Wireless Security White Paper

7/31/2019 Wireless Security White Paper

1/50

Technical Education

An Introduction to 802.11Wireless Security

Rev. 4.0

TT145 802.11 Wireless Security 1-1 April 2, 2008


2/50

Technical Education



3/50

Technical Education

Table of Contents

1.0 Introduction..................................................................................................................................... 62.0 802.11 Security................................................................................................................................ 7

2.1 802.11 Authentication....................................................................................................................... 72.1.1 Open Authentication ......................................................................................................................... 82.1.2 Shared-Key Authentication............................................................................................................... 92.1.3 Broadcast of SSID ...........................................................................................................................102.1.4 MAC address authentication............................................................................................................102.2 802.11 WEP ....................................................................................................................................102.2.1 WEP RC4 ........................................................................................................................................112.2.2 WEP CRC-32 ..................................................................................................................................12

3.0 Weaknesses in 802.11 Security....................................................................................................153.1 Weaknesses in 802.11 Authentication.............................................................................................153.2 Use of SSID and MAC Address Authentication ...............................................................................173.3 Weaknesses with WEP....................................................................................................................173.3.1

Weaknesses with the RC4 Stream Cipher.......................................................................................18

3.3.2 CRC-32............................................................................................................................................193.3.3 Lack of Key Distribution...................................................................................................................21

4.0 IEEE 802.1X (Port-Based Network Access Control) ........... .......... ........... .......... ........... .......... ....234.1 802.1X Authentication Process........................................................................................................254.2 Dynamic Encryption Keys................................................................................................................264.3 EAP Authentication Methods ...........................................................................................................274.3.1 EAP-TLS..........................................................................................................................................294.3.2 EAP PEAP-MSCHAPv2...................................................................................................................304.3.3 Cisco LEAP .....................................................................................................................................324.3.4 EAP-FAST .......................................................................................................................................334.4 A little bit about importing Certificates..............................................................................................364.5 Advantages of 802.1X Authentication..............................................................................................37

5.0 Wi-Fi Protected Access.................................................................................................................385.1 WPA Authentication.........................................................................................................................395.2 WPA TKIP .......................................................................................................................................395.2.1 Message Integrity Check .................................................................................................................415.3 Advantages of WPA.........................................................................................................................42

6.0 IEEE 802.11i (WPA2)......................................................................................................................437.0 Cisco Compatible Extensions ......................................................................................................458.0 Putting It All Together ...................................................................................................................479.0 Glossary .........................................................................................................................................48



4/50

Technical Education



5/50

Technical Education

802.11 Security

(In The Beginning)



6/50

Technical Education

1.0 Introduction

An 802.11 wireless network (WLAN) has many advantages over a traditional wirednetwork. However, 802.11 wireless technology introduces security risks that a wirednetwork is not susceptible to. Without a robust wireless security solution, organizationsleave themselves vulnerable to attack through their WLAN.

Access control, data privacy and data integrity are key components in preventingunauthorized access to a WLAN and compromising confidential information.

Unfortunately, the security protocols defined in the original IEEE 802.11 specification(8802-11:1999) were defined at a time when the primary concerns for deploying an802.11 wireless network were interoperability and ease of use - not security - and as aresult are relatively weak in preventing the types of attacks that can be executed todayagainst any 802.11 wireless network. A number of papers have been published on theInternet which expose the vulnerabilities in the authentication, data privacy and dataintegrity protocols defined in the 802.11 specification.

Today, however, there are a number of enhanced wireless security solutions that aredesigned to combat these vulnerabilities and provide strong security for 802.11networks.

The primary focus of this document is to provide the reader with:

An introduction to the security protocols defined in the original IEEE 802.11specification.

A description of the vulnerabilities of these protocols and the attacks used to exploitthese vulnerabilities

An introduction to the enhanced wireless security solutions available today that weredeveloped to mitigate these vulnerabilities and attacks.



7/50

Technical Education

2.0 802.11 Security

The 802.11 specification (8802-11:1999) defines two mechanisms for providing securityto 802.11 WLANs:

1. Station authentication (mobile device authentication)

2. Data encryption / integrity

The specification defines two methods for authenticating mobile devices to a WLAN:Open authentication and Shared-Key authentication, and defines the Wired EquivalentPrivacy (WEP) protocol for data encryption and data integrity.

2.1 802.11 Authentication

The authentication methods defined in the 802.11 specification are based on one-waycommunication; that is, mobile devices wishing to join a WLAN must authenticate to itfirst (i.e. authenticate to the AP). This one-way communication implies that the AP isconsidered a trusted part of the network infrastructure.

The authentication process for mobile devices consists of the following transactions:

1. The mobile device broadcasts a probe request on every channel supported bythe mobile device.

2. The APs within signal range respond with a probe response.3. The mobile device decides which AP is best for access and sends an

authentication request.4. The AP sends an authentication response.5. Upon successful authentication, the mobile device sends an association request

to the AP.6. The AP responds with an association response.7. The mobile device is then able to transmit data to the AP (i.e. to the network).

Figure 1. illustrates the 802.11 authentication process.

Figur e 1. 802.11 authentication process



8/50

Technical Education

2.1.1 Open Authentication

Open authentication is the default authentication method for 802.11. It is the simplest ofthe two authentication mechanisms defined in the 802.11 specification. Essentially, it isa null authentication algorithm designed to provide any mobile device quick access to aWLAN.

The Open authentication process consists of two transactions: the authenticationrequest and the corresponding authentication response. A mutual relationship isestablished between two 802.11 devices following a successful authenticationexchange, this relationship can exist between a mobile device and AP (infrastructure) orbetween two mobile devices (ad-hoc).

Open authentication can be used with or without WEP encryption enabled. The mobile

device will perform the normal Open authentication procedure whether WEP encryptionis enabled or not. Once authentication of the mobile device is complete the datatransmitted between the mobile device and AP will be sent either in clear-text(unencrypted) or encrypted using the configured WEP key. Keep in mind, however, thatif WEP encryption is enabled the WEP keys configured on the mobile device and APmust match, otherwise the mobile device will be able to associate to the AP but not passdata through the AP.

Figure 2. illustrates Open authentication and the effect of using different WEP keys.

Figur e 2. Open Authentication using different WEP keys



9/50

Technical Education

2.1.2 Shared-Key Authentication

Shared-key authentication on the other hand requires WEP encryption as part of itsauthentication process and requires the mobile device and AP be configured with thesame WEP key for successful authentication of the mobile device to occur.

The 802.11 specification does not define a mechanism for the dynamic distribution ofWEP keys; therefore the WEP keys must be manually configured.

Shared-key authentication uses a challenge-text along with WEP to provideauthentication.

The Shared-key authentication process consists of the following transactions:

1. The station sends an authentication request to the AP requesting shared-keyauthentication.

2. The AP responds with an authentication response containing challenge-text,which is sent as plain-text.

3. The station uses its WEP key to encrypt the challenge-text and responds to theAP with a subsequent authentication request containing the encrypted challenge-text.

4. The AP compares the encrypted challenge-text against its copy of the encryptedchallenge-text. If the two challenges match, the AP allows the station access tothe network.

Figure 3. illustrates the shared-key authentication process.

Figur e 3. Shared-Key Authentication

Two additional network access control methods are used as a means for ensuring amobile device can or cannot connect to a WLAN. Although these methods aresupported and recommended by many 802.11 equipment vendors they are not definedin the 802.11 specification:

Broadcast of SSID

MAC address authentication



10/50

Technical Education

2.1.3 Broadcast of SSID

An SSID can be loosely defined as a network name used for identifying one WLAN fromanother. It is an identifier used to logically separate WLANs. Mobile devices wishing to

join a specific WLAN must be configured with that WLANs SSID.

