Intro to Wireless Networks - Kasetsart University · PDF fileEnd-to-end security provided by...
Transcript of Intro to Wireless Networks - Kasetsart University · PDF fileEnd-to-end security provided by...
1
WLAN Security
รศ. ดร. อนันต์ ผลเพิม่
Asso. Prof. Anan Phonphoem, Ph.D. [email protected]
http://www.cpe.ku.ac.th/~anan
Computer Engineering Department
Kasetsart University, Bangkok, Thailand
Wireless LANs 2013
2
Outline
• Secure Communication
• Security Mechanisms
• Security Threats
• IEEE 802.11 Security
• WLAN security management
Secure Communication
3
What is Secure Communication?
• Secrecy •Only you and me, no one else
• Authentication • Identify that is real you
• Message Integrity •Message is not altered
4
Secrecy
• Privacy or confidentiality
• Cannot block the sniffer!
• Requires encryption/decryption mechanism
• Encryption at the sender
•Decryption at the receiver
• using a public or private (secret) key to decode the encrypted information
5
Authentication
• Confirms identity of the communicating party
• Assures the real sender and real receiver
6
Message Integrity
• Data integrity
•Data is transmitted from source to destination without undetected alteration
• Non-repudiation
• Prove that a received message came from a claimed sender
Integrity: การยึดถือหลกัคุณธรรม,ความซ่ือสัตย,์ความสมบูรณ์,ความมัน่คง,ความเป็นอนัหน่ึงอนัเดียวกนั (honesty)
8
Wireless Magnifies Vulnerability
• Traditional wireline link
•Benefits from physical security
•Access to the wire is required
•Access to Switch/Hub is required
• Wireless link
• Extended range beyond a room or a building
• Easy to eavesdrop
Vulnerable: ออ่นแอ ไมม่ั่นคง
9
Trust
• Communicate to unseen devices
• Physically hidden (End user, AP, …)
• Problem on both home and foreign networks
• Service provider maybe not trustable
•Access points
•DHCP servers
• Intermediate nodes
11
End-to-End/Link Security
• End-to-end security provided by •Network layer (e.g., IPsec)
•Transport layer (e.g., SSL)
•Application layer (e.g., app.-specific)
• Link security provided by • Link layer (e.g., IEEE 802.11 WEP, WPA, or
IEEE 802.11i)
12
Outline
• Secure Communication
• Security Mechanisms
• Security Threats
• IEEE 802.11 Security
• WLAN security management
14
Cryptography
• Symmetric (private) key cryptography
• Sender and receiver keys are identical (KA = KB)
• Asymmetric (public) key cryptography
• Sender (encryption) key (KA) is public
• Receiver (decryption) key (KB KA) is private
Plaintext
Encryption
KA Ciphertext
Decryption
KB Plaintext
15
Public Key Cryptography
• Unlike a private key system, one can publish the key for encryption in a public key encryption system
Decryption
KB-
Encryption
KB+
Ciphertext
KB+(m)
Plaintext
m
Plaintext
m = KB-(KB
+(m))
Public key
Private key
16
Authentication (Private Key)
• Authentication can be implemented with symmetric (private) key cryptography
Claim “A”
A B
R Generate a one-time “nonce”
K(R)
encrypt
R decrypt
nonce: ชัว่ขณะหนึง่
17
Authentication (Public Key)
• Use of public key avoids shared key problem
• Vulnerable to “man-in-the-middle” attack
R
Claim “A”
A B
KA-(R)
KA+
Compute KA+(KA
-(R)) = R
Sender must have
used private key of A,
so it is A Key Request
KA+: A’s public key
KA-: A’s private key
18
Outline
• Secure Communication
• Security Mechanisms
• Security Threats
• IEEE 802.11 Security
• WLAN security management
21
Types of Attacks Spoofing
•Impersonate legitimate device credentials, like MAC address
LAN
Internet
22
Types of Attacks Jamming
•Introduction of radio signals that prevent WLAN operations
LAN
Internet
23
Types of Attacks Session Hijacking •Hacker disconnects the
legitimate user but makes AP think that user is still connected
LAN
Internet
24
Types of Attacks DoS
•Flood the network with useless traffic (e.g.repeated login
requests) and eventually shut it down
LAN
Internet
25
Types of Attacks Man in the Middle
•All WLAN traffic from devices is passed through the rogue device
