While significant progress has been already made on fixing the

advertisement
A Methodology for Evaluating
Wireless Network Security Protocols
Presented on: December 10, 2004
David Rager and Kandaraj Piamrat
CS386M: Communication Networks - Fall 2004
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Table of Content
1. Introduction
3
2. Explanation of Terms
4
3. Methodology
6
a.
b.
c.
d.
e.
f.
g.
h.
Authentication capability
Encryption strength
Integrity guarantees
Prevention of attacks
Identity prevention
Ease and cost of implementation
Power consumption
Novel idea
4. Analysis of Protocols
a.
b.
c.
d.
WEP
WPA
RSN
VPN
7
8
9
10
12
13
14
15
16
16
19
21
23
5. Conclusion
24
6. References
25
7. Appendix
27
a. Comparison of categorical performance
b. Main contributors to each protocol’s success
c. Derivation of points in concrete form
27
27
28
2
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Introduction
Wireless networks have been deployed everywhere in today’s internet, causing all to think about
its security. Unfortunately wireless networks have a lot of properties that attackers can use to
mount an attack. These properties are for example, dynamicity (wireless network are mobile so
they change the topology more frequently than a wired one), power constraints (mobile nodes are
constrained in power consumption by their batteries), and finally agent-based properties
(wireless networks usually use agents such as caches and proxies to enhance their performance).
Wireless network security has two wide approaches. The first one can be called “first line of
defense” [7], which include prevention mechanisms such as authentication, authorization, and
encryption. The second line of defense is the intrusion detection and response approach used to
detect the attack or to respond after an attack occurs. In this paper, we consider the first line of
defense.
While significant progress has already been made on fixing the problems with the current line of
defense, there is no clear metric methodology for evaluating the efficacy of new protocols. We
will categorize the different security requirements of a protocol, such as authentication capability,
encryption strength, integrity guarantees, protection of identity, and the ease and cost of
implementation. After enumerating how we can measure a protocol by these properties, we will
analyze WEP, WPA, and the complete 802.11i in terms of these measurements.
3
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Explanation of Terms[17]
RC4 is a symmetric stream cipher with an arbitrary key size. It is used in many applications such
as WEP, TLS, and TKIP. It is not patented but it is a trade secret of RSA security. There used to
also exist an exportable variant of RC4 which utilizes a 40-bit key, which is vulnerable to a brute
force attack.
EAP (Extensible Authentication Protocol) [rfc2284] is a general protocol for PPP
authentication that supports multiple authentication mechanisms. It provides an infrastructure
that enables clients to authenticate via a central authentication server. EAP does not select a
specific authentication mechanism at the link control phase but rather postpones this until the
authentication phase; this enables the authenticator to request more information before
determining the specific authentication mechanism to use.
802.11X is an IEEE standard for EAP encapsulation in wired and wireless network. It defines
three roles: the supplicant (user or client requesting authentication), the authentication server (the
server providing authentication), and the authenticator (the device which the supplicant requests
access to and that requests access from the authentication server - usually the Wireless Access
Point).
TKIP (Temporal Key Integrity Protocol) uses an RC4 stream cipher with 128-bit keys for
encryption and 64-bit keys for authentication. It has a per-packet key mixing function to decorrelate the public initialization vectors (IV) from weak keys and also has a rekeying
mechanism to provide fresh encryption and integrity keys. As a result, it is resistant to
cryptographic attacks based on key reuse.
AES (Advanced Encryption Standard) is a symmetric cipher which is faster than asymmetric
ciphers, but its requirements for key exchange makes it difficult to use. It also requires more
hardware on the network card than exists on current day devices.
ICV (Integrity Check Value) is a checksum capable of detecting modification of an
information system.
MIC (Message Integrity Check) is part of the 802.11i standard. It is an additional 8 byte field
placed between the data portion of an 802.11 frame and the 4 byte ICV (Integrity Check Value).
In fact, MIC is very similar to the older ICV, but instead of guaranteeing only the packet
payload, it also protects the header. The algorithm that implements MIC is known as Michael,
and it also implements a frame counter, which discourages replay attacks.
CCMP (Counter mode with Cipher block Chaining Message authentication code Protocol)
is the integrity mechanism in the 802.11i standard. It is based on the CCM mode of the AES
encryption algorithm. It uses 128-bit keys, with a 48-bit initialization vector for replay
avoidance. It has two components. The first is Counter Mode (CM) which provides data privacy,
and the second is Cipher Block Chaining Message Authentication Code (CBC-MAC) which
provides data integrity and authentication. CCMP is mandatory for anyone implementing RSN
4
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
(Robust Secure Network). CCMP has some disadvantage since it cannot be used with a machine
that does not have enough CPU power.
