Standardization efforts and status • Open Source software status w/ new standards • Consider this presentation as a light (?) tutorial! Wi-Fi security: What’s next? – p.2
Mantin and Shamir paper (August 2001): attack on RC4’s implementation in IEEE 802.11 specification • Integrity is not efficient • Shared Secret independent • No key management • No dynamic key distribution • Shared Secret distribution issues, one loss is sufficient! Wi-Fi security: What’s next? – p.4
on ACLs • MAC addresses are spoofable, should be only used for identification, not for authentication • Group authentication • Difficult to accept, especially in corporate environment • Management frames are not authenticated • Layer 2 DoS attacks Wi-Fi security: What’s next? – p.5
at any key size; An Analysis of the WEP encapsulation"; Jesse Walker • January 2001 - July 2001: several publications • "Security of the WEP algorithm"; University of California at Berkeley • "Your 802.11 Wireless Networks has No Clothes"; University of Maryland • August 2001: major publication • "Weaknesses in the Key Scheduling Algorithm of RC4"; Fluhrer, Mantin and Shamir Wi-Fi security: What’s next? – p.6
• Access was "cool & smooth"... Before all publications! • New security mechanisms are currently being drafted • These solutions should migitate security risks • Confidentiality / Integrity / Access Control: use of layer >2 secure procotols (IPsec) • Access Control: use of captive portal Wi-Fi security: What’s next? – p.9
version based on Perl • First release: mid-2001 • Current release: 0.82 (May 2003) • OS: Linux, *BSD Serveur Auth Serveur Auth AP Gateway BDD Auth Internet Internet SSL Wi-Fi security: What’s next? – p.11
Born on March 2001 from TGe (QoS and security) • Currently draft 4.1 (June 2003) • Very active! • More than 10 drafts during last year • Intended to be ratified Q4 ’03 • Susceptible to modifications • Important: WRAP is deprecated, CCMP is mandatory • Light: Typographic changes Wi-Fi security: What’s next? – p.13
• Conceptually, layer 2 security should be better than upper layer secure solutions • Goals: • New authentication and access control framework, with high flexibility • New confidentiality and integrity protocols • Access control must be performed at edge (APs) upon authentication result • Authentication methods are independent from IEEE 802.11 TGi Wi-Fi security: What’s next? – p.14
Short-medium term solution • Should only requires a firmware upgrade, theory! • Must migitate all know WEP security issues • Internal aspects • Based on RC4 • 48-bit IV (TKIP Sequence Counter) • Mixing function before injection in RC4 • Enhanced integrity check (keyed-MIC) Wi-Fi security: What’s next? – p.15
solution • Should require a hardware upgrade • Internal aspects • Based on AES • 48-bit IV (44-bit used as counter) Wi-Fi security: What’s next? – p.16
IEEE 802.1X-2001 (June 2001) • Authentication is based on EAP • Access control is upon authentication • Runs over all 802 LANs (originally intended to 802.3) • Controlled / Uncontrolled Port • Controlled: Allows data to go through if authentication is successfull • Uncontrolled: Allows authentication data to go through Wi-Fi security: What’s next? – p.17
• Amendement to IEEE 802.1X-2001 • Modifications on key management frames (EAPOL-Key) • IEEE 802.1X key management was designed for wired communications • IEEE 802.11 TGi uses 802.1aa EAPOL-Key frames format • IEEE 802.1X EAPOL-Key frames format can be used for dynamic WEP-(re)keying Wi-Fi security: What’s next? – p.18
(March 1998) • Intended initially for PPP, but 802.1X uses it also • Goals: • Flexible authentication framework, only carries an authentication method • Authenticator is transparent, upgrades are not necessary • Authentication relies more on EAP method than EAP itself Wi-Fi security: What’s next? – p.20
