(WLAN)WLAN(Access Point)?Port-based - 802.1X 9-1 9.1.1 9.1.2 9-2 9.2.1 WEP 9.2.2 802.1X+WEP 9.2.3 WPA 9.2.4 WPA29-3 802.1X (Port-based ) 9.3.1 9.3.2 IEEE 802.1x 9.3.3 Extensible Authentication Protocol (EAP)
9.1.1 (WWAN)WWAN (Wireless Wide Area Network)(WLAN)WLAN (Wireless Local Area Network)WLANLAN802.11(WPAN)WPAN (Wireless Personal Area Network)(PDA)(Bluetooth)WPAN
9.1.1 IEEE 802.11IEEEIEEE 802.11a802.11b802.11g802.11a1999IEEE5GHz ISM54Mbit/s802.11a128432Mbps4802.11b1999IEEE2.4GHz ISM11Mbit/s802.11b125.511Mbps802.11g2003IEEE2.4GHz ISM54Mbit/s802.11g
9.1.1 802.11 IEEE (Authentication)
(1) (Open System Authentication)SSID (Service Set ID)Windows XP (Access Point)SSID
(2) (Closed System Authentication)SSIDSSIDSSID
(3) (Shared-Key Authentication)Shared KeyWEP (Wired Equivalent Privacy)WEPKeyAPClient
9.1.1 (Confidentiality) IEEEWired Equivalent Privacy (WEP)WEPWEPWPAWPA2
(Integrity) 802.11802CRC Checksum
9.1.2 802.11WEPIEEEWEPWEPWEP9.2WEP
Network Attacks
Passive Attack
Active Attack
Eavesdropping
Traffic Analysis
Masquerade
Replay
Message Modification
DoS
9.1.2 TelnetTelnet(Access Point)Telnet
TFTPTrivial File Transfer Protocol (TFTP):TFTPAccess PointWEP
WWWWWWWWW
9.1.2 SNMPSimple Network Management Protocol (SNMP) SNMPSNMPSNMP(SNMP Community String)(PublicPrivate)(PublicPrivate)
(Access Point)SSID
9.1.2 WEPWEPWEPWEP
SSID(SSID)
(Buffer overflow)(Access Point)
9.1.2
Denial of Service (DoS)DeauthenticationDisassociationTCP RST
(MITM)Man-In-The-Middle ()Man-In-The-Middle
9.2 WEP (Wired Equivalent Privacy)802.1x EAPWPA (Wi-Fi Protected Access)WPA2
9.2.1 WEPWEP(Symmetric Cryptography System)40-bits104-bitsWEPRC4 PRNG()(Key Stream)XORWEPCRC-32IV Generator24-bits IV (Initialization vector)IVRC41XOR()24-bitsIVWEPIVIVRC4XOR()CRC-32
IV Generator
ShareKey(40 or104 bits)
IV (24bits)
RC4Algorithm
ICV
Plaintext
CRC-32Algorithm
Plaintext
||
||
CRC-32Algorithm
RC4Algorithm
||
IV
Plaintext
Key Stream
Key Stream
ICV
ICV = ICV?
