mcintosh tutorial 1 0303 - ieee 802...doc.: ieee 802.11-00/xxx submission key management • this is...
TRANSCRIPT
March 2003
Bill McIntoshSlide 1
doc.: IEEE 802.11-00/xxx
Submission
Link SecurityA Tutorial
Bill McIntoshFortress Technologies, Inc.
March 2003
Bill McIntoshSlide 2
doc.: IEEE 802.11-00/xxx
Submission
Five basic security services
• Data confidentiality • Data integrity • Access control and access rights • Authentication/Roaming• Non-repudiation
These services provide assurance against the security threats of unauthorized resource use, masquerade, unauthorized data disclosure, unauthorized data modification, and repudiation, respectively.
March 2003
Bill McIntoshSlide 3
doc.: IEEE 802.11-00/xxx
Submission
Part 1: What is Link Level Security?
We need to define what is link level security and why we need it?
March 2003
Bill McIntoshSlide 4
doc.: IEEE 802.11-00/xxx
Submission
Link Layer Security?A method of securing a packet and its information above the
MAC layer on a point-to-point connection:1. hide the data contents and upper layer (above layer two)
protocol information.2. protect a packet from having its contents changed.3. limit who or what is allowed to gain access to the overall
network through the point-to-point connection.4. limit denial of service attacks on a point-to-point segment.5. eliminate denial of service attacks being perpetrated further in
the network.
March 2003
Bill McIntoshSlide 5
doc.: IEEE 802.11-00/xxx
Submission
Link Layer and Upper Layer
Laptop Router RouterServer
End-to-endSecurity
IPSec/ SSL
Point to PointSecurity
IEEE 802.10wLLS
Laptop Router RouterServer
End-to-endSecurity
IPSec/ SSL
Point to PointSecurity
WEPCCMP
Access Point
IEEE 802.11
MAC Layer and Upper Layer
March 2003
Bill McIntoshSlide 6
doc.: IEEE 802.11-00/xxx
Submission
Why is it Needed?• Many forms of data link technologies are vulnerable to
compromise:– WLAN– WPAN (Bluetooth)– Fixed Wireless– Any Public Segment
• Two Rules of Thumb:– It’s the responsibility of the network provider that every link in the
network is protected (i.e. Link Level Security).– It’s the responsibility of the user and application provider that the
application is secure (i.e. SSL, IPSec, Application Security).
March 2003
Bill McIntoshSlide 7
doc.: IEEE 802.11-00/xxx
Submission
Packet Layouts
DataDLC Hdr TrlIP
HdrTCP/UDP
SessionHdr
DataDLC Hdr TrlIP
HdrTCP/UDP
SessionHdr
SecHdr
Encrypted Payload
RegularPacket
SessionSecurityProtocol
IPSec
Link
DataDLC Hdr TrlIP
HdrTCP/UDP
SessionHdr
SecHdr
Encrypted Payload
DataDLC Hdr TrlIP
HdrTCP/UDP
SessionHdr
SecHdr
Encrypted Payload
Trl
Trl
SecHdr
SecHdr
SecHdr Trl
March 2003
Bill McIntoshSlide 8
doc.: IEEE 802.11-00/xxx
Submission
Part 1 Conclusion• Answered what link layer security is and why it is needed .
– Cannot view IP or other upper layer header information (such as IP addresses):
• With IP addresses exposed, hackers can easily compromise a network.• ARP poisoning Denial-of-Service attacks can be launched if IP header
information is not protected– You can’t fool with my packet and cause damage.– If no end-to-end security protocol (like IPSec) is used, it will
guarantee that, at least on that segment, no one will view or compromise by message.
– A hacker cannot attach to that segment to steal valuable networkbandwidth.
– Control who enters and where they go.
March 2003
Bill McIntoshSlide 9
doc.: IEEE 802.11-00/xxx
Submission
Part 2: The Mechanics
What are the protocols, technologies and methods that make up link level security?
