IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Date post: 21-Dec-2015
Page 1: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE 802.11

Wireless Local Area Networks (WLAN’s)

Page 2: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Two modes of operation:

1. Ad-Hoc Mode: The clients communicate directly with each other. No mediation is needed.

2. Infrastructure Mode: Clients and stations. Stations – Computers with NIC (Network Interface Cards) and Access Points (APs)

Page 3: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Communication With APs

3 stages:

1. Unauthenticated and Unassociated.

2. Authenticated and Unassociated.

3. Authenticated and Associated.

Page 4: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Wireless Protocols

IEEE 802.11: WEP for security, Challenge/Response with symmetric key for authentication

IEEE 802.1X: WEP for security, EAP for authentication

Page 5: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

WEP - Wired Equivalent Privacy

Link layer security protocol.

Secures IEEE 802.11 communications.

Based upon RC4 stream cipher encryption system, with symmetric key.

Page 6: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

WEP protocol

[Figure: WEP encryption and decryption. Labels: Shared Secret key (40 bits), IV - Initialization vector (24 bits), the two together (64 bits) as RC4 input, Original text, CRC32, Encrypted text, IV sent in clear.]

Page 7: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Security problems in WEP

Over the years, many security problems have been discovered in WEP.

We will discuss the most important of those problems, which is known as the “IV Collisions” problem.

Page 8: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IV Collisions

Every once in a while, an IV gets reused.

C1 = P1 ⊕ RC4(v,k)

C2 = P2 ⊕ RC4(v,k)

Page 9: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IV Collisions (2)

We get the following equation: C1 ⊕ C2 = (P1 ⊕ RC4(v,k)) ⊕ (P2 ⊕ RC4(v,k))

XOR is associative (and the two identical RC4(v,k) terms cancel each other), and therefore: C1 ⊕ C2 = P1 ⊕ P2
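The IV collision slides above, worked through as an added example that is not part of the original slides: a WEP-style encryptor (RC4 keyed with IV followed by the shared key, CRC32 appended to the plaintext) and a check that finds reused IVs in a list of frames. The key, IVs and plaintexts are constructed for the illustration.

```python
# Added illustration: WEP-style keystream reuse. Key, IVs and plaintexts are constructed.
import zlib
from collections import defaultdict

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes):
    """Return (IV in clear, ciphertext): RC4(v,k) XOR (plaintext || CRC32)."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv, xor(body, rc4(iv + key, len(body)))

def reused_ivs(frames):
    """Group frame indexes by cleartext IV; return only IVs seen more than once."""
    seen = defaultdict(list)
    for idx, (iv, _) in enumerate(frames):
        seen[iv].append(idx)
    return {iv: idxs for iv, idxs in seen.items() if len(idxs) > 1}

KEY = bytes.fromhex("0102030405")             # constructed 40-bit shared key
P1, P2, P3 = b"GET /index.html ", b"user=alice&id=42", b"unrelated frame!"
FRAMES = [
    wep_encrypt(b"\x00\x00\x01", KEY, P1),
    wep_encrypt(b"\x00\x00\x02", KEY, P3),
    wep_encrypt(b"\x00\x00\x01", KEY, P2),    # IV 000001 reused
]

def collision_leak():
    """For the colliding pair, return C1 XOR C2 over the payload bytes."""
    (a, b), = reused_ivs(FRAMES).values()
    return xor(FRAMES[a][1][:len(P1)], FRAMES[b][1][:len(P1)])
```

collision_leak() returns exactly P1 ⊕ P2 although the key is never used to compute it; reused_ivs is the corresponding audit check to run over captured (IV, ciphertext) pairs from a legacy WEP deployment.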

Page 10: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

The Bottom line

WEP security is better than no security at all, but not by much

Page 11: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

The Problem

EAP assumes a secured connection to work with

Page 12: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Problems over an unsecured connection

Snooping the user ID

Forging / changing EAP packets

Denial of service

Offline dictionary attack

Man-in-the-middle

Authentication method downgrading attack

Breaking a weak key

Page 13: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Man-in-the-middle

A B E

MD5 EAP Request <R>

MD5 EAP Request <R>

H(ID || KEY || R)

EAP Failure

H(ID || KEY || R)

EAP Success

Page 14: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Possible Solutions

Mutual authentication

Cryptographic connection between authentication methods

Using a limited number of unsecured authentication methods

Preferring one strong method over a large number of weak ones.

Page 15: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Possible Solutions (2)

Using an authentication method that derives a symmetric key, prevents replay attacks and provides message integrity

The authentication method should be safe against dictionary attacks

Page 16: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

One method has all the above advantages:

Page 17: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Quick summary of TLS

[Figure: TLS protocol layers. Handshake protocol, CCS, Alert and Application sit above the Record Protocol, which runs over TCP.]

Page 18: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Quick summary of TLS (2)

Client Server TCP three-way handshake

Client Hello <Client Random, Proposed algorithms >

Server Hello

<Server random, Selected algorithm>

CA Certificate

Server done

Client Key Exchange

Enc(Pub(s), <Pre-Master secret>)

Both sides perform a known calculation to derive the Master Key

Page 19: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Quick summary of TLS (3)

Client Server

CCS (ID)

FIN

MAC authentication of all former messages

CCS (ID)

FIN

MAC authentication of all former messages

Data transfer (encrypted by the Master Key)

Page 20: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

EAP - TLS

Code Identifier Length

Type Flags TLS message length

TLS message length

TLS Data

Page 21: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

EAP-TLS (2)

Peer Authenticator

EAP Request

<Identity >

EAP Response

<Identity (MyID)>

EAP Request, type = EAP-TLS

<TLS Start>

EAP Response, type = EAP-TLS

<TLS Client Hello>

EAP Request, type = EAP-TLS

<TLS Server Hello, TLS Certificate, TLS Certificate Request, TLS Server Done>

Page 22: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

EAP-TLS (3)

Peer Authenticator

EAP Response, type = EAP-TLS

<TLS Certificate, TLS Client Key Exchange, TLS CCS, Certificate verify, TLS FIN>

EAP Request, type = EAP-TLS

<TLS CCS, TLS FIN>

EAP Response, type = EAP-TLS

EAP Success / EAP Failure

Page 23: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Session resumption

The SessionID field in the TLS Client Hello Message should be the same as the ID of the session to return to.

The authenticator sends EAP request with TLS Server Hello, TLS CCS (using the former session CCS ID), and TLS FIN.

The peer sends EAP response with TLS CCS using the same ID, and TLS FIN.

The protocol continues as in the standard EAP-TLS.

Page 24: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Session resumption (2)

Advantages of session resumption:

Quick renewal of connections.

Handling roaming in WLAN.

Page 25: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Key Derivation

PRF1 = PRF (Master Secret, "Client EAP Encryption", Random)

PRF2 = PRF ("", "Client EAP Encryption", Random)

PRF1 is 128 bytes long.

PRF2 is 64 bytes long.

Page 26: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Key Derivation (2)

PRF1 (128 bytes):

Bytes 0 to 32: Client’s ENC Key

Bytes 32 to 64: Server’s ENC Key

Bytes 64 to 96: Client’s Auth Key

Bytes 96 to 128: Server’s Auth Key

PRF2 (64 bytes):

Bytes 0 to 32: Client’s IV

Bytes 32 to 64: Server’s IV
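The two key-derivation slides above, as an added example that is not part of the original slides. It assumes that PRF is the TLS 1.0 PRF (P_MD5 XOR P_SHA-1) and that Random is the client random followed by the server random; the master secret and random values are constructed.

```python
# Added illustration of the key-derivation slides; all input values are constructed.
import hashlib
import hmac

def p_hash(name: str, secret: bytes, seed: bytes, n: int) -> bytes:
    """TLS 1.0 P_hash: HMAC chain A(i) = HMAC(secret, A(i-1)), A(0) = seed."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, name).digest()
        out += hmac.new(secret, a + seed, name).digest()
    return out[:n]

def tls10_prf(secret: bytes, label: bytes, seed: bytes, n: int) -> bytes:
    """TLS 1.0 PRF: P_MD5(first half) XOR P_SHA1(second half) over label || seed."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5 = p_hash("md5", s1, label + seed, n)
    sha = p_hash("sha1", s2, label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha))

# Label exactly as written on the slide. Label bytes are case-sensitive, so a real
# implementation must use the exact string its specification gives.
LABEL = b"Client EAP Encryption"

def derive_eap_tls_keys(master_secret: bytes, random: bytes) -> dict:
    """Compute PRF1 (128 bytes) and PRF2 (64 bytes), split at the slide's offsets."""
    prf1 = tls10_prf(master_secret, LABEL, random, 128)
    prf2 = tls10_prf(b"", LABEL, random, 64)   # empty secret, as on the slide
    return {
        "client_enc_key": prf1[0:32],
        "server_enc_key": prf1[32:64],
        "client_auth_key": prf1[64:96],
        "server_auth_key": prf1[96:128],
        "client_iv": prf2[0:32],
        "server_iv": prf2[32:64],
    }

MASTER = bytes(range(48))          # constructed 48-byte master secret
RANDOM = bytes(64)                 # constructed client random || server random (assumed order)
KEYS = derive_eap_tls_keys(MASTER, RANDOM)
```

Because PRF2 takes an empty secret, the two IVs depend only on the random values exchanged in the handshake, while the four keys from PRF1 also depend on the master secret.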

Page 27: IEEE 802.11 Wireless Local Area Networks (WLAN’s).

Fragmentation

The first fragment raises the L, M and S flags. The total TLS message length is also included.

All other fragments, except the last, raise the M flag. The identification field in the EAP header increases by 1 with each fragment.

Every EAP packet carrying a TLS fragment is answered by an EAP packet with no data, which serves as an Ack.
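A receiver-side view of the packet format and fragmentation rules above, as an added example that is not part of the original slides. It parses the EAP-TLS header fields, acts only on the L and M flags, and rejects fragment sequences whose identifiers do not increase by 1 or whose data does not match the declared total length; the size cap and the sample packets are assumptions made for the illustration.

```python
import struct

EAP_TYPE_TLS = 13                  # EAP method type number for EAP-TLS
FLAG_L, FLAG_M = 0x80, 0x40        # length included / more fragments
MAX_TLS_MESSAGE = 64 * 1024        # assumed local cap on a reassembled message

def parse(packet: bytes):
    """Split one EAP-TLS packet into (identifier, flags, total_length, data)."""
    if len(packet) < 6:
        raise ValueError("short packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", packet[:6])
    if length != len(packet) or eap_type != EAP_TYPE_TLS:
        raise ValueError("bad EAP length or type")
    if flags & FLAG_L:
        if length < 10:
            raise ValueError("L flag set but no length field")
        return ident, flags, struct.unpack("!I", packet[6:10])[0], packet[10:]
    return ident, flags, None, packet[6:]

def reassemble(packets) -> bytes:
    """Join fragments, enforcing the identifier sequence and the declared total length."""
    data, total, last_id, more = b"", None, None, True
    for raw in packets:
        ident, flags, declared, chunk = parse(raw)
        if not more:
            raise ValueError("fragment after final fragment")
        if last_id is None:
            if declared is None or declared > MAX_TLS_MESSAGE:
                raise ValueError("first fragment needs a sane total length")
            total = declared
        elif ident != (last_id + 1) & 0xFF:
            raise ValueError("identifier did not increase by 1")
        data += chunk
        if len(data) > total:
            raise ValueError("more data than declared")
        last_id, more = ident, bool(flags & FLAG_M)
    if more or len(data) != total:
        raise ValueError("incomplete message")
    return data

def pkt(ident, flags, data, total=None, code=1):
    """Build a constructed EAP-TLS packet for the demonstration."""
    body = bytes([EAP_TYPE_TLS, flags])
    body += (struct.pack("!I", total) if flags & FLAG_L else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

MSG = bytes(range(30))             # constructed stand-in for a TLS handshake flight
FRAGS = [pkt(7, FLAG_L | FLAG_M, MSG[:12], total=30),
         pkt(8, FLAG_M, MSG[12:24]), pkt(9, 0, MSG[24:])]
```

Checking the declared total before buffering anything bounds the memory an unauthenticated sender can make the receiver allocate during reassembly.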