Some specification issues • Being revised under RFC 2284bis-04 (June 2003) • Issues: • No EAP state machine • Extend type space (was 1 byte) • http://www.drizzle.com/ aboba/EAP/eapissues.html Wi-Fi security: What’s next? – p.21
client and network authentication for GSM/UMTS-based networks • Dynamic keying • Good level of security • Standardized by Nokia / Ericsson / Cisco Wi-Fi security: What’s next? – p.23
Uses TLS, then uses another EAP method, encapsulated (secured) in TLS tunnel • Could "secure" insecure methods • Asymetric authentication • Standardized by Microsoft / Cisco • EAP-TTLS: draft-02 (November 2002) • Nearly equivalent as PEAP • Was the first tunnelled authentication method available • Standardized by Funk Software Wi-Fi security: What’s next? – p.24
• New keys are derived from EAP master key • Protect unicast and multicast traffic • MK: Master Key • Directly from a successfull EAP authentication • PMK: Pairwise Master Key • Derived from MK • Must be 256-bit Wi-Fi security: What’s next? – p.26
from PMK • 384/512-bit depending on cipher selection • Used to protect unicast traffic • GTK: Groupwise Transient Key • Equivalent to a random number • 40/104/128/256-bit depending on cipher selection • Used to protect multicast traffic Wi-Fi security: What’s next? – p.27
handshake • Group key handshake • Goals: • Establish a fresh key between AP and STA • Liveness of peers • No man in the middle • Synchronizes pairwise key use Wi-Fi security: What’s next? – p.29
RSN IE (AP supports MCast /Ucast: WEP, TKIP and Auth: Dynamic Keys with 802.1X) 802.11 Open Authentication 802.11 Open Auth (success) Association Req + RSN IE (Client requests TKIP and dynamic keys with 802.1X) Association Response (success) 802.1X controlled port blocked for client Source : IEEE Wi-Fi security: What’s next? – p.30
• Should avoid hardware upgrades (NICs and APs) • Must be "backward-compatible" • Provide a flexible, convenient and secure solution in all contexts (Corporate, Residential, Hot Spot) • Make business! Wi-Fi security: What’s next? – p.35
management frames are not authenticated • IEEE 802.11 TGi is not ratified • But a lot work is stable • Efforts are now focused on pre-authentication • WPA is here! • Good solution, perhaps WPA will be sufficient... Wi-Fi security: What’s next? – p.38
• Developpers: Bryan D. Payne, Chris Hessing, Terry Simons, Nick L. Petroni • Status • OS: Linux, *BSD (not yet complete), Mac OS X (not yet complete) • EAP: MD5, TLS, EAP-MS-CHAPv2, TTLS w/ PAP|CHAP|MS-CHAPv2, PEAP (in CVS) • Dynamic WEP-(re)keying Wi-Fi security: What’s next? – p.40
about security aspects • Other non Open Source driver from Jouni • WPA support • Available using other (not open source) type of licensing • Current strategy of the company Jouni work for • Difficult to predict if code will be publicly available • Contact • http://hostap.epitest.fi/ Wi-Fi security: What’s next? – p.43
• Developpers: Alan DeKok (main), and about 10 active developpers • Status • OS: Unixes • EAP: MD5, TLS • Cisco’s LEAP in CVS Wi-Fi security: What’s next? – p.44
of people are working on it, but Alan didn’t see any code yet (1 or 2 months to see it in CVS) • Contact • http://www.freeradius.org/ Wi-Fi security: What’s next? – p.45
Source software is possible • First step: With a full PKI • EAP-TLS authentication method • Supported in XSupplicant / FreeRADIUS • Dynamic WEP-(re)keying • Second step: With a light PKI • EAP-TTLS or EAP-TLS-EAP methods • Supported in XSupplicant / FreeRADIUS (close!) • Dynamic WEP-(re)keying Wi-Fi security: What’s next? – p.46
Supported in NIC firmwares • Perhaps authenticator WPA code will be publicly available • Support planned in XSupplicant • Idea: Support these people! • Send bug reports / feature requests Wi-Fi security: What’s next? – p.47