authentication across the airwaves

13

AUTHENTICATION

February 2007 Network Security

To set the scene, let’s see where wireless authentication fits in. We can define sev-eral components that make up wireless networks, as shown in figure 1

Users can employ devices such as laptops, smartphones, PDAs, or BlackBerrys to connect to the Internet or the corporate network via an access point. Connections between devices and access points are usually based on wireless LAN or cellular/mobile tech-nologies; connections from the access point to the corporate network may use the telecommunications infrastructure and may travel over an IP-based net-

work, such as the internet. These mobile devices and connections combine to provide users with location-independent access to the corporate network and the Internet.

Authentication in wireless networks addresses a combination of users, devic-es, and networks. We will examine how the most popular wireless technologies, Wi-Fi, WiMAX and cellular/mobile, handle authentication in the corpo-rate environment. We will explore the authentication mechanisms in the early versions of the popular IEEE 802.11 (Wi-Fi) standard, moving on to IEEE

802.11i (also known as Wi-Fi Protected Access, WPA). We will explain the authentication mechanisms used in cel-lular phone networks, and those used in IEEE 802.16 (Wi-MAX).

Wi-FiIn Wi-Fi, management frames are used by the wireless device and the access point to negotiate and control the relationship between device and access point. An example is a device send-ing a management message to request access to an access point. Management frames provide services such as authen-tication, association and disassociation. The management frames used in Wi-Fi have a generic structure, as shown in figure 2.

The frame body is made up of fixed fields and elements. Fixed fields (which have a fixed length in bytes) provide information such as authentication algorithm number, authentication trans-action, beacon interval and capability information. The elements are of vari-able length and can be used to provide information on frequency hopping, challenge text for authentication, robust security network capability and sup-ported data rates. Management frames are used in authentication processes in all versions of Wi-Fi.

In the early versions of 802.11, includ-ing 802.11b, authentication to the net-work could take one of two forms: open and shared key. Open authentication is simple. A wireless device sends a request to be authenticated to the wireless net-work. The access point then replies with a success message.

Shared key authentication uses a chal-lenge/response mechanism. The device first sends a request to join the network and this time the access point returns a challenge in a second message. The challenge is composed of 128 bytes of randomly generated text. The device then responds by sending a third message, with the challenge text encrypted by wired equivalent privacy (WEP). The access point then decrypts the challenge text and compares it with the challenge text sent in message two. If the decrypted

Adrian Davis, senior research consultant, Information Security Forum

Authentication of users and devices lies at the heart of network security. Organizations have spent a lot of time and money trying to prove that people are who they claim to be, which is the basis of authentication. It is one of the most challenging areas for wireless networks.

Users Devices Accesspoint

Organisationinfrastructure

Corporatenetwork

Edgedevice

Corporatewireless LANaccess point

Publicor hotspotwireless

access point

Cellular/mobilebase station

Internet

Figure 1: Components of wireless networks

Authentication across the airwaves

Adrian Davis

14Network Security February 2007

challenge text matches the original chal-lenge text, a fourth message, notifying authentication success, is sent to the device.

Both authentication mechanisms have flaws. Open authentication basi-cally authenticates any device that wants to join the wireless network; shared key authentication can be attacked (and the key recovered) by collecting the challenge text and the encrypted reply. In shared key authentication, there is considerable over-head in distributing the key to all mobile devices and then periodically updating it. If a device is not updated, it cannot then authenticate and connect. Both forms of authentication require the device to authenticate to the network, but the net-work does not authenticate to the device.

Once the device has authenticated to the network and a connection formed, the user can then be prompted to enter his or her credentials (e.g. username and password) for user authentication. Depending on how the connection between the device and the organization-al infrastructure is created, this may take the form of a Windows login prompt or a login for a VPN application.

