
TGi security overview

TGi security overview. Tim Moore, Microsoft Corporation; Clint Chaplin, Symbol Technologies. Section numbers based on Draft 1.8. Topics: Beacon/Probe/Associate; 802.1X authentication using RADIUS; EAP/EAP-TLS; key hierarchy; key derivations; nonces; key management; per-packet TKIP; per-packet AES.


Presentation Transcript


  1. TGi security overview Tim Moore, Microsoft Corporation Clint Chaplin, Symbol Technologies Tim Moore, Microsoft; Clint Chaplin, Symbol

  2. Section numbers based on Draft 1.8 • Beacon/Probe/Associate • 802.1X authentication using RADIUS • EAP/EAP-TLS • Key Hierarchy • Key derivations • Nonces • Key Management • Per packet TKIP • Per packet AES • Re-associate

  3. Beacon • Search for APs that support Enhanced security • Select ESN • Capability bit (bit 11) (7.3.1.4) • Select Authentication Suite • Beacon • Authentication Suite IE (7.3.2.17) • OUI 00:00:00:03 is 802.1X (default) • Since optional should attempt to associate if no Auth suite IE • Select cipher suites (7.3.2.X) • Beacon • Contains unicast and multicast cipher suite IE (7.3.2.18, 19) • OUI 00:00:00:01 TKIP • OUI 00:00:00:02 AES (default) • Since optional should attempt to associate if no Cipher suite IE

  4. Probe Request/Response • Select ESN • Capability bit (bit 11) (7.3.1.4) • Select Authentication • Probe response • Authentication IE (7.3.2.17) • OUI 00:00:00:03 is 802.1X (default) • Since optional should attempt to associate if no Auth suite IE • Select cipher suite • Probe response • Contains unicast and multicast cipher suite IE (7.3.2.18, 19) • OUI 00:00:00:01 TKIP • OUI 00:00:00:02 AES (default) • Since optional should attempt to associate if no cipher suite IE

  5. Association Request/Response • Select ESN • Capability bit (bit 11) (7.3.1.4) • Select Authentication • Associate request/response • Authentication IE (7.3.2.17) • OUI 00:00:00:03 is 802.1X (default) • Select cipher suite • Associate request/response • Contains unicast and multicast cipher suite IE (7.3.2.18, 19) • OUI 00:00:00:01 TKIP • OUI 00:00:00:02 AES (default)

  6. 802.1X • 802.1X – IEEE 802.1X standard • Starts after association • Packets sent as unencrypted data • Credentials supported • Pre-shared key • Authentication (using a Radius server) • EAPOL-Start • Initiates 802.1X from client • EAPOL-Packet • Carries EAP messages • EAPOL-Key • Carries key updates

  7. 802.1X/Radius (RFC2865) • 802.1X exchange to Radius server • 802.1X carries EAP packets (RFC2284) • EAP packet carried over Radius in an EAP attribute • Authentication completes when Radius server sends either • Radius-Access-Accept: AP sends EAP_Success (in EAPOL-Packet) to station • Radius-Access-Reject: AP sends EAP_Failure • Master session keys need to be moved from Radius server to AP • Note the initial master session key derivation is at the Radius server • Described in Annex J – also used for pre-shared secret • Carried in Radius-Access-Accept • Radius attribute Annex K

  8. EAP (RFC2284) • EAP-Request • Identity – Request for user id • Notification – display message to user • MD5 – MD5 authentication • TLS – EAP-TLS authentication • … - other authentication methods • EAP-Response • Identity – user id • Notification – ack of display message • Nak – EAP auth method not supported • MD5 – MD5 auth • TLS – TLS auth • … - other auth methods • EAP-Success • Auth successful • EAP-Failure • Auth Failed

  9. 802.1X/Radius On 802.11 (message sequence diagram; participants: Laptop computer, Wireless Access Point, Radius Server; links: 802.11 between laptop and AP, Ethernet/RADIUS between AP and server) • Association • Access blocked • 802.11 Associate • EAPOL-Start • EAP-Request/Identity • EAP-Response/Identity • Radius-Access-Request • Radius-Access-Challenge • EAP-Request • EAP-Response (credentials) • Radius-Access-Request • Radius-Access-Accept • EAP-Success • Access allowed

  10. EAP-TLS (RFC2716) • A possible authentication method • Client cert auth to radius server • Server cert auth to client (optional) • Certs are often larger than an Ethernet frame so fragmented across multiple round trips • Master key generation • Master session key derivation • On station and Radius server • Fast reconnect • Re-authentication • Server caches TLS session information after TLS session terminates • Client and Server prove possession of master secret • Generates new master session key material • Reduces number of round trips and size of messages (no certs sent)

  11. EAP-TLS (Station on the left, AP on the right; "->" is station to AP, "<-" is AP to station)
      <- PPP EAP-Request/EAP-Type=EAP-TLS (TLS Start)
      -> PPP EAP-Response/EAP-Type=EAP-TLS (TLS client_hello)
      <- PPP EAP-Request/EAP-Type=EAP-TLS (TLS server_hello, TLS certificate, [TLS server_key_exchange,] [TLS certificate_request,] TLS server_hello_done)
      -> PPP EAP-Response/EAP-Type=EAP-TLS (TLS certificate, TLS client_key_exchange, [TLS certificate_verify,] TLS change_cipher_spec, TLS finished)
      <- PPP EAP-Request/EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished)
      -> PPP EAP-Response/EAP-Type=EAP-TLS

  12. EAP-TLS – fast reconnect (Station on the left, AP on the right; "->" is station to AP, "<-" is AP to station)
      <- PPP EAP-Request/EAP-Type=EAP-TLS (TLS Start)
      -> PPP EAP-Response/EAP-Type=EAP-TLS (TLS client_hello)
      <- PPP EAP-Request/EAP-Type=EAP-TLS (TLS server_hello, TLS change_cipher_spec, TLS finished)
      -> PPP EAP-Response/EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished)

  13. 802.1X pre-shared key • Pre-shared Key on stations that authenticate to each other • Pre-shared Key is the Master Key • Annex J is used to derive initial Master Session Keys • Nonce is not live: Source | Destination MAC address • Temporal keys not derived from initial Master Session Keys • EAPOL-Key messages send Nonce for key mapping keys • Next Master Session Key derivation includes liveness • Derived Temporal Keys

  14. Key Hierarchy • Master key • Pre-shared key • Or Master key created by EAP method • During EAP authentication • Master session key (derived from APEnc(n-1), APIV(n-1)) • Expand from master key or from the previous temporal key • Sent from Radius server if using EAP via Radius server • Transient session key (derived from PAEnc) • Derived from master session key • Temporal Encrypt key (128 bits) • Truncated transient session key • Used as AES-OCB key • Temporal Auth key (64 bits) • Used in TKIP • EAPOL-Key message encryption key (APEnc) • Used to encrypt nonce or key material • EAPOL-Key message authentication key (PAAuth) • EAPOL-Key IV (PAIV) • Authenticator IE MIC key (APAuth) • Used to MIC key message • Per-packet key (TKIP only) • Derived from Temporal key

  15. TKIP Temporal Key Mapping Key Hierarchy

  16. Master key -> Master Session Key • Annex J • RFC2716 • RFC2246 • Takes a Nonce and expands from Master Temporal Key to 128 bytes of key material • PRF1 = PRF(K, "client EAP encryption", Nonce) • APEnc • PAEnc • APAuth • PAAuth • Generate 64 bytes of IV (Nonce) • PRF2 = PRF("", "client EAP encryption", Nonce) • APIV • PAIV

  17. Master Session Key Derivation

  18. PRF • TLS Section 5 – RFC2246 • PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed) • S1 is first half of secret • S2 is second half of secret

  19. Temporal key -> Master Session Key • Annex J • RFC2716 • RFC2246 • Takes a Nonce and expands from Temporal Key to 128 bytes of key material • PRF1 = PRF(K, "key expansion", Nonce) • APEnc • PAEnc • APAuth • PAAuth • Generate 64 bytes of IV (Nonce) • PRF2 = PRF("", "IV block", Nonce) • APIV • PAIV
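The PRF of slide 18 and the two expansions of slides 16 and 19, as an added Python example that is not part of the original presentation. The 32-byte field size and the slicing order (the order in which the slides list the names) are assumptions, since the Annex J offsets are not on this page; the function names and sample values are constructed.

```python
import hmac


def p_hash(alg: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 P_hash: concatenate HMAC(secret, A(i) + seed), with A(0) = seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, alg).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, alg).digest()
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)."""
    half = (len(secret) + 1) // 2  # odd-length secrets share the middle byte
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha_stream))


def derive_session_keys(k: bytes, nonce: bytes, key_label: bytes, iv_label: bytes) -> dict:
    """Expand K and a nonce into the six values named on slides 16 and 19."""
    prf1 = tls10_prf(k, key_label, nonce, 128)  # 128 bytes of key material
    prf2 = tls10_prf(b"", iv_label, nonce, 64)  # 64 bytes of IV, empty secret
    # ASSUMPTION: 32-byte fields, cut in the order the slides list the names.
    names = ("APEnc", "PAEnc", "APAuth", "PAAuth")
    keys = {n: prf1[i * 32:(i + 1) * 32] for i, n in enumerate(names)}
    keys["APIV"], keys["PAIV"] = prf2[:32], prf2[32:]
    return keys


if __name__ == "__main__":
    master_key = bytes(range(48))    # constructed sample value
    nonce = bytes(range(64))         # constructed sample value
    first = derive_session_keys(master_key, nonce,
                                b"client EAP encryption", b"client EAP encryption")
    # Constructed temporal key; the Annex I steps of slides 20-21 are not modelled.
    temporal_key = bytes(range(16))
    rekey = derive_session_keys(temporal_key, nonce, b"key expansion", b"IV block")
    for name in first:
        print(f"{name:7s} {first[name].hex()[:16]}...  rekey {rekey[name].hex()[:16]}...")
```

Because PRF2 uses an empty secret, APIV and PAIV depend only on the label and the nonce, so they provide no secrecy and serve purely as IVs.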

  20. Master Session Key -> Transient Session Key • Annex I • RFC3078/3079 • On PAEnc

  21. Transient Session Key Truncation to Temporal key • Annex I • Last 128 bits of transient session key • From PAEnc • Go back 2 slides for next key

  22. Nonce • Master session key derivation needs a nonce • First Master session key derivation • Nonce is generated by EAP method • Nonce needs to be same on both station and radius server so master session key material is the same • Following master session key derivation • Nonce is from the previous derivation • Sent from AP to station

  23. Key Management • EAPOL-Key for default/broadcast • Contains actual temporal key • Same key sent to all stations • EAPOL-Key for key mapping • Contains nonce used to derive temporal key • Key updates • Management policy for when keys are updated • Most efficient to look at IV space used • MIB contains max IV and current sent IV (Annex D) • Need to add current receive IV • SetKeys.Indication for MLME indication of IV space exhaustion (10.3.11.3)

  24. Key Messages • Contains • Key index • Flags • Key mapping/default: what type of key • Tx/Rx: What use the key should be put to • Reset IV: Whether to reset the IV space or not • Key length • Key material (Temporal key or Nonce) • Key material length • TKIP key message • Encrypts using RC4, MIC using HMAC-MD5 • AES key message • Encrypts using AES-CBC, MIC using AES-CBC-MAC

  25. EAPOL-Key Keys

  26. Ping – Pong (8.5.8)

  27. Per packet keying TKIP (8.6.1) • TKIP Phase 1 key • Done once per temporal key • Mixing Transmitter Ethernet address into temporal key • 128 bits • TKIP Phase 2 key • Done once per packet • Mixing IV into phase 1 output • 128 bits • Truncated to 104 bits for RC4

  28. TKIP • Encryption is WEP using TKIP Phase 2 key • IV selection rules (8.6.2) • MIC: Michael (8.6.3) • Uses Temporal Auth Key • Covers • Source and destination MAC address • Unencrypted data payload • Requires Counter measures to limit attack rate (8.6.3.3)

  29. Michael (8.6.3)
      • Michael message processing: MICHAEL((K0, K1), (M0,...,MN))
      • Input: Key (K0, K1) and message M0,...,MN
      • Output: MIC value (V0, V1)
          (L, R) ← (K0, K1)
          for i = 0 to N-1
              L ← L ⊕ Mi
              (L, R) ← b(L, R)
          return (L, R)
      • Michael block function: b(L, R)
      • Input: (L, R)
      • Output: (L, R)
          R ← R ⊕ (L <<< 17)
          L ← (L + R) mod 2^32
          R ← R ⊕ XSWAP(L)
          L ← (L + R) mod 2^32
          R ← R ⊕ (L <<< 3)
          L ← (L + R) mod 2^32
          R ← R ⊕ (L >>> 2)
          L ← (L + R) mod 2^32
          return (L, R)
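The Michael pseudocode of slide 29 as runnable Python, an added example that is not part of the original presentation. The little-endian word order and the 0x5a padding come from the published Michael definition rather than from the slide, and the key, addresses and payload are constructed sample values.

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def ror(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK


def xswap(x: int) -> int:
    """Swap the two bytes inside each 16-bit half of a 32-bit word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def block(l: int, r: int) -> tuple:
    """Michael block function b(L, R): four mix-and-add rounds, as on slide 29."""
    for mix in (lambda v: rol(v, 17), xswap, lambda v: rol(v, 3), lambda v: ror(v, 2)):
        r ^= mix(l)
        l = (l + r) & MASK
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """Return the 64-bit MIC (V0, V1) of msg under the 64-bit key (K0, K1)."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    # Padding (not shown on the slide): 0x5a, then 4 to 7 zero bytes so the
    # total length is a multiple of 4.
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (m,) in struct.iter_unpack("<I", padded):
        l ^= m
        l, r = block(l, r)
    return struct.pack("<II", l, r)


def mic_ok(key: bytes, msg: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(michael(key, msg), mic)


if __name__ == "__main__":
    print(michael(bytes(8), b"").hex())             # → 82925c1ca1d130b8
    auth_key = bytes.fromhex("0011223344556677")    # constructed Temporal Auth key
    # Coverage as listed on slide 28: destination MAC, source MAC, payload.
    frame = bytes.fromhex("aabbccddeeff") + bytes.fromhex("020000000001") + b"hello"
    mic = michael(auth_key, frame)
    tampered = frame[:-1] + b"p"
    print(mic.hex(), mic_ok(auth_key, frame, mic), mic_ok(auth_key, tampered, mic))
```

Every step of `block` is invertible, so the MIC offers far less than 64 bits of forgery resistance, which is why slide 28 pairs it with countermeasures that limit the attack rate.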

  30. Per packet processing AES • Temporal key is used as the encryption key • Encryption AES-OCB (8.7.2) • Requires a Nonce • Includes replay counter, QoS traffic class, Source and Destination MAC address • 28-bit replay counter/sequence number per QoS class • 64-bit MIC

  31. Re-associate Request/Response • Select ESN • Capability bit (bit 11) (7.3.1.4) • Select Authentication • Authentication IE (7.3.2.17) • OUI 00:00:00:03 is 802.1X (default if no IE) • Select cipher suite • Contains unicast and multicast cipher suite IE (7.3.2.18, 19) • OUI 00:00:00:01 TKIP • OUI 00:00:00:02 AES (default if no IE) • Fast handoff • Authenticator IE (7.3.2.21) • Passing station MIC to the old AP

  32. Re-associate Request/Response • If no IAPP or no Auth IE in Re-associate request then • Re-associate to new AP • Go back to slide 6 • Else • Auth IE processing rules (7.3.2.21) • Use IAPP to move station Auth IE to old AP • Old AP checks station MIC • Old AP calculates new AP MIC • IAPP moves Auth IE and original master session keys to new AP • New AP passes Auth IE in re-association response • New AP puts 1X state machine in authenticated state and sends EAP_Success • Go to slide 19 • Endif

  33. Authenticator IE

  34. IAPP Fast Hand-off of TGi Keys (diagram; participants: STA, Old AP, New AP, AS; message labels: IAPP Move, IAPP Send SecBlock, IAPP Send SecBlock Ack, IAPP Move Ack, Reassociate Request, Query, Query Response, Reassociate Response) • Query transaction supplies IPsec security association material (only needed once if New AP caches SAs; requires AS to maintain registry of IPsec SAs) • SendBlock transaction copies keying material from old AP to new AP • Move transaction deletes keying material off old AP
