IEEE 802.11
Wireless Local Area Networks
(WLAN’s)
Two modes of operation:
1. Ad-Hoc Mode
The clients communicate directly with each
other. No mediation is needed.
2. Infrastructure Mode
Clients and stations.
Stations – Computers with NIC (Network
Interface Cards) and Access Points (APs)
Communication With APs
3 stages:
1. Unauthenticated and Unassociated.
2. Authenticated and Unassociated.
3. Authenticated and Associated.
Wireless Protocols
IEEE 802.11
WEP for security
Challenge/Response with symmetric key
for authentication
IEEE 802.1X
WEP for security
EAP for authentication
WEP- Wired Equivalent Privacy
Link layer security protocol.
Secures IEEE 802.11 communications.
Based upon RC4 stream cipher encryption
system, with symmetric key.
WEP protocol
Shared
Secret key
40 bits
64 bits
RC4
Original
text
24 bits
IV
Initialization
vector
IV used
IV
Initialization
vector
Shared
Secret key
40 bits
64 bits
IV
clear
IV used
RC4
IV
clear
Encrypted
text
CRC32
Encrypted
text
Original
text
CRC
Security problems in WEP
 During the years, a lot of security
problems have been discovered in WEP.
 We will discuss the most important of
those problems, which is known as the
“IV Collisions” problem.
IV Collisions
Every once in a while, an IV gets reused.
C1 = P1  RC4(v,k)
C2 = P2  RC4(v,k)
IV Collisions (2)
We get the following equation:
C1C2 = (P1RC4(v,k))(P2RC4(v,k))
XOR is associative, and therefore:
C1  C2 = P1  P2
The Bottom line
WEP security is better than
no security at all, but not
by much
The Problem
EAP assumes a secured
connection to work with
Problems over an
unsecured connection
Snooping the user ID
Forging / changing EAP packets
Denial of service
Offline dictionary attack
Man-in-the-middle
Authentication method downgrading attack
Breaking a weak key
Man-in-the-middle
B
E
A
MD5 EAP Request <R>
MD5 EAP Request <R>
H(ID || KEY || R)
EAP Failure
H(ID || KEY || R)
EAP Success
Possible Solutions
Mutual authentication
Cryptographic connection between
authentication methods
Using a limited number of unsecured
authentication methods
Preferring one strong method over a large
number of weak ones.
Possible Solutions (2)
Using authentication method that derives a
symmetric key, prevents replay attack and
promises message integrity
The authentication method should be safe
against dictionary attack
One method has all the
above advantages:
Quick summary of TLS
Application
Handshake
Alert
protocol
Record Protocol
TCP
CCS
Quick summary of TLS (2)
Server
Client
TCP three-way handshake
Client Hello
<Client Random, Proposed algorithms>
Server Hello
<Server random, Selected algorithm>
CA Certificate
Server
done
Client Key Exchange
Enc (Pub(s),<Pre-Master secret>)
Both sides perform a known
calculation to derive the Master Key
Quick summary of TLS (3)
Server
Client
CCS (ID)
FIN
MAC authentication of all former messages
CCS (ID)
FIN
MAC authentication of all former messages
Data transfer (encrypted by the Master
Key)
EAP - TLS
Code
Identifier
Type
Flags
Length
TLS message length
TLS message length
TLS Data
EAP –TLS (2)
Authenticator
Peer
EAP Request
<Identity>
EAP Response
<Identity (MyID)>
EAP Request, type = EAP-TLS
<TLS Start>
EAP Response, type = EAP-TLS
<TLS Client Hello>
EAP Request, type = EAP-TLS
<TLS Server Hello, TLS Certificate, TLS Certificate Request,
TLS Server Done>
EAP-TLS (3)
Authenticator
Peer
EAP Response, type = EAP-TLS
<TLS Certificate, TLS Client Key Exchange, TLS CCS,
Certificate verify, TLS FIN>
EAP Request, type = EAP-TLS
<TLS CCS, TLS FIN>
EAP Response, type = EAP-TLS
EAP Success / EAP Failure
Session resumption
The SessionID field in the TLS Client Hello
Message should be the same as the ID of
the session to return to.
The authenticator sends EAP request with
TLS Server Hello, TLS CCS (using the
former session CCS ID), and TLS FIN.
The peer sends EAP response with TLS
CCS using the same ID, and TLS FIN.
The protocol continues as in the standard
EAP-TLS.
Session resumption (2)
Advantages of session resumption:
Quick renewal of connections.
Handling roaming in WLAN.
Key Derivation
PRF1 = PRF (Master Secret, "Client EAP Encryption",
Random)
PRF2 = PRF ("", "Client EAP Encryption", Random)
PRF1 is 128 bytes long.
PRF2 is 64 bytes long.
Key Derivation (2)
0
32
64
96
128
PRF1
Client’s ENC Key Server’s ENC Key
Client’s Auth Key
32
0
64
PRF2
Client’s IV
Server’s Auth Key
Server’s IV
Fragmentation
The first fragment raises the L, M and S
flags. The total TLS message length is
also included.
All other fragments, except the last, raise
the M flag. The identification field in the
EAP header increases by 1 with each
fragment.
Every EAP with a TLS fragment is
responded by an EAP packet with no data
as an Ack.