March 2003
Bill McIntoshSlide 10
doc.: IEEE 802.11-00/xxx
Submission
Here they are!• Data confidentiality
– Encryption – Key Management
• Data integrity– Hashing– Replay Protection
• Access Control/Rights– Port Components– 802.1x
• Authentication/Roaming– EAP– Radius– Roaming
• Non-repudiation
March 2003
Bill McIntoshSlide 11
doc.: IEEE 802.11-00/xxx
Submission
Encryption
• Encryption technology converts network messages into formats that are specially-designed to prevent third parties from accessing their contents.
• There are two types of encryption protocol:– Stream Cipher– Block Cipher
March 2003
Bill McIntoshSlide 12
doc.: IEEE 802.11-00/xxx
Submission
Encryption
MemoDate ToFromSubject
MemoDate ToFromSubject
Encryption Engine
&*%$%^^&&^*%$#@
&*%$%^^&&^*%$#@
Plain Text Encrypted Text
Encryption Key
March 2003
Bill McIntoshSlide 13
doc.: IEEE 802.11-00/xxx
Submission
Stream Cipher• A stream cipher is a method of encrypting text (to
produce cipher text) in which a cryptographic key and algorithm are applied to each binary digit in a data stream, one bit at a time.
• Encryption is accomplished by combining the key stream with the plaintext, usually with the bitwise XOR operation.
• Types– RC-4 (Used in WEP)
March 2003
Bill McIntoshSlide 14
doc.: IEEE 802.11-00/xxx
Submission
Example: WEP (RC4)
S e cre t Ke y
Initia liza tion Ve ctor (IV)
⊕ P la inte xt
P DU Da ta
Ciphe rte xt
IV
se e d ⊕
Me ssage
Ke y S e que nce
CRC-32 Inte grity Che ck Va lue (ICV)
RC4 PRNG
| |
WEP Key
Plaintext Key stream
Message
Ciphertext
IV
ICV' = ICV?
Integrity Algorithm
RC4 PRNG
⊕ ICV’
ICV
Seed
||
a. Transmit
b. Receive
March 2003
Bill McIntoshSlide 15
doc.: IEEE 802.11-00/xxx
Submission
Block Cipher
• A block cipher is a method of encrypting text (to produce cipher text) in which a cryptographic key and algorithm are applied to a block of data (for example, 64 contiguous bits) at once as a group rather than to one bit at a time.
• Types – DES– Triple DES– AES
March 2003
Bill McIntoshSlide 16
doc.: IEEE 802.11-00/xxx
Submission
Modes of Operation• The modes specify how data will be encrypted
(cryptographically protected) and decrypted (returned to original form).
• Encryption algorithms are seldom used directly, cryptographic mode is used instead.
• A cryptographic mode usually combines:– the basic cipher– some sort of feedback– some simple operations
• Ensures that an identical block of text produces different encrypted data.
March 2003
Bill McIntoshSlide 17
doc.: IEEE 802.11-00/xxx
Submission
Some Modes
• Some modes of operation for use with an underlying symmetric key block cipher algorithm: – Electronic Codebook (ECB),– Cipher Block Chaining (CBC), – Cipher Feedback (CFB), – Output Feedback (OFB),– Counter (CTR). – Counter with Cipher Block Chaining Message
Authentication Code (CCM),
March 2003
Bill McIntoshSlide 18
doc.: IEEE 802.11-00/xxx
Submission
Example: IEEE 802.11i Mode
• Defines the CCMP protocol.• Based on AES using the CCM mode of
operation.• The CCM mode combines:
– Counter (CTR) mode privacy and; – Cipher Block Chaining Message
Authentication Code (CBC-MAC) authentication.
March 2003
Bill McIntoshSlide 19
doc.: IEEE 802.11-00/xxx
Submission
Example: CCMP Encapsulation
EncodePN
Plaintext MPDU Plaintext MPDU with PN
ComputeMIC usingCBC-MAC
andappend to
MPDU
Temporal Key
AES CTR-mode
encryptdata
Cipher TextPlaintext MPDU with MIC
DLEN
TA
IncrementPN
PN
ConstructInitialization
Block
MIC
_IV
TA
PN
PN
ConstructCounter C
ounter
PN=Packet NumberTA=Transmitter AddressDLEN=MPDU Data LengthMPDU=MAC Protocol Data UnitTemporal Key=Crypto and Integrity Key
March 2003
Bill McIntoshSlide 20
doc.: IEEE 802.11-00/xxx
Submission
Example: CCMP Decapsulation
Ciphertext MPDU
Ciphertext MPDU
ComputeMIC usingCBC-MAC
andappend to
MPDU
Temporal Key
AES CTR-mode
decryptdata
Plaintext MPDU
Plaintext MPDUwith MIC
TA
DiscardMPDU
PNConstructCounter
MIC
_IV
PN Good?
