Wireless Security

Wireless Networks (+)
• Mobility
• Installation (easiness, time, cost)
• Flexibility
• Convenience
• Productivity
• Geographic expansion (+/-)
• Machine increase (+/-)
• Access (+/-)
Wireless Networks (-)
• Reach
• Additional cost of APs
• Interference
• Noise of external devices, microwaves, wireless phones, Bluetooth, etc.
• Speed
• Slow compared to wired networks (+/-)
• Congestion
• Power consumption
• More distance → More power
• Laptops
• Security
SECURITY
• Bad reputation
– Weak legacy security mechanisms deployed in the past
• 802.11i
– It allows proper encryption and authentication methods
– A wireless network can be as secure as a wired network
– Sometimes more
Components of wireless security
• Data privacy
• AAA
– Authentication, Authorization and Accounting
• Segmentation
• Monitoring
• Policy
Data privacy
• 802.11 uses license-free bands
• Every bit goes to the air
– Access available to anyone in listening range
• More complicated than wired networks
– Whoever is near has access
• Protection is obtained through data encryption
– Strong encryption
AAA
• Authentication
– Verification of identity through credentials
• Authorization
– Grant access to network resources and services
• Accounting
– Track the use of resources by users
– Identity - resource used - time of access
– Logs
Segmentation
• Before
– Separation of the wireless network (not trusted and unreliable) from the wired network (trusted, because of the physical access)
• Now
– 802.11i → easier integration
– Separation of users (in groups), still important
• Firewalls, routers, VPN and VLAN
• RBAC
– Role-Based Access Control
Monitors and policies
• Monitors are necessary for protection against
attacks
– WIDS and WIPS
• Policies
– Password sharing
– What to do about rogue APs
– Log violations
– Audit security
– Federal regulations
IEEE 802.11
Independent BSS (IBSS)
Channels 802.11
Enterprise coverage
Addressing
Frame 802.11
To DS | From DS | Address 1     | Address 2        | Address 3           | Address 4
0     | 0       | Destination   | Source           | BSS ID              | N/A
0     | 1       | Destination   | Transmitter (AP) | Source station      | N/A
1     | 0       | Receiver (AP) | Source           | Destination station | N/A
1     | 1       | Receiver (AP) | Transmitter (AP) | Destination station | Source station
Administration Frames
• Authentication and Deauthentication
– Authentication
– End secure communication
• Association (Request, response)
– Associate to an AP
– AP reserves resources and synchronizes with the
station
– SSID, possible speeds
Administration frames
• Reassociation (Request, response)
– When a station moves to another AP (better signal)
– The new AP asks the old AP for pending frames
• Disassociation
– To leave an SSID, in a correct manner
– The AP frees resources (memory, association table)
Administration frames
• Beacon
– Broadcast from the AP to make its presence known
– SSID, time
• Probe (request, response)
– Verify the presence of an AP
– Answer with available speeds
Control frames
• Request To Send (RTS)
– Duration
• Clear To Send (CTS)
– Duration
• Acknowledgement (ACK)
– Verification of the frame that arrives
– If no ACK is received, the corresponding frame is retransmitted
Connection process
Legacy 802.11 Security
WEP
• Wired Equivalent Privacy
• WEP was the original 802.11 encryption method
• Based on RC4
– Uses 64- or 128-bit keys
– 64 bits = 40 bits (key) + 24 bits IV (Initialization Vector)
– 128 bits = 104 bits (key) + 24 bits IV (Initialization Vector)
• It did not offer much
• The name implied the same security as a wired network
• Two methods of authentication
Authentication (Shared Key)
• Client sends a PROBE REQUEST
• AP answers PROBE RESPONSE
• Client sends an AUTHENTICATION REQUEST
• AP sends an unencrypted frame called CHALLENGE PACKET
• Client encrypts the frame and sends it back to the AP
• AP sends an AUTHENTICATION RESPONSE
Deprecated
FIASCO!!!!
Authentication (Open Key)
• Client sends a PROBE REQUEST
• AP answers PROBE RESPONSE
• Client sends an AUTHENTICATION REQUEST
• AP sends an AUTHENTICATION RESPONSE
It provides authentication without performing any type of client verification
Null authentication
The only pre-RSNA security mechanism not deprecated
RC4
• Created by Ron Rivest
– Rivest Cipher 4 or Ron's Code 4
• Stream Cipher
• Key of 40 to 256 bits
• Strong
– Equivalent to a “one time pad”
• Simple
– Not much CPU required
– Fast in software
– Small devices
– Mobile devices
[Figure: RC4. The secret key feeds the RC4 engine, which outputs the stream key; Plaintext + Stream key = Ciphertext. WEP uses the RC4 cipher.]
RC4 engine
• Initialize an array S
– 256 bytes
• KSA (Key Scheduling Algorithm)
– Mix the array using the secret key
• PRGA (Pseudo-Random Generation Algorithm)
– More mixing
• Output
– One byte of S
– XOR the output with a byte from the plaintext
– Until no more bytes from the plaintext
RC4 engine
• Initialize array S
    for (i = 0; i < 256; i++)
        S[i] = i;
• KSA (Key Scheduling Algorithm)
    j = 0;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % keyLength]) % 256;
        swap(S[i], S[j]);
    }
• PRGA (Pseudo-Random Generation Algorithm)
    i = j = 0;
    for (n = 0; n < length; n++) {          /* while there is more plaintext */
        i = (i + 1) % 256;
        j = (j + S[i]) % 256;
        swap(S[i], S[j]);
        output = S[(S[i] + S[j]) % 256];    /* one stream key byte */
        ciphertext[n] = plaintext[n] ^ output;
    }
CRC: Cyclic Redundancy Check
ICV: Integrity Check Value
IV: Initialization Vector
FCS: Frame Check Sequence
WEP (encryption and transmission)
[Figure: WEP encryption. Labels: IV (24 bits), Secret Key (40 or 104 bits), RC4 key (seed), RC4, CRC (32 bits), ICV. Frame layout: Header | IV | Key Number (0 to 3) | Data | ICV | FCS]
WEP (reception and decryption)
[Figure: WEP decryption. Received frame: Header | IV | Key Number (0 to 3) | Data | ICV | FCS. Labels: Secret key (40 or 104 bits), RC4, Data, ICV, "To the upper layer"]
PR = C ⊕ K = P ⊕ K ⊕ K = P
“two time pad” problem
• Two messages cannot be encrypted with the
same streamkey
– Same secret key will generate the same streamkey
– Let's assume P1 and P2 are encrypted with the same key K, producing C1 and C2 (C1 = P1 ⊕ K and C2 = P2 ⊕ K)
– C1 ⊕ C2 = P1 ⊕ K ⊕ P2 ⊕ K
– C1 ⊕ C2 = P1 ⊕ P2
“two time pad” problem
• We only need to know one plaintext
• Send a known plaintext from the outside
• We CANNOT encrypt two messages with the same key
– Same stream key
• We just have to make every key different
Key collisions example
• Easily known cipher texts
– Captured with a sniffer
• With a known plain text, we can get the other
plain text
– Send a packet from the outside (known data)
– Well known packets (DHCP, ARP, etc)
WEP solution
• Usually K rarely changes
– In a company every user shares the same key
• This means the stream key would be the same
• Since the streamkey depends only on the key
IV (Initialization Vector)
• 24 extra bits sounded like a good idea
• Almost 17 million different keys
• A lot of traffic
– Repetition was easier than expected
– A lot sooner
• Many implementations
– Many cards start with zero
– It increments 1 by 1
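Added example (not from the original slides): the "two time pad" and IV slides above, run in C on constructed data. It assumes 64-bit WEP with the RC4 seed formed as the IV followed by the shared key; the key, the two frames and the function names are made up for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RC4 as on the slides: KSA over the seed, then PRGA XORed into buf in place. */
static void rc4_xor(const uint8_t *seed, size_t seed_len, uint8_t *buf, size_t n)
{
    uint8_t S[256], t;
    unsigned i, j = 0;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {                        /* KSA */
        j = (j + S[i] + seed[i % seed_len]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (size_t k = 0; k < n; k++) {                   /* PRGA */
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        buf[k] ^= S[(S[i] + S[j]) & 0xff];
    }
}

/* WEP per-frame RC4 seed: 24-bit IV followed by the 40-bit shared key. */
void wep_crypt(const uint8_t iv[3], const uint8_t key[5], uint8_t *buf, size_t n)
{
    uint8_t seed[8];
    memcpy(seed, iv, 3);
    memcpy(seed + 3, key, 5);
    rc4_xor(seed, sizeof seed, buf, n);
}

/* Two constructed frames sent under iv1 and iv2 with one shared key.
   Returns 1 when C1 ^ C2 ^ P1 equals P2, i.e. the stream key cancelled out. */
int iv_reuse_leaks(const uint8_t iv1[3], const uint8_t iv2[3])
{
    const uint8_t key[5] = { 'd', 'e', 'm', 'o', '!' };   /* constructed key */
    const uint8_t p1[16] = "ARP who-has .1 ";              /* known plaintext */
    const uint8_t p2[16] = "payroll=secret ";              /* unknown plaintext */
    uint8_t c1[16], c2[16], guess[16];
    memcpy(c1, p1, 16);
    memcpy(c2, p2, 16);
    wep_crypt(iv1, key, c1, 16);
    wep_crypt(iv2, key, c2, 16);
    for (int k = 0; k < 16; k++)
        guess[k] = c1[k] ^ c2[k] ^ p1[k];
    return memcmp(guess, p2, 16) == 0;
}
```

With the same IV on both frames the function returns 1 without the key ever being used on the receiving side; with two different IVs it returns 0, which is all the protection the 24-bit IV provides until it repeats.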
Packet injection
• Attacker sends himself packets from “outside”
• The AP receives it and encrypts it
• Attacker has the two versions
• It doesn’t have the key but can inject encrypted packets
• AP accepts them as valid and retransmits them
• More traffic is generated artificially
• Until the IV is repeated and then the key is repeated
• Save the frame (packet) and the IV
Other problems with WEP
• Dictionaries with “common” keys
– They are built slowly
• Shared key, in theory more secure, but
– A disaster
• And a lot more..............
WEP
• WEP is still in use........
• Easy to crack
– A couple of minutes
– Google, youtube
http://www.aircrack-ng.org/
Virtual Private Networks (VPNs)
• Layer 3 VPNs are outdated for client access
– Overhead and complex configuration
– Double encryption
• They should be used for remote access
– Mandatory
– Hot spots → NO Security
– A Personal Firewall is also recommended
• Technologies
– PPTP: Point-to-Point Tunneling Protocol
– IPsec: Internet Protocol Security
– L2TP: Layer 2 Tunneling Protocol
Virtual Private Networks (VPNs)
• Router to Router
– To protect communications between two separate networks
• Client-Server
– Client communications to/from a network
Virtual Private Networks (VPNs)
• Encryption, encapsulation, authentication and data integrity
• Tunneling
MAC Filters
• They are outdated as well
– Not reliable
• Spoofing
• Administrative work
• The 802.11 standard does not define it
– Any implementation is vendor specific
SSID Segmentation
• Different SSIDs
– For different type of users
– VLANs
• Guest, voice and data
• 802.1Q
• A lot of configuration
• MAC Layer overhead
SSID Cloaking
• Broadcast SSID
– Checkbox
• Null probe request → Null SSID in probe response
• 802.11 does not define SSID cloaking
– Incompatibility
• Administrative issue
– Users have to configure the SSID themselves
WLAN Encryption
3 methods
• WEP
– Wired Equivalent Privacy
• TKIP
– Temporal Key Integrity Protocol
• CCMP
– Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol
Defined in 802.11-2007
Frames encrypted
• MAC Protocol Data Unit
• MAC Service Data Unit
• Frames never encrypted
– Management Frames
– Control Frames
– Null Function Frame
WEP encryption process
WEP encrypted MSDU
With WEP enabled → 8 bytes are added to the MPDU body → maximum is 2312
TKIP
• Temporal Key Integrity Protocol
• Created by 802.11i to replace WEP........Fast!!!
• Stronger security with the same hardware
– No need to replace equipment
– Firmware upgrade (not all APs and STAs, but most)
• Temporary security solution
– Important: immediate solution
– Until vendors could provide hardware that
supported CCMP/AES encryption
• WEP enhancement
TKIP, modifications to WEP
• Temporal keys
– Dynamically created keys instead of static keys
– 4-way handshake process to create unique keys
• Dynamic unicast keys
– No social engineering attacks
– Derived from the master keys
• Sequencing
– A sequence number per MPDU (TSC, TKIP Sequence Counter) sent
– A station drops all MPDU received out of order
– No replay and reinjection attacks
TKIP, modifications to WEP
• Key Mixing
– To create strong seed for the RC4 engine
– Avoid IV collisions and weak-key attacks
• Enhanced Data Integrity
– Message Integrity Code (MIC)
• Message Integrity Check
• Nickname Michael
– Defeat bit-flipping and forgery attacks
• TKIP Countermeasures
– To not compromise message integrity
TKIP encryption process
[Figure: TKIP encryption process. Labels: 80 bits, 128 bits, 64 bits]
TSC: TKIP Sequence Counter (48 bits)
TTAK: TKIP-Mixed Transmit Address And Key
TA: Transmit Address, MAC address of the transmitting station
TK: Generated dynamically with a four-way handshake process
TTAK = Phase1(TK,TA,TSC)
WEP seed = Phase2(TTAK,TK,TSC)
TKIP MPDU
Key mixing
CCMP
– Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol
– Uses the AES block cipher instead of the RC4 stream cipher
– Mandatory for RSN
• Robust Security Network
– It is processor intensive
– Newer hardware
– Blocks of 128 bits with 128 bit key
CCMP
• CCM
– Combines modes of operation
– The same key is used in
• Encryption for confidentiality
• Secure Integrity Check Value
• Counter Mode (CTR)
– Data confidentiality
• Cipher-Block Chaining Message Authentication
Code (CBC-MAC)
– Authentication and Integrity
CCMP Data Processing
Temporal Keys: 128 bits (PTK or GTK)
– Pairwise Transient Key
– Group Temporal Key
Packet Number: 48 bits
NONCE: Random numerical value generated only once; 104 bits from PN and TA
AAD (Additional Authentication Data): used for data integrity of portions of the MAC header. Created from portions of the MAC header
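Added example (not from the original slides): how a receiver can pull the 48-bit Packet Number out of the CCMP header, build the 104-bit nonce and drop replayed frames. The header byte order, the ExtIV bit and the leading priority octet of the nonce follow IEEE 802.11-2007 and are not shown on the slide; the function names and sample bytes are constructed.

```c
#include <stdint.h>
#include <string.h>

/* 8-byte CCMP header layout: PN0 PN1 Rsvd KeyID/ExtIV PN2 PN3 PN4 PN5.
   Returns the 48-bit Packet Number as an integer (PN0 is the low byte). */
uint64_t ccmp_pn(const uint8_t hdr[8])
{
    return  (uint64_t)hdr[0]       | (uint64_t)hdr[1] << 8  |
            (uint64_t)hdr[4] << 16 | (uint64_t)hdr[5] << 24 |
            (uint64_t)hdr[6] << 32 | (uint64_t)hdr[7] << 40;
}

/* 13-byte (104-bit) CCM nonce: priority octet, then the transmitter
   address TA (Address 2), then the PN with its most significant byte first. */
void ccmp_nonce(uint8_t prio, const uint8_t ta[6], uint64_t pn, uint8_t nonce[13])
{
    nonce[0] = prio;
    memcpy(nonce + 1, ta, 6);
    for (int i = 0; i < 6; i++)
        nonce[7 + i] = (uint8_t)(pn >> (8 * (5 - i)));
}

/* Receiver-side replay check: a frame is accepted only if its PN is
   strictly greater than the last PN accepted under this temporal key.
   Returns 1 if accepted (and advances *last_pn), 0 if the frame is dropped. */
int ccmp_replay_ok(uint64_t *last_pn, const uint8_t hdr[8])
{
    if (!(hdr[3] & 0x20))          /* ExtIV bit is always set for CCMP */
        return 0;
    uint64_t pn = ccmp_pn(hdr);
    if (pn <= *last_pn)            /* repeated or old PN: replay */
        return 0;
    *last_pn = pn;
    return 1;
}
```

Because the nonce is derived from TA and an always-increasing PN, it never repeats under one temporal key, which is the property the WEP IV lacked.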
WPA/WPA2
• Before the release of 802.11i, Wi-Fi Alliance introduced WPA certification
– Wi-Fi Protected Access
– It included only TKIP/RC4
– TKIP was designed to last 5 years
• WPA2 is 802.11i for the Wi-Fi Alliance certification
– CCMP with AES
– Also supports authentication with 802.1X/EAP
802.11i
• IEEE 802.11i
• IEEE-SA is responsible for the 802 family
– Local and Metropolitan Area Networks
– Divided in working groups
– Each group produces standards
• 802.11
– Working group for wireless
• 802.11i
– Task group (Standard)
• Wi-Fi Alliance
– Interoperability (certification)
802.11i
• 802.11 Amendment
• New generation of wireless security
• Defines an RSN
– Robust Security Network
• Also defines a TSN
– Transitional Security Network
– Allows RSN with WEP
WPA (Wi-Fi Protected Access)
• Wi-Fi Alliance created WPA as a temporary solution to the WEP problems
– Only supporting TKIP/RC4 dynamic encryption key generation
• Urgent change because of the perception of the market
• Initially called WEP2
• Uses TKIP (Temporal Key Integrity Protocol)
• Same hardware
– Improve perception
– Without making the clients spend more money
• The industry could not wait for the long process involved in the development of a new standard
• Software updates
802.11i
• Also called WPA2
• Create a scalable solution
• Started from scratch
• Separates the authentication process from the message protection
– Authentication
– Integrity and confidentiality
802.1X
Port-Based Network Access Control
Objectives
• Provide security
• Separate the good and the bad
• Control the access to a local network
• Devices and Users
– Authenticated and Authorized
• Provides an authorization framework
– To access network resources
• It is NOT a wireless standard
AAA
• Authentication
– Before allowing to access the network resources
– Users' identity and credentials
– Who you are → Credentials
• Something you know (passwords, PINs)
• Something you have (Card, Token)
• Something you are (Picture, Biometrics)
– Multifactor authentication
• Debit card with PIN
• Debit card with picture and PIN
AAA
• Authorization
– To protect network resources
– Very important since WLAN is a portal to other
applications in the enterprise
– Allows authenticated users access
– 802.1X
– RADIUS server
AAA
• Accounting
– Accounting Trail
– Accounting Record
• User account logged in
• Where it was logged in from (actual AP)
• Date and time
• Amount of traffic sent and received
• Time of logging off
– Very useful in forensics
802.1X Elements
• Supplicant
– The one which wants access
• Authenticator
– The one which controls the access (door)
– Bridge between authentication server and
supplicant
– It does not authenticate, it controls the access
• Authorizer
– The one which decides if the supplicant is allowed
– Authentication Server that validates credentials
Wireless environment
EAP
802.1X Authenticators
Autonomous AP
WLAN Controller
EAP
• Extensible Authentication Protocol
• Originally designed for PPP
– Point to Point Protocol
– For Dial-In (Phone)
• PAP (Password Authentication Protocol)
• CHAP (Challenge Handshake Protocol)
• Data exchange for authentication
• Several authentication mechanisms
• EAP-TLS, PEAP, TTLS, LEAP
RADIUS
• Remote Authentication Dial In User Service
• Authentication, Authorization, and Accounting
(AAA) centralized
• Administration for users and devices that
connect and use the network service
• Client/Server (UDP)
Before EAP
EAP Exchange