In an open network the AP broadcasts the SSID in its beacons and any mobile devicewithin signal range can learn the SSID and attempt to connect to the WLAN. In a closednetwork the AP does not broadcast the SSID in its beacons and therefore only thosemobile devices configured with the SSID can connect to the WLAN. Administratorsconfigure the APs to either broadcast or not broadcast the SSID.

The use of SSIDs is strictly for ensuring that a mobile device is attempting to connect tothe correct WLAN. SSIDs do not provide any authentication or encryption capabilities.

2.1.4 MAC address authentication

MAC address authentication verifies the MAC address of a mobile device against a listof allowable addresses configured on the AP, or external authentication server. If theMAC address of a mobile device is defined in the list of allowed addresses, then themobile device is permitted access to the WLAN via that AP. If the MAC address is notdefined in the list then the mobile device is denied access.

2.2 802.11 WEP

The primary goal of the WEP protocol is to protect the confidentiality of data (at the data-link layer) as it travels across the wireless medium, and is intended to provide the samelevel of functionality as the security mechanisms inherent to a wired network.

The WEP protocol is intended to achieve three main security goals:

1. Data ConfidentialityThe fundamental goal of WEP is to protect data fromcasual eavesdropping.

2. Access Control The 802.11 specification includes an optional feature todiscard all packets that are not properly encrypted using WEP.

3. Data Integrity An integrity checksum value (ICV) is included in transmittedmessages to prevent tampering of the message.

WEP uses the RC4stream cipher to encrypt data and the Cyclical RedundancyChecksum (CRC-32) algorithm to ensure that data is not tampered with or modifiedduring transmission.



11/50

Technical Education

WEP requires that each 802.11 device share the same key for proper encryption anddecryption of data, and is based on a 40-bit encryption key length. When the 802.11specification was ratified (approved) in 1997 it was illegal to ship products that used 128-bit encryption outside of the U.S. As a result, the specification defines the use of a 40-bit

key length.

Today, however, 802.11 products support WEP key lengths of 104 bits, offering both 40bit and 104 bit WEP encryption. 104-bit WEP keys do provide more security, but even104-bit keys are susceptible to attack.

2.2.1 WEP RC4

The WEP protocol uses the RC4 stream cipher to encrypt data. Stream ciphers operateby taking a secret key and expanding it into a pseudorandom keystream that is the same

length as the plain-text message. The exclusive OR (XOR) boolean function is thenapplied to the keystream and plain-text message to generate the cipher-text message(encrypted message).

Figure 4. illustrates the RC4 stream cipher operation.

Figur e 4. The RC4 Stream Cipher Operation

The strength (security) of stream ciphers rests entirely on the randomness of thekeystream; therefore, the design of the secret key-to-keystream operation is veryimportant.

Unfortunately, the major weakness with any stream cipher is the reuse of keystreams;that is, encrypting two different plain-text messages with the same keystream createssimilar patterns in the cipher-text messages. This introduces a security threat becauseattackers can analyze the patterns in the cipher-text messages.



12/50

Technical Education

If the attacker manages to obtain the contents of one of the plain-text messages, thenthey can decipher the contents of the second plain-text message based on the patternsin the cipher-text messages and the known plain-text message.

To overcome the possibility of keystream reuse, WEP uses an Initialization Vector (IV) toalter the keystream so that no one keystream will be the same. The IV is a dynamically

generated 24-bit numeric value which generates 224

or 16, 777, 216 possible keystreamvalues and is concatenated to the key before the keystream is generated. Every timethe IV changes, so does the keystream, despite using the same key.

The IV provides two functions as part of the WEP protocol:

It is the mechanism used to generate a new, unique keystream for every plain-text message.

It provides synchronization by keeping the encryption / decryption process

synchronized in the event of lost or retransmitted messages.

In the final steps of the WEP encryption process the IV is transmitted in clear-text alongwith the cipher-text message so that the receiving device will know the value of the IVand be able to decrypt the received cipher-text message.

2.2.2 WEP CRC-32

The WEP protocol also uses an Integrity Checksum Value (ICV) to ensure that data isnot tampered with or modified as it travels across the wireless medium. The ICV is

based on the CRC-32 algorithm and is calculated using the data to be transmitted. Thechecksum value is then concatenated to the data to produce the plain-text message.

The complete WEP encryption process consists of the following transactions:

1. The ICV is calculated using CRC-32 and the data.

2. The ICV is concatenated to the data to produce the plain-text message.

3. The RC4 stream cipher generates a keystream based on the configured key anddynamically generated IV.

4. The XOR function is applied to the keystream and plain-text message to obtain

the cipher-text message

5. The cipher-text message and IV are transmitted in the 802.11 frame.

Figure 5. illustrates the 802.11 WEP encryption process which incorporates theInitialization Vector and Integrity Checksum Value.



13/50

Technical Education

Figur e 5. The 802.11 WEP Encryption Process

Although it is commonly referred to as 64-bit and 128-bit WEP encryption (40-bit key +24-bit IV or 104-bit key + 24-bit IV) the strength of the keys are actually only 40 bits and104 bits because the 24-bit IV is sent unencrypted in the frame header.

To decrypt the message, the receiving device simply reverses the encryption process:

1. The receiving device generates a keystream based on its configured WEP key

and the IV sent in the frame header of the message.2. The receiving device then applies the XOR function to the keystream and cipher-

text message to recover the initial plain-text message.

3. It then separates the plain-text message into the data and ICV and computes anintegrity checksum value on the received data and compares the calculated ICVto the received ICV.

4. If the two checksum values match the receiving device accepts the message asvalid data and places the data on the wired LAN.

For proper encryption and decryption of data all devices must be configured with the

same key.

802.11 management frames are sent in clear-text(unencrypted) even when WEP encryption is enabled.



14/50

Technical Education

Weaknesses in 802.11 Security



15/50

Technical Education

3.0 Weaknesses in 802.11 Security

It is important to emphasize that when security mechanisms were being defined for the802.11 specification the primary concerns being addressed by the specification wereinteroperability and ease of use. As a result, the security mechanisms defined in thespecification are relatively weak by todays standards.

Beginning in 2001, several papers have been published on the Internet which exposethe vulnerabilities of 802.11 security; including ways to compromise it. Numerousstudies have shown that persistent attackers can quickly breach WLAN security evenwith WEP encryption enabled. The papers expose the vulnerabilities evident in theauthentication services and WEP protocol defined in the 802.11 specification, as well aswith SSID and MAC address authentication.

The Wi-Fi Alliance warns against the use of WEP as the only means of security for aWLAN by stating:

It is important to emphasize that WEP was never intended to be a complete end-to-end security solution. It protects the wireless link between the client machinesand access points. Whenever the value of the data justifies such concern, bothwired and wireless should be supplemented with additional higher-levelsecurity mechanisms such as access control, end-to-end encryption, passwordprotection, authentication, virtual private networks, or firewalls.

3.1 Weaknesses in 802.11 Authentication

Open authentication is designed to authenticate any mobile device that requests accessto a WLAN, including an attackers wireless laptop. The AP has no way of determiningwhether the user of the mobile device is authorized to access the WLAN, or not. Onceauthenticated, an attacker can launch a utility such as Airsnort or WEPCrack to quicklydetermine the WEP key.

Shared-key authentication is considered even less secure than Open authenticationbecause of the challenge-text transaction. In late March 2001, the University ofMaryland published a paper that focused on the vulnerability of Shared-keyauthentication.