ExtractPN &DLen MIC
=MIC?
MIC
MIC
MIC OK
Previous PN
PN
PN
TA
DLEN
Counter
ConstructInitialization
Block
March 2003
Bill McIntoshSlide 21
doc.: IEEE 802.11-00/xxx
Submission
Key Management• This is how you come up with the keys that will
be used for encryption and authentication.• Two kinds:
– Shared Static Keys– Dynamic Keys
• Generally-speaking, there are three types of dynamic key establishment techniques: 1. techniques based on asymmetric (public key) algorithms, 2. techniques based on symmetric (secret key) algorithms.3. hybrid techniques are also commonly used, whereby public key
techniques are used to establish symmetric (secret) key encryption keys, which are then used to establish other symmetric (secret) keys.
March 2003
Bill McIntoshSlide 22
doc.: IEEE 802.11-00/xxx
Submission
Shared Static Key
MemoDate ToFromSubject
MemoDate ToFromSubject
Encryption Engine
&*%$%^^&&^*%$#@
&*%$%^^&&^*%$#@
Plain Text Encrypted Text
Encryption Key
MemoDate ToFromSubject
MemoDate ToFromSubject
Encryption Engine
&*%$%^^&&^*%$#@
&*%$%^^&&^*%$#@
Plain Text Encrypted Text
Encryption Key
Common Session Key
&*% $% ^^&&^*% $#@
&*% $% ^^&&^*% $#@
Encrypted Text
Common Session Key
Bob Many
March 2003
Bill McIntoshSlide 23
doc.: IEEE 802.11-00/xxx
Submission
Public Key AlgorithmsDifferent key on each side
• RSA• Knapsack• El-Gamal• Elliptic Curve Cryptosystems
March 2003
Bill McIntoshSlide 24
doc.: IEEE 802.11-00/xxx
Submission
Public Key
MemoDate ToFromSubject
MemoDate ToFromSubject
Encryption Engine
&*%$%^^&&^*%$#@
&*%$%^^&&^*%$#@
Plain Text Encrypted Text
Encryption Key
MemoDate ToFromSubject
MemoDate ToFromSubject
Encryption Engine
&*%$%^^&&^*%$#@
&*%$%^^&&^*%$#@
Plain Text Encrypted Text
Encryption Key
Mary’s Public Key
Bob’s Public Key
Mary’s Private Key
&*% $% ^^&&^*% $#@
&*% $% ^^&&^*% $#@
Encrypted Text
Bob Mary
Bob’s Private Key
Public Key Distribution Center
March 2003
Bill McIntoshSlide 25
doc.: IEEE 802.11-00/xxx
Submission
Secret Key AlgorithmsSame key on each side.
• DES• Triple DES• AES
March 2003
Bill McIntoshSlide 26
doc.: IEEE 802.11-00/xxx
Submission
Agreeing on a Secret KeyDiffie-Hellman
Pick a Secret NumberSecret Key
Ya = gXa mod p
Select a large prime number p.Select g, a primitive root of p.
Xa Ya
Yb = gXb mod pXbYb
Pick a Secret NumberSecret Key
K=YaXb mod p
K=YbXa mod p
K CommonCrypto Key
K CommonCrypto Key
March 2003
Bill McIntoshSlide 27
doc.: IEEE 802.11-00/xxx
Submission
Data Integrity• The integrity of a packet is checked by using a secure hash
algorithm.• Hash functions take a message as input and produce an
output referred to as a hashcode, hash-result, hash-value, or simply hash.
• Hash functions are used for data integrity in conjunction with digital signature schemes, where for several reasons a message is typically hashed first, and then the hash-value, as a representative of the message, is signed in place of the original message.
