Wi-Fi security


WLAN Security Basics
Security Basics
• Authentication and Access Control
– Who are you?
– What can you do/see?
• Encryption
– Protecting the data (transit and storage)
• Integrity
– Preventing modification, insertion
• Availability
Eavesdropping is easy in wireless
• The air is open. Anyone who gets close enough to the
access point can receive the signal. Without any security
measure, there is a good chance that your neighbors can
use your internet access and reach the files shared by
computers in your home.
Making the Connection
• State 1: Unauthenticated, Unassociated
• State 2: Authenticated, Unassociated
• State 3: Authenticated, Associated
Authentication
• Found an AP?
– Try to authenticate with AP having desired SSID
and strongest signal
• Station sends AP an Authentication management frame
• AP’s response depends on authentication method
• Authentication Methods
– Open System: anyone can join
– Shared Key: only stations that possess the same
shared secret as the AP can join, but this provides only
very weak protection: the same key is used by the AP
and all the stations, and no per-station credential is
needed.
• Later…Deauthenticate
Association
• Authenticated?
– Try to associate with AP
• Station sends AP an Associate Request management
frame carrying desired SSID, supported data rates, and
station’s capabilities
• AP’s Associate Response carries Association ID,
supported data rates, and AP’s capabilities
– When successful, station can transmit and receive
data frames as a member of the WLAN
• Later…Disassociate or Reassociate
Simple protection: SSID
• Use ‘opaque’ SSIDs (WLAN names)
– Change default SSIDs
– SSID should not have company or location info
• Unless your WLAN is public, reject “any” SSIDs
– Have your AP require actual SSID from stations
• Sometimes referred to as “closed system”
– Modify Windows XP Zero Config default settings
• Don’t automatically connect to non-preferred networks
Simple protection: assigning IP addresses
• Before we can forward traffic into attached network
– STA needs a valid IP address
• Alternatives
– Give IP to anyone who asks with DHCP
• But why should we make it so easy to hop on?
– Give fixed (reserved) IPs to known/authorized STAs
• Make war drivers work a little harder to gain access
• But reservations are harder to administer...
– Require STAs to be preconfigured with IPs
• ...and configuring every STA is even harder
• Bottom Line: It isn’t difficult to observe valid IP
addresses
– Fixed IPs therefore raise the bar only marginally
Attacks on network: Modification and Insertion
• Packet Tampering
– 802.11 data frames include a CRC (Cyclic
Redundancy Check) for error detection
– A CRC detects transmission errors, not deliberate
changes: a modified frame carrying a recomputed,
valid CRC is accepted
• Packet Insertion
– 802.11 data frames are not sequenced – any
STA can inject “extra” frames simply by
transmitting them
– Frames are not signed, so nothing prevents
attackers from “borrowing” MAC address of
legitimate STA
Man in the Middle Attack
Man in the middle II
• Rogue APs that pretend to be valid APs
– STAs tricked into associating with rogue AP
– Valid AP thinks it’s receiving frames from
STAs
– Attacker can change packets in transit
– Attacker can gather authentication
information
Simple Security: WEP
• What Is WEP?
– Stands for Wired Equivalent Privacy – as name
implies, intended to make Wi-Fi as secure as a
wired Ethernet network.
– Encrypts the data sent between two nodes on
the WLAN.
– Designed when cryptographic standards were
hamstrung by government export rules. Original
keys were limited to 40 bits.
– Uses a single, static, shared key for
authentication and encryption.
Built-In Security: WEP
• Implementing WEP
– No two products implement WEP in quite the
same way, but basically . . .
– Choose 64-bit or 128-bit key.
– Choose whether to set up the WEP key using
ASCII (plain alphanumeric text) or Hex
(hexadecimal numbers). Not all offer a choice.
– Set (same) key on AP and all clients
– Some products let you enter multiple keys – you
choose which is the primary.
Built-in Security: WEP
• Implementing WEP
– Hexadecimal: You enter a string of text in hex format,
limited to the characters A-F and 0-9.
– 64-bit – 10 Hex characters (0x456789ABCD)
– 128-bit – 26 Hex characters (0x273c642f25223d58687d49516c)
– Some software may require the hex code to begin with
“0x” (without quotes), as above, or a dollar sign ($).
Built-In Security: WEP
• Implementing WEP
– ASCII: You enter a string of plain text characters as
the key.
– 64-bit – 5 ASCII characters
– 128-bit – 13 ASCII characters
Built-In Security: WEP
• Implementing WEP
– Passphrase: Similar to ASCII, you enter a string
of plain text characters and the software
automatically creates a hex key based on what
you type.
– Not all products support it, so if you generate a
Hex key with a passphrase on one product, you
should write it down to use with other products.
WEP’s problems
• WEP has several problems
– Keys are known to every STA, thus if one key is
lost, then everyone’s key is compromised
– There’s no standard key distribution, and keys have
to be entered manually, which leads to static keys
(keys don’t change often enough) and keystream
reuse (see later slides)
– WEP encryption can be broken easily by a hacker
using readily available software
– No good authentication approach
– Integrity checking is weak (a hacker can tamper with
the data stream and the receiver cannot detect it)
Countermeasures: WEP
• Keys are recoverable through cryptanalysis
• RC4 is the encryption algorithm used by WEP
– Stream ciphers require an Initialization Vector (IV)
– To remain synchronized in a WLAN, the IV must be sent
in plaintext on every 802.11b frame
– IV is only 24 bits to keep the frame short (too short)
– IV appended to shared key to encrypt each frame
– Small IV leads to key reuse
– Keystream easily obtained from any 2 frames
encrypted with same IV, can be used to decrypt
future frames
How does WEP work?
• WEP uses the RC4 cipher, which is a symmetric (secret-key) stream cipher.
• A stream cipher uses a stream of bits, called the
keystream, which is combined with the message to
produce the ciphertext.
• To recover the original message, the receiver processes
the ciphertext with an identical keystream.
• RC4 uses the exclusive OR (XOR) operation to combine
the keystream and the message frame (at the
transmitter) to generate the ciphertext, and keystream
and ciphertext (at the receiver) to recover the sent
message frame.
[Figure: stream cipher operation]
How is a keystream generated?
• Stream ciphers use a short secret key (and the
Initialization Vector in Wi-Fi) and expand it into a
pseudorandom keystream the same length as
the message. (See graph below.)
• The pseudorandom number generator (PRNG)
is a set of rules used to expand the key into a
keystream.
• To recover the data, both sides must share the
same secret key and use the same algorithm to
expand the key into a pseudorandom sequence.
[Figure: keyed stream cipher]
Totally random keystream
• A totally random keystream is called a one-time
pad and is the only known encryption scheme
that is mathematically proven to protect against
certain types of attacks. One-time pads are not
commonly used because the keystream must be
perfectly random and the same length as the
data that will be protected, and it can never be
reused again.
• The practical difficulties and cost incurred in
generating and distributing the keying material are
worthwhile only for short messages that require
the utmost security.
The length of WEP keys
• The 64 (or 128)-bit WEP key contains two parts.
The first part is a 24-bit initialization vector (IV),
and the second part is a 40 (or 104)-bit WEP
key, which is given by the user. So the actual
length is only 40 (or 104) bits.
• The longer the key, the more difficult to break.
(Some vendors provide 256-bit WEP keys.)
• RC4 takes the 64 (128) input bits and generates
a keystream equal to the length of the frame
body. The keystream is then XORed with the
frame body to cipher it. To enable the receiver to
decrypt the frame, the IV is placed in the header
of the frame in plain text.
[Figure: the WEP data frame; ICV = Integrity Check Vector]
Weakness of WEP
• Reuse of the keystream is the major weakness in any stream
cipher-based cryptosystem.
• WEP uses the IV to encrypt different packets with different
RC4 keys. However, the IV is part of the packet header and is
not encrypted, so eavesdroppers are tipped off to packets that
are encrypted with the same RC4 key.
• Infrequent rekeying allows attackers to assemble large
collections of frames encrypted with the same keystreams. As
more frames with the same IV pile up, more information is
available about the original frames even if the secret key is
not recovered.
• A subset of all IVs is particularly weak. A hacker observing
those IVs can break the encryption even quicker.
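As an added illustration (not part of the original slides) of the keystream reuse problem just described and of the 24-bit IV / 40-bit key split from the previous slide: a textbook RC4 implementation with a WEP-style per-frame key (IV followed by the secret), run on constructed data. SECRET_KEY and the sample frames are made-up example values; the last function generalizes the IV question by computing, for any IV width, how many randomly chosen IVs are expected before one repeats.

```python
import math
from typing import Iterator

IV_BITS = 24                            # WEP IV: 24 bits, sent in clear in the header
SECRET_KEY = b"\x12\x34\x56\x78\x9a"    # constructed 40-bit WEP secret (toy value)

def rc4_keystream(key: bytes) -> Iterator[int]:
    """Textbook RC4: key scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key is IV || secret (24 + 40 bits); the IV is prepended in clear."""
    keystream = bytes(k for _, k in zip(plaintext, rc4_keystream(iv + secret)))
    return iv + xor_bytes(plaintext, keystream)

def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Receiver rebuilds the same keystream from the clear-text IV and the shared secret."""
    iv, body = frame[:3], frame[3:]
    keystream = bytes(k for _, k in zip(body, rc4_keystream(iv + secret)))
    return xor_bytes(body, keystream)

def recover_with_known_plaintext(frame_a: bytes, plain_a: bytes, frame_b: bytes) -> bytes:
    """Why IV reuse is fatal: two frames under the same IV share one keystream, so
    the keystream falls out of one known plaintext and unlocks the other frame."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ, so the keystreams differ")
    keystream = xor_bytes(frame_a[3:], plain_a)       # C_a XOR P_a = keystream
    return xor_bytes(frame_b[3:], keystream)          # C_b XOR keystream = P_b

def expected_frames_until_iv_repeat(iv_bits: int = IV_BITS) -> float:
    """Birthday bound: with random IVs a repeat is expected after about
    sqrt(pi * 2**iv_bits / 2) frames, roughly 5,100 for a 24-bit IV."""
    return math.sqrt(math.pi * 2 ** iv_bits / 2)
```

The XOR of two same-IV ciphertext bodies equals the XOR of the two plaintexts, which is what the slide means by "more information is available about the original frames even if the secret key is not recovered".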
Increase the key length
• Products today come standard with both 64-bit and
128-bit WEP – originally only 64-bit was required.
• Many vendors have introduced WEP
versions with longer keys – 152-bit and
even 256-bit – but technical problems
mean they don’t add much security.
Beyond WEP: WPA (Wi-Fi
Protected Access)
• What is WPA (a newer version is WPA2)?
– “Hardened WEP” – uses Advanced Encryption
Standard (AES) or Temporal Key Integrity Protocol
(TKIP) for encryption, plus 802.1X and EAP support
for authentication in offices.
• Home vs. Office
– Home version uses a 256-bit Pre-shared Key.
– Office version provides 802.1X and EAP support for
authentication.
Some features of WPA
• Data is encrypted using the RC4 stream cipher plus
TKIP (explained below), with a 128-bit key and a 48-bit
initialization vector (IV). Much longer than WEP’s IV.
• Temporal Key Integrity Protocol (TKIP), which
dynamically changes keys as the system is used.
(Remember in WEP the key never changes unless you
manually change it.)
• WPA2 uses Advanced Encryption Standard (AES) which
is more secure than RC4 + TKIP.
• Can use authentication server in an office.
• Homes without an authentication server can use
Pre-shared Key (PSK) mode. Each user must enter a
passphrase to access the network. The passphrase is
the same for all users in the same network.
Beyond WEP: WPA
• WPA at Home (WPA Personal)
– A Pre-Shared Key (PSK), the same for everyone in the
network, is entered in each device first, very much like WEP.
– The difference is that this pre-shared key is not the key used for
encryption (In WEP the same key is used for encryption).
Instead, TKIP will use this key to derive new encryption keys
mathematically and rotates them regularly (in WEP the key
doesn’t change). Also, the encryption key is derived based on
each user’s MAC address, thus unique for each user (WEP
uses the same key for everyone).
– Although a hacker can access your network if he knows your
PSK, if he doesn’t it would be very difficult for him to find out.
(In WEP a hacker can easily find the key by observing the data
traffic.)
– Better integrity check is provided.
Beyond WEP: WPA
• WPA in the Office (WPA Enterprise)
– Combines 802.1X, PSK, and TKIP
– A server will authenticate users (requesting each user
to enter his/her user name and password) and assign
users with their own unique keys. (The home version
WPA uses the same PSK for everybody. Users don’t
need user name and password.) The server can
change the keys frequently.
– The only problem is the authentication process is not
encrypted, thus the hacker can steal the user name
and password. There are several ways to deal with
this problem.
– WPA and WEP are mutually exclusive; cannot be
mixed on a network.
More about TKIP
• Three basic algorithmic components
– MIC (message integrity code)
• Originally message authentication code but the
acronym “MAC (Media Access Control)” is already
being used!
• The MIC used by WPA is called “Michael”
• Prevents packet forging
– Packet Sequencing
• Prevents replay
– Per-Packet Key Mixing
• Prevents the duplicate keystream attacks
Message Integrity Check (MIC)
• MIC (Message Integrity Check)
– Protects WEP from modification, injection
• Must be implemented on both Stations and APs
• Additional bytes (MIC) added to packets before
encryption
– 20 bits of effective security
• Recipient checks MIC for integrity
• If there is no match, frame is dropped
• Works with TKIP which forces a rekey if there is a MIC
validation error
TKIP (Temporal Key Integrity Protocol)
• Longer 48-bit Initialization Vector (IV)
– Would take ~100 years to exhaust this IV space at 802.11a/g
data rates – helps to prevent key reuse
• Per-Packet Key (every packet has its own key)
– It’s derived from a combination of a base key, the MAC
address of the sending station, and the serial number for the
packet (the serial number is also the IV).
• Key distribution
– Home WLANs derive Base Keys from preshared secret.
Therefore it still has one of WEP’s weaknesses.
– Enterprise WLANs use 802.1X to deliver Base Keys
Countermeasures: WLAN Discovery
– Aerosol
• http://www.stolenshoes.net/sniph/aerosol.html
– Boingo Software
• http://www.boingo.com
– BSD AirTools
• http://www.dachb0den.com/projects/bsd-airtools.html
– Kismet
• http://www.kismetwireless.net/
– MacStumbler for Airport cards
• http://www.macstumbler.com/
– NetStumbler (Win32) and MiniStumbler (PocketPC)
• http://www.netstumbler.com/
– WaveStumbler
• http://www.cqure.net/tools.jsp?id=8
Simple Security Tips
• Set the admin (administrator) password, which
is needed to access your AP settings. A
hacker needs to find the password before
he can tamper with the settings of your AP.
• Change the SSID (your network name) to
something difficult to guess.
Simple Security Tips
• Broadcasting the SSID or not may not be
that important, because a hacker can use
free software to find your SSID even
though you don’t broadcast.
Simple Security Tips
• Use Static IP addresses
– By default, most WLANs use DHCP to
automatically assign an IP address to a client.
– DHCP doesn’t know the difference between
your wireless computers and a hacker.
– Simple security: Turn off DHCP and Assign
Static IP addresses to users.
– Easy to do at home with a few computers, almost
impossible with a large number of PCs.
Simple Security Tips
• Use MAC Filtering
– Each product on a network has a unique Media Access
Control (MAC) address, for example “04-00-05-B6-6A-B4”,
hard-coded into the hardware.
– Simple security: Filter against MACs so only computers
you know about can go on the network.
– This is generally only practical for home and small
business networks – tracking MAC addresses of each
node in an enterprise would be difficult.
– Not completely secure: MAC addresses are easily stolen
and spoofed.
Simple Security Tips
• Personal Firewalls
– Not everything important is on the server.
People store a lot of data on their individual
computers.
– Without a personal firewall, even legitimate
users on the network could get on to your PC.
– Simple security: Install personal firewall
software.
– (This goes for wired networks, too.)
Simple Security Tips
• Physical Security Counts
– Many access points can be easily set back to
their factory defaults with the push of a reset
button.
– Why make it easy for hackers to get to the
units?
– Simple security: Keep APs out of sight
(e.g., above the ceiling) and disable their serial
ports.
Simple Security Tips
• WEP Is Better than Nothing
– Vendors want WLANs to be easy to set up, so
most don’t implement any security out of the box.
– Microsoft is currently the only vendor of WLAN
products that ships with WEP security turned on!
– WEP is far better than no security at all –
windows can be broken, but who leaves them
open for burglars?
– Simple security: Turn on WEP or better yet,
WPA.
Simple Security Tips
• Change WEP Keys
– The longer a given key is used on a WLAN, the
more time a hacker has to break it.
– Simple security: Change your WEP key
regularly.
– Inconvenient: If you have a large network, this
could mean physically accessing every client and
AP to make the change, one by one.
– FYI: Don’t use your SSID as a WEP key and
don’t store the key somewhere on the network.