Transcript The Art and Science of Penetration Testing

802.11 Security
Past, Present, and Future
Chris Shutters, CISSP
February 2004
[email protected]
What We Will Cover
• Introduction - What is 802.11?
• Relationship Between 802.11 and Wi-Fi
• Original 802.11 Security Goals
• Original 802.11 Security
• Original Vulnerabilities
• Tools
• How to Secure Original 802.11
• Current 802.11 Security
• WPA Protocol Stack
• Future 802.11 Security
• Final Thoughts
Introduction - What is 802.11?
• A set of standards for wireless networking
–
Addresses LANs where devices
 Communicate over ‘airwaves’ (radio or infrared)
 Are within (relatively) close proximity to each other
• Wireless devices may communicate
–
–
Directly with each other (independent or ad-hoc networks)
Via an Access Point (AP) (infrastructure mode)
• Data rates
–
–
–
802.11b: up to 11 Mbps (2.4 GHz frequency range)
802.11a: up to 54 Mbps (5 GHz frequency range)
802.11g: up to 54 Mbps (2.4 GHz frequency range)
Relationship Between 802.11 and Wi-Fi
• 802.11 is a series of standards produced by the IEEE
–
Specify technical details such as:
 Radio frequencies
 Modulation methods
 Protocol messages
• Wi-Fi is an alliance of major 802.11 manufacturers
–
–
–
Focus is on interoperability testing
Interoperability is defined by a set of “gold standard” products
Products are tested and certified as Wi-Fi compliant
Original 802.11 Security Goals
• Authorization
–
Verify that all mobile stations are authorized to access the
network
• Privacy
–
–
Implement security such that there is no privacy difference
between wireless and wired LANs
Maintain data privacy from all unauthorized stations
Original 802.11 Security
• Two authentication methods available
–
Open system authentication
 Station 1 sends Service Set ID (SSID) to station 2
 Station 2 accepts or rejects station 1 based on
knowledge of SSID
 APs can be configured to accept the broadcast SSID
–
–
Thus allowing anyone to access the AP
Shared key authentication
 Stations respond to an authentication challenge from an
AP or other device
–
AP sends a challenge to be encrypted by the station
– Station encrypts the challenge with shared key
– AP decrypts challenge and grants or denies authentication
based on decryption results
Original 802.11 Security (cont.)
• Wired Equivalent Privacy (WEP)
–
–
–
–
Encryption algorithm: RC4 (symmetric stream cipher)
 Requires shared key for all communicating stations
Key length: either 40 or 104 bits (plus 24 bit initialization
vector [IV])
Each data frame is encrypted separately with a different IV
Key management: not addressed by 802.11
• WEP key details
–
RC4 encryption key is constructed by appending IV to
shared key
24 possible encryption keys for each shared key
 2
Original 802.11 Security (cont.)
Original 802.11 Security (cont.)
• Data integrity is protected with a Message Integrity
Code (MIC)
–
The 32-bit Cyclic Redundancy Check (CRC-32) algorithm
was chosen to implement the MIC
 Bad choice, as CRC-32 was originally designed to detect
random changes to data, not to protect against malicious
tampering
 An attacker can reliably change both the data and the
CRC-32 value such that the CRC-32 matches the altered
data
Original Vulnerabilities
• Traffic sniffing
–
–
–
–
–
Easier to perform on wireless than on traditional wired LANs
SSID is always sniffable when stations associate to an AP
If WEP is not being used
 Plaintext data frames can be sniffed
If WEP is being used
 Ciphertext data frames can be sniffed
 Accumulation of ciphertext data leads to many interesting
attacks
For APs connected to other LANs
 Broadcast traffic should be available
 Vulnerable to ARP spoofing
Original Vulnerabilities (cont.)
• Insertion – connecting an unauthorized station into a
Wireless LAN
–
–
Easy if WEP not being used
 Try broadcast SSID
 Sniff SSID and use it to gain access
 Request DHCP address
 If no DHCP, try a 192.168.1.x address
If WEP is being used
 Can still do many things…
• Authentication problems
–
Currently, authentication only performed by SSID or WEP key
 Both of these methods may be sniffed and duplicated
Original Vulnerabilities (cont.)
• WEP problems
–
–
–
Inappropriate choice of encryption algorithm
 With stream ciphers, it is unsafe to ever reuse a key
Key management problems
 Because this issue is not addressed by 802.11, the
shared key is rarely if ever changed
Keyspace problems
 Reuse of IVs is inevitable
–