• Unkeyed or a keyed hash function.
March 2003
Bill McIntoshSlide 28
doc.: IEEE 802.11-00/xxx
Submission
Hash Data
Hash
March 2003
Bill McIntoshSlide 29
doc.: IEEE 802.11-00/xxx
Submission
Unkeyed Hash Algorithms
• Hash functions based on:– block ciphers, – customized hash functions, – hash functions,– modular arithmetic.
March 2003
Bill McIntoshSlide 30
doc.: IEEE 802.11-00/xxx
Submission
Keyed Hash (MAC/MIC)• A distinct class of hash functions, called message
authentication codes (MACs) or message integrity code (MICs), allows message authentication by symmetric techniques.
• MAC algorithms may be viewed as hash functions which take two functionally distinct inputs, a message and a secret key, and produce a fixed-size (say n-bit) output, with the design intent that it be infeasible in practice to produce the same output without knowledge of the key.
March 2003
Bill McIntoshSlide 31
doc.: IEEE 802.11-00/xxx
Submission
Anti-Replay
• Anti-replay ensures packet security by making it impossible for a hacker to intercept message packets and insert changed packets into the data stream between a source computer and a destination computer.
• By detecting packets that match the sequence numbers of those that have already arrived, the anti-replay mechanism helps to ensure that invalid packets are discarded.
March 2003
Bill McIntoshSlide 32
doc.: IEEE 802.11-00/xxx
Submission
Access Control/Access Rights• Access Control is any mechanism by which a system
grants or revokes the right to access a network.• Access Control can be performed by allowing or denying
access base on:– a user requiring to submit a Login and Password that will be sent
to an authentication server for approval. – The user has a particular device that would be approved by an
access control server.– The user contacts an administrator, the administrator configures
packet filters.• Access Rights is any mechanism that limit where in a
network or on a devices a user can access.
March 2003
Bill McIntoshSlide 33
doc.: IEEE 802.11-00/xxx
Submission
Authentication System802.1x Model
March 2003
Bill McIntoshSlide 34
doc.: IEEE 802.11-00/xxx
Submission
RADIUS Servers• RADIUS (Remote Authentication Dial-In User Service)• An IETF-defined protocol for administering and securing
remote access to a network.• User Login and Password information is forwarded to a
RADIUS authentication server that validates the user and returns the information necessary for the access server to initiate a session with the user.
• A dictionary file kept in the RADIUS database determines the types of attributes that can be included in the user profile. The user repeats this process to initiate every session.
March 2003
Bill McIntoshSlide 35
doc.: IEEE 802.11-00/xxx
Submission
Forms of Authentication
• Device Authentication– Used to allow a particular device onto a network (My
PDA can go on a network).
• User Authentication– Used to allow a particular user onto a network (Bill is
allowed on the engineering network).
• Hybrid – A user has access to a network with a particular device.
March 2003
Bill McIntoshSlide 36
doc.: IEEE 802.11-00/xxx
Submission
Roaming
• Three types of roaming:– Roam between authenticator gateways on the same IP
subnet without requiring new user and password input.– Roam between authenticator gateways on different IP
subnets without requiring new user and password input.– Roam between authenticator gateways on different IP
subnets while perserving IP addressing and state information.
March 2003
Bill McIntoshSlide 37
doc.: IEEE 802.11-00/xxx
Submission
Roaming same Subnet
Router
Laptop
Laptop
Server
Bridge or Access Point Bridge or Access Point
Authentication Server
User Authenticates toBridge or Access Point
March 2003
Bill McIntoshSlide 38
doc.: IEEE 802.11-00/xxx
Submission
Roaming between Subnets
Router
Laptop
Laptop
Server
Bridge or Access Point Bridge or Access Point
Roams
Authentication Server
User Authenticates toBridge or Access Pointon Subnet 192.32.8.x
Router
User roams to Subnet192.48.1.x
Application ConnectionSubnet 192.36.0.X
March 2003
Bill McIntoshSlide 39
doc.: IEEE 802.11-00/xxx
Submission
Non-Repudiation
• Usually a higher layer function.• "Non-repudiation with proof of origin" provides
the recipient of data with evidence that proves the origin of the data, and thus protects the recipient against an attempt by the originator to falsely deny sending the data. This service can be viewed as a stronger version of a data origin authentication service, in that it proves authenticity to a third party.
