*
Mario Čagalj
University of Split
2013/2014.

st
Assembled from different sources: Walker, Lehembre
Buttyan, ...
Produced by Mario Čagalj

 We have seen that WEP is critically flawed
 IEEE 802.11i defined to properly secure wireless LANs (2004)
 Specifies robust security mechanisms for WLANs
 Defines Transition Security Network (TSN)




Called WiFi-Protected Access ( WPA ) by WiFi-Alliance
Based on “new” TKIP (that uses “old” RC4 like WEP)
Backward compatibility (with old RC4-only hardware)
IEEE 802.1X authentication framework
 More importantly defines a Robust Security Network (RSN)



Called WiFi-Protected Access 2 ( WPA2 ) by WiFi-Alliance
Based on AES and optionally TKIP
Also uses IEEE 802.1X authentication framework
3

Tajnost podataka
(enkripcija)
Integritet podataka
Autentikacija i kontrola pristupa
IEEE 802.11b
WEP
WEP (RC4)
WEP (RC4) + CRC
Shared Key
Authentication
WPA
TKIP (RC4)
IEEE 802.11i
(WPA2)
AES,
(opcija TKIP)
TKIP-MIC
AES-MAC
(opcija TKIP-MIC)
IEEE 802.1X/EAP
(+ EAP-TLS, LEAP…)
IEEE 802.1X/EAP
(+ EAP-TLS, LEAP…)
TKIP: Temporal Key Integrity Protocol
AES: Advanced Encryption Standard
MIC: Message Integrity Code
MAC: Message Authentication Code
EAP: Extensible Authentication Protocol
TLS: Transport Layer Security
LEAP: Light EAP (Cisco)
4

 Novine u IEEE 802.11i u usporedbi sa WEP-om
 Autentifikacija i kontrola pristupa zasnovana na
IEEE 802.1X modelu
 Fleksibilan autentifikacijski okvir EAP
( Extensible Authentication Protocol )
 Mogu se koristiti “dokazani” protokoli (npr., TLS)
 Autentifikacijski proces rezultira sesijskim tajnim ključem


Različite funkcije koriste različite ključeve koji se izvode iz sesijskog ključa
Enkripcijska funkcija značajno poboljšana (AES, TKIP)
 Zaštita integriteta poruka značajno poboljšana
 AES-MAC i TKIP-MIC
5

LAN
(Internet)
Kontroliran port
AP Autentifikacijski server
Mobilni klijent
Slobodan
(otvoren) port
Port-based Network Access Control
● Mobilni klijent zahtijeva pristup uslugama (želi se spojiti na mrežu)
● AP kontrolira pristup uslugama ( kontrolirani port )
● Autentifikacijski server (AS)
• Mobilni klijent i AS se međusobno autentificiraju
• AS informira AP da može otvoriti kontrolirani port mobilnom klijentu
6

Mobilni klijent (M) Pristupna točka (AP) Autentikacijski server (AS)
Otkrivanje sigurnosnih funkcionalnosti
Rezultat: M i AS
-generiraju Master Key (MK)
-izvedu Pairwise MK (PMK)
802.1X autentifikacija
Rezultat: M i AP
-provjere PMK
802.1X key management
-izvedu Paiwise Transient Key (PTK)
PTK vezan uz ovaj M i ovu AP
Distribucija PMK ključa
(npr. putem RADIUS-a)
Zaštita podataka
(TKIP, CCMP/AES)
CCMP = Counter-Mode / Cipher Block Chaining Message
Authentication Code Protocol based on AES block cipher
7



Autentifikacijski server nije prisutan
Autentifikacija zasnovana na dijeljenom ključu ( Pre-Shared Key, PSK )
PSK
(umjesto PMK)
Mobilni klijent (M) Pristupna točka (AP)
Otkrivanje sigurnosnih funkcionalnosti
IEEE 802.1X key management
(Provjera PSK/PTK– “4-way” handshake)
Zaštita podataka
(TKIP, CCMP/AES)
8

1.
Agreeing on the security policy
2.
IEEE 802.1X authentication (absent in home nets)
3.
Key derivation and distribution
4.
Protecting data confidentiality and integrity
9

1.
Agreeing on the security policy between M and AP


Security policy advertied in RSN IE (RSN Information Element)
E.g., use PSK (Pre-Shared Key) or 802.1X (auth prot.), TKIP or CCMP/AES, etc.
Guillaume Lehembre, hakin9 6/2005
10

1.
Agreeing on the security policy
2.
IEEE 802.1X authentication (absent in home nets)
3.
Key derivation and distribution
4.
Protecting data confidentiality and integrity
11

