William Stallings, Cryptography and Network Security 3/e

William Stallings, Cryptography and Network Security 3/e

Chapter 5 (B) Using IEEE 802.1x Purpose: (a) port authentication (b) access control An IEEE standard http://standards.ieee.org/getieee802/download/802.1X-2001.pdf Used in both wired and wireless networks

Example: used in 802.11i as the new security mechanism of IEEE 802.11 (aka WLAN), replacing the originally proposed un-secure WEP See http://sce.uhcl.edu/yang/research/WLAN%20security.doc for further discussions. Network Security 1 IEEE 802.1x Standard Primary goal: to allow for controlled access to the LAN environment Authentication of Layer 2 devices Before a device is allowed to connect to the physical or logical

port of a switch or a wireless access point, it first needs to be authenticated and authorized. Example Uses: Ethernet, Token Ring, 802.11 WLAN Additional resource: http://www.networkdictionary.com/protocols/8021x.php Network Security 2 802.1x Entities 1. Supplicant:

requests to connect to a LAN 2. Authenticator: responsible for initiating the authentication process Acting as a relay btwn the authentication server and the supplicant 3. Authentication server: responsible for doing the actual authentication & authorization Network Security

3 802.1x entities Network Security 4 Port access entity (PAE) From section 6.2 of the IEEE 802.1x standard ( The Port Access Entity (PAE) operates the algorithms and protocols

associated with the authentication mechanisms for a given Port of the System. In the Supplicant role, the PAE is responsible for responding to requests from an Authenticator for information that will establish its credentials. The PAE that performs the Supplicant role in an authentication exchange is known as the Supplicant PAE. In the Authenticator role, the PAE is responsible for communication with the Supplicant, and for submitting the information received from the Supplicant to a suitable Authentication Server in order for the credentials to be checked and for the consequent authorization state to be determined. The PAE that performs the Authenticator role in an authentication exchange is known as the Authenticator PAE.

http://standards.ieee.org/getieee802/download/802.1X-2001.pdf) The Authenticator PAE controls the authorized/unauthorized state of its controlled Port (see 6.3) depending on the outcome of the authentication process. Network Security 5 Controlled and uncontrolled access The operation of Port-based access control has the effect of creating two distinct points of access to the Authenticator Systems point of attachment to the LAN. The uncontrolled and controlled Ports are considered to be part of the same point of attachment to the LAN; any frame received on the physical Port is made available at both the controlled and

uncontrolled Ports, subject to the authorization state associated with the controlled Port. Network Security 6 Supplicant Authenticator - Auth. Server Network Security 7 802.1x communcations EAP

Originally developed for PPP Allow two entities to exchange authentication data via various authentication mechanisms: One-time password, MD5 hashed username and password, etc. RFC 2284 PPP Extensible Authentication Protocol (EAP) L. Blunk, J. Vollbrecht. March 1998 (obsoleted) RFC3748 Extensible Authentication Protocol (EAP) B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz (Ed.) June 2004 (current edition) RFC3579 RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP) B. Aboba, P. Calhoun. September 2003.

Network Security 8 EAP Aboba, et al. Standards Track [Page 21] RFC 3748 EAP June 2004 (ftp:// ftp.rfc-editor.org/in-notes/rfc3748.txt) Network Security

9 EAP 4 types of EAP packets 1. 2. 3. 4. Request Response Success

Failure Subtypes of request/response messages: Identify: authenticator (send your identity info) supplicant Notification: authenticator (notification/warning, etc.) supplicant NAK: supplicant (unacceptable! This is my desired authentication mechanism) authenticator MD-5 challenge: authenticator (challenge) supplicant supplicant (response) authenticator Network Security

10 EAP Subtypes of request/response messages (cont.): One-time password a password with an expiration time that is about to expire, i.e., an OTP sequence integer which is nearing 0 EAP-TLS message Allows a supplicant and an authentication server to use digital certificates to authenticate each other

RFC2716 PPP EAP TLS Authentication Protocol B. Aboba, D. Simon. October 1999. A mutual authentication method Network Security 11 Using EAP in IEEE 802.1x Question: Is this protocol secure? Is replay attack possible?

