Wireless Security: The need for WPA and 802.11i

By Abuzar Amini

CS 265 Section 1

Wireless Security Timeline WEP - Part of original 802.11

specification published in 1999. WPA - Developed to fix numerous WEP

flaws. Ratified by Wi-Fi Alliance in 2003. 802.11i - More robust, permanent security

standard expected to be finalized soon. Currently in 7th draft.

WEP

Wired Equivalent Privacy Uses RC4 Stream cipher Has static 40-bit base key 64-bit per-packet key 24-bit Initialization Vector (IV) Uses Integrity Check Value (ICV) to verify

integrity

WEP Weaknesses (IV repetition)

Short 24-bit IV means RC4 key must be changed every 224 packets or data can be exposed via IV repetition. With repeated IV -> c1 c2 = p1 p2 Not very feasible to change WEP key after 16

million packets transmitted.

WEP Weaknesses (Replay Attack)

QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture.

QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture.

QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

Alice

BobTrudy

Authorized WEP communications

Eavesdrop and record

Replay packets

WEP Weaknesses (Forgery Attack)

Packet data can be forged WEP uses ICV (CRC-32) to verify integrity. Create a blank message with same number of data

bytes, flip some bits and compute ICV. XOR bit-flipped message and ICV into captured

message. Result - Undetected forgery.

Identity can be forged Source address, Destination address not protected.

WEP Weaknesses (Keys)

WEP uses same key for authentication and encryption.

No way to manage keys. Same static key used on AP as well as all

clients.

WPA: The solution for today

Wi-Fi Protected Access (WPA) created to fix vulnerabilities of WEP while keeping the ability to run on legacy Access Points.

Subset of 802.11i Standard. Two major components: TKIP and 802.1X

Extensible Authentication Protocol (EAP) based authentication.

TKIP Temporal Key Integrity Protocol. Consists of new algorithms to wrap WEP

A new Message Integrity Code (MIC) called Michael.

IV sequencing to defeat replay attacks. A per-packet key mixing function to de-

correlate IVs from weak keys. A re-keying mechanism to provide fresh

encryption and integrity keys.

TKIP (Michael)

Uses two 64-bit keys, one for each link direction.

Unlike WEP, packet Sender Address and Destination Address are computed as part of the MIC.

8-byte MIC appended to the packet data.

TKIP (IV Sequencing)

IV sequencing used to protect against replay attacks. Reset packet sequence number to 0 on

rekey. Increment sequence number by 1 each time

packet transmitted. Packets received out of sequence are

dropped.

TKIP (Key mixing)

Per-packet mixing function implemented in 2 phases: Phase 1: Combines local MAC address and

temporal key. Then run through S-box to produce intermediate key.

Fistel cipher used to encrypt the packet sequence number under the intermediate key, producing 128-bit per-packet key.

TKIP (Keys)

One 128-bit encryption key Two 64-bit integrity keys Master keys assigned by Authentication

Server using the 802.1X architecture

802.1X EAP WPA uses 802.1X as an authentication and key

replacement mechanism. 802.1X specifies the following components:

Supplicant – A user or a client that wants to be authenticated.

Authentication server – An authentication system, such as a RADIUS server, that handles actual authentications.

Authenticator – A device that acts as an intermediary between a supplicant and an authentication server. Usually, an AP.

802.1X EAP Messages

QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture. QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture.

EAP-identity request

EAP Identity Response

EAP Auth Request

EAP Success / Optional Master Key

Supplicant Authenticator Auth. ServerAttach

EAP Auth Response

Different forms of EAP EAP-Transport Layer Security(EAP-TLS)

Authentication requires use of PKI EAP-Tunneled TLS (EAP-TTLS)

Favored by some for use in 802.11i EAP-Protected EAP (PEAP)

Favored by some for use in 802.11i

802.11i:Robust Security for Tomorrows WLANs

Still uses some WPA features TKIP 802.1X Key hierarchy Key management

802.11i

New cipher AES block cipher replaces RC4 AP hardware needs to be upgraded to

support more complex AES computations. Mode of operation - AES Counter Mode

Encryption with CBC-MAC (CCM).

AES-CCM Mode

Header Payload MIC

Authenticated

Encrypted

CBC-MAC used to compute MIC on header and payload.

CTR mode is used to encrypt the payload and MIC.

802.11i (Other Features) EAP over an Ethernet LAN (EAPOL)

Roaming support Allows clients to pre-authenticate with different APs,

on wired or wireless LANs.

Independent Base Service Set (IBSS) Allows clients to authenticate to each other, even if

not in range of an AP.

Password-to-key mapping

WLAN Security SummaryWEP WPA 802.11i

Cipher Algorithm RC4 RC4 (TKIP) AES-CCMPEncryption Key 40-bit 128-bit 128-bitInitialization Vector 24-bit 48-bit 48-bitAuthentication Key None 64-bit 128-bitIntegrity Check CRC-32 Michael CCMKey Distribution Manual 802.1X (EAP) 802.1X (EAP)Key Unique To: Network Packet, Session, User Packet, Session, UserKey Hierarchy No Derived from 802.1X Derived from 802.1XAd-hoc Security (P2P) No No Yes (IBSS)Pre-authentication No No Yes (EAPOL)