Static WEP Keys
There is no way to dynamically generate keys. This is a major problem because, with the basic WEP Open or Shared Key Authentication, WEP keys are easily cracked and/or the MAC address is easily spoofed, as the key is tied to the client device rather than the user. Because the key is held within the client machine, it can reside in an accessible place such as an application or the memory. Changing WEP keys manually is unmanageable in a large network, and there are no accounting features or integration with existing authentication databases such as LDAP or RADIUS.
Wi-Fi Protected Access (WPA)
The problem with WEP is that the key is static and it is shared. Not only can the key become known by a number of users, it can also be cracked relatively easily now using a 'Man-in-the-Middle' attack and a software tool such as AirSnort. Enhancements were introduced to deal with these issues. First off was Cisco with the following improvements:
- Cisco Temporal Key Integrity Protocol (CKIP) - key hashing on a per-packet basis to protect against Initialisation Vector (IV) attacks
- Cisco Message Integrity Check (CMIC) - to protect against Replay or 'Man-in-the-Middle' attacks
- Broadcast Key Rotation so that the broadcast key changes and diminishes the chance of it being obtained
WPA was introduced to provide some standardisation whilst the 802.11 committee instigated a more permanent solution to the security issues. WPA was based on Draft 3 of 802.11i. The additional benefits of WPA are as follows:
- Pairwise Transient Key (PTK) - A new session key is given to the user each time the user connects to the network i.e. on a per session basis
- Authenticated Key Management - where the user is authenticated first, followed by the generation of a Pairwise Master Key (PMK) on the client and the server. The Pairwise Master Key is used to generate the keys used to encrypt the session. Either 802.1X or a Pre-Shared Key (PSK) may be used as the PMK
- Key management of unicast and broadcast keys
- Initialisation Vector (IV) increased from 24 to 48 bits so that the chance of a reuse of the vector (collision) is minimised
- Migration - co-existence of WEP users is allowed, although when WPA is used the WEP Shared Key mechanism is turned off and only Open Authentication is used
- Temporal Key Integrity Protocol (TKIP) - A key hierarchy and management system where keys are generated per packet, per session and per user, plus there is a Message Integrity Check (MIC)
Both Cisco's solution and WPA allow existing equipment to be used with only firmware or software upgrades required. This is because the existing RC4 WEP encryption was still being utilised: the new features were designed to protect the WEP keys, and the encryption techniques used to generate the keys remained unchanged.
It may be worth making yourself familiar with 802.1X by following the link to 802.1X. For WPA using EAP and RADIUS, the general sequence of events runs as follows for a Wi-Fi client gaining access to a network via an Access Point:
- The client associates with an AP; however, in addition to the normal 802.11 association requirements, both the client and the AP MUST agree a security capability. The SSID within the beacon probe indicates the authentication type required; the client selects the SSID and the cypher suite that goes with the SSID.
- The client enters their credentials e.g. username and password
- Via 802.1X and an EAP method, the next sequence of steps involves the client and the RADIUS server mutually authenticating via the AP as follows:
  - The server sends a challenge to the client.
  - The client carries out a hash on the password.
  - The client sends this hashed password to the RADIUS server in its response.
  - The RADIUS server performs a hash on the password for that client in its user database.
  - The RADIUS server compares the two hashed values and authenticates the client if the two values match.
  - The process is then repeated in reverse so that the client can authenticate the RADIUS server that it is meant to be using.
- Once authenticated via 802.1X the server sends the client a Master Key (MK)
- Next, the RADIUS server and the client each independently create a client-specific 256-bit Pairwise Master Key (PMK) from the Master Key. If 802.1X is not being used, then this PMK is derived from the 64 hexadecimal Pre-Shared Key (PSK) instead. This is moved to the AP by the RADIUS server via a RADIUS protocol attribute, and uses the Diffie-Hellman method (see Encryption for more information).
- Now the famous WPA 4-way handshake between the client and the AP begins:
  - The AP creates a Nonce (Number used ONCE) or a random number and sends this to the client
  - The client generates a nonce or random number and a Pairwise Transient Key (PTK) is generated from the PMK. Both client and AP random numbers (nonces), plus their MAC addresses, are fed into a pseudo-random function in order to create the PTK. The PTK is used in authenticating the encryption key and a unique PTK is unicast to each client. The client sends its own nonce, the PTK and the MIC information to the AP
  - The AP sends the nonce again with the PTK that it created, and MIC key information. If this is the same PTK as that produced by the client then this validates the client.
  - The client sends MIC key information and PTK to the AP for verification. The 4-way handshake is then complete because it has been proved that the client and AP share the same PTK key information and PMK, and they are who they say they are. In addition, the client and AP have negotiated a PTK that may be used for further key generation.
- All wireless devices associated with an access point must be able to decrypt the broadcast and multicast traffic. They do so with the same Group Transient Key (GTK). If the AP changes the GTK because it was compromised, for example, the AP issues a replacement key using a two-way handshake with the KEK encrypting the GTK. The Group Key 2-way handshake operates as follows:
  - The AP uses a random number or the PTK to generate a Group Master Key (GMK). A group random number is generated and this is used in conjunction with the AP MAC address to create a Group Transient Key (GTK). The GTK is then encrypted with the EAPOL-Key Encryption Key (KEK) and broadcast (or multicast) along with the MIC key to the clients
  - The client decrypts the GTK and sends a message back to say it has done so, plus the MIC
WPA2's PTK consists of three key types. These key types are as follows:
- Key Confirmation Key (KCK) - used to check the integrity of an EAPOL-Key frame (used in the MIC)
- Key Encryption Key (KEK) - encrypts the GTK
- Temporal Keys (TK) - secure data traffic
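The PTK derivation and MIC check from the 4-way handshake described above, as an added example that is not part of the original page. It assumes the WPA2/CCMP case (a 48-byte PTK split into KCK, KEK and TK) with the HMAC-SHA1 pseudo-random function from 802.11i; the PMK, MAC addresses, nonces and frame bytes are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Expand the PMK into a 48-byte PTK and split it into KCK, KEK and TK."""
    # Sorting the MACs and nonces means AP and client build identical PRF input.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over an EAPOL-Key frame (MIC field zeroed): HMAC-SHA1 cut to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def verify_mic(kck: bytes, frame: bytes, mic: bytes) -> bool:
    """Constant-time comparison of the received MIC with the locally computed one."""
    return hmac.compare_digest(eapol_mic(kck, frame), mic)

# --- Constructed sample values (not captured traffic) ---
PMK = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # 64 hex digits
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"constructed AP nonce").digest()      # real nonces are random
SNONCE = hashlib.sha256(b"constructed client nonce").digest()
# Stand-in for an EAPOL-Key message 2 body with its MIC field zeroed.
FRAME2 = b"constructed EAPOL-Key message 2 body" + SNONCE + bytes(16)

def run_handshake(client_pmk: bytes, ap_pmk: bytes) -> bool:
    """Client MICs message 2 with its KCK; the AP checks it with its own KCK."""
    client = derive_ptk(client_pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    ap = derive_ptk(ap_pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return verify_mic(ap["KCK"], FRAME2, eapol_mic(client["KCK"], FRAME2))

if __name__ == "__main__":
    print("same PMK :", run_handshake(PMK, PMK))
    print("wrong PMK:", run_handshake(bytes(32), PMK))
```

Each side computes the PTK locally from its own copy of the PMK, so a client holding a different PMK produces a MIC that the AP rejects.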
All wireless devices associated with an access point must be able to decrypt the broadcast and multicast traffic. They do so with the same group key, or GTK. If the AP changes the GTK because it was compromised, for example, the AP issues a replacement key using the simpler two-way handshake with the KEK encrypting the GTK.
Because this entire process of client authentication to the RADIUS server can take hundreds of milliseconds (if not seconds) when a device is roaming from one AP to another, it's unacceptable for Wi-Fi phones or streaming applications on laptops. So most enterprise wireless products have 802.11i features that help minimize roaming latency: preauthentication and PMK caching.
Preauthentication lets a mobile client authenticate with other APs in its vicinity while remaining associated with its primary AP. With PMK caching, a roaming client need not fully reauthenticate over 802.1X when it returns "home