Solutions for WEP
28
Solutions for WEP Bracha Hod June 1, 2003
description
Solutions for WEP. Bracha Hod June 1, 2003. 802.11i Task Group. Addresses WEP issues No forger y protection No protection against replays Attack through weak keys IV re-use But has constraints Needs a firmware patch: large market already Access Points have cheap proc essor - PowerPoint PPT Presentation
Transcript of Solutions for WEP
Solutions for WEP
Bracha HodJune 1, 2003
2
802.11i Task Group Addresses WEP issues
– No forgery protection – No protection against replays– Attack through weak keys– IV re-use
But has constraints– Needs a firmware patch: large market
already– Access Points have cheap processor– Part is hardwired in the devices
3
Robust Secure Network
Interim solution– Use constrains– 802.1x - authentication and key
management– TKIP - data encapsulation
Longterm solution– Ignore constrains– 802.1x - authentication and key
management– AES - data encapsulation
802.1X
5
802.1x Architecture Allows choice of auth. methods using
EAP– Chosen by peers at authentication time– Access point doesn’t care about EAP
methods Requires some authentication server
– RADIUS is the de facto back-end protocol
802.1X (EAPoL)
802.11
EAP-TLS
EAP
RADIUS
UDP/IP
6
802.1X Terminology
Port-based access control mechanism – Ports for passing data without authentication– Parts for passing data only after authentication
Supplicant Authentication ServerAuthenticator
Controlled port
Uncontrolled port
7
802.1x Model
SupplicantAuthentication
ServerAuthenticator
Authentication traffic
Normal Data
Port Status:
EAP Identity Request
Associate
EAP Auth Response EAP Auth Response
EAP Auth Request EAP Auth Request
EAP Identity Response EAP Identity Response
Radius
802.1x
EAP-SuccessEAP-Success
8
802.1x Advantages Standards-based Flexible authentication Scalable to large enterprise networks Centrally managed Roaming can be made as transparent as
possible Keys are dynamically generated and
propagated
9
802.1x Flaws Possible attacks
– Man-in-the-middle– Session hijacking– Denial-of-service attacks
Solutions– Strong mutual authentication by protocols
like EAP-TLS, EAP-TTLS and EAP-PEAP which provide strong master-key in the end
– The area of coverage of an access point is small enough that an attacker would have a substantial risk of discovery
TKIP
11
Temporal Key Integrity Protocol Designed as a wrapper around WEP
– Can be implemented in software– Reuses existing WEP hardware– Runs WEP as a sub-component
Components– Cryptographic message integrity code– Packet sequencing– Per-packet key mixing– Re-keying mechanism
12
MIC Sender and receiver share 64-bit secret key MIC = h (src MAC|dst MAC|frame body)K If receivers computation matches the MIC sent,
then message presumed authentic If 2 forgeries in a second, then assume under
attack (delete keys, disassociate, and reassociate)
8 byte MICSA DA Payload
Michael
Michael
Authentication Key
13
Packet Sequencing Reuse 16-bits of WEP IV packet field for
sequence number Initialize seq# to 0 on new encryption key Increment seq# by 1 on each packet Discard any packet out of sequence
Access Point
Wireless
Station
Hdr Packet n
Hdr Packet n + 1
Hdr Packet n
14
Key Mixing Phase 1:
– Key_mix1(128-bit temporal key, 48-bit MAC)– 128-bit result– Ensure unique key if clients share same
temporal key
Phase 2:– Key_mix2(phase1 result,seq#) – The result is 128-bit per-packet key– Incrementing seq# ensure unique key for
each packet Keystream = RC4(128-bit per-packet key)
15
Key Mixing The keys are 128-bit The transmitter address is 48-bit The sequence number is 16-bit
Transmitter Address: 00-A0-
C9-BA-4D-5F
Temporal key
Phase 1Mixer
Intermediate key
Per-packet key
Phase 2MixerPacket
Sequence #
16
Rekeying Key hierarchy
– Master key • Established via 802.1x or manually• Used to securely communicate key encryption keys
– Key encryption keys (2) • Secure messages containing keying material for deriving temporal keys• Key 1: encryption data 128-bit • Key 2: data integrity 64-bit
– Temporal keys (2)• Key 1: encrypting data 128-bit • Key 2: data integrity 64-bit
17
Putting The Pieces Together
18
Summery Advantages
– Fixes several issues in WEP– Companies having existing WEP-based equipment can
upgrade to TKIP through relatively simple firmware patches
Disadvantages– Relies on the original 802.11 security specifications– Not ideal solution
“We should all realize that TKIP is really a kludge. We are trying to make the best of a difficult situation, but TKIP should be phased out as soon as possible…”
AES
20
Requirements Use encryption properly
– In particular The protocol must never reuse nonces or IVs or other information used to randomize the encryption function
Defend against forgeries and replays– In particular, a design must never reuse keys
Protect the source and destination addresses from modification
Minimize the cost:– Minimize the number of cryptographic primitives
used– Minimize the software expenses
Use the best practice cryptographic primitives
21
AES-based Encapsulations Replaces RC4 with AES for encryption
and integrity Requires coprocessor, therefore new
hardware deployment AES
– Symmetric key block cipher– Require sequence counter, 128-bit key
Two cryptographic modes:– AES-CCM (CCMP): Counter Mode with CBC-
MAC– AES-OCB (WRAP): Offset Codebook
22
Counter Mode & CBC-MAC
EK
ctr1
c1
m1
EK
ctr2
c2
m2
EK
ctr3
c3
m3
EK
ctrn-1
cn-1
mn-1
EK
ctrn
cn
mn
EK EK EK
mn-
1
EK
mn
cm
IV c0=IV
cj=EK(mj cj-1)
MAC=cm
cj=EK(ctrj)mj
m1 m2
23
AES-CCM Use CBC-MAC to compute a MIC on the MPDU
+ header fields CTR mode to encrypt the payload and the MIC The counter for encryption and the IV for MIC
are made by concatenation of the sequence counter and header fields
Header Payload
Encrypted
MIC
Authenticated
01000011101010148-bit sequence
counterAES key
Seq CTR
24
OCB
…
Full tag
offset
EK
checksum
offset
offset
EK
m1
c1
offset
L(0)
offset
offset
EK
m2
c2
offset
L(1)
EK
mn
cn
L(-1)
Pad
Len(mn)
offset
L(ntz(n))
ossfet
EK
Nonce
Offset
L
L = EK(0)
25
AES-OCB OCB provides both data privacy and data
authenticity by a single AES-key and 28-bit sequence counter
The nonce of OCB is made by concatenation of the sequence counter and header fields
Header Payload
Encrypted
MIC
Authenticated
01000011101010128-bit sequence
counterAES key
Seq CTR
26
CCM vs. OCB
Security– OCB mode appears to be superior for
data authentication
Performance– In hardware there are no difference– In software, AES-OCB enjoy about 2:1
performance advantage over AES-CCM
Patent situation – OCB has patent, while CCM doesn’t
27
Today & The Future 2000 – WEP
– Better than no security 2001-2002 - 802.1x–WEP
– Fixes authentication issues for legacy equipment
2002-2003 - 802.11i–TKIP– Fixes known encryption issues for legacy
equipment 2003-2004 - 802.11i-AES
– Next generation security for future products
Thank You!
