Page 1: © 2002, Cisco Systems, Inc. WLAN Standards and Security Solutions

WLAN Standards and Security Solutions

Dan Cusick, Mobility Marketing Manager
Cisco Systems, Inc.
[email protected]

Page 2: Agenda

• 802.11 standards activities

• Wireless LAN Security – Authentication and Encryption

• Security Enhancements

• Future trends

Page 3: Wireless Technologies

|              | PAN (Personal Area Network)    | LAN (Local Area Network) | MAN (Metropolitan Area Network)  | WAN (Wide Area Network)              |
|--------------|--------------------------------|--------------------------|----------------------------------|--------------------------------------|
| Standards    | Bluetooth                      | 802.11, HiperLAN2        | 802.11, MMDS, LMDS               | GSM, GPRS, CDMA, 2.5-3G              |
| Speed        | < 1 Mbps                       | 11 to 54 Mbps            | 11 to 100+ Mbps                  | 10 to 384 Kbps                       |
| Range        | Short                          | Medium                   | Medium-Long                      | Long                                 |
| Applications | Peer-to-Peer, Device-to-Device | Enterprise networks      | T1 replacement, last mile access | PDAs, Mobile Phones, cellular access |

Page 4: WLAN “Alphabet Soup”: IEEE 802.11 Standards Activities

• 802.11a: 5 GHz, 54 Mbps
• 802.11b: 2.4 GHz, 11 Mbps
• 802.11d: Multiple regulatory domains
• 802.11e: Quality of Service (QoS)
• 802.11f: Inter-Access Point Protocol (IAPP)
• 802.11g: 2.4 GHz, 54 Mbps
• 802.11h: Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC)
• 802.11i: Security

Page 5: 802.11a

• 5 GHz, 54 Mbps, OFDM technology
  – Data rates supported: 54, 48, 36, 24, 12, and 6 Mbps
  – Can “downshift” to lower data rates for longer range

• 802.11a products now available

• Worldwide compatibility issues for 5 GHz band
  – Effort underway to allow 802.11a operation in European countries
  – Long-term: Worldwide usage with adoption of Transmit Power Control (TPC) and Dynamic Frequency Selection (DFS) per 802.11h standard

• 5 GHz band has more channels than 2.4 GHz band
  – UNII-1 + UNII-2 = 8 non-overlapping channels (vs. 3 channels for 2.4 GHz)

• 5 GHz band subject to less interference than 2.4 GHz ISM band
  – However, 2.4 GHz interference not a major problem in most business environments

Page 6: Understanding the 5 GHz Spectrum

5 GHz UNII band edges (GHz): 5.15 | 5.25 | 5.35 | 5.470 | 5.725 | 5.825

US (FCC): 12 channels (*can use up to 6 dBi gain antenna)
• UNII-1 (5.15–5.25 GHz): 40 mW (22 dBm EIRP), 4 channels. Indoor use, antenna must be fixed to the radio
• UNII-2 (5.25–5.35 GHz): 200 mW (29 dBm EIRP), 4 channels. Indoor/outdoor use, fixed or remote antenna
• UNII-3 (5.725–5.825 GHz): 800 mW (35 dBm EIRP), 4 channels. Outdoor bridging only (EIRP limit is 52 dBm if PtP)

Europe: 19 channels (*assumes no antenna gain)
• 200 mW in 5.15–5.35 GHz (4 + 4 channels)
• 1 W in 5.470–5.725 GHz (11 channels)

*if you use a higher gain antenna, you must reduce the transmit power accordingly
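The slide's EIRP figures are the conducted power plus antenna gain, and its footnote says that a higher-gain antenna forces lower transmit power. The following calculation is an added example, not part of the Cisco deck; the per-band limits in it are taken from the slide, the 6 dBi antenna gain is the FCC-column assumption the slide states, and cable loss is an added parameter the slide does not mention.

```python
import math

# EIRP ceilings per UNII sub-band in dBm, copied from the slide (regulatory
# limits change over time; this table only reproduces the slide's figures).
UNII_EIRP_LIMIT_DBM = {"UNII-1": 22, "UNII-2": 29, "UNII-3": 35}

# Conducted power per sub-band from the slide, in mW.
UNII_TX_POWER_MW = {"UNII-1": 40, "UNII-2": 200, "UNII-3": 800}

# The slide's EIRP figures line up with its "*can use up to 6dBi gain antenna" note.
SLIDE_ANTENNA_GAIN_DBI = 6


def mw_to_dbm(power_mw: float) -> float:
    """Conducted power in milliwatts expressed in dBm (0 dBm = 1 mW)."""
    return 10 * math.log10(power_mw)


def dbm_to_mw(power_dbm: float) -> float:
    return 10 ** (power_dbm / 10)


def eirp_dbm(tx_power_mw: float, antenna_gain_dbi: float, cable_loss_db: float = 0.0) -> float:
    """EIRP = conducted power + antenna gain - feedline loss (the slide ignores loss)."""
    return mw_to_dbm(tx_power_mw) + antenna_gain_dbi - cable_loss_db


def max_tx_power_mw(band: str, antenna_gain_dbi: float, cable_loss_db: float = 0.0) -> float:
    """Largest conducted power (mW) that keeps EIRP within the band's ceiling.
    This is the slide's footnote as arithmetic: more gain, less transmit power."""
    return dbm_to_mw(UNII_EIRP_LIMIT_DBM[band] - antenna_gain_dbi + cable_loss_db)


def within_limit(band: str, tx_power_mw: float, antenna_gain_dbi: float) -> bool:
    """Compliance check, comparing to the nearest whole dB as the slide does."""
    return round(eirp_dbm(tx_power_mw, antenna_gain_dbi)) <= UNII_EIRP_LIMIT_DBM[band]


if __name__ == "__main__":
    for band, mw in UNII_TX_POWER_MW.items():
        print(f"{band}: {mw} mW = {mw_to_dbm(mw):.1f} dBm, "
              f"+{SLIDE_ANTENNA_GAIN_DBI} dBi -> {eirp_dbm(mw, SLIDE_ANTENNA_GAIN_DBI):.1f} dBm EIRP")
    # A 12 dBi antenna in UNII-1 caps conducted power at 10 mW instead of 40 mW.
    print(f"UNII-1 with 12 dBi antenna: max {max_tx_power_mw('UNII-1', 12):.1f} mW")
```

Running it reproduces the slide's 22/29/35 dBm figures from 40/200/800 mW plus 6 dBi, which is the quickest way to confirm what gain the slide assumed before reusing its numbers for a different antenna.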

Page 7: 802.11g

• 2.4 GHz, up to 54 Mbps, OFDM/CCK technology

• Preliminary draft standard submitted Dec. 2001; currently on 802.11g draft standard v3.0

• Goal: Full forward/backward compatibility with 802.11b
  – Provide upgrade path & investment protection for 802.11b users
  – The coming of 802.11g “future proofs” 802.11b purchases today

• Initial SOHO 802.11g products released

• 54 Mbps enterprise-class 802.11g products expected 2nd half of 2003

Page 8: 802.11 Positioning

5 GHz – 802.11a
• 54 Mbps
• Higher expected throughput than 802.11g
• 8 channels for indoor use (allows “honeycomb” network deployment)
• 12 channels total
• Global acceptance
• 5 GHz band has less interference

2.4 GHz – 802.11b & g
• 11 Mbps / 36 Mbps / 54 Mbps
• 3 channels
• Worldwide
• 802.11g is forward-and-backward compatible with 802.11b
• Easy upgrade path to 802.11g
• 802.11b has advantages on cost, size, & power consumption, so will continue to be popular, especially with PDAs, phones

Both frequency bands will be successful!

Page 9: Agenda

• 802.11 standards activities

• Wireless LAN Security – Authentication and Encryption

• Security Enhancements

• Future trends

Page 10: Wireless LAN Security Issues

Issue
• Wireless sniffer can view all WLAN data packets
• Anyone in AP coverage area can get on WLAN

802.11 WEP Solution
• Encrypt all data transmitted between client and AP
• Without encryption key, user cannot transmit or receive data

Goal: Make WLAN security equivalent to that of wired LANs (Wired Equivalent Privacy)

(Diagram: client – access point (AP) – Wireless LAN (WLAN) – Wired LAN)

Page 11: Limitations of 802.11 WEP Security

• Shared, static WEP keys
  – No centralized key management
  – Poor protection from variety of security attacks

• No effective way to deal with lost or stolen adapter
  – Possessor has network access
  – Re-keying of all WLAN client devices is required

• No mutual authentication

• Lack of integrated user administration
  – Need for separate user databases; no use of RADIUS
  – Potential to identify user only by device attribute like MAC address

• Inherent weaknesses in RC4-based WEP keys

Remedies called out on the slide: 802.1X, WPA, TKIP and AES

Page 12: “Business Class” Security: 802.11i Task Group Recommendations

• Mutual Authentication
• Dynamic Session Key
• Message Integrity Check (MIC)
• Temporal Key Integrity Protocol (TKIP)
  — Per-packet Key Hashing
  — Initialization Vector Sequencing
  — Rapid Re-Keying
• Future
  — Stronger encryption schemes such as AES

Page 13: 802.1X/EAP Advantages for 802.11i

• Part of 802.11i draft

• Mutual authentication
  – Supports various authentication types

• Encryption keys dynamically derived after authentication

• Centralized policy control, scalable, user-based authentication

Page 14: 802.1X Mutual Authentication Process

Participants: client, AP, RADIUS server

1. Client → AP: Start
2. AP → client: Request identity
3. Client → AP → RADIUS server: identity
4. RADIUS server authenticates client
5. Client authenticates RADIUS server
6. Server message received; client and RADIUS server each derive key

AP blocks all requests until authentication completes

Page 15: 802.1X Authentication Types

• LEAP (EAP Cisco Wireless)
  – User authentication via user ID and password
  – Supports Windows, CE, Linux, Mac OS, and DOS
  – Aggressive licensing program by Cisco to other vendors

• EAP-TLS (EAP-Transport Layer Security)
  – User authentication via client certificates and server certificates
  – Supported in XP and soon other Windows versions

• PEAP (Protected EAP)
  – User authentication via user ID and password or OTP
  – Supported by Cisco Aironet client adapters and by Microsoft in various Windows versions
  – Uses server-side TLS, which requires only server certificates

• EAP-TTLS
  – User authentication via user ID and password or OTP
  – Supported by Funk Software’s Odyssey
  – Uses server-side TLS

Page 16: 802.1X/LEAP Mutual Authentication

Participants: client, AP, RADIUS server

1. Client → AP: Start
2. AP → client: Request identity
3. Client → AP → RADIUS server: identity
4. RADIUS server authenticates client
5. Client authenticates RADIUS server
6. Client and RADIUS server each derive key

AP blocks all requests until authentication completes

Mutual Authentication is required to prevent rogue clients (e.g. in the parking lot) from accessing your network, AND to prevent rogue AP’s from “stealing” data from your clients

Page 17: PEAP Authentication

Participants: client, RADIUS server, user database

1. Use server-side EAP-TLS to authenticate RADIUS server…
2. …and build SSL-encrypted tunnel
3. Use tunnel to authenticate user via token, one-time password, or other data (the user-supplied token is checked against the user database)

PEAP sets up a secure, encrypted tunnel between client and RADIUS server

Page 18: WEP: AirSnort “Weak IV” Attack

• Attack is based on Fluhrer/Mantin/Shamir paper
• Initialization vector (IV) is 24-bit field that changes with each packet
• RC4 Key Scheduling Algorithm creates IV from base key
• Flaw in WEP implementation of RC4 allows creation of “weak” IVs that give insight into base key
• More packets = more weak IVs = better chance to determine base key
• To break key, hacker needs 100,000-1,000,000 packets

WEP frame: dest addr | src addr | IV | encrypted data

Page 19: TKIP: WEP Key Hashing

No key hashing (WEP):
  IV + base key → RC4 stream cipher → XOR plaintext data → encrypted data

Key hashing (TKIP):
  IV + base key → hash → packet key (IV still sent in the clear) → RC4 stream cipher → XOR plaintext data → encrypted data

Because packet key is hash of IV and base key, IV no longer gives insight into base key
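The difference between the two halves of this slide, and the reason the weak-IV concern on the previous slide goes away, is what the RC4 key looks like per packet. The code below is an added example, not from the Cisco deck: it builds the WEP per-packet key exactly as WEP does (IV prepended to the base key) and contrasts it with a hashed per-packet key. The hashing step is a labelled stand-in (HMAC-SHA256 over transmitter address and IV, keyed by the base key); TKIP's real mixing function is a two-phase S-box construction that also folds in a sequence counter. The base key and MAC address are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; a real deployment gets the base key from 802.1X.
BASE_KEY = bytes.fromhex("0102030405060708090a0b0c0d")   # 104-bit ("128-bit") WEP key
TRANSMITTER_ADDR = bytes.fromhex("001122334455")           # MAC address fed into key mixing


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA) then keystream generation (PRGA).
    Encryption and decryption are the same XOR operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                      # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_packet_key(iv: bytes, base_key: bytes) -> bytes:
    """WEP: the RC4 key is the 24-bit IV followed by the base key. The first three
    key bytes are public and the secret part is identical in every packet."""
    return iv + base_key


def hashed_packet_key(iv: bytes, base_key: bytes, transmitter_addr: bytes) -> bytes:
    """Per-packet key derived by hashing IV and transmitter address under the base key.
    Stand-in: HMAC-SHA256 truncated to 128 bits, not TKIP's own two-phase mixing."""
    return hmac.new(base_key, transmitter_addr + iv, hashlib.sha256).digest()[:16]


def encrypt(iv: bytes, base_key: bytes, plaintext: bytes, key_hashing: bool) -> bytes:
    """Frame body: IV in the clear, then RC4-encrypted data."""
    key = (hashed_packet_key(iv, base_key, TRANSMITTER_ADDR) if key_hashing
           else wep_packet_key(iv, base_key))
    return iv + rc4(key, plaintext)


def decrypt(frame: bytes, base_key: bytes, key_hashing: bool) -> bytes:
    iv, body = frame[:3], frame[3:]
    key = (hashed_packet_key(iv, base_key, TRANSMITTER_ADDR) if key_hashing
           else wep_packet_key(iv, base_key))
    return rc4(key, body)


def shared_suffix_len(k1: bytes, k2: bytes) -> int:
    """How many trailing bytes two per-packet keys have in common."""
    n = 0
    for a, b in zip(reversed(k1), reversed(k2)):
        if a != b:
            break
        n += 1
    return n


if __name__ == "__main__":
    iv1, iv2 = b"\x00\x00\x01", b"\x00\x00\x02"
    print("WEP keys share", shared_suffix_len(wep_packet_key(iv1, BASE_KEY),
                                               wep_packet_key(iv2, BASE_KEY)), "trailing bytes")
    print("hashed keys share", shared_suffix_len(hashed_packet_key(iv1, BASE_KEY, TRANSMITTER_ADDR),
                                                  hashed_packet_key(iv2, BASE_KEY, TRANSMITTER_ADDR)),
          "trailing bytes")
    frame = encrypt(iv1, BASE_KEY, b"hello wlan", key_hashing=True)
    print(decrypt(frame, BASE_KEY, key_hashing=True))
```

With plain WEP, two packets that differ only in IV use RC4 keys sharing all 13 secret bytes, which is the structure the Fluhrer/Mantin/Shamir analysis relies on; with a hashed packet key the secret never appears in the RC4 key at all, so collecting IVs gives no direct view of it. Note that hashing alone does not fix IV reuse or forgery, which is why TKIP also adds IV sequencing and the MIC of the following slides.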

Page 20: WEP: Bit-Flipping and Replay Attack

• Hacker intercepts WEP-encrypted packet
• Hacker flips bits in packet and recalculates ICV CRC32
• Hacker transmits to AP bit-flipped frame with known IV
• Because CRC32 is correct, AP accepts, forwards frame
• Layer 3 device rejects and sends predictable response
• AP encrypts response and sends it to hacker
• Hacker uses response to derive key (stream cipher)

Diagram:
  message (plain text 1234) XOR stream cipher (XXYYZZ) = cipher text
  cipher text XOR predicted plain text (1234) = stream cipher

Page 21: Message Integrity Check (MIC)

WEP frame: dest addr | src addr | IV | encrypted data
  encrypted data = (MIC | seq # | plaintext | ICV) XOR stream cipher

Sender adds MIC to packet

Recipient examines MIC; discards packet if MIC is not intact
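Slides 20 and 21 together make one point: the WEP ICV is a CRC-32, which is linear over XOR, so a change to the encrypted data can be paired with a predictable change to the ICV, whereas a keyed MIC plus a sequence number cannot be patched that way. The example below is added here and is not code from the Cisco deck. It models a receiver with only an ICV beside a receiver that also checks a MIC and sequence counter, using a fixed constructed keystream in place of RC4 output and HMAC-SHA256 truncated to 64 bits as a labelled stand-in for TKIP's Michael MIC.

```python
import hashlib
import hmac
import zlib

# Constructed keystream standing in for the RC4 output of one (IV, key) pair.
KEYSTREAM = b"".join(hashlib.sha256(b"constructed keystream %d" % i).digest() for i in range(8))
# Constructed MIC key; in TKIP it is derived from the session key set up after 802.1X.
MIC_KEY = b"constructed MIC key"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_cipher(body: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with the fixed keystream."""
    return xor(body, KEYSTREAM[:len(body)])


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian, no key involved."""
    return zlib.crc32(data).to_bytes(4, "little")


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over XOR: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros).
    This is why a data change can be matched by a computable ICV change."""
    zeros = bytes(len(a))
    return zlib.crc32(xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def wep_send(plaintext: bytes) -> bytes:
    return stream_cipher(plaintext + icv(plaintext))


def wep_receive(frame: bytes):
    """WEP receiver: returns the plaintext if the ICV matches, else None."""
    body = stream_cipher(frame)
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None


def flip_bits_keeping_icv(frame: bytes, delta: bytes) -> bytes:
    """Model of the slide's bit-flip: XOR `delta` into the encrypted data and the
    matching CRC correction into the encrypted ICV, with no key or keystream."""
    assert len(delta) == len(frame) - 4
    correction = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(frame, delta + correction.to_bytes(4, "little"))


def mic(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Keyed MIC over sequence number and plaintext (HMAC-SHA256 truncated to
    8 bytes, a stand-in for TKIP's Michael)."""
    return hmac.new(key, seq.to_bytes(6, "big") + plaintext, hashlib.sha256).digest()[:8]


def tkip_send(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Frame layout from the slide: seq # | plaintext | MIC | ICV, all under the stream cipher."""
    body = seq.to_bytes(6, "big") + plaintext + mic(key, seq, plaintext)
    return stream_cipher(body + icv(body))


def tkip_receive(key: bytes, frame: bytes, last_seq: int):
    """Accept only if ICV, sequence counter and MIC all check out; else None."""
    body = stream_cipher(frame)
    data, tag = body[:-4], body[-4:]
    if icv(data) != tag:
        return None
    seq, plaintext, mic_tag = int.from_bytes(data[:6], "big"), data[6:-8], data[-8:]
    if seq <= last_seq:                       # replayed or reordered frame
        return None
    if not hmac.compare_digest(mic_tag, mic(key, seq, plaintext)):
        return None
    return plaintext


if __name__ == "__main__":
    p = b"to=10.0.0.9"
    delta = bytes(len(p) - 1) + b"\x01"      # turns the final '9' into '8'
    print("ICV-only receiver accepts modified frame:",
          wep_receive(flip_bits_keeping_icv(wep_send(p), delta)))
    f = tkip_send(MIC_KEY, 1, p)
    print("MIC receiver, modified frame:",
          tkip_receive(MIC_KEY, flip_bits_keeping_icv(f, bytes(6) + delta + bytes(8)), 0))
    print("MIC receiver, replayed frame:", tkip_receive(MIC_KEY, f, 1))
```

The ICV-only receiver hands a modified destination up the stack, which is the first step of the slide's attack chain; the MIC receiver drops the same frame because the attacker cannot recompute a keyed tag, and drops a replayed copy because its sequence number is not newer than the last accepted one.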

Page 22: Agenda

• 802.11 standards activities

• Wireless LAN Security – Authentication and Encryption

• Security Enhancements

• Future trends

Page 23: WPA = “Wi-Fi Protected Access”

• WPA = 802.1X + TKIP
  – WPA requires authentication & encryption
  – 802.1X authentication choices include LEAP, PEAP, TLS

• Industry suppliers are strong supporters of WPA
  – Builds on 802.1X and TKIP, similar to what Cisco has been supporting since December 2000
  – Widespread adoption of WPA will remove the “security cloud” from the WLAN industry
  – WPA is as secure as Cisco’s current security offering; WPA will become accepted as the standard

• WPA compliance is needed for Wi-Fi certification of new products beginning in August 2003
  – Cisco AP currently being tested for use as a WPA reference platform at the Wi-Fi Plugfest

Page 24: 4 Security Profiles

| Profile                 | Mechanisms                                                                                  | Typical use                     |
|-------------------------|---------------------------------------------------------------------------------------------|---------------------------------|
| Open Access             | No WEP and Broadcast Mode                                                                   | Public Access                   |
| Basic Security          | 40-bit and 128-bit Static Encryption Key                                                    | Telecommuter & SOHO             |
| Enhanced Security       | Mutual 802.1x/EAP Authentication, Dynamic Encryption Key, Scalable Key Management, TKIP/WPA | Mid-Market and Enterprise       |
| Public Network Security | Virtual Private Network (VPN)                                                               | Special Apps./Business Traveler |

Page 25: Remote Access Security using VPN

(Diagram: High Speed Wireless at Hotel/Airport → Internet → Firewall → Enterprise; Secure Intranet Using VPN)

Page 26: VPN for 802.11 Access

Pros
• Familiar
  – In use in most organizations
  – Makes WLAN and remote access UIs consistent
• Trusted for authentication and privacy
  – Supports central security management
  – Ensures 3DES encryption from client to concentrator
• Compatible with Aironet and other WLAN products

Cons
• Cost: Requires VPN concentrators behind APs
• Performance: Encryption is done in software on client
• Roaming: Roaming between VPN concentrators forces application restarts
• QoS: All traffic is IPSec traffic; no QoS, multicast, or multiprotocol support
• Clients: Not supported on phones, scanners, or other specialized devices

Page 27: Client Differentiation without VLANs

Client types:
• SSID: phone; Security: WEP
• SSID: laptop; Security: PEAP, TKIP
• SSID: pda; Security: LEAP, CKIP

Access points, each on its own channel, connected to the 802.1Q wired network w/ VLANs:
• Channel: 1, SSID: laptop, VLAN: 1
• Channel: 6, SSID: pda, VLAN: 2
• Channel: 11, SSID: phone, VLAN: 3

Page 28: Client Differentiation with VLANs

Client types:
• SSID: phone; Security: WEP
• SSID: laptop; Security: PEAP, TKIP
• SSID: pda; Security: LEAP, CKIP

Single access point on Channel: 6, connected to the 802.1Q wired network w/ VLANs:
• SSID laptop = VLAN 1
• SSID pda = VLAN 2
• SSID phone = VLAN 3

Page 29: Wireless LAN Security Architecture

• IEEE 802.1x/EAP – Standard network protocol that makes wireless networking as secure as wired.

• Encryption – Enhancements to WEP with TKIP secure all data transmissions
  – Dynamic Session Keys
  – Key hashing to prevent weak IVs
  – Message Integrity Check

• Authentication – Network access is blocked until mutual authentication complete
  – Selection of authentication type derived from mobile application and devices (TLS, PEAP, LEAP, …)

• VLANs – users can segment traffic and offer differentiated services and policies to different user groups

• WPA – WiFi Protected Access
  – Standard encryption architecture based on TKIP to be supported as a WECA test standard in August ’03

Page 30: Agenda

• 802.11 standards activities

• Wireless LAN Security – Authentication and Encryption

• Security Enhancements

• Future trends

Page 31: Momentum Continues in Deploying Wireless LANs

• Wireless LANs are an “addictive” technology

• Strong commitment to Wireless LANs by technology heavy-weights
  – Cisco, IBM, Intel, Microsoft

• Embedded market is growing
  – Laptop PCs with “wireless inside”
  – PDAs are next

• The WLAN market is expanding from Industry-Specific Applications, to Universities, Homes, & Offices

Page 32: Future Trends

• Enterprise wireless applications begin to explode
  – Availability of notebooks with embedded wireless
  – PDAs, Web Pads, Phones w/ 802.11
  – Dual band (802.11a/b/g) supported

• Widespread availability of 802.11 access
  – VLANs in the enterprise common areas
  – Franchise locations offering wireless access
  – Service Providers offering wireless access in the public venue

• Mobile worker staying connected at work, home and on the road!

• Multiple Authentication types to be supported in the Enterprise

Page 33: (blank slide)

Page 34: What is Cisco Wireless Security Suite?

• 802.1X-EAP based security solution that closely parallels the security available in a wired LAN

• Enterprise-class security with scalable, centralized management

• Dynamic per-user, per-session WEP encryption keys

• Authentication: Support for Extensible Authentication Protocol (EAP) types such as LEAP, PEAP, EAP-TLS

• Encryption: Dynamic privacy protection via Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC), Per-packet Key Hashing, and Broadcast Key Rotation

• Roadmap to WPA and AES (hardware)

Page 35: What is PEAP?

• 802.1x framework, certificate-based authentication

• Creates encrypted tunnel between client and RADIUS server, similar to VPN

• Leverages server-side EAP-TLS using digital certificates

• Supports a variety of different client authentication methods, including log-on passwords and one-time passwords (OTPs)
  – PEAP supported in Cisco ACS Server software ver. 3.1 (target FCS: 3Q’02)
  – One-Time Password (“OTP”) is a Cisco enhancement to PEAP, similar to Softoken or OTP cards

• Based on an RFC Draft jointly submitted by Cisco Systems, Microsoft and RSA Security to the IETF

• Initial support on Windows XP (Win 2K CQ2’03)

Page 36: TKIP and AES

• TKIP: Temporal Key Integrity Protocol
  – Enhancements to RC4-based WEP keys
  – Key hashing (per-packet keying): Strengthens encryption
  – Message integrity check (MIC): Ensures message integrity
  – Works with static and dynamic (802.1X) keys

• AES
  – Provides stronger encryption algorithm than RC4
  – Includes MIC
  – Supports key lengths of up to 256 bits
  – Works with static and dynamic (802.1X) keys
  – Is accepted by U.S. federal government for FIPS compliance
  – For best performance, requires hardware (radio) implementation

Page 37: PEAP Authentication Overview

Participants: Supplicant, AP, RADIUS server, Enterprise Network

1. Supplicant → AP: EAPOL Start (Start EAP Authentication)
2. AP → Supplicant: EAP-Request/Identity (Ask client for identity)
3. Supplicant → AP: EAP-Response/Identity (NAI)
4. AP → RADIUS server: RADIUS Access request (Access Request with NAI)
5. Supplicant ↔ RADIUS server: Perform sequence defined by PEAP (Server-side TLS, then Client-side Authentication)
6. RADIUS server → AP: RADIUS Access Accept (Pass session key to AP); Client derives session key
7. AP → Supplicant: EAP success
8. AP → Supplicant: EAPOL-Key (multicast): Deliver broadcast key encrypted with session key
9. AP → Supplicant: EAPOL-Key (session parameters)

Recommended
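Slides 14, 16 and 37 all describe the same 802.1X exchange: the AP relays EAP between supplicant and RADIUS server, keeps its controlled port closed until it receives an Access-Accept, and both sides end up with a session key while the client also verifies the server. The simulation below is an added example, not code from the Cisco deck or any Cisco product. Its inner method is a labelled stand-in: an HMAC challenge-response in both directions keyed by the user's password, rather than LEAP's MS-CHAP exchange or PEAP's TLS tunnel. User names, passwords and the rogue-server class are constructed for the example.

```python
import hashlib
import hmac
import os


def prf(secret: bytes, *parts: bytes) -> bytes:
    """Keyed derivation for proofs and session keys (stand-in for an EAP method's PRF)."""
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()


class RadiusServer:
    """Authentication server holding the user database (constructed users)."""

    def __init__(self, users: dict):
        self.users = users            # NAI -> password
        self.pending = {}             # NAI -> outstanding challenge

    def access_request(self, nai: str) -> bytes:
        """RADIUS Access-Request arrives with the NAI; answer with a challenge."""
        challenge = os.urandom(16)
        self.pending[nai] = challenge
        return challenge

    def verify(self, nai: str, client_nonce: bytes, client_proof: bytes):
        """Access-Accept (server proof + session key) or None for Access-Reject."""
        password = self.users.get(nai)
        challenge = self.pending.pop(nai, None)
        if password is None or challenge is None:
            return None
        expected = prf(password, b"client", challenge, client_nonce)
        if not hmac.compare_digest(client_proof, expected):
            return None
        server_proof = prf(password, b"server", client_nonce, challenge)
        session_key = prf(password, b"session", challenge, client_nonce)
        return server_proof, session_key


class RogueServer(RadiusServer):
    """Constructed model of a rogue AP/server: knows no passwords, 'accepts' everyone."""

    def verify(self, nai, client_nonce, client_proof):
        return os.urandom(32), os.urandom(32)


class Supplicant:
    def __init__(self, nai: str, password: bytes):
        self.nai, self.password = nai, password
        self.session_key = None

    def respond(self, challenge: bytes):
        self.nonce, self.challenge = os.urandom(16), challenge
        return self.nonce, prf(self.password, b"client", challenge, self.nonce)

    def check_server(self, server_proof: bytes) -> bool:
        """Mutual authentication: only a server holding the password can produce this."""
        expected = prf(self.password, b"server", self.nonce, self.challenge)
        if not hmac.compare_digest(server_proof, expected):
            return False
        self.session_key = prf(self.password, b"session", self.challenge, self.nonce)
        return True


class AccessPoint:
    """802.1X authenticator: relays EAP and keeps the controlled port closed until Accept."""

    def __init__(self, server: RadiusServer):
        self.server = server
        self.authorized = {}          # NAI -> session key, once the port is open
        self.log = []

    def forward_data(self, nai: str, payload: bytes) -> bool:
        """Controlled port: data frames are dropped until authentication completes."""
        return nai in self.authorized

    def authenticate(self, client: Supplicant) -> bool:
        self.log += ["EAPOL-Start", "EAP-Request/Identity", f"EAP-Response/Identity({client.nai})"]
        challenge = self.server.access_request(client.nai)
        self.log.append("RADIUS Access-Request -> Access-Challenge")
        nonce, proof = client.respond(challenge)
        result = self.server.verify(client.nai, nonce, proof)
        if result is None:
            self.log.append("RADIUS Access-Reject -> EAP-Failure")
            return False
        server_proof, session_key = result
        if not client.check_server(server_proof):
            self.log.append("client rejected server proof -> no session")
            return False
        self.authorized[client.nai] = session_key
        self.log += ["RADIUS Access-Accept (session key to AP)", "EAP-Success", "EAPOL-Key"]
        return True


if __name__ == "__main__":
    users = {"alice@example.com": b"correct horse battery"}   # constructed user database
    ap = AccessPoint(RadiusServer(users))
    alice = Supplicant("alice@example.com", b"correct horse battery")
    print("data forwarded before auth:", ap.forward_data(alice.nai, b"payload"))
    print("authenticated:", ap.authenticate(alice))
    print("data forwarded after auth:", ap.forward_data(alice.nai, b"payload"))
    print("\n".join(ap.log))
```

Three cases are worth running: the legitimate user opens the port and shares a session key with the AP; a wrong password produces an Access-Reject and the port stays closed (the parking-lot client of slide 16); and a server that accepts without knowing the password is refused by the supplicant, which is the rogue-AP half of the mutual-authentication argument.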