Beyond Traditional IEEE 802.11 Security to 802.1X/Extensible Authentication Protocol

Document Revision #: 0.4
Date of Issue: April 13, 2003
Project Members: Marie Waldrick

Revision 0.4 / April 13, 2003, Page 1

Table of Contents

Beyond Traditional IEEE 802.11 Security to 802.1X/Extensible Authentication Protocol
Two types of WLAN
  Adhoc Mode
    Figure 1.0 An Adhoc Network
  Infrastructure Mode
    Figure 2.0 An Infrastructure Mode Client/Server Network
IEEE 802.11
OSI Reference Model
EAP System Architecture
  Figure 3.0 EAP
EAP Extensible Authentication Protocol (EAP)
  Figure 4.0 EAP in RADIUS RFC 2869
802.1x
  Figure 5.0 802.1x
Future Work/Protocols
802.1x/EAP = 802.11i
  Figure 6.0 Relationship between EAP client, backend authentication server and NAS
  Figure 7.0 EAP/MD5 Conversation
  Figure 8.0 EAP/TLS
Table 1.0 Definitions of Acronyms
References

Two types of WLAN

Adhoc Mode

Figure 1.0 An Adhoc Network (diagram; only the labels survived extraction: Laptop, Laptop, Access point, ISP, Web Server, with numbered steps 1, 3 and 4)

Infrastructure Mode (Client/Server)

Figure 2.0 An Infrastructure Mode Client/Server Network (diagram; only the labels survived extraction: Laptop, Access point, Authentication Server, File Server, with numbered steps 1 to 5)

IEEE 802.11

IEEE 802.11 WLAN security sits in the Data Link Layer of the OSI reference model. Part of the IEEE 802.11 standard provides a mechanism to protect the privacy of information that is transmitted through the air. The standard provides three things:

- Service Set Identifier (SSID)
- Media Access Control (MAC) address filtering
- Wired Equivalent Privacy (WEP)

The first form of authentication is called open authentication, where only the service set identifier (SSID) is supplied. The SSID is an identifier of up to 32 characters carried in the management frames sent over a WLAN; it acts as a rudimentary password when a mobile device tries to join the Basic Service Set (BSS). The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID, and a device will not be permitted to join the BSS unless it presents that SSID. Because the SSID is broadcast in plain text and can be sniffed from any beacon or probe response, it supplies no real security to the network. An SSID is also referred to as a Network Name, because it is essentially the name that identifies a wireless network.

The second form is shared-key authentication. The Access Point sends the client device a challenge-text packet, which the client must encrypt with the correct WEP key and return to the Access Point. If the client has the wrong key, authentication fails and no association with the Access Point takes place. Static WEP keys are 40 or 104 bits long (marketed as 64-bit and 128-bit, the difference being the 24-bit initialization vector that is sent in the clear with every frame) and are defined by hand by the network administrator on the Access Point and on every client that communicates with it. WEP defines an encryption method (RC4 keyed with the initialization vector and the static key) but does not define how the secret keys are to be distributed to the client and Access Point nodes.
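The shared-key handshake above is worth seeing in code, because the challenge-response design leaks exactly what an attacker needs. The following Python model is an added example, not code from the original report: it simulates the Access Point, a legitimate client, and an eavesdropper. The key, the fixed IV value and the 128-byte challenge length are assumptions for the simulation (the challenge length matches 802.11 shared-key authentication). WEP encrypts challenge||CRC-32 with RC4 keyed by IV||key, and since both the plaintext challenge and the ciphertext travel in the clear, XORing them yields the RC4 keystream for that IV. Nothing stops the attacker from reusing that IV and keystream to answer a fresh challenge, so authentication succeeds without the key ever being recovered.

```python
"""
WEP shared-key authentication and its keystream-reuse flaw (added example).
The AP, a legitimate station and an eavesdropper are all simulated locally.
"""
import os
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """One WEP frame body: 3-byte IV in clear, then RC4(IV||key) over plaintext||ICV."""
    assert len(iv) == 3 and len(key) in (5, 13)   # 40-bit or 104-bit secret key
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None if the ICV does not match."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


class AccessPoint:
    """AP side of shared-key authentication (challenge out, encrypted reply in)."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = os.urandom(128)          # 128-byte challenge text
        return self.pending

    def verify(self, frame: bytes) -> bool:
        # The AP only checks that the reply decrypts to the challenge it issued.
        return wep_decrypt(self.key, frame) == self.pending


def client_response(key: bytes, challenge: bytes, iv: bytes) -> bytes:
    """Legitimate station: encrypt the challenge with the shared key."""
    return wep_encrypt(key, iv, challenge)


def recover_keystream(challenge: bytes, frame: bytes):
    """Eavesdropper: plaintext XOR ciphertext is the RC4 keystream for this IV."""
    iv, body = frame[:3], frame[3:]
    plain = challenge + icv(challenge)
    return iv, bytes(p ^ c for p, c in zip(plain, body))


def forge_response(iv: bytes, keystream: bytes, challenge: bytes) -> bytes:
    """Attacker answers a NEW challenge by reusing the captured IV and keystream."""
    plain = challenge + icv(challenge)
    return iv + bytes(p ^ k for p, k in zip(plain, keystream))


def demo(key: bytes = b"\x01\x02\x03\x04\x05") -> tuple:
    """Returns (legitimate_auth_ok, forged_auth_ok). Key and IV are assumed values."""
    ap = AccessPoint(key)
    iv = b"\x00\x00\x01"                      # IVs are public and WEP never rejects a repeat
    c1 = ap.challenge()
    r1 = client_response(key, c1, iv)         # both c1 and r1 are observed over the air
    legit_ok = ap.verify(r1)
    iv_seen, ks = recover_keystream(c1, r1)   # attacker learns 132 keystream bytes
    c2 = ap.challenge()                       # attacker's own attempt, fresh challenge
    r2 = forge_response(iv_seen, ks, c2)
    return legit_ok, ap.verify(r2)


if __name__ == "__main__":
    print(demo())
```

Note what the attacker does not get: the key itself stays unknown, but the AP cannot tell a keystream-replay from a genuine reply, so possession of one captured exchange is equivalent to possession of the key for the purpose of authenticating. The ICV does not help, since CRC-32 is linear and the attacker computes it over a plaintext they chose.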
In the networking community it is now generally agreed that IEEE 802.11 security on its own is insufficient for wireless networks.

Access points broadcast radio signals that can be picked up by anyone in range. In adhoc mode, where compatible WLAN adapters (802.11b or 802.11a cards) share settings without an access point, an attacker with a compatible adapter may gain unauthorized access directly to clients.

If infrastructure mode is used with an Access Point, the default settings on the Access Point must be changed to enable WEP encryption. By now, however, the WEP encryption protocol used by 802.11a/b has been broken.

By itself, 802.11 has management messages that are not authenticated:

- beacon
- probe request or response
- association request or response
- re-association request or response
- disassociation
- de-authentication

Because any station can send these frames, they are open to denial-of-service (DoS) attacks.

Possible solutions:

- Change the default SSID to something that does not identify your company or address.
- Filter addresses at the MAC (Media Access Control) level, that is, define which clients may access the network via the Access Point. This is administratively burdensome, and because MAC addresses are sent in the clear they can be sniffed and spoofed by an attacker.
- Use a RADIUS server so that user-based authentication is centrally managed. A RADIUS (Remote Authentication Dial-in User Service) server does not address the security of communications while they are "in the air"; it only prevents unauthorized people from reaching the "wired" network.
- By far the most secure way to protect a network is a Virtual Private Network (VPN) with a firewall placed between the wireless segment and the wired network. Within the wireless network itself, a combination of 802.1x and the Extensible Authentication Protocol (EAP) can be used. EAP and 802.1x are discussed in the remainder of this report.
OSI Reference Model

OSI layer             802.11 and related protocols
Layer 7  Application   -
Layer 6  Presentation  -
Layer 5  Session       -
Layer 4  Transport     Transmission Control Protocol (TCP); SSL, SSH (encapsulation)
Layer 3  Network       Internet Protocol (IP); IPSec
Layer 2  Data Link     802.11 (Media Access Control); L2TP (VPN encryption)
Layer 1  Physical      Frequency Hopping Spread Spectrum, Direct Sequence Spread Spectrum, Infrared

EAP System Architecture

PPP is well known and well deployed in many