Wireless Security
Download
Report
Transcript Wireless Security
802.11 Basics
Security in 802.11
WEP summary
WEP Insecurity
ALOHAnet
1999: IEEE 802.11a (54 Mbps)
1999: IEEE 802.11b (11 Mbps)
2003: IEEE 802.11g (54 Mbps)
2009: IEEE 802.11n (150 Mbps)
802.11b
2.4-2.485 GHz unlicensed
radio spectrum
up to 11 Mbps
direct sequence spread
spectrum (DSSS) in physical
layer: all hosts use same
chipping code
802.11a
5-6 GHz range
up to 54 Mbps
Physical layer: orthogonal
frequency division
multiplexing (OFDM)
802.11g
2.4-2.485 GHz range
up to 54 Mbps
OFDM
All use CSMA/CA for multiple
access
All have base-station and adhoc versions
All allow for reducing bit rate
for longer range
4
Wireless host communicates with a base station
base station = access point (AP)
Basic Service Set (BSS) (a.k.a. “cell”) contains:
wireless hosts
access point (AP): base station
BSS’s combined to form distribution system (DS)
No AP (i.e., base station)
wireless hosts communicate with each
other
to get packet from wireless host A to B
may need to route through wireless hosts
Applications:
“Laptop” meeting in conference room
Vehicle Network
Interconnection of “personal” devices
Battlefield
802.11b: 2.4GHz-2.485GHz spectrum divided into 11 channels at
different frequencies; 3 non-overlapping
AP admin chooses frequency for AP
interference possible: channel can be same as that chosen by
neighboring AP!
AP regularly sends beacon frame
Includes SSID, beacon interval (often 0.1 sec)
host: must associate with an AP
scans channels, listening for beacon frames
selects AP to associate with; initiates association protocol
may perform authentication
After association, host will typically run DHCP to get IP address
in AP’s subnet
7
2
2
6
6
6
frame
address address address
duration
control
1
2
3
Address 1: MAC address
of wireless host or AP
to receive this frame
2
6
seq address
4
control
0 - 2312
4
payload
CRC
Address 4: used only in
ad hoc mode
Address 3: MAC address
of router interface to
which AP is attached
Address 2: MAC address
of wireless host or AP
transmitting this frame
8
802.11 frame: addressing
R1 router
H1
Internet
AP
H1 MAC addr R1 MAC addr
dest. address
source address
802.3 frame
H1 MAC addr AP MAC addr R1 MAC addr
address 1
address 2
address 3
802.11 frame
9
802.11 frame: addressing
R1 router
H1
Internet
AP
R1 MAC addr
dest. address
H1 MAC addr
source address
802.3 frame
AP MAC addr
address 1
H1 MAC addr
address 2
R1 MAC addr
address 3
802.11 frame
10
frame:
2
2
6
6
6
frame
address address address
duration
control
1
2
3
2
Protocol
version
2
4
1
Type
Subtype
To
AP
6
2
1
seq address
4
control
1
From More
AP
frag
1
Retry
1
0 - 2312
4
payload
CRC
1
Power More
mgt
data
1
1
WEP
Rsvd
frame control field expanded:
Type/subtype distinguishes
beacon, association, ACK, RTS,
CTS, etc frames.
To/From AP defines meaning of
address fields
802.11 allows for fragmentation
at the link layer
802.11 allows stations to enter
sleep mode
Seq number identifies
retransmitted frames (eg, when
ACK lost)
WEP = 1 if encryption is used
11
Service Set Identifier (SSID)
Differentiates one access point from
another
SSID is cast in ‘beacon frames’ every
few seconds.
Beacon frames are in plain text!
Encryption
802.11 Basics
Security in 802.11
WEP summary
WEP Insecurity
Why do we need the encryption?
Wi-Fi networks use radio transmissions
prone to eavesdropping
Mechanism to prevent outsiders from
▪ accessing network data & traffic
▪ using network resources
Access points have two ways of initiating
communication with a client
Shared Key or Open System authentication
Open System: need to supply the correct SSID
Allow anyone to start a conversation with the AP
Shared Key is supposed to add an extra layer of
security by requiring authentication info as
soon as one associates
Client begins by sending an association
request to the AP
AP responds with a challenge text
(unencrypted)
Client, using the proper key, encrypts text
and sends it back to the AP
If properly encrypted, AP allows
communication with the client
1997: Original 802.11 standard only offers
SSID
MAC Filtering
1999: Introduce of Wired Equivalent Privacy (WEP)
Several industry players formes WECA (Wireless Ethernet
Compatibility Alliance) for rapid adaption of 802.11
network products
2001: Discover weaknesses in WEP
IEEE started Task Group i
2002: WECA was renamed in WI-FI
2003: WiFi Protected Access (WPA)
Interim Solution for the weakness of WEP
2004: WPA2 (IEEE-802.11i-2004)
Primary built security for 802.11 protocol
RC4 encryption
64-bits RC4 keys
Non-standard extension uses 128-bit keys
Many flaws in implementation
Interim solution for replacement of WEP
Goals:
improved encryption
user authentication
Two Modes
WPA Personal : TKIP/MIC ; PSK
WPA Enterprise : TKIP/MIC ; 802.1X/EAP
WPA-Personal
Also refer to WPA-PSK (WPA Pre-shared Key)
Designed for home and small office networks and doesn't
require an authentication server.
