Authentication
802.11 has three means of authentication
Verifies that a user has permission to access the network
1. Open authentication: each WLAN client is given the
Service Set Identifier (SSID) of the network
– Only clients that know the SSID may connect
– The SSID may be entered manually into the wireless
device, but then anyone holding that device has access to
the network
– Access points (APs) may freely advertise the SSID in their
beacons to any mobile device within range, so the SSID is
not a secret and open authentication provides no real
access control
2. Shared key authentication
• The AP sends the client a challenge text packet that the
client must encrypt with the correct WEP key and return to
the AP.
• If the key is wrong or missing, authentication fails and
the client is not allowed to associate with the AP.
• Shared key authentication is not secure: an attacker who
captures the clear-text challenge and the encrypted
response can XOR the two to recover the RC4 keystream for
that IV, then use that keystream to answer a later challenge
(reusing the same IV) without ever learning the key. It is
actually weaker than open authentication because it hands
the attacker known plaintext for free.
3. MAC address filtering: the 48-bit MAC address of each
client is entered into the AP, which then allows only
clients with a listed MAC address to associate.
• Addresses have to be entered manually
• Tedious to update the MAC list in the AP
• MAC addresses are sent in the clear in every frame and are
trivially spoofed, so the list only keeps out casual users
Privacy
• 802.11 uses a static WEP key to encrypt and
decrypt messages. Client and AP use the
same key.
– A longer key resists exhaustive search better, but WEP's real
weakness is RC4 keystream reuse through its 24-bit IV, which a
longer key does not fix
– The key has to be entered manually in the client and
the AP
– It is not very secure: a short (40-bit) key can be found by
exhaustive search in about 5 hours, and statistical attacks on
the IV recover keys of any length far faster.
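The two weaknesses above, keystream recovery from shared key authentication and keystream reuse under a static WEP key, as an added example that is not part of the original slides. It models WEP's RC4 use with a constructed 40-bit key and a constructed 24-bit IV; the ICV/CRC and frame headers are left out because they do not change the attack.

```python
# Added example (not from the slides): a toy model of WEP's RC4 use showing
# why shared key authentication and a static WEP key leak keystream.
# Constructed assumptions: a 40-bit key, one 24-bit IV chosen by the sender,
# no ICV/CRC and no frame headers (they do not change the attack).

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key40: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP: RC4 keyed with IV || shared key; the IV travels in the clear."""
    return rc4(iv + key40, plaintext)


SECRET_KEY = bytes.fromhex("0badc0ffee")   # constructed 40-bit key, unknown to the attacker
IV = bytes.fromhex("010203")               # constructed 24-bit IV


def recover_keystream(challenge: bytes, encrypted_response: bytes) -> bytes:
    """Attacker: plaintext XOR ciphertext gives the keystream for that IV."""
    return xor(challenge, encrypted_response)


def ap_verify_response(iv: bytes, challenge: bytes, response: bytes) -> bool:
    """AP checks that the response is the challenge encrypted under IV || key."""
    return wep_encrypt(SECRET_KEY, iv, challenge) == response


def demo_shared_key_forgery() -> bool:
    """Sniff one legitimate shared key exchange, then authenticate without the key."""
    challenge1 = bytes(range(128))                        # 802.11 challenge text is 128 bytes
    response1 = wep_encrypt(SECRET_KEY, IV, challenge1)   # legitimate client answers
    keystream = recover_keystream(challenge1, response1)  # attacker sees both frames
    challenge2 = bytes(reversed(range(128)))              # AP's challenge to the attacker
    # The responder chooses the IV, so the attacker simply reuses the sniffed one.
    forged = xor(challenge2, keystream)
    return ap_verify_response(IV, challenge2, forged)


def demo_static_wep_decrypt() -> bytes:
    """The same keystream decrypts any later data frame sent under that IV."""
    challenge = bytes(range(128))
    keystream = recover_keystream(challenge, wep_encrypt(SECRET_KEY, IV, challenge))
    secret_frame = wep_encrypt(SECRET_KEY, IV, b"GET /payroll.csv")  # constructed traffic
    return xor(secret_frame, keystream[:len(secret_frame)])


if __name__ == "__main__":
    print("forged auth accepted:", demo_shared_key_forgery())
    print("decrypted without key:", demo_static_wep_decrypt())
```

For the forgery the attacker never needs an IV collision, because the responder picks the IV. For decrypting data the attacker waits for the AP to reuse an IV, which on a busy network happens within hours since the 24-bit IV space holds only about 16.7 million values.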
• WLAN security should be handled in layers
– It provides stronger overall security
– Ability to block access at multiple layers of the network
– Flexibility in selecting the cost/benefit ratio of the desired solution
• Layer 1 (physical layer) security is built into the devices
and is free, except that keys have to be entered and maintained
– It may be adequate for a home user who wants to keep out
a casual intruder
• 802.1x dramatically increases the security protection level.
• Physical layer encryption
– The lowest level of security is WEP (wired equivalent privacy), which allows
40-bit or 104-bit keys (marketed as 64-bit and 128-bit, counting the 24-bit IV)
to be entered in both the AP and the mobile device.
– It is not secure because freely available software can crack the encryption.
– The keys also have to be entered manually, so changing keys is time
consuming
– If a user is to be removed, the key has to be changed manually on the AP and
on every remaining client, since all of them share the same key
• Wi-Fi protected access (WPA) combines two components to
provide strong security.
– 1st component is the temporal key integrity protocol (TKIP). It provides
data encryption enhancements including a key mixing function, a message
integrity check (MIC), and a re-keying mechanism that rotates keys before
enough traffic accumulates under one key for a sniffer to recover it.
• With key mixing, the mobile station (MS) combines the temporal key established
with the AP, its own MAC address, and a per-packet initialization vector
(a 48-bit sequence counter) to generate a per-packet key.
• When MIC support is implemented on both the
AP and the clients, the transmitter of a packet
appends a few bytes (the MIC, 8 bytes in TKIP) to the packet
before encrypting and transmitting it. Upon
receiving the packet, the recipient decrypts it
and recomputes the MIC. If the MIC in the frame
matches the calculated value, the packet is
accepted, otherwise it is rejected. The MIC is
computed with a keyed MIC function (Michael) over
the addresses and the payload, so a forged or
modified frame fails the check.
• Per-packet key: the transmitter mixes the base
key with the IV, which changes with every packet,
to create a new key, so the weak-IV and
keystream-reuse attacks on static WEP no longer apply.
• The AP could use even values of the IV and the client
odd values, so the two directions never share a
per-packet key. When the IV space is exhausted, a new
temporal key is established (re-keying).
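The TKIP mechanisms just listed (per-packet key mixed from the temporal key, the transmitter's MAC address and the sequence counter; MIC appended before encryption and checked after decryption; replay rejection on the counter), as an added example that is not part of the original slides and is not the real TKIP code. The key mixing function, the Michael MIC and RC4 are replaced by HMAC-SHA256/SHA-256 stand-ins so the structure is visible; only the 48-bit counter, the 8-byte MIC, the MIC-before-encrypt ordering and the two receive checks mirror the real protocol. The session material is constructed.

```python
# Added example (not from the slides): a toy model of TKIP per-packet key
# mixing and MIC checking. The mixing function, Michael and RC4 are replaced
# by HMAC-SHA256/SHA-256 stand-ins; the 48-bit counter, 8-byte MIC, ordering
# and receive-side checks follow the real protocol.
import hashlib
import hmac


def per_packet_key(temporal_key: bytes, transmitter_mac: bytes, tsc: int) -> bytes:
    """Stand-in for TKIP phase 1/2 mixing: TK + transmitter address + 48-bit
    sequence counter (the IV) yield a fresh key for every packet."""
    return hmac.new(temporal_key, transmitter_mac + tsc.to_bytes(6, "big"),
                    hashlib.sha256).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in for the RC4 keystream: SHA-256(key || counter) blocks."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def mic(mic_key: bytes, src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Stand-in for Michael: 8-byte keyed MIC over addresses and plaintext."""
    return hmac.new(mic_key, src + dst + payload, hashlib.sha256).digest()[:8]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(tk: bytes, mic_key: bytes, src: bytes, dst: bytes, tsc: int, payload: bytes):
    """Transmitter: append the MIC, then encrypt with the per-packet key."""
    body = payload + mic(mic_key, src, dst, payload)
    return tsc, xor(body, keystream(per_packet_key(tk, src, tsc), len(body)))


class Receiver:
    """Receive state for one direction of one link."""

    def __init__(self, tk: bytes, mic_key: bytes, peer_mac: bytes, own_mac: bytes):
        self.tk, self.mic_key = tk, mic_key
        self.peer_mac, self.own_mac = peer_mac, own_mac
        self.last_tsc = -1

    def accept(self, tsc: int, ciphertext: bytes):
        """Return the payload, or None if the frame is replayed, tampered or forged."""
        if tsc <= self.last_tsc:                       # replay check on the counter
            return None
        key = per_packet_key(self.tk, self.peer_mac, tsc)
        body = xor(ciphertext, keystream(key, len(ciphertext)))
        payload, tag = body[:-8], body[-8:]
        expected = mic(self.mic_key, self.peer_mac, self.own_mac, payload)
        if not hmac.compare_digest(tag, expected):
            return None                                # MIC mismatch: drop the frame
        self.last_tsc = tsc
        return payload


# Constructed session material (in WPA this comes from the key handshake).
TK = bytes.fromhex("00112233445566778899aabbccddeeff")
MIC_KEY = bytes.fromhex("0123456789abcdef")
AP_MAC = bytes.fromhex("02aabbccdd01")
CLIENT_MAC = bytes.fromhex("02aabbccdd02")


def demo_roundtrip() -> bytes:
    rx = Receiver(TK, MIC_KEY, AP_MAC, CLIENT_MAC)
    return rx.accept(*protect(TK, MIC_KEY, AP_MAC, CLIENT_MAC, 1, b"hello client"))


def demo_tamper_rejected():
    rx = Receiver(TK, MIC_KEY, AP_MAC, CLIENT_MAC)
    tsc, ct = protect(TK, MIC_KEY, AP_MAC, CLIENT_MAC, 1, b"transfer 10")
    flipped = bytes([ct[0] ^ 0x01]) + ct[1:]           # bit-flip, as against plain WEP
    return rx.accept(tsc, flipped)


def demo_replay_rejected():
    rx = Receiver(TK, MIC_KEY, AP_MAC, CLIENT_MAC)
    frame = protect(TK, MIC_KEY, AP_MAC, CLIENT_MAC, 7, b"open door")
    first = rx.accept(*frame)
    return first, rx.accept(*frame)                    # second delivery is a replay


def demo_keys_differ() -> bool:
    """Per-packet keys differ across the counter and between the two directions."""
    keys = {per_packet_key(TK, AP_MAC, t) for t in range(4)}
    return len(keys) == 4 and per_packet_key(TK, AP_MAC, 1) != per_packet_key(TK, CLIENT_MAC, 1)
```

The point of the model is the receive path: a flipped ciphertext bit still decrypts (stream ciphers are malleable) but the MIC no longer verifies, and a captured frame replayed later fails the counter check before the MIC is even computed.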
– 2nd component is 802.1x security. It is the 2nd layer of security. It provides
a security mechanism through which a user must be authenticated
before getting access to the network.
• WEP and TKIP have no user authentication mechanism.
Any user that has the encryption key (legitimately or illegally
obtained) can get free access to the network and the traffic
data. To overcome this weakness, 802.1x security is layered
on top of physical layer security.
– 802.1x user authentication requires a user to provide credentials to
the security (authentication) server, via the AP, before getting access to
the network. The AP forwards only authentication (EAPOL) traffic until the
server reports that the user is authorized. The credentials could be in the
form of a user ID and password, a certificate, a token, or a biometric,
carried in an EAP method.
– The security server also verifies the access point. The security
server also creates a unique pair of encryption keys for this user
session, which are delivered to both the AP and the client, and from which
the per-session TKIP keys are then derived.