Mario Čagalj

University of Split

2013/2014.

FELK 19: Security of Wireless Networks*

WiFi (In)Security – 2st part

Assembled from different sources: Walker, Lehembre Buttyan, ...

Produced by Mario Čagalj

3

Introduction: IEEE 802.11iWe have seen that WEP is critically flawed IEEE 802.11i defined to properly secure wireless LANs (2004)

Specifies robust security mechanisms for WLANsDefines Transition Security Network (TSN)

Called WiFi-Protected Access (WPA) by WiFi-AllianceBased on “new” TKIP (that uses “old” RC4 like WEP)Backward compatibility (with old RC4-only hardware)IEEE 802.1X authentication framework

More importantly defines a Robust Security Network (RSN)Called WiFi-Protected Access 2 (WPA2) by WiFi-AllianceBased on AES and optionally TKIPAlso uses IEEE 802.1X authentication framework

4

Tranzicija prema IEEE 802.11i

IEEE 802.11bWEP

WPAIEEE 802.11i

(WPA2)

Tajnost podataka (enkripcija)

WEP (RC4) TKIP (RC4)AES,

(opcija TKIP)

Integritet podataka WEP (RC4) + CRC TKIP-MICAES-MAC

(opcija TKIP-MIC)

Autentikacija i kontrola pristupa

Shared Key Authentication

IEEE 802.1X/EAP(+ EAP-TLS,

LEAP…)

IEEE 802.1X/EAP(+ EAP-TLS,

LEAP…)

TKIP: Temporal Key Integrity Protocol

AES: Advanced Encryption StandardMIC: Message Integrity CodeMAC: Message Authentication Code

EAP: Extensible Authentication ProtocolTLS: Transport Layer SecurityLEAP: Light EAP (Cisco)

5

Značajke IEEE 802.11i standardaNovine u IEEE 802.11i u usporedbi sa WEP-om

Autentifikacija i kontrola pristupa zasnovana na IEEE 802.1X modelu

Fleksibilan autentifikacijski okvir EAP (Extensible Authentication Protocol)Mogu se koristiti “dokazani” protokoli (npr., TLS)

Autentifikacijski proces rezultira sesijskim tajnim ključem Različite funkcije koriste različite ključeve koji se izvode iz sesijskog ključaEnkripcijska funkcija značajno poboljšana (AES, TKIP)

Zaštita integriteta poruka značajno poboljšana AES-MAC i TKIP-MIC

6

Autentifikacijski model IEEE 802.1X u WiFi

Port-based Network Access Control● Mobilni klijent zahtijeva pristup uslugama (želi se spojiti na mrežu)● AP kontrolira pristup uslugama (kontrolirani port)● Autentifikacijski server (AS)

• Mobilni klijent i AS se međusobno autentificiraju• AS informira AP da može otvoriti kontrolirani port mobilnom klijentu

Mobilni klijent

AP

LAN(Internet)

Autentifikacijskiserver

Kontroliran port

Slobodan(otvoren) port

7

Operacijske faze IEEE 802.11i

Mobilni klijent (M) Pristupna točka (AP) Autentikacijski server (AS)

Otkrivanje sigurnosnih funkcionalnosti

Distribucija PMK ključa(npr. putem RADIUS-a)

Zaštita podataka(TKIP, CCMP/AES)

Rezultat: M i AS-generiraju Master Key (MK)-izvedu Pairwise MK (PMK)

802.1X autentifikacija

Rezultat: M i AP-provjere PMK-izvedu Paiwise Transient Key (PTK)-PTK vezan uz ovaj M i ovu AP

802.1X key management

CCMP = Counter-Mode / Cipher Block Chaining Message Authentication Code Protocol based on AES block cipher

8

Operacijske faze IEEE 802.11i: kućne i ad hoc mreže Autentifikacijski server nije prisutan Autentifikacija zasnovana na dijeljenom ključu (Pre-Shared Key, PSK)

