IEEE 802.11 security

Enhanced Open

WFA introduced “Enhanced Open” in June 2018 (Read public announcement from here) and meant to provide traffic encryption for open networks (eg public event, airport free WiFi).

This certification is based on OWE – Opportunistic Wireless Encryption (IETF RFC 8110). It is also required to use PMF – Protected Management Frames, that provide additional security.
f your device support “Enhanced Open” it will encrypt data traffic after initial association.

Here is the basic frame exchange in a “Enhanced Open” Wireless association.

Enhanced Open Transition Mode

WPA3 Personal

WPA3 Personal Transition Mode

WPA3 Lessons

WPA3-Enterprise


The Access Control protocols : IEEE 802.1X, EAP, and RADIUS

802.1X: Port-Based Authentication HOWTO


1. Introduction


This document describes the software and procedures to set up and use 802.1X: Port-Based Network Access Control using Xsupplicant with PEAP (PEAP/MS-CHAPv2) as authentication method and FreeRADIUS as back-end authentication server.

If another authentication mechanism than PEAP is preferred, e.g., EAP-TLS or EAP-TTLS, only a small number of configuration options needs to be changed. PEAP/MS-CHAPv2 are also supported by Windows XP SP1/Windows 2000 SP3.

1.1. What is EAP?


  • 802.1X is based on EAP.
  • EAP was originally designed for use with dial-up authentication via a modem.
  • IEEE 802.1X defines a protocol called EAP over LAN to get EAP messages passed between the supplicant and the authenticator.
Extensible Authentication Protocol (EAP) [RFC 3748] is just the transport protocol optimized for authentication, not the authentication method itself:

" [EAP is] an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees. Fragmentation is not supported within EAP itself; however, individual EAP methods may support this." --- RFC 3748, page 3

EAP is a simple encapsulation that can run over any link layer, but it has been most widely deployed on PPP links.

The format of EAP packets over PPP or LAN:

There is no strict requirement that EAP run on PPP; the EAP packet can be carried in any type of link frame.
  • Code
  • The Code field, the first field in the packet, is one byte long and identifies the type of EAP packet. It is used to interpret the Data field of the packet. The Code field is set to
    • 1
    • for requests
    • 2
    • for responses
    • 3
    • for success
    • 4
    • for failure
  • Identifier
  • The Identifier field is one byte long. It contains an unsigned integer used to match requests with responses to them. Retransmissions reuse the same identifier numbers, but new transmissions use new identifier numbers.
  • Length
  • The Length field is two bytes long. It is the number of bytes in the entire packet, which includes the Code, Identifier, Length, and Data fields. On some link layer protocols, padding may be required. EAP assumes that any data in excess of the Length field is link-layer padding and can be ignored.
  • Data
  • The last field is the variable-length Data field. Depending on the type of packet, the Data field may be zero bytes long. Interpretation of the Data field is based on the value of the Code field. This data field is composed of :
    • type
    • one-byte field that indicates the type of carried data.
      • 1
      • Identity. The authenticator generally uses this as the initial request. Frequently, the EAP Identity is the user identifier, possibly with routing information.
      • 2
      • Notification. The authenticator can use the Notification type to send a message to the user.
      • 3
      • NAK. If the end user system does not support the authentication type of the challenge, it can issue a NAK. The Type-Data field of a NAK message includes a single byte corresponding to the suggested authentication type. Most 802.1X implementations do not actively negotiate, and will simply log an error message if the client attempts to use an unsupported type.
      Types greater than or equal to 4 indicate authentication methods.
      • 4
      • MD5 Challenge CHAP-like authentication in EAP
      • 6
      • GTC Originally intended for use with token cards such as RSA SecurID
      • 13
      • EAP-TLS Mutual authentication with digital certificates
      • 21
      • TTLS Tunneled TLS; protects weaker authentication methods with TLS encryption
      • 25
      • PEAP Protected EAP; protects weaker EAP methods with TLS encryption
      • 18
      • EAP-SIM Authentication by mobile phone Subscriber Identity Module (SIM)
      • 29
      • MS-CHAP-V2 Microsoft encrypted password authentication; compatible with Windows domains
    • carried data
    • a variable field that must be interpreted according to the rules for each type.




1.2. What is RADIUS?


Remote Authentication Dial-In User Service (RADIUS) is defined in [RFC2865] (with friends), and was primarily used by ISPs who authenticated username and password before the user got authorized to use the ISP's network.
802.1X does not specify what kind of back-end authentication server must be present, but RADIUS is the "de-facto" back-end authentication server used in 802.1X.
There are not many AAA protocols available, but both RADIUS and DIAMETER [RFC3588] (including their extensions) conform to full AAA support. AAA stands for Authentication, Authorization, and Accounting (IETF's AAA Working Group).

1.3. What is 802.1X?


802.1X is a framework which is an adaptation of the IETF's Extensible Authentication Protocol (EAP), rather than specifying how to authenticate users, EAP allows protocol designers to build their own EAP methods, subprotocols that perform the authentication
transaction.

The 802.1X-2001 standard states:

"Port-based network access control makes use of the physical access characteristics of IEEE 802 LAN infrastructures in order to provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases which the authentication and authorization fails. A port in this context is a single point of attachment to the LAN infrastructure." --- 802.1X-2001, page 1.

802.1X defines 3 components to the authentication conversation:
  • supplicant
  • The end user machine that seeks access to network resources
  • authenticator
  • The authenticator controls the network access. It does not maintain any user information. Any incoming requests are passed to an authentication server, such as a RADIUS server, for actual processing.
  • authentication server
The authentication exchange is logically carried out between the supplicant and the authentication server, with the authenticator acting only as a bridge.

From the supplicant to the authenticator (the "front end"), the protocol is EAP over LANs (EAPOL), as defined by 802.1X. On the "back end," EAP is carried in RADIUS packets.


Figure 802.1X: A wireless node must be authenticated before it can gain access to other LAN resources.


  1. When a new wireless node (WN) requests access to a LAN resource, the access point (AP) asks for the WN's identity. No other traffic than EAP is allowed before the WN is authenticated (the "port" is closed).
    The wireless node that requests authentication is often called Supplicant, although it is more correct to say that the wireless node contains a Supplicant. The Supplicant is responsible for responding to Authenticator data that will establish its credentials. The same goes for the access point; the Authenticator is not the access point. Rather, the access point contains an Authenticator. The Authenticator does not even need to be in the access point; it can be an external component.
    EAP, which is the protocol used for authentication, was originally used for dial-up PPP. The identity was the username, and either PAP or CHAP authentication [RFC1994] was used to check the user's password. Since the identity is sent in clear (not encrypted), a malicious sniffer may learn the user's identity. "Identity hiding" is therefore used; the real identity is not sent before the encrypted TLS tunnel is up.
  2. After the identity has been sent, the authentication process begins. The protocol used between the Supplicant and the Authenticator is EAP, or, more correctly, EAP encapsulation over LAN (EAPOL). The Authenticator re-encapsulates the EAP messages to RADIUS format, and passes them to the Authentication Server.
    During authentication, the Authenticator just relays packets between the Supplicant and the Authentication Server. When the authentication process finishes, the Authentication Server sends a success message (or failure, if the authentication failed). The Authenticator then opens the "port" for the Supplicant.
  3. After a successful authentication, the Supplicant is granted access to other LAN resources/Internet.
Why is it called "port"-based authentication? The Authenticator deals with controlled and uncontrolled ports. Both the controlled and the uncontrolled port are logical entities (virtual ports), but use the same physical connection to the LAN (same point of attachment).

Before authentication, only the uncontrolled port is "open". The only traffic allowed is EAPOL. After the Supplicant has been authenticated, the controlled port is opened, and access to other LAN resources are granted;

802.1X is a framework, not a complete specification in and of itself. The actual authentication mechanism is implemented by the authentication server. 802.1X supplies a mechanism for issuing challenges and confirming or denying access, but it does not pass judgment on the offered credentials. Changes to the authentication method do not require complex changes to the end user devices or the network infrastructure. The authentication server can be reconfigured to "plug in" a new authentication service without changes to the end user driver software or switch firmware.


EAPOL Encapsulation


EAPoL is a simple encapsulation that can run over any LAN.

The IEEE 802.1X committee decided to add a few more useful messages and fields while it was defining EAPOL.

The EAP messages are encapsulated by prepending an MAC header.

Not all EAPOL frames actually carry EAP messages; some are used to perform administrative tasks.



  • MAC Header
  • In shared-media LANs such as Ethernet, supplicants send EAPOL messages to the group address of 01:80:C2:00:00:03.
  • Ethernet Type
  • As with any other Ethernet frame, the Ethernet Type field contains the two-byte type code assigned to EAPOL: 88-8e.
  • Version
  • Version 1 was standardized in the 2001 version of 802.1X; version 2 was specified in 802.1X-2004. This chapter describes the 2001 version, which is much more commonly implemented.
  • Packet Type
  • EAPOL is an extension of EAP. In addition to the EAP messages that are described in the previous section, EAPOL adds some messages to adapt EAP to the port-based LAN environment. EAPOL message types:
    • 0000 0000
    • EAP-Packet. This EAPOL frame is used for sending the actual EAP messages. It is simply a container for transporting an EAP message across the LAN, which was the original objective of the EAPOL protocol. Most frames are EAP-Packet
    • 0000 0001
    • EAPOL-Start. Instead of waiting for a challenge from the authenticator, the supplicant can issue an EAPOL-Start frame. By sending this message to a special group-multicast MAC address reserved for IEEE 802.1X authenticators, a supplicant can find out whether an authenticator is present and let it know that the supplicant is ready. In response, the authenticator sends an EAP-Request/Identity frame.
    • 0000 0010
    • EAPOL-Logoff. When a system is done using the network, it can issue an EAPOL-Logoff frame to return the port to an unauthorized state.
    • 0000 0011
    • EAPOL-Key. EAPOL can be used to exchange cryptographic keying information. A slightly modified EAPOL-Key message (4-way handshake) is used to establish encryption keys and also to validate that both sides have correct keys before allowing access.
    • 0000 0100
    • EAPOL-Encapsulated-ASF-Alert. The Alerting Standards Forum (ASF) has defined a way of allowing alerts, such as SNMP traps, to be sent to an unauthorized port using this frame type.
  • Packet Body Length
  • This two-byte field is the length of the Packet Body field in bytes. It is set to 0 when no packet body is present.
  • Packet Body
  • This variable-length field is present in all EAPOL frames except the EAPOL-Start and EAPOL- Logoff messages. It encapsulates one EAP packet in EAP-Packet frames, one key descriptor in EAPOL-Key frames, and one alert in EAPOL-Encapsulated-ASF-Alert frames.

The below diagram is referenced from cisco.com and shows the EAPOL and EAP flows, the EAP-PEAP authentication method is used.


802.1X on Wireless LANs


The encapsulation of EAP over IEEE 802 is defined in [IEEE-802.1X].


The "port" in 802.1X on wireless is an association between a wireless device and its access point. The successful exchange of Association Request and Association Response frames is reported to the 802.1X state engine as the link layer becoming active.
Once associated, a station can exchange 802.1X frames in an attempt to become authorized.

The main difference between EAPOL exchanges and EAP exchanges is that supplicants can issue EAPOL-Start frames to trigger the EAP exchange, and they can use EAPOL-Logoff messages to deauthorize the port when the station is done using the network.
EAP authentication in RADIUS packets is specified in RFC 2869.

  1. The supplicant associates with the 802.11 network. Association is a simple two-frame exchange which nearly always succeeds.
  2. The supplicant starts the 802.1X exchange with an EAPOL-Start message. This step is optional. Not all supplicants send EAPOL-Start messages, so this step may not be present.
  3. The "normal" EAP exchange begins. The authenticator (access point) issues an EAP-Request/Identity frame. Request/Identity frames may be sent without first having an EAPOL-Start if the access point only forwards frames for authenticated sessions. Unsolicited Request/Identity frames indicate to the supplicant that 802.1X authentication is required.
  4. The supplicant replies with an EAP-Response/Identity frame, which is passed on to the RADIUS server as a Radius-Access-Request packet.
  5. The RADIUS server determines the type of authentication that is required, and sends an EAP-Request for the method type. The EAP-Request is encapsulated in a Radius-Access-Challenge packet to the AP. When it reaches the AP, the EAP-Request is passed on to the supplicant. EAP Requests are are often denoted EAP-Request/Method, where the Method refers to the EAP method in use. If PEAP is in use, the return packet will be written as EAP-Request/PEAP.
  6. The supplicant gathers the reply from the user and sends an EAP-Response/Method in return. The response is translated by the authenticator into a Radius-Access-Request with the response to the challenge as a data field.
  7. Steps five and six repeat as many times as is necessary to complete the authentication. If it is an EAP method that requires certificate exchange, multiple steps are almost certainly required. Many EAP exchanges can require 10-20 round trips between the client and RADIUS server.
  8. The RADIUS server grants access with a Radius-Access-Accept packet, so the authenticator issues an EAP-Success frame and authorizes the port. Authorization may depend on parameters passed back from the RADIUS server.
  9. Immediately following receipt of the Access-Accept packet, the access point distributes keys to the supplicant using EAPOL-Key messages.

  10. The Group Key Handshake could be considered a 2-way handshake. "WPA and RSN Key Hierarchy," outlines how a slightly modified EAPOL-Key message ((4-way handshake)) is used to establish encryption keys and also to validate that both sides have correct keys before allowing access.
  11. Once keys are installed in the supplicant, it can begin sending data frames to access the network. It is quite common at this point for DHCP configuration to take place.
  12. When the supplicant is done accessing the network, it sends an EAPOL-Logoff message to put the port back into an unauthorized state.
It is not necessary for the user to begin an EAPOL exchange with the EAPOL-Start message. At any point, the authenticator can begin an EAPOL exchange by issuing an EAP-Request/Identity frame to refresh the authentication data. Re-authentications are often triggered by session timeout values to refresh keys. The EAPOL-Key frame allows keys to be sent from the access point to the client and vice versa. Key exchange frames are sent only if the authentication succeeds; this prevents the compromise of key information. EAPOL-Key frames can be used periodically to update keys dynamically as well.

1.2. What is 802.11i?

1.2.1. WEP

Wired Equivalent Privacy (WEP), which is part of the original 802.11 standard, should provide confidentiality. Unfortunately WEP is poorly designed and easily cracked. There is no authentication mechanism, only a weak form of access control (must have the shared key to communicate). Read more here. As a response to WEP broken security, IEEE has come up with a new wireless security standard named 802.11i. 802.1X plays a major role in this new standard.

1.2.2. 802.11i

The new security standard, 802.11i, which was ratified in June 2004, fixes all WEP weaknesses. It is divided into three main categories:
  1. Temporary Key Integrity Protocol (TKIP) is a short-term solution that fixes all WEP weaknesses. TKIP can be used with old 802.11 equipment (after a driver/firmware upgrade) and provides integrity and confidentiality.
  2. Counter Mode with CBC-MAC Protocol (CCMP) [RFC2610] is a new protocol, designed from ground up. It uses AES [FIPS 197] as its cryptographic algorithm, and, since this is more CPU intensive than RC4 (used in WEP and TKIP), new 802.11 hardware may be required. Some drivers can implement CCMP in software. CCMP provides integrity and confidentiality.
  3. 802.1X Port-Based Network Access Control: Either when using TKIP or CCMP, 802.1X is used for authentication.
In addition, an optional encryption method called "Wireless Robust Authentication Protocol" (WRAP) may be used instead of CCMP. WRAP was the original AES-based proposal for 802.11i, but was replaced by CCMP since it became plagued by property encumbrances. Support for WRAP is optional, but CCMP support is mandatory in 802.11i. 802.11i also has an extended key derivation/management, described next.

1.2.3. Key Management

1.2.3.1. Dynamic key exchange and management
To enforce a security policy using encryption and integrity algorithms, keys must be obtained. Fortunately, 802.11i implements a key derivation/management regime. See figure KM. Figure KM: Key management and distribution in 802.11i.
  1. When the Supplicant (WN) and Authentication Server (AS) authenticate, one of the last messages sent from AS, given that authentication was successful, is a Master Key (MK). After it has been sent, the MK is known only to the WN and the AS. The MK is bound to this session between the WN and the AS.
  2. Both the WN and the AS derive a new key, called the Pairwise Master Key (PMK), from the Master Key.
  3. In PSK authentication, the PMK is actually the PSK[6], which is typically derived from WiFi password by putting it through a key derivation function that use SHA-1 as the cryptographic hash function.[7] If an 802.1X EAP exchange was carried out, the PMK is derived from the EAP parameters provided by the authentication server.
  4. The PMK is then moved from the AS to the Authenticator (AP). Only the WN and the AS can derive the PMK, else the AP could make access-control decisions instead of the AS. The PMK is a fresh symmetric key bound to this session between the WN and the AP.
  5. PMK and a 4-way handshake are used between the WN and the AP to derive, bind, and verify a Pairwise Transient Key (PTK). The PTK is a collection of operational keys:

    • Key Confirmation Key (KCK), as the name implies, is used to prove the possession of the PMK and to bind the PMK to the AP.
    • Key Encryption Key (KEK) is used to distributed the Group Transient Key (GTK). Described below.
    • Temporal Key 1 & 2 (TK1/TK2) are used for encryption. Usage of TK1 and TK2 is ciphersuite-specific.

    See figure PKH for a overview of the Pairwise Key Hierarchy.
  6. The KEK and a 4-way group handshake are then used to send the Group Transient Key (GTK) from the AP to the WN. The GTK is a shared key among all Supplicants connected to the same Authenticator, and is used to secure multicast/broadcast traffic.
Figure PKH: Pairwise Key Hierarchy
1.2.3.2. Pre-shared Key
For small office / home office (SOHO), ad-hoc networks or home usage, a pre-shared key (PSK) may be used. When using PSK, the whole 802.1X authentication process is elided. This has also been called "WPA Personal" (WPA-PSK), whereas WPA using EAP (and RADIUS) is "WPA Enterprise" or just "WPA". The 256-bit PSK is generated from a given password using PBKDFv2 from [RFC2898], and is used as the Paiwise Master Key (PMK) described in the key management regime above.


It can be one single PSK for the whole network (insecure), or one PSK per Supplicant (more secure).

1.2.4. TSN (WPA) / RSN (WPA2)

The industry didn't have time to wait until the 802.11i standard was completed. They wanted the WEP issues fixed now! Wi-Fi Alliance felt the pressure, took a "snapshot" of the standard (based on draft 3), and called it Wi-Fi Protected Access (WPA). One requirement was that existing 802.11 equipment could be used with WPA, so WPA is basically TKIP + 802.1X. WPA is not the long term solution.
WPA的出現,是由於WEP加密機制幾近瓦解,加上IEEE制定802.11i標準的時程不斷延後,使得市面上無線網路設備沒有可靠的加密方式可以依循。在這樣的狀況下,Wi-Fi聯盟便將802.11i第三版草案中,規範的TKIP(Temporal Key Integrity Protocol)加密方式先獨立拉出來,作為WPA加密機制的骨幹,在能與原有支援WEP設備相容的狀況下,於2003年推出WPA加密機制。
WPA可以說是在商業考量下,原有WEP加密機制的加強版,仍然使用RC4加密演算法,但因為加入了TKIP,所以安全性大幅提升。TKIP將IV的位元數從24增加到48。
並且透過TKIP金鑰、傳送位址資訊、變動的IV值中的32位元,先做一次運算,得出一把金鑰後,再與IV值中剩下的16位元進行運算,最後得出128位元的金鑰,並且能夠替每個訊框配上獨特的金鑰。這使得TKIP機制等於擁有多個主要金鑰來源,輔以不停變動的48位元IV值,讓每個訊框都能以不同的金鑰加密,增加了破解的難度。

