WLAN Security
Wireless LANsJune – September 2009
1
��. ��. ���� �� ����
Assoc. Prof. Anan Phonphoem, [email protected]
http://www.cpe.ku.ac.th/~anan
Computer Engineering Department
Kasetsart University, Bangkok, Thailand
Outline
• Secure Communication• Security Mechanisms• Security Threats
Secure Communication
2
• Security Threats• IEEE 802.11 Security• WLAN security management
What is Secure Communication?
• Secrecy
3
• Secrecy•Only you and me, no one else
• Authentication• Identify that is real you
• Message Integrity•Message is not altered
Secrecy
• Privacy or confidentiality• Cannot block the sniffer!• Requires encryption/decryption mechanism
4
• Requires encryption/decryption mechanism• Encryption at the sender•Decryption at the receiver using a public or
private (secret) key
Authentication
• Confirms the identity of the communicating party
• Assures the real sender and real receiver
5
• Assures the real sender and real receiver
Message Integrity
• Data integrity •Data is transmitted from source to destination
without undetected alteration
• Non-repudiation
6
• Non-repudiation• Prove that a received message came from a
claimed sender
Wireline VS. Wireless Security
7
Wireless Magnifies Vulnerability
• Traditional wireline link•Benefits from physical security•Access to the wire is required •
8
•Access to Switch/Hub is required
• Wireless link• Extended range beyond a room or a building• Easy to eavesdrop
Vulnerable: ออนแอ ไมมั่นคง
Trust
• Communicate to unseen devices• Physically hidden (End user, AP, …)• Problem on both home and foreign networks
•
9
• Service provider maybe not trustable•Access points•DHCP servers• Intermediate nodes
End-to-End/Link Security
End-to-End Security
Link Security
10
Internet
End-to-End/Link Security
• End-to-end security• Provided by Network layer (e.g., IPsec),•Transport layer (e.g., SSL)•Application layer (e.g., app.-specific)
11
•Application layer (e.g., app.-specific)• Link security
• Provided by Link layer • e.g., IEEE 802.11 WEP, WPA, or IEEE 802.11i
Outline
• Secure Communication• Security Mechanisms
• Security Threats
����
12
• Security Threats• IEEE 802.11 Security• WLAN security management
Security Mechanisms
• Cryptography• Authentication
13
Cryptography
Plaintext
Encryption
KACiphertext
Decryption
KBPlaintext
14
• Symmetric (private) key cryptography• Sender and receiver keys are identical (KA = KB)
• Asymmetric (public) key cryptography• Sender (encryption) key (KA) is public• Receiver (decryption) key (KB ≠ KA) is private
Public Key Cryptography
• Unlike a private key system, one can publish the key for encryption in a public key encryption system
KB+
Public key
15
Decryption
KB-
Encryption
Ciphertext
KB+(m)
Plaintext
m
Plaintext
m = KB-(KB
+(m))
Public key
Private key
Authentication (Private Key)
• Authentication can be implemented with symmetric (private) key cryptography
Claim “A”
A B
16
Claim “A”
RGenerate aone-time “nonce”
K(R)
encrypt
R����decrypt
nonce: ชั่วขณะหนึ่ง
Authentication (Public Key)
• Use of public key avoids shared key problem• Vulnerable to “man-in-the-middle” attack
Claim “A”
A B
KA+: A’s public key
17
R
KA-(R)
KA+
Compute K A+(KA
-(R)) = R ����
Sender must have used private key of A, so it is A
Key Request
KA : A’s public keyKA
-: A’s private key
Outline
• Secure Communication• Security Mechanisms• Security Threats
��������
18
• Security Threats• IEEE 802.11 Security• WLAN security management
Typical WLAN Topology
Internet
19
LAN
Types of AttacksSniffing
•Eavesdrop network traffic•SSID broadcast is full text
Internet
20
LAN
Types of AttacksSpoofing
•Impersonate legitimate device credentials, like MAC address
Internet
21
LAN
Types of AttacksJamming
•Introduction of radio signals that prevent WLAN operations
Internet
22
LAN
Types of AttacksSession Hijacking•Hacker disconnects the
legitimate user but makes AP think that user is still connected
Internet
23
LAN
Types of AttacksDoS
•Flood the network with useless traffic (e.g.repeated login
requests) and eventually shut it down
Internet
24
LAN
Types of AttacksMan in the Middle
•All WLAN traffic from devices is passed through the rogue device
•Lack of strong AP level authentication
Internet
25
LAN
Types of Attacks
WarDriving
Driving around town looking for unprotected WLAN connections to
get Internet access
26
Netstumbler with GPS