Mobilni klijent (M) Pristupna točka (AP)

PSK(umjesto PMK)

Otkrivanje sigurnosnih funkcionalnosti

IEEE 802.1X key management(Provjera PSK/PTK– “4-way” handshake)

Zaštita podataka(TKIP, CCMP/AES)

9

Operational phases in IEEE 802.11i

1. Agreeing on the security policy2. IEEE 802.1X authentication (absent in home nets)3. Key derivation and distribution4. Protecting data confidentiality and integrity

10

Operational phases in IEEE 802.11i (1/4)1. Agreeing on the security policy between M and AP

Security policy advertied in RSN IE (RSN Information Element)E.g., use PSK (Pre-Shared Key) or 802.1X (auth prot.), TKIP or CCMP/AES,

etc.

Guillaume Lehembre, hakin9 6/2005

11

Operational phases in IEEE 802.11i

1. Agreeing on the security policy2. IEEE 802.1X authentication (absent in home nets)3. Key derivation and distribution4. Protecting data confidentiality and integrity

12

Operational phases in IEEE 802.11i (2/4)2. IEEE 802.1X authentication

Based on EAP (Extensible Authentication Protocol) and the specific authentication method agreed earlier (in the 1st phase)

Guillaume Lehembre, hakin9 6/2005

13

IEEE 802.1X authentication (2nd phase) EAP (Extensible Authentication Protocol) [RFC 3748]

carrier protocol designed to transport the messages of “real” authentication protocols (e.g., TLS)

very simple, four types of messages: EAP request – carries messages from AS to M EAP response – carries messages from M to the AS EAP success – signals successful authentication EAP failure – signals authentication failure

authenticator (AP) doesn’t understand what is inside the EAP messages, it recognizes only EAP success and failure

EAP is not an authentication method itself

14

IEEE 802.1X authentication (2nd phase) EAP (Extensible Authentication Protocol)

End-to-end transport between M and AS AP proxies EAP between 802.1X and backend protocol

between AP and AS (e.g. RADIUS)

EAP-TLSEAP-TLS

EAPEAP

EAPoL (802.1X)EAPoL (802.1X)

802.11802.11

EAP over RADIUSEAP over RADIUS

RADIUSRADIUS

TCP/IPTCP/IP

802.3 ili drugi802.3 ili drugi

Mobilni klijent Pristupna točka Autentifikacijski server

RADIUS: Remote Authentication Dial In User Service

within the scope of IEEE 802.11i

15

IEEE 802.1X authentication (2nd phase) EAPoL (EAP over LAN) [802.1X]

used to encapsulate EAP messages into LAN protocols (e.g., Ethernet) EAPoL is used to carry EAP messages between the M and the AP

RADIUS (Remote Access Dial-In User Service) [RFC 2865-2869, RFC 2548] used to carry EAP messages between the AP and the auth server RADIUS is mandated by WPA and optional for RSN (WPA2)

EAP-TLSEAP-TLS

EAPEAP

EAPoL (802.1X)EAPoL (802.1X)

802.11802.11

EAP over RADIUSEAP over RADIUS

RADIUSRADIUS

TCP/IPTCP/IP

802.3 ili drugi802.3 ili drugi

Mobilni klijent Pristupna točka Autentifikacijski server

16

IEEE 802.1X authentication (2nd phase) EAP in action

APM auth server

EAP Request (Identity)

EAP Response (Identity) EAP Response (Identity)

EAP Request 1EAP Request 1

EAP Response 1 EAP Response 1

EAP SuccessEAP Success

EAP Request nEAP Request n

EAP Response n EAP Response n...