RADIUS (Remote Authentication Dial In User Service) is a protocol for remote user
authentication and accountability. It enables centralized management of authentication data, such
as usernames and passwords. It utilizes the MD5 algorithm for secure password hashing.
Communications between the client and server are authenticated and encrypted using a shared
secret which is not transmitted over the network. The RADIUS server is an excellent choice for
keeping track of every user’s access, because it is a centralized authentication server. The
disadvantage is that since everything is in the RADIUS server, if it is compromised, the attacker
obtains everything.
IV (Initialization Vector) is a block of bits that is combined with the first block of data in any
of several modes of a block cipher. In some cryptosystems, it is random and is sent with the
cipher text.
Handshaking in data communication is a sequence of events governed by hardware or software,
requiring mutual agreement of the state of the operational mode before information exchange.
An n-way handshake uses n messages to establish the connection.
Per-Packet Key Mixing is a function used in a per-packet encryption key. It takes the base key,
transmitter MAC address, and packet sequence number as inputs and outputs a new per-packet
WEP key.
5
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Methodology
In this paper, we considered four main approaches which are cited in chronological order as the
following: WEP, WPA, 802.11i / RSN, and VPN. The first three approaches are derived
chronologically from each other. This means that the more recent approach tries to solve the
problem found in the earlier ones. In this paper we look through all the approaches to see
techniques that they use for security and then evaluate these techniques separately from the
approaches. At the end of the evaluation we will be able to measure the performance of each
approach depending on the purpose of the network.
In order to evaluate each approach, we need to define metrics that we are going to use. Therefore
we decide to use the following metrics:
6
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Authentication Capability
When a user wants to use the network, the network devices decide how much authentication is
required to allow a new user on the network. A protocol can be trivially setup to allow anyone
anonymously on the network, protecting the identity of a client. A protocol can perform
authentication via challenge response messages, requiring knowledge of a group key. A protocol
may require the hardware of the user to meet certain specifications (like a MAC address).
Finally, a protocol may authenticate a user based upon his/her own credentials, perhaps through a
password verified via an internal server.
The authentication protocol must not be prone to man in the middle attacks and all exchanged
passwords must be securely transmitted. Also, in the event that an intruder can capture an
authentication server, the greater the redundancy between servers and synchronized decisions
between them, the better. Creating a Byzantine agreement protocol is complex computationally
and expensive in terms of network efficiency, so points should be removed under ease of use via
number of messages exchanged.
It can be seen that in order to be efficient in authentication, we should consider several
parameters. Table 1 explains what should be considered:
Consideration
Type of authentication
0(bad)
Key with challenge
response
Number of
authentication servers
Use of new
authentication
mechanisms
Known MITM attacks
One
1(fair)
Key with challenge
response and MAC
address
Three
None
-
One or more
-
2(good)
Credentials based
(# faults permitted) *
3+1
Use of EAP
(802.11X)[17]
None
Table 1: Authentication capability
7
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Encryption Strength
A good protocol must choose an encryption scheme that is secure under a probabilistic
polynomial time model. Additionally, the protocol must apply the encryption scheme in a way
that does not open a good encryption scheme to vulnerability. A good protocol should have a key
management mechanism so the user will not have to worry about the manually generating and
installing new keys.
In order to have that good protocol, we consider the different parameters below:
Consideration
Key type
Cipher key type
Cipher key length
0(bad)
Static key
RC4
40 or 104 bit
encryption
1(fair)
128 bit encryption
Key lifetime
Time used to crack
Encrypted packet
needed to crack
Can be recovered by
cryptanalysis
Key management
used
24-bit IV
Few hours
Few millions
48-bit IV
Few days
-
2(good)
Dynamic key
AES
128 bit encryption +
64 bit
authentication
48-bit IV
Centuries
Few billions
Yes
-
No
None
Static
EAP
Table 2: Encryption Strength
8
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Integrity Guarantees
Giving a recipient a means to check a message’s integrity is a well known step for preventing
message tampering. A good integrity scheme will compute a hash involving each bit in the
message. This hash will be a one-way hash, such that the message can not be reverse engineered
and changing a bit in the message should result in a large change in the hash value.
If a hash function that does not meet these requirements is used, then the integrity value should
be transmitted under encryption of a fresh or well-protected key. Therefore, it may be good to
use a public/private key scheme to communicate the integrity value securely.