•Lack of strong AP level authentication
LAN
Internet
26
Types of Attacks
WarDriving
Driving around town looking for unprotected WLAN connections to
get Internet access
27
Outline
• Secure Communication
• Security Mechanisms
• Security Threats
• IEEE 802.11 Security
• WLAN security management
28
Authentication & Encryption Std
EAP
802.1x
WPA-TKIP 802.11i
RC4
TLS
MSFT IETF
Encryption Algorithms
Authentication Protocols
PEAP
CSCO/MSFT IETF
Certificate Credentials Username/Password
Encryption Standards WEP
RC4 AES
Dan Ziminski & Bill Davidge
29
Built-in WLAN Security
• Wired Equivalent Privacy (WEP)
• Provides encryption based on RC-4 cipher
• 802.1x
• Provides authentication using Extensible Authentication Protocol (EAP)
• Wi-Fi Protected Access (WPA: subset of 802.11i draft)
•Uses dynamic keys and advanced encryption
• 802.11i (implemented as WPA2 )
•Advanced encryption and authentication
30
802.11b Security Services
• Two security services provided:
• Authentication
• Shared Key Authentication
• Encryption
•Wired Equivalence Privacy
31
Wired Equivalence Privacy
• Shared key between • Stations
•An Access Point
• Extended Service Set •All Access Points will have a same shared key
• No key management • Shared key entered manually into
•Stations
•Access points
•Key management nightmare in large wireless LANs
32
RC4
• Ron’s Code number 4 • Symmetric key encryption
• RSA Security Inc.
• Designed in 1987
• Trade secret until leak in 1994
• RC4 can use key sizes from 1 bit to 2048 bits
• RC4 generates a stream of pseudo random bits • XORed with plaintext to create cipher text
33
Authentication & Encryption Std
EAP
802.1x
WPA-TKIP 802.11i
RC4
TLS
MSFT IETF
Encryption Algorithms
Authentication Protocols
PEAP
CSCO/MSFT IETF
Certificate Credentials Username/Password
Encryption Standards WEP
RC4 AES
Dan Ziminski & Bill Davidge
WEP Block Diagram
34
WEP Frame
Integrity Algorithm (CRC-32)
Pseudo-Random Number Generator
RC-4
+
Bitwise XOR
Plain Text
Cipher Text
Integrity Check Value (ICV)
Key Sequence
Secret Key (40-bit or 128-bit)
Initialization Vector (IV)
IV
Encryption Block
Sender Site
Integrity Algorithm
Pseudo-Random Number Generator
Bitwise XOR
Cipher Text
Plain Text
Integrity Check Value (ICV)
Key Sequence
IV
Secret Key (40-bit or 128-bit)
Decryption Block
Receiver Site
35
WEP – Encoding
Integrity Algorithm (CRC-32)
Pseudo-Random Number Generator
RC-4
+
Bitwise XOR
Plain Text
Cipher Text
Integrity Check Value (ICV)
Key Sequence
Secret Key (40-bit or 128-bit)
Initialization Vector (IV)
IV
36
WEP – Sending • Compute Integrity Check Vector (ICV)
• Provides integrity
• 32 bit Cyclic Redundancy Check
• Appended to message to create plaintext
• Plaintext encrypted via RC4
• Provides confidentiality
• Plaintext XORed with long key stream of pseudo random bits
• Key stream is function of
• 40-bit secret key
• 24 bit initialisation vector
• Cipher text is transmitted
37
WEP – Decryption
Integrity Algorithm
Pseudo-Random Number Generator RC-4
Bitwise XOR
Cipher Text
Plain Text
Integrity Check Value (ICV)
Key Sequence
IV
Secret Key (40-bit or 128-bit)
38
WEP – Receiving
• Cipher text is received
• Cipher text decrypted via RC4 • Cipher text XORed with long key stream of pseudo
random bits
• Key stream is function of
•40-bit secret key
•24 bit initialisation vector (IV)
• Check ICV • Separate ICV from message
• Compute ICV for message
• Compare with received ICV
39
Shared Key Authentication
• When station requests association with AP • AP sends random number to station • Station encrypts random number
• Uses RC4, 40 bit shared secret key & 24 bit IV
• Encrypted random number sent to AP • AP decrypts received message
• Uses RC4, 40 bit shared secret key & 24 bit IV
• AP compares decrypted random number to transmitted random number
• If numbers match, station has shared secret key
40
WEP Safeguards
• Shared secret key required for: • Associating with an access point
• Sending data
• Receiving data
• Messages are encrypted • Confidentiality
• Messages have checksum • Integrity
• But management traffic still broadcast in clear containing SSID
41
Initialization Vector
• IV must be different for every message transmitted
• 802.1standard does not specify how IV is calculated
• Wireless 1 cards use several methods
• Some use a simple ascending counter for each message
• Some switch between alternate ascending and descending counters
• Some use a pseudo random IV generator
• If IV is the same, then two duplicate messages would result in the same cipher text
42
Passive WEP attack
• If 24 bit IV is an ascending counter,
• If Access Point transmits at 11 Mbps,
•All IVs are exhausted in roughly 5 hours
• Passive attack:
•Attacker collects all traffic
•Attacker could collect two messages:
•Encrypted with same key and same IV
•Statistical attacks to reveal plaintext
•Plaintext XOR Ciphertext = Keystream
45
Active WEP attack
• If attacker knows plaintext and ciphertext pair
• Keystream is known
• Attacker can create correctly encrypted messages
• Access Point is deceived into accepting messages
• Bitflipping
• Flip a bit in ciphertext
• Bit difference in CRC-32 can be computed
46
Limited WEP keys
• Some vendors allow limited WEP keys
• User types in a passphrase
• WEP key is generated from passphrase
• Passphrases creates only 21 bits of entropy in 40 bit key
• Reduces key strength to 21 bits = 2,097,152
• Remaining 19 bits are predictable
• 21 bit key can be brute forced in minutes
• www.lava.net/~newsham/wlan/WEP_password_cracker.ppt
48
Brute force key attack
• Capture ciphertext
• IV is included in message
• Search all 240 possible secret keys
• 1,099,511,627,776 keys
•~170 days on a modern laptop
• Find which key decrypts ciphertext to plaintext
49
128 bit WEP
• Vendors have extended WEP to 128 bit keys
• 104 bit secret key
• 24 bit IV
• Brute force takes 10^19 years for 104-bit key
• Effectively safeguards against brute force attacks
50
Key Scheduling Weakness
• Paper from Fluhrer, Mantin, Shamir (FMS), 2001
• Two weaknesses:
•Certain keys leak into key stream
• Invariance weakness
• If portion of PRNG input is exposed,
•Analysis of initial key stream allows key to be determined
• IV weakness
51
IV weakness
• WEP exposes part of PRNG input • IV is transmitted with message
• Every wireless frame has reliable first byte • Sub-network Access Protocol header (SNAP) used in logical
link control layer, upper sub-layer of data link layer.
• First byte is 0xAA
• Attack is: • Capture packets with weak IV
• First byte ciphertext XOR 0xAA = First byte key stream
• Can determine key from initial key stream
• Practical for 40 bit and 104 bit keys
• Passive attack • Non-intrusive / No warning
52
Wepcrack
• First tool to demonstrate attack using IV weakness
• Open source, Anton Rager
• Three components
• Weaker IV generator
• Search sniffer output for weaker IVs & record 1st byte
• Cracker to combine weaker IVs and selected 1st bytes
• Cumbersome
53
Airsnort
• Automated tool
• Cypher42, Minnesota, USA.
• Does it all!
• Sniffs
• Searches for weaker IVs
• Records encrypted data
• Until key is derived.
• 100 Mb to 1 Gb of transmitted data.
• 3 to 4 hours on a very busy WLAN.
54
Avoid the weak IVs • FMS described a simple method to find weak IVs
• Many manufacturers avoid those IVs after 2002
• Therefore Airsnort and others may not work on recent hardware
• However David Hulton aka h1kari • Properly implemented FMS attack which shows many
more weak IVs
• Identified IVs that leak into second byte of key stream.
• Second byte of SNAP header is also 0xAA
• So attack still works on recent hardware
• And is faster on older hardware
• Dwepcrack, weplab, aircrack
55
Generating WEP traffic
• Not capturing enough traffic?
•Capture encrypted ARP request packets
•Anecdotally lengths of 68, 118 and 368 bytes appear appropriate
•Replay encrypted ARP packets to generate encrypted ARP replies
•Aireplay implements this.
