Transcript VA-Course V 0.1b

27/03/2006
IEEE 802.11 Security
VA Course
Karlstad University
27/03/2006
IEEE Security Outline
• Introduction to Wireless Local Area Networks
• IEEE 802.11
• IEEE 802.11 PHY & MAC
• IEEE 802.11 Security
•
•
•
•
Risks to IEEE 802.11 networks
IEEE 802.11 WEP
Wi-Fi Alliance’s WPA
IEEE 802.11i amendment and WPA2
2
VA Course
Karlstad University
27/03/2006
Who is Who in IEEE 802.11
• IEEE
• Institute of Electrical and Electronics Engineers, Inc.
• designs the technology & publish the standards
www.ieee.org
• Wi-Fi Alliance*
• certify interoperability of WLAN products
• +250 member companies and +2800 certified products
www.wifialliance.com
3
VA Course
Karlstad University
* former WECA - Wireless Ethernet Compatibility Alliance
27/03/2006
IEEE 802.11 Evolution
• Wireless Evolution:
– early 1990s
• first wireless networks operating in the ISM bands
• issues: price, performance, interoperability
IEEE 802.11 WG is born
– 1997 June
• IEEE 802.11 standard is approved.
– 1999 September
• standard revision, IEEE 802.11a & IEEE 802.11b are approved.
– 2003 June
• IEEE 802.11g amendment is approved
– 2004 July
• IEEE 802.11i amendment is approved
4
VA Course
Karlstad University
27/03/2006
IEEE 802.11 Specification
• Operation Modes
• infrastructure network
• ad hoc network
IP
• IEEE 802.11 standard specifies:
• medium access control (MAC)
• physical layer protocols (PHY)
LLC
IEEE 802.2
MAC
IEEE 802.11
PHY
5
VA Course
Karlstad University
27/03/2006
Operation Modes
• Infrastructure Network Mode
– Basic Service Set (BSS)
AP
BSS
STA
VA Course
Karlstad University
with only one Access Point (AP)
6
27/03/2006
Operational Modes
• Infrastructure Network Mode
– Extended Service Set (ESS)
STA
ESS
STA
AP
AP
BSS
VA Course
Karlstad University
BSS
7
27/03/2006
Operational Modes
• Ad Hoc Network Mode
– Independent Basic Service Set (IBSS)
– no support to multi hopping
no routing! PHY & MAC layers only
STA
IBSS
8
VA Course
Karlstad University
27/03/2006
The Spectrum
• Electromagnetic Spectrum
– the physical medium “air” from viewpoint of the signal frequencies
– frequency usage is regulated / controlled by the local government
•
•
•
•
E.U.
Sweden
U.S.
International
CEPT* - ERO (European Radio Comm. Office)
PTS (Post & Telestyrelsen)
FCC & NTIA
ITU
9
VA Course
Karlstad University
*European Conference of Postal and Telecommunications Administrations
27/03/2006
The Spectrum
3 KHz
VL
L
M
H
VH
AMPS
UH
GSM-DCS
SH
EH
IR
300THz
FM
AM
1GHz
www.ntia.doc.gov/osmhome/allochrt.html
www.pts.se/
www.ero.dk/ecc
PCS
GSM
300GHz
• Electromagnetic Spectrum
microwaves
902MHZ
928MHz
VA Course
Karlstad University
2.4GHz-2.5GHz
IEEE 802.11b
IEEE 802.11g
5.725GHz
5.875GHz
IEEE802.11a
10
27/03/2006
Transmission Mechanisms
• Narrow Band
– all signal power is concentrated in a narrow spectrum band
• Spread Spectrum -SS
– the signal power is spread in the spectrum
11
VA Course
Karlstad University
27/03/2006
Spread Spectrum
• Direct Sequence (DS-SS)
– the signal is multiplied by a code
signal spreading
si(t)=(2.Pi)-1/2.di(t).pi(t).cos(0.t+ i)
code
– the signal is retrieved multiplying it the same code
– anti jamming properties
– low probability of interception
• low amplitude signal
VA Course
Karlstad University
even below noise level!