27
Netstumbler
28
War Driving
29
Smiley's Team
War Driving in KU
30
Outline
• Secure Communication• Security Mechanisms• Security Threats
������������
31
• Security Threats• IEEE 802.11 Security• WLAN security management
����
Authentication & Encryption Std
TLS
MSFTIETF
PEAP
CSCO/MSFTIETF
CertificateCredentials Username/Password
32
EAP
802.1x
WPA-TKIP 802.11i
RC4Encryption Algorithms
Authentication Protocols
Encryption Standards WEP
RC4 AES
Dan Ziminski & Bill Davidge
Built-in WLAN Security
• Wired Equivalent Privacy (WEP)• Provides encryption based on RC-4 cipher
• 802.1x• Provides authentication using Extensible
33
• Provides authentication using Extensible Authentication Protocol (EAP)
• Wi-Fi Protected Access (WPA)• Uses dynamic keys and advanced encryption
• 802.11i• Advanced encryption and authentication
802.11b Security Services
• Two security services provided:• Authentication
• Shared Key Authentication
•
34
• Shared Key Authentication
• Encryption•Wired Equivalence Privacy
Wired Equivalence Privacy
• Shared key between• Stations & AP
• Extended Service Set• All AP will have same shared key• All AP will have same shared key
• No key management• Shared key entered manually into
• Stations & AP
• Key management nightmare in large wireless LANs
35
RC4
• Ron’s Code number 4• Symmetric key encryption• RSA Security Inc.• Designed in 1987•
36
• Designed in 1987• Trade secret until leak in 1994
• can use key sizes from 1 bit to 2048 bits• generates a stream of pseudo random bits
• XORed with plaintext to create ciphertext
Wired Equivalent Privacy (WEP)
Pseudo-RandomNumber Generator
Key Sequence
Secret Key (40-bit or 128-bit)
InitializationVector (IV)
IV
37
IntegrityAlgorithm(CRC-32)
Number GeneratorRC-4
+
BitwiseXOR
Plain Text
Cipher Text
Integrity CheckValue (ICV)
WEP – Sending Side
Pseudo-RandomNumber Generator
RC-4
+
BitwiseXOR
Plain Text
Cipher Text
Key Sequence
Secret Key (40-bit or 128-bit)
InitializationVector (IV)
IV
38
IntegrityAlgorithm(CRC-32) Integrity Check
Value (ICV)
WEP – Receiving Side
Pseudo-RandomNumber Generator
RC-4
BitwiseXOR
Cipher Text
Plain Text + ICV
Key Sequence
Secret Key (40-bit or 128-bit)
InitializationVector (IV)
Plain Text
39
IntegrityAlgorithm(CRC-32)
ICV
compare
Shared Key Authentication
• When station requests association with AP• AP sends random number to station• Station encrypts random number
• uses RC4, 40 bit shared secret key & 24 bit IV• uses RC4, 40 bit shared secret key & 24 bit IV
• Encrypted random number sent to AP• AP decrypts received message
• uses RC4, 40 bit shared secret key & 24 bit IV
• AP compares decrypted random number to transmitted random number
• If numbers match, station has shared secret key
40
WEP Safeguards
• Shared secret key required for:• Associating with an access point• Sending & Receiving data
• Messages are encrypted• Confidentiality
41
• Confidentiality• Messages have checksum
• Integrity• But management traffic still broadcast in clear
containing SSID
Initialisation Vector (IV)
• IV must be different for every message transmitted
• 802.11 standard doesn’t specify how IV is calculatedcalculated
• Wireless cards use several methods• Some use a simple ascending counter for each
message• Some switch between alternate ascending and
descending counters• Some use a pseudo random IV generator
42
Passive WEP attack
• If 24-bit IV is an ascending counter and AP transmits at 11 Mbps
• All IVs are exhausted in roughly 5 hours• Passive attack:• Passive attack:
• Attacker collects all traffic• Attacker could collect two messages:
• Encrypted with same key and same IV• Statistical attacks to reveal plaintext• Plaintext XOR Ciphertext = Keystream
43
Active WEP attack
• If attacker knows plaintext and ciphertext pair• Keystream is known• Attacker can create correctly encrypted messages• AP is deceived into accepting messages
•
44
•• Bitflipping
• Flip a bit in ciphertext• Bit difference in CRC-32 can be computed
Limited WEP keys
• Some vendors allow limited WEP keys• User types in a passphrase• WEP key is generated from passphrase• Passphrases creates only 21 bits of entropy in 40-bit
45
• Passphrases creates only 21 bits of entropy in 40-bit key• Reduces key strength to 21 bits = 2,097,152• Remaining 19 bits are predictable• 21-bit key can be brute forced in min.
• www.lava.net/~newsham/wlan/WEP_password_cracker.ppt
Creating limited WEP keys
46
Brute force key attack
• Capture ciphertext• IV is included in message
• Search all 240 possible secret keys•
47
• Search all 2 possible secret keys• 1,099,511,627,776 keys•~170 days on a modern laptop
• Find which key decrypts ciphertext to plaintext
128 bit WEP
• Vendors have extended WEP to 128 bit keys• 104 bit secret key.• 24 bit IV.
• Brute force takes 10^19 years for 104-bit key
48
• Brute force takes 10^19 years for 104-bit key• Effectively safeguards against brute force
attacks.
Key Scheduling Weakness
• Paper from Fluhrer, Mantin, Shamir, 2001.• Two weaknesses:
•Certain keys leak into key stream.•
49
•Certain keys leak into key stream.• Invariance weakness.
• If portion of PRNG input is exposed, •Analysis of initial key stream allows key to be
determined.• IV weakness.
IV weakness
• WEP exposes part of PRNG input.• IV is transmitted with message.• Every wireless frame has reliable first byte
• Sub-network Access Protocol header (SNAP) used in logical link control layer, upper sub-layer of data link layer.
•
50
link control layer, upper sub-layer of data link layer.• First byte is 0xAA
• Attack is:• Capture packets with weak IV• First byte ciphertext XOR 0xAA = First byte key stream• Can determine key from initial key stream
• Practical for 40 bit and 104 bit keys• Passive attack.
• Non-intrusive / No warning.
Wepcrack
• First tool to demonstrate attack using IV weakness• Open source, Anton Rager
• Three components• Three components• Weaker IV generator• Search sniffer output for weaker IVs & record 1st byte• Cracker to combine weaker IVs and selected 1st bytes
• Cumbersome
51
Airsnort
• Automated tool• Sniffs• Searches for weaker IVs•Records encrypted data
52
•Records encrypted data•Until key is derived
• 100 Mb to 1 Gb of transmitted data• 3 to 4 hours on a very busy WLAN
Avoid the weak IVs
• FMS described a simple method to find weak IVs• Many manufacturers avoid those IVs after 2002• Therefore Airsnort and others may not work on recent hardware
• However David Hulton aka h1kari•
•• Properly implemented FMS attack which shows many more weak
IVs• Identified IVs that leak into second byte of key stream.• Second byte of SNAP header is also 0xAA• So attack still works on recent hardware• And is faster on older hardware• Dwepcrack, weplab, aircrack
53
Generating WEP traffic
• Not capturing enough traffic?•Capture encrypted ARP request packets•Anecdotally lengths of 68, 118 and 368 bytes
appear appropriate
54
appear appropriate•Replay encrypted ARP packets to generate
encrypted ARP replies•Aireplay implements this
Wired Equivalent Privacy (WEP)
• Provides rudimentary 40-bit/128-bit encryption• RC-4 cipher• Weak Point is IV not RC-4• Static encryption keys must be changed
55
• Static encryption keys — must be changed manually
• Attacker’s tools: Airsnort, Yellowjacket, Airfart• Encryption keys can be cracked• Default setting is “OFF”
802.1x — A New Hope
• Provides secure access using port control• Uses EAP (Extensible Authentication Protocol)• Supports Kerberos, smart cards, one-time
passwords, etc.
