SlideShare a Scribd company logo

802.11i

Download as PPTX, PDF
akruthi k
akruthi k

ieee 802.11i TKIP CCMP

Engineering
1 of 41
IEEE 802.11i Robust Security Networks TKIP CCMP
WEP Cryptographic Operations • Confidentiality and integrity are handled simultaneously in WEP WEP Data Processing
• 802.1X addresses two of the major flaws in WEP 1. authentication 2. key management • The major remaining flaw to be addressed – Lack of confidentiality • idea to overcome this problem – Link Layer encryption technique.
802.11i ? • 802.11i defines 2 protocols for link layer protection 1. Temporal Key Integrity Protocol (TKIP) 2. Counter Mode with CBC-MAC Protocol (CCMP)
• First new link layer encryption technique. • upgraded the security of WEP-based hardware • Retains the basic architecture and operations of WEP. • Initially called “WEP2” The Temporal Key Integrity Protocol (TKIP)
The Temporal Key Integrity Protocol (TKIP) 1. Key hierarchy and automatic key management – Use of master keys for deriving key for frame encryption. – key management operations automatically refreshes key. 2. Per-frame keying – Every frame has a unique RC4 key from the master key. – This process is called key mixing Differences from WEP (Features of TKIP)
The Temporal Key Integrity Protocol (TKIP) 3. Sequence counter Use: 1. out-of-order frames can be flagged, 2. mitigating against replay attacks 4. New message integrity check – CRC replaced with Michael integrity check – more robust cryptographic Algorithm – easier to detect frame forgeries Differences from WEP
The Temporal Key Integrity Protocol (TKIP) 5. Countermeasures on message integrity check failures – Michael can be compromised in an active attack – so TKIP includes countermeasures Differences from WEP
The Temporal Key Integrity Protocol (TKIP) • Doubles the length of the IV from 24 to 48 bits. • This made attackers difficult to predict the keys • key mixing – RC4 key unique to each frame – key mixing calculation is done by including temporal key+transmitter address+ sequence counter . TKIP initialization vector use and key mixing
The Temporal Key Integrity Protocol (TKIP) • TKIP IV also serves as a sequence counter. • When a new master key is installed it sets sequence counter to 1 and increments as the frames are transmitted. • following are the steps to defend replay attacks: – TKIP maintains the most recent sequence counter – The sequence counter is checked against the most recently received sequence counter – If it is larger than any previous value, the frame is accepted – If smaller, it is rejected. – If equal, duplicate frame for error. – Duplicate sequence numbers may represent an error. TKIP sequence counter and replay protection
The Temporal Key Integrity Protocol (TKIP) • WEP uses CRC which proved un suitable. • Major challenge of TKIP is to strengthen integrity check and also able to run on a low power processor – Michael is implemented entirely with bitwise operations – Can run on any processor without harming performance – MIC better than CRC , but fails against a sustained and determined attack • countermeasures detect the active attack and shut down the network and refresh the keys The Michael Integrity Check and countermeasures
TKIP Data Processing and Operation • Like WEP, TKIP provides confidentiality and integrity together. • Confidentiality is achieved through encryption using RC4 hardware with string security belts of key management.
TKIP Data Processing and Operation TKIP Inputs 1. The frame 2. A temporal key 3. A MIC key 4. The transmitter address 5. A sequence counter
TKIP Design – Key Mixing
TKIP data transmission 1. The 802.11 frame is queued for transmission. 2. The Message Integrity Check (MIC) is computed. 3. Sequence numbers are assigned to fragments. 4. Each frame is encrypted with a unique per-frame WEP key. 5. The frame plus Michael message integrity check value from step 2 and the RC4 key from step 4 are passed to WEP.
TKIP Data Processing and Operation
TKIP reception process
1. When a frame is received by the wireless interface and passes the frame check sequence . 2. The first step TKIP takes is to check the sequence number to prevent replay attacks. 3. The WEP seed used to encrypt the packet is recovered. 4. With the WEP seed in hand, the outer WEP layer around the frame can be removed and the contents recovered. 5. If fragmentation was applied, it may be necessary to wait for further frames to arrive before reassembling a complete payload. 6. Once the frame is reassembled, Michael is calculated over the contents of the frame. TKIP reception process
The Michael Integrity Check • Michael operates on frames passed down to it at the MAC service layer from higher-layer protocols • Michael is not a secure cryptographic protocol and it does not protect individual 802.11 frames • It protects the reassembled data unit given to 802.11 for transmission • Several attacks on WEP served as the motivation for Michael. • Message integrity check (MIC) value calculated on data, destination address (DA) and source address (SA). It also adds four zero bytes before the unencrypted data.
Michael data processing  Operates on 32-bit blocks of data.  Padding is used , if required, and only for the computation of the MIC, but not transmitted.  MIC is added on to the tail of the data frame  The data-plus-MIC is given to 802.11 for transmission  During the fragmentation process, the MIC value may be split across multiple 802.11 fragments
Michael countermeasures If an attacker is able to bypass replay protection and the WEP integrity check, it would be possible to mount a brute-force attack on the Michael integrity check. When a station detects a MIC failure 1. The MIC failure is noted and logged. Before the MIC is validated, the frame must pass through the replay protection hurdle as well as the legacy WEP integrity check. Getting a frame to Michael for validation is not a trivial undertaking. Therefore, any MIC validation error is likely to be an extremely security-relevant matter that should be investigated by system administrators. 2. If the failure is the second one within a 60-second window, countermeasures dictate shutting down communications for a further 60 seconds. When the second MIC failure within 60 seconds is detected, all TKIP communication is disabled for 60 seconds. Instituting a communication blackout makes it impossible for an attacker to mount a sustained attack quickly. 3. Keys are refreshed. Stations delete their copies of the master keys and request new keys from the authenticator; authenticators are responsible for generating and distributing new keys.
Counter Mode with CBC-MAC Protocol (CCMP) So far interpretation ?? –TKIP is better than WEP Still Problem ?? – TKIP relies on WEP encryption technique which is again proved insecure. What is the solution ?? – IEEE began working with AES technique for encryption. CCMP is the protocol that uses AES for encryption.
Counter Mode with CBC-MAC Protocol (CCMP) CCMP is basically a combination of counter(CTR) mode privacy and Cipher Block Chaining(CBC) message authentication with AES technique. The CCM mode combines CTR for confidentiality and CBC-MAC for authentication and integrity. Basically AES is flexible to use with any key size and block size. But all AES processing used within CCMP mandates AES with a 128 bit key and a 128 bit block size. Like TKIP, CCMP uses a fresh temporal key (TK) for every session. CCMP also requires a unique nonce value for each frame protected by a given TK, and CCMP uses a 48-bit packet number (PN) for this purpose.
CCMP Data Processing- encryption(Transmission) CCMP Inputs • The frame • A temporal key • A key identifier • A packet number