12
27/03/2006
Spread Spectrum
• Direct Sequence (DS-SS)
pi(t)
(2.Pi)-1/2.di(t).cos(0.t+
Original
Narrowband
Signal
i)
pi(t)
code

code
spread
signal

(2.Pi)-1/2.di(t).cos(0.t+ i)
Received
Narrowband
Signal
(2.Pi)-1/2.di(t).pi(t).cos(0.t+ i)
spread
waveform
noise
noise
noise
13
VA Course
Karlstad University
27/03/2006
IEEE 802.11 PHY
• Several different PHY layers
MAC Layer
MAC
2.4 GHz
FH-SS
1 Mbps
2 Mbps
2.4 GHz
DS-SS
1 Mbps
2 Mbps
IEEE 802.11
VA Course
Karlstad University
Infrared
1 Mbps
2 Mbps
2.4 GHz
5 GHz
DS-SS
OFDM
OFDM
6, 9, 12, 18,
max 11 Mbps 24, 36, 48,
max 54 Mbps 54 Mbps
IEEE
802.11b
802.11g
IEEE
802.11a
14
27/03/2006
IEEE 802.11 PHY DS-SS
• DS-SS: Direct Sequence – Spread Spectrum
5
10
4
14
9
3
8
2
13
7
1
12
6
11
2497
2492
2487
2482
2477
2472
2467
2462
2457
2452
2447
2442
2437
2432
2427
2422
2417
2412
2400
MHz
15
VA Course
Karlstad University
27/03/2006
IEEE 802.11 PHY OFDM
• OFDM: Orthogonal Frequency Division Multiplexing
• multiple transmissions at the same time
• 4 overlayering carriers
no interference among the carriers
maximum
minimum
OFDM
16
VA Course
Karlstad University
27/03/2006
IEEE 802.11 PHY
• Channels and Channel reuse
11
1
• Europe*, USA
1
6
6
VA Course
Karlstad University
11
1
11
1
6
11
6
1
6
11
1
11
1
6
17
* except France, Spain
27/03/2006
IEEE 802.11 MAC
• MAC Layer - Medium Access
• medium access without contention
• medium access with contention
random backoff mechanism
• ACK and retransmission
PCF
MAC
DCF
Point
Coordination
Function
Distributed
Coordination
Function
18
VA Course
Karlstad University
27/03/2006
IEEE 802.11 MAC
• Point Coordination Function (PCF)
• the Access Point (AP) defines medium access
• only for infrastructure wireless networks (optional)
• polling among STA
contention-free medium access
• Distributed Coordination Function (DCF)
• all station (STA)
• CSMA/CA
Carrier Sense Multiple Access / Collision Avoidance
• RTS/CTS mechanism
19
VA Course
Karlstad University
27/03/2006
IEEE 802.11 CSMA/CA
• Physical Carrier Sense (PHY)
• checks if the physical medium is free
• Virtual Carrier Sense
• to solve the “hidden-node” problem!
• use of RTS and CTS frames
Duration/ID field defines the reserved period of time
NAV
Network Allocation Vector
stores the reservation information
implemented as a counter
VA Course
Karlstad University
20
27/03/2006
IEEE 802.11 CSMA/CA
• Virtual Carrier Sense
PIFS – PCF IFS - 10µs
SIFS – Short IFS - 30µs
DIFS – DCF IFS - 50µs
DS-SS
timings
21
VA Course
Karlstad University
27/03/2006
IEEE 802.11 CSMA/CA
• Random backoff mechanism
• after transmission
DIFS (DFC interframe space)
• if a STA wants to transmit and the medium is free
immediate access (>= DIFS)
• if a STA wants to transmit and the medium is not free
wait for DIFS + random period (contention window)
22
VA Course
Karlstad University
* Networking Computing
27/03/2006
IEEE 802.11 CSMA/CA
• Backoff mechanism (contention window)
DIFS
STA A
STA B
DIFS
DIFS
DIFS
Frame Contention
Wait
Frame
Backoff
Wait
Frame
STA C
STA D
STA E
Wait
Cont.
Frame
Wait
Cont.
Frame
Cont.
23
VA Course
Karlstad University
27/03/2006
Risks in IEEE 802.11 networks
• Risks? Is it really not secure?
•
•
•
•
rogue clients logging in into your networks
wireless eavesdropping and network intrusion
non-authorized / rogue AP and cloned AP
bad configuration
Attacker
AP
Cloned AP
Rogue AP
VA Course
Karlstad University
Enterprise LAN
24
27/03/2006
IEEE 802.11 Security
• Data link security (L2)
between AP and STA or STA and STA (ad hoc mode)
IEEE 802.11 WEP (Wired Equivalent Privacy)
is WEP really that bad?
Wi-Fi Alliance’s WPA (Wi-Fi Protected Access)
is WPA enough?
IEEE 802.11i amendment and WPA2
are we finally secure?
