Wireless network technology today suffers from poor security.
Fortunately, remedial work is underway.
In the next year or two, new standards
will be released enabling a new generation of wireless technology to function with
security that will be adequate for most purposes.
In this homework assignment we briefly survey both existing and future
mechanisms for wireless network security.
We describe one of these in detail.
I have chosen the authentication mechanism called the RADIUS server.
Flaws in Current WLAN Security Schemes
Effective network security protects user data from a variety of threats.
These include man-in-the-middle, authentication forging,
weak IV attack (AirSnort), packet forgery (replay attack), and dictionary attacks.
Description of these threats is beyond the scope of this paper.
However, it should be clear that each presents a distinct challenge
and demands explicit planning and design for its mitigation.
Two of the most commonly-used (and flawed) defense mechanisms are:
Access Control Lists (ACLs) --
An ACL grants network
access to machines whose MAC addresses have been
entered into a table in the access point.
When the access point receives a request from one of
the machines listed in the ACL, it grants access.
By contrast, most conventional security
schemes grant access to users (equipped with
passwords, dongles, SecureID cards, or other such mechanisms)
rather than to machines.
Wired Equivalent Privacy (WEP) --
This is another popular mechanism for WLAN security.
It is an optional part of the 802.11 standard;
access point manufacturers can adhere to the standard
yet omit it from their products.
However, I know of none that have done so.
WEP uses a key (encryption password)
that is known at both ends
of the connection (the wirelessly-networked
computer and the access point).
This is known as a shared private key.
Flaws in WEP's algorithm are notorious; the implementation of
the algorithm (RC4) is poor, and the 24-bit initialization vector
can be cracked with conventional equipment.
Using software (see references below) that today is freely
available on the Internet, a hacker can deduce a WEP key
in under an hour.
Furthermore, good security practice dictates that
shared private keys should be replaced
periodically, yet network administrators find it cumbersome to do so.
When the key is changed on the access point,
all the wireless computer users must be notified of the new key
and they must update it in their configurations in order to
continue to use the WLAN.
Even with access points that can support several keys simultaneously,
key management is difficult and therefore rarely done.
Fortunately, new mechanisms are under development that will remove the
necessity of conducting this onerous task.
Improved Schemes
Here are the main areas of activity to improve
Wi-Fi security.
802.11i -- This IEEE standard
will remedy weaknesses in 802.11 wireless network security,
particularly WEP. It is currently under development
by an IEEE working group.
802.1x -- When completed, this IEEE standard will
provide strong security for both wireless and wired networks.
It will support multiple authentication modes, including RADIUS
(see below).
Wireless Protected Access (WPA)
-- This interim implementation of wireless security is not perfect but is better
than WEP and serves as a temporary fix while 802.11i is under development.
It is designed so that existing access point equipment can be upgraded by
means of firmware updates and thus needn't yet be replaced.
WPA includes the following features, each described briefly in later paragraphs.
802.1x authentication is required in WPA.
In the 802.11 standard, 802.1x authentication was optional.
RADIUS
For environments without a RADIUS infrastructure,
WPA supports the use of a preshared key.
EAP
TKIP
Michael
AES (optional because it may not always be possible
to add AES support through a firmware update to existing wireless equipment,
or some vendors may choose not to)
Advanced Encryption Standard (AES)
-- This encryption is strong and will replace WEP in 802.1x.
It was developed to replace DES, the algorithm chosen for
use by U.S. government organizations. It will also be widely used
outside of the government.
AES uses the Rijndael algorithm which was developed by
Drs. Daemen and Rijmen of Belgium.
The National Institute of Standards and Technology (NIST) selected
the Rijndael algorithm for AES because it offers a combination of
security, performance, efficiency, ease of implementation, and
flexibility. The AES specifies three key sizes: 128, 192 and 256 bits.
Temporal Key Integrity Protocol (TKIP) -- This new mechanism
replaces WEP with a stronger encryption algorithm.
TKIP changes the key for every frame,
and the change is synchronized between the wireless client and the AP.
TKIP also verifies the security configuration after the encryption keys are determined.
Michael --
With 802.11 and WEP, data integrity is provided
by a 32-bit integrity check value (ICV)
that is appended to the 802.11 payload and encrypted with WEP.
However, this does not prevent a hacker using cryptanalysis from changing
bits in the encrypted payload and updating the encrypted ICV
without being detected by the receiver.
In WPA, this form of attack is prevented by an algorithm called Michael.
Michael calculates an 8-byte message integrity code (MIC)
that is placed between the data portion of the 802.11 frame and the 4-byte ICV.
The MIC field is encrypted together with the frame data and the ICV.
Michael also provides replay protection.
A new frame counter in the IEEE 802.11 frame is used to prevent replay attacks.
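
Added example (not part of the original paper): a Python model of the ICV weakness described above and of how a keyed MIC placed between the data and the ICV closes it. A random byte string stands in for the RC4 keystream and truncated HMAC-SHA256 stands in for Michael, whose internals this paper does not describe; the payload and keys are constructed.

```python
import hashlib
import hmac
import os
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_icv(body: bytes) -> bytes:
    """Unkeyed 4-byte ICV: a CRC-32 over the data, as in WEP."""
    return zlib.crc32(body).to_bytes(4, "little")

def keyed_mic(mic_key: bytes, payload: bytes) -> bytes:
    """8-byte keyed MIC (HMAC-SHA256 stand-in, not the Michael algorithm)."""
    return hmac.new(mic_key, payload, hashlib.sha256).digest()[:8]

def seal(payload, keystream, mic_key=None):
    """Encrypt data [+ MIC] + ICV by XOR with the keystream."""
    body = payload + (keyed_mic(mic_key, payload) if mic_key else b"")
    if len(keystream) < len(body) + 4:
        raise ValueError("keystream shorter than frame")
    return xor(body + crc_icv(body), keystream)

def open_frame(frame, keystream, mic_key=None):
    """Return the payload if every integrity check passes, else None."""
    plain = xor(frame, keystream)
    body, icv = plain[:-4], plain[-4:]
    if crc_icv(body) != icv:
        return None
    if mic_key is None:
        return body
    payload, mic = body[:-8], body[-8:]
    return payload if hmac.compare_digest(keyed_mic(mic_key, payload), mic) else None

def alter_in_transit(frame: bytes, delta: bytes) -> bytes:
    """Model a keyless change to the ciphertext: XOR `delta` into the data and
    patch the ICV, relying on crc(a ^ d) == crc(a) ^ crc(d) ^ crc(zeros)."""
    body_delta = delta.ljust(len(frame) - 4, b"\x00")[:len(frame) - 4]
    icv_delta = xor(crc_icv(body_delta), crc_icv(bytes(len(body_delta))))
    return xor(frame, body_delta + icv_delta)

def demo():
    keystream, mic_key = os.urandom(64), os.urandom(16)    # constructed keys
    payload, delta = b"constructed 802.11 payload", b"\x00\x00\x01"
    crc_only = open_frame(alter_in_transit(seal(payload, keystream), delta), keystream)
    sealed = seal(payload, keystream, mic_key)
    with_mic = open_frame(alter_in_transit(sealed, delta), keystream, mic_key)
    return crc_only, with_mic
```

With only the CRC, the receiver accepts the altered payload; with the keyed MIC in place, the same change is rejected because the MIC cannot be recomputed without its key.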
Extensible Authentication Protocol (EAP) --
EAP is the generic concept of protocols for the
secure transportation of authentication data,
including passwords, over 802.11 wireless networks.
The protocol is communicated between an access point
and an authentication server (such as a RADIUS server).
The access point initiates the conversation with the
server when it is contacted by a client (most often a PC)
requesting access to the wireless network.
EAP is not an implementation; it is a framework
for implementations. Several implementations (see below)
have been created and others are under development.
It supports multiple authentication mechanisms.
It is the "back-end" server that actually does the authentication while the
access point merely passes through the authentication exchange.
Typically, the server will send an initial Identity Request
followed by one or more Requests for authentication information.
The client sends a Response packet in reply to each Request.
The server ends the authentication phase with a Success or Failure packet.
LEAP, Cisco's Lightweight EAP --
LEAP includes Cisco's proprietary extensions to 802.1X to communicate
authentication data between Cisco Aironet wireless LAN access points
and the Cisco Secure Access Control Server.
It is a proprietary implementation of the generic EAP concept.
To satisfy the authentication challenge specified
by LEAP, the PC of the user to be authenticated must first supply
a valid user ID and later a correct 24-octet MSCHAP response
to an 8-octet random MSCHAP peer challenge. If it satisfies
both tests, the PC receives a session key which the Cisco access
point recognizes, and the access point permits the PC's session to proceed.
LEAP was superseded in 2003 by PEAP.
PEAP (Protected EAP) --
PEAP was developed by Microsoft, Cisco and RSA Security,
and is now an IETF (Internet Engineering Task Force, an
industry consortium like IEEE) draft standard.
This EAP implementation uses tunneling
(see below) between clients and an authentication server.
Though PEAP is not proprietary, Microsoft's
Windows XP is currently the only operating system that supports it.
Tunneled Transport Layer Security (TTLS) --
This EAP was developed by Funk Software and Certicom and is now
an IETF draft standard. It is an alternative to PEAP.
Without the backing of Microsoft and Cisco, its survival is dubious.
Extensible Authentication Protocol -
Flexible Authentication via Secure Tunneling (EAP-FAST) --
This protocol was developed by Cisco and has been submitted as
a draft (proposed standard) to the IETF.
Since it's only a draft, it doesn't have an RFC number.
The following succinct description is quoted
from that draft, EAP Flexible Authentication via Secure
Tunneling (EAP-FAST), as of February 2004:
EAP-FAST enables secure
communication between a client and a server by using the EAP based
Transport Layer Security (EAP-TLS) to establish a mutually
authenticated tunnel. However, unlike current existing tunneled
authentication protocols, EAP-FAST also enables the establishment
of a mutually authenticated tunnel by means of symmetric
cryptography. Furthermore, within the secure tunnel, EAP
encapsulated methods can ensue to either facilitate further
provision of credentials, authentication or authorization policies
by the server to the client.
Benefits of EAP-FAST include:
Does not require enforcement of a strong password policy.
Does not require digital certificates.
Supports a variety of user and password database types.
Supports password expiration and change.
Tunneling --
A tunnel is an encrypted connection that connects two computers
across an untrusted network.
For example, retrieving e-mail from a POP server ordinarily
requires sending a login and password "in the clear."
This is vulnerable to eavesdroppers such as network sniffers.
To protect from such threats, tunneling can be done with an encryption
program such as Secure Shell (SSH).
Rather than connecting to the POP server directly,
the user establishes an SSH connection to the internal network
where the mail server resides.
The SSH client software then sets up a port forwarding mechanism,
so that POP traffic is forwarded through the encrypted tunnel.
At the server end, it is delivered to the POP port.
At the client end, the e-mail program thinks it is talking to the POP server
though in fact it is connected to the SSH program.
Transparently to both client and server,
all communication between them is encrypted.
Virtual Private Networks (VPNs) --
VPNs are used by workers working at home, on the road,
or at branch offices to connect in a secure fashion
to a remote corporate server via the Internet.
They are a generalized version of the tunneling
technique described above. That is, they securely deliver
not just e-mail but a wide variety of data.
For example, by tunneling the SMB file server protocol,
VPNs are often used to grant remote
access to the files on a corporate file server.
The user thus has access from home to all the
data she or he has on her or his PC in the office.
RADIUS (Remote Authentication Dial In User Service) servers --
A software suite based on an RFC-standardized protocol for managing
network access. (Microsoft offers its own RADIUS-like server,
termed IAS.) The rest of this paper is devoted to the protocol
and software of RADIUS.
RADIUS Protocol
The RADIUS protocol standard is described in
RFC 2058.
A RADIUS conversation goes like this:
Laptop: Hello, access point? Let me in!
Access point: Hello, Radius? This guy wants to get in.
Radius: Ask him his name.
Access point: Laptop, what's your name?
Laptop: Mary.
Access point: Radius, it's a girl. She says she's Mary.
Radius: Ask her for her password.
Access point: Mary, what's your password?
Laptop: abc123.
Access point: Radius, Mary says abc123.
Radius: Hmm, let me check... Ok, let her in.
Access point: Ok Mary, you're cool.
Laptop: Thanks, access point. Now let's see, gimme my
e-mail, a buncha websites, a telnet session,
some instant messaging...
Of course, the technical terminology is more formal.
The access point is termed a Network Access Server (NAS)
and it operates as a client of RADIUS.
It passes user information to the RADIUS server
and acts on the response that is returned.
The RADIUS server receives user connection
requests, authenticates users, and returns any
configuration information necessary for the client to deliver
service to the user.
For example, users may be restricted by
bandwidth throttles or content filters.
RADIUS tells NAS what these rules are
for each user it authenticates
and then NAS must enforce them.
Communications between NAS and RADIUS must be secure.
These are authenticated through the use of a shared secret, which is never
sent over the network. In addition, user passwords are sent
encrypted between NAS and RADIUS, to protect from network snooping.
Each phase of the conversation has a name.
The initial contact from NAS to RADIUS is termed
an Access-Request. RADIUS's demand for a password
is an Access-Challenge. NAS's response is a Reply-Message.
RADIUS's final bestowing of
its blessing on Mary is an Access-Accept. Had it
not recognized Mary, it would have issued an Access-Reject.
Colloquially, the format of the conversation between NAS and RADIUS
is called A-V (attribute-value) Pairs. For example, a simplified
version of the first Reply-Message from NAS to RADIUS might have been
User-Name:Mary where User-Name is the attribute and
Mary is the value of that attribute.
It's convenient to think of the protocol as comprised of A-V Pairs
and much of the vendor documentation uses this terminology.
In fact, the complete specification calls for
variable length Attribute-Length-Value 3-tuples.
The first of the three parts is a Protocol:Attribute name;
the second is its length in bytes, and the third is the value.
The beauty of this scheme is that it is easily extended.
New attribute values can be added without
disturbing existing implementations of the protocol.
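
Added example (not part of the original paper): a Python sketch of the attribute encoding and the password protection described above, using the packet layout and User-Password hiding defined in RFC 2865, a later revision of the RADIUS specification than the RFC 2058 cited here. On the wire the attribute name is a one-octet type number and the length octet counts the type and length octets as well as the value. The shared secret, identifier, and credentials are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1                  # packet code (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2     # attribute type numbers (RFC 2865)

def hide_password(password, secret, authenticator):
    """NAS side: XOR each 16-octet block with MD5(secret + previous block)."""
    padded = password or b"\x00"
    padded += b"\x00" * (-len(padded) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side: regenerate the same pads from the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attr(attr_type, value):
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value    # type, length, value

def build_access_request(identifier, user, password, secret):
    authenticator = os.urandom(16)                       # Request Authenticator
    attrs = encode_attr(USER_NAME, user) + encode_attr(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_packet(packet):
    """Return (code, identifier, authenticator, {type: value}); reject bad lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return packet[0], packet[1], packet[4:20], attrs
```

The shared secret never appears in the packet; it enters only through the MD5 pads, so a receiver that does not hold it cannot recover the password from the User-Password attribute.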
RADIUS Software
The RADIUS protocol definition (like any network protocol definition)
simply defines an interface; it does not decree how to implement it.
Thus, programmers are free to build software however they wish, as
long as it communicates according to the protocol.
There are several RADIUS server implementations.
Nor does the protocol specify an authentication method.
Server implementations support a variety of methods such as
PPP PAP or CHAP, UNIX login, and others.
RADIUS servers are often extended to provide ancillary services
such as resource accounting. They capture and store such data
as which users were authenticated and the time of day.
This data is useful for billing, for statistical analysis
of usage patterns, and for other services that customers may require.
Failures, too, can be logged.
This helps in detecting intrusion attempts.
Data collected by RADIUS servers can be stored in local files.
A more common and flexible approach is
for the server to format this data into SQL which is then
passed to a relational database.
Thus the data is stored in indexed tables instead of in files.
Fine-tuned report generation
can then be done with SQL SELECT statements fed directly to
the database. This modular approach means that the RADIUS
server itself need have no reporting capability built-in.
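
Added example (not part of the original paper): a report of the kind described above, run with Python's sqlite3 module over an in-memory table. It lists each user and access point with repeated Access-Reject replies and notes whether an Access-Accept followed the last failure. The table name, column names, threshold, and sample records are assumptions made for illustration, not the schema of any particular RADIUS server.

```python
import sqlite3

# Constructed accounting records: (timestamp, user, NAS address, server reply).
EVENTS = [
    ("2004-02-10T09:00:01", "mary", "10.0.0.5", "Access-Accept"),
    ("2004-02-10T09:14:10", "bob", "10.0.0.7", "Access-Reject"),
    ("2004-02-10T09:14:12", "bob", "10.0.0.7", "Access-Reject"),
    ("2004-02-10T09:14:15", "bob", "10.0.0.7", "Access-Reject"),
    ("2004-02-10T09:14:19", "bob", "10.0.0.7", "Access-Accept"),
    ("2004-02-10T10:30:00", "alice", "10.0.0.5", "Access-Reject"),
]

# Rejects per user and NAS; accepted_after is 1 when a success follows the last failure.
REPORT = """
SELECT user_name, nas_ip,
       SUM(reply = 'Access-Reject') AS rejects,
       COALESCE(MAX(CASE WHEN reply = 'Access-Accept' THEN ts END) >
                MAX(CASE WHEN reply = 'Access-Reject' THEN ts END), 0) AS accepted_after
FROM auth_log
GROUP BY user_name, nas_ip
HAVING SUM(reply = 'Access-Reject') >= ?
ORDER BY rejects DESC
"""

def repeated_failures(events, threshold=3):
    """Load the records into an indexed table and run the report."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth_log (ts TEXT, user_name TEXT, nas_ip TEXT, reply TEXT)")
    db.execute("CREATE INDEX auth_log_user ON auth_log (user_name, nas_ip)")
    # Values are bound as parameters rather than pasted into the SQL text.
    db.executemany("INSERT INTO auth_log VALUES (?, ?, ?, ?)", events)
    rows = db.execute(REPORT, (threshold,)).fetchall()
    db.close()
    return rows
```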
Another common strategy is to drive the administrative user
interface from a web server. On the web server's backend is
a collection of PHP scripts (or JSP applets, or Perl/CGI, etc.)
that query and control the RADIUS server and its database.
Thus, for example, to add a user to the authenticated community,
an administrator would fill in an HTML form which would drive
the web server to run a PHP script that would generate SQL to
add a row to the user table in the database which, when
consulted by RADIUS, would
enable it to recognize and authenticate the new user.
And that's the RADIUS house that Jack built!
AirSnort is one of several
WEP-cracking tools.
It requires 5 to 10 million encrypted packets to be gathered.
Once enough packets have been gathered,
AirSnort can guess the key in under a second.
Wepcrack
is another tool for defeating WEP security. It can guess the
key after listening for a half hour.