1

WLAN Security

รศ. ดร. อนันต์ ผลเพิม่

Asso. Prof. Anan Phonphoem, Ph.D. anan.p@ku.ac.th

http://www.cpe.ku.ac.th/~anan

Computer Engineering Department

Kasetsart University, Bangkok, Thailand

Wireless LANs 2013

2

Outline

• Secure Communication

• Security Mechanisms

• Security Threats

• IEEE 802.11 Security

• WLAN security management

Secure Communication

3

What is Secure Communication?

• Secrecy •Only you and me, no one else

• Authentication • Identify that is real you

• Message Integrity •Message is not altered

4

Secrecy

• Privacy or confidentiality

• Cannot block the sniffer!

• Requires encryption/decryption mechanism

• Encryption at the sender

•Decryption at the receiver

• using a public or private (secret) key to decode the encrypted information

5

Authentication

• Confirms identity of the communicating party

• Assures the real sender and real receiver

6

Message Integrity

• Data integrity

•Data is transmitted from source to destination without undetected alteration

• Non-repudiation

• Prove that a received message came from a claimed sender

Integrity: การยึดถือหลกัคุณธรรม,ความซ่ือสัตย,์ความสมบูรณ์,ความมัน่คง,ความเป็นอนัหน่ึงอนัเดียวกนั (honesty)

7

Wireline VS. Wireless Security

8

Wireless Magnifies Vulnerability

• Traditional wireline link

•Benefits from physical security

•Access to the wire is required

•Access to Switch/Hub is required

• Wireless link

• Extended range beyond a room or a building

• Easy to eavesdrop

Vulnerable: ออ่นแอ ไมม่ั่นคง

9

Trust

• Communicate to unseen devices

• Physically hidden (End user, AP, …)

• Problem on both home and foreign networks

• Service provider maybe not trustable

•Access points

•DHCP servers

• Intermediate nodes

10

End-to-End/Link Security

End-to-End Security

Internet

Link Security

11

End-to-End/Link Security

• End-to-end security provided by •Network layer (e.g., IPsec)

•Transport layer (e.g., SSL)

•Application layer (e.g., app.-specific)

• Link security provided by • Link layer (e.g., IEEE 802.11 WEP, WPA, or

IEEE 802.11i)

12

Outline

• Secure Communication

• Security Mechanisms

• Security Threats

• IEEE 802.11 Security

• WLAN security management

13

Security Mechanisms

• Cryptography

• Authentication

14

Cryptography

• Symmetric (private) key cryptography

• Sender and receiver keys are identical (KA = KB)

• Asymmetric (public) key cryptography

• Sender (encryption) key (KA) is public

• Receiver (decryption) key (KB KA) is private

Plaintext

Encryption

KA Ciphertext

Decryption

KB Plaintext

15

Public Key Cryptography

• Unlike a private key system, one can publish the key for encryption in a public key encryption system

Decryption

KB-

Encryption

KB+

Ciphertext

KB+(m)

Plaintext

m

Plaintext

m = KB-(KB

+(m))

Public key

Private key

16

Authentication (Private Key)

• Authentication can be implemented with symmetric (private) key cryptography

Claim “A”

A B

R Generate a one-time “nonce”

K(R)

encrypt

R decrypt

nonce: ชัว่ขณะหนึง่

17

Authentication (Public Key)

• Use of public key avoids shared key problem

• Vulnerable to “man-in-the-middle” attack

R

Claim “A”

A B

KA-(R)