Network Security 12 More EAP Scenarios in 802.1x Network Security 13 More EAP Scenarios in 802.1x Network Security 14

EAPOL EAP over LANs Allows EAP packets to be encapsulated in regular LAN frames (e.g., Ethernet, Token Ring) Source: http://standards.iee e.org/getieee802/d

ownload/802.1X2001.pdf Network Security 15 EAPOL Packet type in IEEE 802.3 a) EAP-Packet. A value of 0000 0000 indicates that the frame carries an EAP packet. b) EAPOL-Start. A value of 0000 0001 indicates that the frame is an EAPOL-Start frame. c) EAPOL-Logoff. A value of 0000 0010 indicates that the frame is an explicit EAPOL-Logoff request frame. d) EAPOL-Key. A value of 0000 0011 indicates that the frame is an EAPOL-Key frame. e) EAPOL-Encapsulated-ASF-Alert. A value of 0000 0100 indicates that the frame carries an EAPOL-Encapsulated-ASF-Alert.

All other possible values of this field shall not be used, as they are reserved for use in potential future extensions to this protocol. Network Security 16 EAPOL-Key frame Network Security 17 Overall 802.1x Architecture Network Security

18 Summary Next: NAT and security Network Security 19

Recently Viewed Presentations

  • Task xx Scope  Connector Pin Strand Purpose  To

    Task xx Scope Connector Pin Strand Purpose To

    Define a range owned by each end and then associate them. Define a termination that owns the ranges involved at each end. Then decorate the ranges onto the connectors. mTOP Outside Plant Submission Telstra-Cisco 1-2.doc, written around 2007. Should be...
  • Food Chains and Food Webs - Weebly

    Food Chains and Food Webs - Weebly

    Photosynthesis. Photosynthesis is the process in which plants can make their own food (hence they are called autotrophs) Plants use energy from the sun to combine the carbon dioxide and water to form glucose (sugar) and oxygen
  • PENNSYLVANIA DEPARTMENT OF AGRICULTURE ERIE 25 WARREN 62

    PENNSYLVANIA DEPARTMENT OF AGRICULTURE ERIE 25 WARREN 62

    LAWRENCE 37 CLEARFIELD 17 MONTOUR47 UNION 60 BUTLER 10 CENTRE 14 CARBON 13 NORTHUMBER-LAND 49 ARMSTRONG 3 SNYDER 55 NORTHAMPTON 48 INDIANA 32 BEAVER 4 ... Zach Travis - Milk REGION VII 1015 Bridge St Collegeville, PA 19426 (610) 489-1003...
  • Animal Farm

    Animal Farm

    Animal Farm. Parallels between the book and "real life" Leon Trotsky- Snowball. Josef Stalin- Napoleon
  • Title of This Presentation

    Title of This Presentation

    Bill Jeatran is the chief executive officer of Marsh & McLennan Agency's upper Midwest region. In 1986 he founded RJF Agencies, Inc., when he purchased a $100,000-revenue insurance agency, which he structured and developed to deliver exceptional value to both...
  • Creating an Environment of Expectations Navigating the pathway

    Creating an Environment of Expectations Navigating the pathway

    Crucial conversations and work plans are essential data points to focus on when completing an evaluation. ... Yet everyone wanted more accountability and a look forward to merit. I can't in good faith recommend merit until we have a handle...
  • Grid meets Economics: A Market Paradigm for Resource ...

    Grid meets Economics: A Market Paradigm for Resource ...

    678 Topics Covered (1) Part A: Foundation Socket Programming Thread Programming Elements of Parallel Computing Part B: Cluster Computing Elements of Cluster Computing
  • World War I

    World War I

    Crossword of Causes of WW I. ... All expected that the war would soon be over, concluded in a few decisive battles. ... Germany claimed that it was armed and carried Canadian troops. In actuality, it was not armed and...