How to make 802.11 systems combine security with affordability

In the past, IEEE 802.11-based wireless product developers have been forced to make tradeoffs between security, interoperability, and affordability. The three were traditionally mutually exclusive.

FIPS 140-2, the Federal Information Processing Standard for cryptography, defines a set of cryptographic functions approved for protection of sensitive but unclassified data in the U.S. Government, and provides guidelines governing the correct design, implementation and deployment of these functions.

IEEE 802.11i provides standards-based security improvements to help protect IEEE 802.11 wireless— it is a Layer 2, MAC sublayer specification.

WPA2, from the Wi-Fi Alliance, ensures commercial interoperability and correct COTS implementation of 802.11i. WPA2 certification in the IEEE 802.11 wireless marketplace helps ensure affordability and value to the customer.

In this article we will describe how to integrate all three specifications. First, by implementing strong Layer 2 pre-802.11i, followed by IEEE 802.11i-compliant products. 3eTI has bridged the gap to provide FIPS 140-2, 802.11i and WPA2 for security, interoperability, and affordability of its wireless products.

Click here for Figure 1

1. The subset of products that are 802.11i compliant, WPA2 certified and FIPS 140-2 validated is quite small.

Developing Trends in Commercial WLAN for DoD
Wi-Fi certification for 802.11a/b/g wireless communication interoperability and WPA2 certification for 802.11i security interoperability are growing trends for DoD wireless SBU systems. FIPS 140-2 validation at Level 2, as well as NIAP Common Criteria certification of wireless, data-at-rest, personal firewall and antivirus subsystems, conforming to Government-sponsored Protection Profiles (if they are finalized) are important C&A concerns for DoD WLAN products. At a minimum, 2-factor authentication techniques are becoming de facto for DoD SBU wireless systems, while Wireless Intrusion Detection including location-sensing and continuous-scanning is important to the DoD customer.

Overview of IEEE 802.11i
IEEE 802.11i is a Layer 2 specification that focuses on strengthening IEEE 802.11 security at the MAC sublayer. It is completely separate from and independent of VPN designs or architectures, which are often implemented at Layer 3. IEEE 802.11i goes beyond the simple, flawed encryption mechanism of 1999 802.11 WEP to include specifications on encryption, authentication and key management in a multi-layered approach to security. IEEE 802.1X-based authentication mechanisms are used, with AES in CCMP mode, to establish an 802.11 Robust Security Network (RSN).

IEEE 802.1X defines a framework based on the Extensible Authentication Protocol (EAP) over LANs, also known as EAPoL. EAPoL is used to exchange EAP messages. These EAP messages execute an authentication sequence and are used for key derivation between a Station (STA) and an EAP entity known as the Authentication Server (AS).

IEEE 802.11i defines a four-way handshake using EAPoL for key management and group key derivation. 3eTI has been instrumental in developing an IETF RFC to further standardize the portion of key exchange that must take place between the Authentication Server and the Wireless Access Point (WAP). 3eTI, along with Cisco and Intel, recognizes the merits of standardizing this technique, so that interoperability among multiple 802.11i-compliant vendors can be achieved.

Four major categories or primary functions of 802.11i are invoked within 3eTI products, including the wireless client devices, wireless access points (3e-525A-3), and the security server. These primary functions of 802.11i include:

1. EAP-TLS: Extensible Authentication Protocol Transport Layer Security, EAP-TLS was compulsory for WPA2 Enterprise products certified prior to April 15, 2005; for products certified after this date, EAP-TLS testing is compulsory if the product can support EAP-TLS. The only products that might not support EAP-TLS are tightly integrated systems that do not support software upgrades by a third party, such as some cell phones intended for, e.g., the 3G market. Non-tightly integrated products like most laptop and PDU adapters still must support EAP-TLS to receive WPA2 certification. 3eTI wireless client and wireless access point devices use standards-based EAP-TLS with no modifications, for complete interoperability with 802.11i and WPA2 certified equipment.
2. IEEE 802.1X: also known as port based network access control, 802.1X provides and authentication framework within 802.11i. 802.11i depends upon 802.1X to control the flow of Medium Access Control Service Data Units (MSDUs) between the Distribution System (DS) and Stations (STAs) by use of the IEEE 802.1X Controlled/Uncontrolled Port model. IEEE 802.1X authentication frames are transmitted in 802.11 Data frames and passed via the IEEE 802.1X Uncontrolled Port. The 802.1X Controlled Port is blocked from passing general data traffic between two STAs until an 802.1X authentication procedure completes successfully over the 802.1X Uncontrolled Port. It is the responsibility of the authenticator (3eTI Access Point) to implement port blocking. 802.11 depends upon IEEE 802.1X and the EAPOL-Key 4-Way and Group Key Handshakes, to establish and change cryptographic keys. Keys are established after authentication has completed. Keys may change for a variety of reasons, including expiration of an IEEE 802.1X authentication timer, key compromise, danger of compromise, or policy. 3eTI products implement standards-based 802.1X with absolutely no custom modifications, again ensuring interoperability with 802.11i and WPA2 certified equipment.
3. 4-way handshake: The 4-way handshake defined in 802.11i achieves the following important goals within the security protocol:
   
   • It confirms the Pairwise Master Key (PMK) between the supplicant (3e client) and authenticator (3e Access Point)
   • It establishes the temporal keys to be used by the data-confidentiality protocol
   • It authenticates the security parameters that were negotiated
   • It provides keying material to implement the group key handshake within 802.11i
   3eTI implements the 4-way handshake within its wireless product line per the 802.11i specification, again with absolutely no custom modifications, in order to maximize interoperability with third-party 802.11i and WPA2 compliant equipment.
4. AES CCMP: 802.11i and WPA2 employ AES CCM, which is a combination of AES Counter (CTR) mode per packet data encryption, combined with AES Cipher Block Chaining—Message Authentication Code (CBC-MAC) per packet data integrity / authentication of the entire packet including the MAC header. AES CCMP has been deemed to surpass the RC4 stream cipher, upon which the older WEP and WPA security protocols are based. 3eTI was the first company to take its AES algorithm through the NIST CCM algorithm certification process, thereby ensuring that 3eTI’s AES CCMP is standards-based, non-proprietary, and ready for wide WPA2 interoperability usage.

WPA and WPA2: Interoperability certifications from Wi-Fi Alliance
The Wi-Fi Alliance is a trade association that promotes the adoption of IEEE Std 802.11 technology through marketing and through interoperability testing. Products implementing IEEE Std 802.11i that are certified as interoperable are called WPA2 compliant. The Wi-Fi Alliance has conducted WPA2 certification since September 2004, and WPA2 will be required for any Wi-Fi Alliance certifications in April 2006.

WPA addresses the weaknesses of original WEP security resulting from WEP’s imperfect encryption key implementation and its lack of authentication. Using TKIP, it brings an enhanced encryption algorithm, and with IEEE 802.1X/EAP authentication it brings standards-based mutual authentication, to Wi-Fi networks. Together, TKIP encryption and mutual authentication insulate the Wi-Fi network from a variety of threats when WPA-Enterprise mode is used.

Both WPA and WPA2 protect the wireless network from a variety of threats, including lost or stolen devices and hacker attacks such as ‘man-in-the-middle’, authentication forging, replay, key collision, weak keys, packet forging, and ‘brute-force/dictionary’ attacks.

WPA2 offers advanced protection from wireless network attacks. Using AES, government grade encryption and IEEE 802.1X/EAP authentication WPA2 provides stronger standards-based mutual authentication and advanced encryption to protect the Wi-Fi network from a variety of threats and attacks. WPA2 is the second generation of WPA security; providing enterprise and consumer Wi-Fi users with a high level of assurance that only authorized users can access their wireless networks. WPA2 is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance. WPA2 is effectively the commercial certification of an implementation of 802.11i. WPA and WPA2 ensure interoperability within a large body of commercially-certified COTS wireless equipment. So it can be seen that WPA2 is desirable in any fielded wireless equipment if cost is an issue and interoperability with multiple vendors, in order to take advantage of a competitive marketplace, is a goal.

