Professional Documents
Culture Documents
Wireless LAN Security
Wireless LAN Security
Jeanette Lee May-Jul, 2007 traffic key. A popular alternative is the 128-bit WEP
protocol, which uses a 104-bit key size. Users typically
enter a 128-bit WEP key as a string of 26 Hexadecimal
1. WEP (Hex) characters (0-9 and A-F). Each character represents
http://airheads.arub anetwork s.com/article/wireless-client-security-demystified-wep
4 bits of the key. 4 * 26 = 104 bits. Adding the 24-bit IV
creates what is then called a 128-bit WEP key. A 256-bit
Wireless client security can be an overwhelming alphabet WEP system is available and even larger sizes could
soup of acronyms, standards and protocols. In this series of theoretically be supported. Unfortunately, key size is not
articles, we will examine the more popular variants in the major security limitation in WEP.
detail; how they work and how they can be made to work
for you. Because RC4 is a stream cipher, the same traffic key must
never be used twice. The purpose of an IV, which is
The Fundamentals of Security transmitted as plain text, is to prevent any repetition, but a
Before we talk about wireless security as a whole, it’s 24-bit IV is not long enough to ensure this on a busy
worth examining the different types of protocols and network. The way in which the IV is used also opens WEP
security mechanisms available. These typically fall within to a related key attack. For a 24-bit IV, there is a 50%
one of three different categories: probability the same IV will repeat after 5000 packets.
Client-side
No Yes No No No No (PAC) No
authentication/certificate required
Server-side
No Yes Yes Yes No No (PAC) Yes
authentication/certificate required
Moderate
Deployment complexity Low High Moderate Moderate Moderate Moderate
to high
Medium
Security strength Low Highest High High Low High
to high
EAP Summary
Based on this table, we can draw some reasonably clear
conclusions:
TLS, while very secure, requires client certificates to be
installed on each wireless workstation. Installing and
maintaining a PKI infrastructure must be part of any TLS
installation and does create more administrative overhead.
If a working PKI already exists, TLS is a very good option
TTLS addresses the certificate issue by tunneling TLS, and
thus eliminating the need for a certificate on the client side. authorization and access control (AAA) for dial-up ISP
If a working PKI structure does not exist, this is an option connections. The 802.1x standard mandates an AAA server as
worth considering the back-end server. R ADIUS is the only AAA server
LEAP is one of the earliest EAP implementations; however supported today. Theoretically, other types of AAA servers
inherent security flaws have now made it less popular and could be used, but nothing has been standardized or
it is not recommended implemented as of this writing
Authenticator is a piece of software running on the device that
EAP-FAST promises to be as easy as LEAP but as secure
communicates with both the supplicant and the authentication
as PEAP, however it has different implementation and
server and enforces the authentication server’s deny or permit
operational modes that, ultimately, offer a compromise.
directive
The highest security, ultimately, ends up looking very
similar to PEAP – without the widespread client support The supplicant and the authenticator use the Extensible
that PEAP enjoys Authentication Protocol (EAP) to securely negotiate
authentication. As we discussed last week, there are several
PEAP works similarly to EAP-TTLS in that it does not different types of EAP in use today that offer different
require a certificate on the client side and is natively advantages and disadvantages. During the authentication
supported by many client operating systems. PEAP is the process, the authentication server and the supplicant negotiate
protocol of choice when client-side certificates are not which type of EAP they will use for the authentication
required. When deploying PEAP, EAP-MSChapv2 is transaction. Both devices must mutually support the choice of
likewise the protocol of choice as compared to EAP-GTC. EAP. If they cannot agree on a mutual EAP authentication
This is primarily due to the fact that EAP-GTC it is not process, 802.1x fails.
supported by Microsoft’s IAS RADIUS server or the
native Windows supplicant
How 8 02.1x W orks
More information on the many different EAP protocols can Here are the steps that must occur before 802.1x will allow a
be found at device access to the network:
http://en.wikipedia.org/wiki/Extensible_Authentication_Pro
A wireless client device (supplicant) requests access to a
tocol.
WLAN. An authenticator (access point/mobility controller)
5. 802.1x Access Control asks for the supplicant’s identity. No other traffic than EAP is
allowed at this point, i.e. the “port” is closed
https://airheads.arubanetworks.com/article/wireless-client-security-demystified-802-1x-access-cont
rol The supplicant responds to the authenticator with identity data
that will estab lish its credentials. EAP, the protocol used to
transport authentication messages, was originally used for
802.1x is an IEEE standard designed to enforce authentication
dial-up PPP. The identity was the user name and was sent in
of a client before Layer 2 access to the network is permitted.
