Previous Page
Next Page

WPA/802.11i BACKGROUND

Once the IEEE realized that WEP was going to need to be replaced, they started task group i (sexy name, I know). This group was tasked with creating a new set of security protocols to protect 802.11 against all of the things that WEP didn't. The amendment proposed by task group i is referred to as 802.11i, and it was ratified in 2004.

The Wi-Fi Alliance, however, didn't want to wait for the amendment to be ratified. In 2003, they created WPA. WPA is a subset of the 802.11i standard. While task group i had to be concerned with keeping wireless networks secure for many years to come, the Wi-Fi Alliance was more concerned with securing them this month. The 802.11i amendment specifies two different data confidentiality protocols, Temporal Key Integrity Protocol (TKIP) and Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). The bulk of the 802.11i standard remains the same, regardless of which confidentiality protocol is used.

TKIP uses cryptographic functions that hardware running WEP can compute. Specifically, TKIP uses RC4 (the same stream cipher used in WEP) and a new Message Integrity Check (MIC), called Michael. Both of these algorithms can be computed by wireless cards currently on the market. By contrast, CCMP uses AES-based cryptographic functions exclusively. While using AES-based cryptography is forward looking, it also requires more hardware be added to wireless cards.

WPA is essentially the draft form of 802.11i, minus the AES-based cryptography. WPA2 was released after ratification of the 802.11i standard and implements all of the mandatory elements of 802.11i. Practically speaking, WPA is 802.11i without AES, and WPA2 is 802.11i with AES. WPA2 is the approved Wi-Fi Alliance interopable implementation of 802.11i.

802.11i Groundwork

When the IEEE created the 802.11i amendment, they successfully grafted much of the infrastructure used to secure wired networks onto the wireless world. This immediately improved the security of 802.11 networks tremendously. It also required network administrators become familiar with many protocols they might not have run into before. This section aims to clear up the mystery behind all of the protocols that the 802.11i amendment sits on top of.

Few people realize that at 802.11i's core is a protocol with roots going as far back as 1992. This protocol is the Extensible Authentication Protocol (EAP), and in order to understand what 802.11i does (and the myriad of intertwined protocols it uses under the covers), it helps to study EAP and where it came from.

Technically, EAP didn't become its own protocol until 1998, when RFC 2284 was first published. However, the beginnings of EAP are evident in the Point-to-Point Protocol (PPP) RFCs (see section 7.2 of RFC 1331), where EAP evolved and first came into use.

PPP is a popular protocol used by dialup ISPs. PPP acts a sort of link layer on your phone line between you and your ISP. It allows you to encapsulate more than one network layer protocol, though it is currently used for IP almost exclusively. PPP includes features that you probably never thought you needed, but it addresses issues that had been quite a problem. The most obvious is how do you handle IP address configuration across a dialup link? Your phone line is not an Ethernet cable; you cannot simply send a DHCP request to the broadcast address. PPP addresses this and various other network layer configuration problems through a library of what it calls Network Control Protocols (NCPs). The particular protocol used to configure IP over PPP is IPCP, and it is specified in RFC 1332.

As PPP matured, it became clear that a method for authenticating users was required. Initially, the standard specified two ways for users to authenticate: PAP and CHAP. PAP stands for Password Authentication Protocol, but it should really be named Plaintext Authentication Protocol. PAP is a euphemism for sending a username and password across the wire in the clear; they had to call it something.

CHAP stands for Challenge Handshake Authentication Protocol. CHAP is probably the forerunner to any other challenge-response protocol you might have seen. Basically, the ISP sends you a random challenge, and you compute a hash of a function that takes your password and the challenge as input and sends the hash back. If you know the password, you can compute the hash; if not, you can't. The ISP does the same, and if your hashes match, you must know the secret.

