The Inside Secrets Of WiFi Security

The 802.11i standard offers wireless security using cryptographically proven techniques. Here's a look inside the key security elements provided under 802.11i.

February 24, 2005

11 Min Read
NetworkComputing logo in a gray background | NetworkComputing

As wireless LAN (WLAN) equipment becomes more popular and widely deployed, the same care that has been paid to securing wired networks must be applied to wireless networks. In a wired LAN, only those stations physically connected to the wire may hgfear can send or receive LAN traffic, thus granting a minimum level of physical security. This is not the case with a wireless shared medium, as any 802.11 client may receive and transmit traffic to any other client within range.

Based largely on enterprise demands for more secure WLAN solutions, the IEEE developed the 802.11i specification, which allows for security improvements in existing WLAN products through firmware upgrades. Most available products can be upgraded to use certain features, such as temporal key integrity protocol (TKIP) and IEEE 802.1x authentication. This provides a considerable security improvement over the wired equivalent privacy (WEP) standard, which was not designed for ultimate security but rather to be "at least as secure as a wire". 802.11i also allows for backward compatibility with the original 802.11 standard. Even greater security can be gained in products available since 2003, which include new hardware supporting encryption. Products currently on the market are able to use the most advanced features of 802.11i, such as AES encryption for bulk data protection, key caching which allows mobile stations to switch from one access point to another without incurring the time overhead of a key exchange each time, and pre-authentication which allows a client to establish security state in an access point prior to associating to it..

It is best to think of 802.11i not as a single protocol but rather a security framework (Figure 1), using existing, proven security standards — like a recipe listing the ingredients to bake a cake. Just as a chef will select the best ingredients for a particular type of cake, so too can a network administrator select the best mix of encryption types, authentication mechanisms, and PKIs to address their organization's requirements.


Figure 1: diagram showing the elements that make up the 802.11i protocol.

ABCs of 802.11 Security
Customers who deploy WLAN solutions need to be confident of the system's ability to address integrity, privacy, and reliability. Solving these challenges in securing WLANs requires addressing many facets of security, including:

  • Strong mutual authentication — The client and access point must cryptographically prove their identities to each other.

  • Messages must have data origin protection — It must be possible to prove that sender of a message is genuine and not a man-in-the-middle.

  • Messages must have data integrity protection— It must be possible to prove that messages are not altered in transit.

  • Messages must have confidentiality — The contents of messages must only be viewable by the sender and receiver.

To achieve these goals, 802.11i leverages a number of security features including AAA and PKI/ Let's look at both below.

1. AAA,

Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.

AAA services are often provided by a dedicated AAA server, a program that performs these functions. A commonly used standard by which network access servers interface with the AAA server is the Remote Authentication Dial-In User Service (RADIUS).

PKI
Public-key infrastructure (PKI) is a hierarchy of trust using public key cryptography. The top of the hierarchy is a root certification authority (CA), the leaves of this hierarchy are individuals identified by a certificate, and intermediate nodes of the hierarchy are individual, non-root, CAs. Each CA, both root and non-root, is an entity which is trusted to verify the identity of others and to issue certificates, a kind of online passport, to them (Figure 2).

Click here for Figure 2
Figure 2: Diagram showing the digital certificate generation process.CAs allow the establishment of trust to scale because the CA vouches for identity of other people. If the CA is trusted all people whose identities are vouched for by the CA can be proven. For example, if 50 people trust a CA it is trivial to add a 51st person to the ring of trust — merely give it a certificate signed by the CA. But if there is no CA, no trusted third party, it is necessary to introduce the 51st person to all 50 other people in order to establish the same amount of trust. That just does not scale.

Certificates issued by a CA bind identities to public keys. They are tamper-proof because the CA signs them and any alteration to the certificate after the signing could be detected. If a certificate is valid, that is it has not been altered, and the CA is trusted then the identity contained in the certificate can be authenticated.

There are two types of digital certificates that are important when building secure wireless networks: server certificates and personal certificates. Both of them must be signed by a CA to be truly effective.

Server certificates identify network entities like access points or WLAN switches. They allow clients to authenticate the network entity to which it is trying to gain access. This prevents a rogue access point from trying to attract legitimate clients and induce them to provide it with their credentials.

Personal certificates identify clients and allow network entities like access points or WLAN switches to authenticate clients. This ensures that the only people allowed onto your network are people you want to allow.802.1x Authentication: Halt! Who Goes There?
802.1x defines port-based, network access control that is used to provide authenticated network access. While this standard is designed for wired Ethernet networks, it has been adapted for use on 802.11 WLANs. 802.1x defines the following terms that have been carried into the wireless world:

  • Supplicant: The client. The supplicant requests network access by associating to an access point and obtains network connectivity after authentication.

  • Authenticator: A wireless access point (AP) or WLAN switch. The authenticator keeps a WLAN closed to all unauthenticated traffic. It does not do authentication directly, but instead tunnels the extensible authentication protocol (EAP) to an authentication server.

  • Authentication server: The authentication server performs the client authentication and instructs the authenticator whether to allow the supplicant's traffic to pass, whether to open the port, or not. The authentication server might be a component of a WLAN switch or a separate entity, typically a RADIUS server (Figure 3).
    Figure 3: Diagram showing an EAP implementation on a RADIOS server.

