Mario Čagalj
University of Split
2013/2014.
FELK 19: Security of Wireless Networks*
WiFi (In)Security – 2nd part
Assembled from different sources: Walker, Lehembre, Buttyan, ...
Produced by Mario Čagalj

Introduction: IEEE 802.11i
We have seen that WEP is critically flawed
IEEE 802.11i defined to properly secure wireless LANs (2004)
  Specifies robust security mechanisms for WLANs
Defines Transition Security Network (TSN)
  Called WiFi-Protected Access (WPA) by WiFi-Alliance
  Based on “new” TKIP (that uses “old” RC4 like WEP)
  Backward compatibility (with old RC4-only hardware)
  IEEE 802.1X authentication framework
More importantly defines a Robust Security Network (RSN)
  Called WiFi-Protected Access 2 (WPA2) by WiFi-Alliance
  Based on AES and optionally TKIP
  Also uses IEEE 802.1X authentication framework

Transition towards IEEE 802.11i
                                   | IEEE 802.11b (WEP)        | WPA                                 | IEEE 802.11i (WPA2)
Data confidentiality (encryption)  | WEP (RC4)                 | TKIP (RC4)                          | AES (TKIP optional)
Data integrity                     | WEP (RC4) + CRC           | TKIP-MIC                            | AES-MAC (TKIP-MIC optional)
Authentication and access control  | Shared Key Authentication | IEEE 802.1X/EAP (+ EAP-TLS, LEAP…)  | IEEE 802.1X/EAP (+ EAP-TLS, LEAP…)
TKIP: Temporal Key Integrity Protocol
AES: Advanced Encryption Standard
MIC: Message Integrity Code
MAC: Message Authentication Code
EAP: Extensible Authentication Protocol
TLS: Transport Layer Security
LEAP: Light EAP (Cisco)

Features of the IEEE 802.11i standard
What is new in IEEE 802.11i compared to WEP
Authentication and access control based on the IEEE 802.1X model
Flexible authentication framework EAP (Extensible Authentication Protocol)
  “Proven” protocols can be used (e.g., TLS)
The authentication process results in a secret session key
  Different functions use different keys, which are derived from the session key
Encryption function significantly improved (AES, TKIP)
Message integrity protection significantly improved
  AES-MAC and TKIP-MIC

IEEE 802.1X authentication model in WiFi
Port-based Network Access Control
● The mobile client requests access to services (wants to connect to the network)
● The AP controls access to services (controlled port)
● Authentication server (AS)
  • The mobile client and the AS authenticate each other
  • The AS informs the AP that it may open the controlled port for the mobile client
[Figure: Mobile client, AP with a controlled port and a free (open) port, LAN (Internet), Authentication server]

Operational phases of IEEE 802.11i
Parties: Mobile client (M), Access point (AP), Authentication server (AS)
Security capabilities discovery
802.1X authentication
  Result: M and AS
  - generate the Master Key (MK)
  - derive the Pairwise MK (PMK)
PMK distribution (e.g. via RADIUS)
802.1X key management
  Result: M and AP
  - verify the PMK
  - derive the Pairwise Transient Key (PTK)
  - the PTK is bound to this M and this AP
Data protection (TKIP, CCMP/AES)
CCMP = Counter-Mode / Cipher Block Chaining Message Authentication Code Protocol based on AES block cipher

Operational phases of IEEE 802.11i: home and ad hoc networks
The authentication server is not present
Authentication is based on a shared key (Pre-Shared Key, PSK)
Parties: Mobile client (M), Access point (AP)
PSK (instead of PMK)
Security capabilities discovery
IEEE 802.1X key management (PSK/PTK verification – “4-way” handshake)
Data protection (TKIP, CCMP/AES)

Operational phases in IEEE 802.11i
1. Agreeing on the security policy
2. IEEE 802.1X authentication (absent in home nets)
3. Key derivation and distribution
4. Protecting data confidentiality and integrity

Operational phases in IEEE 802.11i (1/4)
1. Agreeing on the security policy between M and AP
Security policy advertised in the RSN IE (RSN Information Element)
  E.g., use PSK (Pre-Shared Key) or 802.1X (auth. protocol), TKIP or CCMP/AES, etc.
Guillaume Lehembre, hakin9 6/2005

Operational phases in IEEE 802.11i (2/4)
2. IEEE 802.1X authentication
Based on EAP (Extensible Authentication Protocol) and the specific authentication method agreed earlier (in the 1st phase)
Guillaume Lehembre, hakin9 6/2005

IEEE 802.1X authentication (2nd phase)
EAP (Extensible Authentication Protocol) [RFC 3748]
  carrier protocol designed to transport the messages of “real” authentication protocols (e.g., TLS)
  very simple, four types of messages:
    EAP request – carries messages from AS to M
    EAP response – carries messages from M to the AS
    EAP success – signals successful authentication
    EAP failure – signals authentication failure
  authenticator (AP) doesn’t understand what is inside the EAP messages, it recognizes only EAP success and failure
  EAP is not an authentication method itself

IEEE 802.1X authentication (2nd phase)
EAP (Extensible Authentication Protocol)
  End-to-end transport between M and AS
  AP proxies EAP between 802.1X and the backend protocol between AP and AS (e.g. RADIUS)
Protocol stacks (figure):
  Mobile client: EAP-TLS / EAP / EAPoL (802.1X) / 802.11
  Access point, towards M: EAPoL (802.1X) / 802.11
  Access point, towards AS: EAP over RADIUS / RADIUS / TCP/IP / 802.3 or other
  Authentication server: EAP-TLS / EAP / EAP over RADIUS / RADIUS / TCP/IP / 802.3 or other
RADIUS: Remote Authentication Dial In User Service
Figure label: within the scope of IEEE 802.11i

IEEE 802.1X authentication (2nd phase)
EAPoL (EAP over LAN) [802.1X]
  used to encapsulate EAP messages into LAN protocols (e.g., Ethernet)
  EAPoL is used to carry EAP messages between the M and the AP
RADIUS (Remote Authentication Dial-In User Service) [RFC 2865-2869, RFC 2548]
  used to carry EAP messages between the AP and the auth server
  RADIUS is mandated by WPA and optional for RSN (WPA2)

IEEE 802.1X authentication (2nd phase)
EAP in action
Parties: M, AP, auth server
  M -> AP:         EAPOL-Start
  AP -> M:         EAP Request (Identity)
  M -> AP -> AS:   EAP Response (Identity)
  AS -> AP -> M:   EAP Request 1
  M -> AP -> AS:   EAP Response 1
  ...
  AS -> AP -> M:   EAP Request n
  M -> AP -> AS:   EAP Response n
  AS -> AP -> M:   EAP Success
Requests and responses 1 ... n carry the embedded auth. protocol
Between M and AP the messages are encapsulated in EAPOL, between AP and auth server they are encapsulated in RADIUS

IEEE 802.1X authentication (2nd phase)
Examples of embedded authentication protocols
EAP-TLS (TLS over EAP)
  only the TLS Handshake Protocol is used
  server and client authentication via certificates, generation of master secret
  TLS master secret becomes the session key
PEAP (Protected EAP)
  phase 1: TLS Handshake without client authentication (only server’s certificate)
  phase 2: client authentication protected by the secure channel from phase 1
  we will use it in our labs with WinSrv2008
EAP-TTLS (used for securing FESB WiFi)
  similar to PEAP (mainly different inner/client authentication)
  we will use it in our demos
EAP-SIM, EAP-MD5, EAP-PSK and many others
Tunneled TLS over Extensible Authentication Protocol (EAP-TTLS)
  Provides protection for initial authentication messages (plaintext passwords, e.g. PAP used by FESB)

Example: FESB WiFi (EAP-TTLS and PAP)
Mobile client (M)   Access point (AP)   Authentication server (AS)
TTLS server
Establishing an authentication TLS tunnel
TLS protected authentication
<--no trust--> <--trust--> <--trust-->
<-----------certificate---------->
WLAN master session key
Authentication
Data traffic on secured link

IEEE 802.1X authentication summary
At the end of authentication:
The AS and M have established a session
The AS and M possess a mutually authenticated Master Key (derived from the concrete EAP method)
  Master Key represents decision to grant access based on authentication
M and AS have derived PMK (Pairwise Master Key)
  PMK is an authorization token to enforce access control decision at AP
AS has distributed PMK to an AP (hopefully, to the M’s AP)

Operational phases in IEEE 802.11i (3/4)
3. Key derivation and distribution
At this stage M and AP both hold PMK (Pairwise Master Key)
They use it to derive a fresh PTK (Pairwise Transient Key) and GTK (Group Transient Key)
Guillaume Lehembre, hakin9 6/2005

Key derivation and distribution (3rd phase)
PTK (Pairwise Transient Key) – unique for this M and this AP
Guillaume Lehembre, hakin9 6/2005

Key derivation and distribution (3rd phase)
GTK (Group Transient Key) – for multicast, the same for all M’s
Guillaume Lehembre, hakin9 6/2005

Key derivation and distribution (3rd phase)
4-Way Handshake (radio channel)
Guillaume Lehembre, hakin9 6/2005
PTK = EAPoL-PRF(PMK, ANonce | SNonce | AP MAC Addr | M’s MAC Addr)

Key derivation and distribution (3rd phase)
Key Management Summary
4-Way Handshake
  Establishes a fresh pairwise key bound to M and AP for this session
  Proves liveness of peers
  Demonstrates there is no man-in-the-middle between PTK holders if there was no man-in-the-middle between PMK holders
  Synchronizes pairwise key use
Provisions fresh group key GTK to all mobile stations (for multicast traffic)
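
The PTK formula and the key-confirmation step of the 4-way handshake, as an added Python example that is not part of the original slides. The PRF label, the min/max input ordering and the KCK/KEK names follow IEEE 802.11i; the frame bytes, MAC addresses and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

LABEL = b"Pairwise key expansion"  # PRF label IEEE 802.11i uses for the PTK

def prf_512(pmk, a_nonce, s_nonce, ap_mac, m_mac):
    """PTK = PRF-512(PMK, label, MAC addresses | nonces), built from HMAC-SHA1."""
    # min/max ordering: M and AP feed identical bytes, whoever computes it
    data = (min(ap_mac, m_mac) + max(ap_mac, m_mac)
            + min(a_nonce, s_nonce) + max(a_nonce, s_nonce))
    out = b""
    for counter in range(4):  # 4 x 160 bits >= 512 bits
        out += hmac.new(pmk, LABEL + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
    return out[:64]

def split_ptk(ptk):
    """Cut the 512-bit PTK into its four 128-bit parts."""
    return {"KCK": ptk[0:16],    # key confirmation key (MIC on handshake messages)
            "KEK": ptk[16:32],   # key encryption key (protects the GTK in transit)
            "TK": ptk[32:48],    # data encryption key, PTK bits 256-383
            "MIC": ptk[48:64]}   # TKIP authentication (Michael) key, bits 384-511

def handshake_mic(kck, frame):
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def ap_accepts_message_2(pmk_ap, pmk_m, ap_mac, m_mac):
    """Run messages 1 and 2; True if M proved that it holds the AP's PMK."""
    a_nonce = os.urandom(32)                    # message 1, AP -> M: ANonce
    s_nonce = os.urandom(32)                    # M picks SNonce and derives the PTK
    kck_m = split_ptk(prf_512(pmk_m, a_nonce, s_nonce, ap_mac, m_mac))["KCK"]
    frame2 = b"constructed-msg2|" + s_nonce     # stand-in for the EAPOL-Key frame
    mic2 = handshake_mic(kck_m, frame2)         # message 2, M -> AP: SNonce + MIC
    kck_ap = split_ptk(prf_512(pmk_ap, a_nonce, s_nonce, ap_mac, m_mac))["KCK"]
    return hmac.compare_digest(mic2, handshake_mic(kck_ap, frame2))

if __name__ == "__main__":
    pmk = os.urandom(32)                        # constructed PMK
    ap, m = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    print("same PMK: ", ap_accepts_message_2(pmk, pmk, ap, m))
    print("wrong PMK:", ap_accepts_message_2(pmk, os.urandom(32), ap, m))
```

Because both nonces are fresh per run, every handshake yields a different PTK from the same PMK, and the MIC check is what ties the result to PMK possession.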

Example: the 3 phases with PEAP + MS-CHAPv2

Operational phases in IEEE 802.11i (4/4)
4. Protecting data confidentiality and integrity
IEEE 802.11i defines 3 protocols to protect data
TKIP (Temporal Key Integrity Protocol)
  for legacy (old RC4 devices) WPA
CCMP (Counter Mode with CBC-MAC Protocol)
  uses AES
  mandatory in WPA2
WRAP (Wireless Robust Authenticated Protocol)
  uses AES and patent-protected authenticated-encryption method OCB
  optional in WPA2
Three protocols instead of one due to politics

Protecting data confidentiality and integrity (4th phase)
Data Transfer Requirements
Never send or receive unprotected packets
Message origin authenticity — prevent forgeries
Sequence packets — detect replays
Avoid rekeying — 48 bit packet sequence number
Protect source and destination addresses
Use one strong cryptographic primitive for both confidentiality and integrity

Protecting data with TKIP
TKIP - Temporal Key Integrity Protocol
  Works with old hardware (that supports RC4)
  Solves all security problems of the WEP protocol, e.g.
    Increases the initialization vector (ext v) to 48 bits (WEP: 24 bits), to avoid repetition of the same initialization vector
    New integrity protection mechanism – Michael (Message Integrity Code)
    The initialization vector, used as a counter, protects against “replay” attacks
Frame formats (figure):
  WEP:  802.11 hdr | Data | CRC          -> WEP-RC4(k, v)         -> 802.11 hdr | v | Data | CRC
  TKIP: 802.11 hdr | Data | MIC | CRC    -> TKIP-RC4(PTK, ext v)  -> 802.11 hdr | ext v | Data | MIC | CRC

TKIP design
The Pairwise Transient Key (PTK) is 512 bits long
  Encryption key = PTK bits 256-383 (128 bits)
  Authentication key = PTK bits 384-511 (128 bits)
Protection against “replay” attacks
  The initialization vector is incremented for every packet (+1)
  A packet received out of sequence is discarded (…, n, n+1, n, …)
Encryption key mixing – addresses “weak” RC4 keys
[Figure: the Michael algorithm takes the authentication key and the source MAC address, destination MAC address and data, and outputs the MIC (Message Integrity Code, 8 bytes)]

Protecting data with CCMP
Based on AES in CCM mode
  Counter Mode Encryption with CBC-MAC (Whiting, Ferguson and Housley)
[Figure: Counter Mode Encryption: C_i = P_i XOR E_K(counter + i); Decryption: P_i = C_i XOR E_K(counter + i); all values are n bits wide.
 CBC-MAC: blocks m_1, m_2, m_3, …, m_N are chained through E_K starting from the IV, each block XORed with the previous output (C_N-1 for the last block); MAC = C_N.]

CCM Mode Overview
Use CBC-MAC to compute a MIC (Message Integrity Code) on the plaintext header, length of the plaintext header, and the payload
Use CTR mode to encrypt the payload
  Counter values 1, 2, 3, …
Use CTR mode to encrypt the MIC
  Counter value 0

Protecting data with CCMP
CCM provides authenticity and privacy
  A CBC-MAC of the plaintext is appended to the plaintext to form an encoded plaintext
  The encoded plaintext is encrypted in CTR mode
CCM is packet oriented
CCM can leave any number of initial blocks of the plaintext unencrypted
CCM has a high security level
  It is provably secure
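
The CCM construction from the "CCM Mode Overview" slide and the slide above (CBC-MAC over header, header length and payload; CTR counters 1, 2, 3, … for the payload and 0 for the MIC), as an added Python example that is not from the original slides. Assumptions: E is an HMAC-based stand-in for AES, the block layout is simplified rather than the exact CCMP encoding, and the nonce is unique per packet.

```python
import hashlib
import hmac

BLOCK = 16

def E(key, block):
    """Stand-in for AES_K(block), NOT AES. CCM only needs the forward direction."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def cbc_mac(key, nonce, header, payload):
    # MIC input: length of the plaintext header, the header, then the payload
    msg = len(header).to_bytes(2, "big") + header
    msg += b"\x00" * (-len(msg) % BLOCK) + payload
    msg += b"\x00" * (-len(msg) % BLOCK)
    # first block binds the nonce and the payload length into the MAC
    state = E(key, b"\x01" + nonce + len(payload).to_bytes(2, "big"))
    for i in range(0, len(msg), BLOCK):
        state = E(key, xor(state, msg[i:i + BLOCK]))
    return state[:8]                            # 8-byte MIC

def ctr_block(key, nonce, i):
    return E(key, b"\x02" + nonce + i.to_bytes(2, "big"))

def ctr_xor(key, nonce, data):
    out = b""
    for i in range(0, len(data), BLOCK):        # counter values 1, 2, 3, ...
        out += xor(data[i:i + BLOCK], ctr_block(key, nonce, i // BLOCK + 1))
    return out

def ccm_seal(key, nonce, header, payload):
    """Header stays in clear but is authenticated; payload and MIC are encrypted."""
    mic = cbc_mac(key, nonce, header, payload)
    return ctr_xor(key, nonce, payload) + xor(mic, ctr_block(key, nonce, 0))

def ccm_open(key, nonce, header, sealed):
    ct, enc_mic = sealed[:-8], sealed[-8:]
    payload = ctr_xor(key, nonce, ct)
    mic = xor(enc_mic, ctr_block(key, nonce, 0))  # counter value 0 for the MIC
    if not hmac.compare_digest(mic, cbc_mac(key, nonce, header, payload)):
        raise ValueError("MIC check failed: header or payload was modified")
    return payload
```

A receiver must discard the decrypted payload whenever ccm_open raises, since CTR decryption alone would return modified plaintext without any error.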

IEEE 802.11i: Pre-Shared Key (PSK)
The authentication server is not present (e.g. home and ad hoc networks)
Authentication is based on a shared key (Pre-Shared Key, PSK)
Parties: Mobile client (M), Access point (AP)
PSK (instead of PMK)
Security capabilities discovery
IEEE 802.1X key management (PSK/PTK verification – “4-way” handshake)
Data protection (TKIP, CCMP/AES)

IEEE 802.11i: Pre-Shared Key (PSK)
No explicit authentication!
  The IEEE 802.1X authentication exchange absent
  Can have a single pre-shared key for entire network (insecure)…
  …or one per STA pair (secure)
Password-to-Key Mapping
  Uses PKCS #5 v2.0 PBKDF2 to generate a 256-bit PSK from an ASCII password
  PMK = PSK = PBKDF2(Password, SSID, SSIDlength, 4096, 256)
  Salt = SSID, so PSK different for different SSIDs
  4096 is the number of hashes used in this process
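
The password-to-key mapping above, written out as an added Python example (not from the original slides) so that the 4096 chained hashes and the SSID salt are visible. PBKDF2 is spelled out by hand with HMAC-SHA1; the function names are chosen for illustration, and the 8 to 63 printable ASCII character limit is the IEEE 802.11i passphrase rule.

```python
import hashlib
import hmac
import struct

def pbkdf2_block(password, salt, iterations, index):
    """F(P, S, c, i) from PKCS #5 v2.0: XOR of c chained HMAC-SHA1 outputs."""
    u = hmac.new(password, salt + struct.pack(">I", index), hashlib.sha1).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha1).digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(20, "big")

def wpa_psk(passphrase, ssid):
    """PMK = PSK = PBKDF2(passphrase, SSID, 4096, 256 bits)."""
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    pw, salt = passphrase.encode("ascii"), ssid.encode("utf-8")
    # SHA-1 yields 160 bits per block, so 256 bits need blocks 1 and 2 (truncated)
    return (pbkdf2_block(pw, salt, 4096, 1) + pbkdf2_block(pw, salt, 4096, 2))[:32]

if __name__ == "__main__":
    # Same passphrase, two SSIDs (constructed values): the salt changes the PSK
    for ssid in ("IEEE", "constructed-home-net"):
        print(ssid, wpa_psk("password", ssid).hex())
```

Since the SSID is the only salt, every network that keeps a common default SSID and uses the same passphrase ends up with the same PSK.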

Next time
Vulnerabilities of WPA, WPA2, IEEE 802.1X