CCMP data transmission. 1. 802.11 frame is queued for transmission MAC header + payload. 2. A 48 bit packet number is assigned: 3. The Additional Authentication Data (AAD) field is constructed using MAC header of the frame: 4. Construct CCMP Nonce block : Packet number + sender address 5. CCMP Header is constructed: Packet number + key id 6. Run CCM encryption using the temporal key (TK), AAD, Nonce and data to form the ciphertext and Message Integrity Check (MIC): 7. The Encrypted frame is formed by concatenating the original MAC Header, the CCMP header, the Encrypted Data and the MIC. CCMP Data Processing
CCMP reception It’s the reverse of encryption and transmission process 1. When a frame is received by the wireless interface and checks Frame check sequence and if valid passes to CCMP. 2. The additional authentication data (AAD) is recovered from the received frame. 3. The CCMP nonce is also recovered from the frame. 4. The receiver decrypts the ciphertext. 5. The integrity check is calculated over the plaintext data and the additional authentication data. 6. Finally replay detection is done.
Data Transfer Summary WEP TKIP CCMP Cipher RC4 RC4 AES Key Size 40 or 104 bits 128 bits 128 bits encryption, 64 bit auth Key Life 24-bit IV, wrap 48-bit IV 48-bit IV Packet Key Concat. Mixing Fnc Not Needed Integrity Data CRC-32 Michael CCM Header None Michael CCM Replay None Use IV Use IV Key Mgmt. None EAP-based EAP-based
• These are the standard operations that will set the procedure for key derivation and distribution. • Defines two keys : 1. Pairwise keys 2. Group keys Robust Security Network (RSN) Operations
Robust Security Network (RSN) Operations • 802.11i pairwise Key Hierarchy Key Confirmation Key : to compute integrity checks on keys Key Encryption Key : to encrypt keying messages
• Group key hierarchy (for broadcast and multicast transmissions) Robust Security Network (RSN) Operations
802.11i Key Derivation and Distribution • This section explains the technique of key derivation and distribution securely- pairwise key and group key • The process is often called key exchange process. • Also explains the method of updating the keys.
802.11i Key Derivation and Distribution Updating pairwise keys: the four-way handshake
Updating pairwise keys: the four-way handshake Step1: i. Authenticator sends nonce(random value) to the supplicant. Nonce prevents the replay attack ii. After receiving this supplicant expands pairwise master key . Expansion = MAC address supplicant + MAC address MAC address of Authenticator + PMK + two nonces. Step 2: i. Supplicant sends supplicant nonce and a copy of security parameters from initial association with network. Whole message is authenticated by EAPOL KCK. ii. Authenticator extracts supplicant nonce which allows authenticator to derive full pairwise key through this. Authenticator validates the message. If invalid handshake fails.
Updating pairwise keys: the four-way handshake Step3: i. At this point keys are in place both sides but requires confirmation. ii. Authenticator sends supplicant a message indicating sequence number+ GTK which is encrypted using KEK and entire message is authenticated using KCK Step 4: i. Supplicant sends a final confirmation message that it has received the keying messages so that authenticator can start using the keys ii. Entire message is authenticated using KCK
1. The authenticator sends the supplicant a nonce, which is a random value that prevents replay attacks. There is no authentication of the message, but there is no danger from tampering. If the message is altered, the handshake fails and will be rerun. At this point, the supplicant can expand the pairwise master key into the full pairwise key hierarchy. Expansion requires the MAC addresses of the supplicant and authenticator, the pairwise master key, and the two nonces. 2. The supplicant sends a message that has the supplicant nonce and a copy of the security parameters from the initial association with the network. The whole message is authenticated by an integrity check code calculated using the EAPOL Key Confirmation Key. The authenticator receives the message and extracts the supplicant nonce, which allows the authenticator to derive the full pairwise key hierarchy. Part of the key hierarchy is the key used to "sign" the message. If the authenticator cannot validate the message, the handshake fails. Updating pairwise keys: the four-way handshake
3. Keys are now in place on both sides of the handshake, but need to be confirmed. The Authenticator sends the supplicant a message indicating the sequence number for which the pairwise key will be added. It also includes the current group transient key to enable update of the group key. The group transient key is encrypted using the EAPOL Key Encryption Key, and the entire message is authenticated using the Key Confirmation Key. 4. The supplicant sends a final confirmation message to the authenticator to indicate that it has received the keying messages and the authenticator may start using the keys. The message is authenticated using the Key Confirmation Key. Updating pairwise keys: the four-way handshake
Updating group keys: the group key handshake Because the group transient key is encrypted with the Key Encryption Key from the pairwise hierarchy, the group key handshake requires that a successful four-way handshake has already occurred. 1. The authenticator sends the group transient key (GTK), encrypted with the Key Encryption Key from the pairwise key hierarchy. The message is also authenticated with a code calculated with the Key Confirmation Key. 2. The supplicant sends an acknowledgment message, indicating the authenticator should begin to use the new key for group frames. This message is also authenticated using the Key Confirmation Key.
Improved 802.11i Architecture Stage 1: Network and Security Capability Discovery Stage 2: 802.1X Authentication (mutual authentication, shared secret, cipher suite) Stage 3: Secure Association (management frames protected) Stage 4: 4-Way Handshake (PMK confirmation, PTK derivation, and GTK distribution) Stage 5: Group Key Handshake Stage 6: Secure Data Communications Michael MIC Failure or Other Security Failures Group Key Handshake Timout 4-Way Handshake Timout Association Failure 802.1X Failure
State 1 Unauthenticated , Unassociated State 2 Authenticated, Unassociated State 3 Authenticated, and Associated Successful MAC layer Authentication Successful Association or Reassociation Disassociation Notification DeAuthentication Notification Deauthentica tion notification Class 1 Frames Class 1 & 2 Frames Class 1, 2 & 3 Frames Classic 802.11 State Machine
State 1 Unauthenticated, Unassociated State 2 Authenticated, Unassociated State 3 Authenticated, and Associated Successful MAC layer Authentication Successful Association or Reassociation Disassociation Notification DeAuthentication Notification Deauthentication notification Class 1 Frames + ESN Class 2 frames Class 1 & 2 Frames Class 1, 2 & 3 Frames 802.11i State Machine State 4 ESN Associated ESN Association or Reassociation ESN Disassociation Notification Successful upper layer Authentication Class 1, 2 & 3 Frames except Authentication & Deauthentication
802.11i Fast Handoff STAAPold APnew Associate-Request Associate-Response ACK DS Notified Reassociate-Request (Authenticated) Reassociate-Response (Authenticated) ACK DS Notified Disassociate (Authenticated) Transition Period ~ RTTSTA-AP 802.1X/Identity Request EAP-Success 802.1X/Identity Response EAP-Request EAP-Response Transition Period ~ nRTTSTA-AP n =3.5 (TLS), 2.5 (TLS continuation)