the clear (not encrypted). A malicious sniffer might capture
The 802.1x protocol consists of three parts:
this and learn the user’s identity. Identity hiding is therefore
Supplicant, or client, is software running on a device trying to used; the real identity is not sent before an encrypted session
gain access to the network is established
Authentication server is the system that validates client After the identity has been sent, the authentication process
credentials and determines if the client should be allowed begins. The authenticator re-encapsulates the EAPOL
access. The authentication server must be a RADIUS5 server. messages to RADIUS format and passes them to the
Remote Authentication Dial-In User Service (RADIUS) is authentication server. During the authentication process, the
defined in RFC-2865 and other, later documents. It was authenticator simply translates and relays packets between the
originally designed to provide centralized authentication, supplicant and the authentication server
Each authentication process is slightly different, depending on • 802.1x, EAP and an authentication server for
the type of EAP authentication used, however, at some point authentication
the authentication server will send a success or failure message • RSN to keep track of associations and client-AP
If the authentication server transmits a success message, the security negotiations
authenticator opens the “port” for the supplicant and network
• AES-CCMP for confidentiality and integrity
access is granted. If a failure message is sent, the port is not
opened. This supplicant is free at this point to try again and • A four-way handshake
validation. 802.1x and EAP in 802.11
802.1x offers a powerful access control mechanism. Unlike We discussed 802.1x previously and how it works with
any other protocol discussed in this document, 802.1x ensures EAP to provide authentication within the wireless LAN
a client device has absolutely no network access before infrastructure. 8011.i includes 802.1x and EAP and further
authentication improves upon this model.
Robust Security Network (RSN)
The advantages of 802.1x are: 802.11i uses the concept of a Robust Security Network
• High level of network access control (RSN). In an RSN, wireless devices need to support
• Can work with other protocols to provide authentication additional capabilities. In a true RSN, WLAN access
and encryption points/system only allow RSN mobile devices to connect.
• Key distribution and rotation Because not all wireless NICs are RSN-capable, an
intermediate network has been defined called Transitional
Security Network (TSN). A TSN is similar to an RSN in
The major drawbacks of 802.1x are: concept and architecture, but does not implement all of the
• No encryption – the 802.1x protocol, in and of itself, mandatory capabilities and mechanisms.
does not include an encryption algorithm and must be AES-CCMP
used with an encryption protocol such as WEP, TKIP or
As discussed in a previous article, 802.11i makes use of
AES
AES-CCMP for encryption and data integrity.
• No authentication – the 802.1x protocol does not include
Four-way Handshake
authentication, thus it must be coupled with a protocol
such as EAP In a wireless network, there are two authentications that
• RADIUS requirement – the 802.1x protocol only
need to happen:
supports RADIUS today as a de facto standard for The access point (controller in a thin network) must
authentication server messages. This means a RADIUS authenticate itself to the wireless client
authentication server, or proxy, must be used even if the The client and AP/controller must successfully derive keys
actual authentication server is some other protocol such to encrypt traffic
as LDAP
The earlier EAP exchange provides the shared secret key
Even with these issues, 802.1x is still an extremely effective PMK (Pairwise Master Key). This key is designed to last
security protocol when coupled with other standards such as the entire session and therefore should be exposed as little
EAP. as possible. This is performed with a process called the
four-way handshake. The entire mission of the handshake
is to establish another key called the PTK (Pairwise
6. 802.11i, WPA2 and xSec
Transient Key). The PTK is generated by concatenating the
https://airheads.arubanetworks.com/article/wireless-client-security-de following attributes: PMK, AP nonce (ANonce), STA
mystified-802-11i-wpa2-and-xsec
nonce (SNonce), AP MAC address and STA MAC
IEEE 802.11i is an amendment to the original 802.11 address. The product is then put through a cryptographic
standard specifying security mechanisms for wireless hash function. This handshake also produces a Group
networks (Wi-Fi). The draft standard was ratified on June Transient Key (GTK) which is used for broadcast and
24, 2004, and supersedes the previous security multicast traffic. Here’s how it works:
specification, Wired Equivalent Privacy (WEP), which was The AP sends a one-time random number (called the
shown to have severe security weaknesses. nonce-value) to the station (ANonce). The client now has
all the attributes to construct the PTK
How 802.11i Works The station (STA) sends its own nonce-value (SNonce) to
The 802.11i architecture contains four key components: the AP with a Message Integrity Checksum (MIC)
The AP sends the GTK and a sequence number together also goes farther by encrypting parts of the 802.11 header
with another MIC checksum. The sequence number is what Authentication – is offered using the industry standard
will be used in the next multicast or broadcast frame, so EAP and its associated authentication types
that the receiving station can do a basic replay detection
operation Key generation/distribution and rotation - the ability to
derive a hierarchy of keys from a master key, this is
The station then sends a confirmation to the AP typically performed by EAP and 802.1x
The PTK obtained from this handshake is divided into five WPA2
separate keys:
Wi-Fi Protected Access v2.0 (WPA2) is an implementation
Pairwise Transient Key (PTK) of the IEEE 802.11i standard tested and certified by the
EAPOL-Key Encryption Key (KEK) - AP uses this key to Wi-Fi Alliance. It is interoperable with any other
encrypt additional data sent (in the 'Key Data' field) to the 802.11i-compliant system. WPA2 implements the
client (for example, the RSN IE or the GTK) mandatory elements of 802.11i. In particular, the Michael
EAPOL-Key Confirmation Key (KCK)– Used to compute algorithm is replaced by a message authentication code,
MIC on WPA EAPOL Key message CCMP, that is considered fully secure and RC4 is replaced
by AES.