56
Wired Equivalent Privacy (WEP)
• Provides rudimentary 40-bit/128-bit encryption
• RC-4 cipher
• Weak Point is IV not RC-4
• Static encryption keys — must be changed
manually
• Attacker’s tools: Airsnort, Yellowjacket, Airfart
• Encryption keys can be cracked
• Default setting is “OFF”
57
802.1x — A New Hope
• Provides secure access using port control
• Uses EAP (Extensible Authentication Protocol)
• Supports Kerberos, smart cards, one-time passwords, and so on
• Components required: • Wireless device
• AP
• Authentication server, typically Remote Authentication Dial-in User Service (RADIUS)
58
Authentication & Encryption Std
EAP
802.1x
WPA-TKIP 802.11i
RC4
TLS
MSFT IETF
Encryption Algorithms
Authentication Protocols
PEAP
CSCO/MSFT IETF
Certificate Credentials Username/Password
Encryption Standards WEP
RC4 AES
Dan Ziminski & Bill Davidge
59
How 802.1x Works
User requests connection
AP requests user ID
User sends ID
RADIUS confirms credentials
AP requests user credentials
User sends AP credentials AP sends credentials to RADIUS
RADIUS asks for credentials
AP requests RADIUS
connection for user
AP confirms credentials
If credentials are correct, user is given access to the network through the AP,
according to policies enforced by the authentication server
Wireless Device Access Point Authentication Server (RADIUS)
60
802.1x EAP-TLS Authentication
Station
Supplicant
Access Point
Authenticator RADIUS Server
Authorizer
Client digital cert
From XYZ CA
Server Digital cert
From XYZ CA
Dan Ziminski & Bill Davidge
61
802.1x PEAP authentication
Station
Supplicant
Access Point
Authenticator
Digital cert
From XYZ CA Phase 1:
Authenticate AP.
Secure tunnel
to AP using TLS
Phase 2:
Password authentication
with directory server
Username: ABC
Password: encrypted
Success/Fail
Dan Ziminski & Bill Davidge
62
802.1x — The Downside
• Only does authentication
• Encryption is still required
• If used with WEP, the encryption keys are still static even though the authentication keys change
• Authenticator and device must use the same authentication method
• Only supports client-level authentication
64
WPA (Wi-Fi Protected Access)
• WPA = 802.1X + TKIP • WPA requires authentication and encryption
• 802.1X authentication choices include LEAP, PEAP, TLS
• WPA has strong industry supporters
• Adds to 802.1X and TKIP
• Widespread adoption of WPA will add robust security and remove the “security issue” from the WLAN industry
• WPA will become accepted as the standard
• It is an interim standard
65
WPA – Fixed WEP’s Problems
• IV changes to 48 bits with no weak keys
(900 years to repeat an IV at 10k packets/sec)
• Use IV as a replay counter
• Message integrity Check (MIC)
• Per-packet keying
Dan Ziminski & Bill Davidge
66
TKIP – Per Packet Keying
48 bit IV
16 bit lower IV 32 bit upper IV
Key mixing Key mixing
Per-Packet-Key IV IV d
Session Key
MAC Address
104 bits 24 bits
128 bits
Fixes the weaknesses of WEP key generation but still uses the RC4 algorithm
Dan Ziminski & Bill Davidge
67
802.11i
• Mutual authentication
• Dynamic session key
• Message Integrity Check (MIC)
• Temporal Key Integrity Protocol (TKIP)
• Initialization vector sequencing
•Rapid re-keying
• Per-packet key hashing
• Future
• Stronger encryption schemes, such as AES
68
802.11i and WPA
• Uses 802.1x authentication
• Uses Temporal Key Integrity Protocol (TKIP) to dynamically change encryption keys after 10,000 packets are transferred
• Uses Advanced Encryption Standard (AES) encryption, which is much better than WEP
• A subset of 802.11i, Wi-Fi Protected Access (WPA) is available as a firmware upgrade today
69
802.11i and WPA Pitfalls
• Keys can be cracked using much less than 10,000 packets
• Michael feature — shuts down AP if it
receives two login attempts within one second. Hackers can use this to perpetrate a DoS attack.
