An In-Depth Look at the Enhanced Features of Network Security Protocols: 802.11 and 802.11i Wireless LAN and 802.1x Authentication Standards
In our previous tutorial, we explored network security protocols based on the AAA architecture and the IEEE 802.1x standard for authentication.
In this part of the series, we dive deeper into further network security protocols and their enhanced features.
802.11 Authentication and Association
802.11 authentication takes place between a wireless device, such as a mobile station (STA), and an access point (AP).
The purpose of 802.11 authentication is to establish the identity of the STA to the AP and to authenticate it. The AP can be a router or a switch. No encryption of the message is involved in this process.
There are two types of authentication as mentioned below:
- Open key system
- Shared key system
Open key Authentication:
The client sends an authentication request to the access point containing the wired equivalent privacy (WEP) key for authentication. In response, the access point (AP) sends a success message only if the WEP keys of the client and the AP match; otherwise it sends a failure message.
Shared Key Authentication:
In this method, the AP sends an unencrypted challenge text to the client that is trying to communicate with it. The client requesting authentication encrypts the challenge with the WEP key and sends it back to the AP.
If the encrypted challenge is found correct, the AP authenticates the client device. Because this method relies on the WEP key, the exchange exposes the AP to attacks that recover the WEP key, so it is less secure as an authentication process.
WPA (Wi-Fi Protected Access) Key Method: This method provides an enhanced level of data security for wireless devices. It is also compatible with the 802.11i method. In WPA-PSK, a pre-shared key is generated before the start of the authentication process.
Both the client and the AP use the PSK as the pairwise master key (PMK) for authentication, where otherwise the PMK would be produced by an EAP authentication method.
After the authentication process is complete, the wireless client can associate and enrol itself with the access point, which can be a router or a switch. After the association, the AP stores all the necessary information about the associated device so that data packets can be delivered to the correct destination.
- When authentication is done, the STA sends an association request to the AP or router.
- The AP processes the association request and grants it on the basis of the type of request.
- When the AP permits the association, it replies to the STA with status code 0, which means success, together with the AID (association ID).
- If the association fails, the AP replies with an end-of-procedure response carrying a failure status code.
802.11i Authentication
802.11i uses the authentication protocol of 802.1x with some enhanced features, such as a four-way handshake and a group key handshake using suitable cryptographic keys.
This protocol also provides data integrity and confidentiality. The protocol operation starts with the authentication process, which is performed by an EAP exchange with the authentication server according to the rules of the 802.1x protocol.
Once 802.1x authentication is done, a secret key known as the pairwise master key (PMK) is derived.
Here the authenticator is the access point and the supplicant is the wireless client.
Four-Way Handshake
In this handshake, both the access point and the wireless client need to verify that they know the same PMK, without revealing it. The messages between the two are exchanged in an encrypted form, and only these two hold the key to decrypt them.
Another key, known as the pairwise transient key (PTK), is used in the authentication process.
It is derived from the PMK together with the following attributes:
- Access point nonce (AP nonce)
- Client station nonce (STA nonce)
- Access point MAC address
- STA MAC address
These values are fed into a pseudo-random function. The handshake also delivers the group temporal key (GTK), which is used for decryption at the receiver's end.
The handshake process is as follows:
- The AP sends its AP nonce to the STA together with a key counter; the counter numbers every message sent and allows duplicate (replayed) messages to be rejected. The STA now has all the attributes required to build the PTK.
- The STA sends its STA nonce to the AP together with a message integrity code (MIC), including the authentication data and the key counter, which must match the one sent by the AP.
- The AP validates the message by checking the MIC, the AP nonce and the key counter. If everything checks out, it sends the GTK along with another MIC.
- The STA validates the received message by checking all the counters and finally sends an acknowledgement message to the AP for confirmation.
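The PTK derivation and the MIC check described in the handshake above, as an added example (not code from the original tutorial). It follows the IEEE 802.11i key expansion for a CCMP/WPA2 association; the PMK, MAC addresses and nonces are constructed stand-ins, and the EAPOL frame layout is a simplified one with the MIC field placed at the end.

```python
import hmac
import hashlib

# Added example (not code from the original tutorial): 802.11i PTK derivation for a
# CCMP/WPA2 association and the EAPOL-Key MIC check of the four-way handshake.
# Key sizes follow IEEE 802.11i PRF-384: 16-byte KCK, 16-byte KEK, 16-byte TK.

def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    The Min/Max ordering lets AP and STA derive the same PTK from the same inputs."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]          # KCK (MIC key), KEK (wraps GTK), TK (data)

def eapol_mic(kck: bytes, frame: bytes, mic_offset: int) -> bytes:
    """HMAC-SHA1-128: HMAC-SHA1 over the EAPOL-Key frame with its 16-byte MIC field zeroed."""
    zeroed = frame[:mic_offset] + b"\x00" * 16 + frame[mic_offset + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_signed_frame(kck: bytes, payload: bytes) -> bytes:
    """Constructed layout for this example: payload || MIC (16 bytes), MIC offset = len(payload)."""
    frame = payload + b"\x00" * 16
    return payload + eapol_mic(kck, frame, len(payload))

def mic_is_valid(kck: bytes, frame: bytes, mic_offset: int) -> bool:
    """Receiver-side check: a wrong KCK or a modified byte anywhere in the frame fails here."""
    expected = eapol_mic(kck, frame, mic_offset)
    return hmac.compare_digest(expected, frame[mic_offset:mic_offset + 16])

# Constructed sample values, not a real capture. In WPA2-PSK the PMK would be
# PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32); a fixed stand-in is used here.
PMK = bytes(range(32))
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = b"A" * 32, b"S" * 32

if __name__ == "__main__":
    kck, kek, tk = derive_ptk(PMK, AP_MAC, STA_MAC, ANONCE, SNONCE)
    msg2 = build_signed_frame(kck, b"\x02\x03" + SNONCE)       # STA -> AP: SNonce + MIC
    print("KCK", kck.hex(), "MIC valid:", mic_is_valid(kck, msg2, len(msg2) - 16))
```

Swapping the AP and STA roles yields the same PTK, which is why either side can verify the other's MIC without the PMK ever being transmitted.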
Group Key Handshake
The GTK is renewed whenever a session expires and a new session needs to be started in the network. The GTK also protects the device against receiving broadcast messages from other sources belonging to another AP.
The group key handshake is a two-way handshake:
- The access point sends a new GTK to every client station present in the network. The GTK is encrypted using the 16-byte EAPOL key encryption key (KEK) allocated to that particular client station, and a MIC prevents data manipulation.
- The client station acknowledges the new GTK it received and sends the response back to the access point.
This completes the two-way handshake.
802.1x Authentication
802.1X is a port-based standard for network access control. It provides authentication for devices that want to communicate in a LAN or WLAN architecture.
802.1X authentication involves three participants: a supplicant, an authenticator, and an authentication server. The supplicant is the end device, such as a laptop, PC or tablet, that wants to initiate communication over the network. The supplicant can also be a software application running on the client host PC.
The supplicant supplies its credentials to the authenticator. The authenticator is a device such as an Ethernet switch or wireless access point, and the authentication server is a remote host running software that supports the authentication protocols.
The authenticator acts as a guard for the protected network. The host client that initiated the communication is not permitted to access the protected side of the network through the authenticator until its identity has been validated and authenticated.
With 802.1X, the supplicant supplies credentials, such as a digital certificate or a login username and password, to the authenticator, and the authenticator forwards them to the authentication server for verification.
If the credentials are found to be genuine, the host device is permitted to access the resources on the protected side of the network.
Steps involved in the Authentication Process:
- Initialization: This is the first step. When a new supplicant is detected, the port on the authenticator is enabled and placed in the "unauthorized" state.
- Initiation: To start the authentication process, the authenticator periodically transmits EAP-Request/Identity frames to a special MAC address on the local network segment. The supplicant listens on that address and replies with an EAP-Response/Identity frame, which carries an identifier of the supplicant (such as a secret key).
- Negotiation: At this stage, the authentication server replies to the authenticator with an EAP-Request that specifies the EAP method. The authenticator encapsulates the EAP-Request in an EAPOL frame and sends it to the supplicant.
- Authentication: If the authentication server and the supplicant agree on the same EAP method, EAP-Request and EAP-Response messages are exchanged between the supplicant and the authentication server until the server responds with an EAP-Success or an EAP-Failure message.
- After successful authentication, the authenticator puts the port into the "authorized" state, and all kinds of traffic are permitted. If authentication fails, the port remains in the "unauthorized" state. When the host client logs off, it sends an EAPOL-Logoff message to the authenticator, which puts the port back into the "unauthorized" state.
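A model of the authenticator's controlled port across the steps above, as an added example (not code from the original tutorial). The event names, the session list and the supplicant identity "alice" are constructed for the example; the rule it demonstrates is that only EAPOL frames pass the port until the authentication server returns EAP-Success, and that EAPOL-Logoff closes it again.

```python
from enum import Enum

# Added example (not code from the original tutorial): a minimal model of the
# 802.1X controlled port on an authenticator (switch or AP). Until the
# authentication server returns EAP-Success, the port passes EAPOL frames only.
EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X EAP over LAN
IPV4_ETHERTYPE = 0x0800

class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"

class AuthenticatorPort:
    def __init__(self):
        self.state = PortState.UNAUTHORIZED   # Initialization: enabled but unauthorized
        self.identity = None

    def on_eap_response_identity(self, identity: str):
        self.identity = identity              # Initiation: relayed to the authentication server

    def on_server_result(self, eap_success: bool):
        # Authentication: EAP-Success authorizes the port, EAP-Failure leaves it unauthorized.
        self.state = PortState.AUTHORIZED if eap_success else PortState.UNAUTHORIZED

    def on_eapol_logoff(self):
        self.state = PortState.UNAUTHORIZED   # EAPOL-Logoff: back to unauthorized
        self.identity = None

    def admits(self, ethertype: int) -> bool:
        # The uncontrolled port always passes EAPOL; all other traffic needs the authorized state.
        return ethertype == EAPOL_ETHERTYPE or self.state == PortState.AUTHORIZED

def run_session(port: AuthenticatorPort, events: list) -> list:
    """Replay (kind, value) events; return the admit decision for each 'frame' event in order."""
    decisions = []
    for kind, value in events:
        if kind == "identity":
            port.on_eap_response_identity(value)
        elif kind == "server":
            port.on_server_result(value)
        elif kind == "logoff":
            port.on_eapol_logoff()
        elif kind == "frame":
            decisions.append(port.admits(value))
    return decisions

# Constructed session: IPv4 is dropped before EAP-Success, passes after it, dropped again after logoff.
SAMPLE_SESSION = [("frame", IPV4_ETHERTYPE), ("frame", EAPOL_ETHERTYPE), ("identity", "alice"),
                  ("server", True), ("frame", IPV4_ETHERTYPE), ("logoff", None), ("frame", IPV4_ETHERTYPE)]
```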
Figure: 802.1x Authentication Process
Conclusion
In this tutorial, we explored the working of the 802.11, 802.11i and 802.1x authentication protocols.
The network becomes more secure by deploying an EAP method for authentication and by using mutual authentication at both the client and the access point, with different types of encryption key methods.