LAN Security - IEEE Xplore

An Efficient Elliptic Curve Cryptography based Authenticated Key Agreement Protocol for Wireless LAN Security

Mohammad Abdul Azim and Abbas Jamalipour
School of Electrical and Information Engineering, The University of Sydney, NSW 2006, Australia
Email: {azim, abbas}@ee.usyd.edu.au

Abstract-Failure of the wired equivalent privacy (WEP) protocol largely stimulated the research and development of security protocols for wireless local area networks. Industry alliances and IEEE responded with Wi-Fi Protected Access (WPA) and IEEE 802.11i for the solutions to the aforementioned problem. This paper proposes a mutually authenticated key agreement protocol that employs elliptic curve digital signature algorithm (ECDSA) and elliptic curve Diffie-Hellman (ECDH) exchange intended for mutual authentication and key exchange respectively. To support both the basic service set (BSS) network and extended service set (ESS) network two different versions of the protocol have also been derived from the original one. The design objective was the efficiency and compatibility to 802.11i standard.

I. INTRODUCTION

Low cost, ease of use, mobility and enhancing productivity cause the popularity and the growth of the wireless LAN (WLAN) both in corporate and personal environment. The IEEE 802.11 [1] WLAN standard describes communication channels using radios including the wired equivalent privacy (WEP) security protocol. But, because of design flaws in the WEP standard, WLAN lacks the security attributes (authenticity, privacy, integrity etc) and becomes vulnerable to both active and passive attacks.

Wireless-fidelity (Wi-Fi) alliance's security specification, "Wi-Fi Protected Access (WPA)" [2] which is a subset of 802.11i [3], addresses these network weaknesses of the WEP by incorporating data integrity protection and access control based on the user authentication that was principally missing in WEP. WPA, which has both forward and backward compatibility with the IEEE 802.11i and WEP, can easily be implemented in the existing hardware through software up-gradation.

Moreover, for the long-term solution of robust security network (RSN), IEEE 802.11i utilizes IEEE 802.1x standard [4], (the port based access control mechanism for LANs and metropolitan area networks (MAN)), as a basis for access control, authentication and key management. It also uses a strong authenticated encryption scheme, advanced encryption standard in counter with cipher block chaining message authentication code (AES-CCM) for both encryption and data integrity verification.

IEEE 802.11i standard does not define any particular authentication key agreement protocol. Rather, it uses other authentication protocols to provide security in WLAN by providing a mechanism to use them. Designed for the other specific networks, some of the protocols lack adequate strength while the rest lack efficiency in incorporating WLAN. To address these two issues we propose an efficient elliptic curve base authenticated key agreement protocol for both the basic service set (BSS) and the extended service set (ESS) modes of the WLAN.

The remaining of the paper is organized as follows. Section II describes the related works. Section III provides a general review of the current WLAN authentication protocols. Section IV summarizes the advantages of elliptic curve cryptography (ECC) for WLAN, Diffie-Hellman exchange (ECDH) and elliptic curve digital signature algorithm (ECDSA). In Section V, we present the proposed protocol itself, how it fits with the BSS and the ESS networks and its compatibility with the IEEE 802.11i. The key conclusions that can be drawn from this paper are stated in section VI.

II. RELATED WORKS

An authenticated key agreement protocol concurrently offers the mutual authentication and a secured way of deriving a shared secret key where both the entities contribute information for the key agreement rather than trusting or depending on one party as a key transport protocol.

A. Mutual Authentication

In IEEE 802.11 security specification, mutual authentication was largely absent. The authentication was required only for the stations but not for the access points (APs), under the assumptions that APs are trusted entities. But as the assumption was fundamentally incorrect, exploiting this one-way authentication, rogue APs were able to connect with the legitimate stations without much effort.

0-7803-8924-7/05/$20.00 (c) 2005 IEEE.


The current standard IEEE 802.11i provides strong mutual authentication to solve this problem. Extensible authentication protocol (EAP) [5] methods are used especially for the ESS networks where a dedicated authentication server such as Remote Authentication Dial-In User Service (RADIUS) [6] is always present to provide necessary authentication. Currently weaker shared key authentication is mostly applicable for the BSS networks. To make the strong public key based authentication and key generation scheme available for these networks, the IEEE 802.1x based ESS solution (for large scale corporate networks) may be employed in BSS networks by adding a logical RADIUS server inside the AP. However, a straightforward incorporation of it in conjunction with the EAP methods (for the small office home office (SOHO) environment where an additional authentication server is absent) will not be a very efficient approach.