KA+

Compute KA+(KA

-(R)) = R

Sender must have

used private key of A,

so it is A Key Request

KA+: A’s public key

KA-: A’s private key

18

Outline

• Secure Communication

• Security Mechanisms

• Security Threats

• IEEE 802.11 Security

• WLAN security management

19

Typical WLAN Topology

LAN

Internet

20

Types of Attacks Sniffing

•Eavesdrop network traffic •SSID broadcast is full text

LAN

Internet

21

Types of Attacks Spoofing

•Impersonate legitimate device credentials, like MAC address

LAN

Internet

22

Types of Attacks Jamming

•Introduction of radio signals that prevent WLAN operations

LAN

Internet

23

Types of Attacks Session Hijacking •Hacker disconnects the

legitimate user but makes AP think that user is still connected

LAN

Internet

24

Types of Attacks DoS

•Flood the network with useless traffic (e.g.repeated login

requests) and eventually shut it down

LAN

Internet

25

Types of Attacks Man in the Middle

•All WLAN traffic from devices is passed through the rogue device

•Lack of strong AP level authentication

LAN

Internet

26

Types of Attacks

WarDriving

Driving around town looking for unprotected WLAN connections to

get Internet access

27

Outline

• Secure Communication

• Security Mechanisms

• Security Threats

• IEEE 802.11 Security

• WLAN security management

28

Authentication & Encryption Std

EAP

802.1x

WPA-TKIP 802.11i

RC4

TLS

MSFT IETF

Encryption Algorithms

Authentication Protocols

PEAP

CSCO/MSFT IETF

Certificate Credentials Username/Password

Encryption Standards WEP

RC4 AES

Dan Ziminski & Bill Davidge

29

Built-in WLAN Security

• Wired Equivalent Privacy (WEP)

• Provides encryption based on RC-4 cipher

• 802.1x

• Provides authentication using Extensible Authentication Protocol (EAP)

• Wi-Fi Protected Access (WPA: subset of 802.11i draft)

•Uses dynamic keys and advanced encryption

• 802.11i (implemented as WPA2 )

•Advanced encryption and authentication

30

802.11b Security Services

• Two security services provided:

• Authentication

• Shared Key Authentication

• Encryption

•Wired Equivalence Privacy

31

Wired Equivalence Privacy

• Shared key between • Stations

•An Access Point

• Extended Service Set •All Access Points will have a same shared key

• No key management • Shared key entered manually into

•Stations

•Access points

•Key management nightmare in large wireless LANs

32

RC4

• Ron’s Code number 4 • Symmetric key encryption

• RSA Security Inc.

• Designed in 1987

• Trade secret until leak in 1994

• RC4 can use key sizes from 1 bit to 2048 bits

• RC4 generates a stream of pseudo random bits • XORed with plaintext to create cipher text

33

Authentication & Encryption Std

EAP

802.1x

WPA-TKIP 802.11i

RC4

TLS

MSFT IETF

Encryption Algorithms

Authentication Protocols

PEAP

CSCO/MSFT IETF

Certificate Credentials Username/Password

Encryption Standards WEP

RC4 AES

Dan Ziminski & Bill Davidge

WEP Block Diagram

34

WEP Frame

Integrity Algorithm (CRC-32)

Pseudo-Random Number Generator

RC-4

+

Bitwise XOR

Plain Text

Cipher Text

Integrity Check Value (ICV)

Key Sequence

Secret Key (40-bit or 128-bit)

Initialization Vector (IV)

IV

Encryption Block

Sender Site

Integrity Algorithm

Pseudo-Random Number Generator

Bitwise XOR

Cipher Text

Plain Text

Integrity Check Value (ICV)

Key Sequence

IV

Secret Key (40-bit or 128-bit)

Decryption Block

Receiver Site

35

WEP – Encoding

Integrity Algorithm (CRC-32)

Pseudo-Random Number Generator

RC-4

+

Bitwise XOR

Plain Text

Cipher Text

Integrity Check Value (ICV)

Key Sequence

Secret Key (40-bit or 128-bit)

Initialization Vector (IV)

IV

36

WEP – Sending • Compute Integrity Check Vector (ICV)

• Provides integrity

• 32 bit Cyclic Redundancy Check

• Appended to message to create plaintext

• Plaintext encrypted via RC4

• Provides confidentiality

• Plaintext XORed with long key stream of pseudo random bits

• Key stream is function of

• 40-bit secret key

• 24 bit initialisation vector

• Cipher text is transmitted

37

WEP – Decryption

Integrity Algorithm

Pseudo-Random Number Generator RC-4

Bitwise XOR

Cipher Text

Plain Text

Integrity Check Value (ICV)

Key Sequence

IV

Secret Key (40-bit or 128-bit)

38

WEP – Receiving

• Cipher text is received

• Cipher text decrypted via RC4 • Cipher text XORed with long key stream of pseudo

random bits

• Key stream is function of

•40-bit secret key

•24 bit initialisation vector (IV)

• Check ICV • Separate ICV from message

• Compute ICV for message

• Compare with received ICV

39

Shared Key Authentication

• When station requests association with AP • AP sends random number to station • Station encrypts random number

