UNCLASSIFIED

IT SECURITY TECHNICAL PUBLICATION

802.11 Wireless LAN Vulnerability Assessment (ITSPSR-21A)

ITSPSR-21A, May 2009


Foreword

The 802.11 Wireless LAN Vulnerability Assessment (ITSPSR-21A) is an UNCLASSIFIED publication, issued under the authority of the Chief, Communications Security Establishment Canada (CSEC).

Suggestions for amendments should be forwarded through departmental communications security channels to your Client Services Representative at CSEC.

Requests for additional copies or changes in distribution should be directed to your Client Services Representative at CSEC.

For further information, please contact CSEC’s ITS Client Services area by e-mail at [email protected] or call (613) 991-7600.

Effective Date

This publication takes effect on May 1st, 2009.


Gwen Beauchemin
Director, Mission Management

Government of Canada, Communications Security Establishment Canada © 2009

It is not permissible to make copies or extracts from this publication without the written consent of CSEC.


Executive Summary

WLAN devices based on the IEEE 802.11 standard have a number of vulnerabilities related to the fact that wireless signals are sent over the air rather than through closed wiring paths. In WLANs, network traffic is broadcast into uncontrolled public spaces, which may result in the compromise of sensitive information. Additionally, signals from unauthorized external sources may easily enter the network, allowing attackers to join the network as though they were bona fide users. This creates risks not only for the WLAN but also for any other network to which it is connected. These risks may also arise on traditional wired networks because it is easy and inexpensive for users to install their own WLAN devices without the knowledge or consent of network authorities. The risk of outside attack is very high: activities such as “war driving” and free, simple-to-use software tools for discovering and exploiting WLANs are readily available and may allow outsiders to penetrate the network. The 802.11 standard originally included provision for a security scheme known as Wired Equivalent Privacy (WEP), which provided some protection against casual interception of network traffic or insertion of unauthorized traffic. However, WEP suffered from serious design weaknesses that made it vulnerable to hacker exploitation tools. Recent 802.11 revisions include improved security mechanisms in the form of Wi-Fi Protected Access (WPA) and 802.11i (also called WPA2). WPA2 addresses the weaknesses in previous schemes and features strong, AES-based encryption (some brands/models of WLAN APs carry FIPS 140-2 certification), as well as 802.1X enterprise authentication features allowing WLAN access authentication to be integrated with existing corporate user authentication mechanisms (smart cards, tokens, PKI, biometrics, etc.). Practical attacks against WPA2 are few and primarily targeted at Pre-Shared Key (PSK) deployments.
Note that these security features are usually turned off by default, and must be enabled to have any effect: WLANs deployed without enabling security features leave the network wide open to discovery and attack. CSEC recommends that WPA2 security be mandatory with 802.1X authentication wherever possible for all unclassified WLAN deployments within the Government of Canada. Older equipment not supporting WPA2 must be replaced or upgraded. In instances where especially sensitive information may be transferred over a WLAN, additional security measures such as end-to-end encryption or VPNs should also be deployed. Other essential protection measures include network monitoring for unusual traffic and to detect the installation of unauthorized wireless devices. CSEC is in the process of developing a comprehensive security solution to mitigate the risk of 802.11 WLAN technology. This solution will combine a variety of measures including the use of Firewalls, Virtual Private Network (VPN) encryption and strong authentication, which departments should deploy to isolate WLANs from sensitive government networks.


Revision History

Document No.   Title                                          Release Date
ITSPSR-21      802.11 Wireless LAN Vulnerability Assessment   November 2002


Table of Contents

Foreword
Effective Date
Executive Summary
Revision History
Table of Contents
List of Abbreviations and Acronyms
1 Introduction
  1.1 Background
  1.2 Purpose
  1.3 Scope
  1.4 Document Structure
2 802.11 WLAN System Overview
  2.1 Technology
    2.1.1 Background
    2.1.2 Infrared (IR) Technology
    2.1.3 Radio Frequency (RF) Technology
  2.2 Architecture
    2.2.1 General
    2.2.2 Ad Hoc Mode
    2.2.3 Infrastructure Mode
    2.2.4 Distribution System Mode
    2.2.5 Wireless Distribution System Mode
    2.2.6 Wireless Mesh Networks
  2.3 WLAN Standards
  2.4 IEEE 802.11 Standards
    2.4.1 Background
    2.4.2 IEEE 802.11 Task Groups/Amendments
  2.5 Wi-Fi™ Interoperability Standard
    2.5.1 Wireless Ethernet Compatibility Alliance (WECA) and the Wi-Fi Alliance
3 Security Mechanisms
  3.1 General
  3.2 Access Control
    3.2.1 General
    3.2.2 Service Set Identifier (SSID)
    3.2.3 MAC Address Access Control List (ACL)
  3.3 Authentication Services


    3.3.1 General
    3.3.2 Open System Authentication
    3.3.3 Shared Key Authentication
    3.3.4 802.1X Authentication
  3.4 Data Confidentiality and WEP/WPA/802.11i/WPA2
    3.4.1 General
    3.4.2 Wired Equivalent Privacy (WEP) Protocol
    3.4.3 Wi-Fi Protected Access (WPA)
    3.4.4 IEEE 802.11i/Wi-Fi Protected Access version 2 (WPA2)
4 Vulnerabilities
  4.1 Access Control Vulnerabilities
    4.1.1 General
    4.1.2 SSID
    4.1.3 MAC Address Access Control List (ACL)
  4.2 Authentication Mechanism Vulnerabilities
    4.2.1 General
    4.2.2 Shared Key Authentication Flaw
    4.2.3 802.1X/EAP Vulnerabilities
  4.3 WEP Vulnerabilities
    4.3.1 General
    4.3.2 Keystream Re-use
    4.3.3 Message Integrity
    4.3.4 Key Management
  4.4 WPA/WPA2 Vulnerabilities
    4.4.1 General
    4.4.2 Key Management
    4.4.3 4-Way Handshake and Weak Passphrase Vulnerability
    4.4.4 WPA MIC Spoofing Countermeasure
  4.5 Configuration Defaults
  4.6 Simple Network Management Protocol (SNMP)
5 Exploits
  5.1 Network Discovery and Access Attacks
    5.1.1 General
    5.1.2 Network Discovery
    5.1.3 Network Access via Wireless Router
  5.2 Denial of Service (DoS) Attacks
    5.2.1 General
    5.2.2 AP Takeover
    5.2.3 AP Cloning
    5.2.4 RF Jamming
  5.3 WEP Protocol Attack
    5.3.1 General


    5.3.2 Passive Attack
    5.3.3 Active Attacks
    5.3.4 Decryption Table Attack
  5.4 WPA/WPA2 Attacks
    5.4.1 General
    5.4.2 Pre-Shared Key Dictionary Attack
  5.5 Monitoring and Interception Attacks
    5.5.1 General
    5.5.2 Traffic Sniffing
    5.5.3 Broadcast Monitoring
    5.5.4 Man-in-the-Middle Attack
6 Solutions
  6.1 Overview
  6.2 Determine Range of Your Network Coverage
  6.3 Do Not Broadcast Your SSID
  6.4 Do Not Use the Default SSID
  6.5 Use WPA2
  6.6 Use 802.1X Server-based Authentication
  6.7 Change the Key Frequently
  6.8 Use a VPN and Firewall to Isolate the WLAN
  6.9 Use a Personal Firewall on Every Wireless Client
  6.10 Consider Wireless Intrusion Detection/Prevention Systems
7 Future Work
8 Conclusions and Recommendations
9 References


List of Abbreviations and Acronyms

AES       Advanced Encryption Standard
ACL       Access Control List
AP        Access Point
ARP       Address Resolution Protocol
ATM       Asynchronous Transfer Mode
BSS       Basic Service Set
CBC       Cipher Block Chaining mode
CCMP      Counter-mode with CBC-MAC Protocol
CRC       Cyclic Redundancy Checksum
CSEC      Communications Security Establishment Canada
DHCP      Dynamic Host Configuration Protocol
DES       Data Encryption Standard
3DES      Triple DES
DoS       Denial of Service
DSSS      Direct Sequence Spread Spectrum
EAP       Extensible Authentication Protocol
ESS       Extended Service Set
ETSI      European Telecommunications Standards Institute
FCC       Federal Communications Commission
FHSS      Frequency-Hopping Spread Spectrum
FIPS      Federal Information Processing Standards (USA)
GC        Government of Canada
GHz       GigaHertz
GPS       Global Positioning System
HiperLAN  High Performance Radio Local Area Network (ETSI)
IBSS      Independent Basic Service Set
IEC       International Electrotechnical Commission
IEEE      Institute of Electrical and Electronics Engineers
IP        Internet Protocol
IR        Infrared
IrDA      Infrared Data Association
ISM       Industrial, Scientific And Medical
ISO       International Organization For Standardization
IT        Information Technology
ITS       Information Technology Security
IV        Initialization Vector


LAN       Local Area Network
MAC       Medium Access Control (IP) or Message Authentication Code (Crypto)
MAN       Metropolitan Area Network
Mbps      Megabits per Second
MIC       Message Integrity Code
MIMO      Multiple-Input/Multiple-Output
NAI       Network Access Identifier
OCB       Offset Code Book
OFDM      Orthogonal Frequency Division Multiplexing
OSI       Open Systems Interconnection
PHY       Physical (Layer)
PMK       Pairwise Master Key
PKI       Public Key Infrastructure
PPP       Point-to-Point Protocol
PRNG      Pseudo-Random Number Generator
PSK       Pre-Shared Key
PTK       Pairwise Transient Key
RC4       Rivest Cipher 4/Ron’s Code 4 (Encryption Algorithm)
RF        Radio Frequency
RSN       Robust Security Network
SNMP      Simple Network Management Protocol
SSH       Secure Shell
SSID      Service Set Identifier
TKIP      Temporal Key Integrity Protocol
TMTO      Time-Memory Trade-Off
UMTS      Universal Mobile Telecommunications System
VPN       Virtual Private Network
WAN       Wide Area Network
WECA      Wireless Ethernet Compatibility Alliance (see also WFA)
WEP       Wired Equivalent Privacy
WFA       Wi-Fi Alliance (new name for WECA)
WIDS      Wireless Intrusion Detection System
Wi-Fi™    Wireless Fidelity, a Trademark of the Wi-Fi Alliance
WIPS      Wireless Intrusion Prevention System
WLAN      Wireless Local Area Network
WPA       Wi-Fi Protected Access
WPA2      Wi-Fi Protected Access version 2


WPAN      Wireless Personal Area Network
WRAP      Wireless Robust Authenticated Protocol
XOR       Exclusive OR


1 Introduction

1.1 Background

With the rapidly increasing adoption of 802.11 technology, WLAN products have become mainstream and increasingly common in business, education, and home environments. The enhanced mobility and productivity offered by wireless technology, along with the long-term cost saving and ease of installation, have attracted organizations to make the move to this innovative technology. However, both federal departments and private companies are deploying wireless networks often without fully understanding the security risks associated with their use.

1.2 Purpose

This report describes vulnerabilities of, and solutions for, the use of an 802.11 WLAN in the federal government environment. It is based on an analysis of information discovered in the test laboratory at CSEC and information currently available through open sources such as manufacturers and technology organizations and associations. The primary goal of this vulnerability assessment report is to give government clients a better understanding of the risks involved before they develop plans for wireless network deployments.

1.3 Scope

This report focuses on the main commercially available variants of the WLAN standard: 802.11b, 802.11g and the soon-to-be-approved 802.11n. Their present popularity, relative maturity and the wide availability of products make these versions of the standard the best models for a vulnerability assessment of 802.11 WLAN technology. It must be pointed out, however, that most of the information in this document is not exclusive to 802.11b/g/n but also applies, to varying degrees, to 802.11a and other 802.11 WLAN standards.

1.4 Document Structure

This report provides a brief overview of the WLAN architectures and the IEEE 802.11 standard that dominates the WLAN market today, followed by an explanation of the security mechanisms, the vulnerabilities of these mechanisms and some commonly known 802.11 exploits. Interim steps to mitigate the problems are also included.


2 802.11 WLAN System Overview

2.1 Technology

2.1.1 Background

Unlike conventional LANs, which rely on physical connections of copper wire or optical fibre to transport information, Wireless LANs (WLANs) use infrared (IR) light or radio frequency (RF) electromagnetic waves to transmit and receive data. Wireless technology provides all of the functionality of wired LANs but removes the physical constraints imposed by the need to hard-wire the user community. This simplifies and speeds up network installation and increases flexibility and scalability, while allowing greater user mobility. These advantages, combined with the ever-increasing data bandwidth offered by wireless technology, make WLANs an attractive alternative for individuals and organizations that plan to implement or expand a LAN without having to install or move wires.

In a WLAN environment, each computer that requires over-the-air connectivity must be equipped with a WLAN adapter. These adapters normally take the form of plug-in cards for installation in the expansion slots of desktop computers, or PC Cards or USB dongles for installation in the appropriate slots of notebooks and laptops. These cards and adapters are simply network interface cards with a built-in radio transceiver and a miniature antenna that provide the RF communication link (or, in the case of IR-based WLANs, an infrared emitter/detector pair). Virtually all recent laptop models come with some variety of WLAN built in (one or more of IR, 802.11 and Bluetooth). While this practice increases convenience and reduces the number of additional cards and adapters the user must carry, it adds the complication that, in most cases, such built-in WLAN hardware cannot easily be upgraded to take advantage of new security or user features.

2.1.2 Infrared (IR) Technology

IR is used in a variety of Information Technology (IT) applications including WLANs and wireless interfaces for connecting computer and peripheral devices, commonly known as serial IR links. IR was originally a non-standardized technology, with each vendor and equipment manufacturer implementing a proprietary protocol; however, the Infrared Data Association (IrDA) was quickly formed to produce a set of standards governing IR computer connectivity. The IrDA Data standard addresses the use of IR for high-speed, short-range, line-of-sight, point-to-point wireless data transfer. The IrDA Control standard covers the communications between PCs and wireless peripherals such as the keyboard or mouse. Laser technology is also employed to establish optical data links capable of transmitting information in a direct line of sight for distances of several kilometres.

The legacy IEEE 802.11 standard also defines the use of infrared as a transmission technology; however, no commercial 802.11 IR products are known to have been developed and this portion of the standard has not been updated since the initial release of the standard in 1997.


2.1.3 Radio Frequency (RF) Technology

2.1.3.1 General

RF has become the de facto technology for the majority of today’s WLANs. Radio signals can travel in all directions for distances ranging from a few metres to several kilometres. These characteristics can be very practical in situations where wide or long-range coverage is required, but they become problematic when the signal’s propagation needs to be limited. The fact that the destination of radio signals cannot be precisely controlled makes this medium the most vulnerable to undetected interception and exploitation. All unprotected radio traffic can be monitored with widely available radio equipment by anyone located within the range of the transmitter; however, it is important to note that amplifiers and specialized antennas can also be used solely at the receiver site to increase the effective range of radio signals, so simply controlling the transmitter power is not sufficient to limit the propagation of signals. For example, the use of RF wireless computer keyboards should be avoided for the processing of sensitive information, since they broadcast the information that is typed on them and, even though the transmit power is comparatively low, this information may still be intercepted at range. In addition to signal interception, RF communications are also subject to spurious and deliberate electromagnetic interference that can result in the inability to communicate.
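To make the receiver-side point concrete, the following is an added example (written for this edit, not code from the CSEC publication) that estimates how far an AP's signal remains decodable under a log-distance path-loss model. Transmit power, antenna gains, receiver sensitivity and the path-loss exponents are assumed illustrative values, not figures from the document; the point it shows is that receiver antenna gain enters the link budget exactly as transmitter power does, so the area that must be treated as exposed grows with the receiver, not only with the AP's settings.

```python
# Log-distance range estimate for a 2.4 GHz 802.11 link. Constructed example
# added by the editor; not code from the CSEC publication. All link parameters
# used below are assumed illustrative values.
import math


def path_loss_db(distance_m, freq_mhz, exponent=2.0):
    """Log-distance path loss: free-space loss at 1 m plus 10*n*log10(d).

    exponent 2.0 reproduces the Friis free-space model (an optimistic bound);
    3.0 to 4.0 is typical of obstructed indoor or urban propagation.
    """
    loss_at_1m = 20 * math.log10(freq_mhz) - 27.55   # free-space loss at 1 m, dB
    return loss_at_1m + 10 * exponent * math.log10(distance_m)


def received_power_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m,
                       freq_mhz, exponent=2.0):
    """Link budget: transmit power plus both antenna gains minus path loss."""
    return (tx_dbm + tx_gain_dbi + rx_gain_dbi
            - path_loss_db(distance_m, freq_mhz, exponent))


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sens_dbm,
                freq_mhz, exponent=2.0):
    """Largest distance at which received power still reaches the sensitivity.

    Solves path_loss_db(d) == budget for d; receiver gain and transmitter
    power appear in the budget as the same kind of term.
    """
    budget = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sens_dbm   # allowed loss, dB
    loss_at_1m = 20 * math.log10(freq_mhz) - 27.55
    return 10 ** ((budget - loss_at_1m) / (10 * exponent))


def exposure_table(tx_dbm=20.0, tx_gain_dbi=2.0, rx_sens_dbm=-94.0,
                   freq_mhz=2437.0):
    """Range for several receiver antenna gains with the AP side held fixed.

    Defaults are assumed values: a 100 mW AP with a 2 dBi antenna on channel 6
    and a receiver sensitivity of -94 dBm at the lowest 802.11b rate.
    Returns {(rx_gain_dbi, exponent): range_m}.
    """
    table = {}
    for rx_gain in (2.0, 9.0, 24.0):   # built-in omni, small panel, large directional
        for exponent in (2.0, 3.0):
            table[(rx_gain, exponent)] = max_range_m(
                tx_dbm, tx_gain_dbi, rx_gain, rx_sens_dbm, freq_mhz, exponent)
    return table


if __name__ == "__main__":
    for (gain, n), r in sorted(exposure_table().items()):
        print(f"receiver antenna {gain:4.0f} dBi, path-loss exponent {n}: "
              f"about {r:8.0f} m")
```

Because both terms sit in the same budget, every 10 dB of receiver gain multiplies the range by 10^(10/(10n)), regardless of how low the AP's transmit power is set.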

2.1.3.2 Spread Spectrum

The development of spread-spectrum communications technology has been claimed to alleviate the vulnerabilities of standard RF transmission: unlike narrowband systems, which transmit a powerful signal on a single frequency, spread-spectrum systems transmit a low-power signal over a broad range of frequencies. The signal is spread according to pre-established parameters or patterns that must also be known by the receiver so that it can recover the signal. This transmission technique provides more resistance to noise and interference and is less vulnerable to jamming and casual interception. In the case of WLANs, the hardware must know the signal-spreading parameters in order to receive a spread-spectrum signal, so these parameters are pre-programmed into the hardware chipsets used to build these products. Although these chipsets were intended to be built into standalone WLAN AP and workstation hardware, it was inevitable that tools and methods would be developed for exploiting these pre-programmed receivers to intercept spread-spectrum WLAN communications. Many such tools are freely available on the Internet, and therefore none of the spread-spectrum technologies should be considered sufficient to secure a WLAN.

Several signal-spreading schemes have been developed but the methods that prevail in the WLAN domain are:

1. Frequency Hopping Spread Spectrum (FHSS)

2. Direct Sequence Spread Spectrum (DSSS) and

3. Orthogonal Frequency Division Multiplexing (OFDM)


FHSS and DSSS are the original spread-spectrum technologies employed in 802.11 WLANs. The concept of expanding spectral use through frequency hopping is fairly self-explanatory; DSSS is based on the mathematical principle of convolution and provides a greater data throughput and a higher immunity to interference than FHSS. OFDM is a multi-carrier wideband modulation scheme introduced in the 802.11g revision and provides even greater data throughput and is much more resistant to interference than the previous schemes. 802.11n introduces OFDM+MIMO, which continues to use the same 2.4 GHz frequency band and basic modulation scheme of OFDM, but adds techniques for using multiple transmitters and receivers while taking into account temporal and spatial characterization of the RF environment. This effectively increases the available bandwidth using a practice known as “channel bonding” (combining multiple adjacent channels into one large channel) to further increase range and throughput.
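As an added illustration (not from the original publication), the following toy model spreads bits with the 11-chip Barker sequence that 802.11b uses for its 1 and 2 Mbps rates and despreads them by correlation; the baseband representation, the interference model (a constant offset on every sample) and the payload are all constructed. It shows both why any compliant receiver recovers the signal (the chip sequence is a public constant of the standard, not a secret) and the roughly elevenfold tolerance to a narrowband interferer that the spreading buys.

```python
# Toy model of the direct-sequence spreading used by 802.11b at 1 and 2 Mbps.
# Added example for this edit; it is not code from the CSEC publication.
# Baseband is modelled as a list of real-valued samples (one per chip); the
# carrier, pulse shaping and receiver filtering are omitted.

# 11-chip Barker sequence specified by IEEE 802.11 for the DSSS PHY.
BARKER_11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]


def spread(bits, code=BARKER_11):
    """Map each bit to +1/-1 and multiply it by every chip of the code."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * c for c in code)
    return chips


def despread(samples, code=BARKER_11):
    """Correlate each code-length block with the code; the sign gives the bit.

    The correlator output for a clean block is +/-len(code), so the wanted
    signal is gained by the code length while uncorrelated interference is not.
    """
    n = len(code)
    bits = []
    for start in range(0, len(samples) - n + 1, n):
        corr = sum(samples[start + j] * code[j] for j in range(n))
        bits.append(1 if corr > 0 else 0)
    return bits


def add_interference(samples, amplitude):
    """Constructed narrowband interferer: a constant offset on every sample."""
    return [s + amplitude for s in samples]


def bit_errors(sent, received):
    """Number of positions where the recovered bits differ from those sent."""
    return sum(1 for a, b in zip(sent, received) if a != b)


def unspread_link_errors(bits, amplitude):
    """Errors on a link that sends one +1/-1 sample per bit with no spreading."""
    received = [1 if (1 if b else -1) + amplitude > 0 else 0 for b in bits]
    return bit_errors(bits, received)


def spread_link_errors(bits, amplitude, code=BARKER_11):
    """Errors on the Barker-spread link under the same interferer."""
    samples = add_interference(spread(bits, code), amplitude)
    return bit_errors(bits, despread(samples, code))


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed test pattern
    # The constant interferer correlates with sum(BARKER_11) == 1, so it must
    # exceed 11 (the code length) before the spread link fails, against 1 for
    # the unspread link.
    for amplitude in (0.5, 1.5, 5.0, 12.0):
        print(f"interferer {amplitude:4.1f}: unspread errors="
              f"{unspread_link_errors(payload, amplitude)}, "
              f"spread errors={spread_link_errors(payload, amplitude)}")
```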

2.2 Architecture

2.2.1 General

There are five forms of wireless network architectures currently allowed in the overall 802.11 standard: Ad-Hoc Mode, Infrastructure Mode, Distribution System Mode, Wireless Distribution System mode and Wireless Mesh.

2.2.2 Ad Hoc Mode

In the ad-hoc mode, as illustrated in Figure 1, wireless devices create a LAN by communicating freely and directly with each other without a centralized base station. This architecture is also referred to as the peer-to-peer network or the Independent Basic Service Set (IBSS). This network structure is easy to implement as it requires no infrastructure and minimal administration but the transfer of information is limited to the propagation range of the transmitting device.

Figure 1 - WLAN in Ad Hoc Mode


2.2.3 Infrastructure Mode

In the more commonly used infrastructure mode, the network is built around a central base station, or Access Point (AP). The information transmitted by the originating device is received by the AP and routed to the proper destination. As illustrated in Figure 2, the AP is physically connected to the wired LAN’s backbone and it provides the communication link between the wireless client devices and any of the wired network devices. The AP also functions as a radio relay capable of forwarding information to/from wireless devices that are too distant to communicate directly with each other. The infrastructure mode is referred to as the Basic Service Set (BSS).

Figure 2 - WLAN in Infrastructure Mode

2.2.4 Distribution System Mode

The distribution system mode is also referred to as Extended Service Set (ESS) mode. In the distribution system mode, multiple APs are connected to the wired network by a switching or bridging device, enabling a WLAN client to roam between APs, thus providing greater range and mobility. Roaming capability is also provided to mobile users. Note that the roaming capability requires special AP support and may not be available on all brands/models of AP. Additionally, the inter-AP communication required to support wireless roaming is not covered by the 802.11 standard as it is a higher layer protocol and most manufacturers either do not implement this feature or utilize a proprietary protocol; thus in general, roaming between different brands of AP is not possible, even though they may be connected to the same network.

In an 802.11 WLAN system operating in distribution mode, as a user moves around and out of range of an AP, the user’s mobile device will re-associate with the next AP in the extended set. Therefore it will remain “connected” to the network and able to start and receive new connections on the new AP. However, without dedicated AP roaming support, any existing open network sessions on the old AP will generally not follow the user to the new AP (unless the particular application in use by the user has its own roaming capability). This LAN structure is more complex and in the case of RF-based wireless devices, requires careful frequency or channel management so that APs do not interfere with each other.


Figure 3 - WLAN in Distribution System Mode

2.2.5 Wireless Distribution System Mode

In the Wireless Distribution System (WDS) mode, a wireless link is used to interconnect multiple APs, allowing the wireless network to be expanded without the need for wired infrastructure. The reduction in wired infrastructure allowed by WDS comes at the expense of throughput. Because each AP must re-broadcast any received WDS traffic in a “repeater”-like fashion, wireless throughput is cut approximately in half for each hop that a message must travel over, so that wireless clients at the end of a long string of WDS-connected APs may see very poor throughput. Additionally, like the wireless roaming functionality discussed previously, WDS requires Layer 3 and 4 interaction to manage the routing and this aspect is not standardized under 802.11, which deals primarily with Layers 1 and 2, and thus WDS may be incompatible between different brands of AP. Finally, in WDS, all APs in the chain must share the same radio channel and security keys, therefore dynamically assigned encryption keys (e.g. enterprise WPA/WPA2) are generally not supported over a WDS connection.

Figure 4 - WLAN in Wireless Distribution System Mode

2.2.6 Wireless Mesh Networks

Wireless mesh networks combine features of ad-hoc wireless networks with those of infrastructure wireless networks in wireless distribution system mode. The result is a robust wireless infrastructure network that may be deployed with minimal wiring and cabling costs and is no longer confined to a local area, but normally extends to Metropolitan Area Network (MAN) or Wide Area Network (WAN) scales.

Wireless mesh network products have previously been released under proprietary standards, but have begun to converge under the banner of the Wi-Mesh Alliance and the proposed 802.11s standard. This standard allows both wireless mesh ad-hoc networks and wireless mesh infrastructure networks and defines the routing protocols needed to make the system work. Security for the proposed standard includes the definition of 802.11i, but adds enhancements to deal with re-keying and authentication issues in this architecture.

Figure 5 - WLAN in Wireless Mesh Mode

2.3 WLAN Standards

Wireless networking technology has matured through the development of proprietary systems by various manufacturers. In the absence of formal standards, many manufacturers introduced their own; however, most of these proprietary systems have since been superseded by systems based on the various IEEE standards. Table 1 identifies some of the leading and competing standards and lists some of their specifications and intended applications. The products offered under most of these proprietary standards are not interoperable. Another issue is the opportunity for interference among the products of different manufacturers, causing a reduction in data throughput. Because many standards use the same unlicensed frequency band, spread-spectrum technology cannot completely eliminate the possibility of packet collisions.

In addition to the standards described in the table, still other wireless networking standards are in use. These standards are unrelated to 802.11 and are intended to meet different needs; they include standards for Wireless USB (IEEE 802.15.3), ZigBee industrial control (802.15.4) and WiMAX wireless metropolitan area networks (802.16e).


Table 1 – Key WLAN Standards

| Standard | Frequency | RF Technology | Max Transfer Rate | Typical Outdoor Range | Security | Encryption | Fixed network support | Applications |
|---|---|---|---|---|---|---|---|---|
| IEEE 802.11 | 2.4 GHz | FHSS or DSSS | 2 Mbps | 100 metres | Wired Equivalent Privacy (WEP) | 40-bit RC4 | Ethernet | Wireless Data |
| 802.11b | 2.4 GHz | DSSS | 11 Mbps | 150 metres | WEP + optional WiFi Protected Access (WPA) | up to 104-bit RC4 (WEP), 128-bit RC4 w/ TKIP key scheduling (WPA) | Ethernet | Wireless Data |
| 802.11a | 5 GHz | OFDM | 54 Mbps | 120 metres | WEP + optional WPA | up to 104-bit RC4 (WEP), 128-bit RC4 w/ TKIP key scheduling (WPA) | Ethernet | Wireless Data |
| 802.11g | 2.4 GHz | OFDM | 54 Mbps | 150 metres | WEP / WPA / 802.11i (WPA2) | up to 104-bit RC4 (WEP), 128-bit RC4 w/ TKIP key scheduling (WPA), 128-bit AES (WPA2) | Ethernet | Wireless Data |
| 802.11n (Draft 2.0) | 2.4 GHz | OFDM+MIMO | 248 Mbps | 250 metres | WEP / WPA / 802.11i (WPA2) | up to 104-bit RC4 (WEP), 128-bit RC4 w/ TKIP key scheduling (WPA), 128-bit AES (WPA2) | Ethernet | Wireless Multimedia |
| HiperLAN (ETSI) | 2.4 GHz | Single carrier | 23 Mbps | 100 metres | NAI/IEEE address/X.509 | DES, 3DES | Ethernet | Wireless Data |
| HiperLAN/2 (ETSI) | 5 GHz | Single carrier | up to 54 Mbps | 100 metres | NAI/IEEE address/X.509 | DES, 3DES | Ethernet, IP, ATM, UMTS, FireWire, PPP | Wireless Data |
| HomeRF | 2.4 GHz | FHSS | 1.6 Mbps | 50 metres |  | 128-bit | Ethernet | Wireless Data, Wireless Voice |
| IEEE 802.15.1 Bluetooth | 2.4 GHz | FHSS | 1 Mbps | 10 metres | Optional challenge-response using secret key (Bluetooth 1.0-2.0), Elliptic Curve Diffie-Hellman (Bluetooth 2.1) | 128-bit E0 Cipher, 128-bit SAFER+, ECDH (in version 2.1 and later) | PPP, Ethernet | Cable Replacement, Wireless Data, Wireless Voice |


2.4 IEEE 802.11 Standards

2.4.1 Background

In 1985, the U.S. Federal Communications Commission (FCC) decided to open the Industrial, Scientific, and Medical (ISM) bands, operating at 902 to 928 MHz, 2.4 to 2.483 GHz, and 5.725 to 5.875 GHz, for unlicensed public use. This not only fulfilled a demand for commercial communication, but it also sparked the development of WLAN technology. The Institute of Electrical and Electronics Engineers (IEEE) established the 802.11 WLAN standard [1] in 1997 in an attempt to standardize wireless LAN products utilizing the ISM band. This standard has since been adopted by the International Organization for Standardization / International Electrotechnical Commission (ISO/IEC).

The IEEE 802.11 core specification addresses both the Physical (PHY) and Data Link layers of the Open Systems Interconnection (OSI) Basic reference model. The legacy standard proposed three (mutually incompatible) implementations for the physical layer: IR pulse modulation, RF signaling using FHSS, and RF signaling using DSSS. The most obvious difference between the WLAN and the traditional wired LAN is the physical medium for data transmission; there is no physical wiring required for the 802.11 network.

The IEEE 802.11 standard has several key amendments. Products compliant to the 802.11a, b and g amendments are in common use today, with an increasing number of products based on the “Draft 2.0” release of 802.11n. Key specifications for each of these amendments can be found in Table 1.

Historically, the first successful commercial 802.11 WLAN products were compliant with the 802.11b standard. Both the 802.11a and b amendments were actually adopted at the same time, but because 802.11b was less complex than 802.11a, products compliant with the 802.11b standard rapidly materialized, while products under 802.11a only reached the market in 2002. Since that time, the 802.11g amendment, which utilizes the same 2.4 GHz band as 802.11b but delivers faster and more robust connections as well as greater range, has come to dominate the market. Although, in terms of number of units sold, 802.11b products still comprise the majority of the global WLAN market, sales of 802.11g products are poised to surpass this.

2.4.2 IEEE 802.11 Task Groups/Amendments

2.4.2.1 General

Core standard 802.11 WLANs based on IR transport were never commercially implemented and the RF-based versions suffered from low transmission speed (2 Mbps). The IEEE later established several task groups to explore various improvements to the original 802.11 core standard.


2.4.2.2 802.11a Amendment

Task Group A explored the unlicensed 5.0 GHz frequency band, using Orthogonal Frequency Division Multiplexing (OFDM), working to achieve throughputs up to 54 Mbps. The 802.11a extension [2] was completed in 1999 and in 2002 vendors began releasing products compliant with this extension. Because of the different operating band and modulation, the 802.11a standard is not backward compatible or interoperable with the 802.11b standard. Several vendors market dual-band, multi-standard (802.11a and 802.11b/g) APs. 802.11a is currently licensed for use in North America and most European countries; however, commercial use of 802.11a has historically been quite limited.

Recently, 802.11a has enjoyed somewhat of a resurgence in popularity due to the development of enterprise mesh infrastructure networks. In such networks, 802.11a is used for communications between APs, and 802.11b/g is used for communications between AP and wireless clients.

2.4.2.3 802.11b Amendment

Task Group B explored DSSS technology to boost data rates in the original 2.4 GHz band. The 802.11b extension [3], published in September 1999, delivers raw data rates up to 11 Mbps, which gave data rate parity with the popular 10 Mbps “10Base” wired LAN systems of the day. The majority of WLAN systems in the market today follow the 802.11b standard and it is accepted throughout North America, Europe and Asia.

2.4.2.4 802.11g Amendment

Task Group G approved the development of the new extension to the 802.11 standard in November 2001; the resultant amendment was approved in 2003. 802.11g operates at 2.4 GHz with mandatory compatibility with 802.11b and uses the OFDM multicarrier modulation scheme to achieve a maximum data rate of 54 Mbps.

2.4.2.5 802.11n Amendment

Task Group N is currently engaged in the development of the higher data rate extensions to the 802.11 standard. As with 802.11b and g, the 802.11n standard will operate at 2.4 GHz with mandatory compatibility with 802.11b/g and uses OFDM with MIMO techniques to achieve a maximum projected data rate of 248 Mbps. As described earlier in this document, OFDM+MIMO utilizes the same basic modulation as 802.11g. However, it utilizes multiple transceivers with advanced techniques to compensate for both the spatial and temporal variations of the RF channel, as well as the practice of “channel bonding”, in order to greatly increase the range and raw data rate. 802.11n is still in the draft stage, with final approval expected in 2010; however, many “Pre-N” or “Draft-N” products have already begun emerging on the market. Consumers are cautioned when purchasing such products because, as draft-based products, they are not subject to the same interoperability testing as fully standard-compliant products. As such, they are not guaranteed to be compatible with, and may not be upgradeable to, the finalized release of the standard.

2.4.2.6 802.11i Amendment

Unlike the previously listed amendments, 802.11i is not focused on RF technologies, frequencies and data rates. Instead, Task Group I was tasked with addressing the security vulnerabilities in the existing WEP security. Although work on 802.11i began in 2000, it was not ratified until 2004. Recognizing a need to improve 802.11 WLAN security sooner rather than later, in 2001 the Wi-Fi Alliance developed an interim improved security standard based on a draft of 802.11i. This interim release was dubbed Wi-Fi Protected Access (WPA) and turned out to be largely compatible with the finalized 802.11i, which was subsequently given the name Wi-Fi Protected Access version 2 (WPA2). This is the name by which 802.11i is commonly known today.

WPA2 improves on the basic WEP security framework in several ways. Firstly, it adds improved authentication: all authentication schemes allowed under the Extensible Authentication Protocol (EAP), defined by RFC 3748, are supported by 802.11i; however, most commercial products support only a limited number of modes, namely enterprise authentication using a RADIUS server and the pre-shared key mechanism carried over from WEP. Secondly, it significantly improves the strength of the cryptographic algorithms: 128-bit AES-CCMP is used as the encryption algorithm in WPA2, which provides a substantial security margin over the RC4, CRC-32 and “Michael” algorithms used previously in WEP and WPA.

While WPA2/802.11i has addressed the majority of WEP deficiencies, one surprising criticism levelled at WPA2 was its use of AES encryption, which although very strong, also significantly increased the processing requirements, which many devices utilizing slower microprocessors were unable to fulfill. As a result, there still exist many devices on the market which only implement the interim WPA standard with its reduced processing requirements and somewhat weaker security.

2.4.2.7 Other 802.11 Extensions

There are many other 802.11 extensions dealing with various aspects of WLANs in progress or being planned. For example, 802.11e addresses wireless quality of service (QoS) concerns, 802.11p and 802.11r address mobility use and roaming, 802.11s deals with ad-hoc mesh networks, 802.11w is a proposed security-related amendment intended to address the remaining issue of network management frames being transmitted without protection or encryption, and 802.11y proposes to extend the use of 802.11 into the 3.7 GHz frequency band. A full list of 802.11 amendments and working groups is available on the IEEE web site.

2.5 Wi-Fi™ Interoperability Standard

2.5.1 Wireless Ethernet Compatibility Alliance (WECA) and the Wi-Fi Alliance

Manufacturers often include proprietary features that render their products incompatible with those of other companies. To address this concern, several manufacturers founded WECA in 1999. WECA defined a test suite [5] to ensure interoperability of 802.11b products and correct implementation of WEP. This was soon expanded to include interoperability suites for 802.11g and WPA. In 2002, WECA changed its name to the Wi-Fi Alliance, and at the time of writing, the Wi-Fi Alliance has over 320 industry and affiliate members.

Products that pass these tests are deemed to be Wi-Fi (Wireless Fidelity) compliant and are permitted to display the logo. The popular backing of Wi-Fi™ has enabled the 802.11b/g family of products to dominate the WLAN market.

Although often used interchangeably in the media, the terms 802.11 and Wi-Fi™ are not synonymous. The IEEE 802.11 standard contains amendments dealing with all aspects of WLANs, and the 802.11a/b/g/n amendments in particular are PHY and Medium Access Control (MAC) layer specifications, whereas Wi-Fi™ is only an interoperability certification for 802.11a/b/g products. Originally, Wi-Fi was intended to refer only to 2.4 GHz interoperable products, and a Wi-Fi5™ designation was created for certifying 5 GHz band 802.11a WLAN products; however, with the increasing prevalence of dual-band products supporting both 2.4 GHz and 5 GHz standards, the certification was unified into a single Wi-Fi certification. At the time of writing, the following mandatory aspects are covered:

1. Radio standards for 802.11a, b, g, including multi-band support

2. Security implementation: WEP, WPA, WPA2

3. Authentication implementation: EAP

The Wi-Fi Alliance also offers optional certification programs for:

1. Product interoperability for 802.11n Draft 2.0

2. Validation of “easy setup” security features

3. Multimedia-over-Wi-Fi features

4. Low-Power Wi-Fi for multimedia applications

5. Combined Wi-Fi + cellular devices (this certification is mandatory for combined devices seeking CTIA certification)

It is important to note that although products may be Wi-Fi certified, this only refers to operation within the strictures of the specific 802.11 standards. Devices may still contain non-standard, proprietary operating modes which are not covered by the Wi-Fi interoperability requirements (e.g., the “enhanced” 104 Mbps data rate of many commercial 802.11 devices is not compliant with the official 802.11 standards; such modes are generally NOT compatible or interoperable between vendors and, indeed, may employ practices that actually interfere with proper operation of strictly standards-compliant devices located within common transmission range). Users are further cautioned to check for compliance with Industry Canada regulations before utilizing these non-standard modes, as some non-standard modes of operation are known to interfere with operation of other 802.11-based networks in the vicinity.

3 Security Mechanisms

3.1 General

With any network, security is an important consideration. Unauthorized access can result in sensitive information disclosure, data modification, denial of service and illicit use of resources. Once an unauthorized user has gained access to the network, monitoring of the now unprotected data can lead to user names and passwords being intercepted, which can then be used for further attacks. WLANs are subject to all the security issues normally faced with conventional wired LANs, but additionally, they suffer from vulnerabilities directly associated with the use of wireless connectivity. The nature of the wireless medium makes it practically impossible to confine the radio signals to a controlled area. These radiated signals are subject to clandestine interception and exploitation. In a traditional wired LAN environment, the physical security of the workplace provides some protection for the LAN as the users need to physically connect wires to the network to access its resources. In a WLAN environment, this protection is no longer enough since a wireless network can be accessed remotely from a distance without the need for a physical connection: anyone using compatible wireless equipment can potentially access the LAN.

To mitigate these security concerns, encryption is used in an attempt to make the signal unusable by unauthorized parties if intercepted. However, as in most commercial products, ease-of-use for the consumer is the primary concern. To this day, the majority of 802.11 WLAN products typically have all encryption options and security features turned off by default or, where they are enabled, devices will typically use the simplest and weakest encryption scheme available.

3.2 Access Control

3.2.1 General

Access control is a fundamental requirement for any sensitive network. However, the access control mechanisms specified in the IEEE 802.11 standard are weak. The following two mechanisms, although often promoted as security features, are intended more as an interference prevention measure rather than access control measures.

3.2.2 Service Set Identifier (SSID)

APs send out beacon messages to announce their presence and operating parameters to clients. The SSID is part of this beacon message that declares the AP’s identity to the network. A client looking for a specific network to join would scan for this SSID and when the network is discovered, the authentication process begins. By turning off the broadcast of this SSID, clients would not be able to automatically identify and associate with the AP, but would instead require pre-knowledge of the SSID. Unfortunately, this mechanism fails as a security feature because although the SSID is no longer broadcast on the beacon, it is still sent out in other network management traffic, which can be sniffed by an attacker.


3.2.3 MAC Address Access Control List (ACL)

Some vendors implement a MAC Address (i.e., Ethernet address) filter or ACL to prevent unauthorized access to an AP. MAC addresses of authorized clients are entered and stored in a list internal to the AP, and only clients with MAC addresses matching this list are allowed access to the AP (alternately, certain MAC addresses may be blocked instead). This is similarly ineffective as a security measure because all traffic sent over the network contains the MAC address in the unencrypted header. Therefore, by capturing just a single packet and examining its header, an attacker can determine a legitimate MAC address and program his device with this address. Further, the process of manually maintaining a list of all permitted MAC addresses is time-consuming and error-prone, making it only practical for small and fairly static networks.
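To make the two points above concrete, here is an added example (not part of the CSEC publication) that parses constructed 802.11 management frames: it reads the source and BSSID addresses from the MAC header, which is never encrypted (3.2.3), and flags access points whose beacons carry an empty SSID element but whose probe responses or clients' association requests still name the network (3.2.2). The frame bytes, the addresses and the SSID "CorpWLAN" are constructed for illustration.

```python
"""Parse constructed 802.11 management frames: addresses come from the
unencrypted MAC header; a "hidden" SSID still shows up in non-beacon frames."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Management-frame subtypes (frame-control type 0) handled here, and the length
# of the fixed fields that precede their tagged elements (beacon/probe-resp:
# timestamp 8 + interval 2 + capability 2; assoc-req: capability 2 + listen 2).
SUBTYPE_NAMES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}
FIXED_BODY_LEN = {0: 4, 4: 0, 5: 12, 8: 12}
IE_SSID = 0  # element ID of the SSID information element
BROADCAST = b"\xff" * 6
AP_BSSID = bytes.fromhex("001122334455")  # constructed, not a real device
CLIENT = bytes.fromhex("66778899aabb")    # constructed, not a real device


@dataclass
class MgmtFrame:
    subtype: str
    da: str     # address 1: destination
    sa: str     # address 2: source / transmitter
    bssid: str  # address 3: BSSID in every management frame
    ssid: Optional[str]  # None = no SSID element; "" = hidden (empty or all-NUL)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ie(element_id: int, data: bytes) -> bytes:
    """Encode one tagged element: ID, one-byte length, payload."""
    return bytes([element_id, len(data)]) + data


def build_mgmt_frame(subtype: int, da: bytes, sa: bytes, bssid: bytes, elements: bytes) -> bytes:
    """24-byte MAC header, zeroed fixed fields, then the tagged elements."""
    frame_control = subtype << 4  # protocol version 0, type 0 (management)
    header = struct.pack("<HH6s6s6sH", frame_control, 0, da, sa, bssid, 0)
    return header + b"\x00" * FIXED_BODY_LEN[subtype] + elements


def parse_elements(body: bytes) -> Dict[int, bytes]:
    """Walk the tagged elements; a length running past the body is malformed."""
    elements: Dict[int, bytes] = {}
    offset = 0
    while offset + 2 <= len(body):
        element_id, length = body[offset], body[offset + 1]
        payload = body[offset + 2:offset + 2 + length]
        if len(payload) != length:
            raise ValueError(f"element {element_id} truncated")
        elements[element_id] = payload
        offset += 2 + length
    if offset != len(body):
        raise ValueError("trailing bytes after last element")
    return elements


def parse_mgmt_frame(frame: bytes) -> MgmtFrame:
    """Header fields are plaintext in every frame; WEP/WPA encrypt only the body."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 MAC header")
    fc, _duration, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPE_NAMES:
        raise ValueError(f"unsupported frame type {ftype}/subtype {subtype}")
    elements = parse_elements(frame[24 + FIXED_BODY_LEN[subtype]:])
    ssid: Optional[str] = None
    if IE_SSID in elements:
        raw = elements[IE_SSID]
        # A hidden SSID is sent as a zero-length element or as NUL padding.
        ssid = "" if raw.strip(b"\x00") == b"" else raw.decode("utf-8", errors="replace")
    return MgmtFrame(SUBTYPE_NAMES[subtype], mac_str(a1), mac_str(a2), mac_str(a3), ssid)


def audit_hidden_ssids(frames: List[bytes]) -> Dict[str, str]:
    """BSSIDs whose beacons hide the SSID but whose probe responses, or the
    clients' association requests, carry it in the clear anyway."""
    hidden = set()
    revealed: Dict[str, str] = {}
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f.subtype == "beacon" and f.ssid == "":
            hidden.add(f.bssid)
        elif f.subtype in ("probe-resp", "assoc-req") and f.ssid:
            revealed[f.bssid] = f.ssid
    return {b: revealed[b] for b in hidden if b in revealed}


# Constructed capture: two beacons with SSID broadcast disabled (both encodings),
# then a probe response and an association request that name the network anyway.
RATES = ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))  # supported rates, filler
CHANNEL = ie(3, b"\x06")                          # DS parameter set, filler
SAMPLE_FRAMES = [
    build_mgmt_frame(8, BROADCAST, AP_BSSID, AP_BSSID, ie(IE_SSID, b"") + RATES + CHANNEL),
    build_mgmt_frame(8, BROADCAST, AP_BSSID, AP_BSSID, ie(IE_SSID, b"\x00" * 8) + RATES + CHANNEL),
    build_mgmt_frame(5, CLIENT, AP_BSSID, AP_BSSID, ie(IE_SSID, b"CorpWLAN") + RATES + CHANNEL),
    build_mgmt_frame(0, AP_BSSID, CLIENT, AP_BSSID, ie(IE_SSID, b"CorpWLAN") + RATES),
]

if __name__ == "__main__":
    print("hidden SSIDs named elsewhere:", audit_hidden_ssids(SAMPLE_FRAMES))
```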

3.3 Authentication Services

3.3.1 General

Unlike wired LANs, WLANs transmit over a medium without physical bounds. The IEEE 802.11 standard provides access control via the authentication service. All wireless devices use an authentication mechanism to establish their identity prior to association. Association of wireless devices is established only if the authentication is accepted. Authentication can be performed between two devices or between a device and an AP. The IEEE 802.11 core standard defines two types of authentication methods: Open System and Shared Key. The Wi-Fi Alliance’s WPA standard and the 802.11i/WPA2 standards add additional authentication modes and IEEE 802.1X authentication using the Extensible Authentication Protocol (EAP) is also supported as an optional extension to all native authentication modes.

It is important to note that the native authentication methods authenticate the devices; they do not authenticate the users of the devices. Further, in an infrastructure configuration, authentication is not mutual. Only the wireless client device must prove its identity; the AP is implicitly trusted and there is no way for a client to verify that an AP is legitimate. The use of additional 802.1X authentication can be used to address these issues but requires the use of a dedicated RADIUS or other authentication server and associated infrastructure to support the additional authentication layer.

3.3.2 Open System Authentication

The Open System provides identification only and is essentially a “null” authentication. A client requesting access to an AP simply sends its MAC address to the AP, and the AP replies with an authentication verification message: any client that requests authentication with this algorithm will be authenticated. This mode of authentication is implemented where ease-of-use is the primary concern or when security is not an issue for a network administrator. It is important to note that Open System authentication is the default setting in many 802.11 WLAN devices.

The 802.11 standard allows for the use of WEP encryption even with open system authentication; in this case, both devices must share a WEP key, but unlike the “Shared Key Authentication” described in the next section, the key is not used for authentication, only for encryption. In this mode, a client is authenticated using open system authentication and then both ends immediately begin WEP-encrypted communications. This mode is actually considered somewhat more secure than shared key authentication because key-related information is not exchanged over the air.

3.3.3 Shared Key Authentication

Shared Key authentication is a feature of the original 802.11 standard and can only be used if the legacy wireless security features of the device are enabled. It does not apply when WPA or WPA2/802.11i is in use, where a similar but somewhat stronger “Pre-Shared Key” scheme is available.

In this mode, the secret shared key is manually distributed and configured on all participating stations. The Shared Key authentication process follows a challenge-response scheme where the encryption/decryption is performed using WEP’s RC4 Pseudo-Random Number Generator (PRNG) to validate the challenge-response. After a “success” message is received, the link is considered authenticated. Note that the 802.11 standard also allows for shared key authentication without link encryption, but virtually all consumer 802.11 WLAN devices will turn on link encryption by default if shared-key authentication is used.

The Shared Key authentication method was intended to provide a greater degree of security compared to the Open System authentication; however, weaknesses in the WEP encryption used in the challenge-response scheme can allow the key to be easily recovered if this exchange is intercepted by an attacker. As well, it must be noted again that this authentication only confirms the identity of the hardware, not that of the user. Therefore, individuals gaining unauthorized access to wireless devices registered for use on a network can potentially gain access to the network. Because of this, the previously described method of using Open System Authentication with WEP encryption is actually the preferred mode of operation if no stronger authentication and encryption measures (e.g. WPA/WPA2) are available. However, adequate user authentication is also essential no matter which mode is chosen.

802.11 does not specify any key management processes or mechanisms, therefore ensuring the security of Shared Keys is the responsibility of the user. As with any passphrase-based system, strong passphrases should be chosen to minimize the possibility of password guessing, and should be changed regularly.

3.3.4 802.1X Authentication

Both the WPA and the WPA2/IEEE 802.11i amendment specify the mandatory use of another standard, IEEE 802.1X, for network authentication. 802.1X is an Ethernet standard (IEEE 802.1 family; it is not wireless LAN specific) that provides a framework for authentication, on top of which various methods (such as passwords, smart cards, certificates, etc.) can be used to verify identity. 802.1X works at the MAC layer to restrict network access to authorized entities. Network connectivity is provided through the concept of ports, each of which represents an association between a client station and an access point. Further, the standard specifies three entities involved in the authentication transaction: the supplicant, the authenticator and the authentication server. A supplicant (wireless client) is an entity that desires to use a service offered via a port on the authenticator (wireless access point). On a typical network, there may be many ports available through which a supplicant may authenticate for service. The authentication server is the entity that verifies the identity of the supplicant that was submitted to the authenticator, and directs the authenticator to allow access if the verification was successful.

The IEEE 802.1X standard utilizes the Extensible Authentication Protocol (EAP) to permit a variety of authentication mechanisms to be used. Like the legacy Shared Key authentication, EAP is based on a challenge-response scheme, utilizing four distinct message types: EAP Request, EAP Response, EAP Success and EAP Failure. EAP is considered “extensible” because these messages may be used to encapsulate virtually any authentication mechanism, although in practice only a limited set of protocols is supported by commercial WLAN equipment. In EAP-based authentication, the EAP Request message is initially sent to a supplicant, indicating a challenge to which the supplicant responds with the EAP Response message. Depending on the specific authentication method used, this challenge-response exchange may be repeated several times and in both directions (allowing mutual authentication to take place) to exchange authentication data until either an EAP Success or EAP Failure is sent to allow or deny the connection request.

Use of 802.1X authentication has the potential to greatly increase the security of any LAN installation, especially since the authentication method can be geared towards individual user authentication rather than device authentication, an approach recommended wherever possible. Note, however, that in most cases a network utilizing 802.1X authentication requires the installation of dedicated infrastructure in the form of the authentication server (RADIUS server). Additionally, even when using server-based authentication, it is important to select a method that addresses the necessary security requirements, as not all EAP methods are created equal. Methods are available that integrate with a PKI infrastructure, two-factor authentication using tokens, etc.; however, most devices support at least the EAP-TLS method based on the Transport Layer Security (TLS) protocol.
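The three-party exchange just described, as an added toy model (not code from the publication): the authenticator relays EAP Request/Response messages between supplicant and authentication server and opens its controlled port only when the server returns EAP Success. The identity request, the two-round HMAC-SHA256 challenge-response (one round per direction, so the exchange runs both ways as the text describes), the user "alice" and her secret are constructed stand-ins for a real EAP method.

```python
"""Toy IEEE 802.1X exchange: supplicant, authenticator (relays EAP, gates
its port) and authentication server (decides). The two-round HMAC-SHA256
challenge-response is a constructed stand-in, not a real EAP method."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # the four EAP codes
CODE_NAMES = {REQUEST: "Request", RESPONSE: "Response", SUCCESS: "Success", FAILURE: "Failure"}
USERS = {"alice": b"constructed-secret-for-alice"}  # constructed credential store


@dataclass
class Eap:
    code: int
    identifier: int
    data: bytes = b""


def proof(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Supplicant:
    """Wireless client: holds one identity and its secret."""
    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret
        self.my_challenge = secrets.token_bytes(16)

    def handle(self, req: Eap) -> Optional[Eap]:
        if req.data == b"identity?":
            return Eap(RESPONSE, req.identifier, self.identity.encode())
        if req.data.startswith(b"chal:"):
            # Answer the server's challenge and send our own for the reverse direction.
            answer = proof(self.secret, req.data[5:])
            return Eap(RESPONSE, req.identifier, answer + self.my_challenge)
        if req.data.startswith(b"proof:"):
            if not hmac.compare_digest(req.data[6:], proof(self.secret, self.my_challenge)):
                return None  # server could not prove it knows the secret: abort
            return Eap(RESPONSE, req.identifier, b"ack")
        return None


class AuthServer:
    """RADIUS-style back end: holds the credentials and decides the outcome."""
    def __init__(self, users: Dict[str, bytes]):
        self.users = users
        self.secret: Optional[bytes] = None
        self.challenge = secrets.token_bytes(16)
        self.stage = 0

    def start(self) -> Eap:
        return Eap(REQUEST, 1, b"identity?")

    def handle(self, resp: Eap) -> Eap:
        ident = resp.identifier + 1
        if self.stage == 0:
            self.secret = self.users.get(resp.data.decode("utf-8", errors="replace"))
            self.stage = 1
            # Challenge unknown identities too, so the reply does not reveal valid names.
            return Eap(REQUEST, ident, b"chal:" + self.challenge)
        if self.stage == 1:
            answer, client_challenge = resp.data[:32], resp.data[32:]
            if self.secret is None or not hmac.compare_digest(answer, proof(self.secret, self.challenge)):
                return Eap(FAILURE, ident)
            self.stage = 2
            return Eap(REQUEST, ident, b"proof:" + proof(self.secret, client_challenge))
        if self.stage == 2 and resp.data == b"ack":
            return Eap(SUCCESS, ident)
        return Eap(FAILURE, ident)


class Authenticator:
    """Access point: relays EAP and opens its controlled port only on Success.
    It never handles the secret; the decision is the server's."""
    def __init__(self, server: AuthServer):
        self.server = server
        self.port_authorized = False
        self.transcript: List[str] = []

    def run(self, supplicant: Supplicant) -> bool:
        msg = self.server.start()
        while msg.code == REQUEST:
            self.transcript.append(f"server -> supplicant: EAP Request #{msg.identifier}")
            reply = supplicant.handle(msg)
            if reply is None:
                self.transcript.append("supplicant aborted; port stays unauthorized")
                return False
            self.transcript.append(f"supplicant -> server: EAP Response #{reply.identifier}")
            msg = self.server.handle(reply)
        self.transcript.append(f"server -> supplicant: EAP {CODE_NAMES[msg.code]}")
        self.port_authorized = msg.code == SUCCESS
        return self.port_authorized


def authenticate(users: Dict[str, bytes], identity: str, secret: bytes) -> Authenticator:
    ap = Authenticator(AuthServer(users))
    ap.run(Supplicant(identity, secret))
    return ap


if __name__ == "__main__":
    for who, key in (("alice", USERS["alice"]), ("alice", b"wrong"), ("mallory", b"x")):
        ap = authenticate(USERS, who, key)
        print(who, "port authorized" if ap.port_authorized else "port blocked", ap.transcript)
```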

As described earlier, both WPA and WPA2/802.11i implement a Pre-Shared Key authentication scheme that does not require an external authentication server and is intended for home or small network use. Like the legacy Shared Key authentication, it relies on a challenge-response derived from a shared key in order to authenticate a device. The PSK mechanism uses a “4-way handshake” based on 802.1X exchanges and is much stronger than the legacy RC4-based challenge-response; however, it is still vulnerable to attack if a weak passphrase is chosen. Additionally, the PSK mode of authentication suffers from the same issues as the legacy mechanism, namely those of key management and device vs. user authentication.


3.4 Data Confidentiality and WEP/WPA/802.11i/WPA2

3.4.1 General

The IEEE 802.11 core standard specifies an optional data confidentiality mechanism using the WEP protocol. It is intended to provide protection for a WLAN from casual unauthorized eavesdropping and to ensure data integrity. Since its release, the WEP protocol has been proven to exhibit many weaknesses, resulting in the development of stronger security and data confidentiality measures. As documented earlier, IEEE 802.11 working group I was formed to tackle this task. Due to the long process, the Wi-Fi Alliance released an interim standard known as Wi-Fi Protected Access (WPA) which was based on an early draft of the eventual 802.11i standard content. Because the two improved security standards turned out to be largely compatible, 802.11i was also adopted by the Wi-Fi Alliance and came to be known as Wi-Fi Protected Access version 2 (WPA2). Although WEP/WPA/WPA2 are strictly optional within the 802.11 standard, they are requirements for Wi-Fi™ compliance certification.

3.4.2 Wired Equivalent Privacy (WEP) Protocol

3.4.2.1 Properties of WEP Protocol

WEP employs the RC4 PRNG algorithm by RSA Data Security, Inc. RC4 is a stream cipher algorithm developed in 1987 by Ronald Rivest. The RC4 algorithm uses a variable sized symmetric key independent of the plaintext to produce the ciphertext. The WEP protocol was designed to be:

a. Reasonably strong (difficult to break through brute-force attack);
b. Self-synchronizing (WEP is self-synchronizing for each message);
c. Computationally efficient (may be implemented in hardware or software);
d. Exportable to all countries; and
e. Optional in use (however, implementation is required for an 802.11 Wi-Fi™ compliant product).

3.4.2.2 WEP Operation Theory

The RC4 stream cipher operates by expanding a seed, consisting of a public 24-bit Initialization Vector (IV) concatenated with the secret pre-shared key (generally the same key used for the authentication stage), into an arbitrarily long keystream of pseudo-random bits. Encryption is achieved by performing an exclusive OR (XOR) operation between the keystream and the plaintext to produce the ciphertext. Decryption is done by generating the identical keystream from the IV and secret key and XORing it with the ciphertext to recover the plaintext. Details of the WEP operation can be found in the IEEE 802.11 standard [1].

Many 802.11b vendors produce products that support 40-bit and 104-bit WEP. Some vendors refer to the 40-bit version as “64-bit WEP” and the 104-bit variant as “128-bit WEP”. This discrepancy comes from the fact that although the 40-bit secret key and 24-bit IV are concatenated to make up 64 bits, the 24-bit IV is sent in the clear, thereby reducing the effective length to only 40 bits. Similarly, 128-bit WEP is actually 104 bits of secret key plus the 24-bit IV. Several 802.11a vendors have added more non-standard WEP lengths; for example, one popular brand of 802.11 appliance features a 152-bit or “True-128-bit” WEP which consists of a 24-bit IV and a full 128-bit key, and another brand offers “256-bit WEP” (in this case, only 232-bit due to the IV). Readers are cautioned that such modes require matched hardware and software at both the AP and the wireless client in order to function, and due to weaknesses in the WEP algorithm, these longer key lengths are not considered any more secure than the basic version. Only 40-bit WEP is specified in the 802.11b standard and the Wi-Fi™ requirements. The other WEP lengths are uncertified industry add-ons that may or may not be well implemented from a security perspective.

Theoretical weaknesses in WEP were pointed out by Walker [8, 7] as far back as 2000, and the first practical attacks against WEP appeared in 2001 [9], demonstrating that WEP is not a robust protection mechanism. WEP suffers from important weaknesses that can provide opportunities for disclosure of information, unauthorized access to the network and denial-of-service attacks. Because of these vulnerabilities, WEP is ineffective as a primary security measure and the use of WEP is not recommended for the protection of any Government of Canada data. It is imperative that older equipment which does not support stronger security than WEP be replaced or upgraded.

3.4.3 Wi-Fi Protected Access (WPA)

The Wi-Fi Protected Access (WPA) system was created by the Wi-Fi Alliance in an attempt to address the security vulnerabilities in WEP. WPA was an intermediate measure to take the place of WEP while the official 802.11i standards were being developed. WPA was in fact based on an early draft of the 802.11i standard, with key frame information elements intentionally changed to avoid the possibility of conflicts between WPA and the eventual 802.11i release.

The goals of WPA were largely the same as for WEP; improved security was the main objective, but the new scheme had to be supported on the existing hardware base. To do this, RC4 was retained as the data stream cipher due to its low processing requirements, but “wrapped” to cover the insecurities of WEP.

Several major improvements were made in WPA to improve security. A full 128-bit secret key and a larger 48-bit initialization vector (IV) were used; separate individual keys are used in each direction as well as for integrity validation, and a new key scheduling process known as the Temporal Key Integrity Protocol (TKIP) was added. TKIP continuously and dynamically changes these keys as the system operates and, combined with the longer IV, defeats the key recovery vulnerabilities present in WEP.

Related to TKIP, key security was improved in two ways. Firstly, when the Pre-Shared Key mode is in use, the practice of using the shared key and public IV directly as a master encryption key (the same key used for all operations in both upstream and downstream directions), as was done in WEP, was eliminated. Instead, in WPA, a Pairwise Master Key (PMK, which, in this mode, is the same as the shared key) is combined with other data exchanged during authentication in a procedure known as the 4-Way Handshake, to derive a session-specific Pairwise Transient Key (PTK) which in turn drives the TKIP dynamic key generation (as well as key generation for other related WPA services). Note, however, that this does not solve any of the PSK distribution and management issues with using this mode of operation. Secondly, where an 802.1X authentication server is used, the server will generate a random PMK instead of using a fixed key, further improving security.

In addition to authentication and encryption changes, WPA also improved the security around message integrity. The weak 32-bit cyclic redundancy check (CRC32) used in WEP was replaced by a somewhat stronger, key-based message integrity code (MIC) and also a frame counter to prevent replay attacks. Although better than the CRC32 at error detection, the MIC algorithm (called “Michael”) used in WPA is still considered cryptographically weak since it, like the CRC32, is an invertible algorithm that was designed to be able to run on older hardware platforms with limited processor capacity. WPA therefore also implements a MIC spoofing countermeasure which is supposed to disable the wireless connection for one minute if more than two frames that fail the MIC integrity check are detected in a one minute interval. Unfortunately, because the system is wireless and subject to RF interference, the occasional noisy frame can still pass all the simpler integrity checks and trigger the MIC check, causing a shutdown of the network; intentional denial-of-service attackers can also take advantage of this mechanism. For this reason, some commercial devices may not implement this countermeasure or allow it to be turned off, which somewhat increases the risk of a spoofing attack, but improves overall network robustness.

3.4.4 IEEE 802.11i/Wi-Fi Protected Access version 2 (WPA2)

The official IEEE-endorsed security improvement standard, 802.11i, was not ratified until 2004; being backward compatible with the interim WPA standard, it also came to be known as WPA2. As of 2006, all commercial products that wish to be Wi-Fi certified must support WPA2 security measures.

WPA2 continues to support the simple Pre-Shared Key (PSK) mode of operation which can complicate key management and distribution issues if there is even a moderate population of wireless users. As with WPA, 802.1X Extensible Authentication Protocol (EAP) is supported; however the Wi-Fi Alliance now requires validation for a wider range of 802.1X EAP methods under WPA2 in its certification program.

Of primary significance in WPA2 is the introduction of an AES-based encryption algorithm known as CCMP or “Counter-mode with CBC-MAC Protocol”, which is a cipher-block chaining mode of 128-bit AES with integrated message integrity checking (64-bit MAC), as well as a counter for protection against packet replay attacks.

Note that the WPA2 definition still supports the old RC4/TKIP/Michael mechanisms for backwards compatibility, but when CCMP encryption is enabled, it completely replaces these older mechanisms with much stronger ones and addresses the weaknesses in many of the WPA mechanisms: CCMP is now used to strengthen the authentication and key exchange phases, and the weak Michael algorithm is superseded by the integral CBC-MAC in CCMP. These and other measures introduced in WPA2 comprise the new 802.11i Robust Security Network (RSN) architecture, which largely addresses the flaws in previous wireless network standards. It should be noted for Government of Canada users that AES-CCMP is a GC-approved mechanism for securing up to Protected B data, and if the use of WLAN is supported by an appropriate threat-risk assessment, use of WPA2 is mandatory for GC WLANs (in the USA, NIST similarly requires the use of CCMP for securing Federal agencies’ IEEE 802.11-based WLANs) [21].

Finally, WPA2 optionally allows the use of another AES-based encryption mechanism called WRAP (Wireless Robust Authenticated Protocol). This was the original mechanism chosen by the 802.11i committee, and uses AES in the OCB (Offset Code Book) mode, which is considered slightly stronger than the CCMP mode. However, it was abandoned in favour of the CCMP mode due to intellectual property issues and the possibility of incurring licensing fees.


4 Vulnerabilities

4.1 Access Control Vulnerabilities

4.1.1 General

The 802.11 standard does not adequately address access control. The following two features offer limited forms of access control.

4.1.2 SSID

The SSID is used for identifying the network, not as a security measure. Unfortunately, the SSID is often mistaken for a form of password protection. The SSID contained in the beacon frame is always sent in plaintext, regardless of whether the WEP option is deployed. Any wireless client, malicious or not, can listen for this beacon to obtain the SSID and bypass this low-level access control.

4.1.3 MAC Address Access Control List (ACL)

Some 802.11 vendors offer a MAC Address ACL feature that provides minimal access control by limiting access to only authorized wireless cards. Unfortunately, the packets containing the MAC addresses are sent in clear text and the entries on the ACL can be easily obtained through traffic monitoring. An unauthorized user can spoof these MAC addresses and try to gain access to the AP. Most of the time, the AP has the factory configuration for the administrator username and password. When the unauthorized user has accessed the AP, the configuration of the AP can be changed.

4.2 Authentication Mechanism Vulnerabilities

4.2.1 General

The authentication mechanism defined in 802.11 is used to bring the wireless link up to the assumed physical standards of a wired link. There are vulnerabilities present in both the design and the implementation of the service.

4.2.2 Shared Key Authentication Flaw

The Shared Key authentication mechanism is used before an association is allowed. During the challenge-response sequence, both the plaintext challenge and the encrypted challenge are transmitted. This is a potential security vulnerability since it allows for discovery of the key and the IV pair used for the authentication sequence. The 802.11 standard recommends avoiding using the same key and IV pair for the next frame transmitted but there is no guarantee that implementations follow this recommendation. For this reason, as noted earlier in this document, using Open System Authentication along with WEP is generally considered more secure as key-related information is not transmitted.


4.2.3 802.1X/EAP Vulnerabilities

First introduced in WPA, the 802.1X framework has the potential to greatly improve the authentication capabilities of 802.11 wireless networks. Ironically, the authentication protocol specified by 802.1X is vulnerable to attack primarily due to its inability to authenticate its own messages. Because of this flaw, EAP messages may be forged in a man-in-the-middle scenario, potentially allowing an attacker to bypass an authentication mechanism or to hijack an 802.11 session. [20]

4.3 WEP Vulnerabilities

4.3.1 General

Numerous reports and articles [6,7,8,9,10,11] have been published about the security vulnerabilities of the implementation of WEP. These reports focus on the minimal security offered by the WEP protocol, in particular, the following weaknesses:

a. High probability of key re-use due to the short IV (on a busy network, IV re-use occurs often enough that the hacker may obtain the key in minutes to hours);
b. Weak message authentication due to the short key length used; and
c. Lack of a key management specification.

4.3.2 Keystream Re-use

Based on the use of a relatively short 24-bit IV, it is highly likely that over a short period of time on an active wireless network, the IV will be re-used. This could facilitate an attack on the system to recover the plaintext [7]. This vulnerability exists regardless whether 64-bit or 128-bit WEP is used.
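As an added example (not from the publication), the WEP encapsulation of Section 3.4.2.2 and the IV re-use problem described above, in Python: RC4 seeded with IV || key, the CRC-32 ICV appended before encryption, and a check that shows the keystream cancelling out when two frames share an IV. Key and frame contents are constructed values; `iv_exhaustion_seconds` gives the upper bound on how long a station sending sequential IVs can go before it must repeat one, which is the figure a defender needs when judging "minutes to hours".

```python
import struct
import zlib
from typing import Optional


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) then the generator (PRGA). WEP's seed is
    IV || secret key, so the keystream depends only on those two values."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(plaintext: bytes) -> bytes:
    # WEP integrity check value: CRC-32 of the plaintext, little-endian on the wire.
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 octets, in the clear) | Key ID octet | (plaintext | ICV) XOR keystream."""
    if len(iv) != 3 or len(secret_key) not in (5, 13):
        raise ValueError("IV is 24 bits; standard key sizes are 40 or 104 bits")
    payload = plaintext + _icv(plaintext)
    keystream = rc4_keystream(iv + secret_key, len(payload))
    return iv + b"\x00" + xor_bytes(payload, keystream)


def wep_decapsulate(secret_key: bytes, body: bytes) -> Optional[bytes]:
    """Regenerate the same keystream from the clear IV and the key; reject on ICV mismatch."""
    iv, payload = body[:3], body[4:]
    clear = xor_bytes(payload, rc4_keystream(iv + secret_key, len(payload)))
    plaintext, icv = clear[:-4], clear[-4:]
    return plaintext if icv == _icv(plaintext) else None


def keystream_reuse_check(secret_key: bytes, iv_a: bytes, iv_b: bytes,
                          p1: bytes, p2: bytes) -> bool:
    """True when XORing two encrypted payloads cancels the keystream, i.e. when
    both frames were sent under the same IV.  That is the IV collision the
    passive attack waits for; a 24-bit IV space makes it inevitable."""
    c1 = wep_encapsulate(secret_key, iv_a, p1)[4:]
    c2 = wep_encapsulate(secret_key, iv_b, p2)[4:]
    n = min(len(p1), len(p2))
    return xor_bytes(c1, c2)[:n] == xor_bytes(p1, p2)[:n]


def iv_exhaustion_seconds(frames_per_second: float) -> float:
    """Upper bound on the time until a station using sequential IVs must repeat one."""
    return (1 << 24) / frames_per_second
```

At 500 frames per second the bound is a little over nine hours, and stations that pick IVs at random collide far sooner than that, so no choice of key length changes the outcome; only a per-frame keying scheme such as TKIP or CCMP does.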

4.3.3 Message Integrity

The CRC-32 checksum is used to ensure the integrity of the packets during transmission. It is possible for controlled changes to be made to ciphertext without changing the checksum appended to the message and to inject messages without detection [9].
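The linearity behind this weakness, as an added example that is not part of the publication: CRC-32 over equal-length inputs satisfies crc(a XOR b) = crc(a) XOR crc(b) XOR crc(zeros), so the checksum of a modified message can be adjusted without knowing the key or the plaintext, whereas a keyed MAC (HMAC-SHA256 stands in here for the keyed CBC-MAC that CCMP gives WPA2) cannot be adjusted that way. Message, mask and key are constructed values.

```python
import hashlib
import hmac
import zlib


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_linear(a: bytes, b: bytes) -> bool:
    """For equal-length inputs, crc(a XOR b) == crc(a) XOR crc(b) XOR crc(0...0).
    The constant term comes from CRC-32's initial value and final XOR."""
    return crc32(xor_bytes(a, b)) == crc32(a) ^ crc32(b) ^ crc32(bytes(len(a)))


def adjusted_crc(original_icv: int, delta: bytes) -> int:
    """ICV of (message XOR delta), computed from the old ICV and delta alone.
    Because XOR commutes with the RC4 keystream, the same arithmetic applies to
    a WEP ciphertext, which is why an unkeyed CRC cannot serve as a MIC."""
    return original_icv ^ crc32(delta) ^ crc32(bytes(len(delta)))


def compare_integrity_checks(message: bytes, delta: bytes, mac_key: bytes) -> dict:
    """Apply the same controlled change to a CRC-protected and an HMAC-protected
    message; report which check still verifies without knowledge of the key."""
    modified = xor_bytes(message, delta)

    # Unkeyed CRC-32 ICV (WEP): the adjusted checksum verifies.
    crc_ok = crc32(modified) == adjusted_crc(crc32(message), delta)

    # Keyed, non-linear MAC: without mac_key there is no way to adjust the tag,
    # so the unchanged tag fails against the modified message.
    tag = hmac.new(mac_key, message, hashlib.sha256).digest()
    hmac_ok = hmac.compare_digest(hmac.new(mac_key, modified, hashlib.sha256).digest(), tag)

    return {"crc_accepts_modified_frame": crc_ok, "hmac_accepts_modified_frame": hmac_ok}
```

The defender's takeaway is the second flag: an integrity check that an attacker can recompute without the key is not an integrity check at all, and Michael in WPA only narrowed this gap rather than closing it.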

4.3.4 Key Management

The distributed shared key is the weakest aspect of the system. By using static shared keys, distributed among all the clients as “passwords,” the number of users aware of these keys will grow as the network expands. This creates the following problems:

a. A shared key among many people does not stay secret for long;
b. The manual distribution of a shared key can be time consuming, especially in a large environment with many users. Quite often, this results in the key not being changed as frequently as required; and
c. The frequency of IV re-use increases as the network size expands, which makes it more vulnerable to attack.

4.4 WPA/WPA2 Vulnerabilities

4.4.1 General

WPA and WPA2 have introduced measures designed to address the major vulnerabilities of WEP; however, a few new vulnerabilities were introduced and some vulnerabilities remain, particularly in WPA because of the requirement for backwards compatibility and low compute requirements.

4.4.2 Key Management

Although 802.1X authentication support was made mandatory in WPA/WPA2, its use requires an external authentication server, and so the user is given the option to use a simple pre-shared key mechanism like that of WEP. Unfortunately, as with WEP, the pre-shared key authentication mechanism for both WPA and WPA2 is vulnerable to key management issues: it is virtually impossible to keep a single shared key secret among a large community, and re-keying and distributing new keys to a large community is likewise difficult.

4.4.3 4-Way Handshake and Weak Passphrase Vulnerability

The Pre-Shared Key mechanism allows the use of security features in WPA/WPA2 in situations where the additional 802.1X infrastructure is not available. As with the shared key in WEP, all users share a common “secret key”. Although the Pre-Shared Key is used as the Pairwise Master Key (PMK) in WPA/WPA2, unlike WEP, the WPA shared key is not used directly as an encryption key, but is instead combined with other session-specific information exchanged during the 4-Way Handshake, to generate a Pairwise Transient Key (PTK), which is in turn used to generate dynamic encryption and message integrity keys.

Although the short key and IV re-use issue has been resolved by this mechanism, a pre-shared key in WPA/WPA2 is now vulnerable to dictionary attacks. By capturing the 4-Way Handshake authentication exchange and using this information along with a dictionary file it is possible to successfully guess the session keys if the Pre-Shared Key is one of the words in the dictionary; if the shared key is short or very simple, it may even be found through a brute-force search. A successful dictionary attack can lead to two scenarios: recovered session keys can be used to eavesdrop on or disrupt an ongoing session, or the recovered PSK can be used to initiate a new session and allow unauthorized use of the network resources. If this mechanism must be used, it is imperative that a long, non-dictionary passphrase be used to secure the access point.


4.4.4 WPA MIC Spoofing Countermeasure

As described earlier in this document, the Michael MIC algorithm in WPA was chosen for a balance between data integrity, security and reduced processing requirements in order to be supported on existing wireless LAN hardware. Although an improvement over the original CRC32 used in WEP, the Michael algorithm is invertible and its key discoverable and therefore vulnerable to spoofing attacks. To address this vulnerability, designers of the WPA standard implemented a spoofing countermeasure, which terminates the wireless connection for one minute if more than two bad MICs are received in any one minute period. Unfortunately, this countermeasure is in itself a vulnerability because it may be used as a doorway to Denial-of-Service attacks (by deliberately injecting packets with bad MICs), and in noisy RF environments, where packet errors are common, this countermeasure can inadvertently trigger and negatively affect the robustness of the wireless network.

4.5 Configuration Defaults

In order to simplify the initial configuration process, many vendors provide a factory default configuration that provides very little security. For example, some vendors’ factory defaults permit configuration of the AP from the wireless segment, do not implement any security, and use documented default system settings such as IP addresses, administrator password, and SSID.

Many APs also have an easily accessible reset button that will reset the device’s configuration back to these same insecure factory default settings, requiring a degree of physical security/access control to prevent.

Recently, APs have been introduced which do enable security settings, but for simplicity and ease of configuration, many will only use WEP with only a 40-bit key, even though stronger mechanisms may actually be supported by the device.

4.6 Simple Network Management Protocol (SNMP)

Many 802.11 APs support management of the wireless device via SNMP. Often, this feature permits someone to view system and configuration information, and in some cases, allows the capability to update this information. Access to this information is normally restricted by the use of a community string, which is not a password, but simply an identifier given to the SNMP network. Further, this string is usually a well-known value, obtainable by a simple Internet search, or easily guessable (e.g.: “GovernmentofCanada”, “DND”, “DFAIT”).

Exploits September 2008

29

5 Exploits

5.1 Network Discovery and Access Attacks

5.1.1 General

War driving is a term derived from war dialing. War dialing, a technique employed by hackers for many years, is the use of software to automatically and systematically dial telephone numbers to discover vulnerable modems through which a hacker can connect and hack into a network. War driving exploits the same kind of vulnerability as war dialing. A war driving attacker drives around with a portable wireless client looking for unprotected entry points into a wireless network. War driving has become a sport among the hacking community, who regularly update Internet-accessible (e.g. www.wigle.net) maps of wireless access points for communities around the world. In most cases, war driving is about the challenge of discovering a new access point before any other hacker, and illicit access to networks is not performed; however, many commercial and free hacker tools which exploit the vulnerabilities described in this document are available for all 802.11-based wireless networks and can be used by less ethical individuals for network penetration.

5.1.2 Network Discovery

Network discovery tools or network auditing tools are software developed to help network administrators manage and troubleshoot network problems. Most network auditing tools used by network administrators are quite sophisticated and expensive, making them unpopular for war driving use. However, various free discovery software packages are publicly available and very simple to use [13]; they scan for networks and log detailed information, including SSID, AP MAC address, vendor information, signal-to-noise ratio, and whether security features are enabled. A war driver equipped with a network discovery package, an 802.11-enabled notebook, and a Global Positioning System (GPS) receiver can log the exact latitude and longitude of the APs in addition to the information mentioned above.

5.1.3 Network Access via Wireless Router

Most APs sold today also have a router built in, often with Dynamic Host Configuration Protocol (DHCP) services enabled. These wireless routers are particularly vulnerable to bandwidth hijacking attacks. When a wireless router is discovered, an attacker simply requests an IP from the DHCP server, or restarts his network connection and has an IP automatically assigned. If security features are not enabled, the attacker will have complete access to the target network.


5.2 Denial of Service (DoS) Attacks

5.2.1 General

A DoS attack is one of the most easily and widely carried out attacks against computer networks. This type of attack usually entails taking over or overloading network resources, denying normal operation of the target network.

5.2.2 AP Takeover

Many APs utilize SNMP or a web-based interface for configuration and management. If the community/administration password is improperly configured or left in default setting, an intruder can obtain sensitive configuration information from the AP. It may be possible for the intruder to rewrite information to the AP and effectively take ownership of the AP, denying legitimate clients access to the network.

5.2.3 AP Cloning

AP cloning is sometimes referred to as the “Evil Twin” attack. An attacker physically deploys a malicious AP or a laptop equipped with a wireless card and appropriate software and broadcasts the same SSID, but with a higher RF signal strength than the target AP, causing the wireless clients to associate themselves to this rogue AP. Most client cards will, by default, switch over to the more powerful AP to ensure connectivity. Typically, the clients will automatically authenticate with the new AP, thus providing the attacker with a set of valid credentials which can then be used to connect with the real AP. The attacker who controls the malicious AP also has the opportunity to exploit any security weakness that may be present on the client devices falsely associated with the rogue base station. AP cloning is more difficult than simply denying clients access to a base station because it requires the physical deployment of a modified AP or laptop and wireless card that has a more powerful output or is located physically closer than the original AP.

5.2.4 RF Jamming

An RF jamming attack is not the same type of attack as overloading of network resources. Instead of creating spurious data to overwhelm the processing capability of network devices, RF jamming overwhelms the medium used for transmission, in this case, radio waves. An attacker with very simple tools can easily flood the medium for the network (in the case of 802.11b/g/n, the 2.4 GHz radio frequency band) with noise. RF jamming is very effective because it works against all WLAN security safeguards. When noise is injected at the WLAN operating frequency, the signal-to-noise ratio drops below an acceptable level and the network simply ceases to function.


5.3 WEP Protocol Attack

5.3.1 General

The optional WEP algorithm defined in the IEEE 802.11 standard was intended to provide data confidentiality equivalent to that of a basic unprotected wired network. Many reports and articles [10,11,14,15] have been published describing attacks exploiting the various weaknesses and design flaws in the WEP protocol. These attacks are easy to perform using readily available equipment. The attacks apply equally to 40-bit and the 104-bit versions of WEP, as well as other non-standard key length variants.

5.3.2 Passive Attack

Passive attacks exploit the keystream IV re-use weakness caused by the poor implementation of the RC4 algorithm by WEP. An eavesdropper intercepts all wireless traffic, collects packets where IV collisions occur, and performs statistical analysis of these packets to obtain the encryption key. The encryption key can then be used to access the WLAN. Tools that perform this type of attack are freely available on the Internet [15,16].

5.3.3 Active Attacks

A couple of different types of active attacks are possible against an 802.11 WLAN installation. The first type of active attack involves creating or modifying packets for injecting into the network for malicious purposes and requires access to the wired side of the network. Injecting packets in plaintext and then intercepting the encrypted version of this known packet as it is broadcast over the wireless network allows an attacker to extract the keystream used for encryption. Malicious commands or viruses can also be injected into the network using this type of attack.

The other type of active attack is possible entirely from the wireless side of the network. This class, which includes spoofing attacks, man-in-the-middle attacks and packet injection attacks, requires no access to the wired network. For example, an active version of an attack against the IV re-use vulnerability of WEP is possible and involves spoofing and injecting packets onto the wireless network, which results in many packets with different IVs being returned. Because of this property, this active attack can dramatically cut down on the packet collection time required in the passive version of the attack described above and can result in an attacker breaking WEP in seconds or minutes as opposed to hours or days. Similarly, an active attack against the weak CRC integrity check [22] is possible by intercepting an encrypted packet, modifying selected portions of the packet that are not adequately protected by the CRC and replacing them with a guessed value, and re-broadcasting the modified packet. By progressively guessing and replacing various portions of a packet and watching the re-transmission behaviour, it is possible for an attacker to decrypt WEP-encrypted packets without prior knowledge of the key.

Although active attacks can be extremely effective, they are in general more difficult to implement and accomplish than a passive attack and require a more in-depth understanding of both the protocols involved as well as some degree of RF knowledge. In addition, an active attack carries a far greater risk of being detected as packets must be broadcast or injected into the network by the attacker.

5.3.4 Decryption Table Attack

Using the attacks described in previous articles, an attacker can determine multiple keystreams and build a decryption table that could be used to decrypt each packet that uses the same IV. Since the IV is transmitted as plaintext, it would be easy to match an IV to the keystream in the table and decode the message accordingly. The decryption table can further be used to create new packets with known keystreams and create false packets to inject into the network.

Building this table would require the hacker to record only 1500 bytes of the keystream for each of the 2^24 possible IVs, or roughly 24 GB of space [9]. The difficulty level of determining keystreams depends on the size of the IV (24-bit), not the shared key (40-bit). WLANs that use a 104-bit (128-bit) key are more difficult to attack in this way, but they are still vulnerable.

5.4 WPA/WPA2 Attacks

5.4.1 General

The WPA and WPA2 security enhancements to 802.11 greatly improve the security and robustness of wireless networks implementing these measures. Although weaknesses and vulnerabilities still exist, comparatively few practical exploits have been found.

5.4.2 Pre-Shared Key Dictionary Attack

WPA and WPA2 attempt to strengthen security by using multiple keys for all operations; however, in the case where a Pre-Shared Key is used, all these additional keys are derived from the shared key, which can be recovered by dictionary or even brute-force attacks on the second message of the 802.11i 4-Way Handshake process. A number of freely available tools exploit this weakness. Exploitation of the PSK vulnerability is mitigated through the use of 802.1X server-based authentication; however, if the PSK mechanism must be used, a long, non-dictionary passphrase is required.
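As an added example that is not the publication's own material, the key derivation described here and in Section 4.4.3, in Python: the PMK comes from PBKDF2-HMAC-SHA1 over the passphrase and the broadcast SSID, and the PTK from the 802.11i PRF-512 over the PMK, both MAC addresses and both handshake nonces. Everything except the passphrase is visible to an eavesdropper, which is what makes passphrase quality the only defence in PSK mode; `passphrase_policy_issues` is a deployment-time check with a caller-supplied word list and an assumed 20-character minimum (a local policy value, not a figure from the standard). Addresses, nonces, SSIDs and passphrases in the demonstration are constructed.

```python
import hashlib
import hmac
import re
from typing import Iterable, List

PBKDF2_ROUNDS = 4096  # fixed by the WPA/WPA2 PSK definition
MIN_PASSPHRASE_LEN = 20  # assumption: a local policy value, not from the standard


def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    Nothing secret other than the passphrase goes in; the SSID is broadcast."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("PSK passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, PBKDF2_ROUNDS, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512 over the values exchanged in the 4-Way Handshake:
    PTK = PRF(PMK, "Pairwise key expansion",
              min(AA,SPA) | max(AA,SPA) | min(ANonce,SNonce) | max(ANonce,SNonce)).
    KCK = PTK[0:16] protects the handshake, KEK = PTK[16:32] wraps the group key,
    TK = PTK[32:48] encrypts data; TKIP takes its Michael keys from PTK[48:64]."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 160 bits >= 512 bits, then truncate
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def passphrase_policy_issues(passphrase: str, wordlist: Iterable[str]) -> List[str]:
    """Checks an operator can run before deploying a PSK; returns the reasons
    the candidate should be rejected (empty list means it passes)."""
    issues: List[str] = []
    lowered = passphrase.lower()
    words = {w.lower() for w in wordlist}
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        issues.append("shorter than %d characters" % MIN_PASSPHRASE_LEN)
    if lowered in words:
        issues.append("is a dictionary word")
    m = re.fullmatch(r"([a-z]+)[0-9!@#$]{0,4}", lowered)
    if m and m.group(1) in words:
        issues.append("dictionary word with a short suffix")
    classes = sum(bool(re.search(p, passphrase))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append("uses fewer than three character classes")
    return issues


def handshake_keys_are_session_specific() -> bool:
    """Constructed addresses and nonces: one fixed PMK yields a different PTK
    for every handshake (so a captured session cannot simply be replayed), while
    the PMK itself stays as static as the passphrase behind it."""
    pmk = derive_pmk("Sample-Constructed-Passphrase-2009!", b"ConstructedSSID")
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    ptk_1 = derive_ptk(pmk, aa, spa, bytes(range(32)), bytes(range(32, 64)))
    ptk_2 = derive_ptk(pmk, aa, spa, bytes(range(1, 33)), bytes(range(32, 64)))
    return len(ptk_1) == 64 and ptk_1 != ptk_2
```

The fixed 4096-round PBKDF2 cost is the same for the access point and for anyone testing candidates offline, so it slows guessing but does not stop it; that is why the check above rejects dictionary words outright rather than relying on the key stretching.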

5.5 Monitoring and Interception Attacks

5.5.1 General

Monitoring and interception attacks involve passive information gathering. Because the attacker transmits nothing, this type of attack leaves no trace on the network and its danger is not apparent, but it is equally serious and should not be overlooked.


5.5.2 Traffic Sniffing

Once the target wireless network has been identified using network discovery techniques, an attacker can set up to sniff any traffic on it. Modified device drivers allow the attacker's wireless client card to operate in monitor (RFMON, loosely called promiscuous) mode, capturing every 802.11 frame on a channel without associating or transmitting, which makes this passive attack stealthy and untraceable. The only constraint is that the attacker must be within range of the wireless network, and this range can easily be extended to several hundred metres with the use of a directional antenna.

Since the 802.11 frame format is a published standard, captured packets can be analysed to obtain critical information such as the addresses of access points and clients, the SSID and the security mechanism in use. This information can then be used to aid attacks against WEP if that security feature is enabled. Some commercially available products [17,18] perform this analysis in real time as the packets are captured.

5.5.3 Broadcast Monitoring

Unlike a switch, a hub repeats all traffic to all connected devices rather than only to the intended recipient. An AP connected to a hub rather than a switch will therefore receive, and potentially rebroadcast over the air, data packets not intended for any wireless client. This allows an attacker to monitor sensitive traffic from the wired side of the network without ever touching it.

5.5.4 Man-in-the-Middle Attack

Most 802.11 APs act as transparent MAC-layer bridges, which pass Address Resolution Protocol (ARP) packets between the wired and wireless networks. This allows a wireless attacker to mount a man-in-the-middle attack against two machines on the wired network connected to the same switch or hub as the AP [19]: using forged ARP replies, the attacker binds each target's IP address to the attacker's own MAC address in the other target's ARP cache, so that traffic between the two is redirected through the attacker's wireless client before being forwarded to its real destination.
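One detection a practitioner would want on the wired segment behind the AP, as an added Python example (not code from the original publication): a parser for Ethernet/ARP frames and a monitor that flags the two signatures of the attack, an IP address suddenly answered by a different MAC and a single MAC answering for two hosts. The addresses and frames are constructed.

```python
"""ARP-poisoning detector for the man-in-the-middle case described above.
Added example, not part of the original publication. The MAC and IP addresses
and the ARP frames are constructed; a deployment would feed it frames captured
on the wired segment behind the access point.
"""
import struct
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(octet) for octet in s.split("."))


def fmt_mac(b: bytes) -> str:
    return b.hex(":")


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac: bytes, sender_ip: bytes, target_mac: bytes, target_ip: bytes) -> bytes:
    """Ethernet II header followed by an ARP reply (RFC 826 layout, 42 bytes in total)."""
    eth = target_mac + sender_mac + struct.pack(">H", ETHERTYPE_ARP)
    arp = struct.pack(">HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields, or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack_from(">H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from(">HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": frame[6:12], "oper": oper, "sha": frame[22:28],
            "spa": frame[28:32], "tha": frame[32:38], "tpa": frame[38:42]}


class ArpMonitor:
    """Tracks the IP-to-MAC bindings announced in ARP traffic and flags poisoning patterns."""

    def __init__(self) -> None:
        self.ip_to_mac: Dict[bytes, bytes] = {}
        self.mac_to_ips: Dict[bytes, Set[bytes]] = {}

    def process(self, frame: bytes) -> List[Tuple]:
        alerts: List[Tuple] = []
        a = parse_arp(frame)
        if a is None:
            return alerts
        if a["sha"] != a["eth_src"]:          # sender hardware address should match frame source
            alerts.append(("sha-eth-mismatch", fmt_mac(a["sha"]), fmt_mac(a["eth_src"])))
        known = self.ip_to_mac.get(a["spa"])
        if known is not None and known != a["sha"]:   # an IP suddenly answered by a new MAC
            alerts.append(("ip-mac-change", fmt_ip(a["spa"]), fmt_mac(known), fmt_mac(a["sha"])))
        self.ip_to_mac[a["spa"]] = a["sha"]
        ips = self.mac_to_ips.setdefault(a["sha"], set())
        ips.add(a["spa"])
        # One MAC answering for two hosts (gateway and victim) is the MITM signature. Tune or
        # whitelist this for legitimate multi-homed hosts and routers holding several addresses.
        if len(ips) == 2:
            alerts.append(("mac-claims-multiple-ips", fmt_mac(a["sha"]), sorted(fmt_ip(i) for i in ips)))
        return alerts


def demo() -> List[Tuple]:
    gw_mac, gw_ip = mac("00:11:22:33:44:01"), ip("10.0.0.1")          # constructed gateway
    victim_mac, victim_ip = mac("00:11:22:33:44:02"), ip("10.0.0.2")  # constructed wired host
    attacker_mac = mac("00:11:22:33:44:ee")                            # constructed wireless client
    frames = [
        build_arp_reply(gw_mac, gw_ip, victim_mac, victim_ip),        # legitimate
        build_arp_reply(victim_mac, victim_ip, gw_mac, gw_ip),        # legitimate
        build_arp_reply(attacker_mac, gw_ip, victim_mac, victim_ip),  # forged: "I am the gateway"
        build_arp_reply(attacker_mac, victim_ip, gw_mac, gw_ip),      # forged: "I am the victim"
    ]
    monitor = ArpMonitor()
    alerts: List[Tuple] = []
    for frame in frames:
        alerts.extend(monitor.process(frame))
    return alerts
```

The monitor only sees what crosses its capture point, so it belongs on a span or mirror port of the switch the AP is connected to; static ARP entries on the gateway and critical hosts remain the simpler preventive control where the number of hosts allows it.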


6 Solutions

6.1 Overview
The following articles provide some interim guidelines that are essential to achieve some degree of confidence in the secure operation of a WLAN. Solutions for a more secure WLAN environment will be published as they become available. In the meantime, the following measures should be implemented to immediately enhance the security posture of the WLAN:

a. Determine the range of your network coverage and keep it small;
b. Do not broadcast your SSID;
c. Do not use the default SSID;
d. Use WPA2;
e. Use 802.1X server-based authentication;
f. Change the keys frequently;
g. Use a VPN and firewall to further isolate the WLAN;
h. Use a personal firewall on every wireless client; and
i. Consider using Wireless Intrusion Detection/Prevention Systems.

6.2 Determine Range of Your Network Coverage
Use a wireless sniffer, or any laptop with an 802.11 client, to determine how far away from each access point your WLAN is accessible. This gives a good idea of how close an unsophisticated attacker or eavesdropper needs to be to reach your network. Remember that high-gain antennas and/or amplifiers can be used to intercept radio communications from a much greater distance. If the data travelling on your WLAN is extremely valuable or sensitive and could be sought by individuals with access to more sophisticated equipment, take this into account when determining the coverage of your WLAN.

If your WLAN coverage extends into an adjacent public area, a parking lot, or simply farther than you are comfortable with, additional security measures will be needed. Some WLAN devices allow you to change the transmit power level: setting it lower will reduce the coverage range and the risk of unauthorized WLAN access or eavesdropping. Retrofitting the standard omni-directional antennas with antenna reflectors, or replacing them with directional antennas, will focus the RF energy towards the desired coverage areas and away from undesired ones; this is also a very effective and relatively inexpensive means of controlling WLAN coverage. Completely preventing radio transmissions from leaving your building may be possible by employing a Faraday cage1. For highly sensitive information where wireless access is also a requirement, this must be considered. Physical measures of this type are extremely expensive and probably not cost effective in most cases, so the use of strong encryption to protect the information provides a suitable alternative.

1 A grounded "cage" structure that is designed to electrically screen an area. This can also be accomplished through the use of conductive wall, floor and ceiling tiles, or conductive paints. A Faraday cage can be used to screen out emitted signals from information systems and can also be employed to protect against lightning strikes and other high energy emissions.

6.3 Do Not Broadcast Your SSID
The APs from most vendors are set up by default to broadcast the network name, or SSID, of the network. This allows users to see and join the network quickly and easily. Wardrivers are attackers who drive through cities with wireless sniffers to find and log every network that is broadcasting its presence. If wireless security features are not enabled on your WLAN, anyone who can see your network can join it. Most vendors allow you to turn off the SSID broadcast feature. Note that even with broadcasting disabled, the SSID is still sent in the clear in probe and association frames whenever a legitimate client connects, so a passive sniffer recovers it; this is not a complete security solution, but it provides some protection against casual attacks and eavesdropping.

6.4 Do Not Use the Default SSID
Most APs ship with well-known default SSIDs. Using these defaults defeats the purpose of disabling SSID broadcast (because the default SSIDs are well known) and renders the system more vulnerable. Again, this does not represent a complete security solution, but addressing it does provide some protection against casual attacks and eavesdropping.

6.5 Use WPA2
The original wireless security mechanism, WEP, has been shown to be weak and ineffective as a security measure and, given the prevalence of freely available "WEP-cracking" programs, will deter only casual attempts at eavesdropping. The latest WPA2/802.11i security standard is strong (particularly when 802.1X authentication is also used; see the next article), addresses virtually all of the weaknesses of WEP and uses strong AES-based encryption. CSEC recommends that WPA2 be used on all 802.11 wireless networks, particularly where security and privacy are important.

Therefore, only hardware supporting WPA2 wireless security should be considered for new purchases, and older existing equipment which does not support WPA2 should be upgraded or replaced wherever possible.

When security and privacy are paramount, even WPA2 may not be sufficient and other options should be considered. For example, the addition of strong data encryption products such as VPNs would greatly reduce this security risk.


6.6 Use 802.1X Server-based Authentication
Thus far, WPA2 has been found to be a robust security mechanism with comparatively few vulnerabilities; however, it may be strengthened further through the use of 802.1X server-based authentication. Using an external authentication server allows user-based authentication and access control, and integration with existing security mechanisms that may already be in place, including but not limited to smart cards, security tokens, PKI and biometrics.

6.7 Change the Key Frequently
Whenever encryption is used, the encryption key needs to be changed frequently in order to minimize the amount of data that is processed under any one key. This makes it more difficult for an attacker to collect sufficient data to compromise the key, and it reduces the length of time that a compromised key remains useful to an attacker. This also applies to the encryption used in WLAN products: if 802.1X server-based authentication is not available and the Pre-Shared Key mode must be used, it is imperative that the passphrase be changed on a regular basis to ensure the security of the network.

6.8 Use a VPN and Firewall to Isolate the WLAN
In most cases, the coverage of a WLAN extends beyond the physical security boundary of a location. The WLAN should therefore be treated as a hostile network, just as the Internet is. A network firewall should separate the internal wired LAN from the WLAN access points and all wireless clients. A VPN, Secure Shell (SSH) tunnelling and other end-to-end encryption are appropriate supplemental measures to protect traffic on the WLAN and between the WLAN and the wired LAN.

6.9 Use a Personal Firewall on Every Wireless Client
Wireless clients are very exposed and require protection in the form of personal firewalls that filter both incoming and outgoing traffic. Some of these products can also provide enhanced authentication capabilities.

6.10 Consider Wireless Intrusion Detection/Prevention Systems
Wireless Intrusion Detection System (WIDS) and Wireless Intrusion Prevention System (WIPS) products are now available to complement the intrusion detection systems designed for wired infrastructure. These systems use sensors, in the form of specialized wireless receivers, to monitor a coverage area for attempts by unauthorized clients to access the protected network. Additionally, the system monitors for rogue access points, misconfigured access points, use of ad-hoc network connections, attempts at MAC address spoofing and attempts to launch denial-of-service attacks. By placing many sensors in the coverage area, a WIDS may even determine the physical location of an intruder by triangulation and, for example, plot this location on a building map. Wireless Intrusion Prevention products may also feature active defences against unauthorized access: some of these systems can transmit specially crafted packets which prevent an unauthorized client from gaining access to a network, disable a rogue or misconfigured access point, or even prevent some forms of wireless denial-of-service. Note, however, that these crafted packets are often not compliant with the 802.11 standard, and testing should be done before enabling active intrusion prevention features to ensure that there is no blocking of, or interference with, legitimate traffic and devices.
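The kind of logic a WIDS sensor runs over captured frames, as an added Python example (not code from the original publication or from any named WIDS product) that also serves the traffic-sniffing article above: a minimal 802.11 management-frame parser, then three checks on beacons (unknown BSSID, no RSN/WPA2, PSK rather than 802.1X) and a sliding-window count of deauthentication frames per source. All BSSIDs, SSIDs, frames and timestamps are constructed, and the window and threshold are assumptions to be tuned per site.

```python
"""802.11 management-frame parser with WIDS checks: rogue or misconfigured access
points (from beacons) and deauthentication floods. Added example, not part of the
original publication and not the logic of any named WIDS product. All frames,
BSSIDs, SSIDs and timestamps are constructed.
"""
import struct
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

BROADCAST = b"\xff" * 6
TYPE_MGMT, SUBTYPE_BEACON, SUBTYPE_DEAUTH = 0, 8, 12
IE_SSID, IE_RSN = 0, 48
CAP_PRIVACY = 0x0010
AKM_NAMES = {1: "802.1X", 2: "PSK"}

def rsn_ie(akm: int) -> bytes:
    """Constructed RSN IE body: CCMP group and pairwise ciphers, one AKM suite of type akm."""
    return bytes.fromhex("0100000fac040100000fac040100000fac") + bytes([akm, 0, 0])

def build_mgmt(subtype: int, da: bytes, sa: bytes, bssid: bytes, body: bytes) -> bytes:
    fc = (TYPE_MGMT << 2) | (subtype << 4)                   # version 0, no flags
    return struct.pack("<HH", fc, 0) + da + sa + bssid + struct.pack("<H", 0) + body

def build_beacon(bssid: bytes, ssid: bytes, privacy: bool, akm: Optional[int]) -> bytes:
    body = struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)  # timestamp, interval, cap
    body += bytes([IE_SSID, len(ssid)]) + ssid
    if akm is not None:
        body += bytes([IE_RSN, len(rsn_ie(akm))]) + rsn_ie(akm)
    return build_mgmt(SUBTYPE_BEACON, BROADCAST, bssid, bssid, body)

def build_deauth(bssid: bytes, station: bytes, reason: int = 7) -> bytes:
    """A deauth as the AP would send it (sa == bssid); an attacker forges exactly this."""
    return build_mgmt(SUBTYPE_DEAUTH, station, bssid, bssid, struct.pack("<H", reason))

def parse_mgmt(frame: bytes) -> Optional[dict]:
    """Decode the 24-byte header of a management frame; None for data/control frames."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != TYPE_MGMT:
        return None
    return {"subtype": (fc >> 4) & 0xF, "da": frame[4:10], "sa": frame[10:16],
            "bssid": frame[16:22], "body": frame[24:]}

def parse_ies(body: bytes, offset: int) -> Dict[int, bytes]:
    ies: Dict[int, bytes] = {}
    while offset + 2 <= len(body):
        eid, elen = body[offset], body[offset + 1]
        ies[eid] = body[offset + 2:offset + 2 + elen]
        offset += 2 + elen
    return ies

class Wids:
    """Sensor logic over (timestamp, frame) records; each distinct alert is reported once."""
    def __init__(self, authorized: Set[bytes], window: float = 1.0, threshold: int = 10):
        self.authorized, self.window, self.threshold = authorized, window, threshold
        self.deauths: Dict[bytes, Deque[float]] = defaultdict(deque)
        self.reported: Set[Tuple] = set()

    def process(self, ts: float, frame: bytes) -> List[Tuple]:
        m, alert = parse_mgmt(frame), None
        if m is None:
            return []
        if m["subtype"] == SUBTYPE_BEACON and len(m["body"]) >= 12:
            cap = struct.unpack_from("<H", m["body"], 10)[0]
            ies = parse_ies(m["body"], 12)
            ssid = ies.get(IE_SSID, b"").decode(errors="replace") or "<hidden>"
            bssid = m["bssid"].hex(":")
            if m["bssid"] not in self.authorized:        # covers evil twins using our SSID
                alert = ("rogue-ap", bssid, ssid)
            elif IE_RSN not in ies or not cap & CAP_PRIVACY:
                alert = ("ap-without-wpa2", bssid, ssid)
            else:
                akm = ies[IE_RSN][17] if len(ies[IE_RSN]) > 17 else 0
                if AKM_NAMES.get(akm) != "802.1X":
                    alert = ("ap-not-using-802.1x", bssid, AKM_NAMES.get(akm, str(akm)))
        elif m["subtype"] == SUBTYPE_DEAUTH:
            q = self.deauths[m["sa"]]                    # timestamps assumed non-decreasing
            q.append(ts)
            while ts - q[0] > self.window:
                q.popleft()
            if len(q) >= self.threshold:
                alert = ("deauth-flood", m["sa"].hex(":"), m["bssid"].hex(":"))
        if alert is None or alert in self.reported:
            return []
        self.reported.add(alert)
        return [alert]

def demo() -> List[Tuple]:
    ap1, ap2, ap3 = (bytes.fromhex(h) for h in ("001122aabb01", "001122aabb02", "001122aabb03"))
    rogue, laptop = bytes.fromhex("deadbeef0001"), bytes.fromhex("66778899aabb")
    wids = Wids(authorized={ap1, ap2, ap3})
    records = [
        (0.00, build_beacon(ap1, b"corp-wlan", True, 1)),        # WPA2 with 802.1X: fine
        (0.10, build_beacon(ap2, b"corp-wlan", False, None)),    # authorized but left open
        (0.15, build_beacon(ap3, b"corp-wlan", True, 2)),        # WPA2-PSK instead of 802.1X
        (0.20, build_beacon(rogue, b"corp-wlan", False, None)),  # evil twin with our SSID
    ]
    records += [(0.5 + i * 0.01, build_deauth(ap1, laptop)) for i in range(25)]  # spoofed flood
    records.append((5.0, build_deauth(ap2, laptop)))             # a single deauth: below threshold
    alerts: List[Tuple] = []
    for ts, frame in records:
        alerts.extend(wids.process(ts, frame))
    return alerts
```

Beacon-based checks cannot see a rogue that does not beacon, and a deauthentication flood sent with a spoofed source address carries the address being spoofed, so the alert names the claimed source (here the legitimate AP), not the attacker; locating the real transmitter is what the multi-sensor triangulation described above is for.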


7 Future Work CSEC continues to research solutions that will mitigate the vulnerabilities associated with WLANs, and will release updates to this publication whenever new pertinent information becomes available. CSEC is in the process of developing a recommendation for secure-WLAN architecture for the GC which will further mitigate risks.

In the meantime, GC departments may contact CSEC client services to obtain current advice and recommendations regarding security of WLANs: [email protected] or (613) 991-7654.


8 Conclusions and Recommendations
Unlike wired LANs, a WLAN exists on a medium without physical bounds. With a WLAN, transmitted data is broadcast over the air using radio waves that can be received by any WLAN client in the area served by the transmitter. Because radio waves travel through ceilings, floors and walls, transmitted data may reach unintended recipients on other floors and even outside the transmitter's building. This creates major security concerns as a side effect of the mobility and convenience a WLAN offers.

The latest revisions to the IEEE 802.11 standard specify an improved security mechanism, 802.11i or WPA2, for authentication and data confidentiality. This mechanism offers strong AES-based encryption and supports virtually any authentication scheme via 802.1X. When a strong authentication method is chosen, 802.11i/WPA2 addresses the weaknesses of, and supersedes, all previous security mechanisms, including WEP and WPA. Based on these findings, CSEC recommends that the WPA2 security mechanism be enabled for all GC 802.11-based WLANs, and that older hardware be upgraded or replaced with devices that support WPA2. In cases where older hardware cannot be immediately upgraded or replaced, the strongest security mechanism available (WPA if possible, WEP if not) should be enabled according to the guidelines documented here, and supplemental security measures such as VPNs must also be implemented to mitigate the risks associated with the weak security mechanisms in the wireless hardware.

Note, however, that even the strengthened measures in WPA2 are strictly intended only to protect a WLAN against casual unauthorized eavesdropping and to ensure data integrity. Because many aspects of WPA2 are optional or require additional external components for the strongest security, these features can be disabled; indeed, in most out-of-the-box "plug-and-play" deployments of WLAN hardware, very weak default security settings are the norm, and all an unauthorized user needs in order to observe wireless traffic, or even to join a corporate network, is the SSID, which is easily discovered with readily available hardware and software tools. Additionally, because it is difficult to devise a single solution that addresses all of the complex security issues faced by the WLAN standard, WPA2 should not be considered adequate protection for privacy in situations where particularly sensitive information may be transmitted over wireless networks. In such situations supplemental security measures must be considered.


9 References
[1] “International Standard ISO/IEC 8802-11:1999(E); ANSI/IEEE Std 802.11, 1999 Edition; IEEE Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications.” International Organization for Standardization, International Electrotechnical Commission, and The Institute of Electrical and Electronics Engineers, 1999.

[2] “IEEE Std 802.11a-1999 (Supplement to ANSI/IEEE Std 802.11-1999), Supplement to International Standard ISO/IEC 8802-11:1999(E); ANSI/IEEE Std 802.11, 1999 Edition; IEEE Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Higher-Speed Physical Layer Extension in the 5 GHz Band,” International Organization for Standardization, International Electrotechnical Commission, and The Institute of Electrical and Electronics Engineers, 1999.

[3] “IEEE Std 802.11b-1999 (Supplement to ANSI/IEEE Std 802.11-1999), Supplement to International Standard ISO/IEC 8802-11:1999(E); ANSI/IEEE Std 802.11, 1999 Edition; IEEE Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Higher-Speed Physical Layer Extension in the 2.4 GHz Band,” International Organization for Standardization, International Electrotechnical Commission, and The Institute of Electrical and Electronics Engineers, 1999.

[4] “Wi-Fi: The Standard for Wireless Fidelity,” Wireless Ethernet Compatibility Alliance (WECA) Ltd. [Online]. Available: http://www.wirelessethernet.org

[5] “Wi-Fi System Interoperability Test Plan, Version 1.0,” Wireless Ethernet Compatibility Alliance, February 2000. [Online]. Available: http://www.wirelessethernet.org

[6] W. A. Arbaugh, N. Shankar, and Y.J. Wan, “Your 802.11 wireless network has no clothes,” University of Maryland, College Park, Maryland, March 2001. [Online]. Available: http://www.cs.umd.edu/~waa/wireless.pdf

[7] J. R. Walker, “Unsafe at any key size: An analysis of the WEP encapsulation,” Intel Corp., Hillsboro, OR, October 2000. Doc.: IEEE 802.11-00/362. [Online]. Available: http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/0-362.zip

[8] J. R. Walker, “Overview of 802.11 Security,” Intel Corp., Hillsboro, OR, March 2000. Doc.: IEEE 802.15-01/154. [Online]. Available: http://grouper.ieee.org/groups/802/15/pub/2001/Mar01/01154r0P802-15_TG3-Overview-of-802-11-Security.ppt

[9] N. Borisov, I. Goldberg, and D. Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11,” UC Berkeley. Presented at the Seventh Annual International Conference on Mobile Computing and Networking, July 2001. [Online]. Available: http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf

[10] W. A. Arbaugh, “An inductive chosen plaintext attack against WEP/WEP2,” University of Maryland, College Park, Maryland, May 2001. Doc.: IEEE 802.11-01/230r1. [Online]. Available: http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/1-230.zip

[11] S. Fluhrer, I. Mantin, A. Shamir, “Weakness in the Key Scheduling Algorithm of RC4.” Eighth Annual Workshop on Selected Areas in Cryptography, August 2001.

[12] “Network Stumbler,” software. [Online]. Available: http://www.netstumbler.com

[13] A. Stubblefield, J. Ioannidis, A.D. Rubin, “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP,” Rice University, AT&T Labs, August 2001. AT&T Tech. Report TD-4ZCPZZ. [Online]. Available: http://www.cs.rice.edu/~astubble/

[14] N. Borisov, I. Goldberg, and D. Wagner, “(In)Security of the WEP algorithm,” UC Berkeley. [Online]. Available: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

[15] “AirSnort,” software. [Online]. Available: http://airsnort.sourceforge.net

[16] “WEPCrack,” software. [Online]. Available: http://wepcrack.sourceforge.net

[17] “Sniffer Wireless Pro,” software. [Online]. Available: http://www.sniffer.com

[18] “AiroPeek,” software. [Online]. Available: http://www.wildpackets.com

[19] B. Fleck, J. Dimov, “Wireless Access Points and ARP Poisoning: Wireless vulnerabilities that expose the wired network,” Cigital, Inc. [Online]. Available: http://www.cigitallabs.com/resources/papers/download/arppoison.pdf

[20] A. Mishra, W. Arbaugh, “An Initial Analysis of the IEEE 802.1X Standard”, February 2002.

[21] “Establishing Wireless Robust Security Networks- A Guide to IEEE 802.11i”, NIST Publication Number 800-97, Feb 2007.

[22] G. Lehembre, “Wi-Fi Security – WEP, WPA and WPA2,” hakin9.org newsletter, June 2005.

