Slide 1: Requirements for Network Access Authentication Mechanisms (網路認證機制之需求)

Uploaded by jeffrey-osborne, 04-Jan-2016

Slide 2: What is Network Access Authentication?

• A mechanism by which access to the network is restricted to authorized entities
  • Identities used are typically userIDs
  • NB: each user on a multi-user machine does not need to authenticate once the link is up, so this doesn't guarantee that only the authenticated user is accessing the network
• Once authenticated, the session needs to be authorized
  • Authorization can include things like VLAN-ID, rate limits, filters, tunneling, etc.
• To prevent hijacking, you need per-packet authentication as well
  • Encryption is orthogonal to authentication
  • Per-packet MIC based on a key derived during the authentication process, linking each packet to the identity claimed in the authentication
  • No MIC support in PPP and WEP!

Source: Microsoft

Slide 3: Network Access Alternatives (I)

Network access authentication has already been implemented at every layer.

• PHY
  • Example: 802.11b
  • Pros: no MAC or TCP/IP changes required (all support in firmware)
  • Cons: requires firmware changes in NICs and NASes to support new auth methods, requires NAS to understand new auth types, slows delivery of bug fixes (e.g. WEP v1.0), hard to integrate into AAA
• MAC
  • Examples: PPP, 802.1X
  • Pros: no firmware changes required for new auth methods, easier to fix bugs, easy to integrate into AAA, no network access needed prior to authentication, extensible (RFC 2284)
  • Cons: requires MAC layer changes unless implemented in driver

Source: Microsoft

Slide 4: Network Access Alternatives (II)

• IP
  • Examples: hotel access (based on ICMP re-direct to access web server)
  • Pros: no client MAC or TCP/IP changes required (for ICMP re-direct method)
  • Cons: doesn't work for all apps, no mutual authentication, partial network access required prior to auth, need to find access control server if not at first hop, typically not extensible, may not derive encryption keys, no accounting (no logoff)
• UDP/TCP
  • Examples: proprietary token card protocols
  • Pros: no client MAC or TCP/IP changes required – can be implemented purely at the application layer
  • Cons: requires client software, partial network access required prior to auth, need to find access control server if not at first hop, typically not extensible, no accounting (no logoff)

Source: Microsoft

Slide 5: Why Do Auth at the Link Layer?

• It's fast, simple, and inexpensive
  • Most popular link layers support it: PPP, IEEE 802
  • Cost matters if you're planning on deploying 1 million ports!
• Client doesn't need network access to authenticate
  • No need to resolve names or obtain an IP address prior to auth
• NAS devices need minimal layer 3 functionality
  • 802.11 access points, 1 Gbps switch ports go for $300, support 802.1D, 802.1X, SNMP & RADIUS, may have no layer 3 filtering support
  • Authentication, AAA support typically a firmware upgrade
• In a multi-protocol world, doing auth at the link layer enables authorizing all protocols at the same time
  • Doing it at the network layer would mean adding authentication within IPv4, IPv6, AppleTalk, IPX, SNA, NetBEUI
  • Would also mean authorizing within multiple layers
  • Result: more delay

Source: Microsoft

Slide 6: What is IEEE 802.1X? (I)

• The IEEE standard for authenticated and auto-provisioned LANs
  • Ratified June 2001
  • Based on EAP, IETF RFC 2284
• A framework for authentication and key management
  • IEEE 802.1X derives keys which can be used to provide per-packet authentication, integrity and confidentiality
  • Typically used along with well-known key derivation algorithms (e.g. TLS, SRP, etc.)
• IEEE 802.1X does not mandate security services – can do authentication, or authentication & encryption
  • Encryption alone not recommended (but that's what WEP does)

Source: Microsoft

Slide 7: What is IEEE 802.1X? (II)

What 802.1X is not:

• Purely a wireless standard – it applies to all IEEE 802 technologies (e.g. Ethernet First Mile applications)
• PPP over Ethernet (PPPOE) – only supports EAP authentication methods (no PAP or CHAP), packets are not encapsulated
• A cipher – not a substitute for WEP, RC4, DES, 3DES, AES, etc.
  • But 802.1X can be used to derive keys for any cipher
• A single authentication method
  • But 802.1X can support many authentication methods without changes to the AP or NIC firmware

Source: Microsoft

Slide 8: A History of IEEE 802.1X

• The idea started with customers who wanted to control access to a public network
  • Universities, government agencies
  • Existing approaches were inadequate
• Customers wanted something that could be implemented inexpensively – on existing switches
• Customers wanted to utilize existing network access infrastructure (RADIUS, LDAP, etc.)
  • PPPOE – too much overhead
  • VPN – too many interoperability issues
  • DHCP – designed for addressing and configuration, not access control
• Concept developed by 3Com, HP, and Microsoft
  • We examined alternatives, and settled on a Layer 2 approach
  • A small group wrote the spec and built prototypes
  • Consensus and running code! Not designed by committee!
• IEEE 802.1X PAR approved in January 1999
• Approved as an IEEE standard June 2001

Source: Microsoft

Slide 9: 802.1X Topologies

Figure: Supplicant (PAE) connects to the Authenticator/EtherNAS (e.g. Access Point or Bridge, PAE) over EAP over LAN (EAPOL) or EAP over Wireless (EAPOW); the authenticator talks to the Authentication Server over EAP over RADIUS. The authenticator sits at the Semi-Public Network / Enterprise Edge in front of the Enterprise or ISP Network. A second variant shows a non-802.1X supplicant behind an EtherCPE device that acts as supplicant on its behalf.

Source: Microsoft

Slide 10: 802.1X Security Philosophy

• Approach: a flexible security framework
  • Implement the security framework in upper layers
  • Enable plug-in of new authentication and key management methods without changing the NIC or Access Point
  • Leverage main CPU resources for cryptographic calculations
• How it works
  • Security conversation carried out between supplicant and authentication server
  • NIC, Access Point act as pass-through devices
• Advantages
  • Decreases hardware cost and complexity
  • Enables customers to choose their own security solution
  • Can implement the latest, most sophisticated authentication and key management techniques with modest hardware
  • Enables rapid response to security issues

Source: Microsoft

Slide 11: What is EAP? (I)

• The Extensible Authentication Protocol (RFC 2284)
  • Provides a flexible link layer security framework
• Simple encapsulation protocol
  • No dependency on IP
  • ACK/NAK, no windowing
  • No fragmentation support
• Few link layer assumptions
  • Can run over any link layer (PPP, 802, etc.)
  • Does not assume a physically secure link
    • Methods provide security services
  • Assumes no re-ordering
  • Can run over lossy or lossless media
    • Retransmission is the responsibility of the authenticator (not needed for 802.1X or 802.11)

Source: Microsoft

Slide 12: What is EAP? (II)

• EAP methods based on IETF standards
  • Transport Level Security (TLS) (supported in Windows 2000)
  • Secure Remote Password (SRP)
  • GSS_API (including Kerberos)

Source: Microsoft

Slide 13: EAP Architecture

Figure: three layers. Method layer: TLS, SRP, AKA, SIM. EAP layer: EAP, exposed upward through EAP APIs. Media layer: PPP, 802.3, 802.5, 802.11, reached through NDIS APIs.

Source: Microsoft

Slide 14: IEEE 802.1X Conversation

Figure: message sequence between a laptop computer, an Ethernet switch and a RADIUS server (EAPOL between laptop and switch, RADIUS between switch and server):

• Port connect – access blocked
• Laptop → Switch: EAPOL-Start
• Switch → Laptop: EAP-Request/Identity
• Laptop → Switch: EAP-Response/Identity
• Switch → RADIUS server: Radius-Access-Request
• RADIUS server → Switch: Radius-Access-Challenge
• Switch → Laptop: EAP-Request
• Laptop → Switch: EAP-Response (credentials)
• Switch → RADIUS server: Radius-Access-Request
• RADIUS server → Switch: Radius-Access-Accept
• Switch → Laptop: EAP-Success
• Access allowed
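As an added example (not from the slides or from Microsoft), the conversation above modelled in Python: EAPOL and EAP packets are built in their 802.1X / RFC 2284 wire format, the switch relays EAP between EAPOL and the RADIUS server without interpreting the method, and its port opens only on Access-Accept. EAP-MD5 (the simplest method in RFC 2284) stands in for the "credentials" exchange, the RADIUS transport is abstracted to a method call, and the fixed challenge and user table are constructed.

```python
import hashlib
import struct

# EAPOL packet types (802.1X) and EAP codes/types (RFC 2284) used below
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_MD5_CHALLENGE = 1, 4


def eap_packet(code, ident, type_=None, data=b""):
    """EAP packet: Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]."""
    payload = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]


def eapol(ptype, body=b""):
    """EAPOL frame: Version(1) | Type(1) | Body Length(2) | Body."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def parse_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    return ptype, frame[4:4 + length]


class RadiusServer:
    """Authentication server: the only party holding the user database (constructed)."""

    def __init__(self, users):
        self.users = users          # {identity: password}
        self.identity = None
        self.challenge = b"fixed-constructed-challenge"  # a real server draws a fresh random value

    def access_request(self, eap):
        """Handle the EAP-Message of an Access-Request; return (verdict, EAP packet to relay)."""
        _code, ident, type_, data = parse_eap(eap)
        if type_ == EAP_IDENTITY:
            self.identity = data.decode()
            type_data = bytes([len(self.challenge)]) + self.challenge   # Value-Size | Value
            return "Access-Challenge", eap_packet(EAP_REQUEST, ident + 1, EAP_MD5_CHALLENGE, type_data)
        if type_ == EAP_MD5_CHALLENGE and self.identity in self.users:
            secret = self.users[self.identity].encode()
            expected = hashlib.md5(bytes([ident]) + secret + self.challenge).digest()
            if data[1:1 + data[0]] == expected:
                return "Access-Accept", eap_packet(EAP_SUCCESS, ident)
        return "Access-Reject", eap_packet(EAP_FAILURE, ident)


class Authenticator:
    """Switch port: relays EAP between EAPOL and RADIUS and never inspects the method."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = False   # "Access blocked" until Access-Accept arrives

    def receive(self, frame):
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:
            return eapol(EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_IDENTITY))
        verdict, eap = self.server.access_request(body)   # EAP forwarded unchanged
        self.port_authorized = verdict == "Access-Accept"
        return eapol(EAPOL_EAP_PACKET, eap)


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def respond(self, frame):
        """Answer an EAP-Request; return None when EAP-Success/Failure ends the conversation."""
        _ptype, body = parse_eapol(frame)
        code, ident, type_, data = parse_eap(body)
        if code in (EAP_SUCCESS, EAP_FAILURE):
            return None
        if type_ == EAP_IDENTITY:
            reply = eap_packet(EAP_RESPONSE, ident, EAP_IDENTITY, self.identity.encode())
        else:   # MD5-Challenge: MD5(Identifier | secret | challenge), as in CHAP (RFC 1994)
            challenge = data[1:1 + data[0]]
            digest = hashlib.md5(bytes([ident]) + self.password.encode() + challenge).digest()
            reply = eap_packet(EAP_RESPONSE, ident, EAP_MD5_CHALLENGE, bytes([len(digest)]) + digest)
        return eapol(EAPOL_EAP_PACKET, reply)


def run_conversation(supplicant, authenticator, max_rounds=8):
    """Drive EAPOL-Start through to EAP-Success or EAP-Failure; return the final EAP code."""
    frame = authenticator.receive(eapol(EAPOL_START))
    for _ in range(max_rounds):
        reply = supplicant.respond(frame)
        if reply is None:
            return parse_eap(parse_eapol(frame)[1])[0]
        frame = authenticator.receive(reply)
    raise RuntimeError("conversation did not terminate")
```

The port stays unauthorized on Access-Reject and for an unknown identity, which is the "access blocked" state in the figure.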

Slide 15: 802.1X On 802.11

Figure: message sequence between a laptop computer, an Access Point and a RADIUS server (EAPOW over the wireless link, RADIUS between Access Point and server):

• Laptop → AP: 802.11 Associate-Request
• AP → Laptop: 802.11 Associate-Response
• Association – access blocked
• Laptop → AP: EAPOW-Start
• AP → Laptop: EAP-Request/Identity
• Laptop → AP: EAP-Response/Identity
• AP → RADIUS server: Radius-Access-Request
• RADIUS server → AP: Radius-Access-Challenge
• AP → Laptop: EAP-Request
• Laptop → AP: EAP-Response (credentials)
• AP → RADIUS server: Radius-Access-Request
• RADIUS server → AP: Radius-Access-Accept
• AP → Laptop: EAP-Success
• AP → Laptop: EAPOW-Key (WEP)
• Access allowed

Slide 16: Advantages of IEEE 802.1X

• Open standards based
  • Leverages existing standards: EAP (RFC 2284), RADIUS (RFC 2865, 2866, 2867, 2868, 2869)
  • Enables interoperable user identification, centralized authentication, key management
  • Enables automated provisioning of LAN connectivity
• User-based identification
  • Identification based on the Network Access Identifier (RFC 2486) enables support for roaming access in public spaces (RFC 2607)
  • Enables a new class of wireless Internet access
• Dynamic key management
  • Improved security for wireless (802.11) installations

Source: Microsoft

Slide 17: The Role of RADIUS

• RADIUS is the key to enabling 802.1X applications
• RADIUS enables per-user compulsory tunneling assignment
  • More flexible than static or realm-based tunneling
• RADIUS enables per-user VLAN assignment
  • More flexible than static per-port or MAC-based VLAN assignment
• RADIUS enables accounting and auditing
  • Both switch/AP and tunnel server can use RADIUS
  • Allows the enterprise to audit usage and do alarming
  • BIGCO can match accounting records from the tunnel server with accounting records from the ISP for auditing purposes
• RADIUS enables use of a single userID/password pair
  • Both bridge/access point and tunnel server can authenticate against the same database
  • RADIUS server backend, LDAP backend

Source: Microsoft

Slide 18: Vendors Supporting 802.1X (Dec 2001)

• Microsoft, AirWave, Compaq, Dell, IBM, Intel, HP, Symbol, Toshiba, Telson, Wayport
• 3Com, Agere, Enterasys, Intersil
• Cisco: Catalyst switches, 802.11 access points

Source: Microsoft

Slide 19: Windows Wireless Architecture

Figure: block diagram of the Windows networking stack, with the components affected by wireless highlighted.

• Networking APIs: WinSock 2.0, TAPI 3.0, Dial-up Networking APIs, Routing APIs, Network streaming (DirectX)
• Protocol stacks: TCP/IP, RSVP, packet scheduler, packet classifier, IP packet filtering, IP forwarder
• Networking services: DHCP, IGMP, DNS, IRDP, 802.1X, route table, Network Location, 802.1D, NetBT, UPnP
• NDIS 5.1 and NDIS WAN media: PPTP, Async, Bluetooth, Ethernet, TR (Token Ring), 802.11, RNDIS

Source: Microsoft

Slide 20: WPA – Wi-Fi Protected Access

Slide 21: What is the Wi-Fi Alliance?

• The Wi-Fi Alliance (formerly WECA) is a nonprofit organization formed in 1999 to certify interoperability of IEEE 802.11 products and to promote Wi-Fi as the global wireless LAN standard across all market segments.
• There are nearly 700 Wi-Fi CERTIFIED products to date.

Slide 22: What is Wi-Fi Protected Access (WPA)?

• Powerful, standards-based, interoperable security technology for Wi-Fi networks
• Strong data protection – encryption
• Strong access control – user authentication
• Subset of the 802.11i draft standard and will maintain forward compatibility
• Software upgradeable to the nearly 700 Wi-Fi CERTIFIED products

Slide 23: History of Wi-Fi Security – WEP

• The 1997 IEEE 802.11 spec called for an optional security mechanism called Wired Equivalent Privacy, or WEP
• WEP had modest goals
  • Baseline security
  • Comply with US export guidelines at the time
• WEP had problems even before it was "broken"
  • One static key
  • Manual distribution of keys
  • No user authentication
• In 2001, several research papers pointed to WEP's cryptographic weaknesses
  • Led to development of software tools to break WEP
• WEP still offered a basic level of security, and remained useful for casual, home use (most never even used it)
  • Not appropriate by itself for securing a busy corporate network

Slide 24: History of Wi-Fi Security – Alternatives

• Some vendors responded with their own proprietary solutions
  • Some good, some not
  • But all were proprietary to that specific brand of gear
• Virtual Private Network (VPN) + Wi-Fi
  • Effective, but: expensive (overkill), not what VPNs were designed to do, or what their ROIs promised
  • Still not interoperable
• 802.1X + WEP (Dynamic WEP)

Slide 25: The Industry Responds

• The market was calling for strong, interoperable Wi-Fi security
• In late 2001, the Wi-Fi Alliance, in conjunction with IEEE 802.11 TGi, began an effort to bring strong, standards-based, interoperable Wi-Fi security to market quickly
• The result of that effort is Wi-Fi Protected Access
  • WPA announced October 31, 2002
  • First round of WPA products announced today

Slide 26: WPA's Technology Parts

• User authentication: 802.1X + Extensible Authentication Protocol (EAP)
• Encryption: Temporal Key Integrity Protocol (TKIP)
  • 802.1X for dynamic key distribution
  • Message Integrity Check (MIC), a.k.a. "Michael"
• WPA = 802.1X + EAP + TKIP + MIC
• Pre-Shared Key for SOHO authentication

Slide 27: WPA Design Goals

• Resolve WEP's cryptographic weaknesses
• Add user authentication
• Be applicable to the nearly 700 Wi-Fi CERTIFIED products on the market
• Be available in 2003
• Be certified interoperable
• Exceeding goals:
  • Automatic key distribution
  • Per user, per session, unique master keys
  • Unique per packet encryption keys

Slide 28: How WPA Works – Enterprise (figure only)

Slide 29: How WPA Works – Enterprise

• Step 1. Client associates with Access Point (AP)
• Step 2. AP blocks LAN access until client is authenticated
• Step 3. Client provides credentials to the authentication server
  • If not authenticated, client stays blocked from the LAN
  • If authenticated, the process continues
• Step 4. Authentication server automatically distributes encryption keys to AP and client
• Step 5. Client joins the LAN, encrypting data back and forth with the AP

Slide 30: How WPA Works – SOHO (figure only)

Slide 31: Deploying WPA – Enterprise – Hardware

• Authentication server, typically RADIUS
  • Common in LE for remote user access
• WPA enabled Access Points: WPA at ship, or upgraded to WPA
• WPA enabled clients: WPA at ship, or upgraded to WPA

Slide 32: Deploying WPA – Enterprise – Software

• Authentication server (RADIUS) – strong EAP type such as TLS, TTLS, PEAP
• WPA enabled Access Points – 802.1X, TKIP
• WPA enabled clients – 802.1X, TKIP, supplicant to support EAP / 802.1X

Slide 33: Deploying WPA – SOHO – Hardware

• WPA enabled Access Points or home gateway: WPA at ship, or upgraded to WPA
• WPA enabled clients: WPA at ship, or upgraded to WPA

Slide 34: Deploying WPA – SOHO – Software

• WPA enabled Access Points – 802.1X, TKIP
• WPA enabled clients – 802.1X, TKIP, supplicant (or partial supplicant) to run 802.1X and PSK
• Runs in Pre-Shared Key (PSK) mode

Slide 35: Wi-Fi Alliance Security Timeline

• 1999 – WEP
• 2003 – Wi-Fi Protected Access (WPA)
• 2004 – WPA2 (802.11i)

Slide 36: WPA is a snapshot of 802.11i (WPA2)

Slides 37–41: figures only (no text recovered)

Slide 42: Summary Comparison (figure only)

Slide 43: Summary

• WPA provides a dramatic improvement in Wi-Fi security
• Enterprise class but suitable for SOHO
• Reasonable deployment costs
• The strong, standards-based Wi-Fi security solution the market has been seeking
• Best of all . . . it's here now!

For more information, go to: http://www.wi-fi.org/OpenSection/protected_access.asp

Slide 44: Security Standards for Wireless LANs (無線區域網路之安全標準)

Dr. 林文宗 – Consultant, Wireless Network Technology Group, ITRI Computer & Communications Research Laboratories (工研院電通所); Head of the Network Section, Computer Center, and Assistant Professor, Department of Information Management, Minghsin University of Science and Technology (明新科技大學)

Slide 45: References

• IEEE 802.11 Standard, 1999 Edition
• IEEE 802.11i/D3, 2003 Edition

Slide 46: IEEE 802.11i – Enhanced Security

Slide 47: Network Security Architectures

• RSN – Robust Security Network
  • A WLAN that supports the security features of the 802.11i standard.
  • Built on the IEEE 802.1X standard, which carries the authentication information and the key management service.
  • Therefore every station and AP in an RSN must implement IEEE 802.1X.
• Pre-RSN
  • A WLAN that provides only the network security functions defined in the original 802.11 standard.
• TSN – Transition Security Network
  • A WLAN made up of a mix of RSN and Pre-RSN equipment; a temporary architecture for the transition from IEEE 802.11 WLANs to the IEEE 802.11i security standard.

Slide 48: Pre-RSN Network Security Mechanisms

• IEEE 802.11 Std. in 1999
  • WEP privacy: Wired Equivalent Privacy Algorithm
  • IEEE 802.11 Authentication: Open System, Shared Key

Slide 49: RSN Security Mechanisms (I)

• Data privacy mechanisms
  • TKIP – Temporal Key Integrity Protocol: provides the simplest data confidentiality function applicable to Pre-RSN networks.
  • WRAP – Wireless Robust Authenticated Protocol: an optional AES (Advanced Encryption Standard) based protocol, designed as a long-term data security mechanism.
  • CCMP – CCM Protocol: CCM is Counter mode with CBC-MAC; CBC-MAC is the CBC Message Authentication Code; CBC is Cipher-Block Chaining. The future default mandatory mechanism of RSN, another AES-based protocol.

Slide 50: RSN Security Mechanisms (II)

• Security association management
  • RSN negotiation procedure: used to establish a security context
• Access control
  • IEEE 802.1X authentication replaces the IEEE 802.11 authentication methods
• Key distribution
  • IEEE 802.1X key management supplies the encryption keys

Slide 51: IEEE 802.11 Privacy

Slide 52: Wired Equivalent Privacy Algorithm (WEP)

• Eavesdropping is a well-known problem in all wireless technologies. For this reason the IEEE 802.11 standard defines a data confidentiality algorithm equivalent to that of a wired LAN. The standard suggests using this privacy method without an authentication method, but that recommendation exposes the system to serious security threats.
• Wired Equivalent Privacy Algorithm
  • Uses the RSA RC4 stream cipher.
  • Self-synchronizing.
  • Efficient.
  • Can be implemented in hardware or software.
  • An optional feature of 802.11.

Slide 53: How WEP Works – Basic Terms

• Encryption: E; decryption: D; plaintext: P; ciphertext: C
• Principle of operation: Ek(P) = C, Dk(C) = P, Dk(Ek(P)) = P

Figure: Plaintext → Encryption (Key) → ciphertext → Decryption (Key) → original plaintext; the keys are supplied by a Key Management Service; an eavesdropper observes the ciphertext in transit.

Slide 54: Encryption Operation (II)

The WEP algorithm is of the electronic code book form: a plaintext block is XORed with a pseudorandom key sequence of equal length produced by the WEP algorithm.

Figure: Secret Key and Initialization Vector (IV) form the Seed of the WEP PRNG (RC4), which outputs the Key Sequence; the Plaintext is passed through the Integrity Algorithm to produce the Integrity Check Value (ICV); Plaintext ‖ ICV is XORed with the Key Sequence to give the Ciphertext; the transmitted Message is IV ‖ Ciphertext.

Slide 55: Encryption Operation (III)

Encryption procedure:

• The secret key is concatenated with the Initialization Vector (IV) to produce a seed, which is passed to the PRNG.
• The PRNG outputs a pseudorandom key sequence k whose length equals the MPDU data length plus 4, because the key sequence protects the integrity check value (ICV) in the same way as the data.
• To protect against unauthorized modification of the data, an integrity algorithm operates on the plaintext P to produce an ICV (CRC-32).
• The plaintext P and the ICV are concatenated, then mathematically combined with the key sequence to complete the encryption.
• The output contains the IV and the ciphertext.

Slide 56: Encryption Operation (IV)

Notes on the operation:

• The WEP PRNG is the most important component of the encryption process: it transforms a very short secret key into a key sequence of considerable length.
• This greatly simplifies key distribution, since only the secret key needs to be passed between stations.
• The IV extends the useful lifetime of the secret key and provides the self-synchronization property of the algorithm.
• Each new IV produces a new seed and key sequence, so there is a one-to-one correspondence between the IV and the key sequence k.
• The IV may be changed as often as every MPDU (because it travels with the message), and the receiver is always able to decrypt each message.
• The IV can be transmitted in the clear without fear of an eavesdropper, because it reveals no information about the secret key, and because the receiver must have it to decrypt.

Slide 57: Encryption Operation (V)

Other components:

• For a WEP-protected frame, the first 4 octets of the frame body are the MPDU's IV field. So the IV is followed by the MPDU, and then by the ICV.
• This expands the WEP frame body from 2304 to 2312 octets.
• The PRNG seed is 64 bits: bits 0–23 are bits 0–23 of the IV, and bits 24–63 are bits 0–39 of the secret key.
• The ICV is 32 bits.
• The WEP Integrity Check Algorithm is CRC-32.

Figure: PRNG Seed (64 bits) = IV (bits 0–23) ‖ Secret Key (bits 24–63)

Slide 58: Expansion of the WEP Frame Body (I)

Figure (sizes in octets):

  IV (4) | DATA (PDU) (1–2304) | ICV (4)

DATA and ICV are encrypted. The IV field is Init. Vector (3 octets) followed by 1 octet containing a 6-bit Pad and a 2-bit Key ID.

Slide 59: Expansion of the WEP Frame Body (II)

• ICV: 32 bits, the CRC-32 computed over the PDU.
• IV: 3-octet initialization vector.
• 2-bit Key ID: selects one of four secret keys to use for decryption.
• 6-bit padding, set to 0.

Slide 60: Decryption Operation

Decryption at the receiver begins with reception of the message. The IV carried in the received message is used to generate the key sequence needed for decryption. Combining the ciphertext with the key sequence yields the original plaintext and the ICV. Correct decryption also requires the integrity check algorithm to compute ICV' over the recovered plaintext and verify it against the received ICV.

Figure: received Message = IV ‖ Ciphertext ‖ ICV; IV and Secret Key form the Seed of the WEP PRNG, which outputs the Key Sequence; Ciphertext XOR Key Sequence gives Plaintext ‖ ICV; the Integrity Algorithm over the Plaintext gives ICV'; check ICV' = ICV?

Slide 61: IEEE 802.11 Authentication

Slide 62: Authentication

• Purpose: to confirm the legitimacy of the other party's identity.
• IEEE 802.11 provides two authentication types:
  • Open System (the default authentication method)
  • Shared Key
• The authentication type is carried in the frame body of the authentication management frame; authentication frames are therefore self-identifying and correspond to an authentication algorithm.
• Either station, when requesting authentication, may specify which method is used for mutual authentication.
• Authentication frames are unicast frames between a pair of stations; there is no multicast authentication.
• Deauthentication is a notification, so frames with a group address may appear.

Slide 63: Open System (I)

• Characteristics
  • Simplest.
  • An authentication method that requires no authentication algorithm.
  • Any station requesting authentication with this method is authenticated, as long as the other side supports and permits open system authentication.
• Two steps
  • The requester asserts its identity (Identity Assertion) and sends an Authentication frame.
  • The responder returns an Authentication frame that records the result.

Frame 1:
• Authentication Algorithm Number = 0
• Authentication Transaction Sequence Number = 1 (request)
• Status Code (reserved)

Frame 2:
• Authentication Algorithm Number = 0
• Authentication Transaction Sequence Number = 2 (response)
• Status Code = success or failure

Slide 64: Open System (II)

Open System Authentication flow – First frame

• Message type: Management
• Message subtype: Authentication
• Information Items:
  • Authentication Algorithm Identification = "Open System"
  • Station Identity Assertion (in SA field of header)
  • Authentication transaction sequence number = 1
  • Authentication algorithm dependent information (none)
• Direction of message: from authentication initiating STA to authenticating STA

Slide 65: Open System (III)

Open System Authentication flow – Final frame

• Message type: Management
• Message subtype: Authentication
• Information Items:
  • Authentication Algorithm Identification = "Open System"
  • Authentication transaction sequence number = 2
  • Authentication algorithm dependent information (none)
  • The result of the requested authentication, as defined
• Direction of message: from authenticating STA to initiating STA

Slide 66: Shared Key (I)

• The Shared Key authentication method authenticates stations according to whether or not they know the shared secret key.
• In 802.11 this method completes the authentication procedure without transmitting the secret key, but it requires the WEP privacy mechanism.
• The WEP option must be supported.
• It is assumed that the shared key has already been delivered to all participating stations over a secure channel independent of 802.11.

Slide 67: Shared Key (II)

Four steps:

• (WEP = off) The requester sends an Authentication frame asking the other side to authenticate it, identified by the SA field (SID) in the frame header.
• (WEP = off) The responder first checks that both sides use the same authentication method. If so, the responder uses the WEP algorithm to generate 128 bytes of challenge text; its purpose is to test the peer's secret key, so the content itself is unimportant.
• (WEP = on) The requester copies the challenge text from the previous Authentication frame into the third Authentication frame and sends it back to the responder, encrypted.
• (WEP = off) The responder decrypts the received ciphertext with its own shared key and reports the authentication result to the requester in the fourth Authentication frame.

Slide 68: Shared Key (III)

Frame 1:
• Authentication Algorithm Number = 0
• Authentication Transaction Sequence Number = 1 (request)
• Status Code (reserved)

Frame 2:
• Authentication Algorithm Number = 0
• Authentication Transaction Sequence Number = 2 (response)
• Status Code = success or failure
• Challenge text

Frame 3:
• Authentication Algorithm Number = 1
• Authentication Transaction Sequence Number = 3 (re-request)
• Status Code = success or failure
• Challenge text (encrypted)

Frame 4:
• Authentication Algorithm Number = 0
• Authentication Transaction Sequence Number = 4 (response)
• Status Code = success or failure

Page 69

Shared Key (IV)

Authentication flow: First frame

Message type: Management
Message subtype: Authentication
Information Items:

• Station Identity Assertion (in SA field of header)
• Authentication Algorithm identification = “Shared Key”
• Authentication transaction sequence number = 1
• Authentication algorithm dependent information (none)

Direction of message: From requester to responder

Page 70

Shared Key (V)

Authentication flow: Second frame

Message type: Management
Message subtype: Authentication
Information Items:

• Authentication Algorithm identification = “Shared Key”
• Authentication transaction sequence number = 2
• Authentication algorithm dependent information = the authentication result
• The result of the requested authentication, as defined:
  Failure: this is the last frame of the transaction sequence
  Successful: the 128-octet challenge text produced by the WEP pseudo-random number generator (PRNG)

Direction of message: From responder to requester

Page 71

Shared Key (VI)

Authentication flow: Third frame

Message type: Management
Message subtype: Authentication
Information Items:

• Authentication Algorithm identification = “Shared Key”
• Authentication transaction sequence number = 3
• Authentication algorithm dependent information = challenge text from the sequence two frame

Direction of message: From requester to responder

Page 72

Shared Key (VII)

Authentication flow: Final frame

Message type: Management
Message subtype: Authentication
Information Items:

• Authentication Algorithm identification = “Shared Key”
• Authentication transaction sequence number = 4
• Authentication algorithm dependent information = the authentication result (successful/unsuccessful)

Direction of message: From responder to requester
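The four-frame Shared Key exchange of slides 67 to 72, modelled end to end as an added example (not from the original slides): a requester and a responder run frames 1 to 4, with a plain RC4/CRC-32 WEP encapsulation standing in for the WEP privacy mechanism. The AuthFrame object, the status code values and the use of os.urandom for the challenge are this example's own simplifications.

```python
import os
import zlib
from dataclasses import dataclass
from typing import Optional

SHARED_KEY = "Shared Key"      # Authentication Algorithm Identification
SUCCESS, FAIL = 0, 1           # status codes (values chosen for this example)
CHALLENGE_LEN = 128            # octets of challenge text (slide: 128-octet PRNG output)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then keystream XOR data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP encapsulation: RC4(IV || key) applied to plaintext || CRC-32 ICV."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> Optional[bytes]:
    """WEP decapsulation; returns the plaintext, or None when the ICV check fails."""
    plain = rc4(iv + key, ciphertext)
    body, icv = plain[:-4], plain[-4:]
    return body if zlib.crc32(body).to_bytes(4, "little") == icv else None


@dataclass
class AuthFrame:
    """Authentication management frame (only the information items are modelled)."""
    algorithm: str                 # Authentication Algorithm Identification
    seq: int                       # Authentication transaction sequence number 1..4
    status: Optional[int] = None   # status code (reply frames 2 and 4)
    body: bytes = b""              # algorithm-dependent information (challenge text)
    iv: bytes = b""                # WEP IV sent with the encrypted frame 3


def run_shared_key_auth(requester_key: bytes, responder_key: bytes) -> int:
    """Runs frames 1..4 between requester and responder; returns the final status."""
    # Frame 1 (WEP off): requester -> responder; identity is asserted by the SA field.
    f1 = AuthFrame(SHARED_KEY, 1)
    # Frame 2 (WEP off): responder checks algorithm and sequence number, then
    # issues a random 128-octet challenge whose content does not matter.
    if f1.algorithm != SHARED_KEY or f1.seq != 1:
        return FAIL
    challenge = os.urandom(CHALLENGE_LEN)          # stand-in for the WEP PRNG output
    f2 = AuthFrame(SHARED_KEY, 2, SUCCESS, challenge)
    # Frame 3 (WEP on): requester echoes the challenge, WEP-encrypted under its key.
    iv = os.urandom(3)
    f3 = AuthFrame(SHARED_KEY, 3, None, wep_encrypt(requester_key, iv, f2.body), iv)
    # Frame 4 (WEP off): responder decrypts with its own key; a matching challenge
    # (with an intact ICV) shows the requester holds the same shared key.
    if f3.algorithm != SHARED_KEY or f3.seq != 3:
        return FAIL
    decrypted = wep_decrypt(responder_key, f3.iv, f3.body)
    f4 = AuthFrame(SHARED_KEY, 4, SUCCESS if decrypted == challenge else FAIL)
    return f4.status
```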

Page 73

IEEE 802.11i

Authentication

Page 74

Authentication and Key Management Overview

(Figure: the STA holds the IEEE 802.1X Supplicant (Port Access Entity) and the EAP Client; the IEEE 802.1X Authenticator (Port Access Entity) exchanges EAPoL with the Supplicant and carries EAP to the EAP Server in the Authentication Server (AS) over a Secure Channel.)

Page 75

Establishment and negotiation of an IEEE 802.11 connection

Page 76

IEEE 802.1X EAP Authentication

Page 77

Establishing pairwise Key

Page 78

Group Key Delivery

Page 79

IEEE 802.1X Authentication Exchange

Page 80

4-way Handshake

Participants: Supplicant (STA), Authenticator (AP), Authentication Server (AS). STA and AP exchange EAPoL; AP and AS use a Secure Channel (e.g., RADIUS with MPPE).

The AS sends the Pairwise Master Key to the Authenticator (AP) over their secure channel (e.g., using RADIUS with MPPE). Then:

1. AP -> STA: EAPoL-Key (ANonce)
2. STA -> AP: EAPoL-Key (SNonce, RSN IE, MIC)
3. AP -> STA: EAPoL-Key (Install, ANonce, RSN IE, MIC)
4. STA -> AP: EAPoL-Key (Install, SNonce, MIC)

Page 81

Example

802.11 Station / 802.1X Supplicant (STA) and 802.11 Access Point / 802.1X Authenticator (AP):

AP -> STA: EAP-Success
AP: ANonce = Get next Key Counter
AP -> STA: EAPOL-Key (0, 0, 1, 0, 0, P, 0, ANonce, 0, 0)
STA: SNonce = Get next Key Counter; Calculate PTK using ANonce and SNonce
STA -> AP: EAPOL-Key (0, 1, 0, 0, 0, P, 0, SNonce, MIC, SSN IE)
AP: Calculate PTK using ANonce and SNonce
AP -> STA: EAPOL-Key (0, 1, 1, 1, 0, P, KeyIV, ANonce, MIC, SSN IE)
STA: Set Temporal Encryption and MIC Keys from PTK in Key index for Tx/Rx
STA -> AP: EAPOL-Key (0, 1, 0, 0, 0, P, 0, 0, MIC, 0)
AP: Set Temporal Encryption and MIC Keys from PTK in Key index for Tx/Rx
AP -> STA: EAPOL-Key (1, 1, 1, 0, Key Index, G, KeyIV, GNonce, MIC, GTK)
STA -> AP: EAPOL-Key (0, 1, 0, 0, 0, G, 0, 0, MIC, 0)
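The 4-way handshake of slides 80 and 81, run as an added example in Python (not the slides' own material): both sides derive the PTK from the PMK and the two nonces with the 802.11i PRF under the "Pairwise key expansion" label, and each message's MIC is checked with the KCK before keys are installed. The EAPOL-Key frames are reduced to the fields the MIC covers, the PMK is a constructed value standing in for what the AS delivers to the AP, and the HMAC-SHA1-128 MIC variant is assumed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PTK_LABEL = b"Pairwise key expansion"


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """PTK = PRF-384(PMK, label, Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)),
    split into KCK (EAPOL-Key MIC key), KEK (key wrap key) and TK (temporal key), 16 octets each."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PTK_LABEL, data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def key_mic(kck: bytes, frame: Dict[str, bytes]) -> bytes:
    """EAPOL-Key MIC over the frame with its MIC field zeroed: HMAC-SHA1 truncated to 16 octets."""
    body = frame["nonce"] + frame["rsn_ie"] + bytes(16)
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_pmk: bytes, sta_pmk: bytes, aa: bytes, spa: bytes,
                       rsn_ie: bytes) -> Tuple[bool, Optional[bytes], Optional[bytes]]:
    """Runs the exchange between Authenticator (AP) and Supplicant (STA). Each side holds
    its own copy of the PMK (the AP's came from the AS over the secure channel).
    Returns (handshake_ok, tk_installed_by_ap, tk_installed_by_sta)."""
    # Message 1, AP -> STA: ANonce, no MIC (the STA has no PTK yet).
    anonce = os.urandom(32)
    msg1 = {"nonce": anonce, "rsn_ie": b""}
    # STA: pick SNonce, derive PTK from both nonces, send Message 2 (SNonce, RSN IE, MIC).
    snonce = os.urandom(32)
    sta_ptk = derive_ptk(sta_pmk, aa, spa, msg1["nonce"], snonce)
    msg2 = {"nonce": snonce, "rsn_ie": rsn_ie}
    msg2["mic"] = key_mic(sta_ptk["kck"], msg2)
    # AP: derive PTK; a bad MIC means the STA does not hold the same PMK.
    ap_ptk = derive_ptk(ap_pmk, aa, spa, anonce, msg2["nonce"])
    if not hmac.compare_digest(key_mic(ap_ptk["kck"], msg2), msg2["mic"]):
        return False, None, None
    # Message 3, AP -> STA: Install, ANonce, RSN IE, MIC. The STA checks the MIC and that
    # the RSN IE matches what the AP advertised, then installs the temporal key.
    msg3 = {"nonce": anonce, "rsn_ie": rsn_ie}
    msg3["mic"] = key_mic(ap_ptk["kck"], msg3)
    if not hmac.compare_digest(key_mic(sta_ptk["kck"], msg3), msg3["mic"]):
        return False, None, None
    if msg3["rsn_ie"] != rsn_ie:
        return False, None, None
    # Message 4, STA -> AP: Install, MIC. The AP verifies it and installs its key too.
    msg4 = {"nonce": b"", "rsn_ie": b""}
    msg4["mic"] = key_mic(sta_ptk["kck"], msg4)
    if not hmac.compare_digest(key_mic(ap_ptk["kck"], msg4), msg4["mic"]):
        return False, None, None
    return True, ap_ptk["tk"], sta_ptk["tk"]
```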

Page 82

Group Key Handshake

Supplicant (STA) and Authenticator (AP), over EAPoL:

AP: GNonce = Get next Key Counter
AP -> STA: EAPoL-Key (1,1,1,0,Key Index, G, GNonce, MIC, GTK)
STA: Decrypt GTK and set in Key Index
STA -> AP: EAPoL-Key (0,1,0,0,0, G, 0, MIC, 0)
AP: Set GTK in Key Index

Page 83

Example

802.11 Station / 802.1X Supplicant (STA) and 802.11 Access Point / 802.1X Authenticator (AP):

AP: GNonce = Get next Key Counter
AP -> STA: EAPOL-Key (1, 1, 1, 0, Key Index, G, KeyIV, GNonce, MIC, GTK)
STA: Decrypt GTK and set in Key index
STA -> AP: EAPOL-Key (0, 1, 0, 0, 0, G, 0, 0, MIC, 0)
AP: Set GTK in Key Index

Page 84

IEEE 802.11i

Data Privacy Mechanism

Page 85

TKIP Encapsulation

(Figure: TA and the Temporal Key enter Phase 1 key mixing to give the TTAK key; the TTAK key and the TSC enter Phase 2 key mixing to give the WEP seed(s), represented as WEP IV + RC4 key. The MIC key together with SA + DA + priority + plaintext MSDU gives the MIC; plaintext MSDU + MIC is split into fragment(s), the plaintext MPDU(s), which WEP encapsulation turns into ciphertext MPDU(s).)

TA: Transmitter Address
TTAK: TKIP mixed Transmit Address and Key

Page 86

TKIP Decapsulation

(Figure: from the ciphertext MPDU, Unmix IV recovers the TKIP IV and TSC; TA and the Temporal Key go through Phase 1 key mixing to the TTAK key, which with the TSC goes through key mixing to the WEP seed used by WEP decapsulation. An MPDU with failed WEP ICV is dropped; an out-of-sequence MPDU is dropped and in-sequence MPDUs are reassembled into the plaintext MSDU. Michael is recomputed over MIC key + SA + DA + priority + plaintext MSDU and compared (MIC = MIC?); an MSDU with failed TKIP MIC triggers countermeasures.)

Page 87

Construction of Expanded TKIP MPDU

Note: The encipherment process has expanded the original MPDU size by 20 octets: 4 for the Initialization Vector (IV) / KeyID field, 4 for the extended IV field, 8 for the Message Integrity Code (MIC) and 4 for the Integrity Check Value (ICV).

Layout:
IV / KeyID (4 octets): RC4Key[0], RC4Key[1], RC4Key[2] (the expanded IV16), then one octet with Rsvd in b0-b4, ExtIV in b5 and KeyID in b6-b7
Extended IV (4 octets): TSC2, TSC3, TSC4, TSC5 (IV32)
Data (>= 1 octets), MIC (8 octets), ICV (4 octets): encrypted (note)

Page 88

WEP Frame Body Expansion (I)

Size in octets:
IV (4): Init. Vector (3) + 1 octet holding a 6-bit Pad and a 2-bit Key ID
DATA (PDU) (1 ~ 2304)
ICV (4)
The DATA and ICV fields are encrypted (note).

Page 89

TKIP MIC relation to 802.11

Page 90

WRAP

A block cipher based on AES, operating in OCB (Offset CodeBook) mode.

Encryption flow:
First expand the key into multiple Round Keys.
At the start, XOR the data with the first Round Key.
Enter N-1 repeated sub-rounds: Byte substitute, Shift Row, Mix Column, Round Key Addition.
The final round omits the Mix Column step.

Page 91

Construction of Expanded WRAP MPDU

Page 92

CCMP Encapsulation

(Figure: Plaintext MPDU -> Increment PN, Encode PN -> Plaintext MPDU with PN. Construct the Initialization Block from MIC_IV, TA, PN and DLEN; Compute MIC using CBC-MAC with the Temporal Key and append to MPDU -> Plaintext MPDU with MIC. Construct the Counter from TA and PN; AES CTR-mode encrypt data -> Ciphertext.)

Page 93

CCMP Decapsulation

(Figure: Ciphertext MPDU -> Extract PN & DLen; PN Good? (compared with the Previous PN), otherwise Discard MPDU. Construct the Counter from TA and PN; AES CTR-mode decrypt data with the Temporal Key -> Plaintext MPDU with MIC. Construct the Initialization Block from MIC_IV, TA, PN and DLEN; Compute MIC using CBC-MAC; MIC = MIC? -> MIC OK -> Plaintext MPDU, otherwise Discard MPDU.)

Page 94

Expanded CCMP MPDU

RSN Header (8 octets), Data (>= 1 octets), MIC (8 octets); Data and MIC are encrypted (note).

Note: The encipherment process has expanded the original MPDU size by 16 octets, 4 for the PN0-1 / Key ID field, 4 for the PN2-5 field and 8 for the Message Integrity Code (MIC).

RSN Header layout: PN0, PN1, Rsvd, one octet with Rsvd in b0-b4, ExtIV in b5 and KeyID in b6-b7, then PN2, PN3, PN4, PN5.
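The expanded CCMP MPDU layout above and the "PN Good?" replay check from the decapsulation slide, as an added example (not from the original slides): the 8-octet header is built and parsed, and a receiver discards any MPDU whose PN does not exceed the last accepted PN for that transmitter address and key id. The sample frames are constructed; the AES-CCM encryption and MIC computation are not modelled.

```python
from typing import Dict, Optional, Tuple

CCMP_HDR_LEN = 8         # PN0, PN1, Rsvd, Rsvd|ExtIV|KeyID, PN2, PN3, PN4, PN5
CCMP_MIC_LEN = 8
EXT_IV_BIT = 0x20        # bit 5 of octet 3, always set for CCMP
KEY_ID_MASK = 0xC0       # bits 6-7 of octet 3


def build_ccmp_header(pn: int, key_id: int) -> bytes:
    """Encodes the 48-bit packet number and 2-bit key id as in the expanded CCMP MPDU."""
    if not 0 <= pn < (1 << 48) or not 0 <= key_id < 4:
        raise ValueError("PN must fit in 48 bits and KeyID in 2 bits")
    pn_bytes = pn.to_bytes(6, "little")          # PN0 is the least significant octet
    octet3 = EXT_IV_BIT | (key_id << 6)          # Rsvd bits b0-b4 are zero
    return pn_bytes[0:2] + b"\x00" + bytes([octet3]) + pn_bytes[2:6]


def parse_ccmp_header(hdr: bytes) -> Tuple[int, int]:
    """Returns (pn, key_id); raises ValueError for a short header or a clear ExtIV bit."""
    if len(hdr) < CCMP_HDR_LEN:
        raise ValueError("short CCMP header")
    if not hdr[3] & EXT_IV_BIT:
        raise ValueError("ExtIV bit clear: not a CCMP-encapsulated MPDU")
    pn = int.from_bytes(hdr[0:2] + hdr[4:8], "little")
    return pn, (hdr[3] & KEY_ID_MASK) >> 6


def expanded_len(plaintext_len: int) -> int:
    """The slide's note: CCMP expands the MPDU by 16 octets (8 header + 8 MIC)."""
    return plaintext_len + CCMP_HDR_LEN + CCMP_MIC_LEN


class CcmpReceiver:
    """Receive-side 'PN Good?' check from the decapsulation slide: one replay counter
    per (transmitter address, key id), accepting only strictly increasing PNs."""

    def __init__(self) -> None:
        self.last_pn: Dict[Tuple[bytes, int], int] = {}

    def accept(self, ta: bytes, mpdu: bytes) -> Optional[bytes]:
        """Returns the encrypted data || MIC for an in-sequence MPDU, or None when it
        must be discarded. A real receiver advances the replay counter only after the
        CBC-MAC MIC verifies; that step is not modelled here, so the counter is
        advanced as soon as the PN check passes."""
        if len(mpdu) < CCMP_HDR_LEN + 1 + CCMP_MIC_LEN:
            return None                              # no room for >= 1 data octet and MIC
        pn, key_id = parse_ccmp_header(mpdu[:CCMP_HDR_LEN])
        slot = (ta, key_id)
        if pn <= self.last_pn.get(slot, -1):
            return None                              # replayed or reordered: Discard MPDU
        self.last_pn[slot] = pn
        return mpdu[CCMP_HDR_LEN:]
```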

Page 95

CBC – Cipher Block Chaining

Page 96

IEEE 802.11e: QoS Issues in 802.11 MAC

Page 97

Outline

• Introduction
• QoS Limitations of 802.11 MAC
• Overview of 802.11e
• New QoS mechanisms: EDCF, HCF
• Reference

Page 98

Introduction

WLAN has gained widespread acceptance and deployment in:
• Healthcare facilities
• Education institutions
• Corporate enterprise office spaces
• Public areas (airports, hotels, restaurants, etc.)

Challenges:
• Less bandwidth
• High error rate
• Path loss
• Interference

Page 99

Overview of 802.11e

• Formed in Sep. 1999 and approved in March 2000
• Aims to support both IntServ and DiffServ
• The new standard is still under debate and unstable
• New QoS mechanisms: EDCF (Enhanced DCF) and HCF (Hybrid Coordination Function)
• Backward compatible with the DCF and PCF

Page 100

QoS Limitations of 802.11 MAC

DCF (Distributed Coordination Function)
• Only supports best-effort services
• No guarantee in bandwidth, packet delay and jitter
• Throughput degradation under heavy load

PCF (Point Coordination Function)
• Inefficient and complex central polling scheme
• Unpredictable beacon frame delay due to incompatible cooperation between CP and CFP modes
• Transmission time of the polled stations is unknown

Page 101

Limitations of PCF

• Unknown transmission time of the polled stations: delays the transmission of time-bounded traffic; unpredictable time delays in each CFP
• Hidden station problem: could transmit interfering frames during CFP

(Figure: BSS1 and BSS2, each with a PC and stations STA1 to STA4; a CF-Poll and the resulting Data transmissions end in a Collision.)

Page 102

QoS Support Mechanism of 802.11e

Priority schemes
• Provide differentiated control of access to the medium with differing priorities (8 priority queues)
• EDCF (Enhanced DCF) and HCF (Hybrid Coordination Function)

TXOP (Transmission Opportunity)
• An interval of time when a particular STA has the right to initiate transmissions
• Defined as an interval of time: a starting time and a maximum duration
• Allocated via contention (EDCF-TXOP) or granted through HCF (polled-TXOP)

Page 103

IEEE 802.11e

(Figure: MAC architecture above the PHY: DCF providing the legacy contention services, PCF (contention free, legacy), EDCF (differentiated service, new) and HCF controlled access (contention free, new).)

PHY: Physical Layer
DCF: Distributed Coordination Function
PCF: Point Coordination Function
EDCF: Enhanced DCF
HCF: Hybrid Coordination Function

Page 104

QoS level in 802.11e

QoS Level   Channel Access Mechanism                        Scheduling policy
Level 3     HCF (EDCF and HCF controlled channel access)    parameterized
Level 2     HCF (EDCF and HCF controlled channel access)    prioritized
Level 1     HCF (EDCF only)                                 prioritized
Level 0     DCF, PCF                                        none

Page 105

802.11e Access Category (AC)

• Access category (AC) as a virtual DCF
• 4 ACs implemented within a QSTA to support 8 priorities
• Multiple ACs contend independently
• The winning AC transmits a frame

(Figure: AC0 to AC3, each with its own Backoff (AIFS[i], BO[i]) for i = 0..3, feed a Virtual Collision Handler that issues the Transmission Attempt.)

Page 106

EDCF

Review of DCF (CSMA/CA):
• Transmit the frame directly if the medium is found idle for DIFS (DCF InterFrame Space)
• Otherwise, defer the transmission and start the backoff process
• Backoff_time = rand[0, CW], CWmin < CW < CWmax
• The backoff timer decreases only when the medium becomes idle
• Transmit the frame once the backoff timer expires

Page 107

EDCF (Cont.)

How to provide priorities:
• Change the contention window size: newCW[TCi] = ((oldCW[TCi]) * PFi) – 1
• Replace DIFS with AIFS (Arbitration InterFrame Space): AIFS[i] = DIFS + TCi

Page 108

802.11 DCF

Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)

(Figure: timeline of Busy Medium, then SIFS / PIFS / DIFS, then the Backoff Window (Contention Window, in Slot Time units) and the Next Frame. Immediate access when the medium is idle >= DIFS; otherwise defer access, select a slot and decrement backoff as long as the medium stays idle.)

Page 109

Differentiated Channel Access of 802.11e EDCA

Each AC contends with AIFS[AC] (instead of DIFS) and CWmin[AC] / CWmax[AC] (instead of CWmin / CWmax).

(Figure: timeline of Busy Medium, then SIFS / PIFS / AIFS[AC], then the Backoff Window (Contention Window drawn from [1, 1+CWmin[AC]], in SlotTime units) and the Next Frame. Immediate access when the medium is idle >= AIFS[AC]+SlotTime; otherwise defer access, select a slot and decrement backoff as long as the medium stays idle.)

Page 110

EDCF

CSMA/CA and Exponential Backoff; Eight Traffic Categories (TCs) within one station

(Figure: TC7 (high priority) down to TC0 (low priority), each with its own Backoff (AIFS), feed a Scheduler that resolves virtual collisions by granting permission to the highest priority and produces the Transmission attempt; legacy DCF has a single Backoff and Transmission attempt.)

AIFS: Arbitration Inter-Frame Space

Page 111

IFS on TCs

(Figure: timeline of DATA, SIFS, Ack, then PIFS, AIFS(TC7), AIFS(TC4) and AIFS(TC1) for the high, medium and low priority TCs, followed by the Contention Window (counted in slots), backoff, and RTS / SIFS / CTS.)

Page 112

EDCF

(Figure: timeline of Busy Media, then SIFS, PIFS, AIFSD(TC0), AIFSD(TC1) ... AIFSD(TCn), the Back-off Window / Contention Window in Timeslots, and the Next Frame; access is deferred while the medium is busy.)

1. 4 Access Classes: 0, 1, 2, 3 with different AIFS, CWmin and CWmax parameters.
2. AIFSD[AC]: replaces DIFS by AIFSD for each Access Class.
3. Media free: wait AIFSD[AC] + Slot-time before transmission, with the back-off timer for that channel at zero and these conditions not met by higher priority classes.

AIFSD[AC] = AIFS[AC]*slot-time + SIFS

EDCF parameters of the 4 classes:
AC   CWmin               CWmax               AIFS
0    aCWmin              aCWmax              2
1    aCWmin              aCWmax              1
2    (aCWmin+1)/2 – 1    aCWmax              1
3    (aCWmin+1)/4 – 1    (aCWmax+1)/2 – 1    1
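The EDCF mechanics of slides 105 to 107 and 112 (per-AC CW and AIFS from the table, AIFSD, and the virtual collision handler), as an added example (not from the original slides): the table's formulas give each AC its parameters, and a slot-level model of four ACs contending inside one station shows how the AC with the smallest AIFS and CW wins most transmission attempts. The priority ordering (AC3 highest, matching its smallest CW and AIFS), the CW doubling after a lost virtual collision and the contention model itself are this example's assumptions.

```python
import random
from typing import Dict, List, Tuple


def edcf_params(a_cwmin: int, a_cwmax: int) -> Dict[int, Tuple[int, int, int]]:
    """{AC: (CWmin[AC], CWmax[AC], AIFS[AC])} from the slide's table of 4 classes."""
    return {
        0: (a_cwmin, a_cwmax, 2),
        1: (a_cwmin, a_cwmax, 1),
        2: ((a_cwmin + 1) // 2 - 1, a_cwmax, 1),
        3: ((a_cwmin + 1) // 4 - 1, (a_cwmax + 1) // 2 - 1, 1),
    }


def aifsd_us(aifs: int, slot_time_us: float, sifs_us: float) -> float:
    """AIFSD[AC] = AIFS[AC] * slot-time + SIFS, in microseconds."""
    return aifs * slot_time_us + sifs_us


class AccessCategory:
    """One virtual DCF: an AIFS wait plus a backoff counter, both counted in slots."""

    def __init__(self, ac: int, cwmin: int, cwmax: int, aifs: int, rng: random.Random):
        self.ac, self.cwmin, self.cwmax, self.aifs, self.rng = ac, cwmin, cwmax, aifs, rng
        self.cw = cwmin
        self.backoff = rng.randint(0, self.cw)

    def slots_until_attempt(self) -> int:
        return self.aifs + self.backoff

    def lost_virtual_collision(self) -> None:
        """Assumed to behave like a real collision: double CW (bounded) and redraw."""
        self.cw = min(2 * self.cw + 1, self.cwmax)
        self.backoff = self.rng.randint(0, self.cw)

    def won(self) -> None:
        self.cw = self.cwmin
        self.backoff = self.rng.randint(0, self.cw)


def contend(acs: List[AccessCategory]) -> int:
    """One contention round on an idle medium. All ACs count down in parallel; those
    whose attempt falls in the same slot meet in the virtual collision handler, which
    grants the highest-priority AC (assumption: larger AC number = higher priority)
    and treats the others as having collided. Returns the AC number that transmits."""
    first_slot = min(ac.slots_until_attempt() for ac in acs)
    ready = [ac for ac in acs if ac.slots_until_attempt() == first_slot]
    winner = max(ready, key=lambda ac: ac.ac)
    for ac in acs:
        if ac is winner:
            ac.won()
        elif ac in ready:
            ac.lost_virtual_collision()
        else:
            # Still counting down: only idle slots after its own AIFS decrement backoff.
            ac.backoff -= max(0, first_slot - ac.aifs)
    return winner.ac


def win_share(a_cwmin: int, a_cwmax: int, rounds: int, seed: int = 1) -> Dict[int, float]:
    """Fraction of transmission attempts each AC wins over the given number of rounds."""
    rng = random.Random(seed)
    acs = [AccessCategory(ac, *p, rng) for ac, p in edcf_params(a_cwmin, a_cwmax).items()]
    wins = {ac.ac: 0 for ac in acs}
    for _ in range(rounds):
        wins[contend(acs)] += 1
    return {ac: n / rounds for ac, n in wins.items()}
```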

Page 113

Summary of EDCF

• Different random backoff times to provide differentiated services
• The relative performance is not easy to control: the performance is NOT proportional to the backoff factor ratios; it depends on the number of contending stations

Page 114

HCF (Hybrid CF)

• Provides policing and deterministic channel access by controlling the channel through the HC (Hybrid Coordinator)
• Operates in CFP and CP
• Supports both IntServ and DiffServ

Page 115

HCF

(Figure: SUPERFRAME between two Beacons: a Contention Free Period in which the HC issues CF-Poll frames and stations S1, S2 and S4 use their TxOPs with ACKs, ended by CF-End; then a Contention Period with media access by EDCF rules (AIFS + Back off), with PIFS and SIFS spacing.)

Page 116

HCF (Cont.)

• Detecting the channel as idle for PIFS, shorter than DIFS, gives the HC high priority over EDCF
• The HCF model can provide Guaranteed Services with a much higher probability than pure EDCF
• A signaling protocol can be used to facilitate admission control and specify service rate requirements

Page 117

Hybrid Coordination Function (HCF)

Additional polling based Controlled Contention scheme for HC to learn the TXOPs needed by the stations

Page 118

Superframe

(Figure: the 802.11 periodic Superframe is CFP + CP, starting with a Beacon. In the CFP (Contention Free Period) the PC issues CF-Poll to the STAs and receives DATA, ending with CF-End; the CP (Contention Period) carries contention DATA. The 802.11e periodic Superframe also starts with a Beacon; in its CFP the HC polls the STAs through HCF (CF-Poll, TXOP, DATA), and in the CP the HC can still grant TXOPs (CCI) alongside DATA.)

Page 119

Emerging IEEE 802.11e MAC

• New draft standard for QoS provisioning; expected to be finalized by early next year
• Defining a new MAC backward compatible with the legacy MAC
  Legacy 802.11 MAC – DCF (+ PCF)
  802.11e MAC – HCF with two access mechanisms: Controlled channel access; Contention-based channel access (EDCA)

Page 120

HCF

During CFP:
• Poll STAs and give a station permission to access the channel
• Starting time and maximum duration of each TXOP are specified by the HC

During CP:
• The HC can issue polled TXOPs in the CP by sending CF-Poll after a PIFS idle period

Controlled Contention:
• Allows STAs to request the allocation of polled TXOPs
• STAs send resource request frames with the requested TC and TXOP duration
• The HC sends an ACK for the resource request to the STA