Now CHAP was a big improvement over PAP (since the password is never sent in the clear), and most dialup users still use either CHAP or PAP. However, the people writing the standard could see that they might be adding more and more authentication schemes as time progressed. Instead of modifying the PPP protocol every time a new authentication scheme was cooked up, they modified it so PPP could handle arbitrary authentication schemes. They did this by creating EAP.

Extensible Authentication Protocol (EAP)

EAP is a very small protocol. When most people think of protocols, their head immediately fills up with layer-two protocols such as Ethernet, layer-three protocols such as IP, and so on. EAP is very different than the protocols most people are familiar with. It is designed to run directly on top of layer-two protocols (such as Ethernet or PPP), but it is not really supposed to carry arbitrary network/transport protocols on top of it. Also, unlike most protocols that run directly on top of the link layer, there is no real addressing scheme. As far as EAP is concerned, there are only two entities: the entity requesting to be authenticated (for example, a dialup user or a wireless client) and the entity on the other end of the link doing the authenticating. EAP has been modified to use the same terms for these entities that 802.1X uses (EAP came first, but the 802.1X terminology became more ubiquitous). Consequentially, this means that EAP calls the entity that wants to be authenticated the supplicant, and the guy on the other end of the link doing the authentication is called the authenticator. The dialup user scenario is shown in Figure 3-8.

Image from book
Figure 3-8: Dialup authentication using EAP

To return to wireless security for a moment, consider the diagram in Figure 3-9. The layer labeled EAPOL stands for EAP over LAN, which is covered in the 802.1X section. Although EAP is certainly used in wireless authentication, we are going to continue with the dialup example because that is where the protocols covered in this section actually originated.

Image from book
Figure 3-9: Mapping dialup authentication to wireless authentication

Now that you know who EAP exchanges messages with, I'll describe those messages. EAP is deceptively simple; there are only four categories of messages defined in the standard (RFC 3748):

  • Request Request packets are sent by the authenticator (think access point or an ISP's modem bank) to the supplicant (user).

  • Response Responses are sent from the supplicant (user) to the authenticator (access point/modem bank).

  • Success Sent by the authenticator to the supplicant to indicate that authentication was successful.

  • Failure Sent by the authenticator to the supplicant to indicate that authentication was unsuccessful.

The layout of an EAP request/response is shown in Figure 3-10. In the packet, the Code field is used to determine if the EAP packet is a request, response, success, or failure message. The Identifier is used as a serial number to pair up responses with requests. Length specifies the size of the packet (in bytes, including the header). The interesting fields are the Type and Type-Data fields.

Image from book
Figure 3-10: EAP request/response format

Type indicates the specific authentication type being used. Only a few of these are defined in the standard. The people who created the EAP standard are not responsible for creating specific authentication schemes. Examples of authentication schemes include EAP-TLS, which authenticates the supplicant with the use of certificates, or EAP-MD5, which is a simple challenge-response authentication scheme using MD5. The important thing to remember is that the authentication-specific details of all these messages are buried inside the Type-Data field.

Once EAP authentication begins, any number of request and response packets may be exchanged. The only requirement is that the exchange ends with either a success or failure. Regardless of the authentication scheme being used, an EAP packet with the Code field set to 3 (success) will be sent if authentication is successful.

In the simple exchange shown in Figure 3-11, the authenticator asks the supplicant his name. When the supplicant responds, the authenticator decides to let the supplicant in. This might seem like a trivial authentication scheme, but it can be useful. For example, some sort of token device might generate the user's identity. The real motivation for this example, however, is to introduce the EAP request identity message.

Image from book
Figure 3-11: Simple EAP authentication exchange

One of the few authentication types that the EAP standard specifies is the EAP request identity type. If it is hard to conceptualize asking someone to identify themselves as being a reasonable authentication scheme, so be it. Just think of it as the standard overloading the Type field for a special case. Regardless of whether or not asking someone his or her identity is a real authentication scheme, the standard explicitly covers it, and it is used in the opening phases of almost any authentication scheme. Even if you are going to deny someone access, you at least want to know who they claim to be.

