is intended to be an alternative to the Secure Sockets Layer (SSL) security protocol. EAP-TLS relies on a Client Certificate for authenticating the user and a Server Certificate for authenticating the authentication server. Certificates are issued by a Certificate Authority (CA) which is typically part of a Public Key Infrastructure (PKI); a system of certificates, certificate authorities and other registration authorities that verify and authenticate the validity of each user involved in transactions and exchanges of information. As part of the EAP-TLS authentication process, the mobile device and authentication server perform a TLS handshake to establish a secure, encrypted TLS tunnel through which user credentials are forwarded for authentication. The nature of the encrypted TLS tunnel secures against man-in-the-middle-attacks, and the use of certificates secures against dictionary attacks. Figure 13. illustrates the EAP-TLS authentication process
1-29
April 2, 2008
Technical Education
Encryption keys are dynamically generated and distributed after successful authentication to encrypt subsequent data transmissions. EAP-TLS is an ideal authentication solution in environments which already have a PKI deployed for user authentication. It is unlikely, however, that a customer would deploy a PKI to support authentication of wireless devices only. Advantages of EAP-TLS include: Encrypted TLS tunnel secures against man-in-the-middle attacks. Certificates provide strong authentication; secures against dictionary attacks. Widely supported. Disadvantages of EAP-TLS include: Certificates must be installed and managed on each mobile device; too cumbersome. Requires a Certificate Authority.
1-30
April 2, 2008
Technical Education
Since MSCHAPv2 is a password-based authentication protocol it is important for administrators to configure strong passwords to prevent dictionary attacks. Characteristics of strong passwords include: A mixture of uppercase and lowercase letters. At least one numeric character (0-9) or non-alphanumeric characters (! @ # &). At least one special character within the password; not at the beginning or end. No resemblance to the users name or user ID. A word that is not found in the dictionary. PEAP-MSCHAPv2 can be deployed against any user database that supports the MSCHAPv2 format, such as Windows NT and Active Directory. Since Microsoft credentials can be used with PEAP-MSCHAPv2, mobile devices may be configured to use Windows login credentials to authenticate to the network. Advantages of PEAP-MSCHAPv2 include: Encrypted TLS tunnel secures against man-in-the-middle attacks. Client Certificates not required; simplifies end user / device management. Can be deployed against existing authentication database. Widely supported. Disadvantages of PEAP-MSCHAPv2 include: Strong passwords must be used.
TT145 802.11 Wireless Security
1-31
April 2, 2008
Technical Education
1-32
April 2, 2008
Technical Education
Advantages of Cisco LEAP include: Simple to deploy and operate; password-based. Disadvantages of Cisco LEAP include: Not supported by Microsoft. Cisco proprietary; not supported by all hardware vendors. Susceptible to dictionary attacks; strong passwords must be used.
4.3.4 EAP-FAST
EAP-FAST is an EAP authentication protocol developed by Cisco to support organizations that cannot enforce a strong password policy as required by LEAP, and who wish to deploy an authentication method that does not require certificates. EAP-FAST is a mutual authentication protocol that encrypts EAP messages via a TLS tunnel. The tunnel is established using strong secrets called Protected Access Credentials (PACs) which the authentication server generates using a master key known only to the server. EAP-FAST authentication occurs in 3 phases: Phase Zero (Automatic PAC Provisioning) Phase zero is a means for dynamically providing a mobile device with a PAC. A secure tunnel is established based on an anonymous Diffie-Hellman key exchange between the mobile device and authentication server whereby the server sends the mobile device a PAC through the secure tunnel. Providing a PAC to the mobile device is the only purpose for phase zero. Automatic provisioning of the PAC via phase zero is referred to as in-band provisioning. Phase zero is optional. PACs can also be manually set up on each mobile device. This method is referred to as out-of-band provisioning. Administrators can control whether the authentication server supports phase zero by enabling automatic PAC provisioning on the server. Phase zero relies on the MSCHAPv2 protocol to authenticate the user from which the secure tunnel is established and the PAC is sent. Therefore, it may be necessary to use manual provisioning if youre using a non-Microsoft-format user database such as LDAP, which does not support MSCHAPv2. It is important to understand that the initial user authentication performed in phase zero is strictly done for the purposes of establishing the secure tunnel through which the PAC is sent. The end result of phase zero is the distribution of the PAC to the mobile device, not user authentication required for access to the network.
1-33
April 2, 2008
Technical Education
After the PAC is successfully sent to the mobile device, the authentication server issues an authentication failure to the authenticator and the mobile device is disassociated from the WLAN. The mobile device then re-initiates an EAP-FAST authentication request with the WLAN using the newly provisioned PAC. The process of authenticating the user to the network begins with phase one. Figure 17. illustrates EAP-FAST automatic PAC provisioning via phase zero.