Shared-key authentication requires the mobile device use its configured WEP key toencrypt the challenge-text sent by the AP. The AP authenticates the mobile device bycomparing the encrypted challenge-text sent by the mobile device and validating itagainst its own copy. If the copies match, the AP allows the mobile device access to theWLAN.



16/50

Technical Education

The Maryland paper explains that the process of exchanging the clear-text version andencrypted version of the challenge over the wireless medium is susceptible to a man-in-the-middleattack; the attacker uses sniffer software to capture both the clear-textversion of the challenge and the encrypted response transmitted between the mobile

device and AP. The attacker can then derive the keystream by simply performing theXOR function on the clear-text and encrypted challenges.

The attacker then requests authentication to the AP, at which point the AP will send aclear-text challenge. The attacker then performs the XOR function on the clear-textchallenge and the derived keystream to generate a valid authentication response. Theattacker computes a new ICV and responds to the AP with a valid authenticationresponse message. The AP authenticates the attacker and grants them access to theWLAN.

At this point, the attacker has successfully associated to the AP without actualknowledge of the WEP key. Once successfully associated, the attacker can launch

another attack to determine the WEP key, allowing them to transmit messages to theAP. Once an attacker has successfully executed a man-in-the-middle attack, mobiledevices will view the attacker as an authorized AP and conversely the AP views theattacker as an authorized mobile device. Both the mobile device and AP fail to detectthe attacker and continue transmitting information.

Figure 6. illustrates the vulnerability of Shared-key authentication to a man-in-the-middleattack.

Figur e 6. Vulnerability of Shared-Key Authentication

Due to the inherent vulnerability of Shared-key authentication, it is stronglyrecommended that it not be used. Shared-key authentication is part of the 802.11specification and therefore vendors are required to support it to be 802.11compliant. It is recommended that Open authentication be used with WEPencryption enabled as opposed to Shared-key authentication.



17/50

Technical Education

3.2 Use of SSID and MAC Address Authentication

The Maryland paper also elaborates on the issues associated with SSIDs and MACaddress authentication.

The SSID is simply a clear-text string used to logically separate one WLAN fromanother. It is not designed to provide any level of data encryption or authentication.With an open network, the SSID is broadcast in the APs beacons. An attacker withinsignal range can quickly learn the SSID and attempt to connect to the WLAN.

In an effort to increase security, 802.11 equipment vendors have implemented the Nobroadcast SSID feature that prevents the AP from broadcasting the SSID. Only thosemobile devices configured with the SSID can connect to the WLAN. However, thisfeature provides no defense against a man-in-the-middle attack because attackers cansimply capture messages being transmitted between an AP and mobile device and

quickly learn the SSID.

MAC addresses are also transmitted in clear-text. As a result, WLANs using MACaddress authentication are susceptible to MAC address spoofing attacks.

MAC address spoofing is possible because many 802.11 network interface cards (NICs)allow the hard-coded MAC address of a device to be overwritten with a MAC addressconfigured by the user. Once an attacker has captured enough messages, they canquickly learn the MAC address of an authorized mobile device and AP and overwritetheir (the attackers mobile device) hard-coded MAC address with the MAC address ofthe authorized mobile device or AP.

When spoofing an AP, the attacker appears as an authorized AP with the intent toassociate with the authorized mobile device and access data on that device. Whenspoofing an authorized mobile device, the attacker appears as an authorized device,with the intent to gain unauthorized access to the WLAN through the AP.

3.3 Weaknesses with WEP

WEPs design flaws came to light when the Internet Security, Applications,Authentication and Cryptography (ISAAC) group at the University of California, Berkeleypublished a paper in February 2001 that described in detail the security weaknesses inthe WEP protocol. WEP was found to be insecure due to its improper implementation of

the RC4 stream cipher and the use of the Cyclical Redundancy Checksum (CRC-32)algorithm for data integrity.

WEPs vulnerabilities are compounded by the fact that keys are manually configured andrarely changed because the 802.11 specification does not specify a key distributionmechanism.



18/50

Technical Education

3.3.1 Weaknesses with the RC4 Stream Cipher

The two primary weaknesses of WEPs implementation of the RC4 stream cipher are:

The derivation (generation) of weak IVs

Keystream reuse

In 2001, crypto-analysts Fluhrer, Mantin, and Shamir published a paper that explainedhow a WEP key could easily be cracked due to WEPs poor implementation of the KeyScheduling Algorithm(KSA) of the RC4 stream cipher. In their paper, Fluhrer, Mantin,and Shamir describe in detail how the first byte in a subset of IVs, referred to as weakIVs, could be correlated with individual bytes of the WEP key and that if enoughmessages containing these weak IVs are captured, they can be statistically analyzed to

derive the WEP key used for encryption.

The 24-bit IV value generates 224

or 16, 777, 216 possible keystream values. Out of the16 million IV values about 9,000 represent weak IVs. Many WEP cracking tools such asAirsnort and WEPCrack analyze captured messages for the existence of these weakIVs.

Researchers at AT&T/Rice University as well as the developers of the Airsnortapplication put this vulnerability to the test and verified that WEP keys of either 40 or104-bit key lengths can be derived after analyzing as few as 100,000 packets encryptedwith weak IVs. For high-usage WLANs, this translates to roughly 3-4 hours until a 104-bit WEP key is cracked.

In addition to the weak IVs, it was determined that encrypting two messages using thesame RC4 generated keystream would reveal information about both messages; aphenomenon referred to as keystream reuse. Researchers at the University ofCalifornia, Berkeley found that WEPs 24-bit IV was inadequate in preventing keystreamreuse because the same IV would be reused within a relatively short period of time.

As mentioned, the 24-bit IV yields 16, 777, 216 unique IV values. Given a networkrunning at 11 Mbps and constantly transmitting 1500-byte packets, an IV would bereused in approximately 5 hours, as explained by the following calculation:

11 Mbps (1500 bytes/pkt 8 bits per/byte) = 917 pkts transmitted each second

16,777,216 IVs 917 pkts/second = 18296 seconds required to use all IVs18296 seconds 60 seconds/min. 60 min./hour = 5.08 hours to use up all IVs

Recall that the IV is sent in clear-text along with the cipher-text message. Attackers cansimply launch a man-in-the-middle attack and passively collect cipher-text messagesuntil they have collected enough messages with the same IV. The attacker can thenperform statistical analysis on the messages until they have successfully derived thekeystream. Once the keystream has been determined, the attacker can use it to decryptother captured messages with the same IV. This type of attack is referred to as an IVreplay attack.



19/50

Technical Education

Since there are a little more than 16 million possible IV values, it is important how eachIV is chosen in order to mitigate the attacks that focus on the weaknesses of the IV.Unfortunately, the WEP protocol doesn't specify how IVs are chosen or how often theyrechanged. Some 802.11 vendor implementations start the IV at zero and increase it

incrementally for each packet, rolling back to zero after the 16 millionth packet has beensent. Some vendor implementations choose IVs randomly which sounds like a goodidea but really isn't because with a randomly chosen IV theres a 50% chance ofkeystream reuse after less than 5,000 packets.

3.3.2 CRC-32

The Berkeley paper goes on to describe the weaknesses in the CRC-32 checksumalgorithm. The researchers show that the CRC-32 algorithm is inadequate in ensuringdata integrity because it is a linear checksum and is susceptible to a bit-fliporreplay

attack.