此外,TKIP也有序號計數的能力,每個訊框加密發送出去後,都會編列序號,接收端會確認接收的次序,這可以有效避免攻擊者攔截封包再重發的攻擊模式。並且加上一個名為MIC(Message Integrity Check)的檢驗方式,MIC採用的演算法被稱為Michael,透過輸入目的地位址、來源位址,Michael會產生一組32位元倍數的值(一般來說為64位元),其中包括保留和優先性等補0的欄位。經由Michael演算,得到一個更可靠的確認值MIC,讓接收端能夠驗證封包的完整性,並且由於Michael並非線性的雜湊演算法,所以不會有過去WEP的問題。而為了避免暴力硬破的重複嘗試攻擊,在傳輸的過程中,如果MIC值錯誤,MIC機制也會在60秒內自動啟動反制措施,停止通訊60秒。

To get a Robust Secure Network (RSN), the hardware must support and use CCMP. RSN is basically CCMP + 802.1X. RSN, which uses TKIP instead of CCMP, is also called Transition Security Network (TSN). RSN may also be called WPA2, so that the market don't get confused.

WPA2同時使用TKIP與CCMP(Counter Mode with CBC-MAC Protocol)加密機制。 CCMP只要透過輸入訊框、暫時金鑰、金鑰識別碼、封包號碼,就能進行加密。透過由封包號碼和傳送端位址產生的亂數nonce(密碼學中指用過就拋棄的亂數號碼),以及由訊框標頭產生的額外認證資料(Additional Authentication Data,AAD),然後與128位元的暫時金鑰共同經過CCM加密,產出MIC和加密完成的資料。

Confused?
Basically:

  • TSN = TKIP + 802.1X = WPA(1)
  • RSN = CCMP + 802.1X = WPA2
In addition comes key management, as described in the previous section.


Wi-Fi 新標準 WPA3 蜻蜓 (Dragonfly) 金鑰交換協議分析

與WPA3相關的最核心的文件為RFC7664,其中描述的是WPA3中最大的改進,就是將原來的四次握手協議換成了新的“蜻蜓祕鑰交換協議”(Dragonfly Key Exchange),該協議將認證和祕鑰交換兩個功能合成於一個協議。
號稱可以解決WPA2中未解決的幾個安全問題:
  • 離線密碼破解——獲得WPA2的四次握手包即可進行離線字典攻擊,破解無線密碼。
  • 轉發安全(Forward Secracy)——已知4次握手和無線密碼的情況下,可以解密目標的所有通訊流量。
  • KRACK等其他已知攻擊方法。
WPA3企業級認證與WPA2相比差別不大,僅僅將金鑰長度增加到了192位(WPA2使用的是128位的加密金鑰)仍然採用EAP-SSL,EAP-SIM/EAP-AKA之類的基於認證伺服器的認證方法。

改動最大的地方就是WPA3個人級

  • 更強的基於密碼的認證安全(官方聲稱即使使用者使用弱密碼,仍然可以得到良好的保護。)
  • 使用等量同步認證——一種更安全的裝置間金鑰交換協議,即蜻蜓協議,可以防止通通訊流量被竊聽,即使被攻擊者獲取了握手過程,也無法解密流量。
  • 金鑰長度擴充套件到192位。

