lecture10 - Computer and Information Sciences


Lecture 10: Wireless Security – WEP/WPA
CS 336/536: Computer Network Security
Fall 2015
Nitesh Saxena
Adapted from previous lecture by Keith Ross, Amine Khalife and Tony Barnard
Outline
• WiFi Overview
• WiFi Security Threats
• WEP – Wired Equivalence Privacy
– Including vulnerabilities
• WPA – WiFi Protected Access
4/5/2016
Lecture 9 - Wireless Security
Security at different layers
Application layer: PGP
Transport layer: SSL
Network layer: IPsec
Link layer: WEP / 802.11i (WPA)
WiFi Security Approach (protocol stack, top to bottom):
• HTTP/SMTP/IM
• TCP/UDP/ICMP
• IPsec
• WEP/WPA

802.11 Standards
• 802.11a – 54 Mbps@5 GHz
– Not interoperable with 802.11b
– Limited distance
– Cisco products: Aironet 1200
• 802.11b – 11 Mbps@2.4 GHz
– Full speed up to 300 feet
– Coverage up to 1750 feet
– Cisco products: Aironet 340, 350, 1100, 1200
• 802.11g – 54 Mbps@2.4 GHz
– Same range as 802.11b
– Backward-compatible with 802.11b
– Cisco products: Aironet 1100, 1200

802.11 Standards (Cont.)
• 802.11e – QoS
– Dubbed “Wireless MultiMedia (WMM)” by Wi-Fi Alliance
• 802.11i – Security
– Adds AES encryption
– Requires high CPU, new chips required
– TKIP is interim solution
• 802.11n – (2009)
– up to 300 Mbps
– 5 GHz and/or 2.4 GHz
– ~230 ft range

Wireless Network Modes
• The 802.11 wireless networks operate in two basic modes:
1. Infrastructure mode
2. Ad-hoc mode
• Infrastructure mode:
– each wireless client connects directly to a central device called Access Point (AP)
– no direct connection between wireless clients
– AP acts as a wireless hub that performs the connections and handles them between wireless clients

Wireless Network Modes (cont’d)
• The hub handles:
– the clients’ authentication
– authorization
– link-level data security (access control and enabling data traffic encryption)
• Ad-hoc mode:
– Each wireless client connects directly with each other
– No central device managing the connections
– Rapid deployment of a temporary network where no infrastructure exists (an advantage in case of disaster…)
– Each node must maintain its own authentication list

802.11 LAN architecture
[Figure: BSS 1 and BSS 2, each with an AP, attached to a hub, switch or router that connects to the Internet]
• wireless host communicates with base station
– base station = access point (AP)
• Basic Service Set (BSS) (aka “cell”) in infrastructure mode contains:
– wireless hosts
– access point (AP): base station
• ad hoc mode: hosts only

SSID – Service Set Identification
• Identifies a particular wireless network
• A client must set the same SSID as the one in that particular AP to join the network
• Without the SSID, the client won’t be able to select and join a wireless network
• Hiding the SSID is not a security measure because the wireless network in this case is not invisible
• It can be defeated by intruders by sniffing it from any probe signal containing it.

Beacon frames & association
• AP regularly sends beacon frame
– Includes SSID, beacon interval (often 0.1 sec)
• host: must associate with an AP
– scans channels, listening for beacon frames
– selects AP to associate with; initiates association protocol
– may perform authentication
– After association, host will typically run DHCP to get IP address in AP’s subnet

802.11 frame: addressing
Frame fields (size in bytes):
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode

802.11 frame: addressing
[Figure: host H1, AP, R1 router, Internet]
802.3 frame: dest. address = H1 MAC addr, source address = R1 MAC addr
802.11 frame: address 1 = H1 MAC addr, address 2 = AP MAC addr, address 3 = R1 MAC addr

802.11 frame: addressing
[Figure: host H1, AP, R1 router, Internet]
802.3 frame: dest. address = R1 MAC addr, source address = H1 MAC addr
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr

802.11 frame (more)
Frame fields (size in bytes):
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
Frame control field expanded (size in bits):
protocol version (2) | type (2) | subtype (4) | To AP (1) | From AP (1) | more frag (1) | retry (1) | power mgt (1) | more data (1) | WEP (1) | rsvd (1)
• Type/subtype distinguishes beacon, association, ACK, RTS, CTS, etc. frames.
• To/From AP defines meaning of address fields
• 802.11 allows for fragmentation at the link layer
• 802.11 allows stations to enter sleep mode
• Seq number identifies retransmitted frames (e.g., when ACK lost)
• WEP = 1 if encryption is used

Primary Threats
• Unauthorized access
– Learn SSID and join the network
• Sniffing/Eavesdropping
– Easy since wireless traffic is broadcast in nature
• Session Hijacking
– Similar to wired session hijacking
• Evil Twin Attack
– Attacker fools the user into connecting to its own AP (rather than the Starbucks AP, e.g.)

Unauthorized Access
• So easy to find the ID for a “hidden” network because the beacon broadcasting cannot be turned off
• Simply use a utility to show all the current networks:
– inSSIDer
– NetStumbler
– Kismet

Unauthorized Access
Defense: Access control list
• Access control list
– Simplest security measure
– Filtering out unknown users
– Requires a list of authorized clients’ MAC addresses to be loaded in the AP
– Won’t protect each wireless client nor the traffic confidentiality and integrity ===> vulnerable
• Defeated by MAC spoofing:
– ifconfig eth0 hw ether 00:01:02:03:04:05 (Linux)
– SMAC - KLC Consulting (Windows)
– MAC Makeup - H&C Works (Windows)

802.11 Sniffing
• Requires wireless card that supports raw monitoring mode (rfmon)
– Grabs all frames including management frames
• Tools:
– Dump packets using Wireshark

Sniffing Encrypted 802.11 traffic
Suppose:
• Traffic encrypted with symmetric crypto
• Attacker can sniff but can’t break crypto
What’s the damage?
• SSID, MAC addresses
• Manufacturers of cards from MAC addrs
• Count # of devices
• Traffic analysis:
– Size of packets
– Timing of messages
– Determine apps being used
• But cannot see anything really useful
• Attacker needs the keys, or break crypto
– Very hard

WEP - Wired Equivalent Privacy
• The original native security mechanism for WLAN
• Provides security through an 802.11 network
• Used to protect wireless communication from eavesdropping (confidentiality)
• Prevent unauthorized access to a wireless network (access control)
• Prevent tampering with transmitted messages
• Provide users with the equivalent level of privacy inbuilt in wireless networks.

WEP Feature Goals:
• Authentication
– AP only allows authorized stations to associate
• Data integrity
– Data received is the data sent
• Confidentiality
– Symmetric encryption

WEP Design Goals
• Symmetric key crypto
– Confidentiality
– Station authorization
– Data integrity
• Self synchronizing: each packet separately encrypted
– Given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost
– Unlike Cipher Block Chaining (CBC) in block ciphers
• Efficient
– Can be implemented in hardware or software

WEP Keys
• 40 bits or 104 bits
• Key distribution not covered in standard
• Configure manually:
– At home
– Small organization with tens of users
– Nightmare in company >100 users

WEP Procedures
1. Appends a 32-bit CRC checksum to each outgoing frame (INTEGRITY)
2. Encrypts the frame using the RC4 stream cipher, keyed with a 40-bit (standard) or 104-bit (enhanced) message key plus a 24-bit random initialization vector (IV) (CONFIDENTIALITY).
3. The Initialization Vector (IV) and default key on the station access point are used to create a key stream
4. The key stream is then used to convert the plain text message into the WEP encrypted frame.
Encrypted WEP frame (MAC payload):
IV | Key ID | data | ICV
The data and ICV fields are encrypted: RC4 keystream XORed with plaintext

WEP Components
• Initialization Vector IV
– Dynamic 24-bit value
– Chosen randomly by the transmitter wireless network interface
– 16.7 million possible IVs (2^24)
• Shared Secret Key
– 40 bits long (5 ASCII characters)
– 104 bits long (13 ASCII characters)

WEP Components (cont’d)
• RC4 algorithm consists of 2 main parts:
1. The Key Scheduling Algorithm (KSA):
– involves creating a scrambled state array
– This state array will now be used as input in the second phase, called the PRGA phase.
2. The Pseudo Random Generation Algorithm (PRGA):
– The state array from the KSA process is used here to generate a final key stream.
– Each byte of the key stream generated is then XORed with the corresponding plain text byte to produce the desired cipher text.

WEP Components (cont’d)
• ICV (Integrity Check Value) = CRC32 (cyclic redundancy check) integrity check
• XOR operation
– denoted as ⊕
– plain-text ⊕ keystream = cipher-text
– cipher-text ⊕ keystream = plain-text
– plain-text ⊕ cipher-text = keystream

How WEP works
[Figure: Encryption Process and Decryption Process; labels: IV, key, RC4, original unencrypted packet, checksum, encrypted packet]

8.2.5 WEP Frame Body Expansion
Recall from CS 334/534:
[Figure 6 - 802.11 frame format; label: CRC-32]
[Figure 46 – Construction of expanded WEP frame body; label: CRC-32]

End-point authentication w/ nonce
Nonce: number (R) used only once-in-a-lifetime
How: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key
[Figure: messages exchanged: “I am Alice”; R; K_A-B(R)]
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!

WEP Authentication
Not all APs do it, even if WEP is being used. AP indicates if authentication is necessary in beacon frame. Done before association.
[Figure: message exchange with the AP]
1. authentication request
2. nonce (128 bytes)
3. nonce encrypted with shared key
4. success if decrypted value equals nonce

WEP is flawed
• Confidentiality problems
• Authentication problems
• Integrity problems

A Risk of Keystream Reuse
[Figure: two frames sent with the same IV: (IV, P ⊕ RC4(K, IV)) and (IV, P’ ⊕ RC4(K, IV))]
• If IVs repeat, confidentiality is at risk
– If we send two ciphertexts (C, C’) using the same IV, then the XOR of plaintexts leaks (P ⊕ P’ = C ⊕ C’), which might reveal both plaintexts
• Lesson: If RC4 isn’t used carefully, it becomes insecure

Problems with WEP confidentiality (2)
• IV reuse
– With 17 million IVs and 500 full-length frames/sec, collisions start after 7 hours
– Worse when multiple hosts start with IV=0
• IV reuse:
– Trudy guesses some of Alice’s plaintext d1 d2 d3 d4 …
– Trudy sniffs: ci = di ⊕ ki^IV
– Trudy computes keystream ki^IV = ci ⊕ di
– Trudy knows encrypting keystream k1^IV k2^IV k3^IV …
– Next time IV is used, Trudy can decrypt!

Keystream Reuse
• WEP didn’t use RC4 carefully
• The problem: IVs frequently repeat
– The IV is often a counter that starts at zero
– Hence, rebooting causes IV reuse
– Also, there are only 16 million possible IVs, so after intercepting enough packets, there are sure to be repeats
• Attackers can eavesdrop on 802.11 traffic
– An eavesdropper can decrypt intercepted ciphertexts even without knowing the key

WEP authentication problems
• Attacker sniffs nonce, m, sent by AP
• Attacker sniffs response sent by station:
– IV in clear
– Encrypted nonce, c
• Attacker calculates keystream ks = m ⊕ c, which is the keystream for the IV.
• Attacker then requests access to channel, receives nonce m’
• Attacker forms response c’ = ks ⊕ m’ and IV
• Server decrypts, matches m’ and declares attacker authenticated!

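The keystream-reuse and shared-key authentication weaknesses described on the slides above, reproduced in-process as an added example (not part of the original lecture). The key, IV, plaintexts and nonces are constructed sample values, and the Key ID byte of the real frame is omitted for brevity.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """RC4: the KSA scrambles the state array, the PRGA emits n keystream bytes."""
    s, j = list(range(256)), 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """IV in clear, then (data || ICV) XOR RC4(IV || key). Key ID byte omitted."""
    body = data + icv(data)
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    if icv(body[:-4]) != body[-4:]:
        raise ValueError("ICV mismatch")
    return body[:-4]

# Constructed sample values, not taken from any real network.
KEY = bytes.fromhex("0102030405")             # 40-bit shared key
IV = bytes.fromhex("000001")                  # the IV that gets reused
P1 = b"user=alice&pin=4821"
P2 = b"user=bobby&pin=7350"

def plaintext_from_reused_iv() -> bytes:
    """Two frames under one IV: C xor C' = P xor P', so knowing P1 reveals P2."""
    c1 = wep_encrypt(KEY, IV, P1)[3:]
    c2 = wep_encrypt(KEY, IV, P2)[3:]
    return xor(xor(c1, c2), P1)

def auth_response_without_key(m: bytes, m_new: bytes) -> bytes:
    """Keystream from one observed challenge/response answers a new challenge."""
    observed = wep_encrypt(KEY, IV, m)         # station's reply, as seen on air
    ks = xor(observed[3:], m + icv(m))         # ks = m xor c; KEY is not used again
    return observed[:3] + xor(ks, m_new + icv(m_new))

if __name__ == "__main__":
    print(plaintext_from_reused_iv())
    m, m_new = bytes(range(128)), bytes(range(128, 256))
    print(wep_decrypt(KEY, auth_response_without_key(m, m_new)) == m_new)
```

Both results follow from the XOR identities alone, which is why a longer WEP key does not help: the fix is a per-frame key that never repeats, as TKIP and later CCMP provide.
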
Problems with Message Integrity
• ICV (Integrity Check Value) supposed to provide data integrity
– ICV is a hash/CRC calculation
– But a flawed one.
• Can predict which bits in ICV change if you change single bit in data.
– Suppose attacker knows that flipping bit 3244 of plaintext data causes bits 2, 7, 23 of plaintext ICV to flip
• Suppose attacker intercepts a frame:
– In intercepted encrypted frame, attacker flips bit 3244 in data payload and ICV bits 2, 7, 23
• Will ICV match after decryption at the receiver?
– After decryption, cleartext bit 3244 is flipped (stream cipher)
– Also after decryption, cleartext ICV bits 2, 7, 23 are flipped.
– So cleartext ICV will match up with data!

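Why the CRC-32 ICV fails as an integrity check under a stream cipher, next to a keyed MAC that catches the same change. This is an added example, not part of the original lecture: the keystream is a constructed stand-in for RC4 output, the payload is constructed, and HMAC-SHA256 stands in for "a real MAC" (TKIP itself uses a different keyed MIC).

```python
import hashlib
import hmac
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def keystream(n: int) -> bytes:
    """Constructed stand-in for RC4(IV || key); only sender and receiver call it."""
    blocks = (hashlib.sha256(b"constructed" + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal_wep(data: bytes) -> bytes:
    body = data + icv(data)                    # unkeyed CRC-32 as the ICV
    return xor(body, keystream(len(body)))

def open_wep(ct: bytes):
    body = xor(ct, keystream(len(ct)))
    return body[:-4] if icv(body[:-4]) == body[-4:] else None

MAC_KEY = b"constructed integrity key"         # separate from the encryption key

def seal_mac(data: bytes) -> bytes:
    body = data + hmac.new(MAC_KEY, data, hashlib.sha256).digest()
    return xor(body, keystream(len(body)))

def open_mac(ct: bytes):
    body = xor(ct, keystream(len(ct)))
    tag = hmac.new(MAC_KEY, body[:-32], hashlib.sha256).digest()
    return body[:-32] if hmac.compare_digest(tag, body[-32:]) else None

def icv_patch(delta: bytes) -> bytes:
    """CRC-32 is affine: crc(d ^ delta) ^ crc(d) = crc(delta) ^ crc(00..0)."""
    return xor(icv(delta), icv(bytes(len(delta))))

def flip_in_transit(ct: bytes, delta: bytes, tag_len: int) -> bytes:
    """Change a ciphertext with no key: XOR delta into the data bits and, for
    the CRC case, XOR the predictable ICV difference into the ICV bits."""
    data_ct, tag_ct = ct[:-tag_len], ct[-tag_len:]
    patch = icv_patch(delta) if tag_len == 4 else bytes(tag_len)
    return xor(data_ct, delta) + xor(tag_ct, patch)

ORIGINAL = b"seq=0100 status=ok"               # constructed payload
DELTA = bytes(4) + bytes([ord("0") ^ ord("9")]) + bytes(len(ORIGINAL) - 5)

def demo():
    """Return what each receiver accepts after the same in-transit change."""
    wep = open_wep(flip_in_transit(seal_wep(ORIGINAL), DELTA, 4))
    mac = open_mac(flip_in_transit(seal_mac(ORIGINAL), DELTA, 32))
    return wep, mac
```

`demo()` returns the altered payload for the CRC receiver and `None` for the MAC receiver: the CRC difference depends only on the bits changed, while the MAC tag cannot be adjusted without `MAC_KEY`.
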
Attacks on WEP
WEP encrypted networks can be cracked in 10 minutes
Goal is to collect enough IVs to be able to crack the key
IV = Initialization Vector, plaintext appended to the key to avoid repetition
Injecting packets generates IVs

Attacks on WEP
• Backtrack 5 (Released 1st March 2012)
• Tutorial is available
• All required tools on a Linux bootable CD + laptop + wireless card
[Figure: WEP cracking example]

Summary of WEP flaws
One common shared key
• If any device is stolen or compromised, must change shared key in all devices
• No key distribution mechanism
• Infeasible for large organization: approach doesn’t scale
Crypto is flawed
• Early 2001: Integrity and authentication attacks published
• August 2001 (weak-key attack): can deduce RC4 key after observing several million packets
• AirSnort application allows casual user to decrypt WEP traffic
Crypto problems
• 24 bit IV too short
• Same key for encryption and message integrity
• ICV flawed, does not prevent adversarial modification of intercepted packets – not a MAC
• Cryptanalytic attack allows eavesdroppers to learn key after observing several millions of packets

IEEE 802.11i
• Much stronger encryption
– TKIP (temporal key integrity protocol) – stopgap
– But uses RC4 for compatibility with existing WEP hardware
– Can also support standard crypto algorithms (CBC AES, CBC MAC, etc.)
• Extensible set of authentication mechanisms
– Employs 802.1X authentication
• Key distribution mechanism
– Typically public key cryptography
– RADIUS authentication server
  • distributes different keys to each user
  • also there’s a less secure pre-shared key mode
• WPA: Wi-Fi Protected Access
– Pre-standard subset of 802.11i

IEEE 802.11i Phases of Operation – preview
802.11i security is provided only over the wireless link within a BSS,
not externally.
Phase 1 - Discovery
Phase 2 - Authentication
Phase 3 - Key Generation and Distribution to STA and AP
Phase 4 - Actual User Data Transfer
Phase 5 - Connection Termination when Transfer Complete
Phase 1 – Discovery
The purpose of this phase is for STA and AP to establish
(unsecure) contact and negotiate a set of security algorithms to
be used in subsequent phases.
STA and AP need to decide on:
► The methods to be used in phase 3 to perform
mutual authentication of STA and AP and generate/distribute keys.
► Confidentiality and integrity algorithms to protect user data in phase 4
The discovery phase uses three message exchanges
► Probe request/response (or observation of a beacon frame)
APs advertise their capabilities (WEP, WPA, etc.) in Information Elements in their beacon frames and in their probe responses.
► Authentication request/response
WEP Open System Authentication, for backward compatibility
(provides no security)
► Association request/response
STA chooses methods to be used from AP’s menu
(we will study the case that the station chooses WPA/TKIP)
STA uses an Information Element in Association Request
to inform AP
[Figure 1 Phase 1 Discovery; figure labels: Phase 1; Phase 2/3; “This is not Authentication!”]
Phase 2 - Authentication
SOHO Mode
A pre-shared key (PSK) is provided in advance to the station and AP by a method external to 802.11i.
In this case the lower half of figure 1 is bypassed (and was not shown in the
previous slide).
There are two methods for providing the PSK:
► the exact 256-bit number can be provided and used as PMK
► a passphrase can be adopted, keyed in by user and expanded
to 256 bits by the system.
In WPA SOHO mode STA and AP delay authenticating each other
until phase 3, when they demonstrate that each knows information
derived from the PSK.
Phase 3 – Key Generation and Distribution
In SOHO mode the PSK has already been shared, so no more
distribution is needed and key generation can proceed.
Next step in SOHO: The PSK is adopted to derive
Pairwise Master Key (PMK)
Figure 2
The Pairwise Master Key is not used directly in any security operation.
Instead, it will be used to derive a set of keys, the Pairwise Transient Key,
to protect the link between AP and station.
Protection is needed during two phases:
► in phase 3 - the handshake between station and AP
(protocol called “EAPOL”)
► in phase 4 - Passing user data during actual use of the link
In both phases separate keys are needed for integrity and encryption, so
the total number of keys needed is four:
► EAPOL-key Confirmation key (KCK) (Integrity)
► EAPOL-key Encryption key (KEK)
► Data Integrity Key (part of Temporal Key)
► Data Encryption Key (part of Temporal Key)
[Figure 6.8 (middle); label: PSK]
Computation of the PTK from the PMK
The PTK is re-computed every time a station associates with an AP.
We want the PTK to be different for each STA-AP pair and different
each time a STA associates with an AP (so as not to re-use old keys)
Four-way handshake:
TKIP/WPA uses a four-way handshake during establishment of the
association relationship between an AP and a station
We can force the PTK to be different for each STA-AP pair by mixing
their MAC addresses into the computation of the PTK.
But since these do not change between associations, there must also
be some dynamic input to the PTK - nonces.
Recall that in the discovery phase the STA sent its association request
to the AP, including the selection of WPA/TKIP for security.
For later use, we can think of the STA randomly generating a
nonce (Nonce1) at that point, but not transmitting it.
Four-Way Handshake
Frame 1: AP to STA: a nonce chosen by the AP (Nonce2)
Nonce2 gives the STA the last piece of information
it needs to compute the 512-bit PTK:
[Figure: Computation of PTK from PMK (SHA hash)]
Four-Way Handshake - continued
Frame 2: STA to AP:
Nonce1, together with a message integrity code (MIC)
(standard HMAC-SHA, since done only during handshake)
Nonce1 gives the AP the last piece of information it needs to compute
the PTK, so key exchange is complete. This enables the AP to check
the validity of the MIC. If correct, this proves that the STA
possesses the PMK and authenticates the STA.
Each side has chosen a nonce, and both nonces have been
mixed into the computation of the PTK, so PTK is unique to
each AP-STA pair and to each association session.
Four-Way Handshake - continued
Frame 3: AP to STA: message “AP able to turn on encryption”
(includes MIC, so STA can check that AP knows PMK)
Frame 4: STA to AP: message “STA about to turn on encryption”
After sending frame 4, STA activates encryption;
on receipt of frame 4, AP activates encryption.
At this point Phase 3 is complete – we have authenticated the STA
and the AP, using the EAPOL keys, and have generated the 256-bit
Temporal Key for use in phase 4.
We can proceed to phase 4 – secure transmission of user data.
TKIP stands for Temporal Key Integrity Protocol
(“temporal” = “temporary” - only for this association session)
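The SOHO-mode key hierarchy and frames 1 and 2 of the four-way handshake, as an added example (not part of the original lecture). The PBKDF2 parameters, the PRF construction and the "Pairwise key expansion" label follow the 802.11i standard rather than the slides; the MAC addresses, SSID, passphrases and the frame 2 body are constructed, and the MIC is HMAC-SHA1 truncated to 128 bits, following the slides' "standard HMAC-SHA".

```python
import hashlib
import hmac
import os

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Expand a passphrase to the 256-bit PMK (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1 outputs over a running counter byte."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, nonce1: bytes, nonce2: bytes) -> dict:
    """512-bit PTK from the PMK, both MAC addresses and both nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(nonce1, nonce2) + max(nonce1, nonce2))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    # KCK and KEK protect the handshake; the 256-bit TK protects user data.
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

def mic(kck: bytes, frame: bytes) -> bytes:
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

AP_MAC = bytes.fromhex("020000000001")         # constructed, locally administered
STA_MAC = bytes.fromhex("020000000002")        # constructed
SSID = "lab-net"                               # constructed

def handshake(sta_passphrase: str, ap_passphrase: str):
    """Frames 1 and 2; returns (STA authenticated?, STA's TK, AP's TK)."""
    nonce1, nonce2 = os.urandom(32), os.urandom(32)   # STA's and AP's nonces
    # Frame 1 (AP -> STA) carries Nonce2; the STA can now compute the PTK.
    sta = derive_ptk(pmk_from_passphrase(sta_passphrase, SSID), AP_MAC, STA_MAC, nonce1, nonce2)
    frame2 = b"frame2:" + nonce1                      # simplified frame body
    frame2_mic = mic(sta["KCK"], frame2)
    # Frame 2 (STA -> AP) carries Nonce1 and the MIC; the AP derives the PTK and checks it.
    ap = derive_ptk(pmk_from_passphrase(ap_passphrase, SSID), AP_MAC, STA_MAC, nonce1, nonce2)
    ok = hmac.compare_digest(mic(ap["KCK"], frame2), frame2_mic)
    return ok, sta["TK"], ap["TK"]
```

Calling `handshake` twice with the same passphrase yields two different Temporal Keys, which is the per-association freshness the nonces are there to provide.
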
TKIP: Changes from WEP
• Message integrity scheme that works
• IV length increased
• Rules for how the IV values are selected
• Use IV as a replay counter
• Generates different message integrity key and encryption key from master key
• Hierarchy of keys derived from master key
• Secret part of encryption key changed in every packet.
• Much more complicated than WEP!

TKIP: Message integrity
• Uses message authentication code (MAC); called a MIC in 802.11 parlance
• Different key from encryption key
• Source and destination MAC addresses appended to data before hashing
• Before hashing, key is combined with data with exclusive ors (not just a concatenation)
• Computationally efficient

TKIP: IV Selection and Use
• IV is 56 bits
– 10,000 short packets/sec
  • WEP IV: recycle in less than 30 min
  • TKIP IV: 900 years
– Must still avoid two devices separately using same key
• IV acts as a sequence counter
– Starts at 0, increments by 1
– But two stations starting up use different keys:
  • MAC address is incorporated in key

802.11 security summary
• SSID and access control lists provide minimal security
– no encryption/authentication
• WEP provides encryption, but is easily broken
• Emerging protocol: 802.11i
– Back-end authentication server
– Public-key cryptography for authentication and master key distribution
– WPA/WPA2: Strong symmetric crypto techniques

Further Reading
• Real 802.11 Security by Jon Edney and William Arbaugh
• Stallings chapter 7
• Intercepting Mobile Communications: The Insecurity of 802.11. Borisov et al., 2001