• Uses RC4, 40 bit shared secret key & 24 bit IV

• Encrypted random number sent to AP • AP decrypts received message

• Uses RC4, 40 bit shared secret key & 24 bit IV

• AP compares decrypted random number to transmitted random number

• If numbers match, station has shared secret key

40

WEP Safeguards

• Shared secret key required for: • Associating with an access point

• Sending data

• Receiving data

• Messages are encrypted • Confidentiality

• Messages have checksum • Integrity

• But management traffic still broadcast in clear containing SSID

41

Initialization Vector

• IV must be different for every message transmitted

• 802.1standard does not specify how IV is calculated

• Wireless 1 cards use several methods

• Some use a simple ascending counter for each message

• Some switch between alternate ascending and descending counters

• Some use a pseudo random IV generator

• If IV is the same, then two duplicate messages would result in the same cipher text

42

Passive WEP attack

• If 24 bit IV is an ascending counter,

• If Access Point transmits at 11 Mbps,

•All IVs are exhausted in roughly 5 hours

• Passive attack:

•Attacker collects all traffic

•Attacker could collect two messages:

•Encrypted with same key and same IV

•Statistical attacks to reveal plaintext

•Plaintext XOR Ciphertext = Keystream

Passive WEP attack

43 http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm

Initialization Vector Reuse Vulnerability

44

45

Active WEP attack

• If attacker knows plaintext and ciphertext pair

• Keystream is known

• Attacker can create correctly encrypted messages

• Access Point is deceived into accepting messages

• Bitflipping

• Flip a bit in ciphertext

• Bit difference in CRC-32 can be computed

46

Limited WEP keys

• Some vendors allow limited WEP keys

• User types in a passphrase

• WEP key is generated from passphrase

• Passphrases creates only 21 bits of entropy in 40 bit key

• Reduces key strength to 21 bits = 2,097,152

• Remaining 19 bits are predictable

• 21 bit key can be brute forced in minutes

• www.lava.net/~newsham/wlan/WEP_password_cracker.ppt

47

Creating limited WEP keys

48

Brute force key attack

• Capture ciphertext

• IV is included in message

• Search all 240 possible secret keys

• 1,099,511,627,776 keys

•~170 days on a modern laptop

• Find which key decrypts ciphertext to plaintext

49

128 bit WEP

• Vendors have extended WEP to 128 bit keys

• 104 bit secret key

• 24 bit IV

• Brute force takes 10^19 years for 104-bit key

• Effectively safeguards against brute force attacks

50

Key Scheduling Weakness

• Paper from Fluhrer, Mantin, Shamir (FMS), 2001

• Two weaknesses:

•Certain keys leak into key stream

• Invariance weakness

• If portion of PRNG input is exposed,

•Analysis of initial key stream allows key to be determined

• IV weakness

51

IV weakness

• WEP exposes part of PRNG input • IV is transmitted with message

• Every wireless frame has reliable first byte • Sub-network Access Protocol header (SNAP) used in logical

link control layer, upper sub-layer of data link layer.

• First byte is 0xAA

• Attack is: • Capture packets with weak IV

• First byte ciphertext XOR 0xAA = First byte key stream

• Can determine key from initial key stream

• Practical for 40 bit and 104 bit keys

• Passive attack • Non-intrusive / No warning

52

Wepcrack

• First tool to demonstrate attack using IV weakness

• Open source, Anton Rager

• Three components

• Weaker IV generator

• Search sniffer output for weaker IVs & record 1st byte

• Cracker to combine weaker IVs and selected 1st bytes

• Cumbersome

53

Airsnort

• Automated tool

• Cypher42, Minnesota, USA.

• Does it all!

• Sniffs

• Searches for weaker IVs

• Records encrypted data

• Until key is derived.

• 100 Mb to 1 Gb of transmitted data.

• 3 to 4 hours on a very busy WLAN.

54

Avoid the weak IVs • FMS described a simple method to find weak IVs

• Many manufacturers avoid those IVs after 2002

• Therefore Airsnort and others may not work on recent hardware

• However David Hulton aka h1kari • Properly implemented FMS attack which shows many

more weak IVs

• Identified IVs that leak into second byte of key stream.

• Second byte of SNAP header is also 0xAA

• So attack still works on recent hardware

• And is faster on older hardware

• Dwepcrack, weplab, aircrack

55

Generating WEP traffic

• Not capturing enough traffic?

•Capture encrypted ARP request packets

•Anecdotally lengths of 68, 118 and 368 bytes appear appropriate

•Replay encrypted ARP packets to generate encrypted ARP replies

•Aireplay implements this.