25
VA Course
Karlstad University
27/03/2006
Wired Equivalent Privacy - WEP
• the security goals of IEEE 802.11 were:
– Authentication
– Confidentiality
– Data Integrity
• WEP
introduced in the original IEEE 802.11 standard
• designed to protect authorized users from casual eavesdropping
• optional security add-on to achieve confidentiality
• WEP assumes that AP and clients have shared-keys
26
VA Course
Karlstad University
27/03/2006
Wired Equivalent Privacy - WEP
• WEP Confidentiality and Integrity in the Data Link Layer
• but what is WEP?
“a form of ECB* in which a a block of plaintext is bitwised XORed with a
pseudorandom key sequence of equal length”
• WEP key (PRNG input)
a 40-bit long shared secret
+ 24-bit long IV
PRNG input is
64-bit long
• Data integrity
with CRC-32
MAC
VA Course
Karlstad University
IV
Ciphered Payload
CRC
27
*Electronic Code Book
27/03/2006
Ciphering with WEP
Initialization
Vector (IV)
24 bits
IV
Secret
Key
40 bits
||
Seed
64 bits
WEP
PRNG
(RC4)
Key
Sequence
Ciphertext
PK=C
Plaintext
CRC-32
VA Course
Karlstad University

Output
32 bits
Integrity
Check Value
(ICV)
||
|| - concatenation
28
 - bitwise XOR
27/03/2006
Deciphering with WEP
CK=PKK=P
Secret
Key
40 bits
IV
Input
IV
Ciphertext
||
24 bits
Seed
64 bits
WEP
PRNG
(RC4)
Plaintext
Key
Sequence

CRC-32
Ciphertext
ICV
VA Course
Karlstad University
?
=
ICV’
|| - concatenation
29
 - bitwise XOR
27/03/2006
WEP Authentication
• WEP authentication modes
– Open System
null authentication
– Shared Key
based on WEP
STA
request
challenge: (M)
STA
or AP
response: EWEP(M)
OK / NOK
30
VA Course
Karlstad University
27/03/2006
Early comments on WEP
• the use of shared-keys in WEP
• network security management problem
• shared keys are not long enough (40bits)
• brute force attacks (feasible, but takes time)
just increase the key length to 104bits!
31
VA Course
Karlstad University
27/03/2006
Overview of the WEP Insecurity
• March 2000: Simon, Aboba and Moore
• several flaws in WEP design
• October 2000: Walker
• limited IV space leads to IV reuse problem
• July 2001: Borisov, Goldberg and Wagner
• practical attacks to cause known plaintext to be transmitted
• March 2001: Arbaugh et al.
• trivial to obtain a keystream
• August 2001: the Fluhrer, Mantin and Shamir attack
• weakness in RC4 key scheduling algorithm
and the popular cracking tools for IEEE 802.11 networks secured with WEP…
32
VA Course
Karlstad University
27/03/2006
Simon, Aboba and Moore (Microsoft)
• NIC authentication only
• lost NICs / device
no user authentication
huge security management problem
• shared-key authentication is not mutual
• rogue AP
MitM attacks
• ICV is not keyed
• no guarantee of data integrity
• known plaintext attacks
recover the keystream for a given IV
CP=PKP=K
33
VA Course
Karlstad University
27/03/2006
J. Walker (Microsoft)
• WEP mechanism unsafe at any key size (24-bit long IV)
• only 224 values can be derived from a WEP key
• IV reuse can lead to data decryption without the secret key
• no policy for IV selection on AP
Initialization
Vector (IV)
24 bits
Secret
Key
40 bits
||
Seed
64 bits
C  C’ = P  K  P’  K = P  P’
WEP
PRNG
(RC4)
Key
Sequence
K
34
VA Course
Karlstad University
27/03/2006
Borisov, Goldberg and Wagner (UCB)
• IV dictionaries are independent of the key size (224 entries)
• practical ways to cause known plaintext to be transmitted
• broadcasted datagrams
obtain a RC4 keystream
• Message modification
• CRC-32 is a linear function of the message
C’ = C  ( Δ || c(Δ) )
• Message injection and authentication spoofing
• one RC4 keystream needed
VA Course
Karlstad University
35
27/03/2006
Arbaugh et al. (UMD)
• trivial to obtain a keystream
• shared-key authentication 2nd frame and 3rd frame
STA
request
challenge: (M)
STA
or AP
Plaintext
response: EWEP(M)
Ciphertext
OK / NOK
CP=PKP=K
RC4 keystream
VA Course
Karlstad University
36
27/03/2006
Fluhrer, Mantin and Shamir
• weakeness in RC4 key scheduling algorithm
• large class of weak keys
