IEEE 802.11 Wireless Local Area Networks (WLAN’s) Two modes of operation: 1. Ad-Hoc Mode The clients communicate directly with each other. No mediation is needed. 2. Infrastructure Mode Clients and stations. Stations – Computers with NIC (Network Interface Cards) and Access Points (APs) Communication With APs 3 stages: 1. Unauthenticated and Unassociated. 2. Authenticated and Unassociated. 3. Authenticated and Associated. Wireless Protocols IEEE 802.11 WEP for security Challenge/Response with symmetric key for authentication IEEE 802.1X WEP for security EAP for authentication WEP- Wired Equivalent Privacy Link layer security protocol. Secures IEEE 802.11 communications. Based upon RC4 stream cipher encryption system, with symmetric key. WEP protocol Shared Secret key 40 bits 64 bits RC4 Original text 24 bits IV Initialization vector IV used IV Initialization vector Shared Secret key 40 bits 64 bits IV clear IV used RC4 IV clear Encrypted text CRC32 Encrypted text Original text CRC Security problems in WEP During the years, a lot of security problems have been discovered in WEP. We will discuss the most important of those problems, which is known as the “IV Collisions” problem. IV Collisions Every once in a while, an IV gets reused. C1 = P1 RC4(v,k) C2 = P2 RC4(v,k) IV Collisions (2) We get the following equation: C1C2 = (P1RC4(v,k))(P2RC4(v,k)) XOR is associative, and therefore: C1 C2 = P1 P2 The Bottom line WEP security is better than no security at all, but not by much The Problem EAP assumes a secured connection to work with Problems over an unsecured connection Snooping the user ID Forging / changing EAP packets Denial of service Offline dictionary attack Man-in-the-middle Authentication method downgrading attack Breaking a weak key Man-in-the-middle B E A MD5 EAP Request <R> MD5 EAP Request <R> H(ID || KEY || R) EAP Failure H(ID || KEY || R) EAP Success Possible Solutions Mutual authentication Cryptographic connection between authentication methods Using a limited number of unsecured authentication methods Preferring one strong method over a large number of weak ones. Possible Solutions (2) Using authentication method that derives a symmetric key, prevents replay attack and promises message integrity The authentication method should be safe against dictionary attack One method has all the above advantages: Quick summary of TLS Application Handshake Alert protocol Record Protocol TCP CCS Quick summary of TLS (2) Server Client TCP three-way handshake Client Hello <Client Random, Proposed algorithms> Server Hello <Server random, Selected algorithm> CA Certificate Server done Client Key Exchange Enc (Pub(s),<Pre-Master secret>) Both sides perform a known calculation to derive the Master Key Quick summary of TLS (3) Server Client CCS (ID) FIN MAC authentication of all former messages CCS (ID) FIN MAC authentication of all former messages Data transfer (encrypted by the Master Key) EAP - TLS Code Identifier Type Flags Length TLS message length TLS message length TLS Data EAP –TLS (2) Authenticator Peer EAP Request <Identity> EAP Response <Identity (MyID)> EAP Request, type = EAP-TLS <TLS Start> EAP Response, type = EAP-TLS <TLS Client Hello> EAP Request, type = EAP-TLS <TLS Server Hello, TLS Certificate, TLS Certificate Request, TLS Server Done> EAP-TLS (3) Authenticator Peer EAP Response, type = EAP-TLS <TLS Certificate, TLS Client Key Exchange, TLS CCS, Certificate verify, TLS FIN> EAP Request, type = EAP-TLS <TLS CCS, TLS FIN> EAP Response, type = EAP-TLS EAP Success / EAP Failure Session resumption The SessionID field in the TLS Client Hello Message should be the same as the ID of the session to return to. The authenticator sends EAP request with TLS Server Hello, TLS CCS (using the former session CCS ID), and TLS FIN. The peer sends EAP response with TLS CCS using the same ID, and TLS FIN. The protocol continues as in the standard EAP-TLS. Session resumption (2) Advantages of session resumption: Quick renewal of connections. Handling roaming in WLAN. Key Derivation PRF1 = PRF (Master Secret, "Client EAP Encryption", Random) PRF2 = PRF ("", "Client EAP Encryption", Random) PRF1 is 128 bytes long. PRF2 is 64 bytes long. Key Derivation (2) 0 32 64 96 128 PRF1 Client’s ENC Key Server’s ENC Key Client’s Auth Key 32 0 64 PRF2 Client’s IV Server’s Auth Key Server’s IV Fragmentation The first fragment raises the L, M and S flags. The total TLS message length is also included. All other fragments, except the last, raise the M flag. The identification field in the EAP header increases by 1 with each fragment. Every EAP with a TLS fragment is responded by an EAP packet with no data as an Ack.