Requirements for Network Authentication Mechanisms
2
What is Network Access Authentication?
- A mechanism by which access to the network is restricted to authorized entities
  - Identities used are typically userIDs
  - NB: each user on a multi-user machine does not need to authenticate once the link is up, so this doesn’t guarantee that only the authenticated user is accessing the network
- Once authenticated, the session needs to be authorized
  - Authorization can include things like VLAN-ID, rate limits, filters, tunneling, etc.
- To prevent hijacking, you need per-packet authentication as well
  - Encryption is orthogonal to authentication
  - Per-packet MIC based on key derived during the authentication process, linking each packet to the identity claimed in the authentication
  - No MIC support in PPP and WEP!
Source from Microsoft
3
Network Access Alternatives (I)
Network access authentication has already been implemented at every layer.
- PHY
  - Example: 802.11b
  - Pros: no MAC or TCP/IP changes required (all support in firmware)
  - Cons: requires firmware changes in NICs and NASes to support new auth methods, requires NAS to understand new auth types, slows delivery of bug fixes (e.g. WEP v1.0), hard to integrate into AAA
- MAC
  - Examples: PPP, 802.1X
  - Pros: no firmware changes required for new auth methods, easier to fix bugs, easy to integrate into AAA, no network access needed prior to authentication, extensible (RFC 2284)
  - Cons: requires MAC layer changes unless implemented in driver
4
Network Access Alternatives (II)
- IP
  - Examples: hotel access (based on ICMP re-direct to access web server)
  - Pros: no client MAC or TCP/IP changes required (for ICMP re-direct method)
  - Cons: doesn’t work for all apps, no mutual authentication, partial network access required prior to auth, need to find access control server if not at first hop, typically not extensible, may not derive encryption keys, no accounting (no logoff)
- UDP/TCP
  - Examples: proprietary token card protocols
  - Pros: no client MAC or TCP/IP changes required – can be implemented purely at the application layer
  - Cons: requires client software, partial network access required prior to auth, need to find access control server if not at first hop, typically not extensible, no accounting (no logoff)
5
Why Do Auth at the Link Layer?
- It’s fast, simple, and inexpensive
  - Most popular link layers support it: PPP, IEEE 802
  - Cost matters if you’re planning on deploying 1 million ports!
- Client doesn’t need network access to authenticate
  - No need to resolve names, obtain an IP address prior to auth
- NAS devices need minimal layer 3 functionality
  - 802.11 access points, 1 Gbps switch ports go for $300, support 802.1D, 802.1X, SNMP & RADIUS, may have no layer 3 filtering support
  - Authentication, AAA support typically a firmware upgrade
- In a multi-protocol world, doing auth at link layer enables authorizing all protocols at the same time
  - Doing it at the network layer would mean adding authentication within IPv4, IPv6, AppleTalk, IPX, SNA, NetBEUI
  - Would also mean authorizing within multiple layers
  - Result: more delay
6
What is IEEE 802.1X? – (I)
- The IEEE standard for authenticated and auto-provisioned LANs.
  - Ratified June 2001
  - Based on EAP, IETF RFC 2284
- A framework for authentication and key management
  - IEEE 802.1X derives keys which can be used to provide per-packet authentication, integrity and confidentiality
  - Typically used along with well-known key derivation algorithms (e.g. TLS, SRP, etc.)
- IEEE 802.1X does not mandate security services – can do authentication, or authentication & encryption
  - Encryption alone not recommended (but that’s what WEP does)
7
What is IEEE 802.1X? – (II)
What 802.1X is not
- Purely a wireless standard – it applies to all IEEE 802 technologies (e.g. Ethernet First Mile applications)
- PPP over Ethernet (PPPOE) – only supports EAP authentication methods (no PAP or CHAP), packets are not encapsulated
- A cipher – not a substitute for WEP, RC4, DES, 3DES, AES, etc.
  - But 802.1X can be used to derive keys for any cipher
- A single authentication method
  - But 802.1X can support many authentication methods without changes to the AP or NIC firmware
8
A History of IEEE 802.1X
- The idea started with customers who wanted to control access to a public network
  - Universities, government agencies
- Existing approaches were inadequate
  - Customers wanted something that could be implemented inexpensively – on existing switches
  - Customers wanted to utilize existing network access infrastructure (RADIUS, LDAP, etc.)
  - PPPOE – too much overhead
  - VPN – too many interoperability issues
  - DHCP – designed for addressing and configuration, not access control
- Concept developed by 3Com, HP, and Microsoft
  - We examined alternatives, and settled on a Layer 2 approach
  - A small group wrote the spec and built prototypes
  - Consensus and running code! Not designed by committee!
- IEEE 802.1X PAR approved in January 1999
  - Approved as an IEEE standard June 2001
9
802.1X Topologies
[Figure: 802.1X topologies. Labels: Supplicant; non-802.1X Supplicant; EtherCPE; Authenticator/EtherNAS (e.g. Access Point or Bridge) with PAE; Authentication Server (RADIUS); Semi-Public Network / Enterprise Edge; Enterprise or ISP Network. Links: EAP over LAN (EAPOL), EAP Over Wireless (EAPOW), EAP Over RADIUS.]
10
802.1X Security Philosophy
- Approach: a flexible security framework
  - Implement security framework in upper layers
  - Enable plug-in of new authentication, key management methods without changing NIC or Access Point
  - Leverage main CPU resources for cryptographic calculations
- How it works
  - Security conversation carried out between supplicant and authentication server
  - NIC, Access Point acts as a pass through device
- Advantages
  - Decreases hardware cost and complexity
  - Enables customers to choose their own security solution
  - Can implement the latest, most sophisticated authentication and key management techniques with modest hardware
  - Enables rapid response to security issues
11
What is EAP? – (I)
- The Extensible Authentication Protocol (RFC 2284)
  - Provides a flexible link layer security framework
  - Simple encapsulation protocol
    - No dependency on IP
    - ACK/NAK, no windowing
    - No fragmentation support
  - Few link layer assumptions
    - Can run over any link layer (PPP, 802, etc.)
    - Does not assume physically secure link
      - Methods provide security services
    - Assumes no re-ordering
    - Can run over lossy or lossless media
      - Retransmission responsibility of authenticator (not needed for 802.1X or 802.11)
12
What is EAP? – (II)
EAP methods based on IETF standards
- Transport Level Security (TLS) (supported in Windows 2000)
- Secure Remote Password (SRP)
- GSS_API (including Kerberos)
13
EAP Architecture
[Figure: EAP architecture in three layers. Method layer: TLS, SRP, AKA, SIM. EAP layer: EAP, with EAP APIs above and NDIS APIs below. Media layer: PPP, 802.3, 802.5, 802.11.]
14
IEEE 802.1X Conversation
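[Figure: 802.1X message sequence between a laptop computer and a switch over Ethernet (EAPOL), and between the switch and the Radius server (RADIUS). Port connect, access blocked; EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity, relayed as Radius-Access-Request; Radius-Access-Challenge, relayed as EAP-Request; EAP-Response (credentials), relayed as Radius-Access-Request; Radius-Access-Accept, relayed as EAP-Success; access allowed.]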
15
802.1X On 802.11
[Figure: the 802.1X message sequence on 802.11, between a laptop computer and an access point over wireless (EAPOW), and between the access point and the Radius server over Ethernet (RADIUS). 802.11 Associate-Request; 802.11 Associate-Response; association, access blocked; EAPOW-Start; EAP-Request/Identity; EAP-Response/Identity, relayed as Radius-Access-Request; Radius-Access-Challenge, relayed as EAP-Request; EAP-Response (credentials), relayed as Radius-Access-Request; Radius-Access-Accept, relayed as EAP-Success; EAPOW-Key (WEP); access allowed.]
16
Advantages of IEEE 802.1X
- Open standards based
  - Leverages existing standards: EAP (RFC 2284), RADIUS (RFC 2865, 2866, 2867, 2868, 2869)
  - Enables interoperable user identification, centralized authentication, key management
  - Enables automated provisioning of LAN connectivity
- User-based identification
  - Identification based on Network Access Identifier (RFC 2486) enables support for roaming access in public spaces (RFC 2607).
  - Enables a new class of wireless Internet Access
- Dynamic key management
  - Improved security for wireless (802.11) installations
17
The Role of RADIUS
- RADIUS is the key to enabling 802.1X applications
- RADIUS enables per-user compulsory tunneling assignment
  - More flexible than static or realm-based tunneling
- RADIUS enables per-user VLAN assignment
  - More flexible than static per-port or MAC-based VLAN assignment
- RADIUS enables accounting and auditing
  - Both switch/AP and tunnel server can use RADIUS
  - Allows enterprise to audit usage, do alarming
  - BIGCO can match accounting records from tunnel server with accounting records from ISP for auditing purposes
- RADIUS enables use of a single userID/password pair
  - Both bridge/access point and tunnel server can authenticate against the same database
  - RADIUS server backend
  - LDAP backend
18
Vendors Supporting 802.1X
Dec, 2001
- Microsoft, AirWave, Compaq, Dell, IBM, Intel, HP, Symbol, Toshiba, Telson, Wayport
- 3Com
- Agere
- Enterasys
- Intersil
- Cisco
  - Catalyst switches
  - 802.11 access points
19
Windows Wireless Architecture
[Figure: Windows networking stack block diagram, with a legend marking the blocks "Affected by Wireless". Blocks shown: WinSock 2.0; Networking APIs; TAPI 3.0; Dial-up Networking APIs; Routing APIs; Network streaming (DirectX); Networking Services; DHCP; IGMP; 802.1X; DNS; IRDP; Network Location; UPnP; NetBT; TCP/IP protocol stacks; RSVP; Packet scheduler; Packet classifier; IP packet filtering; IP forwarder; Route table; 802.1D; NDIS 5.1; NDIS WAN; RNDIS; PPTP; Async; Bluetooth; Ethernet; TR; 802.11.]
WPA
Wi-Fi Protected Access
21
What is the Wi-Fi Alliance?
The Wi-Fi Alliance (formerly WECA) is a nonprofit organization formed in 1999 to certify interoperability of IEEE 802.11 products and to promote Wi-Fi as the global, wireless LAN standard across all market segments.
There are nearly 700 Wi-Fi CERTIFIED products to date
22
What is Wi-Fi Protected Access? (WPA)
- Powerful, standards-based, interoperable security technology for Wi-Fi networks
  - Strong data protection – encryption
  - Strong access control – user authentication
- Subset of the 802.11i draft standard and will maintain forward compatibility
- Software upgradeable to the nearly 700 Wi-Fi Certified products
23
History of Wi-Fi Security - WEP
- The 1997 IEEE 802.11 spec called for an optional security mechanism called Wired Equivalent Privacy, or WEP
- WEP had modest goals
  - Baseline security
  - Comply with US export guidelines at the time
- WEP had problems even before it was “broken”
  - One static key
  - Manual distribution of keys
  - No user authentication
- In 2001, several research papers pointed to WEP’s cryptographic weaknesses
  - Led to development of software tools to break WEP
  - WEP still offered basic level of security, and remained useful for casual, home use (most never even used it)
  - Not appropriate by itself for securing a busy corporate network
24
History of Wi-Fi Security – alternatives
- Some vendors responded with their own proprietary solutions
  - Some good, some not
  - But all were proprietary to that specific brand of gear
- Virtual Private Network (VPN) + Wi-Fi
  - Effective, but:
  - Expensive (overkill), not what VPNs were designed to do, or what their ROIs promised
  - Still not interoperable
- 802.1X + WEP (Dynamic WEP)
25
The Industry Responds
- Market was calling for strong, interoperable Wi-Fi security
- In late 2001, the Wi-Fi Alliance, in conjunction with IEEE 802.11 TGi, began an effort to develop strong, standards-based, interoperable Wi-Fi security and bring it to market quickly
- The result of that effort is Wi-Fi Protected Access
  - WPA announced October 31, 2002
  - First round of WPA products announced today
26
WPA’s technology parts
- User authentication
  - 802.1X + Extensible Authentication Protocol (EAP)
- Encryption
  - Temporal Key Integrity Protocol (TKIP)
  - 802.1X for dynamic key distribution
  - Message Integrity Check (MIC) a.k.a. “Michael”
- WPA = 802.1X + EAP + TKIP + MIC
- Pre-Shared Key for SOHO authentication
27
WPA Design Goals
- Resolve WEP’s cryptographic weaknesses
- Add user authentication
- Be applicable to the nearly 700 Wi-Fi CERTIFIED products on the market
- Be available in 2003
- Be certified interoperable
- Exceeding goals
  - Automatic key distribution
  - Per user, per session, unique master keys
  - Unique per packet encryption keys
28
How WPA Works - Enterprise
29
How WPA Works - Enterprise
Step 1. Client associates with Access Point (AP)
Step 2. AP blocks LAN access until client is authenticated
Step 3. Client provides credentials to authentication server.
  - If not authenticated, client stays blocked from LAN
  - If authenticated, process continues
Step 4. Authentication server automatically distributes encryption keys to AP and client
Step 5. Client joins LAN, encrypting data back and forth with AP
30
How WPA Works - SOHO
31
Deploying WPA – Enterprise – Hardware
- Authentication server, typically RADIUS
  - Common in LE for remote user access
- WPA enabled Access Points
  - WPA at ship, or
  - Upgraded to WPA
- WPA enabled clients
  - WPA at ship, or
  - Upgraded to WPA
32
Deploying WPA – Enterprise – Software
- Authentication server (RADIUS)
  - Strong EAP type such as TLS, TTLS, PEAP
- WPA enabled Access Points
  - 802.1X
  - TKIP
- WPA enabled clients
  - 802.1X
  - TKIP
  - Supplicant to support EAP/802.1X
33
Deploying WPA – SOHO – Hardware
- WPA enabled Access Points or home gateway
  - WPA at ship, or
  - Upgraded to WPA
- WPA enabled clients
  - WPA at ship, or
  - Upgraded to WPA
34
Deploying WPA – SOHO – Software
- WPA enabled Access Points
  - 802.1X
  - TKIP
- WPA enabled clients
  - 802.1X
  - TKIP
  - Supplicant, or partial supplicant to run 802.1X and PSK
- Runs in Pre-Shared Key (PSK) mode
35
Wi-Fi Alliance Security Timeline
- 1999 – WEP
- 2003 – Wi-Fi Protected Access (WPA)
- 2004 – WPA2 (802.11i)
36
WPA is a snapshot of 802.11i (WPA2)
42
Summary Comparison
43
Summary
- WPA provides a dramatic improvement in Wi-Fi security
  - Enterprise class but suitable for SOHO
  - Reasonable deployment costs
  - The strong, standards-based Wi-Fi security solution the market has been seeking
- Best of all . . . It’s here now!
- For more information, go to: http://www.wi-fi.org/OpenSection/protected_access.asp
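Security Standards for Wireless LANs
Dr. 林文宗: Consultant, Wireless Network Technology Division, Computer & Communications Research Laboratories, ITRI; Head of the Network Section, Computer Center, and Assistant Professor, Department of Information Management, Minghsin University of Science and Technology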
45
References
- IEEE 802.11 Standard, 1999 Edition
- IEEE 802.11i/D3, 2003 Edition
IEEE 802.11i
Enhanced Security
47
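Network security architecture
- RSN – Robust Security Network
  - A WLAN that supports the security features of the 802.11i standard.
  - Built on top of the IEEE 802.1X standard, which is used to carry authentication information and provide key management services.
  - Therefore, all stations and APs in an RSN must have IEEE 802.1X functionality built in.
- Pre-RSN
  - A WLAN that provides only the network security features defined in the original 802.11 standard.
- TSN – Transition Security Network
  - A WLAN made up of a mix of RSN and Pre-RSN equipment; a temporary WLAN architecture for the transition from IEEE 802.11 WLANs to support for the IEEE 802.11i security standard.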
48
Pre-RSN network security mechanisms
- IEEE 802.11 Std. in 1999
  - WEP privacy
    - Wired Equivalent Privacy Algorithm
  - IEEE 802.11 Authentication
    - Open System
    - Shared Key
49
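RSN security mechanisms (I)
- Data privacy mechanism
  - TKIP – Temporal Key Integrity Protocol
    - Provides a minimal data confidentiality function suitable for use in Pre-RSN networks.
  - WRAP – Wireless Robust Authenticated Protocol
    - An optional AES-based protocol; a data security mechanism designed with the long term in mind.
      - AES: Advanced Encryption Standard
  - CCMP – CCM Protocol
    - CCM: Counter mode with CBC-MAC
    - CBC-MAC: CBC Message Authentication Code
    - CBC: Cipher-Block Chaining
    - The future default standard feature of RSN; another AES-based protocol.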
50
RSN security mechanisms (II)
- Security association management
  - RSN negotiation procedure
    - Used to establish a security context
      - Access control
  - IEEE 802.1X authentication
    - Replaces the IEEE 802.11 authentication methods
  - IEEE 802.1X key management
    - Provides the encryption keys
      - Key distribution
IEEE 802.11
Privacy
52
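Wired Equivalent Privacy Algorithm (WEP)
Eavesdropping is a well-known problem in all wireless technologies. For this reason, the IEEE 802.11 standard specifies a data confidentiality algorithm equivalent to that of a wired LAN. It also recommends using this privacy method without using the authentication method, but that recommendation exposes the system to a serious security threat.
- Wired Equivalent Privacy Algorithm
  - Uses the RSA RC4 stream cipher.
  - Self-synchronizing.
  - Efficient.
    - Can be implemented in hardware or in software.
  - An optional feature in 802.11.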
53
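Theory of WEP operation
- Basic terms
  - Encryption: E
  - Decryption: D
  - Plaintext: P
  - Ciphertext: C
- Principle of operation
  - E_k(P) = C
  - D_k(C) = P
  - D_k(E_k(P)) = P
[Figure: plaintext enters Encryption (with a key) and leaves as ciphertext, which is exposed to eavesdropping; Decryption (with a key) recovers the original plaintext; the keys come from a Key Management Service.]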
54
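Theory of encryption operation (II)
The WEP algorithm is a form of electronic code book in which a block of plaintext is XORed with a pseudorandom key sequence of equal length generated by the WEP algorithm.
[Figure: WEP encipherment block diagram. Labels: Initialization Vector (IV); Secret Key; Seed; WEP PRNG (RC4); Key Sequence; Plaintext; Integrity Algorithm; Integrity Check Value (ICV); XOR; Message consisting of IV and Ciphertext.]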
55
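Theory of encryption operation (III)
Encryption flow
- The secret key is concatenated with the Initialization Vector (IV) to produce a seed, which is passed to the PRNG.
- The PRNG outputs a pseudorandom key sequence k whose length equals the MPDU data length plus 4,
- because the key sequence is used to protect the integrity check value (ICV) in the same way as the data.
- To protect against unauthorized modification of the data, an integrity algorithm operates on the plaintext P and produces an ICV (CRC-32).
- The plaintext P and the ICV are then concatenated and mathematically combined with the key sequence, which completes the encryption.
- The output contains the IV and the ciphertext.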
56
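Theory of encryption operation (IV)
Notes on operation
- The WEP PRNG is the most important component of this encryption process: it transforms a very short secret key into a key sequence of considerable length.
- This greatly simplifies key distribution, since only the secret key needs to be passed between stations.
- The IV extends the useful lifetime of the secret key and provides the self-synchronizing property of the algorithm.
- Each new IV produces a new seed and key sequence, so there is a one-to-one correspondence between the IV and the key sequence k.
- The IV can be changed as often as every MPDU (because it travels with the message), and the receiver is always able to decrypt every message.
- The IV can be sent in the clear without fear of eavesdropping by an attacker, because it provides no information about the secret key, and because the receiver must have it in order to decrypt.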
57
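Theory of encryption operation (V)
Notes on the other components
- For a WEP-protected frame, the first 4 octets of the frame body are the MPDU's IV field. So the IV comes first, followed by the MPDU, and then the ICV.
- This is the expansion of the WEP frame body, from 2304 to 2312.
- The PRNG seed is 64 bits: bit 0 to bit 23 are bit 0 to bit 23 of the IV, and bit 24 to bit 63 are bit 0 to bit 39 of the secret key.
- The ICV is 32 bits.
- The WEP Integrity Check Algorithm is the CRC-32 algorithm.
[Figure: PRNG Seed (64 bits). Bits 0 to 23: IV (0~23); bits 24 to 63: Secret Key (0~39).]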
58
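WEP frame body expansion (I)
[Figure: expanded WEP frame body, sizes in octets: IV (4) | Data (PDU) (1 ~ 2304) | ICV (4). Data and ICV are encrypted (Note). The IV field consists of Init. Vector (3 octets) followed by 1 octet holding Pad (6 bits) and Key ID (2 bits).]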
59
WEP frame body expansion (II)
- ICV
  - 32 bits: the CRC-32 computed from the PDU.
- IV
  - A 3-octet initialization vector.
  - A 2-bit Key ID.
    - Selects one of the four secret keys to use for decryption.
  - 6 bits of padding, set to 0.
60
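Theory of decryption operation
Decryption at the receiver begins when a message arrives. The IV carried in the incoming message is used to generate the key sequence needed for decryption. Combining the ciphertext with the key sequence yields the original plaintext and the ICV. Correct decryption must additionally be verified by running the integrity check algorithm on the recovered plaintext to produce ICV’ and checking it against the ICV.
[Figure: WEP decipherment block diagram. Labels: Message consisting of IV and Ciphertext; Secret Key; Seed; WEP PRNG; Key Sequence; XOR; Plaintext; ICV; Integrity Algorithm; ICV’; comparison ICV’ = ICV?]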
IEEE 802.11 Authentication
62
Authentication
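- Purpose
  - To verify the legitimacy of the peer's identity.
- IEEE 802.11 provides two authentication types
  - Open System
    - The default authentication method
  - Shared Key
- The authentication type is carried in the frame body of the authentication management frame. Authentication frames are therefore self-identifying with respect to the authentication algorithm.
- When requesting authentication, the two stations can specify which method is used for mutual authentication.
  - Authentication frames shall be unicast frames between a pair of stations; there is no such thing as multicast authentication.
  - Deauthentication is a notification, so frames with a group address may be used.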
63
Open System (I)
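- Characteristics
  - Simplest.
  - An authentication method that needs no authentication algorithm.
  - Any station that requests authentication with this method passes, provided the other side supports and permits open authentication.
- Two steps
  - The requesting station asserts its identity (Identity Assertion) and sends an Authentication frame.
  - The responding station sends back an authentication frame that records the authentication result.

Frame 1:
  Authentication Algorithm Number = 0
  Authentication Transaction Sequence Number = 1 (request)
  Status Code (reserved)
Frame 2:
  Authentication Algorithm Number = 0
  Authentication Transaction Sequence Number = 2 (response)
  Status Code = success or failure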
64
Open System (II)
Open System Authentication flow: first frame
- Message type: Management
- Message subtype: Authentication
- Information items:
  - Authentication Algorithm Identification = “Open System”
  - Station Identity Assertion (in SA field of header)
  - Authentication transaction sequence number = 1
  - Authentication algorithm dependent information (none)
- Direction of message: From authentication initiating STA to authenticating STA
65
Open System (III)
Open System Authentication flow: final frame
- Message type: Management
- Message subtype: Authentication
- Information items:
  - Authentication Algorithm Identification = “Open System”
  - Authentication transaction sequence number = 2
  - Authentication algorithm dependent information (none)
  - The result of the requested authentication as definition.
- Direction of message: From authenticating STA to initiating STA
66
Shared Key (I)
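- The Shared Key authentication method supports authentication between stations, whether or not those stations know the shared secret key.
  - In 802.11 this method completes the authentication procedure without transmitting the secret key, but it requires the WEP privacy mechanism.
  - The WEP option must be supported.
  - The shared key is assumed to have been delivered to all participating stations over a secure channel that is independent of 802.11.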
67
Shared Key (II)
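Four steps
1. (WEP = off) The requesting station sends an authentication frame asking the peer to authenticate it, using the contents of the SA field in the frame header (SID).
2. (WEP = off) The responding station first checks whether both sides use the same authentication method.
   - If they do, the responding station uses the WEP algorithm to generate a challenge text 128 bytes long. Its purpose is to test the peer's secret key, so its content is not important.
3. (WEP = on) The requesting station copies the challenge text from the previous authentication frame into this third authentication frame and sends it back to the peer.
4. (WEP = off) The responding station decrypts the received ciphertext with the shared key it holds, then reports the authentication result to the requesting station in the fourth authentication frame.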
68
Shared Key (III)
Frame 1:
  Authentication Algorithm Number = 0
  Authentication Transaction Sequence Number = 1 (request)
  Status Code (reserved)
Frame 2:
  Authentication Algorithm Number = 0
  Authentication Transaction Sequence Number = 2 (response)
  Status Code = success or failure
  Challenge text
Frame 3:
  Authentication Algorithm Number = 1
  Authentication Transaction Sequence Number = 3 (second request)
  Status Code = success or failure
  Challenge text (encrypted)
Frame 4:
  Authentication Algorithm Number = 0
  Authentication Transaction Sequence Number = 4 (response)
  Status Code = success or failure
69
Shared Key (IV)
Authentication flow: first frame
- Message type: Management
- Message subtype: Authentication
- Information items:
  - Station Identity Assertion (in SA field of header)
  - Authentication Algorithm identification = “Shared Key”
  - Authentication transaction sequence number = 1
  - Authentication algorithm dependent information (none)
- Direction of message: From requester to responder
70
Shared Key (V)
Authentication flow: second frame
- Message type: Management
- Message subtype: Authentication
- Information items:
  - Authentication Algorithm identification = “Shared Key”
  - Authentication transaction sequence number = 2
  - Authentication algorithm dependent information = the authentication result
  - The result of the requested authentication as definition.
    - Failure: last frame of the transaction sequence
    - Successful: 128-octet challenge text generated by the WEP pseudo-random number generator (PRNG).
- Direction of message: From responder to requester
71
Shared Key (VI)
Authentication flow: third frame
- Message type: Management
- Message subtype: Authentication
- Information items:
  - Authentication Algorithm identification = “Shared Key”
  - Authentication transaction sequence number = 3
  - Authentication algorithm dependent information = challenge text from sequence two frame
- Direction of message: From requester to responder
72
Shared Key (VII)
Authentication flow: final frame
- Message type: Management
- Message subtype: Authentication
- Information items:
  - Authentication Algorithm identification = “Shared Key”
  - Authentication transaction sequence number = 4
  - Authentication algorithm dependent information = the authentication result (successful/unsuccessful)
- Direction of message: From responder to requester
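The WEP encapsulation and decapsulation flow from the WEP slides (seed = IV followed by the secret key, CRC-32 ICV, 8 octets of frame body expansion) and the four-frame Shared Key exchange above, as an added Python example that is not part of the original slides. The function names, the dict frame layout, the sample key and the simplification of frame 3 to carry only the challenge text are assumptions made for illustration.

```python
"""WEP encapsulation/decapsulation and Shared Key authentication (teaching sketch)."""
import os
import struct
import zlib


def rc4(seed: bytes, length: int) -> bytes:
    """WEP PRNG: expand the seed into `length` octets of RC4 key sequence."""
    s = list(range(256))
    j = 0
    for i in range(256):                              # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                           # key sequence output
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv_of(plaintext: bytes) -> bytes:
    """Integrity algorithm: CRC-32 over the plaintext, as 4 octets."""
    return struct.pack("<I", zlib.crc32(plaintext))


def wep_encapsulate(key: bytes, iv: bytes, key_id: int, plaintext: bytes) -> bytes:
    """Build the expanded frame body: IV(3) | Pad+KeyID(1) | RC4(P || ICV)."""
    if len(iv) != 3 or not 0 <= key_id <= 3:
        raise ValueError("IV must be 3 octets and Key ID must be 0..3")
    body = plaintext + icv_of(plaintext)
    key_sequence = rc4(iv + key, len(body))           # seed = IV || secret key
    return iv + bytes([key_id << 6]) + xor(body, key_sequence)


def wep_decapsulate(keys: list, frame_body: bytes) -> bytes:
    """Recover P, recompute ICV' and reject the frame if ICV' != ICV."""
    if len(frame_body) < 8:
        raise ValueError("frame body shorter than IV + ICV")
    iv, key_id, ciphertext = frame_body[:3], frame_body[3] >> 6, frame_body[4:]
    body = xor(ciphertext, rc4(iv + keys[key_id], len(ciphertext)))
    plaintext, icv = body[:-4], body[-4:]
    if icv_of(plaintext) != icv:
        raise ValueError("ICV check failed")
    return plaintext


def shared_key_auth(requester_key: bytes, responder_keys: list, key_id: int = 0):
    """Run the four authentication frames; return (frames, authenticated)."""
    alg = "Shared Key"
    # Frame 1 (WEP off): requester asks to be authenticated.
    f1 = {"alg": alg, "seq": 1}
    # Frame 2 (WEP off): responder sends a 128-octet challenge from the WEP PRNG.
    challenge = rc4(os.urandom(8), 128)
    f2 = {"alg": alg, "seq": 2, "status": "successful", "challenge": challenge}
    # Frame 3 (WEP on): requester copies the challenge into a WEP-protected body.
    f3 = {"alg": alg, "seq": 3,
          "body": wep_encapsulate(requester_key, os.urandom(3), key_id, f2["challenge"])}
    # Frame 4 (WEP off): responder decrypts, checks ICV and challenge, reports result.
    try:
        ok = wep_decapsulate(responder_keys, f3["body"]) == challenge
    except ValueError:
        ok = False
    f4 = {"alg": alg, "seq": 4, "status": "successful" if ok else "unsuccessful"}
    return [f1, f2, f3, f4], ok


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                 # constructed 40-bit secret key
    keys = [key, b"\x00" * 5, b"\x00" * 5, b"\x00" * 5]
    data = b"constructed MPDU data"                   # constructed sample payload
    frame = wep_encapsulate(key, b"\xaa\xbb\xcc", 0, data)
    print(len(frame) - len(data), "octets of expansion")
    print(wep_decapsulate(keys, frame))
    print(shared_key_auth(key, keys)[1], shared_key_auth(b"wrong", keys)[1])
```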
IEEE 802.11i
Authentication
74
Authentication and Key Management Overview
[Figure: authentication and key management overview. Labels: STA with IEEE 802.1X Supplicant Port Access Entity and EAP Client; STA with IEEE 802.1X Authenticator Port Access Entity; Authentication Server (AS) with EAP Server; EAPoL; EAP; Secure Channel.]
75
IEEE 802.11 connection establishment and negotiation
76
IEEE 802.1X EAP Authentication
77
Establishing pairwise Key
78
Group Key Delivery
79
IEEE 802.1X Authentication Exchange
80
4-way Handshake
[Figure: 4-way handshake between Supplicant (STA) and Authenticator (AP) over EAPoL, with the Authentication Server (AS) reached over a secure channel (e.g., RADIUS with MPPE). Messages shown: EAPoL-Key (ANonce); EAPoL-Key (SNonce, RSN IE, MIC); EAPoL-Key (Install, ANonce, RSN IE, MIC); EAPoL-Key (Install, SNonce, MIC).]
AS sends the Pairwise Master Key to the Authenticator (AP) over their secure channel (e.g., using RADIUS with MPPE)
81
Example
[Figure: example key exchange between the 802.11 Station (802.1X Supplicant) and the 802.11 Access Point (802.1X Authenticator).
Messages shown:
  EAP-Success
  EAPOL-Key (0, 0, 1, 0, 0, P, 0, ANonce, 0, 0)
  EAPOL-Key (0, 1, 0, 0, 0, P, 0, SNonce, MIC, SSN IE)
  EAPOL-Key (0, 1, 1, 1, 0, P, KeyIV, ANonce, MIC, SSN IE)
  EAPOL-Key (0, 1, 0, 0, 0, P, 0, 0, MIC, 0)
  EAPOL-Key (1, 1, 1, 0, Key Index, G, KeyIV, GNonce, MIC, GTK)
  EAPOL-Key (0, 1, 0, 0, 0, G, 0, 0, MIC, 0)
Local actions shown:
  ANonce = Get next Key Counter
  SNonce = Get next Key Counter
  Calculate PTK using ANonce and SNonce (on both sides)
  Set Temporal Encryption and MIC Keys from PTK in Key index for Tx/Rx (on both sides)]
82
Group Key Handshake
[Figure: group key handshake between Supplicant (STA) and Authenticator (AP) over EAPoL.
Messages shown:
  EAPoL-Key (1,1,1,0,Key Index, G, GNonce, MIC, GTK)
  EAPoL-Key (0,1,0,0,0, G, 0, MIC, 0)
Local actions shown:
  GNonce = Get next Key Counter
  Decrypt GTK and set in Key Index
  Set GTK in Key Index]
83
Example
[Figure: example group key exchange between the 802.11 Station (802.1X Supplicant) and the 802.11 Access Point (802.1X Authenticator).
Messages shown:
  EAPOL-Key (1, 1, 1, 0, Key Index, G, KeyIV, GNonce, MIC, GTK)
  EAPOL-Key (0, 1, 0, 0, 0, G, 0, 0, MIC, 0)
Local actions shown:
  GNonce = Get next Key Counter
  Decrypt GTK and set in Key index
  Set GTK in Key Index]
IEEE 802.11i
Data Privacy Mechanism
85
TKIP Encapsulation
[Figure: TKIP encapsulation block diagram. Inputs: Temporal Key; TA; TSC; MIC Key; SA + DA + priority; plaintext MSDU data. Blocks: Phase 1 key mixing; TTAK Key; Phase 2 key mixing; WEP seed(s) (represented as WEP IV + RC4 key); MIC; Plaintext MSDU + MIC; Fragment(s); Plaintext MPDU(s); WEP Encapsulation. Output: Ciphertext MPDU(s).]
TA: Transmitter Address
TTAK: TKIP mixed Transmit Address and Key
86
TKIP Decapsulation
[Figure: TKIP decapsulation block diagram. Inputs: Ciphertext MPDU; Temporal Key; TA; MIC Key. Blocks: Unmix IV (TKIP IV to TSC); in-sequence / out-of-sequence MPDU check; Phase 1 key mixing; TTAK Key; Key mixing; WEP Seed; WEP Decapsulation; Plaintext MPDU; Reassemble; Michael over SA + DA + priority + Plaintext MSDU; comparison MIC = MIC?. Outputs: Plaintext MSDU; MPDU with failed WEP ICV; MSDU with failed TKIP MIC; Countermeasures.]
87
Construction of Expanded TKIP MPDU
Note: The encipherment process has expanded the original MPDU size by 20 octets, 4 for the Initialization Vector (IV) / KeyID field, 4 for the extended IV field, 8 for the Message Integrity Code (MIC) and 4 for the Integrity Check Value (ICV).
[Figure: expanded TKIP MPDU. Fields: IV / KeyID (4 octets) | Extended IV (4 octets) | Data (>= 1 octets) | MIC (8 octets) | ICV (4 octets); Data, MIC and ICV are encrypted (note). IV / KeyID octets: RC4Key[0], RC4Key[1], RC4Key[2], then one octet holding Rsvd, ExtIV and KeyID bits (bit labels b0, b4, b5, b6, b7). Extended IV octets: TSC2, TSC3, TSC4, TSC5. Other labels: IV32, Expanded IV16.]
88
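WEP frame body expansion (I)
[Figure: expanded WEP frame body, sizes in octets: IV (4) | Data (PDU) (1 ~ 2304) | ICV (4). Data and ICV are encrypted (Note). The IV field consists of Init. Vector (3 octets) followed by 1 octet holding Pad (6 bits) and Key ID (2 bits).]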
89
TKIP MIC relation to 802.11
90
WRAP
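An AES-based block cipher scheme that uses OCB (Offset CodeBook) mode.
- Encryption flow
  - First expand the key into multiple Round Keys
  - At the start, XOR the data with the first Round Key
  - Enter N-1 repeated rounds:
    - Byte substitute
    - Shift Row
    - Mix Column
    - Round Key Addition
  - The final round omits the Mix Column step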
91
Construction of Expanded WRAP MPDU
92
CCMP Encapsulation
[Figure: CCMP encapsulation block diagram. Inputs: Plaintext MPDU; Temporal Key; PN; TA; DLEN. Blocks: Increment PN; Encode PN (Plaintext MPDU with PN); Construct Initialization Block (MIC_IV); Compute MIC using CBC-MAC and append to MPDU (Plaintext MPDU with MIC); Construct Counter; AES CTR-mode encrypt data. Output: Cipher Text.]
93
CCMP Decapsulation
[Figure: CCMP decapsulation block diagram. Inputs: Ciphertext MPDU; Temporal Key; TA; Previous PN. Blocks: Extract PN & DLen; PN Good? check (otherwise Discard MPDU); Construct Counter; AES CTR-mode decrypt data (Plaintext MPDU with MIC); Construct Initialization Block (MIC_IV); Compute MIC using CBC-MAC; comparison MIC = MIC? (MIC OK). Output: Plaintext MPDU.]
94
Expanded CCMP MPDU
[Figure: expanded CCMP MPDU. Fields: RSN Header (8 octets) | Data (>= 1 octets) | MIC (8 octets); Data and MIC are encrypted (note). RSN Header octets: PN0, PN1, Rsvd, one octet holding Rsvd, ExtIV and KeyID bits (bit labels b0, b3, b4, b5, b6, b7), PN2, PN3, PN4, PN5.]
Note: The encipherment process has expanded the original MPDU size by 16 octets, 4 for the PN0-1 / Key ID field, 4 for the PN2-5 field and 8 for the Message Integrity Code (MIC).
95
CBC – Cipher Block Chaining
IEEE 802.11e
QoS Issues in 802.11 MAC
97
Outline
- Introduction
- QoS Limitations of 802.11 MAC
- Overview of 802.11e
- New QoS mechanisms
  - EDCF
  - HCF
- Reference
98
Introduction
- WLAN has gained widespread acceptance and deployment in
  - Healthcare facilities
  - Education institutions
  - Corporate enterprise office spaces
  - Public areas (airport, hotels, restaurant, etc)
- Challenges
  - Less bandwidth
  - High error rate
  - Path loss
  - Interference
99
Overview of 802.11e
- Formed in Sep. 1999 and approved in March 2000
- Aims to support both IntServ and DiffServ
- The new standard is still under debate and unstable
- New QoS mechanisms
  - EDCF (Enhanced DCF)
  - HCF (Hybrid Coordination Function)
- Backward compatible with the DCF and PCF
100
QoS Limitations of 802.11 MAC
- DCF (Distributed Coordination Function)
  - Only supports best-effort services
  - No guarantee in bandwidth, packet delay and jitter
  - Throughput degradation under heavy load
- PCF (Point Coordination Function)
  - Inefficient and complex central polling scheme
  - Unpredictable beacon frame delay due to incompatible cooperation between CP and CFP modes
  - Transmission time of the polled stations is unknown
101
Limitations of PCF
- Unknown transmission time of the polled stations
  - Delays the transmission of time-bounded traffic
  - Unpredictable time delays in each CFP
- Hidden station problem
  - Could transmit interfering frames during CFP
[Figure: hidden station example. Labels: BSS1 and BSS2, each with a PC; stations STA1, STA2, STA3, STA4; CF-Poll; Data frames; Collision.]
102
QoS Support Mechanism of 802.11e
- Priority schemes
  - Provides differentiated control of access to the medium with differing priorities (8 priority queues)
  - EDCF (Enhanced DCF) and HCF (Hybrid Coordination Function)
- TXOP (Transmission Opportunity)
  - An interval of time when a particular STA has the right to initiate transmissions
  - Defined as an interval of time
  - Defined by a starting time and a maximum duration
  - Allocated via contention (EDCF-TXOP) or granted through HCF (polled-TXOP)
103
IEEE 802.11e
[Figure: IEEE 802.11e MAC architecture on top of the PHY. Blocks: DCF; PCF; EDCF; HCF Controlled Access. Service labels: Contention services (legacy); Contention free (legacy); Differentiated service (new); Contention free (new).]
PHY: Physical Layer
DCF: Distributed Coordination Function
PCF: Point Coordination Function
EDCF: Enhanced DCF
HCF: Hybrid Coordination Function
104
QoS level in 802.11e
QoS Level | Channel Access Mechanism                      | Scheduling policy
Level 3   | HCF (EDCF and HCF controlled channel access)  | parameterized
Level 2   | HCF (EDCF and HCF controlled channel access)  | prioritized
Level 1   | HCF (EDCF only)                               | prioritized
Level 0   | DCF, PCF                                      | none
105
802.11e Access Category (AC)
Access category (AC) as a virtual DCF
4 ACs implemented within a QSTA to support 8 priorities
Multiple ACs contend independently
The winning AC transmits a frame
[Figure: four access categories AC0, AC1, AC2, AC3, each with its own backoff entity (AIFS[0] / BO[0] through AIFS[3] / BO[3]), feeding a Virtual Collision Handler that produces the Transmission Attempt.]
106
EDCF
Review of DCF
- CSMA/CA
- Transmit the frame directly if the medium is found idle for DIFS (DCF InterFrame Space)
- Otherwise, defer the transmission and start the backoff process
  - Backoff_time = rand[0, CW], CWmin < CW < CWmax
- The backoff timer decreases only when the medium becomes idle.
- Transmit the frame once the backoff timer expires
107
EDCF (Cont.)
How to provide priorities
- Change the contention window size
    newCW[TCi] = ((oldCW[TCi]) * PFi) – 1
- Replace DIFS with AIFS (Arbitration InterFrame Space)
    AIFS[i] = DIFS + TCi
108
802.11 DCF
Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
[Figure: DCF timing diagram. Labels: Busy Medium; SIFS; PIFS; DIFS; Defer Access; Contention Window; Backoff Window; Slot Time; Next Frame. Annotations: immediate access when medium is idle >= DIFS; select slot and decrement backoff as long as medium stays idle.]
109
Differentiated Channel Access of 802.11e EDCA
Each AC contends with AIFS[AC] (instead of DIFS) and CWmin[AC] / CWmax[AC] (instead of CWmin / CWmax)
[Figure: EDCA timing diagram. Labels: Busy Medium; SIFS; PIFS; AIFS[AC]; AIFS[AC] + SlotTime; Defer Access; Contention Window from [1, 1+CWmin[AC]]; Backoff Window; SlotTime; Next Frame. Annotations: immediate access when medium is idle >= AIFS[AC] + SlotTime; select slot and decrement backoff as long as medium stays idle.]
110
EDCF
- CSMA/CA and Exponential Backoff
- Eight Traffic Categories (TCs) within one station
[Figure: a legacy DCF station with a single Backoff (AIFS) entity and transmission attempt, next to an EDCF station with eight queues TC7 (high priority) down to TC0 (low priority), each with its own Backoff (AIFS), feeding a Scheduler (resolve virtual collisions by granting permission to highest priority) that produces the transmission attempt.]
AIFS: Arbitration Inter-Frame Space
111
IFS on TCs
[Figure: inter-frame spaces for different TCs over time. Labels: RTS, SIFS, CTS, SIFS, DATA, SIFS, Ack; PIFS; AIFS(TC7) for the high priority TC; AIFS(TC4) for the medium priority TC; AIFS(TC1) for the low priority TC; backoff; Contention Window (counted in slots).]
112
EDCF
[Figure: EDCF timing diagram. Labels: Busy Media; Defer Access; SIFS; PIFS; AIFSD(TC0); AIFSD(TC1); AIFSD(TCn); Contention Window; Back-off Window; Timeslot; Next Frame.]
1. 4 Access Classes: 0, 1, 2, 3, with different AIFS, CWmin and CWmax parameters
2. AIFSD[AC]: replaces DIFS by AIFSD for the different categories of Access Class.
3. Media Free: wait AIFSD[AC] + Slot-time before transmission, and the Back-off timer for that channel is zero, and these conditions are not met by higher priority classes.

AIFSD[AC] = AIFS[AC] * slot-time + SIFS

EDCF Parameters of 4 classes
AC | CWmin              | CWmax              | AIFS
0  | aCWmin             | aCWmax             | 2
1  | aCWmin             | aCWmax             | 1
2  | (aCWmin+1)/2 – 1   | aCWmax             | 1
3  | (aCWmin+1)/4 – 1   | (aCWmax+1)/2 – 1   | 1
113
Summary of EDCF
- Different random backoff times to provide differentiated services
- The relative performance is not easy to control
  - The performance is NOT proportional to the backoff factor ratios
  - It depends on the number of contending stations
114
HCF (Hybrid CF)
- Provides policing and deterministic channel access by controlling the channel through the HC (Hybrid Coordinator)
- Operates in CFP and CP
- Supports both IntServ and DiffServ
115
HCF
[Figure: HCF superframe. Labels: Beacon; Contention Free Period; CF-End; Contention Period (media access by EDCF rules); CF-Poll; TxOP; ACK; stations S1, S2, S4; timing labels SIFS, PIFS, AIFS + backoff; next Beacon.]
116
HCF (Cont.)
Detecting the channel as being idle for PIFS, shorter than DIFS, gives the HC high priority over EDCF
HCF model can provide Guaranteed Services with a much higher probability than pure EDCF
A signaling protocol can be used to facilitate admission control and specify service rate requirement
117
Hybrid Coordination Function (HCF)
Additional polling based Controlled Contention scheme for HC to learn the TXOPs needed by the stations
118
Superframe
CFP + CP
[Figure: the 802.11 periodic superframe compared with the 802.11e periodic superframe. 802.11: Beacon; CFP (Contention Free Period) in which the PC polls the STAs (CF-Poll, DATA, CF-End); CP (Contention Period) with DATA frames. 802.11e: Beacon; CFP (Contention Free Period) with polling through the HCF; CP (Contention Period); the HC grants TXOPs to the STAs with CF-Poll; CCI; DATA frames.]
119
Emerging IEEE 802.11e MAC
- New draft standard for QoS provisioning
  - Expected to be finalized by early next year
- Defining a new MAC backward compatible with the legacy MAC
  - Legacy 802.11 MAC – DCF (+ PCF)
  - 802.11e MAC – HCF with two access mechanisms
    - Controlled channel access
    - Contention-based channel access (EDCA)
120
HCF
- During CFP
  - Poll STAs and give a station the permission to access channel
  - Starting time and maximum duration of each TXOP are specified by HC
- During CP
  - HC can issue polled TXOPs in the CP by sending CF-Poll after a PIFS idle period
- Controlled Contention
  - Allows STAs to request the allocation of polled TXOPs
  - STAs send resource request frames with the requested TC and TXOP duration
  - HC sends an ACK for resource request to the STA