Recommended

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Mukul Agarwal
 
Secure electronic transactions (SET)
Secure electronic transactions (SET)Secure electronic transactions (SET)
Secure electronic transactions (SET)
Omar Ghazi
 
Final report ethical hacking
Final report ethical hackingFinal report ethical hacking
Final report ethical hacking
samprada123
 
Rsa and diffie hellman algorithms
Rsa and diffie hellman algorithmsRsa and diffie hellman algorithms
Rsa and diffie hellman algorithms
daxesh chauhan
 
Chapter 31
Chapter 31Chapter 31
Chapter 31
Faisal Mehmood
 
Methods for handling deadlocks
Methods for handling deadlocksMethods for handling deadlocks
Methods for handling deadlocks
A. S. M. Shafi
 
CS9222 ADVANCED OPERATING SYSTEMS
CS9222 ADVANCED OPERATING SYSTEMSCS9222 ADVANCED OPERATING SYSTEMS
CS9222 ADVANCED OPERATING SYSTEMS
Kathirvel Ayyaswamy
 
Electronic mail security
Electronic mail securityElectronic mail security
Electronic mail security
Dr.Florence Dayana
 

Recommended

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Mukul Agarwal
 
Secure electronic transactions (SET)
Secure electronic transactions (SET)Secure electronic transactions (SET)
Secure electronic transactions (SET)
Omar Ghazi
 
Final report ethical hacking
Final report ethical hackingFinal report ethical hacking
Final report ethical hacking
samprada123
 
Rsa and diffie hellman algorithms
Rsa and diffie hellman algorithmsRsa and diffie hellman algorithms
Rsa and diffie hellman algorithms
daxesh chauhan
 
Chapter 31
Chapter 31Chapter 31
Chapter 31
Faisal Mehmood
 
Methods for handling deadlocks
Methods for handling deadlocksMethods for handling deadlocks
Methods for handling deadlocks
A. S. M. Shafi
 
CS9222 ADVANCED OPERATING SYSTEMS
CS9222 ADVANCED OPERATING SYSTEMSCS9222 ADVANCED OPERATING SYSTEMS
CS9222 ADVANCED OPERATING SYSTEMS
Kathirvel Ayyaswamy
 
Electronic mail security
Electronic mail securityElectronic mail security
Electronic mail security
Dr.Florence Dayana
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric Cryptography
UTD Computer Security Group
 
Token, Pattern and Lexeme
Token, Pattern and LexemeToken, Pattern and Lexeme
Token, Pattern and Lexeme
A. S. M. Shafi
 
Digital signature schemes
Digital signature schemesDigital signature schemes
Digital signature schemes
ravik09783
 
Intruders
IntrudersIntruders
Intruders
Dr.Florence Dayana
 
management of distributed transactions
management of distributed transactionsmanagement of distributed transactions
management of distributed transactions
Nilu Desai
 
Types of attacks
Types of attacksTypes of attacks
Types of attacks
Vivek Gandhi
 
Np cooks theorem
Np cooks theoremNp cooks theorem
Np cooks theorem
Narayana Galla
 
3. the dempster shafer combination rule
3. the dempster shafer combination rule3. the dempster shafer combination rule
3. the dempster shafer combination rule
monircse2
 
Sensitive Data Exposure
Sensitive Data ExposureSensitive Data Exposure
Sensitive Data Exposure
abodiford
 
I. Alpha-Beta Pruning in ai
I. Alpha-Beta Pruning in aiI. Alpha-Beta Pruning in ai
I. Alpha-Beta Pruning in ai
vikas dhakane
 
Control Strategies in AI
Control Strategies in AIControl Strategies in AI
Control Strategies in AI
Amey Kerkar
 
Message passing in Distributed Computing Systems
Message passing in Distributed Computing SystemsMessage passing in Distributed Computing Systems
Message passing in Distributed Computing Systems
Alagappa Govt Arts College, Karaikudi
 
Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)
k33a
 
RANDOM ACCESS PROTOCOL IN COMMUNICATION
RANDOM ACCESS PROTOCOL IN COMMUNICATION RANDOM ACCESS PROTOCOL IN COMMUNICATION
RANDOM ACCESS PROTOCOL IN COMMUNICATION
AMOGHA A K
 
Monoalphabetic Substitution Cipher
Monoalphabetic Substitution CipherMonoalphabetic Substitution Cipher
Monoalphabetic Substitution Cipher
SHUBHA CHATURVEDI
 
network security
network securitynetwork security
network security
Srinivasa Rao
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie Brown
Information Security Awareness Group
 
Conceptual dependency
Conceptual dependencyConceptual dependency
Conceptual dependency
Jismy .K.Jose
 
Sliding window protocol
Sliding window protocolSliding window protocol
Sliding window protocol
Shehara Abeythunga
 
Dining philosopher problem operating system
Dining philosopher problem operating system Dining philosopher problem operating system
Dining philosopher problem operating system
anushkashastri
 
KRACK attack
KRACK attackKRACK attack
KRACK attack
VadimDavydov3
 
Wireless security using wpa2
Wireless security using wpa2Wireless security using wpa2
Wireless security using wpa2
Tushar Anand
 

More Related Content

What's hot

management of distributed transactions
management of distributed transactionsmanagement of distributed transactions
management of distributed transactions
Nilu Desai
 

What's hot (20)

Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric Cryptography
 
Token, Pattern and Lexeme
Token, Pattern and LexemeToken, Pattern and Lexeme
Token, Pattern and Lexeme
 
Digital signature schemes
Digital signature schemesDigital signature schemes
Digital signature schemes
 
Intruders
IntrudersIntruders
Intruders
 
management of distributed transactions
management of distributed transactionsmanagement of distributed transactions
management of distributed transactions
 
Types of attacks
Types of attacksTypes of attacks
Types of attacks
 
Np cooks theorem
Np cooks theoremNp cooks theorem
Np cooks theorem
 
3. the dempster shafer combination rule
3. the dempster shafer combination rule3. the dempster shafer combination rule
3. the dempster shafer combination rule
 
Sensitive Data Exposure
Sensitive Data ExposureSensitive Data Exposure
Sensitive Data Exposure
 
I. Alpha-Beta Pruning in ai
I. Alpha-Beta Pruning in aiI. Alpha-Beta Pruning in ai
I. Alpha-Beta Pruning in ai
 
Control Strategies in AI
Control Strategies in AIControl Strategies in AI
Control Strategies in AI
 
Message passing in Distributed Computing Systems
Message passing in Distributed Computing SystemsMessage passing in Distributed Computing Systems
Message passing in Distributed Computing Systems
 
Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)
 
RANDOM ACCESS PROTOCOL IN COMMUNICATION
RANDOM ACCESS PROTOCOL IN COMMUNICATION RANDOM ACCESS PROTOCOL IN COMMUNICATION
RANDOM ACCESS PROTOCOL IN COMMUNICATION
 
Monoalphabetic Substitution Cipher
Monoalphabetic Substitution CipherMonoalphabetic Substitution Cipher
Monoalphabetic Substitution Cipher
 
network security
network securitynetwork security
network security
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie Brown
 
Conceptual dependency
Conceptual dependencyConceptual dependency
Conceptual dependency
 
Sliding window protocol
Sliding window protocolSliding window protocol
Sliding window protocol
 
Dining philosopher problem operating system
Dining philosopher problem operating system Dining philosopher problem operating system
Dining philosopher problem operating system
 

Similar to 802.11i

Wireless security837
Wireless security837Wireless security837
Wireless security837
mark scott
 
Wireless Security Best Practices for Remote Monitoring Applications
Wireless Security Best Practices for Remote Monitoring ApplicationsWireless Security Best Practices for Remote Monitoring Applications
Wireless Security Best Practices for Remote Monitoring Applications
cmstiernberg
 
5169 wireless network_security_amine_k
5169 wireless network_security_amine_k5169 wireless network_security_amine_k
5169 wireless network_security_amine_k
Rama Krishna M
 

Similar to 802.11i (20)

