
Security Techniques For Wireless Protocols
Protecting an Inherently Insecure Medium

R. K. Coleman
3e Technologies International, Inc.

ISA–The Instrumentation, Systems, and Automation Society


The 3eTI Total Security Solution
[Figure: network diagram. Labels: Redundant Security Server; 3e-030 Security Server / PDC / Certificate Authority; DHCP Server; Dynamic Key Exchange (client-security server examples); Network Router; Ethernet Switch; 3e-Wireless AP; 3e-010F Crypto Client; Wi-Fi Phone; RFID; Tablet PC w/ Wi-Fi; Other Wi-Fi Devices: Card Readers, Video/Digital Camera, Inventory Scanners, Gaming / MP3 Players. Legend: Encrypted Communications, Unencrypted Communications.]

Whether on Navy Ships, Army Tanks or in the Enterprise


Wireless Security is Essential

The Wireless Security Landscape
• For wireless security, symmetric-key encryption using U.S.
  Government-approved AES encryption is an accepted methodology.
• IEEE 802.11i, IEEE 802.15.4, and Bluetooth all employ a cross-layered
  approach to security.
  - All three wireless protocols rely on private encryption keys; therefore, key
    management over the insecure wireless channel has emerged as a
    problem of chief concern.
• 802.11i uses Extensible Authentication Protocol (EAP) over LAN to
  perform authentication and mutual key derivation.
• ZigBee will employ Elliptic Curve Cryptographic (ECC) techniques to
  derive and manage encryption keys.
• 3eTI provides an innovative Dynamic Key Exchange (DKE) technique
  that leverages Diffie-Hellman and RSA to securely exchange keys
  between a wireless Access Point and Client Device.
• 3eTI wireless products have been rigorously tested and validated
  against NIST / NSA standards, ensuring top-tier security solutions for
  the discerning wireless consumer.

Background: AES
• In Federal Information Processing Standards Publication 197 (FIPS
  PUB 197), the U.S. National Institute of Standards and Technology
  (NIST) officially endorses the Rijndael algorithm to be used as the
  Advanced Encryption Standard (AES) in cryptographic systems
  throughout Federal Agencies.
• Where Rijndael stood out was in its compact number of rounds
  required to produce a significant level of entropy.

Algorithm   Rounds/Stages   Minimal Rounds   Relative Speed with Minimal Rounds
MARS        32              20               1.00
RC6         20              21               0.66
Rijndael    10              8                0.98
Twofish     16              14               0.91
Serpent     32              17               1.04

Comparison of AES Contending Algorithm Rounds / Stages

Rijndael Qualities
• Rijndael advantages:
  - Fast (for a block cipher) on general purpose processors.
  - Can be compactly implemented on Smart Cards.
  - Its round transformation is parallel by design.
  - Rijndael does not rely on arithmetic operators – as such it contains no bias
    in favor of big or little-endian architectures.
  - The cipher does not base its security in full or in part on obscure or not
    mathematically well-understood operations.
• For completeness, a disadvantage of Rijndael is that the inverse cipher
  required for decryption is more processing-intensive and less optimal than the
  forward cipher – it takes more code and consumes more clock cycles.
• Also, the Rijndael cipher and its inverse make use of different code and tables,
  so in hardware, the inverse cipher can only partially re-use the circuitry that
  implements the forward cipher.
• Regardless of these disadvantages, Rijndael has stood up to much scrutiny
  in its 3-year selection process, has solid overall encryption qualities, and
  has been projected to have a useful lifetime similar to 3DES, or on the
  order of 20 years.

Simplicity of AES ECB Mode
• Electronic codebook mode (ECB) is the simplest and most obvious
  way to use the AES block cipher. In this mode, no chaining or
  feedback is employed, and the same block of plaintext always encrypts
  to the same block of ciphertext.
• AES ECB is straightforward, easy to implement and well-suited to
  streamlined, high-performance processing.
• However, the fact that the same block of plaintext always encrypts to
  the same block of ciphertext with ECB mode is a weakness.
  - The constant data in the plaintext will produce constant data in the
    ciphertext, allowing a cryptanalyst to glean information about the
    plaintext and to mount statistical attacks, irrespective of the strength of the
    AES block cipher.
• A cryptanalyst who has the plaintext and ciphertext for several
  messages can start to compile a codebook without knowledge of the
  actual encryption key.

Strengths of AES CCMP
• The CCMP protocol combines Counter (CTR) mode encryption for
  data privacy or confidentiality, and Cipher Block Chaining Message
  Authentication Code (CBC-MAC) authentication, for an
  authenticate-and-encrypt process.
• CCMP has two prominent advantages for IEEE 802.11 security:
  - First, it is particularly useful because it computes the CBC-MAC over the
    IEEE 802.11 header length, selected parts of the IEEE 802.11 MAC
    Payload Data Unit (MPDU) header, and the plaintext MPDU data;
    whereas the old IEEE 802.11 WEP mechanism provided no protection to
    the MPDU header.
  - Secondly, both CCMP encryption and decryption employ only the forward
    AES block cipher function. In this way CCMP avoids use of the inverse
    AES cipher which is more costly and processing intensive.
• The CCMP implementation does not have to complete calculation of
  the message authentication code before CTR encryption can begin,
  allowing parallel implementation of both modes.
• The benefits of performing authentication and encryption on each
  data packet are clear, as opposed to encryption alone.
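
The ECB weakness and the CCMP header protection described in the two slides above, as an added Python example that is not part of the original slides. It uses the third-party `cryptography` package; the key, nonce, header bytes and payload are constructed sample values, and the header is a placeholder rather than a real 802.11 AAD construction.

```python
from collections import Counter
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

# Constructed sample values (assumptions, not taken from the slides).
KEY = bytes(range(16))                                    # 128-bit demo key
NONCE = bytes.fromhex("00" "0a0b0c0d0e0f" "000000000001")  # 13 bytes, as CCMP uses
HEADER = b"constructed-mpdu-header"                       # authenticated, not encrypted
PAYLOAD = b"VALVE=CLOSED;   " * 4 + b"TEMP=071;ALARM=0"   # five 16-byte blocks, four equal

def ecb_encrypt(key, data):
    """AES-ECB: every 16-byte block is encrypted independently."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(data) + enc.finalize()

def repeated_blocks(ciphertext, size=16):
    """Count ciphertext blocks that duplicate an earlier block."""
    blocks = (ciphertext[i:i + size]
              for i in range(0, len(ciphertext) - size + 1, size))
    return sum(n - 1 for n in Counter(blocks).values())

def ccm_seal(key, nonce, header, data):
    """AES-CCM (CTR + CBC-MAC) with an 8-byte MIC; header is covered by the MIC."""
    return AESCCM(key, tag_length=8).encrypt(nonce, data, header)

def ccm_open(key, nonce, header, sealed):
    """Return the plaintext, or None if header or data fail authentication."""
    try:
        return AESCCM(key, tag_length=8).decrypt(nonce, sealed, header)
    except InvalidTag:
        return None

if __name__ == "__main__":
    sealed = ccm_seal(KEY, NONCE, HEADER, PAYLOAD)
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, PAYLOAD)))
    print("CCM repeated blocks:", repeated_blocks(sealed))
    print("CCM, header altered:", ccm_open(KEY, NONCE, b"X" + HEADER[1:], sealed))
```

A receiver would call `ccm_open` with a fresh nonce value per frame; reusing a nonce under the same key defeats both the CTR encryption and the MIC.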

Benefits of Elliptic Curve Cryptography
• The elliptic curve discrete logarithm problem rests on mathematics that
  make it possible to define the addition of two points on the elliptic
  curve:
  - The problem can be defined as follows: Fix an elliptic curve such
    that P and Q are both points on the curve, and xP represents the
    point P added to itself x times. Q is a multiple of P, so that Q = xP
    for some x. The elliptic curve discrete logarithm problem is to
    determine x given P and Q.
• The elliptic curve discrete logarithm problem’s best general-purpose
  solution requires fully-exponential time.
• Because the elliptic curve discrete logarithm problem is hard to solve
  while the algorithm itself is relatively easy to implement, ECC provides
  a very high level of security strength-per-key-bit when compared with
  other public-key cryptographic systems including RSA, ElGamal, and DSA.
• The strength, as well as the computational efficiency and relative
  compactness, make ECC/ECDSA very attractive for use in handheld
  devices and other low-power, miniaturized devices where space and
  power are at a premium – exactly the applications ZigBee will target.
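
Point addition, the multiple xP and the search for x given P and Q, as an added Python example that is not part of the original slides. The curve y^2 = x^3 + 2x + 2 over GF(17) with P = (5, 1) is a toy-sized assumption chosen so the whole group can be enumerated; the function names are illustrative.

```python
# Toy curve (assumption): y^2 = x^3 + 2x + 2 over GF(17); P = (5, 1) has order 19.
A, B, FIELD = 2, 2, 17
P = (5, 1)
INF = None  # point at infinity, the identity element of the group

def on_curve(pt):
    """Check that a point satisfies the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % FIELD == 0

def add(p1, p2):
    """Add two curve points with the chord-and-tangent rule."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF                                   # P + (-P) = identity
    if p1 == p2:                                     # tangent slope (doubling)
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % FIELD, -1, FIELD)
    else:                                            # chord slope
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def multiply(x, pt):
    """Compute xP by double-and-add: about log2(x) point operations."""
    result = INF
    while x:
        if x & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        x >>= 1
    return result

def discrete_log(q, pt):
    """Recover x with Q = xP by trying 1P, 2P, ...: about x point operations."""
    acc, x = pt, 1
    while acc != q:
        if acc is INF:
            raise ValueError("Q is not a multiple of P")
        acc, x = add(acc, pt), x + 1
    return x
```

Computing Q = xP costs a number of steps proportional to the bit length of x, while the search costs a number of steps proportional to x itself; that gap is what grows out of reach at real key sizes.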

Bluetooth Security: LAN Access Profile – A Cross-Layered Approach

[Figure: protocol stacks of the Wireless Client and the Wireless Access Point. Layers shown: Applications, TCP & UDP, IP, PPP Networking, PPP, SDP, RFCOMM, LAN, L2CAP, LMP, Baseband.]

Security mechanisms shown across the layers:
• Bluetooth Baseband Authentication & Encryption
• PPP Authentication & Encryption
• IP Security Authentication, Integrity Protection & Encryption
• Different Application Level Security Mechanisms

IEEE 802.11i and Key Management
• For wireless systems using a noisy, inherently insecure channel, key
  management and mutual key derivation are at least as critical as the
  actual encryption cipher that is chosen and employed.
• IEEE 802.11i includes specifications on encryption, authentication and
  key management in a multi-layered approach to security.
• IEEE 802.1X-based authentication mechanisms are used, with AES in
  CCMP mode, to establish an 802.11 Robust Security Network (RSN).
• IEEE 802.1X-2001 defines a framework based on the Extensible
  Authentication Protocol (EAP) over LANs (EAPoL). EAPoL is used to
  exchange EAP messages. These EAP messages execute an authentication
  sequence and are used for key derivation between a Station (STA) and an
  EAP entity known as the Authentication Server.
• EAP is not tied to any particular authentication algorithm and is
  therefore highly extensible. It defines a small number of messages
  used to communicate between the Authentication Server and the EAP
  Client.
• The Authenticator and Supplicant use the 802.11i four-way handshake to
  mutually authenticate and to mutually derive the necessary encryption
  and authentication keys.

EAP For Key Management & Exchange

[Figure: EAP runs between the EAP Client and the EAP Server. At the IEEE 802.1X level, the Supplicant (Port Access Entity, Wireless Client Device) uses EAPoL to reach the Authenticator (Port Access Entity, Wireless Gateway / Access Point), which connects to the Authentication Server (AS) over a Secure Channel.]

EAPoL carries EAP messages between the Supplicant and the
Authenticator, which acts as a relay for EAP packets by extracting
them from within the EAPoL frames and sending those EAP packets
to the Authentication Server over the secure channel.

OSI Layer 2 Protection vs. IPSec Layer 3 VPNs
• IPSec provides an Encapsulating Security Payload (ESP), which is a protocol header
  inserted into an Internet Protocol (IP) datagram at the (layer 3) network layer.
• IPSec is intended to provide confidentiality, data origin authentication, anti-replay,
  and data integrity services to IP frames.
• Virtual Private Networks (VPNs) typically rely on IPSec for implementing secure
  tunnels.
  - The drawback to this approach is that for wireless systems, the datalink (layer 2)
    and physical (layer 1) frames are completely unprotected using IPSec alone.
  - Spoofing and replay attacks on the MPDU and physical layer packets are possible.
• For wireless traffic, security at layer 2 and above is advisable.
• 3eTI is developing AES for encryption and authentication at the datalink layer in
  accordance with IEEE 802.11i, providing secure protection of the wireless packet(s).
• Combined with dynamic key exchange and careful key management, MAC-sublayer
  AES CCMP provides strong protection of the wireless frames.
• IPSec can still be used in the network above AES CCMP, for multi-layer security to
  provide comprehensive protection.

Approach to Dynamic Key Exchange
Participants: Wireless Client, Wireless Access Point, Security Server

1. (Security Server) Listening
2. (Wireless Access Point) MAC Listening
3. (Wireless Client) Start WLAN client
4. (Wireless Client) Client sets up card: SSID selected and
5. Pre-Authentication Connection
   (Security Server asks client for Certificate; sends its own certificate to client for mutual authentication)
6. (Wireless Client) Client starts authentication
7. (Wireless Access Point) AP pass-through
8. (Security Server) Challenges client (EAP-TLS)
   … (EAP/TLS authentication process between security server and wireless client)
9. Sends auth-success
10. Sends its DH public key to Security Server; sends prime number
11. Sends its DH public key and AES-encrypted TLS key
12. Calculates the DH session key; decrypts the TLS key
13. Sends success to client
14. Sends broadcast key to client
15. Sets broadcast / unicast keys

Key Exchange Ends Successfully

Summary: All packets between the Wireless Access Point and the Security Server are authenticated using HMAC-SHA-1 (per-packet authentication). They have a shared secret.
Note: DH – Diffie-Hellman, TLS – Transport Layer Security
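
The Diffie-Hellman agreement of steps 10 to 12 and the per-packet HMAC-SHA-1 authentication from the summary, as an added Python example that is not 3eTI's code. The 255-bit prime, the generator, the SHA-256 key derivation, the packet layout and all function names are assumptions, since the slide specifies none of them.

```python
import hashlib
import hmac
import secrets

# Constructed demonstration group (assumption): the slide names no DH parameters.
PRIME = 2**255 - 19
GENERATOR = 2

def dh_keypair(p=PRIME, g=GENERATOR):
    """Return (private exponent, public key g^priv mod p)."""
    priv = secrets.randbelow(p - 3) + 2            # uniform in [2, p-2]
    return priv, pow(g, priv, p)

def dh_session_key(priv, peer_pub, p=PRIME):
    """Derive a 128-bit session key from the DH shared secret."""
    if not 1 < peer_pub < p - 1:                   # reject 0, 1, p-1, out of range
        raise ValueError("degenerate DH public key")
    shared = pow(peer_pub, priv, p)
    raw = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()[:16]       # KDF choice is an assumption

def tag_packet(secret, payload):
    """Append a 20-byte HMAC-SHA-1 tag computed with the shared secret."""
    return payload + hmac.new(secret, payload, hashlib.sha1).digest()

def verify_packet(secret, packet):
    """Return the payload if the tag verifies, otherwise None."""
    if len(packet) < 20:
        return None
    payload, tag = packet[:-20], packet[-20:]
    expected = hmac.new(secret, payload, hashlib.sha1).digest()
    return payload if hmac.compare_digest(tag, expected) else None

if __name__ == "__main__":
    client_priv, client_pub = dh_keypair()         # step 10: client sends public key
    server_priv, server_pub = dh_keypair()         # step 11: peer sends its public key
    k_client = dh_session_key(client_priv, server_pub)   # step 12
    k_server = dh_session_key(server_priv, client_pub)
    print("session keys match:", k_client == k_server)
    secret = b"constructed-ap-server-secret"       # AP / Security Server shared secret
    packet = tag_packet(secret, b"auth-success")
    print("tag verifies:", verify_packet(secret, packet) == b"auth-success")
```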

FIPS 140-2 Validation and CC Certification
• FIPS 140-2 is focused on Cryptography and the protection of Cryptographic
  Keys.
• The main objective of the Common Criteria (CC) initiative was to create
  standard methods for the specification, design and evaluation of IT security
  products that would be widely accepted and established, yielding consistent
  levels of Information Assurance within the security community.
• The determination of acceptable cryptographic algorithms is within the
  domain of FIPS 140-2 for cryptographic systems deployed in Federal
  agencies.
• The scope of the CC involves specifying strength of function, proving that
  configuration management is specified and practiced in the TOE development,
  and that an assurance maintenance plan is specified and executed to maintain
  the information assurance level of the TOE when new product features are
  added.
• In this way, FIPS 140-2 and CC are complementary in ensuring a
  correctly-constructed and strongly-secure wireless end-to-end system is
  developed and deployed, and that the appropriate level of security is
  maintained throughout the product life-cycle.

Common Criteria & FIPS 140-2 For IA-Enabled Products

[Figure: two parallel scales.
Common Criteria: Evaluated Assurance Level (EAL) 1 to 7, including 4+, marked with Basic, Medium and High Robustness; NIAP Certified CCTL Evaluations (http://niap.nist.gov/cc-scheme/VPL-Vendor.html); NSA Involvement in Product Evaluation; NSA Evaluated Product List.
Crypto Modules & Algorithms: FIPS 140-2 Level 1 to Level 4, CMVP Validated (http://csrc.nist.gov/cryptval/140-1/1401val2003.htm); Type 1 Crypto for Classified.]

NIAP Labs: CygnaCom, Booz Allen, Cable & Wireless, CoACT, CSC, Infogard, SAIC
CMVP Labs: CygnaCom, Atlan, EWA, CoACT, Domus, Infogard

Future Directions
• 3eTI sees a growing trend toward including active intrusion prevention to
  secure future networks.
• This includes the use of directional antennas, with adaptive beamforming
  and null-steering, to effectively provide an “invisible fence” or RF-boundary
  (layer 1) around the deployed wireless LAN.
• Smart antennas are coming down in cost and therefore becoming more
  practical for enterprise or company-wide 802.11 networks.
• These smart antennas will be used to complete the multi-layered security
  approach by adding physical-layer security techniques to the existing
  datalink and higher-layer techniques.
• 3eTI has used Small Business Innovation Research (SBIR) contract vehicles
  to actively pursue research in the area of 802.11 intrusion prevention and
  smart antenna development, which will in the future reinforce the wireless
  infrastructures.
• Adaptive beamforming and beamsteering, coupled with 802.11i
  constructs and other higher-layer intrusion prevention techniques,
  provide a multi-layered approach to security that is necessary to ensure
  wireless LANs become a transparent and fully-utilized extension of
  traditional wired networks.