In order to ensure integrity, we should guarantee two things: integrity of the message header and
integrity of the data itself. For example, it is known that the use of the CRC checksum called
Integrity check value is not secure and the packet can be intercepted. So a good protocol will not
use this mechanism. On the other hand, CCM is a long term solution and it should be deployed
when possible.
Consideration
Integrity of message
header
Integrity of the data
0(bad)
None
1(fair)
Michael
2(good)
CCM[4]
CRC-32
Michael
CCM
Table 3: Integrity Guarantees
9
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Prevention of Attacks
When a key is discovered by attackers, it is important that the discovered key is rotated out soon.
Therefore, a protocol that provides a fresh key frequently is more secure than a protocol that uses
the same key until user intervention. Additionally, the next key derived should be independent of
all previous keys, satisfying a requirement called “forward secrecy.”
Replay attacks
A replay attack involves two users communicating and a third one later using one of the
messages communicated to gain some advantage he would not have otherwise. A good example
is supposing Alice and Bob are communicating, and Eve is listening. Alice needs to authenticate
herself to Bob, so Alice sends Bob an encrypted version of her password. Later, Eve can pose as
Alice, because when Bob asks for Alice’s password, all Eve needs to do is replay the message
she captured earlier. Bob will accept that authentication and will begin communicating with Eve
assuming that Eve is actually Alice. Thus Eve will have access to all the same information that
Alice does, perhaps even the ability to change her password.
Once included, prevention of a replay attack is actually quite simple. Bob will send Alice a fresh
nonce, a newly generated random number, to act as a session identifier. Alice appends this nonce
to the password, and then encrypts. Since each message to encrypt is now different, because each
session will have a different nonce, the encrypted version of the password can not be replayed. If
Eve tries to act as Alice, she will receive a new nonce from the server, and since Eve does not
know the encryption key, she will be unable to create a new password message.
It is interesting to note that the nonce is transmitted in the clear. So long as Bob sends a fresh
nonce whenever a new session or IP address is encountered, the actor posing as Alice will
always have to know the key to fake an encryption.
We say a protocol is secure from a replay attack if it provides a sense of freshness for each
packet, which would keep an intruder from replaying that packet. The use of an initialization
vector is a start towards this, but the space must be large enough such that collisions are rare.
DoS
Denial of Service (DoS) takes on many meanings. At its core, DoS attacks involve preventing a
client from receiving a service from the network that it would be able to receive under more
friendly conditions.
In wireless security, DoS attacks have various forms. As briefly explained in the survey paper
and more completely explained in Bellardo and Savage’s work, it is possible to deny a client
service to an access point by sending a small 30 messages per second on the link layer. It is also
possible to deny wireless networks service by jamming the relevant frequencies, an exploitation
of the physical layer. It is also possible for another client to pose as a wireless station, confusing
other wireless clients and effectively denying them service. This exploit involves acting as a
10
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
DHCP server and Internet gateway and is hence a layer three attack. A good protocol is robust
from attack on all layers used.
One well-known method for preventing some DoS attacks is to use a “cookie.” A cookie usually
contains a hash under a personal key of the source address of the initiator, any session identifiers,
and something that the responder knows and can remember across many sessions without setting
up state for a specific session. A cookie is usually involved in at least a four-way handshake and
works like this:
1. Initiator sends a request to the responder to have a session
2. Responder sends back an acknowledgement and a cookie
3. If the initiator sent with the correct source IP address in step one, he will receive part two
and can reply with the cookie and setup the session
4. If the responder receives the correct cookie, he will also setup the session.
So, the cookie works, because the responder will not initiate state until he has verified the source
address of the initiator. Since many DoS attacks rely upon spoofing a source address, this is a
reasonably effective method for prevention.
Consideration
Replay attack
prevention
DoS cookie
Number of known
attacks prevented
0(bad)
None
1(fair)
-
No
None
Some of them
2(good)
IV sequence , Perpacket key mixing
Yes
All of them
Table 4: Prevention of attacks
11
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Identity Protection
A good protocol is one that only reveals identity to the intended parties. Preservation of identity
keeps attackers from narrowing their search for a given user’s information. At some point,
identity or group identity must be communicated if authentication is to make progress. A
protocol which reveals identities in plain-text has the worst identity protection, while a protocol
that reveals identity under a strong form of encryption with a fresh key has the best type of
identity protection.
It is also better to use a basic form of authentication like source IP address validation before
revealing identity.