March 2003
Bill McIntoshSlide 40
doc.: IEEE 802.11-00/xxx
Submission
Part 2: Conclusion
• Five areas of security.• Two type of encryption algorithm.• Modes of Operation• Data Integrity and Hash• Anti-Replay• Access Control/Rights/Authentication/Roaming• Non-Repudiation
March 2003
Bill McIntoshSlide 41
doc.: IEEE 802.11-00/xxx
Submission
Part 3: Some MAC/Link Protocols
• IEEE 802.11i• IEEE 802.10• Wireless Link Level Security Protocol
March 2003
Bill McIntoshSlide 42
doc.: IEEE 802.11-00/xxx
Submission
Problems with WEP
• 40-bit WEP key• Weak IVs• IV Replay• Known packet attack• Known packet start attack• Bit Flipping attack
March 2003
Bill McIntoshSlide 43
doc.: IEEE 802.11-00/xxx
Submission
IEEE 802.11i• A Robust Security Network provides a number of security features to
the IEEE 802.11 architecture. These features notably include:– improvement specifically for legacy wLAN equipment in TKIP. – enhanced data security and encapsulation mechanism, called CCMP– key management algorithms;– dynamic cryptographic keys; – enhanced authentication mechanisms for both APs and STAs;
• An RSN makes extensive use of IEEE 802.1X protocols with IEEE 802.11 to provide the authentication and key management.
• An RSN introduces several components into the IEEE 802.11architecture. These components are only present in RSN systems:– The first new component is an IEEE 802.1X Port. – A second component is the Authentication Server (AS).
March 2003
Bill McIntoshSlide 44
doc.: IEEE 802.11-00/xxx
Submission
TKIP fixes WEP• The Temporal Key Integrity Protocol (TKIP) is a cipher suite enhancing the
WEP protocol on pre-RSN hardware.• TKIP computes the MIC over the MSDU source address, destination
address, priority, and data, and appends the computed MIC to the MSDU; TKIP discards any MIC padding prior to appending the MIC.
• TKIP fragments the MSDU into one or more MPDUs; TKIP assigns a monotonically incrementing TSC value to each MPDU it generates, taking care that all the MPDUs generated from the same MSDU use counter values from the same 16-bit counter space.
• For each MPDU, TKIP uses the key mixing function to compute the WEP seed.
• TKIP represents the WEP seed as a WEP IV and RC4 key, and passes these with each MPDU to WEP for encapsulation. WEP uses the WEP seed as a WEP default key, identified by a key id associated with the temporal key.
March 2003
Bill McIntoshSlide 45
doc.: IEEE 802.11-00/xxx
Submission
TKIP
MIC Ke y
TS C
S A + DA + priority P la inte xt MS DU
Da ta
Ciphe rte xt MPDU(s )
WEP Enca psula tion
MIC
TTAK Ke y
P la inte xt MS DU +
MIC Fra gme nt(s )
P ha se 2 ke y mixing
P la inte xt MP DU(s )
WEP se e d(s ) (re pre se nte d a s WEP IV + RC4
ke y)
P ha se 1 ke y mixing TA
Te mpora l Ke y
MIC Ke y
TKIP IV
P la inte xt MS DU
Ciphe rte xt MPDU
WEP De ca psula tion
Micha e l
TTAK Ke y S A + DA + priority + P la inte xt MS DU
Re a ss e mble
Ke y mixing
P la inte xt MP DU
WEP S e e d
P ha se 1 ke y mixing
TA
Te mpora l Ke y
TS C Unmix IV
In-se que nce MP DU
Out-of-se que nce MP DU
MIC
MIC ′
MIC = MIC ′?
MP DU with fa ile d WEP ICV
MS DU with fa ile d TKIP MIC
Counte rme a sure s
A: Transmit
B:Receive
March 2003
Bill McIntoshSlide 46
doc.: IEEE 802.11-00/xxx
Submission
CCMP• The CCMP protocol is based on AES using the
CCM mode of operation. • The CCM mode combines Counter (CTR) mode
privacy and Cipher Block Chaining Message Authentication Code (CBC-MAC) authentication.
