802.11 Frame Exchanges – Security #CWAP7
The 802.11 Frame Exchanges section accounts for 25% of the syllabus for the CWAP-403 exam. Potentially around 15 questions out of 60 in the exam can be expected from this section. This blog post focuses on the “security” component of 802.11 Frame Exchanges. I will be focusing on other sections in subsequent posts over the next week or two. Let’s begin!
Authentication is the 1st step required to connect to an 802.11 BSS. Both authentication and association must occur in order to successfully pass wireless traffic over to the AP and further. IEEE 802.11i-2004 defines RSNA. Open System & Shared Key Authentication are pre-RSNA methods, i.e. they predate RSNA. The 802.11 authentication merely establishes an initial connection between the client and the access point, basically validating or authenticating that the STA is a valid 802.11 device.
- Open System Authentication > Allows any device to authenticate and then attempt to communicate with the AP. The STA can communicate only if its Wired Equivalent Privacy (WEP) keys match the AP's.
- Shared Key Authentication > Not used anymore. Requires a static WEP key configured on the STA and the AP.
Open System authentication and association between the client STA and the AP occur prior to the 802.1X/EAP authentication exchange between the client STA and the RADIUS server.
WLAN Encryption Methods
- WEP (Wired Equivalent Privacy)
  - Weak / Vulnerable / No protection against replay attacks
  - Open/Shared Authentication
- TKIP (Temporal Key Integrity Protocol) (RSN)
  - Uses dynamically created encryption keys as opposed to static keys.
  - 128-bit temporal key can either be a pairwise transient key (PTK) or group temporal key (GTK) used to encrypt
  - WPA-PSK & WPA-Enterprise
  - Can be vulnerable against certain attacks.
- CTR with CBC-MAC Protocol (CCMP) (RSN)
  - CTR – Counter mode is used for data confidentiality.
  - CBC-MAC (cipher-block chaining message authentication code) is used for integrity.
  - Used with the AES block cipher with a 128-bit key
- SAE (Simultaneous Authentication of Equals)
  - SAE is also known as Dragonfly Key Exchange and has a forward secrecy feature.
  - WPA3 Personal – 128-bit SAE, Enterprise – 192-bit SAE
  - Not vulnerable to KRACK attacks and offline dictionary attacks.
The information protected by these L2 encryption methods is the data found in layers 3-7. L2 encryption methods are used to provide data privacy for 802.11 data frames. These methods encrypt the MSDU payload of an 802.11 data frame.
| Security Protocols | WEP | TKIP (WPA) | CCMP (WPA2) | OWE (Opportunistic Wireless Encryption) |
|---|---|---|---|---|
| Cipher | RC4 | RC4 | AES | AES-GCM & Elliptic Curve Cryptography |
| Key | 40/104 bits | 128 bits | 128 bits | 192 bits |
| Authentication | N/A | IEEE 802.1X/EAP/PSK | IEEE 802.1X/EAP/PSK | WPA3 Personal / Enterprise |
| Data integrity | CRC32 | MIC | CCMP | Secure Hash Algorithm-2 for each input |
| IV Length | 24 bits | 48 bits | 48 bits | 24 bits |
RSNA (Robust Security Network Association)
First published & ratified as IEEE 802.11i-2004, it defined stronger encryption and better authentication methods. It is now part of the 802.11-2007 standard. An association between two stations is referred to as an RSNA, which means the two radios should share dynamic encryption keys that are unique between those two radios. CCMP/AES is mandatory, TKIP/RC4 is optional. All client stations have to undergo a unique RSNA process called the 4-way handshake.
The RSN information element field is found in 4 management frames: beacon, probe, association request and reassociation request frames. Client STAs use the association request frame & reassociation request frame (in case of roaming to/from) to inform the AP about their security capabilities.
RSN information element – AES(CCMP) used in the below frame example.
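The layout of that element can also be shown in code. The parser below is an added example, not part of the original post: it decodes the version, group cipher, pairwise cipher list and AKM list of an RSN information element and reports any pre-CCMP cipher still advertised. The suite type numbers are those assigned under OUI 00-0F-AC in IEEE 802.11; the two sample elements are constructed, and the parser assumes the cipher and AKM fields are present.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 8: "SAE"}
WEAK = {"WEP-40", "WEP-104", "TKIP"}

def _suite(raw, names):
    """Decode one 4-byte suite selector: 3-byte OUI followed by 1-byte type."""
    if raw[:3] != RSN_OUI:
        return "vendor:" + raw.hex()
    return names.get(raw[3], "unknown(%d)" % raw[3])

def _suite_list(body, off, names):
    """Read a little-endian 16-bit count, then that many suite selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return [_suite(body[i:i + 4], names) for i in range(off + 2, end, 4)], end

def parse_rsn_ie(ie):
    """Parse an RSN information element (element ID 48) into a dict."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 6:
        raise ValueError("truncated RSN information element")
    (version,) = struct.unpack_from("<H", body, 0)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    return {"version": version, "group": _suite(body[2:6], CIPHERS),
            "pairwise": pairwise, "akm": akm}

def weak_ciphers(rsn):
    """Return the pre-CCMP ciphers (WEP, TKIP) this element still advertises."""
    return sorted(WEAK & ({rsn["group"]} | set(rsn["pairwise"])))

# Constructed sample elements (not captured from a real network).
CCMP_PSK = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
MIXED = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000")

if __name__ == "__main__":
    for ie in (CCMP_PSK, MIXED):
        rsn = parse_rsn_ie(ie)
        print(rsn, "weak:", weak_ciphers(rsn))
```

A TKIP group cipher next to a CCMP pairwise cipher, as in the second sample, is what a WPA/WPA2 mixed-mode BSS advertises.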
The 802.1X standard is a port-based access control standard. It provides an authorization framework that allows or disallows traffic to pass through a port, thereby granting access to network resources. 802.1X can be implemented in either wireless or wired environments. It uses the L2 protocol called EAP (Extensible Authentication Protocol), and the framework consists of 3 major components.
- Supplicant > Client STA
- Authenticator > AP or WLAN Controller.
- Authentication Server > Usually RADIUS (NPS), ISE (Cisco)
EAP is defined in IETF RFC 2284 and ratified in IETF RFC 3748, and provides support for many authentication methods.
- L2 Protocol
- Two-way authentication, also called mutual authentication.
- EAP messages are encapsulated in EAP over LAN (EAPOL)
- Five major types of EAPOL messages as shown below
The stronger and more commonly deployed methods of EAP use TLS (Transport Layer Security) or TLS-tunneled authentication. EAP-MD5 and EAP-LEAP have only 1 supplicant identity, making them weaker EAP types. EAP-TLS uses 2 supplicant identities – an outer and an inner identity. The outer identity is effectively a bogus username and can be seen in clear text, while the inner identity is the true identity, protected by the TLS tunnel. The table below describes all the protocols with their characteristics.
| 802.1X EAP Types Feature / Benefit | MD5 — Message Digest 5 | TLS — Transport Level Security | TTLS — Tunneled Transport Level Security | PEAP (WIDELY USED) Protected Transport Level Security | FAST — Flexible Authentication via Secure Tunneling | LEAP — Lightweight Extensible Authentication Protocol |
|---|---|---|---|---|---|---|
| Client-side certificate required | no | yes | no | no | no (PAC) | no |
| Server-side certificate required | no | yes | yes | yes | no (PAC) | no |
| WEP key management | no | yes | yes | yes | yes | yes |
| Rogue AP detection | no | no | no | no | yes | yes |
| Authentication Attributes | One way | Mutual | Mutual | Mutual | Mutual | Mutual |
| Deployment Difficulty | Easy | Difficult (because of client certificate deployment) | Moderate | Moderate | Moderate | Moderate |
| Wi-Fi Security | Poor | Very High | High | High | High | High when strong passwords are used. |
The 802.11-2007 standard requires that EAPOL-Key frames be used to exchange cryptographic information between STA supplicants and the authenticator, which is usually an AP. EAPOL-Key frames are used for the implementation of three different frame exchanges: the 4-way handshake, the group key exchange & the PeerKey handshake. The 4-way handshake is the final process used to generate the pairwise transient key (PTK) for the encryption of unicast transmissions and the group temporal key (GTK) for the encryption of broadcast/multicast transmissions.
The 4-way handshake uses a pseudorandom function (PRF), which hashes various inputs to derive a value. The PMK is one of the inputs combined with other inputs to create the pairwise transient key (PTK). Some of the other inputs used by the PRF are called nonces. A nonce is a random numerical value that is generated one time only. In the case of the 4-way handshake, a nonce is associated with the PMK. Two nonces are created in the 4-way handshake – the authenticator nonce (anonce) and the supplicant nonce (snonce).
PTK = PRF(PMK + anonce + snonce + aa (Authenticator MAC) + spa (Supplicant MAC))
M1 – Message 1
- Authenticator sends EAPOL-Key frame containing “anonce” to supplicant
- With this info, the supplicant has all the necessary inputs to generate the PTK using the PRF
M2 – Message 2
- Supplicant sends an EAPOL-Key frame containing “snonce” to the authenticator
- Authenticator has all the inputs to create PTK
- Supplicant also sends RSN IE capabilities to Authenticator & MIC (message integrity code)
M3 – Message 3
- If necessary, Authenticator will derive GTK from GMK
- Authenticator sends EAPOL-Key frame containing “anonce”, RSN-IE and a MIC.
- GTK (encrypted with PTK) delivered to the supplicant.
- Message to supplicant to install temporal keys.
M4 – Message 4
- Supplicant sends final EAPOL-key frame to authenticator to confirm temporal keys have been installed.
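The PTK formula and the M1/M2 exchange above can be traced in code. This is an added example, not part of the original post: it assumes the HMAC-SHA1 PRF and the "Pairwise key expansion" label that IEEE 802.11 specifies for PSK and 802.1X AKMs with CCMP, where the 384-bit PTK splits into a KCK (keys the MIC), a KEK (wraps the GTK) and the TK. The MAC addresses, PMK and M2 frame body are constructed placeholders, not a real EAPOL-Key layout.

```python
import hashlib
import hmac
import os

LABEL = b"Pairwise key expansion"

def prf(key, label, data, n_bytes):
    """802.11 PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < n_bytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:n_bytes]

def derive_ptk(pmk, anonce, snonce, aa, spa):
    """PTK = PRF(PMK, anonce, snonce, aa, spa), split into KCK | KEK | TK."""
    # Sorting each pair lets both sides build byte-identical PRF input.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, LABEL, data, 48)  # 384 bits for CCMP
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

def mic(kck, frame):
    """HMAC-SHA1 truncated to 128 bits, keyed with the KCK."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def run_handshake(sta_pmk, ap_pmk, aa, spa):
    """Walk M1 and M2; return the shared TK, or None if the M2 MIC is rejected."""
    anonce = os.urandom(32)                    # M1: authenticator -> supplicant
    snonce = os.urandom(32)                    # supplicant's own nonce
    sta = derive_ptk(sta_pmk, anonce, snonce, aa, spa)
    m2_body = b"M2|" + snonce                  # placeholder frame body
    m2_mic = mic(sta["KCK"], m2_body)          # M2: supplicant -> authenticator
    ap = derive_ptk(ap_pmk, anonce, snonce, aa, spa)
    if not hmac.compare_digest(m2_mic, mic(ap["KCK"], m2_body)):
        return None                            # PMK mismatch: M3 is never sent
    return ap["TK"]

# Constructed sample values.
AA = bytes.fromhex("02aabbccdd01")
SPA = bytes.fromhex("02aabbccdd02")
PMK = bytes(range(32))

if __name__ == "__main__":
    print("TK:", run_handshake(PMK, PMK, AA, SPA).hex())
    print("wrong PMK:", run_handshake(PMK, bytes(32), AA, SPA))
```

The PMK never crosses the air in this exchange: only the nonces and the MIC do, and the MIC check in M2 is how the authenticator learns that the supplicant holds the same PMK.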
Group Key Handshake
The 802.11-2007 standard also defines a two-frame handshake that is used to distribute a new group temporal key to client STAs that have already obtained a PTK and GTK in a previous 4-way handshake. The Group Key Handshake (GKH) is used only to issue a new group temporal key to client STAs that have previously formed security associations. Effectively, the GKH is identical to M3/M4 in the 4-way handshake.
Fast BSS Transition (FT)
Published in 2008, 802.11r is the technical name for standardized fast secure roaming. It is an amendment to improve handoff from one AP to another. The handoff is the same with or without 11r: the device is what ultimately decides when and where to roam. 802.11r is often discussed in the context of WLAN controller architecture. A mobility domain is a group of APs that belong to the same ESS, where the client STA can roam in a fast and secure manner. FT BSS transitions can happen over-the-air or over-the-DS (Distribution System).
FT over-the-air (AP to AP, Same Controller)
- Client associates with AP1 and requests to roam to AP2
- Client sends a FT authentication request to AP2 and receive FT authentication response from AP2.
- Client sends FT reassociation request to AP2 and receives FT re-association response from AP2.
- Client completes the roaming from AP1 > AP2
FT over-the-air (AP-CONTROLLER|CONTROLLER-AP)(Inter-Controller)
- Step 1 & 2 similar to above steps.
- WLC-1 sends the PMK and a mobility message to WLC-2 about the roaming client that uses mobility infrastructure.
- Client completes the roaming from AP1 > AP2
FT over-the-DS (AP to AP, Same Controller)
- Client Associates to AP1 and requests to roam to AP2
- Client sends a FT authentication request to AP1 and receives a FT authentication response from AP1
- The controller sends the pre-authentication info to AP2, as the APs are members of the same controller.
- Client sends a FT re-association request to AP2 and receives a FT re-association response from AP2.
- Client completes its roaming
FT over-the-DS (AP to AP, Different Controller)
- Step 1 and 2 are similar to above steps.
- WLC-1 sends PMK and mobility message to WLC-2 about the roaming client
- Client completes its roam from AP1 to AP2.