... WEP Key Rotation in AP2000

More documents

Recommendations

Info

... WEP Key Rotation in AP2000When a message is transmitted, the transmitting wireless device willidentify which of the four defined keys it used for the encryption, to allowthe receiver to select the matching key from its set of four, to decrypt themessage.In addition to these low-level WEP keys that are used by the wireless PCCards, other encryption schemes can be implemented on higher level(typically in software) to encrypt the data even before it is passed by thesoftware to the wireless adapter. For example using VPN involves encryptionof information by so-called VPN client and server software. Here tooencryption keys are required that are known at either side of theconnection. As said these keys are typically used in software at higher level.Within the definition of certain EAP types used in combination with 802.1xthe term session key is used, which also is a higher level encryption keyused to protect the information exchange between the 802.1x Supplicant(the client) and the 802.1x Authentication Server (typically a RADIUSserver).The IEEE 802.1x standard defines that EAP protocol messages exchangedbetween the client’s Supplicant and the Authenticator in the AP, are notencrypted, using low level WEP keys. If the ORiNOCO PC cards areconfigured to use WEP encryption, the FW in the ORiNOCO PC cards will, ondetection of an EAP protocol message by examining the frame type,transmit the frame un-encrypted. However the information inside the EAPmessages can be protected as they can be encrypted using a high level keyused by the software.Encryption Key generationTo use encryption, key values have to be defined. This can be donemanually, or it can be done by deriving keys from a generator. TraditionallyWEP keys have been defined by the System administrator using some sort ofoff-line scheme, and manually entered in the AP’s and the client systems.Technical bulletin TB-039 described a very rudimental scheme where WEPkeys, defined by a system administrator could be passed to the clientdevices as part of the log-in process. Though this method could be usedeffectively it still had some flaws as it relied on the WEP key being defined inan off-line mode by the system administrator, and stored in a simplescrambled mode on the client PC’s hard drive.The EAP-TLS scheme used in combination with IEEE 802.1x can use theDiffie-Hellman encryption key generation to have both ends of thecommunication path derive encryption keys from some basic, randomvalues (Alternatively it could use the RSA encryption methods). The EAP-TLSauthentication method is one of the more popular methods used incombination with IEEE 802.1x. This method is quite secure as the encryptionkey is not known by either entity, is not stored on any hard drive and is nottransmitted through the air. In EAP-TLS both the Authentication Server (i.e.the RADIUS server) and Supplicant in the client device determine (derive) theencryption key, called the session key, which is only used initially totransmit the actual WEP keys that are used by the wireless PC cardhardware, to scramble wireless traffic.TB-053.docPage 2 of 9Copyright © 2002 Agere Systems Inc.
... WEP Key Rotation in AP2000WEP key distributionThe steps involved in getting to the first set of operational WEP-keys are asfollows:1. A wireless client station operating under IEEE 802.11 schemes associatesto an AP2. If the AP also implements the IEEE 802.1x schemes, traffic through theAP to other parts of the network than the Authentication Server (e.g. aRADIUS server) is blocked until the client station is authenticated.3. The Supplicant portion in the station communicates with theAuthenticator function in the Access Point. This traffic is not encryptedusing WEP keys (but could be using a high level encryption key insoftware).4. At this point in time the client station can only communicate (via the AP)with the Authentication Server (i.e. the RADIUS server).5. The Supplicant and the Authentication Server engage in the EAPexchange defined by the EAP method implemented.6. If dictated by the EAP method, the final stage of the exchange includesthe generation of the session key as mentioned above (if theauthentication was successful; a failed authentication will not produce asession key)7. The Authentication Server sends the generated session key to theAuthenticator (i.e. the AP). At this point both the AP and the Clientstation can use an encryption key and higher (software) level.8. The AP will generate a set of (low-level) WEP keys (see later) which itintends to use for subsequent transmissions, and transmit this set (as aset of multiple EAP protocol messages, where each message containsone key) to the client station. The transmission is protected byencrypting the message (on software level) with the session key.9. The client’s Supplicant will decrypt the message using its derived sessionkey, and will pass the received WEP keys (via the driver interface) to thePC card for subsequent use.WEP key rotationAs indicated above, dynamic key generation is more secure than using userdefinedand user-entered keys. However if the values of these keys are notchanged over time, the security is debatable as it is merely a matter of timebefore these “static” keys will be broken. Hence it is essential to implement ascheme that changes the values of the keys over time. This is known as KeyRotation or Re-keying. To assure maximum security, the rotation cycle timeshould be shorter than the fastest time it would take to decipher a key usingbrute force.The IEEE 802.1x standard is in essence a standard that defines a framework for access control and as such focuses its attention to“Authentication”. As described in TB-048, client implementations thatcomply to this standard execute a process where the client (user) isvalidated (authenticated) based on certain credentials that he/shepossesses. Authentication is executed by an Authentication server (e.g. aRADIUS server) which is accessed by the client via the access point that it isTB-053.docPage 3 of 9Copyright © 2002 Agere Systems Inc.
Page 1: ... WEP Key Rotation in AP2000ORiNO
Page 5 and 6: ... WEP Key Rotation in AP2000The f
Page 7 and 8: ... WEP Key Rotation in AP2000On th
Page 9: ... WEP Key Rotation in AP2000Each

... WEP Key Rotation in AP2000

Create successful ePaper yourself

Delete template?

Save as template?