wireless network security - wordpress.com · wireless network security 1 it352 | network security...
TRANSCRIPT
Wireless Network Security
IT352 | Network Security |Najwa AlGhamdi 1
Wireless LAN Security
Slide from 2nd book
802.11 Wireless LAN Security
• Stations in LAN are connected physically while in WLAN any station in the radio range is connected , so in WLAN extra care should be considered because
1. Authentication in LAN is much robust since all sending stations are wired and already known.
2. Privacy problem in WLAN , since any station comes in the range of WLAN can send and receive messages.
• The original 802.11 specification included a set of security features
for privacy and authentication that were quite weak. • Wi-Fi Protected Access (WPA) as a Wi-Fi standard. WPA is a set of
security mechanisms that eliminates most 802.11 security issues. • The final form of the 802.11i standard is referred to as Robust
Security Network (RSN).
802.11i RSN Services and Protocols
• The 802.11i RSN security specification defines the following services:
• Authentication: A protocol is used to define an exchange between a user and an AS that provides mutual authentication and generates temporary keys to be used between the client and the AP over the wireless link.
• Access control: This function enforces the use of the authentication function, routes the messages properly, and facilitates key exchange. It can work with a variety of authentication protocols.
• Privacy with message integrity: MAC-level data (e.g., an LLC PDU) are encrypted, along with a message integrity code that ensures that the data have not been altered.
IT352 | Network Security |Najwa AlGhamdi 3
802.11i Phases of Operation
• IEEE 802.11i security is concerned only with Station and Access Point.
• The five phase are:
• Discovery:
1. An AP uses messages called Beacons and Probe Responses to advertise its IEEE 802.11i security policy.
2. The STA uses these to identify an AP for a WLAN with which it wishes to communicate.
3. The STA associates with the AP, which it uses to select the cipher suite and authentication mechanism when the Beacons and Probe Responses present a choice.
802.11i Phases of Operation
• Authentication:
• the STA and AS (Authentication) prove their identities to each other.
• The AP blocks non-authentication traffic between the STA and AS until the authentication transaction is successful.
• The AP does not participate in the authentication transaction other than forwarding traffic between the STA and AS.
802.11i Phases of Operation
• Key generation and distribution:
• The AP and the STA perform several operations that cause cryptographic keys to be generated and placed on the AP and the STA.
• Frames are exchanged between the AP and STA only
IT352 | Network Security |Najwa AlGhamdi 6
802.11i Phases of Operation
• Protected data transfer: Frames are exchanged between the STA and the end station through the AP.
• As denoted by the shading and the encryption module icon, secure data transfer occurs between the STA and the AP only;
• security is not provided end-to-end.
IT352 | Network Security |Najwa AlGhamdi 7
802.11i Phases of Operation
• Connection termination:
• The AP and STA exchange frames. During this phase, the secure connection is torn down and the connection is restored to the original state..
IT352 | Network Security |Najwa AlGhamdi 8
802.11i Discovery Phases
• The purpose of this phase is for an STA and an AP to
1. Recognize each other 2. Agree on a set of security
capabilities – Confidentiality – MPDU integrity protocols – Authentication method – Cryptography key management
approach
3. Establish an association for future communication using those security capabilities
• Discovery phase consists of three exchanges: 1. Network and security capability
discovery. 2. Open system authentication. 3. Association.
IT352 | Network Security |Najwa AlGhamdi 9
802.11i Discovery Phases
1. Network and security capability discovery.
• AP priodicaly broadcast its security capabilities through Beacon frame.
• SATS discover the access point by either
1. Monitoring Beacon frame.
2. Sending Prob frame.
IT352 | Network Security |Najwa AlGhamdi 10
802.11i Discovery Phases
2. Open system authentication
• STA & AP exchange their IDs
3.Association
• To Agree on set of security suit to be used.
IT352 | Network Security |Najwa AlGhamdi 11
802.11i Authentication Phases • The authentication phase
enables mutual authentication
between an STA and an
authentication server (AS)
located in the DS.
• Authentication is designed to
1. allow only authorized stations
to use the network
2. and to provide the STA with
assurance that it is
communicating with a
legitimate network
• Authentication phase consists of three exchanges:
1. Connect to AS.
2. EAP exchange.
3. Secure Key Delivery.
IT352 | Network Security |Najwa AlGhamdi 12
802.11i Authentication Phases 1. Connect to AS.
• STA sends To it AP a request for
connection to the AS.
• AP acknowledge this request this
request and forward it to AS.
2. EAP ( Extensible authentication
protocol) exchange :
• This exchange authenticates STA
and AS .
3. Secure Key Delivery:
• After authentication AS will
generate Master key session
(MSK) and send it to STA.
• All cryptographic keys used by
STA will be derived from MSK.
IT352 | Network Security |Najwa AlGhamdi 13
802.11i Key Management Phases
• During the key management phase, a
variety of cryptographic keys are
generated and distributed to STAs.
• Pairwise keys are used for
communication between a pair of
devices, typically between an STA and
an AP.
• These keys form a hierarchy,
beginning with a master key from
which other keys are derived
dynamically and used for a limited
period of time. 1. A pre-shared key (PSK) is a secret key shared
by the AP and a STA
2. The other alternative is the master session key
(MSK), which is generated using the IEEE 802.1X
protocol during the authentication phase, as
described previously.
IT352 | Network Security |Najwa AlGhamdi 14
802.11i Key Management Phases
• The pairwise master key (PMK) is
derived from the master key as follows:
1. If a PSK is used, then the PSK is used
as the PMK;
2. if a MSK is used, then the PMK is
derived from the MSK by truncation (if
necessary).
• By the end of the authentication phase (on
EAP Success message), both the AP and
the STA have a copy of their shared PMK.
• The PMK is used to generate the pairwise
transient key (PTK), to be used for
communication between an STA and AP
after they have mutually authenticated.
• PTK = HMAC( PMK ||the MAC addresses
of the STA and AP|| nonces ).
IT352 | Network Security |Najwa AlGhamdi 15