Enhanced Wi-Fi: IEEE 802.11iThe flaws in early versions of Wi-Fi have been addressed through the release of the

802.11i standard. The 802.11i standard defines robust security networks (RSN) and robust security network associations (RSNA). RSNA are security relationships established by the following:

• Exchanging information about net-work security and capability

• Authenticating the device and user using the IEEE 802.1X standard for port-based network access control and extensible authentication proto-col (EAP)

• Providing automatic cryptographic key management and secure distribution

Figure 2: Generic structure of 802.11 management frames

Corporatenetwork

Organisationalinfrastructure

Corporate wireless LANaccess point

Authenticate (request)

Authenticate (challenge)

Device

12

Authenticate (response)

Authenticate (success)

34

Figure 4: Pre-shared key authentication in 802.11

Corporatenetwork


Corporate wireless LANaccess point

Authenticate (request)

Authenticate (success)

Device

12

Figure 3: Open authentication in 802.11

AUTHENTICATION

Framecontrol

Destinationaddress

Sourceaddress

Sequencecontrol

Framebody

Basicserviceset ID

Framecheck

sequence

Length/bytes

Framecomponents

Duration

2 2 6 6 6 2 0-2312 4 • Using advanced encryption stand-ard counter-mode with cipher block chaining-message authentication code protocol (AES-CCMP) for encryp-tion and message integrity.

RSNs are composed exclusively of devices that can form RSNAs. Devices that do not use 802.11i cannot form an RSNA and so cannot join an RSN. Note that 802.11i provides security between the device and access point only, just like early 802.11 versions.

To allow flexibility of implementa-tion, a subset of the 802.11i standard, termed Wi-Fi Protected Access (WPA), has also been developed. WPA uses 802.1X, EAP and RC-4-based 128-bit key encryption, which has the advan-tage of being backwards-compatible with existing wireless equipment. To further enhance the encryption process, temporal key integrity protocol (TKIP) is used to provide a new encryption key for every packet sent. The original arithmetic integrity checksum in WEP is replaced by an encrypted integrity code generated by a new 64-bit key algorithm (called Michael). WPA and its successor WPA2 can be used in two different ways: Personal (using pre-shared keys) and Enterprise, which uses 802.1X and EAP.

An upgrade path from WEP is avail-able to organizations: a software upgrade

15February 2007 Network Security

to move to WPA, followed by a hard-ware and software upgrade to implement WPA2. Table 1 highlights the differences between the various flavours of WEP, WPA and WPA2.

Both WPA and WPA2 offer a pre-shared key authentication mechanism, termed Personal. This mechanism shares many of the flaws with the origi-nal 802.11 pre-shared key mechanism described above, including vulnerability to key recovery attacks from tools such as coWPAtty1.

In essence, 802.11i consists of four steps. First, the device, termed a suppli-cant, uses 802.11 management frames to discover whether WPA or WPA2 can be used. If the network supports either WPA or WPA2, then the authentication process can be initiated. In Enterprise implemen-tations, authentication information is communicated using the 802.1X protocol

and EAP or EAP over LAN (EAPOL). The authentication can involve the device, the user, the network, or a com-bination of the three. If it succeeds, then the cryptographic keys to be used can be generated and distributed using the four-way handshake, and the group key handshake if required. Finally, the fourth step allows for protected (encrypted) data exchange between the authenticated sup-plicant and the access point.

The IEEE 802.1X standard is used in 802.11i-capable wireless LANs to provide a mechanism to control access to a network and to pass authentica-tion information between a device and an authentication server. As used in 802.11i, the mechanism has four steps:

1. A device (termed a supplicant) try-ing to join a target network connects to an access point (termed an authentica-tor), using the 802.11 protocol. As the

device attempts to connect, the 802.1X protocol manages the connection and only allows the device to connect to the authenticator.

2. The device presents authentication information to an authenticator con-nected to the target network, using the 802.1X protocol.

3. The authenticator receives the infor-mation and then forwards the authenti-cation information to an authentication server, using the 802.1X protocol.

4. The authentication server sends a success or fail message to the authentica-tor. If the authentication information is valid, then the server sends a success message to the authenticator which tells the authenticator to form a connection between the device and the target net-work, which is mediated by the 802.1X protocol. If the authentication informa-tion is invalid, then the device cannot join the network and may have the con-nection between it and the authenticator closed.