||
Seed
Seed
Air
Ciphertext || IV
ShareKey(40 or104 bits)
Ciphertext || IV
Plaintext || ICV
9.2.1.1 RC4 Algorithm1987RSA SecurityRon RivestRC4 (Stream Cipher)(Secure Socket Layer)WEPRC4
RC4(Pseudo random number generator)XOR(K)0255bytes(key)(Key Stream)(Plaintext)XOR
RC4(Key Stream)(Stream Cipher)
Plaintext
Ciphertext
Plaintext
key
key
K
K
9.2.2 WEP+802.1XWEPWEP KeyWEP KeyIETF802.1XRADIUS ServerWEP KeyWEP KeyWEP KeyWEP KeyWEP KeyWEP KeyWEP802.1XWEP keyWEP KeyWEP KeyWEP KeyWEP Key
9.2.3 WPAIEEE 802.11i(WPA2)WEPIEEE 802.11iWIFIWIFI Protected Access (WPA)IEEE 802.11i DraftIEEE 802.11iWEPWPAWPA2(RADIUS)Access Point(Presharekey)WPATKIP (Temporal Key Integrity Protocol)WEP24-bitIV24bits48-bit IVIV WPA2AESAESAESWPA2WPAMIC (Message Integrity Code/Michael)WPA2CCM (Counter with CBC-MAC, IETF RFC 3610)WikiPedia
9.2.3.1 TKIP WPAWEP48bitsIVTKIPWEP128bitsWEPWEP KeyIVRC4TKIP Sequence CounterTransmitter AddressTemporalPhase1Phase2MichaelMichaelMICMICMICCRC-32ICVTTAK := Phase1(TSC, TA, TK)WEP Seed := Phase2(TTAK, TSC, TK)TTAK := Phase1(TSC, TA, TK)WEP Seed := Phase2(TTAK, TSC, TK)
CRC
Payload
IV
ICV
48Bits
Ciphertext
16Bits
RC4
Keystream
Phase 1KeyMixing
Michael
Phase 2KeyMixing
Payload|| MIC || ICV
MIC
128Bits WEP Key
Temporal Key (128 Bits)
32Bits
Transmitter Address (48 Bits)
First 80Bits
TKIP Sequence Counter (48bit)
80Bits
Last 24Bits
DA||SA||Payload
MIC Key(64bits)
||
Phase 1KeyMixing
Payload
ICV= ICV?
Phase 2KeyMixing
RC4
Temporal Key (128 Bits)
32Bits
Transmitter Address (48 Bits)
First 80Bits
TKIP Sequence Counter (48bit)
80Bits
Last 24Bits
MIC Key(64 bits)
DA||SA||Payload
Michael
Payload|| MIC || ICV
MIC= MIC?
128Bits WEP Key
CRC
16Bits
Ciphertext
9.2.4 WPA2: CCMPCounter Mode with Cipher Block Chaining MAC Protocol (CCMP)802.1i128CCMAESRFC 3610Computation of some cryptographic parameters prior to the receipt of packets to enable fast comparisons when they arrive, which reduces latency Small security-related packet overhead()Counter ModeCounterMX=(CX) DK(Counter+X)CBC ModeBlockX=DK(CX) CX-1, C0=IV1()
Counter
Counter+1
AES
AES
M1
XOR
XOR
K
K
C0
C1
M0
Block1
Block2
IV
Encryption
Enryption
XOR
XOR
C1
C2
9.2.4.1 CCMP(PN, Packet Number)PNnonceTemporal Key(TK)KeyIDPNCCMAdditional Authentication Data(AAD)22bytes28bytesQoSAADnonceCCMTemporal Key(TK)CCMAADnoncePNA2(Transmit address)PrioritynonceCCMTemporal Key(TK)AADnonceMICMICPNPNPN
MAC header
Data
Plaintext MPDU
Increment PN
Construct CCMP Header
Construct Nonce
Construct AAD
CCM Encryption
AES
MAC header
CCM header
Ciphertext MPDU
Encrypted Data
MIC
PN(48 bits)
KeyID(48 bits)
A2Priority
TK(128bits)
nonce
AAD
Key=16 octer, MIC= 8 octer, Length=2 octer
MAC header
CCM header
MAC header
Data
Plaintext MPDU
