TISC Insight, Volume 4, Issue 4

Welcome to Volume 4, Issue 4 of The Internet Security Conference newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.

TISC is about sharing clue. So is this newsletter. We promise to provide something useful each issue. If we don't, flame me. If you like the issue, let us know!

Enjoy, and be safe,

Dave

From The Editor

You can't travel far these days, on business or pleasure, without seeing someone, somewhere, using a wireless LAN. And you can't pick up a trade publication, or read a security mailing list where the issue of WLAN security isn't raised. In today's column, my partner and colleague Lisa Phifer explains current, future, and emerging security features for 802.11 Wireless LANs.


Controlling Wireless LAN Access with 802.1x

Lisa Phifer, Core Competence

Increasingly, 802.11b wireless is being used to extend the reach of traditional LANs, providing Intranet and Internet access in hard-to-wire public "hot spots" - conference rooms, airport lounges, hotel rooms, and cafes. In these environments, controlling network access can be challenging. Any wireless laptop or PDA within a several hundred foot radius can easily discover and transmit traffic to an 802.11b access point (AP) or nearby peers.

The current 802.11b standard provides weak station authentication and no real data integrity (WEP's CRC-32 integrity check is linear, so an encrypted frame can be altered without detection). The default mode, open system authentication, permits any station to associate with any access point. The alternative, shared key authentication, relies on a group secret known to all stations. Group passwords are notoriously weak, but it turns out that 802.11 authentication keys are even more vulnerable: the shared key exchange sends a plaintext challenge and its WEP-encrypted reply over the air, handing any eavesdropper a sample of keystream for that key.

This authentication key doubles as one of four encryption keys that are used with the RC4 stream cipher to provide Wired Equivalent Privacy (WEP). Researchers have shown that WEP keys can be recovered in as little as 15 minutes, using nothing more than an inexpensive laptop, an 802.11 NIC, and freely-available tools like AirSnort and WEPCrack. (To learn more about WEP, see the papers at the end of this column.)

Complementary measures should be applied at the network, session, and/or application layers to secure traffic end-to-end and defend the wired network's perimeter. However, these measures do not stop unauthorized stations from competing for wireless bandwidth or launching DoS attacks against the local LAN segment. Doing so requires port-level access control at the access point, combined with stronger authentication.

The IEEE 802.1x Framework

IEEE 802.1x defines a generic framework for port-based access control and LAN station authentication. In this framework, an authenticator (an Ethernet switch or wireless AP) authenticates a supplicant (the station attached to a port, whether over an Ethernet or wireless NIC) by consulting a local ACL or an external authentication server [Figure 1].

If authentication succeeds, the supplicant is granted access to the LAN port and associated network resources. If authentication fails, the supplicant is effectively locked out of the AP and thus the network behind it.

On the surface, this sounds much like traditional PPP session control, as implemented with PAP/CHAP authentication. Indeed, the 802.1x framework is based on the Extensible Authentication Protocol (EAP) originally developed as a PPP authentication protocol negotiated during LCP. With 802.1x, the authenticator and supplicant exchange EAP messages over the LAN (EAPOL). The authenticator proxies the EAP messages to a back-end AAA server by carrying them in the EAP-Message attribute of RADIUS Access-Request packets; the server answers with Access-Challenge, Access-Accept, or Access-Reject.
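The RADIUS leg of that relay, as an added example that is not the column's own code: the authenticator wraps each EAP message in an Access-Request (RFC 2865, with the EAP-Message and Message-Authenticator attributes of RFC 3579) and checks the server's reply. The attribute numbers and authenticator rules are from those RFCs; the EAP bytes, the shared secret and the wordlist are constructed demo values. The last function shows the "conventional RADIUS shared secret vulnerability" mentioned in the conclusion: one captured request/response pair lets an observer test secret guesses offline.

```python
"""RADIUS encapsulation of EAP as done by an 802.1x authenticator (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19

def attr(atype, value):
    """RADIUS attribute: Type(1) Length(1, header included) Value(<=253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value

def attrs_of(packet):
    """Yield (type, value) for each attribute after the 20-byte header."""
    i = 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        yield atype, packet[i + 2:i + alen]
        i += alen

def assemble(code, ident, authenticator, attrs):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def with_message_authenticator(code, ident, authenticator, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with the MA value zeroed)."""
    attrs = list(attrs) + [attr(MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = hmac.new(secret, assemble(code, ident, authenticator, attrs), hashlib.md5).digest()
    attrs[-1] = attr(MESSAGE_AUTHENTICATOR, mac)
    return assemble(code, ident, authenticator, attrs)

def access_request(ident, username, eap_msg, secret, request_auth=None):
    """AP -> AAA. The Request Authenticator is 16 random bytes; an EAP packet longer
    than 253 bytes is split across consecutive EAP-Message attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = [attr(USER_NAME, username),
             attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))]
    attrs += [attr(EAP_MESSAGE, eap_msg[i:i + 253]) for i in range(0, len(eap_msg), 253)]
    return with_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)

def access_response(code, request, eap_msg, secret):
    """AAA -> AP (Challenge/Accept/Reject). The MA is computed with the request's
    authenticator in the header; the Response Authenticator then replaces it and is
    MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    ident, request_auth = request[1], request[4:20]
    pkt = with_message_authenticator(code, ident, request_auth, [attr(EAP_MESSAGE, eap_msg)], secret)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def verify_message_authenticator(packet, secret, request_auth=None):
    """Recompute the HMAC with the MA zeroed; for a response, pass the request's authenticator."""
    authenticator = request_auth or packet[4:20]
    attrs, found = [], None
    for atype, value in attrs_of(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            found, value = value, bytes(16)
        attrs.append(attr(atype, value))
    if found is None:
        return False  # RFC 3579: EAP-Message without a Message-Authenticator must be discarded
    expected = hmac.new(secret, assemble(packet[0], packet[1], authenticator, attrs), hashlib.md5).digest()
    return hmac.compare_digest(found, expected)

def verify_response(response, request, secret):
    """AP side: the Response Authenticator and the Message-Authenticator must both check out."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return (hmac.compare_digest(expected, response[4:20])
            and verify_message_authenticator(response, secret, request[4:20]))

def eap_messages(packet):
    """Reassemble the EAP packet from one or more EAP-Message attributes."""
    return b"".join(v for t, v in attrs_of(packet) if t == EAP_MESSAGE)

def guess_shared_secret(request, response, candidates):
    """Offline dictionary test against the MD5-based Response Authenticator."""
    for cand in candidates:
        if hashlib.md5(response[:4] + request[4:20] + response[20:] + cand).digest() == response[4:20]:
            return cand
    return None

if __name__ == "__main__":
    SECRET = b"s3cret"                                 # constructed; far too short for real use
    identity = bytes([2, 1, 0, 10, 1]) + b"alice"      # EAP Response/Identity: code 2, id 1, len 10, type 1
    req = access_request(7, b"alice", identity, SECRET)
    tls_start = bytes([1, 2, 0, 6, 13, 0x20])          # EAP Request, type 13 (EAP-TLS), S (start) flag set
    chal = access_response(ACCESS_CHALLENGE, req, tls_start, SECRET)
    print("challenge verifies:", verify_response(chal, req, SECRET))
    print("guessed secret:", guess_shared_secret(req, chal, [b"password", b"radius", b"s3cret"]))
```

Two practical points follow from the code: a server must refuse any EAP-carrying packet whose Message-Authenticator is missing or wrong, and because the Response Authenticator is only an MD5 over the packet and the secret, a short or dictionary-word shared secret between AP and AAA server is recoverable by anyone who can sniff that link.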

Applying 802.1x to 802.11 Wireless

The 802.1x framework can be applied to any IEEE 802 LAN technology. The rest of this column explains how this generic framework is used today with 802.11 wireless LANs.

When an 802.11 wireless station associates with an AP that requires 802.1x authentication, the AP blocks the port to all traffic except for EAPOL. The station sends the AP an EAP over wireless (EAPOW) start message [Figure 2]. The AP responds with an EAP request for the station's identity. That identity is an EAP-level name (typically a user name or Network Access Identifier), not the station's MAC address; the AP already knows the MAC address from association, and it is trivially spoofed.

The AP can reject the request at this point. But, in most cases, the AP relays the EAP ID along to an AAA server, using a RADIUS Access Request. Depending upon the EAP type being used, the AAA server responds with one or more RADIUS Access Challenge(s). Each Challenge carries an EAP message that requests authentication information from the station.

The station must respond to each Challenge with appropriate credentials, which are relayed back to the AAA server in RADIUS Access Requests. This exchange is open-ended, allowing for authentication method negotiation, retransmission after message loss, and retries after data-entry errors. When authentication is successful, the exchange ends with a RADIUS Access Accept and EAP Success. The AP removes the EAPOL filter from the port and henceforth accepts any 802.11 traffic from the authenticated station.
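The exchange described above, as an added example that is not the column's own code: EAPOL framing per IEEE 802.1x-2001 and EAP packets per RFC 2284, with an authenticator port that passes nothing but EAPOL until the server returns EAP Success. The RADIUS leg is abstracted into a callable, and the AAA stand-in runs EAP MD5-Challenge so the dialog has a real second round; the MAC addresses, identity and password are constructed demo values.

```python
"""EAPOL/EAP framing and the 802.1x controlled port (added example)."""
import hashlib
import os
import struct

ETHERTYPE_EAPOL = b"\x88\x8e"
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4

def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("malformed EAP packet")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:length]

def eapol_frame(dst, src, ptype, body=b""):
    """Ethernet header, then EAPOL: Version(1)=1 Type(1) Length(2) Body."""
    return dst + src + ETHERTYPE_EAPOL + struct.pack("!BBH", 1, ptype, len(body)) + body

def parse_eapol(frame):
    """(type, body) for an EAPOL frame; None for any other frame (IP, ARP, ...)."""
    if len(frame) < 18 or frame[12:14] != ETHERTYPE_EAPOL:
        return None
    ptype, length = frame[15], struct.unpack("!H", frame[16:18])[0]
    if 18 + length > len(frame):
        raise ValueError("truncated EAPOL frame")
    return ptype, frame[18:18 + length]

class AuthenticatorPort:
    """One controlled port on the AP: while unauthorized, only EAPOL gets through."""
    def __init__(self, ap_mac, aaa):   # aaa(eap_response) -> next EAP packet from the server
        self.ap_mac, self.aaa, self.authorized, self.sent = ap_mac, aaa, False, []

    def _send(self, dst, eap):
        self.sent.append(eapol_frame(dst, self.ap_mac, EAPOL_EAP_PACKET, eap))

    def receive(self, frame):   # returns 'forwarded' (onto the LAN), 'dropped', or 'eapol'
        eapol = parse_eapol(frame)
        if eapol is None:
            return "forwarded" if self.authorized else "dropped"
        src, (ptype, body) = frame[6:12], eapol
        if ptype == EAPOL_START:                  # station asks to authenticate
            self._send(src, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        elif ptype == EAPOL_LOGOFF:
            self.authorized = False
        elif ptype == EAPOL_EAP_PACKET and parse_eap(body)[0] == EAP_RESPONSE:
            reply = self.aaa(body)                # a real AP relays this inside RADIUS
            rcode = parse_eap(reply)[0]
            if rcode in (EAP_SUCCESS, EAP_FAILURE):
                self.authorized = rcode == EAP_SUCCESS
            self._send(src, reply)                # next Request, Success or Failure to the station
        return "eapol"

def md5_response(ident, password, challenge):   # RFC 2284: MD5(Identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

class Md5ChallengeServer:
    """Constructed AAA stand-in: Identity -> MD5-Challenge -> Success/Failure."""
    def __init__(self, passwords):
        self.passwords, self.pending = passwords, {}   # identity -> (expected id, challenge)

    def __call__(self, response):
        _, ident, eap_type, data = parse_eap(response)
        if eap_type == EAP_TYPE_IDENTITY:
            challenge = os.urandom(16)
            self.pending[bytes(data)] = (ident + 1, challenge)
            return eap_packet(EAP_REQUEST, ident + 1, EAP_TYPE_MD5, bytes([16]) + challenge)  # Value-Size || Value
        if eap_type == EAP_TYPE_MD5:
            for user, (rid, challenge) in self.pending.items():
                expected = md5_response(ident, self.passwords.get(user, b""), challenge)
                if rid == ident and data[1:1 + data[0]] == expected:
                    return eap_packet(EAP_SUCCESS, ident)
        return eap_packet(EAP_FAILURE, ident)

def supplicant_reply(request, identity, password):
    """The station's answers to Request/Identity and Request/MD5-Challenge."""
    _, ident, eap_type, data = parse_eap(request)
    if eap_type == EAP_TYPE_IDENTITY:
        return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity)
    if eap_type == EAP_TYPE_MD5:
        digest = md5_response(ident, password, data[1:1 + data[0]])
        return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + digest)
    raise ValueError("unsupported EAP type")

def run_exchange(identity, password, password_db):
    """Drive one station through 802.1x; return (authorized?, [port decision before, after])."""
    sta, ap = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
    port = AuthenticatorPort(ap, Md5ChallengeServer(password_db))
    ip_frame = ap + sta + b"\x08\x00" + b"constructed IP payload"
    before = port.receive(ip_frame)                  # unauthorized port: dropped
    port.receive(eapol_frame(ap, sta, EAPOL_START))
    while parse_eap(parse_eapol(port.sent[-1])[1])[0] == EAP_REQUEST:
        request = parse_eapol(port.sent[-1])[1]
        port.receive(eapol_frame(ap, sta, EAPOL_EAP_PACKET, supplicant_reply(request, identity, password)))
    return port.authorized, [before, port.receive(ip_frame)]
```

Running run_exchange(b"alice", b"demo-password", {b"alice": b"demo-password"}) walks Start, Request/Identity, Response/Identity, Request/MD5-Challenge, Response/MD5-Challenge and Success, and the same IP frame that was dropped before authentication is forwarded afterwards. Note that the port decision keys only on the frame's source address, which is the hijacking problem the conclusion describes: without encryption bound to the authenticated session, anyone can borrow the authorized station's MAC address.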

Note that the AP does not need to recognize the station's credentials or know the station's access privileges. 802.1x lets this knowledge and control be centralized at the AAA server, simplifying administration in larger networks with many APs.

EAP Is Just A Framework

As the name suggests, EAP is an extensible authentication framework. It was designed to support many different authentication methods. Before a wireless station can authenticate itself, all parties - the station, AP, and AAA server - must support the same EAP type. Once again, the problem with standards is that there are so many of them. EAP types in use range from MD5-Challenge (a one-way password challenge that authenticates only the station and derives no keys) to TLS, TTLS, and Cisco's LEAP, and they differ widely in strength.

EAP types like TLS and TTLS protect the authentication dialog with TLS: EAP-TLS authenticates both sides with certificates in a TLS handshake, while EAP-TTLS uses a TLS tunnel established by the server's certificate to protect a simpler inner method such as a password. Both provide confidentiality and message integrity for the authentication dialog, and both yield keying material from which dynamically-generated session keys can be derived.

Handing Out Session Keys

Access control is ultimately ineffective if intruders can simply replay captured messages or send forged messages, masquerading as the authenticated station. Therefore, it is critical to combine 802.1x with confidentiality and integrity measures. In today's wireless LANs, this usually means WEP.

As previously mentioned, WEP is not very robust. Without a standard for key distribution, WEP keys tend to be static - manually configured into every node and rarely updated. Furthermore, WEP's 24-bit initialization vector is far too short (a busy AP cycles through the whole IV space in hours, after which keystream repeats), and RC4's key scheduling leaks key bytes when, as in WEP, a changing IV is prepended to a fixed secret (Fluhrer, Mantin, Shamir). Once a WEP key is cracked, security for the entire WLAN can be compromised for a long time.
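What the short IV costs in practice, as an added example that is not from the column: a toy WEP encapsulation (IV || key seeding RC4, CRC-32 ICV) in which two frames sent under the same IV share a keystream. One known plaintext then decrypts every other frame with that IV and lets an attacker forge frames whose ICV verifies, all without learning the key. The shared-key authentication exchange mentioned earlier is exactly such a known-plaintext pair. The key, IV and payloads are constructed demo values; the ICV byte order follows common implementations.

```python
"""Keystream reuse under WEP's 24-bit IV (added example)."""
import struct
import zlib

def rc4(key, length):
    """Plain RC4: key-scheduling (KSA) then keystream generation (PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(plaintext):
    """WEP integrity check value: CRC-32 of the plaintext (little-endian on the wire)."""
    return struct.pack("<I", zlib.crc32(plaintext))

def wep_keystream(iv, key, length):
    """WEP seeds RC4 with IV(3 bytes) || shared key (5 or 13 bytes)."""
    return rc4(iv + key, length)

def wep_encrypt(iv, key, plaintext):
    """Frame body: IV || key-id byte || RC4(plaintext || ICV)."""
    return iv + b"\x00" + xor(plaintext + icv(plaintext), wep_keystream(iv, key, len(plaintext) + 4))

def wep_decrypt(key, frame):
    """Return the plaintext, or None if the ICV does not verify."""
    iv, body = frame[:3], frame[4:]
    pt = xor(body, wep_keystream(iv, key, len(body)))
    data, check = pt[:-4], pt[-4:]
    return data if icv(data) == check else None

def recover_keystream(frame, known_plaintext):
    """Ciphertext XOR known plaintext (with its ICV) = the keystream for that IV."""
    return frame[:3], xor(frame[4:], known_plaintext + icv(known_plaintext))

def decrypt_with_keystream(frame, iv, keystream):
    """Decrypt any other frame that reused the IV; no key required."""
    if frame[:3] != iv or len(frame) - 4 > len(keystream):
        return None
    return xor(frame[4:], keystream)[:-4]

def forge_frame(iv, keystream, plaintext):
    """Encrypt attacker-chosen data under the recovered keystream; the receiver's ICV check passes."""
    if len(plaintext) + 4 > len(keystream):
        raise ValueError("recovered keystream too short for this payload")
    return iv + b"\x00" + xor(plaintext + icv(plaintext), keystream)

def hours_to_exhaust_iv_space(frames_per_second):
    """How long a sender needs to use every one of the 2^24 IVs at a steady frame rate."""
    return 2 ** 24 / frames_per_second / 3600

if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x0a\x0b\x0c"          # constructed 40-bit key and IV
    f1 = wep_encrypt(iv, key, b"GET /index.html HTTP/1.0\r\n")  # attacker guesses this plaintext
    f2 = wep_encrypt(iv, key, b"password=hunter2")              # same IV: same keystream
    _, ks = recover_keystream(f1, b"GET /index.html HTTP/1.0\r\n")
    print(decrypt_with_keystream(f2, iv, ks))                   # b'password=hunter2'
    print(wep_decrypt(key, forge_frame(iv, ks, b"attacker data")))
    print(round(hours_to_exhaust_iv_space(500), 1), "hours at 500 frames/s")
```

The attacker never touches the key; only the reused IV matters. The FMS key-recovery attack cited in the resources goes further and recovers the key itself from many IVs, but IV reuse alone already defeats both confidentiality and the linear CRC-32 integrity check, which is why TKIP and its successors had to replace both.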

802.1x reduces WEP key vulnerability by delivering dynamic session keys to each authenticated station. An optional EAPOW Key message at the end of 802.1x authentication can deliver keys generated by the AP or AAA server. Unicast keys are known to a single station and have a finite lifetime, encrypting frames on one port until the station disconnects or re-authenticates. Dynamic session keys shorten an attacker's window of opportunity and narrow the impact of any compromised key.

Although 802.1x improves WLAN security, it does not actually fix or replace WEP. Other IEEE standards must do that. Later this year, a Temporal Key Integrity Protocol (TKIP) will add a true message integrity check, a 48-bit sequence counter for replay protection, and per-packet key mixing that avoids the weak RC4 keys WEP exposes. These will be combined with rapid re-keying - so rapid that re-keying may not depend on re-authentication. Next year, WEP will be replaced by an entirely new encapsulation, carrying payload encrypted by AES.

Using 802.1x Today

To implement 802.1x port access control and authentication in your wireless LAN, you'll need stations, access points, and an AAA server that speak the same language.

Currently, Windows XP is the only operating system with out-of-the-box 802.1x EAP-TLS support [Figure 3]. Add-on 802.1x clients are also available from Cisco (LEAP) and Funk (EAP-TTLS). By the time you read this, there may well be others.

Wireless NIC and AP vendors that support 802.1x include Agere, Cisco, and Enterasys. Several AAA servers are beginning to roll out EAP support, including Microsoft IAS, Funk SBR and Odyssey, Interlink RAD-E and RAD-P, and Cisco ACS.

Depending upon the EAP type that you choose, you may also need digital certificates. If you have already deployed Microsoft's Active Directory and CA, you can leverage these to create and distribute certificates to Windows XP wireless clients. Those companies without a PKI in place - or that simply prefer not to use client-side certificates - may prefer EAP-TTLS or LEAP.

Conclusion

802.1x is a giant stride forward, but it isn't yet perfect. Conventional RADIUS shared secret vulnerabilities apply between the AP and AAA server. MAC address spoofing is easy if 802.1x is used without encryption. Even with encryption, there's still a race condition during key delivery that enables session hijacking. EAP types that lack mutual authentication may be vulnerable to man-in-the-middle attacks.

In February, researchers at the University of Maryland published a report describing MITM and hijack attacks that might work against 802.1x. These attacks exploit known vulnerabilities that are being addressed by IEEE 802.11 TGi. Emerging security measures like the new message integrity check in TKIP will help.

Ultimately, it is important to realize that 802.1x is a relatively new standard. Like any new standard, 802.1x must be road-tested and refined through field trials and active deployment. With backing from major industry players, this standard is fast finding its way into commercial products. If you have these products at your disposal, start experimenting with 802.1x now. Doing so may improve the security of your WLAN today - and leave you well-positioned to adopt advanced security standards tomorrow.

Resources

IEEE Std 802.11-1999 Wireless LAN MAC and PHY Specifications

Weaknesses in the Key-Scheduling Algorithm of RC4 (Fluhrer, Mantin, Shamir)

IEEE Std 802.1x-2001 Port-Based Network Access Control

An Initial Security Analysis of the IEEE 802.1x Standard (Arbaugh, Mishra)

PPP EAP TLS Authentication Protocol (Aboba, Simon)

EAP Tunneled TLS Authentication Protocol (Funk, Blake-Wilson)

The Unofficial 802.11 Security Web Page (Aboba)


© 2002 - 2006 Core Competence & Mactivity, Inc.