Consideration
Group identity
revealed to
Specific identity
revealed to
0(bad)
Entire network
1(fair)
All parties
2(good)
Specific parties
Entire network
All parties
Specific parties
Table 5: Identity protection
12
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Ease and Cost of Implementation
Since the computational costs of setting up an anonymous connection are close to none, we will
use this as the highest standard. The “ease” of implementation is a subjective measure, which
requires some knowledge of technology already in existence. One concrete measure of a protocol
could be the number of gates it would require in a client’s hardware device. Another concrete
measure could be the number of lines of code required to implement it. The complexity of the
protocol can also be measured by the number of actors involved and the number of messages
exchanged.
The network utilization efficiency can be measured by the number of handshakes and parties
involved in establishing a user’s identity. In other words, if a protocol requires four parties to
authenticate a user instead of three but establishes identity to the same degree of security the
protocol requiring four parties is less efficient.
A new protocol should be relatively easy to deploy, in that it does not require a complete
overhaul of a network to function. We currently do not know of a protocol that can not be
implemented completely incrementally, but we can imagine that such a protocol could be
created.
Consideration
Computation cost
Incremental
installation
Number of messages
exchanged
Number of actors
involved
Packet key
Additional server
hardware
Additional network
infrastructure
Number of gates in
client device
Lines of Code
0(bad)
High
No
1(fair)
Medium
-
2(good)
Low
Yes
300
30
3
Many actors
-
Few actors
Mixing function
Yes
Concatenated
-
No need
No
Yes
-
No
High
-
Low
High
-
Low
Table 6: Ease and cost of implementation
13
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Power Consumption
Most devices that use wireless connections run from a battery-powered power source. As a
result, it is only fair to include power consumption in our evaluation of wireless protocols. Power
consumption is best measured in a relative manner between protocols. For example, a protocol
which uses AES will use more power than one that uses RC4.
Additionally, when a client receives attack-like behavior, it would be good for a protocol to
specify a means to detect the attack and conserve power. This is especially important for
networks that are seldom recharged, like sensor networks. A wireless protocol evaluation
methodology would be incomplete without considering power. It should be noted that
implementing AES in hardware instead of running it from ROM software cuts the power cost
significantly [5].
Consideration
Clients use low power
Client can detect
attacks and enter lowpower mode
0(bad)
No
No
1(fair)
-
2(good)
Yes
Yes
Table 7: Power consumption
14
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Novel Ideas
In this section we aim to include an idea that is currently unincorporated into wireless network
security protocols. Additionally, we want to leave some room for rewarding ideas no one has
thought of yet. This flexibility will be important for measuring new protocols.
A protocol that could tell whether a client is inside a given physical boundary could keep
intruders external to a corporation at bay. Perhaps we could accomplish this by some form of
signal triangulation, where a client registers with different wireless access points, and the
strength of his signal is measured at each access point. Each access point would experience
different levels of signal interference, as the signal would travel around monitors, but perhaps
this can be overcome by having more than three observation points and some tricky
mathematics. Regardless, the ability to tell the physical location of a wireless client could be
useful.
Consideration
Determines physical
location
0(bad)
No
1(fair)
-
2(good)
Yes
15
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Analysis of Protocols
WEP (Wired Equivalent Privacy)
WEP is an encryption algorithm that is a part of the 802.11b standards. It was designed to be as
secure as a wired LAN. But it seems that WEP has a lot of flaws and is prone to many attacks.
Some examples are: passive attacks to decrypt traffic based on statistical analysis, active attacks
to inject new traffic from unauthorized mobile stations based on known plain text, active attacks
to decrypt traffic based on tricking the access point, and a dictionary-building attack that after
analysis of about a day’s worth of traffic allows real time automated decryption of traffic.
Summary of techniques used in WEP







Challenge response authentication mechanism – Shared Key Authentication
2 party, 3 way handshake
RC4 Symmetric key cipher encryption algorithm
Single static preshared 40/104 bit key
Initialization vector for creating freshness of encryption key
Self-synchronizing [15]
Packet integrity check
Analysis
WEP will be the weakest of the protocols we analyze, because it is the oldest and has the largest
number of known attacks. It earns an average score of 30.6%.
Authentication: (0/8)
WEP has a keyed challenge response mechanism for authentication, where the client requests a
challenge message to encrypt from the server, and if the client sends back a valid encryption of
that message under the shared key, that client is considered authenticated. Additionally, WEP
only uses one “server”, the access point itself, to authenticate a client. None of the newer EAPbased authentication mechanisms are used in WEP, and there are known MITM attacks, where a
client can pose as a server. These problems earn WEP a score of 0 for authentication.
