Wireless security: Port-based security, EAP, AKM
Do you know the 4-way handshake that helps wireless networks increase security? IEEE 802.1X is a wired protocol that has been adapted for use in wireless networks. It is not, however, a wireless security protocol. In port-based security, a client device seeking to access network resources engages the access point (AP) in negotiations through an uncontrolled port; upon successfully authenticating, the client is then connected to the controlled port and the wireless network. The controlled port remains blocked if the client fails to properly authenticate. The entire process is known as extensible authentication protocol (EAP), of which there are several in use.
Authentication and key management (AKM) is the term used to describe the process of 802.1X/EAP authentication and subsequent encryption key generation. Authentication and key generation are mutually dependent. There are three entities to a wireless authentication transaction: the supplicant (client), the authenticator (access point), and the authentication server (AS). The AS is also known as remote access dial-in user service (RADIUS) and is typically a dedicated server containing a database of security credentials. A RADIUS server is typically used in larger, enterprise networks with a large number of users. A small office/home office (SOHO) type of network typically cannot justify the expense of installing or maintaining a RADIUS server and relies on passphrase or pre-shared key (PSK) authentication. In the former setup, the RADIUS server generates encryption key material, while the latter "maps" the password to the keying material. These terms and concepts are the basis for a discussion of wireless authentication.
The first step in the process is the discovery phase. A client device detects a beacon from a nearby AP and reads the AP’s security capabilities from the beacon’s robust security network (RSN) field. An open system authentication is performed as previously described. The controlled port stays closed at this stage. Refer to Figure 1.
The next step is the AKM authentication and master key generation phase:
- The client (supplicant; S) and the AP (authenticator; A) begin the authentication process by identifying each other as valid entities. The authenticator or the supplicant can begin the process; in this case, the supplicant will transmit an EAPOL (EAP over LAN) frame to the authenticator.
- The authenticator responds with an EAP-Request/Identity message. The supplicant responds with an EAPOL-Response/Identity to the authenticator (or the AS through the authenticator).
- The next step is a negotiation between the supplicant, authenticator, and AS, if used, to determine the EAP method to be used for authentication.
- The A/AS then sends an EAP Request to the supplicant, which returns its credentials via the appropriate EAP response.
- The A/AS sends an EAP Success or EAP Failure message back to the supplicant and opens the controlled port.
This process is illustrated in Figure 2. Bear in mind that an AS might not be used on all systems; AS resources are expensive to implement and maintain, and usually only exist in enterprise scale networks, as previously noted. In small networks, the authenticator and the authentication server are the same device.
After the authentication process is complete, the master session key (MSK, also called the AAA key) is generated and installed on both the supplicant and the authenticator/authentication server. The MSK is generated either through a password or through 802.1X/EAP authentication. From the MSK, the pairwise master key (PMK) is generated and installed on the supplicant and the A/AS. The PMK exists for this pair of devices only. Generation of these keys is not possible unless a successful authentication has occurred. From the master keys, a set of temporal keys is generated by which subsequent data transmissions will be encrypted.
Single-use encryption keys
Temporal keys are encryption keys that are generated for use on a given transaction and then are discarded. The keys are generated per transaction, per user, using a process known as the 4-way handshake. There are two types of temporal keys: pairwise transient keys and group temporal keys. It should be noted that master keys are so named because the encryption keys are derived from them; master keys are not used to encrypt data. The illustration below shows the RSN key hierarchy.
As shown in Figure 3, several types of keys are derived from the MSK. At the top of the hierarchy is the MSK, also referred to as the AAA key. The MSK is derived either from the 802.1X/EAP process or from password/phrase authentication. In actuality, a password, or passphrase, is mapped to a PSK. The 64-octet MSK is provided to the supplicant and to the authenticator following derivation during the authentication process. The MSK is then used as seeding material for the creation of the pairwise master key (PMK), which is exported to the supplicant and authenticator. It should be understood that the PMK is unique to each supplicant and is regenerated each time a supplicant authenticates. If an AS is used, it will generate the PMK and send it to the authenticator. To reiterate, master keys are not used to encrypt data; master keys are used to derive temporal keys during the 4-way handshake described below, and those temporal keys are used to encrypt data.
Temporal keys are generated per transaction, per user, and are unique for every supplicant/authenticator pair. When the transaction completes, the keys are discarded. The pairwise transient key (PTK) is the primary means of encrypting unicast transmissions; unicast traffic is between two distinct entities. The group temporal key (GTK) may or may not be generated depending upon the type of traffic. A GTK is used to encrypt broadcast or multicast traffic, and is shared between all supplicants involved in the transmission and one authenticator.
Pairwise transient key
Note the three additional keys at the lower left of the diagram. These three keys make up the PTK. Briefly:
- Key confirmation key (KCK): Used to provide data integrity during the 4-way handshake
- Key encryption key (KEK): Used by the EAPOL frames for data privacy during the 4-way and Group Key handshakes.
- Temporal key (TK): Used to encrypt and decrypt the data frames exchanged between the supplicant and authenticator.
The Group Key handshake is a two-frame exchange used to distribute a GTK to supplicants already in possession of a PTK and the original GTK; this process is used upon reauthentication of a client station following disassociation or deauthentication.
The final stage in the AKM process is the 4-way handshake. This is a 4-message exchange between the supplicant and the authenticator resulting in the generation of the temporal keys used for data encryption. Essentially, it is an exchange and validation of keys between the entities, ensuring that all parties are using the same keys. The preceding authentication process provides the seed material for these keys in the form of the master keys. The 4-way handshake is shown in Figure 4:
- Message 1: The authenticator and supplicant each generate a random nonce, the Anonce and Snonce, respectively. The authenticator sends the Anonce to the supplicant, which then derives a PTK from the Anonce, the PMK, the Snonce, and MAC addresses. The generation of the PTK follows the formula:
  PTK = PRF(PMK + Anonce + Snonce + AA + SA)
  where PRF is a pseudo-random function, and AA and SA are the authenticator and supplicant MAC addresses, respectively. A nonce is a one-time, randomly generated numerical value.
- Message 2: The supplicant sends the Snonce to the authenticator, along with any RSN parameters and a MIC. The authenticator derives a PTK using the same method as the supplicant and validates the MIC.
- Message 3: The authenticator, if required, sends the supplicant a message to install the temporal keys, including the GTK. The GTK is encrypted by the PTK inside a unicast frame.
- Message 4: The supplicant sends a final message to the authenticator confirming the temporal keys have been installed.
At this stage, the virtual controlled port is opened and secure data communication can begin. Each time a client associates or re-associates, the entire AKM process must occur. This results in an extremely secure and robust network.
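The passphrase-to-PMK mapping and the PTK derivation and MIC check of Messages 1 and 2, as an added Python example that is not part of the original article. It assumes WPA2-PSK with CCMP (PBKDF2-HMAC-SHA1 mapping, the SHA-1 based PRF, a 48-byte PTK); the SSID, passphrases, MAC addresses, nonces and frame body are constructed sample values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase, ssid):
    # PSK mode: the passphrase is "mapped" to a 256-bit PMK, salted with the SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    # 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter) blocks.
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, sa, anonce, snonce):
    # PTK = PRF(PMK, AA, SA, Anonce, Snonce); inputs are ordered so both sides agree.
    data = min(aa, sa) + max(aa, sa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def eapol_mic(kck, frame):
    # MIC over an EAPOL-Key frame with its MIC field zeroed (HMAC-SHA1, 128 bits kept).
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def authenticator_accepts(pmk, aa, sa, anonce, snonce, frame, mic):
    # Message 2: the authenticator re-derives the PTK and validates the supplicant's MIC.
    kck = derive_ptk(pmk, aa, sa, anonce, snonce)["KCK"]
    return hmac.compare_digest(eapol_mic(kck, frame), mic)

# Constructed sample values, fixed for repeatability; real nonces are random per handshake.
AA, SA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2 = b"constructed EAPOL-Key message 2 body with zeroed MIC field"

def demo():
    # Supplicant builds the Message 2 MIC; the AP checks it with the right and a wrong PMK.
    pmk = pmk_from_passphrase("correct horse battery staple", "ExampleSSID")
    ptk = derive_ptk(pmk, AA, SA, ANONCE, SNONCE)
    mic = eapol_mic(ptk["KCK"], MSG2)
    ok = authenticator_accepts(pmk, AA, SA, ANONCE, SNONCE, MSG2, mic)
    bad_pmk = pmk_from_passphrase("wrong passphrase", "ExampleSSID")
    rejected = not authenticator_accepts(bad_pmk, AA, SA, ANONCE, SNONCE, MSG2, mic)
    return ok, rejected

if __name__ == "__main__":
    print(demo())
```

Neither the PMK nor the PTK crosses the air in this exchange; only the nonces, the MAC addresses and the MIC do, which is why a mismatch in the master key shows up as a failed MIC check at Message 2.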
– Daniel E. Capano, owner and president, Diversified Technical Services Inc. of Stamford, Conn., is a certified wireless network administrator (CWNA), email@example.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, firstname.lastname@example.org.