1. KAIS T Comparative studies on authentication and key exchange methods for 802.11 wireless LAN Jun Lei, Xiaoming Fu, Dieter Hogrefe, Jianrong Tan Computers & Security (2007) 2007/09/11 CS Div. NS Lab. Young joo Shin

2. 2/16 Contents Introduction Authentication & Key Exchange(AKE) method requirements for IEEE 802.11 WLANs AKE methods overview Comparison results Multi-layer AKE framework and its design guidelines Conclusion

3. Introduction IEEE 802.11 A set of wireless LAN (WLAN) standards (802.11, 802.11b, 802.11a, etc) Designed to offer reliable data transmission under diverse environments Provides higher data transmission rate and lower cost Two key security aspects of IEEE 802.11 Authentication of wireless user/device Data confidentiality between the wireless device and the network 3/16

4. Introduction Authentication and Key Exchange (AKE) mechanism An important building block for authentication & confidentiality Many AKE methods for WLANs EAP-TLS, PEAP, 802.1X, WPA, 802.11i, etc In this paper The general requirements for WLAN AKE methods are identified WLAN AKE methods are reviewed and compared against the requirements A multi-layer AKE framework is proposed based on the analysis 4/16

5. AKE method requirements for IEEE 802.11 WLANs AKE method requirements Mandatory Recommended/desired Additional operational Mandatory requirements Mutual authentication Credential security Resistance to dictionary attack Man-in-the-middle attack protection Immune to forgery attacks Anti-replay (packet forgery) protection Strong session key 5/16

6. AKE method requirements for IEEE 802.11 WLANs Recommended/desired requirements Management message authentication Authenticate users Key integrity check Weak key protection Additional operational requirements No computational burden Ease implementation Fast reconnection 6/16

7. AKE methods overview Proposed WLAN AKE methods are classified into Legacy AKE method Layered AKE method Access control-based layered AKE method Legacy AKE method The simplest and default method for legacy 802.11 Wired Equivalent Privacy (WEP) protocol (1997) Pre-shared key, challenge/response No protection to forgery attacks No replay protection Extremely weak to key attacks (due to misusing RC4 algorithm) One key is used for authentication and traffic encryption 7/16

8. AKE methods overview Layered AKE methods The security mechanisms in a single layer would not be sufficient Some deployments of 802.11 WLANs use layered AKE methods EAP-TLS, EAP-TTLS, PEAP, EAP-SPEKE, EAP-FAST, EAP-PSK EAP (Extensible Authentication Protocol) Framework offering a basis for carrying other authentication methods High extensibility due to independence from any particular authentication algorithm Two of layered AKE methods TLS embedded protocol Layered method with cryptographic design 8/16

9. AKE methods overview TLS embedded protocol TLS (Transport Layer Security) is a certificate-based method EAP-TLS Provides mutual authentication EAP-TTLS, PEAP Address the weakness of insecure authentication channel during the authentication phase Credential security, anti-replay 9 /16 TLS embedded protocol layered modelEAP-TTLS protocol

10. AKE methods overview Layered method with cryptographic design Incorporates with cryptographic algorithms during authentication phase Password-based authentication Gains the security of public key encryption without the costs of certificates EAP-FAST(Flexible Authentication via Secure Tunneling) EAP-PSK (Pre-Shared Key) EAP-SPEKE (Simple Password Exponential Key Exchange) Layered AKE methods Provide a highly efficient, easily deployable authentication framework Secure than WEP Contain certain disadvantages such as No identity protection No protected ciphersuite negotiation No fast reconnection capability 10/16

11. AKE methods overview Access control-based layered AKE method IEEE 802.1X provides a port-based network access control Layered AKE methods based on 802.1X Transitional solution, long-term scheme Transitional solution WPA (Wi-Fi Protected Access) WEP + 802.1X with EAP + TKIP(Temporal Key Integrity Protocol) Compatible with legacy 802.11 hardware e.g., RC4 11/16

12. AKE methods overview Long-term scheme WPA2 (IEEE 802.11i) 802.1X access control + EAP authentication + AES-CCMP traffic encryption Four-way handshake Crucial security enhancements to legacy 802.11 Not deployable and complicated to implement 12/16 4-way handshake

13. Comparison Results 13/16 LegacyLayeredAccess control-based Layered

14. Multi-layer AKE framework and its design guidelines Multi-layer AKE framework The protected ciphersuite negotiation, mutual authentication and key management Flexible framework for various user authentication and key distribution (password, certificate, smart card, etc) New functionalities could be easily incorporated into the framework The framework can address threats caused new security concerns or development challenges of wireless technologies 14/16 A multi-layered AKE framework for 802.11 WLANs

15. Multi-layer AKE framework and its design guidelines Multi-layer AKE framework design guidelines Conduct a risk analysis to determine the required protection level and then find the most cost-effective protection against attacks Consider preventing from some types of DoS attacks Make decision on how to find the tradeoff between easy implementation and strong security Consider combination of existing mechanisms to overcome existing problems 15/16

16. Conclusion The AKE requirements for 802.11 WLAN have been identified The proposed AKE methods are reviewed and compared against the requirements Legacy AKE methods Layered AKE methods Access control-based layered AKE methods A new framework for 802.11 AKE method is proposed Fairy strong security, flexibility and extensiblity 16/16