DIMACS Nov 3 - 4, 2004

WIRELESS SECURITY AND

ROAMING OVERVIEW
DIMACS
November 3-4, 2004

Workshop: Mobile and Wireless Security

Nidal Aboudagga*, Jean-Jacques Quisquater
UCL Crypto Group
Belgium
DIMACS Nov 3 - 4, 2004 2
Outline
Introduction
WEP
IEEE 802.1X
WPA
IEEE 802.11i
Roaming
Conclusion
DIMACS Nov 3 - 4, 2004 3

Why Wireless?

Mobility
Flexibility
Rapid deployment
Easy administration
Low cost
Simplicity of use
used in two modes:
Ad-Hoc
Infrastructure mode
DIMACS Nov 3 - 4, 2004 4
Wired Equivalent Privacy (WEP) (1)
Tried to ensure
Confidentiality
Integrity
Authenticity
Replaces the so-known MAC-address filtering
Uses the RC4 encryption algorithm to
generate a key stream
Uses a shared key K (40bit/104bit)

DIMACS Nov 3 - 4, 2004 5
Wired Equivalent Privacy (WEP) (2)
DIMACS Nov 3 - 4, 2004 6
Wired Equivalent Privacy WEP (3)
Uses standard challenge response
An initialization vector, IV/(24bit): per packet
number, sent in clear
WEP failed, because of many known attacks
IV Collision
Message injection
Authentication spoofing
Brute Force Attack
Weaknesses in the Key Scheduling Algorithm of
RC4)

DIMACS Nov 3 - 4, 2004 7
Network port authentication 802.1x (1)
Adapted to wireless use by IEEE 802.11
group
Based on Extensible Authentication Protocol
(EAP)
Three elements are in use with 802.1x
Supplicant (user)
Authenticator (access point)
Authentication server (usually RADIUS)
Uses key distribution messages
DIMACS Nov 3 - 4, 2004 8
IEEE802.1x Access Control
DIMACS Nov 3 - 4, 2004 9
IEEE 802.1x EAP authentication
DIMACS Nov 3 - 4, 2004 10
802.1X / EAP: Authentication methods
EAP-MD5: Vulnerable to a lot of attacks and
did not support dynamic WEP keys
EAP-TLS: Uses certificates for servers and
users. The users identity is revealed
EAP-TTLS: Uses servers certificate. Protects
users identity
PEAP: Similar to EAP-TTLS, used by Cisco
and Microsoft in their products
LEAP: A Cisco proprietary vulnerable to
dictionary attacks,
EAP-SIM, EAP-SPEKE,
DIMACS Nov 3 - 4, 2004 11
Wifi-Alliance Protected Access (1)
Built around IEEE 802.11i (draft 3) and
compatible with existing material
Address WEP vulnerability
Supports mixed environment
Uses Temporal Key Integrity Protocol (TKIP),
128 bit RC4 key
The use of AES is optional

DIMACS Nov 3 - 4, 2004 12
Wifi-Alliance Protected Access (2)
A suite of 4 algorithms composes TKIP

A Message Integrity Code (MIC), called
Michael to defeat forgeries
A new Initial Vector sequencing discipline,
to prevent replay attacks
A key mixing function, to have a per-packet
key
A re-keying mechanism, to provide fresh
keys to the key mixing function
DIMACS Nov 3 - 4, 2004 13
TKIP encapsulation
DIMACS Nov 3 - 4, 2004 14
Wifi-Alliance Protected Access (3)
Solves the problems of integrity,
authentication, forgery and replay attack in
network with RADIUS server
In small network, WPA uses shared secret
pass-phrase. This mode is vulnerable to the
dictionary attack and impersonation
Preserves the RC4 algorithm with its known
weakness to ensure compatibility
DIMACS Nov 3 - 4, 2004 15
802.11i / Robust Security Network (RSN)
Uses AES by default to replace RC4
Used in CCM mode: CTR + CBC-MAC
CCMP fixes 2 values of CCM parameters
M=8, indicating that the MIC is 8 octets
L=2, indicating the lenght field is 2 octets
Support Quality of Service
Support of preauthentication to enhance the
roaming in wireless network
DIMACS Nov 3 - 4, 2004 16
CCMP Encapsulation
DIMACS Nov 3 - 4, 2004 17
Roaming
Roaming with full authentication IEEE
802.1x/EAP or PSK (very big latency time)
Roaming to AP with whish cached a shared
PMK from previous SA
skip authentication steps
use 4-way handshake key management protocol to
negociate session key (PTK) and send (GTK)
useless when user roams to new AP
Preauthentication: the STA authenticate
without association to another AP before
leaving the old one
DIMACS Nov 3 - 4, 2004 18





Full authentication
DIMACS Nov 3 - 4, 2004 19
Preauthentication
DIMACS Nov 3 - 4, 2004 20
Problems of preauthentication
Preauthentication enhances the performance
of roaming but the handoff latency limits the
performance for multimedia applications

Preauthentification can only be used in the
same ESS (extended set of service)

Preauthentication is an expensive
computational load which may be useless

DIMACS Nov 3 - 4, 2004 21
Fast roaming
IEEE 802.11r WG to enhance fast roaming
performance
It reduces the hand-off latency of the 4-way
handshake protocol (creating alternative
optional 3-way handshake)
Adopt roaming key hierarchy
to minimize computational load
time dependency of KMP and
precomputation of roaming key R-PTK
Other works attempt to reduce probing latency
IEEE802.11f
DIMACS Nov 3 - 4, 2004 22
Conclusion
When IEEE 802.11k is ratified, will improve
roaming decisions with a site report sent to
client STA
Until now no efficient agreed solution to the
inter-LAN and inter-WAN roaming
When the work of IEEE 802.11r group is
finished, the wireless network will be more
convenient to mobile users with multimedia
applications
The IEEE 802.11i is new and will need time to
reach maturity. It solves many problems of
security. Many others are not under its
responsibility (DoS, RF jamming,)