Securing Wireless Networks


Public and private key encryption and authentication techniques are both used in real-world systems. For wireless security, symmetric-key encryption is a fundamental building block in both IEEE 802.11i and IEEE 802.15.4 (ZigBee), which together cover high- and low-data-rate, low-power wireless applications. IEEE 802.11i, IEEE 802.15.4, and Bluetooth all use a cross-layered approach to security. Bluetooth, however, currently implements SAFER+ for baseband encryption, while 802.11i and 802.15.4 use the Advanced Encryption Standard (AES) for both encryption and authentication. All three wireless protocols rely on private encryption keys; therefore, key management and distribution are at least as important as the underlying encryption cipher chosen.

Rijndael is a symmetric block cipher that processes 128-bit data blocks using cipher keys of 128-, 192-, or 256-bit lengths. NIST chose the algorithm from five finalists to be the AES used in cryptographic systems throughout the U.S. Dept. of Defense and Federal Agencies for high-security wireless LANs. Although Rijndael was not the leading contender based on strength of security—all were equally strong—it won because it requires fewer rounds (calculation cycles) to produce a sufficient level of entropy. As a result, you can implement Rijndael to run at unusually fast speeds for a block cipher on general-purpose Pentium-based processors and implement it on a Smart Card, with a small amount of RAM and using a small number of clock cycles.

A disadvantage of the algorithm is that the inverse cipher (required for decryption) is more processing intensive and so less suited for implementation of a Smart Card than is the forward cipher. Also, the cipher and its inverse use different code and tables; in hardware, the inverse cipher can only partially reuse the circuitry that implements the forward one.

Strengths of AES CCMP
AES CCMP mode provides both authentication and encryption using the AES block cipher. CCMP combines Counter (CTR) mode encryption for data privacy or confidentiality, and Cipher Block Chaining Message Authentication Code (CBC-MAC) authentication, for an authenticate-and-encrypt security process on each data block processed. CCMP has two main advantages for IEEE 802.11 security. First, it computes the CBC-MAC over the IEEE 802.11 header length, selected parts of the IEEE 802.11 MAC Payload Data Unit (MPDU) header, and the plaintext MPDU data, whereas the old IEEE 802.11 WEP mechanism provided no protection to the MPDU header. Second, both CCMP encryption and decryption use only the forward AES block cipher function rather than the more costly and processing-intensive inverse AES cipher. Using only the AES forward cipher leads to significant savings in code and hardware size. Also, the CCMP implementation does not have to complete calculation of the message authentication code before CTR encryption can begin, allowing parallel implementation and further streamlining of AES CCMP in hardware or software. The CCMP mode of AES encryption is currently under consideration by the 802.11i task group for use in future wireless devices.
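To make the two CCMP properties above concrete (the CBC-MAC covers the header as well as the payload, and both directions need only the forward AES function), the following is an added example written for this page, not code from the article or from 3eTI: a CCM implementation in Go with the CCMP parameters (13-byte nonce, 8-byte MIC, 2-byte length field, as in RFC 3610) that only ever calls block.Encrypt. The names ccmEncrypt/ccmDecrypt and the precondition that the header is non-empty and shorter than 0xFF00 bytes are this example's own choices.

```go
package main
import (
	"crypto/aes"
	"crypto/subtle"
	"errors"
)
// CCMP parameters (RFC 3610 with M=8, L=2): 13-byte nonce, 8-byte MIC, 2-byte length field.
const nonceLen, tagLen = 13, 8
// cbcMAC chains the forward cipher over B_0 || length-prefixed header (AAD) || payload; AAD is assumed non-empty and < 0xFF00 bytes.
func cbcMAC(enc func(dst, src []byte), nonce, aad, pt []byte) []byte {
	blocks := func(l int) int { return (l + 15) &^ 15 } // round up to whole AES blocks (zero padding)
	data := make([]byte, 16+blocks(2+len(aad))+blocks(len(pt)))
	copy(data, append(append([]byte{0x59}, nonce...), byte(len(pt)>>8), byte(len(pt)))) // B_0: flags Adata=1,(M-2)/2=3,L-1=1
	copy(data[16:], append([]byte{byte(len(aad) >> 8), byte(len(aad))}, aad...))         // header with 2-byte length
	copy(data[16+blocks(2+len(aad)):], pt)
	x := make([]byte, 16)
	for i, b := range data {
		if x[i%16] ^= b; i%16 == 15 {
			enc(x, x) // X_{i+1} = E(X_i XOR B_i); in-place call is allowed by crypto/aes
		}
	}
	return x[:tagLen]
}
// ctrXOR XORs data with keystream blocks S_i = E(A_i), A_i = 0x01 || nonce || i, i counted from first.
func ctrXOR(enc func(dst, src []byte), nonce, data []byte, first int) []byte {
	out, s, a := make([]byte, len(data)), make([]byte, 16), append(append([]byte{0x01}, nonce...), 0, 0)
	for i, b := range data {
		if i%16 == 0 {
			a[14], a[15] = byte((first+i/16)>>8), byte(first+i/16)
			enc(s, a)
		}
		out[i] = b ^ s[i%16]
	}
	return out
}
// ccmEncrypt returns ciphertext || MIC, where MIC = CBC-MAC tag XOR S_0; no inverse cipher is needed.
func ccmEncrypt(key, nonce, aad, pt []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(nonce) != nonceLen {
		return nil, errors.New("bad key or nonce length")
	}
	return append(ctrXOR(blk.Encrypt, nonce, pt, 1), ctrXOR(blk.Encrypt, nonce, cbcMAC(blk.Encrypt, nonce, aad, pt), 0)...), nil
}
// ccmDecrypt CTR-decrypts, re-runs ccmEncrypt on the result and compares in constant time: forward cipher only, again.
func ccmDecrypt(key, nonce, aad, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(nonce) != nonceLen || len(ct) < tagLen {
		return nil, errors.New("bad key, nonce or ciphertext length")
	}
	pt := ctrXOR(blk.Encrypt, nonce, ct[:len(ct)-tagLen], 1)
	if want, _ := ccmEncrypt(key, nonce, aad, pt); subtle.ConstantTimeCompare(want, ct) != 1 {
		return nil, errors.New("MIC check failed: header or payload was modified")
	}
	return pt, nil
}
```

Feeding it the key, nonce, header and payload of RFC 3610 packet vector #1 lets you check the output against the RFC; a flipped bit in either the header or the payload makes ccmDecrypt return an error instead of data.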

Secure Key Management and Distribution
The IEEE 802.11i proposed standard goes beyond the flawed encryption mechanism of the 1999 802.11 WEP standard to include specifications on encryption, authentication, and key management in a multilayered approach to security. IEEE 802.1X-based authentication mechanisms are used, with AES in CCMP mode, to establish an 802.11 Robust Security Network (RSN). IEEE 802.1X-2001 defines a framework based on the Extensible Authentication Protocol (EAP) over local area networks (also known as EAPoL). EAPoL is used to exchange EAP messages, which execute an authentication sequence and are used for key derivation between a Station (STA) and an EAP entity known as the Authentication Server. IEEE 802.11i defines a four-way handshake using EAPoL for key management as well as pairwise and group key derivation (see Figure 1).

Figure 1. Here we see the dynamic key exchange process. Note that the certificates at the Client and Security Server devices are currently X.509, generated from a Microsoft certificate authority (CA). 3e is migrating to DOD PKI compliance, with certificates from the JITC CA. HMAC-SHA1 (not shown) is used in addition to Diffie-Hellman to prevent "man-in-the-middle" attacks.

OSI Layer 2 Protection with IPSec Layer 3 VPNs
For readers familiar with networking, the Open System Interconnection (OSI) 7-layer model defines a networking framework for implementing protocols in these layers. IPSec is intended to provide confidentiality, data origin authentication, anti-replay, and data integrity services to Internet Protocol (IP) frames. Virtual Private Networks (VPNs) typically rely on IPSec to implement secure tunnels. IPSec provides an Encapsulating Security Payload (ESP), which is a protocol header inserted into an IP datagram at the network layer (layer 3). The drawback to this approach is that for wireless systems, the datalink layer (layer 2) and physical layer (layer 1) frames are completely unprotected using IPSec alone. Spoofing and replay attacks on the MPDU and physical layer packets are possible. In general, for wireless traffic, security at layer 2 and above is advisable to protect both data and routing information. As mentioned earlier, AES CCMP computes the CBC-MAC over the 802.11 header length, selected parts of the 802.11 MAC packet header, and the plaintext MAC packet payload. This approach, combined with dynamic key exchange and careful key management, provides strong protection of the wireless frames. IPSec can and should be used in the network above AES CCMP, for multilayer security. Note that AES CCMP is recommended, although FIPS 140-2 currently mandates use of the simpler AES ECB mode. A "best practice" recommendation would be that NIST incorporate the CCMP mode into its FIPS 140-2 standard.

Dynamic Key Exchange and AES Encryption
  Dynamic Key Exchange. 3eTI has developed a dynamic key exchange (DKE) technique for key management in wireless systems, which involves a security server (SS), an access point (AP), and multiple wireless client devices. The communications channel between the AP and the client devices is wireless IEEE 802.11, while the channel between the AP and the SS is wired. The DKE process proceeds as follows. First, the SS and Client devices must obtain X.509 certificates (proving trustworthiness at a particular node in the network system) from a third-party certificate authority. This can be accomplished in a number of ways; typically, RSA is used to authenticate these certificates.

Once the X.509 certificates are in place, a client device associates with an AP to initiate the DKE sequence. Once association is successful, authentication messages and only authentication messages are permitted to flow between the Client and the SS through the AP.

Next a mutual authentication process among the Client, AP, and SS ensues, followed by a key exchange process. EAP-TLS, an authentication protocol, encapsulates EAPoL, which is used to achieve mutual authentication between the Client and the AP. Meanwhile, RADIUS, using HMAC-SHA1 (a keyed hashing algorithm), is used between the AP and the SS, for mutual authentication over the wired channel. EAP-TLS is then used to establish mutual authentication between the Client and the SS. At this point, authentication, or proof of valid identity, has been established throughout the wireless network (Client, AP, SS).

Following successful authentication, the dynamic key exchange process is initiated. As a result of the completed authentication process, a pairwise transient key (PTK) is generated at the Client device and the SS. The Diffie-Hellman protocol is used to exchange an AES encryption key between the SS and the AP. Then an AES-encrypted message transfers the PTK from the SS to the AP; both the Client and the AP now have the PTK. This key will be used to AES-encrypt all single-node-to-single-node traffic between the AP and the Client. A FIPS 140-2 compliant random key generator is used at the AP to generate the key that will be used to AES-encrypt all broadcast traffic between the AP and the Client. Next, an AES-encrypted message transfers the broadcast key from the AP to the Client. At this point, the AP and the Client have both unicast and broadcast keys to perform layer 2 AES protection of the wireless channel. This DKE process can be selectively re-invoked whenever a client device initiates the process by associating to an AP, or when a new client joins the wireless network.

  FIPS 140-2 Validation. The 3eTI DKE process and 3eTI AP and Client devices have received FIPS 140-2 validation (refer to NIST certificates #355 and #367). The FIPS 140-2 validation process entails rigorous testing and proof-of-secure-design administered by a NIST-endorsed independent laboratory. FIPS 140-2 validation is required for all federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems), as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. FIPS 140-2 ensures correct construction and implementation of the cryptographic functions within a rigorously defined "cryptographic boundary."

  Common Criteria Certification. The Common Criteria (CC), an international standard for information assurance (ISO/IEC 15408), has 15 participants in its international recognition arrangement. All IT security products purchased by the U.S. government for national security systems must be Common Criteria certified as of July 2002 if corresponding protection profiles are approved for that type of product. In anticipation of protection profiles gaining final approval, many government agencies (especially the DOD) are writing CC validation into new RFPs, requiring government vendors to comply with this directive.

Future Initiatives
IEEE 802.11i, AES CCMP, ECC, and IPSec are useful, but all are passive network intrusion prevention techniques. 3eTI sees a growing trend toward including active intrusion prevention, along with traditional passive encryption, authentication, and network-based and host-based intrusion detection techniques to secure future networks. Certain emerging active intrusion prevention constructs are designed primarily to protect wireless networks, including the use of directional antennas to effectively provide an "invisible fence," or RF-boundary (layer 1), around the deployed wireless LAN. The cost of smart antennas is dropping, making them more practical for enterprise- or company-wide 802.11 networks. These smart antennas will add physical-layer security techniques to the existing data link and higher-layer techniques previously described in this article. Adaptive beam forming and beam steering, coupled with 802.11i constructs and other higher-layer intrusion prevention techniques, provide a multilayered approach to security—necessary for wireless LANs to become a transparent and fully used extension of traditional wired networks.


AES Advanced Encryption Standard. This is a symmetric 128-bit block data encryption technique adopted by the U.S. government in October 2000. Rijndael, the algorithm used, was developed by Belgian cryptographers Joan Daemen and Vincent Rijmen.

AES-CCMP This mode of AES automatically adds a Message Integrity Check to every packet, and this acts as a digital signature, protecting against accidental as well as deliberate changes. CTR mode encryption is included in AES-CCMP.

Anti-replay Anti-replay prevents a third party from eavesdropping on a conversation, stealing packets, and injecting those packets into the session at a later time. For example, IPSec uses sequential counters to guarantee that packets are received and processed in order. Packets received out of sequence are dropped.

Asymmetric Encryption Asymmetric encryption uses pairs of keys. One key is used for encryption and the other for decryption. The decryption key is typically kept secret, and so it's called a "private," or "secret," key. The encryption key is spread to all who might want to send encrypted messages; it's called a "public" key. Anyone who has the public key can send encrypted messages to the owner of the secret key, but the secret key can't be reconstructed from the public key.

Ciphertext Text that has been encrypted.

Diffie-Hellman The Diffie-Hellman key agreement protocol (also called exponential key agreement) was developed by Diffie and Hellman (DH76) in 1976 and published in their groundbreaking paper "New Directions in Cryptography." The protocol allows two users to exchange a secret key over an insecure medium.

EAP-TLS Extensible Authentication Protocol (a general protocol for authentication) and Transport Level Security.

ECB Electronic Codebook mode. An operating mode for block ciphers.

ECC Elliptic Curve Cryptography. A class of cryptographic algorithms capable of doing asymmetric encryption and whose mathematics are elliptical and nonlinear, rendering a mathematical solution more difficult and leading to stronger security.

Encryption Any procedure used in cryptography to convert a message from the uncoded plaintext into ciphertext in order to prevent any but the intended recipient from reading the data.

FIPS 140-2 Federal Information Processing Standard 140-2 is a NIST policy for cryptographic modules.

HMAC-SHA1 Hashed Message Authentication Code (HMAC) and Secure Hashing Algorithm (SHA1). Together they form a keyed hashing algorithm.

Pairwise Transient Key To support the unique requirements of wireless on an 802.1X network, the 802.11i draft standard defines an 802.1X protocol called the 4-way handshake. The 4-way handshake takes place after successful authentication and generation of the pre-master key (PMK) in the case of a network using EAP-based authentication, or at the start of each session for a network operating in preshared key mode. The handshake completes the 802.1X authentication process by ensuring that the PMK is live, checking that it is still valid for use on the network, binding it to the MAC addresses of the stations communicating to each other (AP and STA, in most cases), and then synchronizing the use of lower-level encryption keys used to secure the channel between the stations.

Plaintext A message either before it is encrypted or after it has been decrypted, i.e., in a form that anyone can read.

Private Key Encryption In private key encryption, both parties share an encryption key. The same key is used to encrypt and decrypt the message. The difficulty lies in how to share the key securely before you start encrypting the message. Many private key encryption methods use public key encryption to transmit the private key for each data transfer session.

Protection Profiles A Protection Profile (PP) is an implementation-independent statement of security requirements that address threats existing in a specified environment used in the Common Criteria.

Public Key Encryption This uses two keys, one to encrypt and one to decrypt. The sender asks the receiver for the encryption key, encrypts the message, and sends the encrypted message to the receiver. Only the receiver can then decrypt the message—even the sender cannot read the encrypted message.

RADIUS Remote Authentication Dial-In User Service.

RSA Named after its inventors, Ron Rivest, Adi Shamir, and Leonard Adleman, RSA encryption transforms the number "char" into the number "cipher" with the formula

  cipher = char^e (mod n)

The numbers "e" and "n" are the two numbers you create and publish. They are your "public key." The number "char" can be simply the digital value of a block of ASCII characters. The formula says: multiply the number "char" by itself "e" times, then divide the result by the number "n" and save only the remainder. The remainder that we have called "cipher" is the encrypted representation of "char."

SAFER+ A secure and fast encryption routine, chosen by the European Bluetooth SIG Community.

Spoofing The creation of TCP/IP packets using a forged IP address. Routers use the destination IP address to forward packets through the Internet, but ignore the source IP address. The source IP address is only used by the destination machine when it responds back to the source.

Symmetric Encryption When using symmetric algorithms, both parties share the same key for encryption and decryption. To achieve privacy, this key must be kept secret. Once somebody else knows the key, it is no longer safe to use the encryption algorithm. Symmetric algorithms have the advantage of not consuming too much computing power. A few well-known examples are DES, Triple-DES (3DES), IDEA, CAST5, BLOWFISH, TWOFISH, and AES.

WEP Wired Equivalent Privacy, a security protocol for WLANs defined in the 802.11b standard.

X.509 Certificates A widely used standard for defining digital certificates. An X.509 certificate binds an identity to a pair of electronic keys that can be used for encrypting and signing digital information. The pair consists of two related keys: public and private. The public key can be used by anyone to verify a message signed with the private key or to encrypt a message that can be decrypted only by using the private key. The private key must be kept secure and protected against unauthorized use.

Certificates are issued by a Certification Authority, a trusted party that vouches for the identity of those to whom it issues certificates.