WPA-Enterprise
Known as WPA-802.1X
Designed for enterprise networks and requires an authentication server
An Extensible Authentication Protocol (EAP) is used for authentication
Supports multiple authentication method based on:
▪ passwords (Sample: PEAP)
▪ digital certificates (Sample: TLS, TTLS)
TKIP (Temporal Key Integrity Protocol)
The 128 bit RC4 stream cipher used in WPA
CCMP (Counter Cipher Mode with Block Chaining
Message Authentication Code Protocol)
An AES-based encryption mechanism used in WPA2
Approved in July 2004
AES is used for encryption
Two mode like WPA:
Enterprise Mode:
▪ authentication: 802.1X/EAP
▪ encryption: AES-CCMP
Personal Mode:
▪ authentication: PSK
▪ encryption: AES-CCMP
WEP
WPA
WPA2
Cipher
RC4
RC4
AES
Key Size (bits)
64/128
128
128
Key Life
24 bit IV
48 bit IV
48 bit IV
Packet Key
Concatenation
Two Phase Mix
Not Need
Data Integrity
CRC32
Michael
CCM
Key Management
None
802.1X/PSK
802.1X/PSK
23
• WEP is no longer a secure wireless method
• WPA2 with AES encryption is currently the best encryption
scheme
• If on an unsecured network, use SSH or VPN tunneling to
secure your data
802.11 Basics
Security in 802.11
WEP summary
WEP Insecurity
A block of plaintext is bitwise XORed with a
pseudorandom key sequence of equal length
RC4 PRNG
26
CRC
802.11 Frame
Header
Payload
Payload
ICV
32
ICV computed – 32-bit CRC of payload
4 x 40
Key 1
Keynumber
Key 2
Key 3
Key 4
Key
40
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV
keynumber
24
8
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV selected – 24-bits, prepended to
keynumber
64
IV
Payload
Key
ICV
RC4
Payload
ICV
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV selected – 24-bits, prepended to
keynumber
IV+key used to encrypt payload+ICV
WEP Frame
Header
IV
keynumber
Payload
ICV
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV selected – 24-bits, prepended to
keynumber
IV+key used to encrypt payload+ICV
IV+keynumber prepended to encrypted
payload+ICV
4 x 40
Key 1
Keynumber
Key 2
Key 3
Key 4
Keynumber is used to select key
Key
40
64
IV
Payload
Key
ICV
RC4
Keynumber is used to select key
ICV+key used to decrypt payload+ICV
Payload
ICV
Payload
ICV
CRC
Header
Payload
ICV’
32
Keynumber is used to select key
ICV+key used to decrypt payload+ICV
ICV recomputed and compared against original
24
104
IV
Key
Payload
ICV
128-bits
RC4
Payload
ICV
Purpose – increase the encryption key size
Non-standard, but in wide use
IV and ICV set as before
104-bit key selected
IV+key concatenated to form 128-bit RC4
key
Keys are manually distributed
Keys are statically configured
often infrequently changed and easy to remember!
Key values can be directly set as hex data
Key generators provided for convenience
ASCII string is converted into keying material
Non-standard but in wide use
Different key generators for 64- and 128-bit
http://www.wepkey.com/
38
802.11 Basics
Security in 802.11
WEP summary
WEP Insecurity
Problem: Keystream Reuse
WEP’ s Solution: Per Packet Ivs
But…
XOR cancels
keystream
so knowing one plaintext will get you the other
40
IV only 24-bits in WEP,
It must repeat after 2^24 or ~ 16.7M packets
practical?
How long to exhaust the IV space in busy network?
A busy AP constantly send 1500 bytes packet
Consider Data Rate 11 Mbps
IV exhausts after..
(1500 ´ 8) 24
11´10
6
´ 2 » 18000s » 5hrs
Consequences:
– Keystream for corresponding IV is obtained
41
2001: Fluhrer, Mantin, Shamir : Weaknesses in the
Key Scheduling Algorithm of RC4.
completely passive attack
Inductive chosen plaintext attack
Takes 5-10M. packets to find secret key
Showed that WEP is near useless
42
In 2001, airsnort was released but needs
millions of packets
‹In 2004, aircrack and weblap require only
hundreds of thousands of packets
http://securityfocus.com/infocus/1814
‹http://www.securityfocus.com/infocus/1824
43
One common shared key
If any device is stolen or
compromised, must change
shared key in all devices
No key distribution mechanism
Infeasible for large organization:
approach doesn’t scale
Crypto is flawed
Early 2001: Integrity and
authentication attacks published
August 2001 (weak-key attack):
can deduce RC4 key after
observing several million packets
AirSnort application allows
casual user to decrypt WEP
traffic
Crypto problems
24 bit IV to short
Same key for encryption and
message integrity
ICV flawed, does not prevent
adversarial modification of
intercepted packets
Cryptanalytic attack allows
eavesdroppers to learn key
after observing several
millions of packets
44
SSID and access control lists provide
minimal security
no encryption
WEP provides encryption, but is easily
broken
Emerging protocol: 802.11i
Back-end authentication server
Public-key cryptography for authentication
and master key distribution
TKIP: Strong symmetric crypto techniques
45
Fluhrer, Mantin, Shamir - Weakness in the
Key Scheduling Algorithm of RC4.
http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf
Stubblefield, Loannidis, Rubin – Using the
Fluhrer, Mantin, and Shamir Attack to Break
WEP.
http://www.cs.rice.edu/~astubble/wep/wep_attack.pdf
Rivest – RSA Security Response to Weakness
in the Key Scheduling Algorithm of RC4.
http://www.rsasecurity.com/rsalabs/technotes/wep.html
RC4 Encryption Algorithm.
http://www.ncat.edu/~grogans/algorithm_breakdown.htm
46