Network Access Control and Wirelessver.miun.se/courses/security/lectures/wireless.pdf · AuthenticationMethods Extensible Authentication Protocol Figure:[1]. EAP authentication methods.

Network Access Control and Wireless

Lennart Franked

Avdelningen för informationssystem och -teknologi (IST)Mittuniversitetet

December 4, 2014

Lennart Franked (MIUN IST) Network Access Control and Wireless December 4, 2014 1 / 42

Overview

1 Network Access Control (NAC) and IEEE 802.1XNetwork Access ControlExtensible Authentication ProtocolIEEE 802.1x

2 Wireless Network SecurityWireless Security

3 802.11 Wireless Overview802.11 - Wireless LANWireless LAN Security


Literature

The lecture covers chapter 5.1 - 5.3 and chapter 7 “Wireless NetworkSecurity” in [1]. To check that you have fully understood these chapters,you should solve problems 7.1, and 7.2


Network Access Control

Figure: [1].Lennart Franked (MIUN IST) Network Access Control and Wireless December 4, 2014 4 / 42

Access RequestorNetwork Access Control

Figure: [1].

Access RequestorAccess Requestor, Client,Supplicants, peerAccess the network.


Policy ServerNetwork Access Control

Figure: [1].

Policy ServerEnforce access restrictions.


Network Access ServerNetwork Access Control

Figure: [1].

Network Access ServerControl access to Network.


Network Access Enforcement MethodsNetwork Access Control

IEEE 802.1X - EAP over LAN.VLAN.Firewall.DHCP management.











Extensible Authentication Protocol

Figure: [1].

Framework for network accessand authentication protocols.Mostly encountered in wirelessnetworks and PPP-connections.Extension to PPP



Figure: [1].




Figure: [1].



Authentication MethodsExtensible Authentication Protocol

Figure: [1].

EAP authentication methods.EAP-TLS.EAP-TTLS.EAP-GPSK.EAP-IKEv2.



Figure: [1].




Figure: [1].




Figure: [1].



EAP ExchangesExtensible Authentication Protocol

Figure: EAP Protocol Exchange [1]


EAP MessagesExtensible Authentication Protocol

Figure: EAP Message Flow [1]


IEEE 802.1x

Figure: IEEE 802.1x operation [1]


IEEE 802.1x EAPOL Message typesIEEE 802.1x

EAPOL-EAP – Encapsulated EAP packet.EAPOL-Start – Initiates the start of EAP authentication process.EAPOL-Logoff – Closes the EAP session.EAPOL-Key – Exchange key information.











Overview





Wireless Security

Wireless Network Security


Security issuesWireless Security

Why wireless network are more susceptible to attacks.Broadcast communication allows eavesdropping.Jamming trafficMobile devicesImplemented on a variety of devices with limited memory andcomputational resources.Easy to access.














Wireless Network ThreatsWireless Security

ThreatsAccidental AssociationMalicious AssociationAd hoc NetworksNontraditional NetworksMAC SpoofingMan-in-the-middle attacksDoSNetwork Injection























CountermeasureWireless Security

Signal-hiding techniquesI Hide SSID (Security by obscurity)I Reducing Signal Strength

Encryption (Confidentiality)AuthenticationMAC (Integrity)IEEE 802.1x


























Mobile device SecurityWireless Security

Lack of physical ControlUse of untrusted mobile devicesUse of untrusted networkUse of applications created by unknown partiesInteraction with other systemsUse of untrusted contentUse of location services




















Overview





802.11 - Wireless LAN

IEEE 802 work group.I Develops standards for LAN.I 802.11 was formed 1990

Wi-Fi AllianceI Wireless Ethernet Compatibility Alliance (WECA)I Certifies compatibility between Wi-Fi vendors.I 802.11a,b,g,n,ac,adI Creates security standards as well.






























Terminology802.11 - Wireless LAN

Access pointBasic Service SetExtended Service SetDistribution SystemProtocol Data UnitService Data Unit

















IEEE 802.11 protocol stack802.11 - Wireless LAN

Figure: 802.11 protocol stack [1]


IEEE 802.11 Architectural Model802.11 - Wireless LAN

Figure: 802.11 Architectural Model [1]


802.11 services802.11 - Wireless LAN

Table: IEEE 802.11 Services [1]

Service Provider Used to support

Association Distribution system MSDU deliveryReassociation Distribution system MSDU deliveryAuthentication Station LAN access and SecurityDeauthentication Station LAN access and SecurityPrivacy Station LAN access and SecurityDisassociation Distribution system MSDU deliveryDistribution Distribution system MSDU deliveryIntegration Distribution system MSDU deliveryMSDU delivery Station MSDU delivery















































Security Comparison – Wired vs. WirelessWireless LAN Security

Wireless LANAny station within then range of a wireless AP can transmit and receivedata on the LAN.

Wired LANOnly devices with a physical connection to the network can send andreceive data on the LAN.


Security Comparison – Wired vs. WirelessWireless LAN Security

Wireless LANAny station within then range of a wireless AP can transmit and receivedata on the LAN.

Wired LANOnly devices with a physical connection to the network can send andreceive data on the LAN.


IEEE 802.11iWireless LAN Security

Wired Equivalent Privacy (WEP)Wi-Fi Protected Access (WPA)


IEEE 802.11iWireless LAN Security

Wired Equivalent Privacy (WEP)Wi-Fi Protected Access (WPA)


WEPWireless LAN Security

Use RC4 stream cipher.128 bit random number used as a challange.64 bit (40 bit user generated) or 128 bit (104 bit user generated) keysizes.24 bit initialization vector











WEP Encryption processWireless LAN Security

Figure: WEP encryption process


Wi-Fi Protected Access (WPA)Wireless LAN Security

Replace WEP802.11i - Robust Security NetworkRSN services

I AuthenticationI Access ControlI Privacy with message integrity






















WPAWireless LAN Security

Figure: Elements of 802.11i [1]


WPAWireless LAN Security

Figure: 802.11i Phases of operation [1]


802.11i - Discovery/Authentication phaseWireless LAN Security

Figure: Discovery, authentication and association [1]


802.11i - Key HierarchiesWireless LAN Security

Figure: Key Hierarchies [1]


Keys used in Wi-Fi Protected AccessWireless LAN Security

Pairwise KeysI Used for communication between a pair of devices.

Pre-Shared KeyI A secret key installed outside the scope of 802.11i

Master Session KeyI Master key generated using IEEE 802.1x EAPOL

Pairwise Master KeyI Derived from MSK or PSK

Pairwise Transient KeyI Consists of three keys:I Key Confirmation Key (KCK)I Key Encryption Key (KEK)I Temporal Key (TK)


Group KeysWireless LAN Security

Used for multicast communicationTwo keys are used

I Group Master Key - Used to generate Group Temporal KeyI Group Temporal Key - Used to encrypt the MPDUsI Changed every time a devices leaves the group.


IEEE 802.11i Four-way HandshakeWireless LAN Security

Figure: Four-way handshake and Group Key Handshake [1]


Protected Data TransferWireless LAN Security

TKIP (Temporal Key Integrity Protocol)I Software backward compatible with WEP devicesI Message integrity using a MAC (Michael)I Encrypts data using RC4.

CCMP (Counter Mode-CBC MAC Protocol)I Use CBC-MAC for message integrityI Encrypts data using AES-CTR.


IEEE 802.11i PRFWireless LAN Security

Used for amongst other things generating nonces.Built on the HMAC-SHA1 hash algorithm.


IEEE 802.11i PRFWireless LAN Security

Figure: IEEE 802.11i PRF [1]Lennart Franked (MIUN IST) Network Access Control and Wireless December 4, 2014 41 / 42

Referenser

[1] William Stallings. Network security essentials : applications andstandards. 5th ed. International Edition. Pearson Education, 2013.ISBN: 978-0-273-79336-6.


Network Access Control and Wirelessver.miun.se/courses/security/lectures/wireless.pdf · AuthenticationMethods Extensible Authentication Protocol Figure:[1]. EAP authentication methods.

Documents