a history of 802 11 security
play

A History of 802.11 Security Jesse Walker Communications Technology - PowerPoint PPT Presentation

A History of 802.11 Security Jesse Walker Communications Technology Lab Intel Corporation jesse.walker@intel.com Jesse Walker, A History of 802.11 1 Security Goal and Agenda Goal: What is 802.11i, and where did it come from?


  1. A History of 802.11 Security Jesse Walker Communications Technology Lab Intel Corporation jesse.walker@intel.com Jesse Walker, A History of 802.11 1 Security

  2. Goal and Agenda • Goal: – What is 802.11i, and where did it come from? • Agenda – In the beginning … – Constraints and requirements – Architecture – Data protection – Discovery, authentication, and keying – Evaluation Jesse Walker, A History of 802.11 2 Security

  3. Today’s Countermeasures In the beginning … Chronology of Events 2004 1997 2003 2001 WPA = pre- 802.11i Original 802.11 WEP issues standard subset • 802.1x Security: documented of 802.11i authentication • Native 802.11 October 2000- • 802.1X • enhanced 802.1X authentication August 2001 authentication key management • WEP encryption 802.1X with WEP • 802.1X key • AES-based data • 802.1X management protection authentication • TKIP data • enhanced support • 802.1X key protection infrastructure rotation • Ratified June 23 • WEP data protection Jesse Walker, A History of 802.11 3 Security

  4. In the beginning … WEP: What is it? • IEEE Std 802.11-1997 (802.11a) defined Wired Equivalent Privacy (WEP) – Unchanged in ISO/IEC 8802-11:1999 • WEP’s Goals: – Create the privacy achieved by a wired network – Simulate physical access control by denying access to unauthenticated stations Jesse Walker, A History of 802.11 4 Security

  5. In the beginning … WEP Description WEP Key 802.11 Hdr Data Per-Frame Key || RC4 Encryption CRC-32 PN 802.11 Hdr IV Data ICV ICV Jesse Walker, A History of 802.11 5 Security

  6. In the beginning … WEP Analysis • Attacks against WEP published before the ink was dry – Walker, “Unsafe at any Key Size” , IEEE 802.11 doc. 00-362, October 2000 – Arbaugh, “An inductive Chosen Plaintext Attack against WEP”, IEEE 802.11 doc. 01-230, May 2001 – Borisov, Goldberg, Wagner, “The insecurity of 802.11”, Proceedings of International Conference on Mobile Computing and Networking, July 2001 – Fluhrer, Mantin, Shamir, “Weaknesses in the key schedule algorithm of RC4”, Proceedings of 4 th Annual Workshop of Selected Areas of Cryptography, August 2001 • 802.11 instituted remediation in November 2000 – Specification of a replacement for WEP became a TGe work item Jesse Walker, A History of 802.11 6 Security

  7. Constraints and Requirements Protection Requirements • Migration path or compatibility with WEP-only equipment • Never send or receive unprotected data frames • Message origin authenticity — prevent forgeries • Sequence frames — prevent replays • Don’t reuse keys – a key establishment protocol needed • Avoid complexity: avoid rekeying — 48 bit frame sequence space • Protect source and destination addresses – prevent header forgeries • Use one cryptographic primitive for both confidentiality and integrity – minimize implementation cost • Interoperate with proposed quality of service (QoS) enhancements (IEEE 802.11 TGe) – don’t compromise performance Jesse Walker, A History of 802.11 7 Security

  8. Constraints and Requirements Design Constraints Constraint 3: Multicast integral to modern networking (ARP, UPnP, Active Directory, SLP, …) and cannot be ignored Access Point Wired Server Station 1 Station 2 Ethernet Constratint 1: All messages Constraint 2: WLAN uses short flow through access point; 1st range radios, so APs must be generation AP MIP budget = 4 ubiquitous, so low cost Million instructions/sec Jesse Walker, A History of 802.11 8 Security

  9. Architecture 802.11i Architecture Data Station Management MAC_SAP Entity 802.1X 802.1X 802.1X Authenticator/Supplicant Controlled Uncontrolle Data Link Port d Port TK 802.11i Key WEP/TKIP/CCMP Management State Machines MAC PTK ← PRF(PMK) (PTK = KCK | KEK | TK) Physical PHY PMD Jesse Walker, A History of 802.11 9 Security

  10. Architecture 802.11i Phases Station Authentication Access Server Point Security capabilities discovery Security negotiation 802.1X authentication RADIUS-based key 802.11i key management distribution Data protection: TKIP and Jesse Walker, A History of 802.11 10 CCMP Security

