Rijndael is a symmetric block cipher that processes 128-bit data blocks using cipher keys of 128-, 192-, or 256-bit lengths. NIST chose the algorithm from five finalists to be the AES used in cryptographic systems throughout the U.S. Dept. of Defense and Federal Agencies for high-security wireless LANs. Although Rijndael was not the leading contender based on strength of security—all were equally strong—it won because it requires fewer rounds (calculation cycles) to produce a sufficient level of entropy. As a result, you can implement Rijndael to run at unusually fast speeds for a block cipher on general-purpose Pentium-based processors and implement it on a Smart Card, with a small amount of RAM and using a small number of clock cycles.
A disadvantage of the algorithm is that the inverse cipher (required for decryption) is more processing intensive and so less suited for implementation of a Smart Card than is the forward cipher. Also, the cipher and its inverse use different code and tables; in hardware, the inverse cipher can only partially reuse the circuitry that implements the forward one.
Strengths of AES CCMP
AES CCMP mode provides both authentication and encryption using the AES block cipher. CCMP combines Counter (CTR) mode encryption for data privacy or confidentiality, and Cipher Block Chaining Message Authentication Code (CBC-MAC) authentication, for an authenticate-and-encrypt security process on each data block processed. CCMP has two main advantages for IEEE 802.11 security. First, it computes the CBC-MAC over the IEEE 802.11 header length, selected parts of the IEEE 802.11 MAC Payload Data Unit (MPDU) header, and the plaintext MPDU data, whereas the old IEEE 802.11 WEP mechanism provided no protection to the MPDU header. Second, both CCMP encryption and decryption use only the forward AES block cipher function rather than the more costly and processing-intensive inverse AES cipher. Using only the AES forward cipher leads to significant savings in code and hardware size. Also, the CCMP implementation does not have to complete calculation of the message authentication code before CTR encryption can begin, allowing parallel implementation and further streamlining of AES CCMP in hardware or software. The CCMP mode of AES encryption is currently under consideration by the 802.11i task group for use in future wireless devices.
Secure Key Management and Distribution
The IEEE 802.11i proposed standard goes beyond the flawed encryption mechanism of the 1999 802.11 WEP standard to include specifications on encryption, authentication, and key management in a multilayered approach to security. IEEE 802.1X-based authentication mechanisms are used, with AES in CCMP mode, to establish an 802.11 Robust Security Network (RSN). IEEE 802.1X-2001 defines a framework based on the Extensible Authentication Protocol (EAP) over local area networks (also known as EAPoL). EAPoL is used to exchange EAP messages, which execute an authentication sequence and are used for key derivation between a Station (STA) and an EAP entity known as the Authentication Server. IEEE 802.11i defines a four-way handshake using EAPoL for key management as well as pairwise and group key derivation (see Figure 1).
Figure 1. Here we see the dynamic key exchange process. Note that the certificates at the Client and Security Server devices are currently X.509, generated from a Microsoft certificate authority (CA). 3e is migrating to DOD PKI compliance, with certificates from the JITC CA. HMAC-SHA1 (not shown) is used in addition to Diffie-Hellman to prevent "man-in-the-middle" attacks.
OSI Layer 2 Protection with IPSec Layer 3 VPNs
For readers familiar with networking, the Open System Interconnection (OSI) 7-layer model defines a networking framework for implementing protocols in these layers. IPSec is intended to provide confidentiality, data origin authentication, anti-replay, and data integrity services to Internet Protocol (IP) frames. Virtual Private Networks (VPNs) typically rely on IPSec to implement secure tunnels. IPSec provides an Encapsulating Security Payload (ESP), which is a protocol header inserted into an IP datagram at the network layer (layer 3). The drawback to this approach is that for wireless systems, the datalink layer (layer 2) and physical layer (layer 1) frames are completely unprotected using IPSec alone. Spoofing and replay attacks on the MPDU and physical layer packets are possible. In general, for wireless traffic, security at layer 2 and above is advisable to protect both data and routing information. As mentioned earlier, AES CCMP computes the CBC-MAC over the 802.11 header length, selected parts of the 802.11 MAC packet header, and the plaintext MAC packet payload. This approach, combined with dynamic key exchange and careful key management, provides strong protection of the wireless frames. IPSec can and should be used in the network above AES CCMP, for multilayer security. Note that AES CCMP is recommended, although FIPS 140-2 currently mandates use of the simpler AES ECB mode. A "best practice" recommendation would be that NIST incorporate the CCMP mode into its FIPS 140-2 standard.