Encryption Strength: (0/16)
WEP uses a static key shared amongst all users for a given wireless network identifier. While a
server can rotate the key chosen, there are still only three other choices. WEP uses the wellknown and accepted cipher RC4 to encrypt data in linear time. Unfortunately, WEP uses this
solid encryption scheme in a way that makes RC4 vulnerable to attack and thus RC4 is not a
benefit, but a liability. The 40 bit version of WEP is relatively weak when compared to the 104
bit version and other 128 bit keys in other protocols. The 40 bit version existed to meet
exportation laws. Since those have been repealed, a key so short seems only applicable to
16
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
personal use where security is not an issue. If we were to consider personal finances private,
however, the 40 bit key is not enough. Throughout WEP’s lifetime, many have discovered its 24
bit initialization vector (IV) to be a weakness. With a space of 224 and the IV being sent in the
clear, collisions occur too often to be of statistically secure significance. These collisions,
combined with a short key on a high-traffic network can yield a key that takes only a few hours
to crack. This cracking can be done with as little as four million packets. Finally, the ability to
automatically revoke a key from the network via a management interface is not built-in to WEP.
Failing all of these conditions, WEP earns a score of 0 when it comes to encryption strength.
Integrity Guarantees: (0/4)
WEP uses a simple checksum to guarantee the integrity of the data itself and does nothing to
guarantee the header, so it earns a score of 0.
Prevention of Attacks: (0/6)
There are many attacks for WEP. As previously mentioned, WEP has attacks on all the network
layers it uses. For details of other types of attacks please see Your Wireless Network Has No
Clothes and Intercepting Mobile Communications: The Insecurity of 802.11. As simple as WEP
is, it still has a DoS weakness in its normal operation. The basic challenge response
authentication mechanism requires the server to remember what challenge message it sent the
client. Otherwise the client could lie about what challenge message it received and commit a
replay attack, reusing a previous challenge response dialogue it witnessed earlier. WEP could
have avoided this DoS by giving the client a signature of the challenge message under its own
private key to return along with a copy of the challenge message and the clients encryption.
However, WEP specifies no use of a cookie. Finally, while WEP has a notion of fresh encryption
for each packet by using IVs, it uses the small space of 2^24. So as WEP is, it receives a score of
0 for prevention of attacks.
Identity Protection: (4/4)
WEP performs quite well when it comes to identity protection. The only identity revealed is its
association with a group that knows the key to the wireless station.
Ease and Cost of Implementation: (17/18)
WEP consists of two simple security mechanisms: an authentication phase and a communication
under encryption phase. Both of these phases are remarkably simple. Authentication occurs with
a simple challenge response exchange. Encryption occurs with an XOR which is linear in time
relative to the length of the message. The computational cost of doing an XOR is quite low when
compared to other encryption standards like AES. The number of actors needed to coordinate
authentication and encryption are just the client and access point. Since WEP is already a
mainstream product, products that support WEP versus no encryption are equally cheap. In sum,
WEP is a great protocol when we examine just the cost in hardware, so we award it a (17/18) in
this area.
17
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Power Consumption: (2/4)
In general, WEP does not consume much power. This is mainly due to the computational
simplicity of the encryption scheme, but it can also be credited to the sleep mode standard with
most implementations. Since WEP does not have a method for detecting attacks and
automatically sleeping for awhile, it receives only a score of (2/4).
Novel Ideas: (0/2)
WEP neither provides a way to determine physical location nor provides something creative of
its own. So, while WEP was the first approach at a wireless security protocol, something novel in
and of itself, that novelty does not translate to measurable merits. As a result, WEP receives a
score of 0 in this area.
18
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
WPA (Wi-Fi Protected Access)
WPA is basically a corrected version of WEP with additional mechanisms to improve security
and performance. There are two modes of WPA (Enterprise mode and Pre-Shared Key mode).
Since the pre-shared key mode is quite similar to WEP, we will consider the enterprise mode
which is more secure and has additional mechanisms. Note that the enterprise mode is not used
in a home wireless network because it requires a RADIUS server which is too expensive for the
home user.
