WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3

WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3 -4, 2004 Workshop: Mobile and Wireless Security Nidal Aboudagga*, Jean-Jacques Quisquater UCL Crypto Group Belgium DIMACS Nov 3 - 4, 2004

Outline • • Introduction WEP IEEE 802. 1 X WPA IEEE 802. 11 i Roaming Conclusion DIMACS Nov 3 - 4, 2004 2

Why Wireless? • Mobility • Flexibility – Rapid deployment – Easy administration • Low cost • Simplicity of use • used in two modes: – Ad-Hoc – Infrastructure mode DIMACS Nov 3 - 4, 2004 3

Wired Equivalent Privacy (WEP) (1) • Tried to ensure – – • • Confidentiality Integrity Authenticity Replaces the so-known MAC-address filtering Uses the RC 4 encryption algorithm to generate a key stream Uses a shared key K (40 bit/104 bit) DIMACS Nov 3 - 4, 2004 4

Wired Equivalent Privacy (WEP) (2) DIMACS Nov 3 - 4, 2004 5

Wired Equivalent Privacy WEP (3) • Uses standard challenge response • An initialization vector, IV/(24 bit): per packet number, sent in clear • WEP failed, because of many known attacks – – – IV Collision Message injection Authentication spoofing Brute Force Attack Weaknesses in the Key Scheduling Algorithm of RC 4……) DIMACS Nov 3 - 4, 2004 6

Network port authentication 802. 1 x (1) • Adapted to wireless use by IEEE 802. 11 group • Based on Extensible Authentication Protocol (EAP) • Three elements are in use with 802. 1 x – Supplicant (user) – Authenticator (access point) – Authentication server (usually RADIUS) • Uses key distribution messages DIMACS Nov 3 - 4, 2004 7

IEEE 802. 1 x Access Control DIMACS Nov 3 - 4, 2004 8

IEEE 802. 1 x EAP authentication DIMACS Nov 3 - 4, 2004 9

802. 1 X / EAP: Authentication methods • EAP-MD 5: Vulnerable to a lot of attacks and did not support dynamic WEP keys • EAP-TLS: Uses certificates for servers and users. The user’s identity is revealed • EAP-TTLS: Uses server’s certificate. Protects user’s identity • PEAP: Similar to EAP-TTLS, used by Cisco and Microsoft in their products • LEAP: A Cisco proprietary vulnerable to dictionary attacks, • EAP-SIM, EAP-SPEKE, … DIMACS Nov 3 - 4, 2004 10

Wifi-Alliance Protected Access (1) • Built around IEEE 802. 11 i (draft 3) and compatible with existing material • Address WEP vulnerability • Supports mixed environment • Uses Temporal Key Integrity Protocol (TKIP), 128 bit RC 4 key • The use of AES is optional DIMACS Nov 3 - 4, 2004 11

Wifi-Alliance Protected Access (2) • A suite of 4 algorithms composes TKIP – A Message Integrity Code (MIC), called Michael to defeat forgeries – A new Initial Vector sequencing discipline, to prevent replay attacks – A key mixing function, to have a per-packet key – A re-keying mechanism, to provide fresh keys to the key mixing function DIMACS Nov 3 - 4, 2004 12

TKIP encapsulation DIMACS Nov 3 - 4, 2004 13

Wifi-Alliance Protected Access (3) • Solves the problems of integrity, authentication, forgery and replay attack in network with RADIUS server • In small network, WPA uses shared secret pass-phrase. This mode is vulnerable to the dictionary attack and impersonation • Preserves the RC 4 algorithm with its known weakness to ensure compatibility DIMACS Nov 3 - 4, 2004 14

802. 11 i / Robust Security Network (RSN) • Uses AES by default to replace RC 4 – Used in CCM mode: CTR + CBC-MAC • CCMP fixes 2 values of CCM parameters • M=8, indicating that the MIC is 8 octets • L=2, indicating the lenght field is 2 octets • Support Quality of Service • Support of preauthentication to enhance the roaming in wireless network DIMACS Nov 3 - 4, 2004 15

CCMP Encapsulation DIMACS Nov 3 - 4, 2004 16

Roaming • Roaming with full authentication IEEE 802. 1 x/EAP or PSK (very big latency time) • Roaming to AP with whish cached a shared PMK from previous SA – skip authentication steps – use 4 -way handshake key management protocol to negociate session key (PTK) and send (GTK) – useless when user roams to new AP • Preauthentication: the STA authenticate without association to another AP before leaving the old one DIMACS Nov 3 - 4, 2004 17

Full authentication DIMACS Nov 3 - 4, 2004 18

Preauthentication DIMACS Nov 3 - 4, 2004 19

Problems of preauthentication • Preauthentication enhances the performance of roaming but the handoff latency limits the performance for multimedia applications • Preauthentification can only be used in the same ESS (extended set of service) • Preauthentication is an expensive computational load which may be useless DIMACS Nov 3 - 4, 2004 20

Fast roaming • IEEE 802. 11 r WG to enhance fast roaming performance • It reduces the hand-off latency of the 4 -way handshake protocol (creating alternative optional 3 -way handshake) • Adopt roaming key hierarchy – to minimize computational load – time dependency of KMP and – precomputation of roaming key R-PTK • Other works attempt to reduce probing latency IEEE 802. 11 f DIMACS Nov 3 - 4, 2004 21

Conclusion • When IEEE 802. 11 k is ratified, will improve roaming decisions with a site report sent to client STA • Until now no efficient agreed solution to the inter-LAN and inter-WAN roaming • When the work of IEEE 802. 11 r group is finished, the wireless network will be more convenient to mobile users with multimedia applications • The IEEE 802. 11 i is new and will need time to reach maturity. It solves many problems of security. Many others are not under its responsibility (Do. S, RF jamming, …) DIMACS Nov 3 - 4, 2004 22