B. Key Agreement

Many solutions have been proposed to remedy the WEP encryption problems. Reference [7] proposes a simple and WEP compatible security protocol named synchronized random number generation (SPRiNG), that uses a counter and a pseudorandom number generator (PRNG) to synchronize and to generate an encryption key on a per-frame basis. The idea is to hide the plain initial vector (IV) behind the PRNG so that the key derivation methods used by the common tools do not work. One basic problem of using a PRNG is that PRNGs repeat. Moreover, depending on the seed values, PRNGs could repeat earlier than the expected period. Even though the simulations were based on a linear congruential generator (LCG) [8], SPRiNG does not suggest any particular PRNG to be used. Though LCG has the property of reasonable randomness, it suffers from its own disadvantages, such as poor dimensional distribution and shorter than expected periods for some seed states. LCG has the period of z3' but could end up with a very small period depending on the particular seed value. Implementation of Mersenne twister (MT19937) [9] instead of LCG could be advantageous because of its speed and extremely large period (2^19937 - 1). Years of transmission of a particular session are possible without repetition of the key. Nevertheless, since the protocol requires that the seeds remain fresh at all times and does not provide any mechanism to keep the seeds fresh, subsequent sessions starting with the same seed make SPRiNG vulnerable to a dictionary attack even in the next session. Hence once again we come to the point where we need a cryptographically secured automated exchange mechanism to get fresh seeds for SPRiNG as opposed to the need of a key exchange mechanism for the WEP.

Reference [10] proposes a cipher strengthening mechanism named variable encryption function (VRF) [10] that increases diffusion by using a block chaining algorithm to fix the encryption vulnerability of the WEP. Function VRF is placed in the application layer. This function hardens the derivation of the plaintext from the cipher text by incorporating a jumbling algorithm. As the jumbling is based on the previous plaintext, it has a problem with identical patterns in the plaintext, where the output is also patterned. Additionally, the implementation requires keeping track of the data from the previous session and finally, as the function stays before the Rivest Cipher 4 (RC4) engine, it does not increase the life of the WEP key. An attacker can still derive the RC4 key with the same difficulty using the well-known attack tools and get connected to the wireless LAN. Similar reasoning is applicable for the arrangements using virtual private networks (VPN) in conjunction with WEP to enhance security. Modification of the algorithm by putting the VRF after the RC4 engine can strengthen the WEP by increasing the life of the WEP key. But an automated exchange mechanism is a far better solution for fixing the WEP security vulnerability compared to the protocols [X-1 01.

The following section provides a general review of current WLAN modes and their authentication schemes.

III. WIRELESS LAN AUTHENTICATION

WLAN structural modes can be categorized into two forms of networks: infrastructure and ad-hoc. In infrastructure mode all the communication of the mobile stations takes place through the AP. The AP also provides the WLAN with a link to the wired network. The WLAN consisting of a single AP in the core and one or multiple stations around it is known as a BSS network, where the authentication takes place between the AP and station (STA). On the other hand, an ESS network consists of multiple BSS networks connected by a wired distributed system. In a corporate network scenario where hundreds or thousands of network clients frequently connect, disconnect and roam, it is not feasible for all the APs to contain the authentication credentials of each of the clients to provide the authentication services. Therefore, a centralized authentication server is required to provide the service. Currently the WLAN standard IEEE 802.11i supports two types of authentication: pre-robust security network association (pre-RSNA) and robust security network association (RSNA). Pre-RSNA comprises both open system authentication and shared key authentication of the IEEE 802.11 standard and supports backward compatibility. On the other hand, RSNA is only applicable to RSN capable equipment.

A. Pre-RSNA

Among the pre-RSNA authentications, open system authentication is not an authentication at all. In shared key authentication, the authentication takes place in the form of AP sending a random challenge where STA responds to it by encrypting the challenge with the knowledge of a shared secret by using WEP encryption algorithm.


