IEEE 802.11i WLAN Security Protocol – A Software ... - CiteSeerX

IEEE 802.11i WLAN Security Protocol – A Software Engineer’s Model Elankayer Sithirasenan, V. Muthukkumarasamy, Danny Powell School of Information and Communication Technology Griffith University, Queensland, Australia [email protected], {v.muth, Danny.Powel}@griffith.edu.au ABSTRACT Wireless local area networks (WLANs) based on the IEEE 802.11 standards are one of today’s fastest growing technologies in businesses, schools, and homes, for good reasons. As WLAN deployments increase, so does the challenge to provide these networks with security. Security risks can originate either due to technical lapse in the security mechanisms or due to defects in software implementations. Standard Bodies and researchers have mainly used UML state machines to address the implementation issues. In this paper we propose the use of GSE methodology to analyse the incompleteness and uncertainties in specifications. The IEEE 802.11i security protocol is used as an example to compare the effectiveness of the GSE and UML models. The GSE methodology was found to be more effective in identifying ambiguities in specifications and inconsistencies between the specification and the state machines. Resolving all issues, we represent the robust security network (RSN) proposed in the IEEE 802.11i standard using different GSE models. Keywords: WLAN Security, IEEE 802.11i, RSN, Genetic Software Engineering (GSE), Behavior Trees. 1 Introduction The first wireless security solution for 802.11-based networks, the Wired Equivalent Privacy (WEP), received a great deal of coverage due to various technical failures in the protocol [1]. Standards bodies and industry organizations are spending more time and money on developing and deploying next-generation solutions that address growing wireless network security problems. The IEEE 802.11i standard proposes a Robust Security Network (RSN) with muchimproved authentication, authorization, and encryption capabilities. The Wi-Fi Alliance, a wireless industry organization, has created the Wi-Fi Protected Access (WPA) standard, a subset of the 802.11i. These new standards are more complicated than their predecessors but are more scalable and secure than existing wireless networks. They also dramatically raise the bar for attackers and administrators. The new standards will employ a phased adoption process because of the large installed base of 802.11 devices. Proper migration to 802.11i and mitigating the legacy wireless risks will be a bumpy road. However, the end result will provide users a secure base for mobile distributed processing needs [2]. Nevertheless, the strong security mechanisms can still be in vain if not implemented properly. Software Engineers must be able to correctly interpret and comprehend the standards. A naive implementation of the security protocol can lead to the same security breaches caused by technical flaws. In this regard, firstly, we have formulated a set of requirements for the RSN from the IEEE 802.11, 802.1X, and 802.11i standards. Next, we use the GSE methodology [3] to analyze these requirements for incompleteness, uncertainties, and inconsistencies. Thus identified ambiguities are resolved using appropriate domain expertise to derive at a complete and consistent set of requirements. Thereafter, we have used this new set of requirements to