In 802.1X, authentication messages are transferred using EAP or EAP over LAN (EAPOL). Both protocols can be used to encapsulate authentication information used by RADIUS, SSL or transport layer security (TLS), meaning that well-known and well-used authentication protocols can be used in the wireless environment. The 802.1X standard was originally developed for wired networks. As a result, when used in the wireless environment, the standard may not work as designed. Vulnerabilities have been identified when using 802.1X in the wireless environ-

Security standard Cryptographic algo-rithm

Cryptographic key length/bits

IV length/bits Message Integrity Check

Authentication Upgrade Path

WEP RC-4 40104

24unencrypted

Arithmetic CRC

OpenPre-shared key

N/A

WPA Personal RC-4 with TKIP 128 48 encrypted Michael encrypted 64 bit

Pre-shared key Software

WPA Enterprise RC-4 with TKIP 128 48 encrypted Michael encrypted 64 bit

802.1XEAP

Software

WPA2 Personal (802.11i)

AES-CCMP 128 48 encrypted CBC-MAC encrypt-ed 64 bit

Pre-shared key Software and Hardware

WPA2 Enterprise (802.11i)

AES-CCMP 128 48 encrytped CBC-MAC encrypt-ed 64 bit

802.1XEAPS

Software and Hardware

Authenticator(eg access point)

Authenticationserver

Security capabilities discovery

Supplicant

12

Key management Key distribution

Protected data exchange

34

Authentication with server

Figure 5: The four steps in 802.11i

AUTHENTICATION

Table 1: Differences between WEP, WPA, and WPA2.


ment, allowing attacks such as ‘person in the middle’ and masquerading.

EAP (and EAPOL) provide a framework in which messages can be transferred and information exchanged that is specific to the authentication mechanism in use. EAP doesn’t require the use of IP-based net-works. It actually only uses four messages:

1. Request from authenticator to sup-plicant

2. Response from supplicant to authenticator

3. Success authenticator to supplicant: access granted

4. Failure authenticator to supplicant: access refused.

The messages can be further divid-ed into types (eg request identity) through the use of type fields in the EAP message format, which carry information about the authentication method to be used and indicate the detailed information carried in the EAP message.

To allow EAP to work in the wireless environment, EAPOL was defined as part of the 802.1X standard. EAPOL encapsulates EAP messages and pro-vides a way of initiating supplicant and authenticator communications.

Authentication in EAP has the fol-lowing message flow: The process starts off with the supplicant sending an EAPOL-Start message. The authentica-tor then sends a request identity mes-sage, to which the supplicant responds. The EAP response identity is forwarded from the authenticator to the authenti-cation server. At this point, the chosen authentication mechanism can be used (eg RADIUS, TLS or Kerberos). The messages related to the authentication mechanism are then passed between the authentication server and the supplicant (via the authenticator).

Finally, when authentication is suc-cessful, an EAP Success message is sent. At this point, the 802.1X protocol takes over and the connection between the target network and the supplicant is formed once the four-way handshake is completed successfully. EAP provides a framework in which authentication methods can be used. Common exam-ples of authentication methods include TLS and RADIUS, which are now briefly discussed.

In EAP-TLS, devices and servers can be issued with certificates (deploying this many certificates requires substan-tial effort – after all, putting certificates on everything basically creates a PKI). During the TLS authentication proc-ess, the server authenticates to the client and a key exchange occurs, allowing the creation of an encrypted commu-nications link. The process used here is slightly different from the TLS hand-shake exchange, in that certain messages are grouped together. Additionally, the client does not have to authenticate to the server as this is an optional step. If certificates are not installed on clients, then this will significantly reduce the overhead associated with a TLS-based authentication mechanism.

RADIUS is widely used to support remote access solutions and can also sup-port wireless access. In EAP-RADIUS,



Security capabilities discovery

Supplicant

1234

Authentication (request) forwarded to

authentication server

Authentication (success) forwarded to

authenticatorAuthenticate (success)

passed to supplicant

Figure 6: Overview of 802.1X operation



EAPOL-start

Supplicant

EAP request identity

EAP response identity

EAP Request

EAP Response


Request

Response

Success

EAP success

Figure 7: Overview of EAPOL and EAP authentication messages

AUTHENTICATION


the authentication process is initiated by an EAPOL-Start message, as the follow-ing figure illustrates.

In this process, the RADIUS packets are encapsulated in EAP for transmission between the supplicant and the authen-ticator. The EAP wrapper is stripped off for transmission between the authentica-tor and the authentication server.