B. RSNA

RSNA exploits IEEE 802.1x, EAP and RADIUS to facilitate the network access control for WLAN. Under the framework the AP only works as a pass-through device, where the original authentication is conducted by the STAs and the authentication server, such as a RADIUS server. The communication between the AP and the authentication server takes place through the RADIUS protocol. EAP [5] does not specify any particular authentication mechanism; instead it serves as a transport for the underlying authentication protocols. Four types of EAP messages are supported: EAP request, EAP response, EAP success and EAP failure. EAP-TLS [11], EAP-TTLS [12], EAP-SIM [13] and EAP-AKA [14] are well-known EAP types. The addressing mechanism between the STA and AP is provided by the EAP over LAN encapsulation. The communication between the AP and the authentication server takes place by the RADIUS protocol [6] using its attributes. The RADIUS protocol also provides a mechanism to verify the per packet integrity.

Since we have utilized elliptic curve based cryptographic (ECC) algorithms in our proposed key agreement protocol, a brief description of ECC is given in the following section.

IV. ELLIPTIC CURVE CRYPTOGRAPHY

Reference [15] has provided a detailed discussion of why it is a good choice to use ECC in wireless LAN. In the following subsections we describe why we select ECC as our choice of algorithms and we also briefly describe the ECDH and ECDSA algorithms.

A. Benefits of ECC Based Cryptosystems

Among the public key cryptosystems, the most extensively reviewed schemes are Rivest Shamir and Adleman (RSA), Diffie-Hellman (DH) and elliptic curve cryptography (ECC). Among these three, the most deployed public key cryptosystem is the RSA system with 1024-bit keys having 80-bit strength. Use of 1024-bit RSA key agreement in conjunction with 128-bit key AES encryption will reduce the overall system security strength to 80 bits. At present the cryptographic requirement of strength is 128 bits. To support this strength RSA/DH requires a minimum key size of 3072 bits whereas ECC requires a minimum key size of 283 bits. The smaller key is advantageous for a resource critical environment like WLAN where the mobile devices can save memory, computing power and battery [15]. Fig. 1 shows the advantages of using ECC over DH and RSA with respect to key size and processing power respectively. Furthermore, ECC is non-proprietary and there are several standards from various standards bodies such as IEEE, NIST, ANSI and IETF that provide guidelines regarding practical deployment in devices and systems.

Figure 1. Equivalent key size [15] and number of instructions [19] (ECC vs. RSA/DH).

B. ECC Algorithms Used

We have used ECDH [16] and ECDSA [17] for the session key generation and the entity authentication respectively. A very short review of ECDH and ECDSA is given below, as a detailed description of these algorithms is beyond the scope of this paper.

ECDH: The elliptic curve adaptation of the Diffie-Hellman exchange is known as elliptic curve Diffie-Hellman (ECDH) exchange. The requirement of the two parties involved in an ECDH exchange is that they share the same curve parameters and a generating base point prior to the start of communication. At first both the entities create their private keys by generating a random integer. They calculate their public key by scalar multiplication of the private key and the generating point (a point on the elliptic curve). Then they exchange the public key values through an insecure channel and multiply the locally generated private key with the other's public key to derive the symmetric shared key. Let Entity A and Entity B generate the random private keys x and y respectively. Their public keys are X and Y, where X = x·p and Y = y·p. Here, p is the point on the curve. After the exchange they finally derive the shared secret by x·Y and y·X respectively.

ECDSA: The elliptic curve adaptation of the digital signature algorithm is known as elliptic curve digital signature algorithm (ECDSA). The message to be signed is first hashed by the SHA-1 [18] algorithm to generate a message digest. It is then passed through the signature generation algorithm to generate the signature of the message. The receiver, after reception, passes the message through the same hash algorithm and then uses the signature verification algorithm to verify the signature. Upon successful verification of the message, the receiver authenticates the sender.

The following section describes the proposed protocol with its two different realizations in BSS and ESS networks respectively and categorically discusses the implementation, deployment and security issues.

