Wireless LAN Security

Network Security
Lecture 8
Wireless LAN Security
WLAN Security
1
WLAN Security - Contents
> Wireless LAN 802.11
> Technology
> Security History
> Vulnerabilities
> Demonstration
Wireless LANs
> IEEE ratified 802.11 in 1997.
> Also known as Wi-Fi.
> Wireless LAN at 1 Mbps & 2 Mbps.
> WECA (Wireless Ethernet Compatibility
Alliance) promoted Interoperability.
> Now Wi-Fi Alliance
> 802.11 focuses on Layer 1 & Layer 2 of
OSI model.
> Physical layer
> Data link layer
802.11 Components
> Two pieces of equipment defined:
> Wireless station
> A desktop or laptop PC or PDA with a wireless NIC.
> Access point
> A bridge between wireless and wired networks
> Composed of
> Radio
> Wired network interface (usually 802.3)
> Bridging software
> Aggregates access for multiple wireless stations to wired network.
802.11 modes
> Infrastructure mode
> Basic Service Set
> One access point
> Extended Service Set
> Two or more BSSs forming a single subnet.
> Most corporate LANs in this mode.
> Ad-hoc mode
> Also called peer-to-peer.
> Independent Basic Service Set
> Set of 802.11 wireless stations that communicate
directly without an access point.
> Useful for quick & easy wireless networks.
Infrastructure mode (diagram): an Access Point serving Stations; a Basic Service Set (BSS) is a single cell, an Extended Service Set (ESS) is multiple cells.
Ad-hoc mode (diagram): Independent Basic Service Set (IBSS), stations communicating directly with no access point.
802.11 Physical Layer
> Originally three alternative physical
layers
> Two incompatible spread-spectrum radios in the 2.4 GHz ISM band
>Frequency Hopping Spread Spectrum (FHSS)
> 75 channels
>Direct Sequence Spread Spectrum (DSSS)
> 14 channels (11 channels in US)
> One diffuse infrared layer
> 802.11 speed
> 1 Mbps or 2 Mbps.
802.11 Data Link Layer
> Layer 2 split into:
> Logical Link Control (LLC).
> Media Access Control (MAC).
> LLC - same 48-bit addresses as 802.3.
> MAC - CSMA/CD not possible.
> Can’t listen for collision while transmitting.
> CSMA/CA – Collision Avoidance.
> Sender waits for clear air, waits random time, then
sends data.
> Receiver sends explicit ACK when data arrives intact.
> Also handles interference.
> But adds overhead.
> 802.11 always slower than equivalent 802.3.
Hidden nodes (diagram)
RTS / CTS
> To handle hidden nodes
> Sending station sends
> “Request to Send”
> Access point responds with
> “Clear to Send”
> All other stations hear this and delay any
transmissions.
> Only used for larger pieces of data.
> When retransmission may waste significant
time.
802.11b
> 802.11b ratified in 1999 adding 5.5 Mbps and
11 Mbps.
> DSSS as physical layer.
> 11 channels (3 non-overlapping)
> Dynamic rate shifting.
> Transparent to higher layers
> Ideally 11 Mbps.
> Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
> Higher ranges.
> Interference.
> Shifts back up when possible.
> Maximum specified range 100 metres
> Average throughput of 4 Mbps
Joining a BSS
> When 802.11 client enters range of one
or more APs
> APs send beacons.
> AP beacon can include SSID.
> AP chosen on signal strength and observed
error rates.
> After AP accepts client.
> Client tunes to AP channel.
> Periodically, all channels surveyed.
> To check for stronger or more reliable APs.
> If found, reassociates with new AP.
Access Point Roaming (diagram): neighbouring cells on channels 1, 4, 9 and 7.
Roaming and Channels
> Reassociation with APs
> Moving out of range.
> High error rates.
> High network traffic.
> Allows load balancing.
> Each AP has a channel.
> 14 partially overlapping channels.
> Only three channels that have no overlap.
> Best for multicell coverage.
802.11a
> 802.11a ratified in 2001
> Supports up to 54 Mbps in 5 GHz range.
> Higher frequency limits the range
> Regulated frequency reduces interference
from other devices
> 12 non-overlapping channels
> Usable range of 30 metres
> Average throughput of 30 Mbps
> Not backwards compatible
802.11g
> 802.11g ratified in 2002
> Supports up to 54 Mbps in 2.4 GHz range.
> Backwards compatible with 802.11b
> 3 non-overlapping channels
> Range similar to 802.11b
> Average throughput of 30 Mbps
> 802.11n due for November 2006
> Aiming for maximum 200 Mbps with average 100 Mbps
Open System Authentication
> Service Set Identifier (SSID)
> Station must specify SSID to Access
Point when requesting association.
> Multiple APs with same SSID form
Extended Service Set.
> APs can broadcast their SSID.
> Some clients allow * as SSID.
> Associates with strongest AP regardless of
SSID.
MAC ACLs and SSID hiding
> Access points have Access Control Lists (ACL).
> ACL is list of allowed MAC addresses.
> E.g. Allow access to:
> 00:01:42:0E:12:1F
> 00:01:42:F1:72:AE
> 00:01:42:4F:E2:01
> But MAC addresses are sniffable and
spoofable.
> AP Beacons without SSID
> Essid_jack
> sends deauthenticate frames to client
> SSID then displayed when client sends reauthenticate
frames
Interception Range (diagram): a station outside the building perimeter is still inside the Basic Service Set (BSS), a single cell.
Interception
> Wireless LAN uses radio signal.
> Not limited to physical building.
> Signal is weakened by:
> Walls
> Floors
> Interference
> Directional antenna allows interception
over longer distances.
Directional Antenna
> Directional antenna provides focused
reception.
> DIY plans available.
> Aluminium cake tin
> Chinese cooking sieve
> http://www.saunalahti.fi/~elepal/antennie.html
> http://www.usbwifi.orcon.net.nz/
WarDriving
> Software
> Netstumbler
> And many more
> Laptop
> 802.11b,g or a PC card
> Optional:
> Global Positioning System
> Car, bicycle, boat…
> Logging of MAC address, network name, SSID,
manufacturer, channel, signal strength, noise
(GPS - location).
WarDriving results
> San Francisco, 2001
> Maximum 55 miles per hour.
> 1500 Access Points
> 60% in default configuration.
> Most connected to internal backbones.
> 85% use Open System Authentication.
> Commercial directional antenna
> 25 mile range from hilltops.
> Peter Shipley - http://www.dis.org/filez/openlans.pdf
WarDriving map (diagram). Source: www.dis.org/wl/maps/
Worldwide War Drive 2004
> Fourth WWWD
> www.worldwidewaredrive.org
> 228,537 Access points
> 82,755 (35%) with default SSID
> 140,890 (60%) with Open System
Authentication
> 62,859 (27%) with both, probably default
configuration
Further issues
> Access Point configuration
> Mixtures of SNMP, web, serial, telnet.
> Default community strings, default passwords.
> Evil Twin Access Points
> Stronger signal, capture user
authentication.
> Renegade Access Points
> Unauthorised wireless LANs.
War Driving prosecutions
> February 2004, Texas, Stefan Puffer acquitted of
wrongful access after showing an unprotected county
WLAN to officials
> June 2004, North Carolina, Lowes DIY store
> Botbyl convicted for stealing credit card numbers via
unprotected WLAN
> Timmins convicted for checking email & web browsing via
unprotected WLAN
> June 2004, Connecticut, Myron Tereshchuk guilty of
drive-by extortion via unprotected WLANs
> “make the check payable to M.Tereshchuk”
> Sep 2004, Los Angeles, Nicholas Tombros guilty of
drive-by spamming via unprotected WLANs
802.11b Security Services
> Two security services provided:
> Authentication
> Shared Key Authentication
> Encryption
> Wired Equivalent Privacy
Wired Equivalent Privacy
> Shared key between
> Stations.
> An Access Point.
> Extended Service Set
> All Access Points will have same shared key.
> No key management
> Shared key entered manually into
> Stations
> Access points
> Key management nightmare in large wireless LANs
RC4
> Ron’s Code number 4
> Symmetric key encryption
> RSA Security Inc.
> Designed in 1987.
> Trade secret until leak in 1994.
> RC4 can use key sizes from 1 bit to
2048 bits.
> RC4 generates a stream of pseudo
random bits
> XORed with plaintext to create ciphertext.
WEP – Sending
> Compute Integrity Check Vector (ICV).
> Provides integrity
> 32 bit Cyclic Redundancy Check.
> Appended to message to create plaintext.
> Plaintext encrypted via RC4
> Provides confidentiality.
> Plaintext XORed with long key stream of pseudo
random bits.
> Key stream is function of
> 40-bit secret key
> 24 bit initialisation vector
> Ciphertext is transmitted.
WEP Encryption (diagram): the Initialisation Vector (IV) concatenated (||) with the Secret key is fed to the RC4 PRNG, which produces the Key stream; the Plaintext concatenated with its 32 bit CRC is XORed with the Key stream to give the Ciphertext; the IV is sent in the clear with the Ciphertext.
WEP – Receiving
> Ciphertext is received.
> Ciphertext decrypted via RC4
> Ciphertext XORed with long key stream of
pseudo random bits.
> Key stream is function of
> 40-bit secret key
> 24 bit initialisation vector (IV)
> Check ICV
> Separate ICV from message.
> Compute ICV for message
> Compare with received ICV
Shared Key Authentication
> When station requests association with Access
Point
> AP sends random number to station
> Station encrypts random number
> Uses RC4, 40 bit shared secret key & 24 bit IV
> Encrypted random number sent to AP
> AP decrypts received message
> Uses RC4, 40 bit shared secret key & 24 bit IV
> AP compares decrypted random number to
transmitted random number
> If numbers match, station has shared secret
key.
WEP Safeguards
> Shared secret key required for:
> Associating with an access point.
> Sending data.
> Receiving data.
> Messages are encrypted.
> Confidentiality.
> Messages have checksum.
> Integrity.
> But management traffic still broadcast
in clear containing SSID.
Initialisation Vector
> IV must be different for every message
transmitted.
> 802.11 standard doesn’t specify how IV
is calculated.
> Wireless cards use several methods
> Some use a simple ascending counter for
each message.
> Some switch between alternate ascending
and descending counters.
> Some use a pseudo random IV generator.
Passive WEP attack
> If 24 bit IV is an ascending counter,
> If Access Point transmits at 11 Mbps,
> All IVs are exhausted in roughly 5 hours.
> Passive attack:
> Attacker collects all traffic
> Attacker could collect two messages:
> Encrypted with same key and same IV
> Statistical attacks to reveal plaintext
> Plaintext XOR Ciphertext = Keystream
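The WEP sending and receiving steps, the shared key authentication exchange, and the reason a repeated IV breaks confidentiality, as an added worked example (not code from the lecture). The RC4 stream cipher, the CRC-32 ICV and the IV || secret key construction are WEP's own; the key, IVs, messages and the IVReuseMonitor helper are constructed for the demonstration.

```python
# WEP frame encapsulation, shared-key authentication and the IV-reuse leak.
# Added example, not code from the lecture. Keystream = RC4(IV || secret key),
# ICV = CRC-32 of the message; key, IVs and messages below are constructed.
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(message: bytes) -> bytes:
    """32 bit CRC integrity check value (little-endian, as 802.11 transmits it)."""
    return struct.pack("<I", zlib.crc32(message) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, message: bytes) -> bytes:
    """Sending: plaintext = message || ICV, XOR with RC4(IV || key); IV goes in clear."""
    if len(iv) != 3 or len(secret_key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit secret key")
    plaintext = message + icv(message)
    return iv + xor_bytes(plaintext, rc4_keystream(iv + secret_key, len(plaintext)))


def wep_decrypt(secret_key: bytes, frame: bytes):
    """Receiving: rebuild the keystream from the clear IV, XOR, then check the ICV."""
    iv, body = frame[:3], frame[3:]
    plaintext = xor_bytes(body, rc4_keystream(iv + secret_key, len(body)))
    message, received_icv = plaintext[:-4], plaintext[-4:]
    return message, icv(message) == received_icv


def shared_key_auth(station_key: bytes, ap_key: bytes, iv: bytes, challenge: bytes) -> bool:
    """AP sends a random challenge; station returns it WEP-encrypted; AP decrypts
    and compares. The exchange puts a plaintext/ciphertext pair on the air."""
    response = wep_encrypt(station_key, iv, challenge)   # station side
    decrypted, ok = wep_decrypt(ap_key, response)        # AP side
    return ok and decrypted == challenge


def plaintext_xor_from_iv_reuse(frame_a: bytes, frame_b: bytes):
    """Two frames under the same key and IV share one keystream, so it cancels:
    C_a XOR C_b = P_a XOR P_b. Returns None when the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor_bytes(frame_a[3:], frame_b[3:])


class IVReuseMonitor:
    """Defender-side check (constructed helper): flag an IV seen twice on one BSS."""

    def __init__(self):
        self.seen = set()

    def observe(self, bssid: str, frame: bytes) -> bool:
        """Return True when this frame's IV was already used on this BSS."""
        tag = (bssid, frame[:3])
        reused = tag in self.seen
        self.seen.add(tag)
        return reused


KEY = bytes.fromhex("0102030405")      # constructed 40-bit key for the demo

if __name__ == "__main__":
    frame = wep_encrypt(KEY, b"\x00\x00\x01", b"hello, WLAN")
    print(wep_decrypt(KEY, frame))
    print(shared_key_auth(KEY, KEY, b"\x00\x00\x02", bytes(range(16))))
    a = wep_encrypt(KEY, b"\x00\x00\x07", b"first message")
    b = wep_encrypt(KEY, b"\x00\x00\x07", b"other message")
    print(plaintext_xor_from_iv_reuse(a, b).hex())
    mon = IVReuseMonitor()
    print([mon.observe("00:01:42:0e:12:1f", f) for f in (a, b)])
```

Running the script shows the decrypt round trip succeeding, the authentication exchange passing, the XOR of two same-IV frames with the keystream cancelled out, and the monitor flagging the second frame. The monitor is the check a wireless IDS at the WLAN/backbone junction can make without knowing the key, since the IV is transmitted in the clear.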
Active WEP attack
> If attacker knows plaintext and
ciphertext pair
> Keystream is known.
> Attacker can create correctly encrypted
messages.
> Access Point is deceived into accepting
messages.
> Bitflipping
> Flip a bit in ciphertext
> Bit difference in CRC-32 can be computed
Limited WEP keys
> Some vendors allow limited WEP keys
> User types in a passphrase
> WEP key is generated from passphrase
> Passphrases creates only 21 bits of entropy
in 40 bit key.
> Reduces key strength to 21 bits = 2,097,152
> Remaining 19 bits are predictable.
> 21 bit key can be brute forced in minutes.
> www.lava.net/~newsham/wlan/WEP_password_cracker.ppt
Creating limited WEP keys (diagram)
Brute force key attack
> Capture ciphertext.
> IV is included in message.
> Search all 2^40 possible secret keys.
> 1,099,511,627,776 keys
> ~170 days on a modern laptop
> Find which key decrypts ciphertext to
plaintext.
128 bit WEP
> Vendors have extended WEP to 128 bit
keys.
> 104 bit secret key.
> 24 bit IV.
> Brute force takes 10^19 years for 104-bit key.
> Effectively safeguards against brute
force attacks.
Key Scheduling Weakness
> Paper from Fluhrer, Mantin, Shamir,
2001.
> Two weaknesses:
> Certain keys leak into key stream.
> Invariance weakness.
> If portion of PRNG input is exposed,
> Analysis of initial key stream allows key to be determined.
> IV weakness.
IV weakness
> WEP exposes part of PRNG input.
> IV is transmitted with message.
> Every wireless frame has reliable first byte
> Sub-network Access Protocol header (SNAP) used in
logical link control layer, upper sub-layer of data link
layer.
> First byte is 0xAA
> Attack is:
> Capture packets with weak IV
> First byte ciphertext XOR 0xAA = First byte key stream
> Can determine key from initial key stream
> Practical for 40 bit and 104 bit keys
> Passive attack.
> Non-intrusive.
> No warning.
Wepcrack
> First tool to demonstrate attack using
IV weakness.
> Open source, Anton Rager.
> Three components
> Weaker IV generator.
> Search sniffer output for weaker IVs &
record 1st byte.
> Cracker to combine weaker IVs and selected
1st bytes.
> Cumbersome.
Airsnort
> Automated tool
> Cypher42, Minnesota, USA.
> Does it all!
> Sniffs
> Searches for weaker IVs
> Records encrypted data
> Until key is derived.
> 100 Mb to 1 Gb of transmitted data.
> 3 to 4 hours on a very busy WLAN.
Avoid the weak IVs
> FMS described a simple method to find weak
IVs
> Many manufacturers avoid those IVs after 2002
> Therefore Airsnort and others may not work on
recent hardware
> However David Hulton aka h1kari
> Properly implemented FMS attack which shows many
more weak IVs
> Identified IVs that leak into second byte of key
stream.
> Second byte of SNAP header is also 0xAA
> So attack still works on recent hardware
> And is faster on older hardware
> Dwepcrack, weplab, aircrack
Generating WEP traffic
> Not capturing enough traffic?
> Capture encrypted ARP request packets
> Anecdotally lengths of 68, 118 and 368
bytes appear appropriate
> Replay encrypted ARP packets to generate
encrypted ARP replies
> Aireplay implements this.
802.11 safeguards
> Security Policy & Architecture Design
> Treat as untrusted LAN
> Discover unauthorised use
> Access point audits
> Station protection
> Access point location
> Antenna design
Security Policy & Architecture
> Define use of wireless network
> What is allowed
> What is not allowed
> Holistic architecture and
implementation
> Consider all threats.
> Design entire architecture
> To minimise risk.
Wireless as untrusted LAN
> Treat wireless as untrusted.
> Similar to Internet.
> Firewall between WLAN and Backbone.
> Extra authentication required.
> Intrusion Detection
> at WLAN / Backbone junction.
> Vulnerability assessments
Discover unauthorised use
> Search for unauthorised access points, ad-hoc
networks or clients.
> Port scanning
> For unknown SNMP agents.
> For unknown web or telnet interfaces.
> Warwalking!
> Sniff 802.11 packets
> Identify IP addresses
> Detect signal strength
> But may sniff your neighbours…
> Wireless Intrusion Detection
> AirMagnet, AirDefense, Trapeze, Aruba,…
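The checks behind "discover unauthorised use", run over sniffer output, as an added example (not from the lecture or any of the products named above): an inventory of authorised access points, detection of evil twins (unknown BSSID advertising our SSID), renegade access points (unknown BSSID, other SSID), and bursts of deauthenticate frames of the kind the SSID-recovery trick sends. The log format, the inventory, every address and the thresholds are constructed for the demo.

```python
# Wireless-IDS style checks over constructed sniffer output. Added example,
# not from the lecture or any named product; the log format, the inventory
# of authorised APs, the addresses and the thresholds are all assumptions.
from collections import defaultdict

# Inventory of authorised access points (constructed): BSSID -> (SSID, channel)
AUTHORISED = {
    "00:01:42:0e:12:1f": ("corp-wlan", 1),
    "00:01:42:f1:72:ae": ("corp-wlan", 6),
    "00:01:42:4f:e2:01": ("corp-wlan", 11),
}

# Constructed sniffer log: seconds, frame type, BSSID, SSID ("-" if none), channel, dBm
SNIFFER_LOG = """\
0.0 beacon 00:01:42:0e:12:1f corp-wlan 1 -48
0.1 beacon 00:01:42:f1:72:ae corp-wlan 6 -60
0.2 beacon 0a:0b:0c:0d:0e:0f corp-wlan 1 -35
0.3 beacon 00:11:22:33:44:55 linksys 6 -70
1.0 deauth 00:01:42:0e:12:1f - 1 -40
1.2 deauth 00:01:42:0e:12:1f - 1 -40
1.4 deauth 00:01:42:0e:12:1f - 1 -40
1.6 deauth 00:01:42:0e:12:1f - 1 -40
1.8 deauth 00:01:42:0e:12:1f - 1 -40
5.0 beacon 00:01:42:4f:e2:01 corp-wlan 11 -55
"""


def parse_log(text: str) -> list:
    """One sniffer line per frame -> list of dicts; BSSIDs normalised to lower case."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, kind, bssid, ssid, channel, signal = line.split()
        records.append({"t": float(t), "type": kind, "bssid": bssid.lower(),
                        "ssid": ssid, "channel": int(channel), "signal": int(signal)})
    return records


def classify_beacons(records: list) -> dict:
    """BSSID -> (SSID, verdict). Unknown BSSID advertising one of our SSIDs is an
    evil twin; unknown BSSID with any other SSID is a rogue (renegade) AP."""
    our_ssids = {ssid for ssid, _ in AUTHORISED.values()}
    verdicts = {}
    for r in records:
        if r["type"] != "beacon":
            continue
        if r["bssid"] in AUTHORISED:
            verdict = "authorised"
        elif r["ssid"] in our_ssids:
            verdict = "evil-twin"
        else:
            verdict = "rogue"
        verdicts[r["bssid"]] = (r["ssid"], verdict)
    return verdicts


def deauth_bursts(records: list, window: float = 1.0, threshold: int = 3) -> list:
    """Flag a BSSID whose address appears on >= threshold deauthenticate frames
    within any `window` seconds. Deauth frames are unauthenticated and carry the
    AP's address, so a burst is the signature of a forced reassociation."""
    times = defaultdict(list)
    for r in records:
        if r["type"] == "deauth":
            times[r["bssid"]].append(r["t"])
    alerts = []
    for bssid, ts in times.items():
        ts.sort()
        best = start = 0
        for end in range(len(ts)):          # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((bssid, best))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SNIFFER_LOG)
    for bssid, (ssid, verdict) in classify_beacons(recs).items():
        print(f"{bssid} {ssid:10} {verdict}")
    print(deauth_bursts(recs))
```

Because MAC addresses are spoofable, the inventory match on BSSID alone only says a frame claims to be from an authorised AP; the beacon's channel and signal strength are the extra fields a deployment would compare against the inventory before trusting it.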
Access point audits
> Review security of access points.
> Are passwords and community strings
secure?
> Use Firewalls & router ACLs
> Limit use of access point administration
interfaces.
> Standard access point config:
> SSID
> WEP keys
> Community string & password policy
Station protection
> Personal firewalls
> Protect the station from attackers.
> VPN from station into Intranet
> End-to-end encryption into the trusted network.
> But consider roaming issues.
> Host intrusion detection
> Provide early warning of intrusions onto a station.
> Configuration scanning
> Check that stations are securely configured.
Location of Access Points
> Ideally locate access points
> In centre of buildings.
> Try to avoid access points
> By windows
> On external walls
> Line of sight to outside
> Use directional antenna to “point” radio
signal.
WPA
> Wi-Fi Protected Access
> Works with 802.11b, a and g
> “Fixes” WEP’s problems
> Existing hardware can be used
> 802.1x user-level authentication
> TKIP
> RC4 session-based dynamic encryption keys
> Per-packet key derivation
> Unicast and broadcast key management
> New 48 bit IV with new sequencing method
> Michael 8 byte message integrity code (MIC)
> Optional AES support to replace RC4
WPA and 802.1x
> 802.1x is a general purpose network access
control mechanism
> WPA has two modes
> Pre-shared mode, uses pre-shared keys
> Enterprise mode, uses Extensible Authentication
Protocol (EAP) with a RADIUS server making the
authentication decision
> EAP is a transport for authentication, not
authentication itself
> EAP allows arbitrary authentication methods
> For example, Windows supports
> EAP-TLS requiring client and server certificates
> PEAP-MS-CHAPv2
Practical WPA attacks
> Dictionary attack on pre-shared key
mode
> CoWPAtty, Joshua Wright
> Denial of service attack
> If WPA equipment sees two packets with
invalid MICs in 1 second
> All clients are disassociated
> All activity stopped for one minute
> Two malicious packets a minute enough to stop a wireless network
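Both attacks on this slide, quantified in an added example (not from the lecture). The pre-shared key derivation is WPA-PSK's own (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit PMK), a detail the slides do not give; it is what makes an offline dictionary attack against a captured handshake possible and makes a precomputed table for a default SSID reusable across networks. The countermeasure timings are the ones stated above; passphrases, SSIDs and the packet timeline are constructed.

```python
# WPA pre-shared-key mode and the Michael countermeasure, quantified. Added
# example, not from the lecture. Assumed from the WPA specification:
# PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); the
# countermeasure parameters (two invalid MICs within one second stop the
# network for one minute) are the ones the slide states.
import hashlib
import time


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK pairwise master key: a function of the passphrase and SSID only."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def seconds_per_guess(ssid: str = "demo-ssid", samples: int = 10) -> float:
    """Rough cost of one dictionary guess on this machine (one PBKDF2 run per guess).
    The 4096 iterations are the only thing slowing a dictionary attack down."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"guess-{i}", ssid)
    return (time.perf_counter() - start) / samples


def countermeasure_downtime(mic_failure_times, horizon: float,
                            window: float = 1.0, hold: float = 60.0):
    """Simulate the TKIP countermeasure: a second invalid MIC within `window`
    seconds stops the network for `hold` seconds, during which frames are not
    processed. Returns (list of (start, end) blackouts, total seconds down)."""
    blackouts = []
    down_until = -1.0
    last_failure = None
    for t in sorted(mic_failure_times):
        if t < down_until:             # network stopped: the frame is not processed
            continue
        if last_failure is not None and t - last_failure <= window:
            down_until = t + hold
            blackouts.append((t, min(down_until, horizon)))
            last_failure = None
        else:
            last_failure = t
    return blackouts, sum(end - start for start, end in blackouts)


if __name__ == "__main__":
    print(derive_pmk("correct horse battery", "corp-wlan").hex())
    print(f"{seconds_per_guess():.4f} s per guess")
    # Constructed attack timeline: a pair of bad packets roughly once a minute.
    bad = [0.0, 0.5, 61.0, 61.5, 122.0, 122.5]
    print(countermeasure_downtime(bad, horizon=180.0))
```

Six packets in three minutes keep the network down for almost the whole period, which is the amplification the slide describes. On the dictionary side, the two levers a defender controls are a long random passphrase (each guess costs a full PBKDF2 run, but only if the passphrase is not in any wordlist) and a non-default SSID, since the SSID is the salt.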
802.11i
> Robust Security Network extends WPA
> Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol
(CCMP)
> Based on a mode of AES, with 128 bits keys
and 48 bit IV.
> Also adds dynamic negotiation of
authentication and encryption algorithms
> Allows for future change
> Does require new hardware
> www.drizzle.com/~aboba/IEEE/
Relevant RFCs
> RADIUS Extensions: RFC 2869
> EAP: RFC 2284
> EAP-TLS: RFC 2716
Demonstration
> War driving
> Packet sniffing
> Faking APs
> Cracking WEP
> brute force
> Dictionary attack
> FMS / H1kari attack
> Airsnarf?
> Packet injection?