IEEE 802.11b WLAN SECURITY VULNERABILITIES

WIRELESS LAN SECURITY AND LABORATORY DESIGNS
Yasir Zahur
T. Andrew Yang
University of Houston – Clear Lake
17th CCSC Southeastern Conference
Georgia Perimeter College - Dunwoody, GA
CCSCSE 2003
1

Agenda
• Introduction
• Standards & Specifications
• Vulnerabilities
• Alternate Security Solutions
• Laboratory Setup

Where Does WLAN Fit?

Source: http://www.jiwire.com/?cid=95&kw=802.11&se=google (Nov. 6, 2003)
Traveler's Quick Finder, browse by location:
• Free Hotspots: 510 hotspots
• Hotels: 5,910 hotspots
• Airports: 432 hotspots
• Cafes: 5,344 hotspots

Growth of WLAN

Infrastructure Mode of WLAN

Typical WLAN Architecture

IEEE 802.11 Standards

Standard | Description | Current Status
IEEE 802.11 | Standard for WLAN operations at data rates up to 2 Mbps in the 2.4-GHz ISM band | Approved in July 1997
IEEE 802.11a | Standard for WLAN operations at data rates up to 54 Mbps in the 5-GHz UNII band | Approved in Sept 1999. End-user products began shipping in early 2002
IEEE 802.11b | Standard for WLAN operations at data rates up to 11 Mbps in the 2.4-GHz ISM band | Sept 1999. End-user products began shipping in early 2000
IEEE 802.11g | High-rate extension to 802.11b allowing for data rates up to 54 Mbps in the 2.4-GHz ISM band | Draft standard adopted Nov 2001. Full ratification expected late 2002 or early 2003
IEEE 802.11e | Enhance the 802.11 MAC to improve and manage Quality of Service, provide classes of service, and enhanced security and authentication mechanisms. These enhancements should provide the quality required for services such as IP telephony and video streaming | Still in development, i.e., in the task group (TG) stage
IEEE 802.11f | Develop recommended practices for an Inter-Access Point Protocol (IAPP) which provides the necessary capabilities to achieve multi-vendor AP interoperability across a DS supporting IEEE P802.11 Wireless LAN Links | Still in development, i.e., in the task group (TG) stage
IEEE 802.11i | Enhance the 802.11 Medium Access Control (MAC) to enhance security and authentication mechanisms | Still in development, i.e., in the task group (TG) stage

Interferences (802.11b)
Sources of interference in the 2.4 GHz band shown around the access point: cordless phone, some other wireless network, microwave oven.

IEEE 802.11b Specifications (a brief overview)
• Transmission of approximately 11 Mbps of data
• Half-duplex protocol
• Use of CSMA/CA (collision avoidance) instead of CSMA/CD (collision detection)
• Total of 14 frequency channels. FCC allows channels 1 through 11 within the U.S. in the 2.4 GHz ISM band
• Only channels 1, 6 and 11 can be used without causing interference between access points
• Wired Equivalent Privacy (WEP) based on the symmetric RC4 encryption algorithm
• Use of Service Set Identifier (SSID) as network identifier

General WLAN Vulnerabilities
• Eavesdropping
• Invasion and Resource Stealing
• Traffic Redirection
• Denial Of Service Attack
• Rogue Access Point
• No per-packet authentication
• No central authentication, authorization, and accounting (AAA) support

802.11b Vulnerabilities
• MAC address based authentication
• One-Way authentication
• SSID
• Static WEP Keys
• WEP key vulnerabilities
  o Manual Key Management
  o Key Size
  o Initialization Vector
  o Decryption Dictionaries

WEP Encryption

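The following is an added example, not part of the slides or the authors' lab material: a toy model of WEP frame encapsulation (IV in the clear, then RC4 keyed with IV || static key over plaintext || CRC-32 ICV) that illustrates the "WEP Encryption" figure and the "Static WEP Keys", "Initialization Vector" and "Decryption Dictionaries" bullets above. RC4 is implemented inline; the key, IVs, messages and frame rate are constructed values, and the function names are assumptions made here.

```python
# Added example, not from the slides: a toy model of WEP encapsulation used to
# show why a 24-bit IV combined with a static key is the weak point.
# Frame layout IV || RC4_{IV||key}(plaintext || CRC-32 ICV) follows WEP;
# key, IVs and messages below are constructed for the example.
import struct
import zlib
from typing import Tuple

IV_BITS = 24
IV_SPACE = 1 << IV_BITS        # 16,777,216 IVs before a static key must reuse one


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key scheduling plus generator; WEP seeds it with IV || static key."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, no key involved."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return the WEP frame body: 3-byte IV in the clear, then RC4(plaintext || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = plaintext + _icv(plaintext)
    ks = rc4_keystream(iv + key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, ks))


def wep_decrypt(key: bytes, frame: bytes) -> Tuple[bytes, bool]:
    """Return (plaintext, icv_ok). A CRC-32 ICV detects noise, not deliberate change."""
    iv, body = frame[:3], frame[3:]
    clear = bytes(a ^ b for a, b in zip(body, rc4_keystream(iv + key, len(body))))
    plaintext, icv = clear[:-4], clear[-4:]
    return plaintext, _icv(plaintext) == icv


def seconds_until_iv_reuse(frames_per_second: float) -> float:
    """Best case (sequential IVs): how long one static key lasts before an IV repeats.
    The frame rate is a parameter because the slides do not state one."""
    return IV_SPACE / frames_per_second


def keystream_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same static key and IV share one keystream, so
    C1 XOR C2 == P1 XOR P2 and the key drops out of the relation entirely.
    This is the property that makes static keys with a 24-bit IV unsafe."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


if __name__ == "__main__":
    KEY = b"\x01\x02\x03\x04\x05"              # constructed 40-bit key ("Key Size" bullet)
    frame = wep_encrypt(KEY, b"\x00\x00\x01", b"hello, wlan")
    print(wep_decrypt(KEY, frame))
    print("hours per key at 1000 frames/s:", seconds_until_iv_reuse(1000.0) / 3600)
```

With a 40-bit key and a 24-bit IV, a busy access point cycles through every IV in a matter of hours, and a table of keystreams indexed by IV (the "Decryption Dictionaries" bullet) can never need more than IV_SPACE entries per static key. Once an IV repeats under the same key, keystream_reuse_leak shows that the XOR of two ciphertexts no longer depends on the key at all, which is why the dynamic session keys of 802.1x and LEAP's per-session keys, rather than a longer static key, are the relevant fix.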
IEEE 802.1x
• IEEE 802.1x is a port-based authentication protocol.
• It forms the basis for the IEEE 802.11i standard.
• There are three different types of entities in a typical 802.1x network: a supplicant, an authenticator, and an authentication server.
• In an unauthorized state, the port allows only DHCP and EAP (Extensible Authentication Protocol) traffic to pass through.

EAPOL Exchange

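Added example, not from the slides: a small Python model of the authenticator's controlled and uncontrolled ports and of the EAPOL exchange sketched in the "IEEE 802.1x" and "EAPOL Exchange" slides. The EtherType, EAPOL packet type and EAP code values are the real ones from IEEE 802.1X and RFC 3748; the Frame and AuthenticatorPort classes, toy_auth_server, the identities and the function names are assumptions made for this example.

```python
# Added example, not part of the slides: a minimal model of an IEEE 802.1X
# authenticator port. The uncontrolled port always accepts EAPOL; the
# controlled port forwards ordinary traffic only while the port is authorized.
# Class names, toy_auth_server and identities are assumptions for the example.
from dataclasses import dataclass, field
from typing import List, Optional

ETH_EAPOL = 0x888E           # EtherType carrying EAPOL (IEEE 802.1X)
ETH_IPV4 = 0x0800            # ordinary data traffic, e.g. the user's IP packets

# EAPOL packet types (IEEE 802.1X) and EAP codes (RFC 3748)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4

# EtherTypes forwarded even before authorization. This model passes only EAPOL;
# the slide also lists DHCP, so add the matching EtherType here to model that.
PASS_BEFORE_AUTH = frozenset()


@dataclass
class Frame:
    ethertype: int
    eapol_type: Optional[int] = None   # set only for EAPOL frames
    eap_code: Optional[int] = None     # set only for EAPOL-EAP packets
    payload: str = ""


@dataclass
class AuthenticatorPort:
    """The authenticator's view of one supplicant's port."""
    authorized: bool = False
    to_supplicant: List[Frame] = field(default_factory=list)   # frames the authenticator emits
    to_auth_server: List[Frame] = field(default_factory=list)  # EAP relayed to the AAA server
    dropped: List[Frame] = field(default_factory=list)

    def receive_from_supplicant(self, f: Frame) -> bool:
        """Return True if the frame is forwarded to the protected network."""
        if f.ethertype == ETH_EAPOL:
            self._handle_eapol(f)      # uncontrolled port: always processed, never forwarded
            return False
        if self.authorized or f.ethertype in PASS_BEFORE_AUTH:
            return True                # controlled port open
        self.dropped.append(f)         # controlled port closed: everything else is discarded
        return False

    def _handle_eapol(self, f: Frame) -> None:
        if f.eapol_type == EAPOL_START:
            self.to_supplicant.append(
                Frame(ETH_EAPOL, EAPOL_EAP_PACKET, EAP_REQUEST, "Identity"))
        elif f.eapol_type == EAPOL_LOGOFF:
            self.authorized = False    # supplicant leaves: close the controlled port
        elif f.eapol_type == EAPOL_EAP_PACKET and f.eap_code == EAP_RESPONSE:
            self.to_auth_server.append(f)   # the authenticator only relays EAP

    def receive_from_auth_server(self, eap_code: int) -> None:
        """The final EAP result from the authentication server decides the port state."""
        self.authorized = (eap_code == EAP_SUCCESS)
        self.to_supplicant.append(Frame(ETH_EAPOL, EAPOL_EAP_PACKET, eap_code))


def toy_auth_server(identity: str, accepted) -> int:
    """Stand-in for the AAA/RADIUS server: accept only known identities.
    (Assumption for the example; a real server runs a full EAP method.)"""
    return EAP_SUCCESS if identity in accepted else EAP_FAILURE


def run_exchange(identity: str, accepted=frozenset({"alice@example.edu"})) -> AuthenticatorPort:
    """Drive one supplicant through EAPOL-Start, Identity exchange and server decision."""
    port = AuthenticatorPort()
    port.receive_from_supplicant(Frame(ETH_IPV4, payload="user traffic"))  # dropped: not yet authorized
    port.receive_from_supplicant(Frame(ETH_EAPOL, EAPOL_START))            # authenticator asks for Identity
    port.receive_from_supplicant(
        Frame(ETH_EAPOL, EAPOL_EAP_PACKET, EAP_RESPONSE, identity))       # relayed to the server
    port.receive_from_auth_server(toy_auth_server(identity, accepted))
    return port


if __name__ == "__main__":
    p = run_exchange("alice@example.edu")
    print("authorized:", p.authorized, "dropped before auth:", len(p.dropped))
```

Note what the model does not do: nothing the supplicant receives is authenticated, so a supplicant that accepts an EAP-Success from whichever authenticator answers its EAPOL-Start is exactly the trust asymmetry the "Absence Of Mutual Authentication" slide describes. EAP methods that authenticate the server to the supplicant (EAP-TLS, PEAP) and the 802.11i key handshake, which binds the session to keys both sides derive, are the standard mitigations.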
IEEE 802.1x – Pros / Cons
Pros:
• Dynamic Session Key Management
• Open Standards Based
• Centralized User Administration
• User Based Identification
Cons:
• Absence Of Mutual Authentication
• Lack of clear communication between 802.11 and 802.11i state machines and message authenticity

Absence Of Mutual Authentication
• Supplicant always trusts the Authenticator but not vice versa
• This opens the door for a "MAN IN THE MIDDLE ATTACK"

Session Hijack Attack
(figure: 802.11 State Machine and 802.11i State Machine)

Session Hijack Attack (…cont)

Alternate Solutions
• Virtual Private Networks (VPN)
  o User Authentication
  o Encryption
• Cisco LEAP
  o Mutual Authentication
  o Per-Session based Keys
• Secure Socket Layer (SSL)
  o Encryption
  o Digital Certificates

WEP Attack

Man In The Middle & Session Hijack Attacks

Cisco LEAP Setup
LEAP Enabled Client <-> LEAP Enabled Access Point <-> AAA Server

VPN Setup
VPN Client <-> Pass Through Access Point <-> VPN Server

SSL Setup
SSL Client <-> Pass Through Access Point <-> SSL Server

A Specialized Computer Security Lab
• NSF CCLI A&I grant: 2003-2005
• Two Focuses:
  a) DCSL: Distributed Computer Security Lab
     o Between UHCL and UHD
     o Possibly extended to other small or medium-sized colleges
     o Customizable testbed for various security-related experiments/projects
  b) Module-based Computer Security Courseware Design
     o On-going
     o Looking for collaborators, courseware developers, users, …

Computer Security Courseware
  b) Module-based Computer Security Courseware Design
     o Units: Modules, submodules, artifacts, …
