Wi-Fi Protected Access (WPA) Implementation at the Children s Health System


Wi-Fi Protected Access (WPA) Implementation at the Children's Health System
Kalyana Sannedhi
kalyan@uab.edu
HI 699 Masters in Health Informatics
University of Alabama at Birmingham

Table of Contents
Introduction ... 4
Chapter 1. The IEEE 802.11 family of Standards ... 5
1.1 History of Wireless LANs ... 5
1.2 Current Wireless LAN Standards ... 6
1.3 Wireless LAN applications ... 8
Chapter 2. Wireless LAN Security ... 9
2.1 The WEP Privacy Algorithm ... 9
2.2 The WEP Authentication Process ... 11
2.2.i Filtering Techniques ... 11
2.3 Attacks on WEP ... 12
2.4 The IEEE 802.11i Standard ... 13
2.5 Wi-Fi Protected Access ... 15
Chapter 3. WPA Implementation at the Children's Health System ... 17
3.1 Brief overview of the wireless infrastructure at Children's Health System ... 17
3.2 Need to move on with the new security standards ... 18
3.3 Aegis Server for authentication ... 19
3.4 Aegis Server Configuration ... 22
3.5 Access Point Configuration ... 28
3.6 Aegis Client Configuration ... 31
3.7 Workgroup Bridge Configuration ... 33
Appendix A Proof of WPA Authentication of the Wireless Client ... 34
Appendix B Proof of WPA Authentication of the Workgroup Bridge ... 41
WPA References ... 42
Summary and Recommendations ... 44
Acknowledgements ... 46

Table of Figures
Figure 1.1 Ad-hoc mode ... 5
Figure 1.2 Infrastructure mode ... 6
Figure 2.1 WEP encryption ... 10
Figure 2.2 802.1x authentication ... 14
Figure 3.1 Aegis Server home screen ... 22
Figure 3.2 Aegis Server's Realms screen ... 23
Figure 3.3 Aegis Server's LDAP configuration module ... 23
Figure 3.4 Aegis Server's access point listing screen ... 24
Figure 3.5 Aegis Server's access point configuration screen ... 24
Figure 3.6 Aegis Server's authentication types screen ... 25
Figure 3.7 Available EAP types screen ... 25
Figure 3.8 Aegis Server's user listing screen ... 26
Figure 3.9 Aegis Server's user configuration screen ... 27
Figure 3.10 Access point configuration to use the authentication server ... 28
Figure 3.11 Access point configuration to allow only EAP clients ... 29
Figure 3.12 MIC, TKIP configuration on the access point ... 30
Figure 3.13 Latest Cisco wireless client adapter's configuration screen ... 31
Figure 3.14 Aegis Client configuration screen ... 32
Figure 3.15 Cisco Aironet Workgroup bridge configuration for LEAP authentication ... 33
Figure A.1 Aegis Client configuration screen ... 34
Figure A.2 Aegis Client authentication screen ... 34
Figure A.3 Wireless client's IP address assignment ... 35
Figure A.4 Proof of successful network connectivity after authentication ... 36
Figure A.5 Wireless client association with the access point ... 37
Figure A.6 Aegis Server's request response statistics ... 37
Figure A.7 Aegis Server's authentication statistics ... 38
Figure B.1 Workgroup bridge and wireless client association with the access point ... 41

Table of Tables
Table 2.1 Comparison of security standards ... 16
Table 3.1 WPA authentication methods ... 21
Table 3.2 Aegis Client parameter requirement for various EAP methods ... 32

Introduction

While most organizations recognize the benefits of wireless LANs such as mobility, cost savings, and convenience, many questions remain about security. Wireless LANs are not inherently secure, and security is the most challenging part of managing them. Weaknesses in the underlying 802.11 security capabilities have been well documented, and a range of freely downloadable hacking tools is widely available. Outside the formal standards bodies, the industry has reacted to the wireless LAN security problem in many different ways, often exacerbating the problem. Wireless LAN vendors have also taken a variety of security approaches, for example VPN. Most of these solutions are costly, not ideal for handheld devices, and sometimes provide easy targets for a variety of attacks.

However, a new wireless LAN security standard called Wi-Fi Protected Access (WPA) has emerged. WPA is a response from the Wi-Fi Alliance, a non-profit international association of wireless vendors. WPA offers strong authentication and encryption techniques without any extra overhead or loss of the convenience of using wireless LANs. WPA is also forward compatible with the much publicized IEEE 802.11i wireless security standard.

Hospitals are among the early adopters of wireless network technology, and they are also among the very few organizations that carry sensitive information. Hospitals are traditionally regulated by several federal agencies. The Office for Civil Rights enforces the Health Insurance Portability and Accountability Act (HIPAA), which mandates security of patient information through the Security and Privacy Rules. We at Children's Health System are fully aware of all these facts. As part of a Master's degree from the Department of Health Informatics, I implemented WPA on a test wireless LAN. This implementation provided very good experience and gave us confidence to move forward with the upcoming security standards.

This project report contains all the details of wireless security standards, current security approaches at Children's Health System, and the details of WPA components, setup, and configuration.

1. The IEEE 802.11 family of Standards

Wireless networks provide mobility and flexibility to Internet users. Wireless networks are also more economical and efficient than installing wired networks. With the market promotion of wireless network technologies, services and applications are increasing day by day. Industry as well as households are benefiting from this technology. However, the growth of this technology depends on the standards and regulations set by various organizations. The standards that govern wireless networks are expected to improve interoperability, compatibility, data rate, coverage, etc.

1.1 History of Wireless LANs

Wireless network technologies were immature until 1985, when the Federal Communications Commission (FCC) authorized the Industrial, Scientific, and Medical (ISM) frequency bands. Freeing up these three bands for commercial purposes accelerated the development of wireless LANs, because licenses are no longer required to operate in the ISM frequency bands. In 1989, the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.11 working group began elaborating the wireless LAN Medium Access Control and Physical layer specifications. The final draft was ratified on 26 June 1997.

The 802.11 standard defines what comprises a Basic Service Set (BSS). A BSS consists of two or more fixed, portable, and/or moving nodes that can communicate with each other or with the fixed network over the air in a geographically limited area. The IEEE standard specifies two wireless configuration modes, ad-hoc and infrastructure. The ad-hoc mode, also referred to as peer-to-peer mode or an Independent Basic Service Set (IBSS), is shown below.

Figure 1.1 Ad-hoc mode

This mode enables mobile stations to interconnect with each other directly without the use of an access point. All stations are usually independent in the ad-hoc mode. Stations broadcast and flood packets in the wireless coverage area without accessing the Internet. An ad-hoc network is easy to set up if users only need simple file transfer but no network access. In the infrastructure mode, by contrast, an access point is used to bridge wireless and wired networks to provide network access to wireless clients. The infrastructure mode configuration is shown below.

Figure 1.2 Infrastructure mode

A typical BSS looks like the above diagram. Each wireless station must be a member of a BSS to get network access. Multiple BSSs can be interconnected through a wired network to form an Extended Service Set (ESS). An ESS appears as a single logical LAN. The coverage areas of individual BSSs overlap to provide a handoff mechanism between any two access points.

1.2 Current Wireless LAN Standards

IEEE standards bodies include people from academia, business, the military, and the government. Because of the tremendous influence of wireless networks on the market, it takes many years to create standards. IEEE also allows a comment period for each standard.

The first IEEE 802.11 standard was proposed in 1997. Two years later, in September 1999, the 802.11b standard was proposed. Here is a brief overview of the various 802.11 standards.

IEEE 802.11: The original wireless LAN standard, which specifies the slowest data transfer rate. This standard contained all of the available transmission technologies at the physical layer, including Direct Sequence Spread Spectrum (DSSS), Frequency Hopping Spread Spectrum (FHSS), and infrared. More specifically, the IEEE 802.11 standard describes DSSS systems that operate at 1 Mbps and 2 Mbps. All 802.11 compliant products operate strictly in the 2.4 GHz ISM band between 2.4 and 2.4835 GHz.

IEEE 802.11b: This standard is also widely promoted as Wi-Fi by the Wireless Ethernet Compatibility Alliance (WECA). It operates in the same frequency band as the original 802.11 standard but provides a data rate of up to 11 Mbps, which is comparable to a regular Ethernet network. This standard also provided interoperability among products from different vendors and compatibility with the older 802.11 products. The high data rate of 802.11b products is a result of using a different coding technique called Complementary Code Keying (CCK).

IEEE 802.11a: The IEEE 802.11a standard describes wireless LAN device operation in the 5 GHz UNII bands. Operation in the UNII bands makes these devices incompatible with all other devices complying with the other standards in the 802.11 series. This standard uses Orthogonal Frequency Division Multiplexing (OFDM), a different coding scheme that provides significantly higher data rates, up to 54 Mbps and beyond (using a rate doubling technique).

802.11g: This is the most recent standard based on the 802.11 standard; it describes data transfer rates equal to those of the 802.11a standard. The 802.11g standard is also backward compatible with the popular 802.11b standard. This backward compatibility also makes wireless LAN upgrades easy and inexpensive. The 802.11g standard uses two optional modulation techniques. Packet Binary Convolution Code (PBCC) modulation supports both 22 Mbps and 33 Mbps data rates, and OFDM supports a data rate of 54 Mbps.

802.11i: This standard, still in draft form, supports enhanced security and authentication mechanisms for IEEE 802.11 systems. It has adopted IEEE 802.1x, a port-based network access control standard, to authenticate wireless users. The 802.1x standard leverages the existing authentication protocol called Extensible Authentication Protocol (EAP). This standard supports two different encryption algorithms: WEP2 (also called Temporal Key Integrity Protocol (TKIP)), which is an enhanced version of WEP, and the Advanced Encryption Standard (AES).

Apart from the above standards, IEEE committees are working on the 802.11e standard to support Quality of Service (QoS) in wireless devices and the 802.11f standard for multivendor access point interoperability.

1.3 Wireless LAN applications

As a technology, wireless LANs have enjoyed a very fast adoption rate due to the many advantages they offer in a variety of situations. Some of the most common and appropriate uses are explained below.

Network Extension: Wireless LANs can serve as an extension to a wired network. A wireless LAN saves the cost of LAN cabling and eases the task of relocation. For example, in a large warehouse the distances may be too great to use Category 5 cable to set up an Ethernet network. Other examples include buildings with large open areas such as manufacturing plants, stock exchange trading floors, and warehouses; historical buildings with insufficient twisted pair where drilling holes for new wiring is prohibited; and small offices where installation and maintenance of wired LANs is not economical. For all these scenarios wireless LANs provide an effective and more attractive alternative.

Cross-building Interconnect: Wireless technology is useful to interconnect LANs in nearby buildings, whether wired or wireless LANs. A point-to-point wireless link can be established between two buildings. The other type of cross-building connectivity is point-to-multipoint (PTMP). The devices connected in such a way are typically bridges or routers, and they use either semi-directional or highly directional antennas at each end of the link. This type of wireless interconnectivity avoids running cables underground from one building to another or renting expensive leased lines from a local telephone company.

Last Mile Data Delivery: Wireless Internet Service Providers (WISPs) are now taking advantage of the latest developments in wireless networking to provide last mile data delivery services to their customers. Last mile refers to the communications infrastructure between the central office of the telecommunications company and the end user. This is an ideal solution for telecom and cable companies that are encountering difficulties expanding their networks because of geographical barriers. It also provides an opportunity to offer data delivery services to rural communities.

Small Office Home Office: Wireless devices are very beneficial for home users and small offices that want to share a single Internet connection. The only alternative is to run cables throughout the office to connect all workstations, which is costly and offers no mobility.

Ad-Hoc Networking: As mentioned earlier, this is a peer-to-peer network without any centralized bridge, set up to meet some immediate need such as a simple file transfer. For example, a group of employees, each with a laptop or palmtop computer, can assemble in a conference room for a business or classroom meeting and link their computers to form a temporary network just for the duration of the meeting.

2. Wireless LAN Security

Wireless LANs are not inherently secure because the data transfer is not physically confined as it is in wired networks, and bad press, such as the "Ethernet jack in the parking lot" analogy, is holding back businesses and home users from embracing wireless LAN technology. Organizations like hospitals and banks, where sensitive data is transferred all the time, will undoubtedly require user authentication to prevent unauthorized access and strong encryption to protect the privacy of the data.

The IEEE 802.11b standard made many improvements over its predecessor, the IEEE 802.11 standard. These improvements include the Wired Equivalent Privacy (WEP) protocol and filtering techniques. WEP provides encryption with built-in message authentication and data integrity. WEP is a simple protocol that utilizes a Pseudo-Random Number Generator (PRNG) and the RC4 stream cipher. When the 802.11 standard was approved, manufacturers of wireless LAN equipment rushed their products to market without much consideration of security. However, the 802.11 standard specifies the following criteria for security:
Exportable
Reasonably strong
Self-synchronizing
Computationally efficient
Optional

WEP meets all these requirements. How WEP provides privacy, data integrity, and authentication is explained below.

2.1 The WEP Privacy Algorithm

With wireless LANs, eavesdropping is a major concern because of the ease of capturing a data transmission. WEP provides a modest level of security. To provide privacy as well as data integrity, WEP uses an encryption algorithm based on RC4. RC4 is the most widely used stream cipher in software applications. It was designed by Ron Rivest in 1987 and kept as a trade secret until the source code was leaked by an unknown party to the Cypherpunks mailing list in 1994. RC4 consists of two stages: a Key Scheduling Algorithm (KSA) and a Pseudo-Random Generation Algorithm (PRGA). The KSA turns a randomly selected key (the shared key in the case of the WEP implementation) into a permutation to derive the initial state, and the PRGA uses this permutation to generate a pseudo-random output key sequence. For the encryption process, a 40-bit or 104-bit secret key is shared by the two participants exchanging data. The data integrity algorithm is simply a 32-bit Cyclic Redundancy Check (CRC) value appended to the end of each Medium Access Control (MAC) frame. The WEP encryption and decryption processes are shown in the figure below.

Figure 2.1 WEP encryption (diagram: for encryption, the IV and secret key form the seed of the WEP PRNG, and the key sequence is XORed with the plain text plus the ICV from the integrity algorithm to give the cipher text; for decryption, the received IV and secret key regenerate the key sequence, and the recomputed ICV is compared with the received one)

An Initialization Vector (IV) is concatenated to the secret key. The resulting block forms the seed that is input to the PRNG. The PRNG generates a bit sequence of the same length as the MAC frame plus its CRC. A bit-by-bit exclusive-or (XOR) between the MAC frame and the PRNG sequence produces the cipher text. The IV is attached to the cipher text and the resulting block is transmitted to the receiver. A different IV is used for each data block. Each time the IV changes, the PRNG sequence also changes. At the receiving end, the receiver retrieves the IV from the data block and concatenates it with the shared secret key to generate the same key sequence used by the sender. This key sequence is then XORed with the incoming block to recover the plain text. This works because XORing a plain text with the same key sequence twice yields the original plain text. Finally, the receiver compares the incoming CRC with the CRC calculated at the receiver to validate data integrity. If the CRC values don't match, the receiver rejects the data.
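The encryption and decryption paths just described, as an added example written for this page (it is not code from the report): RC4's KSA and PRGA, the CRC-32 integrity check value, and WEP encapsulation of a frame under a 24-bit IV and a 40- or 104-bit secret key. The key, IV and plaintext values are constructed for illustration; the receiver side returns None when the ICV check fails, which is the "reject the data" branch of the text.

```python
"""Added example (not from the report): WEP-style RC4 encapsulation.

seed       = IV || secret key
keystream  = RC4(seed)
ciphertext = (plaintext || ICV) XOR keystream, transmitted as IV || ciphertext
"""
import struct
import zlib


def rc4_ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: turn the seed into a 256-entry permutation."""
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    return state


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Pseudo-Random Generation Algorithm: walk the permutation to emit `length` bytes."""
    state = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP's integrity algorithm: CRC-32 over the frame body, little-endian on the wire."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || ((plaintext || ICV) XOR keystream), as the sender transmits it."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits (3 bytes)")
    if len(secret_key) not in (5, 13):
        raise ValueError("WEP secret key is 40 or 104 bits")
    body = plaintext + icv(plaintext)
    keystream = rc4_keystream(iv + secret_key, len(body))
    return iv + _xor(body, keystream)


def wep_decrypt(secret_key: bytes, frame: bytes):
    """Recover the plaintext; return None when the ICV does not match (frame rejected)."""
    iv, ciphertext = frame[:3], frame[3:]
    if len(ciphertext) < 4:
        return None
    keystream = rc4_keystream(iv + secret_key, len(ciphertext))
    body = _xor(ciphertext, keystream)
    plaintext, received_icv = body[:-4], body[-4:]
    if received_icv != icv(plaintext):  # receiver's CRC comparison
        return None
    return plaintext


if __name__ == "__main__":
    # Constructed values: a 40-bit key, one IV and a short frame body.
    key, iv = bytes.fromhex("0102030405"), bytes.fromhex("000001")
    frame = wep_encrypt(key, iv, b"hello wep")
    print(frame.hex(), wep_decrypt(key, frame))
```

The RC4 core is checked against the standard published test vector (key "Key"), so the keystream is the real RC4 output; the ICV layout follows the description above and a single flipped ciphertext byte makes the receiver reject the frame.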

2.2 The WEP Authentication Process

WEP provides two types of authentication: open system and shared key. Shared key authentication forces all clients joining the network to confirm that they have the correct key. To confirm, the access point first sends a challenge string to the client. The client encrypts this string using the shared secret key and then sends it back to the access point. If the access point determines that the string is encrypted properly, the client gains access to the network. Open authentication does not require this handshake; it simply relies on the fact that a client that does not have the right key cannot read encrypted data.

2.2.i Filtering Techniques

Initially many vendors did not implement WEP and developed alternative solutions, such as filtering, which are easily deployable. Filtering keeps out unauthorized users and allows the authorized ones. There are three basic types of filtering that can be performed on wireless LANs to provide security.

SSID filtering: The SSID (Service Set Identifier) is another term for the network name. The SSID of a wireless client must match the SSID on the access point (infrastructure mode) or of the other station (ad-hoc mode) in order for it to authenticate and associate to the basic service set. By default, wireless access points announce their presence by sending beacon frames over the air. Beacon frames contain the SSID, or the name of the network, in clear text. This makes it easy to find the SSID using any freely available wireless sniffer such as Netstumbler. Network administrators can take the SSID out of the beacon frames through SSID filtering to make the system a closed one. But default SSIDs, and SSIDs that are related to company or department names, are easy for attackers to guess.

MAC address filtering: Wireless LANs can filter traffic based on the MAC addresses of wireless clients. The network administrator can compile, distribute, and maintain a list of allowable MAC addresses and program them into each access point on a network. If a client with a wireless adapter address that is not in the access point's MAC filter list tries to gain access to the wireless LAN, the MAC address filter functionality will not let it associate. But MAC address filtering identifies stations, not users. Also, MAC addresses are easy for malicious users with sufficient operating system privileges to masquerade.

Protocol filtering: Wireless LANs can filter packets traversing a network based on layer 3-7 protocols. For example, if users only require Internet access, then filtering out every protocol except POP3, HTTP, HTTPS, and any instant messaging protocols would prevent wireless network users from accessing internal database systems.

All these filtering techniques can be used in addition to WEP for extra security.

2.3 Attacks on WEP

Although WEP incorporates several mechanisms to help secure wireless traffic, many attacks have surfaced over time, demonstrating that WEP fails to enforce access control and cannot guarantee the privacy or integrity of data transmissions.

Shared key authentication and access control: Shared key authentication puts network access control at risk. Challenging a new client to ensure it has the correct key provides an eavesdropper with useful information for compromising network access. By listening to the handshake, the eavesdropper obtains the initial unencrypted challenge message that the access point sent, as well as the encrypted response from the client. From these two pieces of information the eavesdropper can conduct an off-line known plain text attack.

Initialization Vector and privacy: Data privacy is at risk when any two messages are encrypted with the same key sequence. Because the key sequence depends on a combination of the secret key and an IV, and because the secret key is always constant, an eavesdropper can determine that two messages are encrypted with the same key sequence simply by comparing their IVs, which are always sent in plain text. If two different plain text messages are encrypted using the same key sequence and one of the plain texts is known (email headers, web page requests, etc.), the other plain text can be easily computed. Such attacks would not be possible if the IVs were non-repeating. However, with a 24-bit IV, at most 2^24 possible values exist. In high-traffic environments, IVs are guaranteed to repeat in a matter of hours. Some vendors designed IVs to start at zero and subsequently increment the IV for each transmitted packet. Also, some implementations reinitialize the IV to zero each time the access point or client is started. Each of these faulty implementations increases the chance of repeating IVs, which results in repeated key sequences.

Checksum value and data integrity: WEP uses the CRC-32 algorithm to detect random errors but fails to detect intentional or malicious modifications, because CRC-32 depends exclusively on the message, i.e., it is computed independently of the secret key and IV. As explained earlier, the receiver accepts the message after decryption if the checksum appended to the message matches the checksum computed on the received data. If an attacker modifies a data packet and changes the appended checksum to reflect this modification, the receiver will unknowingly accept the message as unaltered.

Some of the other problems with WEP:
i. It lacks tools for key management.
ii. Authentication is done only one way.
iii. WEP cracking tools are widely available.
iv. It is vulnerable to replay attacks.
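A monitoring-side view of the IV problem described above, as an added example (not from the report): a detector that consumes the transmitter address and 24-bit IV of each captured WEP frame, flags every IV that repeats (the same key sequence used twice), and estimates how quickly a sequentially incrementing IV wraps at a given frame rate. The capture it scans is constructed, not real traffic, and models the "restart at zero on reboot" behaviour the text mentions. Since the WEP key is shared network-wide, the monitor can also be run across all senders, which is the stricter check.

```python
"""Added example (not from the report): IV reuse monitor for WEP traffic."""
from collections import defaultdict

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS       # 16,777,216 possible IV values


class IvReuseMonitor:
    """Flags IVs that repeat for one transmitter, or for the whole network when
    network_wide=True (WEP's key is shared, so any repeat reuses the key sequence)."""

    def __init__(self, network_wide: bool = False):
        self.network_wide = network_wide
        self.seen = defaultdict(set)      # scope -> IVs already observed
        self.alerts = []                  # (frame_no, transmitter, iv)

    def _scope(self, transmitter: str) -> str:
        return "*" if self.network_wide else transmitter

    def observe(self, frame_no: int, transmitter: str, iv: int) -> bool:
        """Record one frame; return True if its IV was already used in this scope."""
        if not 0 <= iv < IV_SPACE:
            raise ValueError("WEP IV must fit in 24 bits")
        scope = self._scope(transmitter)
        repeated = iv in self.seen[scope]
        if repeated:
            self.alerts.append((frame_no, transmitter, iv))
        self.seen[scope].add(iv)
        return repeated

    def consumed(self, transmitter: str) -> float:
        """Fraction of the 2^24 IV space already used in this transmitter's scope."""
        return len(self.seen[self._scope(transmitter)]) / IV_SPACE


def hours_until_wrap(frames_per_second: float) -> float:
    """Time for a sequential 24-bit IV to wrap and start repeating at a given rate."""
    return IV_SPACE / frames_per_second / 3600


# Constructed capture (not real traffic): station "aa" counts its IV up, reboots,
# and restarts at zero; station "bb" uses IV 1 for the first time.
STATION_A = "00:11:22:aa:aa:aa"
STATION_B = "00:11:22:bb:bb:bb"
SAMPLE_CAPTURE = [
    (1, STATION_A, 0x000000),
    (2, STATION_A, 0x000001),
    (3, STATION_A, 0x000002),
    (4, STATION_A, 0x000000),   # after reboot: IV restarted, key sequence reused
    (5, STATION_A, 0x000001),
    (6, STATION_B, 0x000001),   # repeat only when viewed network-wide
]


def scan(capture, network_wide: bool = False):
    """Return the reuse alerts found in a capture of (frame_no, transmitter, iv)."""
    monitor = IvReuseMonitor(network_wide=network_wide)
    for frame_no, transmitter, iv in capture:
        monitor.observe(frame_no, transmitter, iv)
    return monitor.alerts


if __name__ == "__main__":
    print("per-sender alerts:", scan(SAMPLE_CAPTURE))
    print("network-wide alerts:", scan(SAMPLE_CAPTURE, network_wide=True))
    print("hours until a sequential IV wraps at 500 frames/s: %.2f" % hours_until_wrap(500))
```

At 500 frames per second a sequential IV wraps in about 9.3 hours, which is the "matter of hours" figure the text gives; a real monitor would read the IV from the first three bytes of each WEP frame body and would raise the per-sender alert on frame 4 in the constructed capture.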

All these attacks show what can arise when security is not designed in from the ground up. Because of all these vulnerabilities of WEP, IEEE formed a new committee in 2001 to design a new security standard for wireless LANs. This standard, called the 802.11i wireless security standard, strictly focuses on security and on improving upon the protocols offered by previous 802.11 standards.

2.4 The IEEE 802.11i Standard

The IEEE 802.11i task group was formed to address the security concerns that are preventing wider adoption of wireless networking. This task group is improving security through enhancements to the current 802.11 MAC layer. This standard includes another IEEE standard, 802.1x, to improve access control on wireless networks through a more rigorous authentication mechanism. The 802.1x standard provides per-port user authentication. This security standard was originally designed for Ethernet switches. When a user attempts to connect to an Ethernet port, the port places the user's connection in blocked mode, awaiting verification of the user's identity with a backend authentication system. When combined with the Extensible Authentication Protocol (EAP), defined by RFC 2284, the 802.1x standard can provide a very secure and flexible environment based on the various authentication schemes available today.

The following five components are required to implement the 802.1x standard.

Compatible client device: Typical clients include laptops and PDAs. Any device that desires to join a wireless network is called a supplicant.

Supplicant software: This software provides the logic a device needs to present its credentials and follow the proper protocol for joining the network as a client.

Authenticator: The authenticator is a wireless access point that must verify the identity of a supplicant before granting network access to it.

Authentication server: This can be a Remote Authentication Dial-In User Service (RADIUS) server or any other service capable of supporting the EAP standard. The authentication server handles authentication requests relayed by authenticators from supplicants.

User database: The user database is a list of valid users and their credentials that the authentication server consults to validate authentication requests. This database may be a simple flat file or a service provided by a directory infrastructure, such as the Microsoft Active Directory service or the Lightweight Directory Access Protocol (LDAP).

The authentication process begins when a client attempts to connect to the access point. The access point opens the restricted port and allows the client to pass EAP packets to the authentication server on the wired side of the access point. All other types of traffic are blocked by the port. The 802.1x protocol involves the following seven basic steps.
i. The supplicant presents the authenticator with an EAP response/identity request.
ii. The authenticator relays the request to the authentication server; at this point, the supplicant's access is restricted to the authentication server.

iii. Server issues a challenge and passes it back to the supplicant. iv. Supplicant answers the challenge by sending the necessary credentials back to the authentication server. v. Server verifies the user credentials against the user database. If they are valid server responds with a success message. vi. Authenticator increases scope of the client s access. vii. Authenticator notifies the client that it may participate on the network. All these seven steps are illustrated in the following diagram. iii. Issue challenge v. Validate response Authentication Server Authenticator ii. Limit access to Authentication server vi. Allow access to network Supplicant i. Request iv. Answer vii. Use other access challenge network resources Figure 2.2 802.1x authentication Enhanced key management and Privacy: Because the key sequence used to encrypt the data largely depends on the secret key, the new standard contains enhanced key management features. Unlike WEP which forces a common key to be manually entered and updated on every member of the network, the 802.11i standard uses automatically generated per-user, per-session keys. These keys, generated using a central key distribution system, are assigned to both the client and the access point for each session. After the successful mutual authentication between the access point and the client, a key exchange process occurs, called 4-way and group key handshakes. The 4-way handshake establishes the unicast key while the group key handshake establishes and distributes the group key needed for broadcast communication. Thus, the 802.11i standard uses a completely different key for broadcast traffic. 14

In addition, 802.11i includes several privacy enhancements, among them the Temporal Key Integrity Protocol (TKIP). TKIP is essentially WEP with the following three enhancements.

i. Extended IV: The IV is extended from a 24-bit to a 48-bit value, so the IV space is no longer exhausted (and reused) within the lifetime of a key, which removes the IV collisions WEP suffered from.
ii. IV sequence counter: The IV is used as a packet sequence counter. It is reset to zero only when new base keys are established, not at every restart as with WEP, and frames that arrive with an IV at or below the last one accepted are discarded as replays.
iii. Per-packet key construction: WEP derived the key stream solely from the IV and the constant secret key. TKIP instead mixes the base key, the transmitter's hardware (MAC) address, and the IV to produce a different RC4 key for every packet.

Michael algorithm and data integrity: A new algorithm called Michael generates a 64-bit (8-byte) Message Integrity Check (MIC) value for each packet. The MIC is computed with a dedicated MIC key over the source and destination addresses and the plaintext payload, appended to the data before the CRC, and encrypted along with the data. Because an eavesdropper has neither the MIC key nor the plaintext, the MIC cannot be recalculated or adjusted the way the linear CRC could. 802.11i also specifies countermeasures when two MIC failures occur within a minute: the station stops TKIP traffic for 60 seconds and the keys are renegotiated (re-keyed), and the failures are logged so that the network administrator is notified.

The 802.11i standard is still evolving and is expected to be ratified by the middle of 2004. The Wi-Fi Alliance has released key components of 802.11i under the name Wi-Fi Protected Access (WPA) as an interim standard. WPA is expected to fill the gap until 802.11i products reach the market.

2.5 Wi-Fi Protected Access

WPA is a subset of the 802.11i standard and is expected to remain forward compatible with it. WPA has the following features.

i. Backward compatibility with existing 802.11 hardware
ii. Only software or firmware upgrades are required
iii. Inexpensive in terms of time and cost to implement
iv. Different versions for home, small business, and enterprise environments
v. 802.1x authentication
vi. TKIP
vii. Michael algorithm
viii. Key management

Together these features close the security holes in WEP. Some features of 802.11i, such as Advanced Encryption Standard (AES) encryption and ad-hoc (peer-to-peer) security, do not appear in WPA because they require hardware upgrades or were judged less critical from a security standpoint.
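The Michael MIC and the countermeasure rule described above, as an added example in Python. This is not code from the paper or from any of the products it discusses: it implements the Michael block function and padding exactly as 802.11i defines them, computes the MIC over the fields TKIP protects (destination address, source address, priority, payload), checks a received MIC in constant time, and applies the two-failures-within-60-seconds rule. The key, addresses and payload are constructed test data; the all-zero-key value it produces for an empty message matches the Michael test vector in the 802.11i specification.

```python
"""Michael MIC (IEEE 802.11i, TKIP) and the MIC-failure countermeasure rule.

Added example, not code from the paper or from Cisco/Meetinghouse products.
Keys, addresses and payloads used below are constructed test data.
"""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror32(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x):
    # Swap the two bytes of each 16-bit half: b3 b2 b1 b0 -> b2 b3 b0 b1
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(left, right):
    """Michael block function b(L, R): four add/rotate/xor rounds."""
    right ^= _rol32(left, 17)
    left = (left + right) & MASK32
    right ^= _xswap(left)
    left = (left + right) & MASK32
    right ^= _rol32(left, 3)
    left = (left + right) & MASK32
    right ^= _ror32(left, 2)
    left = (left + right) & MASK32
    return left, right


def michael(key, msg):
    """Return the 64-bit (8-byte) Michael MIC of msg under an 8-byte key."""
    if len(key) != 8:
        raise ValueError("Michael uses a 64-bit key")
    left, right = struct.unpack("<II", key)  # K0, K1, little-endian
    # Padding: one 0x5a byte, then four to seven 0x00 bytes, to a multiple of 4
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        left ^= word
        left, right = _block(left, right)
    return struct.pack("<II", left, right)


def tkip_mic(mic_key, dst, src, priority, msdu):
    """MIC over what TKIP protects: DA, SA, priority, three zero bytes, payload.

    Covering the addresses stops a captured frame from being redirected;
    covering the plaintext payload is what the linear WEP CRC could not do.
    """
    header = dst + src + bytes([priority, 0, 0, 0])
    return michael(mic_key, header + msdu)


def verify_mic(mic_key, dst, src, priority, msdu, received_mic):
    """Receiver-side check; constant-time compare so timing leaks nothing."""
    return hmac.compare_digest(tkip_mic(mic_key, dst, src, priority, msdu), received_mic)


class MicFailureCounter:
    """802.11i countermeasure rule: a second MIC failure within 60 s of the
    previous one means the station must stop TKIP traffic for 60 s and re-key.
    """
    WINDOW = 60.0

    def __init__(self):
        self.last_failure = None

    def record_failure(self, now):
        """Return True when countermeasures must start."""
        trigger = self.last_failure is not None and now - self.last_failure < self.WINDOW
        self.last_failure = now
        return trigger


if __name__ == "__main__":
    # Constructed addresses, MIC key and payload.
    da = bytes.fromhex("020000000001")
    sa = bytes.fromhex("020000000002")
    key = bytes.fromhex("0123456789abcdef")
    payload = b"GET /patients/summary HTTP/1.0\r\n"
    mic = tkip_mic(key, da, sa, 0, payload)
    print("MIC:", mic.hex())
    print("tampered payload accepted?", verify_mic(key, da, sa, 0, payload[:-1] + b"X", mic))
```

Michael is deliberately cheap enough for the firmware of existing cards, which is why it is only a 2^20 work-factor forgery barrier and why the countermeasure rule exists; the counter class is the part a driver author has to get right, not the hash itself.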

WPA should provide robust wireless security unless one of the following requirements arises:

i. Business with the US government: the US government mandates AES encryption.
ii. Ad-hoc network support.
iii. Smooth roaming: 802.11i adds pre-authentication, which lets a client that is already authenticated to one access point authenticate to a neighbouring access point through the wired network before it roams there, so the move does not require a full 802.1x exchange. WPA does not include this feature.

Table 2.1 compares WEP, WPA, and the 802.11i standard.

Table 2.1 Comparison of security standards

                          WEP               WPA                      802.11i standard
Cipher algorithm          RC4               RC4                      Rijndael (AES)
Encryption key length     40-bit, 104-bit   128-bit                  128-bit
IV length                 24-bit            48-bit                   48-bit
Integrity check           CRC-32            Michael                  CCM (Counter mode with Cipher Block Chaining MAC)
Key management            Manual            802.1x (EAP)             802.1x (EAP)
Key unique to             Network           Packet, session, user    Packet, session, user
Ad-hoc (P2P) security     No                No                       Yes

3. WPA Implementation at the Children's Health System

As mentioned in the previous chapter, the IEEE 802.11i security standard is expected to be released by the middle of 2004, and it may take a few more months after that for vendors to ship 802.11i-compliant products. The Wi-Fi Alliance has released WPA as an interim standard so that wireless users can secure their networks in the meantime. We at Children's Health System decided to implement this standard; it offers a good learning experience before we fully support 802.11i at the enterprise level. WPA as used here combines two pieces: 802.1x for authentication and TKIP for encryption.

3.1 Brief overview of the wireless infrastructure at Children's Health System

Children's Hospital is proud to be one of the early implementers of wireless technology in the Birmingham metro area. A large wireless network was set up in 2000 using Symbol Spectrum24 access points to support mobile stations on half of the hospital's floors. The Symbol access points support the original IEEE 802.11 standard at a 2 Mbps data rate. Hardware (MAC) address filtering and SSID filtering were the only security measures available on these access points.

In 2002 we slowly started moving to the IEEE 802.11b standard, which operates at an 11 Mbps data rate, using Cisco Aironet 1200 access points, and at the same time began replacing the existing Symbol access points with the Cisco units. Users were excited about the better data rate and more consistent performance of the new implementation. The 802.11b access points supported the following security features.

i. SSID filtering
ii. Hardware address filtering
iii. Protocol filtering
iv. Static WEP key support

The IEEE 802.11b wireless LAN covers the following buildings.

i. Children's Hospital
ii. Midtown Center
iii. Children's Hospital Office Building
iv. Ambulatory Care Center

Wireless technology was quickly adopted by many users at our facility on laptops, PDAs, mobile carts, and similar devices, and various clinical applications are supported on them. For example, MercuryMD's MData integrates hospital data from the existing clinical information systems and securely delivers patient information, including demographics, laboratory results, medication lists, diagnostic reports, consults, and transcribed reports, directly to clinicians' handheld devices. Physicians and nurses place their handheld devices in synch stations, which are wirelessly connected to the MData server, to retrieve the required patient information; devices that are themselves wireless capable can connect to the MData server directly. Such implementations quickly popularized the usefulness of wireless LANs among the user community. They also increased staff efficiency, saved time, and quickly realized a return on investment (ROI).

Children's Health System's wireless infrastructure includes the following devices:

i. Workstations running Windows NT, 2000, and XP
ii. PDAs running Windows CE, Pocket PC 2002, Pocket PC 2003, and Palm OS
iii. Cisco Aironet 1200 access points running VxWorks
iv. Cisco Aironet 350 Workgroup bridges

The sheer diversity of wireless devices made implementation of the new security standards complicated, especially for the Palm OS devices, which lacked built-in 802.1x supplicant software.

3.2 Need to move on with the new security standards

Some of the reasons why we wanted to introduce the new security standards are explained below.

i. Static WEP key implementation is time intensive and not very secure. With static WEP, the network administrators enter the same key into every wireless device, which takes an enormous amount of time to configure and maintain. There is also a chance of the key slipping into the hands of someone outside the wireless network team, and because every device shares it, one leaked key compromises the whole network. Beyond these operational problems, several vulnerabilities exist in WEP itself; all of them are elaborated in the previous chapter.

ii. Hardware address filtering is another security measure we have taken, and like static WEP management it is a time-intensive job. At present we enter each new client adapter's hardware address into one access point's Address Filters list and export the list to the rest of the access points. Some cards are issued temporarily and some of the existing cards get lost, and such events require frequent updates to the filters. At one point we considered purchasing wireless network management tools such as AirWave or Wavelink, which act as a central management system: hardware addresses entered in them are distributed to all access points and updates take effect immediately. However, these are very expensive solutions. Apart from the management hassles, hardware addresses are trivially spoofed, and they authenticate devices, not users.

iii. User authentication is currently non-existent on our wireless network.

We explored the different wireless security products in the market to find one that could solve the problems listed above and provide strong authentication, strong encryption, open standards compliance, and support for the various types of clients used in our hospital.

Funk Software and Meetinghouse Data Communications are among the few companies that offer software-based wireless LAN security solutions. Funk Software's Odyssey Client lets users connect to wireless LANs using security credentials such as user id and password, digital certificates, and so on. Odyssey Clients are available for Windows XP, 2000, xy, Me, Pocket PC, and Windows Mobile 2003, whereas Meetinghouse Data Communications has clients for all of those and for the Palm operating system as well. That is the solution we are interested in, as we have many users of Palm Tungsten C handhelds with built-in wireless adapters. Their Aegis Client supports the MD5, TLS, TTLS, Cisco LEAP, and PEAP authentication methods. Meetinghouse also makes Aegis Server to authenticate wireless LAN users. All of their products are standards based and interoperate with other vendors' solutions.

Aegis Server is an Authentication, Authorization, and Accounting (AAA) Remote Authentication Dial In User Service (RADIUS) server. It can be configured as a standalone server or as a proxy that passes user authentication credentials to a Windows Active Directory server, a Cisco Secure Access Control Server, or an LDAP server. When Aegis Server is used standalone, a user database of user ids and passwords is maintained on it to verify the supplied credentials. When it merely proxies the credentials to the domain directory service, the overall operation is simpler because a single credential store serves both domain and wireless LAN authentication. In addition to user authentication, access point authentication is also required on the wireless network, to ensure that users are connecting to legitimate access points.

3.3 Aegis Server for authentication

Aegis Server is a full implementation of the RADIUS protocol according to RFC 2865. Some of its features:

i. Supports EAP-MD5, EAP-TLS, EAP-TTLS, LEAP, and PEAP.
ii. LDAP authentication.
iii. Supports legacy authentication methods such as PAP, CHAP, MS-CHAP, MS-CHAP-V2, and UNIX password authentication.
iv. Legacy authentication requests sent through a secure TTLS tunnel can be handled by the Aegis Server itself or proxied to another RADIUS server, including Microsoft's IAS, Cisco's ACS, and Funk's Steel-Belted RADIUS.
v. It can be configured and monitored through a comprehensive graphical management console.

Aegis Server requirements: It can run on any modest Pentium-class machine. The hardware and software requirements are listed below.

i. Pentium 450 MHz or faster processor.
ii. 256 MB RAM or more.
iii. 10/100 Mbps Ethernet interface.
iv. Red Hat Linux 7.2 or later, Solaris 8.0, Windows 2000, or Windows XP.
v. Java Runtime Environment (JRE).
vi. Aegis Server must use a wired Ethernet connection; it must not sit on the same wireless network that it authenticates, since a server reachable only through the network it gates could never admit the first client.
vii. Aegis Server must be configured with a static IP address.
viii. Aegis Server must be installed on the same subnet as the access points (authenticators).

A trial version of Aegis Server was downloaded onto a Windows XP machine and installed in the Program Files folder. Aegis Server runs as a Windows service.

Aegis Server and TLS: Mutual authentication, to ensure the legitimacy of the network, and strong encryption, to prevent eavesdropping, are two of the major requirements of wireless LANs. The Internet Engineering Task Force's (IETF) well-known Transport Layer Security (TLS) protocol satisfies both. Three TLS-based methods have been developed for use with EAP and are suitable for wireless LAN deployments:

i. EAP-TLS: A TLS session is established between client and server, and certificate validation is required on both ends, so both server and client digital certificates are required.
ii. Tunneled Transport Layer Security (TTLS): An extension of TLS developed to remove the need for client-side certificates. First a TLS tunnel is established between the client and the TTLS server, and then an attribute-value pair exchange carrying the client's credentials takes place inside it. The tunnel protects only the client authentication data: once the client is verified the tunnel is torn down, and keying material derived from the TLS session is passed to the access point and used to set up the WEP or TKIP keys for the data traffic. A server digital certificate is required; a client digital certificate is optional.
iii. Protected EAP (PEAP): As with TTLS, an encrypted channel is established using a server certificate, over which the client authentication is securely conducted. PEAP likewise requires a digital certificate on the server side, while a client certificate is optional.

Some important points about digital certificate authentication:

i. A client digital certificate can be protected with a passphrase, a personal identification number, etc.
ii. A two-factor method such as smartcards can provide an extra level of security. The user credential (the client-side digital certificate) is stored on the card, and the user must enter a PIN to use it. This technique is very secure and guards against mistakes made through ignorance, such as passwords carelessly displayed on keyboards or monitors. Furthermore, if an employee leaves the company, he can be asked to return the smartcard, closing off that avenue of a potential security breach.
iii. EAP-TLS authentication requires an expensive PKI rollout; the work required to issue, manage, and revoke client certificates is considerable. TTLS and PEAP do not require a PKI rollout, since they need only server-side certificates.
iv. TTLS and PEAP are similar and operate in two stages. In stage one both protocols establish a TLS tunnel, authenticating the authentication server to the client with its certificate. In stage two the client credentials are transferred through the established secure tunnel. For this to hold, the supplicant must actually validate the server certificate against a trusted CA; a client configured to accept any server certificate can be tricked into sending its credentials to a rogue access point.

Aegis Server and MD5: MD5 is considered a base-level authentication method and is not appropriate where strong security is required. The server issues a random challenge and the client responds with a hash computed over the shared secret and the challenge. The method is prone to dictionary attacks, because an attacker who observes the exchange obtains both the challenge and its corresponding response and can test candidate passwords offline; it is therefore very important that users choose passwords that are not in any dictionary. MD5 is also a one-sided authentication method: the server is never authenticated to the client, so a client may be fooled into talking to a rogue access point deployed by a malicious person.

Aegis Server and LEAP: Cisco developed the Lightweight Extensible Authentication Protocol (LEAP), an EAP method carried over RADIUS, to authenticate 802.11 wireless clients. LEAP features mutual authentication, secure session key derivation, and dynamic per-user, per-session WEP keys. The mutual authentication relies on a shared secret, the user's logon password, which is known to both the client and the authentication server; it is used to answer challenges in both directions between the client and the RADIUS server. Because the password is the only secret in the exchange, LEAP has the same exposure to offline dictionary attacks on a captured challenge/response as MD5, and the same advice on password strength applies.
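The offline dictionary attack described above for EAP-MD5, as an added Python example that is not part of the paper or of the Aegis products. It implements the MD5-Challenge response the way RFC 2284 defines it (the PPP CHAP construction of RFC 1994), the server-side check, and the attacker's offline search over a wordlist; the identifier value, the wordlist and the passwords are assumptions constructed for the demonstration, and the same shape of attack applies to any password-only challenge/response such as LEAP.

```python
"""EAP-MD5 challenge/response and the offline dictionary attack it permits.

Added example, not code from the paper or the Aegis products. The identifier,
challenge, wordlist and passwords are constructed for the demonstration.
"""
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["password", "welcome1", "hospital", "children", "summer2003", "letmein"]


def eap_md5_response(identifier, password, challenge):
    """Supplicant side. EAP MD5-Challenge mirrors PPP CHAP (RFC 1994):
    Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode("utf-8") + challenge).digest()


def server_verify(identifier, stored_password, challenge, response):
    """Authentication server side. Note that it must hold the clear-text
    password (the 'requires clear text databases' caveat in Table 3.1)."""
    expected = eap_md5_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def offline_dictionary_attack(identifier, challenge, response, wordlist):
    """Attacker side. EAP frames travel in the clear before any session key
    exists, so challenge and response are both captured; each candidate is
    then tested locally, with no further contact with the server and no
    lockout counter to trip."""
    for candidate in wordlist:
        if eap_md5_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def run_exchange(password, wordlist=WORDLIST, identifier=7, challenge=None):
    """Simulate one EAP-MD5 exchange and an eavesdropper's attack on it.

    Returns (server_accepted, recovered_password): the server accepts a
    correct password either way, and the attack succeeds exactly when the
    password is in the dictionary, however random the challenge was."""
    if challenge is None:
        challenge = os.urandom(16)  # the server picks a fresh random challenge
    response = eap_md5_response(identifier, password, challenge)
    accepted = server_verify(identifier, password, challenge, response)
    recovered = offline_dictionary_attack(identifier, challenge, response, wordlist)
    return accepted, recovered


if __name__ == "__main__":
    print(run_exchange("hospital"))      # (True, 'hospital')
    print(run_exchange("Tq7!vR#9xLp2"))  # (True, None)
```

The random challenge prevents replay of an old response but does nothing against this attack, because the attacker recomputes the hash for each guess using the challenge he observed; only password entropy, or a method that hides the exchange inside a server-authenticated TLS tunnel, closes the gap.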
Initially Cisco LEAP was supported only by Cisco Aironet access points and Cisco Aironet wireless adapters. Recently Cisco started licensing the proprietary method to interested chipset makers through the Cisco Compatible Extensions (CCX) program, which lets a Cisco access point authenticate a non-Cisco wireless client with LEAP.

Table 3.1 compares the authentication methods discussed above.

Table 3.1 WPA authentication methods

EAP-MD5: standards based; client certificate: no; server certificate: no; dynamic key exchange: no; mutual authentication: no; user id and password: yes. Comments: easy to implement; one-sided authentication, vulnerable to man-in-the-middle attacks; requires clear-text password databases.

EAP-TLS: standards based; client certificate: yes; server certificate: yes; dynamic key exchange: yes; mutual authentication: yes; user id and password: no. Comments: mandates client certificates; involves a lot of maintenance and cost.

EAP-TTLS: standards based; client certificate: optional; server certificate: yes; dynamic key exchange: yes; mutual authentication: yes; user id and password: optional. Comments: creates a secure tunnel; supports legacy authentication methods.

EAP-PEAP: standards based; client certificate: optional; server certificate: yes; dynamic key exchange: yes; mutual authentication: yes; user id and password: optional. Comments: creates a secure tunnel; does not support legacy authentication methods.

EAP-LEAP: proprietary; client certificate: no; server certificate: no; dynamic key exchange: yes; mutual authentication: yes; user id and password: yes. Comments: proprietary solution; the access point must support LEAP.

3.4 Aegis Server Configuration

The Aegis Server console is a Java GUI. It allows configuration of the server and lets the administrator view the server's request and response statistics, per-method authentication statistics, and log information. The Aegis Server home screen is shown below; the default authentication and accounting ports are configured on this page.

Figure 3.1 Aegis Server home screen

The server policy can be either EAP or LDAP. If an external user id database is used to authenticate the wireless clients, a friendly Realm Name can be given to it under the Realms tab.

Figure 3.2 Aegis Server's Realms screen

The following screenshot shows the identity of the external LDAP server.

Figure 3.3 Aegis Server's LDAP configuration module

So that only legitimate access points can provide network access to the wireless clients, the authentication server requires each access point to share a secret with it; a RADIUS request from an address that is not on the list, or that does not carry the right secret, is silently discarded. The access points are configured under the NAS (Network Access Server) Clients tab.

Figure 3.4 Aegis Server's access point listing screen

These two access points are configured to provide WPA authentication. The individual configuration of one of them is shown below.

Figure 3.5 Aegis Server's access point configuration screen

The access point's name, IP address, and shared secret are shown in the screenshot above.

Modules: The Modules button is on the left-hand navigation. All the supported authentication types are shown under the Modules tab.

Figure 3.6 Aegis Server's authentication types screen

The properties of the EAP types discussed above can be set in the following screen.

Figure 3.7 Available EAP types screen

In our implementation LEAP is set as the preferred EAP type, but it can be changed to MD5, PEAP, TLS, or TTLS. If the supplicant does not support the offered type, it responds with an EAP-Nak packet naming an alternative EAP method; if the server does not support that alternative either, authentication fails. The AAA Policy settings, which configure the Authentication, Authorization, and Accounting policies, and the Storage Policy, which determines where the user database and log information are kept, can also be set on this screen. The Storage Policy can be set to store either locally or on a remote server.

Local Users: User and group accounts are configured by clicking the Local Users button on the left-hand navigation.

Figure 3.8 Aegis Server's user listing screen

Users may be assigned to one of the groups, and the authentication policy can be set as shown in the following screen. Aegis Server lets the administrator set the authentication type per user account: for example, user A may use the EAP authentication method whereas user B uses LDAP.

Figure 3.9 Aegis Server's user configuration screen

3.5 Access Point Configuration

We are using Cisco Aironet 1200 series access points as authenticators. The authentication port and shared secret parameters must match the Aegis Server settings, and the Aegis Server's IP address is entered on this screen so that the authenticator knows where the authentication server is.

Figure 3.10 Access point configuration to use the authentication server

The access point is also set to require connecting wireless clients to present their authentication details. At this stage it is still set to use the static WEP encryption method.

Figure 3.11 Access point configuration to allow only EAP clients

Static WEP, dynamic WEP, TKIP, and MIC: The access point can be configured to use either static or dynamic WEP keying. With static WEP keying the same WEP key has to be entered into each wireless client; with dynamic WEP keying no key setup is required on the clients at all, because the per-session keys delivered by the authentication server are used. The WEP key rotation interval is set on the following screen. With broadcast WEP key rotation enabled, the access point generates a dynamic broadcast WEP key and changes it at the configured interval. Broadcast key rotation is a good alternative to TKIP if the wireless network has many non-Cisco devices. Note that once it is enabled, only clients that use LEAP or EAP-TLS (methods that deliver dynamic keys) can access the network; clients set up for EAP-MD5 or for open or shared-key WEP authentication will lose wireless connectivity.

Figure 3.12 MIC, TKIP configuration on the access point

TKIP for encryption and MIC for message integrity can also be set on the screen above. Use Aironet Extensions should be left at its default of yes. If TKIP and MIC are enabled on the access point they must be enabled on the wireless client as well, or it will not be able to connect. Expect to see an AES encryption option in the future, as part of the 802.11i wireless security standard. As of now only a few clients support these two functions; for example, a Cisco Aironet 350 series wireless LAN adapter with the new Aironet Client Utility (ACU) supports TKIP. The WPA configuration for a Cisco Aironet 350 series wireless adapter is shown below.

Figure 3.13 Latest Cisco wireless client adapter's configuration screen

3.6 Aegis Client Configuration

For this project the Aegis Client is used as the supplicant. A screenshot of the Aegis Client is shown below. A separate profile can be set up for each wireless network; for example, one profile for the test network and another for the production network. In this example LEAP is set as the authentication type. The Identity and Password fields must both be set to the values created on the Aegis Server (the RADIUS server) for the client to connect to the network.

Figure 3.14 Aegis Client configuration screen

The authentication types and the parameters each one requires are shown in the following table.

Table 3.2 Aegis Client parameter requirements for the various EAP methods

Authentication type    Required parameters
MD5-Challenge          Identity, Password
TLS/Smart Card         Identity, Client Certificate
LEAP                   Identity, Password
TTLS                   Identity, Client Certificate; or Identity, Password, and the authentication protocol for the tunneled authentication
PEAP                   Identity, Client Certificate; or Identity, Password, and the authentication protocol for the tunneled authentication

These parameters must be filled in unless the Use Windows logon credentials box is checked. If that box is checked there is no need to enter the Identity and Password; the supplicant uses the Windows login information to authenticate the user to the wireless network.

3.7 Workgroup Bridge Configuration

Apart from the wireless laptops and PDAs, we have more than twenty Cisco Aironet 350 series Workgroup bridges spread throughout the hospital. They are used primarily to provide wireless network access to the MercuryMD MData synch stations; wireless connectivity eliminated the expensive and time-consuming job of running Ethernet cable to these stations. The Cisco Aironet 350 series Workgroup bridges currently run firmware version 8.84, which supports only EAP-LEAP authentication and static WEP keys for encryption. The configuration screen for a Workgroup bridge is shown below.

Figure 3.15 Cisco Aironet Workgroup bridge configuration for LEAP authentication

Appendix A Proof of WPA Authentication of the Wireless Client

A ViewSonic Tablet PC is used as the wireless client, with the Aegis Client supplicant software installed on it. The Aegis Server is installed on a Compaq laptop. The Cisco Aironet 1200 series access point is set up to request EAP credentials from the clients. Here is a screenshot of the Aegis Client's configuration (also shown in Chapter 3).

Figure A.1 Aegis Client configuration screen

Here is a screenshot of the wireless adapter establishing association with the nearest access point.

Figure A.2 Aegis Client authentication screen

After the user successfully submitted credentials, the client was allowed onto the network. Here is a screenshot of the IP address assignment.

Figure A.3 Wireless client's IP address assignment

Here is proof of successful network connectivity.

Figure A.4 Proof of successful network connectivity after authentication

Here is the access point's client association view. Notice that the rest of the wireless clients lost connectivity because they are not configured for authentication.

Figure A.5 Wireless client association with the access point

Aegis Server's received requests, sent responses, and authentication statistics are shown below.

Figure A.6 Aegis Server's request and response statistics

Figure A.7 Aegis Server's authentication statistics

Aegis Server's log for the exchange is shown below (my comments are in parentheses).

Dec 01 22:19:12: DEBUG: Incoming auth request   (the client's authentication request, relayed by the access point)
Dec 01 22:19:12: DEBUG: Received packet from 10.200.106.1xy.1263:   (access point's IP address and source port)
Code: Access-Request (1) ID: 235
User-Name: Kalyan   (user id)
CISCO-AV-Pair: 73 73 69 64 3D 43 48 53 43 49 53 43 4F   (ASCII "ssid=CHSCISCO", the SSID the client associated to)
NAS-IP-Address: 10.200.106.1xy   (access point's IP address)
Called-Station-Id: 30 30 30 63 33 30 36 63 32 31 62 61   (ASCII text of the access point's MAC address)
Calling-Station-Id: 30 30 30 35 33 63 30 38 31 39 31 37   (ASCII text of the client adapter's MAC address)
NAS-Identifier: 41 6E 64 79 27 73 20 4F 66 66 69 63 65   (ASCII text of the access point's configured name)
NAS-Port: 42
Framed-MTU: 1400
NAS-Port-Type: Wireless-802.11 (19)   (the request arrived over 802.11)
Service-Type: Login (1)   (client's request type)
EAP-Message: 02 07 00 0B 01 4B 61 6C 79 61 6E   (EAP Response, id 7, length 11, type 1 = Identity, "Kalyan")
Message-Authenticator: E0 8A 9C 84 60 CC C3 EA 17 1B F9 CF FF 22 0E EF   (HMAC-MD5 over the packet keyed with the shared secret, so a forged access point cannot inject EAP traffic)
Dec 01 22:19:12: DEBUG: Result of fetching user using 'fuser' instance: OK
Dec 01 22:19:12: DEBUG: Result of fetching user using 'local-storage' storage: OK   (the user record was found in the local user database)
Dec 01 22:19:12: DEBUG: Using authentication module 'eap'   (authentication module)
Dec 01 22:19:12: DEBUG: Created new state: 7 (001A25D8)   (the server creates conversation state 7; it is returned in the State attribute and echoed back by the access point in each following request)
Dec 01 22:19:12: DEBUG: Created new state 7.
Dec 01 22:19:12: DEBUG: Result of applying policy 'eap' (AUTHENTICATION): OK   (the EAP module accepted the identity and produced a challenge)
Dec 01 22:19:12: DEBUG: Sent packet to 10.200.106.1xy.1263:   (the access challenge is sent to the client via the access point)
Code: Access-Challenge (11) ID: 235
AS-Auth-Type: EAP (5)
AS-EAP-Type: LEAP (17)   (EAP-LEAP)
State: 43 30 31 30 33 30 32 30 5F 31 39... (17 bytes)
EAP-Message: 01 08 00 16 11 01 00 08 38 17 B2... (22 bytes)   (EAP Request, id 8, type 17 = LEAP, carrying the server's 8-byte challenge)
Message-Authenticator: AB 02 70 AC C9 60 EC A7 5B 06 EC 26 9F DA 91 55

Dec 01 22:19:12: DEBUG: Incoming auth request
Dec 01 22:19:12: DEBUG: Received packet from 10.200.106.1xy.1264:
Code: Access-Request (1) ID: 236
User-Name: Kalyan
CISCO-AV-Pair: 73 73 69 64 3D 43 48 53 43 49 53 43 4F
NAS-IP-Address: 10.200.106.1xy
Called-Station-Id: 30 30 30 63 33 30 36 63 32 31 62 61
Calling-Station-Id: 30 30 30 35 33 63 30 38 31 39 31 37
NAS-Identifier: 41 6E 64 79 27 73 20 4F 66 66 69 63 65
NAS-Port: 42
Framed-MTU: 1400
State: 43 30 31 30 33 30 32 30 5F 31 39... (17 bytes)
NAS-Port-Type: Wireless-802.11 (19)
Service-Type: Login (1)
EAP-Message: 02 08 00 26 11 01 00 18 71 BC E8... (38 bytes)   (EAP Response, id 8, LEAP: the client's 24-byte answer to the challenge, followed by the user name)
Message-Authenticator: 1D 06 B7 A4 EF DE AF 7A D1 2E 61 94 75 37 D8 88
Dec 01 22:19:12: DEBUG: Result of fetching user using 'fuser' instance: OK.
Dec 01 22:19:12: DEBUG: Result of fetching user using 'local-storage' storage: OK.
Dec 01 22:19:12: DEBUG: Using authentication module 'eap'
Dec 01 22:19:12: DEBUG: Using state 7.
Dec 01 22:19:12: DEBUG: Result of applying policy 'eap' (AUTHENTICATION): OK.
Dec 01 22:19:12: DEBUG: Sent packet to 10.200.106.1xy.1264:
Code: Access-Challenge (11) ID: 236
AS-Auth-Type: EAP (5)
AS-EAP-Type: LEAP (17)
State: 43 30 31 30 33 30 32 30 5F 31 39... (17 bytes)
EAP-Message: 03 0A 00 04   (EAP Success, id 10: the client's response was correct. LEAP sends this before the client has verified the server, so the conversation is not over yet)
Message-Authenticator: 39 0A 4D 66 50 B8 30 47 83 3A 48 6A B1 37 8B 35

Dec 01 22:19:12: DEBUG: Incoming auth request
Dec 01 22:19:12: DEBUG: Received packet from 10.200.106.1xy.1265:
Code: Access-Request (1) ID: 237
User-Name: Kalyan
CISCO-AV-Pair: 73 73 69 64 3D 43 48 53 43 49 53 43 4F
NAS-IP-Address: 10.200.106.1xy
Called-Station-Id: 30 30 30 63 33 30 36 63 32 31 62 61
Calling-Station-Id: 30 30 30 35 33 63 30 38 31 39 31 37
NAS-Identifier: 41 6E 64 79 27 73 20 4F 66 66 69 63 65
NAS-Port: 42
Framed-MTU: 1400
State: 43 30 31 30 33 30 32 30 5F 31 39... (17 bytes)
NAS-Port-Type: Wireless-802.11 (19)
Service-Type: Login (1)
EAP-Message: 01 0A 00 16 11 01 00 08 80 06 82... (22 bytes)   (an EAP Request from the client, id 10, LEAP: the client now challenges the server with its own 8-byte challenge, which is what makes LEAP mutual)
Message-Authenticator: F6 CF 36 20 4F 5B DA 43 B2 7B D8 94 80 D8 38 30
Dec 01 22:19:12: DEBUG: Result of fetching user using 'fuser' instance: OK.
Dec 01 22:19:12: DEBUG: Result of fetching user using 'local-storage' storage: OK.
Dec 01 22:19:12: DEBUG: Using authentication module 'eap'
Dec 01 22:19:12: DEBUG: Using state 7.
Dec 01 22:19:12: DEBUG: Remove state 7 (001A25D8)   (the conversation is complete, so the state is discarded)
Dec 01 22:19:12: DEBUG: Result of applying policy 'eap' (AUTHENTICATION): OK   (the client's authentication succeeded)
Dec 01 22:19:12: DEBUG: Sent packet to 10.200.106.1xy.1265:   (permission to let the client onto the network is sent to the access point)
Code: Access-Accept (2) ID: 237
AS-Auth-Type: EAP (5)
AS-EAP-Type: LEAP (17)
CISCO-AV-Pair: 6C 65 61 70 3A 73 65 73 73 69 6F... (51 bytes)   (ASCII "leap:sessio...", the leap:session-key AV pair that carries this client's session key material to the access point for its dynamic WEP key)
EAP-Message: 02 0A 00 20 11 01 00 18 06 28 ED... (32 bytes)   (EAP Response, id 10, LEAP: the server's 24-byte answer to the client's challenge, proving that it too knows the password)
Session-Timeout: 3600   (the access point forces re-authentication, and therefore a fresh key, after 3600 seconds)
Message-Authenticator: 7A E4 FA 80 C3 F9 43 5F 1F 65 E8 FC 6D 7F C7 F7

Aegis Client's log is written to the Windows XP Application Log.
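The log above, and the seven-step 802.1x exchange described in section 2.4, decoded by an added Python example. This is not part of the paper or of Aegis Server: it reads the Code, EAP-Message and CISCO-AV-Pair lines of a debug log in the format shown above, decodes the EAP header (code, identifier, length, type) and the LEAP sub-header, turns the hex-dumped AV pairs back into text, and summarises the conversation. SAMPLE_LOG is a constructed excerpt built from the attribute lines of the log above, one attribute per line, with the hex dumps left truncated exactly as the server printed them; the EAP and LEAP field layout is taken from the RFCs and the Cisco format, not from the server's own parser.

```python
"""Decode the EAP conversation out of a RADIUS debug log.

Added example, not part of the paper or of Aegis Server. SAMPLE_LOG is a
constructed excerpt: the Code, CISCO-AV-Pair and EAP-Message lines of the
Appendix A log, one attribute per line, hex dumps truncated as printed.
"""
import re

SAMPLE_LOG = """\
Received packet from 10.200.106.1xy.1263:
Code: Access-Request (1) ID: 235
User-Name: Kalyan
CISCO-AV-Pair: 73 73 69 64 3D 43 48 53 43 49 53 43 4F
EAP-Message: 02 07 00 0B 01 4B 61 6C 79 61 6E
Sent packet to 10.200.106.1xy.1263:
Code: Access-Challenge (11) ID: 235
EAP-Message: 01 08 00 16 11 01 00 08 38 17 B2... (22 bytes)
Received packet from 10.200.106.1xy.1264:
Code: Access-Request (1) ID: 236
EAP-Message: 02 08 00 26 11 01 00 18 71 BC E8... (38 bytes)
Sent packet to 10.200.106.1xy.1264:
Code: Access-Challenge (11) ID: 236
EAP-Message: 03 0A 00 04
Received packet from 10.200.106.1xy.1265:
Code: Access-Request (1) ID: 237
EAP-Message: 01 0A 00 16 11 01 00 08 80 06 82... (22 bytes)
Sent packet to 10.200.106.1xy.1265:
Code: Access-Accept (2) ID: 237
CISCO-AV-Pair: 6C 65 61 70 3A 73 65 73 73 69 6F... (51 bytes)
EAP-Message: 02 0A 00 20 11 01 00 18 06 28 ED... (32 bytes)
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             17: "LEAP", 21: "TTLS", 25: "PEAP"}

CODE_RE = re.compile(r"^Code: (?P<name>[\w-]+) \((?P<num>\d+)\) ID: (?P<id>\d+)$")
HEX_RE = re.compile(r"^(?P<name>[\w-]+): (?P<hex>(?:[0-9A-F]{2} ?)+)"
                    r"(?P<trunc>\.\.\. \((?P<total>\d+) bytes\))?$")


def decode_eap(data):
    """Decode the EAP header, the type byte and the LEAP sub-header if present.

    EAP header: Code(1) Identifier(1) Length(2, big-endian); Request and
    Response add Type(1). LEAP payload: Version(1) Unused(1) Count(1), then
    Count bytes of challenge or response, then the user name.
    """
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "truncated": len(data) < length}  # the log printed only a prefix
    if code in (1, 2) and len(data) >= 5:
        eap_type = data[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            info["identity"] = data[5:length].decode("ascii", "replace")
        elif eap_type == 17 and len(data) >= 8:
            info["leap_version"], info["leap_count"] = data[5], data[7]
    return info


def parse_log(text):
    """Group the log into RADIUS packets, each with its decoded EAP-Message and AV pairs."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        m = CODE_RE.match(line)
        if m:
            packets.append({"radius": m["name"], "radius_id": int(m["id"]), "av_pairs": []})
            continue
        m = HEX_RE.match(line)
        if not m or not packets:
            continue
        raw = bytes.fromhex(m["hex"].replace(" ", ""))
        if m["name"] == "EAP-Message":
            packets[-1]["eap"] = decode_eap(raw)
        elif m["name"] == "CISCO-AV-Pair":
            value = raw.decode("ascii", "replace") + ("..." if m["trunc"] else "")
            packets[-1]["av_pairs"].append(value)
    return packets


def leap_flow(packets):
    """(RADIUS code, EAP code, EAP type) per packet: the shape of the whole conversation."""
    return [(p["radius"], p["eap"]["code"], p["eap"].get("type")) for p in packets if "eap" in p]


if __name__ == "__main__":
    for p in parse_log(SAMPLE_LOG):
        print(p["radius"], p["radius_id"], p.get("eap"), p["av_pairs"])
```

The decoded sequence makes the LEAP quirk visible: the server's EAP Success arrives inside an Access-Challenge, not an Access-Accept, because the client still has to challenge the server in the next round; only the Access-Accept that answers the client's challenge carries the session key. Message-Authenticator is not checked here, since that needs the RADIUS shared secret.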

Appendix B Proof of WPA Authentication of the Workgroup Bridge

Here is a screenshot of the Workgroup bridge's association with the access point. Note that the access point requires authentication credentials from the connecting devices.

Figure B.1 Workgroup bridge and wireless client association with the access point

This screen shows that only the wireless client and the Workgroup bridge were successfully associated, whereas the third device was not.