V. PROPOSED KEY AGREEMENT PROTOCOL

Fig. 2 depicts our proposed key agreement (KA) protocol. Let the authentication process involve two entities, namely Entity A and Entity B. Let Entity A and Entity B generate random integers x and y correspondingly. These are also known as their private keys. Both the entities then calculate their public keys X and Y by scalar multiplication of their private keys and the shared generating base point. The operation of our proposed KA protocol starts with Entity A sending X to Entity B. Entity B in turn responds with Y in concatenation with the signature of the received X, and finally Entity A transmits the signature of both X and Y in concatenation. By using the above-mentioned three-way messaging as well as the ECDH and ECDSA algorithms both the entities will be able to authenticate each other and calculate a shared secret key that will in turn be used by a symmetric authenticated encryption scheme like AES-CCM. The general model of the protocol is then implanted into the BSS and ESS networks respectively. In case of BSS networks Entity A works as an AP, whereas in ESS networks it works as a RADIUS server. For both the networks Entity B works as a STA.

Figure 2. Proposed Three-Pass KA Protocol.

A. BSS Networks

In BSS networks, after the reception of the authentication request sent by the STA, the AP will start the KA protocol and, depending on the verification, success/failure messages will be sent to the STA as shown in Fig. 3. In case the STA detects the failure of the authentication process with the AP, it silently discards the session. All the messages used by the KA protocol for BSS networks use the WLAN frame format.

Figure 3. Message exchange of KA in BSS Network.

B. ESS Networks

In ESS networks, after the association phase and after the STA's response to AP's EAP-request ID, the AP becomes a pass through device and it passes the EAP-request ID to the RADIUS server. There the three-pass KA protocol commences by the server sending X to the STA. Depending on the result of the authentication, the success/failure is notified to both the STA and AP. In case of success the ephemeral session key is delivered to the AP and the AP responds with the session key acknowledgement. And finally the AP and the STA carry out the 4-way handshake, as defined in [3]. Unlike the KA protocol's message format in BSS networks, messaging in the ESS network uses the EAP packet format. As the protocol uses EAP mechanisms, implementation requires full conformance to the EAP protocol. Since the type field of the EAP packet format must not conflict with the other EAP authentication protocols, we propose EAP-KA as the name of the EAP type field within the EAP frame format used in the implementation. Fig. 4 and 5 show the implementation of the proposed KA protocol within the EAP stack [20] and the corresponding message exchanges involving AP, STA and the RADIUS server.

Figure 4. KA protocol in the EAP stack. [Layers labelled in the figure: Extensible Authentication Protocol (EAP), EAP over LAN (EAPOL).]

Figure 5. Message exchange of KA in ESS Network. [Participants: STA, AP, RADIUS. Labelled steps include EAPOL-Start, EAP-Request ID, Three Pass Key Agreement Message Sequence, Session Key ACK and Key Initiation.]

C. Discussion

Using Public Key: A public key (PK) based cryptographic mechanism has intentionally been avoided by the IEEE 802.11i, primarily because of the computational complexity of the algorithms. Using EAP-TLS in turn permits the user to use the PK systems in WLAN. Though this configuration allows the AP to avoid the large computation, the power constrained STA still needs to perform the calculations. In HIPERLAN/2 [21] [22] both AP and STA have been using an RSA-based signature scheme in their networks for several years, which is a far less efficient authentication scheme than ECC-based cryptography. Finally, as the processing power of small devices increases from day to day, we can argue that the KA protocol's use of PK is satisfactory as it is capable of providing a superior level of security.

BSS Networks: As our approach does not require implementing the EAP and the RADIUS protocol in the AP, more resources can be dedicated to the ECDH and ECDSA algorithms. Moreover it requires far fewer message sequences than the straightforward approach.

ESS Network: The proposed KA protocol in ESS network is fully compatible with the IEEE 802.11i RSN authentication. Essentially, RSN provided the mechanism for other authentication protocols to work under the security protocol standard. In contrast to BSS networks, APs for ESS networks do not need to support the ECDH and ECDSA algorithms. They only need to support the EAP and the RADIUS protocol, which will allow current APs to operate normally in this case. Implementation of the KA protocol only requires implementing it in the STA and the authentication server. For a corporate network, upgrading all the APs is much more cumbersome than upgrading the authentication servers and the clients [20]. This is because the servers are located centrally and there are a very small number of servers to be upgraded. Even though the number of STAs could be very high, responsibility of upgrading the stations can still be delegated to the users.

Security: The security strength of the proposed protocol for both the BSS and ESS relies on the underlying algorithms ECDSA and ECDH and the curve itself. Implementation and selection of the ECC curves and the generating points has to be strong. A randomly generated curve and point has to be validated by the validation algorithm provided by IEEE [16].

