
TABLE OF CONTENTS

LIST OF TABLES
LIST OF FIGURES

Chapter 3 WLAN Security

3.1 802.11 Family
    3.1.1 IEEE 802.11
    3.1.2 IEEE 802.11a
    3.1.3 IEEE 802.11b
    3.1.4 IEEE 802.11g
    3.1.5 Modification
3.2 WLAN Architecture
    3.2.1 Ad-hoc mode
    3.2.2 Infrastructure mode
    3.2.3 BSS
    3.2.4 ESS
    3.2.5 DS
3.3 Authentication in 802.11
    3.3.1 Open system authentication
    3.3.2 Shared key authentication
3.4 Encryption and Decryption
    3.4.1 WEP
    3.4.2 WPA
    3.4.3 WPA2
3.5 IEEE 802.1X
    3.5.1 802.1x Framework
    3.5.2 802.1x Communication/ Authentication
    3.5.3 802.1x Key management
3.6 802.11i
    3.6.1 RSN
    3.6.2 Key Hierarchy
    3.6.3 TKIP
    3.6.4 CCMP
3.7 Security Threats: Passive
    3.7.1 Eavesdropping
    3.7.2 Traffic Analysis
3.8 Security Threats: Active
    3.8.1 Message Injection/Active Eavesdropping
    3.8.2 Message Deletion and Interception
    3.8.3 Masquerading and Malicious AP
    3.8.4 Session Hijacking
    3.8.5 Man-in-the-Middle
    3.8.6 DoS attack
3.9 Summary

LIST OF TABLES

3.1 Comparison among 802.11 families
3.2 WEP, WPA, WPA2 comparison

LIST OF FIGURES

3.1 Ad Hoc mode
3.2 Infrastructure mode
3.3 Basic Service Set (BSS)
3.4 Extended Service Set (ESS)
3.5 Open System authentication
3.6 Shared Key authentication
3.7 Wired Equivalent Privacy (WEP) encryption
3.8 Wired Equivalent Privacy (WEP) decryption
3.9 IEEE 802.1x framework
3.10 802.1x Communication/ Authentication
3.11 IEEE 802.1x four-way handshake
3.12 IEEE 802.1x group-key handshake
3.13 Pairwise key hierarchy
3.14 Transient key component
3.15 Group key hierarchy
3.16 TKIP key mixing
3.17 TKIP encapsulation
3.18 TKIP decapsulation
3.19 Counter mode
3.20 CBC mode
3.21 CCMP encapsulation
3.22 CCMP decapsulation

Chapter 3 WLAN Security


Wireless Local Area Networks (WLANs) are becoming more and more popular. A WLAN has the advantage of mobility. In a WLAN, packets are transmitted over the air instead of over a physical medium (such as wires or cable) to interconnect wireless devices or stations. For this reason, a WLAN faces more challenges than a wired network. Today, wireless LANs have become the most interesting target for attackers. There are many attacks on WLANs, such as DoS attacks, man-in-the-middle attacks, and session hijacking. To deploy wireless LANs successfully, their security issues must be addressed. In this chapter, we introduce the 802.11 family, including authentication and message encryption and decryption in the IEEE 802.11i standard. The security issues and threats of IEEE 802.1x are also introduced in detail.

3.1 802.11 Family

This section introduces the 802.11 family, covering data rate, transmission distance, frequency band, modulation, and so on.

3.1.1 IEEE 802.11

IEEE 802.11, also known by the brand Wi-Fi (which stands for "Wireless Fidelity"), is the original version of the standard. Released in 1997, IEEE 802.11 specifies two raw data rates of 1 and 2 megabits per second (Mbps), transmitted via infrared (IR) signals or by either frequency-hopping spread spectrum (FHSS) or direct-sequence spread spectrum (DSSS) in the 2.4 GHz frequency band. Unfortunately, 802.11 only supported a maximum bandwidth of 2 Mbps. For this reason, ordinary 802.11 wireless products are no longer manufactured.

3.1.2 IEEE 802.11a

IEEE ratified 802.11a in 1999, and 802.11b was approved at about the same time. Due to its high cost, 802.11a is usually found on business networks, whereas 802.11b better serves the home market. 802.11a supports bandwidth up to 54 Mbps, uses the 5 GHz frequency band, and operates with orthogonal frequency-division multiplexing (OFDM) modulation. This higher frequency, compared to 802.11b, limits the range of 802.11a networks. The higher frequency also means 802.11a signals have more difficulty penetrating walls and other obstructions. Because 802.11a and 802.11b use different frequencies, the two technologies are incompatible with each other. Some vendors offer hybrid 802.11a/b network gear, but these products simply implement the two standards side by side (each connected device must use one or the other).

3.1.3 IEEE 802.11b


IEEE expanded on the original 802.11 standard in July 1999, creating the 802.11b specification. 802.11b supports bandwidth up to 11 Mbps and uses the 2.4 GHz frequency band, the same as the original 802.11 standard. However, unlike the original 802.11, 802.11b uses only DSSS spread spectrum with complementary code keying (CCK). Since many appliances operate at this frequency, 802.11b devices can incur interference from microwave ovens, cordless phones, and other appliances using the same 2.4 GHz band. 802.11b cards can operate at 11 Mbps, but will scale back to 5.5, then 2, then 1 Mbps if signal quality becomes an issue. Extensions have been made to the 802.11b protocol (for example, channel bonding and burst transmission techniques) in order to increase speed to 22 Mbps, but the extensions are proprietary and have not been endorsed by the IEEE. Many companies call enhanced versions "802.11b+".

3.1.4 IEEE 802.11g


In June 2003, IEEE 802.11g was ratified. This standard works in the 2.4 GHz band, the same as 802.11b, but operates at a maximum data rate of 54 Mb/s, or about 24.7 Mb/s net throughput (just like 802.11a). 802.11g hardware is compatible with 802.11b hardware. Details of making b and g work well together occupied much of the lingering technical process. In older networks, however, the presence of an 802.11b participant significantly reduces the speed of an 802.11g network. The modulation scheme used in 802.11g is orthogonal frequency-division multiplexing (OFDM) for the data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps, and it reverts to CCK (like the 802.11b standard) for 5.5 and 11 Mbps. Even though 802.11g operates in the same frequency band as 802.11b, it can achieve higher data rates (the maximum data rate is 54 Mbps). The maximum range of 802.11g gear is slightly greater than that of 802.11b gear, but the range in which a client can achieve the full 54 Mbps data rate is much shorter than the range in which an 802.11b client can reach 11 Mbps. The comparisons are shown in Table 3.1, which covers modulation, spread spectrum, data rate, distance, frequency band, interference, data transmission, voice transmission, and security among the 802.11 family:

Table 3.1 comparison among 802.11 families

3.1.5 Modification
Several other standards for wireless local area networks have been ratified. A brief introduction is given below.

IEEE 802.11c: IEEE 802.11c was ratified in October of 1998. It provides requirements of 802.11-specific MAC procedures to the ISO/IEC (International Organization for Standardization/International Electrotechnical Commission). In particular, it adds a sub-clause under 2.5 Support of the Internal Sublayer Service, to cover bridge operations with 802.11 MACs.

IEEE 802.11d: IEEE 802.11d, ratified in July of 2001, is an amendment to the base 802.11 specification that adds support for "additional regulatory domains". This support includes the addition of a country information element to beacons, probe requests, and probe responses. This modification allows the 802.11 standard to operate in countries that are not served by the standard.

IEEE 802.11e: IEEE 802.11e has been approved as a standard that attempts to enhance the 802.11 MAC to increase the quality of service (QoS) possible for LAN applications. The standard is considered of critical importance for delay-sensitive applications, such as Voice over Wireless IP and streaming multimedia.

IEEE 802.11f: IEEE 802.11f was finished in 2002. The standard was developed as a practice that provides AP communication among multiple servers. The purpose is to increase compatibility between access point devices from different vendors.

IEEE 802.11h: IEEE 802.11h is the IEEE standard for spectrum and transmit power management in the 5 GHz band. The standard solves problems like interference with radar in some European countries. It provides Dynamic Frequency Selection (DFS) and Transmit Power Management (TPM). DFS selects the channel so as to reduce interference to radar. TPM keeps the average power below the regulatory maximum power to decrease interference to radar.

3.2 WLAN Architecture


IEEE defines two types of architecture for 802.11 wireless LANs: ad hoc mode and infrastructure mode. The 802.11 architecture comprises several components, such as the basic service set (BSS), extended service set (ESS), and distribution system (DS). In this section, we introduce the two architectures and their components.

3.2.1 Ad Hoc mode


Ad hoc mode is useful for establishing a network where wireless infrastructure does not exist or where services are not required. In this framework, wireless devices or stations communicate directly in peer-to-peer mode without involving an access point. The primary feature of ad hoc mode is that the wireless devices cannot connect to the Internet, so this mode is always used in a provisional environment. Ad hoc mode is comprised of some wireless devices, as shown in Fig 3.1.

Figure 3.1 Ad Hoc mode

3.2.2 Infrastructure mode


In infrastructure mode, wireless devices communicate with each other by first going through an access point. The main difference between ad hoc mode and infrastructure mode is that all wireless devices can connect to the Internet in infrastructure mode. In order to join the WLAN, the AP and all wireless devices must be configured to use the same SSID. The AP is then able to join the Internet and allow wireless devices to access the network. Infrastructure mode is shown in Fig 3.2:

Figure 3.2 Infrastructure mode

3.2.3 Basic Service Set (BSS)


As shown in Fig 3.3, a BSS is a group of 802.11 stations or devices communicating with each other. A BSS requires an access point, which is the central point of communication for all stations. The stations do not communicate directly with each other. They first communicate with the access point, and the access point then delivers the frames to the destination stations.

Figure 3.3 Basic Service Set (BSS)

3.2.4 Extended Service Set (ESS)


An ESS is composed of two or more BSSs. In other words, a collection of BSSs is known as an ESS. BSSs communicate via the distribution system (DS). Fig 3.4 shows the architecture of an ESS. The DS can be a wired or wireless network, but for the most part, DS uplinks are wired networks.

Figure 3.4 Extended Service Set (ESS)

3.2.5 Distribution System (DS)


A distribution system is a system that interconnects several BSSs. A DS can be constructed of either a wired network or a wireless network, but it is usually a wired network. The system provides five services: association, de-association, re-association, distribution, and integration. The details of the five services are as follows.

Association: The association service is used to make a connection between a mobile device and an access point. Each device must become associated with an access point before it is allowed to send data through the access point to the distribution system. The connection is necessary for the distribution system to know where to deliver data to the mobile station.

De-association: The de-association service is used to disconnect a mobile device from an access point. This occurs when the mobile device no longer requires the service of the distribution system. If the station or wireless device wants to obtain the service again, it must begin a new association with the access point.

Re-association: The re-association service is similar to the association service. It occurs when the mobile device leaves the ESS, loses the connection with the access point it is associated with, and needs to become associated with a new access point.

Distribution: Distribution is the primary service used by an 802.11 station. A device uses the distribution service every time it sends MAC frames through the distribution system. The distribution service provides the distribution system with only enough information to determine the proper destination BSS for the MAC frame.

Integration: The integration service connects the 802.11 WLAN to other LANs, including one or more wired LANs or 802.11 WLANs. The integration service delivers 802.11 frames to another network, or from other networks to 802.11 WLANs.

3.3 Authentication in 802.11


Because WLANs have limited physical security to prevent unauthorized access, 802.11 defines two authentication modes to control access to a WLAN, namely open system authentication and shared key authentication. The goal of the authentication service is to provide access control equivalent to a wired LAN. After the authentication and association process, wireless devices can begin to transmit and receive data. If a wireless device is configured with a key that is different from the access point's, the device will not be able to encrypt or decrypt data frames correctly. Consequently, the frames will be discarded by both the client and the access point. In this section, we first introduce open system authentication and then shared key authentication.

3.3.1 Open System Authentication


This is the default authentication method, and it is very simple. There are two message exchanges in open system authentication. The steps are shown in Fig 3.5. First, the supplicant that wants to authenticate with the authenticator sends an authentication management frame containing the sending supplicant's identity. According to the identity, the authenticator sends the authentication result back to the supplicant.

Figure 3.5 Open System Authentication (messages between supplicant and authenticator: association request, association response)

3.3.2 Shared Key Authentication


Unlike open system authentication, shared key authentication requires that the wireless devices and the access point have the same WEP keys. There are four messages exchanged, as shown in Fig 3.6. The following summarizes the shared key authentication process:

1. The supplicant sends a registration request that contains the identity of the supplicant to the authenticator.
2. The authenticator then responds with a plaintext challenge packet to the supplicant.
3. The supplicant encrypts the challenge packet using the shared WEP key and sends the result back to the authenticator.
4. If the authenticator can decrypt the response packet and retrieve the original challenge, it sends the supplicant a success message.

Figure 3.6 Shared-Key Authentication (messages between supplicant and authenticator: 1. registration request; 2. challenge (a random number R); 3. response (sign R by shared key); 4. build up authentication relationship)

3.4 Encryption and Decryption


Wireless networks ensure their security through the use of various security protocols, encryption algorithms, and authentication methods. IEEE first ratified WEP as a solution to wireless security, but WEP has flaws in both its implementation and its design. For this reason, the WiFi alliance replaced WEP with a subset of the 802.11i protocol, which is called WPA. WPA still has security concerns in wireless networks. When the IEEE ratified the 802.11i protocol in 2004, the WiFi alliance adopted the protocol as WPA2. In this section, we first introduce WEP, including its encryption and decryption algorithms, in section 3.4.1, then WPA in section 3.4.2, and finally WPA2 in section 3.4.3.

3.4.1 Wired Equivalent Privacy (WEP)


WEP is a part of the IEEE 802.11 standard ratified in September 1999. WEP uses the stream cipher RC4 for confidentiality and CRC-32 for integrity. Standard 64-bit WEP uses a 40-bit key, which is concatenated to a 24-bit Initial Vector (IV). WEP encryption is depicted in Fig 3.7. The Initial Vector (IV) and the secret key are passed into the RC4 algorithm to generate the encryption key, also called the RC4 key. Separately, the plaintext message is used to generate the Integrity Check Value (ICV), which is appended to the message. The ciphertext is produced by XORing the RC4 key with the combined message and ICV. After the XOR operation, the result is transmitted over the wireless network.


Figure 3.7 Wired Equivalent Privacy (WEP) encryption.

In contrast, in WEP decryption, as shown in Figure 3.8, the received encrypted packet consists of the Initial Vector (IV), ciphertext, and ICV. The Initial Vector is not encrypted while transmitted. The IV is concatenated with the shared secret key and passed into the RC4 algorithm to produce the key stream. The decrypted data (plaintext) is obtained by XORing the key stream with the ciphertext and the ICV. The plaintext is then run through the same integrity algorithm (CRC-32) as used in WEP encryption to generate a new ICV. This ICV is compared with the original ICV appended to the data. If the two ICVs match, the data is valid. Otherwise, the data must have been modified during transmission and is rejected by the system.

Figure 3.8 Wired Equivalent Privacy (WEP) decryption.

Two main vulnerabilities in WEP are the use of a 32-bit CRC checksum and a 24-bit Initialization Vector (IV) for the encryption algorithm. The CRC checksum is intended to detect unintentional errors in the packet. Attackers can still modify the packet and calculate a new CRC checksum so that the packet appears unmodified. The problem with the 24-bit IV is that the IV domain is not large enough to guarantee that each IV is used only once. Attackers can observe sufficient network traffic to completely exhaust the entire domain of the 24-bit IVs. An attacker can eavesdrop on two encrypted packets with the same IV to make cracking the encryption key easier. Consequently, WEP is insecure.
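
The WEP encapsulation and the two weaknesses just described, as an added example that is not part of the original chapter. It works only on constructed in-memory frames, leaves out the key ID octet that follows the IV on the air, and every key, IV and message value in it is made up.

```python
import struct
import zlib

IV_LEN, ICV_LEN = 3, 4      # 24-bit IV, 32-bit CRC


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by `length` bytes of key stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """IV in the clear, then (plaintext || ICV) XOR RC4(IV || key)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Decrypt, recompute the CRC-32 and compare; ValueError on mismatch."""
    iv, ciphertext = frame[:IV_LEN], frame[IV_LEN:]
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, received = body[:-ICV_LEN], body[-ICV_LEN:]
    if icv(plaintext) != received:
        raise ValueError("ICV mismatch: frame rejected")
    return plaintext


def same_iv_xor(frame_a: bytes, frame_b: bytes) -> bytes:
    """IV weakness: with equal IVs the key stream cancels, leaving P_a XOR P_b."""
    if frame_a[:IV_LEN] != frame_b[:IV_LEN]:
        raise ValueError("frames use different IVs")
    return xor(frame_a[IV_LEN:], frame_b[IV_LEN:])


def icv_preserving_change(frame: bytes, delta: bytes) -> bytes:
    """CRC weakness: CRC-32 is linear, so crc(p ^ d) = crc(p) ^ crc(d) ^ crc(0...0).
    XORing (d || that correction) into the ciphertext keeps the ICV valid, no key needed."""
    n = len(frame) - IV_LEN - ICV_LEN
    if len(delta) != n:
        raise ValueError("delta must cover the whole plaintext")
    correction = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    return frame[:IV_LEN] + xor(frame[IV_LEN:], delta + struct.pack("<I", correction))


def iv_repeat_probability(frames: int, iv_bits: int = 24) -> float:
    """Chance that at least two of `frames` randomly chosen IVs are equal."""
    space, p_unique = 2 ** iv_bits, 1.0
    for k in range(frames):
        p_unique *= (space - k) / space
    return 1.0 - p_unique


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")        # constructed 40-bit key
    iv = b"\x00\x00\x2a"                      # constructed IV
    frame = wep_encrypt(iv, key, b"PAY 0100 TO BOB")
    changed = icv_preserving_change(frame, xor(b"PAY 0100 TO BOB", b"PAY 9100 TO BOB"))
    print(wep_decrypt(key, changed))          # receiver accepts the modified text
    print(round(iv_repeat_probability(5000), 3))
```

A keyed message integrity code, as introduced with WPA and WPA2 in the following sections, is what removes the second weakness; a larger IV space addresses the first.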

3.4.2 Wireless Protected Access (WPA)


To cope with the weaknesses of WEP, the Wi-Fi alliance attempted to offer a better security solution than WEP. This subset protocol is called Wireless Protected Access (WPA). WPA specifies the Temporal Key Integrity Protocol (TKIP), which replaces the weak 32-bit CRC checksum with a strong HMAC checksum. In addition, WPA adds a Message Integrity Check (MIC) based on the Michael algorithm, and replaces the 24-bit IV with a 48-bit IV. WPA also defines dynamic key rotation and the Extensible Authentication Protocol (EAP) to allow strong authentication in wireless LANs. WPA is intended for upgrading legacy systems that use the stream cipher RC4 and the secure communication protocol WEP. Even though WPA is more secure than WEP, it still uses RC4 for compatibility with legacy systems. The use of the weak stream cipher RC4 makes WPA not strong enough against various attacks. For example, it is possible to monitor initial key exchanges and launch dictionary attacks to break the key. WPA was never intended as a robust security solution; it was only a better wireless security solution than WEP while WPA2 had not yet been ratified.

3.4.3 Wireless Protected Access Version 2 (WPA2)


In 2004, the IEEE ratified the 802.11i protocol, which provides Robust Security Network (RSN) capabilities that are more secure than WEP and WPA. The main difference between WEP and WPA2 is that the encryption algorithm used in WPA2 is the Advanced Encryption Standard (AES) for data confidentiality. The comparison among WEP, WPA, and WPA2 is shown in Table 3.2:

Table 3.2 WEP, WPA, WPA2 comparison

                        WEP     WPA          WPA2
Transport protocol      WEP     802.1x/EAP   802.1x/EAP
Encryption algorithm    RC4     RC4          AES
Key management          NONE    TKIP         CCMP
Cryptographic digest    None    MIC          MIC

3.5 IEEE 802.1X


IEEE 802.1X is part of the IEEE 802.1 group of protocols. It provides point-to-point connections and prevents access from a port when authentication fails. It is used on certain access points and is based on EAP, an authentication framework used in wireless networks and point-to-point connections. 802.1X is also available on certain network switches, and can be configured to authenticate hosts that are equipped with client software, denying unauthorized access to the network at the data link layer.

3.5.1 802.1x Framework


The IEEE 802.1x framework is depicted in Fig 3.9. Both the supplicant and the authenticator have a port access entity (PAE). The PAE controls the authorized/unauthorized state when the supplicant is not authenticated successfully. Fig 3.9 shows that the authenticator uses an uncontrolled port to communicate with the supplicant PAE before the supplicant is authenticated. In this state, the authenticator blocks all traffic except 802.1x messages. 802.1x also defines an EAP protocol that encapsulates EAP messages between the supplicant and the authenticator. EAP messages are delivered from the supplicant to the authentication server by the PAE. To let the server authenticate the user information, the authenticator PAE encapsulates the same EAP messages in the server (RADIUS) packet format and sends them to the authentication server. Once the supplicant is authenticated successfully, the controlled port is authorized, and the supplicant can obtain services through the controlled port. [J-C CHEN, M-C JIANG, AND Y-W LIU] WIRELESS LAN SECURITY AND IEEE 802.11I, February 2005

Labels in Fig 3.9: supplicant system; supplicant PAE; authenticator system; services offered by the authenticator system; controlled port; uncontrolled port; authenticator PAE; authenticator server system; authenticator server; EAP protocol exchanges carried in higher-layer protocol; LAN.

Figure 3.9 IEEE 802.1x framework

3.5.2 802.1x Communication/ Authentication


Fig 3.10 depicts a typical 802.1x communication and authentication process between the supplicant and the authenticator. The following summarizes the 802.1x communication/authentication process:

1. The supplicant sends an EAP-start message to start the communication.
2. The authenticator sends an EAP-request/identity message to obtain the supplicant's identity.
3. Upon receipt of the EAP-request/identity message from the authenticator, the supplicant responds with the EAP-response/identity packet, which includes the client's identity.
4. Upon receipt of the EAP-response/identity, the authenticator PAE state transits to the authenticating state. The authenticator then encapsulates the EAP-response/identity message in a RADIUS-access-request and sends it to the authentication server.
5. The authentication server challenges the supplicant to prove itself by sending a RADIUS-access-challenge to the authenticator.
6. The authenticator encapsulates the RADIUS-access-challenge in an EAP-request/Auth and sends it to the supplicant. Upon receipt of the message, the state of the supplicant changes to the authenticating state.
7. The supplicant responds with an EAP-response/Auth to the authenticator.
8. The authenticator relays it to the authentication server in the form of a RADIUS-access-request. The authentication server then either accepts or rejects the client's request for connection.
9. If the authentication server accepts the connection, it sends a RADIUS-access-accept to the authenticator, and the authenticator PAE state transits to the authenticated state. Afterwards, the authenticator PAE sends EAP-success to the supplicant.
10. Otherwise, the authentication server rejects the connection and sends a RADIUS-access-reject to the authenticator. The authenticator PAE state transits to the held state, and the authenticator then sends EAP-failure to the supplicant.

Messages shown in Fig 3.10 among supplicant, authenticator and authentication server: EAPOL-start; EAPOL-request/identity; EAPOL-response/identity; RADIUS-access-request; RADIUS-access-challenge; EAP-request/Authentication; EAP-response/Authentication; RADIUS-access-request (multi-round authentication message exchanges); RADIUS-access-accept and EAP-success (authentication success); RADIUS-access-reject and EAP-failure (authentication failure); EAP-logoff (logoff).

Figure 3.10 802.1x Communication/ Authentication
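
The authenticator side of steps 1 to 10 as a small state machine, added here as an illustration and not taken from the original chapter or from any 802.1X implementation. The state names DISCONNECTED and CONNECTING and the frame-type labels are assumptions; the text itself names only the authenticating, authenticated and held states.

```python
from dataclasses import dataclass, field


@dataclass
class AuthenticatorPAE:
    """Authenticator-side port access entity, reduced to the steps listed above."""
    state: str = "DISCONNECTED"                   # assumed name for the idle state
    port_authorized: bool = False                 # state of the controlled port
    sent: list = field(default_factory=list)      # (destination, message) pairs

    def _send(self, destination: str, message: str) -> None:
        self.sent.append((destination, message))

    def _close(self, new_state: str) -> None:
        self.state = new_state
        self.port_authorized = False

    def from_supplicant(self, message: str) -> None:
        if message == "EAPOL-Start":                              # steps 1-2
            self._close("CONNECTING")
            self._send("supplicant", "EAP-Request/Identity")
        elif message == "EAP-Response/Identity" and self.state == "CONNECTING":
            self.state = "AUTHENTICATING"                         # steps 3-4
            self._send("server", "RADIUS-Access-Request")
        elif message == "EAP-Response/Auth" and self.state == "AUTHENTICATING":
            self._send("server", "RADIUS-Access-Request")         # steps 7-8
        elif message == "EAPOL-Logoff":
            self._close("DISCONNECTED")
        # any other message does not fit the current state and is ignored

    def from_server(self, message: str) -> None:
        if self.state != "AUTHENTICATING":
            return      # an unsolicited server answer must never change the port
        if message == "RADIUS-Access-Challenge":                  # steps 5-6
            self._send("supplicant", "EAP-Request/Auth")
        elif message == "RADIUS-Access-Accept":                   # step 9
            self.state = "AUTHENTICATED"
            self.port_authorized = True
            self._send("supplicant", "EAP-Success")
        elif message == "RADIUS-Access-Reject":                   # step 10
            self._close("HELD")
            self._send("supplicant", "EAP-Failure")

    def forwards(self, frame_type: str) -> bool:
        """802.1x (EAPOL) frames always pass; everything else needs an authorized port."""
        return frame_type == "EAPOL" or self.port_authorized


def run(events) -> AuthenticatorPAE:
    """Feed a list of (source, message) events to a fresh PAE and return it."""
    pae = AuthenticatorPAE()
    for source, message in events:
        if source == "supplicant":
            pae.from_supplicant(message)
        else:
            pae.from_server(message)
    return pae


# Constructed event traces for the accept and reject paths
COMMON = [
    ("supplicant", "EAPOL-Start"),
    ("supplicant", "EAP-Response/Identity"),
    ("server", "RADIUS-Access-Challenge"),
    ("supplicant", "EAP-Response/Auth"),
]
ACCEPT_FLOW = COMMON + [("server", "RADIUS-Access-Accept")]
REJECT_FLOW = COMMON + [("server", "RADIUS-Access-Reject")]

if __name__ == "__main__":
    for name, flow in (("accept", ACCEPT_FLOW), ("reject", REJECT_FLOW)):
        pae = run(flow)
        print(name, pae.state, pae.port_authorized, pae.forwards("IP"))
```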

3.5.3 802.1x Key Management


In this section, key management of the authentication process in IEEE 802.1x is described. Both the four-way handshake and the group-key handshake are introduced. Fig 3.11 gives the messages exchanged in the four-way handshake.

In the four-way handshake, the authenticator first sends an ANonce and key information to the supplicant. The ANonce is a nonce value generated by the authenticator and is used only once. After receiving the first message, the supplicant checks the validity of the message by using the replay counter. The replay counter is incremented by each EAPOL-key message. If the replay counter is smaller than or equal to the value kept in the supplicant, the message is discarded. Otherwise, the supplicant sends the second message, which contains its own nonce value (SNonce), key information, a message integrity code (MIC), and the supplicant's RSN IE (Robust Security Network Information Element), to the authenticator. The RSN IE carries RSN security information including RSN capabilities, authentication, and cipher key selectors. An RSN IE can be used to distinguish between pre-RSN stations and RSN-capable stations. RSN-capable stations shall include the RSN IE in beacons, probe responses, association and re-association requests, and the second and third messages of the four-way handshake. In contrast, there is no RSN IE in messages sent by pre-RSN stations.

Upon receipt of the second message, the authenticator checks the validity of the message by using the replay counter. The authenticator also verifies the MIC. If the MIC is incorrect, the message is discarded. Otherwise, the authenticator sends the third message, which contains the ANonce, key information, MIC, and the authenticator's RSN IE, to the supplicant. Upon receipt of the third message, the supplicant validates the message by checking the replay counter. It then compares the RSN IEs. If the RSN IEs are different, the connection between the supplicant and the authenticator is disconnected. If the RSN IE is correct, the supplicant then checks the MIC. The supplicant sends back the fourth message if the MIC is valid. When the authenticator receives the fourth message, it first checks the replay counter. If the replay counter is valid, it then checks the MIC. The four-way handshake is completed if the MIC is valid.

Messages exchanged between the supplicant and the authenticator in Fig 3.11:

1. EAPOL-key (key_info, ANonce). Authenticator delivers another nonce to AP so that it can generate PTK.
2. EAPOL-key (key_info, SNonce, MIC, RSN IE). Supplicant delivers another nonce to AP so that it can generate PTK.
3. EAPOL-key (key_info, ANonce, MIC, RSN IE). Ensure PTK is fresh.
4. EAPOL-key (key_info, MIC). This frame serves only as an ACK.

Figure 3.11 IEEE802.1x four-way handshake
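
The receiver-side checks of the four-way handshake (replay counter, RSN IE comparison, MIC), as an added sketch that is not part of the original chapter. It goes beyond the text in deriving the PTK with the 802.11i HMAC-SHA1 PRF and in using an HMAC-SHA1 MIC truncated to 16 bytes; the KeyMsg layout, the RSN IE stand-in bytes, the MAC addresses, nonces and PMK are constructed and do not follow the EAPOL-key wire format.

```python
import hashlib
import hmac
from dataclasses import dataclass


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce) -> bytes:
    """PTK from PMK, both MAC addresses and both nonces; bytes 0-15 are the MIC key (KCK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


@dataclass
class KeyMsg:
    """Simplified EAPOL-key message: only the fields the text names (not the wire format)."""
    replay_counter: int
    nonce: bytes = b""
    rsn_ie: bytes = b""
    mic: bytes = b""

    def expected_mic(self, kck: bytes) -> bytes:
        body = self.replay_counter.to_bytes(8, "big")
        for part in (self.nonce, self.rsn_ie):
            body += len(part).to_bytes(2, "big") + part
        return hmac.new(kck, body, hashlib.sha1).digest()[:16]

    def sign(self, kck: bytes) -> "KeyMsg":
        self.mic = self.expected_mic(kck)
        return self

    def verify(self, kck: bytes) -> bool:
        return hmac.compare_digest(self.mic, self.expected_mic(kck))


class Supplicant:
    def __init__(self, pmk, spa, aa, snonce, own_rsn_ie, ap_rsn_ie_from_beacon):
        self.pmk, self.spa, self.aa, self.snonce = pmk, spa, aa, snonce
        self.own_rsn_ie, self.ap_rsn_ie = own_rsn_ie, ap_rsn_ie_from_beacon
        self.last_counter, self.ptk = -1, None   # counter of last MIC-verified message

    def on_msg1(self, m: KeyMsg):
        if m.replay_counter <= self.last_counter:
            return "discard", None
        self.ptk = derive_ptk(self.pmk, self.aa, self.spa, m.nonce, self.snonce)
        return "ok", KeyMsg(m.replay_counter, self.snonce, self.own_rsn_ie).sign(self.ptk[:16])

    def on_msg3(self, m: KeyMsg):
        if self.ptk is None or m.replay_counter <= self.last_counter:
            return "discard", None
        if m.rsn_ie != self.ap_rsn_ie:           # not what the AP advertised earlier
            return "disconnect", None
        if not m.verify(self.ptk[:16]):
            return "discard", None
        self.last_counter = m.replay_counter     # advance only after the MIC verified
        return "ok", KeyMsg(m.replay_counter).sign(self.ptk[:16])


class Authenticator:
    def __init__(self, pmk, aa, spa, anonce, rsn_ie):
        self.pmk, self.aa, self.spa, self.anonce, self.rsn_ie = pmk, aa, spa, anonce, rsn_ie
        self.counter, self.ptk = 1, None

    def msg1(self) -> KeyMsg:
        return KeyMsg(self.counter, self.anonce)

    def on_msg2(self, m: KeyMsg):
        ptk = derive_ptk(self.pmk, self.aa, self.spa, self.anonce, m.nonce)
        if m.replay_counter != self.counter or not m.verify(ptk[:16]):
            return "discard", None
        self.ptk, self.counter = ptk, self.counter + 1
        return "ok", KeyMsg(self.counter, self.anonce, self.rsn_ie).sign(ptk[:16])

    def on_msg4(self, m: KeyMsg):
        if self.ptk is None or m.replay_counter != self.counter or not m.verify(self.ptk[:16]):
            return "discard", None
        return "complete", None


def run(sta_pmk=None, beacon_ie=b"RSN-IE:CCMP") -> list:
    """Drive one handshake on constructed values; return the verdict of each step."""
    pmk, aa, spa = bytes(range(32)), bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    ap = Authenticator(pmk, aa, spa, b"A" * 32, b"RSN-IE:CCMP")
    sta = Supplicant(sta_pmk or pmk, spa, aa, b"S" * 32, b"RSN-IE:CCMP", beacon_ie)
    verdicts, msg = [], ap.msg1()
    for step in (sta.on_msg1, ap.on_msg2, sta.on_msg3, ap.on_msg4):
        verdict, msg = step(msg)
        verdicts.append(verdict)
        if msg is None:
            break
    return verdicts
```

Calling `run()` walks the normal exchange; `run(beacon_ie=b"RSN-IE:TKIP")` and `run(sta_pmk=bytes(32))` show the disconnect on an RSN IE mismatch and the discard on a MIC computed from a different PMK.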

The group key handshake is shown in Fig 3.12. It is performed after the four-way handshake. The authenticator first sends a message that contains key information, MIC, and the GTK (Group Temporal Key) to the supplicant. After receiving the first message, the supplicant checks the validity of the message by using the replay counter. It then checks the MIC if the replay counter is valid. If the MIC is valid, the supplicant sends back the second message, which includes key information and MIC, to the authenticator. Once the second message is received by the authenticator, the authenticator checks the validity of the message as before. If the replay counter and the MIC are valid, the group key handshake is completed.

Messages exchanged between the supplicant and the authenticator in Fig 3.12:

1. EAPOL-key (key_info, key ID, keyRSN, MIC, GTK)
2. EAPOL-key (key_info, MIC)

Figure 3.12 IEEE802.1x group key handshake

3.6 802.11i
IEEE 802.11i provides two classes of security mechanisms to improve the security of wireless networks, namely pre-RSN and RSN security mechanisms. The pre-RSN security mechanisms are the original security mechanisms in the IEEE 802.11 specifications, such as shared key authentication for validating an unfamiliar station and WEP for enhancing confidentiality by protecting the transmitted data. The second class is the RSN security mechanism, which is constructed from many different security mechanisms. The components of RSN are introduced in the following sections.

3.6.1 RSN (Robust Security Networks)


IEEE 802.11i has a working group on the MAC layer that is named Task Group I (TGi). TGi focuses on research into enhancing the security of IEEE 802.11i, and its main mission is to define a standard named robust security networks (RSN). RSN is defined according to the IEEE 802.11i draft. It allows two devices in a wireless network to construct a robust security network association (RSNA) to ensure security. An RSN is formed by a large number of RSNAs. In this network, all the APs and stations contribute many RSNAs, and the RSNA is also defined in the IEEE 802.11i draft. It begins by applying the four-way handshake described earlier, which makes sure that both communicating parties hold a valid pairwise master key (PMK), establishes the temporal key, and confirms the cipher method used in the following session. The RSNA focuses on authentication frameworks such as 802.1X; it transports the authentication services and maintains the key management mechanisms. The four-way handshake provides much more robustness for managing the session keys.

However, providing authentication methods alone is not enough to achieve a robust and secure network, because many threats may occur. For confidentiality, the IEEE 802.11 standard chooses some cryptographic algorithms to ensure the confidentiality of the transferred data, some hash functions for checking the integrity of transferred frames and for data origin authentication, and some other algorithms for key generation. All of these algorithms share one characteristic: they are all symmetric algorithms. These algorithms are listed below.

Confidentiality:
    TKIP (RC4)
    WEP (RC4)
    CCM (AES-CTR)
    NIST Key Wrap

Integrity:
    HMAC-SHA-1
    HMAC-MD5
    TKIP (Michael MIC)
    CCM (AES-CBC-MAC)

Key generation:
    HMAC-SHA-1
    RFC 1750
    Proprietary

3.6.2 Key Hierarchy


The security of keys is particularly important in 802.11 because data confidentiality relies on the protection and use of the keys. 802.11i introduces the key hierarchy, which needs to meet the following requirements:

1. Keys should be generated randomly to reduce the probability that an adversary can obtain them by guessing.
2. Keys need to be changed frequently to prevent sophisticated cryptanalysis.
3. To protect enciphered data, keys should be protected in storage.
4. Keys must not be exposed to eavesdropping while transmitted.
5. Keys should be deleted when not needed.

In order to achieve these requirements, a key management scheme is needed, which defines the process of handling and controlling cryptographic keys and related material (such as initialization values) during their life cycle in a cryptographic system, including ordering, generating, distributing, storing, loading, escrowing, archiving, auditing, and destroying the material [S. Frankel, B. Eydt, L. Owens, K. Kent]. IEEE 802.11i has met the requirements and leaves the details open for implementation.

For pre-RSN or older security policies in 802.11, key management is not included in the specifications because WEP only uses a single key for all devices in a wireless local area network, and the key is entered manually. There is no need to distribute keys to stations. In RSN systems, an RSNA needs keys for encryption, integrity, and authentication. This makes the legacy method inefficient because each key is distributed manually. The IEEE 802.11i specifications define two key hierarchies for RSNAs. One is the Pairwise Key Hierarchy, designed for unicast protection. The other is the Group Key Hierarchy, for multicast/broadcast protection. These two key hierarchies are introduced below.

Pairwise Key Hierarchy

Figure 3.13 shows the pairwise key hierarchy. The two keys at the top of the hierarchy are called root keys. The root keys are the basis of all other keys in the key hierarchy. The two root keys in the Pairwise Key Hierarchy represent two ways other keys may be set up in an 802.11 RSNA device. Details are described as follows:

Pre-Shared Key (PSK): A PSK should be put into the wireless devices before the connection is established, and the key should be delivered over an out-of-band channel; that is, the person setting up the network may need to enter the key into the device manually. The 802.11i standard does not specify how to generate or distribute PSKs. The generation and distribution of PSKs is left to the implementers. PSKs can be generated using any kind of pseudo-random generator and distributed by, for example, a USB device that can be carried anywhere. No matter how the PSK is generated or distributed, the implementer should take care over any possible threats and design the key distribution process to be effective.

Authentication, Authorization, and Accounting Key (AAA Key): An AAA key, which is also called the Master Session Key (MSK), is handed over to APs through the Extensible Authentication Protocol (EAP) when an RSNA is established. The AAA key changes every time a user authentication request is invoked, and one AAA key is used in a user's session. The AAA key expires when its lifetime ends or the user initiates re-authentication. To deliver the AAA key, the EAP authentication method must provide a key generation method. All EAP mechanisms that support RSNs should be able to generate the AAA key for the RSN. The choice of EAP method is up to the implementers. Different APs or STAs may implement different EAP methods.

Figure 3.13 Pairwise key hierarchy (labels: Pre-Shared Key, 256 bits; AAA key, >= 256 bits, possible truncation; Pairwise Master Key, 256 bits; PRF; Pairwise Transient Key, 384 bits for CCMP, 512 bits for TKIP)

In Figure 3.13, a Pairwise Master Key (PMK) is derived from one of the two root keys, either the PSK or the AAAK. The PMK is used as a key-generating key, from which another key, the Pairwise Transient Key (PTK), is generated. The PTK is derived from the MAC addresses of the STA and AP, and a nonce created each time in the key generation process. The STA and AP addresses are used to protect against session hijacking and impersonation; the nonce is used to add additional random material. A PTK is composed of three components as follows:

EAP over LAN (EAPOL) Key Confirmation Key (EAPOL-KCK): the purpose of the EAPOL-KCK is to provide integrity and data origin authenticity for the STA-to-AP control frames during the setup of the RSN. The process also performs proof-of-possession of the PMK.

EAPOL Key Encryption Key (EAPOL-KEK): the EAPOL-KEK protects the confidentiality of keys or data in some RSN processes.

Temporal Key: the Temporal Key (TK) is used to encrypt and protect all the user traffic.

Figure 3.13 shows the length of the keys. Of the two root keys, the PSK is 256 bits long, while the AAA key can be 256 bits long or larger. The PMK is 256 bits long, and it needs a pseudo-random function to deliver the TK. The length of the TK may differ for the different confidentiality and integrity protocols used. In this case, 512 bits for TKIP and 384 bits for CCMP are used. The components of these two different TK are shown in Figure 3.14.

Figure 3.14 Transient key components
Pairwise transient key, TKIP (512 bits): EAPOL KCK (128 bits), EAPOL KEK (128 bits), TK (128 bits), MIC key (128 bits)
Pairwise transient key, CCMP (384 bits): EAPOL KCK (128 bits), EAPOL KEK (128 bits), TK (128 bits)
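The derivation in Figure 3.13 and the split in Figure 3.14, as an added example that is not part of the original chapter. The PRF construction, the label string and the use of one nonce from each side follow the IEEE 802.11i definition rather than the text above; the PMK, addresses and nonces are constructed sample values, and the function and key names are hypothetical.

```python
import hashlib
import hmac

PTK_BITS = {"CCMP": 384, "TKIP": 512}  # PTK lengths from Figure 3.13


def prf(key: bytes, label: bytes, data: bytes, n_bits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA-1(key, label || 0x00 || data || i), concatenated."""
    out = b""
    counter = 0
    while len(out) * 8 < n_bits:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[: n_bits // 8]  # truncate to the requested length


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, cipher):
    """Expand a 256-bit PMK into the PTK and split it into its components."""
    if len(pmk) != 32:
        raise ValueError("PMK must be 256 bits")
    # Sorting addresses and nonces lets AP and STA build the same input
    # without agreeing on who is "first".
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, PTK_BITS[cipher])
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if cipher == "TKIP":
        # The extra 128 bits are the two 64-bit Michael keys, one per direction.
        keys["MIC_AP_TO_STA"] = ptk[48:56]
        keys["MIC_STA_TO_AP"] = ptk[56:64]
    return keys


# Constructed sample inputs (not taken from any real network).
PMK = bytes(range(32))
AP_MAC = bytes.fromhex("02aabbccdd01")
STA_MAC = bytes.fromhex("02aabbccdd02")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()

if __name__ == "__main__":
    for cipher in PTK_BITS:
        print(cipher)
        keys = derive_ptk(PMK, AP_MAC, STA_MAC, ANONCE, SNONCE, cipher)
        for name, value in keys.items():
            print(f"  {name:14s} {len(value) * 8:3d} bits  {value.hex()}")
```

Because the MAC addresses and both nonces are inputs, a PTK is bound to one STA/AP pair and one handshake: changing any of them yields unrelated keys.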

Group Key Hierarchy


The other key hierarchy is the Group Key Hierarchy shown in Figure 3.15, and the key derived from PMK is called the Group Temporal Key (GTK). The GTK is usually generated by the AP and delivered to its associated STAs. The generation of a GTK is still undefined in the IEEE 802.11 specification, and it depends on each implementer's implementation. But every implementation should obey the rule that the value must be computationally indistinguishable from random. Figure 3.15 shows that the GTK is 256 bits long for TKIP and 128 bits long for CCMP. Its standardization is still underway.

Figure 3.15 Group key hierarchy (labels: GMK; PRF; GTK for TKIP, 256 bits; GTK for CCMP, 128 bits)

3.6.3 Temporal Key Integrity Protocol (TKIP)


Although the RSN can provide some security mechanisms to enhance the security of IEEE 802.11 wireless networks, legacy devices may not have the capability to implement them. To enhance the security of legacy devices, pre-RSN was defined and TKIP is used to replace the WEP protocol. TKIP is a set of algorithms wrapping WEP. TKIP adds four new algorithms to WEP: a cryptographic Message Integrity Code (MIC) called Michael to exclude forged packets, an IV sequencing discipline to remove the replay attack, a per-packet key mixing function to de-correlate the IVs from weak keys, and a re-keying mechanism to provide fresh encryption and integrity keys. This section shows the TKIP features, the encapsulation and decapsulation procedures, and some countermeasures.

The features of TKIP in IEEE 802.11 are:
1. Use the RC4 algorithm for confidentiality protection.
2. Use the Michael message digest algorithm to check integrity against modification attacks.
3. Apply the frame sequencing mechanism for replay prevention.
4. Refresh the encryption key for each frame; this defends against the Fluhrer-Mantin-Shamir (FMS) attack, which can break a WEP-based WLAN.
5. Implement countermeasures when the STAs or APs find a MIC error; this error usually means that some active attack is taking place.

TKIP Encapsulation

TKIP encapsulation is built on WEP, but it adds some techniques in software, because it is required to be usable on legacy devices. The main features of TKIP encapsulation are:
1. The Michael message digest algorithm needs two 64-bit message integrity keys to produce the message integrity code. Each key is used for one half of the transmission between the STA and AP. The MIC is computed over the user data, source address, destination address and priority bits to check data integrity. TKIP also provides some countermeasures to mitigate the threats posed by attackers, because attackers can forge the MIC.
2. In each frame, TKIP adds a sequence counter to avoid replay attacks. The receiver drops frames that are not in order.
3. A two-phase process mixes the cryptographic key, which is refreshed for each frame sent; the TK and the sequence counter are required to create the dynamic key. The key mixing function is shown in Figure 3.16.

The key mixing function, also called the temporal key hash, produces the 128-bit RC4 per-frame encryption key. This function takes as input the 128-bit Temporal Key (TK), the 48-bit Transmitter's Address (TA) and the 48-bit IV. The 48-bit IV is often called the TKIP Sequence Counter (TSC). The 32 most significant bits of the TSC are represented by IV32 and the 16 least significant bits of the TSC are represented by IV16 here. The key mixing function outputs a 128-bit WEP key, the first three bytes of which are derived from the TSC. TKIP key mixing has two phases. The input to phase 1 is TK, TA and IV32. The output of phase 1 is the 80-bit Phase 1 Key (P1K). The P1K is part of the input to phase 2. P1K is the same for consecutive frames with the same TK, TA and IV32. Therefore, P1K is often calculated only once for the first frame and cached for the next phase, though in theory it can be calculated for every frame. Phase 2 takes as input P1K, TK and IV16, and outputs the 128-bit WEP key for the RC4 encryption algorithm. d is a dummy byte designed to avoid weak keys. The key mixing process can be described as follows:

P1K = Phase1 (TK, TA, IV32)
RC4Key = Phase2 (P1K, TK, IV16)

Figure 3.16 TKIP key mixing (labels: 128-bit TK; 48-bit TA; 48-bit IV (TSC), upper 32 bits and lower 16 bits; Phase 1; Phase 2; per-packet key; RC4 encrypted key)

The procedure for TKIP encapsulation is shown in Figure 3.17.

Figure 3.17 TKIP encapsulation (labels: TK; TA; sequence; Phase 1; TTAK; Phase 2; WEP key; MIC key; SA + DA + MSDU plaintext; Michael; fragmentation; WEP encapsulation; encrypted MPDU)

TKIP decapsulation

Decapsulation comes with some checks. The first is the check for the sequence order. The frame will be discarded if it is out of order. The MIC is the following one. It compares the MIC in the frame with the MIC computed by the receiver itself. The countermeasures are invoked if the two MICs do not match. Figure 3.18 shows the procedure of TKIP decapsulation.

Figure 3.18 TKIP decapsulation (labels: TSC; TK; reverse mixing of the IV; Phase 1 key mixing; Phase 2 key mixing; WEP seed; encrypted MPDU; WEP; ordered / non-ordered MPDU; discard; MPDU plaintext; recombination; MIC key; Michael; MIC check of MIC against MIC'; success; fail; countermeasure)

TKIP countermeasures

Countermeasures are used when the MIC check fails. The Michael MIC check is much stronger than the usual CRC check, but it is still a weak protection against existing attacks, and the countermeasures are needed for any failure of the MIC checks. The countermeasures are:
1. Logging security events: an active attack may be taking place when the MIC check fails, so the system administrator should check the events.
2. Limiting MIC failures: from a large number of attacks in a limited time, the attacker may learn what the Michael key is. Therefore, it is required to limit the MIC failures in a limited time. For example, permit 3 failures per minute.
3. Changing the PTK or GTK: re-initialize the temporal key.
4. Blocking the IEEE 802.1X ports: block the control ports since the authentication mechanism is used.

3.6.4. Counter Mode with Cipher Block Chaining MAC Protocol (CCMP)
CCMP is another protocol for protecting data confidentiality and integrity, but in contrast to TKIP, CCMP was created without the constraint of supporting old devices, and it is considered the long-term solution for the IEEE 802.11 WLAN. CCMP uses CCM, which is a block cipher mode of operation for AES. CCM can be applied to any 128-bit block cipher. There are two important components in CCM: counter mode (CTR) and the Cipher Block Chaining MAC (CBC-MAC) Protocol. Figures 3.19 and 3.20 show the CTR and the CBC protocol. The features of CCMP are:
1. Use only one key for encipherment and integrity check to improve performance.
2. Provide an integrity check for both the frame header and the frame payload.
3. Some cryptographic parameters can be computed before the frame is processed, which reduces the execution time of the security mechanisms.
4. Lower cost due to the small software and hardware implementation size.
5. Minimize the size of security-related fields.
6. No additional patents.

Figure 3.19 Counter mode (labels: M1, M2; Counter, Counter+1; AES; XOR; C1, C2)

Figure 3.20 CBC mode (labels: IV; Block1, Block2; XOR; Encryption; Cyphered)

CCMP Encapsulation
The main steps of CCMP encapsulation are:
1. Increment the packet number (PN) for each individual session.
2. Derive the nonce from the PN and part of the address field.
3. Compose the CCMP header from the Temporal Key ID and the PN.
4. Build the Additional Authentication Data (AAD) from the frame header.
5. Use the nonce, the AAD, and the plaintext data as the input to CCM, with the TK as the key.
6. Concatenate the packet header, the CCM header, and the enciphered data as the ciphertext frame.

Figure 3.21 shows the encapsulation of CCMP.
Figure 3.21 CCMP encapsulation (labels: plaintext MPDU with MAC header and data; KeyID; PN, 48 bits; increment PN; A2; TK, 128 bits; construct AAD; construct nonce; CCM encryption, AES, K=16, M=8, L=2; ciphertext MPDU with MAC header, CCM header, encrypted data and MIC)

CCMP Decapsulation

The main steps of CCMP decapsulation are:
1. Parse the frame to rebuild the AAD and the nonce; the AAD comes from the header.
2. The nonce is rebuilt from the PN, the destination address and the priority field.
3. Check the MIC.
4. Recover the plaintext by using the TK, nonce, AAD, and the enciphered payload.
5. Compare the PN in the frame with the counter kept for the session; the received one must be the greater one, or the frame will be discarded.

The process for CCMP decapsulation is shown in Figure 3.22.
Figure 3.22 CCMP decapsulation (labels: ciphertext MPDU with MAC header, CCM header, encrypted data and MIC; PN, 48 bits; TK, 128 bits; A2; construct AAD; construct nonce; CCM encryption, AES, K=16, M=8, L=2; PN check, out-of-sequence; MPDU OK; plaintext MPDU with MAC header and data)
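Steps 1 to 3 of encapsulation and the PN comparison of decapsulation, as an added example that is not part of the original chapter. The 8-byte CCMP header layout and the 13-byte nonce layout (priority, A2, PN) are taken from IEEE 802.11i rather than from the text above; the class and function names are hypothetical, the address is a constructed value, and the CCM encryption itself is left to an AES-CCM library.

```python
PN_MAX = (1 << 48) - 1  # the PN is a 48-bit counter


def ccmp_header(pn: int, key_id: int) -> bytes:
    """Layout: PN0 PN1 reserved (ExtIV | KeyID) PN2 PN3 PN4 PN5."""
    if not 0 < pn <= PN_MAX or not 0 <= key_id <= 3:
        raise ValueError("PN or Key ID out of range")
    p = pn.to_bytes(6, "little")  # p[0] is PN0, the least significant byte
    return bytes([p[0], p[1], 0x00, 0x20 | (key_id << 6), p[2], p[3], p[4], p[5]])


def parse_ccmp_header(hdr: bytes):
    """Return (pn, key_id) from a received CCMP header."""
    if len(hdr) != 8 or not hdr[3] & 0x20:
        raise ValueError("not a CCMP header")
    pn_bytes = bytes([hdr[0], hdr[1], hdr[4], hdr[5], hdr[6], hdr[7]])
    return int.from_bytes(pn_bytes, "little"), hdr[3] >> 6


def ccm_nonce(priority: int, a2: bytes, pn: int) -> bytes:
    """13-byte CCM nonce (L=2): priority byte, transmitter address A2, PN."""
    if len(a2) != 6:
        raise ValueError("A2 must be a 6-byte MAC address")
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")


class CcmpSender:
    """Keeps the per-key PN so that no nonce is ever used twice with one TK."""

    def __init__(self, a2: bytes, key_id: int = 0):
        self.a2, self.key_id, self.pn = a2, key_id, 0

    def next_frame(self, priority: int = 0):
        if self.pn >= PN_MAX:
            # Wrapping would repeat a nonce under the same TK: rekey instead.
            raise RuntimeError("PN space exhausted, a new TK is required")
        self.pn += 1
        return ccmp_header(self.pn, self.key_id), ccm_nonce(priority, self.a2, self.pn)


class ReplayCheck:
    """Receiver side: accept a frame only if its PN is greater than the last one."""

    def __init__(self):
        self.last_pn = 0

    def accept(self, hdr: bytes, mic_ok: bool) -> bool:
        pn, _key_id = parse_ccmp_header(hdr)
        if not mic_ok:
            return False  # a forged frame must never advance the counter
        if pn <= self.last_pn:
            return False  # replayed or out-of-sequence frame: discard
        self.last_pn = pn
        return True
```

Advancing the receive counter only after the MIC verifies keeps a forged frame with a large PN from locking out the legitimate sender.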

3.7 Security threats: passive


Passive security threats are attacks in which an unauthorized party obtains information about the traffic content. There are two kinds of passive attacks: eavesdropping and traffic analysis.

3.7.1. Eavesdropping
In a wireless network the attacker can easily capture the frames transferred from one station to another in the same local area network. Encryption does not prevent this capture, which may be performed for different purposes.

3.7.2. Traffic Analysis


As the last section showed, the attacker can get information from a frame no matter what it carries. The payload is not the only target: other fields may provide some information about the key or about the MIC check, and analyzing these fields may reveal part of the key information and give the attacker a chance to break the encryption or forge MIC data.

3.8 Security threats: active


Active security threats are attacks that may modify the content or traffic of messages. Active attacks sometimes succeed because of a lack of defense mechanisms. Active attacks include message injection/active eavesdropping, message deletion and interception, masquerading and malicious AP, session hijacking, man-in-the-middle attack, and DOS attack.

3.8.1 Message Injection/Active Eavesdropping


Attackers can modify the content of a frame or other fields by using modified devices, although most devices are built to allow only 802.11 traffic. In this case, the attacker can pass the integrity check by modifying the MIC field, or modify the payload of a frame and replay it against a system that has no replay attack prevention.

3.8.2 Message Deletion and Interception


Given the nature of a wireless network, it seems impossible to delete a packet sent over a wireless channel. But methods to delete a frame in the wireless channel do exist. They need another antenna to interfere with the receiver's antenna; after the interference the receiver gets a corrupted frame and the integrity check may not pass. In the end the receiver can only drop the received packet, and the attacker achieves his goal. Message interception works much like message deletion. But for interception, the attacker must be able to control the frames sent to the receiver. That is, the attacker can decide which packets will be sent and which will be discarded. To achieve this, the attacker needs one antenna to delete the frame sent to the remote antennas, and another one to get the frame. Based on the content of the frame, the attacker decides whether the packet will be sent or not. The receiver receives only the chosen frames and does not know that an attacker is interfering with the frames, and modified or newly created frames will be sent later to the receiver.

3.8.3 Masquerading and Malicious AP


If there is no protection or integrity check for the MAC address, the attacker can easily modify the MAC address in its frames. This is more dangerous if the system uses only the MAC address to identify another wireless device. So it is easy for an AP to masquerade as another AP, and STAs can do the same by spoofing. It is dangerous for a station to associate with a malicious AP.

3.8.4. Session Hijacking


Session hijacking happens after a session has passed the authentication process. First, the attacker disconnects an authenticated device from its session. In the second step the attacker masquerades as the victim and sends and receives frames as the victim in the session. But there are mechanisms that prevent this kind of attack, such as the protection of confidentiality and integrity. In that case, the attacker cannot create valid frames to communicate with the AP, and gains nothing from the session hijacking.

3.8.5. Man-in-the-Middle attack

In contrast to message interception, the man-in-the-middle attack needs to participate in the connection. If the attacker is not in any connection, it needs to break another connection first and then insert itself into that connection to carry out the man-in-the-middle attack. The attacker needs to act as the AP toward the victim station and as a station toward the victim AP. Another way to implement a man-in-the-middle attack is ARP spoofing, just as in a wired LAN.

3.8.6. DOS attack


DOS attack includes three main kinds of attack.

Beacon flood: Many attackers masquerade as different APs and send many frames with different SSIDs, so that the station sees tens or hundreds of APs in the network and its traffic slows down.

Authentication flood: This uses a method similar to the previous one, but the attacker masquerades as many stations. The attacker can send a large number of authentication frames to the AP; since the AP spends a slice of time processing each authentication request, the authentication frames can hang the AP.

Deauthentication flood: The victim of a deauthentication flood is a pair of AP and STA. Because the deauthentication frame is not encrypted, attackers can deauthenticate any session easily. A large number of deauthentication frames may make the AP and STA pair spend a lot of time re-establishing the connection.
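A monitoring-side view of the three floods described above, as an added example that is not part of the original chapter: it counts management frames per time window and raises an alert when a flood signature exceeds a limit. The frame records, addresses and thresholds are constructed for illustration, and the function names are hypothetical.

```python
from collections import defaultdict

# Assumed per-window limits; tune them against a baseline of the monitored site.
LIMITS = {"beacon": 20, "auth": 10, "deauth": 5}


def detect_floods(frames, window_s=1.0, limits=LIMITS):
    """Return sorted alerts (window_start, kind, subject) for management frames."""
    beacons = defaultdict(set)   # window -> distinct beaconing addresses
    auths = defaultdict(set)     # (window, AP) -> distinct claimed station addresses
    deauths = defaultdict(int)   # (window, AP/STA pair) -> deauthentication frames
    for f in frames:
        w = int(f["ts"] // window_s)
        if f["subtype"] == "beacon":
            beacons[w].add(f["src"])
        elif f["subtype"] == "auth":
            auths[(w, f["dst"])].add(f["src"])
        elif f["subtype"] == "deauth":
            # Direction does not matter: either side of the pair can be spoofed.
            deauths[(w, tuple(sorted((f["src"], f["dst"]))))] += 1
    alerts = []
    for w, sources in beacons.items():
        if len(sources) > limits["beacon"]:
            alerts.append((w * window_s, "beacon flood", len(sources)))
    for (w, ap), stations in auths.items():
        if len(stations) > limits["auth"]:
            alerts.append((w * window_s, "authentication flood", ap))
    for (w, pair), count in deauths.items():
        if count > limits["deauth"]:
            alerts.append((w * window_s, "deauthentication flood", pair))
    return sorted(alerts, key=lambda a: (a[0], a[1]))


# Constructed sample capture (not from a real network).
AP, STA, BCAST = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:01", "ff:ff:ff:ff:ff:ff"


def mac(n):
    return "02:00:00:00:%02x:%02x" % (n >> 8, n & 0xFF)


def sample_frames():
    # Seconds 0-2: one legitimate AP beaconing ten times per second.
    frames = [{"ts": 0.1 * i, "subtype": "beacon", "src": AP, "dst": BCAST}
              for i in range(30)]
    # Second 3: beacons from 50 different claimed APs.
    frames += [{"ts": 3.0 + 0.01 * i, "subtype": "beacon", "src": mac(i), "dst": BCAST}
               for i in range(50)]
    # Second 5: authentication requests from 40 different claimed stations.
    frames += [{"ts": 5.0 + 0.01 * i, "subtype": "auth", "src": mac(100 + i), "dst": AP}
               for i in range(40)]
    # Second 7: 25 deauthentication frames for one AP/STA pair.
    frames += [{"ts": 7.0 + 0.02 * i, "subtype": "deauth", "src": AP, "dst": STA}
               for i in range(25)]
    # Second 9: a single, ordinary deauthentication.
    frames.append({"ts": 9.0, "subtype": "deauth", "src": STA, "dst": AP})
    return frames


if __name__ == "__main__":
    for alert in detect_floods(sample_frames()):
        print(alert)
```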

3.9 Summary
With the development and enhancement of 802.11 wireless networks, this technology has spread widely. Although the nature of a wireless network leaves messages in transit easily exposed, it keeps becoming more popular. The IEEE 802.11 alliance selected WEP as its solution to provide security equivalent to that of a wired network, but WEP was proved to be a weak method a few years later. To fulfill the security requirements of 802.11 WLANs, IEEE 802.11 provides a much more complete solution, 802.11i. 802.11i provides many security features, such as adopting 802.1X port-based access control to support authentication and access control, two classes of key hierarchy for key generation and distribution, and two protocols for enhancing data confidentiality and integrity in pre-RSN and RSN environments. The threats are also discussed. Various kinds of attacks and threats are reported every day and are becoming more complicated. Although the security mechanisms have grown considerably, no one can yet ensure that an 802.11 wireless network is safe.

3.10 Reference
[Arbaugh 01] William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan, "Your 802.11 Wireless Network has No Clothes", Mar. 2001.
[CHENG 05] Jyh-Cheng Chen, Ming-Chia Jiang, and Yi-Wen Liu, "Wireless LAN security and IEEE 802.11i", Feb. 2005.
[Frankel 06] S. Frankel, B. Eydt, L. Owens, K. Kent, "Draft Guide to IEEE 802.11i Establishing Robust Security Networks", June 2006.
[Gable 05] Eliot Gable, "802.11 Wireless Authentication and Encryption", Mar. 2005.
[He] C. He, J. C. Mitchell, "Security Analysis and Improvements for IEEE 802.11i".
[Karygiannis 02] Tom Karygiannis, Les Owens, "Wireless Network Security 802.11, Bluetooth and Handheld Devices", Nov. 2002.