By Ramin Hedayatzadeh

“IEEE 802.11i or WPA2”Introduction

Integrity of WEP to WPA (necessity)WPA and its second generation

WPA2 conceptsDefinitionPortions

WPA2 - Personal mode Authentication method (PSK)

WPA2 - Enterprise mode Authentication method (802.1x /EAP)

Ports (controlled n uncontrolled)EAP types supported on new Wi-Fi Certified products

EAP-TLS EAP-TTLS/MSCHAP v2

PEAPv0/EAP-MSCHAP v2 PEAPv1/EAP-GTC

EAP-SIM

Introduction con…

Encryption method (AES)HistoryCCMP conceptsCTR (counter mode)CBC-MAC (Data Authentication

and Integrity)WPA2 Technical considerations

Specifications & FeaturesUpgrade problems

Resources

IntroductionIntroduction

Integrity of WEP to WPA (necessityIntegrity of WEP to WPA (necessity))

By 2001, a series of independent studies from various academic and commercial institutions had identified weaknesses in Wired Equivalent Privacy (WEP), the original native security mechanism for wireless local area networks (WLANs) in the Institute of Electrical and Electronics Engineers (IEEE) 802.11 specification.

WPA and its second generationWPA and its second generation

Introduction cont…Introduction cont…

To address this situation, Wi-Fi® Alliance introduced 2 new interoperable Wi-Fi security specifications for both

enterprise and home networks: In 2003, the Wi-Fi Alliance introduced Wi-Fi Protected

Access (WPA™) as a strong, standards-based interoperable Wi-Fi security specification.

In 2004, the Wi-Fi Alliance introduced Wi-Fi Protected Access 2 (WPA2™), the second generation of WPA

security.

ConceptsConcepts

DefinitionDefinition

WPA2 (Wi-Fi Protected Access 2) provides network administrators with a high level of assurance that only authorized users can access the network. Based on the ratified IEEE 802.11i standard, WPA2 provides government grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm.

Concepts cont..Concepts cont..

WPA2 can be enabled in two WPA2 can be enabled in two versions - Personal and Enterprise:versions - Personal and Enterprise:

WPA2 - Personal protects unauthorized WPA2 - Personal protects unauthorized network access by utilizing a set-up network access by utilizing a set-up password. password.

WPA2 - Enterprise verifies network users WPA2 - Enterprise verifies network users through a server through a server

Scientific definitionScientific definition

WPA2 is a security method in which it WPA2 is a security method in which it supports IEEE 802.1X/EAP authentication supports IEEE 802.1X/EAP authentication or PSK technology and a new advanced or PSK technology and a new advanced encryption mechanism using the Counter-encryption mechanism using the Counter-Mode/CBC-MAC Protocol (CCMP) called Mode/CBC-MAC Protocol (CCMP) called the Advanced Encryption Standard (AES).the Advanced Encryption Standard (AES).

PortionsPortions

WPA2 concludes 2 portions in each mode WPA2 concludes 2 portions in each mode (personal and enterprise)(personal and enterprise)

Authentication Authentication EncryptionEncryption

In comparison both modes use the same In comparison both modes use the same encryption which is AES. but they are encryption which is AES. but they are different in authentication completely:different in authentication completely:

WPA2 - Personal modeWPA2 - Personal mode

Authentication method (PSK)Authentication method (PSK)Personal Mode is designed for home and Personal Mode is designed for home and

small office/home office (SOHO) users small office/home office (SOHO) users who do not have authentication servers who do not have authentication servers available. It operates in an unmanaged available. It operates in an unmanaged mode that uses a pre-shared key (PSK) mode that uses a pre-shared key (PSK) for authentication instead of IEEE 802.1X. for authentication instead of IEEE 802.1X.

WPA2 - Enterprise modeWPA2 - Enterprise mode

Authentication method (802.1x /EAP)Authentication method (802.1x /EAP)

Enterprise Mode is a term given to products that are tested to be interoperable in both PSK and IEEE 802.1X/EAP modes of operation for

authentication.