PN(48bits)
Construct Nonce
Construct AAD
CCM Encryption
AES
Ciphertext MPDU
Encrypted Data
MIC
PN(48 bits)
A2, Priority
TK(128bits)
MPDUOK
nonce
AAD
Key=16 octer, MIC= 8 octer, Length=2 octer
PN Check
9.2.4.2 WPAPairwise Keys Group Keys
9.2.4.2.1 Pairwise Key Policy Decision PointSupplicantAuthentication Server (AS)Policy Enforcement PointPolicy Enforcement PointAccess Point (AP)Policy Decision PointSupplicantMK (Master Key)SupplicantAS(Session key)PMK (Pairwise Master Key)SupplicantASMKASAPMKAPASSupplicantPMK=PreShareKeySupplicantAP802.11SessionPTK ( Pairwise Transient Key)SupplicantAPPMKKCKKEKTK
Supplicant
AuthenticationServer
Authenticator
Pairwise Transient Key(PTK)
Pairwise Master Key(PMK)
TLS-PRF(MK, Client EAP encryption|| STAHello.random || ASHello.random)
TLS-PRF(PreMasterKey, master secret|| STAHello.random ||ASHello.random)
PersonalMode
Master Key (MK)
PRF-X(PMK, Pairwise Key expansion|| Min(AP MAC Addr., STA MAC Addr.) || Max(AP MAC Addr., STA MAC Addr.) || Min(Anonce, Snonce) || Max(Anonce, Snonce)
PreShareKey
9.2.4.2.1 PTK4-WaySupplicantASPMKAuthenticatorPairwise Transient Key4-Way(TK)4-WayAuthenticatorAnonceSupplicantSupplicantReplay Counter(Sequence number)EAPoL-KeySnoncePMKAnonceAPMAC PTK SupplicantSnonceMIC(2)RSN IE( Robust Security Network Information Element)AuthenticatorAuthenticator3Replay CounterEAPoL-KeyPTKAuthenticator: PTKPTKKCK()MICReplay RequiredMICRSN IE( Robust Security Network Information Element)Supplicant Supplicant5Replay CounterEAPoL-KeyAuthenticatorRSN IEMICSupplicant6Authenticator TK( Temporal Key)
9.2.4.2.1 PTK4-Way4-WayPMKSupplicantAuthenticator802.1XASPMKAuthentication Server4-WaySupplicantAuthenticator:SupplicantPTK4-WayAuthenticatorSupplicant: AuthenticatorPTK
9.2.4.2.1 PTK ( Pairwise Transient Key)KCK (Key Confirmation Key) 128BitsIEEE 802.1X4-WayKEK (Key Encryption Key) 128BitsEAPOL-Key() 4-WayTK (Temporal Key) 128Bits or 256BitsSupplicantAP256Bits for TKIP (PTK bits 256~511)128 bitsTKIP TKPhase1Phase2128 bitsTKIP MIC KeyMichaelSupplicantAuthenticator(64 bits)128Bits for CCMP (PTK bits 256~383)128 bitsCCM
802.11iPTK
Pairwise Transient Key (PTK)
KCK
KCK
KEK
CCMP TK
KEK
TKIP TK
TKIPMIC Key
TKIP
CCMP
128 bits
128 bits
128 bits
128 bits
128 bits
128 bits
128 bits
9.2.4.2.2 Group-KeySupplicantAS4-WayPTKGroup Key2-WayGroup KeyMulticastBroadcast2-WayAuthenticatorGnonceGTKGTKPTKKEK{MICGnonceKey RSC(Sequence Number)(GTKKey ID)}SupplicantSupplicantKey RSCEAPoL-KeyMICGTKSupplicantMICAuthenticatorAuthenticatorKey Replay CounterMIC
9.2.4.2.2 GTK Key GTK (Group Transient Key) 128Bits or 256BitsSupplicantAPMulticastBroadcast256Bits for TKIP128 bitsTKIP TKPhase1Phase2128 bitsTKIP MIC KeyMichaelSupplicantAuthentication(64 bits)128Bits for CCMP128 bitsCCM