build an implementation model for the RSN. We believe that this study on the 802.11i will provide sufficient information for software engineers enabling effective implementation of the RSN. The GSE methodology enables systematic modelling of complex systems with good traceability, control and accommodation of change [4]. The next section presents an overview of the various security standards and the currently known security threats. Section 3 gives an overview of the IEEE 802.11i system as applied to RSN. The requirements analysis and modeling details are presented in section 4. A comparison of our models with the models given in the standards is described in sections 5. Section 6 describes the results and section 7 concludes the paper. 2. Wireless LANs There are two modes of operation for WLANs - ESS and IBSS. The Extended Service Set (ESS) is typically part of a larger network with interfaces to a wired LAN with an access point (AP) bridging the Stations (STA) to the wired LAN. The wireless stations have network interface cards (NIC) that interface the stations to the APs by radio frequency (RF) transmissions. Another WLAN configuration consists of a standalone RF network that is made up of only STAs. It operates as an independent WLAN known as an ad-hoc or Independent Basic Service Set (IBSS). This study is mainly focused on ESS. 2.1 WLAN security standards The evolution of today’s WLAN security standards begins with 802.11 [5]. This standard helped launch practical WLANs that were ideal for the home and most small offices, but lacking in features required by the large enterprise. Authentication was essentially ignored by the standard. The data privacy solution was WEP. It is an implementation of the RC4 algorithm. The RC4 encryption technique is strong enough, but a weak implementation in 802.11 meant it was only strong enough to protect against casual eavesdropping. In addition, the proliferation of readily available hacking tools led to WEP being generally discredited for enterprise wide distributed processing environments [6]. IEEE 802.1X was introduced to specifically address the WLAN authentication function. In addition, 802.1X endorsed a distributed architecture for WLANs that significantly increased scalability [7]. The Wi-Fi Alliance introduced a security solution that counters the known weaknesses of WEP called Wi-Fi Protected Access (WPA) [8]. It is a subset of the abilities of 802.11i, including better encryption with Temporal Key Integrity Protocol (TKIP), easier setup using a pre-shared key, and the ability to use RADIUS-based 802.1X authentication of users. WPA is designed to work with existing 802.11-based products with firmware upgrade and offers forward compatibility with 802.11i. All of the known shortcomings of WEP are addressed by WPA, which features packet key mixing, a message integrity check, an extended initialization vector, and a re-keying mechanism [9]. IEEE 802.11i [10] and WPA2 are future WLAN standards introduced by the IEEE and Wi-Fi Alliance respectively. The new features in 802.11i/WPA2 are AES (Advanced Encryption Standard), message integrity, and fast-roaming support (pre-authentication). Vendor interoperability, as well as forward and backward compatibility, has been consistent themes for the IEEE and Wi-Fi Alliance as WLAN standards have evolved [11].

2.2 Common Security Threats in the Air There are numerous tactics used by hackers to intrude enterprise wide networks via the more vulnerable wireless LANs. Following are some of the common attacks: • • • • •

•

Malicious or Accidental Association: A hacker can force an unsuspecting user station to connect to an undesired/spoofed 802.11 network, or alter the configuration of the station to operate in an ad-hoc networking mode [12]. Identity Theft (MAC Spoofing): Knowledgeable hackers can pick off authorized SSIDs and MAC addresses and steal bandwidth, corrupt or download files, and wreak havoc on the entire network. This is also called an Impersonation attack [12]. Man-in-the-Middle Attacks: Connections between authorized stations and access points are intercepted by inserting a malicious station between the victim’s station and the access point [13]. Session Hijack: A more advanced version of the above with the adversary gaining access to session information and intruding the network [13]. Denial of Service Attacks: Directed against a specific user station to prevent that station from communicating with the network, against a specific access point to prevent stations from connecting with it, or as an attack against all network devices. In this last case, the attack shuts down all wireless LAN activity [14]. Network Injection Attacks: Eexploits improperly configured wireless LANs or rogue access points to target the entire network [15].

The above list provides some idea of the security issues and threats posed to today’s wireless networks. It should not however be considered an exhaustive list of all the wireless threats known to exist, and new threats continue to evolve. Let us now focus on the RSN as described in the IEEE 802.11i standard. 3 The 802.11i The IEEE 802.11i standard defines two classes of security framework for IEEE 802.11 WLANs: RSN and pre-RSN as shown in Fig. 1. A station is called RSN-capable equipment if it is capable of creating RSN associations (RSNA). Otherwise, it is called pre-RSN equipment. The network that only allows RSNA with RSN-capable equipments is called a RSN security framework. The major difference between RSNA and pre-RSNA is the 4-way handshake. If the 4-way handshake is not included in the authentication/association procedures, stations are said to use pre-RSNA. 802.11i Security