56

Wired Equivalent Privacy (WEP)

• Provides rudimentary 40-bit/128-bit encryption

• RC-4 cipher

• Weak Point is IV not RC-4

• Static encryption keys — must be changed

manually

• Attacker’s tools: Airsnort, Yellowjacket, Airfart

• Encryption keys can be cracked

• Default setting is “OFF”

57

802.1x — A New Hope

• Provides secure access using port control

• Uses EAP (Extensible Authentication Protocol)

• Supports Kerberos, smart cards, one-time passwords, and so on

• Components required: • Wireless device

• AP

• Authentication server, typically Remote Authentication Dial-in User Service (RADIUS)

58

Authentication & Encryption Std

EAP

802.1x

WPA-TKIP 802.11i

RC4

TLS

MSFT IETF

Encryption Algorithms

Authentication Protocols

PEAP

CSCO/MSFT IETF

Certificate Credentials Username/Password

Encryption Standards WEP

RC4 AES

Dan Ziminski & Bill Davidge

59

How 802.1x Works

User requests connection

AP requests user ID

User sends ID

RADIUS confirms credentials

AP requests user credentials

User sends AP credentials AP sends credentials to RADIUS

RADIUS asks for credentials

AP requests RADIUS

connection for user

AP confirms credentials

If credentials are correct, user is given access to the network through the AP,

according to policies enforced by the authentication server

Wireless Device Access Point Authentication Server (RADIUS)

60

802.1x EAP-TLS Authentication

Station

Supplicant

Access Point

Authenticator RADIUS Server

Authorizer

Client digital cert

From XYZ CA

Server Digital cert

From XYZ CA

Dan Ziminski & Bill Davidge

61

802.1x PEAP authentication

Station

Supplicant

Access Point

Authenticator

Digital cert

From XYZ CA Phase 1:

Authenticate AP.

Secure tunnel

to AP using TLS

Phase 2:

Password authentication

with directory server

Username: ABC

Password: encrypted

Success/Fail

Dan Ziminski & Bill Davidge

62

802.1x — The Downside

• Only does authentication

• Encryption is still required

• If used with WEP, the encryption keys are still static even though the authentication keys change

• Authenticator and device must use the same authentication method

• Only supports client-level authentication

63

WPA (Wi-Fi Protected Access)

802.1X

TKIP and AES

WPA

64

WPA (Wi-Fi Protected Access)

• WPA = 802.1X + TKIP • WPA requires authentication and encryption

• 802.1X authentication choices include LEAP, PEAP, TLS

• WPA has strong industry supporters

• Adds to 802.1X and TKIP

• Widespread adoption of WPA will add robust security and remove the “security issue” from the WLAN industry

• WPA will become accepted as the standard

• It is an interim standard

65

WPA – Fixed WEP’s Problems

• IV changes to 48 bits with no weak keys

(900 years to repeat an IV at 10k packets/sec)

• Use IV as a replay counter

• Message integrity Check (MIC)

• Per-packet keying

Dan Ziminski & Bill Davidge

66

TKIP – Per Packet Keying

48 bit IV

16 bit lower IV 32 bit upper IV

Key mixing Key mixing

Per-Packet-Key IV IV d

Session Key

MAC Address

104 bits 24 bits

128 bits

Fixes the weaknesses of WEP key generation but still uses the RC4 algorithm

Dan Ziminski & Bill Davidge

67

802.11i

• Mutual authentication

• Dynamic session key

• Message Integrity Check (MIC)

• Temporal Key Integrity Protocol (TKIP)

• Initialization vector sequencing

•Rapid re-keying

• Per-packet key hashing

• Future

• Stronger encryption schemes, such as AES

68

802.11i and WPA

• Uses 802.1x authentication

• Uses Temporal Key Integrity Protocol (TKIP) to dynamically change encryption keys after 10,000 packets are transferred

• Uses Advanced Encryption Standard (AES) encryption, which is much better than WEP

• A subset of 802.11i, Wi-Fi Protected Access (WPA) is available as a firmware upgrade today

69

802.11i and WPA Pitfalls

• Keys can be cracked using much less than 10,000 packets

• Michael feature — shuts down AP if it

receives two login attempts within one second. Hackers can use this to perpetrate a DoS attack.