56
passwords, etc.• Components required:
• Wireless device• AP• Authentication server, typically Remote Authentication
Dial-in User Service (RADIUS)
Authentication & Encryption Std
TLS
MSFTIETF
PEAP
CSCO/MSFTIETF
CertificateCredentials Username/Password
57
EAP
802.1x
WPA-TKIP 802.11i
RC4Encryption Algorithms
Authentication Protocols
Encryption Standards WEP
RC4 AES
Dan Ziminski & Bill Davidge
How 802.1x Works
User requests connection
AP requests user ID
Wireless Device Access Point Authentication Server (RADIUS)
58
AP requests user ID
User sends ID
RADIUS confirms credentials
AP requests user credentials
User sends AP credentials AP sends credentials to RADIUS
RADIUS asks for credentials
AP requests RADIUS connection for user
AP confirms credentials
If credentials are correct, user is given access to the network through the AP, according to policies enforced by the authentication server
802.1x EAP-TLS Authentication
Client digital certFrom XYZ CA
59
StationSupplicant
Access PointAuthenticator RADIUS Server
AuthorizerServer Digital certFrom XYZ CA
Dan Ziminski & Bill DavidgeEAP-TLS :EAP -Transport Layer Security
802.1x PEAP authentication
StationSupplicant
Access PointAuthenticator
Digital certFrom XYZ CA
Phase 1 :Authenticate AP. Secure tunnelto AP using TLS
60
Supplicant Authenticator
Phase 2 :Password authenticationwith directory server
Username: ABCPassword: encrypted
Success/Fail
Dan Ziminski & Bill DavidgePEAP: Protected Extensible Authentication Protocol
802.1x — The Downside
• Only does authentication• Encryption is still required• If used with WEP, the encryption keys are still
static even though the authentication keys
61
static even though the authentication keys change
• Authenticator and device must use the same authentication method
• Only supports client-level authentication
WPA (Wi-Fi Protected Access)
802.1XSupport for a Mixture of WPA and WEP Wireless
Clients
Certification by the Wi-Fi Alliance
62
TKIP and MIC WPA
AES
Clients
WPA (Wi-Fi Protected Access)
• WPA = 802.1X + TKIP•WPA requires authentication and encryption• 802.1X authentication choices include LEAP,
PEAP, TLSPEAP, TLS
• WPA has strong industry supporters •Widespread adoption of WPA• It is an interim standard
63
WPA – Fixed WEP’s Problems
• IV changes to 48 bits with no weak keys (900 years to repeat an IV at 10k packets/sec)
• Use IV as a replay counter
64
• Use IV as a replay counter• Message integrity Code (MIC)• Per-packet keying
Dan Ziminski & Bill Davidge
Temporal Key Integrity Protocol (TKIP)
48 bit IV16 bit lower IV32 bit upper IV Per-Packet-KeyIVIV d
104 bits24 bits
128 bits
• Per packet keying• Fixes the weaknesses of WEP key generation but still uses the RC4 algorithm
65
Key mixing Key mixing
Session Key
MAC Address
Dan Ziminski & Bill Davidge
In November 2008, reported crack (for a short message)
ICV data integrity problem
• 32-bit (4-byte)integrity check value (ICV)• appended to the 802.11 payload• encrypted with WEP
• Although the ICV is encrypted• Although the ICV is encrypted• can use cryptanalysis to change bits in the encrypted
payload • update the encrypted ICV without being detected by
the receiver
66
Message Integrity Code (MIC)
• Also called “Michael”• Solve ICV problem• new algorithm that calculates an 8-byte MIC
• The MIC is placed between the data portion and the 4-• The MIC is placed between the data portion and the 4-byte ICV
• The MIC field is encrypted together with the frame data and the ICV
• also provides replay protection
67
802.11i
• Mutual authentication• Dynamic session key• Message Integrity Check (MIC)• Temporal Key Integrity Protocol (TKIP)
68
• Temporal Key Integrity Protocol (TKIP)• Initialization vector sequencing• Rapid re-keying• Per-packet key hashing
• Stronger encryption schemes, such as AES
802.11i and WPA Pitfalls
• Keys can be cracked using much less than 10,000 packets
• Michael feature — shuts down AP if it
69
• —receives two login attempts within one second. Hackers can use this to perpetrate a DoS attack
WPA2
• implements the mandatory elements of 802.11i
• a new AES-based algorithm•• a new AES-based algorithm• CCMP (Counter Mode with Cipher Block
Chaining Message Authentication Code Protocol) -- fully secure � Replace TKIP
• Since 2006, WPA2 certification is mandatory for all new devices
70
Encryption Effects
Wireless Encryption
Type
Desktop Control Needed
Cost to Implement
Difficult to Manage
Vendor Support Problems
Vulnerable to Attack
none low low low low high
71
WEP medium low high low medium
WPA TKIP high high high medium low
802.11i AES high high high high none
VPN high high medium low none
Dan Ziminski & Bill Davidge