Summary of techniques used in WPA






3 party, multi way handshake
RC4 (note that some vendors also implement WPA2 which uses AES instead of RC4)
128 bit keys
Temporal Key Integrity Protocol (TKIP)– fresh key
802.1X dynamically assigns and distributes keys per session/user/packet, it is the
standard for Extensible Authentication Protocol (EAP)
Packet Integrity Check (MIC) that protect the header as well as the payload
Analysis of WPA
Given the mistakes of WEP to learn from, WPA is a much more solid protocol and earns an
overall score of 41.5%.
Authentication Capability: (6/8)
WPA employs a complex authentication mechanism. WPA authentication involves four parties:
the client, the access point, a RADIUS authentication server, and a certificate authority. WPA
allows four to five main variants of an Extensible Authentication Protocol (EAP). Included in
this list are LEAP, EAP-TLS, EAP-TTLS, and PEAP. The differences between each of these
protocols can be found in the IBM presentation Securing a Wireless LAN. In short, they always
involve server certificates for verifying server identity and helping derive the key. The client can
be authenticated using legacy methods like CHAP or more modern methods like EAP-MD5.
There are no known MITM attacks for WPA, and while it is credentials based system, it uses
only one authentication server, so we give it a score of (6/8).
Encryption Strength: (14/16)
The encryption scheme employed by WPA is still RC4. However, WPA uses RC4 in a way that
allows it to maintain its strength. For starters, the initialization vector is twice as long at 48 bits,
and the key length is a standard 128 bits. Additionally, WPA has a built-in mechanism for
providing fresh keys to clients. Every time a client authenticates, it and the server derive a new
pair-wise key. While WEP had a later modification to allow a rotation of keys, called TKIP,
WPA signifies the completion of this idea, in that it provides a fresh key every time. The larger
space of IVs (2^48) ensures that there will be less collisions for the time that one key is used, and
19
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
that trillions, not millions of packets must be collected before cryptanalysis can be done. One
potential future vulnerability could be in how a server and client compute a fresh key. Each key
should be perfectly independent of the previously derived key. WPA still uses the older
encryption scheme RC4 to maintain backwards compatibility with older hardware. A stronger
encryption scheme is still desired, so we give WPA a score of (14/16).
Integrity Guarantees: (2/4)
WPA uses the integrity method called Michael (MIC). MIC is described under Explanation of
Terms. Our methodology could not be clearer, in that MIC is a technique more complex than a
checksum, but still simpler than other signature methods. So, it earns a score of (2/4).
Prevention of Attacks: (4/6)
WPA uses per packet 48-bit IVs that provide good prevention of replay attacks. There is no
cookie, so WPA is still vulnerable to DoS, and now there are more parties to deny service – the
access point and the RADIUS server. There are no known attacks on WPA, but this may change
with time. Due to the lack of a cookie, we give WPA a (4/6).
Identity Protection: (0/4)
WPA involves the client specifically answering the question “Who are you?”[12]. There is no
plainer violation of identity protection than answering this question on the open air waves. WPA
receives a score of (0/4).
Ease and Cost of Implementation: (5/18)
WPA is significantly more difficult to implement than WEP. The addition of two other parties,
the RADIUS server and the certificate authority, require many more lines of code to implement
the protocol correctly. While it is significantly more complex, the basic encryption scheme is still
relatively simple, so WPA can still run on legacy hardware. Because of this, we give it a score of
(7/18).
Power Consumption: (1/4)
In general, WPA does not consume much power. This is mainly due to the computational
simplicity of the encryption scheme, but it can also be credited to the sleep mode standard with
most implementations. Since WPA does not have a method for detecting attack and
automatically sleeping for awhile, it receives only a score of 1/4 exactly like WEP.
Novel Ideas: (0/2)
Much like WEP, WPA neither addresses our own idea of determining physical location nor
creates something completely new that our methodology does not cover. As a result, it also earns
a score of (0/2).
20
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
802.11i / Robust Secure Network (RSN)
While WPA implements the improvements possible on legacy hardware, RSN represents
everything that we wanted to place in WPA but could not due to hardware restrictions. As a
result, we will see a couple key differences between WPA and RSN. To make reading easier,
those which are the same will be marked with a reference to the WPA explanation. RSN’s
overall score is 51.0%
Summary of techniques used in 802.11i







EAP
3 party, multi way handshake
Advanced Encryption Standard
Symmetric cipher
128 bit keys
Requires more computationally powerful hardware
Packet Integrity Check (Counter Mode Encryption)
Analysis of 802.11i / RSN
RSN’s average score is:
Authentication Capability: (6/8)
See WPA.