• CCM uses the same temporal key for both CTR mode and the CBC-MAC.
• CCM assumes a fresh temporal key for every session. Reuse of a temporal key and packet number voids all security guarantees.
March 2003
Bill McIntoshSlide 47
doc.: IEEE 802.11-00/xxx
Submission
CCMP encapsulation block diagram
EncodePN
Plaintext MPDU Plaintext MPDU with PN
ComputeMIC usingCBC-MAC
andappend to
MPDU
Temporal Key
AES CTR-mode
encryptdata
Cipher TextPlaintext MPDU with MIC
DLEN
TA
IncrementPN
PN
ConstructInitialization
Block
MIC
_IV
TA
PN
PN
ConstructCounter C
ounter
March 2003
Bill McIntoshSlide 48
doc.: IEEE 802.11-00/xxx
Submission
CCMP decapsulation block diagram
Ciphertext MPDU
Ciphertext MPDU
ComputeMIC usingCBC-MAC
andappend to
MPDU
Temporal Key
AES CTR-mode
decryptdata
Plaintext MPDU
Plaintext MPDUwith MIC
TA
DiscardMPDU
PNConstructCounter
MIC
_IV
PN Good?
ExtractPN &DLen MIC
=MIC?
MIC
MIC
MIC OK
Previous PN
PN
PN
TA
DLEN
Counter
ConstructInitialization
Block
March 2003
Bill McIntoshSlide 49
doc.: IEEE 802.11-00/xxx
Submission
RSN security association management
• IEEE 802.11 uses the notion of a security association to describe secure operation.
• Secure communications are possible only within the context of a security association, as this is the context providing the state—cryptographic keys, counters, sequence spaces, etc.—needed for correct operation of the IEEE 802.11 cipher suites.
March 2003
Bill McIntoshSlide 50
doc.: IEEE 802.11-00/xxx
Submission
Establishing the IEEE 802.11 connection and negotiation
APSTA
Probe Request
Probe Response + RSN IE (AP supports MCast/Ucast: CCMP, WRAP, TKIP, WEP and 802.1X EAP
Authentication)IEEE 802.11 Open Authentication (request)
IEEE 802.11 Open Authentication (response)
Association Response (success)
Association Req + RSN IE (Client requests TKIP and 802.1X EAP Authentication)
802.1X controlled port blocked for client AID
March 2003
Bill McIntoshSlide 51
doc.: IEEE 802.11-00/xxx
Submission
IEEE 802.1X EAP authentication STA AP
802.1X/EAP-Request Identity
802.1X/EAP-Response Identity (EAP type
specific)EAP Access
Request/IdentityEAP type specific mutual authentication
802.1X controlled port still blocked for client AID
Derive Pairwise
Master Key (PMK)
Derive Pairwise
Master Key (PMK)
EAP Accept (with PMK via MS-MPPE)
802.1X/EAP-SUCCESS
March 2003
Bill McIntoshSlide 52
doc.: IEEE 802.11-00/xxx
Submission
Establishing pairwise keys STA AP
PMK PMK
Derive SNonce Derive ANonce
EAPoL-Key(Reply Required, Unicast, ANonce)
EAPoL-Key(Unicast, SNonce, MIC, STA RSN IE)
EAPoL-Key(Reply Required, Install PTK, Unicast, ANonce, MIC, AP RSN IE)
Derive PTK
Derive PTK
Install Keys Install Keys
EAPoL-Key(Unicast, ANonce, MIC)
802.1X controlled port still blocked for client AID
March 2003
Bill McIntoshSlide 53
doc.: IEEE 802.11-00/xxx
Submission
Group key delivery STA AP
GMK
Derive GNonce & GTK
Encrypt GTK field
EAPoL-Key(All Keys Installed, Reply Required, Group Rx, Key Index, Group, GNonce, MIC, GTK)
EAPoL-Key(Group, MIC)
802.1X controlled port still blocked for client AID
March 2003
Bill McIntoshSlide 54
doc.: IEEE 802.11-00/xxx
Submission
IEEE 802.10• This entity provides services that permit the secure
exchange of data at Layer 2.• As part of the Logical Link Control (LLC) sublayer, the
SDE entity provides a connectionless service immediately above the Medium Access Control (MAC) sublayer in IEEE 802 LANs and MANs.