collecting weakened packets
• derive the first byte of the RC4 output
Seed
Known
Secret
24 bits
+
40 bits
RC4
KSA
PRGA
Key
Sequence
• Stubblefield, Ioannidis and Rubin
effectiveness of the attack
ca. 106 packets to retrieve a key
37
VA Course
Karlstad University
27/03/2006
Attack Tools on WEP
•
Fluhrer, Mantin and Shamir Implemented
AirSnort
http://airsnort.shmoo.com/
WEPCrack
http://sourceforge.net/projects/wepcrack/
•
wesside - a fragmentation-based attack tool from UCL
http://www.cs.ucl.ac.uk/staff/A.Bittau/frag-0.1.tgz
39
VA Course
Karlstad University
27/03/2006
Vendors’ Countermeasures
• Increasing the secret key length to 104 bits
innocuous:: WEP is insecure at any key-size
• MAC filtering
MAC spoofing is easily achievable
• suppressing of SSID broadcasts
network will be detected (management datagrams)
• the vendors’ patch
blocking potentially harmful IV
reduced the IV space even more
legacy hosts compromise the solution
VA Course
Karlstad University
40
27/03/2006
Wi-Fi Protected Access (WPA)
• WPA (Wi-Fi Protected Access)
• recommendation to improve security in IEEE 802.11 networks
• published in April 2003
added as subset of IEEE 802.11i for backward compatibility
firmware upgrade only is needed
• WPA encryption:
Temporal Key Integrity Protocol
VA Course
Karlstad University
wrapper over WEP
• WPA has two authentication modes:
Enterprise Mode (Authentication Server is needed)
SOHO Mode (using shared-keys)
41
27/03/2006
WPA Encryption with TKIP
• TKIP enhancements over WEP are:
• a keyed data integrity protocol (MIC – Message Integrity Protocol)
MICHAEL
64-bit long keys, calculated over the MSDU
• re-keying mechanism to provide fresh keys
encryption keys for different purposes
• per packet mixing function
prevent weak key attacks
MAC of the destination is mixed to the temporal key
• a discipline for IV sequencing
prevent IV reuse
IV counter is reseted after the establishment of fresh keys
42
VA Course
Karlstad University
27/03/2006
WPA Authentication Enterprise Mode
• Authentication Server provides:
• key management and
• authentication according to the EAP
• EAPOL (IEEE 802.1X) is needed
• IEEE 802.1X defines a port-based network control method
authenticator
AP
supplicant
STA
wired
medium
wireless
medium
AS
EAP authentication mechanism
EAP
VA Course
Karlstad University
EAPoL (IEEE 802.1X)
RADIUS
43
27/03/2006
IEEE 802.1X Authentication with TLS
STA
EAPoL
AP
RADIUS
AS
802.1X/EAP Req. ID
802.1X/EAP Resp. ID
calculate PMK*
RADIUS Access Req. /
EAP - Resp. ID
EAP-TLS Mutual Authentication
calculate PMK*
RADIUS Accept + PMK
802.1X/EAP-Success
PMK
TLS-PseudoRandomFunction( PreMasterKey, “master secret” || random1 || random2 )
44
VA Course
Karlstad University
*TLS-PRF( MasterKey, “client EAP encryption” || random1 || random2 )
27/03/2006
WPA Authentication SOHO Mode
• using Pre-Shared Keys (PSK)
• shared keys between the AP and STA
• useful solution for smaller networks
• no need for an authentication server
• PSK is vulnerable to dictionary attacks
• coWPAtty
http://sourceforge.net/projects/cowpatty
45
VA Course
Karlstad University
27/03/2006
IEEE 802.11i
• IEEE 802.11i is an amendment to the IEEE 802.11 standard
• several components are external to the IEEE 802.11 standard
IEEE 802.11i protect data frames
EAPoL (IEEE 802.1X) provides authentication
key establishment and distribution
• RSNA - Robust Secure Network Association
• defined as a type of association to secure wireless networks
46
VA Course
Karlstad University
27/03/2006
RSNA
• RSNA defines:
•
•
•
•
key hierarchy and key management algorithms;
a cryptographic key establishment;
enhanced authentication mechanisms;
enhanced data encapsulation mechanism: CTR with CBC-MAC
Counter Mode with Cipher Block Chaining with Message
Authentication Code (CBC-MAC) Protocol.
• TKIP is included for systems not full compliant with RSNA
• Open-System Authentication is kept;
• WEP is supported only for interoperability with legacy systems.
