IC3-8 MPJ WLAN Security 1
Wireless LANs Security
Matthew JoyceRutherford Appleton Laboratory,
CCLRC
IC3-8 MPJ WLAN Security 2
Contents
>Wireless LAN 802.11>Understand the technology.>Investigate vulnerabilities.>Examine how security can be provided.>Demonstration
IC3-8 MPJ WLAN Security 3
Wireless LAN Standards>IEEE ratified 802.11 in 1997.
>Also known as Wi-Fi.
>802.11 provides Layer 1 & Layer 2 of OSI model.>Physical layer>Data link layer
>Wireless LAN at 1 Mbps & 2 Mbps.>Wi-Fi Alliance formed to promote
interoperability.>802.11b ratified in 1999 adding 5.5
Mbps and 11 Mbps.
IC3-8 MPJ WLAN Security 4
Wireless LAN Standards> 802.11a
> Ratified 2001> 5 Ghz radio spectrum.> Maximum speed 54 Mbps.> In practice about 20Mbps> More energy efficient, less battery drain, better
range
> 802.11g> Ratified June 2003> 2.4Ghz spectrum again> Maximum speed 54 Mbps> In practice from 10 to 20Mbps
IC3-8 MPJ WLAN Security 5
802.11 Components
>Two pieces of equipment defined:>Wireless station
>A desktop or laptop PC or PDA with a wireless NIC.
>Access point>A bridge between wireless and wired networks>Composed of
> Radio> Wired network interface (usually 802.3)> Bridging software
>Aggregates access for multiple wireless stations to wired network.
IC3-8 MPJ WLAN Security 6
802.11 modes> Infrastructure mode
> Basic Service Set> One access point
> Extended Service Set> Two or more BSSs forming a single subnet.
> Most corporate LANs in this mode.
> Ad-hoc mode> Also called peer-to-peer.> Independent Basic Service Set> Set of 802.11 wireless stations that communicate
directly without an access point.> Useful for quick & easy wireless networks.
IC3-8 MPJ WLAN Security 7
Infrastructure mode
Basic Service Set (BSS) – Single cell
Extended Service Set (ESS) – Multiple cells
Access Point
Station
IC3-8 MPJ WLAN Security 8
Ad-hoc mode
Independent Basic Service Set (IBSS)
IC3-8 MPJ WLAN Security 9
802.11 Physical Layer
>Three alternative physical layers>Two incompatible spread-spectrum radio in
2.4Ghz ISM band>Frequency Hopping Spread Spectrum (FHSS)
> 75 channels
>Direct Sequence Spread Spectrum (DSSS)> 14 channels (11 channels in US)
>One diffuse infrared layer
IC3-8 MPJ WLAN Security 10
Speed & Range> 802.11 standard.
> 1 Mbps or 2 Mbps.
> 802.11b standard.> Adds 5 Mbps or 11 Mbps.> DSSS as sole physical layer.
> So only 14 channels.> Dynamic rate shifting.
> Transparent to higher layers> Ideally 11 Mbps.> Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
> Higher ranges.> Interference.
> Shifts back up when possible.
> Maximum specified range 100 metres
IC3-8 MPJ WLAN Security 11
802.11 Data Link Layer> Layer 2 split into:
> Logical Link Control (LLC).> Media Access Control (MAC).
> LLC - same 48-bit addresses as 802.3.> MAC - CSMA/CD not possible.
> Can’t listen for collision while transmitting.
> CSMA/CA – Collision Avoidance.> Sender waits for clear air, waits random time, then
sends data.> Receiver sends explicit ACK when data arrives intact.> Also handles interference.> But adds overhead.
> 802.11 always slower than equivalent 802.3.
IC3-8 MPJ WLAN Security 12
Joining a BSS
>When 802.11 client enters range of one or more APs>APs send beacons.>AP beacon can include SSID.>AP chosen on signal strength and observed
error rates.>After AP accepts client.
>Client tunes to AP channel.
>Periodically, all channels surveyed.>To check for stronger or more reliable APs.>If found, reassociates with new AP.
