Wireless & Network Security 1 Kemal Akkaya
Wireless and Network Security
Lecture 9: IEEE 802.11 Security - 2
Dr. Kemal Akkaya
Department of Computer Science, Southern Illinois University Carbondale
E-mail: [email protected]

How about using Virtual Private Networking (VPN) for better security?
  Deploying a secure VPN over a wireless network can greatly increase the security of your data
  Idea behind this is to treat the wireless network the same as an insecure wired network (the Internet)
    Any user gets authenticated through a server and can then use the network as if he/she were on the internal network
    Campus network, business, etc.
  Not a good solution:
    Overhead: deployment, performance
    Susceptible to denial of service (DoS) attacks, along with any attack against the specific VPN

Solutions for better IEEE 802.11 Security
  IEEE 802.1x
    Per-user authentication
    Key distribution mechanism
  Wi-Fi Protected Access (WPA)
    Proposed in 2003
    Subset of 802.11i
    Two forms:
      802.1x + EAP + TKIP + MIC
      Pre-shared Key + TKIP + MIC
  IEEE 802.11i – WPA2
    802.1x + EAP + AES + CCM
  But WEP is still in wide use
  (Figure: nested boxes showing 802.1x inside WPA inside 802.11i)

IEEE 802.1X
  802.1X is a port-based, layer 2 (MAC address layer) authentication framework on IEEE 802 networks
  Uses EAP (Extensible Authentication Protocol) for implementation
  It works along with the 802.11 protocol to manage authentication for WLAN clients
  Centralized authentication: all clients go through APs
  Interoperability: can work along with NICs running WEP
  Three main components:
    Supplicant
    Authenticator
    Authentication Server

IEEE 802.1X Authentication Process
  1. Client makes an association with AP
  2. AP places client in an unauthenticated holding area; AP sends an authentication request to client
  3. Client sends user ID to AP, which forwards it to server
  4. Server sends challenge via AP to client
     Challenge type up to vendor
     Secret info is not sent over air in plaintext
  5. Client responds to challenge
  6. Server verifies response, provides fresh session keys

IEEE 802.1X Authentication Process: authentication session
  (Figure: Client - AP - Auth Server "RADIUS"; the EAP challenge/authentication exchange runs between client and server through the AP, and an encrypted session to the network (drawn as http://www.yahoo.com) follows)
  Client -> AP: Let me in!
  AP -> Client: What's your ID?
  Client -> AP: ID = [email protected]
  AP -> Auth Server: [email protected] OK?
  Auth Server -> Client: Prove to me that you are [email protected]
  Client -> Auth Server: The answer is "xxx"
  Auth Server -> AP: Let him in. Here is the session key.
  AP -> Client: Come in. Here is the session key.
  Client <-> network: encrypted session

WPA (Wi-Fi Protected Access)
  Pre-standard subset of IEEE 802.11i
  Interim solution to run on existing wireless hardware
  Uses Temporal Key Integrity Protocol (TKIP) for data encryption and confidentiality
  On October 31, 2002, the Wi-Fi Alliance endorsed TKIP under the name Wi-Fi Protected Access (WPA).
  TKIP changes:
    Still uses RC4, 128 bits for encryption
    Key mixing function for combining the secret root key with the IV
      Merely concatenation in WEP
    Provisions for changing base keys
    Secret part of encryption key changed in every packet
      Avoids weak keys
    IV acts as a sequence counter
      Starts at 0, increments by 1
      Against replay attacks
      Packets received out of order will be rejected by the AP

WPA Changes for Integrity
  Includes Michael: a Message Integrity Code (MIC)
    64 bits
    Replaces the CRC
    Different keys for MIC and encryption
    Observer cannot create new MIC to mask changes to data
    Computationally efficient
  Increases IV from 24 bits to 64 bits
    900 years to repeat an IV at 10k packets/sec
    For WEP this is done in 30 mins
  Authentication: 2 forms based on 802.1X:
    Per-user based: public key
    Pre-shared key: same key – WPA-PSK

Final Standard: 802.11i
  The long-awaited security standard for wireless
  Ratified in June 2004
  Also known as WPA2 for the market
  Another name is Robust Security Network (RSN)
  Hardware manufactured before 2002 is likely to be unsupported
    AES requires a new dedicated chip
  From March 2006, WPA2 certification is mandatory for all new devices
  Addresses the main problems in WEP
  Components:
    802.1X based authentication
    CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
    RSN based associations

More WPA2
  CCMP
    Uses Advanced Encryption Standard (AES)
    Unlike in TKIP, key management and message integrity is handled by a single component built around AES using a 128-bit key and a 128-bit block.
    Uses CCM: encrypts data and MIC
  Key caching
    Skips re-entering of the user credential by storing the host information on the network
    APs can store keys
    Fast re-connection
  Pre-authentication
    If previously authenticated, allows client to become authenticated with an AP before moving to it
    Uses previous authentication info
    Useful in encrypted VoIP over Wi-Fi: fast roaming

802.11i Summary