Wireless Data Network Security
Dr. N. Usha Rani, VP, Development
NMSWorks Software Pvt. Ltd.
2 Aug, 2007
Organization
• Introduction
• WLAN technology
• WiMax technology
• Network security
• Security issues in WLAN
• Security issues in WiMax
• Conclusions
• References
Wireless Technologies for Data Networks
• Communications industry driven largely by services
• Convenience inherent in wireless technology has seen the growth of
  – WLAN – Data services
  – Cellular – Predominantly voice service with data service provided as add-on
  – WiMax – Data/voice services for wide area
User Expectations
• Eliminate physical and logical barriers
  – Eliminate house wiring
  – Eliminate tethering to outlets (access from anywhere)
  – High speed
• Mobility
  – Anytime Anywhere Service
• Low cost communication
  – Affordable telephone, TV, PC, and appliances
  – Enable new applications
Challenges to growth of wireless
• Power
• Bandwidth
• Range
• Reliability
• QoS
• Management
• Interoperability
• Economics
• Security
Well known vulnerabilities
• “War (Wide Area Roaming) driving” and listening in on a WLAN connection
  – Access to a WLAN network is inherently much easier than to a fixed network
  – Motorists, pedestrians access private WLANs
  – Open source attack software (e.g., NetStumbler)
• Denial of service attacks due to jamming
Security Attack Example
Some reasons
• Flaws in the standard design itself
  – Eavesdropping because rogue Access Points are easily installed
  – Security specifications in the standard are usually optional and can be turned off
  – Flaws in the security protocol
• Weakness in the cryptography used in the standard
WLAN Uses
• Key drivers are mobility and accessibility
• Easily change work locations in the office
• Internet access at airports, cafes, conferences, etc.
Source: LBL
Enterprise WLAN
[Figure: User, 802.11 link, AP, 802.3 link, Layer 2/3 Switch, Internet; IP runs over both links]
• Layer 2/3 switch is traditional Ethernet hub
• AP (Access Point) performs security functions
802.11 sublayers
[Figure: PHY – 802.11a, 802.11b, 802.11g; MAC – 802.11d, 802.11e, 802.11h, 802.11i; Higher layers – 802.11c, 802.11f]
IEEE 802.11 Standards
802.11a 54 Mbps data rate 5 GHz
802.11b 11 Mbps data rate at 2.4 GHz
802.11e Addresses QoS issues
802.11f Addresses multi-vendor AP interoperability
802.11g Higher data rate extension to 54 Mbps in the 2.4 GHz
802.11h Dynamic frequency selection and transmit power control for operation of 5 GHz products
802.11i Addresses security issues
802.11j Addresses channelization in Japan’s 4.9 GHz band
802.11k Manages medium and network resources more efficiently
PHY Characteristics
Standard | Frequency | Mechanism | Max Data Rate | Notes
802.11   | 2.4 GHz   | FHSS/DSSS | 2 Mbps        | First std., limited rate
802.11a  | 5 GHz     | OFDM      | 54 Mbps       | Shortest range, more non-overlapping chls
802.11b  | 2.4 GHz   | DSSS      | 11 Mbps       | Widely used, low speeds
802.11g  | 2.4 GHz   | OFDM      | 54 Mbps       | Higher rates, higher range at 2.4 GHz
Physical layer
• OFDM (Orthogonal Frequency Division Multiplexing)
• DSSS (Direct Sequence Spread Spectrum)
• FHSS (Frequency Hopping Spread Spectrum)
• Multiple channels each 20 MHz
• Uses unlicensed frequency bands
Distance & Speed
• NLOS range – About 70 to 100 m depending on the PHY
• LOS range with directional antennas – Can be 10s of kms
MAC
• MAC similar to 802.3 Ethernet and 802.2 LLC
• 802.3 – CSMA-CD, 802.11 – CSMA-CA
• CSMA/CD
  – Before transmit, listen for activity on the network
  – If medium busy, wait to transmit
  – On medium clear, start transmitting
  – During transmission, monitor for collision
  – If collision detected
    • Abort
    • Wait for random time (backoff increases exponentially with number of collisions)
    • Retransmit
CSMA/CA
• In wireless, can not transmit and receive at the same time
  – Instead of CD, on medium idle delay a random amount of time (random backoff), then transmit
  – To take care of wireless errors and collisions, receiver sends immediate ACK
Architecture
[Figure: an IBSS of STA1, STA2 and STA3 in ad-hoc mode, and two BSSs each with STA1, STA2 and an AP]
STA – Wireless client
Cell – Coverage provided by AP
BSS – Stations + AP
IBSS – Stations operate in ad-hoc mode
ESS – Collection of cells in an infrastructure network
STA – Station, BSS – Basic Svc Set, IBSS – Independent BSS, ESS – Extended Svc Set
Operation of WiFi
• Access point links a wireless network to a wired network (via LAN, ADSL or WAN interface)
• Stations or clients are laptops, desktops or wireless handheld devices with a wireless NIC
• An AP has a “network name” or Service Set Identifier (SSID)
• AP periodically broadcasts SSID to advertise itself
• A client having the same SSID can connect to the network
Adhoc Mesh between villages
[Figure: mesh links between villages, with towers labelled 20 m, 5 m, 10 m and 5 m]
• Terrain and trees => tower in each village
• Cost of tower >> cost of WiFi
WiMax - Introduction
• Ever increasing demand for broadband wireless access to compete with DSL, cable etc.
• Provides fixed, nomadic and mobile wireless broadband access with non-LOS
• High capacity (up to 96 Mbps) and high range (up to 3 kms NLOS)
WiMax - Applications
• Provide backhaul for proliferating WiFi hotspots and aggregating traffic to high speed internet backbone
• Provide telephone access in hard to reach rural areas and cellular backhaul
• Support nomadic and mobile subscribers
Capability and Reach
• Simultaneous support for hundreds of SMEs with E1 connectivity and thousands of homes/SOHOs with DSL connectivity
• Potential of low cost and flexibility
• Scalable solution to meet increasing bandwidth demands
• Cost effective answer to requirements ranging from
  – high end requirements such as triple play
  – Rural communities and businesses, for basic broadband Internet access
What is WiMax?
• Worldwide Interoperability for Microwave Access
• Based on technology standard defined by IEEE (802.16) for broadband wireless access for MANs
• Non-profit industry body to promote the technology and ensure interoperability between different vendor products
WiMax Components
• Base station (BS) connected to public networks
• Subscriber station (SS) typically serves a building – office or residence
• BS serves several SSes with different QoS priorities etc. simultaneously
Architecture
802.16 standard
• Original standard based on DOCSIS/HFC in wireless domain
[Figure: timeline 802.16-2001, 802.16c-2002, 802.16a-2003, 802.16d-2004, 802.16e-2005]
• 802.16-2001 – Original fixed wireless broadband, 10 – 66 GHz, LOS only, PMP applications
• 802.16c-2002 – 802.16 Amendment, WiMAX System Profiles, 10 - 66 GHz
• 802.16a-2003 – Extension for 2-11 GHz: non-line-of-sight, PMP applications
• 802.16d-2004 – Adds WiMAX System Profiles, Errata for 2-11 GHz
• 802.16e-2005 – Enhancements to support mobility
Channel characteristics
• 10-66 GHz (millimetre microwave)
  – Very weak multipath components (LOS is required)
  – Rain attenuation is a major issue
  – Single-carrier PHY
• 2-11 GHz (centimetre microwave)
  – Multipath
  – NLOS
  – Single and multi-carrier PHYs
Physical layer characteristics
• Flexible Channel Sizes (1.75 MHz -- 20 MHz)
• Designed to support smart antenna systems – useful in reducing interference and increasing system gain
• Adaptive coding – QPSK, 16-QAM, 64-QAM for higher data rates depending on signal quality
• Data rate depends on channel size and coding
Licensed vs Unlicensed spectrum
Licensed                                   | License-Exempt
Better QoS                                 | Fast Rollout
Better NLOS reception at lower frequencies | Lower Costs
Higher barriers for entrance               | More worldwide options
MAC layer
• Supports challenging service delivery environment
  – Efficient use of bandwidth
  – High bandwidth, 100s of users per channel
  – Continuous and bursty traffic
• Protocol independent (IP, ATM, Ethernet…)
• Multiple PHYs
• Security
MAC layer
• Supports Point-To-Multipoint (PMP) and Mesh (PP) topologies
  – PMP: Traffic flows between Base Station (BS) and Subscriber Stations (SS)
  – Uplink connection from SS to BS
  – Downlink from BS to numerous SS’es
  – Mesh
• TDM/TDMA with scheduling of transmissions by BS
• Connection-oriented – a Connection Id (CID) assigned to each connection
• Supports QoS
WiMAX Operation
Feature           | 802.16a                           | 802.11b            | 802.11 a/g
Application       | BWA                               | Wireless LAN       | Wireless LAN
Frequency band    | 2-11 GHz, licensed and unlicensed | 2.4 GHz unlicensed | 2.4 GHz (g), 5 GHz (a) unlicensed
Channel bandwidth | 1.25 to 20 MHz                    | 20 MHz             | 20 MHz
Bw efficiency     | ~4.0 bps/Hz                       | ~.44 bps/Hz        | ~2.7 bps/Hz
FEC               | Reed Solomon                      | None               | Convolutional code
Mobility          | 802.16e                           | In development     | In development
Mesh              | Yes                               | Proprietary        | Proprietary
Encryption        | Mandatory                         | Optional           | Optional
The need for security
• Prior to this “computer era”, information felt to be valuable was protected by physical and administrative means
Acknowledged and known surveillance systems
• Carnivore is a network traffic interceptor
• Is deployed at ISPs
• The traffic of interest can be filtered out from the mainstream traffic
• Magic lantern is a key stroke logger
• FBI motto: In God we trust, the rest we monitor…….
Hacking no longer esoteric
• Hackers develop tools that are freely available, accessible and easy to use
• Anyone with browser access can download them from common sites like rootshell.com, securityfocus.com, insecure.org
Goals of security
• Provide confidentiality of sensitive information – only intended persons can see the information
• Authenticate legitimate entities – make sure they are who they claim to be
• Provide access control - prevent unauthorized entry to information systems
• Enforce non-repudiation of transactions – an entity cannot later disavow a transaction
• Ensure availability of systems and services to legitimate users
A classification of attacks
• Most security attacks can be classified into one of the following generic types
  – Interruption
  – Interception
  – Modification
  – Fabrication
Electronic security services and mechanisms
• Most mechanisms that provide the services of confidentiality, integrity, authentication, access control and non-repudiation are cryptography based
• Ensuring availability is difficult
• Availability of systems and services requires other mechanisms as well
Technologies to implement electronic security services
• Identification, authentication: passwords, biometrics, cryptography based techniques
• Confidentiality: Cryptography
• Access control: ACLs, Access control matrices, cryptography based techniques, firewalls
• Integrity: Checksums, hash functions
• Non-repudiation: Cryptography based techniques
Ensuring availability
• Provision for alternate network paths
• Provision for redundancy of critical servers and services
  – Computing power
  – Storage
• Provision for redundancy of data and within data
Security attacks in WLANs
• Physical layer
  – Jamming
• MAC layer attacks
• Security protocol design weaknesses
• We shall consider mainly protocol design weaknesses
Possible DoS attacks
• DOS attack on CSMA
  – Send small packets rapidly so that legitimate users feel carrier is not available
  – Similar virtual carrier sense attack possible
• Deauthentication/Disassociation attack
  – Rogue AP can sit between AP and clients and send de-authentication/disassociation messages
Wired Equivalent Privacy
• 802.11 specifies Wired Equivalent Privacy
• Aims at providing
  – Confidentiality
    • Uses RC4 (standard specifies 64 bit key)
  – Access control
  – Integrity of data
  – Authentication
    • Challenge-Response using same encryption primitive
• Unfortunately, as we shall see, none of the aims were achieved!
Wired Equivalent Privacy
• Standard finalized in 1999
• Soon after, in the year 2001 there were 3 major papers that demonstrated great weaknesses in WEP
  1. Intercepting Mobile Communications: The Insecurity of 802.11 (Borisov, Goldberg, and Wagner 2001) (Berkeley paper)
  2. Your 802.11 Wireless Network Has No Clothes (Arbaugh, Shankar, and Wan 2001) (Maryland paper)
  3. Weaknesses in the Key Scheduling Algorithm of RC4 (Fluhrer, Mantin, and Shamir 2001) (FMS attack)
Wired Equivalent Privacy
• The Berkeley paper shows that even without the secret key, WEP security goals can be compromised
  – Discussed in detail in this presentation
• The Maryland paper mainly concentrates on weaknesses in 802.11 itself
• FMS is a devastating attack to recover the RC4 key itself from a knowledge of ciphertext and IV
• Implies that WEP is useless for secure use
802.11 Frame and WEP
[Figure: 802.11 frame = Header | Payload; WEP frame = Header | IV | Payload | ICV, with Payload and ICV encrypted]
• ICV computed – 32-bit CRC of payload
• RC4, a stream cipher, is applied on this payload
• This is a well-known cipher, and the designers were wise to choose it
• ICV = Integrity Check Value
WEP encryption
[Figure: IV and Key are concatenated to form the RC4 seed; RC4 produces the key stream; Plaintext concatenated with its CRC-32 ICV is XORed with the key stream to give the Ciphertext; the IV is sent in the clear with the frame]
IV – Initialization Vector, one per packet
Key – Shared secret key
ICV – Integrity check value
WEP decryption
[Figure: the received IV and the Key are concatenated to form the RC4 seed; RC4 produces the key stream; the Ciphertext XORed with the key stream yields Plaintext and ICV; CRC-32 of the Plaintext gives ICV’; if ICV’ = ICV, integrity preserved]
Stream ciphers – some pitfalls
• C = P XOR KS
• Key streams must never be reused
  – C1 XOR C2 = (P1 XOR KS) XOR (P2 XOR KS) = P1 XOR P2
  – => if a part of one plaintext is known, corresponding part of the other can be obtained
• Forgery is easy – Bit flip attack
  – If P2 = P1 XOR X
  – Then C2 = C1 XOR X
• WEP solution to above
  – ICV – Prevents forgery
    • Checksum on the data prevents bit flipping
  – IV – Prevents key reuse
    • Each packet a new key that starts a new stream is used
Points to ponder
• The keystream for WEP is RC4(IV,K), which depends only on IV and K
  – k is a fixed shared secret - every user in WLAN shares the same k
• So the keystream depends only on IV
  – If two packets ever get transmitted with the same value of IV means keystream reuse
• Since IV gets transmitted in the clear for each packet, the adversary can even easily tell when a value of IV is reused (a "collision").
• At most 2^24, or about 16 million possible values of IV
• After 16 million packets, you have to repeat one!
In practice
• Many 802.11 cards reset their IV counter to 0 every time they were activated, and incremented by 1 for each packet transmitted
• This means that low IV values get reused at the beginning of every wireless session
• IV collisions possible between packets sent by different people!
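To put numbers on the IV space and on the counter-reset behaviour described above, here is an added Python example written for this page (it is not code from the slides). The birthday computation assumes uniformly random IVs; the trace of a card that restarts its counter at 0 is constructed; and the last function is the kind of IV-reuse check a WLAN monitor can run, since IVs travel in the clear. All function names are the example's own.

```python
"""Added example: how quickly a 24-bit IV space runs out, and a monitor that flags IV reuse."""
from typing import Iterable

IV_SPACE = 2 ** 24  # the WEP IV is 24 bits: about 16 million values


def iv_collision_probability(n_frames: int, space: int = IV_SPACE) -> float:
    """Probability that at least two of n_frames uniformly random IVs coincide
    (the birthday problem), computed exactly as 1 - prod(1 - i/space)."""
    no_collision = 1.0
    for i in range(n_frames):
        no_collision *= 1.0 - i / space
    return 1.0 - no_collision


def frames_until_probability(p: float, space: int = IV_SPACE) -> int:
    """Smallest frame count at which the collision probability reaches p."""
    no_collision, n = 1.0, 0
    while 1.0 - no_collision < p:
        no_collision *= 1.0 - n / space   # account for frame number n+1
        n += 1
    return n


def counter_reset_sessions(frames_per_session: int, sessions: int) -> list:
    """Constructed IV trace for a card that resets its IV counter to 0 at every
    activation and increments it by one per transmitted frame."""
    return [iv for _ in range(sessions) for iv in range(frames_per_session)]


def find_iv_reuse(ivs: Iterable[int]) -> dict:
    """Monitor-side check: count each IV seen on the air and return {iv: count}
    for every IV that appeared more than once (each one is a keystream reuse)."""
    seen: dict = {}
    for iv in ivs:
        seen[iv] = seen.get(iv, 0) + 1
    return {iv: c for iv, c in seen.items() if c > 1}


def demo() -> dict:
    trace = counter_reset_sessions(frames_per_session=5, sessions=3)
    return {
        "reused_ivs": find_iv_reuse(trace),
        "frames_for_50pct_random_ivs": frames_until_probability(0.5),
        "prob_after_1000_random_ivs": iv_collision_probability(1000),
    }
```

The random-IV figure is the optimistic case: with about 4,800 frames a collision is already more likely than not, far below the 16 million of the slide. A counter that restarts at 0 makes reuse of the low IVs certain at the start of every session, which is exactly what the monitor function reports.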
Dictionary attack
• Suppose the adversary knows both the ciphertext and the plaintext for some packets encrypted with a given IV v
• Reveals the keystream RC4(k,v) by XORing the plaintext and the ciphertext
• Keystream can be stored in a table, indexed by IV
• The next time a packet with an IV stored in the table is seen, just look up the keystream, XOR it against the packet, and read the data!
• Vulnerability to attack independent of key size
Weaknesses in data integrity check
• CRC is a poor choice
  – Used to detect random errors; they are useless against malicious errors.
• CRC-32 has two main properties of importance here:
  – It is independent of the shared secret and the IV
  – It is linear: crc(M XOR D) = crc(M) XOR crc(D)
• Can be exploited to modify/inject messages undetected
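The keystream-reuse and CRC properties from the stream-cipher, dictionary-attack and integrity-check slides, worked through in an added Python example written for this page (not code from the slides or from the cited papers). It assumes WEP-40 as the slides describe it: a 24-bit IV prepended to the 40-bit shared key as the RC4 seed, and a CRC-32 ICV appended to the payload before encryption; the key, IV and plaintexts are constructed. The CRC identity is checked in the exact form that holds for a CRC with an initial value and a final XOR, which is affine rather than strictly linear; the extra constant depends only on the length, so it changes nothing about the attacker's ability to predict the ICV. The HMAC function stands in for the keyed integrity code that 802.11i later added.

```python
"""Added example: WEP encapsulation and two of its protocol-level weaknesses."""
import hashlib
import hmac
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling algorithm followed by the PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: a plain CRC-32 of the payload, with no key involved."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Seed = IV || key; ciphertext = (plaintext || ICV) XOR RC4(seed); the IV is sent in the clear."""
    body = plaintext + icv(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok). Note the ICV check itself needs no key."""
    iv, body = frame[:3], frame[3:]
    clear = xor_bytes(body, rc4_keystream(iv + key, len(body)))
    plaintext, received_icv = clear[:-4], clear[-4:]
    return plaintext, icv(plaintext) == received_icv


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Two equal-length frames under the same IV share the keystream, so
    C1 XOR C2 = P1 XOR P2 with no knowledge of the key at all."""
    if frame1[:3] != frame2[:3] or len(frame1) != len(frame2):
        raise ValueError("demonstration assumes equal-length frames with the same IV")
    return xor_bytes(frame1[3:], frame2[3:])[:-4]   # drop the XORed ICVs


def crc32_is_affine(m: bytes, d: bytes) -> bool:
    """For equal-length m and d: crc(M XOR D) = crc(M) XOR crc(D) XOR crc(0...0).
    The last term depends only on the length, so the effect of any XOR delta on
    the ICV is predictable without the key, which is why the ICV is not a MAC."""
    zeros = bytes(len(m))
    lhs = icv(xor_bytes(m, d))
    rhs = xor_bytes(xor_bytes(icv(m), icv(d)), icv(zeros))
    return lhs == rhs


def keyed_mac(key: bytes, data: bytes) -> bytes:
    """What the integrity field should have been: a keyed MAC. A delta in the data
    gives an unpredictable change in the tag unless the key is known."""
    return hmac.new(key, data, hashlib.sha1).digest()


def demo() -> dict:
    key = bytes.fromhex("0102030405")        # constructed 40-bit shared key
    iv = b"\x00\x00\x01"                     # constructed IV, as reused by a card that resets its counter
    p1 = b"GET /index.html HTTP/1.0"         # constructed plaintexts of equal length
    p2 = b"POST /login.php HTTP/1.0"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    one_bit = b"\x01" + bytes(len(p1) - 1)   # a delta that flips one bit of the first byte
    return {
        "round_trip": wep_decrypt(key, f1) == (p1, True),
        "leak_equals_p1_xor_p2": keystream_reuse_leak(f1, f2) == xor_bytes(p1, p2),
        "crc_affine": crc32_is_affine(p1, one_bit),
        "mac_detects_flip": keyed_mac(key, p1) != keyed_mac(key, xor_bytes(p1, one_bit)),
    }
```

Both weaknesses are independent of key length: the leak comes from reusing the IV, and the CRC identity from the ICV being keyless. A keyed MAC, together with a per-key packet number as CCMP uses, is what removes them.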
WEP Authentication
• The goal is for the AP to verify that a client joining the network really knows the shared secret key k
• The AP sends a challenge string to the client
• The client sends back the challenge, WEP-encrypted with the shared secret k
• The base station checks if the challenge is correctly encrypted, and if so, accepts the client
  => the adversary has now just seen both the plaintext and the ciphertext of this challenge!
• This is enough not only to inject packets (as in the previous attack), but to execute the authentication protocol
Shortcomings of WEP
• Encryption wasn’t being used properly.
• There was no means to prevent message forgeries
• Encryption keys were reused, allowing others to read data without knowing the encryption key.
• Authentication didn’t work, transmitting in the open everything needed for an attacker to authenticate
Learnings
• Designing security protocols is hard!
• Better to reuse old designs where possible
  – PPTP had some of the same problems as WEP
  – IPSec had to deal with many of the same issues
• The design process should be public and inviting review
WPA
• Wi-Fi Protected Access (WPA™) was an interim standard adopted by the Wi-Fi Alliance
• WPA supports
  – authentication through 802.1X (known as WPA Enterprise) or with a preshared key (known as WPA Personal)
  – a new encryption algorithm known as the Temporal Key Integrity Protocol (TKIP)
  – a new integrity algorithm known as Michael
802.11i
• IEEE 802.11i standard formally replaces Wired Equivalent Privacy (WEP) and the other security features of the original IEEE 802.11 standard
• Two basic subsystems:
  – Data privacy mechanism
    • TKIP (a protocol patching WEP), applies to legacy systems
    • AES-based protocol (long term), needs new hardware
  – Security association management
    • RSN negotiation procedures, to establish a security context
    • IEEE 802.1X authentication, replacing IEEE 802.11 authentication
    • IEEE 802.1X key management, to provide cryptographic keys
Data Privacy Summary
                 | WEP             | TKIP                             | CCMP
Cipher           | RC4             | RC4                              | AES
Key Size         | 40 or 104 bits  | 128 bits encryption, 64 bit auth | 128 bits
Key Life         | 24-bit IV, wrap | 48-bit IV                        | 48-bit IV
Packet Key       | Concat.         | Mixing Fn                        | Not Needed
Data Integrity   | CRC-32          | Michael                          | CCM
Header integrity | None            | Michael                          | CCM
Replay           | None            | Use IV                           | Use IV
Key Mgmt.        | None            | EAP-based                        | EAP-based
802.11i Operational Phases
[Figure: Station, Access Point and Authentication Server; phases in order: security capabilities discovery, 802.1X authentication, 802.1X key management with RADIUS-based key distribution, data protection]
Purpose of each phase
• Discovery
  – Determine promising parties with whom to communicate
  – AP advertises network security capabilities to STAs
  – STA determines whether it does indeed want to communicate
• 802.1X authentication
  – Centralize network admission policy decisions at the AS
  – Mutually authenticate STA and AS
  – Generate Master Key as a side effect of authentication
  – Use master key to generate session keys = authorization token
• Three roles – supplicant, authenticator, authentication server
802.1x authentication
[Figure: 802.11i state diagram (802_11i_states.png); STA and AP each derive pairwise transient keys]
Key management
• 802.11i specifies a key hierarchy - different keys for different purposes
  – Pairwise Master Key (PMK), which is the same as the pre-shared key or is created during authentication
  – For unicast transmissions, unicast keys are defined for authentication, encryption, and integrity
    • Derived from a PMK
  – Group keys are used for the communication among a group of devices
• RADIUS-based key distribution
  – AS moves (not copies) session key (Pairwise Master Key) to STA’s AP
Data Protection: AES - CCMP
• 802.11i requires support for the AES Counter Mode-Cipher Block Chaining Message Authentication Code Protocol (CCMP)
• AES Counter Mode - block cipher that encrypts 128-bit blocks of data at a time with a 128-bit encryption key
• The CBC-MAC algorithm produces a message integrity code (MIC) that provides data origin authentication and data integrity for the wireless frame.
• Packet Number field in the wireless frame provides replay protection
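The replay protection named in the last bullet, as an added Python model written for this page (it is not driver or standard reference code). It assumes what the slide states: the Packet Number is a per-key counter that only ever increases, and a receiver drops any frame whose number is not greater than the last one accepted. The 48-bit width comes from the Data Privacy Summary above; the single counter per key is a simplification, since 802.11i keeps one per traffic class. The class and function names are the example's own.

```python
"""Added example: replay protection from the per-frame Packet Number (PN) in CCMP."""


class ReplayCounter:
    """Receive-side replay state for one key: a frame is accepted only when its PN is
    strictly greater than the last accepted PN. Constructed for this page."""

    def __init__(self, pn_bits: int = 48):
        self.max_pn = (1 << pn_bits) - 1
        self.last_pn = -1       # nothing accepted yet under this key

    def accept(self, pn: int) -> bool:
        if not 0 <= pn <= self.max_pn:
            return False        # malformed PN
        if pn <= self.last_pn:
            return False        # replayed (or reordered) frame: drop it
        self.last_pn = pn
        return True

    def rekey(self) -> None:
        """A fresh key starts a fresh PN space; the counter is never reset without rekeying."""
        self.last_pn = -1


def process_frames(pns, counter=None):
    """Run a PN sequence through the counter; returns (accepted, rejected) lists."""
    counter = counter if counter is not None else ReplayCounter()
    accepted, rejected = [], []
    for pn in pns:
        (accepted if counter.accept(pn) else rejected).append(pn)
    return accepted, rejected


def demo():
    # constructed trace: frame 7 is recorded and played back later, then a stale frame 5
    return process_frames([5, 6, 7, 8, 7, 9, 5, 10])
```

Contrast with WEP in the same table: the IV is also a per-frame counter, but nothing checks it, so a recorded frame can be replayed at will. The sender's obligation is the mirror image of the receiver's check: never reuse a PN under one key, and rekey before the counter wraps.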
Challenges ahead
• Important to protect the control messages in a wireless network
• 802.11i keying and authentication are too slow to support real-time applications such as voice - the 802.11r task group has been created to solve this problem
• The Wi-Fi Alliance initiative to properly certify 802.11i referred to as WPA2
Summary
• Not all the security features advertised in the retail boxes of the 802.11 devices are effective
• The WEP protocol has several important weaknesses
• Many vendors offer software upgrade to WPA in their 802.11 products line
• Current and future wireless network users need to use 802.11i
• Treat WLAN network as being in untrusted Internet!
Threats in WiMAX
• Service availability
  – Rain
  – Jamming
• MAC layer
  – Sniffing
  – Masquerading
  – Content alteration
  – DOS attacks
• Next node in a mesh architecture is trusted
Security sublayer of MAC
• The main focus of the Privacy Sublayer is on protecting service providers against theft of service
• Privacy layer only protects data at the Open System Interconnection (OSI) layer two level (not end-to-end encryption of user data)
• Both physical and higher layer security technologies would need to be integrated
Authentication
• SS’es have manufacturer supplied digital certificates
• These are sent by SS to BS in Authorization Request and Authentication messages
  – Authorization request also contains SS’es cryptographic capability
• If SS is authorized to join network, BS sends an Authorization Key encrypted with SS’es public key
Security Associations (SA)
• SA maintains security state relevant to a connection
• Data SA type and authorization SA type
• Only data SA type explicitly defined
  – A 16-bit SA identifier, or SAID.
  – A cipher (DES, CBC) to protect the data exchanged over the connection.
  – Two traffic encryption keys (TEKs) to encrypt data: the current operational key and a TEK for when the current key expires.
  – Two 2-bit key identifiers, one for each TEK.
  – A TEK lifetime.
  – A 64-bit initialization vector for each TEK.
  – An indication of the type of data SA. Primary SAs are established during link initialization; static SAs are configured on the BS; and dynamic SAs
Authorization SA
• An X.509 certificate identifying the SS
• A 160-bit authorization key (AK).
• A 4-bit quantity to identify the AK.
• An AK lifetime, ranging from one to 70 days
• A key encryption key (a 112-bit Triple-DES key) for distributing TEKs
• Downlink HMAC key
• Uplink HMAC key
• List of data SA’s
Data privacy
• After exchange of Authentication Key, traffic encryption keys (TEKs) are exchanged
  KEK = Truncate-128(SHA1((AK | 0^44) XOR 0x53^64))
  Downlink HMAC key = SHA1((AK | 0^44) XOR 0x3A^64)
  Uplink HMAC key = SHA1((AK | 0^44) XOR 0x5C^64)
  (0^44 denotes 44 zero bytes, 0x53^64 the byte 0x53 repeated 64 times)
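The three derivations above, as an added Python example written for this page (not vendor or standard reference code). It assumes AK is the 160-bit value the slides name, reads 0^44 as 44 zero bytes and 0x53^64 as the byte 0x53 repeated 64 times, and takes Truncate-128 to keep the leftmost 128 bits. The message used to show the HMAC-SHA1 authentication of a key exchange is constructed, and the function names are the example's own.

```python
"""Added example: deriving the KEK and HMAC keys from the 802.16 Authorization Key (AK)."""
import hashlib
import hmac

AK_LEN = 20          # AK is 160 bits
SHA1_BLOCK = 64      # (AK | 0^44) is exactly one 64-byte SHA-1 block


def _padded_ak(ak: bytes) -> bytes:
    """AK | 0^44: the 20-byte AK followed by 44 zero bytes."""
    if len(ak) != AK_LEN:
        raise ValueError("AK must be 160 bits (20 bytes)")
    return ak + bytes(SHA1_BLOCK - AK_LEN)


def _xor_const(block: bytes, const: int) -> bytes:
    """XOR every byte of the block with const, i.e. XOR with const^64."""
    return bytes(b ^ const for b in block)


def derive_kek(ak: bytes) -> bytes:
    """KEK = Truncate-128(SHA1((AK | 0^44) XOR 0x53^64)); Truncate-128 keeps the leftmost 16 bytes."""
    return hashlib.sha1(_xor_const(_padded_ak(ak), 0x53)).digest()[:16]


def derive_hmac_key_downlink(ak: bytes) -> bytes:
    """Downlink HMAC key = SHA1((AK | 0^44) XOR 0x3A^64), 160 bits."""
    return hashlib.sha1(_xor_const(_padded_ak(ak), 0x3A)).digest()


def derive_hmac_key_uplink(ak: bytes) -> bytes:
    """Uplink HMAC key = SHA1((AK | 0^44) XOR 0x5C^64), 160 bits."""
    return hashlib.sha1(_xor_const(_padded_ak(ak), 0x5C)).digest()


def key_exchange_digest(hmac_key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 over a key exchange message: message integrity plus AK confirmation,
    since only a party holding AK can derive the HMAC key."""
    return hmac.new(hmac_key, message, hashlib.sha1).digest()


def verify_key_exchange(hmac_key: bytes, message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(key_exchange_digest(hmac_key, message), digest)


def demo() -> dict:
    ak = bytes(range(20))                               # constructed AK, not a real key
    kek = derive_kek(ak)
    hk_down = derive_hmac_key_downlink(ak)
    hk_up = derive_hmac_key_uplink(ak)
    msg = b"Key-Reply: SAID=0x0001, TEK-sequence=2"     # constructed message body
    tag = key_exchange_digest(hk_down, msg)
    return {
        "kek_bytes": len(kek),
        "hmac_key_bytes": len(hk_down),
        "all_distinct": len({kek, hk_down[:16], hk_up[:16]}) == 3,
        "verifies_with_right_key": verify_key_exchange(hk_down, msg, tag),
        "rejects_other_direction_key": not verify_key_exchange(hk_up, msg, tag),
        "rejects_altered_message": not verify_key_exchange(hk_down, msg + b"!", tag),
    }
```

Separate uplink and downlink keys mean a digest captured in one direction cannot be reflected back in the other; all three keys nonetheless descend from the single AK, which is why the slide's later observation that the AK is generated by the BS alone matters.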
Data Key Exchange
• Traffic Encryption Key (TEK)
• TEK is generated by BS randomly
• TEK is encrypted with one of
  – Triple-DES (use 128 bits KEK)
  – RSA (use SS’s public key)
  – AES (use 128 bits KEK)
• Key Exchange message is authenticated by HMAC-SHA1 – (provides Message Integrity and AK confirmation)
Replay protection
• The BS is responsible for maintaining keying information for all SAs
• BS always prepared to send an AK to an SS upon request.
• BS has two active AKs during an AK transition period - the two active keys have overlapping lifetimes.
• Responsibility of SS to initiate rekeying request
TEK rekeying
• The BS maintains two sets of active TEKs per SA ID
• The two generations of TEKs have overlapping lifetimes determined by TEK Lifetime
• The newer TEK has a key sequence number one greater (modulo 4) than that of the older TEK.
• Each TEK becomes active halfway through the lifetime of its predecessor and expires halfway through the lifetime of its successor.
• It is the responsibility of the SS to update its keys in a timely fashion
Key life times
Some flaws
• Only one-way authentication
  – SS authenticates to BS
  – No protection against rogue BS
• Authentication key generation purely from BS side – no contribution of SS
• TEK uses 2-bit sequence number
  – Sequence number repeated every 4 keys!
    • Increases vulnerability to replay
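The overlapping-lifetime scheme from the TEK rekeying slide and the 2-bit sequence number flaw just stated, as an added Python model written for this page (not 802.16 reference code). The timing model assumes, as the slides state, that each TEK becomes active halfway through its predecessor's lifetime and expires halfway through its successor's, and that the sequence number is the generation modulo 4; the names are the example's own.

```python
"""Added example: overlapping TEK generations and the 2-bit key sequence number."""


def tek_window(generation: int, tek_lifetime: float):
    """Active interval of TEK generation k. Each TEK becomes active halfway through
    its predecessor's lifetime and lives for one TEK lifetime: [k*L/2, k*L/2 + L)."""
    start = generation * tek_lifetime / 2
    return start, start + tek_lifetime


def active_generations(t: float, tek_lifetime: float, max_generation: int = 32):
    """TEK generations whose window covers time t: always one or two, matching the
    two sets of active TEKs the BS keeps per SAID."""
    return [k for k in range(max_generation)
            if tek_window(k, tek_lifetime)[0] <= t < tek_window(k, tek_lifetime)[1]]


def key_sequence_number(generation: int) -> int:
    """The 2-bit key sequence number carried with each TEK: generation modulo 4."""
    return generation % 4


def is_valid_successor(old_generation: int, new_generation: int) -> bool:
    """The newer TEK must carry a sequence number one greater (modulo 4) than the older one."""
    return key_sequence_number(new_generation) == (key_sequence_number(old_generation) + 1) % 4


def generations_by_sequence_number(max_generation: int) -> dict:
    """Which generations share a sequence number: every 4th key repeats it, so a
    receiver that identifies keys only by this number cannot tell them apart."""
    table: dict = {}
    for k in range(max_generation):
        table.setdefault(key_sequence_number(k), []).append(k)
    return table


def demo(tek_lifetime: float = 100.0) -> dict:
    return {
        "active_at_0.75L": active_generations(0.75 * tek_lifetime, tek_lifetime),
        "active_at_1.20L": active_generations(1.20 * tek_lifetime, tek_lifetime),
        "seq_by_generation": [key_sequence_number(k) for k in range(8)],
        "gen0_and_gen4_collide": key_sequence_number(0) == key_sequence_number(4),
    }
```

With the lifetime as the only variable, the model makes the overlap visible (at any instant exactly one or two generations are live) and shows the wrap: generation 4 carries the same identifier as generation 0, which is the ambiguity the slide ties to replay.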
Recommendations
• Use AES CCMP mode
• Two-way authentication using EAP
• Low cost re-authentication during roaming
                  | WEP                       | 802.11i                     | 802.16
Authentication    | Two-way, weak, shared key | Two-way, strong, shared key | One way, strong, based on public key
Crypto            | RC4                       | AES CCMP                    | DES
Message integrity | CRC                       | CCM                         | HMAC
Replay            | None                      | IV                          | Periodic rekeying
Key mgmt          | None                      | EAP based                   | PKM
Conclusions
• Wireless - A spectrum of opportunities
• WiFi
  – Simple, mature, inexpensive, widely deployed
  – Useful for hotspots, building WLANs
  – Very inefficient use of frequency and bandwidth
  – Four security options – no security, WEP, WPA, WPA2 (802.11i)
  – In most networks, weakest link = no security
• WiMAX
  – Flexible, evolving, expensive, experimental
  – Useful for WLANs and WMANs
  – Good for broadband and voice in rural areas
  – More efficient use of frequency and bandwidth
  – Security built in from the start
  – Expected to be inexpensive in 2-3 years
Open issues
• Performance impact of security
  – Even lightweight WEP degrades performance
• Architecture for strong security in heterogeneous WiFi network
  – use of security gateway which grants access based on level of station’s security?
• Mutual authentication between SS and BS based on Identity based cryptography?
References
• Wireless Communications and Networks (William Stallings, 2002)
• Intercepting Mobile Communications: The Insecurity of 802.11(Borisov, Goldberg, and Wagner 2001)
• Your 802.11 Wireless Network Has No Clothes (Arbaugh, Shankar, and Wan 2001)
• Weaknesses in the Key Scheduling Algorithm of RC4(Fluhrer, Mantin, and Shamir 2001)
• The IEEE 802.11b Security Problem, Part 1 (Joseph Williams,2001 IEEE)
• An IEEE 802.11 Wireless LAN Security White Paper (Jason S. King, 2001)
• IEEE Std. 802.16-2001, IEEE Standard for Local and Metropolitan Area Networks, part 16, “Air Interface for Fixed Broadband Wireless Access Systems,” IEEE Press, 2001.
• FIPS PUB 197, Advanced Encryption Standard (AES), Nat’l Inst. of Standards and Technology, Nov. 2001, http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.
• L. Blunk and J. Vollbrecht, “PPP Extensible Authentication Protocol (EAP),” RFC 3748, Internet Eng. Task Force, 2004.
• D. Whiting, R. Housley, and N. Ferguson, “Counter with CBC-MAC (CCM),” RFC 3610, Internet Eng. Task Force, Sept. 2003.
• R. Housley, “Advanced Encryption Standard (AES) Key Wrap Algorithm,” RFC 3394, IETF, Sept. 2002.