    Choosing the Right EAP
    EAP was originally defined for use with the PPP protocol (RFC 2284). It was then adapted by the IEEE to perform the actual authentication for 802.1x. Because of this, another name for 802.1X isor EAP over LAN (EAPoL).Unlike other authentication protocols, EAP does not force users into certain types of authentication, and it truly is extensible. Each type of EAP authentication is called a method. Some EAP methods use certificates and others use smart cards or usernames and passwords. Some EAP methods do mutual authentication while others only authenticate the client. Since 802.11 security requires mutual authentication it is obvious that not all EAP methods are appropriate for use in a wireless network.

    Different network installations have different security requirements and network administrators must choose the EAP method that best matches their requirements of security, ease-of-use, and ease-of-management. Some may also require leveraging of an existing authentication infrastructure such as a database of usernames and passwords in a RADIUS database.

    Choosing which EAP method to deploy in your network is an important aspect of developing a secure WLAN design. Not only does it impact every user it also potentially imposes significant administrative requirements. As its name implies, EAP is extensible to many different authentication protocols, such transport layer security (TLS), Microsoft's Challenge Handshake Authentication Protocol (MSCHAPv2), tunneled TLS (TTLS), and subscriber identification modules (SIM), each of which provides different features.

    The most commonly used authentication method is PEAP/MSCHAPv2 that actually performs two EAP methods in one. The first is to authenticate the access point or WLAN switch using TLS while the second is to authenticate the client using Microsoft's MSCHAPv2. PEAP/MSCHAPv2 is widely deployed and ships by default on all recent versions of Microsoft operating systems, covering PCs, laptops, PDAs, and smartphones. PEAP/MSCHAPv2 requires a username/password combination on the client side (the supplicant) and a server side certificate on the network side (the authenticator).

    Another common EAP method (EAP-TLS) also uses a server-side digital certificate, and additionally requires the client to authenticate using a digital certificate. This solution has the benefit of strong security but is balanced by its more stringent administrative requirements (because of the necessity of a PKI) as well as end-user education.Encryption
    Upon the conclusion of 802.1x and EAP, the authenticator and supplicant share an authenticated key, called the pairwise master key (PMK). This key is used with an 802.11i exchange called the "four-way handshake" to establish per-client keys to perform bulk data protection (as mentioned above, message source authentication, message integrity assurance, and message confidentiality) for use with:

    • 802.11i (also known as WPA2) using counter-mode/CBC-MAC protocol (CCMP) — Based on AES using the CCM mode of operation, which combines counter mode and CBC-MAC for encryption and message integrity.

    • Wi-Fi Protected Access (WPA) using TKIP — Leverages an early, non-standard version of the 802.11i four-way handshake and the 802.11i group key handshake for key derivation and distribution. It changes the WEP key and IV with every packet and adds a keyed-hash message integrity protocol called "Michael" to improve message integrity checking.

    In addition to the above, it is possible to use the result of the 802.1x/EAP exchange directly and not use any post authentication handshake. The PMK can directly be used to provide:

    • Dynamic WEP

    • — The WEP algorithm is used to provide confidentiality but no message integrity or message source authentication is provided. The unique nature of each PMK (it is unique to a particular supplicant and authenticator) provides an improvement on using WEP with a static key but should not be used in place of either TKIP or CCMP.

    • Dynamic WEP with Broadcast/Multicast Key Rotation — Builds on dynamic WEP by automatically refreshing broadcast/multicast keys at regular intervals without user intervention or knowledge. This automatic rotation scheme helps mitigate one of WEP's major vulnerabilities.

    It must be noted, though, that both of these techniques still suffer from the use of WEP and should be avoided.

    Fast-Handoff
    A hand-off occurs when a user roams from one access point to another. This starts a discovery phase and the user's client begins to scan different channels for an AP with which to associate. When an AP is detected that has the right level of services — such as encryption and quality of service — the client tries to obtain network access by associating (or re-associating) with an AP.

    In a pre-802.11i implementation (WPA or dynamic WEP), it is necessary to perform a full 802.1x/EAP exchange between the supplicant and the authentication server to derive a new PMK with which to perform bulk data protection.With 802.11i, a full 802.1x/EAP re-authentication can be skipped because the client has already been authenticated. The client and WLAN switch forgo the key management and authentication protocol by retaining the PMK in a cache, and go straight to the four-way handshake to establish a new set of session keys on a new AP. When session keys are established, the client finishes the hand-off process. This reduces the latency to establish security state on the new AP from the hundreds of milliseconds to the tens of milliseconds, enough to maintain a VoIP call.

    The client initiates PMK caching by asserting a "PMK ID" in its associate request. It says, "I already have a PMK identified by this PMK ID and I want to use it". If the 802.1x authenticator has a PMK identified by that PMK ID it can just jump to the "four-way handshake". If it doesn't, then it requires full re-authentication and indicates this by initiating an 802.1x exchange..

    Eliminating the re-authentication step and trimming upwards of 800 milliseconds off the hand-off time when mobile users roam from AP to AP makes the deployment of delay-sensitive applications like voice over wireless much more practical and reliable.

    Wrap Up
    With the introduction of 802.11i it is possible to provide wireless security using cryptographically proven techniques. In addition, it is possible to use 802.11i constructs to establish security state on a new AP to effect a fast handoff. When deliberating on new wireless security offerings make sure that 802.11i with CCMP and PMK caching is provided. It solves real security problems using cryptographically proven methods in a forward-looking manner.

    About the Authors

    Dan Harkins is the chief security architect at Trapeze Networks and the author of Internet Key Exchange (IKE) standard for IPsec. Dan can be reached at [email protected].0

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights