Date posted: 12-Jan-2016

802.11 Wireless Insecurity
By: No’eau Kamakani, Robert Whitmire

Outline
• Background
• Security Features
• Attacks
• Demonstrations
• Conclusion

Background

Wireless Definitions
802.11
  • 802 = LANs (Local Area Network)
  • 11 = Wireless
WiFi
  • Wireless Fidelity
Hotspots
  • Connection point for a WiFi network hardwired to the Internet

How Does It Work?
Transmits over radio frequency
  • 2.4 – 2.483 GHz
  • 5 GHz range
Channels (for B and G)
  • Direct Sequence Spread Spectrum
  • USA 1-11
  • Europe 1-13
  • Japan 1-14

Protocols

Products

Why go wireless
Infrastructure easy
  • Goes thru walls, no wiring
Portability and Flexibility
  • Access from anywhere
Interoperability
  • Compatible with all WiFi products certified by Wireless Ethernet Compatibility Alliance (WECA)
Increased Productivity
  • Endless connectivity

Security

WEP
Wired Equivalent Privacy
Secret Key for encrypting data
  • Shared between mobile card and access point
  • 40-128 bits (includes IV)
Initialization Vector (IV)
  • 24 bit, randomly generated
  • Sent in clear text
  • Finite

RC4 Encryption Algorithm
Stream cipher
  • Generates infinite pseudo-random keystream
Keystream generated with key and IV
  • XOR’ed with message and checksum to generate ciphertext
  • Receiver generates same keystream and XORs it with ciphertext to get message and checksum

Visualizing RC4

CRC-32 Checksum
Linear checksum algorithm
  • Integrity checking
  • A bit in message correlates directly to set of checksum bits

WEP Vulnerabilities
Relies on flawed encryption method
  • RC4 is crackable through statistical analysis
      • IV’s collisions, calculate key from this
  • Checksum is predictable
IV implemented incorrectly
Better than nothing
  • Not on as default
  • Not end all security measure

Easily Crackable (AirSnort)

WPA
WiFi Protected Access
Latest snapshot of 802.11i
  • Explained later
Rotating Keys
  • Temporal Key Integrity Protocol
Increased IV (24-48 bits)
Checksum
Order of magnitude harder to crack

802.1X
User not Machine Authentication
Supposed to provide a vendor-independent way to control access
Authentication through EAP (Extensible Authentication Protocol)
  • Tokens, Kerberos, one-time passwords, certificates, etc.

Other Security Attempts
802.11i
  • IEEE attempt to provide strong security
  • Dynamically updating WEP Key
  • Not complete
VPN
  • Providing security through VPN tunneling protocols
  • Compatibility issues, better than WEP but not universal solution
MAC Filtering
  • MAC addresses sent in clear
  • Easy to sniff
  • Easy to spoof

Attacks
Passive attack to decrypt traffic
  • Waits for keystream collision
  • Gets XOR
  • Statistically reveals plain text
Active attack to inject traffic
  • RC4(X) xor X xor Y = RC4(Y)
Unauthorized Access Points on a Network
  • Attacker set up own access point on network, effectively circumventing security measures
  • Resetting access points to default

Fun Demonstrations

War Driving

War Driving Silicon Valley

War Spying
Also called Warviewing
2.4 GHz wireless cameras

Gear

Conclusion
• WEP is better than nothing
• Never settle for default settings
• Base protection level on sensitivity of data
• Provide backup network protection
• Remember, anyone can sniff your wireless network.

Questions?