IEEE 802.11 Security

VA CourseKarlstad University

27/03/2006

IEEE 802.11 Security


27/03/2006

2

IEEE Security Outline

• Introduction to Wireless Local Area Networks• IEEE 802.11• IEEE 802.11 PHY & MAC

• IEEE 802.11 Security• Risks to IEEE 802.11 networks• IEEE 802.11 WEP• Wi-Fi Alliance’s WPA• IEEE 802.11i amendment and WPA2


27/03/2006

3

Who is Who in IEEE 802.11

• IEEE• Institute of Electrical and Electronics Engineers, Inc.• designs the technology & publish the standards

www.ieee.org

• Wi-Fi Alliance*• certify interoperability of WLAN products• +250 member companies and +2800 certified products

www.wifialliance.com

* former WECA - Wireless Ethernet Compatibility Alliance


27/03/2006

4

IEEE 802.11 Evolution• Wireless Evolution:

– early 1990s• first wireless networks operating in the ISM bands• issues: price, performance, interoperability IEEE 802.11 WG is born

– 1997 June• IEEE 802.11 standard is approved.

– 1999 September• standard revision, IEEE 802.11a & IEEE 802.11b are approved.

– 2003 June• IEEE 802.11g amendment is approved

– 2004 July• IEEE 802.11i amendment is approved


27/03/2006

5

IEEE 802.11 Specification

• Operation Modes• infrastructure network• ad hoc network

• IEEE 802.11 standard specifies:• medium access control (MAC)• physical layer protocols (PHY)

PHY

MAC

IP

LLC IEEE 802.2

IEEE 802.11


27/03/2006

6

Operation Modes

• Infrastructure Network Mode– Basic Service Set (BSS) with only one Access Point (AP)

AP

STA

BSS


27/03/2006

7

Operational Modes

• Infrastructure Network Mode– Extended Service Set (ESS)

BSS BSS

ESS

AP

STA

AP

STA


27/03/2006

8

Operational Modes

• Ad Hoc Network Mode– Independent Basic Service Set (IBSS)– no support to multi hopping no routing! PHY & MAC layers only

IBSS

STA


27/03/2006

9

The Spectrum

• Electromagnetic Spectrum– the physical medium “air” from viewpoint of the signal frequencies– frequency usage is regulated / controlled by the local government

• E.U. CEPT* - ERO (European Radio Comm. Office)• Sweden PTS (Post & Telestyrelsen)• U.S. FCC & NTIA• International ITU

*European Conference of Postal and Telecommunications Administrations


27/03/2006

10

The Spectrum

• Electromagnetic Spectrumwww.ntia.doc.gov/osmhome/allochrt.htmlwww.pts.se/www.ero.dk/ecc

1G

Hz

2.4GHz-2.5GHzIEEE 802.11bIEEE 802.11g

5.725GHz5.875GHz

IEEE802.11a902MHZ928MHz

MVL L H UH SHVH EH IR

300

GH

z

300

TH

z

3 K

Hz

microwaves

AM FM AMPS GSM-DCSPCSGSM


27/03/2006

11

Transmission Mechanisms

• Narrow Band– all signal power is concentrated in a narrow spectrum band

• Spread Spectrum -SS– the signal power is spread in the spectrum


27/03/2006

12

Spread Spectrum• Direct Sequence (DS-SS)

– the signal is multiplied by a code signal spreading

si(t)=(2.Pi)-1/2.di(t).pi(t).cos(0.t+ i)

– the signal is retrieved multiplying it the same code

– anti jamming properties– low probability of interception

• low amplitude signal even below noise level!

code


27/03/2006

13

Spread Spectrum

• Direct Sequence (DS-SS)

ReceivedNarrowband

Signal

Original Narrowband

Signal

spread signal

noisenoisenoise

code

code

spread waveform

pi(t) pi(t)

(2.Pi)-1/2.di(t).cos(0.t+ i)

(2.Pi)-1/2.di(t).pi(t).cos(0.t+ i)

(2.Pi)-1/2.di(t).cos(0.t+ i)