To execute a bit-flip/replay attack, an attacker uses wireless sniffer software to captureencrypted messages transmitted between a mobile device and AP. The following stepsdescribe how a bit-flip attack is executed:

1. The attacker sniffs a frame on the WLAN and flips random bits in the datapayload of the frame.

2. The attacker modifies the ICV (detailed later).

3. The attacker transmits the modified frame.

4. The receiver (either a mobile device or AP) receives the frame and calculates theICV based on the frame contents.

5. The receiver compares its calculated ICV with the value in the ICV field of theframe.

6. The receiver accepts the modified frame.

7. The receiver de-encapsulates the frame and processes the Layer 3 packet.

8. Because bits are flipped in the Layer 3 packet, the Layer 3 checksum fails.

9. The receiver IP stack generates a predictable error.

10. The attacker sniffs the wireless LAN looking for the encrypted error message.

11. Upon receiving the error message, the attacker derives the key stream as withthe IV replay attack.

Figure 7. illustrates a bit-flip/replay attack.



20/50

Technical Education

Figur e 7. Bit-Flip/Replay Attack

The basis of the bit-flip attack is in the failure of the CRC-32 algorithm. If the change tothe ICV reflects the change to the data payload, then the modified message will goundetected by the AP. The attacker is able to calculate the correct ICV by performingthe following operations:

1. A captured frame (F1) has an ICV (C1).

2. A new frame is generated (F2) the same length as F1, with bits flipped.

3. Frame F3 is produced by XORing F1 and F2.

4. The ICV for F3 is calculated (C2).

5. The correct ICV (C3) for F3 is generated by XORing C1 and C2

Figure 8. illustrates the steps for calculating the correct ICV during a bit-flip attack.

Figur e 8. Calculating the ICV for a Bit-Flip Attack



21/50

Technical Education

3.3.3 Lack of Key Distribution

The 802.11 specification does not define a method for how keys are generated anddistributed. As a result, keys must be manually configured on all devices which makes itincreasingly more difficult to manage and update keys as more devices and APs join thewireless network; therefore keys are rarely updated.

The randomness and strength of the keystream is dependant on the value of the IV andkey. If the value of the key remains constant, then it increases the risk of keystreamreuse.

Infrequent updates to the key allows attackers to build decryption dictionaries; a table ofkeystreams corresponding to each IV. A dedicated attacker can easily accumulateenough data to build a full decryption dictionary. It then becomes possible to launch a

dictionary attack and quickly decrypt each subsequent cipher-text message with littleeffort.



22/50

Technical Education

Enhanced Wireless SecuritySolutions for 802.11 WLANs



23/50

Technical Education

4.0 IEEE 802.1X (Port-Based Network Access Control)

The IEEE 802.1X standard defines a mechanism for port-based network access controland is supported by a number of IEEE 802 infrastructures such as Ethernet, Token-Ring,FDDI and 802.11. 802.1X provides an authentication framework on top of which variousauthentication methods such as certificates and one-time passwords are used to provideauthentication services, and prevents access in cases where authentication andauthorization fails.

The 802.1X standard brings a number of enhancements to 802.11 networks to addressthe shortcomings of the original 802.11 security mechanisms described earlier, such asuser authentication and a method for dynamic distribution of encryption keys.

802.1X has three components that combine to deliver strong authentication:

802.1X Supplicant (WZC, Summit Client Utility, Odyssey Access Client)

Authenticator (PTX 9160, autonomous AP, WLAN controller)

Authentication Server (Microsoft IAS, Cisco ACS)

With respect to 802.11, the supplicant is represented by the mobile device and theauthenticator is represented by the AP in an autonomous (Thick AP) environment, or bythe wireless controller in a centralized, controller-based environment. The mostcommon type of authentication server is RADIUS (Remote Authentication Dial-In UserService).

Figure 9. illustrates the IEEE 802.1X setup.

Figur e 9. IEEE 802.1X setup



24/50

Technical Education

802.1X uses the Extensible Authentication Protocol (EAP) to pass authenticationinformation between the mobile device and the authentication server. EAP effectivelycreates a session between the mobile device and authentication server, allowing theuser to forward their credentials to the authentication server. If the EAP authenticationmethod used supports mutual authentication, then the authentication server alsoprovides its credentials to the mobile device within the same session. The EAP sessionprovides the mobile device limited access to the network for authentication purposesonly. Once the user of the mobile device has successfully authenticated to the network,the session is terminated and the user is granted access.

The encapsulated form of EAP, known as EAP over LAN (or EAPOL), is used forcommunication between the mobile device and authenticator. The authenticator acts asan EAP proxy between the mobile device and authentication server, accepting EAPOLpackets from the mobile device and forwarding them to the authentication server over aprotocol such as RADIUS. The authentication server confirms the users credentials anddirects the authenticator to allow the mobile device access to the network. In turn, the

authenticator forwards all authentication server EAP packets over EAPOL to the mobiledevice.

RADIUS is a widely deployed protocol for enabling centralized authentication,authorization and accounting for network access. The authenticator sends the userscredentials and connection parameter information in the form of a RADIUS message tothe RADIUS server (authentication server). The RADIUS server authenticates andauthorizes the authenticators request and sends back a RADIUS message response.RADIUS messages are never sent between the mobile device and authenticator.

RADIUS messages are sent as User Datagram Protocol (UDP) messages. UDP port1812 is used for RADIUS authentication messages and UDP port 1813 is used for

RADIUS accounting messages. Some RADIUS servers support UDP port 1645 forRADIUS authentication messages and UDP port 1646 for RADIUS accountingmessages. Only one RADIUS message is included in the UDP payload of a RADIUSpacket.

The following provides a brief description of the various RADIUS message types:

Access-Request Sent by the authenticator to request authentication and authorizationfor network access.

Access-Accept Sent by the RADIUS server (authentication server) in response to anAccess-Request message. This message informs the authenticator that the connection

attempt is authenticated and authorized.

Access Reject Sent by the RADIUS server in response to an Access-Requestmessage. This message informs the authenticator that the connection attempt isrejected. The RADIUS server sends this message if either the users credentials are notauthentic or the connection attempt is not authorized.



25/50

Technical Education

Access-Challenge Sent by the RADIUS server in response to an Access-Requestmessage. This message is a challenge to the authenticator that requires a responseprovided by the mobile device.

Accounting-Request Sent by the authenticator to specify accounting information for aconnection that was accepted.

Accounting-Response Sent by the RADIUS server in response to the Accounting-Request message. This message acknowledges the successful receipt and processingof the Accounting-Request.

To provide additional security, the authenticator and authentication server are configuredwith a sharedsecret. The shared secret is used to secure RADIUS traffic and istypically configured as a text string on both the authenticator and authentication server.

4.1 802.1X Authentication Process

802.1X has the effect of creating two logical points of access to the authenticatorsphysical point of attachment to the network. The two logical points of access arereferred to as the controlled port and uncontrolled port. Uncontrolled ports andcontrolled ports are considered part of the same physical point of attachment to thenetwork. In 802.11 terms, the physical point of attachment is represented by theassociation between the mobile device and AP.

Figure 10. illustrates how 802.1X has the effect of creating two distinct logical points ofaccess to the authenticators physical point of attachment to the LAN.

Figur e 10. Authenticators controlled and uncontrolled ports



26/50

Technical Education

802.1X authentication typically occurs after the mobile device has established aconnection to the authenticator (i.e. associated to the AP) at startup or after roaming.Upon detecting the mobile devices connection, the authenticator enables the mobiledevices port and forces the port into an unauthorized state so that only EAP traffic is

forwarded; all other traffic is blocked. The mobile device at this point is unable to sendany network traffic - including critical traffic like DHCP requests - until the 802.1Xauthentication process is complete and the user of the mobile device has beensuccessfully authenticated.