• 802.11i WPA2

70

Encryption Effects

Wireless Encryption

Type

Desktop Control Needed

Cost to Implement

Difficult to Manage

Vendor Support

Problems

Vulnerable to Attack

none low low low low high

WEP medium low high low medium

WPA TKIP high high high medium low

802.11i AES high high high high none

VPN high high medium low none

Dan Ziminski & Bill Davidge

71

End-to-End/Link Security

End-to-End Security

Internet

Link Security

72

VPN Authentication & Encryption

Station

Access Point

VPN Gateway

LAN

IPSEC VPN Tunnel

Dan Ziminski & Bill Davidge

73

Web Authentication

Station

Access Point

Web auth

security device

LAN

HTTPS

Login page

Backend

RADIUS

Server

Dan Ziminski & Bill Davidge

74

Authentication Type

Wireless Auth Type

Desktop Control Needed

Cost to Implement

Difficult to Manage

Vendor Support

Problems

Vulnerable to Attack

VPN high high medium low low

WEP medium low high low high

802.1x EAP TLS

ceritficates

high high high medium low

802.1x PEAP medium medium medium medium low

Web Auth low low medium low medium

Dan Ziminski & Bill Davidge

75

Outline

• Secure Communication

• Security Mechanisms

• Security Threats

• IEEE 802.11 Security

• WLAN security management

76

Wireless Security Concerns

• Management of device security

• Corruption of data sent to wireless devices

• Malicious code (viruses, Trojans, worms)

• Unauthorized users

• Confidentiality of data sent wirelessly

• Security of data stored on a handheld device

77

WLAN security management

• Open Access

• No WEP, WPA, encryption

• Broadcast Mode

• Basic Security

• 40-bit, 128-bit, 256-bit Static Encryption Key

• Enhanced Security

• Dynamic Encryption Key / Scalable Key Management

• Mutual 802.1x/EAP Authentication

• TKIP/WPA

• Traveling Security

• Virtual Private Network (VPN)

78

Wireless Policy Issues

• Policy needs to dictate permitted services and usage

• Needs a means of identifying and enforcing wireless policies

• Existing organization security policies need to be updated to cope with wireless security issues

• Policy needs to indicate how access will be controlled, for instance, time of day

79

Wireless Policy Issues

• Every access needs to be logged

• User compliance and standards enforcement

• Centralized control of security policies

• Wireless intrusion alert issues

• Process to update client software levels

• Intrusion detection policies

80

Knows Your Organization

1

2

3

4

User Involvement,

Awareness and Roles

Key Password Quality

User and

Key Administration

Environment Integrity

and Robustness

Network Security

and Technology Issues

Client

Security

Application

Security

Audits and Controls,

and IDS

Process Management

and Standards

Weakness

Strength

Weakness

Weakness

81

More Security

A laptop in your network connecting to

a neighboring Wi-Fi network exposing

your corporate data.

Neighbor’s Network

Hacker attacking your network through

an internal laptop acting as an

unofficial software access point.

Unofficial Access Point

Rogue Access Point Hacker attacking your network through an

unofficial access point connected to the

network.

Hacker attacking your

network through an

unofficial connection with a

misconfigured AP.

Misconfigured Access Point

DO NOT

ENTER

DO NOT

ENTER

DO NOT

ENTER

DO NOT

ENTER

82

More Secure WLAN Topology

LAN

Internet

RADIUS

83

Client Differentiation

Channel: 1 SSID: Laptop VLAN: 1

Channel: 6 SSID: PDA VLAN: 2

Channel: 11 SSID: Phone VLAN: 3

802.1Q wired network with

VLANs

84

SSID: Laptop VLAN: 1

SSID: PDA VLAN: 2

SSID: Phone VLAN: 3

Client Differentiation

802.1Q wired network with

VLANs

85

Conclusions

• Wireless technology is becoming embedded

• Notebooks, PDAs, cell phones, etc.

• WLAN is currently unsecure

• 802.11 WEP security is insufficient for the enterprise

• 802.11i (WPA2) and WPA offer great improvements

• People, processes, policies and architecture are required to deploy WLAN securely

86

References

• “WLAN teaching materials” by Anan Phonphoem, Computer Engineering Dept., Kasetsart University

• “Who’s Watching Your Wireless Network?” by Ian Hameroff, Computer Associates, eTrust™ Security solutions, CA World 2003

• “Wireless Configuration and Security Issues” by Greg Gabet, IBMGS, CA world 2003

• “Addressing the Challenges of Adopting Secured Mobility in the Enterprise” by Hans-Georg Büttner, Ernst & Young IT-Security GmbH, Germany, CA World 2003

• “Wireless Local Area Network Security” by Robert Simkins, University of Derby, UK

• “WLAN Security”, Matthew Joyce, Rutherford Appleton Laboratory, CCLRC

• Wireless LAN Security, Threats & Countermeasures, By Joseph Tomasone, Senior Network Security Engineer, Fortress Technologies, Inc., Session 8, August 10, 2005, Infragard National Conference 2005

• CSG 256 Final Project Presentation, by Dan Ziminski & Bill Davidge