...

em

bed

ded a

uth

. pro

toco

l

EAPOL-Start

encapsulated in EAPOL

encapsulated in RADIUS

17

IEEE 802.1X authentication (2nd phase)Examples of embedded authentication protocols

EAP-TLS (TLS over EAP) only the TLS Handshake Protocol is used server and client authentication via certificates, generation of master secret TLS master secret becomes the session key

PEAP (Protected EAP) phase 1: TLS Handshake without client authentication (only server’s certificate) phase 2: client authentication protected by the secure channel from phase 1 we will use it in our labs with WinSrv2008

EAP-TTLS (used for securing FESB WiFi) similar to PEAP (mainly different inner/client authentication) we will use it in our demos

EAP-SIM, EAP-MD5, EAP-PSK and many others

Tunneled TLS over Extensible Authentication Protocol (EAP-TTLS) Provides protection for initial authentication messages (plaintext passwords, e.g.

PAP used by FESB)

18

Example: FESB WiFi (EAP-TTLS and PAP)

Mobilni klijent (M) Pristupna točka (AP) Autentifikacijskiserver (AS)

TTLS server

Establishing an authentication TLS tunnel

TLS protected authentication

<--no trust--> <--trust--> <--trust-->

<-----------certificate---------->

WLAN master session key

Authentication

Data traffic on secured link

19

IEEE 802.1X authentication summaryAt the end of authentication:

The AS and M have established a session

The AS and M possess a mutually authenticated Master Key (derived from the concrete EAP method)Master Key represents decision to grant access based on authentication

M and AS have derived PMK (Pairwise Master Key)PMK is an authorization token to enforce access control decision at AP

AS has distributed PMK to an AP (hopefully, to the M’s AP)

20

Operational phases in IEEE 802.11i

1. Agreeing on the security policy2. IEEE 802.1X authentication (absent in home nets)3. Key derivation and distribution4. Protecting data confidentiality and integrity

21

Operational phases in IEEE 802.11i (3/4)3. Key derivation and distribution

At this stage M and AP both hold PMK (Pairwise Master Key)They use it to derive a fresh PTK (Pairwise Transient Key) and GTK (Group

Transient Key)

Guillaume Lehembre, hakin9 6/2005

22

Key derivation and distribution (3rd phase) PTK (Pairwise Transient Key) – unique for this M and this AP

Guillaume Lehembre, hakin9 6/2005

23

Key derivation and distribution (3rd phase) GTK (Group Transient Key) – for multicast, the same for all M’s

Guillaume Lehembre, hakin9 6/2005

24

Key derivation and distribution (3rd phase)4-Way Handshake (radio channel)

Guillaum

e Lehembre, hakin9 6/2005

PTK

PTK = EAPoL-PRF(PMK, ANonce | SNonce | AP MAC Addr | M’s MAC Addr)

25

Key derivation and distribution (3rd phase)

Key Management Summary4-Way Handshake

Establishes a fresh pairwise key bound to M and AP for this sessionProves liveness of peersDemonstrates there is no man-in-the-middle between PTK holders if

there was no man-in-the-middle between PMK holdersSynchronizes pairwise key use

Provisions fresh group key GTK to all mobile stations (for multicast traffic)

26

Example:the 3 phases withPEAP + MS-CHAPv2

27

Operational phases in IEEE 802.11i

1. Agreeing on the security policy2. IEEE 802.1X authentication (absent in home nets)3. Key derivation and distribution4. Protecting data confidentiality and integrity

28

Operational phases in IEEE 802.11i (4/4)

4. Protecting data confidentiality and integrityIEEE 802.11i defines 3 protocols to protect data

TKIP (Temporal Key Integrity Protocol) for legacy (old RC4 devices) WPA

CCMP (Counter Mode with CBC-MAC Protocol)uses AESmanadatory in WPA2

WRAP (Wireless Robust Authenticated Protocol)uses AES and patent-protected authenticated-encryption method OCBoptional in WPA2

Three protocols instead of one due to politics

29

Protecting data confidentiality and integrity (4th phase)Data Transfer Requirements

Never send or receive unprotected packetsMessage origin authenticity —prevent forgeriesSequence packets —detect replaysAvoid rekeying —48 bit packet sequence numberProtect source and destination addressesUse one strong cryptographic primitive for both confidentiality

and integrity

30

Zaštita podataka TKIP-om TKIP - Temporal Key Integrity Protocol

Radi sa starim hardverom (koji podržava RC4) Rješava sve sigurnosne probleme sa WEP protokolom, npr.

