Master Thesis in Software Engineering
Thesis no: MSE-2003:01
January 2003

Securing a wireless local area network - using standard security techniques

Dan Ekström

Department of Software Engineering and Computer Science
Blekinge Institute of Technology
Box 520
SE - 372 25 Ronneby
Sweden
This thesis is submitted to the Department of Software Engineering and Computer Science at Blekinge Institute of Technology in partial fulfilment of the requirements for the degree of Master of Science in Software Engineering. The thesis is equivalent to 10 weeks of full time studies.

Contact Information:

Author(s): Dan Ekström
Address: Ulrikedalsvägen 2 U, 224 58 Lund
E-mail: dan@ekstrom.com

University advisor(s): Håkan Grahn, Department of computer science

Department of Software Engineering and Computer Science
Blekinge Institute of Technology
SE - 372 25 Ronneby
Sweden

Internet: www.ipd.bth.se
Phone: +46 457 38 50 00
Fax: +46 457 271 25
Abstract

Wireless equipment offers several possibilities which make it more attractive than the wired alternative. Meetings or temporary office spaces could be assigned with less consideration of the presence of permanent networking facilities. It also makes it possible for users to create ad-hoc networks simply by being within a certain range of each other, which facilitates information sharing. Since information is broadcast over the air, it also requires stringent security measures. Vendors of wireless equipment have their own non-standard security solutions, which lock in the acquirer. For this reason I study standard security schemes which could be applied independently of the wireless device manufacturer. The techniques that I have chosen are IPSec, Kerberos and MS Passport. The study describes each technique from the perspectives of manageability, security, performance, compatibility, cost and ease of implementation. The result is a comparison of the studied techniques. I conclude with a recommendation to use a combination of IPSec and Kerberos to enhance the security of a wireless local area network, and a reservation towards MS Passport.

Keywords: Security, Kerberos, IPSec, MS Passport, Wireless local area network
Table of contents

Introduction
  Background
  Research questions
  Methodology
  Scope of this thesis
  Thesis outline
Introduction to computer security
  Security services
  Security mechanisms
  Threats
  Summary
Introduction to wireless local area networks
  Wireless local area network topology
  Bluetooth
  HiperLAN and HiperLAN/2
  HomeRF
  IEEE 802.11
  Comparison of WLAN techniques
  Summary
Security issues in IEEE 802.11b
  Service set identifier
  MAC-address access list
  Wireless equivalent privacy
  Deployment of access points
  Criteria
  The standard security techniques
  Summary
Internet Protocol Security
  Security databases
    Security policy database (SPD)
    Security association database (SAD)
  Public key infrastructure (PKI)
    RSA
    The digital signature
    Message authentication code (MAC)
    MD5
    The secure hash standard (SHA-1) and the secure hash algorithm (SHA)
    Keyed-hashing for message authentication code (HMAC)
    Digital certificate
    Scenario
  Internet key management protocol
  Tunnel and transport mode
    AH
    ESP
  Setting up an IPSec Tunnel
  Evaluation
    Manageability
    Implementation
    Cost
    Level of security
    Scalability
    Compatibility
    Performance
  Summary
Kerberos
  Basic authentication procedure
  Kerberos version 5
    Differences between version 4 and version 5
    Cross realm authentication
    Key salt
  Evaluation
    Manageability
    Implementation
    Cost
    Security level
    Scalability
    Compatibility
    Performance
  Summary
Microsoft Passport
  Introduction
  Domain
  Authentication
  Secure Socket Layer (SSL)
  Evaluation
    Manageability
    Implementation
    Cost
    Level of security
    Scalability
    Compatibility
    Performance
  Summary
Comparison
  Manageability
  Implementation
  Performance
  Authentication
  Access control
  Confidentiality
  Data integrity
  Non-repudiation
  Compatibility
  Cost
  Scalability
  Summary
Conclusions
References
A Glossary
1 Introduction

Historically, information has been protected physically, and information security has been a matter of thick walls and good locks. This concept changed with the introduction of computer systems. Electronic documents have inherently different properties than physical documents. It is possible to make changes to them or to make copies without leaving fingerprints, DNA or other distinctive marks. They need security services to be able to possess the same qualities as physical documents and hence similar security. Another major influence on information security has been network security. Information has to be secure during transmission. The Internet has worked as a catalyst for wired network security. Recently wireless computer networks have been introduced to the broad masses. The inherent properties of radio communication offer even further challenges to security experts.

1.1 Background

Recent research [50, 49] has found that the wireless local area network (WLAN) standard 802.11b implements a poor encryption scheme that could compromise the WLAN's security. Because WLANs have been deployed at such a fast pace, security issues have to a great extent been left in the background by equipment manufacturers. In Stockholm, Sweden, on 2002-09-18, it was reported that only 30% of the investigated WLANs had proper security measures [12]. Although some proprietary security solutions exist, they limit the possibilities for end-users, providing a user lock-in and a future income source for the manufacturer of WLAN devices. The findings during the past year have led to a debate concerning security in 802.11b WLANs. This thesis will address the important issues regarding 802.11b WLAN security.

1.2 Research questions

What standard techniques exist that could be used to remedy the security flaws of 802.11b? First I will examine the IEEE 802.11b WLAN standard and relevant research to be able to identify weaknesses. Based on the weaknesses I will address certain areas of the standard techniques in the evaluation. The evaluated techniques will then be compared in each area, and this will lead to recommendations of which techniques are suited for the IEEE 802.11b WLAN.

1.3 Methodology

I will conduct literature studies in the area of computer network security to get a broad perspective of the domain in which this thesis lies. Then I will study literature about WLANs and finally the literature about the Institute of Electrical and Electronics Engineers (IEEE) 802.11b WLAN. This will lead to suggestions to improve the security in 802.11b and criteria to evaluate complementary techniques. The subsequent studies will be in the area of the various techniques that complement IEEE 802.11b. These will be evaluated with recommendations based on the criteria. The recommendation could be used to make an 802.11b WLAN more secure.

1.4 Scope of this thesis

This thesis will not revise the 802.11b standard and it will not make suggestions to the existing techniques used in the 802.11b standard. It will rather examine security techniques that are feasible to implement together with the 802.11b standard.

1.5 Thesis outline

The outline of the thesis from this point forward is as follows. The second chapter describes general electronic security objectives and electronic security services. The third chapter gives an introduction to the most popular WLANs. The fourth chapter describes security issues in the IEEE 802.11b WLAN as well as the areas in which the techniques in the following chapters will be evaluated. The fifth chapter introduces the Internet Security Protocol and its evaluation. Chapter six introduces Kerberos and an evaluation. The seventh chapter introduces Microsoft Passport and its evaluation. Chapter eight compares the three previously evaluated techniques. In chapter nine the thesis is concluded with a recommendation of the most proficient techniques to use.
2 Introduction to computer security

Digital as well as physical documents need protection. Digital documents have special security challenges compared to physical documents, see Stallings [47]. They can be copied without reduced quality and tampered with without leaving physical evidence, and physical proof of authenticity such as handwriting does not exist. They need additional security measures to be able to maintain the same level of security as physical documents.

2.1 Security services

Stallings argues in [47] that, by using various security services, it is possible for electronic documents to possess the same security attributes as paper documents. The IEEE defines security services such as those mentioned above. They appear in the Open Systems Interconnection (OSI) Security Architecture Standard ISO/IEC 7498-2 [50]. The concept comprises the security-related services of the OSI Basic Reference Model. Unfortunately the terminology used in this area is not completely consistent. The term authentication is commonly used to refer to both verification of identity and verification of integrity. The services from ISO/IEC 7498-2 [50] are summarized briefly below:

- Authentication exists in two forms: peer identity authentication and data origin authentication. Peer identity authentication exists to prevent masquerading. Data origin authentication could be used to reduce damage caused by denial of service attacks.
- Access control services use peer authentication in combination with certain rules to control access to certain resources. This is used to prevent authorization violation and denial of service.
- Confidentiality services are used to prevent information from being viewed by an unauthorized third party. Four types of this service exist: connection confidentiality, connectionless confidentiality, selective field confidentiality and traffic flow confidentiality. These four types offer various degrees of protection, ranging from the protection of an entire session to the protection of a single message. Besides protection against eavesdropping, the confidentiality service could protect against traffic analysis. It should not be possible to observe the source or destination of the data or any other characteristics of the data.
- Data integrity services make it possible to prevent data from being tampered with. As with confidentiality, various degrees of protection exist. Of course it is preferable to have session integrity. It prevents an unauthorized third party from inserting, deleting or replaying data.
- Non-repudiation services exist to make sure that participants in a communication session do not repudiate a transaction. Two forms of protection against this exist: non-repudiation with proof of origin and non-repudiation with proof of delivery. The first makes sure that the sender may not claim to not have performed a transaction or to not have sent certain data. The second provides some kind of proof that the transaction was performed or that data actually was accepted by the recipient.

To provide a security service, one or several mechanisms that prevent or interfere with attacks need to exist.

2.2 Security mechanisms

A security mechanism needs to be implemented in order to provide a security service. Various mechanisms exist to provide the security services defined in Section 2.1. The quality of an implementation of a mechanism may also vary. Security mechanisms often have the use of cryptographic techniques as a common denominator, see [47]. Examples of mechanisms are encryption and digital signatures.

2.3 Threats

Several fundamental threats to secure information handling and secure computer communication exist, and they could all be derived from the security objectives above. Security attacks vary much depending on the environment that is exploited. But they could be divided into these general areas, according to [47]:

- Interruption is when a system becomes unavailable or unusable. This attacks the availability of the system.
- Interception of traffic is an attack on confidentiality.
- Modification of data is an attack on integrity.
- Fabrication is an attack on the authenticity of data.

Another classification of attacks is to divide them into passive and active attacks. Passive attacks comprise analysis of traffic and release of message content. Active attacks comprise masquerade as another entity, replay of earlier captured data, modification of data, and denial of service by rendering computer resources useless. Concerning the passive attacks, it is important to keep a high level of protection at all times since it is hard to know when an attack is taking place. Active attacks may be easier to discover and prevent when they are taking place. If it is not possible to prevent them, it is possible to take countermeasures to limit the damage.

The end-user is very likely to be interested in security outside the WLAN as well as security in the WLAN. If a user sends traffic that is bridged to a LAN, the user needs a security mechanism that provides protection to the end point of the traffic flow. End-to-end security makes sure the data is secure all the way to the receiver. Techniques such as Internet Protocol Security (IPSec) could be used together with the WLAN to provide end-to-end security services.

2.4 Summary

Electronic documents need special protection since they possess unique qualities compared to paper documents. A generic model for security services is presented by ISO/IEC. Security mechanisms implement security services to prevent or ward off attacks. The security services and categorizations of the attacks provide an important security framework and vocabulary.
3 Introduction to wireless local area networks

Wireless local area network devices have recently gained immense popularity. The reasons for the success are that the equipment for setting up a WLAN has become cheap and is very easy to use. It lets laptops remain cordless within a certain area. This implies that meetings or temporary office spaces could be assigned with less consideration of the presence of permanent networking facilities. It also makes it possible for users to create ad-hoc networks simply by being within a certain range of each other, which facilitates information sharing.

Several competing WLAN standards exist. The most successful are Bluetooth, IEEE 802.11b, HiperLAN and HomeRF. They will be described briefly below. They all have similar characteristics and could be used in a similar manner. The network topology which they employ is described in the next section.

3.1 Wireless local area network topology

No common vocabulary exists in the WLAN sphere. I use the abbreviation AD (accessing device) for the laptop, terminal, or other intelligent device. I use the abbreviation AP (access point) for the permanent devices that could be used to bridge the WLAN to a wired local area network (LAN).

Two basic topologies exist: ad-hoc topology and infrastructure topology. The distinction in their names is basically the distinction in their topologies.

The infrastructure topology has APs that act as central controllers for the WLAN. The AP coordinates transmissions and receptions from multiple wireless devices within a specific range. It could also be used to bridge the WLAN to a wired LAN. The AP and the AD can find each other in two ways. A laptop or other smart device could identify the available APs by sending out probing frames to announce itself to the AP. The APs could also be configured to announce themselves by using beacon frames. An authentication and association process is started when the AD has settled for a specific AP.

In an ad-hoc topology the LAN is created by the wireless devices themselves. There is no central point for controlling traffic flow. Each device communicates directly with other devices in the network. In ad-hoc mode the ADs carry out the authentication and association processes.
3.2 Bluetooth

The Bluetooth consortium represents an alliance between mobile communications and mobile computing companies. The alliance was formed in 1998 by prominent manufacturers such as Ericsson, Nokia, IBM, Intel and Toshiba. One of the reasons for the development of Bluetooth was the existing jungle of connectivity options for letting different gadgets interoperate [40]. The protocol stack of Bluetooth is not represented by the classic seven layer International Standards Organisation (ISO) OSI reference model. This is because Bluetooth is intended to interoperate with modems, telephones and other devices. Bluetooth is meant to be the silver bullet of desktop gadget connectivity [19]. It could in its original form be categorized as a personal local area network (PLAN). Its reach has been extended and it can be used to set up ad hoc WLANs, although this was not its primary purpose. Its greatest advantage is that it has low energy consumption.

3.3 HiperLAN and HiperLAN/2

HiperLAN was developed by the European Telecommunications Standards Institute (ETSI) and was recently released. It could be argued that this standard is technically superior to 802.11b [41], e.g. HiperLAN has a higher transfer rate. It is not nearly as popular as 802.11b [19]. IEEE and ETSI are now working on complements to their respective standards to make them compatible. HiperLAN/2 is an emerging standard with a theoretical transfer speed of 54 Mbps.

3.4 HomeRF

HomeRF is developed by the HomeRF Industry Group and is a standard foremost aimed at residential homes. The standard comprises integrated voice, data and entertainment [41]. Today the equipment of 802.11b is just as cheap as HomeRF, and HomeRF has lost some of its important advantages compared to 802.11b.

3.5 IEEE 802.11

Ethernet has become the predominant LAN technology in the wired world. Defined by the IEEE with the 802.3 standard, it has provided an evolving, high-speed, widely available and interoperable networking standard. The open IEEE 802.3 standard resulted in a wide range of suppliers, products and price points for Ethernet users. Ethernet standards guarantee interoperability, enabling users to select products from different vendors, reasonably secure that they would work together.

In 1991, realizing that standards governing wireless LAN technology were needed for wireless LANs to gain broad market acceptance, Aironet pushed with other wireless makers for standards. Around 1992, wireless LAN makers began developing products operating in the unlicensed 2.4 GHz frequency band. This opened two additional vertical markets. Healthcare, with a highly mobile workforce, began using portable computers to access patient information. And as computers made their way into the classrooms, educational institutions began installing wireless networks to avoid the high cost of wiring buildings.

In June 1997 the IEEE, the body that defined the dominant 802.3 Ethernet standard, released the 802.11 standard for wireless local area networking. The IEEE 802.11 standard supports transmission in infrared light and two types of radio transmission within the unlicensed 2.4 GHz frequency band: Frequency Hopping Spread Spectrum (FHSS) and Direct Sequence Spread Spectrum (DSSS).

Today several 802.11 standards exist. The WLAN that will be addressed in this thesis is the IEEE 802.11b standard. The standard first emerged as 802.11 in 1997 and it was revised in 1999, when the supplement 802.11b was added. The standard covers systems in which an omnidirectional wireless radio generates a nominal 2.4 GHz carrier wave that communicates over a theoretical range of 1,000 feet (and a practical limitation of less than 350 feet) with devices, typically laptops, equipped with 802.11b transceivers [53]. Further reading about the standard is found in the original proposal from 1997 [50] or in the revised proposal from 1999 [23].

When 802.11b was developed it was thought of as a replacement for wired networks. The architecture of the 802.11b standard comprises the following layers of the OSI model:

- Physical 802.11 layer
- MAC 802.11 layer
- Data link 802.2 layer

This thesis will focus on the 802.11b standard because of its popularity and its need for enhanced security.

Since the first standard 802.11 emerged in 1997 several revisions have been made. The revisions include:

- 802.11j, whose purpose is to be compatible with HiperLAN.
- 802.11i introduces a new security scheme.
- 802.11h counters EU-area interference legislation issues.
- 802.11e adds quality of service capabilities to 802.11h.
- 802.11g raises the transfer rate to 54Kbit/sec.

For further reading about the revisions, a starting point would be [22]. Below is a short summary and comparison of the most important qualities of the WLANs.
3.6 Comparison of WLAN techniques

Table 1 summarizes origin, data transfer rate and range of the techniques that are described above.

Protocol     Origin                   Data transfer rate (Mbps)   Topology
HiperLAN     ETSI                     19                          Peer to peer
HiperLAN/2   ETSI                     54                          Peer to peer or APs
802.11b      IEEE                     11                          Peer to peer or APs
Bluetooth    Bluetooth Consortium     1                           Peer to peer
HomeRF       HomeRF Industry Group    10                          Peer to peer or APs

TABLE 1. Comparison of WLAN techniques

The range of the technologies is hard to define since it may vary depending on the environment, such as indoor or outdoor deployment, and on which antennas are used. Bluetooth has the shortest range and slowest data transfer rate [19]. HiperLAN/2 has the highest data transfer rate and also a high range [41]. HiperLAN, HiperLAN/2, HomeRF and 802.11b are all very power consuming compared to Bluetooth. Bluetooth suits handheld and other similar devices best due to its low energy consumption. 802.11b is the most popular technique and its popularity is growing, despite it not being the most technically proficient, most secure or least power consuming.

3.7 Summary

Several capable techniques exist to create a WLAN. The most popular standard today is 802.11b, although it does not excel in technology, security or low energy consumption. Attempts are made by all standard organizations to make the standards more compatible. Some of the revisions of 802.11 comprise attempts to introduce further security mechanisms. A large organisation will find it inconvenient to wait for standards to evolve, and much easier to integrate various vendors' products if standard security techniques are used. This thesis will focus on how to make the 802.11b standard more secure using standard security techniques.
4 Security issues in IEEE 802.11b

Recent research implies that WLAN devices have several potential vulnerabilities as they are delivered in their standard edition [53, 50, 49]. The vulnerabilities exploit the nature of radio communication, which implies the possibility to compromise confidentiality of data. Additional security measures have to be taken to strengthen the weak default security schemes.

Since WLANs replace Ethernet cables with broadcast radio, confidentiality considerations are inherently different than in wired local area networks. In an unprotected WLAN anyone within reach of the radio signals could receive and send traffic. The 802.11b standard provides some basic technologies for authentication:

- Service set identifier.
- Media access control (MAC) address access lists.

The 802.11b standard tries to ensure integrity, confidentiality and authentication by the wireless equivalent protocol (WEP).

4.1 Service set identifier

The service set identifier (SSID) is used to let the AD's user choose among APs within the same reach or to create a roaming domain between multiple APs. The APs come with a default SSID for each manufacturer [17]. If the APs are configured not to send out beacon frames [7], the ADs must know the right SSID to make use of an AP. If the wireless encryption protocol (WEP) is disabled, as it often is when the AP is delivered [7], the SSID is sent in clear text, see [17], and it could easily be sniffed.

SSID is a very weak measure of security for the following reasons:

- Wireless equipment of the same brand has the same default SSID.
- In some configurations the SSID is broadcast in clear text by default.
- The SSID is stored by the AP and by the network interface card driver. Whether an association is allowed when the SSID is unknown by the AD is controlled locally by the network interface card's driver.
- The SSID does not provide an encryption scheme.

The points above show that a WLAN could hardly rely on an SSID solution to make the WLAN secure.

4.2 MAC-address access list

A stronger authentication is achieved by providing the AP with the unique MAC address that the AD carries. Each AP could be configured to contain a list of the MAC addresses of the ADs that are allowed to access the WLAN. Access control could be based on this rather strong authentication. It also makes it less likely that equipment is stolen and then used on the WLAN. No standard tool exists for updating all MAC-address lists on all APs from a central point. In addition to the administrative drawback, a MAC address could easily be spoofed [53] by a potential malicious user. Another important point is that it identifies an AD, and not a user.

Although MAC-list filtering provides a strong means of identifying ADs, it has the following drawbacks:

- The administration for a large network becomes very demanding since no standard exists for central point updating of the APs' MAC-address listings [7].
- A MAC address could be spoofed by a malicious user [53].
- It authenticates the network interface card, not a user.

4.3 Wireless equivalent privacy

The Wired Equivalent Privacy (WEP) algorithm is, as the name implies, a means to provide the WLAN with the equivalent security of a wired LAN. The definition of what equivalent security is cannot be found in the IEEE standard [50]. WEP provides the 802.11b standard with authentication and confidentiality services. The WEP algorithm defines the use of a 40-bit secret key for authentication and encryption. Many IEEE 802.11b implementations also allow 128-bit secret keys.

WEP is useful for the following reasons:

- It is built around the RC4 algorithm, which is supposed to be resistant to linear and differential analysis [40].
- It is adaptable to environments where nodes move in and out of a WLAN coverage area.
- It is exportable to a variety of countries.

WEP operates using a shared key between the ADs and the APs. The key is stored in a memory that is write-only. This makes it impossible for attackers to read the key from a device that already has been authenticated. The shared key approach makes updating of keys quite a manual job, since no secure way to update keys exists.

Authentication with WEP from a mobile device to an AP is a four step process:

1. The AD sends an authentication request to an AP in plain text.
2. The AP responds by generating a 128 bytes random challenge text that is sent to the AD in plain text.
3. The AD copies the data into an authentication frame and encrypts the frame using the shared key. The shared key has previously been distributed to the AD.
4. The AP then decrypts the frame using the shared key. Depending on the outcome of the decryption the AD is granted access to the WLAN or not.

WEP also uses a symmetric key infrastructure. A principal limitation to this security mechanism is that the standard does not define a key management protocol for distribution of these keys [7]. This presumes that the secret shared keys are delivered to the AP via a secure channel independent of IEEE 802.11b. This becomes even more challenging when a large number of stations are involved.

The WEP algorithm is rather unsuccessful in several areas. It has several flaws, first discovered by [50] and exploited by [49], and has been widely criticized. The WEP algorithm is vulnerable to traffic analysis and, depending on how much the WLAN is utilized, the encryption could be cracked in a few hours. The critique is summarized below:

- A part of the encryption scheme called an initialization vector uses a pattern that is possible to predict and makes it possible to decrypt WEP messages. Hence it is vulnerable to the passive traffic analysis attack.
- Static-key architecture makes it hard to protect keys.
- No standard exists for updating shared keys at APs or devices.

Another critique is that WEP is not an end-to-end solution, only allowing secure traffic between the AP and the AD or between two devices.
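The following Python model is an added example, not code from the thesis or from the 802.11b standard. It runs the four-step shared-key authentication and the WEP encapsulation described above (RC4 keyed with the initialization vector followed by the static shared key, plus a CRC-32 integrity value), and shows the check a monitoring tool can run for repeated initialization vectors, which is what the traffic-analysis critique rests on. The key, the simplified frame layout, the counter-based IVs and the sample frames are constructed assumptions.

```python
"""WEP shared-key authentication and IV reuse, modelled for study.

Added example, not code from the thesis. Simplifications (assumptions):
frames are IV(3 bytes) || ciphertext, the key-ID byte and 802.11 headers
are omitted, and the key and sample traffic are constructed.
"""
import os
import zlib
from collections import Counter

KEY = bytes.fromhex("0102030405")  # constructed 40-bit shared key


def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (key schedule, then output loop)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Send the IV in clear, then (plaintext || CRC-32) XOR RC4(IV || key)."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None when the integrity value does not match."""
    iv, body = frame[:3], frame[3:]
    clear = xor(body, rc4(iv + key, len(body)))
    plaintext, icv = clear[:-4], clear[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext


def shared_key_auth(ap_key: bytes, ad_key: bytes) -> bool:
    """Run the four-step exchange; True when the AP accepts the AD."""
    # Step 1: the AD sends an authentication request in plain text.
    # Step 2: the AP answers with a 128-byte random challenge in plain text.
    challenge = os.urandom(128)
    # Step 3: the AD encrypts the challenge with its copy of the shared key.
    response = wep_encrypt(ad_key, os.urandom(3), challenge)
    # Step 4: the AP decrypts with its own copy and compares.
    return wep_decrypt(ap_key, response) == challenge


def reused_ivs(frames) -> set:
    """Detection check: IVs that appear on more than one captured frame."""
    counts = Counter(frame[:3] for frame in frames)
    return {iv for iv, seen in counts.items() if seen > 1}


def same_keystream(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """With a static key, equal IVs give equal keystream: c1^c2 == p1^p2."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return xor(c1[:n], c2[:n]) == xor(p1[:n], p2[:n])


def sample_capture() -> list:
    """Constructed traffic: two stations that both count IVs up from zero."""
    a = [wep_encrypt(KEY, i.to_bytes(3, "big"), b"station A frame %d" % i)
         for i in range(3)]
    b = [wep_encrypt(KEY, i.to_bytes(3, "big"), b"station B frame %d" % i)
         for i in range(2)]
    return a + b


if __name__ == "__main__":
    print("matching keys accepted:", shared_key_auth(KEY, KEY))
    print("wrong key accepted:", shared_key_auth(KEY, b"\x09" * 5))
    print("reused IVs:", sorted(iv.hex() for iv in reused_ivs(sample_capture())))
    print("reuse exposes p1 XOR p2:",
          same_keystream(KEY, b"\x00\x00\x07", b"first payload", b"other payload"))
```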
4.4 Deployment of access points According to [39] many APs are deployed behind a firewall. This threat is most obvious when there is no encryption or authentication. Deployed behind the firewall, the AP transmits authorized packets from within the firewall to anyone outside the firewall. A potential intruder could get the opportunity to exploit inside trust from outside the firewall. This is a classic technique used by prominent hacker Kevin Mitnick. To avoid this the WLAN should be delimited from the LAN by residing in another subnet. An alternative would be to use a router which let the packets that belong in the address space of the wired LAN to remain in the Securing a wireless local area network 13
Security issues in IEEE 802.11b wired network. A bridge would be a security hazard since it let the packets of the wired LAN to be transmitted by wireless equipment. 4.5 Criteria It is clear that the 802.11b standard needs more efficient security mechanisms than the default ones. Before evaluations of additional techniques are performed, criteria of which areas that are important to strengthen must be established. These are criteria that are essential to the evaluation: Manageability of the network should be high. Administration of keys and MAC-addresses is an overwhelming burden in a large network. Improvement in manageability is needed. Implementation of the additional security scheme should be straightforward. Performance in the WLAN should not be affected by the additional security implementations. Level of security, various implementations of security services may offer various levels of security. Various users or applications may require different security levels. The level of security should be analyzed. Compatibility issues may hinder the use of other desirable techniques or implementation of a certain technique. The security technique should be compatible with existing techniques. Cost, the cost of various implementations should be analyzed. Scalability is preferable since enterprises could grow in high pace. The network will maintain its security level while being able to scale. 4.6 The standard security techniques In the next three chapters I will describe and evaluate three standard security techniques by using the criteria above. IPSec is comprehended by the IPv6 protocol and may also be used in 3G. It is foremost know for its capabilities of creating a virtual private network over a TCP/IP connection. This may be very convenient combined with a 802.11b WLAN. It resides on the transport level in the OSI model which make it transparent to applications. Kerberos aims at user authentication and access control which also need to be enhanced in 802.11b. 
Kerberos has been around for a while, which has resulted in a robust security protocol. It resides on the application level and could be combined with IPSec. IPSec and Kerberos suit closed environments best.

The last technique is chosen because it aims at being used in a non-closed environment, e.g. a motel or Internet café. It also resides at the application level in the OSI model and could be combined with IPSec.
4.7 Summary

The SSID should not be considered a security mechanism. The 802.11b WLAN has several strong mechanisms to provide us with security services, but they all need improvement. MAC-address authentication is a strong way to authenticate hardware, but the administration process needs improvement and it also needs to be complemented with human authentication. The WEP security scheme needs improvement in shared key distribution, and another technique needs to be used to ensure confidentiality since the encryption algorithm is vulnerable to traffic analysis. IEEE promises to bring wired equivalent security with WEP. What IEEE means by that is unclear, but it implies that the 802.11b WLAN needs the additional security measures that wired LANs need today. An end-to-end security solution would be preferable for the end-user. The next chapter will describe improvements to the current techniques.
5 Internet Protocol Security

The Internet and its protocol suite were designed to be used by the department of defence, and the main design objective was to provide flexible routing possibilities. Security was not an issue, [42]. Today, from a security perspective, it is considered to be obsolete, [46]. To meet the pressing demand for security in TCP/IP, Internet Protocol Security (IPSec) was developed. It is used in 3G and in the next generation Internet protocol suite IPv6, and it is common in virtual private network (VPN) solutions. It provides services that are conventional in modern and future security contexts, such as:

- Access control
- Connectionless integrity
- Origin authentication
- Replay protection
- Privacy/confidentiality

The degree of security and manageability is affected by the configuration of the Internet Security Association Key Management Protocol (ISAKMP), the IPSec mode, and the selected encryption levels and hash algorithms. This is explained in more detail below.

5.1 Security databases

Two databases are required to set up one inbound and one outbound communication link: a security association database and a security policy database, [55].

5.1.1 Security policy database (SPD)

This database defines which services can be offered to a client. It contains the network addresses that use IPSec to communicate and which level of
security they offer. It also defines the addresses at which IPSec is not offered, [55].

5.1.2 Security association database (SAD)

The SAD contains information for each security association. An association is an IPSec tunnel, i.e. an instantiation during a particular time of the parameters that the SA provides. Associated with the tunnel is the type of security encapsulation that is to be used. The encapsulation types are the authentication header (AH) [26] and the encapsulating security payload (ESP) [27].

A security association is created in a two-stage process. The first stage in the construction of a security association is concerned primarily with authentication and the exchange of encryption keys. The second stage involves the security association addresses, what traffic is to be protected and what encryption method will be used. A single SA negotiation results in two security associations, one inbound and one outbound, [55].

5.2 Public key infrastructure (PKI)

Whitfield Diffie and Martin Hellman laid the foundation for public key encryption and decryption, [6]. The problem of key distribution is that if two users want to communicate over a secure channel, they must share a secret key. To accomplish this, Diffie and Hellman realized that the key had to be asymmetric, so that an unauthorized third party could not reverse engineer the encryption to create a key that would decrypt the communicated data. The public key can be used by anyone who wishes to communicate securely with the party to whom it belongs. The other half of the key, the private key, is the only key that can decrypt what was encrypted with the public key.

Authentication is needed to protect Diffie-Hellman exchanges against the classic man-in-the-middle attack, [9]. Without authentication, a man-in-the-middle could plant alternate keys on one of the participants.
If the key exchange mechanism is protected by an authentication scheme, then Diffie-Hellman allows you to generate new shared keys for symmetric encryption which are independent of older keys, providing perfect forward secrecy. The client and the IPSec gateway have to agree on a few things to do a Diffie-Hellman exchange, hence the Diffie-Hellman parameters in the ISAKMP negotiation. The parameters define material used for generating keys. This includes two numbers: a large prime number and a seed. By default, ISAKMP/Oakley specifies two sizes of prime numbers and seeds. It is optional to add other sizes.

Diffie and Hellman never solved all problems regarding the asymmetric key. No asymmetric key existed mathematically at that time. It was Ron Rivest, Adi Shamir, and Len Adleman (RSA) who took the ideas of Diffie and Hellman to the next level and created an asymmetric key.
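The property described above, that an authenticated Diffie-Hellman exchange yields fresh keys and that substituted public values are detected, as an added Python example that is not from the thesis and does not reproduce the ISAKMP/Oakley message format. The prime `P`, the base `G`, the role labels and the tag construction are assumptions chosen for illustration; real deployments use the negotiated Oakley groups.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the negotiated parameters: a prime and a "seed" (generator).
# 2**521 - 1 is a Mersenne prime chosen for brevity; it is not an Oakley group.
P = 2**521 - 1
G = 3
WIDTH = 66  # bytes needed to hold a value modulo P


def dh_keypair():
    """Fresh private exponent and public value for one exchange."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)


def session_key(private, peer_public):
    """Derive a symmetric key from the shared Diffie-Hellman secret."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(WIDTH, "big")).digest()


def auth_tag(psk, role, own_public, peer_public):
    """Bind the sender's role and both public values to the pre-shared secret."""
    data = role + own_public.to_bytes(WIDTH, "big") + peer_public.to_bytes(WIDTH, "big")
    return hmac.new(psk, data, hashlib.sha256).digest()


def exchange(psk, replaced_public=None):
    """Run one exchange; `replaced_public` models a value altered in transit.

    Returns (authenticated, initiator_key, responder_key).
    """
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    # Public values as they arrive at the other side.
    i_pub_at_r = i_pub if replaced_public is None else replaced_public
    r_pub_at_i = r_pub if replaced_public is None else replaced_public
    # Each side tags what it sent and what it received.
    tag_i = auth_tag(psk, b"I", i_pub, r_pub_at_i)
    tag_r = auth_tag(psk, b"R", r_pub, i_pub_at_r)
    # Each side recomputes the peer's tag from its own view of the exchange.
    ok_at_i = hmac.compare_digest(tag_r, auth_tag(psk, b"R", r_pub_at_i, i_pub))
    ok_at_r = hmac.compare_digest(tag_i, auth_tag(psk, b"I", i_pub_at_r, r_pub))
    return (ok_at_i and ok_at_r,
            session_key(i_priv, r_pub_at_i),
            session_key(r_priv, i_pub_at_r))
```

Two clean runs of `exchange` give two unrelated keys, while a run with a replaced public value leaves the two sides with different keys and a failed tag check, which is the signal to abort the negotiation.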
5.2.1 RSA

RSA created an asymmetric key based on the multiplication of two prime numbers. Two prime numbers k and l are multiplied together to give N, which becomes the public key. It is computationally infeasible to reverse engineer N to see which prime numbers were multiplied. The derivation of k and l is known as factoring. This is performed by trying prime numbers until one is found that divides perfectly into N. If k 65 were multiplied with l 65 that would give N 130, which would take about 10 years to factor on a 500MHz computer, [6]. This makes N suitable as the public part of the asymmetric key.

5.2.2 The digital signature

Asymmetric keys may also be used for authentication. In this case N should be considered to be the private key and k and l the public parts of the key. N is used to encrypt a known value, which creates a signature. Anyone who wishes to confirm that the private key was used to encrypt the value uses the public k and l part to decrypt the signature and compares the result to the original value.

5.2.3 Message authentication code (MAC)

The problem with a digital signature is that it does not guarantee that the message associated with the signature has not been altered. The solution to this is to use a one-way hash function to reduce the information to a message digest. The digest is then encrypted with a one-time symmetric key. At the receiver, the decrypted message is hashed once again so that it can be compared to the decrypted message digest.

5.2.4 MD5

This message digest algorithm (RFC 1321) was invented by Ron Adleman and is a widely used hashing function. Although it has been proved to be vulnerable to attack, it is protected in IPSec by an operation called keyed hashing for message authentication (HMAC), [6].

5.2.5 The secure hash standard (SHA-1) and the secure hash algorithm (SHA)

The secure hash algorithm (SHA) is generally referred to as the secure hash standard (SHA-1).
These hashing techniques are based on the predecessor to MD5, called MD4. The main difference is that SHA-1 produces a 160-bit message digest, whereas the MDs produce a 128-bit message digest.
5.2.6 Keyed-hashing for message authentication code (HMAC)

Typically, MACs are used between two parties that share a secret key in order to validate information transmitted between these parties, see Section 5.2.4. HMAC is such a MAC mechanism based on cryptographic hash functions. HMAC can be used in combination with any iterated cryptographic hash function, such as MD5 and SHA-1. HMAC also uses a secret key for calculation and verification of the message authentication values.

5.2.7 Digital certificate

A digital certificate is an electronic data structure that binds the public key values to identifying information about the subject listed, and is digitally signed by the issuing certificate authority, [54]. The certificate assures any party using the public key that the associated private key is held by the correct remote subject. The issuing certificate authority (CA) has to be trusted in that assurance.

5.2.8 Scenario

Alice and Bob share a common trust point. They both use the same CA to have their certificates signed. This implies that they do not have to evaluate a chain of trust to determine the credibility of any other CA. The steps are described below:

1. Alice and Bob each generate a public and a private key.
2. Alice and Bob each provide their public keys, name, and descriptive information to a CA.
3. The CA generates a certificate for Alice's and Bob's public keys by formatting their public keys and other information, and then signs the certificate with the CA's private keys.
4. The results of this operation are that Alice and Bob each have a public and a private key and a public key certificate.
5. Alice and Bob each generate a secret symmetric key.

Now Alice and Bob each have a public and a private key, a digital key certificate issued by a common trusted third party (the CA), and a secret symmetric key.
In this example, in steps 1-5 Alice sends data that needs confidentiality and integrity to Bob, using a digital signature. Steps 6-10 involve Bob's decryption of the data. The steps taken to perform the transaction are as follows:

1. Alice hashes her message. The hash provides a unique value for the message and will later be used by Bob to test the validity and integrity of the message.
2. Alice concatenates the message and the hash and then signs (i.e. encrypts) these with her private key. Her signing provides message integrity. Bob is assured that only Alice could have generated the signature because only Alice has access to the private
key used to sign the message. Note that anyone with access to Alice's public key can recover the signed message. The message does not yet have confidentiality.
3. Alice encrypts the signed message and hash with her secret symmetric key. This key is only shared between Alice and Bob.
4. Alice must provide Bob with her secret symmetric key to enable Bob to decrypt the message. Alice encrypts her secret symmetric key using Bob's public key. This provides confidentiality over the transmission of Alice's secret symmetric key to Bob.
5. Alice forwards to Bob the original message and the hash, both encrypted with her secret symmetric key, and the digital envelope containing the secret key encrypted with Bob's public key.

Figure 1. Illustrates Alice using a digital signature to send data to Bob, [51] (steps 1-5).

6. Bob takes the digital envelope he received from Alice and decrypts it with his private key. The results of performing this operation provide Bob with the secret symmetric key that Alice
previously used to encrypt the message and the hash of the message.
7. Bob can now decrypt the encrypted message and hash using Alice's secret symmetric key. Bob now has the signed clear text message and the signed hash of it.
8. Bob now decrypts the signed message and hash of the message by using Alice's public key.
9. To ensure that no modifications have been made to the message, Bob takes the original message and hashes it using the same algorithm that Alice used originally.
10. Finally, Bob compares the hash he has just produced with the hash he recovered from the original message. If they match, he is assured of the message's integrity.

Figure 2. Illustrates Bob decrypting information from Alice, [51] (steps 6-10).

5.3 Internet key management protocol

The aim of the Internet Key Management Protocol is to establish, negotiate, modify and delete the parties' SADs (security association databases) so that they agree on algorithms and parameters, and to perform a key exchange. In other words, the protocol establishes and maintains the security associations that the Authentication Header and Encapsulating Security Protocols are to use.
The current protocol version combines the Internet Security Association Key Management Protocol (ISAKMP, RFC 2408), developed by the US National Security Agency (NSA), and the Oakley key determination protocol, developed at the University of Arizona. The ISAKMP [30] is used to negotiate mutually supported algorithms and mathematical structures for the Diffie-Hellman key exchange and the subsequent authentication step. The Oakley protocol [43] is used to actually exchange keys. More recently, ISAKMP/Oakley has been renamed the Internet Key Exchange (IKE), which will probably replace the ISAKMP at some point, [40]. The RFC document [20], which specifies the IKE, will ultimately result in a protocol that is elective for IPv4 implementations and mandatory for IPv6 implementations, [42].

The ISAKMP/Oakley and IKE proposal combines a key exchange with a subsequent authentication of the parameters. A key exchange occurs in three phases:

- Main mode uses an exchange of six different messages between the two IPSec endpoints to complete negotiation of authentication of the endpoints and keying material. This negotiation, if required, will provide Perfect Forward Secrecy (PFS), which means that, after the first two messages are exchanged, subsequent communication is protected.
- Aggressive mode authenticates the endpoints with only three messages, but it does not provide PFS. The negotiation of SAD properties is limited with aggressive mode.
- Quick mode is used after the tunnel is established to regenerate fresh key material. This mode does not authenticate the endpoints. The new key data is used to encrypt subsequent communications data. This is why 56-bit DES could be used in spite of its flaws.

To summarize the procedure: the main mode negotiation takes place with PFS hiding the negotiation of the first encryption hash and setting up the tunnel. Once that is established, quick mode can be run as often as desired. E.g.
as long as quick mode runs every 30 minutes, if someone breaks the tunnel and acquires the encrypted data stream, a maximum of 30 minutes of data can be compromised.

The authentication is accomplished using either a pre-shared secret or a digital certificate. In both cases the IKE protocol allows the authentication to be accomplished through derivative calculations, thus preventing the user's private key from being directly exposed in transmissions to the IPSec gateway. Before any ISAKMP/Oakley session starts, the IPSec gateway device has identified itself, obtained the CA certificate and submitted its own identity and public key information over the SCEP (Simple Certificate Enrolment Protocol), a protocol originally developed by CISCO.

After negotiations are completed, communication between the client and the server takes place encrypted, with whatever encryption algorithm is desired, in an authenticated tunnel. When the communication is complete, the tunnel is destroyed.
5.4 Tunnel and transport mode

IPSec can be implemented in one of two modes. Transport mode is used when two hosts converse directly with each other. Tunnel mode is used when a host converses with another through one or more secure gateways.

The fundamental difference between tunnel and transport mode is how the IP datagram is encapsulated. The tunnel mode protects the original IP header and reveals only the IP address of the IPSec gateway machine. The transport mode does not protect this original IP header and encrypts only the payload.

AH is used primarily for authentication and anti-replay protection. ESP is used primarily for authentication, encrypted data payload, anti-replay services or a combination of these features. A single SA can have AH or ESP but not both.

Mode | AH | ESP
Transport | Authentication of IP payload and selected portions of IP header | Encrypts and optionally authenticates IP payload, but not IP header
Tunnel | Authenticate entire inner IP header and payload, and selected portions of outer IP header | Encrypts and optionally authenticates inner IP header and payload

TABLE 2. Summary of the relationship between AH, ESP, transport- and tunnel mode in IPSec, [6]

The table above describes the relationship between the authentication header and the transport header in tunnel and transport mode.

5.4.1 AH

The AH protocol is used to ensure that the endpoint one believes one is communicating with is truly the correct one. AH is algorithm-independent, which means that AH will operate with the algorithm of choice, depending on the level of security required. The algorithm options are HMAC-MD5 or HMAC-SHA1. Optionally, AH will provide protection against replays (man-in-the-middle attacks). AH authenticates the packet including the upper protocol data, with the exception of the destination address. AH can be used alone, when only authentication is required, or in combination with ESP when a higher level of security is required.
5.4.2 ESP

The ESP protocol is used to provide encryption and limited traffic flow confidentiality. ESP is also designed to be algorithm-independent. The algorithm options are DES, 3DES, RC5, Blowfish, Idea and Cast. Other algorithms are currently being added. Only DES and 3DES are mandatory. DES in ESP is actually DES-CBC (Data Encryption Standard-Cipher Block Chaining), with an explicit initialization vector (IV) of 64 bits preceding the encrypted payload [37]. Including the IV in each datagram ensures that decryption of each received datagram can be performed, even if some are dropped or reordered. It is common practice to use random data for the first IV and then the last 8 octets of encrypted data from the previous encryption for the next IV. This process has the advantage of limiting the leakage of information from the random number generator.

5.5 Setting up an IPSec Tunnel

Below is a description of how IPSec works in terms of the IPSec components for two intranet computers. For simplicity, this example is of an intranet in which a computer has an active IPSec policy.

1. Alice, using a data application on Computer A, sends a message to Bob on Computer B.
2. The IPSec driver on Computer A checks with the SPD to determine whether the packets should be secured.
3. The IPSec driver notifies ISAKMP/Oakley to begin negotiations.
4. The ISAKMP/Oakley service on Computer B receives a message requesting secure negotiation.
5. The two computers establish a main mode SA and shared master key. If Computer A and Computer B already have a main mode SA from a previous communication (and master key PFS is not enabled and the key lifetimes have not expired), the two computers can begin establishing the quick mode SA.
6. A pair of quick mode SAs are negotiated. One SA is inbound and one SA is outbound. The SAs include the SPI and the keys that are used to secure the information.
7. The IPSec driver on Computer A uses the outbound SA to sign and, if required, encrypt the packets.
8. The driver passes the packets to the IP layer, which forwards the packets to Computer B.
9. The network adapter driver at Computer B receives the encrypted packets and passes them to the IPSec driver.
10. The IPSec driver on Computer B uses the inbound SA to validate authentication and integrity and, if required, decrypt the packets.
11. The driver passes the validated and decrypted packets to the TCP/IP driver, which passes them to the receiving application on Computer B.

Any routers or switches in the path between the communicating computers simply forward the encrypted IP packets to their destination.
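The SPD check (step 2), the use of the outbound SA (step 7) and the inbound validation (step 10) from the procedure above, as an added Python example that is not part of the thesis or of any IPSec implementation. It is a simplified, authentication-only model rather than the AH wire format: the addresses, SPI, key, the `SecurityAssociation` fields and all function names are assumptions made for illustration, and the last case in `demo` shows an address covered by the integrity check being rewritten in transit.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Constructed SPD: (source network, destination network, action); first match wins.
SPD = [
    ("10.0.2.0/24", "10.0.1.0/24", "PROTECT"),  # WLAN clients -> wired LAN
    ("10.0.2.0/24", "10.0.2.0/24", "BYPASS"),   # traffic staying on the WLAN
    ("0.0.0.0/0", "0.0.0.0/0", "DISCARD"),      # default: drop
]


@dataclass
class SecurityAssociation:
    spi: int          # security parameter index, selects the SA at the receiver
    key: bytes        # authentication key agreed during quick mode
    max_packets: int  # lifetime as a packet count; rekey when it is reached
    seq: int = 0      # last sequence number sent (outbound) or accepted (inbound)


def spd_lookup(src, dst):
    """Step 2: decide whether a packet is protected, bypassed or discarded."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in SPD:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "DISCARD"


def _icv(key, src, dst, spi, seq, payload):
    """HMAC-SHA1 over addresses, SPI, sequence number and payload, cut to 96 bits."""
    data = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!II", spi, seq) + payload)
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def protect(sa, src, dst, payload):
    """Step 7: sign an outbound packet with the outbound SA."""
    if sa.seq >= sa.max_packets:
        raise RuntimeError("SA lifetime reached: negotiate a new quick mode SA")
    sa.seq += 1
    return {"src": src, "dst": dst, "spi": sa.spi, "seq": sa.seq,
            "payload": payload,
            "icv": _icv(sa.key, src, dst, sa.spi, sa.seq, payload)}


def validate(sad, pkt):
    """Step 10: find the inbound SA by SPI, then check integrity and freshness."""
    sa = sad.get(pkt["spi"])
    if sa is None:
        return "no SA for SPI"
    expected = _icv(sa.key, pkt["src"], pkt["dst"], pkt["spi"], pkt["seq"],
                    pkt["payload"])
    if not hmac.compare_digest(expected, pkt["icv"]):
        return "ICV mismatch"
    if pkt["seq"] <= sa.seq:  # simplified replay check, no sliding window
        return "replayed"
    sa.seq = pkt["seq"]
    return "accepted"


def demo():
    key = bytes(range(20))  # constructed key; a real one comes from the negotiation
    outbound = SecurityAssociation(spi=0x1001, key=key, max_packets=3)
    sad_b = {0x1001: SecurityAssociation(spi=0x1001, key=key, max_packets=3)}
    results = []
    pkt = protect(outbound, "10.0.2.15", "10.0.1.20", b"hello Bob")
    results.append(validate(sad_b, pkt))  # first delivery
    results.append(validate(sad_b, pkt))  # same packet delivered again
    second = protect(outbound, "10.0.2.15", "10.0.1.20", b"second message")
    rewritten = dict(second, src="192.0.2.1")  # source address changed in transit
    results.append(validate(sad_b, rewritten))
    return results
```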
Security negotiations are not able to pass through a network address translator (NAT). ISAKMP/Oakley negotiation messages contain IP addresses within the encrypted or signed portion of the message. These addresses cannot be changed by a NAT, because the NAT does not have the shared secret key needed either to change the encrypted address within the message or to change the unencrypted address without invalidating the integrity check value (ICV).

5.6 Evaluation

IPSec is intended to be used instead of the security measures that come with IEEE 802.11b. An IPSec gateway is deployed behind the APs and is the first point of access on the network. Below, IPSec is evaluated by the criteria defined in Section 4.5.

5.6.1 Manageability

Manageability is the overriding concern in choosing which authentication method to use and how many types of users can be supported. In implementations that are going to experience only a few connections from a small number of users, a pre-shared secret key makes sense. In a setting with numerous users and many conflicting security requirements, a public key infrastructure (PKI) may be mandatory. Manageability is not an issue in choosing which encryption method, hash algorithm, and key size to utilize.

5.6.2 Implementation

An IPSec tunnel is created from the client through the wireless gateway and is terminated at the IPSec gateway in order to gain access to the wired LAN. The client side is fairly easy to implement, since support for IPSec exists in new versions of both free and proprietary operating systems. The procedure of connecting to an IPSec gateway is simple and should not be an issue for the user.

An IPSec gateway could be implemented using cheap hardware and free software for 10000 SEK. It should be installed with a wireless network interface card (NIC) and a wired NIC, and be configured with the proper SA settings to create a valid VPN.
Hardware solutions utilizing IPSec could be bought for 30000 SEK with ca 100 licenses from e.g. CISCO.

The best reference for deploying a PKI with its own CA is Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527). The service of maintaining users' certificates may as well be out-contracted. Both out-contracting and implementing it in-house are expensive.
5.6.3 Cost

The cost of software is minimal since IPSec is implemented in Windows 2000 and Windows XP. The IPSec gateway could be set up using a free UNIX or GNU/Linux. Proprietary products cost 30000 SEK for 100 clients. Additional cost lies in the training of personnel to set up the gateway and security policies together with IPSec. The free solutions require more knowledge to set up than the proprietary ones.

5.6.4 Level of security

The IPSec security protocol offers a strong encryption mechanism to prevent data being sent through the VPN tunnel from being decrypted if intercepted. Each phase in the creation of the SA's instantiation has an associated encryption level. According to the definition of IPSec, it must include the following encryption or hashing methods: Data Encryption Standard (DES) in cipher block chaining mode, MD5, SHA and two public key sizes. Most implementations of IPSec include 3DES.

Compared to MD5, SHA could be considered safer since it has a higher resistance to collisions, i.e. the same hash resulting from two different inputs. It requires more computing power than MD5. The MD5 hash has recently been exploited [6]; however, an IPSec solution could use the non-vulnerable HMAC variant. The hash methods also place various demands on hardware and have various performance impacts. SHA and Diffie-Hellman place higher demands on hardware.

DES is desirable since it places relatively low demands on the performance of the hardware. It has been repeatedly demonstrated that DES is vulnerable [15, 29]. As mentioned in Section 5.3, a timer can limit the lifetime of an SA using a certain key. Some implementations allow the lifetime to be set depending on the amount of traffic that passes between hosts. If the SA lifetime is kept sufficiently short, DES is still a viable encryption method. In Section 5.3 it is also stated that this negotiation can be repeated often during the session, with the interval negotiated as part of the IKE protocol.
The major differences that distinguish IPSec as being significantly more secure than WEP are:

- IPSec has a much longer key length than WEP. To be able to perform eavesdropping and decryption of an IPSec tunnel, acquisition of data from 2^36 new sessions each second for the next 20 years is required. These kinds of figures change fast with the introduction of new techniques and upgrades of current hardware performance, but today it offers a very attractive alternative to WEP, [46].
- IPSec allows a maximum of 2^32 packets to be encrypted with a single key. This interval could be set to an even lower value. This avoids exhausting the available vector space and thus prevents a
malicious user from performing a brute force attack even if every packet encrypted with the key could be captured, [46].
- The vector that is used in IPSec is 64-bit in length (20 in WEP). Thus, even though the chance of the IPSec vectors being reused is non-existent (no significant chance until after 2^32 packets), it would not create a significant exposure as with WEP, [46].

5.6.5 Scalability

A secure gateway, if it is used in a large environment, must have the ability to form many types of associations. A VPN gateway may have to accommodate a variety of user types. Access by any or all users may range from unlimited rights on the LAN to specific protocol service ports on designated machines.

Manageability and scalability increase if you choose to implement digital signatures or public key encryption. The PKI is used to authenticate a user based on the user's presentation of a certificate. The certificate method provides a high-performance means to instantiate individual SAs for the data flow between a vast range of devices with varying security requirements.

To increase bandwidth it is possible to deploy several APs on a single IPSec gateway.

Extended proprietary authentication should also be considered. Many vendors have implemented the ability to perform additional authentication using RADIUS [8] or TACACS+ [16]. Using an existing RADIUS or TACACS+ server would make the implementation and deployment much easier.

5.6.6 Compatibility

IPSec is implemented in Windows 2000 and Windows XP; needless to say, they are both common in corporate environments. Support for IPSec exists in non-proprietary environments such as free POSIX implementations.

IPSec is encapsulated as payload in an IPv4 packet and it is completely transparent to routers. It is also transparent to the users and their applications.

5.6.7 Performance

The performance of the WLAN after an IPSec implementation boils down to three parameters, [19]:

- The number of client machines.
- The particular IPSec algorithm.
- The speed of the processor of the gateway that IPSec is implemented on.
In [18] the following data transfer rates were presented. The data transfer rates were obtained during an experiment using a WLAN and an IPSec gateway. The IPSec gateway computer had a 133MHz processor, which obviously performs poorly compared to a desktop PC. The test was performed by copying a 1 Mb file between a client on the wireless network and a server on the wired network.

Protocol | Data transfer rates
Unencrypted | 604 Kb/s
WEP | 458 Kb/s
IPSec (DES/MD5) | 355 Kb/s
IPSec (3DES/SHA) | 209 Kb/s

TABLE 3. Data transfer rates comparison

It is clear that using IPSec degrades performance in this very limited environment, so more clients with different security preferences will degrade performance even more. It is possible during the ISAKMP negotiation phase to choose which encryption algorithm to use. This affects the performance of the session. If implemented on a PC, the requirement for a fast processor will increase as the network grows. It is possible to acquire a PCI card which handles DES or 3DES encryption in hardware. This will increase performance compared to a software solution.

The performance investigation in [44] suggests that by obtaining a maximum bound for the parameters that define the service, maximum performance is attained. These are the parameters:

- Number of simultaneous VPN session requests.
- Rate of VPN session requests.
- Number of sites per VPN.
- Number of routes per VPN.
- Number of VPNs per provider equipment.

In larger environments IPSec routers or VPN routers should be used; they are not likely to suffer from the poor performance of a software-implemented VPN network. In [44] it is further suggested that the size of the transmitted packets should be increased to increase throughput. It is also recommended to reuse tunnel properties if possible, as well as implementing a distributed SA.

5.7 Summary

IPSec provides an excellent alternative to all of 802.11b's security mechanisms.
Using IPSec it is possible to choose the level of security with respect to performance. The less hardware-demanding encryption and hashing algorithms in IPSec have already been shown to be vulnerable. Unlike with WEP, with IPSec it is possible to
choose one of the more hardware-demanding encryption and hashing algorithms and enjoy the security.

Deployment of keys in IPSec is much like in WEP. IPSec uses keys that have to be pre-shared if PKI and certificates are not used. But contrary to WEP, IPSec deployment could easily be scaled using certificates and PKI. The use of a PKI makes the solution easy to manage compared to WEP, where this is not possible at all. PKI could be demanding to implement in-house, and out-contracting of the service should be considered. Considering the level of security that PKI and certificates offer, it should be considered by large companies.

The price of implementing IPSec is low, considering that client implementations already exist in Win2000, WinXP, GNU/Linux and UNIX. Proprietary IPSec routers cost ca 30 SEK per user, buying 100 licenses. It is also possible to use a PC system if cost is an issue. However, if cost is an issue, dedicated resources to set up and maintain such a system probably do not exist. Implementing PKI is costly whether it is out-contracted or done in-house.

The only reason for considering IPSec in a small network is that it offers the advantage of a higher level of privacy and authentication, since scalability and manageability come with the use of public key infrastructure.

IPSec could be implemented in a manner so that it brings additional security to dialled-up remote access or access over the Internet to the wired network. It is possible to combine IPSec with existing authentication techniques such as RADIUS or TACACS+.
6 Kerberos

Kerberos [47, 40] is a widely deployed protocol, aimed at repeatedly authenticating a client to multiple application servers based on a single login. Kerberos makes use of various tickets, encrypted under a server's key unknown to the client, which, when forwarded in an appropriate request, authenticate the user to the desired service. A formalization of Kerberos 4, the first publicly released version of this protocol, was given in [4]. It has since been revised, resulting in Kerberos version 5 beta.

6.1 Basic authentication procedure

Kerberos, developed in 1983 based on the work of Needham and Schroeder [36], is an authentication protocol used to identify a client in an open network. Network authentication using Kerberos involves a four step process. A simplified overview is found below:

1. A message is sent from the client to the key distribution centre (KDC), identifying itself and requesting a ticket with which to gain access to the network [40].
2. The KDC receives the request, then selects a session key and generates the ticket to send back to the client. (The information that is stored in the ticket is the identification of the client, the session key, and the time stamp, which specifies the start and end times for the session.) This ticket is encrypted with a key only known by the KDC and network server, and sent to the client [40].
3. The client decrypts the message with the session key and caches the information (ticket and session key). The client then sends a message to the network server containing the ticket and a message encrypted with the session key [40].
Kerberos 4. If the client requires a mutual authentication, then the network will encrypt a message with the session key and send it back to the client [40]. Once the client gains access to the network, it erases the ticket and session key because the key is only needed in order to gain a ticket from the ticket granting service authenticating the client [6]. As long as both the client and server are able to decrypt the information, the client will gain access to the network [40]. A client can use a ticket granting ticket to obtain several service tickets. A service ticket could be used for repeated service from the application service before it expires. In both cases a new authenticator is required for each use of the tickets, [7]. Figure 3. Abbreviations The abbreviations above in Figure 3 are going to be used in the remaining paper. A ticket is used to securely pass information about the person which the ticket was made out to. The ticket is sent between the authentication service and the service which contains the service that the user wants to have access to. The user gets a ticket per service and server. The ticket contains the name of the server that provides the service, the clients IP, a timestamp, a lifetime and a random session key. The information in the ticket is encrypted with a key that belongs to the server which provides the service. To summarize a Kerberos ticket consists of: {s, c, addr, timestamp, life, K s,c }K s. When the user logs on to a Kerberos system requesting a service he or she provides a username. The first thing that happens after that is that a request is sent to the authentication server containing the users name and the name of the ticket granting server. The Kerberos server looks up the user in its database and creates a ticket that is encrypted with the key that the user and the Kerberos server share. The content of the ticket is encrypted with a key that the authentication server and Kerberos share. 
The ticket contains the client's name, the name of the ticket granting server, the current time, a lifetime, the client's IP and a random session key. This is illustrated in Figure 4 below.

Figure 4. Getting the initial ticket, [45].

When the user receives the encrypted ticket, he or she is asked to provide the password, which is used to decrypt the ticket and random session key. When the user wants to request a service, the client creates an authenticator which consists of the client's name, its IP and the workstation's current time. This authenticator is encrypted with the key that was part of the ticket. The client sends the authenticator and ticket to the server that provides the service. When the server receives the authenticator and the ticket, it decrypts the ticket and the authenticator. It then compares the information in the ticket to the information in the authenticator: the time and the IP address of the client. If they match, the client is allowed to proceed. Figure 5 below illustrates this session.

Figure 5. Requesting a service, [45].

The client should not trust that the server providing the service is who it claims to be, so it should request mutual authentication. To do so, the server adds one to the client workstation's timestamp and encrypts it with the session key. The procedure is illustrated in Figure 6.

Figure 6. Mutual authentication, [45].
The service of obtaining a ticket to a service works in a similar fashion to that described above. A client sends a request to the ticket-granting server. The request contains the name of the server for which a ticket is requested, the ticket-granting ticket and an authenticator built as described above. The ticket-granting server checks the authenticator and ticket-granting ticket as above. If the information provided by the client is valid, the server generates a new random session key to be used between the client and the service for which the client is requesting a ticket. This process is illustrated below in Figure 7. The ticket contains the client's name, the server's name, the current time, the client's IP and the new session key that was just generated.

Figure 7. Getting a service ticket, [45].

The service granting server sends the ticket and a session key back to the client. The package is encrypted with the session key in the ticket granting ticket. This way the user does not have to enter his or her password again. This whole scenario is illustrated in Figure 8 below.

Figure 8. Kerberos authentication protocols, [43].
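The exchanges described in section 6.1 (initial ticket, service ticket, service request and mutual authentication), as an added Python example that is not part of the thesis. The principal names, address, password and clock value are constructed, and the HMAC-based `seal`/`unseal` pair and the PBKDF2 `string_to_key` are stand-ins for the DES encryption and password conversion that Kerberos itself uses.

```python
import hashlib, hmac, json, os

LIFE, SKEW = 8 * 3600, 300   # ticket lifetime and allowed clock skew, seconds (constructed)

def _stream(key, nonce, n):
    out = b""
    for i in range(n // 32 + 1):
        out += hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, obj):
    """{obj}key: toy encrypt-then-MAC built from HMAC-SHA256 (stand-in for DES)."""
    plain, nonce = json.dumps(obj).encode(), os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return body + hmac.new(key, b"mac" + body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct)))))

def string_to_key(password):
    # One-way conversion of a password into a key (assumption: PBKDF2 as a stand-in).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 10_000)

def authenticator(session_key, client, addr, now):
    return seal(session_key, {"c": client, "addr": addr, "timestamp": now})

def check(server_key, ticket, auth, peer_addr, now):
    """Server side: decrypt the ticket, then the authenticator, then compare them."""
    t = unseal(server_key, ticket)
    k = bytes.fromhex(t["K"])
    a = unseal(k, auth)               # fails unless the sender knows the session key
    if a["c"] != t["c"] or not (a["addr"] == t["addr"] == peer_addr):
        raise ValueError("client name or address mismatch")
    if abs(now - a["timestamp"]) > SKEW:
        raise ValueError("authenticator timestamp outside clock skew")
    if not t["timestamp"] - SKEW <= now <= t["timestamp"] + t["life"]:
        raise ValueError("ticket not valid at this time")
    return t, a, k

class KDC:
    def __init__(self, principals):
        self.keys = {name: string_to_key(pw) for name, pw in principals.items()}

    def _issue(self, reply_key, server, client, addr, now):
        k = os.urandom(32)            # fresh random session key K_s,c
        ticket = seal(self.keys[server], {"s": server, "c": client, "addr": addr,
                                          "timestamp": now, "life": LIFE, "K": k.hex()})
        return seal(reply_key, {"K": k.hex(), "ticket": ticket.hex()})

    def initial_ticket(self, client, addr, now):
        # Reply is readable only with the key derived from the user's password.
        return self._issue(self.keys[client], "tgs", client, addr, now)

    def service_ticket(self, server, tgt, auth, peer_addr, now):
        t, _, k_tgs = check(self.keys["tgs"], tgt, auth, peer_addr, now)
        return self._issue(k_tgs, server, t["c"], peer_addr, now)

def serve(service_key, ticket, auth, peer_addr, now):
    """Application server: answers with {timestamp + 1}K for mutual authentication."""
    _, a, k = check(service_key, ticket, auth, peer_addr, now)
    return seal(k, {"timestamp": a["timestamp"] + 1})

def open_reply(key, reply):
    r = unseal(key, reply)
    return bytes.fromhex(r["ticket"]), bytes.fromhex(r["K"])

def run(now=1_000_000):
    kdc = KDC({"alice": "correct horse", "tgs": "tgs-secret", "files": "files-secret"})
    addr, files_key = "10.0.0.5", kdc.keys["files"]   # the service shares its key with the KDC
    as_reply = kdc.initial_ticket("alice", addr, now)
    tgt, k_tgs = open_reply(string_to_key("correct horse"), as_reply)
    tgs_reply = kdc.service_ticket("files", tgt, authenticator(k_tgs, "alice", addr, now), addr, now)
    ticket, k = open_reply(k_tgs, tgs_reply)

    def ok(fn, *args):
        try:
            fn(*args)
            return True
        except ValueError:
            return False

    proof = unseal(k, serve(files_key, ticket, authenticator(k, "alice", addr, now), addr, now))
    good = authenticator(k, "alice", addr, now)
    forged = authenticator(os.urandom(32), "alice", addr, now)   # ticket copied, key unknown
    return {
        "mutual_auth": proof["timestamp"] == now + 1,
        "wrong_password": ok(open_reply, string_to_key("guess"), as_reply),
        "stolen_ticket_without_key": ok(serve, files_key, ticket, forged, addr, now),
        "other_address": ok(serve, files_key, ticket, good, "10.0.0.66", now),
        "stale_authenticator": ok(serve, files_key, ticket, good, addr, now + SKEW + 1),
    }

if __name__ == "__main__":
    print(run())
```

Only the first entry of the result is true: a copied ticket is rejected without the session key, from another address, or with an authenticator older than the allowed skew.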
6.2 Kerberos version 5

Some of Kerberos' most important features were introduced in version 5. Below is a description and motivation of these features.

6.2.1 Differences between version 4 and version 5

Kerberos version 4 is still being used, mostly because version 5 is not considered to be completely stable. The major changes in version 5 are:

- Support for algorithms other than DES.
- Support for forwardable, renewable, and postdatable tickets.
- Kerberos tickets can now contain multiple IP addresses and addresses for different types of networking protocols, e.g. UDP can be used.
- Support exists for storing the users' authenticators on the server, so that authenticators are not vulnerable to replay.
- Support for transitive cross-realm authentication exists.

6.2.2 Cross realm authentication

It is possible to configure a Kerberos realm so that Kerberos servers in one realm can authenticate to Kerberos servers in other realms. This is called cross-realm authentication. Kerberos 5 supports a variant of this called transitive cross-realm authentication. This variant consists of a path of realms connected via cross-realm secrets. This path can be used to hop between realms until you get credentials in the desired realm. When you set up a cross-realm secret, you are in essence trusting the remote KDC to only issue cross-realm tickets for the correct users. This could bring insecurity to several realms if security is compromised in one realm.

6.2.3 Key salt

In Kerberos, as mentioned above, you prove your identity by being able to decrypt or encrypt data using an encryption key that you share with the KDC. This key is actually derived from the password that the user types in when logging on. It is converted with a one-way hash algorithm. In version 4 of Kerberos this is a DES key, and in version 5 it can be a key for any cryptographic algorithm.
Another feature of version 5 is that a salt is used in conjunction with the password and passed on to the conversion function. In version 4, a key compromised in one realm could compromise all the other realms in which the user has the same password [13]. In Kerberos 5 the complete principal name (including the realm) is used as the salt. This means that the same password will not result in the same encryption key in different realms or with two different principals in the same realm.

6.3 Evaluation

Kerberos has several weaknesses and limitations. To adopt Kerberos these must be evaluated.

6.3.1 Manageability

Kerberos users' and servers' keys are stored at the central Kerberos service, where the items are easily updated.

6.3.2 Implementation

Since Kerberos lies on the application level, all client applications have to be Kerberised. They have to be recompiled with Kerberos-enabled authentication. For some applications, this can be quite problematic due to their size or the frequency with which Kerberos libraries must be called. For other applications, changes must be made to the way in which the server and client side communicate. Closed-source applications that do not have Kerberos support by default are often the most problematic. A variety of common UNIX applications do support Kerberos, however. Applications which do not use Kerberos should not be used on the network, since they eliminate the features of Kerberos. Kerberos is an all-or-nothing solution, which is its foremost disadvantage.

The database stored on the Kerberos machine is very sensitive for obvious reasons. This machine needs to be as secure as possible. Preferably it should not run any services other than the KDC. It should only allow logins from the console and be locked up in a secure room. This machine also has to be reliable, or you should have configured a slave server, or both. Running the Kerberos server requires very little CPU power and a small amount of disk. Backing up your Kerberos database is critical. The backups should of course be treated with the same precautions as the server.

Migrating user passwords from the password file (/etc/passwd or /etc/shadow) to a Kerberos password database can be tedious, since no automated mechanism to perform this task exists.
6.3.3 Cost

Kerberos is free to download from MIT and is implemented in Windows 2000 Active Directory. The cost of client software that is implemented to support Kerberos varies.
6.3.4 Security level

Kerberos is based on secret-key cryptography; it could be argued that it would have been more secure using public key cryptography. Some security issues are:

Storing plain text keys in a workstation is generally considered to be a bad idea [35]. If the workstation is compromised, it is possible to carry out Kerberos requests using the keys stored on the workstation. A malicious user with physical access to a workstation may easily read the keys that are stored in an area where only root is allowed to read.

Another variant of the issue above arises if a malicious user is logged in at the same time on an authorized computer: it is possible to exploit the cached keys. In Windows, however, the keys are stored in memory that never gets cached to disk [33]. On workstations serving only one user at a time, it is not possible to log in after another user and try to exploit cached keys, since Kerberos attempts to erase old keys [35]. How extensively they are erased is not mentioned in [35].

Kerberos relies on the clients and servers having synchronized clocks [13]. The authenticator that the client creates lives for about five minutes, which, as suggested in [35], is more than enough time to get access to new tickets. Version 5 of Kerberos suggests eliminating this threat by storing current authenticators on the server. This may not be enough, since the child process receiving the request has to use a pipe or shared memory to communicate the authenticator to the forking process. This itself may require additional authentication. Nothing about this is mentioned in Kerberos version 5 or 4. To synchronize the clocks, a synchronization protocol using some kind of authentication should be used, so that the clock of a workstation cannot be tampered with.

Passwords may be guessed using a brute force program integrated with Kerberos, using the modularity in the public encryption system [37].
Kerberos hence relies on the user to choose a password that does not exist in a dictionary and is too long to crack in a reasonable amount of time.

The application that requires the user's password could be altered [37]. Kerberos hence relies on the client machine being secure.

Kerberos version 5 makes it hard to implement the countermeasure of one-time passwords, since the first response is encrypted using the user's password [35].

Kerberos assumes that you are using trusted hosts on a non-trusted network. Its primary goal is to prevent clear-text passwords from being sent across that network. However, if anyone other than the proper user has physical access to any of the hosts, especially the one that issues tickets used for authentication, the entire Kerberos authentication realm is at risk of being compromised.

Some features of Kerberos are:

- It provides several security services, including confidentiality, authentication and integrity.
- It ensures roaming between APs if they are set up to match the Kerberos realms. This brings uninterrupted application connectivity.
- Mutual authentication makes sure that rogue wireless APs cannot capture user data, and encryption prevents an AD operating in promiscuous mode from seeing user credentials in clear text.

6.3.5 Scalability

It is possible to extend Kerberos to work with public key infrastructure, as well as letting RADIUS or TACACS+ handle user credentials. Currently it is inherently very scalable and may potentially scale to support very large networks due to its origins.

6.3.6 Compatibility

In [5] it is pointed out that Kerberos is neither a peer-to-peer protocol nor a host-to-host protocol. It should only be used in a client-server environment to authenticate the end-user. It was designed to be used in a client/server environment such as the environment at MIT, where it has its origins. Kerberos is a standards-based security service (RFC-1510) available as an application suite and/or implemented in GNU/Linux, UNIX and Windows. Kerberos works the same in both a wireless and a wired environment, presuming the wireless environment is configured with APs.

In Windows 2000 and Windows XP, Kerberos is implemented in the network logon process [33] if Microsoft Active Directory is used. The Active Directory contains a copy of the usernames and hashed passwords. Microsoft claims to be compatible with Kerberos version 5, and it should be possible to use Windows clients with a UNIX server [33], although this has been a court issue between Microsoft and the creators of Kerberos at MIT.
Kerberos has only partial compatibility with the Pluggable Authentication Modules (PAM) system used by most servers running GNU/Linux.

6.3.7 Performance

Re-authentication to the network takes less than 40 milliseconds [7]. This is an exceptionally low overhead, which suits the bandwidth of 802.11b well. A computer that runs Kerberos on a UNIX-compliant operating system may be able to serve many users with low hardware requirements. Windows Active Directory requires more performance from hardware than the UNIX implementation.

6.4 Summary

Kerberos is hard to deploy since it requires Kerberized applications. It also requires servers and workstations to be time-synchronized with a time protocol that supports authentication. Workstations should not be allowed to have several users logged in at the same time. It does have strong authentication mechanisms, and it does not let users' credentials travel the network in clear text. However, 802.11b needs a strong privacy mechanism to protect traffic while applications are in use, since it broadcasts using radio. If already deployed, it should be excellent for authorising users, and it lets users authorise servers, making sure that they are not communicating with a rogue AP. If implemented to protect 802.11b traffic, it should be used together with applications that provide a strong privacy mechanism, such as SSH version 2.
7 Microsoft Passport

Microsoft (MS) Passport was created with the intention of providing a security service which comprises authentication and privacy and is available at a vast range of web sites. It uses techniques that are already available to the user, such as secure sockets, cookies and certificate handling, which are implemented in all common web browsers. Registration, authentication and re-authentication are handled by servers which belong to Microsoft.

7.1 Introduction

The objectives of MS Passport resemble those of Kerberos, since a user should only be required to log in once to access several services. MS Passport gives the user a ticket via HTTP, contained in a cookie that is valid on several sites. The difference between Kerberos and Passport is that Passport aims to provide authentication with existing techniques, with the Internet as the realm/domain.

The Passport protocol requires that the Passport server shares triple DES keys with each participating service. The keys are used to encrypt information transferred from Passport to the merchants in redirect messages. Described below are the steps required to register at a participating site or at passport.com; the steps are illustrated in Figure 9:
Figure 9. Microsoft Passport registration process, [36].

1. The user browses to Site A, a participating site or service, and then clicks the Sign In button [36].
2. The user is redirected to a co-branded registration page displaying the registration fields that were chosen by Site A. The minimum number of fields required is two: email and password. Here the user chooses whether or not they want to share their information with other Passport-enabled sites that they sign in to [36].
3. The user reads and accepts the terms of use and submits the form [36].
4. The user is then redirected back to Site A with their encrypted authentication ticket and profile information attached [36].
5. Site A decrypts the authentication ticket and profile information and continues its registration process, or grants access to its site [36].

Below is a description of how Passport handles authentication of the user; the steps are illustrated in Figure 10:
Figure 10. The Microsoft Passport authentication process, [36].

1. The user browses to a participating site or service (Site A in this example). The user clicks the Sign In button or link [36].
2. The user is redirected to Passport [36].
3. Passport checks if the user has a ticket granting cookie in their browser's cookie file that meets the rules that Site A has set. If one is detected, the user skips to step 4 and never sees the Passport login UI. If the ticket granting cookie does not satisfy the rule on time since sign in was performed, then passport.com removes the information that Site A passed on the query string and redirects the user to a page that asks for the currently signed-in user's password. If the user enters the correct information, they proceed [36].
4. The user is redirected back to Site A with their encrypted authentication ticket and profile information attached (if the user has chosen to share it, and if it is present) [36].
5. Site A decrypts the authentication ticket and profile information, and signs the customer into its site [36].
6. The user accesses the page, resource, or service they requested from Site A [36].
No direct server-to-server communication of a user's authentication and profile information between Passport and participating sites exists. The information exchange occurs through the client's browser using HTTP redirects and cookies. However, MS Passport does perform server-to-server communication to periodically update operational information about the locations of Passport servers. This communication occurs from the participating servers to a set of MS Passport servers responsible for managing the MS Passport Network Map. According to Microsoft [36], this gives MS Passport the ability to provide redundancy without requiring your site to take on additional management burdens.

7.2 Domain

MS Passport is best suited to a public environment. An example of this is where a WLAN connection with Internet capabilities is rented out. Since the MS Passport authentication cookies are designed to contain additional information such as addresses and credit card information, it is well suited to letting a user log in and then get billed for his or her time online.

7.3 Authentication

Passport authentication messages are passed in the form of electronic tickets, which are used to tell Passport server software at your site that the user has signed in successfully. A ticket consists of parameters such as the time of the sign in, when the user last manually signed in, and other information that is useful to the authentication process. The MS Passport system handles these tickets as web cookies.

To get a ticket, a user with a Passport account clicks the standard Passport sign in logo on a participating site or tries to access a protected web page on a participating site. This redirects the user to a special page on passport.com. This page takes information that the participating site has appended to the URL and processes it. This allows the Passport service to know which site has referred the user, and which site to return the user to.
Once the information has been processed, Passport redirects the user to a page on Passport.net. This is done for two reasons. The first is to shorten the URL in order to make it easy for the user to casually verify that the address of the page is owned by Passport. The second is to separate the user interface from the domain in which the authentication cookies were originally written [36]. This helps prevent unauthorized access to the cookies, as browsers only allow you to read the contents of cookies that have been written at the site you are currently accessing [36].

On the passport.net page the MS Passport user interface (along with the participating site) appears, with links to Passport's privacy statement, terms of use statement, and member services page. Once the user enters their credentials, they are sent back to the passport.com domain. Once there and verified, MS Passport writes a cookie to the user's browser which stores information about this sign in. This is called a ticket-granting-cookie and it is used in subsequent sign in attempts. Then Passport redirects the user back to the participating site.
When the user arrives back at the participating site, they bring two encrypted packets of information attached to the query string. Software called the Passport Manager reads those packets and writes them as encrypted cookies in the participating site's domain. The first cookie contains the authentication ticket information. The second contains any profile information that the user has chosen to share and any operational information and unique identifiers that need to be passed. These packets are encrypted with a secret key that is shared between Passport and the participating site. This helps to ensure that only the participating site can decode these messages. How the shared keys are distributed is not defined in [36], but it is defined that they are not shared over the Internet. At this point the participating site knows that the user is authorized by passport.com, and it can use the MS Passport user id to look a user up in a database and perform authorization tasks.

When the user navigates to another MS Passport participating site, the new site has several choices to make about how it will authenticate this user. When the user clicks the sign in button, they are directed to the MS Passport service exactly as they were at their first sign in. The difference is that this time there is a ticket granting cookie saved in their browser that MS Passport can read. Since the ticket contains the time that it was issued, it allows the referring site to decide how fresh the cookie needs to be in order for it to be accepted. If the ticket meets the rules the site has chosen, the user is redirected back to the referring site along with the encrypted ticket and profile cookies. If the ticket is too old, the user is prompted to re-enter their credentials. All participating sites can choose how old the ticket-granting-cookie can be before they will reject it.
In addition, all participating sites have the option of requiring the user to re-enter his or her password regardless of what cookies they have, and their freshness.

7.4 Secure Socket Layer (SSL)

SSL is used to ensure privacy between the user and the participating MS Passport site. Digital certificates encrypt data using SSL technology, the industry-standard method for protecting web communications developed by Netscape Communications Corporation. SSL is divided into two layers, with each layer using services provided by a lower layer and providing functionality to higher layers. The SSL record layer provides confidentiality, authenticity, and replay protection over a connection-oriented reliable transport protocol such as TCP [18]. Layered above the record layer is the SSL handshake protocol, a key exchange protocol which initializes and synchronizes cryptographic state at the two endpoints. After the key-exchange protocol completes, sensitive application data can be sent via the SSL record layer. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on their SSL capabilities.

SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the session key generated by every encrypted transaction [18]. Since the introduction of Netscape Communicator 4.0, users have been able to encrypt transactions in 128-bit sessions. Global companies that require international transactions over the web can use a global server certificate program to offer strong encryption to their customers. The certificate is used initially to exchange keys. Then symmetric encryption is used. The symmetric key's lifetime is the same as the session's.

SSL provides end-to-end security; it has been around for a while and has therefore been thoroughly examined [10]. It has been shown to have several flaws, which have been corrected. Today it is widely used on the Internet and it has high credibility [10].

7.5 Evaluation

7.5.1 Manageability

The process of acquiring a Passport account is easy. The functionality is integrated in Windows XP. The account data is stored at Microsoft's central servers. As a result, the participating sites don't have any control over the users. The process of maintaining a status which complies with Microsoft's standards could be demanding. Additional information is needed to know about this. Without knowing about all the factors involved, the manageability of MS Passport seems to be very high.

7.5.2 Implementation

The implementation is straightforward. The requirements are the .NET server with the software called MS Passport Manager installed on it. A participating-site account is set up at Microsoft when the server is purchased. Microsoft has additional requirements which may be requested from Microsoft before the purchase. These are probably the requirements which are audited by Microsoft at the compliance testing.

7.5.3 Cost

It is free to sign up for an MS Passport account. To be an MS Passport participating site, one must sign a three-year agreement with Microsoft. The operating system required is Windows with .NET server capabilities. The annual cost for being a participating site is 100000 SEK. Microsoft also reserves the right to perform compliance testing at any time, which costs 15000 SEK.
7.5.4 Level of security

Passport encrypts information for itself and stores the information in Passport cookies on client machines. A single key is used to encrypt all of the cookies. This represents an unnecessary risk of exposure of that key [28].

Storing this information in a central location, while convenient, makes the server an extremely attractive target for attack, both for denial of service and unauthorized access. The centralized service model is antithetical to the distributed nature of the Internet that has made it so robust and so popular [28].

Passport leaves authenticators, in the form of browser cookies, on the client machine. As the white paper states [36]: "This option keeps a consumer signed in to Passport at all times on that computer even if the consumer disconnects from the Internet, closes the browser, or turns off the computer." The idea is to have a persistent authenticator so that users are not required to retype their passwords. The Passport server does not have to reissue credentials if the cookie has not expired yet. Kerberos uses tickets, which are encrypted credentials, to establish continuous authentication within a specified amount of time, without requiring a return trip to the authentication server.

However, MS Passport is lacking one of the fundamental properties of single sign-on with tickets. There is no concept of an authenticator. In Kerberos, the client must send an authenticator that proves knowledge of the key inside the ticket. To accomplish this, the client simply encrypts a timestamp. If the timestamp can be decrypted, the client must have used the correct key. This prevents theft and misuse of a ticket found lying on a machine. In Passport, where cookies comprise tickets, possession of the cookie is all that is necessary to impersonate the valid user of that cookie [28]. Furthermore, the breach is undetected, and the attacker gets unlimited use of the victim's authentication information. This is especially dangerous if a user uses Passport on a public machine, or if the user's machine is broken into.

Since MS Passport users get redirected at authentication, the scheme is vulnerable to DNS attacks, proxy attacks and attacks that involve forging of the participating site's user interface [28].
This is possible since the request for a redirection of the user may be spoofed, and a real request for redirection of the user could be altered to send the user elsewhere.

User information which MS holds for authentication purposes is encrypted with 3DES when written to Microsoft's hard drive.

7.5.5 Scalability

Hotmail and MSN Messenger use MS Passport to authenticate users, which implies that MS Passport already has a large base of regular users. It is probably hard for Microsoft to scale their servers to handle more requests with the Internet as their domain.

7.5.6 Compatibility

The MS Passport client is a web browser which supports SSL and cookies. This is the case with all modern web browsers. In my tests it was not possible to sign out using MS Passport on hotmail.com with Mozilla 1.2 as the web browser. The client requires a .NET-compatible operating system. The client may reside on any operating system that supports that kind of web browser, while the server operating system has to be a Microsoft Windows product.
7.5.7 Performance

The performance of MS Passport suffers from the encryption used during user authentication. Re-authentication may vary depending on the local MS Passport participating site's settings. Since a redirection to passport.com is required, the user may experience degraded performance due to local ISP maintenance tasks or other major Internet disturbances. Some countries may have geographic disadvantages since passport.com resides in Redmond.

7.6 Summary

MS Passport presented a novel and quite ambitious security scheme. Its target domain is the Internet and any user that wants to sign up. The user should only be required to log in once to any MS Passport participating site; when the user then browses to other MS Passport participating sites, they should be able to read the authentication cookie stored on the user's hard drive. This lets the user remain logged in without being required to type his or her password several times. Specific participating sites may, however, have specific demands regarding re-authentication, among other things having the user type his or her password again.

Its compatibility with existing user environments is excellent, using only a modern browser to provide all the security techniques required to log in. In spite of this, my test with hotmail.com did not work with Mozilla.

Its central architecture poses a great risk. It is also a great risk to store information in a browser that lets the user log in without typing their password. The cookie may be copied, or the user may be redirected to a malicious site requesting user authentication cookies. MS Passport should be considered to be insecure.
8 Comparison

Below is a comparison of the three techniques that are evaluated in the thesis. The chapter ends with conclusions about the 802.11b WLAN and the techniques.

The legend used to grade the examined techniques:

++   Very good
+    Good
-    Poor
--   Very poor

The grades reflect the extent to which each criterion is fulfilled.

Criteria                  IPSec   Kerberos   MS Passport
Manageability             -       -          ++
Implementation            +       --         +
Performance               -       ++         -
Authentication            ++      ++         -
Access control            N/A     ++         N/A
Confidentiality/Privacy   ++      +          +
Data integrity            ++      ++         --
Non-repudiation           ++      N/A        N/A
Compatibility             ++      --         ++
Cost                      +       ++         --
Scalability               ++      ++         -

TABLE 4. Comparison of the security schemes
8.1 Manageability

IPSec is easier to manage if certificates are used. Otherwise it is just as unmanageable as WEP or MAC authentication. Kerberos user and server keys are stored in the Kerberos server. IPSec and Kerberos could be extended to use RADIUS, which makes them both more manageable. The manageability of MS Passport is hard to estimate due to lack of information. Since the users and their credentials are handled by Microsoft, there is no need for local management of users or their credentials, which is considered excellent from the perspective of manageability.

8.2 Implementation

Kerberos is the hardest to implement since it resides on the application level and all applications have to be modified to support Kerberos. This is probably Kerberos' greatest disadvantage. The implementation of IPSec varies depending on the size of the company, whether hardware or software solutions are used and whether PKI is used. The implementation may be demanding if PKI is used. MS Passport requires an OS with .NET server capabilities and software called MS Passport Manager.

8.3 Performance

IPSec with decent security, i.e. with 3DES enabled, will make an impact on the quite modest bandwidth offered by 802.11b. So will MS Passport, which uses SSL, although only during its authentication phase. Kerberos, like MS Passport, will suffer from low throughput during authentication but not otherwise. The authentication in MS Passport may suffer from poor performance since MS Passport uses the Internet as its domain.

8.4 Authentication

IPSec, if using PKI, provides an excellent tool for authenticating users. Kerberos does this as well, making users use the ticket system, each time providing the ticket server with their shared secret. MS Passport resembles Kerberos. The user keeps a cookie which may only be read by a server at passport.com.
However, when the user is redirected to the MS Passport site, nothing prevents the user's HTTP redirect requests from being rewritten and the user from being redirected somewhere else. This gives MS Passport low scores.

8.5 Access control

Access control is excellent using Kerberos. Access control also exists in IPSec, using a policy to define which ports a group of users has access to. MS Passport does not include access control features.
8.6 Confidentiality

All services provide confidentiality: Kerberos and MS Passport during the authentication, and IPSec during the session.

8.7 Data integrity

MS Passport does not provide any data integrity while sending redirection commands. IPSec and Kerberos provide the service of data integrity, since packets that have been tampered with are discarded by both security protocols.

8.8 Non-repudiation

Non-repudiation is accomplished by e.g. digital signatures, which could be used in IPSec. Kerberos and MS Passport do not provide this service.

8.9 Compatibility

MS Passport uses existing web techniques and the user is only required to have a web browser installed. IPSec is transparent to user applications and may easily be integrated with a current network. Kerberized standard UNIX applications exist, as do many freely available modifications which implement the authentication with varying degrees of success. However, if a program does not exist in a Kerberized version it has to be developed. Recompiling a program is only possible if the source code is available. These two reasons create quite an obstacle to the deployment of Kerberos. Further, the network will be limited to acquiring and installing only Kerberized applications in the future. This gives Kerberos a low score in Table 1.

8.10 Cost

MS Passport is probably the most expensive due to its demand to sign up for three years. Kerberos is free and Kerberized applications are freely available in many cases. The cost of deploying IPSec varies depending on requirements, but it is cheaper than MS Passport.

8.11 Scalability

With the Internet as its domain, MS Passport will probably have a hard time scaling to the needs of a large user base. Serving several countries and the whole Internet, a large user base is in this case very large. IPSec could be extended with PKI, which will scale the solution. IPSec as well as Kerberos could use RADIUS to store its users' credentials, keys and certificates.
8.12 Summary

The three techniques have different objectives and provide different security mechanisms. IPSec provides privacy for a session using public key cryptography, Kerberos provides authentication and service control, and MS Passport provides global authentication for public services.

MS Passport's strength lies in its manageability and compatibility. It does not provide access control, data integrity or non-repudiation, and it is expensive. Kerberos' strength is its elaborate authentication scheme, and the strength of IPSec is its cryptography, which lets the user create a private communication tunnel over TCP/IP.

IPSec and Kerberos complement each other in the sense that IPSec does not have any service control. IPSec is rather used to establish a connection to a LAN through the Internet. A Kerberos system resides on a LAN, granting or denying access to services. The MS Passport technique, with its global authentication scheme, does not complement the two further.
9 Conclusions

The 802.11b WLAN standard comprises techniques with serious security flaws. The WEP technique, which is intended to provide the user with privacy, is easily cracked. The authentication using MAC addresses does not authenticate a user, and it is very hard to manage in an environment where guest users bring their laptops. Vendors have additional non-standard, non-compatible security techniques built into their APs. It does not make sense to buy and use these and be locked in by that vendor for some time to come. Thus the user needs to strengthen authentication and privacy with standard techniques.

Kerberos provides an elaborate security scheme, letting users obtain tickets to various services once authenticated. The scheme provides an excellent means to authenticate users and also lets them roam over several domains and APs. It does not provide the user with privacy, which is absolutely necessary considering the inherent broadcasting features of a WLAN. It also takes great effort to implement, since applications have to be Kerberized in order to utilize its security scheme.

IPSec is transparent since it resides on the transport level, going as payload in IPv4. IPSec provides a strong means of encryption and authentication. Its greatest strength is its versatility, being able to serve everything from home users and small companies up to enterprises.

Kerberos and IPSec complement each other: IPSec with its strong privacy mechanisms and Kerberos with its strong authentication mechanisms. Both techniques suit a closed environment such as a company or a university.

Finally, MS Passport was evaluated. It is suitable for a public WLAN environment. It does provide end-to-end privacy using SSL, but not data integrity when redirections are performed to authenticate the user. It has a high price compared to the other techniques. It is compatible with web browsers and common Internet security techniques, and it is excellent for providers looking to rent out WLAN bandwidth. Its security scheme is not very useful compared to IPSec or Kerberos. It should not be considered to be very secure.
Since a WLAN broadcasts information using radio, privacy is essential. It is also essential to authenticate a user, so that persons may be held responsible for their actions and so that stolen hardware does not get access to the WLAN.

My recommendation is to implement a solution using IPSec and Kerberos. IPSec provides privacy and non-repudiation, which Kerberos and MS Passport do not. Kerberos provides a strong means of authentication and access control, and it is implemented in e.g. Active Directory and could therefore be used with Win2000 as the client, which is a common corporate operating system. Further, if it is possible, IPSec should be implemented using certificates and PKI in a larger organisation. These techniques are already part of many organizations' infrastructure and can easily be extended to protect an 802.11b WLAN.
A Glossary

AD        Accessing Device
AH        Authentication header
AP        Access Point
CA        Certificate Authority
DNS       Domain Name Server
DSSS      Direct Sequence Spread Spectrum
ETSI      European Telecommunications Standards Institute
ESP       Encapsulation Security Payload
FHSS      Frequency Hopping Spread Spectrum
HMAC      key Hashing for Message AuthentiCation
IEEE      Institute of Electrical and Electronics Engineers
IKE       Internet Key Exchange
ISAKMP    Internet Security Association Key Management Protocol
LAN       Local Area Network
MAC       Media Access Control address
MIT       Massachusetts Institute of Technology
NSA       National Security Agency
OFDM      Orthogonal Frequency Division Multiplexing
OSI       Open Systems Interconnection
PFS       Perfect Forward Secrecy
PKI       Public Key Infrastructure
RADIUS    Remote Authentication Dial-In User Service
RSA       Ron Rivest, Adi Shamir, and Len Adleman
SAD       Security Association Database
SCEP      Simple Certificate Enrolment Protocol
SHA       the Secure Hash Algorithm
SSID      Service Set IDentifier
SSL       Secure Socket Layer
TACACS+   Terminal Access Controller Access Control System Plus
VPN       Virtual Private Network
WEP       Wireless Equivalent Privacy
WLAN      Wireless Local Area Network