• Standardization efforts and status
• Current software status with new standards
• Consider this presentation as a light (?) tutorial!
Wi-Fi security: What’s next? – p.2
Mantin and Shamir paper (August 2001): attack on WEP in IEEE 802.11 specification
• Integrity protection is not effective
  • Shared Secret independent
• No key management
  • No dynamic key distribution
  • Shared Secret distribution issues: one loss is sufficient!
on ACLs
• MAC addresses are spoofable: they should only be used for identification, not for authentication
• Group authentication
  • Difficult to accept, especially in a corporate environment
• Management frames are not authenticated
  • Layer 2 DoS attacks
• Access was “cool & smooth”... before all publications!
• New security mechanisms are currently being drafted
• These solutions should mitigate security risks
  • Confidentiality / Integrity / Access Control: use of layer >2 secure protocols (IPsec)
  • Access Control: use of a captive portal
Born in March 2001 from TGe (QoS and security)
• Currently draft 5.0 (August 2003)
• Very active!
  • More than 10 drafts during the last year
• Intended to be ratified Q2 ’04
• Susceptible to modifications
  • Important: WRAP is deprecated, CCMP is mandatory
  • Light: typographic changes
• Standardized layer 2 security should be better than upper-layer secure solutions
• Goals:
  • New authentication and access control framework, with high flexibility
  • New confidentiality and integrity protocols
  • Access control must be performed at the edge (APs) upon the authentication result
  • Authentication methods are independent of IEEE 802.11 TGi
Short/medium-term solution
• Should only require a firmware upgrade (in theory!)
• Must mitigate all known WEP security issues
• (Short) internal aspects
  • Based on RC4
  • 48-bit IV (TKIP Sequence Counter)
  • Mixing function before injection in RC4
  • Enhanced integrity check (keyed MIC)
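As an added illustration of the 48-bit TKIP Sequence Counter and of what the receiver gains from it (example code written for this page, not taken from the slides or from any vendor firmware): the functions below encode and parse the 8-byte TKIP IV / Extended IV field according to the 802.11i TKIP MPDU layout, show how the middle byte of the 24-bit WEP IV is forced away from the weak-key classes, and implement the receiver-side replay check that a strictly increasing TSC makes possible. The sender address and frame sequence in `demo()` are constructed values.

```python
# Added example: TKIP IV / Extended IV handling and receiver replay check.
# Layout of the 8-byte field (IEEE 802.11i TKIP MPDU format):
#   byte 0: TSC1   byte 1: WEPSeed[1] = (TSC1 | 0x20) & 0x7F   byte 2: TSC0
#   byte 3: bits 6-7 KeyID, bit 5 ExtIV (always set for TKIP), bits 0-4 reserved
#   bytes 4-7: TSC2 .. TSC5 (little-endian)
EXT_IV_BIT = 0x20


def encode_tkip_iv(tsc: int, key_id: int) -> bytes:
    """Build the IV field carrying a 48-bit TKIP Sequence Counter (TSC)."""
    if not 0 <= tsc < 1 << 48:
        raise ValueError("TSC must fit in 48 bits")
    if not 0 <= key_id < 4:
        raise ValueError("KeyID is a 2-bit field")
    tsc_le = tsc.to_bytes(6, "little")          # TSC0 .. TSC5
    tsc0, tsc1 = tsc_le[0], tsc_le[1]
    # The middle byte of the 24-bit WEP IV is forced away from the values
    # that give rise to the FMS weak-key classes.
    wep_seed = (tsc1 | 0x20) & 0x7F
    return bytes([tsc1, wep_seed, tsc0, EXT_IV_BIT | (key_id << 6)]) + tsc_le[2:]


def decode_tkip_iv(iv_field: bytes) -> tuple[int, int]:
    """Parse the IV field into (tsc, key_id); reject headers that are not well-formed TKIP."""
    if len(iv_field) != 8:
        raise ValueError("TKIP IV + Extended IV is 8 bytes")
    tsc1, wep_seed, tsc0, flags = iv_field[0], iv_field[1], iv_field[2], iv_field[3]
    if not flags & EXT_IV_BIT:
        raise ValueError("ExtIV bit clear: not a TKIP-protected MPDU")
    if wep_seed != ((tsc1 | 0x20) & 0x7F):
        raise ValueError("WEPSeed byte inconsistent with TSC1")
    tsc = int.from_bytes(bytes([tsc0, tsc1]) + iv_field[4:8], "little")
    return tsc, flags >> 6


class TkipReplayState:
    """Receiver-side replay detection: the TSC must strictly increase per sender and key."""

    def __init__(self) -> None:
        self._last_tsc: dict[tuple[str, int], int] = {}

    def accept(self, sender: str, iv_field: bytes) -> bool:
        try:
            tsc, key_id = decode_tkip_iv(iv_field)
        except ValueError:
            return False                         # malformed header: discard
        key = (sender, key_id)
        if tsc <= self._last_tsc.get(key, -1):
            return False                         # replayed or reordered: discard
        self._last_tsc[key] = tsc
        return True


def demo() -> list[bool]:
    """Constructed frame sequence from one sender: TSC 1, 2, 2 (replay), 1 (stale), 3."""
    rx = TkipReplayState()
    sender = "02:00:00:00:00:01"                 # constructed MAC address
    return [rx.accept(sender, encode_tkip_iv(t, 0)) for t in (1, 2, 2, 1, 3)]
```

The check is per sender and per KeyID because the TSC is tied to a temporal key; when the 48-bit counter is about to wrap, the key has to be replaced rather than the counter reused, which is one of the reasons TKIP needs the rekeying machinery of 802.1X rather than a static shared secret.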
IEEE 802.1X-2001 (June 2001)
• Authentication is based on EAP
• Access control depends on the authentication result
• Runs over all 802 LANs (originally intended for 802.3)
• Controlled / Uncontrolled Port
  • Controlled: allows data to go through if authentication is successful
  • Uncontrolled: allows authentication data to go through
• Amendment to IEEE 802.1X-2001
• Modifications to key management frames (EAPOL-Key)
  • IEEE 802.1X key management was designed for wired communications
• IEEE 802.11 TGi uses the 802.1aa EAPOL-Key frame format
• The IEEE 802.1X EAPOL-Key frame format can be used for dynamic WEP (re)keying
RFC 2284 (March 1998)
• Intended initially for PPP, but 802.1X uses it as well
• Goals:
  • Flexible authentication framework: EAP only carries an authentication method
  • The authenticator is transparent; upgrades are not necessary
• Authentication relies more on the EAP method than on EAP itself
Some specification issues
• Being revised under RFC 2284bis-05 (September 2003)
• Some issues:
  • No EAP state machine
  • Extend the type space (was 1 byte)
  • http://www.drizzle.com/~aboba/EAP/eapissues.html
client and network authentication for GSM/UMTS-based networks
• Dynamic keying
• Good level of security
• Standardized by Nokia / Ericsson / Cisco
Uses TLS, then another EAP method encapsulated (secured) in the TLS tunnel
• Could “secure” insecure methods
• Asymmetric authentication
• Standardized by Microsoft / Cisco
• EAP-TTLS: draft-02 (November 2002)
  • Nearly equivalent to PEAP
  • Was the first tunnelled authentication method available
  • Standardized by Funk Software
• New keys are derived from the EAP master key
• Protect both unicast and multicast traffic
• MSK: Master Session Key
  • Directly from a successful EAP authentication
• PMK: Pairwise Master Key
  • Derived from MSK
  • Must be 256-bit
PTK: Pairwise Transient Key
  • Derived from PMK
  • 384/512-bit depending on cipher selection
  • Used to protect unicast traffic
• GTK: Groupwise Transient Key
  • Equivalent to a random number
  • 40/104/128/256-bit depending on cipher selection
  • Used to protect multicast traffic
4-Way Handshake
• Group Key Handshake
• Goals:
  • Establish a fresh key between AP and STA
  • Liveness of peers
  • No man in the middle
  • Synchronizes pairwise key use
AP → STA: RSN IE (AP supports MCast/Ucast: WEP, TKIP and Auth: Dynamic Keys with 802.1X)
STA → AP: 802.11 Open Authentication
AP → STA: 802.11 Open Auth (success)
STA → AP: Association Req + RSN IE (Client requests TKIP and dynamic keys with 802.1X)
AP → STA: Association Response (success)
802.1X controlled port blocked for client
Source: IEEE
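The key hierarchy of the two preceding slides and the handshake goals above, carried through in code. This is an added example written for this page, not code from the slides or from any 802.11i implementation. The PRF and the PTK construction follow the IEEE 802.11i definitions (PRF-384 for CCMP, PRF-512 for TKIP, the KCK/KEK/TK split, HMAC-MD5 or HMAC-SHA1-128 for the EAPOL-Key MIC), but the message body used for the MIC is a constructed stand-in (32-byte nonce, 16-byte MIC slot, payload) rather than the real Key Descriptor layout, and the MSK, addresses and nonces are constructed values.

```python
# Added example: 802.11i key hierarchy (MSK -> PMK -> PTK) and the MIC that
# authenticates 4-Way Handshake messages. Constructed values throughout.
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... truncated to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def pmk_from_msk(msk: bytes) -> bytes:
    """PMK is the first 256 bits of the EAP Master Session Key."""
    if len(msk) < 32:
        raise ValueError("MSK must provide at least 256 bits")
    return msk[:32]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, cipher: str) -> dict:
    """PTK = PRF-X(PMK, "Pairwise key expansion", min/max(AA, SPA) || min/max(ANonce, SNonce)).
    X = 384 for CCMP (TK is 128 bits), 512 for TKIP (TK 128 bits + two 64-bit Michael MIC keys)."""
    nbits = {"CCMP": 384, "TKIP": 512}[cipher]
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, nbits)
    # KCK authenticates EAPOL-Key frames, KEK wraps the GTK in the Group Key Handshake,
    # TK is the data-protection key handed to the cipher.
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def eapol_key_mic(kck: bytes, frame_mic_zeroed: bytes, cipher: str) -> bytes:
    """Key MIC: HMAC-MD5 (Key Descriptor Version 1, TKIP) or HMAC-SHA1-128 (Version 2, CCMP)."""
    if cipher == "TKIP":
        return hmac.new(kck, frame_mic_zeroed, hashlib.md5).digest()
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]


# Constructed message body: nonce (32) || MIC slot (16) || payload. Not the real descriptor layout.
MIC_OFF, MIC_LEN = 32, 16


def sign_msg(kck: bytes, nonce: bytes, payload: bytes, cipher: str) -> bytes:
    body = nonce + bytes(MIC_LEN) + payload         # MIC field is zero while the MIC is computed
    mic = eapol_key_mic(kck, body, cipher)
    return body[:MIC_OFF] + mic + body[MIC_OFF + MIC_LEN:]


def verify_msg(kck: bytes, msg: bytes, cipher: str) -> bool:
    zeroed = msg[:MIC_OFF] + bytes(MIC_LEN) + msg[MIC_OFF + MIC_LEN:]
    expected = eapol_key_mic(kck, zeroed, cipher)
    return hmac.compare_digest(expected, msg[MIC_OFF:MIC_OFF + MIC_LEN])


def four_way_demo(cipher: str = "CCMP") -> tuple[bool, bool, bool]:
    """Messages 1 and 2 of the 4-Way Handshake with constructed inputs.
    Returns (ptk_agreed, msg2_verified, msg2_from_wrong_pmk_verified)."""
    msk = hashlib.sha512(b"constructed EAP MSK").digest()       # 64 bytes, stands in for EAP output
    pmk = pmk_from_msk(msk)
    aa = bytes.fromhex("020000000001")                         # constructed AP address
    spa = bytes.fromhex("020000000002")                        # constructed STA address
    anonce = bytes(range(32))                                  # Msg1: AP -> STA, ANonce (fixed for the demo)
    snonce = bytes(range(32, 64))                              # STA picks SNonce
    # STA derives its PTK from PMK + both nonces and MICs Msg2 with the KCK.
    sta_ptk = derive_ptk(pmk, aa, spa, anonce, snonce, cipher)
    msg2 = sign_msg(sta_ptk["KCK"], snonce, b"RSN IE from STA", cipher)
    # AP reads SNonce from Msg2, derives its own PTK and checks the MIC:
    # a valid MIC proves the STA holds the PMK and is live (it used this ANonce).
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, msg2[:32], cipher)
    ok = verify_msg(ap_ptk["KCK"], msg2, cipher)
    # A peer with a different PMK produces a MIC the AP rejects.
    rogue_ptk = derive_ptk(hashlib.sha256(b"wrong pmk").digest(), aa, spa, anonce, snonce, cipher)
    bad = verify_msg(ap_ptk["KCK"], sign_msg(rogue_ptk["KCK"], snonce, b"RSN IE from STA", cipher), cipher)
    return sta_ptk == ap_ptk, ok, bad
```

Because the PTK mixes both nonces and both addresses, a fresh ANonce and SNonce give a fresh PTK for every association even though the PMK is reused, and the MIC on messages 2 to 4 lets each side confirm that the other has derived the same PTK before the controlled port is opened. Messages 3 and 4, and the Group Key Handshake that carries the GTK wrapped under the KEK, use the same MIC construction.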
• Should avoid hardware upgrades (NICs and APs)
• Must be “backward-compatible”
• Provide a flexible, convenient and secure solution in all contexts (Corporate, Residential, Hot Spot)
• Make business!
But management frames are not authenticated
• IEEE 802.11 TGi is not ratified
  • But a lot of the work is stable
  • Efforts are now focused on PMK caching
• EAP method standardization is critical!
  • Wireless security relies on EAP
• WPA is here!
  • Good solution; perhaps WPA should be sufficient...
WPA should be a software solution, but a hardware upgrade is sometimes necessary
• Supplicant status:
  • XP support by Microsoft
  • XP/2000/98/Me support by Funk Software
  • *nix support with XSupplicant (WPA is planned)
• Authenticator status:
  • Host AP driver supports 802.1X-2001
  • Hope that a WPA authenticator will be publicly available
Product                     TLS    TTLS   PEAP    (column headers inferred from context; not recoverable from the extraction)
(row label not recovered)   ?      Y      Y
MS XP                       Y      N      N
MS XP SP1                   Y      N      Y
Odyssey v2.2                Y      Y      Y
FreeRADIUS (CVS)            Y      Y      close
MS W2003 IAS                Y      N      Y
Steel Belted v4.5           Y      Y      Y
Cisco ACS v3.1              Y      N      Y
Tunnelled authentication methods can be various (PAP, CHAP, EAP...)
MS XP and XSupplicant
• TTLS / TLS support in the Funk Software supplicant for XP/2000/Me/98
• 802.1X support in several APs
• Full PKI deployment
• Q3 ’03: WPA and new EAP methods
  • TTLS / PEAP support
  • WPA hardware is available (APs and NICs)
  • Full or light PKI deployments
NIC firmware
• Supported in commercial supplicants
• Support planned in XSupplicant
• But:
  • EAP method choice is critical
  • Legacy 802.1X clients are still vulnerable, because they use dynamic WEP (re)keying
  • A WPA-only network should mitigate this!