For randomly-selected IVs: due to Birthday Paradox, it is
99% likely that at least one IV will be reused every 12,500
frames
On a moderately loaded AP, keyspace will be exhausted
in a few hours
Capture of large amounts of frames can lead to
compromise of shared key
Original Vulnerabilities (cont.)
–
Known plaintext attacks
 If the plaintext and corresponding ciphertext of a
message can be obtained, the RC4 keystream for that IV
can be recovered
–
As discussed before, the shared key authentication
method does this for us!
– Note: No knowledge of the shared key is required, except
the fact that it hasn’t changed

Once at least one RC4 keystream has been recovered,
one can
–
Authenticate to the network
– Insert messages into the network
Original Vulnerabilities (cont.)

Often, attacker can inject known plaintext
–
HTTP requests
– PING packets


Known plaintext in a packet allows immediate recovery of
the keystream for that particular IV!
A Decryption Dictionary can be assembled
–
–
–
Table indexed by IV that contains recovered keystreams
 Approximately 23 GB required for 24 bit IVs
 Dictionary is the same size for 40 and 104 bit
encryption!
When a new packet that uses a known IV is captured, just
look up the keystream and decrypt the data!
Many implementations reset IVs to zero when initialized,
and sequentially increment IVs
 In this case the dictionary won’t have to be very big to
be able to decrypt a significant percentage of traffic
Original Vulnerabilities (cont.)
• Misconfiguration
–
–
–
–
Default SSID not changed
Broadcast SSID not disabled
Default passwords not changed
WEP not enabled
Tools
• NetStumbler (http://www.netstumbler.com/)
–
–
–
Windows application that sniffs for presence of wireless
traffic
When it detects traffic, it logs
 MAC address
 SSID
 Manufacturer
 Channel
 WEP enabled (yes or no)
 Signal strength
 Signal to noise ratio
If you have GPS data available, it will also log coordinates
Tools (cont.)
• AiroPeek NX
(http://www.wildpackets.com/products/airopeek_nx)
– Commercial 802.11 sniffer and analyzer
– Performs full decode of all 802.11 traffic as well as higherlevel network protocols
Tools (cont.)
Tools (cont.)
• AirSnort (http://airsnort.shmoo.com/)
– Wireless LAN WEP key recovery program
– Sniffs and stores traffic until key can be computed
 Typically requires capture of between five to ten
million encrypted packets
– Implements attack against RC4 Key Scheduling
Algorithm Weakness
(http://downloads.securityfocus.com/library/rc4_ksaproc.pdf)
 This is commonly known as the FMS attack (for the initials of
the discoverers of the attack)
 Looks for frames that were encrypted with “weak” RC4 keys
(approximately 3,000 out of the 16+ million possible keys)
 Once approximately 2,000 “interesting” frames have been
gathered, the key can be computed
Tools (cont.)
• Kismet (http://www.kismetwireless.net/)
–
–
Linux program for sniffing wireless traffic
Will log the following information
 Networks found
 Captured packets in binary format (suitable for later
replay and analysis)
 Cryptographically “weak” packets (like AirSnort)
 IP address blocks in use (via ARP and DHCP analysis)
 All Cisco products that announce themselves via Cisco
Discovery Protocol (CDP)
How to Secure Original 802.11
•
Place the WLAN in a DMZ and require VPN authentication for
access to internal systems
–
•
•
•
•
•
•
•
•
•
•
Systems may still be individually attackable by rogue mobile stations
Enable WEP
Use 128 bit WEP encryption
Change shared keys on a regular basis
Change default SSID
Don’t make SSID something obvious (company name, street
address, etc)
Disable acceptance of “broadcast SSID”
Disable broadcasting of SSID
Change default passwords on all equipment
If possible, restrict access by MAC addresses
Consider not using DHCP (statically assign addresses)
Current 802.11 Security
• Wi-Fi Protected Access (WPA) is the current “state of
the art” in 802.11 security
–
–
Why? To specifically address WEP weaknesses in a timely
manner
 Most existing equipment can implement WPA with a
firmware update
First, use of the Temporal Key Integrity Protocol (TKIP) is
specified
 CRC is replaced with a MIC called Michael
–
New algorithm
– Compromise between security and ability to be
implemented in current hardware
– Can potentially be brute-forced
 However, countermeasures are implemented to detect
and respond to brute-force attacks
Current 802.11 Security (cont.)

