802.1x What it is, How it’s broken, and How to fix it. Bruce Potter The Shmoo Group [email protected].


Why Wireless?

• No cable plant
  – Lower cost (initially… TCO may be higher)
  – Rapid deployment
• Enhanced mobility
• Ad hoc relationships
• Many different requirements

Why Not Wireless

• No physical security
• Low throughput
• Unregulated, noisy bands

802.11, 802.11b, etc.

• IEEE standard
  – Based on well known Ethernet standards
• 802.11
  – FHSS or DSSS, WEP, 2.4 GHz, Infrastructure (BSS) or Ad-Hoc (IBSS)
  – Limited to 2Mb/s due to FCC limits on dwell times per frequency hop
• 802.11b
  – DSSS only, WEP, 2.4 GHz, Infrastructure or Ad Hoc
  – Up to 11Mb/s
  – Also known as Wi-Fi
• 802.11a and 802.11g

An Association

• Associations are a basic part of 802.11
• Client requests authentication
• AP responds with auth type (Open/WEP)
• Authentication is performed
• If successful, then Association is requested and granted
• SSID is sent in the clear, so not advertising SSID is NOT a valid security mechanism

General Principles

• Deal with the basics
  – Integrity
    • Protecting your packets from modification by other parties
  – Confidentiality
    • Keeping eavesdroppers within range from gaining useful information
    • Keeping unauthorized users off the network
      – Free Internet!
      – Risks to both internal and external network
  – Availability
    • Low level DoS is hard to prevent
• Like any other environment, there are no silver bullets

Current Security Practices

• WEP – Wired Equivalent Privacy
  – Link level
  – Very broken
• Firewalls/MAC filtering
• Reactionary
  – IDS/Active Portal
• Higher level protocols

WEP In a Nutshell

• 40 bits of security == 64 bits of marketing spam
• 104 bits of security == 128 bits of marketing spam

Thoughts on WEP

• Key management beyond a handful of people is impossible
  – Too much trust
  – Difficult administration
  – Key lifetime can get very short in an enterprise
• No authentication for management frames
• No per packet auth
• False Advertising!!!

What is Lacking?

• Scalability
  – Many clients
  – Large networks
• Protection for all parties
• Eliminate invalid trust assumptions

802.1x

• Port based authentication for all IEEE 802 networks (layer 2 authentication)
• Originally for campus networks
• Extended for wireless
• Allows for unified AAA services
• Provides means for key transport

Pre-Authentication State

Post-Authentication State

EAP

• Extensible Authentication Protocol
• Originally designed for PPP
  – Shoehorned into 802.1x
• Switch/Access point is a pass-through for EAP traffic. New authentication mechanisms do not require infrastructure upgrades
• LEAP – Cisco’s Lightweight EAP
  – Password based and (relatively) widely available
• De facto mechanism between AS and AServ is RADIUS

EAP Methods

• EAP-TLS: Uses certs! If implemented properly, solves many problems
• TTLS – Tunneled TLS. Allows encapsulation of other auth mechanisms.
  – “machine” auth’d by TLS, person by the tunneled protocol
• PEAP – IETF Draft
  – Like TTLS but with another EAP method encapsulated
• TLS/TTLS and others require certs
  – We all have a PKI setup, right? And use it properly and regularly?

What’s Right

• Protection of the infrastructure
• Authentication mechanism can
  – change as needed
  – address flaws in existing wireless security
• Lightweight
  – No encapsulation, no per packet overhead… simply periodic authentication transactions

What’s Right

• In controlled environment, risks can be mitigated by higher level protocols
  – VPN/SSL/SSH
• NOTE: exchange of WEP key material is not part of 802.1x specification
  – Remember: designed for wired campus networks

What’s Right

• Association happens BEFORE 802.1x transaction.
  – Good: If 802.1x session is protected by default WEP key then the attacker must first compromise the WEP key to make use of 802.1x vulns
  – Bad: Key management anyone? Just how does the default key get there?

What’s Wrong

• www.missl.cs.umd.edu/wireless/1x.pdf
  – First open source supplicant
  – First holes in 802.1x
• One way authentication
  – Less of a concern in LAN environment
• Traffic interception
• Session hijacking

What’s Wrong – Technical

• One way authentication
  – Gateway authenticates the client
  – Client has no explicit means to authenticate the gateway
  – Rogue gateways put client at risk
• Remember – the loudest access point wins
• Still no authentication of management frames (assoc/deassoc/beacons/etc…)

What’s Wrong - Technical

• MITM
  – Send “Authentication Successful” to client
  – Client associates with malicious AP
• Hijacking
  – Send disassociation message to client… AP is in the dark
  – Change MAC to the client’s and have live connection
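The “send Authentication Successful to the client” case above, as an added example that is not from the talk: a client-side audit over a constructed EAPOL exchange that parses the 802.1X/EAP headers and flags an EAP-Success whose Identifier does not match the last Request, or that arrives before the client has run any server-authenticating method (EAP-TLS, EAP-TTLS or PEAP). The frame builder and the sample frames are constructed for this example; the method type numbers are the IANA-assigned ones.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
# EAP method types that authenticate the server to the client via a TLS certificate
MUTUAL_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def eapol_eap(code, ident, mtype=None, data=b""):
    """Build an EAPOL EAP-Packet (type 0) wrapping one EAP packet; used only for constructed samples."""
    payload = (bytes([mtype]) + data) if mtype is not None else b""
    eap = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


def parse_eapol(frame):
    """Return (code, ident, method_type) for an EAP-Packet, or None for other EAPOL types."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, blen = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + blen]
    if len(body) != blen:
        raise ValueError("EAPOL body length mismatch")
    if ptype != 0:                      # EAPOL-Start / Logoff / Key carry no EAP packet
        return None
    if blen < 4:
        raise ValueError("truncated EAP header")
    code, ident, elen = struct.unpack("!BBH", body[:4])
    if elen < 4 or elen > blen:
        raise ValueError("bad EAP length")
    mtype = body[4] if code in (EAP_REQUEST, EAP_RESPONSE) and elen >= 5 else None
    return code, ident, mtype


def audit_session(frames):
    """Flag an EAP-Success a supplicant should not trust (client-side view of one session)."""
    findings, seen_mutual, last_req_id = [], False, None
    for frame in frames:
        eap = parse_eapol(frame)
        if eap is None:
            continue
        code, ident, mtype = eap
        if code == EAP_REQUEST:
            last_req_id = ident
        elif code == EAP_RESPONSE and mtype in MUTUAL_METHODS:
            seen_mutual = True          # client actually ran a server-authenticating method
        elif code == EAP_SUCCESS:
            if ident != last_req_id:    # RFC 3748: Success must carry the last Request's Identifier
                findings.append("EAP-Success identifier does not match last Request")
            if not seen_mutual:         # bare Success right after Identity: the forged-success case above
                findings.append("EAP-Success without a server-authenticating method")
    return findings
```

Even a Success with a matching Identifier proves nothing by itself; only the method’s own server authentication and key derivation do, which is why the check treats the method exchange, not the Success frame, as the evidence.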

What’s Wrong – Technical

• RADIUS uses shared secret with the Authenticator
  – Same issue as WEP, but on a more reasonable scale
• Authentication after association presents roaming problems
  – Authentication takes a non-trivial amount of time… can disrupt data in transit
• Failure of RADIUS server == failure of network
  – Many AP implementations don’t allow multiple RADIUS servers
  – Most RADIUS server failover is non-transparent
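An added example (not from the talk) of what the RADIUS shared secret between AP and server actually protects: the authenticator-side check of an Access-Accept’s Response Authenticator (RFC 2865 §3) and Message-Authenticator (RFC 2869, required for EAP replies by RFC 3579), which is what rejects a reply from anyone who does not hold the secret. The secret, Identifier, Request Authenticator and attributes used in the test are constructed for this example.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
MESSAGE_AUTHENTICATOR = 80   # attribute type (RFC 2869): HMAC-MD5 keyed with the shared secret
HEADER_LEN = 20              # Code, Identifier, Length, 16-octet Authenticator

def radius_attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def _header(code, ident, length, authenticator):
    return struct.pack("!BBH", code, ident, length) + authenticator

def build_access_accept(ident, request_auth, secret, attrs):
    """Server side: append a Message-Authenticator, then fill in the Response Authenticator."""
    body = b"".join(attrs) + radius_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    length = HEADER_LEN + len(body)
    # RFC 3579 3.2: HMAC-MD5 over the reply with the Request Authenticator in the header
    # and the Message-Authenticator's own value set to 16 zero octets
    mac = hmac.new(secret, _header(ACCESS_ACCEPT, ident, length, request_auth) + body, hashlib.md5).digest()
    body = body[:-16] + mac
    # RFC 2865 3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(_header(ACCESS_ACCEPT, ident, length, request_auth) + body + secret).digest()
    return _header(ACCESS_ACCEPT, ident, length, resp_auth) + body

def verify_access_accept(packet, ident, request_auth, secret):
    """Authenticator (AP) side: accept only a reply provably built with the shared secret."""
    if len(packet) < HEADER_LEN or struct.unpack("!BBH", packet[:4]) != (ACCESS_ACCEPT, ident, len(packet)):
        return False
    length, body = len(packet), packet[HEADER_LEN:]
    expected = hashlib.md5(_header(ACCESS_ACCEPT, ident, length, request_auth) + body + secret).digest()
    if not hmac.compare_digest(packet[4:HEADER_LEN], expected):
        return False
    # Walk the attributes; an EAP reply must carry exactly one 16-octet Message-Authenticator
    pos, mac_offsets = HEADER_LEN, []
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            mac_offsets.append(pos + 2)
        pos += alen
    if len(mac_offsets) != 1:
        return False
    off = mac_offsets[0]
    zeroed = packet[HEADER_LEN:off] + bytes(16) + packet[off + 16:]
    mac = hmac.new(secret, _header(ACCESS_ACCEPT, ident, length, request_auth) + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[off:off + 16], mac)
```

The same secret is shared by every AP that talks to that server, which is the “same issue as WEP” the slide points at: the check is only as strong as the secrecy and uniqueness of that value.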

What’s Wrong – touchy feely

• They forgot about the client (trust assumptions)
  – Everyone is at risk
  – Everyone is a threat
  – Lack of physical security requires encrypted channel to secure 802.1x
• Wired “port” is not the same as wireless “port”
• Protocol designed to not require hardware replacement
  – Leads to less than stellar solution, esp. WRT authentication of management frames.

What’s Wrong – touchy feely

• Extensibility leads to complexity
  – Complexity leads to mistakes in implementation
  – Read the MS guide on creating EAP methods as an example.
• Multivendor support is difficult
• Using a shoehorn to force protocols to work together leads to problems

Why Did it Go Wrong?

• 802.1x – Designed for campus networks
• EAP – Designed for PPP
• NEITHER designed with wireless threat model in mind
• Lesson: Don’t apply old protocols to new problems without understanding the risk.

Where Are We Today?

• Several 802.1x implementations available
  – Windows XP (not PocketPC 2002)
  – Open1x.org
• EAP implementations
  – Windows IAS
  – FreeRADIUS – MD5 and TLS
  – Cisco
  – Other RADIUS servers

Where Are We Today?

• 802.1x capable Access Points
  – Cisco
  – Lucent
    • RG1000/RG1100 can be hacked with AP500 firmware to become 1x capable
    • Some drawbacks
  – OS authenticator from open1x.org
  – others

What’s Next

• Integration of existing solutions to “raise the bar”
• Limited 802.1x implementations
• 802.11i (Task Group I – Security)
  – On track… the right track
  – Mutual auth, per packet auth
  – 802.1x a part of

What’s Next

• WEP has the right idea
• End to End Solutions à la SSL, SSH, IPSec
  – Not likely

Temporal Key Integrity Protocol

• Fast Packet Keying
• Packet MAC
• Dynamic Rekeying
• Key distribution via 802.1x
• 3Q product deployment
• Still RC4 based to be backward compatible
• AES with 802.1x keying in the distant future

Questions

http://www.shmoo.com/1x/