End-to-End/Link Security
End-to-End Security
Link Security
72
Internet
VPN Authentication & Encryption
StationAccess Point VPN Gateway
LAN
73
LAN
IPSEC VPN Tunnel
Dan Ziminski & Bill Davidge
Web Authentication
StationAccess Point
Web auth security device
LAN
74
HTTPSLogin page
BackendRADIUSServer
Dan Ziminski & Bill Davidge
Authentication Type
Wireless Auth Type
Desktop Control Needed
Cost to Implement
Difficult to Manage
Vendor Support Problems
Vulnerable to Attack
VPN high high medium low low
WEP medium low high low high
75
WEP medium low high low high
802.1x EAP TLS
ceritficates
high high high medium low
802.1x PEAP medium medium medium medium low
Web Auth low low medium low medium
Dan Ziminski & Bill Davidge
Outline
• Secure Communication• Security Mechanisms• Security Threats
������������
76
• Security Threats• IEEE 802.11 Security•WLAN security management
��������
Wireless Security Concerns
• Management of device security• Corruption of data sent to wireless devices• Malicious code (viruses, Trojans, worms)
77
• Malicious code (viruses, Trojans, worms)• Unauthorized users• Confidentiality of data sent wirelessly• Security of data stored on a handheld
device
WLAN security management
• Open Access• No WEP• Broadcast Mode
• Basic Security•
78
• Basic Security• 40-bit, 128-bit, 256-bit Static Encryption Key
• Enhanced Security• Dynamic Encryption Key / Scalable Key Management • Mutual 802.1x/EAP Authentication• TKIP/WPA
• Traveling Security• Virtual Private Network (VPN)
Wireless Policy Issues
• Policy needs to dictate permitted services and usage
• Needs a means of identifying and enforcing wireless policies
79
wireless policies• Existing organization security policies need to be
updated to cater to wireless security issues• Policy needs to indicate how access will be
controlled, for instance, time of day
Wireless Policy Issues
• All access needs to be logged• User compliance and standards
enforcement•
80
enforcement• Centralized control of security policies• Wireless intrusion alert issues• Process to update client software levels• Intrusion detection policies
Knows Your Organization
2
3
4
User Involvement, Awareness and Roles
Key Password QualityProcess Management and Standards
Weakness
81
1
2User and
Key Administration
Environment Integrity and Robustness
Network Security and Technology Issues
ClientSecurity
ApplicationSecurity
Audits and Controls, and IDS
Strength
Weakness
Weakness
More Security
A laptop in your network connecting to a neighboring Wi-Fi network exposing your corporate data.
Neighbor’s Network
Hacker attacking your network through an unofficial connection with a misconfigured AP.
Misconfigured Access Point
DO NOT
ENTER
DO NOT
ENTER
DO NOT
DO NOT
ENTER
82
Hacker attacking your network through an internal laptop acting as an unofficial software access point.
Unofficial Access Point
Rogue Access PointHacker attacking your network through an unofficial access point connected to the network.
DO NOT
ENTER
More Secure WLAN Topology
Internet
83
LAN
RADIUS
Client Differentiation
Channel: 1 SSID: Laptop VLAN: 1
802.1Q wired network with
VLANs
84
Channel: 6 SSID: PDA VLAN: 2
Channel: 11 SSID: Phone VLAN: 3
SSID: Laptop VLAN: 1
SSID: PDA VLAN: 2
Client Differentiation
802.1Q wired network with
VLANs
85
SSID: PDA VLAN: 2
SSID: Phone VLAN: 3
Conclusions
• Wireless technology is becoming embedded• Notebooks, PDAs, cell phones, etc.
• WLAN is currently unsecure• 802.11 WEP security is insufficient for the enterprise
86
• 802.11 WEP security is insufficient for the enterprise• WPA, WPA2/802.11i offer great improvements
• People, processes, policies and architecture are required to deploy WLAN securely
References
• “WLAN teaching materials” by Anan Phonphoem, Computer Engineering Dept., Kasetsart University
• “Who’s Watching Your Wireless Network?” by Ian Hameroff, Computer Associates, eTrust™ Security solutions, CA World 2003
• “Wireless Configuration and Security Issues” by Greg Gabet, IBMGS, CA world 2003
• “Addressing the Challenges of Adopting Secured Mobility in the Enterprise”
87
• “Addressing the Challenges of Adopting Secured Mobility in the Enterprise”by Hans-Georg Büttner, Ernst & Young IT-Security GmbH, Germany, CA World 2003
• “Wireless Local Area Network Security” by Robert Simkins, University of Derby, UK
• “WLAN Security” , Matthew Joyce, Rutherford Appleton Laboratory, CCLRC • Wireless LAN Security, Threats & Countermeasures, By Joseph Tomasone, Senior
Network Security Engineer, Fortress Technologies, Inc., Session 8, August 10, 2005, Infragard National Conference 2005
• CSG 256 Final Project Presentation, by Dan Ziminski & Bill Davidge