KRACK attack
KRACK attackKRACK attack
KRACK attack
 
Wireless security using wpa2
Wireless security using wpa2Wireless security using wpa2
Wireless security using wpa2
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIP
 
Wireless security837
Wireless security837Wireless security837
Wireless security837
 
Slide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 8 – FRSecure CISSP Mentor Program
Slide Deck Class Session 8 – FRSecure CISSP Mentor Program
 
Resilience in the ZigBee Residential Mode
Resilience in the ZigBee Residential ModeResilience in the ZigBee Residential Mode
Resilience in the ZigBee Residential Mode
 
spins
spinsspins
spins
 
Wpa vs Wpa2
Wpa vs Wpa2Wpa vs Wpa2
Wpa vs Wpa2
 
WEP/WPA attacks
WEP/WPA attacksWEP/WPA attacks
WEP/WPA attacks
 
Understanding IT Network Security for Wireless and Wired Measurement Applicat...
Understanding IT Network Security for Wireless and Wired Measurement Applicat...Understanding IT Network Security for Wireless and Wired Measurement Applicat...
Understanding IT Network Security for Wireless and Wired Measurement Applicat...
 
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
 
Wired equivalent privacy by SecArmour
Wired equivalent privacy by SecArmour Wired equivalent privacy by SecArmour
Wired equivalent privacy by SecArmour
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
 
WEP
WEPWEP
WEP
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
 
Packet Processing Application
Packet Processing ApplicationPacket Processing Application
Packet Processing Application
 
Packet Processing Application
Packet Processing ApplicationPacket Processing Application
Packet Processing Application
 
Wi fi-security-the-details-matter
Wi fi-security-the-details-matterWi fi-security-the-details-matter
Wi fi-security-the-details-matter
 
Wireless Security Best Practices for Remote Monitoring Applications
Wireless Security Best Practices for Remote Monitoring ApplicationsWireless Security Best Practices for Remote Monitoring Applications
Wireless Security Best Practices for Remote Monitoring Applications
 
5169 wireless network_security_amine_k
5169 wireless network_security_amine_k5169 wireless network_security_amine_k
5169 wireless network_security_amine_k
 

More from akruthi k

Wired equivalent privacy (wep)
Wired equivalent privacy (wep)Wired equivalent privacy (wep)
Wired equivalent privacy (wep)
akruthi k
 

More from akruthi k (10)

Unit i-introduction
Unit i-introductionUnit i-introduction
Unit i-introduction
 
Pattern matching programs
Pattern matching programsPattern matching programs
Pattern matching programs
 
Kmp
KmpKmp
Kmp
 
Boyer moore
Boyer mooreBoyer moore
Boyer moore
 
Physical layer overview
Physical layer overviewPhysical layer overview
Physical layer overview
 
Fhss
FhssFhss
Fhss
 
Dsss phy
Dsss phyDsss phy
Dsss phy
 
802.11 mgt-opern
802.11 mgt-opern802.11 mgt-opern
802.11 mgt-opern
 
802.1x
802.1x802.1x
802.1x
 
Wired equivalent privacy (wep)
Wired equivalent privacy (wep)Wired equivalent privacy (wep)
Wired equivalent privacy (wep)
 

Recently uploaded

Insurance management system project report.pdf
Insurance management system project report.pdfInsurance management system project report.pdf
Insurance management system project report.pdf
Kamal Acharya
 
Complex plane, Modulus, Argument, Graphical representation of a complex numbe...
Complex plane, Modulus, Argument, Graphical representation of a complex numbe...Complex plane, Modulus, Argument, Graphical representation of a complex numbe...
Complex plane, Modulus, Argument, Graphical representation of a complex numbe...
MohammadAliNayeem
 
BURGER ORDERING SYSYTEM PROJECT REPORT..pdf
BURGER ORDERING SYSYTEM PROJECT REPORT..pdfBURGER ORDERING SYSYTEM PROJECT REPORT..pdf
BURGER ORDERING SYSYTEM PROJECT REPORT..pdf
Kamal Acharya
 
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Lovely Professional University
 

Recently uploaded (20)

Insurance management system project report.pdf
Insurance management system project report.pdfInsurance management system project report.pdf
Insurance management system project report.pdf
 
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdfInvolute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
 
Supermarket billing system project report..pdf
Supermarket billing system project report..pdfSupermarket billing system project report..pdf
Supermarket billing system project report..pdf
 
Introduction to Heat Exchangers: Principle, Types and Applications
Introduction to Heat Exchangers: Principle, Types and ApplicationsIntroduction to Heat Exchangers: Principle, Types and Applications
Introduction to Heat Exchangers: Principle, Types and Applications
 
How to Design and spec harmonic filter.pdf
How to Design and spec harmonic filter.pdfHow to Design and spec harmonic filter.pdf
How to Design and spec harmonic filter.pdf
 
Complex plane, Modulus, Argument, Graphical representation of a complex numbe...
Complex plane, Modulus, Argument, Graphical representation of a complex numbe...Complex plane, Modulus, Argument, Graphical representation of a complex numbe...
Complex plane, Modulus, Argument, Graphical representation of a complex numbe...
 