VI. CONCLUSIONS

Despite the popularity of the wireless LAN and its incorporated security features in IEEE 802.11, extensive literature review shows a range of design flaws in the standard. These flaws cause WLAN to become susceptible to security lapses and make it vulnerable to malicious outside attacks. Moreover, the strong IEEE 802.11i standard does not define any particular authentication key agreement protocol; instead it provides the mechanism to use other authentication protocols to secure WLAN. As they were designed for other specific networks some of them lack strength while the rest lack efficiency. To address both the issues we proposed an efficient elliptic curve base authenticated key agreement protocol for both BSS and ESS networks. The strength of our proposed protocol was also outlined to justify the importance of the protocol.

REFERENCES

[1] IEEE 802.11, IEEE Standard for Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY), 26 June 1997.
[2] Wi-Fi (Wireless Fidelity) Protected Access, Wi-Fi Alliance, 29 April 2003.
[3] IEEE 802.11i, Amendment 6: Medium Access Control (MAC) Security Enhancements, 23 July 2004.
[4] IEEE 802.1x-2001, IEEE Standards for Local and Metropolitan Area Networks: Port-Based Network Access Control (EAPOL), 14 June 2001.
[5] PPP Extensible Authentication Protocol (EAP), IETF RFC 2284, March 1998.
[6] Remote Authentication Dial In User Service (RADIUS), IETF RFC 2138, April 1997.
[7] D. L. Pepyne, Yu-Chi Ho, and Q. Zheng, "SPRiNG: Synchronized Random Numbers for Wireless Security," IEEE Wireless Communications and Networking Conf. (WCNC 2003), vol. 3, pp. 2027-2032, March 2003.
[8] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press Series on Discrete Mathematics and Its Applications, CRC Press, 1997.
[9] A very fast random number generator of period 2^19937-1, http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/emt.html
[10] N. Chandran and D. Sampath, "Strengthening WEP Protocol for Wireless Networks using Block Chaining Algorithm with Variable Encryption Function Mechanism," Advances in Wired and Wireless Communication, pp. 141-143, April 2004.
[11] PPP EAP TLS Authentication Protocol, IETF RFC 2716, October 1999.
[12] EAP Tunneled TLS Authentication Protocol (EAP-TTLS), IETF Internet Draft, February 2002.
[13] Extensible Authentication Protocol Method for GSM Subscriber Identity Modules (EAP-SIM), IETF, draft-haverinen-pppext-eap-sim-15.txt, 24 November 2004.
[14] EAP AKA Authentication, IETF, draft-arkko-pppext-eap-aka-05.txt, October 2002.
[15] K. Lauter, "The Advantages of Elliptic Curve Cryptography for Wireless Security," IEEE Wireless Communications Magazine, pp. 62-67, vol. 11, no. 1, February 2004.
[16] Standard Specifications for Public Key Cryptography, IEEE 1363, 2000.
[17] Don Johnson and Alfred Menezes, "The Elliptic Curve Digital Signature Algorithm (ECDSA)", Technical Report CORR 99-34, Dept. of C & O, University of Waterloo, Canada, 23 August 1999.
[18] Secure Hash Standard, Federal Information Processing Standards Publication 180-1, 17 April 1995.
[19] Securing the Web with Next-Generation Public-Key Cryptosystem, http://research.sun.co~~r~~ect~c~~to/S uv~1 O.pdf e~wor~~03
[20] A. Mishra, M. H. Shin, N. L. Petroni, Jr., T. Charles Clancy, and W. A. Arbaugh, "Proactive Key Distribution Using Neighbor Graph," IEEE Wireless Communications Magazine, pp. 26-36, vol. 11, no. 1, February 2004.
[21] Broadband Radio Access Networks (BRAN), HIPERLAN type 2, Data Link Control Layer (DLC) - Part 1: Basic Data Transport Functions, ETSI TS 101 761-1, Ver. 1.1.1, 2000-04.
[22] Broadband Radio Access Networks (BRAN), HIPERLAN type 2, Data Link Control Layer (DLC) - Part 2: Radio Link Control (RLC) sublayer, ETSI TS 101 761-2, Ver. 1.1.1, 2000-04.