The WPA2 Enterprise interoperability test suite requires that products demonstrate interoperability of the following when used together:

1. EAP-TLS was compulsory for WPA2 Enterprise products certified prior to April 15, 2005; for products certified after this date, EAP-TLS testing is compulsory if the product can support EAP-TLS. The only products that might not support EAP-TLS are tightly integrated systems that do not support software upgrades by a third party, such as some cell phones intended for, e.g., the 3G market. Non-tightly integrated products like most laptop and PDU adapters still must support EAP-TLS to receive WPA2 certification. 3eTI wireless products implement industry standard and WPA2 certified EAP-TLS
2. IEEE Std 802.11i key derivation from the symmetric key established by EAP-TLS;
3. AES-CCM, using the 128 bit key derived by 802.11i key derivation. The test configuration for any product that supports EAP-TLS conforms exactly to the approved configuration specified by Clause 7.2 of the FIPS 140-2 implementation guidance document of January 21, 2005.

FIPS 140-2
FIPS 140-2 is the Federal Information Processing Standard for cryptography. It defines a set of cryptographic functions approved for protecting of sensitive but unclassified data in the U.S. Government, and provides guidelines governing the correct implementation and deployment of these functions. FIPS 140-2 can be envisioned in a simple manner as defining two types of requirements: local requirements and algorithmic requirements.

Examples of local requirements include cryptographic boundaries and random bit generators. Local requirements have no implications for interoperability; they only have implications for the correctness of implementation or deployment. For example, the output of a FIPS approved random bit generator will appear to any computationally bounded party as a bit stream that is computationally indistinguishable from a true random bit stream.

Examples of algorithmic requirements include implementing symmetric key encryption using AES and hashing using SHA-1. These requirements have interoperability implications, because the communication protocols utilizing algorithms requires that their outputs in different implementations be identical.

FIPS 140-2 does not address algorithmic interoperability directly. Instead, it defines known-answer tests for the cryptographic algorithms it approves. This means that each algorithm must operate on known inputs to produce known outputs. There is an indirect interoperability implication of these known-answer tests. In particular, every correct implementation must output the same bit pattern for each input in each known-answer test.

On January 21, 2005, NIST issued an updated implementation guidance document for FIPS 140-2. Section 7.2 of this update addresses IEEE 802.11i. It indicates that an IEEE 802.11i deployment can be certified and deployed for sensitive but unclassified use if it conforms to the following:

• The IEEE Std 802.11i key derivation function is used to establish session keys from a shared secret constructed using an approved key establishment method. Annex D of FIPS 140-2 defines approved key establishment technique, including Diffie-Hellman key establishment. EAP-TLS, which relies on Diffie-Hellman key agreement, is such a technique;
• AES-CCM as defined in IEEE Std 802.11i is used to protect the data exchanged.

This is a far-reaching development, because it has paved the way for IEEE 802.11i at Layer 2 to become the preferred security solution by the Office of the Secretary of Defense. The U.S. Government has determined that FIPS 140-2 certified, IEEE 802.11i-compliant and WPA2-tested wireless products are the preferred solution for wireless SBU data communication throughout government agencies. 3eTI is a premier provider of wireless products that meet these requirements.

Click here for Table 1

1. The key DoD requirements are met by 3eTI solutions.

3eTI wireless products not only meet the baseline trends identified for DoD wireless in table 1, they exceed the baseline by providing the following functionality:

• 802.11i (WPA-2) and additional 256-bit AES Security
• 802.1x Authentication
• Layer 2 Security
• DoD PKI (JTIC certified) with password protection
• X.509 Certificates
• DKE (Dynamic key, per user, per session)
• Multiple location profiles
• Compatible with VPN
Site survey support
• Tamper-proof algorithms

Note: In tested WLANs, the 3e Security Server, AP, and Client devices have been replaced and tested with third-party products. The system has been proven interoperable with these third- party products.

