In today's wireless network, user authentication and strong encryption is a necessary step in securing an enterprise network. While there are a myriad of different technologies available to provide a secure network, several IEEE standards have emerged as intrinsic components to enterprise wireless networking. This paper discusses these standards and addresses ways of implementing them within a secure WLAN system.

WEP
It is well known that the Wired Equivalent Protocol (WEP) provided a very weak security solution, both in terms of its scalability and its poor use of cryptographic algorithms. For instance, static WEP required that all devices in an enterprise network share a single shared key, known as a shared WEP key. The fact that all devices share the same key allowed any device to decrypt any packet sent over the air, basically meaning that privacy was non-existent.

The fact that this key had to be manually provisioned on each wireless device within the enterprise imposed some significant deployment challenges. Furthermore, a compromised device would require that the IT staff reconfigure each wireless device with a new shared WEP key.

The main security issues with WEP revolved around its use of the RC4 encryption algorithm. Each packet sent by a station would include a random value which is used as part of the encryption key (called Initialization Vector, or IV). However, if two stations sharing the same static key both sent a packet with the same IV, these two packets could be used to reverse engineer (or crack) the key. Tools to crack WEP keys are now freely available on the Internet [e.g., AIRSNORT].

802.1X
In order to solve the scalability issues that surrounded static WEP, the IEEE introduced the concept of user-based authentication using per-user encryption keys. This gave birth to the 802.1X standard, which makes use of the IETF's Extensible Authentication Protocol (EAP), originally designed for user authentication in dial-up networks. The 802.1X standard supplemented the EAP protocol with a mechanism to send an encryption key to a wireless Access Point (AP). These encryption keys are used as dynamic WEP keys, allowing traffic to each individual user to be encrypted using a separate key.

The 802.1X protocol defines three separate components: the supplicant (wireless station), authenticator (WLAN) and authentication server (RADIUS server). Supplicants are available as part of certain operating systems (e.g. Windows XP), or come as third party software applications that run on a variety of platforms, as offered by Funk Software. In an Airespace WLAN system, the Airespace 4000 WLAN Switch and 4100 WLAN Appliance act as an 802.1X authenticator. RADIUS services are provided by multiple vendors, such as Microsoft, Cisco, Funk, and Infoblox.

Figure 1 shows how the 802.1X authentication process works. In this illustration, the supplicant issues EAP frames over 802.11, which are tunneled by the authenticator within a RADIUS request. The corresponding EAP response is sent by the server encapsulated within a RADIUS Access-Challenge, which is forwarded to the supplicant. This exchange continues until the user is authenticated, at which time the RADIUS server issues an Access-Accept, which includes a Master Key. This Master Key is also sent to the supplicant by the RADIUS server, encrypted within the EAP packet.

Since both the supplicant and the authenticator share a Master Key, they can use this key for encryption purposes. The Authentication process generates two separate keys; unicast and broadcast. The unicast key is unique for an individual user; the broadcast key is shared among all devices associated with an Access Point. These keys are sent in an encrypted form to the supplicant. All future traffic between the station and the Access Point are encrypted using the WEP protocol.

While this method of distributing dynamic WEP keys provides a much more scalable approach than WEP and other approaches, two primary issues exist. One, the WEP protocol is still used, which introduces all of the vulnerabilities listed above associated with WEP. Second, the key exchange mechanism lacks reliability and can present security holes.

The Emergence of 802.11i
In order to solve the WEP problem, the IEEE began working on a new security solution in conjunction with leading cryptographers. This work became known as the 802.11i standard.

When designing 802.11i, the IEEE faced an interesting problem - a large number of devices existed on the market employing different encryption schemes. Therefore, the IEEE worked on two different encryption mechanisms within 802.11i, TKIP and AES. TKIP was designed to be compatible with devices that have existing WEP capabilities, but makes use of the RC4 encryption algorithm in a much more effective and safe manner by rotating the key on each packet. To further increase security, Message Integrity Checking, called "Michael" was also added to provide better authentication.

AES provided a cryptographically stronger solution than TKIP, aimed at users willing to deploy a new client adapter and new APs. As it is stronger than TKIP, no additional authentication algorithm is required with AES.

In order to make use of either TKIP or AES, both the supplicant and the authentication still require the Master Key (known as the Pairwise Master Key, or PMK). The PMK is used by both the supplicant and the authenticator to create the Pairwise Transient Key (see Figure 2). The PTK is used by both peers to create three separate keys: KCK, KEK and TK. These keys are used during the key exchange (discussed later in this document.)

IEEE defined two ways for both the supplicant and the authenticator to retrieve a common PMK: 802.1X and Pre-Shared Key (PSK). The 802.1X method is identical to the method listed above for user authentication using dynamic WEP keys. PSK allows both the supplicant and the authenticator to share a common, statically configured key. It is like static WEP keys in that if a device is compromised, all wireless devices will have to be re-configured with a new key. However, it offers increased security over static WEP keys by using the PMK to generate a temporal key (PTK). This eliminates the need to have every device use the same encryption key.