The controlled port only accepts packets from authenticated devices and can be thoughtof as a logical switch. If the user is authenticated, then the switch is closed and trafficmay flow through that port. If the user is in the process of authentication or failsauthentication, then the switch is open and traffic may not flow through that port. Theauthenticator uses the uncontrolled port to exchange EAP protocol information betweenthe mobile device and authentication server. Protocol exchanges between theauthenticator and authentication server can be conducted via one or more of the

authenticators controlled or uncontrolled ports.

A pair of controlled ports one on the AP or WLAN controller and one on the mobiledevice is created for each mobile device connected to the AP or WLAN controller.This creates a one-to-one relationship between the authenticator and each of itsassociated mobile devices.

Once the user is authenticated and authorized, the mobile device is granted networkaccess and can transmit data to the network through its controlled port.

4.2 Dynamic Encryption Keys

Encryption protocols can be used in conjunction with 802.1X. This is because the802.1X standard provides a mechansim for transmitting encryption keysincircumstances where encryption is enabled. EAP authentication methods that supportmutual authentication introduce strong improvements to how encryption keys aregenerated, managed and distributed by enabling dynamic per-packet keying.

Heres how dynamic per-packet keying works: Once mutual authentication between themobile device and authentication server is successfully complete, a session key ismutually computed in both the authentication server and mobile device during the802.1X authentication process.

The authentication server sends a success message to the authenticator along with thesession key. Using the session key, the mobile device and authenticator derive thesame encryption key for encrypting unicast traffic. The session key is never transmittedover the wireless link. In addition to the unicast encryption key the authenticator alsogenerates an encryption key for encrypting broadcast traffic, which it encrypts using thesession key and forwards to the mobile devices.



27/50

Technical Education

The length of a session is defined on the authentication server. When a session expiresor the mobile device roams from one authenticator to another, re-authentication occursand a new session key is generated, which in turn generates new encryption keys. If,somehow, an attacker does manage to intercept an encryption key, a new key is

generated after a specified period of time rendering the captured key invalid.

Figure 11. illustrates the 802.1X mutual authentication process with dynamic per-packetkeying.

Figur e 11. 802.1X authentication with dynamic per-packet keying

4.3 EAP Authentication Methods

EAP is an authentication framework which supports multiple authentication methods.EAP typically runs directly over the data-link layer without requiring IP. While EAP was

originally developed for use with PPP, it is also used with IEEE 802 based networks andis the authentication framework of choice for protecting wireless and wired networks,remote dial-up, and VPNs.

EAP authentication provides the means of securing an 802.11 connection. EAP is ageneral protocol and is extensible in that it supports multiple authentication methods.The actual EAP authentication method used is unknown to 802.1X. This allows 802.1Xto support future developed EAP authentication methods without the need for changesto the 802.1X standard.



28/50

Technical Education

The EAP authentication methods that are commonly used today include:

EAP-TLS EAP PEAP-MSCHAPv2

LEAP (Cisco proprietary) EAP-FAST

The EAP authentication method used during the 802.1X authentication process isnegotiated between the mobile device and authentication server (i.e. EAP authenticationmethods are configured on the mobile device and authentication server). Theauthenticator simply acts as a pass-through device passing EAP messages between themobile device and authentication server. The actual processing of EAP messagesoccurs at the mobile device and authentication server, not the authenticator.

The advantage of using EAP over RADIUS is that EAP authentication methods do notneed to be configured on the authenticator. The authenticator need only support the

capabilities to pass EAP messages between the mobile device and authenticationserver.

Figure 12. illustrates the EAP structure.

Figur e 12. EAP structure



29/50

Technical Education

4.3.1 EAP-TLS

EAP-TLS is a two-way (mutual) authentication protocol in which the mobile deviceauthenticates the authentication server, and in turn, the authentication serverauthenticates the user.

EAP-TLS is one of the original authentication methods specified by the IEEE when802.1X and EAP were initially proposed and established as a standard. TLS is used inmany environments and is intended to be an alternative to the Secure Sockets Layer(SSL) security protocol.

EAP-TLS relies on a Client Certificate for authenticating the user and a ServerCertificate for authenticating the authentication server. Certificates are issued by aCertificate Authority (CA) which is typically part of a Public Key Infrastructure (PKI); asystem of certificates, certificate authorities and other registration authorities that verifyand authenticate the validity of each user involved in transactions and exchanges ofinformation.

As part of the EAP-TLS authentication process, the mobile device and authenticationserver perform a TLS handshake to establish a secure, encrypted TLS tunnel throughwhich user credentials are forwarded for authentication. The nature of the encryptedTLS tunnel secures against man-in-the-middle-attacks, and the use of certificatessecures against dictionary attacks.

Figure 13. illustrates the EAP-TLS authentication process

Figur e 13. EAP-TLS Authentication Process



30/50

Technical Education

Encryption keys are dynamically generated and distributed after successfulauthentication to encrypt subsequent data transmissions.

EAP-TLS is an ideal authentication solution in environments which already have a PKI

deployed for user authentication. It is unlikely, however, that a customer would deploy aPKI to support authentication of wireless devices only.

Advantages of EAP-TLS include:

Encrypted TLS tunnel secures against man-in-the-middle attacks. Certificates provide strong authentication; secures against dictionary attacks. Widely supported.

Disadvantages of EAP-TLS include:

Certificates must be installed and managed on each mobile device; too

cumbersome. Requires a Certificate Authority.

4.3.2 EAP PEAP-MSCHAPv2

EAP PEAP-MSCHAPv2 is also a two-way (mutual) authentication protocol. PEAP-MSCHAPv2 relies on a Server Certificate for authenticating the authentication serverand uses MSCHAPv2 based user credentials (username and password) forauthenticating the user.

As part of the PEAP-MSCHAPv2 authentication process, the mobile device andauthentication server perform a TLS handshake to establish a secure, encrypted TLStunnel through which the users credentials are forwarded for authentication. The TLStunnel secures against man-in-the-middle-attacks.

The PEAP-MSCHAPv2 authentication process occurs in two phases:

1. The mobile device and authentication server perform a handshake in which theauthentication server forwards its Server Certificate to the mobile device forserver authentication and to establish the TLS tunnel.

2. The mobile device forwards MSCHAPv2 based user credentials to theauthentication server through the TLS tunnel for user authentication.

Encryption keys are dynamically generated and distributed after successfulauthentication to encrypt subsequent data transmissions.

Figure 15. illustrates the EAP PEAP-MSCHAPv2 authentication process.



31/50

Technical Education

Figur e 15. EAP PEAP-MSCHAPv2 Authentication Process

Since MSCHAPv2 is a password-based authentication protocol it is important foradministrators to configure strong passwords to prevent dictionary attacks.

Characteristics of strong passwords include:

A mixture of uppercase and lowercase letters. At least one numeric character (0-9) or non-alphanumeric characters (! @ # &). At least one special character within the password; not at the beginning or end. No resemblance to the users name or user ID. A word that is not found in the dictionary.

PEAP-MSCHAPv2 can be deployed against any user database that supports theMSCHAPv2 format, such as Windows NT and Active Directory. Since Microsoftcredentials can be used with PEAP-MSCHAPv2, mobile devices may be configured touse Windows login credentials to authenticate to the network.

Advantages of PEAP-MSCHAPv2 include: Encrypted TLS tunnel secures against man-in-the-middle attacks. Client Certificates not required; simplifies end user / device management. Can be deployed against existing authentication database. Widely supported.

Disadvantages of PEAP-MSCHAPv2 include:

Strong passwords must be used.



32/50

Technical Education

4.3.3 Cisco LEAP

LEAP is a Cisco proprietary authentication protocol that follows the 802.1X standard andprovides mutual authentication between the mobile device and authentication server.