RSN Capable Equipment

Data Privacy

Pre-RSN Equipment

Security Management

WEP Privacy

IEEE 802.11 Authentication

TKIP

RSN Selection

Open System Authentication

WRAP

IEEE 802.1X Authentication

Shared Key Authentication

CCMP

IEEE 802.1X Key Management

Figure 1. The 802.11i Security Framework

In addition to enhancing the security in pre-RSN, the RSN security defines key management procedures for IEEE 802.11 networks. It also enhances the authentication and encryption in preRSN. The enhanced features of RSN are as follows: Authentication Enhancement: IEEE 802.11i utilizes IEEE 802.1X for its authentication and key management services. It incorporates two components into the IEEE 802.11 architecture IEEE 802.1X Port and Authentication Server (AS). IEEE 802.1X port represents the association between two peers. There is a one-to-one mapping between IEEE 802.1X Port and association. Key Management and Establishment: Two ways to support key distribution are introduced in IEEE 802.11i: manual key management and automatic key management. Manual key management requires the administrator to manually configure the key. The automatic key management is available only in RSNA. It relies on IEEE 802.1X to support key management services. More specifically, the 4-way handshake is used to establish each transient key for packet transmission. Encryption Enhancement: In order to enhance confidentiality, two advanced cryptographic algorithms are developed: Counter-Mode/CBC-MAC Protocol (CCMP) and Temporal Key Integrity Protocol (TKIP). In RSN, CCMP is mandatory. TKIP is optional and is recommended only to patch pre-RSN equipment. Fig. 2 shows an example RSNA establishment between a supplicant (STA) and the authenticator (AP) in an Extended Service Set (ESS). It assumes no use of pre-shared key. Flows 1-6 are the IEEE 802.11 association and authentication process prior to attaching to the authenticator. During this process, security information and capabilities could be negotiated using the RSN Information Element (IE). The Authentication in Flows 3 and 4 refer to the IEEE 802.11 open system authentication. After the IEEE 802.11 association is completed, the IEEE 802.1X authentication indicated in Flow 7 is initiated. EAP messages will be exchanged between supplicant, authenticator, and authentication server. If the supplicant and the authentication server authenticate each other successfully, both of them independently generate a Pairwise Master Key (PMK). The authentication server then transmits the PMK to the authenticator through a secure channel (for example, IPsec or TLS). Fig. 3 illustrates the steps involved in the handshake process. 802.1X SUPPLICANT

802.1X AUTHENTICATOR 1. 802.11 Probe Request 2. 802.11 Probe Response

802.1X SUPPLICANT

802.1X AUTHENTICATOR

8.1 EAPOL-Key (key_info, Anonce) 8.2 EAPOL-Key (key_info, Snonce, MIC, RSN IE)

3. Open System Authentication Request

8.3 EAPOL-Key (key_info, Anonce, MIC, RSN_IE)

4. Open System Authentication Response

8.4. EAPOL-Key (key_info, MIC)

4-way Handshake

5. 802.11 Association Request 6. 802.11 Association Response

9.1 EAPOL-Key (key_info, Key ID, Key RSC, MIC, GTK)

7. 802.1X Authentication

9.2 EAPOL-Key (key_info, MIC)

Group Key Handshake

8. 4-Way Handshake 9. Group Key Handshake DATA PRIVACY

DATA PRIVACY

Figure 2. RSN Association

Figure 3. 802.1X Handshake

The 4-way handshake uses the PMK to derive and verify a Pairwise Transient Key (PTK) guaranteeing fresh session key between the supplicant and the authenticator. Thereafter, the group key handshake is initiated. The group key handshake is used to generate and refresh the

group key, which is shared between a group of stations and APs. Using this key, broadcast and multicast messages are securely exchanged in the air. In the next section the above-described RSN is modeled. The complete modeling, from requirements analysis to the final design models is carried out using the GSE techniques. 4 MODELING In the process of modeling the RSN, we first model the WLAN environment using the Structure and Composition Trees. Thereafter, the requirements translation is accomplished followed by the development of the requirements behavior trees (RBTs). 4.1 WLAN Structure The behavior of a system takes place on a network structure. This structure can be defined using the analogous of behavior trees called structure trees. The structure tree is used in our analysis to demonstrate the connection structure of two STAs in an ESS. The model shows how the connecting STAs coordinate with other components in the system. STA/In #