Phase One In phase one, the authentication server and mobile device establish a TLS tunnel based on the PAC. The authentication server sends the mobile device an Authority ID (A-ID) and the mobile device selects the correct PAC from its storage by correlating the provided A-ID with its saved PACs, and a TLS tunnel is established. Phase Two In phase two, the users credentials are forwarded to the authentication server through the TLS tunnel for user authentication to the network. EAP-FAST only supports EAP based user credentials within the TLS tunnel. The following EAP based user credentials are currently supported with EAPFAST: o o o EAP-MSCHAPv2 (PACs manually or automatically provisioned) EAP-GTC (PACs manually provisioned) EAP-TLS (PACs manually provisioned)
Keep in mind that although user authentication occurs frequently, the provisioning of PACs to mobile devices occurs infrequently and is based on policies configured on the authentication server. A mobile device will use the same PAC many times when reauthenticating to the network.
TT145 802.11 Wireless Security
1-34
April 2, 2008
Technical Education
EAP-FAST was not intended to replace LEAP. It was designed for organizations wishing to deploy a secure authentication solution without the need for strong passwords or certificates. Advantages of EAP-FAST include: Encrypted TLS tunnel secures against man-in-the-middle attacks. Digital certificates not required. Strong passwords not required. Disadvantages of EAP-FAST include: Limited vendor support; not supported by Microsoft
1-35
April 2, 2008
Technical Education
1-36
April 2, 2008
Technical Education
Windows Mobile operating systems do contain a native certificate import utility. The native import utility automatically detects certificates. Therefore, there are no issues with importing Client certificates on Windows Mobile based devices when using WZC or SCU. CA certificates on the other hand dont contain private keys and therefore pose no issues to import into Windows CE or Windows Mobile based mobile devices when using WZC, SCU, or the Odyssey Access Client. Importing Client certificates on mobile devices is only an issue when deploying TLS authentication. PEAP-MSCHAPv2 requires the mobile device contain only the CA certificate, which raises no issue.
1-37
April 2, 2008
Technical Education
Figure 19. WPA WPA provides an architectural framework on top of which standards-based security protocols are used to deliver authentication and encryption services for 802.11 networks. The following key components make up WPA: Mutual Authentication Either using 802.1X authentication or Pre-Shared Keys (PSK). Unicast and Broadcast Encryption Keys Keys derived upon successful authentication for the encryption of unicast and multicast data. Dynamic Key Management Dynamically generated per user, per session, per packet encryption keys. Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC) Protocols that combine to provide strong data encryption and data integrity. Larger IV Key Length Initialization Vector is expanded from 24 bits to 48 bits.
TT145 802.11 Wireless Security
1-38
April 2, 2008
Technical Education
1-39
April 2, 2008
Technical Education
The goal of TKIP is to address all of WEPs known problems: Correct WEPs mis-use of encryption; RC4 implementation. Prevent IV roll-over; keystream reuse. Prevent bit flip and replay attacks. Ensure data integrity; prevent frame forgeries. To do this, TKIP surrounds the WEP protocol with four new elements: 1. An extended 48-bit IV and IV sequencing rules (compared to WEPs 24-bit IV). 2. Two additional key mixing functions. 3. A method for generating and distributing encryption keys. 4. A Message Integrity Check (MIC) algorithm a.k.a. Michael to ensure messages havent been tampered with during transmission.
TKIP increases the key size from 40 bits to 128 bits and replaces WEPs single static key with a key that is dynamically generated. In addition, TKIP uses a key hierarchy and key management methodology that removes the predictability which attackers relied on to exploit the WEP key; that is, TKIP replaces WEPs single, manually configured key for some 500 trillion possible keys that can be used on a given data packet.
1-40
April 2, 2008
Technical Education
The protocol employs two S-box mixing functions from which a base key, a 48-bit IV and MAC address of the transmitting device are used to derive the unique 128-bit key. The base key is derived using either the Pairwise Transient Key (PTK) or Group Transient Key (GTK) generated during the 802.1X or PSK authentication process. The S-box mixing functions are designed to prevent weak IV attacks described in section 3.3.1. TKIPs use of an extended 48-bit IV addresses WEPs issue in which the 24-bit IV would roll over in a short period of time resulting in the same keystream being reused to encrypt different messages. With a 48-bit key length the probability of an IV roll-over is highly unlikely, thus making an attack impractical. To further reduce this probability, TKIP mandates that the base key be changed before the IV rolls over, thus preventing the same keystream value from ever being generated. Furthermore, IV sequencing rules specify how IVs are selected and verified. The IV is used as a sequence number and acts as an increasing 48-bit counter. A receiving device will discard any packet associated with the same key where the IV value is less than a previously received packet. TKIPs use of a 48-bit IV and sequencing rules defends against bit flip and replay attacks.
