Wireless Security - Grand Rapids ISSA
Download
Report
Transcript Wireless Security - Grand Rapids ISSA
West Michigan Infragard
802.11b Wireless presentation
Dennis Peasley
&
Brian DeLine
– 6/21/03
6/21/03
Areas to Cover for WLAN’s
Introduction
It’s a radio
WEP and WPA Security Methods
Authentication EAP’s gallore
6/21/03
Alphabet Soup
Many different kinds of wireless
We will talk about WLANS only
802.11a – 56Mhz up to 54Mbps
802.11b – 2.4 Ghz up to 11Mbps
802.11g – 2.4 Ghz up to 24Mbps
802.11i – Wireless security Std
802.11h – Wireless power control
6/21/03
802.11 Standards
802.11
– IEEE family of specifications for WLANs
– 2.4GHz 2Mbps
802.11a
– 5GHz, 54Mbps
802.11b
– Often called Wi-Fi, 2.4GHz, 11Mbps
802.11e
– QoS & Multimedia support to 802.11b & 802.11a
802.11g
– 2.4GHz, 54Mbps
802.11i
– An alternative of WEP
802.1x
– A method of authentication and security protocols
6/21/03
What is Wireless LAN?
• It is a Local Area Network
• Extension of Wired LAN
• Use High Frequency Radio Wave (RF)
• Speed : 2Mbps to 54Mbps
• Distance 100 feet to 15 miles
6/21/03
Physical LAN
vs. Wireless LAN
• Physical security is important.
• Both types are vulnerable to
attack.
• Wired LANS have defined borders
• Wireless is harder to determine
where it can be accessed.
• Both can be controlled
6/21/03
3 PHY layers defined by the
802.11
• Frequency Hopping SS (FHSS)
• Direct Sequence SS (DSSS)
• Infrared
6/21/03
Modes of Wireless LAN’s
Infrastructure
– Access point based
Ad-Hoc
– Client to Client
6/21/03
AP
It’s a Radio
Frequencies
Channels
Power Level
Antennas
6/21/03
DSS and Chiping
DSSS. This type of signaling uses a
broadband carrier, generating a
redundant bit pattern (called a
"chip") for every bit of data to be
transmitted. While seemingly
wasteful of bandwidth, DSSS copes
well with weak signals.
6/21/03
Wireless Channels
6/21/03
802.11b Channels
3
4
5
6
7
8
9
Channel 5
Channel 9
Channel 3
Channel 8
Channel 2
Channel 6
2.437
2.412
2.400
Channel 7
Frequency (GHz)
6/21/03
11
Channel 10
Channel 4
Channel 1
10
Channel 11
2.474
2
2.462
1
Deploying in 3D
6/21/03
6/21/03
Grid Dishes
6/21/03
Many Kinds of Antennas
6/21/03
War Driving & Chalking
•Access points are visible
mostly because of beaconing
•People driving around
looking for access points
•Software is available to use
a GPS to collect access point
locations
•Captured info can be fed
into MS Streets and Trips
6/21/03
6/21/03
Secure Protocols For Encryption
Application
Application
SSL
SSL
Transport
(TCP, UDP)
Network (IP)
Transport
(TCP, UDP)
Router
Network (IP)
Network (IP)
(VPN)
(VPN)
802.11b Link
WEP
802.1b
Physical
6/21/03
Network (IP)
802.11b Link
WEP
802.1b
Physical
Ethernet
Link
Ethernet
Link
Ethernet
Physical
Ethernet
Physical
Open vs. Closed Association
Closed
Association
is bad
http://www.extremetech.com/article2/0,3973,54543,00.asp
6/21/03
Encryption WEP vs. WPA
WPA uses Temporal Key Integrity Protocol
(TKIP) - stronger data encryption,
addresses known vulnerabilities in WEP.
TKIP chosen as primary encryption
cipher suite - Easily deployed and
supported in legacy 802.11b
hardware compared to other
available cipher suites.
– .
6/21/03
TKIP
– TKIP based on RC4 stream cipher algorithm,
surrounds WEP cipher engine with 4 new
algorithms,
1. Extended 48-bit Initialization Vector (IV) and IV sequencing
rules (compared to the shorter 24-bit WEP RC4 key).
2. New per-packet key mixing function.
3. Derivation and distribution method - a.k.a. re-keying.
4. A message integrity check (MIC) - a.k.a. ‘Michael’, ensures
messages haven’t been tampered with during transmission
6/21/03
WPA the details
Temporal Key
TA
Phase 1
key mixing
Phase 2
key mixing
TTAK Key
TSC
WEP seed(s)
(represented as
WEP IV + RC4
key)
MIC Key
SA + DA +
Plaintext MSDU
Data
DA – Destination Address
ICV– Integrity Check Value
MPDU – Message Protocol Data Unit
MSDU – MAC Service Data Unit
RSN – Robust Security Network
SA – Source Address
TA – Transmitter Address
6/21/03
MIC
Plaintext
MSDU +
MIC
Fragment(s)
Plaintext
MPDU(s)
WEP
Encapsulation
TKIP – Temporal Key Integrity Protocol
TSC – TKIP Sequence Counter
TTAK– result of phase 1 key mixing of Temporal Key
and Transmitter Address
WEP – Wired Equivalent Privacy
WEP IV – Wired Equivalent Privacy Initialization Vector
Ciphertext
MPDU(s)
WPA Encryption cont.
– TKIP Sequence Counter (TSC) - Combination of extended 48-bit
IV and IV sequence counter, extends life of Temporal Key,
eliminates need to re-key Temporal Key during single association.