Port Access EntityPort Access Entity

A PAE, also known as a LAN port, is a A PAE, also known as a LAN port, is a logical entity that supports the IEEE logical entity that supports the IEEE 802.1X protocol that is associated with a 802.1X protocol that is associated with a port. A LAN port can adopt the role of port. A LAN port can adopt the role of authenticator, supplicant, or both.authenticator, supplicant, or both.

SupplicantSupplicant

For wireless connections, the supplicant is the For wireless connections, the supplicant is the logical LAN port on a wireless LAN network logical LAN port on a wireless LAN network adapter, operating in infrastructure mode that adapter, operating in infrastructure mode that requests access to the wired network by proving requests access to the wired network by proving its credentials with authentication. its credentials with authentication.

Supplicants may be included in the client Supplicants may be included in the client operating system, integrated into drivers, or operating system, integrated into drivers, or installed as third-party standalone software. installed as third-party standalone software.

Authenticator:Authenticator:

For wireless connections, the For wireless connections, the authenticator is the logical LAN port authenticator is the logical LAN port through which wireless clients, operating through which wireless clients, operating in infrastructure mode, gain access to the in infrastructure mode, gain access to the wired network.wired network.

Authentication ServerAuthentication Server

. The authentication server checks the . The authentication server checks the credentials of the supplicant on behalf of credentials of the supplicant on behalf of the authenticator, and then responds to the authenticator, and then responds to the authenticator, indicating whether or not the authenticator, indicating whether or not the supplicant is authorized to access the the supplicant is authorized to access the authenticator's services. authenticator's services.

Authentication Server Authentication Server

A component of the APA component of the AP

This is typically not implemented for This is typically not implemented for wireless APs.wireless APs.

A separate entityA separate entity

Typically, a wireless AP uses the Remote Typically, a wireless AP uses the Remote Authentication Dial-In User Service Authentication Dial-In User Service (RADIUS) protocol to send the connection (RADIUS) protocol to send the connection attempt parameters to a RADIUS server.attempt parameters to a RADIUS server.

EAP traffic is exchanged between the client EAP traffic is exchanged between the client (supplicant) and AP (authenticator) over the (supplicant) and AP (authenticator) over the layer 2 EAPol protocol. The supplicant doesn’t layer 2 EAPol protocol. The supplicant doesn’t have layer 3 connectivity to the RADIUS server. have layer 3 connectivity to the RADIUS server. When the AP received EAP traffic from the When the AP received EAP traffic from the Client it converts it to the appropriate RADIUS Client it converts it to the appropriate RADIUS request and then passes it to the RADIUS server request and then passes it to the RADIUS server for processing.for processing.

If the supplicant encrypts the data, the If the supplicant encrypts the data, the authenticator can't inspect the content of the authenticator can't inspect the content of the request, but can extract from the response request, but can extract from the response attributes such as the client’s VLAN assignment.attributes such as the client’s VLAN assignment.

After 802.1x authentication, the client After 802.1x authentication, the client receives the master key (MK) from the receives the master key (MK) from the authentication server. The master key is authentication server. The master key is tied to that authentication session. From tied to that authentication session. From the MK, the same primary master key the MK, the same primary master key (PMK) is generated on both the client and (PMK) is generated on both the client and the authentication server. the authentication server.

Once the user has been authenticated, the Once the user has been authenticated, the authentication server and the client authentication server and the client simultaneously generate a Master Key (PMK).simultaneously generate a Master Key (PMK).

All wireless devices associated with an access All wireless devices associated with an access point must be able to decrypt the broadcast and point must be able to decrypt the broadcast and multicast traffic. They do so with the same group multicast traffic. They do so with the same group key, or GTK.if the AP changes the GTK because key, or GTK.if the AP changes the GTK because it was compromised, the AP issues a it was compromised, the AP issues a replacement key using a simpler two-way replacement key using a simpler two-way handshake with the KEK encrypting the GTK.handshake with the KEK encrypting the GTK.