Generally, the identity sent back is a username of some sort. The standard doesn't lay out any hard and fast rules, however. An identity could be a computer name, for example.

The most important thing to remember about EAP is that any authentication scheme can be put on top of it. This allows new authentication schemes to be deployed without disrupting the basic protocols carrying EAP messages around.

Introduction to RADIUS

So far in the dialup authentication example, the user can authenticate to the ISP using any authentication scheme that takes place over EAP. The problem with this model is that the EAP messages are only being passed from the user to the ISP's modem bank (or point of presence, as it is called). If the user were authenticating with a username and password, every modem bank would need its own copy of the username/password database. This is clearly inefficient. A more desirable model is shown in Figure 3-12. In this model, the authentication server is a central repository of usernames and passwords.

Image from book
Figure 3-12: Authentication using RADIUS

The protocol that forwards EAP messages from the authenticator to the authentication server is called Remote Access Dial-In User Service (RADIUS). RADIUS was originally defined to solve the username/password database problem when using the built-in CHAP/PAP authentication over PPP. Once EAP was created, and advanced authentication techniques implemented on top of it, RADIUS was modified to transport EAP. This is specified in RFC 2869.

As far as wireless security is concerned, RADIUS is really just a crunchy old protocol being used to transport EAP packets from an access point to an authentication server, and that is how we are going to treat it. This crunchy old protocol happens to run on top of UDP, so you can finally get the authentication packets from the end-users (who have no network layer connectivity) routed somewhere. RADIUS actually contains other complicated features related to accounting and so on, but these features aren't strictly related to wireless security and so will be overlooked for now.

RADIUS terminology, unfortunately, does not match up with that used in EAP or 802.1X. This biggest difference is that RADIUS calls the point of presence (or access point in the wireless world) a Network Access Server (NAS). This is confusing because as far as RADIUS is concerned, the access points and POPs are really clients. EAP and 802.1X both refer to these entities as authenticators.

RADIUS resembles EAP in some sense (or more accurately, EAP resembles RADIUS since RADIUS came first). Like EAP, it has four important messages related to authentication:

  • Access-request Packets sent from the NAS (access point, POP) to the authentication server

  • Access-challenge Responses sent from the authentication server to the NAS (access point, POP)

  • Access-accept Sent by the authentication server to the NAS to indicate successful authentication

  • Access-reject Sent by the authentication server to the NAS to indicate unsuccessful authentication

You can see from the terminology used for the RADIUS messages that RADIUS was designed with CHAP in mind. This is why access-challenge is called access-challenge, not access-response. Nonetheless, there is an orderly relationship between these four RADIUS packet types and EAP. When using EAP over RADIUS, EAP request messages are sent to the authentication server inside access-request messages. EAP responses are sent back to the authenticator (or NAS, in RADIUS speak) in access-challenges.

The original motivation presented for this three-tier authentication architecture was to avoid duplicating copies of a username/password database to all the POPs an ISP operates. A more general consequence of this is that the authenticator no longer has to process (or even comprehend) the authentication scheme employed between the end-user and the authentication server. As shown in Figure 3-13, consider what the authenticator is doing in general now.

Image from book
Figure 3-13: Sample authentication exchange between a dialup user and authentication server

The authenticator simply takes the end-user (supplicant's) EAP packets, wraps them up in a RADIUS packet, and sends them to the authentication server. Similarly, when it receives a response for the authentication server, it strips off the RADIUS packet, pulls out the EAP frame, and forwards it on to the client. The authenticator continues proxying these messages back and forth (without having to understand them) until it receives a RADIUS access-accept/access-reject message from the authentication server. The net result of this is that you can drastically change the authentication scheme on your wireless network (or dialup network) without having to modify any settings on your access points/POPs.