Group Transient Key (GTK)
Group Master Key (GMK)
PRF-X(GMK, Group Key expansion || AP MAC Addr|| Gnonce )
CCMP TK
TKIP TK
TKIPMIC Key
TKIP
CCMP
128 bits
128 bits
128 bits
9.3 802.1x Port-based802.1x(1)(Supplicant)(2)(Authenticator)(Port Authentication Entities, PAE)(3)
802.1x
IEEE 802.1xExtensible Authentication Protocol (EAP)EAP-MD5EAP-TLSEAP-TTLSPEAPLEAP
SupplicantPAE
Service OfferedBy Authenticator
AuthenticationPAE
AuthenticationServer
Authentication Server
Authenticator
Supplicant
Controlled Port
Uncontrolled Port
MAC Enable
LAN
9.3.1 SupplicantAP
?SupplicantAPAPAP(RADIUS)
?Supplicant SupplicantAPSupplicantAP
SupplicantAP802.1xAuthentication Server
IEEE 802.11i
State 1:802.11 Unauthenticated, Unassociated
State 2:802.11 Authenticated, Unassociated
State 3:802.11 Authenticated, Associated
State 4:802.11 Authenticated, Associated802.1X Authenticated
SuccessfulAuthentication
DisassociationNotification
SuccessfulAuthenticationOrReassociation
Successful802.1X Authentication
EAPoL-Logoff
DeauthenticationNotification
Deauthentication Notification
802.11 / 802.1X State Machine
9.3.2 IEEE 802.1x802.1X? 802.1XRADIUS
802.1X/EAPRADIUSRADIUS
802.1X/EAPPer-User() Per-Session()
802.1X/EAP Wikipedia
9.3.3 Extensible Authentication Protocol (EAP)1998802.1X802.1XIEEE19991802.1x20016
EAP(Extended Authentication Protocol)PPP(Point-to-Point Protocol)PPPRADIIUSUsernamePasswordRFC2284EAP
802.1xEAPRADIUS
EAPEAP-MD5EAP-TLSEAP-TTLSEAP-PEAPEAP-LEAP
IP
IP
UDP
UDP
RADIUS
RADIUS
EAP-MD5PEAPLEAP..EAP-TTLSEAP-TLS
9.3.3.1 EAP-MD5MD5(RFC-2284)EAP-MD5()MD5IDMD5AuthenticatorSupplicantSupplicantAuthenticator
RFC 1994RFC 2284
9.3.3.2 EAP-TLSEAP-TLS()EAPTLS
EAP-TLS(AESTKIPWEP)
EAP-TLSMAC OS 10.310.3, Windows 2000 SP4, Windows XP, Windows Mobile 20032003, Windows CE 4.2
EAP-TLSPKI
Port Unauthorized
Port Authorized
EAP-Logoff
Port Unauthorized
Radius-Response/TLS Client_Hello
9.3.3.3 EAP-TTLSEAP-TTLS()Funk SoftwareCerticomEAP-TLSEAP-TLSPAP, CHAP, MSCHAP, MSCHAPV2
EAP-TTLSIDIDIDID
draft-ietf-pppext-eap-ttls-05
9.3.3.4 PEAPEAP(Request/Response)USEREAP(Fragmentation) (Reassembly)EAP-TLSPEAP
PEAP (Protected EAP)CiscoMicrosoftTLS TunnelEAP-TTLS
draft-josefsson-pppext-eap-tls-eap-03
9.3.3.5 LEAPLightweight EAP()Cisco Aironet WLANEAPWEPLEAPCisco (Cisco Compatible Extensions, CCX)CCXCiscoCisco APLEAP
LEAPCisco
802.1XIPSec
, IEEE 802.11i Overview v0.1 Nancy Cam-Winget, Tim Moore, Dorothy Stanley, Jesse Walker WPAHungLin Chou802.11 802.11Matthew S. Gast, 802.11IEEE 802.11i Standard2004draft-josefsson-pppext-eap-tls-eap-03.txtEstablishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, Sheila Frankel, Bernard Eydt Les Owens, Karen Scarfone