The 4-Way HandshakeThe 4-Way Handshake

Once a shared PMK is agreed upon Once a shared PMK is agreed upon between the authenticator and the between the authenticator and the supplicant, the authenticator may begin a supplicant, the authenticator may begin a 4-Way Handshake By itself or upon 4-Way Handshake By itself or upon request from the supplicant. request from the supplicant.

The authentication processThe authentication process 1) You can initiate the authentication process either by 1) You can initiate the authentication process either by

the supplicant or the access point. the supplicant or the access point. 2) The supplicant provides its identity by responding to 2) The supplicant provides its identity by responding to

the access point with an EAP-Response/Identity packet. the access point with an EAP-Response/Identity packet. 3) The authentication server sends an 3) The authentication server sends an

EAP-Request/Authentication packet to the access point EAP-Request/Authentication packet to the access point over RADIUS and forwards this to the supplicant over over RADIUS and forwards this to the supplicant over EAPOL. EAPOL.

If the supplicant supports the authentication type, it If the supplicant supports the authentication type, it responds with the EAP-Response/Authentication packet responds with the EAP-Response/Authentication packet to the access point, which forwards this packet to the to the access point, which forwards this packet to the authentication server. authentication server.

Ports (Controlled n Uncontrolled)Ports (Controlled n Uncontrolled)

To control access to a network, the access To control access to a network, the access point uses the concept of "controlled" and point uses the concept of "controlled" and "uncontrolled" ports. Both these ports are "uncontrolled" ports. Both these ports are logical and virtual, but they use a single logical and virtual, but they use a single wireless association (link) between the wireless association (link) between the supplicant and the access point. supplicant and the access point.

Uncontrolled port:Uncontrolled port:The uncontrolled port allows an uncontrolled The uncontrolled port allows an uncontrolled

exchange of data between the authenticator (the exchange of data between the authenticator (the wireless AP) and other networking devices on wireless AP) and other networking devices on the wired network, regardless of any wireless the wired network, regardless of any wireless client's authorization state. The uncontrolled port client's authorization state. The uncontrolled port allows only authentication traffic through it.allows only authentication traffic through it.

Controlled port:Controlled port:The controlled port allows data to be sent The controlled port allows data to be sent between a wireless client and the wired network, between a wireless client and the wired network, the controlled port is initially in an "unauthorized" the controlled port is initially in an "unauthorized" state that makes the supplicant unable to access state that makes the supplicant unable to access the network until it proves its credentials with the the network until it proves its credentials with the authentication server. authentication server.

EAP types supported on new Wi-EAP types supported on new Wi-Fi Certified productsFi Certified products

Extensible Authentication ProtocolExtensible Authentication Protocol

As the name suggests, EAP is designed in As the name suggests, EAP is designed in such a way that the authentication such a way that the authentication mechanisms that EAP uses are mechanisms that EAP uses are extensible. The protocol is flexible enough extensible. The protocol is flexible enough to allow any type of authentication to allow any type of authentication mechanism over it. mechanism over it.

EAP TypesEAP Types

EAP-TLSEAP-TLS PEAPv0/EAP-MSCHAPv2 PEAPv0/EAP-MSCHAPv2 PEAPv1/EAP-GTC PEAPv1/EAP-GTC EAP-TTLS EAP-TTLS

EAP-SIMEAP-SIM

EAP-TLSEAP-TLS

Is the original wireless LAN EAP Is the original wireless LAN EAP authentication protocol. Although it’s rarely authentication protocol. Although it’s rarely implemented due to a steep deployment implemented due to a steep deployment curve, it is still considered one of the most curve, it is still considered one of the most secure EAP standards available and is secure EAP standards available and is universally supported by all manufacturers universally supported by all manufacturers of wireless LAN hardware and software of wireless LAN hardware and software including Microsoft. including Microsoft.

PEAPv0/EAP-MSCHAPv2PEAPv0/EAP-MSCHAPv2

Is the technical term for what people most Is the technical term for what people most commonly refer to as "PEAP". Whenever commonly refer to as "PEAP". Whenever the word PEAP is used, it almost always the word PEAP is used, it almost always refers to this form of PEAP since most refers to this form of PEAP since most people have no idea there are so many people have no idea there are so many flavors of PEAP. Behind EAP-TLS, flavors of PEAP. Behind EAP-TLS, PEAPv0/EAP-MSCHAPv2 is the second PEAPv0/EAP-MSCHAPv2 is the second most widely supported EAP standard in most widely supported EAP standard in the world. the world.