2.
IEEE 802.1X authentication
 Based on EAP (Extensible Authentication Protocol) and the specific authentication method agreed earlier (in the 1 st phase)
Guillaume Lehembre, hakin9 6/2005
12

nd
 EAP (Extensible Authentication Protocol) [RFC 3748]
 carrier protocol designed to transport the messages of “real” authentication protocols (e.g., TLS)
 very simple, four types of messages:
 EAP request – carries messages from AS to M
 EAP response – carries messages from M to the AS
 EAP success – signals successful authentication
 EAP failure – signals authentication failure
 authenticator (AP) doesn’t understand what is inside the EAP messages, it recognizes only EAP success and failure
 EAP is not an authentication method itself
13

nd
 EAP (Extensible Authentication Protocol)
 End-to-end transport between M and AS
 AP proxies EAP between 802.1X and backend protocol between AP and AS (e.g. RADIUS) within the scope of IEEE 802.11i
EAP-TLS
EAP
EAPoL (802.1X)
802.11
Mobilni klijent Pristupna točka
EAP over RADIUS
RADIUS
TCP/IP
802.3 ili drugi
Autentifikacijski server
RADIUS: Remote Authentication Dial In User Service
14

nd
 EAPoL (EAP over LAN) [802.1X]
 used to encapsulate EAP messages into LAN protocols (e.g., Ethernet)
 EAPoL is used to carry EAP messages between the M and the AP
 RADIUS (Remote Access Dial-In User Service) [RFC 2865-2869, RFC 2548]
 used to carry EAP messages between the AP and the auth server
 RADIUS is mandated by WPA and optional for RSN (WPA2)
EAPoL (802.1X)
802.11
Mobilni klijent
EAP-TLS
EAP
Pristupna točka
EAP over RADIUS
RADIUS
TCP/IP
802.3 ili drugi
Autentifikacijski server
15

nd
 EAP in action
M encapsulated in EAPOL
EAPOL-Start
EAP Request (Identity)
EAP Response (Identity)
EAP Request 1
EAP Response 1
AP auth server encapsulated in RADIUS
EAP Response (Identity)
EAP Request 1
EAP Response 1
EAP Request n
EAP Response n
EAP Success
EAP Request n
EAP Response n
EAP Success
16

nd
Examples of embedded authentication protocols
 EAP-TLS (TLS over EAP)

 only the TLS Handshake Protocol is used server and client authentication via certificates, generation of master secret
 TLS master secret becomes the session key
 PEAP (Protected EAP)

 phase 1: TLS Handshake without client authentication (only server’s certificate) phase 2: client authentication protected by the secure channel from phase 1
 we will use it in our labs with WinSrv2008
 EAP-TTLS (used for securing FESB WiFi)
 similar to PEAP (mainly different inner/client authentication)
 we will use it in our demos
 EAP-SIM, EAP-MD5, EAP-PSK and many others
17

 Tunneled TLS over Extensible Authentication Protocol (EAP-TTLS)
 Provides protection for initial authentication messages (plaintext passwords, e.g.
PAP used by FESB)
<-----------certificate---------->
<--no trust--> <--trust--> <--trust-->
Mobilni klijent (M) Pristupna točka (AP) TTLS server
Autentifikacijski server (AS)
Establishing an authentication TLS tunnel
Authentication TLS protected authentication
WLAN master session key
Data traffic on secured link 18

 At the end of authentication:
 The AS and M have established a session
 The AS and M possess a mutually authenticated Master Key
(derived from the concrete EAP method)
 Master Key represents decision to grant access based on authentication
 M and AS have derived PMK (Pairwise Master Key)
 PMK is an authorization token to enforce access control decision at AP
 AS has distributed PMK to an AP (hopefully, to the M’s AP)
19

1.
Agreeing on the security policy
2.
IEEE 802.1X authentication (absent in home nets)
3.
Key derivation and distribution
4.
Protecting data confidentiality and integrity
20

3.
Key derivation and distribution


At this stage M and AP both hold PMK (Pairwise Master Key)
They use it to derive a fresh PTK (Pairwise Transient Key) and GTK (Group
Transient Key)
Guillaume Lehembre, hakin9 6/2005
21

Key derivation and distribution (3 rd phase)
 PTK (Pairwise Transient Key) – unique for this M and this AP
Guillaume Lehembre, hakin9 6/2005
22

Key derivation and distribution (3 rd phase)
 GTK (Group Transient Key) – for multicast, the same for all M’s
Guillaume Lehembre, hakin9 6/2005
23

Key derivation and distribution (3 rd phase)
PTK = EAPoL-PRF( PMK , ANonce | SNonce |
AP MAC Addr | M’s MAC Addr)
 4-Way Handshake (radio channel)
PTK
24

Key derivation and distribution (3 rd phase)
 Key Management Summary
 4-Way Handshake