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdfInstruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
 
Research Methodolgy & Intellectual Property Rights Series 2
Research Methodolgy & Intellectual Property Rights Series 2Research Methodolgy & Intellectual Property Rights Series 2
Research Methodolgy & Intellectual Property Rights Series 2
 
Circuit Breaker arc phenomenon.pdf engineering
Circuit Breaker arc phenomenon.pdf engineeringCircuit Breaker arc phenomenon.pdf engineering
Circuit Breaker arc phenomenon.pdf engineering
 
BURGER ORDERING SYSYTEM PROJECT REPORT..pdf
BURGER ORDERING SYSYTEM PROJECT REPORT..pdfBURGER ORDERING SYSYTEM PROJECT REPORT..pdf
BURGER ORDERING SYSYTEM PROJECT REPORT..pdf
 
15-Minute City: A Completely New Horizon
15-Minute City: A Completely New Horizon15-Minute City: A Completely New Horizon
15-Minute City: A Completely New Horizon
 
Geometric constructions Engineering Drawing.pdf
Geometric constructions Engineering Drawing.pdfGeometric constructions Engineering Drawing.pdf
Geometric constructions Engineering Drawing.pdf
 
Operating System chapter 9 (Virtual Memory)
Operating System chapter 9 (Virtual Memory)Operating System chapter 9 (Virtual Memory)
Operating System chapter 9 (Virtual Memory)
 
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
 
5G and 6G refer to generations of mobile network technology, each representin...
5G and 6G refer to generations of mobile network technology, each representin...5G and 6G refer to generations of mobile network technology, each representin...
5G and 6G refer to generations of mobile network technology, each representin...
 
Lesson no16 application of Induction Generator in Wind.ppsx
Lesson no16 application of Induction Generator in Wind.ppsxLesson no16 application of Induction Generator in Wind.ppsx
Lesson no16 application of Induction Generator in Wind.ppsx
 
RM&IPR M5 notes.pdfResearch Methodolgy & Intellectual Property Rights Series 5
RM&IPR M5 notes.pdfResearch Methodolgy & Intellectual Property Rights Series 5RM&IPR M5 notes.pdfResearch Methodolgy & Intellectual Property Rights Series 5
RM&IPR M5 notes.pdfResearch Methodolgy & Intellectual Property Rights Series 5
 
SLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptxSLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptx
 
Piping and instrumentation diagram p.pdf
Piping and instrumentation diagram p.pdfPiping and instrumentation diagram p.pdf
Piping and instrumentation diagram p.pdf
 
Interfacing Analog to Digital Data Converters ee3404.pdf
Interfacing Analog to Digital Data Converters ee3404.pdfInterfacing Analog to Digital Data Converters ee3404.pdf
Interfacing Analog to Digital Data Converters ee3404.pdf
 