1-41
April 2, 2008
Technical Education
The receiving device checks the CRC, ICV and IV of all packets first before checking the MIC; therefore a MIC failure almost always means an active attack. In addition, TKIP supplements MIC with countermeasures that reduce the rate at which an attacker can make message forgery attempts down to two tries every 60 seconds. If a mobile device detects a MIC failure on the packets received, it sends a MIC failure report. If the WLAN records two MIC failures (i.e. MIC failure reports or failures on received packets) within 60 seconds of each other, all mobile devices are disassociated from the WLAN and will not be allowed to re-associate for the next 60 seconds. Stopping traffic for 60 seconds makes it impossible for an attacker to recover the MIC key. After the 60 second timeout new keys are generated to ensure the attacker cannot obtain any information about the key from the attack.
1-42
April 2, 2008
Technical Education
1-43
April 2, 2008
Technical Education
Mobile devices often roam back and forth between APs (authenticators). This has a negative effect on the WLANs performance. The basic concept behind key caching is that the mobile device and authenticator maintain their authentication status even when the mobile device roams away from the authenticator. Essentially, key caching stores user information so that if they leave and come back to an authenticator, they don't need to re-enter all their credentials. When the mobile device roams back to the authenticator, the security association can then be restarted. Key caching is based on the fact that the mobile device has previously been associated to an authenticator. Pre-authentication on the other hand enables a mobile device to establish a security association with an authenticator with which the mobile device has never been associated to by sending a pre-authentication packet that's routed through the authenticator the mobile device is currently associated with. Pre-authentication provides a way to establish a security association to a new authenticator before a mobile device has actually roamed to that authenticator allowing for faster roaming between authenticators. It is important to note that not all vendor implementations of 802.11i (WPA2) support features like pre-authentication.
All Psion Teklogix terminals with an 802.11g radio support 802.11i (WPA2) security
1-44
April 2, 2008
Technical Education
1-45
April 2, 2008
Technical Education
Ciscos CKIP and CMIC are pre-standard versions of WPAs TKIP and MIC and were introduced by Cisco to resolve the known issues with WEP before WPAs standardsbased TKIP and MIC were available. The Cisco Centralized Key Management (CCKM) protocol is Ciscos proprietary key management protocol that provides fast secure roaming of mobile devices in a Cisco based WLAN.
With the integration of the RA2041 802.11g CF radio from Summit, Psion Teklogix mobile devices have received CCX v4 certification status. The RA2041 radio is now available in the following PTX mobile devices: 7530 G2 7535 G2 8525 and 8530 G2 WAP G1 and WAP G2 8515 Ikon
1-46
April 2, 2008
Technical Education
1-47
April 2, 2008
Technical Education
9.0 Glossary
ACS (Cisco): AES: AP: CA: CCX: CF: CRC-32: DHCP: EAP: EAPOL: FAST: FDDI: GMK: GTC: GTK: IAS (Microsoft): IBSS: ICV: IEEE: ISAAC: Access Control Server Advanced Encryption Standard Access Point Certification Authority Cisco Compatible Extensions Compact Flash Cyclical Redundancy Checksum 32 Dynamic Host Configuration Protocol Extensible Authentication Protocol Extensible Authentication Protocol over LAN (EAP over LAN) Flexible Authentication through Secure Tunneling Fiber Distributed Data Interface Group Master Key Generic Token Card Group Transient Key Internet Authentication Service Independent Basic Service Set Integrity Checksum Value Institute of Electrical and Electronics Engineers Internet Security, Applications, Authentication and Cryptography Group Initialization Vector Key Scheduling Algorithm
IV: KSA:
1-48
April 2, 2008
Technical Education
Lightweight Directory Access protocol Light-weight Extensible Authentication Protocol Media Access Control Message Integrity Check Microsoft Challenge-Handshake Authentication Protocol version 2 Novell Directory Service Network Interface Card One Time Password Protected Access Credential Protected Extensible Authentication Protocol Public Key Infrastructure Pairwise Master Key Point-to-Point Protocol Pre-Shared Key Pairwise Transient Key Remote Authentication Dial-In User Service Summit Client Utility Service Set Identifier Secure Sockets Layer Temporal Key Integrity Protocol Transport Layer Security User Datagram Protocol Virtual Local Area Network Virtual Private Network
NDS: NIC: OTP: PAC: PEAP: PKI: PMK: PPP: PSK: PTK: RADIUS: SCU: SSID: SSL: TKIP: TLS: UDP: VLAN: VPN:
1-49
April 2, 2008
Technical Education
Wired Equivalent Privacy Wireless Local Area Network Wi-Fi Protected Access Wireless Zero Configuration (Microsofts native Windows wireless configuration manager) Exclusive OR (Boolean function)
XOR:
1-50
April 2, 2008