
Securing a wireless local area network: using standard security techniques

Dan Ekström

Department of Software Engineering and Computer Science
Blekinge Institute of Technology
Box 520
January 2003

This thesis is submitted to the Department of Software Engineering and Computer Science at Blekinge Institute of Technology in partial fulfilment of the requirements for the degree of Master of Science in Software Engineering. The thesis is equivalent to 10 weeks of full time studies.

Author(s):

Dan Ekström
Address: Ulrikedalsvägen 2 U, 224 58 Lund
E-mail: dan@ekstrom.com

University advisor(s):

Håkan Grahn
Department of computer science

Contact Information:

Department of Software Engineering and Computer Science
Blekinge Institute of Technology
SE - 372 25 Ronneby, Sweden
Internet: www.ipd.bth.se
Phone: +46 457 38 50 00
Fax: +46 457 271 25

Wireless equipment offers several possibilities which make it more attractive than the wired alternative. Meetings or temporary office spaces could be assigned with less consideration of the presence of permanent networking facilities. It also makes it possible for users to create ad-hoc networks simply by being within a certain range of each other, which facilitates information sharing. Since information is broadcast in the air, it also requires stringent security measures. Vendors of wireless equipment have their non-standard security solutions which lock in the acquirer. For this purpose I study standard security schemes which could be applied independent of the wireless device manufacturer. The techniques that I have chosen are IPSec, Kerberos and MS Passport. The study describes each technique from the perspectives of manageability, security, performance, compatibility, cost and ease of implementation. The result is a comparison of the studied techniques.

I conclude with a recommendation to use a combination of IPSec and Kerberos to enhance the security of a wireless local area network and a reservation towards MS Passport.

Keywords: Security, Kerberos, IPSec, MS Passport, Wireless local area network

Table of contents

Introduction
    Background
    Research questions
    Methodology
    Scope of this thesis
    Thesis outline

Introduction to computer security
    Security services
    Security mechanisms
    Threats
    Summary

Introduction to wireless local area networks
    Wireless local area network topology
    Bluetooth
    HiperLAN and HiperLAN/2
    HomeRF
    IEEE 802.11
    Comparison of WLAN techniques
    Summary

Security issues in IEEE 802.11b
    Service set identifier
    MAC-address access list
    Wireless equivalent privacy
    Deployment of access points
    Criteria
    The standard security techniques
    Summary

Internet Protocol Security
    Security databases
    Security policy database (SPD)
    Security association database (SAD)
    Public key infrastructure (PKI)
    RSA
    The digital signature
    Message authentication code (MAC)
        MD5
        The secure hash standard (SHA-1) and the secure hash algorithm (SHA)
        Keyed-hashing for message authentication code (HMAC)
        Digital certificate
        Scenario
    Internet key management protocol
    Tunnel and transport mode
        AH
        ESP
    Setting up an IPSec Tunnel
    Evaluation
        Manageability
        Implementation
        Cost
        Level of security
        Scalability
        Compatibility
        Performance
    Summary

Kerberos
    Basic authentication procedure
    Kerberos version 5
        Differences between version 4 and version 5
        Cross realm authentication
        Key salt
    Evaluation
        Manageability
        Implementation
        Cost
        Security level
        Scalability
        Compatibility
        Performance
    Summary

Microsoft Passport
    Introduction
    Domain
    Authentication
    Secure Socket Layer (SSL)
    Evaluation
        Manageability
        Scalability
        Compatibility
        Performance
    Summary

Comparison
    Manageability
    Implementation
    Performance
    Authentication
    Access control
    Confidentiality
    Data integrity
    Non-repudiation
    Compatibility
    Cost
    Scalability
    Summary

Conclusions

References

A Glossary

1 Introduction

Historically, information has been protected physically, and information security has been a matter of thick walls and good locks. This concept changed with the introduction of computer systems. Electronic documents have inherently different properties than physical documents. It is possible to make changes to them or to make copies without leaving fingerprints, DNA or other distinctive marks. They need security services to be able to possess the same qualities as physical documents and hence similar security. Another major influence on information security has been network security. Information has to be secure during transmission.

The Internet has worked as a catalyst for wired network security. Recently wireless computer networks have been introduced to the broad masses. The inherent properties of radio communication offer even further challenges to security experts.

1.1 Background

Recent research [50, 49] has found that the wireless local area network (WLAN) standard 802.11b implements a poor encryption scheme that could compromise the WLAN's security. Because WLANs have been deployed at such a fast pace, security issues have to a great extent been left in the background by equipment manufacturers. In Stockholm, Sweden, it was reported on 2002-09-18 that only 30 percent of the investigated WLANs had proper security measures [12]. Although some proprietary security solutions exist, they limit the possibilities for end-users, providing a user lock-in and a future income source for the manufacturer of WLAN devices. The findings during the past year have led to a debate concerning security in 802.11b WLANs. This thesis will address the important issues regarding 802.11b WLAN security.

1.2 Research questions

What standard techniques exist that could be used to remedy the security flaws of 802.11b? First I will examine the IEEE 802.11b WLAN standard and relevant research to be able to identify weaknesses. Based on the weaknesses I will address certain areas of the standard techniques in the evaluation. The evaluated techniques will then be compared in each area and this will lead to recommendations of which techniques are suited for the IEEE 802.11b WLAN.

1.3 Methodology

I will conduct literature studies in the area of computer network security to get a broad perspective of the domain in which this thesis lies. Then I will study literature about WLANs and finally the literature about the Institute of Electrical and Electronics Engineers (IEEE) 802.11b WLAN. This will lead to suggestions to improve the security in 802.11b and criteria to evaluate complementary techniques.

The subsequent studies will be in the area of the various techniques that complement IEEE 802.11b. These will be evaluated with recommendations based on the criteria. The recommendation could be used to make an 802.11b WLAN more secure.

1.4 Scope of this thesis

This thesis will not revise the 802.11b standard and it will not make suggestions to the existing techniques used in the 802.11b standard. It will rather examine security techniques that are feasible to implement together with the 802.11b standard.

1.5 Thesis outline

The outline of the thesis from this point forward is as follows. The second chapter describes general electronic security objectives and electronic security services. The third chapter gives an introduction to the most popular WLANs. The fourth chapter describes security issues in the IEEE 802.11b WLAN as well as the areas in which the techniques in the following chapters will be evaluated. The fifth chapter introduces the Internet Security Protocol and its evaluation. Chapter six introduces Kerberos and an evaluation. The seventh chapter introduces Microsoft Passport and its evaluation. Chapter eight compares the three previously evaluated techniques. In chapter nine the thesis is concluded with a recommendation of the most proficient techniques to use.

2 Introduction to computer security

Digital as well as physical documents need protection. Digital documents have special security challenges compared to physical documents, see Stallings [47]. They can be copied without reduced quality, tampered with without leaving physical evidence, and physical proof of authentication such as handwriting does not exist. They need additional security measures to be able to maintain the same level of security as physical documents.

2.1 Security services

Stallings argues in [47] that, by using various security services, it is possible for electronic documents to possess the same security attributes as paper documents.

The IEEE defines such security services as mentioned above. They appear in the Open Systems Interconnection (OSI) “Security Architecture Standard ISO/IEC 7498-2” [50]. The concept covers the security-related services of the OSI Basic Reference Model. Unfortunately the terminology used in this area is not completely consistent. The term authentication is commonly used for referring to both verification of identity and integrity. The services from ISO/IEC 7498-2 [50] are summarized briefly below:

Authentication exists in two forms: peer identity authentication and data origin authentication. Peer identity authentication exists to prevent masquerading. Data origin authentication could be used to reduce damage caused by denial of service attacks.

Access control services use peer authentication in combination with certain rules to control access to certain resources. This is used to prevent authorization violation and denial of service.

Confidentiality services are used to prevent information from being viewed by an unauthorized third party. Four types of this service exist: connection confidentiality, connectionless confidentiality, selective field confidentiality and traffic flow confidentiality. These four types are various degrees of protection, ranging from the protection of an entire session to the protection of a single message. In addition to protection against eavesdropping, the confidentiality service could protect against traffic analysis. It should not be possible to observe the source or destination of the data, or any other characteristics of the data.

Data integrity services make it possible to prevent data from being tampered with. As with confidentiality, various degrees of protection exist. Of course it is preferable to have session integrity. It prevents an unauthorized third party from inserting, deleting or replaying data.

Non-repudiation services exist to make sure that participants in a communication session do not repudiate a transaction. Two forms of protection against this exist: non-repudiation with proof of origin and non-repudiation with proof of delivery. The first makes sure that the sender may not claim to not have performed a transaction or to not have sent certain data. The second provides some kind of proof that the transaction was performed or that data actually was accepted by the recipient.

To provide a security service, one or several mechanisms that prevent or interfere with attacks need to exist.

2.2 Security mechanisms

A security mechanism needs to be implemented in order to provide a security service. Various mechanisms exist to provide the security services defined in Section 2.1. The quality of an implementation of a mechanism may also vary. The security mechanisms often have the use of cryptographic techniques as a common denominator, see [47]. Examples of mechanisms are encryption and digital signatures.

2.3 Threats

Several fundamental threats to secure information handling and secure computer communication exist, and they could all be derived from the security objectives above. Security attacks vary much depending on the environment that is exploited. But they could be divided into these general areas, according to [47]:

Interruption is when a system becomes unavailable or unusable. This attacks the availability of the system.

Interception of traffic is an attack on confidentiality.

Modification of data is an attack on integrity.

Fabrication is an attack on the authenticity of data.

Another classification of attacks is to divide them into passive and active attacks. Passive attacks comprise analysis of traffic and release of message content. The active attacks comprise masquerade as another entity, replay of earlier captured data, modification of data, and denial of service by rendering a computer's resources useless. Concerning the passive attacks it is important to keep a high level of protection at all times since it is hard to know when an attack is taking place. In the case of active attacks, they may be easier to discover and prevent when they are taking place. If it is not possible to prevent them, it is possible to take countermeasures to limit the damage.

The end-user is very likely to be interested in security outside the WLAN as well as security in the WLAN. If a user sends traffic that is bridged to a LAN, the user needs a security mechanism that provides protection to the end point of the traffic flow. End-to-end security makes sure the data is secure all the way to the receiver. Techniques such as Internet Protocol Security (IPSec) could be used together with the WLAN to provide end-to-end security services.

2.4 Summary

Electronic documents need special protection since they possess unique qualities compared to paper documents. A generic model for security services is presented by ISO/IEC. Security mechanisms implement security services to prevent or ward off attacks. The security services and categorizations of the attacks provide an important security framework and vocabulary.


3 Introduction to wireless local area networks

Wireless local area network devices have recently gained immense popularity. The reasons for the success are that the equipment for setting up a WLAN has become cheap and is very easy to use. It lets laptops remain cordless within a certain area. This implies that meetings or temporary office spaces could be assigned with less consideration of the presence of permanent networking facilities. It also makes it possible for users to create ad-hoc networks simply by being within a certain range of each other, which facilitates information sharing.

Several competing WLAN standards exist. The most successful are Bluetooth, IEEE 802.11b, HiperLAN and HomeRF. They will be described briefly below. They all have similar characteristics and could be used in a similar manner. The network topology which they employ is described in the next section.

3.1 Wireless local area network topology

No common vocabulary exists in the WLAN sphere. I use the term AD (accessing device) for the laptop, terminal, or other intelligent device. I use the term AP (access point) for the permanent devices that could be used to bridge the WLAN to a wired local area network (LAN). Two basic topologies exist: ad-hoc and infrastructure. The distinction in their names is basically the distinction in their topologies. The infrastructure topology has APs that act as central controllers for the WLAN. The AP coordinates transmissions and receptions from multiple wireless devices within a specific range. It could also be used to bridge the WLAN to a wired LAN. The AP and the AD can find each other in two ways. A laptop or other smart device could identify the available APs by sending out “probing” frames to announce itself to the AP. The APs could also be configured to announce themselves by using “beacon” frames. An authentication and association process is started when the AD has settled for a specific AP.

In an ad-hoc topology the LAN is created by the wireless devices themselves. There is no central point for controlling traffic flow. Each device communicates directly with other devices in the network. In ad-hoc mode the ADs carry out the authentication and association processes.

3.2 Bluetooth

The Bluetooth consortium represents an alliance between mobile communications and mobile computing companies. The alliance was formed in 1998 by prominent manufacturers such as Ericsson, Nokia, IBM, Intel and Toshiba.

One of the reasons for the development of Bluetooth was that a jungle of connectivity options allowing different gadgets to interoperate exists [40]. The protocol stack of Bluetooth is not represented by the classic seven layer International Standards Organisation (ISO) OSI reference model. This is because Bluetooth is intended to interoperate with modems, telephones and other devices. Bluetooth is meant to be the silver bullet of desktop gadget connectivity [19].

It could in its original form be categorized as a personal local area network (PLAN). Its reach has been extended and it can be used to set up ad hoc WLANs although this was not its primary purpose. Its greatest advantage is that it has low energy consumption.

3.3 HiperLAN and HiperLAN/2

HiperLAN is developed by the European Telecommunications Standards Institute (ETSI) and was recently released. It could be argued that this standard is technically superior to 802.11b [41], e.g. HiperLAN has a higher transfer rate. It is not nearly as popular as 802.11b [19]. IEEE and ETSI are now working on complements to their respective standards to make them compatible. HiperLAN/2 is an emerging standard with a theoretical transfer speed of 54 Mbps.

3.4 HomeRF

HomeRF is developed by HomeRF Industry Group and is a standard foremost aimed at residential homes. The standard comprises integrated voice, data and entertainment, [41]. Today the equipment of 802.11b is just as cheap as HomeRF and it has lost some of its important advantages compared to 802.11b.

3.5 IEEE 802.11

Ethernet has become the predominant LAN technology in the wired world. Defined by the IEEE with the 802.3 standard, it has provided an evolving, high-speed, widely available and interoperable networking standard.

The open IEEE 802.3 standard resulted in a wide range of suppliers, products and price points for Ethernet users. Ethernet standards guarantee interoperability, enabling users to select products from different vendors, reasonably secure that they would work together.

In 1991, realizing that standards were needed for wireless LANs to gain broad market acceptance, Aironet pushed with other wireless makers for standards to govern wireless LAN technology.

Around 1992, wireless LAN makers began developing products operating in the unlicensed 2.4 GHz frequency band. This opened two additional vertical markets. Healthcare, with a highly mobile workforce, began using portable computers to access patient information. And as computers made their way into the classrooms, educational institutions began installing wireless networks to avoid the high cost of wiring buildings.

In June, 1997 the IEEE, the body that defined the dominant 802.3 Ethernet standard, released the 802.11 standard for wireless local area networking. The IEEE 802.11 standard supports transmission in infrared light and two types of radio transmission within the unlicensed 2.4 GHz frequency band: Frequency Hopping Spread Spectrum (FHSS) and Direct Sequence Spread Spectrum (DSSS).

Today several 802.11 standards exist. The WLAN that will be addressed in this thesis is the IEEE 802.11b standard. The standard first emerged as 802.11 in 1997 and it was revised in 1999 where the supplement 802.11b was added. The standard “covers systems in which an omni directional wireless radio generates a nominal 2.4-GHz carrier wave that communicates over theoretical range of 1,000 feet (and a practical limitation of less than 350 feet) with devices - typically laptops- equipped with 802.11b transceivers”, [53]. Further reading about the standard is found in the original proposal from 1997 [50] or in the revised proposal from 1999 [23]. When 802.11b was developed it was thought of as a replacement for wired networks.

The architecture of the 802.11b standard comprises the following layers of the OSI model:

Physical 802.11 layer

MAC 802.11 layer

Data link 802.2 layer

This thesis will focus on the 802.11b standard because of its popularity and its need for enhanced security. Since the first standard 802.11 emerged in 1997 several revisions have been made. The revisions include:

802.11j, whose purpose is to be compatible with HiperLAN.

802.11i introduces a new security scheme.

802.11h counters EU-area interference legislation issues.

802.11e adds quality of service capabilities to 802.11h.

802.11g raises transfer rate to 54Kbit/sec.

For further reading about the revisions a starting point would be in [22]. Below is a short summary and comparison of the most important qualities of the WLANs.

3.6 Comparison of WLAN techniques

Table 1 summarizes origin, data transfer rate and range of the techniques that are described above.

Protocol      Origin                   Data transfer rate (Mbps)   Topology
HiperLAN      ETSI                     19                          Peer to peer
HiperLAN/2    ETSI                     54                          Peer to peer or APs
802.11b       IEEE                     11                          Peer to peer or APs
Bluetooth     Bluetooth Consortium     1                           Peer to peer
HomeRF        HomeRF Industry Group    10                          Peer to peer or APs

TABLE 1. Comparison of WLAN techniques

The range of the technologies is hard to define since it may vary depending on the environment, such as indoor and outdoor deployment, and which antennas are used. Bluetooth has the shortest range and slowest data transfer rate [19]. HiperLAN/2 has the highest data transfer rate and also a high range [41]. HiperLAN, HiperLAN/2, HomeRF and 802.11b are all very power consuming compared to Bluetooth. Bluetooth suits handheld and other similar devices best due to its low energy consumption. 802.11b is the most popular technique and its popularity is growing even though it is not the most technically proficient, most secure or least power consuming.

3.7 Summary

Several capable techniques exist to create a WLAN. The most popular standard today is 802.11b, although it does not excel in technology, security or low energy consumption. Attempts are made by all standard organizations to make them more compatible. Some of the revisions of 802.11 comprise attempts to introduce further security mechanisms. A large organisation will find it inconvenient to wait for standards to evolve and much easier to integrate various vendors' products if standard security techniques are used. This thesis will focus on how to make the 802.11b standard more secure using standard security techniques.

4 Security issues in IEEE 802.11b

Recent research implies that WLAN devices have several potential vulnerabilities as they are delivered in their standard edition [53, 50, 49]. The vulnerabilities exploit the nature of radio communication, which implies the possibility to compromise confidentiality of data. Additional security measures have to be taken to strengthen the weak default security schemes.

Since WLANs replace Ethernet cables with broadcast radio, confidentiality considerations are inherently different than in wired local area networks. In an unprotected WLAN anyone within reach of the radio signals could receive and send traffic. The 802.11b standard provides some basic technologies for authentication:

Service set identifier.

Media access control (MAC) address access lists.

The 802.11b standard tries to ensure integrity, confidentiality and authentication by the wireless equivalent protocol (WEP).

4.1 Service set identifier

The service set identifier (SSID) is used to let the AD's user choose from APs within the same reach or to create a roaming domain between multiple APs. The APs come with a default SSID for each manufacturer [17]. If the APs are configured not to send out “beacon” frames [7], the ADs must know the right SSID to make use of an AP. If the wireless encryption protocol (WEP) is disabled, as it often is when the AP is delivered [7], the SSID is sent in clear text, see [17], and it could easily be sniffed. SSID is a very weak measure of security because of the following reasons:

Wireless equipment of the same brand has the same default SSID.

In some configurations the SSID is broadcast in clear text by default.

The SSID is stored by the AP and by the network interface card driver.

Whether an association is allowed when the SSID is unknown by the AD is controlled locally by the network interface card’s driver.

The SSID does not provide an encryption scheme.

The paragraphs above show that a WLAN could hardly rely on an SSID solution to make the WLAN secure.

4.2 MAC-address access list

A stronger authentication is achieved by providing the AP with the unique MAC-address that the AD carries. Each AP could be configured to contain a list of ADs’ MAC addresses that are allowed to access the WLAN. Access control could be based on this rather strong authentication. It also makes it less likely that stolen equipment is used on the WLAN.

No standard tool exists for updating all MAC-address lists on all APs from a central point. In addition to the administrative drawback, a MAC-address could easily be spoofed [53] by a potential malicious user. Another important point is that it identifies an AD, and not a user. Although MAC-list filtering provides a strong means of identifying ADs, it has the following drawbacks:

The administration for a large network becomes very demanding since no standard exists for central-point updating of the APs' MAC-address listings [7].

A MAC-address could be spoofed by a malicious user [53].

It authenticates the network interface card, not a user.

4.3 Wireless equivalent privacy

The Wired Equivalent Privacy (WEP) algorithm is, as the name implies, a means to provide the WLAN with the equivalent security of a wired LAN. The definition of what equivalent security is cannot be found in the IEEE standard [50]. WEP provides the 802.11b standard with authentication and confidentiality services. The WEP algorithm defines the use of a 40-bit secret key for authentication and encryption. Many IEEE 802.11b implementations also allow 128-bit secret keys.

WEP is useful because of the following reasons:

It is built around the RC4 algorithm which is supposed to be indifferent to linear and differential analysis, [40].

It is adaptable to environments where nodes move in and out of a WLAN coverage area.

It is exportable to a variety of countries.

WEP operates using a shared key between the ADs and the APs. The key is stored in a memory that is write-only. This makes it impossible for attackers to read the key from a device that already has been authenticated. The shared key approach makes updating of keys quite a manual job since no secure way to update keys exists.

Authentication with WEP from a mobile device to an AP is a four step process, and it is described in the paragraphs below:

The AD sends an authentication request to an AP in plain-text.

The AP responds by generating a 128-byte random challenge text that is sent to the AD in plain-text.

The AD copies the data into an authentication frame and encrypts the frame using the shared key. The shared key has previously been distributed to the AD.

The AP then decrypts the frame using the shared key. Depending on the outcome of the decryption the AD is granted access to the WLAN or not.

WEP also uses a symmetric key infrastructure. A principal limitation to this security mechanism is that the standard does not define a key management protocol for distribution of these keys [7]. This presumes that the secret shared keys are delivered to the AP via a secure channel independent of IEEE 802.11b. This becomes even more challenging when a large number of stations are involved.

The WEP algorithm is rather unsuccessful in several areas. It has several flaws first discovered by [50] and exploited by [49] and has been widely criticized. The WEP algorithm is vulnerable to traffic analysis and depending on how much the WLAN is utilized the encryption could be cracked in a few hours. The critique is summarized in the paragraphs below:

A part of the encryption scheme called an initialization vector uses a pattern that is possible to predict and makes it possible to decrypt WEP messages. Hence it is vulnerable to the passive traffic analysis attack.

Static-key architecture makes it hard to protect keys.

No standard exists for updating shared keys at APs or devices.

Another critique is that WEP is not an end-to-end solution, only allowing secure traffic between the AP and the AD or between two devices.
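The four-step shared-key authentication and the initialization-vector critique above, as an added Python example that is not code from the thesis: a simplified WEP model that assumes a 24-bit IV sent in clear ahead of the ciphertext and a CRC-32 check value, and leaves out the 802.11 headers and key-ID byte. All class and function names, keys, MAC addresses and frames are constructed for illustration; `reused_ivs` is a check a defender can run over captured frames to see how often an IV, and therefore a keystream, repeats.

```python
# Added illustration (not from the thesis). Simplified WEP: no 802.11 headers,
# no key-ID byte. Keys, MAC addresses and frames below are constructed samples.
import hmac
import os
import struct
import zlib
from collections import Counter


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_seal(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Clear-text 24-bit IV, then RC4(IV || secret) over plaintext || CRC-32."""
    data = plaintext + struct.pack("<I", zlib.crc32(plaintext))
    return iv + xor(data, rc4(iv + secret, len(data)))


def wep_open(secret: bytes, frame: bytes):
    """Return the plaintext, or None when the CRC-32 check value is wrong."""
    iv, body = frame[:3], frame[3:]
    if len(body) < 4:
        return None
    data = xor(body, rc4(iv + secret, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext if struct.pack("<I", zlib.crc32(plaintext)) == icv else None


class AccessPoint:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}  # station MAC -> outstanding challenge

    def challenge(self, mac: str) -> bytes:
        """Step 2: 128 random bytes, sent to the AD in plain text."""
        self.pending[mac] = os.urandom(128)
        return self.pending[mac]

    def verify(self, mac: str, frame: bytes) -> bool:
        """Step 4: decrypt with the shared key and compare with the challenge."""
        expected = self.pending.pop(mac, None)
        plain = wep_open(self.secret, frame)
        if expected is None or plain is None:
            return False
        return hmac.compare_digest(plain, expected)


def shared_key_auth(ap: AccessPoint, mac: str, station_secret: bytes) -> bool:
    """Run steps 1-4 for one AD; True means the AP grants access."""
    text = ap.challenge(mac)  # steps 1-2: plain-text request and challenge
    frame = wep_seal(station_secret, os.urandom(3), text)  # step 3 on the AD
    return ap.verify(mac, frame)  # step 4 on the AP


def reused_ivs(frames) -> dict:
    """Audit captured frames: IVs seen more than once share one RC4 keystream."""
    counts = Counter(bytes(f[:3]) for f in frames)
    return {iv.hex(): n for iv, n in counts.items() if n > 1}


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit shared key
    ap = AccessPoint(key)
    print("right key:", shared_key_auth(ap, "00:00:5e:00:53:01", key))
    print("wrong key:", shared_key_auth(ap, "00:00:5e:00:53:02", b"wrong"))
    # Constructed capture: a device that restarts its IV counter after a reset.
    ivs = [n.to_bytes(3, "big") for n in (0, 1, 2, 0, 1, 3)]
    capture = [wep_seal(key, iv, b"payload %d" % i) for i, iv in enumerate(ivs)]
    print("reused IVs:", reused_ivs(capture))
```

Because the per-frame RC4 key is only the clear-text IV followed by the static shared key, every IV that `reused_ivs` reports marks frames protected by an identical keystream, which is why the thesis looks to an additional layer such as IPSec for confidentiality.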

4.4 Deployment of access points

According to [39] many APs are deployed behind a firewall. This threat is most obvious when there is no encryption or authentication. Deployed behind the firewall, the AP transmits authorized packets from within the firewall to anyone outside the firewall. A potential intruder could get the opportunity to exploit inside trust from outside the firewall. This is a classic technique used by prominent hacker Kevin Mitnick. To avoid this the WLAN should be delimited from the LAN by residing in another subnet. An alternative would be to use a router which lets the packets that belong in the address space of the wired LAN remain in the wired network. A bridge would be a security hazard since it lets the packets of the wired LAN be transmitted by wireless equipment.

4.5 Criteria

It is clear that the 802.11b standard needs more efficient security mechanisms than the default ones. Before evaluations of additional techniques are performed, criteria for which areas are important to strengthen must be established. These are criteria that are essential to the evaluation:

Manageability of the network should be high. Administration of keys and MAC-addresses is an overwhelming burden in a large network. Improvement in manageability is needed.

Implementation of the additional security scheme should be straightforward.

Performance in the WLAN should not be affected by the additional security implementations.

Level of security: various implementations of security services may offer various levels of security. Various users or applications may require different security levels. The level of security should be analyzed.

Compatibility issues may hinder the use of other desirable techniques or implementation of a certain technique. The security technique should be compatible with existing techniques.

Cost: the cost of various implementations should be analyzed.

Scalability is preferable since enterprises could grow at a high pace. The network will maintain its security level while being able to scale.

4.6 The standard security techniques

In the next three chapters I will describe and evaluate three standard security techniques by using the criteria above. IPSec is comprehended by the IPv6 proto- col and may also be used in 3G. It is foremost know for its capabilities of creating a virtual private network over a TCP/IP connection. This may be very convenient combined with a 802.11b WLAN. It resides on the transport level in the OSI model which make it transparent to applications. Kerberos aims at user authentication and access control which also need to be enhanced in 802.11b. Kerberos have been around for a while this have resulted in a robust security protocol. It resides on the application level and could be combined with IPSec. IPSec and Kerberos suited closed environments best. The last technique is chosen because it aims at being used in a non-closed environment, e.g. a Motel or Internet café. It also resides at the application level in the OSI model and could be combined with IPSec.


4.7 Summary

The SSID should not be considered a security mechanism. The 802.11b WLAN has several strong mechanisms to provide us with security services, but they all need improvement. MAC-address authentication is a strong way to authenticate hardware, but the administration process needs improvement and it also needs to be complemented with human authentication. The WEP security scheme needs improvement in shared key distribution, and another technique needs to be used to ensure confidentiality since the encryption algorithm is vulnerable to traffic analysis. IEEE promises to bring wired equivalent security with WEP. What IEEE means by that is unclear, but it implies that the 802.11b WLAN needs the additional security measures that wired LANs need today. An end-to-end security solution would be preferable for the end-user. The next chapter will describe improvements to the current techniques.


5 Internet Protocol Security

The Internet and its protocol suite were designed to be used by the Department of Defence, and the main design objective was to provide flexible routing possibilities. Security was not an issue, [42]. Today, from a security perspective, it is considered to be obsolete, [46]. To meet the pressing demand for security in TCP/IP, Internet Protocol Security (IPSec) was developed. It is used in 3G and in the next generation Internet protocol suite IPv6, and it is common in virtual private network (VPN) solutions. It provides services that are conventional in modern and future security contexts, such as:

Access control

Connectionless integrity

Origin authentication

Replay protection

Privacy/confidentiality

The degree of security and manageability is affected by the configuration of the Internet Security Association Key Management Protocol (ISAKMP), IPSec mode, selected encryption levels and hash algorithms. This is explained in more detail below.

5.1 Security databases

Two databases are required to set up one inbound and one outbound communication link: a security association database and a security policy database, [55].

5.1.1 Security policy database (SPD)

This database specifies which services can be offered to a client. It lists the network addresses that use IPSec to communicate and the level of security they offer. It also defines the addresses for which IPSec is not offered, [55].

5.1.2 Security association database (SAD)

The SAD contains information for each security association. An association is an IPSec tunnel, i.e. an instantiation during a particular time of the parameters that the SA provides. Associated with the tunnel is the type of security encapsulation that is to be used. The encapsulation types are the authentication header (AH) [26] and the encapsulating security payload (ESP) [27].

A security association is created in a two-stage process. The first stage in the construction of a security association is concerned primarily with authentication and the exchange of encryption keys. The second stage involves the security association addresses, what traffic is to be protected and what encryption method will be used. A single SA negotiation results in two security associations, one inbound and one outbound, [55].

5.2 Public key infrastructure (PKI)

Whitfield Diffie and Martin Hellman are the fathers of the foundation for public key encryption and decryption, [6]. The problem of key distribution is that if two users want to communicate over a secure channel, they must share a secret key. To accomplish this, Diffie and Hellman realized that the key had to be asymmetric so that an unauthorized third party could not reverse engineer the encryption to create a key that would decrypt the communicated data. The public key can be used by anyone who wishes to communicate securely with the party to whom it belongs. The other half of the key, the private key, is the only key that can decrypt data encrypted with the public key.

Authentication is needed to protect Diffie-Hellman exchanges against the classic man-in-the-middle attack, [9]. Without authentication, a man-in-the-middle could plant alternate keys on one of the participants. If the key exchange mechanism is protected by an authentication scheme, then Diffie-Hellman allows you to generate new shared keys for symmetric encryption that are independent of older keys, providing perfect forward secrecy.

The client and the IPSec gateway have to agree on a few things to do a Diffie-Hellman exchange, hence the Diffie-Hellman parameters in the ISAKMP negotiation. The parameters define the material used for generating keys. This includes two numbers: a large prime number and a seed. By default, ISAKMP/Oakley specifies two sizes of prime numbers and seeds. It is optional to add other sizes.

Diffie and Hellman never solved all the problems regarding the asymmetric key. No asymmetric key existed mathematically at that time. It was Ron Rivest, Adi Shamir, and Len Adleman (RSA) who took the ideas of Diffie and Hellman to the next level and created an asymmetric key.
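The authenticated exchange described above, as an added example that is not code from the thesis: both sides run Diffie-Hellman and then prove, with an HMAC keyed by a pre-shared secret, which public values they sent and received, so substituted values are detected. The 127-bit prime, the seed value 5 and all function names are assumptions chosen for illustration; they are not the ISAKMP/Oakley default groups.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (constructed for this example; far too small
# for real use and not one of the ISAKMP/Oakley default groups).
P = 2**127 - 1   # the "large prime number"
G = 5            # the "seed" (generator)


def keypair():
    """Return (private exponent, public value G^x mod P)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def session_key(own_private, peer_public):
    """Derive a symmetric key from the shared Diffie-Hellman secret."""
    if not 1 < peer_public < P - 1:
        raise ValueError("degenerate public value")
    shared = pow(peer_public, own_private, P)
    return hashlib.sha1(shared.to_bytes(16, "big")).digest()


def auth_tag(psk, role, sent_public, received_public):
    """Bind the exchanged public values to the pre-shared secret."""
    data = role + sent_public.to_bytes(16, "big") + received_public.to_bytes(16, "big")
    return hmac.new(psk, data, hashlib.sha1).digest()


def exchange(psk, substitute=None):
    """Run one exchange between Alice and Bob.

    `substitute` models an on-path party that replaces both public values in
    transit with its own. Returns (authenticated, alice_key, bob_key).
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    seen_by_bob = substitute if substitute is not None else a_pub
    seen_by_alice = substitute if substitute is not None else b_pub

    alice_key = session_key(a_priv, seen_by_alice)
    bob_key = session_key(b_priv, seen_by_bob)

    # Each side authenticates what it sent and what it received.
    tag_a = auth_tag(psk, b"A", a_pub, seen_by_alice)
    tag_b = auth_tag(psk, b"B", b_pub, seen_by_bob)

    # Each side recomputes the peer's tag from its own view of the exchange.
    alice_accepts = hmac.compare_digest(tag_b, auth_tag(psk, b"B", seen_by_alice, a_pub))
    bob_accepts = hmac.compare_digest(tag_a, auth_tag(psk, b"A", seen_by_bob, b_pub))
    return alice_accepts and bob_accepts, alice_key, bob_key
```

Because every call draws fresh private exponents, two successful runs yield unrelated session keys, which is the property the text calls perfect forward secrecy.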


5.2.1 RSA

RSA created an asymmetric key based on the multiplication of two prime numbers.

Two prime numbers k and l are multiplied together to equal N, which becomes the public key. It is computationally infeasible to reverse engineer N to see which prime numbers were multiplied. The derivation of k and l is known as factoring. This is performed by choosing prime numbers until one is found that divides perfectly into N. If k65 were multiplied with l65 that would give N130, which would take about 10 years to factor on a 500 MHz computer, [6]. This makes N suitable as the public part of the asymmetric key.

5.2.2 The digital signature

Asymmetric keys may also be used for authentication. In this case N should be considered to be the private key and k and l the public parts of the key. N is used to encrypt a known value, this creates a signature. Anyone that wishes to confirm that the private key was used to encrypt the value uses the k and l part, which is public, to decrypt the signature and compare the value to the original value.

5.2.3 Message authentication code (MAC)

The problem with a digital signature is that it does not guarantee that the message associated with the signature has not been altered. The solution to this is to use a one-way hash function to reduce the information to a message digest. The digest is then encrypted with a one-time symmetric key. At the receiver the decrypted message is hashed once again so that it can be compared to the decrypted message digest.

5.2.4 MD5

This message digest algorithm (RFC 1321) was invented by Ron Adleman and it is a widely used hashing function. Although it has been proved to be vulnerable to attack it is protected by IPSec with an operation called key hashing for message authentication (HMAC), [6].

5.2.5 The secure hash standard (SHA-1) and the secure hash algorithm (SHA)

The secure hash algorithm (SHA) is generally referred to as the secure hash standard (SHA-1). These hashing techniques are based on the predecessor to MD5, called MD4. The main difference is that SHA-1 produces a 160-bit message digest.

The MDs produce a 128-bit message digest.


5.2.6 Keyed-hashing for message authentication code (HMAC)

Typically, MACs are used between two parties that share a secret key in order to validate information transmitted between these parties, see Section 5.2.4. HMAC is such a MAC mechanism based on cryptographic hash functions. HMAC can be used in combination with any iterated cryptographic hash function such as MD5 and SHA-1. HMAC also uses a secret key for calculation and verification of the message authentication values.
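HMAC as described above, written out from its definition in RFC 2104 and checked against Python's standard `hmac` module; this is an added example, not code from the thesis. The 96-bit truncation follows the HMAC-MD5-96 and HMAC-SHA-1-96 transforms used with AH and ESP, and the key and messages are constructed sample values.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, message: bytes, hash_name: str) -> bytes:
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || message))."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:                        # long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")             # short keys are zero-padded
    inner_key = bytes(b ^ 0x36 for b in key)         # K xor ipad
    outer_key = bytes(b ^ 0x5C for b in key)         # K xor opad
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def icv96(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """Authentication value truncated to 96 bits, as carried in AH and ESP."""
    return hmac_manual(key, message, hash_name)[:12]


def verify(key: bytes, message: bytes, received_icv: bytes, hash_name: str = "sha1") -> bool:
    """Recompute the value and compare in constant time."""
    return hmac.compare_digest(icv96(key, message, hash_name), received_icv)


def plain_digest_check(message: bytes, received_digest: bytes) -> bool:
    """Unkeyed check for contrast: whoever alters the message can recompute it."""
    return hashlib.sha1(message).digest() == received_digest


def demo():
    key = b"constructed-shared-secret"
    original = b"transfer 100 SEK to account 1"
    altered = b"transfer 900 SEK to account 1"
    tag = icv96(key, original)
    return {
        "matches_stdlib": all(
            hmac_manual(key, original, name) == hmac.new(key, original, name).digest()
            for name in ("md5", "sha1")
        ),
        "original_accepted": verify(key, original, tag),
        "altered_rejected": not verify(key, altered, tag),
        # A bare hash travels with the message and can simply be replaced.
        "unkeyed_digest_recomputable": plain_digest_check(
            altered, hashlib.sha1(altered).digest()
        ),
    }
```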

5.2.7 Digital certificate

A digital certificate is: “an electronic data structure that binds the public key values to identify information about the subject listed, and is digitally signed by the issuing certificate authority”, [54]. The certification assures any party that is using the public key that the associated private key is held by the correct remote subject. The issuing certificate authority (CA) has to be trusted in that assurance.

5.2.8 Scenario

Alice and Bob share a common trust point. They both use the same CA to have their certificates signed. This implies that they do not have to evaluate a chain of trust to determine the credibility of any other CA. The steps are described below:

1. Alice and Bob each generate a public and a private key.

2. Alice and Bob each provide their public keys, name, and descriptive information to a CA.

3. The CA generates a certificate for Alice and Bob's public keys by formatting their public keys and other information, and then signs the certificate with the CA's private keys.

4. The results of this operation are that Alice and Bob each have a public and a private key and a public key certificate.

5. Alice and Bob each generate a secret symmetric key. Now Alice and Bob each have a public and a private key, a digital key certificate issued by a common trusted third party, the CA, and a secret symmetric key.

In this example, steps 1-5, Alice sends data that needs confidentiality and integrity to Bob, using a digital signature. Steps 6-10 involve Bob's decryption of the data. The steps taken to perform the transaction are as follows:

1. Alice hashes her message. The hash provides a unique value for the message and will later be used by Bob to test the validity and integrity of the message.

2. Alice concatenates the message and the hash and then signs (i.e. encrypts) these with her private key. Her signing provides message integrity. Bob is assured that only Alice could have generated the signature because only Alice has access to the private key used to sign the message. Note that anyone with access to Alice's public key can recover the signed message. The message does not yet have confidentiality.

3. Alice encrypts the signed message and hash with her secret symmetric key. This key is only shared between Alice and Bob.

4. Alice must provide Bob with her secret symmetric key to enable Bob to decrypt the message. Alice encrypts her secret symmetric key using Bob's public key. This provides confidentiality over the transmission of Alice's secret symmetric key to Bob.

5. Alice forwards to Bob the original message and the hash that are both encrypted with her secret symmetric key and the digital envelope containing the secret key encrypted with Bob's public key.

Figure 1. Illustrates Alice using a digital signature to send data to Bob, [51] (steps 1-5).

6. Bob takes the digital envelope he received from Alice and decrypts it with his private key. The results of performing this operation provide Bob with the secret symmetric key that Alice previously used to encrypt the message and the hash of the message.

7. Bob can now decrypt the encrypted message and hash using Alice's secret symmetric key. Bob now has the signed clear text message and the signed hash of it.

8. Bob now decrypts the signed message and hash of the message by using Alice’s public key.

9. To ensure that no modifications have been made to the message, Bob takes the original message and hashes it using the same algorithm that Alice used originally.

10. Finally, Bob compares the hash he has just produced with the hash he recovered from the original message. If they match he is assured of the message's integrity.

Figure 2. Illustrates Bob decrypting information from Alice, [51] (steps 6-10).
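The ten transaction steps above, as an added example that is not code from the thesis. To stay within the standard library it uses unpadded textbook RSA with constructed toy keys and a SHA-1 keystream as the symmetric cipher, both assumptions that are unsuitable for real use, and Alice signs only the hash rather than the message and hash together.

```python
import hashlib
import secrets

E = 65537  # public exponent


def rsa_keypair(p, q):
    """Textbook RSA key pair from two primes: ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# Constructed toy keys built from well-known Mersenne primes. Unpadded RSA
# with such primes is insecure; it only keeps the example self-contained.
ALICE_PUBLIC, ALICE_PRIVATE = rsa_keypair(2**107 - 1, 2**127 - 1)
BOB_PUBLIC, BOB_PRIVATE = rsa_keypair(2**521 - 1, 2**607 - 1)
SIG_LEN = 30  # bytes needed for Alice's 234-bit modulus


def rsa_apply(key, value):
    """Raise value to the key's exponent modulo the key's modulus."""
    n, exponent = key
    return pow(value, exponent, n)


def stream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-1 keystream (same call decrypts)."""
    out = bytearray()
    for offset in range(0, len(data), 20):
        pad = hashlib.sha1(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 20], pad))
    return bytes(out)


def digest_int(message):
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def alice_send(message):
    signature = rsa_apply(ALICE_PRIVATE, digest_int(message))          # steps 1-2
    sym_key = secrets.token_bytes(16)
    signed = signature.to_bytes(SIG_LEN, "big") + message
    body = stream_xor(sym_key, signed)                                 # step 3
    envelope = rsa_apply(BOB_PUBLIC, int.from_bytes(sym_key, "big"))   # step 4
    return body, envelope                                              # step 5


def bob_receive(body, envelope):
    key_int = rsa_apply(BOB_PRIVATE, envelope)                         # step 6
    if key_int >= 2**128:
        raise ValueError("envelope does not contain a 128-bit key")
    plain = stream_xor(key_int.to_bytes(16, "big"), body)              # step 7
    signature = int.from_bytes(plain[:SIG_LEN], "big")
    message = plain[SIG_LEN:]
    recovered_hash = rsa_apply(ALICE_PUBLIC, signature)                # step 8
    if recovered_hash != digest_int(message):                          # steps 9-10
        raise ValueError("hash mismatch: message or signature was altered")
    return message
```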

5.3 Internet key management protocol

The aim of the Internet Key Management Protocol is to establish, negotiate, modify and delete the parties' SADs (security association databases) so that they agree on algorithms and parameters, and to perform a key exchange.

In other words, the protocol establishes and maintains the security associations that the Authentication Header and Encapsulating Security Protocols are to use.


The current protocol version combines the Internet Security Association Key Management Protocol (ISAKMP, RFC 2408) developed by the US National Security Agency (NSA) and the Oakley key determination protocol developed at the University of Arizona. The ISAKMP [30] is used to negotiate mutually supported algorithms and mathematical structures for the Diffie-Hellman key exchange and the subsequent authentication step. The Oakley protocol [43] is used to actually exchange keys. More recently, ISAKMP/Oakley has been renamed the Internet Key Exchange (IKE) and will probably replace the ISAKMP at some point, [40].

The RFC document [20], which specifies the IKE, will ultimately result in a protocol that is elective for IPv4 implementations and mandatory for IPv6 implementations, [42].

The ISAKMP/Oakley and IKE proposal combines a key exchange with a subsequent authentication of the parameters. A key exchange occurs in three phases:

Main mode uses an exchange of six different messages between the two IPSec endpoints to complete negotiation of authentication of the endpoints and keying material. This negotiation, if required, will provide Perfect Forward Secrecy (PFS), which means that, after the first two messages are exchanged, subsequent communication is protected.

Aggressive mode authenticates the endpoints with only three messages, but it does not provide PFS. The negotiation of SAD properties is limited with aggressive mode.

Quick mode is used after the tunnel is established to regenerate fresh key material. This mode does not authenticate the endpoints. The new key data is used to encrypt subsequent communications data. This is why 56-bit DES could be used in spite of its flaws.

To summarize the procedure, the main mode negotiation takes place with PFS hiding the negotiation of the first encryption hash and setting the tunnel. Once that is established, quick mode can be run as often as desired. For example, as long as quick mode runs every 30 minutes, if someone breaks the tunnel and acquires the encrypted data stream, a maximum of 30 minutes of data can be compromised.

The authentication is accomplished using either a pre-shared secret or a digital certificate. In both cases the IKE protocol allows the authentication to be accomplished through derivative calculations, thus preventing the user's private key from being directly exposed in transmissions to the IPSec gateway.

Before any ISAKMP/Oakley session starts, the IPSec gateway device has identified itself, obtained the CA certificate, and submitted its own identity and public key information over the Simple Certificate Enrolment Protocol (SCEP), a protocol originally developed by CISCO.

After negotiations are completed, communication between the client and the server takes place encrypted, with whatever encryption algorithm desired, in an authenticated tunnel. When the communication is complete, the tunnel is destroyed.


5.4 Tunnel and transport mode

IPSec can be implemented in one of two modes. Transport mode is used when two hosts converse directly with each other. Tunnel mode is used when a host converses with another through one or more secure gateways. The fundamental difference between tunnel and transport mode is how the IP datagram is encapsulated. The tunnel mode protects the original IP header and reveals only the IP address of the IPSec gateway machine. The transport mode does not protect this original IP header and encrypts only the payload.

AH is used primarily for authentication and anti-replay protection. ESP is used primarily for authentication, encrypted data payload, anti-replay services or a combination of these features. A single SA can have AH or ESP but not both.

Table 2 describes the relationship between the authentication header and the transport header in tunnel and transport mode.

5.4.1 AH

The AH protocol is used to ensure that the endpoint one thinks they are communicating with is truly correct. AH is algorithm-independent, which means that AH will operate with the algorithm of choice, depending on the level of security required. The algorithm options are HMAC-MD5 or HMAC-SHA1. Optionally, AH will provide protection against replays (man-in-the-middle attacks). AH authenticates the packet including the upper protocol data, with the exception of the destination address. AH can be used alone, when only authentication is required, or in combination with ESP when a higher level of security is required.

5.4.2 ESP

The ESP protocol is used to provide encryption and limited traffic flow confidentiality. ESP is also designed to be algorithm-independent. The algorithm options are: DES, 3DES, RC5, Blowfish, IDEA and CAST. Other algorithms are currently being added.

Only DES and 3DES are mandatory. DES in ESP is actually DES-CBC (Data Encryption Standard-Cipher Block Chaining), with an explicit initialization vector (IV) of 64 bits preceding the encrypted payload [37]. Including the IV in each datagram ensures that decryption of each received datagram can be performed, even if some are dropped or reordered. It is common practice to use random data for the first IV and then the last 8 octets of encrypted data from the previous encryption for the next IV. This process has the advantage of limiting the leakage of information from the random number generator.

| | Transport | Tunnel |
|---|---|---|
| AH | Authentication of IP payload and selected portions of IP header | Authenticate entire inner IP header and payload, and selected portions of outer IP header |
| ESP | Encrypts and optionally authenticates IP payload, but not IP header | Encrypts and optionally authenticates inner IP header and payload |

TABLE 2. Summary of the relationship between AH, ESP, transport- and tunnel mode in IPSec, [6]

5.5 Setting up an IPSec Tunnel

Below is a description of how IPSec works in terms of the IPSec components for two intranet computers. For simplicity, this example is of an intranet in which a computer has an active IPSec policy.

1. Alice, using a data application on Computer A, sends a message to Bob on Computer B.

2. The IPSec driver on Computer A checks with SPD to determine whether the packets should be secured.

3. The IPSec driver notifies ISAKMP/Oakley to begin negotiations.

4. The ISAKMP/Oakley service on Computer B receives a message requesting secure negotiation.

5. The two computers establish a main mode SA and shared master key.

If Computer A and Computer B already have a main mode SA from a previous communication (and master key PFS is not enabled and the key lifetimes have not expired), the two computers can begin establishing the quick mode SA.

6. A pair of quick mode SAs are negotiated. One SA is inbound and one SA is outbound. The SAs include the SPI and the keys that are used to secure the information.

7. The IPSec driver on Computer A uses the outbound SA to sign and, if required, encrypt the packets.

8. The driver passes the packets to the IP layer, which forwards the packets to Computer B.

9. The network adapter driver at Computer B receives the encrypted packets and passes them to the IPSec driver.

10. The IPSec driver on Computer B uses the inbound SA to validate authentication and integrity and, if required, decrypt the packets.

11. The driver passes the validated and decrypted packets to the TCP/IP driver, which passes them to the receiving application on Computer B.

Any routers or switches in the path between the communicating computers simply forward the encrypted IP packets to their destination.


Security negotiations are not able to pass through a network address translator (NAT). ISAKMP/Oakley negotiation messages contain IP addresses within the encrypted or signed portion of the message. These addresses cannot be changed by a NAT because the NAT does not have the shared, secret key to either change the encrypted address within the message or change the unencrypted address, without invalidating the integrity check value (ICV).
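A simplified model of steps 2 and 6-10 and of the NAT effect described above, as an added example that is not code from the thesis: an SPD lookup decides whether a packet is protected, the outbound SA attaches an AH-style ICV, and the inbound SA rejects replays and packets whose source address changed in transit. The packet layout, the addresses, the key and the choice of fields covered by the ICV (source address, SPI, sequence number, payload) are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed security policy database: the first matching entry wins.
SPD = [
    (ipaddress.ip_network("192.0.2.0/24"), "PROTECT"),
    (ipaddress.ip_network("198.51.100.0/24"), "BYPASS"),
]


@dataclass
class SecurityAssociation:
    spi: int
    key: bytes
    next_seq: int = 1       # used by the sender
    highest_seen: int = 0   # used by the receiver for replay protection


def spd_action(dst):
    addr = ipaddress.ip_address(dst)
    for network, action in SPD:
        if addr in network:
            return action
    return "DISCARD"


def icv(sa, src, seq, payload):
    """AH-style integrity check value: HMAC-SHA1 truncated to 96 bits."""
    data = (ipaddress.ip_address(src).packed + sa.spi.to_bytes(4, "big")
            + seq.to_bytes(4, "big") + payload)
    return hmac.new(sa.key, data, hashlib.sha1).digest()[:12]


def send(outbound_sa, src, dst, payload):
    action = spd_action(dst)
    if action == "DISCARD":
        return None
    packet = {"src": src, "dst": dst, "payload": payload}
    if action == "PROTECT":
        seq = outbound_sa.next_seq
        outbound_sa.next_seq += 1
        packet.update(spi=outbound_sa.spi, seq=seq,
                      icv=icv(outbound_sa, src, seq, payload))
    return packet


def receive(sad, packet):
    sa = sad.get(packet.get("spi"))
    if sa is None:
        return "no matching SA"
    expected = icv(sa, packet["src"], packet["seq"], packet["payload"])
    if not hmac.compare_digest(expected, packet["icv"]):
        return "ICV mismatch"
    # Simplification: real implementations use a sliding window here.
    if packet["seq"] <= sa.highest_seen:
        return "replay"
    sa.highest_seen = packet["seq"]
    return "accepted"


def demo():
    key = b"constructed quick mode key"
    a_outbound = SecurityAssociation(spi=0x1001, key=key)
    b_sad = {0x1001: SecurityAssociation(spi=0x1001, key=key)}
    pkt = send(a_outbound, "192.0.2.10", "192.0.2.20", b"hello Bob")
    results = [receive(b_sad, pkt), receive(b_sad, pkt)]
    nat_pkt = send(a_outbound, "192.0.2.10", "192.0.2.20", b"second message")
    nat_pkt["src"] = "203.0.113.5"   # source address rewritten by a NAT
    results.append(receive(b_sad, nat_pkt))
    results.append(send(a_outbound, "192.0.2.10", "10.9.9.9", b"no policy"))
    return results
```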

5.6 Evaluation

IPSec is intended to be used instead of the security measures that come with IEEE 802.11b. An IPSec gateway is deployed behind the APs and it is the first point of access on the network. Below, IPSec is evaluated by the criteria defined in Section 4.5.

5.6.1 Manageability

Manageability is the overriding concern in choosing which authentication method to use and how many types of users can be supported. In implementations that are going to experience only a few connections from a small number of users a pre-shared secret key makes sense. In a setting with numerous users and many conflicting security requirements a public key infrastructure (PKI) may be mandatory.

Manageability is not an issue in choosing which encryption method, hash algorithm, and key size to utilize.

5.6.2 Implementation

An IPSec tunnel is created from the client through the wireless gateway and is terminated at the IPSec gateway in order to gain access to the wired LAN.

The client side is fairly easy to implement since support for IPSec exists in new versions of both free and proprietary operating systems. The procedure of connecting to an IPSec gateway is simple and should not be an issue for the user.

An IPSec gateway could be implemented using cheap hardware and free software for 10000 SEK. It should be installed with a wireless network interface card (NIC) and a wired NIC, and configured with the proper SA settings to create a valid VPN.

Hardware solutions utilizing IPSec could be bought for 30000 SEK with approximately 100 licenses from e.g. CISCO.

The best reference for deploying a PKI with its own CA is “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework” (RFC 2527). The service of maintaining users' certificates may as well be outsourced. Both outsourcing and in-house implementation are expensive.