802.11i

  • 1. IEEE 802.11i Robust Security Networks TKIP CCMP
  • 2. WEP Cryptographic Operations • Confidentiality and integrity are handled simultaneously in WEP WEP Data Processing
  • 3. • 802.1X addresses two of the major flaws in WEP 1. authentication 2. key management • The major remaining flaw to be addressed – Lack of confidentiality • idea to overcome this problem – Link Layer encryption technique.
  • 4. 802.11i ? • 802.11i defines 2 protocols for link layer protection 1. Temporal Key Integrity Protocol (TKIP) 2. Counter Mode with CBC-MAC Protocol (CCMP)
  • 5. • First new link layer encryption technique. • upgraded the security of WEP-based hardware • Retains the basic architecture and operations of WEP. • Initially called “WEP2” The Temporal Key Integrity Protocol (TKIP)
  • 6. The Temporal Key Integrity Protocol (TKIP) 1. Key hierarchy and automatic key management – Use of master keys for deriving key for frame encryption. – key management operations automatically refreshes key. 2. Per-frame keying – Every frame has a unique RC4 key from the master key. – This process is called key mixing Differences from WEP (Features of TKIP)
  • 7. The Temporal Key Integrity Protocol (TKIP) 3. Sequence counter Use: 1. out-of-order frames can be flagged, 2. mitigating against replay attacks 4. New message integrity check – CRC replaced with Michael integrity check – more robust cryptographic Algorithm – easier to detect frame forgeries Differences from WEP
  • 8. The Temporal Key Integrity Protocol (TKIP) 5. Countermeasures on message integrity check failures – Michael can be compromised in an active attack – so TKIP includes countermeasures Differences from WEP
  • 9. The Temporal Key Integrity Protocol (TKIP) • Doubles the length of the IV from 24 to 48 bits. • This made attackers difficult to predict the keys • key mixing – RC4 key unique to each frame – key mixing calculation is done by including temporal key+transmitter address+ sequence counter . TKIP initialization vector use and key mixing
  • 10. The Temporal Key Integrity Protocol (TKIP) • TKIP IV also serves as a sequence counter. • When a new master key is installed it sets sequence counter to 1 and increments as the frames are transmitted. • following are the steps to defend replay attacks: – TKIP maintains the most recent sequence counter – The sequence counter is checked against the most recently received sequence counter – If it is larger than any previous value, the frame is accepted – If smaller, it is rejected. – If equal, duplicate frame for error. – Duplicate sequence numbers may represent an error. TKIP sequence counter and replay protection
  • 11. The Temporal Key Integrity Protocol (TKIP) • WEP uses CRC which proved un suitable. • Major challenge of TKIP is to strengthen integrity check and also able to run on a low power processor – Michael is implemented entirely with bitwise operations – Can run on any processor without harming performance – MIC better than CRC , but fails against a sustained and determined attack • countermeasures detect the active attack and shut down the network and refresh the keys The Michael Integrity Check and countermeasures
  • 12. TKIP Data Processing and Operation • Like WEP, TKIP provides confidentiality and integrity together. • Confidentiality is achieved through encryption using RC4 hardware with string security belts of key management.
  • 13. TKIP Data Processing and Operation TKIP Inputs 1. The frame 2. A temporal key 3. A MIC key 4. The transmitter address 5. A sequence counter
  • 14. TKIP Design – Key Mixing
  • 15. TKIP data transmission 1. The 802.11 frame is queued for transmission. 2. The Message Integrity Check (MIC) is computed. 3. Sequence numbers are assigned to fragments. 4. Each frame is encrypted with a unique per-frame WEP key. 5. The frame plus Michael message integrity check value from step 2 and the RC4 key from step 4 are passed to WEP.
  • 16. TKIP Data Processing and Operation
  • 18. 1. When a frame is received by the wireless interface and passes the frame check sequence . 2. The first step TKIP takes is to check the sequence number to prevent replay attacks. 3. The WEP seed used to encrypt the packet is recovered. 4. With the WEP seed in hand, the outer WEP layer around the frame can be removed and the contents recovered. 5. If fragmentation was applied, it may be necessary to wait for further frames to arrive before reassembling a complete payload. 6. Once the frame is reassembled, Michael is calculated over the contents of the frame. TKIP reception process
  • 19. The Michael Integrity Check • Michael operates on frames passed down to it at the MAC service layer from higher-layer protocols • Michael is not a secure cryptographic protocol and it does not protect individual 802.11 frames • It protects the reassembled data unit given to 802.11 for transmission • Several attacks on WEP served as the motivation for Michael. • Message integrity check (MIC) value calculated on data, destination address (DA) and source address (SA). It also adds four zero bytes before the unencrypted data.
  • 20. Michael data processing  Operates on 32-bit blocks of data.  Padding is used , if required, and only for the computation of the MIC, but not transmitted.  MIC is added on to the tail of the data frame  The data-plus-MIC is given to 802.11 for transmission  During the fragmentation process, the MIC value may be split across multiple 802.11 fragments
  • 21. Michael countermeasures If an attacker is able to bypass replay protection and the WEP integrity check, it would be possible to mount a brute-force attack on the Michael integrity check. When a station detects a MIC failure 1. The MIC failure is noted and logged. Before the MIC is validated, the frame must pass through the replay protection hurdle as well as the legacy WEP integrity check. Getting a frame to Michael for validation is not a trivial undertaking. Therefore, any MIC validation error is likely to be an extremely security-relevant matter that should be investigated by system administrators. 2. If the failure is the second one within a 60-second window, countermeasures dictate shutting down communications for a further 60 seconds. When the second MIC failure within 60 seconds is detected, all TKIP communication is disabled for 60 seconds. Instituting a communication blackout makes it impossible for an attacker to mount a sustained attack quickly. 3. Keys are refreshed. Stations delete their copies of the master keys and request new keys from the authenticator; authenticators are responsible for generating and distributing new keys.
  • 22. Counter Mode with CBC-MAC Protocol (CCMP) So far interpretation ?? –TKIP is better than WEP Still Problem ?? – TKIP relies on WEP encryption technique which is again proved insecure. What is the solution ?? – IEEE began working with AES technique for encryption. CCMP is the protocol that uses AES for encryption.
  • 23. Counter Mode with CBC-MAC Protocol (CCMP) CCMP is basically a combination of counter(CTR) mode privacy and Cipher Block Chaining(CBC) message authentication with AES technique. The CCM mode combines CTR for confidentiality and CBC-MAC for authentication and integrity. Basically AES is flexible to use with any key size and block size. But all AES processing used within CCMP mandates AES with a 128 bit key and a 128 bit block size. Like TKIP, CCMP uses a fresh temporal key (TK) for every session. CCMP also requires a unique nonce value for each frame protected by a given TK, and CCMP uses a 48-bit packet number (PN) for this purpose.
  • 24. CCMP Data Processing- encryption(Transmission) CCMP Inputs • The frame • A temporal key • A key identifier • A packet number