Once the ISPs modem bank receives the RADIUS access-accept packet, it knows that the authentication server has authenticated the client, and it is okay to let her connect. Keep in mind that at no point during this exchange did the modem bank have to know what sort of authentication method the dialup user and authentication server employed.

802.1X: Bringing EAP to the LAN

I have been discussing authentication protocols in terms of dialup users for two reasons. One is that all of the protocols mentioned so far were developed in the context of dialup users. The other is that it let me avoid introducing even more cumbersome terminology.

802.1X is another standard controlled by the IEEE (the 802. is a dead giveaway). In some sense, 802.1X is unique because it is tightly related to EAP. EAP, however, is administered by the IETF and documented in RFCs. The simplest way to describe 802.1X is to say that it wants to bring the EAP-based authentication outlined previously to everyday LAN users. The most straightforward case to consider is Ethernet.

Port-based Access Control

802.1X basically splits every physical Ethernet port into two logical ones-the controlled port and the uncontrolled port. The idea is that anyone who plugs into the physical Ethernet port can communicate over the uncontrolled port. There is a catch, however; the only type of communication allowed over the uncontrolled port is related to authentication.

Once a user successfully authenticates (over the uncontrolled port), data is allowed to pass over the controlled port. As a not-so-subtle reminder that IEEE has a lot of electrical engineers, a port that allows data to flow across it is called closed. This makes sense if you think of the port as a switch in a circuit, but it is very counterintuitive for mortals who spend most of their time a few layers higher in the protocol stack, where the term closed port means precisely the opposite.

To recap, when a user plugs into an Ethernet port protected by 802.1X, the only thing the user is allowed to send at first are packets related to authentication (EAP packets). Once a user successfully authenticates, she is allowed to transmit normal Ethernet data packets.

EAP over LAN (EAPOL)

I mentioned earlier that EAP typically runs directly over the link layer, but that isn't entirely true. EAP could go directly on top of Ethernet; however, the IEEE decided it would be a good idea to wrap it in something called EAP over LAN (EAPOL). In the most minimalist sense, EAPOL is simply a way to ferry EAP packets from a supplicant to the authenticator. In this case, the supplicant is a user with a laptop plugged into an Ethernet port, and the authenticator is the 802.1X-enabled switch that the user is plugged in to. In practice, EAP is still too simple to go over the bare metal of Ethernet (or other link layer protocols such as 802.11). When doing port-based access control, EAP is not designed to address some things that need to be considered. Two of these things are notifying the authenticator that you would like to authenticate and informing the authenticator that you are officially disconnecting. While this might seem unnecessary in wired networks, it poses more of a problem in wireless settings. As you'll see later, the main reason you need a wrapper for EAP is actually key distribution. Figure 3-14 illustrates authentication using 802.1X on an Ethernet-based LAN.

Image from book
Figure 3-14: Authentication using 802.1X on an Ethernet-based LAN

The four basic types of EAPOL message are discussed here briefly:

  • EAPOL-packet The most intuitive type of EAPOL packet. These packets are simple containers for transporting EAP packets across a LAN, for example, from a user's laptop to the 802.1X-enabled switch or access point.

  • EAPOL-start The supplicant can use this packet to inform the authenticator it wants to authenticate. In many cases, this is unnecessary as the authenticator can sense the supplicant is connected before it transmits an EAPOL-start message.

  • EAPOL-logoff This message informs the authenticator that the supplicant is disconnecting from the network-also unnecessary in many cases.

  • EAPOL-key The 802.1X standard provides support for key distribution, which is very important when it comes to securing wireless networks.

802.1X Summary

802.1X defines a way to transport EAP packets across Ethernet and other link layer protocols to an authenticator embedded in an 802.1X-aware switch or access point. This allows organizations to use their authentication server (most likely RADIUS based) to authenticate users before they can use an Ethernet port (or, as you will see, wireless link) to transfer data. 802.1X also provides support for key distribution-important for securing wireless links.


Previous Page
Next Page