27/03/2006

14

IEEE 802.11 PHY

• Several different PHY layers MAC Layer

2.4 GHzFH-SS

1 Mbps2 Mbps

MAC

2.4 GHzDS-SS1 Mbps2 Mbps

Infrared

1 Mbps2 Mbps

2.4 GHzDS-SSOFDM

max 11 Mbpsmax 54 Mbps

5 GHzOFDM

6, 9, 12, 18, 24, 36,

48, 54 Mbps

IEEE 802.11 IEEE802.11b802.11g

IEEE802.11a


27/03/2006

15

IEEE 802.11 PHY DS-SS

• DS-SS: Direct Sequence – Spread Spectrum

2400

2412

2417

2422

2427

2432

2437

2442

2447

2452

2457

2462

2467

2472

2477

2482

2487

2492

2497

1

2

3

4

5

6

8

7

9

10

11

12

13

14

MHz


27/03/2006

16

IEEE 802.11 PHY OFDM

• OFDM: Orthogonal Frequency Division Multiplexing• multiple transmissions at the same time• 4 overlayering carriers

no interference among the carriers

OFDMminimum

maximum


27/03/2006

176111

6

6 11

1

11

1

1

IEEE 802.11 PHY

• Channels and Channel reuse• Europe*, USA

6 11

6

611

11

1

11

* except France, Spain


27/03/2006

18

IEEE 802.11 MAC

• MAC Layer - Medium Access• medium access without contention• medium access with contention

random backoff mechanism• ACK and retransmission

MACDCF

PCF

Point Coordination

Function

Distributed Coordination

Function


27/03/2006

19

IEEE 802.11 MAC

• Point Coordination Function (PCF)• the Access Point (AP) defines medium access• only for infrastructure wireless networks (optional)• polling among STA contention-free medium access

• Distributed Coordination Function (DCF)• all station (STA)• CSMA/CA Carrier Sense Multiple Access / Collision

Avoidance• RTS/CTS mechanism


27/03/2006

20

IEEE 802.11 CSMA/CA

• Physical Carrier Sense (PHY)• checks if the physical medium is free

• Virtual Carrier Sense• to solve the “hidden-node” problem!• use of RTS and CTS frames

Duration/ID field defines the reserved period of time

NAV Network Allocation Vectorstores the reservation informationimplemented as a counter


27/03/2006

21

IEEE 802.11 CSMA/CA

• Virtual Carrier Sense PIFS – PCF IFS - 10µs SIFS – Short IFS - 30µs DIFS – DCF IFS - 50µs

DS-SStimings


27/03/2006

22

IEEE 802.11 CSMA/CA

• Random backoff mechanism• after transmission DIFS (DFC interframe space)• if a STA wants to transmit and the medium is free

immediate access (>= DIFS)• if a STA wants to transmit and the medium is not free

wait for DIFS + random period (contention window)

* Networking Computing


27/03/2006

23

Frame

IEEE 802.11 CSMA/CA

• Backoff mechanism (contention window)

Frame

DIFS

STA A

STA E

STA D

STA C

STA BWait

Wait

Contention

Frame

Backoff

DIFS

Cont.

Frame

DIFS

Cont.

Frame

DIFS

Cont.

Wait

Wait


27/03/2006

24

Risks in IEEE 802.11 networks

• Risks? Is it really not secure?• rogue clients logging in into your networks• wireless eavesdropping and network intrusion• non-authorized / rogue AP and cloned AP• bad configuration

Cloned AP Rogue AP

Enterprise LAN

Attacker

AP


27/03/2006

25

IEEE 802.11 Security

• Data link security (L2)between AP and STA or STA and STA (ad hoc mode)

IEEE 802.11 WEP (Wired Equivalent Privacy)is WEP really that bad?

Wi-Fi Alliance’s WPA (Wi-Fi Protected Access)is WPA enough?

IEEE 802.11i amendment and WPA2are we finally secure?