• 802.11i WPA2
70
Encryption Effects
Wireless Encryption
Type
Desktop Control Needed
Cost to Implement
Difficult to Manage
Vendor Support
Problems
Vulnerable to Attack
none low low low low high
WEP medium low high low medium
WPA TKIP high high high medium low
802.11i AES high high high high none
VPN high high medium low none
Dan Ziminski & Bill Davidge
72
VPN Authentication & Encryption
Station
Access Point
VPN Gateway
LAN
IPSEC VPN Tunnel
Dan Ziminski & Bill Davidge
73
Web Authentication
Station
Access Point
Web auth
security device
LAN
HTTPS
Login page
Backend
RADIUS
Server
Dan Ziminski & Bill Davidge
74
Authentication Type
Wireless Auth Type
Desktop Control Needed
Cost to Implement
Difficult to Manage
Vendor Support
Problems
Vulnerable to Attack
VPN high high medium low low
WEP medium low high low high
802.1x EAP TLS
ceritficates
high high high medium low
802.1x PEAP medium medium medium medium low
Web Auth low low medium low medium
Dan Ziminski & Bill Davidge
75
Outline
• Secure Communication
• Security Mechanisms
• Security Threats
• IEEE 802.11 Security
• WLAN security management
76
Wireless Security Concerns
• Management of device security
• Corruption of data sent to wireless devices
• Malicious code (viruses, Trojans, worms)
• Unauthorized users
• Confidentiality of data sent wirelessly
• Security of data stored on a handheld device
77
WLAN security management
• Open Access
• No WEP, WPA, encryption
• Broadcast Mode
• Basic Security
• 40-bit, 128-bit, 256-bit Static Encryption Key
• Enhanced Security
• Dynamic Encryption Key / Scalable Key Management
• Mutual 802.1x/EAP Authentication
• TKIP/WPA
• Traveling Security
• Virtual Private Network (VPN)
78
Wireless Policy Issues
• Policy needs to dictate permitted services and usage
• Needs a means of identifying and enforcing wireless policies
• Existing organization security policies need to be updated to cope with wireless security issues
• Policy needs to indicate how access will be controlled, for instance, time of day
79
Wireless Policy Issues
• Every access needs to be logged
• User compliance and standards enforcement
• Centralized control of security policies
• Wireless intrusion alert issues
• Process to update client software levels
• Intrusion detection policies
80
Knows Your Organization
1
2
3
4
User Involvement,
Awareness and Roles
Key Password Quality
User and
Key Administration
Environment Integrity
and Robustness
Network Security
and Technology Issues
Client
Security
Application
Security
Audits and Controls,
and IDS
Process Management
and Standards
Weakness
Strength
Weakness
Weakness
81
More Security
A laptop in your network connecting to
a neighboring Wi-Fi network exposing
your corporate data.
Neighbor’s Network
Hacker attacking your network through
an internal laptop acting as an
unofficial software access point.
Unofficial Access Point
Rogue Access Point Hacker attacking your network through an
unofficial access point connected to the
network.
Hacker attacking your
network through an
unofficial connection with a
misconfigured AP.
Misconfigured Access Point
DO NOT
ENTER
DO NOT
ENTER
DO NOT
ENTER
DO NOT
ENTER
83
Client Differentiation
Channel: 1 SSID: Laptop VLAN: 1
Channel: 6 SSID: PDA VLAN: 2
Channel: 11 SSID: Phone VLAN: 3
802.1Q wired network with
VLANs
84
SSID: Laptop VLAN: 1
SSID: PDA VLAN: 2
SSID: Phone VLAN: 3
Client Differentiation
802.1Q wired network with
VLANs
85
Conclusions
• Wireless technology is becoming embedded
• Notebooks, PDAs, cell phones, etc.
• WLAN is currently unsecure
• 802.11 WEP security is insufficient for the enterprise
• 802.11i (WPA2) and WPA offer great improvements
• People, processes, policies and architecture are required to deploy WLAN securely
86
References
• “WLAN teaching materials” by Anan Phonphoem, Computer Engineering Dept., Kasetsart University
• “Who’s Watching Your Wireless Network?” by Ian Hameroff, Computer Associates, eTrust™ Security solutions, CA World 2003
• “Wireless Configuration and Security Issues” by Greg Gabet, IBMGS, CA world 2003
• “Addressing the Challenges of Adopting Secured Mobility in the Enterprise” by Hans-Georg Büttner, Ernst & Young IT-Security GmbH, Germany, CA World 2003
• “Wireless Local Area Network Security” by Robert Simkins, University of Derby, UK
• “WLAN Security”, Matthew Joyce, Rutherford Appleton Laboratory, CCLRC
• Wireless LAN Security, Threats & Countermeasures, By Joseph Tomasone, Senior Network Security Engineer, Fortress Technologies, Inc., Session 8, August 10, 2005, Infragard National Conference 2005
• CSG 256 Final Project Presentation, by Dan Ziminski & Bill Davidge