WPA
In order to address the WEP security concerns in the market, the WiFi Alliance took a snapshot of the 802.11i's standard and created an interim pseudo-standard called WiFi Protected Access (WPA). The WiFi Alliance began conformance testing of WPA to assist with multi-vendor interoperability, allowing devices to include the WiFi Alliance's WPA logo on their products after completing certification.

Figure 3 shows an example of the WPA key exchange that is used by the AP to distribute session keys to a station. Note that the key exchange is significantly more complex than the exchange in Figure 1, which results in a more robust and secure WLAN deployment. Initially the exchange is in the clear, up to message 5, which is encrypted using the PTK (delivered in message 3).

WPA is not perfect, however. One issue exists in the way the protocol handles re-keying. Once a PTK/GTK relationship exists between a supplicant and an authenticator, any re-authentication or re-keying occurs in an encryption form (using the previously agreed upon PTK). During the re-key process, a new PTK is negotiated and message 5 is required to be encrypted using the new key. There have been issues where the station gets confused and attempts to decrypt message 5 using the old PTK, which obviously fails.

WPA 2 (802.11i)
In July 2004, the IEEE ratified the 802.11i protocol as standard. As a consequence, the WiFi Alliance published the WPA 2 certification process. The WPA 2 protocol includes some very significant differences with its predecessor, such as key caching and pre-authentication.

One major difference in the new key exchange is that the number of messages was reduced from 6 to 4, reducing latency and overhead. Furthermore, sending the GTK in message 4 eliminates the race condition previously mentioned.

Another feature in WPA 2 is called "Pre-authentication". This is a feature that allows a mobile device to authenticate with other access points that it believes it may roam to in the future. This is done by having the mobile station's authentication frames forwarded by the current access point to the target access point over the wired network (see Figure 5). While pre-authentication is an interesting concept, the fact that mobile stations may authenticate with several access points at any given time causes a considerable amount of load on the Authentication Server. For this reason, the Airespace WLAN system does not support pre-authentication.

Key Caching is another feature that was added to WPA2. This allows a mobile station to "cache" the master keys it gains through a successful authentication with an access point, and re-use it in a future association with the same access point (see Figure 6). This means that a given mobile device only needs to authenticate once with a specific access point, and cache the key for future use. Key Caching is handled via a mechanism known as the PMKID (or the PMK Identifier), which is a hash of the PMK, a string, the station and the AP's MAC addresses. The PMKID uniquely identifies the PMK.

Proactive Key Caching
Even with key caching, a wireless station must authenticate with each Access Point it wishes to get service from. Even though this event only needs to occur once for each Access Point (for as long as the keys are considered valid and are cached on both the station and the AP), it introduces significant latency and overheads, which delays the hand-off process and can inhibit the ability to support real-time applications. Furthermore, this can affect scalability of an 802.11i implementation.

In order to resolve this issue, Airespace, Funk, and Atheros designed an extension to 802.11i, called Proactive Key Caching (PKC). PKC allows a station to re-use a PMK it had previously gained through a successful authentication process, eliminating the need for the station to authenticate against new APs when roaming.

When a mobile device moves from one AP to another AP on the same switch, the client re-computes a PMKID using the previously used PMK and presents it during the association process. The Airespace WLAN Switch/Appliance will search its PMK cache to determine if it has such an entry. If it does, it will by-pass the 802.1X authentication process and immediately initiate the WPA2 key exchange. If it does not, it will go through the standard 802.1X authentication process.

Airespace's unique WLAN architecture enables user context information to be passed from one switch to another. In addition to QoS and security policies, this context transfer can include a common PMK cache, ensuring that users receive fast inter-switch mobility and seamless roaming across all APs. This provides the freedom of mobility across an entire Airespace WLAN system, without the need for devices to re-authenticate while the PMK is considered valid.

PKC is supported with the Microsoft Zero Configuration supplicant, as well as Funk Software's Odyssey client. Additional supplicants will be available shortly. This is just the beginning of fast secure roaming as Airespace is currently experimenting with other methods designed to enable real-time applications in a secure WLAN environment.

Conclusion
WLAN security has come a long way since the onset of WEP. New security standards, such as 802.11i using AES encryption, have helped to transition WLANs into trusted business networks. When these authentication and encryption schemes are coupled with ongoing real time monitoring for RF attacks and intruders, enterprises have a reliable wireless network that is more secure than traditional wireline infrastructures. Airespace provides these capabilities within its Wireless Protection System (WPS). In addition, Airespace marries the best security with real-time performance and seamless roaming to support all enterprise application requirements, from voice over WLANs to real-time data transfer. When it comes to secure business critical wireless networks, Airespace is the key.