ESS

ESS #1

) BSS * (

BSS #

AP #

DS #1

) STA * (

ESS #1

STA#

AP # ^

STA/Out#

Figure 4. Connection Structure

/

[ Name#, IP# ]

/

RSN IE #

AP # /

SSID#

/

RSN IE #a

Figure 5. ESS Composition

Fig. 4 shows the connection structure of the Extended Service Set (ESS). An STA in an ESS can either directly connect to another STA via a single AP or it can connect via a number of APs through the Distribution System (DS). The recursion symbol (^) used in the AP# component notify that there can be several reversions before an STA connects to another STA. 4.2 WLAN Composition The composition tree identifies the hierarchy of all components in the RSN, their characterizations, classifications, multiplicity, and their compositional properties. Fig. 5. shows the composition of an ESS. An ESS consists of one or more Basic Service Sets (BSS). The BSS is made of one AP and several STAs. An AP advertises the SSID of the associated ESS and its RSN capabilities using the RSN Information Element (IE). Similarly, the STAs have their own identifiers and IP addresses. The STAs also advertise their RSN capabilities in their RSN IE. The next step in GSE modeling is requirements analysis. Firstly, the requirements are assembled from the standard and translated. Thereafter, the RBTs are built. The RBTs are then integrated to derive at the Design Behavior Tree (DBT). Finally, the DBT is used to derive at the other GSE models for the analysis of the RSN. Detailed records of requirements translation, integration and defect identification can be found in [3].

4.3 RSN Modeling Requirements translation is the first formal step in the GSE design process. Its purpose is to translate each natural language functional requirement, one at a time, into one or more behavior trees. This translation identifies the components (including actors and users), the states they realize (including attribute assignments), the events and decision/constraints that they are associated with, the data exchange, and the casual, logical and temporal dependencies associated with component interactions. The IEEE 802.11i standard defines two classes of security framework for IEEE 802.11 WLANs: RSN and pre-RSN security frameworks. This study is mainly focused on the RSN security framework shown in Fig. 6. STAs in a RSN environment can make contact with an ESS in one of two ways: initial contact or Roaming. In case of roaming we are not concerned of whether the STAs are navigating inter-subnet or intra-subnet since the security policy in both cases will be the same. Clauses 8.4.1 to 8.4.10 in the IEEE 802.11i standard describe the steps involved in the RSN security association life cycle. We have made use of these steps to develop the RBTs for the RSN. Each individual functional requirement is translated into one or more corresponding RBTs. Altogether, we assembled twelve functional requirements and an RBT was developed for each. As an example we have listed the fifth requirement and shown the corresponding RBT here:

RSN Security Framework

Initial Contact

Roaming

RSN Selection Open System Authentication Filtering of data traffic IEEE 802.1X Authentication IEEE 802.11i Key Management

(Re-)Associate

Pre Authenticate

IEEE 802.1X Authentication Remove all Cryptographic Keys Follow same steps as in initial contact

Figure 6. RSN Security Framework

(5) 8.4.3 -

STA #1 [ CONNECTING ]

(5) 8.4.3 +

STA #1 [[Analyse] RSN IE #a ]

Intermediate State Clause 8.4.1 says the Association starts after Open System Authentication Check RSN IE received from the AP with that of the STA

(5) 8.4.3

STA #1 ? NOT: Feilds [Overlap] ?

(5) 8.4.3

STA #1 ? Feilds [Overlap] ?

(5) 8.4.3

STA #1 < Decline >

(5) 8.4.3

STA #1 < AsocReq + RSN IE #s / >

/ / /

Groupwise cipher suite

(5) 8.4.3

AP #1 > AsocReq + RSN IE #s /


(5) 8.4.3

STA #1 > Decline
Decline