47
VA Course
Karlstad University
27/03/2006
RSNA Security Algorithm Classes
• RSNA algorithms
• data confidentiality protocols
• network architecture for authentication (based on IEEE 802.1X)
• key hierarchy, key setting and distribution method
• Pre-RSNA algorithms
• WEP and IEEE 802.11 Open System Authentication
48
VA Course
Karlstad University
27/03/2006
RSN and TSN
• RSN Information Element (IE) Beacon Frames
• RSN IE Group Key Field Suite indicates the network type
• Robust Secure Networks (RSN)
• RSNA only networks
• Transient Secure Networks (TSN)
• allows both Pre-RSNA networks (WEP) and RSNA networks
49
VA Course
Karlstad University
27/03/2006
RSNA Operational Phases
AS
STA
AP
Discovery
Authentication (IEEE 802.1X)
Key Management
Key Distribution
Data Transfer
(protected)
50
VA Course
Karlstad University
27/03/2006
RSNA Discovery Phase
• Discover of an AP SSID by an STA
• RSN IE frames
• Definition of:
• authentication, key management and cryptographic suite
• cipher suite selectors include:
WEP-40, WEP-104, TKIP, CCMP, and vendor specifics
51
VA Course
Karlstad University
27/03/2006
RSNA Key Hierarchy and Distribution
• RSNA key hierarchies
• unicast traffic
pairwise hierarchy
• multicast and broadcast traffic
group temporal key hierarchy
• RSNA key distribution
• 4-way handshake
52
VA Course
Karlstad University
27/03/2006
RSNA Pairwise Key Hierarchy
product of the
IEEE802.1X
authentication
positive access
decision
AAA
Key
first
256 bits
Pre-Shared
Key (PSK)
256 bits
OR
Pairwise Master Key
(PMK)
256 bits
authorization to
the IEEE802.11
medium
PRF
Pairwise Transient Key
(PTK)
384 or 512
bits
53
VA Course
Karlstad University
27/03/2006
Pairwise Transient Key
Pairwise Transient Key
(PTK)
KCK
0
KEK
127
128
Temporal Key
255 256
n
(383 or 512)
• KCK (Key Confirmation Key) confirms the possession of the PMK
• KEK (Key Encryption Key)
for the distribution of group keys
• TK (Temporal Key)
for data confidentiality
54
VA Course
Karlstad University
27/03/2006
RSNA Group Key Hierarchy
Group Master
Key (GMK)
nonceAS
AS address
chosen by the
authenticator
PRF
CCMP
Group Temporal
Key (GTK)
128 or
256 bits
TKIP
55
VA Course
Karlstad University
27/03/2006
4-Way Handshake
• PTK setting and GTK distribution
•
•
•
•
confirm that a live peer holds the PMK and the PMK is current
derive a fresh PTK from the PMK
install encryption and integrity keys
confirm the cipher suite
56
VA Course
Karlstad University
27/03/2006
4-Way Handshake
PMK
generate nonceSTA
Supplicant
STA
Authenticator
AP
EAPoL-Key ( nonceAP )
PMK
generate nonceAP
nonceAP
derive PTK
EAPoL-Key ( nonceSTA , MIC )
nonceSTA
EAPoL-Key ( Install PTK, MIC, EKEK[GTK] )
generate
derive PTK GTK*
EAPOL-Key ( MIC )
install
PTK and GTK
VA Course
Karlstad University
install
PTK
57
*if needed
27/03/2006
RSNA Confidentiality & Integrity
• RSNA defines:
• TKIP
• CCMP
should only be used when CCMP is not available
mandatory for full compliance
• CCMP
• based on AES on CCM mode
provable secure
• CCM uses a single 128-bit key for both data encryption and MIC
• requires a fresh TK for every session, and a unique nonce per
frame
48-bit packet number (PN) field
58
VA Course
Karlstad University
27/03/2006
RSNA Confidentiality & Integrity
• TKIP + MICHAEL
• CCMP
•
•
•
•
AES based
confidentiality, authentication, integrity and replay protection
128-bit long key for both data encryption and MIC computing
a fresh Temporal Key (TK) is needed for every session
59
VA Course
Karlstad University
27/03/2006
MIC*
Michael
DA
SA
Payload
• MICHAEL
TKIP
MIC
8 bytes
KCK
MIC
padding
• CBC-MAC**
CCMP
DA SA
0
…
BK
B1
IV
AES
Payload
0
…
BR
BK+1
…
KCK
VA Course
Karlstad University
padding
*Calculated using MSDU - WEP uses the MPDU only
MIC
AES
AES
KCK
KCK
60
** Counter Mode with Cipher Block Chaining (CBC)