IC3-8 MPJ WLAN Security 13
Access Point Roaming
Channel 4
Channel 7
Channel 9
Channel 1
IC3-8 MPJ WLAN Security 14
Roaming and Channels
>Reassociation with APs>Moving out of range.>High error rates.>High network traffic.
>Allows load balancing.
>Each AP has a channel.>14 partially overlapping channels.>Only three channels that have no overlap.
>1, 6, 11>Best for multicell coverage.
IC3-8 MPJ WLAN Security 15
Open System Authentication
>Service Set Identifier (SSID)>Station must specify SSID to Access
Point when requesting association.>Multiple APs with same SSID form
Extended Service Set.>APs can broadcast their SSID
>But this can be turned off
>Some 802.11b clients allow * as SSID.>Associates with strongest AP regardless of
SSID.
IC3-8 MPJ WLAN Security 16
MAC Address locking
>Access points have Access Control Lists (ACL).
>ACL is list of allowed MAC addresses.>E.g. Allow access to:
>00:01:42:0E:12:1F>00:01:42:F1:72:AE>00:01:42:4F:E2:01
>But MAC addresses are sniffable and spoofable.
>Access Point ACLs are ineffective control.
IC3-8 MPJ WLAN Security 17
Interception Range
Basic Service Set (BSS) – Single cell
Station outsidebuilding perimeter.
100 metres
IC3-8 MPJ WLAN Security 18
Interception
>Wireless LAN uses radio signal.>Not limited to physical building.>Signal is weakened by:
>Walls>Floors>Interference
>Directional antenna allows interception over longer distances.
IC3-8 MPJ WLAN Security 19
Directional Antenna>Directional antenna provides focused
reception.>DIY plans available.
>Aluminium cake tin.>11 Mbps at 750 meters.
> http://www.saunalahti.fi/~elepal/antennie.html> http://www.turnpoint.net/wireless/has.html
> Pringles vs Coffee vs Pasta Sauce vs Beef Stew
IC3-8 MPJ WLAN Security 20
WarDriving>Software
>Netstumbler>THC-Wardrive
>Laptop>802.11b PC card>Optional:
>Global Positioning System>Car, bicycle, boat…
>Logging of MAC address, network name, SSID, manufacturer, channel, signal strength, noise (GPS - location).
IC3-8 MPJ WLAN Security 21
WarDriving results
CATEGORY TOTAL PERCENT
TOTAL APs FOUND 9374 100
WEP Enabled 2825 30.13
No WEP Enabled 6549 69.86
Default SSID 2768 29.53
Default SSID and No WEP
2497 26.64
Unique SSIDs 3672 39.17
Most Common SSID 1778 18.97
Second Most Common SSID
623 6.65
>http://www.wigle.net/> 568,000 GPS located wireless networks
> WorldWide WarDrive Autumn 2002> Chris Hurley, DefCon11
IC3-8 MPJ WLAN Security 22
WarDriving map Source: www.dis.org/wl/maps/
IC3-8 MPJ WLAN Security 23
IC3-8 MPJ WLAN Security 24
Further issues>Access Point configuration
>Mixtures of SNMP, web, serial, telnet.>Community strings, default passwords.
>Evil Twin Access Points>Stronger signal, capture user
authentication.
>Hub broadcasts>If AP connected to hub, all broadcasts
transmitted.
>Renegade Access Points>Unauthorised wireless LANs.
IC3-8 MPJ WLAN Security 25
802.11b Security Services
>Two security services provided:>Authentication
>Shared Key Authentication
>Encryption>Wired Equivalence Privacy
IC3-8 MPJ WLAN Security 26
Wired Equivalence Privacy
>Shared key between>Stations.>An Access Point.
>Extended Service Set>All Access Points will have same shared key.
>No key management>Shared key entered manually into
>Stations>Access points>Key management nightmare in large wireless
LANs
IC3-8 MPJ WLAN Security 27
RC4
>Ron’s Code number 4>Symmetric key encryption>RSA Security Inc.>Designed in 1987.>Trade secret until leak in 1994.
>RC4 can use key sizes from 1 bit to 2048 bits.
>RC4 generates a stream of pseudo random bits>XORed with plaintext to create ciphertext.
IC3-8 MPJ WLAN Security 28
WEP – Sending>Compute Integrity Check Vector (ICV).
>Provides integrity>32 bit Cyclic Redundancy Check.>Appended to message to create plaintext.
>Plaintext encrypted via RC4>Provides confidentiality.>Plaintext XORed with long key stream of
pseudo random bits.>Key stream is function of
>40-bit secret key>24 bit initialisation vector
>Ciphertext is transmitted.
IC3-8 MPJ WLAN Security 29
WEP Encryption
PRNG
32 bit CRC
IV
Ciphertext
||
||Plaintext
Secret key
InitialisationVector (IV)
IC3-8 MPJ WLAN Security 30
WEP – Receiving
>Ciphertext is received.>Ciphertext decrypted via RC4
>Ciphertext XORed with long key stream of pseudo random bits.
>Key stream is function of >40-bit secret key>24 bit initialisation vector (IV)
>Check ICV>Separate ICV from message.>Compute ICV for message>Compare with received ICV
IC3-8 MPJ WLAN Security 31
Shared Key Authentication>When station requests association with
Access Point>AP sends random number to station>Station encrypts random number
>Uses RC4, 40 bit shared secret key & 24 bit IV
>Encrypted random number sent to AP>AP decrypts received message
>Uses RC4, 40 bit shared secret key & 24 bit IV
>AP compares decrypted random number to transmitted random number
>If numbers match, station has shared secret key.
IC3-8 MPJ WLAN Security 32
WEP Safeguards
>Shared secret key required for:>Associating with an access point.>Sending data.>Receiving data.
>Messages are encrypted.>Confidentiality.
>Messages have checksum.>Integrity.
>But SSID still broadcast in clear.
IC3-8 MPJ WLAN Security 33
Initialisation Vector
>IV must be different for every message transmitted.
>802.11 standard doesn’t specify how IV is calculated.
>Wireless cards use several methods>Some use a simple ascending counter for
each message.>Some switch between alternate ascending
and descending counters.>Some use a pseudo random IV generator.
IC3-8 MPJ WLAN Security 34
WEP attacks
> Statistical attack> If 24 bit IV is an ascending counter,> If Access Point transmits at 11 Mbps,> All IVs are exhausted in roughly 5 hours.> Passive attack:
> Attacker collects all traffic> Attacker could collect two messages:
> Encrypted with same key and same IV> So XORed with same key stream> Ciphertext 1 XOR Ciphertext 2 = Plaintext 1 XOR Plaintext 2> Statistical attacks to reveal plaintext
> More than two messages with same key and same IV…
IC3-8 MPJ WLAN Security 35
More WEP attacks
>If attacker knows plaintext and ciphertext pair>Key is known.>Attacker can create correctly encrypted
messages.>Access Point is deceived into accepting
messages.
IC3-8 MPJ WLAN Security 36
Limited WEP keys
>Some vendors allow limited WEP keys>User types in a password>WEP key is generated from passphrase>Passphrases creates only 21 bits of entropy
in 40 bit key.>Reduces key strength to 21 bits = 2,097,152>Remaining 19 bits are predictable.>21 bit key can be brute forced in minutes.
>http://www.lava.net/~newsham/wlan/
IC3-8 MPJ WLAN Security 37
Creating limited WEP keys
IC3-8 MPJ WLAN Security 38
Brute force key attack
>Capture ciphertext.>IV is included in message.
>Search all 240 possible secret keys.>1,099,511,627,776 keys>~100 days on a modern machine
>Find which key decrypts ciphertext to plaintext.
IC3-8 MPJ WLAN Security 39
128 bit WEP
>Vendors have extended WEP to 128 bit keys.>104 bit secret key.>24 bit IV.
>Brute force takes 10^19 years for 104-bit key.
>Effectively safeguards against brute force attacks.
IC3-8 MPJ WLAN Security 40
Key Scheduling Weakness
>Paper from Fluhrer, Mantin, Shamir, 2001.
>Two weaknesses:>Certain keys leak into key stream.
>Invariance weakness.
>If portion of PRNG input is exposed, >Analysis of initial key stream allows key to be
determined.>IV weakness.
IC3-8 MPJ WLAN Security 41
IV weakness
>WEP exposes part of PRNG input.>IV is transmitted with message.
>Attack is practical.>For 40 bit keys – WEP.>For 128 bit keys – enhanced WEP.
>Passive attack.>Non-intrusive.>No warning.
IC3-8 MPJ WLAN Security 42
Wepcrack
>First tool to demonstrate attack using IV weakness.>Open source, Anton Rager.
>Three components>Weaker IV generator.>Search sniffer output for weaker IVs &
record 1st byte.>Cracker to combine weaker IVs and selected
1st bytes.
>Cumbersome.
IC3-8 MPJ WLAN Security 43
Airsnort
>Automated tool>Cypher42, Minnesota, USA.>Does it all!>Sniffs>Searches for weaker IVs>Records encrypted data>Until key is derived.
>100 Mb to 1 Gb of transmitted data.>3 to 4 hours on a busy WLAN.
IC3-8 MPJ WLAN Security 44
802.11b safeguards
>Security Policy & Architecture Design>Treat as untrusted LAN>Discover unauthorised use>Access point audits>Station protection>Access point location>Antenna design
IC3-8 MPJ WLAN Security 45
Security Policy & Architecture
>Define use of wireless network>What is allowed >What is not allowed
>Holistic architecture and implementation >Consider all threats.>Design entire architecture
>To minimise risk.
IC3-8 MPJ WLAN Security 46
Wireless as untrusted LAN
>Treat wireless as untrusted.>Similar to Internet.
>Firewall between WLAN and Backbone.>Extra authentication required.>Intrusion Detection
>at WLAN / Backbone junction.
>Vulnerability assessments
IC3-8 MPJ WLAN Security 47
Discover unauthorised use>Search for unauthorised access points
or ad-hoc networks.>Port scanning
>For unknown SNMP agents.>For unknown web or telnet interfaces.
>Warwalking!>Sniff 802.11 packets>Identify IP addresses>Detect signal strength>NetStumbler, but may sniff your
neighbours…
IC3-8 MPJ WLAN Security 48
Access point audits
>Review security of access points. >Are passwords and community strings
secure?>Use Firewalls & router ACLs
>Limit use of access point administration interfaces.
>Standard access point config:>SSID>WEP keys>Community string & password policy
IC3-8 MPJ WLAN Security 49
Station protection>Personal firewalls
>Protect the station from attackers.
>VPN from station into Intranet>End-to-end encryption into the trusted
network.>But consider roaming issues.
>Host intrusion detection>Provide early warning of intrusions onto a
station.
>Configuration scanning>Check that stations are securely configured.
IC3-8 MPJ WLAN Security 50
Location of Access Points
>Ideally locate access points>In centre of buildings.
>Try to avoid access points>By windows>On external walls>Line of sight to outside
>Use directional antenna to “point” radio signal.
IC3-8 MPJ WLAN Security 51
802.1x Access Control for WLAN> 802.1x (IEEE)
> Data link layer protocol for port-based network access control
> Independent of physical layer, so wired or wireless
> Uses EAP (RFC 2284)> Extensible Authentication Protocol> Allows choice of authentication methods> Authentication chosen by peers> Access point doesn’t care about EAP methods
> Manages user and session WEP keys> Session key used for a limited time> User key for rekeying session key
> RADIUS server provides authentication service> Remote Authentication Dial In User Service> RFC 2138
IC3-8 MPJ WLAN Security 52
802.11 + 802.1X/EAPSupplicant Authenticator
AuthenticationServer
802.11 association
EAPOL-start
EAP-request/identity
EAP-response/identity
EAP-request (credentials)
EAP-response (credentials)
EAP-succcess
EAPOW-key (WEP)
RADIUS-access-request
RADIUS-access-challenge
RADIUS-access-request
RADIUS-access-accept
Access allowed
IC3-8 MPJ WLAN Security 53
Association and Authentication> 802.11 association happens first
> Open authentication> Provides access to the AP and allows an IP address to
be supplied
> Access beyond the AP is still prohibited> AP drops non-EAPOL traffic
> Authentication conversation between supplicant and authentication server> Wireless NIC and AP are pass through devices
> After authentication, AP allows traffic through
IC3-8 MPJ WLAN Security 54
EAP-MD5> Authentication server (AS) sends session ID
and challenge> Supplicant returns user name and MD5 hash of
session id, challenge and user password.> AS authenticates supplicant by verifying an
MD5 hash of each user's password.> Good for trusted Ethernets.> Not good for public Ethernets or wireless LANs
> Can sniff supplicant identities > Can sniff & use dictionary attack on
> plaintext session id, plaintext challenge & session id/challenge/password hash
> Can masquerade as access points to trick stations into authenticating with them - MITM
IC3-8 MPJ WLAN Security 55
EAP-TLS (RFC 2716)> EAP with Transport Layer Security is the only
standard secure option for wireless LANs at this time.
> Requires the station and RADIUS server to mutually authenticate
> Secured by an encrypted TLS tunnel> Fast reconnect via TLS session resumption for
roaming> Establishes session keys> Station's identity (the name bound to the
certificate) can still be sniffed. > Most attractive when using only Windows
XP/2000/2003 with deployed certificates.
IC3-8 MPJ WLAN Security 56
EAP-TLSSupplicant
AuthenticationServer
EAPOL-start
Request/identity
Response/TLS Certificate,TLS client key ex, TLS CCS,
Certificate verify, TLS Fin
Response/identity
Response/TLS Client Hello
Request/TLS Server Hello, Certificate,
Certificate Request, Server Done
Request/TLS Start
EAP-request/TLS CCS, TLS Fin
802.11 Association
Response
EAP-Success
Authenticator
IC3-8 MPJ WLAN Security 57
EAP-TTLS & PEAP> EAP with Tunnelled TLS (EAP-TTLS)> Protected EAP (PEAP)> Both are Internet Drafts
> To simplify 802.1X deployment. > Both require certificate-based RADIUS server
authentication> No certificate-based authentication of client> Both support an extensible set of user authentication
methods.
> Can use Windows Domain Controllers, Active Directories, and other existing user databases.
> As strong as EAP-TLS to sniffing attacks. > User passwords can be guessed, shared, or
disclosed.
IC3-8 MPJ WLAN Security 58
EAP summary
EAP-MD5 EAP-TLS EAP-TTLS PEAP
Server Authentication
NonePublic Key
(Certificate)Public Key
(Certificate)Public Key
(Certificate)
Supplicant Authentication
Password hashPublic Key
(Certificate or Smart Card)
CHAP, PAP, MS-CHAP(v2), EAP
Any EAP, like EAP-MS-CHAPv2 or
Public Key
Dynamic Key Delivery
No Yes Yes Yes
Security Risks
Identity exposed, Dictionary attack, Man-in-the-Middle
(MitM) attack
Identity exposed MitM attack MitM attack
IC3-8 MPJ WLAN Security 59
802.11i / WPA> Draft standard> Will apply to 802.11 a, b & g> Uses 802.1X & EAP as authentication
framework> Temporal Key Integrity Protocol (TKIP)
> RC4 still used> 128 bit temporal key shared with all clients> Per-packet key from temporal key, MAC address &
16 bit initialisation vector> Temporal key regenerated every 10,000 packets> Only firmware upgrade required
> AES> AES cipher replaces RC4> Will require new hardware
IC3-8 MPJ WLAN Security 60
Any Questions?
IC3-8 MPJ WLAN Security 61
Demonstration