IV size increased from 24 to 48 bits
–
IVs mandated to be used in sequential order
– IV rollover or reuse won’t happen for hundreds of years
– IV is also used as a replay detector/preventer

The secret key used to encrypt packets is changed for
every packet, using Per-Packet Key Mixing
–
Static Master and Session keys exist, but they are not
directly used to encrypt packets
– Thus, the tactic of accumulating large amounts of
ciphertext to attack a static secret key will no longer work

Countermeasures
–
The countermeasure against a Michael brute-force attack
is to halt all network traffic on the attacked device for one
minute
 This limits attacker to one attempt per minute
 The network interruptions should (in theory) be noticed
by network support personnel
Current 802.11 Security (cont.)
–
–
Second, use of the Extensible Authentication Protocol (EAP)
is specified
 This is a simple protocol, designed to transport arbitrary
authentication information (originally designed for dialup)
 For communication between mobile station and AP, EAP
over LAN (EAPOL) is used
 For communication between AP and authentication
server, EAP over RADIUS is used
Third, use of the 802.1X protocol is specified
 802.1X was designed to implement access control at the
point where a user joins the network
–


Multiple lower-level protocols can implement 802.1X
WPA specifies EAPOL as the 802.1X protocol used
between mobile station and AP
WPA specifies RADIUS as the 802.1X protocol used
between AP and authentication server
Current 802.11 Security (cont.)
Please note that 802.1X has been shown to be
vulnerable to man-in-the-middle and session hijacking
attacks (http://www.cs.umd.edu/~waa/1x.pdf)
Fourth, use of Transport Layer Security (TLS, the RFC
standardized version of SSL) is specified
 TLS is transported over EAP
 It is utilized specifically for authentication
 This implies existence of a PKI infrastructure for
managing keys and certificates

–
–
–
May be non-trivial to implement such an infrastructure
Fifth, specific methods of cryptographic key management
are specified
 Each authenticated mobile station receives:
–
A pairwise key that is used to protect communications
between it and the AP
– A group key that is used to protect broadcast or multicast
data
WPA Protocol Stack
Security Communication Between
Mobile Station and Access Point
TLS (RFC2246)
TLS over EAP (RFC2716)
EAP (RFC2284)
802.1X EAPOL
802.11
WPA Protocol Stack (cont.)
Security Communication Between
Access Point and Authentication Server
TLS (RFC2246)
TLS over EAP (RFC2716)
EAP (RFC2284)
EAP over RADIUS (RFC2869)
RADIUS (RFC2865)
TCP/IP
802.3 (or other)
Future 802.11 Security
• The 802.11i standard is close to being finalized and
published
–
–
WPA was designed to be upwardly compatible with 802.11i
802.11i defines a Robust Security Network (RSN)
 RSN utilizes almost all of the protocols specified in WPA,
but includes some additional changes/options
 First, use of the Advanced Encryption Standard (AES) is
required,
–
This replaces RC4
– AES can not be implemented in the majority of existing
hardware
Future 802.11 Security (cont.)

Second, the WPA MIC is replaced by Cipher Block
Chaining – Message Authentication Code (CBC-MAC)
–

This is a new implementation of CBC-MAC using AES, but
based upon previous implementations of CBC-MAC using
other crypto algorithms
Third, TKIP is replaced by Counter Mode – CBC-MAC
Protocol, or CCMP (RFC 3610)
–
This is basically an implementation of a protocol similar to
TKIP, only based on AES instead of RC4
– What RC4 is to TKIP, AES is to CCMP
Future 802.11 Security (cont.)

Fourth, multiple additional upper-layer authentication
mechanisms (at the same layer as TLS) are specified
–
Kerberos V5 (RFC 1510) is a well-known, centralized
authentication and authorization system
– Protected EAP (PEAP) provides a way to do EAP
negotiation while not exposing authentication tokens (e.g.
passwords, password hashes, or identity credentials) to
sniffing attacks
 Currently a draft internet standard
(http://www.ietf.org/internet-drafts/draft-josefssonpppext-eap-tls-eap-07.txt)
– EAP-SIM is based on an authentication method used in
cellular networks
Final Thoughts
• Original 802.11 networks can be secured, but it is not
easy
• WPA is a dramatic improvement over original 802.11
security
• 802.11i will likely be even better, but implementation
will almost assuredly require updated hardware
• Questions?