Saturday, 4 February 2012

IEEE 802.11i, IEEE 802.11r, IEEE 802.11k and IEEE 802.11w

IEEE 802.11i
802.11i is implemented as WPA2 (Wi-Fi Protected Access 2). It supersedes WEP (Wired Equivalent Privacy), which is known to have several severe weaknesses. 802.11i uses the Advanced Encryption Standard (AES) block cipher for encryption.


802.11i Data Frame Details



EAP packets are encapsulated in EAPoL EAP-Packet frames so that they can cross the LAN segment between the supplicant and the authenticator. EAPoL also provides some control features; for example, an EAPoL-Start message was defined to initiate the EAPoL exchange, and an EAPoL-Logoff message was defined to terminate a connection.

Even though these two control messages are part of IEEE 802.1X-2001, the IEEE 802.11i draft does not require them. IEEE 802.1X-2001 also defined an optional capability to use the EAPoL-Key message to exchange cryptographic keys, but no mechanism was defined to exchange those keys securely.
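802.11i fixes that gap with its own key hierarchy and a keyed MIC on the EAPoL-Key messages of the Four-Way Handshake. The Python below is an added worked example written for this post (it is not code from the original page or from any 802.11 implementation): it derives the PMK from a passphrase and SSID as WPA2-Personal does, expands it into the PTK (KCK, KEK, TK) with the 802.11i PRF, and then computes and verifies the EAPoL-Key MIC over a constructed message 2. The passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector input; the MAC addresses, nonces and frame contents are constructed test values, and the frame layout is simplified to the fields needed for the MIC.

```python
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL header (4 bytes) + key-descriptor fields that precede the MIC (77 bytes)
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... and truncate."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(ANonce,SNonce)||Max(ANonce,SNonce)).
    The Min/Max ordering lets AP and STA derive the same PTK from the same inputs.
    48 bytes for CCMP: KCK (16) || KEK (16) || TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, length)


def split_ptk(ptk: bytes):
    return ptk[0:16], ptk[16:32], ptk[32:48]  # KCK, KEK, TK


def build_eapol_key_frame(key_info: int, replay_counter: int, nonce: bytes, key_data: bytes) -> bytes:
    """Constructed EAPOL-Key frame with the MIC field zeroed (field order per 802.11i / 802.1X)."""
    body = (
        b"\x02"                            # descriptor type: RSN key descriptor
        + key_info.to_bytes(2, "big")      # key information (version, pairwise, MIC bits, ...)
        + (16).to_bytes(2, "big")          # key length: 16 bytes for a CCMP TK
        + replay_counter.to_bytes(8, "big")
        + nonce                            # 32-byte nonce
        + b"\x00" * 16                     # key IV
        + b"\x00" * 8                      # key RSC
        + b"\x00" * 8                      # reserved (key ID)
        + b"\x00" * MIC_LEN                # MIC placeholder, filled in after computing it
        + len(key_data).to_bytes(2, "big")
        + key_data
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL version 2, type 3 = EAPOL-Key


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Descriptor version 2 (AES-CCMP): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def verify_eapol_key_mic(kck: bytes, frame: bytes) -> bool:
    """Receiver-side check on messages 2-4: recompute the MIC and compare in constant time."""
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def ptk_order_independent() -> bool:
    """Both sides get the same PTK even though each sees the addresses/nonces in a different order."""
    pmk = pmk_from_passphrase("password", "IEEE")
    aa, spa = bytes.fromhex("00aabbccddee"), bytes.fromhex("001122334455")  # constructed MACs
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                # constructed nonces
    return derive_ptk(pmk, aa, spa, anonce, snonce) == derive_ptk(pmk, spa, aa, snonce, anonce)


def demo():
    """Returns (MIC verifies on the genuine message 2, MIC verifies on a tampered copy)."""
    pmk = pmk_from_passphrase("password", "IEEE")   # 802.11i test-vector passphrase and SSID
    aa = bytes.fromhex("00aabbccddee")              # constructed AP (authenticator) MAC
    spa = bytes.fromhex("001122334455")             # constructed STA (supplicant) MAC
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck, kek, tk = split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce))
    # Message 2: key info = descriptor version 2 | pairwise | MIC present
    msg2 = build_eapol_key_frame(0x010A, 1, snonce, b"")
    msg2 = msg2[:MIC_OFFSET] + eapol_key_mic(kck, msg2) + msg2[MIC_OFFSET + MIC_LEN:]
    tampered = msg2[:-1] + bytes([msg2[-1] ^ 0x01])  # flip one bit of the key-data length
    return verify_eapol_key_mic(kck, msg2), verify_eapol_key_mic(kck, tampered)


if __name__ == "__main__":
    print(pmk_from_passphrase("password", "IEEE").hex())
    print(demo())
```

The point of the MIC is exactly the one the post raises about 802.1X-2001: the KCK exists only on the two parties that share the PMK and the exchanged nonces, so a handshake message whose MIC does not verify is discarded rather than acted on, and a replay counter in the frame prevents an old message from being accepted twice.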


802.11i Connection Sequence Diagrams





IEEE 802.11r
IEEE 802.11r is an amendment to the 802.11 standard to permit continuous connectivity aboard wireless devices in motion, with fast and secure hand-offs from one base station to another managed in a seamless manner.

802.11r Data Frame Details




During the initial association in a mobility zone, an 802.11r-capable STA and AP perform an Open System Authentication exchange, followed by an FT Reassociation Exchange that differs from the 802.11 Reassociation Exchange by including an MDIE in the Reassociation Request to indicate that the STA wishes to use 802.11r. Moreover, a Fast Transition Information Element (FTIE) is included in the Reassociation Response frame issued by the AP. The FTIE carries the R0KH-ID as well as the current access point's R1KH-ID. After successful 802.1X authentication, the AP and STA engage in an FT four-way handshake that differs from the 802.11i handshake by carrying extra MDIE and FTIE components, needed for the derivation of the PMK-R1s and PTKs.


802.11r Connection Sequence Diagrams






IEEE 802.11k
IEEE 802.11k is an amendment to the 802.11 standard for radio resource management (RRM). It defines and exposes radio and network information to facilitate the management and maintenance of a mobile wireless LAN.


802.11k Data Frame Details



Pros

  • Guaranteed to work on all existing hardware.
  • No need for separate negotiation, configuration or policy
  • No changes to existing security mechanisms.
  • RRM uses implemented ciphersuites.
  • No modifications to 4-way handshake.
  • Compatible with WPA2 driver model.
  • Driver passes up SMI-Information frames to OS as data
  • OS reflects SMI-Information frames back down to the driver via OIDs
  • Enables sending of RRM frames over the DS in future.

Cons

  • Requires allocation of new Ethertype
  • Experimental Ethertype used until actual Ethertype allocated



IEEE 802.11w
IEEE 802.11w is an amendment to the 802.11 standard that increases the security of management frames. However, management frames remain vulnerable to eavesdropping, forgery and tampering before the Four-Way Handshake completes, because no keys exist yet with which to protect them.
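Once the handshake has completed on a network that negotiated 802.11w, unicast deauthentication and disassociation frames for that association are sent with the Protected Frame bit set and their body encrypted, so an unprotected one naming that BSSID is the thing a monitor should notice. The Python below is an added example written for this post (not code from the original page or from any 802.11 product): it decodes the 802.11 MAC header (little-endian Frame Control field, with bit 14 as the Protected Frame bit) and flags deauth/disassoc frames that claim a PMF-capable BSSID without protection. The frames and addresses are constructed test data; the set of BSSIDs known to use management frame protection is assumed to come from the monitoring system's own inventory.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set

TYPE_MGMT = 0
SUBTYPE_BEACON = 0x8
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
PROTECTED_FRAME_BIT = 1 << 14  # bit 14 of the Frame Control field


@dataclass
class MacHeader:
    ftype: int
    subtype: int
    protected: bool
    addr1: str  # receiver
    addr2: str  # transmitter
    addr3: str  # BSSID for management frames


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mac_header(frame: bytes) -> MacHeader:
    """Decode the fixed 24-byte 802.11 MAC header; Frame Control is transmitted little-endian."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc = int.from_bytes(frame[0:2], "little")
    return MacHeader(
        ftype=(fc >> 2) & 0x3,
        subtype=(fc >> 4) & 0xF,
        protected=bool(fc & PROTECTED_FRAME_BIT),
        addr1=_mac(frame[4:10]),
        addr2=_mac(frame[10:16]),
        addr3=_mac(frame[16:22]),
    )


def build_mgmt_frame(subtype: int, protected: bool, addr1: bytes, addr2: bytes,
                     addr3: bytes, body: bytes) -> bytes:
    """Constructed test frame: FC || duration || addr1 || addr2 || addr3 || sequence control || body.
    A real protected frame would also carry a CCMP header and an encrypted body; that is
    omitted here because only the header bits are inspected."""
    fc = (TYPE_MGMT << 2) | (subtype << 4)
    if protected:
        fc |= PROTECTED_FRAME_BIT
    return fc.to_bytes(2, "little") + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


def flag_unprotected_disconnects(frames: Iterable[bytes], pmf_bssids: Set[str]) -> List[str]:
    """Alert on deauth/disassoc frames that name a PMF-capable BSSID but lack the Protected Frame bit."""
    alerts = []
    for raw in frames:
        h = parse_mac_header(raw)
        if h.ftype != TYPE_MGMT or h.subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            continue
        if h.addr3 in pmf_bssids and not h.protected:
            kind = "deauth" if h.subtype == SUBTYPE_DEAUTH else "disassoc"
            alerts.append(f"unprotected {kind} from {h.addr2} to {h.addr1} on BSSID {h.addr3}")
    return alerts


def demo() -> List[str]:
    ap = bytes.fromhex("00aabbccddee")   # constructed AP / BSSID address
    sta = bytes.fromhex("001122334455")  # constructed client address
    reason = (7).to_bytes(2, "big")      # reason code 7: class 3 frame from non-associated STA
    frames = [
        build_mgmt_frame(SUBTYPE_BEACON, False, b"\xff" * 6, ap, ap, b""),  # beacons are never protected
        build_mgmt_frame(SUBTYPE_DEAUTH, True, sta, ap, ap, reason),        # PMF-protected, as expected
        build_mgmt_frame(SUBTYPE_DEAUTH, False, sta, ap, ap, reason),       # unprotected: anomalous
    ]
    return flag_unprotected_disconnects(frames, {_mac(ap)})


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Beacons, probe responses and the pre-association authentication frames are legitimately unprotected even with 802.11w, which is why the check is restricted to the two disconnect subtypes and to BSSIDs known to have negotiated management frame protection.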

802.11w Data Frame Details




References


http://flylib.com/books/en/2.799.1.50/1/

http://www.codealias.info/technotes/the_ieee_802.11r_standard_for_fast_wireless_handoffs

http://en.wikipedia.org/wiki/IEEE_802.11r-2008

https://mentor.ieee.org/802.11/dcn/04/11-04-0724-01-000k-security-conceptual-model.ppt

http://en.wikipedia.org/wiki/IEEE_802.11w-2009

Tuesday, 10 January 2012

X.500 / LDAP / Microsoft's Active Directory Security Features

X.500
X.500 is a set of standards developed for directory services, originally to support electronic mail exchange. It was first developed by the ITU-T and was approved in 1988. Protocols defined by X.500 include:

  • DAP (Directory Access Protocol) - Protocol used for the communication between clients and the server
  • DSP (Directory System Protocol) - Protocol used for the interaction between a Directory User Agent and a Directory System Agent, or between two or more Directory System Agents
  • DISP (Directory Information Shadowing Protocol) - Used for the shadowing (replication) of information between Directory System Agents
  • DOP (Directory Operational Bindings Management Protocol) - Protocol used to establish the bindings that link communications between two Directory System Agents
 

Some of the features of X.500 include:
  • Authentication
    • Uses the X.509 Public Key Infrastructure (PKI), which allows for strong authentication
  • Access Control - To prevent unauthorized changes from being applied to data files and system resources
A typical exchange between a server and a client can use one-way, two-way or three-way authentication. The client first requests access to the server, and the server decides whether to authenticate the client. If authentication succeeds, the client is granted access. The server then offers a service, which the client may choose to use; depending on that choice the client may be referred to another X.500 server, or the exchange is terminated if the client refuses the service.


LDAP
The LDAP (Lightweight Directory Access Protocol) is an application protocol derived from the X.500 standard for accessing and maintaining distributed directory information over an Internet Protocol (IP) network. Some of the security features of LDAP include:
  • Limited authentication to authorized users only
  • Secure Sockets Layer (SSL) to protect data from being sniffed in transit by attackers
  • Non-intrusive data integration: schema changes are not required and no data is stored in the directory
  • PKI (Public Key Infrastructure) - Allows for stronger authentication by utilizing strong encryption
Features of LDAP include:
  • Scalability: Allows for flexibility in scaling, as it does not rely on a specific operating system; being vendor-independent, it allows for flexibility in upgrading hardware and software
  • Availability: Retrieves information from different servers that store the same directory contents. Should there be a problem with one server, the other servers can still serve the client.
  • Security: By utilizing Secure Sockets Layer (SSL) and access control lists (ACLs), it raises the security level by preventing unauthorized users from accessing the network
  • Manageability: A Graphical User Interface (GUI) is provided for simplicity, integrated into both system administration and data administration. It also allows for schema changes without extending the directory schema.


Microsoft Active Directory
Microsoft Active Directory is a directory service created by Microsoft for Windows domain networks. It is designed to handle a large number of read and search operations in addition to implementing changes and updates. The active directory is a central location for network administration and security and it is responsible for authenticating and authorizing users into a Windows domain type network, implementing security policies for all devices and installing or updating software on network computers.


Some of the features of Microsoft Active Directory include:
  • Simplified user and network resource management
  • Directory consolidation
  • Simple scalability
  • Use of internet protocols and internet standards
  • Interoperability with X.500 standard
  • Compatible with LDAP
  • Provides a single point for access in the network

Some of the security features of Microsoft Active Directory include:
  • Cross-forest trust - Allows for trust between two different domains
  • TLS support - Able to encrypt LDAP traffic
  • WMI filtering of Group Policy Objects (GPOs) - Provides services that monitor the transmission between two different domains, and WMI information can be used to determine whether a GPO should be applied
  • Delegation of administration - Simplified graphical user interface (GUI) for user account creation and account management
  • Directory object security
    • Per-property access control
    • Per-property auditing
  • Organizational units (OUs) - To separate users, groups and computers into separate containers

References
http://www.x500standard.com/index.php?n=X500.X500
http://searchnetworking.techtarget.com/definition/X500
http://docs.oracle.com/javase/jndi/tutorial/ldap/models/x500.html
http://support.novell.com/techcenter/articles/img/dnd1998070201.gif
http://msdn.microsoft.com/en-us/library/aa913688.aspx
http://searchmobilecomputing.techtarget.com/definition/LDAP
http://technet.microsoft.com/en-us/library/cc737139%28WS.10%29.aspx
http://www.centrify.com/downloads/public/centrify_wp_active_directory.pdf