Despite its advantages, EAP suffers from noticeable security flaws. The EAP Identity and EAP Success / Failure messages are sent unencrypted and can be obtained by an attacker, potentially providing information that can be used in attacks. One solution is PEAP (Protected EAP Protocol), which uses TLS. In PEAP, TLS negotiation occurs first, creating an encrypted communica-tion link between the target network and the supplicant. In this first phase, the client specifically does not present its certificate (if it has one), thus not revealing any client authentication information. The second phase is a con-ventional EAP negotiation: however, all traffic is encrypted.

Developments in the 802.11 standard include the 802.11w standard, which will aim to protect the management frames used in 802.11 from attack. Currently, management frames are not encrypted or integrity checked and are potentially vulnerable to attack. Combined with 802.11i, this would address known vulnerabilities and pro-vide a more secure device to access point link. The target date for ratification of the 802.11w standard is March 2008.

Hotspots will offer very little in the way of authentication: most will prob-ably use open authentication to allow any wireless device to connect. The wireless service provider may require a user to pay for the use of the wireless hotspot (and associated access). Payment is often managed through the service provider’s infrastructure, by forcing the user to login to a webpage. If login and the payment transaction are successful, then the wireless device connects to the Internet and the user must then attempt to connect to the corporate network. Once connection is achieved, then the

authentication to the corporate network using the mechanisms discussed here can be used.

Cell authenticationNetworks based on GSM require the mobile station (the handset or data card) to authenticate to the network. The authentication is achieved in two parts. First, the international mobile equip-

ment identifier is checked against the network asset register to ensure that the mobile station is not stolen. The second part is a challenge/response mechanism, initiated by the mobile station send-ing the international mobile subscriber identifier to the network. The network will then send a challenge to the mobile station, which responds using unique information on the SIM card.

AUTHENTICATION

EAP responseidentity

ClientHello

ChangeCipherSpec

Finished

EAP-TLSsuccess

Certificate

CertificateVerify

ChangeCipherSpecFinished

EAP-TLS(empty)

ClientKeyExchange

EAP requestidentity

EAP-TLS (start)

ServerHelloTLS certificate

CertificateRequest

ServerHelloDone

2

4

6

8

1

3

5

7

9

Figure 8: Messages used in EAP-TLS authentication (steps 4 – 7 use EAP-TLS to encapsulate the mes-sages)



EAPOL-start

Supplicant

EAP request identity


EAP Request

EAP Response

RADIUS access request

RADIUS access challenge

RADIUS access request

RADIUS access accept

EAP success

Figure 9: Messages used in EAP-RADIUS authentication


Once the handset is authenticated to the network, a session key is generated by the handset and then shared with the cellular base station. Communication between the handset and the base sta-tion are encrypted using this session key, which has a length of 64 bits in 2G net-works and 128-bits in 3G networks. The network does not authenticate to the mobile station; authentication is one-way (ie mobile station to network).

CDMA-based networks use a similar system but have additional advantages

in the use of spread-spectrum trans-mission and unique user codes, making it very difficult to eavesdrop a transmission and then decrypt it.

After the mobile station is authen-ticated, the call is connected. The user can then connect to the tar-get network. Again, authentication mechanisms, such as RADIUS or TLS, discussed previously can be used for authentication to the target network. Efforts are also underway to produce

EAP-SIM, an authentication mecha-nism based on the use of SIM card information.

WiMAXIn wireless networks based on WiMAX, authentication is two-way and carried out using privacy key management-extensible authentication protocol (PKM-EAP). PKM uses digital certifi-cates (including X.509) to authenticate the client and manage cryptographic keys. EAP has been discussed previ-ously. Encryption is provided through the use of encryption algorithms such as DES, AES or its variants (eg AES-CCMP).Other authentication mecha-nisms

Added to the various mechanisms discussed here, applications (such as intranets, ERP systems and databases) can also require users to authenticate successfully before the application can be used. Edge servers or VPN concen-trators can force authentication, while network access quarantine can also force devices to authenticate to the target network and prove their status before connection is allowed. Finally, DIAMETER, the replacement for RADIUS, can be integrated into the wireless environment.

SummaryAuthentication can take place at a number of points in the wireless environ-ment. Figure 11 highlights where, using the OSI model to illustrate how the vari-ous authentication protocols interact.