The mobile device sends a challenge to the authentication server via the authenticator.The authentication server must correctly respond to the challenge for the mobile deviceto validate the server. User authentication is based on MSCHAP username andpassword credentials. Encryption keys are dynamically generated upon successfulauthentication to encrypt all subsequent data transmissions.

Cisco strongly recommends the use of strong, unique passwords to mitigate againstdictionary attacks; no common names, phrases or easily guessed strings. When used inconjunction with a strong password policy, Cisco LEAP provides a secure authentication

solution.

Figure 16. illustrates the LEAP authentication process.

Figur e 16. Cisco LEAP Authentication Process



33/50

Technical Education

Advantages of Cisco LEAP include:

Simple to deploy and operate; password-based.

Disadvantages of Cisco LEAP include:

Not supported by Microsoft. Cisco proprietary; not supported by all hardware vendors. Susceptible to dictionary attacks; strong passwords must be used.

4.3.4 EAP-FAST

EAP-FAST is an EAP authentication protocol developed by Cisco to supportorganizations that cannot enforce a strong password policy as required by LEAP, andwho wish to deploy an authentication method that does not require certificates.

EAP-FAST is a mutual authentication protocol that encrypts EAP messages via a TLStunnel. The tunnel is established using strong secrets called Protected AccessCredentials (PACs) which the authentication server generates using a master keyknown only to the server.

EAP-FAST authentication occurs in 3 phases:

Phase Zero (Automatic PAC Provisioning) Phase zero is a means fordynamically providing a mobile device with a PAC. A secure tunnel isestablished based on an anonymous Diffie-Hellman key exchange between themobile device and authentication server whereby the server sends the mobile

device a PAC through the secure tunnel. Providing a PAC to the mobile deviceis the only purpose for phase zero. Automatic provisioning of the PAC via phasezero is referred to as in-band provisioning.

Phase zero is optional. PACs can also be manually set up on each mobiledevice. This method is referred to as out-of-band provisioning. Administratorscan control whether the authentication server supports phase zero by enablingautomatic PAC provisioning on the server.

Phase zero relies on the MSCHAPv2 protocol to authenticate the user fromwhich the secure tunnel is established and the PAC is sent. Therefore, it may benecessary to use manual provisioning if youre using a non-Microsoft-format user

database such as LDAP, which does not support MSCHAPv2.

It is important to understand that the initial user authentication performedin phase zero is strictly done for the purposes of establishing the securetunnel through which the PAC is sent. The end result of phase zero is thedistribution of the PAC to the mobile device, not user authenticationrequired for access to the network.



34/50

Technical Education

After the PAC is successfully sent to the mobile device, the authentication server issuesan authentication failure to the authenticator and the mobile device is disassociated fromthe WLAN. The mobile device then re-initiates an EAP-FAST authentication requestwith the WLAN using the newly provisioned PAC. The process of authenticating the

user to the network begins with phase one.

Figure 17. illustrates EAP-FAST automatic PAC provisioning via phase zero.

Figur e 17. EAP-FAST Phase Zero: Automatic PAC Provisioning

Phase One In phase one, the authentication server and mobile device

establish a TLS tunnel based on the PAC. The authentication server sends themobile device an Authority ID (A-ID) and the mobile device selects the correctPAC from its storage by correlating the provided A-ID with its saved PACs, and aTLS tunnel is established.

Phase Two In phase two, the users credentials are forwarded to theauthentication server through the TLS tunnel for user authentication to thenetwork. EAP-FAST only supports EAP based user credentials within the TLStunnel.

The following EAP based user credentials are currently supported with EAP-

FAST:

o EAP-MSCHAPv2 (PACs manually or automatically provisioned)o EAP-GTC (PACs manually provisioned)o EAP-TLS (PACs manually provisioned)

Keep in mind that although user authentication occurs frequently, the provisioning ofPACs to mobile devices occurs infrequently and is based on policies configured on theauthentication server. A mobile device will use the same PAC many times when re-authenticating to the network.



35/50

Technical Education

Figure 18. illustrates phase one and two of EAP-FAST.

Figure 18. EAP-FAST Phase One and Phase Two

EAP-FAST was not intended to replace LEAP. It was designed for organizationswishing to deploy a secure authentication solution without the need for strong passwordsor certificates.

Advantages of EAP-FAST include:

Encrypted TLS tunnel secures against man-in-the-middle attacks. Digital certificates not required. Strong passwords not required.

Disadvantages of EAP-FAST include:

Limited vendor support; not supported by Microsoft



36/50

Technical Education

Table 1. provides a comparison summary of the EAP authentication methods described.

Table 1. Comparison of commonly used EAP authentication methods

4.4 A little bit about importing Certificates

As mentioned earlier, several EAP authentication methods rely on Client and CAcertificates for authentication. Certificates are issued by a Certificate Authority (CA) andare secure, confidential items which are not normally given to PTX personnel without co-operation and assistance from the customer.

Client certificates are typically in a .pfx file format and CA certificates are typically in a.cer file format.

Client certificates contain a private key which make them problematic to import onWindows CE based mobile devices when using either CEs native Wireless Zero Config.(WZC) or the Summit Client Utility (SCU), as CEs WZC and the current version of SCUdont support a certificate import utility for importing Client certificates in CE. TheOdyssey Access Client, however, does contain an import utility which allowsadministrators to import Client certificates into Windows CE based mobile devices viathe Odyssey Access Client.



37/50

Technical Education

Windows Mobile operating systems do contain a native certificate import utility. Thenative import utility automatically detects certificates. Therefore, there are no issues withimporting Client certificates on Windows Mobile based devices when using WZC orSCU.

CA certificates on the other hand dont contain private keys and therefore pose noissues to import into Windows CE or Windows Mobile based mobile devices when usingWZC, SCU, or the Odyssey Access Client.

Importing Client certificates on mobile devices is only an issue when deploying TLSauthentication. PEAP-MSCHAPv2 requires the mobile device contain only the CAcertificate, which raises no issue.

4.5 Advantages of 802.1X Authentication

Control at the network Edge802.1X allows a network to restrict access at the edge, where it is most easily managed.Controlled ports, wired or wireless, stop attackers from ever gaining access to yournetwork.

Because 802.1X provides access control for various networking technologies such asEthernet, Token Ring, FDDI and 802.11, it allows organizations to create a securitypolicy that can be implemented across their wired and wireless networks.

Dynamic Encryption Key Management802.1X provides a framework that allows a WLAN to dynamically generate and distribute

encryption keys, periodically change encryption keys, and periodically re-authenticateusers. This enhances security by eliminating static encryption keys and mitigatingattacks targeted at collecting large amounts of data encrypted with the same key.

Low Overhead802.1X is only employed during authentication and it permits encryption to be employedonly between the APs and mobile devices, so it adds no per-packet overhead

other than that imposed when enabling encryption and can be implemented onexisting switches and APs with little performance impact.

The primary considerations for determining which EAP authentication method to deployin a WLAN are:

The authentication mechanism that is in place in the enterprise; PKI, password-based database.

Whether the authentication mechanism is suitable for or adaptable toauthentication of wireless users.

The EAP authentication methods supported by the mobile devices.

The amount of impact on device performance that is tolerable.



38/50

Technical Education

5.0 Wi-Fi Protected Access

The Wi-Fi Alliance introduced WPA to address the weaknesses in the securitymechanisms defined in the original 802.11 specification. WPA is a subset of the IEEE802.11i security standard and addresses security requirements for AP-based 802.11networks (infrastructure). It was introduced to fill the security gap until the ratification ofthe 802.11i standard.

