EE Times-Asia

Confused about security of VoIP over WLAN?

Posted: 16 Feb 2006

Keywords: ravi kodavarti, texas instruments, ti, WLAN, cellphone

Over the past few years, a significant penetration of VoIP systems has occurred in both enterprise and residential markets. VoIP enables the convergence of data and voice networks into one unified network, allowing network administrators of major corporations or home users to cut costs. We have also started to witness the retail deployment of VoIP systems through a variety of service providers that allow gateway boxes to connect to such broadband connections as DSL or cable modems.

Current generations of residential gateways provide a mechanism for data WLAN connectivity. Most WLAN usage is for data applications, acting as an Ethernet replacement to connect to a laptop or a desktop PC. There is limited deployment of devices without a rich user interface on the device itself, such as printers, cameras and WLAN IP phones. In general, security issues surrounding WLAN apply to all devices that connect to it. However, WLAN IP phones or converged cellular/WLAN phones pose additional challenges as well.

The 802.11i standard is a MAC-layer enhancement that enables support for both packet and authentication security. Previous generations of 802.11 cipher-based security methods revolved around the WEP protocol. The authentication provided by WEP is not two-way, i.e. the user does not authenticate the network. Reuse of keys in WEP also allows a hacker to break the key fairly easily. Finally, in a static WEP implementation, it is virtually impossible for network administrators to change the key on an access point, as this would entail changing it on every station. Thus, in most cases, WEP is not implemented.

802.11i addresses security deficiencies of WEP in two phases: by providing a mechanism for current-generation products to be software-upgradeable, and by creating a new robust security network (RSN) that may require hardware changes. The first phase was adopted by the Wi-Fi Alliance as wireless protected access (WPA), and the ratified 802.11i specification has been adopted as WPA2.

WPA essentially puts a wrapper around the RC4 encryption scheme used in WEP to provide mutual authentication of the user and the network, automated and secure key exchange, and replay protection of voice (and data) packets. WPA2 enhances WPA by using AES instead of RC4 as the encryption engine. However, WPA2 protects the infrastructure investments of WPA by using a similar mechanism of automated key exchange.

WLAN security setup
Devices that connect to a wireless network can be classified into three sub-groups according to their security setup needs:
a) Rich user interface clients, including laptops and media adapters hooked to a display device;
b) Stationary devices that have limited user interfaces, such as printers;
c) Mobile devices that have limited user interfaces, such as WLAN IP phones (these may also include converged cellular and WLAN devices).

WLAN IP phones provide an important feature that is currently not available in corded or cordless telephony: mobility. To act as replacement devices for cordless telephones, WLAN IP phones need to offer ease of use similar to picking up a cordless telephone and making a phone call. Additionally, WLAN IP phones allow a user to pick up their "home" phone and use the same phone anywhere access to a broadband network is available. Thus, security needs to encompass these use cases in addition to the traditional use cases. Early proprietary schemes were primarily developed to address the lack of security in a home network for rich user interface clients. These proprietary schemes include mechanisms such as Secure EZ setup. The type of security offered is typically limited to setting up an access point and an STA device connected to a computer or multiple computers. This security mechanism does not scale well to the needs of class "b" and "c" devices.

Subsequent proprietary schemes, such as pushbutton schemes, were developed to enable usage across the previously mentioned three classes of products. These schemes still did not provide any interoperability. The use cases did not address the ability to seamlessly authenticate to a foreign access point. The Wi-Fi Alliance is working on providing secure ease-of-use interoperability.

As part of the RSN framework, 802.11i provides for two different types of authentication mechanisms, pre-shared key (PSK) mode and 802.1x-based authentication mode.

PSK implementation is meant for small home networks that do not have an enterprise class network-based authentication. PSK mode provides robustness over such existing protocols as WEP in terms of the ability to maintain a secure network that is less susceptible to hacker attacks. PSK is essentially a user setup that replaces the pairwise master key (PMK) that would have been exchanged via the 802.1x mechanism. Most ease-of-use implementations for home networks use the PSK mode as the core of their framework. The implicit and valid assumption behind this is that a home network will not have an authentication server that will provide the PMKs to each device.
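The sketch below is an added example, not code from the article or from Texas Instruments. It shows how a PSK passphrase becomes the 256-bit PMK and, going one step beyond the text, how both ends then derive the same fresh per-session pairwise key from it. The passphrase and SSID are the published 802.11i test case; the MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def ptk(pmk, mac_a, mac_b, nonce_a, nonce_b, nbytes=48):
    """Pairwise transient key (48 bytes for AES-CCMP: KCK, KEK, TK).

    Inputs are sorted, so the access point and the station compute the
    same key regardless of which side's values they list first.
    """
    data = (min(mac_a, mac_b) + max(mac_a, mac_b) +
            min(nonce_a, nonce_b) + max(nonce_a, nonce_b))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)

# Constructed sample values (not taken from any real network)
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))            # access point nonce
SNONCE = bytes(range(32, 64))        # station nonce, first association
SNONCE_2 = bytes(range(64, 96))      # station nonce, later association

PMK = pmk_from_passphrase("password", "IEEE")
PTK_AP = ptk(PMK, AP_MAC, STA_MAC, ANONCE, SNONCE)     # computed by the AP
PTK_STA = ptk(PMK, STA_MAC, AP_MAC, SNONCE, ANONCE)    # computed by the phone
PTK_NEXT = ptk(PMK, AP_MAC, STA_MAC, ANONCE, SNONCE_2)

if __name__ == "__main__":
    print("PMK:", PMK.hex())
    print("both sides agree:", PTK_AP == PTK_STA)
    print("new session, new key:", PTK_NEXT != PTK_AP)
```

Because the SSID acts as the salt, the same passphrase yields a different PMK on a differently named network, and the traffic keys change with every association, which is what removes the static-key reuse problem of WEP.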

WLAN IP phones are network devices that use network-based authentication. 802.11i provides a framework using 802.1x to authenticate an end device on the network. The key elements of the 802.1x based authentication are:
• Supplicant: A device that wants to be authenticated on the network;
• Authenticator: A device that controls access to the network (e.g. a wireless access point);
• Authentication server: A server that ultimately decides if a device can enter a network or not.

802.1x provides a scalable architecture in which the supplicant, authenticator and authentication server exchange messages that will eventually authenticate a device on the network. The type of messaging passed between components is governed by the extensible authentication protocol (EAP). This messaging describes an authentication method using request and response sequences.

EAP does not define the content of each of the messages. There are different types of content formats that can be implemented, such as TLS, TTLS and SIM. EAP even allows a network operator to implement a proprietary scheme of messaging. The purpose of 802.1x in an 802.11i context is to exchange a PMK used to set up a secure network between the access point and the end station.
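To make the request and response framing concrete, here is an added example (not part of the original article) that builds and parses EAP packets and checks that each Response answers an outstanding Request. The sample exchange, the identity string and the method payload bytes are constructed; the method payload is treated as opaque, as EAP itself treats it.

```python
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP Type numbers for Identity, Nak and the methods the article names
TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 18: "EAP-SIM", 21: "EAP-TTLS"}

def build_eap(code, ident, eap_type=None, data=b""):
    """Code(1) | Identifier(1) | Length(2); Request/Response add Type(1) | data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(raw):
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in CODES or not 4 <= length <= len(raw):
        raise ValueError("bad EAP code or length field")
    msg = {"code": CODES[code], "id": ident, "type": None, "data": b""}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        msg["type"] = TYPES.get(raw[4], "type %d" % raw[4])
        msg["data"] = raw[5:length]  # method-specific; EAP does not interpret it
    return msg

def trace(packets):
    """Summarise an exchange; reject a Response that answers no outstanding Request."""
    pending, out = None, []
    for raw in packets:
        m = parse_eap(raw)
        if m["code"] == "Request":
            pending = m["id"]
        elif m["code"] == "Response":
            if m["id"] != pending:
                raise ValueError("Response id %d matches no Request" % m["id"])
            pending = None
        out.append(("%s id=%d %s" % (m["code"], m["id"], m["type"] or "")).strip())
    return out

# Constructed sample exchange between authenticator and supplicant
SAMPLE = [
    build_eap(1, 1, 1),                         # Request/Identity
    build_eap(2, 1, 1, b"phone@example.org"),   # Response/Identity
    build_eap(1, 2, 18, b"\x00\x00\x00"),       # Request, EAP-SIM (opaque payload)
    build_eap(2, 2, 18, b"\x00\x00\x00"),       # Response, EAP-SIM
    build_eap(3, 2),                            # Success
]

if __name__ == "__main__":
    print("\n".join(trace(SAMPLE)))
```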

Cellular networks and WLANs are converging on the basis of providing user mobility from two different directions. Cellphones provide an authentication mechanism using the authentication, authorization and accounting (AAA) server. A subscriber identity module (SIM) stores current authentication and network state information for the cellphone.

In a standalone WLAN IP phone, the same mechanism can be used with a SIM card carrying messages across 802.1x using EAP-SIM. In converged GSM and WLAN phones, the same SIM card used for the cellular network can also be used to authenticate on the WLAN network. The back-end authentication server can still be the AAA server using an IP pipe. This concept is used as part of the unlicensed mobile access (UMA) initiative to provide cellular and WLAN convergence. Additionally, UMA also creates an IPSec tunnel to provide security on the wired network.

The basic ingredients to successfully implement secure VoIP over WLANs will be for vendors to offer improved user experience that surpasses what is currently available via traditional cordless phones and cellphones. These include:
• The ability to provide seamless authentication to the home network and ease-of-use setup comparable to picking up a cordless telephone and making a call. Examples of security setup in this area are some of the proprietary implementations that address just security setup with a single access point.
• The ability to use a WLAN IP phone as a "home" phone in areas such as hotspots and hotel rooms. Security setup would need to be enabled via existing WPA2 and 802.11i mechanisms implemented via a RADIUS server.
• The ability to seamlessly roam between cellular network and WLAN on a converged phone. Security setup could still be enabled via existing cellular mechanisms like EAP-SIM.

The growing popularity of WLAN, combined with the availability of voice and data services on traditional cellular networks, provides incentive for vendors to continue to develop viable VoIP over WLAN solutions.

- Ravi Kodavarti
Broadband Communications Group
Texas Instruments Inc.