WPA2-PSK

  1. AP傳送一個隨機數AP Nonce給STA,STA通過AP的ESSID,以及自己的MAC地址,AP的MAC地址,PSK,AP傳送的隨機數以及自己生成的STA Nonce,這6個引數生成PMK和PTK。
  2. STA傳送第1步生成的隨機數STA Nonce給AP,並使用上一步生成的PTK生成該資料包的訊息校驗值MIC附在資料包後面傳送給AP,AP通過包括STA Nonce在內的同樣6個引數生成自己的PMK和PTK,並用PTK校驗STA傳送的資料包的MIC值是否匹配,如果匹配則說明PSK正確認證通過。
  3. AP將組金鑰(即GTK用於加密廣播以及組播包的金鑰)用PMK加密並附上MIC傳送給STA。
  4. STA校驗MIC後裝入GTK並回復ACK,金鑰交換結束開始加密通訊。
AP和STA對於PTK金鑰的計算演算法是對稱的,只要握手過程被截取,任何知道Pre-Shared Key的人都可以計算出PTK,從而解密所有通訊流量。

因為這一點,導致WPA2可以被離線字典攻擊。
公開的網路中,例如星巴克,酒店之類的場景,PSK被很多人都知道,一旦金鑰被攻擊者獲取,就無法保證使用者的資料安全!

WPA3 Dragonfly(蜻蜓)金鑰交換演算法

How to decrypt WPA2 AES data on Over the Air Packet Captures with Wireshark


Requirements

  • Capture to be on .pcap format.
  • Frames are to be presented in 802.11 format.
  • Know the SSID name and PSK for the WLAN from which Over the Air Capture has been collected.
  • Capture the 4 EAPOL 4 way handshake.
  • The most accurate process to do this is to start the capture and then de-authenticate the client in order to catch the process from zero, meaning that the 4 way EAPOL handshake will be included.

Steps


  • Configure Wireshark
  • In Wireshark:
    • go to “Preferences” Menu.
    • Go to “Protocols” menu and look for “IEEE 802.11”
    • From IEEE 802.11 section check the “Enable Decryption” check box and click on “Edit…” button next to “Decryption Keys” label.
    • Once in the “Edit” menu click on New button of the window.
      • From the key type choose “wpa-psk”.
      • Generate the ky
      • In order to obtain the key it is important to know the exact name of SSID and PSK then go to the website "WPA PSK (Raw Key) Generator" to generate the key based on these two elements. Input the "Passphrase" and "SSID", click on “Generate PSK”, this will generate the key, copy it and go back to Wireshark.
      • Then click “Apply” at the “Preferences” screen”. Capture will begin to be decoded.
  • Open the captured file
  • Use "eapol" as the filter to locate the key exchange event.
  • Investigate the beacon information
  • RSN and WPA tag attributes.
  • Investigate the association request
  • STA selects one of authentication methods and cipher suites advertised by AP.
  • For 802.11 WPA-Enterprise, 802.1x authentication takes place after successful 802.11 association
  • After successful 802.1x authentication, PMK is trasmitted to AP in “Access-Accept” message from AAA server.
  • 4-way handshake takes place using PMK, then, PTK and GTK are established.

WPA Supplicant

To authenticate to a network with the 802.1x protocol, the WPA-Supplicant software can be used. Despite the software’s heavy focus on wireless networking, it can be used for the authentication of wired networks as well. WPA supplicant should already be installed. Otherwise, install it:

  sudo apt-get install wpasupplicant
To configure our computer for using WPA-Supplicant, two configuration files need to be edited:
  • /etc/wpa_supplicant.conf
  • Copy the following basic configuration into the new file:
    
    # Where is the control interface located? This is the default path:
    ctrl_interface=/var/run/wpa_supplicant
    
    # Who can use the WPA frontend? Replace "0" with a group name if you
    #   want other users besides root to control it.
    # There should be no need to chance this value for a basic configuration:
    ctrl_interface_group=0
    
    # IEEE 802.1X works with EAPOL version 2, but the version is defaults 
    #   to 1 because of compatibility problems with a number of wireless
    #   access points. So we explicitly set it to version 2:
    eapol_version=2
    