The idea behind WPA was to bring to market a security solution that took advantage ofthe stable components of 802.11i while the IEEE 802.11i task group continued their workto ratify the complete 802.11i standard, as illustrated in Figure 19.

Figur e 19. WPA

WPA provides an architectural framework on top of which standards-based securityprotocols are used to deliver authentication and encryption services for 802.11 networks.

The following key components make up WPA:

Mutual Authentication Either using 802.1X authentication or Pre-Shared Keys(PSK).

Unicast and Broadcast Encryption Keys Keys derived upon successfulauthentication for the encryption of unicast and multicast data.

Dynamic Key Management Dynamically generated per user, per session, perpacket encryption keys.

Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC) Protocols that combine to provide strong data encryption and data integrity.

Larger IV Key Length Initialization Vector is expanded from 24 bits to 48 bits.



39/50

Technical Education

5.1 WPA Authentication

The initial WPA authentication process is essentially identical to standard 802.11authentication and association. The primary difference with WPA is in the initialassociation request (probe request) the mobile device and authenticator send. As partof WPA compliance, the authenticator must advertise its security capabilities within its802.11 beacons.

The security capabilities advertised describe the encryption protocols and authenticationmethods supported. The mobile device and authenticator must agree on a securityscheme during the association process.

WPA supports two authentication services:

802.1X/EAP

Pre-Shared Key (PSK)

In an enterprise environment, WPA relies on 802.1X authentication, as described insection 4.0, to provide centralized access control and management. This is referred toas WPA Enterprise.

In a smaller, cost-sensitive environment where there is no central authentication serveror EAP framework, such as a home or small office, WPA can be run in Pre-Shared Keymode (PSK) which relies on a manually configured passphrase on the mobile deviceand wireless router. The administrator or home user simply configures a passphrase ontheir wireless router and each mobile device. The use of PSK for authentication is

referred to as WPA Personal.

Successful authentication of the mobile device and wireless router is based on amatching passphrase. The passphrase must be 8 to 63 ASCII characters long; thelonger the passphrase the less susceptible the WLAN is against a dictionary attack.

5.2 WPA TKIP

The Temporal Key Integrity Protocol (TKIP) is an enhancement to WEP and WEPsimplementation of the RC4 algorithm. TKIP essentially acts as a wrapper around theWEP protocol to maximize the security of the encryption itself.

TKIP was chosen as the primary encryption cipher suite for WPA because it is easilydeployed and supported in legacy 802.11 hardware compared to other availableencryption protocols. Since the RC4 stream cipher is used for both WEP and TKIP,hardware that supports WEP encryption may be upgraded to support TKIP encryption.TKIP support on most legacy hardware is made available through a firmware or softwareupgrade.



40/50

Technical Education

The goal of TKIP is to address all of WEPs known problems:

Correct WEPs mis-use of encryption; RC4 implementation.

Prevent IV roll-over; keystream reuse.

Prevent bit flip and replay attacks.

Ensure data integrity; prevent frame forgeries.

To do this, TKIP surrounds the WEP protocol with four new elements:

1. An extended 48-bit IV and IV sequencing rules (compared to WEPs 24-bit IV).

2. Two additional key mixing functions.

3. A method for generating and distributing encryption keys.

4. A Message Integrity Check (MIC) algorithm a.k.a. Michael to ensuremessages havent been tampered with during transmission.

Figure 20. illustrates the WPA TKIP encryption process

Figur e 20. WPA TKIP Encryption Process

TKIP increases the key size from 40 bits to 128 bits and replaces WEPs single statickey with a key that is dynamically generated. In addition, TKIP uses a key hierarchy andkey management methodology that removes the predictability which attackers relied onto exploit the WEP key; that is, TKIP replaces WEPs single, manually configured key forsome 500 trillion possible keys that can be used on a given data packet.



41/50

Technical Education

The protocol employs two S-box mixing functions from which a base key, a 48-bit IVand MAC address of the transmitting device are used to derive the unique 128-bit key.The base key is derived using either the Pairwise Transient Key (PTK) or GroupTransient Key (GTK) generated during the 802.1X or PSK authentication process. The

S-box mixing functions are designed to prevent weak IV attacks described in section3.3.1.

TKIPs use of an extended 48-bit IV addresses WEPs issue in which the 24-bit IV wouldroll over in a short period of time resulting in the same keystream being reused toencrypt different messages. With a 48-bit key length the probability of an IV roll-over ishighly unlikely, thus making an attack impractical. To further reduce this probability,TKIP mandates that the base key be changed before the IV rolls over, thus preventingthe same keystream value from ever being generated.

Furthermore, IV sequencing rules specify how IVs are selected and verified. The IV isused as a sequence number and acts as an increasing 48-bit counter. A receiving

device will discard any packet associated with the same key where the IV value is lessthan a previously received packet. TKIPs use of a 48-bit IV and sequencing rulesdefends against bit flip and replay attacks.

5.2.1 Message Integrity Check

MICis a cryptographic checksum designed to make it computationally infeasible for anattacker to alter data. The MIC protocol uses an algorithm called Michael, which uses aunique MIC key to generate the MIC value itself, which is then concatenated to the datapayload; as illustrated in Figure 21. MIC is an efficient, lightweight algorithm making it

inexpensive to implement on radio firmware or wireless NIC cards.

Figur e 21. Message Integrity Check



42/50

Technical Education

The receiving device checks the CRC, ICV and IV of all packets first before checking theMIC; therefore a MIC failure almost always means an active attack. In addition, TKIPsupplements MIC with countermeasures that reduce the rate at which an attacker canmake message forgery attempts down to two tries every 60 seconds.

If a mobile device detects a MIC failure on the packets received, it sends a MIC failurereport. If the WLAN records two MIC failures (i.e. MIC failure reports or failures onreceived packets) within 60 seconds of each other, all mobile devices are disassociatedfrom the WLAN and will not be allowed to re-associate for the next 60 seconds.Stopping traffic for 60 seconds makes it impossible for an attacker to recover the MICkey. After the 60 second timeout new keys are generated to ensure the attacker cannotobtain any information about the key from the attack.

5.3 Advantages of WPA

ScalableWPA effectively addresses WLAN security requirements for both large enterpriseenvironments and smaller, cost-sensitive environments.

Investment ProtectionWPA can be implemented on most legacy 802.11 hardware via a software or firmwareupgrade.

Enhanced SecurityWPA brings three security enhancements to 802.11 networks to address theweaknesses of the original 802.11 security mechanisms;

1. Authentication services provided by 802.1X/EAP secures against man-in-the-middle attacks.

2. Stronger encryption and data integrity provided by TKIP and MIC secures againstweak IVs, keystream reuse and bit-flip/replay attacks.

3. Dynamic, per packet encryption keys secures against dictionary attacks.

All Psion Teklogix terminals support WPA security



43/50

Technical Education

6.0 IEEE 802.11i (WPA2)

The IEEE 802.11i security standard, adopted by the Wi-Fi Alliance as WPA2,incorporates strong authentication and data encryption mechanisms and effectivelyrepresents second-generation 802.11 security to address security concerns for legacyand new 802.11 hardware in AP (infrastructure) and ad-hoc based 802.11 networks.

WPA2 supports the following authentication services:

802.1X/EAP

Pre-Shared Key (PSK)

And supports the following data encryption protocols:

TKIP

AES-CCMP

Although TKIP improves security significantly for legacy hardware, a stronger solutionwas needed for newer 802.11 hardware. The IEEE 802.11i Task Group memberswanted a FIPS (Federal Information Processing Standards) certified solution. As aresult, the 802.11i Task Group decided on the Counter-Mode / CBC-MAC Protocol(CCMP).