Encryption Strength: (15/16)
AES provides a stronger encryption scheme over WEP’s RC4. AES provides solid strength, so
we give it a score of (15/16).
Integrity Guarantees: (4/4)
With more expensive hardware, AES can use the integrity method called CCM. Put shortly,
CCM guarantees more than MIC, so it is rewarded with a score of (4/4).
Prevention of Attacks: (4/6)
See WPA.
Identity Protection: (0/4)
See WPA.
21
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Ease and Cost of Implementation: (4/18)
It is quite similar to WPA, except it is even more difficult to implement and upgrade since it
requires new client hardware. This difficulty warrants RSN a score of (4/18).
Power Consumption: (2/4)
When AES is implemented in hardware, its power consumption is drastically less than when in
software. As a result, we assume that in the long run power consumption of AES will be
acceptable. Much like WPA, since RSN does not have a method for detecting attack and
automatically sleeping for awhile, it receives only a score of (2/4), exactly like WEP and WPA.
Novel Ideas: (0/2)
Much like WEP and WPA, RSN neither addresses our own idea of determining physical location
nor creates something completely new that our methodology does not cover. As a result, it also
earns a score of (0/2).
22
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
VPN
Virtual Private Network is a network constructed by using public wires to privately connect
nodes. For example there are a number of systems that enable you to create networks using the
Internet as the medium for data communication. These systems use encryption and other security
mechanisms to ensure that only authorized users can access the network and that the data cannot
be decrypted upon interception. The mechanism used in VPN differs from the other approach by
“Tunneling,” which is the process of placing an entire packet within another packet and sending
it over a network. The protocol of the outer packet is understood by the network and both end
points, called tunnel interfaces for where the packet enters and exits the network. To implement
tunneling, we require 3 additional protocols (Carrier protocol, Encapsulating protocol, and
Passenger protocol)
VPN uses several methods for keeping the connection and data secure. Some mechanisms are
firewalls, encryption, IPSec, and the AAA server:
 A firewall provides a strong barrier between your private network and the Internet.
You can set firewalls to restrict the number of open ports, what types of packets are
forwarded and which protocols are allowed.
 IPSec (Internet Protocol Security Protocol) provides enhanced security features such
as better encryption algorithms and more comprehensive authentication. IPSec has
two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the
payload of each packet while transport mode only encrypts the payload. Only systems
that are IPSec compliant can take advantage of this protocol. Also, all devices must
use a common key and the firewalls of each network must have very similar security
policies set up. IPSec can encrypt data between various devices, such as: router to
router, firewall to router, PC to router, and PC to server
 AAA (Authentication, Authorization and Accounting) servers are used for more
secure access in a remote-access VPN environment. When a request to establish a
session comes in from a dial-up client, the request is proxied to the AAA server.
AAA then checks the following: who you are (authentication), what you are allowed
to do (authorization) and what you actually do (accounting).
VPN seems to be powerful but VPN is also expensive. First of all, tunneling requires additional
protocols to manage it (Carrier protocol, Encapsulating protocol, and Passenger protocol).
Moreover there are other requirements for administrating the VPN - the administrator must know
how much the VPN will be used and what type of data will be traveling through it.
Analysis of VPN
VPN is a type of overlay for WEP. Since it is not in and of itself a wireless protocol, it is not
directly comparable. We can dream up many overlays for any of the technologies discussed, but
we are focusing on securing the lowest layer possible. We include discussion of it above as an
example of one solution to the WEP problem that industry has adopted but stop short of
measuring it, because it is not the lowest layer of security.
23
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Conclusion
We have defined a methodology for evaluating wireless network security protocols. This
methodology encompasses the following characteristics:








Authentication Capability
Encryption Strength
Integrity Guarantees
Prevention of Attacks
Identity Protection
Ease and Cost of Implementation
Power Consumption
Novel Ideas
We then analyzed WEP, WPA, and 802.11i / RSN according to these metrics. As expected, WEP
performed the worst according to our measurements, while WPA and 802.11i / RSN performed
about the same – primarily because 802.11i / RSN requires better hardware support.
This methodology helps highlight some of the desires for different types of networks. For a
sensor network, where nodes are often left unconnected to power for a long duration, a high
score in power consumption is desirable. The typical corporation probably wants the highest
overall score and is probably willing to sacrifice some power and computation to obtain it.
