
COMP4337/9337: Securing Fixed and Wireless Networks
Professor Sanjay K. Jha
WK05: WLAN 802.1X Authentication


• Security at Layer 2
• Authentication and Authorization in WLAN
• 802.1X Extensible Authentication Protocol (EAP)
– Authentication and Authorisation for both wired and wireless networks
• Robust Secure Network (RSN) / 802.11i for Key Management
The outline for this week is to learn security at layer 2, particularly authentication and authorization in wireless LAN.
There is a protocol called 802.1X which is used for controlling ports, the entry points to a network.
I’ll talk a bit more about it and then we’ll finally look at the Robust Security Network. Robust Secure Network is part of the IEEE 802.11 protocol.
The whole document is 200 pages or something close.
We’re not going to learn all of it. However, having done this subject, you should be able to understand all of these bits and pieces.

WLAN Security Summary
Wired Equivalent Privacy (WEP)
The privacy portion of the 802.11 standard
Contained major weaknesses
Wi-Fi Protected Access (WPA)
A set of security mechanisms that eliminates most 802.11 security issues
Based on the current state of the 802.11i standard
Robust Security Network (RSN)
Final form of the 802.11i standard
The figure summarizes everything in the context of the wireless security that we have seen so far.
Security can be very challenging and you have learnt many techniques on how it can be broken via your lab work.
The good news is that a lot of new equipment doesn’t implement old standards.
The course has been more about defensive techniques. However, we are also teaching you some attack techniques.
Ideally I should have covered this lecture earlier, but given the TLS and Kerberos material and other protocol design aspects, it makes sense to delay it a bit.
So as we learned earlier, there were problems, so WPA1 was introduced with better crypto, and then a new version, WPA2, evolved. In a rapidly changing field, we now have WPA3 in place.
We had problems with RC4, and then the TKIP protocol was introduced with multiple keys. RSN has extended many security features, particularly for the enterprise.

Challenges for Enterprise
• Pre Shared Key (PSK) not scalable
– Max 64 hex characters, configure manually in each device
• E.g. 100 Employees, all share same Key.
• One leaves the company
– Configure 99 devices with new key
• We have learnt the vulnerability with WEP/WPA – and labs.
• WPA2 provides CCMP/AES.
• We learnt about SSL and IPSec
– Provide lot of flexibility/options in configuring security at network and transport layers
• Advanced Authentication Methods based on “Extensible Authentication Protocol (EAP)” – topic of this lecture
So far we looked at the pre-shared key mechanisms.
You configure a key then in your wireless access point and then an identical key in your device.
For small groups like a family with few members and their devices, one can handle this. However, if you have a lot of people at work, it becomes difficult to manage keys.
So we want some kind of automated way of managing the keys which can scale, so that devices can join and leave without us having to change the whole setup.
So we looked at several higher-layer protocols like SSL and IPSec.
Today we’ll look at the Extensible Authentication Protocol, EAP, so that we can build a secure enterprise network.

• Authentication: verification of user identity and credentials
– May be multifactor: biometric etc.
• Authorization: granting access to resources and services
– Needs authentication first.
• Accounting: tracking network use by users
– Important to keep log
– Required by many industry regulators
– Helpful for billing/charging
So when we are looking at networking, generally a lot of people would be familiar with the term Triple A.
If you’re not, then I think it’s worth learning about them. So, you’ve learned a lot about authentication.
User identity and credentials prove who you are. We talked about multi-factor authentication. Have we learned anything about authorization? Anything that can provide authorization?
We discussed things like granting service in Kerberos, such as which resources can be used by whom.
Accounting is when someone is using a network and the operator wants to keep track of the usage of resources.
However, it becomes an issue of privacy, because the operator needs to know who is using what. This may also leak personal information, a topic quite hotly debated.
Many industry regulators require operators to keep this information. Also, accounting is important from the perspective of billing and charging.

Authentication in WLAN – recap
• Username and passwords
• Digital Certificates
• Dynamic/One Time passwords
• Smartcards or credential on USBs
• Machine authentication (based on embedded identity)
• Pre-shared Keys (We saw WEP, WPA using this earlier)
• Wi-Fi Protected Setup (WPS) – push button/Pin
• WLAN Example of MF: A registered computer and a legitimate user which has entry in a DB e.g. A Microsoft Active Directory
We covered a variety of these authentication mechanisms so we will not spend much time on these.
You are familiar with username and passwords.
We talked about digital certificates and then there are a whole bunch of other mechanisms.

Authorization in WLAN
• Various applications and higher layer protocols have their own authorization schemes.
• WLAN can provide authorization via the 802.1X framework at Layer-2 (can be used with Robust Security Network (RSN))
– Port based access control (more later), for both wired and wireless network
– Lot of standard documents for various bits/pieces – not focus of this subject
• Accounting is an important part but not within scope of WSN
– Useful for forensics though
Let’s look at authorization issues now.
What happens is that the network has these layer two devices: switches or access points.
That in itself is like a gate where access can be blocked. So, a user or device cannot even log into the network or send any packets beyond that access point unless it is authenticated and has authorization to use resources.
So that’s where port-based authentication and authorization come into play.
Any kind of network router or switch which has ports can block those ports, so you will not be able to forward anything on that port without proper authentication and authorisation.
I should remind you that this is not applicable just to wireless but also to wired networks.

IEEE 802.1X Port based Authentication
• Port Based: User must authenticate to switch they are physically connected to.
• Involves 3-party communications (nomenclature from 802.1X standard)
– Supplicant
o User
– Authenticator
o Ethernet switch, wireless access point
– Authentication server
o RADIUS (Remote access dial-in user service) database, Kerberos, LDAP or AD (Can be co-located with Authenticator)
[Figure: Supplicant – Authenticator – Authentication Server – Protected infrastructure (LDAP, Active Directory Server, ...)]
So, let’s dive deeper into port-based authentication.
The figure shows a user device in a wireless context connecting to an access point (or a switch in wired network).
Now every standard has ended up introducing new terminology.
So a user or client becomes a supplicant.
The access point in this case is called the authenticator. It can also be a switch or router.
Then you have a wired IP network which has an authentication server connected to it. The authentication server can then communicate with a server implementing a directory service.
What is the directory service doing? Have we seen something like this before in any other context? Have you seen an authentication server before?
We also talked about X.509. Do you remember X.509?
Did you make any connection to X.500?
I said that it is an extension of X.500, which is a directory service for keeping your credentials and authorization to resources.
X.509 has the capability of storing the certificate, the public-key certificate, so it’s all coming together.
I should say that this is not mandated. There are many ways of developing this. We could have RADIUS, which is a famous protocol. It could also be Kerberos or LDAP.
We talked about Active Directory, if you’re working in a Microsoft environment.
In the picture we showed that the authentication server is separate, but you could also have both running on the same device. If you’re creating a separate server, then you must share secrets, so we need to have configured passwords between these two.

Supplicant
• Device to be authenticated for resource use
• Uses EAP protocol to connect to Auth. Server
• Until identity verified – can’t use higher layer protocols (3 – 7)
• Can be software/app running 802.1X client
• OS based supplicants:
– Microsoft Wireless Zero Conf – WZC
o Known problems with supplicant software
– Apple’s airport client
• Chipset vendors may provide supplicant software
– Intel, Atheros, Broadcom
The device to be authenticated for a resource is called the supplicant, and the supplicant software lives on this client or server.
The supplicant is typically software running on a device.
It uses EAP protocols to connect to the authentication server.
Until the identity is verified, you cannot use any higher layer protocols.
If you send IP packets, the access point will drop them.
We learnt that all other packets will be dropped unless the ports are open.
There is different client software that is used as supplicants. Also, hardware chips are available.
I’m not going to ask you what the name of the Microsoft supplicant is, so no need to memorize.

Authenticator (Access Point)
• For EAP, authenticator acts as a relay between Supplicant and Auth. Server
• Two Virtual Ports:
– Uncontrolled: allows EAP authentication traffic
– Controlled: Only authenticated traffic
• With WLAN Bridging solution:
– Root bridge (a nominated bridge) is authenticator and
other connected ones are supplicant
• Configured with address of Authentication Server
– Possible co-location of Auth. Server with Authenticator
– Shared Secret with Auth. Server
What is the job of an authenticator, such as your access point? The access point is just acting as a relay. So it passes the supplicant’s identity or any protocol exchange to the authentication server.
It typically has 2 virtual ports. We are not talking about physical ports.
One of them is the uncontrolled port, which only allows the EAP traffic through.
The other one is the controlled port. Only once authenticated does it become open and allow higher layer protocols to get through.
Have you heard of bridging before?
In networking, you would have learnt that switches are connected together.
All these were also called bridges, and they can connect a larger Layer 2 network. The root bridge (a nominated bridge) is the authenticator and the other connected ones are supplicants.
Is there any situation where you don’t care about the layer 3 network?
Real-time applications, where performance is critical: any layer that you add means more processing.
If you are in a small business, you could possibly co-locate the Authentication Server with the Authenticator.
If you’re creating a separate server, then you must share secrets, so we need to have configured passwords between these two.

Authentication Server: RADIUS (1)
• RADIUS provides centralized authentication, authorization and accounting management for user/host to access a network service/resource
– Details in RFC 2865
• Supports AAA (Authentication, Authorization and Accounting) – a.k.a “ Triple A”
– RFC 3579 (AAA protocols such as RADIUS/EAP)
– RADIUS is used to shuttle RADIUS-encapsulated EAP Packets between authenticator
and an authentication server
• Most network equipment supports RADIUS
– Wireless AP, VPN appliance, SSL, etc.
• Keeps an audit log of user’s activity – accountability
• Radius Server
– Standalone – local DB
– Use External DB – e.g Active Directory
– UDP Port 1812 for Auth, 1813 for Acct.
• Any other server can also be directly used in place of RADIUS
Again, you could have many types of authentication servers, but RADIUS is popular.
It is almost free.
There are certain features of RADIUS, and there is an IETF standard protocol with the details.
Again, no need to memorize any of this.

RADIUS (2)
• Radius Server and Authenticator configured with a shared secret.
• Authenticator sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol
– This request includes access credentials (e.g., username and password hash)
– Authentication server checks the credentials using the RADIUS server, Kerberos server, LDAP or Active Directory server
– returns one of three responses
o Access Accept, Access Reject, Access Challenge for extra credentials
As we discussed earlier, the RADIUS server and the authenticator are configured with this shared secret.
The authenticator sends various Access-Request messages to the RADIUS server. Each protocol has its messages and specific formats.
You don’t have to memorize any of this.
So when you are doing any kind of authentication, you need to present credentials such as a username or a hash of the password.
The RADIUS server returns one of three responses:
Access Accept, Access Reject, Access Challenge for extra credentials

RADIUS server examples
• Elektron (US$750) is an entry-level and user-friendly server
• ClearBox (US$599) is designed for small networks, but it also scales to larger networks
• FreeRADIUS (open source) is a solid and economical choice for Unix/Linux admins, offering the most customization and flexibility
There is an IETF standard for RADIUS that you can easily download. In fact, the news is much better.
You can buy them at a very small price.
You can build your own.
For any of you who is an entrepreneur here and wants to build your own network, grab one of these.

Four phases of operation (Short Story)
STA: supplicant; AP: access point; AS: authentication server (network authentication)
1 Discovery of security capabilities
2 STA and AS mutually authenticate, together generate Master Key (MK). AP serves as “pass through”
3 STA derives Pairwise Master Key (PMK)
3 AS derives same PMK, sends to AP
4 STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity
déjà vu SSL/TLS
So let’s have a quick look at the short story of this whole WPA2 and RSN.
Want to join a network?
The first phase is discovery of security capabilities, and these things happen during the association. Revise your basic networking.
In the second phase the station and the authentication server mutually authenticate and generate a master key.
Does this look familiar? Have we covered this before? The answer is Kerberos.
The access point at this time is just a relay, as it’s passing EAP messages through.
So once mutual authentication has finished, they derive a key called the Pairwise Master Key. The authentication server also derives a pairwise master key.
This is not the same key as the master key. It is derived from the master key.
So this idea is revisited; it is standard practice in all kinds of security protocols.
And then what happens is that at this point the authentication server is going to install the keys at the access point.
So at this point the station and the authenticator can communicate directly. They exchange a number of keys, as we did in SSL.
How many keys did we derive in SSL? For a pair of communicating parties, how many keys were there? Four. Good, you remember some of this.

EAP: extensible authentication protocol (Short Story)
• EAP: end-end client (mobile) to authentication server protocol
• EAP sent over separate “links”
– Wireless Device-to-AP (EAP over LAN)
– AP to authentication server (RADIUS over UDP)
[Figure: Wireless Device (Supplicant) – EAP over LAN (EAPOL), IEEE 802.11 – Authenticator (AP) – wired network, RADIUS/LDAP/.. – RADIUS (Auth. Server)]
We said that the authenticator is acting as a relay. So how does it work? It has two sides.
One side uses just layer 2.
So this is either wireless 802.11 WLAN or other wired local area network protocols in the 802 family.
On the other side, it runs the IP protocol.
And then this authenticator does the bridging.
So it will be using UDP etc. to communicate with the authentication server.
In this example we took RADIUS. It could be any other server. Does that make sense?
The Extensible Authentication Protocol has many variants that we will cover later.

802.1X protocol – Long Story Continue
• When a new client (supplicant) is connected to an authenticator, the port on the switch/wireless AP (authenticator) is enabled and set to the “unauthorized” state
– In this state, only 802.1X traffic is allowed
– Other traffic, such as DHCP and HTTP, is blocked at the data link layer
– Steps
o Authenticator sends out the EAP-Request identity to the supplicant
o Supplicant responds with the EAP-response packet that the authenticator forwards to the authenticating server
o If the authenticating server accepts the request, the authenticator sets the port to the “authorized” mode and normal traffic is allowed
o When the supplicant logs off, it sends an EAP-logoff message to the authenticator; the authenticator then sets the port to the “unauthorized” state, once again blocking all non-EAP traffic
So when a new client is connected to an authenticator, the port on the switch of the authenticator is enabled and set to the unauthorized state.
So communication with the server can happen using EAP. In this state, only EAP traffic can go through.
If you did your lab on WPA, there were some EAP protocols at the back as self-reading.
Some of those messages get exchanged.
Other, higher-layer traffic such as DHCP and HTTP all gets blocked.
The authenticator sends out the EAP identity request to the supplicant, and the supplicant responds with the response packet.
This message is then forwarded to the authentication server, which can either accept or reject the request, and then the port can be authorized.
When the supplicant finishes, it logs off, all state related to this connection gets discarded and the port gets blocked again.
Next time, if you want to log in, then you will have to go through the process again.
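The port state machine the slide steps through, as an added example that is not part of the lecture or any real switch or supplicant software: an authenticator with an uncontrolled virtual port (EAPOL always passes) and a controlled virtual port (everything else passes only once authorized), driven through the EAP-Request/Identity, EAP-Response, server verdict and EAP-logoff steps. The authentication server is a constructed lookup table, and the whole EAP method exchange is collapsed into that single verdict.

```python
from dataclasses import dataclass, field

ETH_EAPOL, ETH_IP = 0x888E, 0x0800              # EtherTypes: EAP over LAN, IPv4
EAPOL_EAP_PACKET, EAPOL_LOGOFF = 0, 2           # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE = 1, 2                # EAP codes
EAP_TYPE_IDENTITY = 1


@dataclass
class Frame:
    ethertype: int
    payload: bytes = b""


def eap_identity_response(identity: str) -> Frame:
    """Supplicant's answer to EAP-Request/Identity: EAPOL type, EAP code, EAP type, identity."""
    return Frame(ETH_EAPOL, bytes([EAPOL_EAP_PACKET, EAP_RESPONSE, EAP_TYPE_IDENTITY]) + identity.encode())


@dataclass
class Authenticator:
    """Model of one switch port / AP association. The uncontrolled virtual port always
    passes EAPOL; the controlled virtual port passes other traffic only when authorized."""
    auth_server: dict                 # constructed stand-in for the RADIUS/AS verdict
    state: str = "unauthorized"
    relayed: list = field(default_factory=list)   # identities forwarded to the AS

    def port_enabled(self) -> Frame:
        """Link comes up: the port starts unauthorized and the authenticator asks who is there."""
        self.state = "unauthorized"
        return Frame(ETH_EAPOL, bytes([EAPOL_EAP_PACKET, EAP_REQUEST, EAP_TYPE_IDENTITY]))

    def handle(self, frame: Frame) -> str:
        """Decide what happens to one frame arriving from the supplicant."""
        if frame.ethertype != ETH_EAPOL:            # DHCP, HTTP, ... use the controlled port
            return "forward" if self.state == "authorized" else "drop"
        if frame.payload[0] == EAPOL_LOGOFF:        # EAP-logoff: back to blocking
            self.state = "unauthorized"
            return "logoff"
        if frame.payload[:3] == bytes([EAPOL_EAP_PACKET, EAP_RESPONSE, EAP_TYPE_IDENTITY]):
            identity = frame.payload[3:].decode()
            self.relayed.append(identity)           # relayed to the AS (inside RADIUS in real life)
            if self.auth_server.get(identity):      # AS verdict stands in for the EAP method exchange
                self.state = "authorized"
                return "eap-success"
            return "eap-failure"
        return "eap-relay"                          # other EAP traffic goes via the uncontrolled port


def session(authenticator: Authenticator, identity: str) -> list:
    """Play the slide's steps for one supplicant and record the port decisions."""
    authenticator.port_enabled()
    return [
        authenticator.handle(Frame(ETH_IP, b"DHCP Discover")),          # blocked before auth
        authenticator.handle(eap_identity_response(identity)),
        authenticator.handle(Frame(ETH_IP, b"HTTP GET /")),             # depends on the verdict
        authenticator.handle(Frame(ETH_EAPOL, bytes([EAPOL_LOGOFF]))),
        authenticator.handle(Frame(ETH_IP, b"HTTP GET /")),             # blocked again
    ]
```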

Association and EAP
• First step is usual 802.11 association to establish L2 connection
• If 802.1X framework used, network unusable unless the shown authorization process is complete.
Src: CWSP Text
So initially this is open system authentication, that is, standard networking.
How do you associate with an access point? You’ve learned that before, but now this is an enterprise network.
We don’t have a shared key for each supplicant. At home you have this pair.
The major difference here is that all your authentication information is stored at the server.
And the server on demand is going to install what you need to communicate. So that’s the whole new thing.
And if you know this much, you will have learnt this lecture.
OK. What’s the advantage now?
If someone loses their password, we are not going to worry about the whole network, because the authentication server will not authenticate them.
So that’s the main idea of this protocol.

Generic EAP Exchange
Src: CWSP Text
So, everything taken together:
You have this association with the authenticator.
Then you have EAP.
The authenticator requests the identity.
Only once the identity is supplied does the port get unblocked.
And from this point onward the authenticator starts to relay the messages to the server.
Some exchanges follow.
Exactly as we learned in Kerberos,
the two parties mutually authenticate each other through this challenge method and generate the transient key, and then the keys are installed.
The Authenticator, now is not going to communicate with the s