  11. Data protection TKIP Overview • Legacy hardware addressed second – I never believed it was feasible • TKIP: T emporal K ey I ntegrity P rotocol – Conform to 1 st generation access point MIP budget: 4 Million Instructions/sec o Must reuse existing WEP hardware – Special purpose Message Integrity Code – costs 5 instructions/byte ≈ 3.5 M instructions/sec, and protects source, destination addresses (Ferguson, “A MAC- implementable MIC for 802.11”, November 2001) – Prevent Replay: WEP IV extended to 48 bits, used as a packet sequence space (Stanley, 802.11 doc. 02-006) – New Per-frame key constructed using a cryptographic hash (Whiting/Rivest, 802.11 doc 02-282, May 2002) – costs 200 instructions/frame ≈ 300K instructions/sec • Designed to permit migration to new hardware Jesse Walker, A History of 802.11 11 Security

  12. Data protection TKIP Overview 802.11 Hdr Data MIC Integrity Key Compute Message Integrity Code PN Mix per-frame WEP key Temporal Key Per-Frame Key Jesse Walker, A History of 802.11 12 Security

  13. Data protection AES CCMP • Long term problem addressed first – Backward compatibility always hard(er) • All new protocol with few concessions to WEP • First attempt: protocol based on AES-OCB (Walker, 802.11 doc. 01-018) – OCB = Rogaway’s Offset Code Book mode – Costs about 20 instruction/byte in software ≈ 15 M instr/sec – Removed in July 2003 due to IPR issues • Second attempt: similar protocol based on AES-CCM (Ferguson- Housley-Whiting, 802.11 doc. 02-001) – Prevent replay – Frame sequence number enforcement – Provide confidentiality – AES in Counter mode – Provide forgery protection through CBC-MAC – Costs about 40 instructions/byte in software ≈ 30 M instr/sec – Replaced AES-OCB in July 2003 • Requires new AP hardware – CPU Budget of 1 st generation AP: 4 M Instructions/sec – RC4 off-load hardware doesn’t do AES or CCMP Jesse Walker, A History of 802.11 13 Security

  14. Data protection Frame Format IV used as frame sequence space to defeat replay Key IV ID Cryptographic Message Integrity Code to defeat forgeries encryption used to provide data confidentiality Encrypted 802.11 802.11i Data MIC FCS Hdr Hdr Authenticated by MIC Jesse Walker, A History of 802.11 14 Security

  15. Discovery, authentication, and keying Authentication Overview • Authentication, not WEP flaws, led to new security work in 802.11 – Original authentication was 802.11 specific – Enterprise market refused to deploy WLANs if legacy RADIUS authentication could not be reused • Candidate solutions considered – 802.1X (Aboba, Halasz, Zorn, 2000) – Kerberos/GSSAPI (Beach, Walker 802.11 doc. 00- 292) • 802.1X adopted in November 2000 – Business, not technical decision, drove selection Jesse Walker, A History of 802.11 15 Security

  16. Discovery, authentication, and keying IEEE 802.1X Layering Wireless Authentication Access Station Server Point Concrete EAP Method, e.g., EAP-TLS EAP RADIUS 802.1X (EAPOL) 802.11 UDP/IP Jesse Walker, A History of 802.11 16 Security

  17. Discovery, authentication, and keying Authentication Overview STA AP AS STA 802.1X blocks AP 802.1X blocks controlled port controlled port 802.1X/EAP-Request Identity 802.1X/EAP-Response Identity (EAP type specific) RADIUS Access Request/Identity EAP type specific mutual authentication Derive Master Key (MK), Pairwise Derive Master Key (MK), Pairwise Master Key (PMK) Master Key (PMK) RADIUS Accept (with PMK) 802.1X/EAP-SUCCESS Jesse Walker, A History of 802.11 17 802.1X RADIUS Security

  18. Discovery, authentication, and keying Keying Overview • Requirements: – Prevent WEP’s key reuse (guarantee fresh keys) – Synchronize key usage – Verify liveness and proof of possesion – Bind key to STA and AP • Candidate solutions considered – Authenticated Key Exchange (Cam-Winget, Housley, Walker, 802.11 doc. 01-573, November 2001) – 802.1X keying (Moore, November 2001) • 802.1X adopted in November 2001 • Definciencies of each redesign noted in January, February, March, May of 2001 • “Final” design completed in May 2002 (Moore, 02-298) Jesse Walker, A History of 802.11 18 Security

  19. Discovery, authentication, and keying 802.11i Key Hierarchy Master Key (MK) Pairwise Master Key (PMK) = kdf(MK, AP information | STA information) Pairwise Transient Key (PTK) = PRF(PMK, AP Nonce | STA Nonce | AP MAC Addr | STA MAC Addr) Analog of the WEP key Key Key Encryption Temporal Key – PTK bits 256– n – can Confirmation Key (KEK) – PTK have cipher suite specific structure Key (KCK) – PTK bits 128–255 bits 0–127 Jesse Walker, A History of 802.11 19 Security

Recommend


More recommend