PEAPv1/EAP-GTC PEAPv1/EAP-GTC

Was created by Cisco as an alternative to Was created by Cisco as an alternative to PEAPv0/EAP-MSCHAPv2. It allows the PEAPv0/EAP-MSCHAPv2. It allows the use of an inner authentication protocol use of an inner authentication protocol other than Microsoft’s MSCHAPv2. Even other than Microsoft’s MSCHAPv2. Even though Microsoft (along with RSA and though Microsoft (along with RSA and Cisco) co-invented the PEAP standard, Cisco) co-invented the PEAP standard, Microsoft never added support for PEAPv1 Microsoft never added support for PEAPv1 in general, which means PEAPv1/EAP-in general, which means PEAPv1/EAP-GTC has no native Windows OS support. GTC has no native Windows OS support.

EAP-TTLS EAP-TTLS

Was created by Funk software and Was created by Funk software and Certicom and is primarily backed by Funk Certicom and is primarily backed by Funk software and is supported by other third-software and is supported by other third-party server and client software. party server and client software.

EAP-SIMEAP-SIM

Was created for the GSM (Group Special Was created for the GSM (Group Special Mobile, or Global System for Mobile Mobile, or Global System for Mobile Communications. A 2G digital standard for Communications. A 2G digital standard for cellular phone communications adopted by cellular phone communications adopted by many countries around the world. Its many countries around the world. Its frequency bands range from 900-frequency bands range from 900-1800MHz) mobile telecom industry, which 1800MHz) mobile telecom industry, which favors the use of SIM cards for favors the use of SIM cards for authentication. authentication.

Encryption method (AES)Encryption method (AES)

HistoryHistoryIn 1997, the National Institute of Standards and In 1997, the National Institute of Standards and Technology (NIST) initiated a process to select a Technology (NIST) initiated a process to select a symmetric-key encryption algorithm to be used symmetric-key encryption algorithm to be used to protect sensitive (unclassified) Federal to protect sensitive (unclassified) Federal information in furtherance of NIST’s statutory information in furtherance of NIST’s statutory responsibilities. In 1998, NIST announced the responsibilities. In 1998, NIST announced the acceptance of fifteen candidate algorithms and acceptance of fifteen candidate algorithms and requested the assistance of the cryptographic requested the assistance of the cryptographic research community in analyzing the candidates. research community in analyzing the candidates.

Encryption method (AES)Encryption method (AES)

In cryptography, the Advanced Encryption In cryptography, the Advanced Encryption Standard (AES) is a block cipher adopted Standard (AES) is a block cipher adopted as an encryption standard by the U.S. as an encryption standard by the U.S. government. It is expected to be used government. It is expected to be used worldwide and analyzed extensively, as worldwide and analyzed extensively, as was the case with its predecessor, the was the case with its predecessor, the Data Encryption Standard (DES). Data Encryption Standard (DES).

CCMP conceptsCCMP concepts

AES uses the Counter-Mode/CBC-Mac AES uses the Counter-Mode/CBC-Mac Protocol (CCMP). CCM is a new mode of Protocol (CCMP). CCM is a new mode of operation for a block cipher that enables a operation for a block cipher that enables a single key to be used for both encryption single key to be used for both encryption and authentication. and authentication.

WPA2 Temporal KeysWPA2 Temporal Keys

Data encryption key A 128-bit key Data encryption key A 128-bit key Data integrity key A 128-bit key Data integrity key A 128-bit key EAPOL-Key encryption key A 128-bit key EAPOL-Key encryption key A 128-bit key EAPOL-Key integrity key A 128-bit key EAPOL-Key integrity key A 128-bit key

The 2 underlying modes employed in CCM The 2 underlying modes employed in CCM include Counter mode (CTR) that achieves include Counter mode (CTR) that achieves data encryption/privacy and Cipher Block data encryption/privacy and Cipher Block Chaining Message Authentication Code Chaining Message Authentication Code (CBC-MAC) to provide authentication and (CBC-MAC) to provide authentication and integrity. integrity.