27/03/2006

26

Wired Equivalent Privacy - WEP

• the security goals of IEEE 802.11 were:– Authentication– Confidentiality– Data Integrity

• WEP introduced in the original IEEE 802.11 standard• designed to protect authorized users from casual eavesdropping• optional security add-on to achieve confidentiality

• WEP assumes that AP and clients have shared-keys


27/03/2006

27

Wired Equivalent Privacy - WEP

• WEP Confidentiality and Integrity in the Data Link Layer• but what is WEP?

“a form of ECB* in which a a block of plaintext is bitwised XORed with a pseudorandom key sequence of equal length”

• WEP key (PRNG input)a 40-bit long shared secret+ 24-bit long IV

• Data integritywith CRC-32

PRNG input is64-bit long

*Electronic Code Book

MAC IV Ciphered Payload CRC


27/03/2006

28

Ciphering with WEP

InitializationVector (IV)

SecretKey

Plaintext

||

IV

CiphertextWEPPRNG(RC4)

Seed

||CRC-32

Key Sequence

Integrity Check Value

(ICV) || - concatenation - bitwise XOR

24 bits

40 bits 64 bits

32 bits

Output

P K = C


27/03/2006

29

Deciphering with WEP

SecretKey

IV

Ciphertext

WEPPRNG(RC4)

Key Sequence

CRC-32

||Seed

ICV

Plaintext

ICV’=?

Ciphertext

IV

24 bits

40 bits

64 bitsInput

C K = P K K = P

|| - concatenation - bitwise XOR


27/03/2006

30

WEP Authentication

• WEP authentication modes– Open System

null authentication

– Shared Keybased on WEPSTA STA

or APrequest

challenge: (M)

response: EWEP(M)

OK / NOK


27/03/2006

31

Early comments on WEP

• the use of shared-keys in WEP• network security management problem

• shared keys are not long enough (40bits)• brute force attacks (feasible, but takes time)

just increase the key length to 104bits!


27/03/2006

32

Overview of the WEP Insecurity• March 2000: Simon, Aboba and Moore

• several flaws in WEP design

• October 2000: Walker• limited IV space leads to IV reuse problem

• July 2001: Borisov, Goldberg and Wagner• practical attacks to cause known plaintext to be transmitted

• March 2001: Arbaugh et al.• trivial to obtain a keystream

• August 2001: the Fluhrer, Mantin and Shamir attack• weakness in RC4 key scheduling algorithm

and the popular cracking tools for IEEE 802.11 networks secured with WEP…


27/03/2006

33

Simon, Aboba and Moore (Microsoft)

• NIC authentication only no user authentication• lost NICs / device huge security management problem

• shared-key authentication is not mutual• rogue AP MitM attacks

• ICV is not keyed• no guarantee of data integrity

• known plaintext attacks recover the keystream for a given IV

C P = P K P = K


27/03/2006

34

J. Walker (Microsoft)

• WEP mechanism unsafe at any key size (24-bit long IV)• only 224 values can be derived from a WEP key• IV reuse can lead to data decryption without the secret key• no policy for IV selection on AP

InitializationVector (IV)

SecretKey ||

WEPPRNG(RC4)

SeedKey

Sequence

24 bits

40 bits 64 bitsK

C C’ = P K P’ K = P P’


27/03/2006

35

Borisov, Goldberg and Wagner (UCB)

• IV dictionaries are independent of the key size (224 entries)

• practical ways to cause known plaintext to be transmitted• broadcasted datagrams obtain a RC4 keystream

• Message modification• CRC-32 is a linear function of the message

• Message injection and authentication spoofing• one RC4 keystream needed

C’ = C ( Δ || c(Δ) )


27/03/2006

36

Arbaugh et al. (UMD)

• trivial to obtain a keystream• shared-key authentication 2nd frame and 3rd frame

STA STA or AP

request

challenge: (M)

response: EWEP(M)

OK / NOK

Plaintext

Ciphertext

C P = P K P = K

RC4 keystream


27/03/2006

37

Fluhrer, Mantin and Shamir

• weakeness in RC4 key scheduling algorithm• large class of weak keys collecting weakened packets• derive the first byte of the RC4 output

• Stubblefield, Ioannidis and Rubin effectiveness of the attackca. 106 packets to retrieve a key

