9.7 802.11i

The IEEE is painfully aware of the security holes that have cropped up as the popularity of the 802.11a and 802.11b series has increased. To that end, a new amendment, 802.11i, has been introduced. Unlike 802.11a and 802.11b, 802.11i is not a physical-layer specification; it is a security specification. It gives vendors a common set of best-practice security mechanisms, so that devices from different vendors can communicate securely on a WLAN network.

The migration to more secure WLAN networks will occur in gradual phases. As new standards are introduced, they will need to be tested for backward compatibility with older 802.11a and 802.11b devices. Part of the reason that 802.11 products have enjoyed so much success recently is that they have become much more interoperable, thanks in large part to the work of the Wireless Ethernet Compatibility Alliance (WECA, now the Wi-Fi Alliance). Introducing a new standard that breaks compatibility would be a mistake.

9.7.1 TKIP

To that end, the first step in advancing security taken by the 802.11i task group was to introduce a new security protocol. The protocol was originally going to be called WEP2, but the name was changed to Temporal Key Integrity Protocol (TKIP). TKIP is designed to run on existing WEP hardware, so vendors can deliver it as a firmware update to their products. This means companies will be able to run TKIP on existing equipment rather than having to purchase all new hardware. TKIP is also mandatory for WPA, the interim certification that WECA based on the 802.11i draft.

TKIP is a wrapper around WEP: it keeps the RC4 cipher and the frame format that existing hardware implements and adds new keying and integrity mechanisms around them. TKIP addresses four security concerns associated with WEP:

  1. Forged packets

  2. Replay attacks

  3. Weak encryption keys

  4. Rekeying

TKIP uses a message authentication code to tag each frame so that forged frames are not accepted by the access point. The WLAN device and the access point share a secret integrity key, derived along with the encryption key when they establish a session. The sender runs the frame through a tagging algorithm (in TKIP, the Michael algorithm) keyed with that secret and attaches the resulting 64-bit tag; the receiver recomputes the tag and accepts the frame only if the two match. Otherwise, the frame is dropped. An attacker who does not hold the integrity key cannot produce a valid tag for a frame he has altered or created.

NOTE

The acronym for message authentication code is MAC. Because the IEEE already uses the acronym MAC for media access control, the 802.11i working group has opted to call this tag a message integrity code (MIC).


Replay attacks occur when an attacker captures a valid packet and resends it to the access point later. Because the copy is unmodified, its integrity tag still verifies, so the MIC check alone cannot tell a replayed packet from a fresh one; it is nonetheless a forged packet.

To address replay attacks, TKIP enforces sequencing on the initialization value. Each packet sent between a WLAN device and the access point carries a 48-bit sequence number, the TKIP sequence counter (TSC), which is tied to the current TKIP encryption key and incremented for every packet. Whenever a new TKIP encryption key is initialized, the sequence number is reset. A replayed packet carries a sequence number the receiver has already seen (or a lower one), so the access point drops it; a packet captured under an old key fails the integrity check as well, because the key it was tagged with is no longer in use.
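The two mechanisms described above, the keyed integrity tag and the sequence-counter replay check, as an added example in Python (not code from the book): the Michael algorithm that 802.11i specifies as TKIP's MIC, checked against two of its published test vectors, and a simplified receiver that applies the replay rule and then verifies the MIC. The frame layout, the single replay counter, the key values and the sample frames are assumptions constructed for the example, and RC4 encryption with the per-packet key is left out.

```python
"""Michael MIC (TKIP's message integrity code) and the TKIP sequence counter
replay check, receiver side.  Added example, not the book's code: the frame
layout, single replay counter, keys and frames are constructed, and RC4
encryption of the payload is left out."""
import hmac
import struct

MASK32 = 0xFFFFFFFF

def _rol(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32

def _ror(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK32

def _xswap(v):
    # Swap the two bytes inside each 16-bit half of the word.
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)

def _michael_block(l, r):
    # One application of the Michael block function to the (l, r) state.
    r ^= _rol(l, 17)
    l = (l + r) & MASK32
    r ^= _xswap(l)
    l = (l + r) & MASK32
    r ^= _rol(l, 3)
    l = (l + r) & MASK32
    r ^= _ror(l, 2)
    l = (l + r) & MASK32
    return l, r

def michael(key: bytes, msg: bytes) -> bytes:
    """Michael MIC as specified in 802.11i: 64-bit key in, 64-bit tag out.
    Published vector: key 00*8, empty message -> 82925c1ca1d130b8."""
    if len(key) != 8:
        raise ValueError("Michael key must be 64 bits")
    l, r = struct.unpack("<II", key)
    # Pad with 0x5a, then 4 to 7 zero bytes, to a multiple of 4 bytes.
    padded = msg + b"\x5a" + b"\x00" * (4 + (3 - len(msg) % 4))
    for (word,) in struct.iter_unpack("<I", padded):  # little-endian words
        l ^= word
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)

def mic_input(da, sa, priority, payload):
    # 802.11i: the MIC covers DA, SA, the priority byte, three zero bytes
    # and the MSDU payload, so the addresses cannot be altered unnoticed.
    return da + sa + bytes([priority, 0, 0, 0]) + payload

def make_frame(mic_key, tsc, da, sa, priority, payload):
    """Sender: attach the sequence counter and the MIC to a plaintext frame."""
    return {"tsc": tsc, "da": da, "sa": sa, "priority": priority,
            "payload": payload,
            "mic": michael(mic_key, mic_input(da, sa, priority, payload))}

class TkipReceiver:
    """Receive state for one transmitter: MIC key and replay counter."""

    def __init__(self, mic_key):
        self.rekey(mic_key)

    def rekey(self, mic_key):
        # A new temporal key brings a new MIC key and resets the counter.
        self.mic_key = mic_key
        self.replay_counter = -1

    def receive(self, frame):
        # 1. The TSC must be strictly greater than any TSC accepted under
        #    this key; an equal or lower value is a replay.
        if frame["tsc"] <= self.replay_counter:
            return "replay"
        # 2. The MIC must verify (constant-time comparison).
        expected = michael(self.mic_key, mic_input(
            frame["da"], frame["sa"], frame["priority"], frame["payload"]))
        if not hmac.compare_digest(expected, frame["mic"]):
            return "mic-failure"
        self.replay_counter = frame["tsc"]
        return "accepted"

def demo():
    """Constructed scenario: normal traffic, a replay, a forgery, a rekey."""
    key1 = bytes.fromhex("0123456789abcdef")  # sample MIC keys, made up
    key2 = bytes.fromhex("fedcba9876543210")
    da, sa = bytes.fromhex("00aabbccddee"), bytes.fromhex("0011223344ff")
    rx = TkipReceiver(key1)
    f1 = make_frame(key1, 1, da, sa, 0, b"GET /index.html")
    f2 = make_frame(key1, 2, da, sa, 0, b"POST /login")
    forged = dict(f2, tsc=3, payload=b"POST /admin")  # edited, MIC kept
    results = [rx.receive(f1), rx.receive(f2), rx.receive(f1), rx.receive(forged)]
    rx.rekey(key2)  # temporal key rotates: counter resets, MIC key changes
    results.append(rx.receive(f1))  # old capture: TSC passes, MIC does not
    results.append(rx.receive(make_frame(key2, 1, da, sa, 0, b"GET /index.html")))
    return results  # accepted, accepted, replay, mic-failure, mic-failure, accepted

if __name__ == "__main__":
    print(demo())
```

The order matters: a real TKIP receiver performs the TSC check before decrypting, so replays are rejected cheaply, and verifies the MIC only after decryption. Michael is deliberately weak (it had to run on WEP-era hardware), which is why 802.11i pairs it with countermeasures: two MIC failures within sixty seconds force a rekey and a pause in traffic, limiting how many forgery attempts an attacker gets per key.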

To deal with WEP's weak keys (WEP builds each packet's RC4 key simply by prepending the 24-bit initialization value to the shared base key, which lets an attacker who collects enough packets recover the base key), TKIP introduces per-packet key mixing. The mixing runs in two phases. The first phase combines the temporal key with the MAC address of the transmitting WLAN network card (and the upper bits of the packet sequence counter) to create an intermediate key; because the MAC address is part of the input, two stations sharing a temporal key still end up with different per-packet keys. The second phase mixes the lower bits of the packet sequence number under the intermediate key to produce a fresh 128-bit RC4 key for each packet, constructed so that the known weak-key patterns are avoided. Because temporal keys are short-lived and replaced regularly, any one key protects only a limited amount of traffic before the process is restarted, making it very difficult for an attacker to recover the keys.

The last piece of the TKIP process is management of the encryption keys. TKIP uses three kinds of keys: the master key, from which the others are derived; key-encryption keys, used to protect other keys while they are distributed; and temporal keys, the short-lived keys that actually protect traffic. Because these have to be re-established whenever a WLAN device connects or re-connects to an access point, TKIP uses rekey messages to coordinate the process. The rekey messages ensure that neither the WLAN device nor the access point reuses keys from previous sessions and that both sides switch to the new temporal key at the same point.

TKIP provides the level of encryption needed for data on an enterprise network that must keep running on its existing WEP hardware. Because TKIP is designed to be backward compatible with existing WEP-enabled 802.11a and 802.11b devices, it should be deployed within the network. It may take a year or more for WECA to certify all TKIP-enabled devices to ensure interoperability; however, if a network is running equipment from a single vendor, there is no reason not to upgrade to TKIP. Keep in mind that TKIP is an interim measure constrained by that old hardware; the IEEE and the Wi-Fi Alliance have since deprecated it in favor of AES-based CCMP, so treat it as a floor rather than a target.

9.7.2 AES

The second type of encapsulation the 802.11i working group is developing is based on the Advanced Encryption Standard (AES). Because AES requires significantly more processing than the RC4 cipher built into WEP hardware, it cannot be retrofitted to most existing equipment with a firmware upgrade. When the standard is finalized, expected sometime in late 2003, implementing it will most likely require the purchase of new equipment rather than a simple firmware upgrade.

AES is the encryption standard adopted by the United States Government. It replaced the old standard, DES, when NIST published it as FIPS 197 in November 2001. AES-based protection on WLAN devices addresses the same four WEP weaknesses that TKIP does, with a stronger cipher and a stronger integrity mechanism.

AES is a symmetric-key cipher, which means the same key is used for encryption and decryption, as is the RC4 cipher that WEP and TKIP use. The two differ in kind, though: AES is a block cipher, whereas RC4 is a stream cipher. AES supports 128-, 192- and 256-bit keys; at 256 bits that is double the length of the 128-bit per-packet key used by TKIP.

A block cipher encrypts data in fixed-size blocks, as opposed to byte by byte like RC4. AES uses 128-bit blocks, so a packet whose length is not a multiple of 128 bits has to be padded out to a block boundary, unless the cipher is run in a mode, such as counter mode, that generates a keystream and needs no padding.

At this time the 802.11i working group has not settled on a standard for AES encapsulation, but AES will figure more prominently in future 802.11 standards. (The finished standard defines it as CCMP: AES in counter mode for confidentiality, with a CBC-MAC for integrity.)



The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska
