Authentication

Wireless network media of any sort are open to all sorts of malicious tampering because attackers can literally immerse themselves in the network medium. Gaining a foothold is trivial if you are standing in it. Prepare now to enter the authentication twilight zone. There are multiple forms of "authentication" offered by 802.11, many of which would not pass the laugh test from serious security experts.

When most network administrators refer to authentication, the implication is that only strong authentication is worth considering as authentication. Anything that is not based on cryptography does not prove identity. With the right EAP method, 802.1X authentication can be quite strong, but 802.1X messages can only be exchanged once a system has performed a lower-level 802.11 "authentication" prior to association.

802.11 "Authentication"

802.11 requires that a station establish its identity before sending frames. This initial 802.11 "authentication" occurs every time a station attaches to a network. It should be stressed, however, that they provide no meaningful network security. There are no cryptographic secrets that are passed around or validated, and the authentication process is not mutual. It is far more accurate to think of 802.11's low-level authentication as an initial step in the handshake process that a station uses to attach to the network, and one that identifies the station to the network.

802.11 authentication is a one-way street. Stations wishing to join a network must perform 802.11 authentication to it, but networks are under no obligation to authenticate themselves to a station. The designers of 802.11 probably felt that access points were part of the network infrastructure and thus in a more privileged position.

Open-system authentication

Open-system authentication is the only method required by 802.11. Calling it authentication is stretching the meaning of the term a great deal. In open-system authentication, the access point accepts the mobile station at face value without verifying its identity. (Imagine a world where similar authentication applied to bank withdrawals!) Providing network security requires building something on top of the resulting network session. An open-system authentication exchange consists of two frames, shown in Figure 8-4.

Figure 8-4. Open-system authentication exchange

The first frame from the mobile station is a management frame of subtype authentication. 802.11 does not formally refer to this frame as an authentication request, but that is its practical purpose. In 802.11, the identity of any station is its MAC address. Like Ethernet networks, MAC addresses must be unique throughout the network and can readily double as station identifiers. Access points use the source address of frames as the identity of the sender; no fields within the frame are used to further identify the sender.

There are two information elements in the body of the authentication request. First, the Authentication Algorithm Identification is set to 0 to indicate that the open-system method is in use. Second, the Authentication Transaction Sequence number is set to 1 to indicate that the first frame is in fact the first frame in the sequence.

The access point then processes the authentication request and returns its response. Like the first frame, the response frame is a management frame of subtype authentication. Three information elements are present: the Authentication Algorithm Identification field is set to 0 to indicate open-system authentication, the Sequence Number is 2, and a Status Code indicates the outcome of the authentication request. Values for the Status Code are shown in Table 4-6.

Address Filtering (MAC Authentication) Roaming is not a word used in the 802.11 standard at all. (A task group recently formed to address roaming issues, but it is far from completing its work.) However, people use the word roaming informally a great deal when talking about 802.11. Generally speaking, most people are referring to the process of moving from one access point to another. WEP is not required by 802.11, and a number of earlier products implement only open-system authentication. To provide more security than straight open-system authentication allows, many products offer an "authorized MAC address list." Network administrators can enter a list of authorized client addresses, and only clients with those addresses are allowed to connect. While address filtering is better than nothing, it leaves a great deal to be desired. MAC addresses are generally software-or firmware-programmable and can easily be overridden by an attacker wishing to gain network access. Distribution of lists of authorized devices can be painful because it typically must be done for each device in the network. Furthermore, there is a fair amount of churn on the list. New cards are purchased, old cards break down, employees leave the organization and take cards with them, and so on. Authorized address filtering may be part of a security solution, but it should not be the linchpin. Rather than depend on MAC address, use 802.1X-based user authentication if possible. Once network administrators have made the effort to authenticate users, authentication will be as secure as standards provide for, and address filtering will only add complexity without any substantial additional security benefit.

 

The legacy of shared-key authentication

Shared-key authentication makes use of WEP and therefore can be used only on products that implement WEP, though non-WEP products are now nearly impossible to find. Shared-key authentication, as its name implies, requires that a shared key be distributed to stations before attempting authentication. The fundamental theoretical underpinning of shared-key authentication is that a challenge can be sent to the client, and a response proves possession of the shared key. A shared-key authentication exchange consists of four management frames of subtype authentication, shown in Figure 8-5.

The first frame is nearly identical to the first frame in the open-system authentication exchange. Like the open-system frame, it has information elements to identify the authentication algorithm and the sequence number; the Authentication Algorithm Identification is set to 1 to indicate shared-key authentication.

Figure 8-5. Shared-key authentication exchange

Instead of blindly allowing admission to the network, the second frame in a shared-key exchange serves as a challenge. Up to four information elements may be present in the second frame. Naturally, the Authentication Algorithm Identification, Sequence Number, and Status Code are present. The access point may deny an authentication request in the second frame, ending the transaction. To proceed, however, the Status Code should be set to 0 (success), as shown in Figure 8-5. When the Status Code is successful, the frame also includes a fourth information element, the Challenge Text. The Challenge Text is composed of 128 bytes generated using the WEP keystream generator with a random key and initialization vector.

The third frame is the mobile station's response to the challenge. To prove that it is allowed on the network, the mobile station constructs a management frame with three information elements: the Authentication Algorithm Identifier, a Sequence Number of 3, and the Challenge Text. Before transmitting the frame, the mobile station processes the frame with WEP. The header identifying the frame as an authentication frame is preserved, but the information elements are hidden by WEP.

After receiving the third frame, the access point attempts to decrypt it and verify the WEP integrity check. If the frame decrypts to the Challenge Text, and the integrity check is verified, the access point will respond with a status code of successful. Successful decryption of the challenge text proves that the mobile station has been configured with the WEP key for the network and should be granted access. If any problems occur, the access point returns an unsuccessful status code.

Defeating shared-key authentication

Shared key authentication is subject to a trivial attack. At the heart of the shared-key authentication procedure is the encryption of the challenge text. Upon receipt of the random challenge, a station in posession of the WEP key is able to generate a keystream from the WEP key, then perform an exclusive-OR operation between the keystream and the data. However, the exclusive-OR is a reversible operation that relates the challenge text, keystream, and the response text. With any two items, recovering the third is a matter of reversing the right operation. An attacker can observe the challenge text and response, and use that to derive a keystream. Although this allows an attacker to authenticate to a network by playing back the recovered keystream on a new challenge, it does not allow an attacker to send arbitrary data without recovering the WEP key first. Figure 8-6 illustrates the keystream recovery procedure.

Figure 8-6. Defeating shared-key authentication

Nevertheless, attacks against shared key authentication are effective enough that it is generally not recommended. 802.11i does not allow a station that performed 802.11 authentication via shared keys to become associated to a Robust Security Network.