RC4

KSA

PRGA

Seed Key Sequence24 bits

+40 bitsSecret

Known


27/03/2006

39

Attack Tools on WEP

• Fluhrer, Mantin and Shamir ImplementedAirSnort

http://airsnort.shmoo.com/

WEPCrackhttp://sourceforge.net/projects/wepcrack/

• wesside - a fragmentation-based attack tool from UCL

http://www.cs.ucl.ac.uk/staff/A.Bittau/frag-0.1.tgz


27/03/2006

40

Vendors’ Countermeasures• Increasing the secret key length to 104 bits

innocuous:: WEP is insecure at any key-size

• MAC filteringMAC spoofing is easily achievable

• suppressing of SSID broadcastsnetwork will be detected (management datagrams)

• the vendors’ patch blocking potentially harmful IVreduced the IV space even morelegacy hosts compromise the solution


27/03/2006

41

Wi-Fi Protected Access (WPA)

• WPA (Wi-Fi Protected Access)• recommendation to improve security in IEEE 802.11 networks• published in April 2003

added as subset of IEEE 802.11i for backward compatibility

firmware upgrade only is needed

• WPA encryption:Temporal Key Integrity Protocol wrapper over WEP

• WPA has two authentication modes:Enterprise Mode (Authentication Server is needed)SOHO Mode (using shared-keys)


27/03/2006

42

WPA Encryption with TKIP

• TKIP enhancements over WEP are:• a keyed data integrity protocol (MIC – Message Integrity Protocol)

MICHAEL 64-bit long keys, calculated over the MSDU

• re-keying mechanism to provide fresh keysencryption keys for different purposes

• per packet mixing function prevent weak key attacksMAC of the destination is mixed to the temporal key

• a discipline for IV sequencing prevent IV reuseIV counter is reseted after the establishment of fresh

keys


27/03/2006

43

WPA Authentication Enterprise Mode

• Authentication Server provides:• key management and • authentication according to the EAP

• EAPOL (IEEE 802.1X) is needed• IEEE 802.1X defines a port-based network control method

EAP authentication mechanism

EAP

EAPoL (IEEE 802.1X) RADIUS

ASSTA

APwireless medium

wired medium

supplicantauthenticator


27/03/2006

44

IEEE 802.1X Authentication with TLS

APSTA AS

802.1X/EAP Req. ID

802.1X/EAP Resp. ID RADIUS Access Req. / EAP - Resp. ID

EAP-TLS Mutual Authenticationcalculate PMK* calculate PMK*

RADIUS Accept + PMK

802.1X/EAP-Success

EAPoL RADIUS

*TLS-PRF( MasterKey, “client EAP encryption” || random1 || random2 )

TLS-PseudoRandomFunction( PreMasterKey, “master secret” || random1 || random2 )

PMK


27/03/2006

45

WPA Authentication SOHO Mode

• using Pre-Shared Keys (PSK)• shared keys between the AP and STA

• useful solution for smaller networks• no need for an authentication server

• PSK is vulnerable to dictionary attacks• coWPAtty http://sourceforge.net/projects/cowpatty


27/03/2006

46

IEEE 802.11i

• IEEE 802.11i is an amendment to the IEEE 802.11 standard• several components are external to the IEEE 802.11 standard

IEEE 802.11i protect data framesEAPoL (IEEE 802.1X) provides authentication

key establishment and distribution

• RSNA - Robust Secure Network Association• defined as a type of association to secure wireless networks


27/03/2006

47

RSNA

• RSNA defines:• key hierarchy and key management algorithms;• a cryptographic key establishment;• enhanced authentication mechanisms;• enhanced data encapsulation mechanism: CTR with CBC-MAC

Counter Mode with Cipher Block Chaining with Message Authentication Code (CBC-MAC) Protocol.

• TKIP is included for systems not full compliant with RSNA• Open-System Authentication is kept;• WEP is supported only for interoperability with legacy systems.


