Beruflich Dokumente
Kultur Dokumente
11i Overview
Jesse Walker
Intel Corporation
jesse.walker@intel.com
1
Presentation Objectives
Outline
security problems in
802.11-1999
Communicate what IEEE 802.11i is
and how it works
Agenda
What is it?
WEPs Goals:
Walker (Oct 2000), Borisov et. al. (Jan 2001), FluhrerMantin-Shamir (Aug 2001)
802.11 Hdr
IV
Data
ICV
ICV
24 bits
c2 = p 2 b
c1 c2 = (p1 b) (p2 b) = p1 p2
6
Collision attacks
802.11 Hdr
IV
24 luxurious bits
Data
ICV
WEP expands each RC4 key into 224 per-packet keys data can be
recovered if IV is ever repeated with same key RC4 key must be
changed at least every 224 packets or data is exposed through IV collisions!
Some implemented IV selection strategies:
Random: Collision probability Pn two packets will share same IV after n
packets is P2 = 1/224 for n = 2 and Pn = Pn1+(n1)(1Pn1)/ 224 for n > 2.
50% chance of a collision exists already after only 4823 packets!!!
Increment from 0: Collision probability = 100% after two devices transmit
802.11 Hdr
IV
Data
ICV
Class of RC4 weak keys exists where patterns in the 1st 3 bytes of key causes
corresponding patterns in 1st few bytes of the generated RC4 key stream.
For each packet, use IV and exposed key stream to identify potential weak
keys
Iterate over potential weak keys from a sequence of packets until the RC4
base key is found
Replay attacks
Good guy STA
Authorized WEP communications
Forgery attacks
802.11 Hdr
IV
Data
ICV
0 New ICV
Sample Attack 1:
Recv-Addr, Src-Addr, Dest-Addr are all unprotected
On packets from a STA to the AP, corrupt the Dest-Addr
The AP will decrypt data and send it to the forged destination
Sample Attack 2:
create a blank message with same number of data bytes
Flip some bits and compute the ICV
XOR resulting bit-flipped message + ICV into captured message
10
Message Forgery
Replay
S.S. WEP
11
Architecture
Architectural Components
Goals
EAP/802.1X/RADIUS
Operational Phases
12
Architecture
Goals
13
Architecture
Wireless
Station
Access
Point
Out of scope
of 802.11i
standard
Authentication
Server
EAP-TLS
EAP
802.1X (EAPoL)
RADIUS
802.11
UDP/IP
14
Architecture
Station
Authentication
Server
Access
Point
Security capabilities
discovery
802.1X authentication
802.1X key management
RADIUS-based key
distribution
Data protection
15
Architecture
Discovery
802.1X authentication
16
Architecture
17
Data Transfer
18
Data Transfer
19
Data Transfer
Filtering
STA
AP
Association Request
Association Response
20
Data Transfer
Replay Mechanisms
21
Data Transfer
TKIP Summary
TKIP:
22
Data Transfer
On existing AP hardware
23
Data Transfer
FC
Dur
A1
A2
A3
Seq
Ctl
A4
Qos Packet
Ctl number
Data
C= 1
C=2
MIC FCS
C=n-1 C=n
Header part
Encry pted
Extended IV
4 octets
IV / KeyID
4 octets
Rsv d
b0
Ext
IV
MIC
8 octets
Key
ID
b4 b5 b6
b7
TSC2
TSC3
TSC4
ICV
4
octets
TSC5
IV32
24
Data Transfer
TKIP Keys
TKIP Keys
25
Data Transfer
Michael
Authentication Key
26
Data Transfer
TKIP Countermeasures
Check
using keys
Rate limit key generation to 1 per minute
27
Data Transfer
Wireless
Station
Hdr
Packet n
Hdr
Packet n + 1
Hdr
Packet n
Access
Point
28
Data Transfer
Phase 1
Mixer
4 msb
Phase 2
Mixer
Per-packet key
2 lsb
29
Data Transfer
CCMP
30
Data Transfer
31
Data Transfer
Header
Payload
MIC
Authenticated
Counter values 1, 2, 3,
Counter value 0
32
Data Transfer
...
...
padding
B0
B1
...
Bk 0
padding
Bk+1
Header
...
Br
0
MIC
Payload
A1
S1
...