CCMP is based on the Advanced Encryption Standard (AES) block cipher, a FIPS-197certified encryption algorithm approved by the National Institute of Standards and

Technology (NIST). For data encryption AES operates in Counter-Mode and for dataintegrity AES operates in Cipher Block Chaining-Message Authentication Code (CBC-MAC). AES itself is a very strong block cipher, but Counter-Mode makes it extremelydifficult for an attacker to spot patterns in messages and CBC-MAC ensures thatmessages have not been tampered with.

Just as with TKIP, AES-CCMP increases the key length from 40 bits to 128 bits.

Because 802.11i supports more than one encryption protocol, the standard provides away for mobile devices and authenticators to negotiate which protocol to use duringspecific traffic circumstances (i.e. unicast or broadcast traffic) and to discover anyunknown security parameters. The mobile device and authenticator must agree on a

security scheme during the association process.

Other features supported by 802.11i include:

Key caching

Pre-authentication



44/50

Technical Education

Mobile devices often roam back and forth between APs (authenticators). This has anegative effect on the WLANs performance. The basic concept behind key caching isthat the mobile device and authenticator maintain their authentication status even whenthe mobile device roams away from the authenticator. Essentially, key caching stores

user information so that if they leave and come back to an authenticator, they don't needto re-enter all their credentials. When the mobile device roams back to theauthenticator, the security association can then be restarted.

Key caching is based on the fact that the mobile device has previously been associatedto an authenticator. Pre-authentication on the other hand enables a mobile device toestablish a security association with an authenticator with which the mobile device hasnever been associated toby sending a pre-authentication packet that's routed throughthe authenticator the mobile device is currently associated with. Pre-authenticationprovides a way to establish a security association to a new authenticator before a mobiledevice has actually roamed to that authenticator allowing for faster roaming betweenauthenticators.

It is important to note that not all vendor implementations of 802.11i (WPA2)support features like pre-authentication.

All Psion Teklogix terminals with an 802.11g radio support802.11i (WPA2) security



45/50

Technical Education

7.0 Cisco Compatible Extensions

In early 2003, Cisco introduced their Cisco Compatible Extensions (CCX) program, a no-cost licensing program for 802.11 silicon manufacturers. Through the CCX program,Cisco makes their innovative WLAN technology and security features available toparticipating 802.11 silicon manufacturers, who in turn integrate Cisco WLAN technologyinto their 802.11 radio reference designs.

The CCX program is intended for 802.11 client products only; designed to take fulladvantage of Ciscos features when implemented in a Cisco WLAN environment.Participants in the CCX program design their client products around CCX Compatibleradio reference designs then submit their client products to Ciscos independent third-party testing centre to undergo extensive testing. This testing helps to ensure supportfor Ciscos technology as well as full interoperability with Cisco WLAN infrastructureproducts.

Each CCX version provides new features that improve performance, security, mobilityand management. Each new version builds upon the previous version.

In addition to Ciscos own unique WLAN technology, CCX also specifies IEEE and Wi-Fistandards such as WEP, IEEE 802.1X, EAP, WPA and IEEE 802.11i (WPA2).

Figure 22. illustrates the various features available with each CCX version.

Figur e 22. CCX versions and features.



46/50

Technical Education

Ciscos CKIP and CMIC are pre-standard versions of WPAs TKIP and MIC and wereintroduced by Cisco to resolve the known issues with WEP before WPAs standards-based TKIP and MIC were available.

The Cisco Centralized Key Management (CCKM) protocol is Ciscos proprietary keymanagement protocol that provides fast secure roaming of mobile devices in a Ciscobased WLAN.

With the integration of the RA2041 802.11g CF radio from Summit,Psion Teklogix mobile devices have received CCX v4 certificationstatus.

The RA2041 radio is now available in the following PTX mobile

devices: 7530 G2 7535 G2 8525 and 8530 G2 WAP G1 and WAP G2 8515 Ikon



47/50

Technical Education

8.0 Putting It All Together

Generally speaking, when you configure any supplicant (Summit Client Utility, OdysseyAccess Client, Wireless Zero Config.) you typically configure an authentication methodsuch as PEAP-MSCHAPv2 with an encryption protocol such as AES. Unfortunately, notall supplicants (and radio cards) support all, or the same, authentication and encryptioncombinations.

When making recommendations to the customer, you need to look at the big picture todetermine which authentication / encryption combination to deploy. You need toconsider all the components that make up the solution; the RADIUS server, the AP /WLAN controller, the supplicant (and radio card), and the backend database.For example, take LEAP authentication with WEP encryption. You can configure thiscombination using the Summit Client Utility (with the RA2041 radio) and OdysseyAccess Client (with the RA2040 radio), but if you are using a Microsoft RADIUS serverwith a 9160 AP this solution won't work because the Microsoft RADIUS server and 9160AP don't support LEAP.Another example is EAP-FAST. As mentioned earlier, this authentication methodsupports a feature known as automatic PAC provisioning, which is supported by theSummit Client Utility. However, if you're using an LDAP backend database, you can'tuse automatic PAC provisioning, because the LDAP database doesn't support theprotocol scheme required by automatic PAC provisioning.In addition to knowing which Psion Teklogix terminals will be deployed, it will also beimportant to familiarize yourself with the customers infrastructure to determine which

security combinations are supported by that infrastructure and which combination offersthe most robust security.



48/50

Technical Education

9.0 Glossary

ACS (Cisco): Access Control Server

AES: Advanced Encryption Standard

AP: Access Point

CA: Certification Authority

CCX: Cisco Compatible Extensions

CF: Compact Flash

CRC-32: Cyclical Redundancy Checksum 32

DHCP: Dynamic Host Configuration Protocol

EAP: Extensible Authentication Protocol

EAPOL: Extensible Authentication Protocol over LAN (EAP over LAN)

FAST: Flexible Authentication through Secure Tunneling

FDDI: Fiber Distributed Data Interface

GMK: Group Master Key

GTC: Generic Token Card

GTK: Group Transient Key

IAS (Microsoft): Internet Authentication Service

IBSS: Independent Basic Service Set

ICV: Integrity Checksum Value

IEEE: Institute of Electrical and Electronics Engineers

ISAAC: Internet Security, Applications, Authentication andCryptography Group

IV: Initialization Vector

KSA: Key Scheduling Algorithm



49/50

Technical Education

LDAP: Lightweight Directory Access protocol

LEAP: Light-weight Extensible Authentication Protocol

MAC: Media Access Control

MIC: Message Integrity Check

MS-CHAPv2: Microsoft Challenge-Handshake Authentication Protocolversion 2

NDS: Novell Directory Service

NIC: Network Interface Card

OTP: One Time Password

PAC: Protected Access Credential

PEAP: Protected Extensible Authentication Protocol

PKI: Public Key Infrastructure

PMK: Pairwise Master Key

PPP: Point-to-Point Protocol

PSK: Pre-Shared Key

PTK: Pairwise Transient Key

RADIUS: Remote Authentication Dial-In User Service

SCU: Summit Client Utility

SSID: Service Set Identifier

SSL: Secure Sockets Layer

TKIP: Temporal Key Integrity Protocol

TLS: Transport Layer Security

UDP: User Datagram Protocol

VLAN: Virtual Local Area Network

VPN: Virtual Private Network



50/50

Technical Education

WEP: Wired Equivalent Privacy

WLAN: Wireless Local Area Network

WPA: Wi-Fi Protected Access

WZC: Wireless Zero Configuration (Microsofts native Windowswireless configuration manager)

XOR: Exclusive OR (Boolean function)

Documents

Wireless Security White Paper