• It provides security across the MAC sublayer using cryptographic mechanisms and security services provided transparently at the boundary to the LLC entity.
• Develop its own Key Management Protocol
March 2003
Bill McIntoshSlide 55
doc.: IEEE 802.11-00/xxx
Submission
IEEE 802.10
March 2003
Bill McIntoshSlide 56
doc.: IEEE 802.11-00/xxx
Submission
Structure of the SDE PDU
March 2003
Bill McIntoshSlide 57
doc.: IEEE 802.11-00/xxx
Submission
802.10 Key Management
• The key management model and protocol support three key distribution techniques:– manual key distribution,– center-based key distribution, – certificate-based key distribution.
March 2003
Bill McIntoshSlide 58
doc.: IEEE 802.11-00/xxx
Submission
Manual Distributed Key
March 2003
Bill McIntoshSlide 59
doc.: IEEE 802.11-00/xxx
Submission
Center Based Key Distribution
March 2003
Bill McIntoshSlide 60
doc.: IEEE 802.11-00/xxx
Submission
Center-based key translation
March 2003
Bill McIntoshSlide 61
doc.: IEEE 802.11-00/xxx
Submission
Certificate-based key distribution
March 2003
Bill McIntoshSlide 62
doc.: IEEE 802.11-00/xxx
Submission
Multicast key distribution
March 2003
Bill McIntoshSlide 63
doc.: IEEE 802.11-00/xxx
Submission
wLLS
• Link Level Security Protocol• AES, 3DES• Dual Diffie-Hellman Key Engine• SHA-1 Packet Integrity• Anti Replay• Device Authentication• User Authentication using EAP• FIPS
March 2003
Bill McIntoshSlide 64
doc.: IEEE 802.11-00/xxx
Submission
wLLS Packet
March 2003
Bill McIntoshSlide 65
doc.: IEEE 802.11-00/xxx
Submission
wLLS Key Negotiation
March 2003
Bill McIntoshSlide 66
doc.: IEEE 802.11-00/xxx
Submission
Threat Protection• known-key attack. In this attack an adversary obtains some keys used
previously and then uses this information to determine new keys.• replay. In this attack an adversary records a communication session
and replays the entire session, or a portion thereof, at some later point in time.
• impersonation. Here an adversary assumes the identity of one of the legitimate parties
• in a network.• dictionary. This is usually an attack against passwords. Typically, a
password is stored in a computer file as the image of an unkeyed hash function. When a user logs on and enters a password, it is hashed and the image is compared to the stored value. An adversary can take a list of probable passwords, hash all entries in this list, and then compare this to the list of true encrypted passwords with the hope of finding matches.
March 2003
Bill McIntoshSlide 67
doc.: IEEE 802.11-00/xxx
Submission
Attacks on protocols• forward search. This attack is similar in spirit to the dictionary attack
and is used to decrypt messages. An example of this method was cited in Example 1.60.
• interleaving attack. This type of attack usually involves some form of impersonation in an authentication protocol.
March 2003
Bill McIntoshSlide 68
doc.: IEEE 802.11-00/xxx
Submission
Part 3: Conclusion
• The new IEEE 802.11i recommendations:– TKIP for legacy wLAN products– CCMP for highly secure networks– IEEE 802.1x Port Control– Authentication and Radius
• IEEE 802.10• wLLS• Threats
March 2003
Bill McIntoshSlide 69
doc.: IEEE 802.11-00/xxx
Submission
Editorial Comment• Proponent of using 802.11i.• Millions of wireless devices will support 802.11i very
soon. • I believe there are only minor changes to make it a link
level security protocol.• The changes have to do with:
– embedded functions at the MAC layer; – fragmentation.
• Our goal would be to secure a point-to-point connection from a gateway across access points and bridges to mobile devices
March 2003
Bill McIntoshSlide 70
doc.: IEEE 802.11-00/xxx
Submission
Questions or Comments