SSmm
... Am
S0Sm
A0
E
33
Data Transfer
CCM Properties
CTR
CCM
is packet oriented
CCM can leave any number of initial blocks of the
plaintext unencrypted
CCM has a security level as good as other proposed
combined modes of operation, including OCB
34
Data Transfer
35
Data Transfer
FC
Dur
A1
A2
A3
Seq
Ctl
A4
Qos Packet
Ctl number
Data
C= 1
C=2
MIC FCS
C=n-1 C=n
C=0
Header part
Encrypted (note)
Extended IV
4 octets
IV / KeyID
4 octets
IV0
IV1
Rsvd
Rsvd
b0
Rsvd
b3 b4
Ext
IV
Key
ID
Data
>= 0 octets
IV2
IV3
IV4
MIC
8 octets
IV5
b5 b6 b7
36
Data Transfer
37
Data Transfer
38
Key Management
Limitations:
39
Key Management
Key
Confirmation
Key (KCK) PTK
bits 0127
Key Encryption
Key (KEK) PTK
bits 128255
40
Key Management
AP
AS
41
Key Management
42
Key Management
Key Length 2
octets
Data n octets
43
Key Management
AP
STA
PMK
PMK
Pick Random ANonce
EAPoL-Key(Reply Required, Unicast, ANonce)
Install TK
44
Key Management
STA
AP
PTK
Pick Random
GNonce, Pick
Random GTK
Encrypt GTK with KEK
EAPoL-Key(All Keys Installed, ACK, Group Rx,
Key Id, Group , RSC, GNonce, MIC, GTK)
Decrypt GTK
EAPoL-Key(Group, MIC)
unblocked data traffic
45
Key Management
46
Key Management
4-Way Handshake
47
Authentication
Authentication Requirements
48
Authentication
Authentication Components
Wireless
Station
Authentication
Server
Access
Point
EAP-TLS
EAP
802.1X (EAPoL)
RADIUS
802.11
UDP/IP
49
Authentication
STA
Authentication Overview
AP
AS
802.1X/EAP-Request Identity
802.1X/EAP-Response
Identity (EAP type specific)
RADIUS Access
Request/Identity
EAP type specific
mutual authentication
Derive Pairwise Master Key (PMK)
802.1X/EAP-SUCCESS
802.1X
RADIUS
50
Authentication
51
Authentication
Authentication decisions
Authorization decisions
Minimizes AP cost by moving expensive authentication to AS
AP unaware of the authentication protocol
52
Authentication
Request/Response protocol
STA cant recover from AS or AP problems
This affords AS with limited DoS attack protection
53
Authentication
54
Authentication
802.1X
55
Authentication
RADIUS (1)
4 messages
56
Authentication
RADIUS (2)
57
Authentication
RADIUS (3)
58
Authentication
59
Authentication
STA
AP
AP-RADIUS Key
802.1X/EAP-Request Identity
802.1X/EAP-Response
Identity (My ID)
802.1X/EAP-Request(TLS)
RADIUS Access
Challenge/EAP-Request
802.1X/EAP-Response(TLS
ClientHello(random1))
802.1X/EAP-Request(TLS
ServerHello(random2) || TLS
Certificate || TLS
CertificateRequest || TLS
server_key_exchange || TLS
server_done)
AS
RADIUS Access
Challenge/EAP-Request
60
Authentication
STA
AS
AP
AP-RADIUS Key
MasterKey = TLS-PRF(PreMasterKey, master secret || random 1 || random2)
802.1X/EAP-Response(TLS
client_key_exchange || TLS || TLS
certificate || TLS certificateVerify ||
TLS change_cipher_suite || TLS
finished
802.1X/EAP-Request(TLS
change_cipher_suite || TLS
finished)
802.1X/EAP-Response
RADIUS Access
Challenge/EAP-Request
RADIUS Access Request/EAPResponse Identity
802.1X/EAP-Success
61
Authentication
Authentication Summary
62
Discovery Overview
63
Discovery
Station
Probe Request
Access
Point
64
Discovery Summary
STA knows
65
Other Features
66
Other Features
Pre-authentication
1
1
2
AP 1
2
STA
AS
2
AP 2
67
Other Features
PEAP Overview
Wireless
Station
AP
Authentication
Server
68
Other Features
MitM
PEAP
Server
AP
AAA-H
Server
EAP/Identity Request
EAP/Identity Response (anonymous@realm)
Tunnel establishment
Tunnel Keys Derived
EAP-Method in Tunnel
EAP/Identity Request
EAP/Identity Response (user id@realm)
EAP/ Request / Method Challenge
EAP/Response/ Method Response
EAP/ Success
Inner Method
Keys Derived
WLAN Session Stolen
69
Other Features
Pre-shared Key
Wireless
Station
AP
Other Features
Ad hoc networks
71
Other Features
Password-to-Key Mapping
72
Other Features
Randomness Needed
Software-based sampling
Hardware-based sampling
73
802.11i Summary
74
Feedback?
75