Establishes a fresh pairwise key bound to M and AP for this session
Proves liveness of peers
Demonstrates there is no man-in-the-middle between PTK holders if there was no man-in-the-middle between PMK holders
Synchronizes pairwise key use
 Provisions fresh group key GTK to all mobile stations (for multicast traffic)
25

Example: the 3 phases with
PEAP + MS-CHAPv2
26

1.
Agreeing on the security policy
2.
IEEE 802.1X authentication (absent in home nets)
3.
Key derivation and distribution
4.
Protecting data confidentiality and integrity
27

4.
Protecting data confidentiality and integrity
 IEEE 802.11i defines 3 protocols to protect data



TKIP ( Temporal Key Integrity Protocol )
 for legacy (old RC4 devices)
 WPA
CCMP ( C ounter Mode with C BCM AC P rotocol)


 uses AES manadatory in WPA2
WRAP (Wireless Robust Authenticated Protocol)
 uses AES and patent-protected authenticated-encryption method OCB optional in WPA2
 Three protocols instead of one due to politics
28

th
 Data Transfer Requirements
 Never send or receive unprotected packets
 Message origin authenticity —prevent forgeries
 Sequence packets —detect replays
 Avoid rekeying —48 bit packet sequence number
 Protect source and destination addresses
 Use one strong cryptographic primitive for both confidentiality and integrity
29



TKIP - Temporal Key Integrity Protocol
 Radi sa starim hardverom (koji podržava RC4)
Rješava sve sigurnosne probleme sa WEP protokolom, npr.



Povećava inicijalizacijski vektor ( ext v ) na 48 bitova (WEP - 24 bita), da bi se izbjeglo ponavljanje istog init. vektora
Novi mehanizam za zaštitu integriteta – Michael ( Message Integrity Code )
Inicijalizacijski vektor kao brojač služi za zaštitu od “replay” napada
802.11 hdr Podaci CRC
802.11 hdr v

WEP-RC4(k,v)
Podaci CRC
WEP
802.11 hdr
802.11 hdr ext v
Podaci MIC CRC

TKIP-RC4(PTK,ext v)
Podaci MIC CRC
TKIP
30



Pairwise Transient Key (PTK) je dug 512 bitova
 Enkripcijski ključ = PTK bitovi 256-383 (128 bitova)
 Autentifikacijski ključ = PTK bitovi 384-511 (128 bitova)
Message Integrity Code (8 bytes)
MAC Adresa
Izvora
MAC Adresa
Odredišta
Podaci MIC
Autentifikacijski ključ Michael algoritam
 Zaštita od “replay” napada
 Za svaki paket inicijalizacijski vektor se inkrementira ( + 1 )
 Odbacuje se paket koji je primljen izvan sekvence (…, n, n+1, n, …)
 Miješanje enkripcijskog ključa – rješavanje “slabih” RC4 ključeva
31

 Based on AES in CCM mode
 Counter Mode Encryption with CBC-MAC (Whiting, Ferguson and Housley)
 Counter Mode
Encryption: counter + i
(n)
Decription: counter + i
(n)
 CBC-MAC
IV m
1
+ m
2
+
P i
K
(n)
E
+
(n)
(n) m
3
+
C i
C i
K
C
N-1
(n)
E
+
(n)
(n) m
N
+
P i
K E K E K E
…
K E
MAC = C
N 32

 Use CBC-MAC to compute a MIC (Message Integrity Code) on the plaintext header, length of the plaintext header, and the payload
 Use CTR mode to encrypt the payload
 Counter values 1, 2, 3, …
 Use CTR mode to encrypt the MIC
 Counter value 0
33

34

 CCM provides authenticity and privacy
 A CBC-MAC of the plaintext is appended to the plaintext to form an encoded plaintext
 The encoded plaintext is encrypted in CTR mode
 CCM is packet oriented
 CCM can leave any number of initial blocks of the plaintext unencrypted
 CCM has a high security level
 It is provably secure
35



Autentifikacijski server nije prisutan (npr. kućne i ad hoc mreže)
Autentifikacija zasnovana na dijeljenom ključu ( Pre-Shared Key, PSK )
PSK
(umjesto PMK)
Mobilni klijent (M) Pristupna točka (AP)
Otkrivanje sigurnosnih funkcionalnosti
IEEE 802.1X key management
(Provjera PSK/PTK– “4-way” handshake)
Zaštita podataka
(TKIP, CCMP/AES)
36

 No explicit authentication!
 The IEEE 802.1X authentication exchange absent
 Can have a single pre-shared key for entire network (insecure)…
 …or one per STA pair (secure)
 Password-to-Key Mapping
 Uses PKCS #5 v2.0 PBKDF2 to generate a 256-bit PSK from an ASCII password
 PMK=PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256)


Salt = SSID, so PSK different for different SSIDs
4096 is the number of hashes used in this process
37

 Vulnerabilities of WPA, WPA2, IEEE 802.1X
38