27/03/2006

48

RSNA Security Algorithm Classes

• RSNA algorithms• data confidentiality protocols• network architecture for authentication (based on IEEE 802.1X)• key hierarchy, key setting and distribution method

• Pre-RSNA algorithms• WEP and IEEE 802.11 Open System Authentication


27/03/2006

49

RSN and TSN

• RSN Information Element (IE) Beacon Frames• RSN IE Group Key Field Suite indicates the network type

• Robust Secure Networks (RSN)• RSNA only networks

• Transient Secure Networks (TSN)• allows both Pre-RSNA networks (WEP) and RSNA networks


27/03/2006

50

RSNA Operational Phases

ASSTAAP

Discovery

Key Management

Authentication (IEEE 802.1X)

Data Transfer(protected)

Key Distribution


27/03/2006

51

RSNA Discovery Phase

• Discover of an AP SSID by an STA• RSN IE frames

• Definition of:• authentication, key management and cryptographic suite• cipher suite selectors include:

WEP-40, WEP-104, TKIP, CCMP, and vendor specifics


27/03/2006

52

RSNA Key Hierarchy and Distribution

• RSNA key hierarchies• unicast traffic pairwise hierarchy• multicast and broadcast traffic group temporal key hierarchy

• RSNA key distribution• 4-way handshake


27/03/2006

53

RSNA Pairwise Key Hierarchy

Pre-SharedKey (PSK)

Pairwise Master Key (PMK)

Pairwise Transient Key (PTK)

PRF

AAAKey

256 bits

384 or 512 bits

OR

256 bitsfirst

256 bits

product of the IEEE802.1X

authentication

positive access decision

authorization to the IEEE802.11

medium


27/03/2006

54

Pairwise Transient Key

• KCK (Key Confirmation Key) confirms the possession of the PMK

• KEK (Key Encryption Key) for the distribution of group keys• TK (Temporal Key) for data confidentiality

Pairwise Transient Key (PTK)

KCK KEK Temporal Key

0127 128 255 256

n(383 or 512)


27/03/2006

55

RSNA Group Key Hierarchy

Group MasterKey (GMK)

Group TemporalKey (GTK)

PRFnonceAS

AS address

128 or256 bits

chosen by the authenticator

TKIP

CCMP


27/03/2006

56

4-Way Handshake

• PTK setting and GTK distribution• confirm that a live peer holds the PMK and the PMK is current• derive a fresh PTK from the PMK• install encryption and integrity keys• confirm the cipher suite


27/03/2006

57

4-Way HandshakeSupplicantSTA

AuthenticatorAP PMKPMK

EAPoL-Key ( nonceAP )

EAPoL-Key ( nonceSTA , MIC )

generate nonceSTAgenerate nonceAP

derive PTK

derive PTK

nonceAP

nonceSTA

generateGTK*

*if needed

EAPoL-Key ( Install PTK, MIC, EKEK[GTK] )

EAPOL-Key ( MIC )

installPTK and GTK

installPTK


27/03/2006

58

RSNA Confidentiality & Integrity

• RSNA defines:• TKIP should only be used when CCMP is not

available• CCMP mandatory for full compliance

• CCMP• based on AES on CCM mode provable secure• CCM uses a single 128-bit key for both data encryption and MIC• requires a fresh TK for every session, and a unique nonce per

frame 48-bit packet number (PN) field


27/03/2006

59

RSNA Confidentiality & Integrity

• TKIP + MICHAEL• CCMP

• AES based• confidentiality, authentication, integrity and replay protection• 128-bit long key for both data encryption and MIC computing• a fresh Temporal Key (TK) is needed for every session


27/03/2006

60

MIC*• MICHAEL

TKIP

• CBC-MAC**CCMP

*Calculated using MSDU - WEP uses the MPDU only

DASA

Payload

Michael

KCK

MIC8 bytes

MIC

** Counter Mode with Cipher Block Chaining (CBC)

DA SA Payload0 0

padding padding

B1

AES

BK… BK+1 BR…

IV … AES

KCK KCK

AES

KCK

MIC

Date post:	09-Feb-2016
Category:	Documents
Upload:	sidone
View:	78 times
Download:	2 times

IEEE 802.11 Security

Documents