Corporatenetwork

EdgedeviceDevice Cellular/mobile

base station(access point)

Internet

Link activated (call started)12 Network authentication

and encryption

Connection formed to corporate network/authentication

Connection formed to

Telecommunications infrastructure/internet34

Data transmission5


Figure 10: Overview of cellular/mobile phone wireless authentication

Application

Presentation

Session

Transport

Network

Data link

Physical

Application

Device

WEP, WPA,WPA2, 802.1X

EAP802.1X

EAP

Airinterface

Internet

Wireless access point

Application security (eg. authentication, digital signatures)

RADIUS authentication

TLS authentication

Target Network

Presentation

Session

Transport

Network

Data link

Physical

Network

Data link

Physical

Figure 11: authentication in the wireless environment

"In wireless networks based on WiMAX, authentication is two-way and carried out using privacy key man-agement-extensible authentication protocol."

AUTHENTICATION


The figure shows that many of the authentication methods, such as those used by Wi-Fi and WiMAX, oper-ate at the lower layers of the network stack, while RADIUS and TLS oper-ate at higher layers, giving a layered approach.

ConclusionsAuthentication in wireless networks has improved considerably since the original open authentication mecha-nism used in early versions of 802.11. The release of 802.11i and, in the future 802.11w, address many of the security and authentication issues

found in 802.11. However, organiza-tions will have to invest time and effort into selecting and implement-ing an EAP framework and associated authentication protocols.

The good news is that many of the tools already deployed, such as RADIUS, VPN and TLS, can assist in authenticating users and devices in the wireless environment. Organizations do not have to re-invent the wheel but can build on existing implementations to provide secure and reliable authen-tication in the wireless environment. Wireless authentication is not in the air – it is here, it is real and it can be implemented.

References1. CoWPAtty 4.0 project, Church

of WiFi, August 2006 <www.churchofwifi.org/Project_Display.asp?PID=95>

About the authorAdrian Davis is a senior research consult-ant for the Information Security Forum, an organization that provides information security solutions to over 290 Member organizations globally. His research inter-ests include managing security effectively, wireless networks, instant messaging and patch management. His article on return on security investment appeared in the November 2006 issue of Network Security.

This author has stated repeatedly that in many cases e-discovery seems like a less rigid practice than digital foren-sics in general. Nevertheless, practice has shown that in many cases, e-dis-covery adheres to scientific criteria proper to other disciplines. This is especially true during the preservation phase, in which everything technically possible must be done to guarantee the integrity of the evidence and to ensure repeatable analysis.

The difficulty of preparing for e-discoveryWhat is often given scant attention, especially when digital investigation, digital forensics, and e-discovery are not top company priorities, is the preparation phase. This defines the architectural perimeter, determin-ing the location of information, and implementing policies and tech-nologies governing its movement and storage.

Historically, companies could ignore the problem, but recent legislation in the United States could require some elements of e-discovery by law. Just when it seemed that the e-discovery market was showing normal growth, news emerged of a definitive rule change regarding e-discovery in the civil arena. These rules went into force in December 2006.

The new rules came from an advisory committee to the Judicial Conference of the United States, under the supervi-sion of the federal and supreme courts. They are listed in a 300-plus page doc-ument that was created by the advisory committee.

One of the most important elements in the new legislation regards discov-ery procedures and data readability. According to the rules, companies involved in civil litigation must meet within 30 days of the lawsuit’s filing to decide how to handle electronic data. Both parties must define beforehand the information to be shared and its electronic format.

Up to here this all appears perfectly normal, at least to lawyers, but looks can be misleading. Coming up with

AUTHENTICATION

E-DISCOVERY RULES

The negative effects of e-discovery rulesDario Forte, CEO, DFLabs Italy

For about two years now, companies have been warming up to elec-tronic discovery. ‘E-discovery’ refers to the acquisition and presen-tation of documents and digital evidence, and may be applicable in both civil and criminal law. E-discovery may be an obligatory road for a company if it finds itself citing, or being cited by, another com-pany in court.

Dario Forte

http://www.churchofwifi.org/Project_Display.asp?PID=95



authentication across the airwaves

Documents