Povećava inicijalizacijski vektor (ext v) na 48 bitova (WEP - 24 bita), da bi se izbjeglo ponavljanje istog init. vektora

Novi mehanizam za zaštitu integriteta – Michael (Message Integrity Code) Inicijalizacijski vektor kao brojač služi za zaštitu od “replay” napada

802.11 hdr Podaci CRC

WEP-

RC4(k,v)802.11 hdr CRCv Podaci

802.11 hdr

TKIP-RC4(PTK,ext

v)802.11 hdr ext v Podaci MIC CRC

WEP TKIP

Podaci MIC CRC

31

TKIP dizajn Pairwise Transient Key (PTK) je dug 512 bitova

Enkripcijski ključ = PTK bitovi 256-383 (128 bitova) Autentifikacijski ključ = PTK bitovi 384-511 (128 bitova)

Message Integrity Code (8 bytes)

Zaštita od “replay” napada Za svaki paket inicijalizacijski vektor se inkrementira ( + 1 ) Odbacuje se paket koji je primljen izvan sekvence (…, n, n+1, n, …)

Miješanje enkripcijskog ključa – rješavanje “slabih” RC4 ključeva

Autentifikacijski ključ Michael algoritam

Michael algoritam

MAC Adresa Izvora

MAC Adresa Odredišta Podaci MIC

32

Protecting data with CCMPBased on AES in CCM mode

Counter Mode Encryption with CBC-MAC (Whiting, Ferguson and Housley)Counter Mode Encryption: Decription:

CBC-MAC

EE

Pi Ci

K

+

(n)

(n)

(n)

counter + i

(n)

EE

Ci Pi

K

+

(n)

(n)

(n)

counter + i

(n)

EE

m1

K

+

EE

m2

K

+

EE

m3

K

+

EE

mN

MAC = CN

K

+IV CN-1

…

33

CCM Mode Overview

Use CBC-MAC to compute a MIC (Message Integrity Code) on the plaintext header, length of the plaintext header, and the payload

Use CTR mode to encrypt the payloadCounter values 1, 2, 3, …

Use CTR mode to encrypt the MICCounter value 0

34

Protecting data with CCMP

35

Protecting data with CCMPCCM provides authenticity and privacy

A CBC-MAC of the plaintext is appended to the plaintext to form an encoded plaintext

The encoded plaintext is encrypted in CTR mode

CCM is packet oriented

CCM can leave any number of initial blocks of the plaintext unencrypted

CCM has a high security levelIt is provably secure

36

IEEE 802.11i: Pre-Shared Key (PSK) Autentifikacijski server nije prisutan (npr. kućne i ad hoc mreže) Autentifikacija zasnovana na dijeljenom ključu (Pre-Shared Key, PSK)

Mobilni klijent (M) Pristupna točka (AP)

PSK(umjesto PMK)

Otkrivanje sigurnosnih funkcionalnosti

IEEE 802.1X key management(Provjera PSK/PTK– “4-way” handshake)

Zaštita podataka(TKIP, CCMP/AES)

37

IEEE 802.11i: Pre-Shared Key (PSK)No explicit authentication!

The IEEE 802.1X authentication exchange absentCan have a single pre-shared key for entire network (insecure)…

…or one per STA pair (secure)

Password-to-Key MappingUses PKCS #5 v2.0 PBKDF2 to generate a 256-bit PSK from an ASCII

passwordPMK=PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256)

Salt = SSID, so PSK different for different SSIDs4096 is the number of hashes used in this process

38

Next timeVulnerabilities of WPA, WPA2, IEEE 802.1X