24
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
References
[1] Arbaugh, William A., Shankar, Narendar and Wan, Justin Y.C. Your 802.11 Wireless
Network Has No Clothes. March 30, 2001.
http://www.cs.umd.edu/~waa/wireless.pdf
[2] Bellardo, John and Savage, Stefan. 802.11 Denial-of-Service Attacks: Real Vulnerabilites
and Practical Solutions. USENIX Security Symposium. 2003.
http://www.usenix.org/events/sec03/tech/bellardo.html
[3] Borisov, Nikita, Goldberg, Ian, and Wagner, David. Intercepting Mobile Communications:
The Insecurity of 802.11. CiteSeer. 2001.
http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf
[4] Cam-Winget, Nancy, Housley, Russ, Wagner, David, and Walker Jesse. Security Flaws in
802.11 Data Link Protocols. Communications of the ACM Vol. 46, No. 5. May 2003.
[5] Callaway, Ed. Secure Low-Power Operation of Wireless Sensor Networks. Sensormag.com.
January 2004.
http://www.sensorsmag.com/articles/0104/22/main.shtml
[6] Cohen, Alan and O’hara, Bob. 802.11i Shores Up Wireless Security. Network World. July 26,
2003.
http://www.nwfusion.com/news/tech/2003/0526techupdate.html
[7] Faria, D.B. and Cheriton, D.R.. DoS and Authentication in Wireless Public Access Networks.
International Conference on Mobile Computing and Networking Proceedings of the ACM
Workshop on Wireless Security Atlanta, GA, USA. 2002.
[8] Gast, Matthew. Wireless LAN Security Protocols. O’Reilly Emerging Technology
Conference. April 2003.
http://conferences.oreillynet.com/presentations/et2003/gast_final.pdf
[9] Geier, Jim. Beware of ARP Attacks. Wi-Fi Planet. November 24, 2003.
http://www.wi-fiplanet.com/tutorials/article.php/3112991
[10] Glendinning, Duncan. 802.11 Security. Intel Developer Forum. September 17, 2003.
http://www.intel.com/idf/us/fall2003/presentations/F03USMOBS169_OS.pdf
[11] Klaus, Christopher W. WLAN FAQ. Internet Security Systems. October 6, 2002.
http://www.iss.net/wireless/WLAN_FAQ.php
[12] Knapp, Laura Jeanne and Hadley, Tom. Securing a Wireless LAN. IBM.
http://www.lauraknapp.com/images/Wiresec.pdf
25
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
[13] Microsoft. Overview of the WPA Wireless Security Update in Windows XP. Microsoft
Knowledge Base. September 23, 2004.
http://support.microsoft.com/?kbid=815485
[14] Mistano, Marco. Wireless LAN Security. Cicsco. 2003.
http://www.clusit.it/evento_ord_ing/misi_wlan.pdf
[15] SMU. Modern Stream Ciphers. Retrieved on December 10, 2004.
http://engr.smu.edu/~nair/courses/7349/stream.ppt#16
[16] Snyder, Joel and Thayer, Rodney. 802.11i: The Next Big Thing. Network World Fusion.
October 10, 2004.
http://www.nwfusion.com/reviews/2004/1004wireless80211i.html
[17] Tech-faq. The Tech FAQ – Wireless Networks. Tech-FAQ.com. December 10, 2004.
http://www.tech-faq.com/wireless-networks/wireless-networks.shtml
[18] Welch, Donald J and Lathrop Scott D. A Survey of 802.11a Wireless Security Threats and
Security Mechanisms, Information Technology and Operation Center, 2003
http://www.itoc.usma.edu/Documents/ITOC_TR-2003-101_(G6).pdf
[19] Wikapedia. Replay Attack. Wikapedia.com. December 10, 2004.
http://en.wikipedia.org/wiki/Replay_attack
26
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
Appendix
Comparison of Categorical Performance
% of Points
0%
20%
40%
60%
80%
100%
Performance Category
Authentication Capability
Encryption Strength
Integrity Guarantees
WEP
Prevention of Attacks
WPA
Identity Protection
RSN
Ease and Cost of Implementation
Power Consumption
Novel Ideas
Main Contributors to Each Protocol's Success
Novel Ideas
Power Consumption
% of Points
Ease and Cost of
Implementation
Identity Protection
Prevention of Attacks
Integrity Guarantees
Encryption Strength
WEP
WPA
Protocol
RSN
Authentication Capability
27
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
The color red means that it was chosen for scoring that particular characteristic.
28
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
29
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
30
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
31
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
32
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
33
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
34
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
35
David Rager
Kandaraj Piamrat
CS386M
Fall 2004
36
Download