The Inside Secrets Of WiFi Security

Strong mutual authentication — The client and access point must cryptographically prove their identities to each other.

Messages must have data origin protection — It must be possible to prove that sender of a message is genuine and not a man-in-the-middle.

Messages must have data integrity protection— It must be possible to prove that messages are not altered in transit.

Messages must have confidentiality — The contents of messages must only be viewable by the sender and receiver.

Supplicant: The client. The supplicant requests network access by associating to an access point and obtains network connectivity after authentication.

Authenticator: A wireless access point (AP) or WLAN switch. The authenticator keeps a WLAN closed to all unauthenticated traffic. It does not do authentication directly, but instead tunnels the extensible authentication protocol (EAP) to an authentication server.

Authentication server: The authentication server performs the client authentication and instructs the authenticator whether to allow the supplicant's traffic to pass, whether to open the port, or not. The authentication server might be a component of a WLAN switch or a separate entity, typically a RADIUS server (Figure 3).
Figure 3: Diagram showing an EAP implementation on a RADIOS server.

Choosing the Right EAP
EAP was originally defined for use with the PPP protocol (RFC 2284). It was then adapted by the IEEE to perform the actual authentication for 802.1x. Because of this, another name for 802.1X isor EAP over LAN (EAPoL).Unlike other authentication protocols, EAP does not force users into certain types of authentication, and it truly is extensible. Each type of EAP authentication is called a method. Some EAP methods use certificates and others use smart cards or usernames and passwords. Some EAP methods do mutual authentication while others only authenticate the client. Since 802.11 security requires mutual authentication it is obvious that not all EAP methods are appropriate for use in a wireless network.

Different network installations have different security requirements and network administrators must choose the EAP method that best matches their requirements of security, ease-of-use, and ease-of-management. Some may also require leveraging of an existing authentication infrastructure such as a database of usernames and passwords in a RADIUS database.

Choosing which EAP method to deploy in your network is an important aspect of developing a secure WLAN design. Not only does it impact every user it also potentially imposes significant administrative requirements. As its name implies, EAP is extensible to many different authentication protocols, such transport layer security (TLS), Microsoft's Challenge Handshake Authentication Protocol (MSCHAPv2), tunneled TLS (TTLS), and subscriber identification modules (SIM), each of which provides different features.

The most commonly used authentication method is PEAP/MSCHAPv2 that actually performs two EAP methods in one. The first is to authenticate the access point or WLAN switch using TLS while the second is to authenticate the client using Microsoft's MSCHAPv2. PEAP/MSCHAPv2 is widely deployed and ships by default on all recent versions of Microsoft operating systems, covering PCs, laptops, PDAs, and smartphones. PEAP/MSCHAPv2 requires a username/password combination on the client side (the supplicant) and a server side certificate on the network side (the authenticator).

Another common EAP method (EAP-TLS) also uses a server-side digital certificate, and additionally requires the client to authenticate using a digital certificate. This solution has the benefit of strong security but is balanced by its more stringent administrative requirements (because of the necessity of a PKI) as well as end-user education.Encryption
Upon the conclusion of 802.1x and EAP, the authenticator and supplicant share an authenticated key, called the pairwise master key (PMK). This key is used with an 802.11i exchange called the "four-way handshake" to establish per-client keys to perform bulk data protection (as mentioned above, message source authentication, message integrity assurance, and message confidentiality) for use with:

In addition to the above, it is possible to use the result of the 802.1x/EAP exchange directly and not use any post authentication handshake. The PMK can directly be used to provide:

It must be noted, though, that both of these techniques still suffer from the use of WEP and should be avoided.

Fast-Handoff
A hand-off occurs when a user roams from one access point to another. This starts a discovery phase and the user's client begins to scan different channels for an AP with which to associate. When an AP is detected that has the right level of services — such as encryption and quality of service — the client tries to obtain network access by associating (or re-associating) with an AP.

In a pre-802.11i implementation (WPA or dynamic WEP), it is necessary to perform a full 802.1x/EAP exchange between the supplicant and the authentication server to derive a new PMK with which to perform bulk data protection.With 802.11i, a full 802.1x/EAP re-authentication can be skipped because the client has already been authenticated. The client and WLAN switch forgo the key management and authentication protocol by retaining the PMK in a cache, and go straight to the four-way handshake to establish a new set of session keys on a new AP. When session keys are established, the client finishes the hand-off process. This reduces the latency to establish security state on the new AP from the hundreds of milliseconds to the tens of milliseconds, enough to maintain a VoIP call.

The client initiates PMK caching by asserting a "PMK ID" in its associate request. It says, "I already have a PMK identified by this PMK ID and I want to use it". If the 802.1x authenticator has a PMK identified by that PMK ID it can just jump to the "four-way handshake". If it doesn't, then it requires full re-authentication and indicates this by initiating an 802.1x exchange..

Eliminating the re-authentication step and trimming upwards of 800 milliseconds off the hand-off time when mobile users roam from AP to AP makes the deployment of delay-sensitive applications like voice over wireless much more practical and reliable.

Wrap Up
With the introduction of 802.11i it is possible to provide wireless security using cryptographically proven techniques. In addition, it is possible to use 802.11i constructs to establish security state on a new AP to effect a fast handoff. When deliberating on new wireless security offerings make sure that 802.11i with CCMP and PMK caching is provided. It solves real security problems using cryptographically proven methods in a forward-looking manner.

About the Authors

Dan Harkins is the chief security architect at Trapeze Networks and the author of Internet Key Exchange (IKE) standard for IPsec. Dan can be reached at [email protected].0