Click here for Figure 2

2. 3eTI Secure Hardware Clients: FIPS 140-2 Validated for Sensors, Video, RFID, CACs.

3eTI Wireless client interoperability with third-party access points
3eTI has developed 3e-010F-C-2 Crypto Client Software for Intel Centrino and 3e-010F-A-2 Crypto Client Software for Atheros, which have been successfully tested and demonstrated with third-party vendors’ 802.11i-compliant wireless access points. The Crypto Client Software is FIPS 140-2 Validated as well as 802.11i-compliant and WPA2 certified (pending Q42005), for secure wireless interoperability at an attractive price-point. Shown directly below are 3 screen shots from the operational Crypto Client Management Interface.

Supported Operating Systems include Windows 2000/WP, using FIPS certified AES-CCM in 802.11i-compliant mode. X.509 certificates are used, and DoD PKI compliant operation is possible using the Crypto Clients with an additional 3e-030-2 Security Server.

3eTI offers two state-of-the-art clients: the 3e-010F-C-2 or 3e-010F-A-2 Crypto Client Software. The difference between the clients is in the drivers related to the supported hardware. The 3e-010F-C-2 supports Intel PRO/Wireless 2200BG and 2915ABG cards, and the 3e-010F-A-2 supports WLAN cards based on the Atheros AR5001X+, AR5002G and AR5002X chipsets. Other than the drivers needed to work with the specific cards, the clients are identical. Each Client supports Windows 2000 and Windows XP (Home and Professional). The Crypto Clients provide standard 802.11a/b/g wireless access along with enhanced protection through a variety of cryptographic features, providing a high level of security for wireless environments.

The following security modules have been implemented in the Crypto Clients:

• AES (128/192/256 bit)
• 3DES (192 bit)
• AES-CCMP
• TKIP
• WEP
• 802.1x/EAP-TLS for authentication
• WPA
• WPA2/802.11i

Secure Wireless Networking
Click here for Figure 3

3. 802.11i & FIPS 140-2 True Layer 2.

From its beginning, 3eTI has made architectural and design decisions in order to place encryption and other security mechanisms as low in the network stack as possible. The reason for this decision is straightforward – by implementing encryption and other security mechanisms at Layer 2, more of the total wireless transmitted packet is protected than with higher layer encryption and security, as with Layer “2.5” or Layer 3 VPNs / tunnels.

Before IEEE 802.11i became standardized, 3eTI implemented Layer 2 AES throughout its wireless product line. These products were also FIPS 140-2 certified. As described earlier in this paper, FIPS 140-2 and IEEE 802.11i were mutually exclusive prior to January 21, 2005. For this reason, legacy 3eTI wireless products contained a FIPS 140-2 mode as well as a non-FIPS-802.11i-compliant mode.

As of January 21, 2005, NIST has officially determined that FIPS 140-2 and 802.11i can be designed into wireless products and combined into a single operational mode / configuration. While 802.11i ensures that wireless 802.11 products are standards-based, FIPS 140-2 ensures security is correctly designed and implemented in the actual wireless access point, client devices, and backend server.

WPA2 ensures commercial interoperability and affordability. 3eTI presents the customer with a strong value proposition: FIPS 140-2, 802.11i and WPA2 across the wireless product line for security, interoperability and affordability without tradeoffs.

About the authors
Steven C. Chen is the President and CEO of 3e Technologies International, Inc. Mr. Chen is the Chair of IEEE 1451.5 and holds patents for wireless communication devices. He can be reached at schen@3eti.com.
Ryon K. Coleman is a Senior Systems Engineer and Security Architect at 3eTI. He can be reached at rcoleman@3eti.com.