CBC-MAC (Data Authentication CBC-MAC (Data Authentication and Integrity)and Integrity)

The CBC-MAC algorithm produces a message The CBC-MAC algorithm produces a message integrity code (MIC) that provides data origin integrity code (MIC) that provides data origin authentication and data integrity for the wireless authentication and data integrity for the wireless frame. frame.

A Packet Number field A Packet Number field 1) Included in WPA2-protected wireless frame1) Included in WPA2-protected wireless frame 2) Incorporated into the encryption (CTR)2) Incorporated into the encryption (CTR) 3) and MIC calculations 3) and MIC calculations provides replay protection.provides replay protection.

CBC-MAC is used to generate an authentication CBC-MAC is used to generate an authentication component as a result of the encryption process. component as a result of the encryption process. This is different from prior MIC implementations, This is different from prior MIC implementations, in which a separate algorithm for integrity check in which a separate algorithm for integrity check is required. To further enhance its advanced is required. To further enhance its advanced encryption capabilities, AES uses a 48-bit encryption capabilities, AES uses a 48-bit Initialization Vector (IV).Initialization Vector (IV).

AES has no known attacks and the current AES has no known attacks and the current analysis indicates that it takes 2^120 operations analysis indicates that it takes 2^120 operations to break an AES key—making .it an extremely to break an AES key—making .it an extremely secure cryptographic algorithm. secure cryptographic algorithm.

Strictly speaking, AES is not precisely Strictly speaking, AES is not precisely Rijndael (although in practice they are Rijndael (although in practice they are used interchangeably) as Rijndael used interchangeably) as Rijndael supports a larger range of block and key supports a larger range of block and key sizes; AES has a fixed block size of 128 sizes; AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits, bits and a key size of 128, 192 or 256 bits, whereas Rijndael can be specified with whereas Rijndael can be specified with key and block sizes in any multiple of 32 key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a bits, with a minimum of 128 bits and a maximum of 256 bits.maximum of 256 bits.

AES is fast in both software and hardware, AES is fast in both software and hardware, is relatively easy to implement, and is relatively easy to implement, and requires little memory. As a new requires little memory. As a new encryption standard, it is currently being encryption standard, it is currently being deployed on a large scale.deployed on a large scale.

WPA2 Technical considerationsWPA2 Technical considerations

Is WPA still secure?Is WPA still secure?

Why is the Alliance introducing Why is the Alliance introducing WPA2?WPA2?

WPA2 Mixed ModeWPA2 Mixed ModePMK CachingPMK CachingPreauthenticationPreauthentication

New featuresNew features

ResourcesResources WiFi planet 2004WiFi planet 2004 intel.com - mobile and wireless protection intel.com - mobile and wireless protection technet.microsoft.com - cable guy 2002technet.microsoft.com - cable guy 2002 technet.microsoft.com - cable guy may 2005 technet.microsoft.com - cable guy may 2005 Microsoft Encyclopedia of Networking 2004Microsoft Encyclopedia of Networking 2004 Microsoft Encyclopedia of security 2004Microsoft Encyclopedia of security 2004 Cisco Systems - FAQ on Aironets 2005Cisco Systems - FAQ on Aironets 2005 WiFi alliance - knowledge center 2006WiFi alliance - knowledge center 2006 WiFi alliance - WPA2 Q&AWiFi alliance - WPA2 Q&A WiFi alliance - Deploying WPA™ and WPA2™ in the EnterpriseWiFi alliance - Deploying WPA™ and WPA2™ in the Enterprise Wikipedia.orgWikipedia.org TechTarget 2006TechTarget 2006 IBM - developerWorksIBM - developerWorks http://blogs.zdnet.com/Ou/?p=67http://blogs.zdnet.com/Ou/?p=67