Dynamic Key Exchange and AES Encryption
Dynamic Key Exchange. 3eTI has developed a dynamic key exchange (DKE) technique for key management in wireless systems, which involves a security server (SS), an access point (AP), and multiple wireless client devices. The communications channel between the AP and the client devices is wireless IEEE 802.11, while the channel between the AP and SS is wired. The description of the DKE process is this. First, the SS and Client devices must obtain X.509 certificates (proving trustworthiness at a particular node in the network system) from a third-party certificate authority. This can be accomplished in a number of ways; typically, RSA is used to authenticate these certificates.
Once the X.509 certificates are in place, a client device associates with an AP to initiate the DKE sequence. Once association is successful, authentication messages and only authentication messages are permitted to flow between the Client and the SS through the AP.
Next a mutual authentication process among the Client, AP, and SS ensues, followed by a key exchange process. EAP-TLS, an authentication protocol, encapsulates EAPoL, which is used to achieve mutual authentication between the Client and the AP. Meanwhile, RADIUS, using HMAC-SHA1 (a keyed hashing algorithm), is used between the AP and the SS, for mutual authentication over the wired channel. EAP-TLS is then used to establish mutual authentication between the Client and the SS. At this point, authentication, or proof of valid identity, has been established throughout the wireless network (Client, AP, SS).
Following successful authentication, the dynamic key exchange process is initiated. As a result of the completed authentication process, a pairwise transient key (PTK) is generated at the Client device and SS. Diffie-Hellman protocol is used to exchange an AES encryption key between the SS and the AP. Then an AES-encrypted message transfers the PTK from the SS to the AP; both the Client and the AP now have the PTK. This key will be used to AES-encrypt all single-node-to-single-node traffic between the AP and the Client. A FIPS 140-2 compliant random key generator is used at the AP to generate the key that will be used to AES-encrypt all broadcast traffic between the AP and the Client. Next, an AES-encrypted message transfers the broadcast key from the AP to the Client. At this point, the AP and the Client have both unicast broadcast keys to perform layer 2 AES protection of the wireless channel. This DKE process can be selectively re-invoked whenever a client device initiates the process by associating to an AP, or when a new client joins the wireless network.
FIPS 140-2 Validation. The 3eTI DKE process and 3eTI AP and Client devices have received FIPS 140-2 validation (refer to NIST certificates #355 and #367). The FIPS 140-2 validation process entails rigorous testing and proof-of-secure-design administered by a NIST-endorsed independent laboratory. FIPS 140-2 validation is required for all federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems), as defined in Section 5131âof the Information Technology Management Reform Act of 1996, Public Law 104-106. FIPS 140-2 ensures correct construction and implementation of the cryptographic functions within a rigorously defined "cryptographic boundary."
Common Criteria Certification. The common criteria (CC) contains 15 international recognition participants and is an international standard for information assurance (ISO/IEC 15408). All IT security products purchased by the U.S. government for national security systems must be common-criteria-certified as of July 2002 if corresponding protection profiles are approved for that type of product. In anticipation of protection profiles gaining final approval, many government agencies (especially the DOD) are writing CC validation into new RFPs requiring government vendors to comply with this directive.
IEEE 802.11i, AES CCMP, ECC, and IPSec are useful, but all are passive network intrusion prevention techniques. 3eTI sees a growing trend toward including active intrusion prevention, along with traditional passive encryption, authentication, and network-based and host-based intrusion detection techniques to secure future networks. Certain emerging active intrusion prevention constructs are designed primarily to protect wireless networks, including the use of directional antennas to effectively provide an "invisible fence," or RF-boundary (layer 1), around the deployed wireless LAN. The cost of smart antennas is dropping, making them more practical for enterprise- or company-wide 802.11 networks. These smart antennas will add physical-layer security techniques to the existing data link and higher-layer techniques previously described in this article. Adaptive beam forming and beam steering, coupled with 802.11i constructs and other higher-layer intrusion prevention techniques, provide a multilayered approach to security—necessary for wireless LANs to become a transparent and fully used extension of traditional wired networks.