    # When configuring WPA-Supplicant for use on a wired network, we don’t need to
    #   scan for wireless access points. See the wpa-supplicant documentation if
    #   you are authenticating through 802.1x on a wireless network:
    ap_scan=0
    
    Next we need to add the authentication configuration for the network we are authenticating to. Every network has the specific settings and protocols needed for its situation. Example for a wired network with:
    • Network access authentication through IEEE 802.1x.
    • EAP-Tunnelled Transport Layer Security, using PAP and MD5 as the authentication protocol.
    • No certificates.
    The corresponding settings in /etc/wpa_supplicant.conf:
    
    network={
            key_mgmt=IEEE8021X
            eap=TTLS MD5
            identity="myloginname"
            anonymous_identity="myloginname"
            password="mypassword"
            phase1="auth=MD5"
            phase2="auth=PAP password=mypassword"
            eapol_flags=0
    }
    
    
    To test the authentication process, we can call WPA-Supplicant directly with our new configuration file. For example, in case of a wired network, execute the following command:
    
    sudo wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i eth0
    
    
  • /etc/network/interfaces
  • If WPA-Supplicant can authenticate our computer to the network, we can add it to the global network configuration. By doing this WPA-Supplicant is automatically run when we boot up the computer or restart its network. There should already be a number of network interfaces configured in this file. Below we add 802.1x authentication for a wired network, be sure to select the proper driver for WPA-Supplicant if you want to authenticate to a wireless network:
    
    # The first network interface.
    # In this case we want to receive an IP-address through DHCP:
    auto eth0
    iface eth0 inet dhcp
    
    # In this case we have a wired network:
    wpa-driver wired
    
    # Tell the system we want to use WPA-Supplicant with our configuration file:
    wpa-conf /etc/wpa_supplicant.conf
    
    To test our new configuration,
    
    sudo /etc/init.d/networking restart
    

configuring WPA-Supplicant for wireless networks

  • Add the following to the end of /etc/wpa_supplicant.conf
  • 
      network={
            ssid="NetworkEssid"
            scan_ssid=1 # only needed if your access point uses a hidden ssid
            proto=WPA
            key_mgmt=WPA-PSK
            psk=945609a382413e64d57daef00eb5fab3ae228716e1e440981c004bc61dccc98c
      }
    
  • Add the following to the end o/etc/network/interfaces
  • 
    auto ath0
    iface ath0 inet dhcp
    wpa-driver madwifi
    wpa-conf /etc/wpa_supplicant.conf
    

How to Install FreeRADIUS on Ubuntu

RADIUS is a networking protocol that provides Authentication, Authorization and Accounting (AAA).

Install FreeRADIUS on Ubuntu


$ sudo apt-get install freeradius
Once the installation is finished, let’s verify that it was actually installed by running the command below:

$ freeradius -v

Afterwards, let’s run a quick configuration check:

$ sudo freeradius -CX
The configuration file for Freeradius is located in /etc/freeradius/3.0,

/etc/freeradius/3.0
├── certs
├── clients.conf
├── dictionary
├── experimental.conf
├── hints -> mods-config/preprocess/hints
├── huntgroups -> mods-config/preprocess/huntgroups
├── mods-available
├── mods-config
├── mods-enabled
├── panic.gdb
├── policy.d
├── proxy.conf
├── radiusd.conf
├── README.rst
├── sites-available
├── sites-enabled
├── templates.conf
├── trigger.conf
└── users -> mods-config/files/authorize

  • created a new client
  • A new client called OOB created which includes the IP address of the client and the secret password that is used to secure the communication between the RADIUS server and the client device. Add the folling to /etc/freeradius/3.0/clients.conf:
    
    client OOB {
    ipaddr = 192.168.0.10
    secret = secretpassword
    }
    
  • adding users
  • Add the folling to /etc/freeradius/3.0/users:
    
    r_user Cleartext-Password := “Password
    The user "r_user" is added with a type of password.
  • re-start the radius server
  • sudo service freeradius start
Now you just need to configure your device with your Freeradius server.




留言

熱門文章