  • 25. CCMP data transmission. 1. 802.11 frame is queued for transmission MAC header + payload. 2. A 48 bit packet number is assigned: 3. The Additional Authentication Data (AAD) field is constructed using MAC header of the frame: 4. Construct CCMP Nonce block : Packet number + sender address 5. CCMP Header is constructed: Packet number + key id 6. Run CCM encryption using the temporal key (TK), AAD, Nonce and data to form the ciphertext and Message Integrity Check (MIC): 7. The Encrypted frame is formed by concatenating the original MAC Header, the CCMP header, the Encrypted Data and the MIC. CCMP Data Processing
  • 26. CCMP reception It’s the reverse of encryption and transmission process 1. When a frame is received by the wireless interface and checks Frame check sequence and if valid passes to CCMP. 2. The additional authentication data (AAD) is recovered from the received frame. 3. The CCMP nonce is also recovered from the frame. 4. The receiver decrypts the ciphertext. 5. The integrity check is calculated over the plaintext data and the additional authentication data. 6. Finally replay detection is done.
  • 27. Data Transfer Summary WEP TKIP CCMP Cipher RC4 RC4 AES Key Size 40 or 104 bits 128 bits 128 bits encryption, 64 bit auth Key Life 24-bit IV, wrap 48-bit IV 48-bit IV Packet Key Concat. Mixing Fnc Not Needed Integrity Data CRC-32 Michael CCM Header None Michael CCM Replay None Use IV Use IV Key Mgmt. None EAP-based EAP-based
  • 28. • These are the standard operations that will set the procedure for key derivation and distribution. • Defines two keys : 1. Pairwise keys 2. Group keys Robust Security Network (RSN) Operations
  • 29. Robust Security Network (RSN) Operations • 802.11i pairwise Key Hierarchy Key Confirmation Key : to compute integrity checks on keys Key Encryption Key : to encrypt keying messages
  • 30. • Group key hierarchy (for broadcast and multicast transmissions) Robust Security Network (RSN) Operations
  • 31. 802.11i Key Derivation and Distribution • This section explains the technique of key derivation and distribution securely- pairwise key and group key • The process is often called key exchange process. • Also explains the method of updating the keys.
  • 32. 802.11i Key Derivation and Distribution Updating pairwise keys: the four-way handshake
  • 33. Updating pairwise keys: the four-way handshake Step1: i. Authenticator sends nonce(random value) to the supplicant. Nonce prevents the replay attack ii. After receiving this supplicant expands pairwise master key . Expansion = MAC address supplicant + MAC address MAC address of Authenticator + PMK + two nonces. Step 2: i. Supplicant sends supplicant nonce and a copy of security parameters from initial association with network. Whole message is authenticated by EAPOL KCK. ii. Authenticator extracts supplicant nonce which allows authenticator to derive full pairwise key through this. Authenticator validates the message. If invalid handshake fails.
  • 34. Updating pairwise keys: the four-way handshake Step3: i. At this point keys are in place both sides but requires confirmation. ii. Authenticator sends supplicant a message indicating sequence number+ GTK which is encrypted using KEK and entire message is authenticated using KCK Step 4: i. Supplicant sends a final confirmation message that it has received the keying messages so that authenticator can start using the keys ii. Entire message is authenticated using KCK
  • 35. 1. The authenticator sends the supplicant a nonce, which is a random value that prevents replay attacks. There is no authentication of the message, but there is no danger from tampering. If the message is altered, the handshake fails and will be rerun. At this point, the supplicant can expand the pairwise master key into the full pairwise key hierarchy. Expansion requires the MAC addresses of the supplicant and authenticator, the pairwise master key, and the two nonces. 2. The supplicant sends a message that has the supplicant nonce and a copy of the security parameters from the initial association with the network. The whole message is authenticated by an integrity check code calculated using the EAPOL Key Confirmation Key. The authenticator receives the message and extracts the supplicant nonce, which allows the authenticator to derive the full pairwise key hierarchy. Part of the key hierarchy is the key used to "sign" the message. If the authenticator cannot validate the message, the handshake fails. Updating pairwise keys: the four-way handshake
  • 36. 3. Keys are now in place on both sides of the handshake, but need to be confirmed. The Authenticator sends the supplicant a message indicating the sequence number for which the pairwise key will be added. It also includes the current group transient key to enable update of the group key. The group transient key is encrypted using the EAPOL Key Encryption Key, and the entire message is authenticated using the Key Confirmation Key. 4. The supplicant sends a final confirmation message to the authenticator to indicate that it has received the keying messages and the authenticator may start using the keys. The message is authenticated using the Key Confirmation Key. Updating pairwise keys: the four-way handshake
  • 37. Updating group keys: the group key handshake Because the group transient key is encrypted with the Key Encryption Key from the pairwise hierarchy, the group key handshake requires that a successful four-way handshake has already occurred. 1. The authenticator sends the group transient key (GTK), encrypted with the Key Encryption Key from the pairwise key hierarchy. The message is also authenticated with a code calculated with the Key Confirmation Key. 2. The supplicant sends an acknowledgment message, indicating the authenticator should begin to use the new key for group frames. This message is also authenticated using the Key Confirmation Key.
  • 38. Improved 802.11i Architecture Stage 1: Network and Security Capability Discovery Stage 2: 802.1X Authentication (mutual authentication, shared secret, cipher suite) Stage 3: Secure Association (management frames protected) Stage 4: 4-Way Handshake (PMK confirmation, PTK derivation, and GTK distribution) Stage 5: Group Key Handshake Stage 6: Secure Data Communications Michael MIC Failure or Other Security Failures Group Key Handshake Timout 4-Way Handshake Timout Association Failure 802.1X Failure
  • 39. State 1 Unauthenticated , Unassociated State 2 Authenticated, Unassociated State 3 Authenticated, and Associated Successful MAC layer Authentication Successful Association or Reassociation Disassociation Notification DeAuthentication Notification Deauthentica tion notification Class 1 Frames Class 1 & 2 Frames Class 1, 2 & 3 Frames Classic 802.11 State Machine
  • 40. State 1 Unauthenticated, Unassociated State 2 Authenticated, Unassociated State 3 Authenticated, and Associated Successful MAC layer Authentication Successful Association or Reassociation Disassociation Notification DeAuthentication Notification Deauthentication notification Class 1 Frames + ESN Class 2 frames Class 1 & 2 Frames Class 1, 2 & 3 Frames 802.11i State Machine State 4 ESN Associated ESN Association or Reassociation ESN Disassociation Notification Successful upper layer Authentication Class 1, 2 & 3 Frames except Authentication & Deauthentication
  • 41. 802.11i Fast Handoff STAAPold APnew Associate-Request Associate-Response ACK DS Notified Reassociate-Request (Authenticated) Reassociate-Response (Authenticated) ACK DS Notified Disassociate (Authenticated) Transition Period ~ RTTSTA-AP 802.1X/Identity Request EAP-Success 802.1X/Identity Response EAP-Request EAP-Response Transition Period ~ nRTTSTA-AP n =3.5 (TLS), 2.5 (TLS continuation)