Ad hoc only requires a wireless device in each computer.
Infrastructure requires a wireless device in each computer AND a base station (with a built-in DHCP server and firewall).
Ad hoc: wireless devices have no access point connection; each device communicates with the others directly.
Client/Server (infrastructure networking)
Extends an existing wired LAN to wireless devices by adding an access point (bridge and central controller)
Advantages to Infrastructure Mode
Automatic use of a Network Address Translation (NAT) firewall - blocks all port requests coming from outside
Only locally reserved (private) IP addresses are used by clients; those addresses do not show up on the Internet.
The DHCP server (gateway) built into this NAT firewall does not require any one computer to be on (and functioning) in order to use the connection.
By nature, wireless networks need to advertise their beacons to show their existence
Service set identifier (SSID)
Beacon frames, which broadcast the network parameters, are sent unencrypted
Media Access Control (MAC) address filtering
802.11 uses 48-bit station identifiers in the frame headers
- check the MAC address to ensure the station has access
- not part of the 802.11 standard, but used anyway for identification
Wired Equivalent Privacy (WEP)
Was supposed to provide authentication and privacy
Secret 40-bit keys, but unsafe at any length
Weakness due to the long life of the keys and to their being shared among many users
The IEEE 802.1X standard
- Solves the user authentication problem
- Standard for passing EAP over a wired or wireless LAN
- EAP messages are packaged in Ethernet frames and don't use PPP.
- It is only authentication
- Provides a security framework for port-based access control
- Resides in the upper layers, enabling new authentication and key management methods without changing current network devices.
- The latest security technology should still work with your existing infrastructure
802.1X architecture overview (diagram): AP = Authenticator, Client = Supplicant, Authentication Server
- EAP carries the concrete authentication protocol between Supplicant and Authentication Server
- 802.1X carries EAP over the 802 LAN between Supplicant and Authenticator
- RADIUS/UDP/IP carries EAP between Authenticator and Authentication Server
A client device connects to a port on an 802.1X switch/AP
The switch port can determine the authenticity of the devices
The services offered by the switch can be made available on that port
Only EAPOL frames can be sent and received on that port until authentication is complete.
When the device is properly authenticated, the port switches traffic as though it were a regular port.
802.1X authentication and WEP key delivery (diagram: Authentication Server, Access point, Laptop; steps 1-5)
1 - Client associates with the blocked access point
2 - User provides login authentication credentials
3 a) - Server <-> user authentication
  b) - Server delivers the unicast WEP key to the access point
4 - Access point delivers the broadcast WEP key, encrypted with the unicast WEP key, to the client
5 - Client and access point activate WEP and use the unicast and broadcast WEP keys for transmission
EAP Transport “Authentication” Protocol
Unicast: communication between a single host and a single receiver; packets sent to a unicast address are delivered to the interface identified by that address
Multicast: communication between a single host and multiple receivers; multicast sends packets to a subnet, and defined devices listen for multicast packets
What is EAP
Beyond simple user names and passwords
Easily encapsulated within any data link protocol
Provides a generalized framework for all sorts of authentication methods.
Simpler interoperability and compatibility across authentication methods
For example, when you dial a remote access server (RAS) and use EAP as part of your PPP connection, the RAS doesn't need to know any of the details of your authentication system. Only you and the authentication server have to be coordinated.
The RAS gets out of the authentication business and just re-packages EAP packets to hand off to a RADIUS server, which makes the actual authentication decision.
EAPOL packet structure: EAP messages are packaged in Ethernet frames and don't use PPP
Destination Ethernet Addr | Source Ethernet Addr | Ether type = 888E | Vers | Type | Body Length | Body (e.g. EAP frame)
A typical EAPOL protocol run (Supplicant <-> Authenticator):
Supplicant -> Authenticator: EAPOL start
Authenticator -> Supplicant: EAP request/identity
Supplicant -> Authenticator: EAP response/identity
Authenticator -> Supplicant: EAP request/MD5-challenge
Supplicant -> Authenticator: EAP response/MD5-challenge
Authenticator -> Supplicant: EAP success
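The EAPOL frame layout and the protocol run above, worked through as an added example (this is not code from the original slides): both the supplicant and the authenticator side are modelled, and the authenticator's controlled port drops every non-EAPOL frame until EAP success. The MD5-Challenge response is computed CHAP-style as MD5(Identifier | password | challenge) as RFC 2284 specifies; the authentication server is folded into the authenticator as a plain user table (an assumption standing in for the RADIUS back end), and the MAC addresses, identity and password are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START = 0, 1                      # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def build_eapol(dst, src, eapol_type, body=b""):
    """Ethernet header | Ethertype 888E | Version | Type | Body Length | Body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(body)) + body


def parse_eapol(frame):
    """Return (dst, src, version, eapol_type, body); raise ValueError if malformed."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL header")
    ethertype, version, eapol_type, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    if len(frame) < 18 + length:
        raise ValueError("Body Length exceeds frame")
    return frame[:6], frame[6:12], version, eapol_type, frame[18:18 + length]


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code | Identifier | Length | [Type | Type-Data]."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:length]


def md5_response(ident, password, challenge):
    """EAP-MD5 (CHAP-style) response value: MD5(Identifier | password | challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class AuthenticatorPort:
    """One 802.1X port. The authentication server is folded in as a user table
    (assumption) instead of a RADIUS back end; the EAP decisions are the same."""

    def __init__(self, users):
        self.users = users              # identity -> password bytes
        self.authorized = False
        self.identity = None
        self.challenge = None
        self.ident = 0

    def forward(self, frame):
        """Controlled-port rule: until authorized, only EAPOL frames are handled."""
        if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL:
            return self.handle_eapol(frame)
        return frame if self.authorized else None   # dropped while unauthorized

    def handle_eapol(self, frame):
        dst, src, _, eapol_type, body = parse_eapol(frame)

        def reply(eap):
            return build_eapol(src, dst, EAPOL_EAP_PACKET, eap)

        if eapol_type == EAPOL_START:
            self.ident += 1
            return reply(build_eap(EAP_REQUEST, self.ident, EAP_TYPE_IDENTITY))
        code, ident, eap_type, data = parse_eap(body)
        if code != EAP_RESPONSE or ident != self.ident:
            return None                                  # stale or unexpected
        if eap_type == EAP_TYPE_IDENTITY:
            self.identity, self.challenge = data.decode(), secrets.token_bytes(16)
            self.ident += 1
            return reply(build_eap(EAP_REQUEST, self.ident, EAP_TYPE_MD5_CHALLENGE,
                                   bytes([16]) + self.challenge))
        if eap_type == EAP_TYPE_MD5_CHALLENGE:       # data = Value-Size | Value
            expected = md5_response(ident, self.users.get(self.identity, b""), self.challenge)
            self.authorized = hmac.compare_digest(data[1:1 + data[0]], expected)
            return reply(build_eap(EAP_SUCCESS if self.authorized else EAP_FAILURE, ident))
        return None


def run_supplicant(port, sup_mac, ap_mac, identity, password):
    """Drive the EAPOL exchange from the supplicant side; return the message list."""
    log = ["EAPOL start"]
    reply = port.forward(build_eapol(ap_mac, sup_mac, EAPOL_START))
    while True:
        code, ident, eap_type, data = parse_eap(parse_eapol(reply)[4])
        if code == EAP_SUCCESS:
            return log + ["EAP success"]
        if code == EAP_FAILURE:
            return log + ["EAP failure"]
        if eap_type == EAP_TYPE_IDENTITY:
            log += ["EAP request/identity", "EAP response/identity"]
            resp = build_eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())
        else:                                            # MD5-Challenge
            log += ["EAP request/MD5-challenge", "EAP response/MD5-challenge"]
            value = md5_response(ident, password, data[1:1 + data[0]])
            resp = build_eap(EAP_RESPONSE, ident, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + value)
        reply = port.forward(build_eapol(ap_mac, sup_mac, EAPOL_EAP_PACKET, resp))
```

Feeding a non-EAPOL frame (for instance an IPv4 ethertype) into `AuthenticatorPort.forward` before the run returns `None`, i.e. the frame is dropped; after `run_supplicant` ends in `EAP success` the same frame is switched through, which is exactly the "only EAPOL frames until authentication is complete" rule from the slides.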
TKIP vs. WEP encapsulation (diagram)
TKIP: the temporal key, the transmitter MAC addr and the SEQ # are mixed (phases P1, P2) into a per-packet key; RC4(per-packet key) produces the ciphertext; the integrity key and a hash over S | D | body produce the MIC; output: IV/SEQ | ciphertext | MIC
WEP: the shared secret key and IV feed RC4 directly; plaintext S | D | body | ICV (CRC-32); output: IV | ciphertext
TKIP (Temporal Key Integrity Protocol)
Addresses weak IVs, IV collisions
Firmware upgrade deployable to existing 802.11 hardware
- Cryptographic message integrity code
- Per-packet key generation
Sender and receiver share a 64-bit secret integrity key K
MIC = H_K(src MAC | dst MAC | frame body)
If the receiver's computation matches the MIC sent, then the message is presumed authentic
If 2 forgeries occur in a second, then assume the link is under attack
- Delete keys, disassociate, and reassociate
Reuse 16 bits of the WEP IV packet field for the sequence number
Initialize the sequence # to 0 for a new encryption key
Increment the sequence # by 1 on each packet
Discard any packet out of sequence
Key_mix(128-bit temporal key, 48-bit MAC) = 128-bit result
Ensures a unique key even if clients share the same temporal key
The incrementing seq # ensures a unique key for each packet
Keystream = RC4(128-bit per-packet key)
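The receiver-side TKIP logic from the MIC, sequence-number and per-packet-key slides above, combined into one added example (not code from the slides): sequence check, MIC check, the "2 forgeries in a second" countermeasure, key mixing of temporal key, MAC and sequence number, and keystream = RC4(per-packet key). The real Michael MIC and the two-phase TKIP key-mixing function are not reproduced; truncated HMAC-SHA256 stands in for both (an assumption), while RC4 itself is implemented as specified. Keys, MAC addresses and the clock are constructed so the example runs offline.

```python
import hashlib
import hmac
import time


def mic(integrity_key, src, dst, body):
    """MIC = H_K(src MAC | dst MAC | frame body); HMAC-SHA256 truncated to 8 bytes
    stands in for Michael (assumption, not the real TKIP primitive)."""
    return hmac.new(integrity_key, src + dst + body, hashlib.sha256).digest()[:8]


def key_mix(temporal_key, transmitter_mac, seq):
    """128-bit per-packet key from temporal key, transmitter MAC and sequence #;
    HMAC-SHA256 stands in for the TKIP phase-1/phase-2 mixing (assumption)."""
    return hmac.new(temporal_key, transmitter_mac + seq.to_bytes(6, "big"),
                    hashlib.sha256).digest()[:16]


def rc4_keystream(key, n):
    """Plain RC4 (KSA + PRGA) producing n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt(temporal_key, transmitter_mac, seq, data):
    """data XOR RC4(per-packet key); RC4 is symmetric, so this also decrypts."""
    ks = rc4_keystream(key_mix(temporal_key, transmitter_mac, seq), len(data))
    return bytes(p ^ k for p, k in zip(data, ks))


class TkipReceiver:
    """Receiver: replay check, MIC check, and the '2 forgeries in a second' rule."""

    def __init__(self, temporal_key, integrity_key, clock=time.monotonic):
        self.temporal_key = temporal_key
        self.integrity_key = integrity_key
        self.last_seq = -1            # sequence # starts at 0 for a new key
        self.forgery_times = []       # timestamps of MIC failures
        self.associated = True
        self.clock = clock            # injectable for deterministic testing

    def receive(self, src, dst, seq, ciphertext, received_mic):
        """Return one of: accept, replay, forgery, countermeasures, disassociated."""
        if not self.associated:
            return "disassociated"
        if seq <= self.last_seq:      # discard any packet out of sequence
            return "replay"
        body = encrypt(self.temporal_key, src, seq, ciphertext)
        if not hmac.compare_digest(mic(self.integrity_key, src, dst, body), received_mic):
            now = self.clock()
            self.forgery_times = [t for t in self.forgery_times if now - t < 1.0] + [now]
            if len(self.forgery_times) >= 2:          # 2 forgeries in a second
                self.associated = False               # delete keys, disassociate
                self.temporal_key = self.integrity_key = None
                return "countermeasures"
            return "forgery"
        self.last_seq = seq
        return "accept"
```

A packet encrypted for sequence number 0 but presented with sequence number 1 decrypts under a different per-packet key, so its MIC fails: the receiver reports a forgery, and a second failure inside the same second triggers the countermeasures, after which nothing is accepted until reassociation.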
TKIP key hierarchy
Master key: established via 802.1X or manually; used to securely communicate the key encryption keys
- Key encryption keys (2): secure the messages containing keying material for deriving temporal keys; key 1: encryption, key 2: integrity
- Temporal keys (2): key 1: encrypting data, key 2: data integrity
If master key compromised, then TKIP is voided
The lack of PKI represents a huge issue on the AP side.
Standard EAP with TKIP WLAN design: attack mitigation roles for the standard EAP WLAN design
802.1X/EAP with TKIP Threats mitigated
Wireless packet sniffers
-per packet keying
- only authenticated users are able to access the wireless and wired network
- optional access control on the Layer 3 switch limits wired network access
-the mutual authentication nature of several EAP authentication types combined with the MIC can prevent hackers from inserting themselves in the path of wireless communications.
-have to first authenticate to WLAN
-layer 3 switch restricts any spoofing to the local subnet range
-have to first authenticate to WLAN
Network topology discovery
- have to first authenticate to the WLAN
-know network exist by SSID, but cannot access the network.
802.1X/EAP with TKIP Additional Threats mitigated
802.1X/EAP with TKIP Threats not mitigated
- passive monitoring of the 802.1X/EAP exchanges between the client and the access point
- Protected EAP (PEAP) mitigates this by establishing a TLS tunnel from the client to the server before asking for the user's authentication credentials.
EAP method and cipher suite negotiation (diagram): Client laptop <-> Network Access Server (NAS) <-> back-end (EAP) server, with a trust relationship between NAS and back-end server
- The EAP conversation (over PPP, 802.11, etc.) runs end to end between the client and the back-end server
- The EAP method's CipherSuite determines the authentication, encryption and MAC algorithms; selected by the server
- Default cipher suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- The EAP method produces the keys for the link-layer CipherSuites
IEEE 802.11i
- Embraces 802.1X and TKIP
- Replaces RC4 with AES for encryption and integrity
- 48-bit sequence counter, 128-bit key
- Requires a coprocessor, therefore a new hardware deployment
Mobile communication technology will continue to grow, encouraged by the switch to packet-switched 3G cellular phones
This results in a natural progression to accessing the Internet without wires
It also results in a need for more privacy/security protection mechanisms
Standards and vendor products eventually evolve to meet customers' needs
The Alliance announced the first certified products with WPA April 29, 2003
The Wi-Fi Alliance created Wi-Fi Protected Access (WPA) in October of 2002 as a stepping stone between the sullied Wired Equivalent Privacy (WEP) encryption that has long been part of the 802.11 specifications, and the upcoming 802.11i standard that will bring IEEE endorsed security to WLANs.
If access is approved, the authenticator hands over a unique per-supplicant master key, from which the supplicant's network adapter derives the TKIP key, the packet integrity key, and the other cryptographic material. The user can then be authenticated
EAP is used to refresh the master key frequently, reducing the window of opportunity for intercepting packets for cracking.