3.6.4 CCMP
3.7 Security Threats: Passive
3.7.1 Eavesdropping
3.7.2 Traffic Analysis
3.8 Security Threats: Active
3.8.1 Message Injection/Active Eavesdropping
3.8.2 Message Deletion and Interception
3.8.3 Masquerading and Malicious AP
3.8.4 Session Hijacking
3.8.5 Man-in-the-Middle
3.8.6 DOS attack

LIST OF TABLES
3.1 Comparison among 802.11 families
3.2 WEP, WPA, WPA2 comparison

LIST OF FIGURES
3.1 Ad Hoc mode
3.2 Infrastructure mode
3.3 Basic Service Set (BSS)
3.4 Extended Service Set (ESS)
3.5 Open System authentication
3.6 Shared Key authentication
3.7 Wired Equivalent Privacy (WEP) encryption
3.8 Wired Equivalent Privacy (WEP) decryption
3.9 IEEE 802.1x framework
3.10 802.1x Communication/Authentication
3.11 IEEE 802.1x four-way handshake
3.12 IEEE 802.1x group-key handshake
3.13 Pairwise key hierarchy
3.14 Transient key component
3.15 Group key hierarchy
3.16 TKIP key mixing
3.17 TKIP encapsulation
3.18 TKIP decapsulation
3.19 Counter mode
3.20 CBC mode
This section introduces the family of 802.11, which includes data rate, transmission distance, frequency band, modulation, and so on.
IEEE 802.11, also known by the brand Wi-Fi (which stands for "Wireless Fidelity"), is the original version of the standard. Released in 1997, IEEE 802.11 specifies two raw data rates of 1 and 2 megabits per second (Mbps), transmitted via infrared (IR) signals or by either frequency-hopping spread spectrum (FHSS) or direct-sequence spread spectrum (DSSS) in the 2.4 GHz frequency band. Unfortunately, 802.11 only supported a maximum bandwidth of 2 Mbps. For this reason, ordinary 802.11 wireless products are no longer being manufactured.
IEEE ratified 802.11a in 1999, and 802.11b was approved at about the same time. Due to its high cost, 802.11a is usually found on business networks, whereas 802.11b better serves the home market. 802.11a supports bandwidth up to 54 Mbps, uses the 5 GHz frequency band, and operates with orthogonal frequency-division multiplexing (OFDM) modulation. This higher frequency compared to 802.11b limits the range of 802.11a networks. The higher frequency also means 802.11a signals have more difficulty penetrating walls and other obstructions. Because 802.11a and 802.11b utilize different frequencies, the two technologies are incompatible with each other. Some vendors offer hybrid 802.11a/b network gear, but these products simply implement the two standards side by side (each connected device must use one or the other).
interference from microwave ovens, cordless phones, and other appliances using the same 2.4 GHz band. 802.11b cards can operate at 11 Mbps, but will scale back to 5.5, then 2, then 1 Mbps if signal quality becomes an issue. Extensions have been made to the 802.11b protocol (for example, channel bonding and burst transmission techniques) in order to increase speed to 22 Mbps, but the extensions are proprietary and have not been endorsed by the IEEE. Many companies call enhanced versions "802.11b+".
3.1.5 Modification
Several other standards for wireless local area networks have been ratified. A brief introduction is given below.

IEEE 802.11c: IEEE 802.11c was ratified in October of 1998. It provides requirements of 802.11-specific MAC procedures to the ISO/IEC (International Organization for Standardization/International Electrotechnical Commission). In particular, it adds a sub-clause under 2.5 Support of the Internal Sublayer Service, to cover bridge operations with 802.11 MACs.

IEEE 802.11d: IEEE 802.11d, ratified in July of 2001, is an amendment to the base 802.11 specification that adds support for "additional regulatory domains". This support includes the addition of a country information element to beacons, probe requests, and probe responses. This modification allows the 802.11 standard to operate in countries that are not served by the standard.

IEEE 802.11e: IEEE 802.11e has been approved as a standard which attempts to enhance the 802.11 MAC to increase the quality of service (QoS) possible for LAN applications. The standard is considered of critical importance for delay-sensitive applications, such as Voice over Wireless IP and streaming multimedia.

IEEE 802.11f: IEEE 802.11f was finished in 2002. The standard was developed as a practice that provides AP communication among multiple servers. The purpose is to increase compatibility between Access Point devices from different vendors.

IEEE 802.11h: IEEE 802.11h is the IEEE standard for spectrum and transmit power management in the 5 GHz band. The standard solves problems like interference with radar in some European countries. It provides Dynamic Frequency Selection (DFS) and Transmit Power Management (TPM). DFS means channel selection to reduce interference to radar. TPM means the average power is kept below the regulatory maximum power to decrease interference to radar.
allowed to send data through the access point to the distribution system. The connection is necessary for the distribution system to know where to deliver data to the mobile station.

De-association: De-association is used to disconnect mobile devices from an access point. This occurs when the mobile devices no longer require the service of the distribution system. If the station or wireless device wants to obtain the service again, it must begin a new association with the access point.

Re-association: The re-association service is similar to the association service. This occurs when the mobile devices leave the ESS, lose the connection with the access point with which they are associated, and need to become associated with a new access point.

Distribution: Distribution is the primary service used by an 802.11 station. A device uses the distribution service every time it sends MAC frames through the distribution system. The distribution service provides the distribution system with only enough information to determine the proper destination BSS for the MAC frame.

Integration: The integration service connects the 802.11 WLAN to other LANs, including one or more wired LANs or 802.11 WLANs. The integration service delivers 802.11 frames to another network or from other networks to 802.11 WLANs.
provide access control equivalent to a wired LAN. After the authentication and association process, wireless devices can begin to transmit and receive data. If wireless devices are configured with a key that differs from that of the access point, the devices will not be able to encrypt or decrypt data frames correctly. Consequently, the frames will be discarded by both the client and the access point. In this section, we will first introduce open system authentication and then shared key authentication.
1. The supplicant sends a registration request that contains the identity of the supplicant to the authenticator.
2. The authenticator then responds with a plaintext challenge packet to the supplicant.
3. The supplicant encrypts the challenge packet using the shared WEP key and sends the result back to the authenticator.
4. If the authenticator can decrypt the response packet and retrieve the original challenge, it sends the supplicant a success message.

[Figure 3.6 Shared Key authentication, between supplicant and authenticator: 1. registration request; 2. challenge (a random number R); 3. response (sign R by shared key); 4. build up authentication relationship]
802.11i protocol, which was called WPA. WPA was intended to still have security concerns in wireless network. When the IEEE ratified the 802.11i protocol in 2004, the Wi-Fi Alliance adopted the protocol as WPA2. In Section 3.4, we first introduce WEP in Section 3.4.1, including its encryption and decryption algorithms, and then introduce WPA in Section 3.4.2. Finally, WPA2 is introduced in Section 3.4.3.
[Figure 3.7 Wired Equivalent Privacy (WEP) encryption. Labels: IV, Key, RC4 PRNG, Plain text, CRC32, ICV, Cipher Text]

In contrast, in WEP decryption, as shown in Figure 3.8, the received encrypted packet consists of the Initial Vector (IV), ciphertext, and ICV. The Initial Vector is not encrypted while transmitted.
The IV is concatenated with the shared secret key and The decrypted data
(plaintext) is obtained by XORing the key stream and ciphertext with the ICV. Then the same integrity algorithm (CRC-32) used in WEP encryption is applied to the plaintext to generate a new ICV. This ICV is compared with the original ICV appended to the data. If the two ICVs match, the data is valid. Otherwise, the data must have been modified during transmission and will be rejected by the system.
[Figure 3.8 Wired Equivalent Privacy (WEP) decryption. Labels: Key, IV, RC4 PRNG, CRC32, CRC32', Yes]

Two main vulnerabilities in WEP are the use of a 32-bit CRC checksum and a 24-bit Initialization Vector (IV) for the encryption algorithm. The CRC checksum is intended to detect unintentional errors in the packet. Attackers can still modify the packet and calculate a new CRC checksum as if the packet had not been modified. The problem with the 24-bit IV is that the IV domain is not large enough to guarantee that each IV is used only once. Attackers can observe sufficient network traffic to completely exhaust the entire domain of the 24-bit IVs. The attacker can eavesdrop on two encrypted packets with the same IV to reduce the probability of cracking the encryption key. Consequently, WEP is insecure.
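The two weaknesses named above can be reproduced with the WEP construction as this section describes it (IV concatenated with the key as the RC4 seed, CRC-32 as the ICV). The following is an added example, not code from the original document; the key, IV, payloads, helper names and the little-endian ICV byte order are assumptions constructed for illustration.

```python
import zlib

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """RC4 PRNG: n key-stream bytes from the seed (IV || shared key)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    # ICV = CRC-32 of the plaintext (little-endian byte order assumed here).
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]             # the IV travels unencrypted
    body = xor_bytes(ct, rc4_keystream(iv + key, len(ct)))
    data, received_icv = body[:-4], body[-4:]
    if icv(data) != received_icv:
        raise ValueError("ICV mismatch: frame rejected")
    return data

def same_iv_xor(frame_a: bytes, frame_b: bytes) -> bytes:
    """Weakness 1: equal IVs give equal key streams, so the key stream
    cancels and the result is (P_a || ICV_a) XOR (P_b || ICV_b)."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor_bytes(frame_a[3:], frame_b[3:])

def apply_delta_without_key(frame: bytes, delta: bytes) -> bytes:
    """Weakness 2: CRC-32 is unkeyed and affine,
    crc(p ^ d) = crc(p) ^ crc(d) ^ crc(00..0), so the ICV of a modified
    payload can be corrected inside the ciphertext without the key."""
    icv_delta = xor_bytes(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor_bytes(frame[3:], delta + icv_delta)

# Constructed sample values (not from the original document).
KEY = bytes.fromhex("0102030405")             # 40-bit shared key
IV = bytes.fromhex("00002a")                  # 24-bit IV
P1 = b"sensor-07 temp=21"
P2 = b"sensor-07 temp=35"

def demo():
    f1, f2 = wep_encrypt(KEY, IV, P1), wep_encrypt(KEY, IV, P2)
    leak_matches = same_iv_xor(f1, f2)[:len(P1)] == xor_bytes(P1, P2)
    altered = apply_delta_without_key(f1, xor_bytes(P1, P2))
    return leak_matches, wep_decrypt(KEY, altered)

if __name__ == "__main__":
    print(demo())
```

The receiver accepts the altered frame because the ICV depends only on the data, not on any secret; this is the gap that the keyed MICs of TKIP and CCMP close.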
possible to monitor initial key exchanges and launch dictionary attacks to break the key. WPA was never intended as a robust security solution; it was only a better wireless security solution than WEP while WPA2 was not yet ratified.
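Table 3.2 WEP, WPA, WPA2 comparison

|                      | WEP  | WPA        | WPA2       |
|----------------------|------|------------|------------|
| Transport protocol   | WEP  | 802.1x/EAP | 802.1x/EAP |
| Encryption algorithm | RC4  | RC4        | AES        |
| Key management       | NONE | TKIP       | CCMP       |
| Cryptographic digest | None | MIC        | MIC        |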
network switches, and can be configured to authenticate hosts which are equipped with client software, denying unauthorized access to the network at the data link layer.
before the supplicant is authenticated. In this state, the authenticator blocks all traffic except 802.1x messages. 802.1x also defines EAP protocol that compresses EAP messages between the supplicant and authenticator. EAP messages are delivered from the supplicant to the authenticator server by PAE. In order to let server authenticate user information, the authenticator PAE compresses the same EAP messages in server (RADIUS) packet format and sends them to the authenticator server. Once the supplicant is authenticated successfully, the controlled port is authorized. The supplicant can obtain services through the controlled port. [J-C CHEN, M-C JIANG, AND Y-W LIU] WIRELESS LAN SECURITY AND IEEE 802.11I, February 2005
[Figure 3.9 IEEE 802.1x framework. Labels: Supplicant system (Supplicant PAE); Authenticator system (Authenticator PAE, Uncontrolled port); Authenticator server system (Authenticator server); EAP protocol exchanges carried in higher-layer protocol; LAN]
2. The authenticator sends an EAP-request/identity message to obtain the supplicant's identity.
3. Upon receipt of the EAP-request/identity message from the authenticator, the supplicant responds with the EAP-response/identity packet, which includes the client's identity.
4. Upon receipt of the EAP-response/identity, the authenticator PAE state transits to the authenticating state and then encapsulates the EAP-response/identity message in RADIUS-access-request and sends it to the authentication server.
5. The authentication server challenges the supplicant to prove itself by sending a RADIUS-access-challenge to the authenticator.
6. The authenticator encapsulates the RADIUS-access-challenge in EAP-request/Auth and then sends it to the supplicant. Upon receipt of the message, the state of the supplicant changes to the authenticating state.
7. The supplicant responds with an EAP-response/Auth to the authenticator.
8. The authenticator relays it to the authentication server in the form of a RADIUS-access-request. The authentication server then either accepts or rejects the client's request for connection.
9. If the authentication server accepts the connection, it sends a RADIUS-access-accept to the authenticator and then the authenticator PAE state transits to the authenticated state. Afterwards, the authenticator PAE sends EAP-success to the supplicant.
10. Otherwise, the authentication server rejects the connection, and sends a RADIUS-access-reject to the authenticator. The authenticator PAE state transits
[Figure 3.10 802.1x Communication/Authentication. Message sequence among supplicant, authenticator and authentication server: EAPOL-start; EAPOL-request/identity; EAPOL-response/identity; RADIUS-access-request; RADIUS-access-challenge; authentication message exchange; RADIUS-access-request; multi-round authentication message exchanges; RADIUS-access-accept and EAP-success (authentication success); RADIUS-access-reject and EAP-failure; EAP-logoff (logoff)]
used once. After receiving the first message, the supplicant checks the validity of the message by using the replay counter. The replay counter is incremented with each EAPOL-key message. If the replay counter is smaller than or equal to the value kept in the supplicant, the message is discarded. Otherwise, the supplicant sends the second message, which contains its own nonce value (SNonce), key information, message integrity code (MIC), and the supplicant's RSN IE (Robust Security Network Information Element), to the authenticator. The RSN IE carries RSN security information including RSN capabilities, authentication, and cipher key selectors. An RSN IE can be used to distinguish between pre-RSN stations and RSN-capable stations. RSN-capable stations shall include the RSN IE in beacons, probe responses, association and re-association requests, and the second and third messages of the four-way handshake. In contrast, there is no RSN IE in messages sent by pre-RSN stations.

Upon receipt of the second message, the authenticator checks the validity of the message by using the replay counter. In addition, the authenticator verifies the MIC. If the MIC is incorrect, the message is discarded. Otherwise, the authenticator sends the third message, which contains the ANonce, key information, MIC, and the authenticator's RSN IE, to the supplicant. Upon receipt of the third message, the supplicant validates the message by checking the replay counter. It then compares the RSN IEs. If the RSN IEs are different, the connection between the supplicant and the authenticator will be disconnected. If the RSN IE is correct, the supplicant then checks the MIC. The supplicant sends back the fourth message if the MIC is valid. When the authenticator receives the fourth message, it first checks the replay counter. If the replay counter is valid, it then checks the MIC. The four-way handshake is completed if the MIC is valid.
[Figure 3.11 IEEE 802.1x four-way handshake, between supplicant and authenticator. Recoverable messages:
2. EAPOL-key (key_info, SNonce, MIC, RSN IE): the supplicant delivers another nonce to the AP so that it can generate the PTK.
3. EAPOL-key (key_info, ANonce, MIC, RSN IE): ensures the PTK is fresh.
4. EAPOL-key (key_info, MIC): this frame serves only as an ACK.]
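The supplicant-side checks on the third handshake message described above (replay counter, RSN IE comparison, MIC) can be written as a small validator. This is an added example, not code from the original document: the message layout is a simplified, hypothetical one rather than the on-air EAPOL-Key format, HMAC-SHA-1 truncated to 128 bits is assumed for the MIC, the RSN IE is assumed to be compared against the one seen earlier in the AP's beacon, and the KCK, nonce and RSN IE bytes are constructed samples.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

MIC_LEN = 16

@dataclass(frozen=True)
class EapolKey:
    """Simplified EAPOL-Key message (hypothetical layout for illustration)."""
    replay_counter: int
    nonce: bytes
    rsn_ie: bytes
    mic: bytes = bytes(MIC_LEN)

def compute_mic(kck: bytes, msg: EapolKey) -> bytes:
    # The MIC covers the message with the MIC field itself set to zero.
    body = (msg.replay_counter.to_bytes(8, "big") + msg.nonce
            + msg.rsn_ie + bytes(MIC_LEN))
    return hmac.new(kck, body, hashlib.sha1).digest()[:MIC_LEN]

def sign(kck: bytes, msg: EapolKey) -> EapolKey:
    return replace(msg, mic=compute_mic(kck, msg))

class SupplicantState:
    def __init__(self, kck: bytes, rsn_ie_from_beacon: bytes):
        self.kck = kck
        self.expected_rsn_ie = rsn_ie_from_beacon
        self.last_counter = 0

    def on_message3(self, msg: EapolKey) -> str:
        # The order of the checks follows the description in the text.
        if msg.replay_counter <= self.last_counter:
            return "discard: replay counter not fresh"
        if msg.rsn_ie != self.expected_rsn_ie:
            # A changed RSN IE means the advertised ciphers were altered.
            return "disconnect: RSN IE mismatch"
        if not hmac.compare_digest(compute_mic(self.kck, msg), msg.mic):
            return "discard: MIC invalid"
        # Advance the stored counter only for an authenticated message, so
        # unauthenticated frames cannot push the counter forward.
        self.last_counter = msg.replay_counter
        return "accept: send message 4"

# Constructed sample values (not from the original document).
KCK = bytes(range(16))
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
RSN_CCMP = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
RSN_TKIP = bytes.fromhex("30140100000fac020100000fac020100000fac020000")

def demo():
    sta = SupplicantState(KCK, RSN_CCMP)
    good = sign(KCK, EapolKey(2, ANONCE, RSN_CCMP))
    return [
        sta.on_message3(replace(good, nonce=bytes(32))),            # altered in transit
        sta.on_message3(sign(KCK, EapolKey(2, ANONCE, RSN_TKIP))),  # weaker cipher set
        sta.on_message3(good),                                      # genuine message 3
        sta.on_message3(good),                                      # same frame again
    ]

if __name__ == "__main__":
    for line in demo():
        print(line)
```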
The group key handshake is shown in Fig 3.12. It is performed after the four-way handshake. The authenticator first sends the message which contains key information, MIC, and GTK (Group Temporal Key) to the supplicant. After receiving the first message, the supplicant checks the validity of the message by using the replay counter. It then checks the MIC if the replay counter is valid. The supplicant sends back the second message, which includes key information and MIC, to the authenticator if the MIC is valid. Once the second message is received by the authenticator, the authenticator checks the validity of the message as before. If the replay counter and the MIC are valid, the group key handshake is completed.

[Figure 3.12 IEEE 802.1x group-key handshake. Recoverable labels: Supplicant; EAPOL-key (key_info, MIC)]
3.6 802.11i
IEEE 802.11i provides two classes of security mechanisms for wireless networks to improve security, namely, pre-RSN and RSN security mechanisms. The pre-RSN security mechanism includes the original security mechanism in the IEEE 802.11 specifications such as shared key authentication for validating an unfamiliar station, and using WEP to enhance the confidentiality by protecting the transmitted data. The second one is the RSN security mechanism, which is constructed from many different security mechanisms. The components of RSN will be introduced in the following sections.
main mission of is to define a standard named robust security networks (RSN). RSN is defined according to the IEEE 802.11i draft. It allows two devices in a wireless network to construct a robust security network association (RSNA) to ensure the security. In this network, all the APs and stations contribute many RSNAs, and the RSNA has also been defined in IEEE
described earlier to make sure that both communication parties get a valid pairwise master key (PMK), establish the temporal key, and confirm the cipher method used in the following session. The RSNA focuses on authentication frameworks such as 802.1X, and it transits the authentication services and maintains the key management mechanisms. The four-way handshake provides much more robustness for managing the session keys. But providing authentication methods alone is not enough to achieve a robust and secure network, for many threats may occur. For confidentiality, the IEEE 802.11 standard chooses some cryptography algorithms to ensure the confidentiality of the transferred data, some hash functions for checking the integrity of transferred frames and the data origin authentication, and some other algorithms for key generation. All of these algorithms have the same characteristic, that is, they are all symmetric algorithms. These algorithms are listed below.
Confidentiality:
- TKIP (RC4)
- WEP (RC4)
- CCM (AES-CTR)
- NIST Key Wrap

Integrity:
- HMAC-SHA-1
- HMAC-MD5
- TKIP (Michael MIC)
- CCM (AES-CBC-MAC)

Key generation:
- HMAC-SHA-1
- RFC 1750
- Proprietary
the specifications because WEP only uses a single key for all devices in a wireless local area network, and the key is entered manually. There is no need to distribute keys to stations. In RSN systems, RSNA needs keys for encryption, integrity, and authentication. This makes the legacy method inefficient because each key is distributed manually. IEEE 802.11i specifications define two key hierarchies for RSNAs. One is the Pairwise Key Hierarchy, designed for unicast protection. The other is the Group Key Hierarchy, for multicast/broadcast protection. The following is an introduction to these two key hierarchies.
Pairwise Key Hierarchy

Figure 3.13 shows the pairwise key hierarchy. The two keys on top of the whole hierarchy are called root keys. The root keys are the basis of all other keys in the key hierarchy. The two root keys in the Pairwise Key Hierarchy represent two ways other keys may be set up in an 802.11 RSNA device, as follows:

Pre-Shared Key (PSK): A PSK should be put into wireless devices before the association is established, and the key should be delivered over an out-of-band channel; that is, the person setting up the network may need to input the key into the device manually. In the 802.11i standard, there is no specification for how to generate or distribute the PSKs. The implementation of generation or distribution of PSKs is left to the implementers. The PSKs can be generated using any kind of pseudo-random generator and distributed by a USB device which can be brought anywhere, etc. No matter how the PSK is generated or distributed, the implementer should be careful about any possible threats and design the process of key distribution in an effective fashion.

Authentication, Authorization, and Accounting Key (AAA Key): An AAA key, which is also called the Master Session Key (MSK), is handed over through the Extensible Authentication Protocol (EAP) to APs when an RSNA is established. The AAA key is changed every time a user authentication request is invoked, and an AAA key is used in a user's session. The AAA key expires when its lifetime ends or the user initiates re-authentication. For the delivery of the AAA key, an EAP authentication method is needed to provide the key generation method. All of the EAP mechanisms that support RSNs should have the capability to generate the AAA key for the RSN. The EAP method to be selected is up to the implementer's decision. Different APs or STAs may have different implementations of EAP methods.
[Figure 3.13 Pairwise key hierarchy. Labels: Pairwise Master Key (256 bits); Pairwise Transient Key (384 bits for CCMP, 512 bits for TKIP)]

In Figure 3.13, a Pairwise Master Key (PMK) is derived from one of the two root keys, either the PSK or the AAAK. The PMK is used as a key-generating key, which is used for generating another key, the Pairwise Transient Key (PTK). The PTK is derived from the MAC addresses of the STA and the AP, and a nonce created each time in the key generation process. The STA and AP addresses are used to protect against session hijacking and impersonation; the nonce is used to add additional random material. A PTK is composed of three components as follows:

EAP over LAN (EAPOL) Key Confirmation Key (EAPOL-KCK): the EAPOL-KCK's purpose is to provide integrity and data origin authenticity for the STA-to-AP control frames during the setup of the RSN. The process also performs proof-of-possession of the PMK.

EAPOL Key Encryption Key (EAPOL-KEK): the EAPOL-KEK can provide protection for the confidentiality of keys or data in some RSN processes.

Temporal Key: The Temporal Key (TK) is used to encrypt and protect all the user traffic.

Figure 3.13 shows the length of the keys. Of the two root keys, the PSK is 256 bits long, while the AAA key can be 256 bits long or larger. The PMK is 256 bits long, and it needs a pseudo-random function to derive the TK. The length of the TK may be different for different confidentiality and integrity protocols used. In this case, 512 bits for TKIP and 384 bits for CCMP are used. The components of these two different TKs are shown in Figure 3.14.

[Figure 3.14 Transient key components. Labels: CCMP; EAPOL KCK (128 bits), EAPOL KEK (128 bits), TK (128 bits), MIC key (128 bits)]
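The derivation and split of the PTK described above can be followed in code. This is an added example, not code from the original document: it uses the 802.11i pseudo-random function (HMAC-SHA-1 iterated with a counter, label "Pairwise key expansion"), which the text refers to only as "a pseudo-random function", and the PMK, addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

PTK_BITS = {"CCMP": 384, "TKIP": 512}         # lengths given in Figure 3.13

def prf(key: bytes, label: bytes, data: bytes, bits: int) -> bytes:
    """802.11i PRF: HMAC-SHA-1(key, label || 0x00 || data || counter),
    one 160-bit block per counter value, truncated to the requested length."""
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[: bits // 8]

def derive_ptk(pmk: bytes, addr_a: bytes, addr_b: bytes,
               nonce_a: bytes, nonce_b: bytes, cipher: str) -> dict:
    """Derive the PTK and split it into the components of Figure 3.14."""
    if len(pmk) != 32:
        raise ValueError("PMK must be 256 bits")
    if len(addr_a) != 6 or len(addr_b) != 6:
        raise ValueError("MAC addresses must be 48 bits")
    # Sorting the inputs lets both sides compute the same value no matter
    # which of them is the AP and which nonce is their own.
    data = (min(addr_a, addr_b) + max(addr_a, addr_b)
            + min(nonce_a, nonce_b) + max(nonce_a, nonce_b))
    ptk = prf(pmk, b"Pairwise key expansion", data, PTK_BITS[cipher])
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if cipher == "TKIP":
        keys["MIC key"] = ptk[48:64]          # Michael keys, TKIP only
    return keys

# Constructed sample values (not from the original document).
PMK = hashlib.sha256(b"constructed example PMK").digest()
AP_ADDR = bytes.fromhex("020000000001")
STA_ADDR = bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()

def demo() -> dict:
    ap_view = derive_ptk(PMK, AP_ADDR, STA_ADDR, ANONCE, SNONCE, "CCMP")
    sta_view = derive_ptk(PMK, STA_ADDR, AP_ADDR, SNONCE, ANONCE, "CCMP")
    other_sta = derive_ptk(PMK, AP_ADDR, bytes.fromhex("020000000003"),
                           ANONCE, SNONCE, "CCMP")
    new_nonce = derive_ptk(PMK, AP_ADDR, STA_ADDR, ANONCE,
                           hashlib.sha256(b"next SNonce").digest(), "CCMP")
    return {
        "both sides agree": ap_view == sta_view,
        "bound to STA address": other_sta["TK"] != ap_view["TK"],
        "fresh per handshake": new_nonce["TK"] != ap_view["TK"],
    }

if __name__ == "__main__":
    print(demo())
```

Because the addresses are inputs to the PRF, a station with the same PMK but a different MAC address ends up with different keys, which is the protection against impersonation mentioned above.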
The other key hierarchy is the Group Key Hierarchy shown in Figure 3.15, and the key derived from the PMK is called the Group Temporal Key (GTK). The GTK is usually generated by the AP and delivered to its associated STAs. The generation of a GTK is still undefined in the IEEE 802.11 specification, and it depends on the implementation of different implementers. But every implementation should obey the rule that the value must be computationally indistinguishable from random. Figure 3.15 shows that the GTK is 256 bits long for TKIP and 128 bits long for CCMP. Its standardization is still underway.

[Figure 3.15 Group key hierarchy. Label: PRF]
Message Integrity Code (MIC) called Michael to exclude forged packets, an IV sequencing discipline to remove the replay attack, a per-packet key mixing function to de-correlate the IVs from weak keys and a re-keying mechanism to provide fresh encryption and integrity keys. This section will show all of the TKIP features, the encapsulation and de-capsulation procedures, and some countermeasures.

The following are the features of TKIP in IEEE 802.11:
1. Use the RC4 algorithm for confidentiality protection.
2. Use the Michael message digest algorithm to check integrity against modification attacks.
3. Apply the frame sequencing mechanism for replay prevention.
4. Refresh the encryption key for each frame; this is used to defend against an attack named the Fluhrer-Mantin-Shamir (FMS) attack, which can break a WEP-based WLAN.
5. Implement countermeasures when the STAs or APs find a MIC error; this error usually means there exists some active attack.

TKIP Encapsulation

TKIP encapsulation is built on WEP, but it includes some additional techniques implemented in software, because it is required to be usable on legacy devices. The following are the main features of TKIP encapsulation:
1. The Michael message digest algorithm needs two 64-bit message integrity keys for producing the message integrity code. Each key is used for one half of the transmission between the STA and the AP. The MIC is computed from the user data, source address, destination address and priority bits for checking data integrity. TKIP also provides some countermeasures to mitigate the threats invoked by attackers, because the attackers can forge the MIC.
2. In each frame, TKIP adds an additional sequence counter for avoiding replay attacks. The receiver drops frames that are not in order.
3. A two-phase process is used to mix the cryptographic key, which is refreshed for every frame sent; the TK and the sequence counter are required to create the dynamic key. The key mixing function is shown in Figure 3.16.
The key mixing function, also called the temporal key hash, produces the 128-bit RC4 per-frame encryption key. This function takes as input the 128-bit Temporal Key (TK), the 48-bit Transmitter's Address (TA) and the 48-bit IV. The 48-bit IV is often called the TKIP Sequence Counter (TSC). The 32 most significant bits of the TSC are represented by IV32 and the 16 least significant bits of the TSC are represented by IV16 here. The key mixing function outputs a 128-bit WEP key, the first three bytes of which are derived from the TSC. TKIP key mixing has two phases. The input to phase 1 is TK, TA and IV32. The output of phase 1 is the 80-bit Phase 1 Key (P1K). The P1K is part of the input to phase 2. P1K is the same for consecutive frames from the same TK, TA and IV32. Therefore, P1K is often calculated only once for the first frame and is cached for the next phase, though it can be calculated for every frame in theory. Phase 2 takes as input P1K, TK and IV16, and outputs the 128-bit WEP key for the RC4 encryption algorithm. d is a dummy byte designed to avoid weak keys. The key mixing process can be described as follows:

P1K = Phase1(TK, TA, IV32)
RC4Key = Phase2(P1K, TK, IV16)
[Figure 3.16 TKIP key mixing. Labels: 128-bit TK, 48-bit TA, Phase 1, Phase 2, IV]

[Figure 3.17 TKIP encapsulation. Labels: TK, TA, Phase 1, Sequence, MSDU plaintext]

TKIP decapsulation

De-capsulation comes with some checks. The first is the check for the sequence order. The frame will be discarded if it is out of order. The MIC is the following one. The receiver compares the MIC in the frame and the MIC computed by the receiver itself. The countermeasures are invoked if the two MICs do not match. Figure 6 6 shows the procedure of TKIP de-capsulation.
[Figure 3.18 TKIP decapsulation. Labels: TKIP TSC; TK; reverse mixing; IV; encrypted MPDU; Phase 1 key mixing; Phase 2 key mixing; WEP seed; WEP; ordered / non-ordered MPDU (discard); MPDU plaintext; recombination; MIC key; Michael; MIC check (MIC, MIC'): success, or fail and countermeasure]

TKIP countermeasures

Countermeasures are used when the MIC check fails. The Michael MIC check is much stronger than the usual CRC check, but it is still a weak protection against existing attacks, and the countermeasures are needed for any failure of the MIC checks. The following are the countermeasures:
1. Logging security events: Active attacks may be occurring when the MIC check fails; the system administrator should check the events.
2. Limiting MIC failures: With a large number of attacks in a limited time, the attacker may learn what the Michael key is. Therefore, it is required to limit the MIC failures in a limited time. For example, permit 3 failures per minute.
3. Changing the PTK or GTK: re-initialize the temporal key.
4. Blocking the IEEE 802.1X ports: block the control ports since the authentication mechanism is used.
3.6.4. Counter Mode with Cipher Block Chaining MAC Protocol (CCMP)
CCMP is another protocol for protecting data confidentiality and integrity, but in contrast to TKIP, CCMP is created with no constraint from old devices, and it is considered a long-term solution for the IEEE 802.11 WLAN. CCMP uses CCM, which is an encryption block cipher mode for AES. CCM can be applied to any 128-bit cipher system. There are two important components in CCM: counter mode (CTR) and Cipher Block Chaining MAC (CBC-MAC) Protocol. Figure 6 7 and 6 8 show the CTR and the CBC protocol. The following are the features of CCMP:
1. Use only one key for encipherment and integrity check to improve the performance.
2. Provide an integrity check for both the frame header and the frame payload.
3. Can compute some cryptographic parameters before the frame is processed, which can reduce the execution time of the security mechanisms.
4. Lower cost due to small software and hardware implementation size.
5. Minimize the size of security-related fields.
6. No additional patents.

[Figure 3.19 Counter mode. Labels: M1, M2; Counter, Counter+1; AES; XOR; C1, C2]

[Figure 3.20 CBC mode. Labels: IV; Block1, Block2; XOR; Encryption; Cyphered]
CCMP Encapsulation
The following are the main steps of CCMP encapsulation:
1. Increase the packet number (PN) for each individual session.
2. Derive the nonce using the PN and part of the address field.
3. Compose the CCMP header from the Temporal Key ID and the PN.
4. Build the Additional Authentication Data (AAD) from the frame header.
5. Use the nonce, AAD, and the plaintext data as the input to CCM with the TK as the key.
6. Concatenate the packet header, the CCM header, and the enciphered data as the ciphertext frame.

Figure 6 9 shows the encapsulation of CCMP.

[Figure 3.21 CCMP encapsulation. Labels: Plaintext MPDU; KeyID; PN (48); Data; A2; TK; Construct AAD; AAD; nonce; CCM encryption (AES, K=16, M=8, L=2, 128 bits); Ciphertext MPDU: MAC header, CCM header, Encrypted data, MIC]

CCMP Decapsulation

The main steps of decapsulation in the CCMP protocol are the following:
1. Parse the frame to rebuild the AAD and nonce; the AAD comes from the header.
2. The nonce is rebuilt from the PN, the destination address and the priority field.
3. Check the MIC.
4. Recover the plaintext by using the TK, nonce, AAD, and the enciphered payload.
5. Compare the PN in the frame and the counter kept for the session; the received one must be the greater one, or the frame will be discarded.

The process for CCMP decapsulation is shown in figure 6 10.
[Figure: CCMP decapsulation. Labels: Ciphertext MPDU: MAC header, CCM header, Encrypted data, MIC; PN (48); TK; A2; PN out-of-sequence check; CCM encryption (AES, K=16, M=8, L=2, 128 bits); MPDU OK; Plaintext MPDU: MAC header, Data]
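The header, nonce and packet-number handling in the encapsulation and decapsulation steps above can be shown without the cipher itself. This is an added example, not code from the original document: it narrows the procedure to the CCMP header layout, the 13-octet nonce (15 minus L, with L=2 as in the figure labels) and the receiver's PN check, takes A2 as the address used in the nonce as labelled in the figures, and receives the AES-CCM MIC verdict as a flag because AES-CCM is left to a crypto library; the class names and sample address are hypothetical.

```python
EXT_IV = 0x20                                  # Ext IV bit, always set for CCMP

def build_ccmp_header(pn: int, key_id: int) -> bytes:
    """8-octet CCMP header: PN0 PN1 Rsvd KeyID-octet PN2 PN3 PN4 PN5."""
    if not 0 < pn < 1 << 48:
        raise ValueError("PN must be a non-zero 48-bit value")
    if not 0 <= key_id <= 3:
        raise ValueError("Key ID is 2 bits")
    p = pn.to_bytes(6, "little")               # p[0] is PN0, the low octet
    return bytes([p[0], p[1], 0x00, EXT_IV | (key_id << 6),
                  p[2], p[3], p[4], p[5]])

def parse_ccmp_header(hdr: bytes):
    if len(hdr) != 8 or not hdr[3] & EXT_IV:
        raise ValueError("not a CCMP header")
    pn = int.from_bytes(hdr[0:2] + hdr[4:8], "little")
    return pn, hdr[3] >> 6

def build_nonce(priority: int, a2: bytes, pn: int) -> bytes:
    """CCM nonce: priority octet || A2 || PN (PN5 first), 13 octets."""
    if len(a2) != 6:
        raise ValueError("A2 must be 48 bits")
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")

class CcmpSender:
    def __init__(self, a2: bytes, key_id: int = 0):
        self.a2, self.key_id, self.pn = a2, key_id, 0

    def next_fields(self, priority: int = 0):
        self.pn += 1                           # step 1: a PN is never reused
        return (build_ccmp_header(self.pn, self.key_id),
                build_nonce(priority, self.a2, self.pn))

class CcmpReceiver:
    def __init__(self):
        self.last_pn = {}                      # replay counter per (A2, Key ID)

    def check(self, a2: bytes, hdr: bytes, mic_valid: bool) -> str:
        pn, key_id = parse_ccmp_header(hdr)
        if not mic_valid:                      # verdict of AES-CCM, passed in
            return "discard: MIC check failed"
        if pn <= self.last_pn.get((a2, key_id), 0):
            return "discard: PN not greater than replay counter"
        self.last_pn[(a2, key_id)] = pn        # only updated for valid frames
        return "accept"

STA_A2 = bytes.fromhex("020000000002")         # constructed transmitter address

def demo():
    tx, rx = CcmpSender(STA_A2), CcmpReceiver()
    h1, _ = tx.next_fields()
    h2, _ = tx.next_fields()
    return [rx.check(STA_A2, h2, True),        # PN 2 arrives first
            rx.check(STA_A2, h1, True),        # PN 1 is now out of sequence
            rx.check(STA_A2, h2, True)]        # PN 2 again is a replay

if __name__ == "__main__":
    print(demo())
```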
3.7.1. Eavesdropping
In a wireless network, the attacker can easily capture frames transferred from one station to another in the same local area network. This is not bothered by encryption and is performed for a different purpose.
It seems impossible to delete a packet sent over a wireless channel, because of the characteristics of the wireless network. But there still exist methods to delete a frame in the wireless channel. It needs another antenna for interfering with the receiver's antenna; after the interference the receiver gets an interfered frame and the integrity check may not pass. In the end the receiver can only drop the received packet, and the attacker achieves his goal. Message interception is similar to message deletion. But for interception, the attacker should have the ability to control the frames sent to the receiver. That is, the attacker can decide which packet will be sent and which will be discarded. To achieve this, the attacker needs one antenna to delete the frame sent to the remote antennas, and another one to get the frame. Based on the content of the frame, the attacker decides whether the packet will be sent or not. The receiver can only receive the chosen frames and does not know that there is an attacker interfering with the frames, and modified or created frames will be sent later to the receiver.
session. But there are some mechanisms to prevent this kind of attack, such as the protection of confidentiality and integrity. In this circumstance, the attacker cannot create valid frames to communicate with the AP, and the session hijacking cannot gain any benefit.
3.8.5. Man-in-the-Middle attack

In contrast to message interception, the man-in-the-middle attack needs to participate in the connection. If the attacker is not in any connection, it needs to try to break another connection and then become involved in that connection to carry out the man-in-the-middle attack. The attacker needs to act as an AP for the victim station and as a station to the victim AP. Another way to implement a man-in-the-middle attack is to do ARP spoofing, just as in a wired LAN.
The victim of a deauthentication flood is a pair of AP and STA. Because the deauthentication frame is not encrypted, attackers can deauthenticate any session easily. Large numbers of deauthentication frames may make the pair of AP and STA spend lots of time establishing the connection.
3.9 Summary
With the development and enhancement of 802.11 wireless networks, this technique has spread widely. Although the nature of wireless networks makes messages in transit easy to expose, they have still become much more popular. The IEEE 802.11 alliance selected WEP as its solution to provide security equivalent to the wired network, but WEP was proved to be a weak method a few years later. To fulfill the security requirements of the 802.11 WLAN, IEEE 802.11 provides a much more complete solution, 802.11i. 802.11i provides many security features, such as adopting 802.1X port-based access control to support authentication and access control, two classes of key hierarchy for key generation and distribution, and two protocols for enhancing data confidentiality and integrity in pre-RSN and RSN environments. The threats are also discussed. Various kinds of attacks and threats appear in reports every day and become more complicated. Though the security mechanisms have grown considerably, still no one can ensure that the 802.11 wireless network is safe.
3.10 Reference
[Arbaugh 01] William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan, "Your 802.11 Wireless Network has No Clothes", Mar. 2001
[CHENG 05] Jyh-Cheng Chen, Ming-Chia Jiang, and Yi-Wen Liu, "Wireless LAN security and IEEE 802.11i", Feb. 2005
[Frankel 06] S. Frankel, B. Eydt, L. Owens, K. Kent, "Draft Guide to IEEE 802.11i: Establishing Robust Security Networks", June 2006
[Gable 05] Eliot Gable, "802.11 Wireless Authentication and Encryption", Mar. 2005
[He] C. He, J. C. Mitchell, "Security Analysis and Improvements for IEEE 802.11i"
[Karygiannis 02] Tom Karygiannis, Les Owens, "Wireless Network Security: 802.11, Bluetooth and Handheld Devices", Nov. 2002