Lecture 3. WPA and 802.11i

Slide 1. Lecture 3: WPA and 802.11i
Outline:
1. Basic principles of 802.11i and WPA
2. IEEE 802.1X
3. Extensible Authentication Protocol
4. RADIUS
5. Efficient Handover Authentication

Part 1. Basic principles of 802.11i and WPA

Slide 2. What is 802.11i?
The IEEE 802.11 Working Group is organised into task groups (.11a, .11b, .11g, .11i, ...); 802.11i is the task group for the new generation of WLAN security.

Slide 3. IEEE 802.11i and WPA
Diagram: the Robust Security Network (RSN) defined by IEEE 802.11i, shown alongside WEP.

Slide 4. IEEE 802.11i and WPA (cont.)
Diagram: Robust Security Network (RSN, IEEE 802.11i); Wi-Fi Protected Access (WPA, Wi-Fi Alliance); WEP.
- RSN and WPA share a common architecture (the RSN architecture)
- WPA focuses on TKIP and RADIUS
- 802.11i is more flexible: AES and TKIP, with RADIUS as one option

Slide 5. Security Layers: the RSN Architecture
Three layers spanning the mobile device, the access point and the corporate network:
- Authentication Layer: the authentication client in the mobile device's operating system talks to the authentication server in the corporate network using higher-layer authentication (TLS, Kerberos, etc.); the access point relays to the server over RADIUS
- Access Control Layer: the supplicant in the mobile device talks to the access point using 802.1X (access control)
- Wireless LAN Layer: 802.11 between the mobile device and the access point

Slide 6. Transport Layer Security (TLS), RFC 2246
- Based on Secure Socket Layer (SSL), which is widely used for protecting Web applications
- Public key based authentication
- Produces a 48-byte master key
TLS layers (on both peers): Application / TLS Handshake Protocol / TLS Record Protocol / TCP/IP / Network Hardware

Slide 7. TLS Message Exchange and RSN Keys
TLS handshake:
  Client -> Server: Client Hello
  Server -> Client: Server Hello, Server Certificate, Client Certificate Request, Server Done
  Client -> Server: Client Certificate, Client Key Exchange, Certificate Verify, Change Connection State, Finished
  Server -> Client: Change Connection State, Finished
RSN keys (example with stations X, Y, Z and one access point):
- Pairwise key: each station shares a distinct key with the access point (X: DEF, Y: GHI, Z: JKL)
- Group key: one key shared by the access point and all stations (ABC)

Slide 8. Pairwise Key Hierarchy and Main Standards
Pairwise Master Key (PMK): from upper-layer authentication or a pre-shared key
  -> Pairwise Transient Key (PTK), consisting of:
     - Data Encryption key
     - Data Integrity key
     - EAPOL-Key Encryption Key
     - EAPOL-Key Integrity key
Main standards in an RSN solution based on TLS:
- Mobile Device <-> Access Point: 802.11; 802.1X (EAPOL)
- Mobile Device <-> Authentication Server: EAP (RFC 2284); TLS over EAP (RFC 2716); TLS (RFC 2246)
- Access Point <-> Authentication Server: EAP over RADIUS (RFC 2869); RADIUS (RFC 2865); TCP/IP; 802.3 (or other)

Slide 9. Organization of a Dial-in Network
Diagram: users dial in over modems (PPP) to the NAS at the point of presence; the NAS talks RADIUS to the authentication server.
Authentication of dial-in users:
- PAP (Password Authentication Protocol): user name and password sent in cleartext
- CHAP (Challenge Handshake Authentication Protocol): challenge/response scheme

Slide 10. Authentication of Dial-in Users
- PAP (Password Authentication Protocol): user name and password sent in cleartext
- CHAP (Challenge Handshake Authentication Protocol): challenge/response scheme
- EAP (Extensible Authentication Protocol): allows different authentication methods

Part 2. IEEE 802.1X

Slide 11. IEEE 802.1X: Port Based Access Control
- Port: the point at which a device connects to the network
  - physical port (e.g. each connector of an Ethernet switch)
  - logical port (e.g. an 802.11 association)
- Authentication between device and network
- Access control based on the authentication result
Role of IEEE 802.1X, initial state on a switched LAN hub (diagram): a requesting device (supplicant) is attached to the hub's input port; the output port is shown separately.

Slide 12. Role of IEEE 802.1X and of the Authentication Server
Diagram: Ethernet hub with input port 0 and output ports 1, 2, 3; a connected device (supplicant) on the input port.
Role of the Authentication Server (diagram): the authentication server sits behind the hub's output port; a connected device and a requesting device (both supplicants) are attached to input ports 0, 1, 2.

Slide 13. IEEE 802.1X Model
Three systems:
- Supplicant System: Supplicant PAE (Port Access Entity)
- Authenticator System: Authenticator PAE in front of the service offered by the Authenticator's system; the port is unauthorized until authentication succeeds
- Authentication Server System: Authentication Server
The supplicant and authenticator are connected over the LAN; the EAP protocol exchanges with the authentication server are carried in a higher layer protocol.
Logical IEEE 802.1X ports in an access point (diagram): each wireless device associated at the radio MAC gets its own logical port through which its network access is controlled.

Part 3. Extensible Authentication Protocol

Slide 14. Extensible Authentication Protocol (EAP), RFC 2284
- Allows multiple authentication methods
- Provides no security itself

Slide 15. EAP Message Format
Fields: Code | Identifier | Length | Data
Codes: 1 Request, 2 Response, 3 Success, 4 Failure
EAP Request/Response message: Code | Identifier | Length | Type | Req/Rsp Data
Types: 1 Identity, 2 Notification, 3 NAK, 13 TLS

Slide 16. EAP Message Flow and EAP-TLS Handshake
EAP message flow between supplicant, authenticator and authentication server:
  Start -> Request Identity -> Response Identity -> Request 1 -> Response 1 ... Request n -> Response n -> Success
  (the authenticator relays each Request/Response, and the final Success, between supplicant and authentication server)
EAP-TLS handshake between client and server:
  1. Server -> Client: EAP Request Identity
  2. Client -> Server: EAP Response Identity
  3. Server -> Client: EAP-TLS (start)
  4. Client -> Server: EAP-TLS: Client Hello
  5. Server -> Client: EAP-TLS: Server Hello, TLS Certificate, Client Certificate Request, Server Done
  6. Client -> Server: EAP-TLS: (Client Certificate), Client Key Exchange, (Certificate Verification), Change Cipher, Finished
  7. Server -> Client: EAP-TLS: Change Cipher, Finished
  8. Client -> Server: EAP-TLS (empty)
  9. Server -> Client: EAP-Success

Slide 17. EAP over LAN (EAPOL)
Frame: Ethernet MAC Header | Protocol Version | Packet Type | Packet Body Length | Packet Body
Packet types: EAPOL-Start, EAPOL-Key, EAPOL-Packet, EAPOL-Logoff, EAPOL-Encapsulated-ASF-Alert
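The two layouts of slides 15 and 17 as an added worked example (not part of the lecture): a parser for an EAP packet and for the EAPOL frame that carries it. Field widths, the numeric packet types and the EAPOL EtherType 0x888E are taken from RFC 2284 and IEEE 802.1X, which the slides do not show; the sample frame is constructed.

```python
import struct

# Field widths, type numbers and the EAPOL EtherType come from RFC 2284 / IEEE 802.1X (not on the slides).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "NAK", 13: "TLS"}
EAPOL_TYPES = {0: "EAPOL-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAPOL_ETHERTYPE = 0x888E

def parse_eap(pkt):
    """EAP: Code(1) | Identifier(1) | Length(2) | Data; Request/Response put a Type byte first."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):       # never trust the Length field over the real size
        raise ValueError("EAP Length %d inconsistent with %d bytes received" % (length, len(pkt)))
    msg = {"code": EAP_CODES.get(code, "unknown(%d)" % code), "id": ident, "length": length}
    data = pkt[4:length]
    if code in (1, 2):
        if not data:
            raise ValueError("Request/Response without Type")
        msg["type"] = EAP_TYPES.get(data[0], "unknown(%d)" % data[0])
        msg["data"] = data[1:]               # e.g. the user name for Type 1 (Identity)
    else:
        msg["data"] = data                   # Success/Failure carry no data
    return msg

def parse_eapol(frame):
    """EAPOL: Ethernet header, then Protocol Version(1) | Packet Type(1) | Body Length(2) | Body."""
    if len(frame) < 18:
        raise ValueError("EAPOL frame truncated")
    if struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than Packet Body Length")
    out = {"version": version, "type": EAPOL_TYPES.get(ptype, "unknown(%d)" % ptype)}
    if ptype == 0:                           # only EAPOL-Packet carries an EAP packet
        out["eap"] = parse_eap(body)
    return out

# Constructed sample: EAP-Response/Identity "alice" (id 7) inside an EAPOL-Packet, version 1.
SAMPLE_EAP = struct.pack("!BBHB", 2, 7, 10, 1) + b"alice"
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x88\x8e"
                + struct.pack("!BBH", 1, 0, len(SAMPLE_EAP)) + SAMPLE_EAP)
```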

Part 4. RADIUS

Slide 18. Remote Access Dial-In User Service (RADIUS), RFC 2865
- Authentication, Authorization and Accounting (AAA) protocol
- RADIUS server and client share a secret key
Basic format of a RADIUS message: Code | Identifier | Length | Attributes ...
Codes: 1 Access-Request, 2 Access-Accept, 3 Access-Reject, 11 Access-Challenge

Slide 19. PAP and CHAP Operation over RADIUS
PAP: Dial-up user -> NAS: user name / password; NAS -> RADIUS server: Access-Request (PAP); RADIUS server -> NAS: Access-Accept; NAS -> user: OK
CHAP: Dial-up user -> NAS: user name / password; NAS -> user: Challenge; user -> NAS: Response; NAS -> RADIUS server: Access-Request (CHAP); RADIUS server -> NAS: Access-Accept; NAS -> user: OK

Slide 20. EAP over RADIUS, RFC 2869
- EAP Request carried inside a RADIUS Access-Challenge
- EAP Response carried inside a RADIUS Access-Request
Authentication exchange using EAP over RADIUS (client device, access point acting as NAS, RADIUS server):
  Client -> AP: EAPOL-Start
  AP -> Client: (Request) Identity
  Client -> AP: Identity; AP -> RADIUS server: Identity (user name)
  RADIUS server -> AP -> Client: Request; Client -> AP -> RADIUS server: Response (repeated as needed)
  RADIUS server -> AP -> Client: Success
Between client and access point the messages are encapsulated in EAPOL; between access point and RADIUS server they are encapsulated in RADIUS.
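Slide 20's encapsulation as an added example (not from the lecture): an access point acting as NAS wraps an EAP packet in a RADIUS Access-Request, and the server checks it against the shared secret before unpacking the EAP packet. The code and attribute numbers (EAP-Message 79, Message-Authenticator 80) and the HMAC-MD5 rule come from RFC 2865/2869, not from the slides; the shared secret, identifier and sample EAP packet are constructed.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80   # RFC 2865 code, RFC 2869 attributes

def attr(t, value):
    """RADIUS attribute: Type(1) | Length(1, header included) | Value (at most 253 bytes)."""
    assert len(value) <= 253
    return struct.pack("!BB", t, len(value) + 2) + value

def build_access_request(ident, secret, eap, req_auth=b""):
    """NAS -> server: Code(1) | Identifier(1) | Length(2) | Request Authenticator(16) | Attributes."""
    req_auth = req_auth or os.urandom(16)          # fresh random value for every request
    # EAP packets over 253 bytes (e.g. carrying a TLS certificate) are split, in order, over
    # several EAP-Message attributes; the server concatenates them again.
    eap_attrs = b"".join(attr(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))
    def packet(mac):
        attrs = eap_attrs + attr(MESSAGE_AUTHENTICATOR, mac)
        return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    # Message-Authenticator = HMAC-MD5(shared secret, packet with that attribute's value zeroed)
    return packet(hmac.new(secret, packet(bytes(16)), hashlib.md5).digest())

def parse_attributes(pkt):
    """Return [(type, value), ...], checking the Length field against the packet first."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS Length field does not match packet size")
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return attrs

def message_authenticator_ok(pkt, secret):
    """Server side: recompute the HMAC over the packet with Message-Authenticator zeroed."""
    attrs = parse_attributes(pkt)
    mas = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0]) != 16:       # RFC 2869: exactly one, alongside EAP-Message
        return False
    zeroed = pkt[:20] + b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mas[0])

def extract_eap(pkt, secret):
    """Verify the shared-secret HMAC, then reassemble the EAP packet from the EAP-Message attributes."""
    if not message_authenticator_ok(pkt, secret):
        raise ValueError("bad Message-Authenticator: wrong shared secret or tampered packet")
    return b"".join(v for t, v in parse_attributes(pkt) if t == EAP_MESSAGE)

SAMPLE_EAP = bytes([2, 7, 0, 10, 1]) + b"alice"   # constructed: EAP-Response/Identity "alice", id 7
```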

Slide 21. 802.11i Example
Parties: mobile device, access point, authentication server. Protocol stacks: TLS/EAP/EAPOL between mobile device and access point; TLS/EAP/RADIUS between access point and authentication server.
1. Mobile device and authentication server authenticate each other and generate the Pairwise Master Key (PMK)
2. Authentication server sends the PMK to the access point
3. Mobile device and access point authenticate each other (EAPOL-Key) and derive Pairwise Transient Keys (PTKs) from the PMK
4. User data is protected with the PTKs
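The key hierarchy of slides 8 and 21 worked through as an added example (not the lecture's own code): PMK from a pre-shared passphrase, PTK derivation between mobile device (SPA) and access point (AA), and the EAPOL-Key MIC with which each side proves it holds the same PTK without sending it. The PRF, PBKDF2 parameters, the nonces exchanged in the EAPOL-Key handshake and the PTK layout are from IEEE 802.11i, which the slides do not show; the addresses and nonces used are assumed inputs.

```python
import hashlib, hmac

def prf(key, prefix, data, nbits):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, prefix | 0x00 | data | i) for i = 0, 1, ... and truncate."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, prefix + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbits // 8]

def pmk_from_passphrase(passphrase, ssid):
    """Pre-shared key path of the hierarchy: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk, aa, spa, anonce, snonce, tkip=True):
    """PTK = PRF-X(PMK, "Pairwise key expansion", min(AA,SPA)|max(AA,SPA)|min(nonces)|max(nonces)).
    AA/SPA are the access point's and station's MAC addresses; ANonce/SNonce are exchanged in the
    EAPOL-Key handshake. X = 512 bits for TKIP (extra Michael MIC keys), 384 bits for CCMP."""
    if len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("addresses must be 6 bytes and nonces 32 bytes")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512 if tkip else 384)
    keys = {"kck": ptk[0:16],     # EAPOL-Key integrity (confirmation) key
            "kek": ptk[16:32],    # EAPOL-Key encryption key
            "tk": ptk[32:48]}     # temporal key: data encryption
    if tkip:                      # data integrity (Michael) keys, one per direction
        keys["mic_tx"], keys["mic_rx"] = ptk[48:56], ptk[56:64]
    return keys

def eapol_key_mic(kck, frame_with_zeroed_mic, sha1=True):
    """MIC over an EAPOL-Key frame (MIC field zeroed): HMAC-SHA1 truncated to 128 bits for key
    descriptor version 2, HMAC-MD5 for version 1. A wrong MIC means the peer lacks the PMK."""
    digest = hashlib.sha1 if sha1 else hashlib.md5
    return hmac.new(kck, frame_with_zeroed_mic, digest).digest()[:16]
```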

Part 5. Efficient Handover Authentication

Slide 22. Why Handover Authentication?
Diagram: an authorised mobile device reaches the wired fixed network over a radio link to an access point; an impostor could attempt to use the same radio link.
Handover authentication has to be efficient because of:
- Frequent handover due to user movement
- Physical constraints of wireless devices: lower bandwidth than wired counterparts, limited computational power, limited storage space
- User expectation of seamless mobility

Slide 23. Approaches to Efficient Handover Authentication
- Reuse of security association: no explicit authentication at handover
- Token based: use a token to convey trust
- Security context transfer: the Context Transfer Protocol transfers security context, QoS and other state information between edge mobility devices, avoiding repeated context establishment and facilitating seamless mobility (http://www.ietf.org/internet-drafts/draft-ietf-seamoby-ctp-11.txt)

Slide 24. 802.11f - Inter Access Point Protocol (IAPP)
- Specifies the information to be exchanged between access points to support the 802.11 distribution system (DS)
- Achieves multi-vendor access point interoperability
- Facilitates fast handover

Slide 25. Questions