Temporal Key (TK) – Used to encrypt/decrypt Unicast
data packets How WPA2 Security Works
Michael MIC Authenticator Tx Key – Used to compute WPA2 works just like the 802.11i standard and supports
MIC on unicast data packets transmitted by the AP all of the mandatory features and capabilities. WPA2 is
often used interchangeably with 802.11i.
Note: the Michael MIC keys are only used if TKIP is used
xSec
A variant on the 802.11i standard is xSec. xSec is a joint
effort between Funk Software (now Juniper) and Aruba
Networks. It was created to meet the requirements of
FIPS-140-2 certification as a Layer 2 protocol. The
original 802.11i standard is, as specified, able to pass this
certification. xSec encompasses all of the benefits of
802.11i and improves upon them even further:
Access control – offers a high level of network access
control through mechanisms such as 802.1x
Encryption – offers AEC-CBC-256, a encryption protocol
approved for government use for Layer 2 data
transmissions, with HMAC-SHA1 for complete 802.11
header encryption
Authentication – is offered using the industry standard
EAP and its associated authentication types
to encrypt the data.
Key generation/distribution and rotation - the ability to
derive a hierarchy of keys from a master key, this is
802.11i has been designed from the ground up using typically performed by EAP and 802.1x
proven technologies. Although no security system can ever Universal media support - xSec is unique in that it works
be considered totally unbreakable, 802.11i security is a across both wired and wireless networks
dependable solution and shows no weaknesses at this time.
Although xSec offers benefits above and beyond the
As an entire security eco-system, 802.11i combines many 802.11i standard, it is worth mentioning that it does require
of the fundamental protocols discussed in this series of a specific supplicant that supports xSec. Today that client
articles. It offers a complete solution: is the Odyssey client sold by Funk, now Juniper Systems.
Access control – offers a high level of network access
control through mechanisms such as 802.1x
Encryption – offers AES-CCMP as proven, highly
regarded cryptographic algorithms that go far beyond the
RC4 stream cipher used by WEP and TKIP. AES-CCMP
7. WPA • MIC packet integrity checking prevents packet replay
attacks
https://airheads.arubanetworks.com/article/wireless-client-security-de
mystified-wpa#top • Backwards-compatible with most 802.11 network cards
Wi-Fi Protected Access (WPA) was developed by the
Wi-Fi Alliance as an interim solution aimed at addressing The major drawbacks of WPA include:
the weakness of WEP-based wireless networks. WPA has, • Backwards-compatibility limits crypto operations – thus
rightly, been admired as a masterpiece of retro engineering. encryption is still ultimately based on RC4, as is WEP
It addresses the weaknesses of WEP and the result is a very • TKIP is not FIPS-certified or approved for US
secure security system that is backwardly compatible with government use
most existing Wi-Fi compliant equipment. WPA is a
practical solution that will provide more than adequate • WPA, as an interim solution, is not compatible with
security for most wireless network applications. pure 802.11i/RSN environments. Some vendors, such
as Aruba Networks, do offer a mixed mode which
How WPA Works allows both WPA-TKIP and WPA-AES on the same
WPA is designed for use with an 802.1X/EAP SSID
authentication server, which distributes different keys to
each user. However, it can also be used in a less secure
"pre-shared key" (PSK) mode, where every user is given Coming next: The Final Frontier: Wireless Client Security
the same passphrase – a passphrase is similar to a Guidelines
password. The Wi-Fi Alliance calls the pre-shared key
version WPA Personal and the 802.1X authentication
version WPA Enterprise.
Unlike the 802.11i standard that uses AES-CCMP by
default, WPA data is encrypted using TKIP’s RC4 stream
cipher, with a 128-bit key and a 48-bit initialization vector
(IV). One major improvement in WPA over WEP is the use
of the Temporal Key Integrity Protocol (TKIP), which
dynamically changes keys as the system is used. When
combined with the much larger IV, this defeats the
well-known key recovery attacks that were discovered with
WEP.
In addition to authentication and encryption, WPA also
provides vastly improved payload integrity when compared
to WEP. The cyclic redundancy check (CRC) used in WEP
is inherently insecure; it is possible to alter the payload and
update the message CRC without knowing the WEP key. A
more secure message authentication code (MIC) is used in
WPA.( Called MIC for Message Integrity Code, it also
happens to be based on an algorithm called Michael._ The
MIC used in WPA includes a frame counter, which
prevents replay attacks from being executed; this was
another weakness in WEP.
By any measure, WPA is a strong security system. Any
system using WPA today will have addressed the major
shortcomings of the original 802.11 standard.
Major features of WPA include:
• Use of 802.1x for access control and authentication
• TKIP encryption that is far stronger than WEP and
fixes many issues with larger keys, IVs and changing
keys
• Key management and distribution scheme (PSK is also
still supported)