Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.
-
Upload
polly-hudson -
Category
Documents
-
view
216 -
download
1
Transcript of Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.
![Page 1: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/1.jpg)
Wireless Security: The need for WPA and 802.11i
By Abuzar Amini
CS 265 Section 1
![Page 2: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/2.jpg)
Wireless Security Timeline WEP - Part of original 802.11
specification published in 1999. WPA - Developed to fix numerous WEP
flaws. Ratified by Wi-Fi Alliance in 2003. 802.11i - More robust, permanent security
standard expected to be finalized soon. Currently in 7th draft.
![Page 3: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/3.jpg)
WEP
Wired Equivalent Privacy Uses RC4 Stream cipher Has static 40-bit base key 64-bit per-packet key 24-bit Initialization Vector (IV) Uses Integrity Check Value (ICV) to verify
integrity
![Page 4: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/4.jpg)
WEP Weaknesses (IV repetition)
Short 24-bit IV means RC4 key must be changed every 224 packets or data can be exposed via IV repetition. With repeated IV -> c1 c2 = p1 p2 Not very feasible to change WEP key after 16
million packets transmitted.
![Page 5: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/5.jpg)
WEP Weaknesses (Replay Attack)
QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture.
QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture.
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
Alice
BobTrudy
Authorized WEP communications
Eavesdrop and record
Replay packets
![Page 6: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/6.jpg)
WEP Weaknesses (Forgery Attack)
Packet data can be forged WEP uses ICV (CRC-32) to verify integrity. Create a blank message with same number of data
bytes, flip some bits and compute ICV. XOR bit-flipped message and ICV into captured
message. Result - Undetected forgery.
Identity can be forged Source address, Destination address not protected.
![Page 7: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/7.jpg)
WEP Weaknesses (Keys)
WEP uses same key for authentication and encryption.
No way to manage keys. Same static key used on AP as well as all
clients.
![Page 8: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/8.jpg)
WPA: The solution for today
Wi-Fi Protected Access (WPA) created to fix vulnerabilities of WEP while keeping the ability to run on legacy Access Points.
Subset of 802.11i Standard. Two major components: TKIP and 802.1X
Extensible Authentication Protocol (EAP) based authentication.
![Page 9: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/9.jpg)
TKIP Temporal Key Integrity Protocol. Consists of new algorithms to wrap WEP
A new Message Integrity Code (MIC) called Michael.
IV sequencing to defeat replay attacks. A per-packet key mixing function to de-
correlate IVs from weak keys. A re-keying mechanism to provide fresh
encryption and integrity keys.
![Page 10: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/10.jpg)
TKIP (Michael)
Uses two 64-bit keys, one for each link direction.
Unlike WEP, packet Sender Address and Destination Address are computed as part of the MIC.
8-byte MIC appended to the packet data.
![Page 11: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/11.jpg)
TKIP (IV Sequencing)
IV sequencing used to protect against replay attacks. Reset packet sequence number to 0 on
rekey. Increment sequence number by 1 each time
packet transmitted. Packets received out of sequence are
dropped.
![Page 12: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/12.jpg)
TKIP (Key mixing)
Per-packet mixing function implemented in 2 phases: Phase 1: Combines local MAC address and
temporal key. Then run through S-box to produce intermediate key.
Fistel cipher used to encrypt the packet sequence number under the intermediate key, producing 128-bit per-packet key.
![Page 13: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/13.jpg)
TKIP (Keys)
One 128-bit encryption key Two 64-bit integrity keys Master keys assigned by Authentication
Server using the 802.1X architecture
![Page 14: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/14.jpg)
802.1X EAP WPA uses 802.1X as an authentication and key
replacement mechanism. 802.1X specifies the following components:
Supplicant – A user or a client that wants to be authenticated.
Authentication server – An authentication system, such as a RADIUS server, that handles actual authentications.
Authenticator – A device that acts as an intermediary between a supplicant and an authentication server. Usually, an AP.
![Page 15: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/15.jpg)
802.1X EAP Messages
QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture. QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture.
EAP-identity request
EAP Identity Response
EAP Auth Request
EAP Success / Optional Master Key
Supplicant Authenticator Auth. ServerAttach
EAP Auth Response
![Page 16: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/16.jpg)
Different forms of EAP EAP-Transport Layer Security(EAP-TLS)
Authentication requires use of PKI EAP-Tunneled TLS (EAP-TTLS)
Favored by some for use in 802.11i EAP-Protected EAP (PEAP)
Favored by some for use in 802.11i
![Page 17: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/17.jpg)
802.11i:Robust Security for Tomorrows WLANs
Still uses some WPA features TKIP 802.1X Key hierarchy Key management
![Page 18: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/18.jpg)
802.11i
New cipher AES block cipher replaces RC4 AP hardware needs to be upgraded to
support more complex AES computations. Mode of operation - AES Counter Mode
Encryption with CBC-MAC (CCM).
![Page 19: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/19.jpg)
AES-CCM Mode
Header Payload MIC
Authenticated
Encrypted
CBC-MAC used to compute MIC on header and payload.
CTR mode is used to encrypt the payload and MIC.
![Page 20: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/20.jpg)
802.11i (Other Features) EAP over an Ethernet LAN (EAPOL)
Roaming support Allows clients to pre-authenticate with different APs,
on wired or wireless LANs.
Independent Base Service Set (IBSS) Allows clients to authenticate to each other, even if
not in range of an AP.
Password-to-key mapping
![Page 21: Wireless Security: The need for WPA and 802.11i By Abuzar Amini CS 265 Section 1.](https://reader035.fdocuments.net/reader035/viewer/2022070413/5697bfb91a28abf838c9f8d5/html5/thumbnails/21.jpg)
WLAN Security SummaryWEP WPA 802.11i
Cipher Algorithm RC4 RC4 (TKIP) AES-CCMPEncryption Key 40-bit 128-bit 128-bitInitialization Vector 24-bit 48-bit 48-bitAuthentication Key None 64-bit 128-bitIntegrity Check CRC-32 Michael CCMKey Distribution Manual 802.1X (EAP) 802.1X (EAP)Key Unique To: Network Packet, Session, User Packet, Session, UserKey Hierarchy No Derived from 802.1X Derived from 802.1XAd-hoc Security (P2P) No No Yes (IBSS)Pre-authentication No No Yes (EAPOL)