– Temporal and MIC Keys derived from Pairwise Master Key
(PMK) - PMK derived as part of 802.1X exchange.
Message Integrity Check (MIC) Cryptographic checksum designed to
make it much more difficult for an
attacker to successfully intercept and
alter data.
6/21/03
– TKIP implements countermeasures - reduces rate which attacker can make
message forgery attempts down to two packets every 60 seconds.
– After 60 second timeout new PMK or Groupwise Key generated, depending on
which attacked – ensures attacker cannot obtain information from attacked key.
– Countermeasures bound probability of successful forgery and amount of
information attacker can learn about a key.
– TKIP is made available as firmware or software upgrade to existing legacy
hardware.
TKIP eliminates having to replace existing hardware
or having to purchase new hardware.
6/21/03
WPA uses two types of Authentication
– Authentication and Key Management based
on IEEE 802.1X.
– WPA supports two authenticated key
management protocols,
1. EAP Authentication
2. Pre-Shared Key
6/21/03
Client decides what authentication to use
WPA requires APs announce
supported ciphers (encryption
types) and authentication types Clients choose most secure
encryption and authentication type.
6/21/03
Summary of WPA
– Wi-Fi Protected Access effectively addresses WLAN security
requirements and provides immediate and strong encryption and
authentication solution.
– WPA forward compatible with the full 802.11i standard.
– WPA replaces WEP as standard Wi-Fi security mechansim.
– Initial release of WPA addresses AP based 802.11 networks, Ad-hoc (peerto-peer) networks addressed in final WPA standard, WPA version 2.
– Wi-Fi Alliance to adopt full 802.11i standard as version 2 of WPA.
WPA will be mandatory for Wi-Fi certification
before the end of 2003
6/21/03
Authentication and 802.1x
6/21/03
What is Network Access Authentication?
A mechanism by which access to the network is
restricted to authorized entities
–
–
Identities used are typically userIDs
NB: each user on a multi-user machine does not need to authenticate
once the link is up, so this doesn’t guarantee that only the authenticated
user is accessing the network
Once authenticated, the session needs to be
authorized
–
Authorization can include things like VLANID, rate limits, filters,
tunneling, etc.
To prevent hijacking, you need per-packet
authentication as well
–
–
–
6/21/03
Encryption orthogonal to authentication
Per-packed MIC based on key derived during the authentication
process, linking each packet to the identity claimed in the
authentication
No MIC support in PPP and WEP!
What is IEEE 802.1X?
The IEEE standard for authenticated and auto-provisioned LANs.
– Ratified June 2001
– Based on EAP, IETF RFC 2284
A framework for authentication and key management
– IEEE 802.1X derives keys which can be used to provide per-packet authentication,
integrity and confidentiality
– Typically used along with well-known key derivation algorithms (e.g. TLS, SRP,
etc.)
– IEEE 802.1X does not mandate security services – can do authentication, or
authentication & encryption
– Encryption alone not recommended (but that’s what WEP does)
What 802.1X is not
– Purely a wireless standard – it applies to all IEEE 802 technologies (e.g. Ethernet
First Mile applications)
– PPP over Ethernet (PPPOE) – only supports EAP authentication methods (no PAP or
CHAP), packets are not encapsulated
– A cipher – not a substitute for WEP, RC4, DES, 3DES, AES, etc.
• But 802.1X can be used to derive keys for any cipher
– A single authentication method
• But 802.1X can support many authentication methods without changes to the AP or NIC
firmware
6/21/03
A History of IEEE 802.1X
The idea started with customers who wanted to control access to a public network
– Universities, government agencies
Existing approaches were inadequate
– Customers wanted something that could be implemented inexpensively – on existing
switches
– Customers wanted to utilize existing network access infrastructure (RADIUS, LDAP,
etc.)
– PPPOE – too much overhead
– VPN – too many interoperability issues
– DHCP – designed for addressing and configuration, not access control
Concept developed by 3Com, HP, and Microsoft
–
–
–
–
We examined alternatives, and settled on a Layer 2 approach
A small group wrote the spec and built prototypes
Consensus and running code!
Not designed by committee!
IEEE 802.1X PAR approved in January 1999
Approved as an IEEE standard June 2001
Specification available at: http://www.drizzle.com/~aboba/IEEE/
6/21/03
802.1X Topologies
Semi-Public Network /
Enterprise Edge
Enterprise or ISP
Network
PAE
Authenticator/EtherNAS
(e.g. Access Point or
Bridge)
PAE
Supplicant
EtherCPE
6/21/03
Non-802.1X
Supplicant
R
A
D
I
U
S
Authentication
Server
802.1X Security Philosophy
Approach: a flexible security framework
– Implement security framework in upper layers
– Enable plug-in of new authentication, key management methods without changing
NIC or Access Point
– Leverage main CPU resources for cryptographic calculations
How it works
– Security conversation carried out between supplicant and authentication server
– NIC, Access Point acts as a pass through device
Advantages
– Decreases hardware cost and complexity
– Enables customers to choose their own security solution
– Can implement the latest, most sophisticated authentication and key management
techniques with modest hardware
– Enables rapid response to security issues
6/21/03
What is RADIUS?
Remote Access Dial In User Service
Supports authentication, authorization, and
accounting for network access
–
–
Physical ports (analog, ISDN, IEEE 802)
Virtual ports (tunnels, wireless)
Allows centralized administration and accounting
6/21/03
IEEE 802.1X Conversation
Switch
Laptop computer
Radius Server
Ethernet
Port connect
Access blocked
EAPOL
EAPOL-Start
RADIUS
EAP-Request/Identity
EAP-Response/Identity
Radius-Access-Request
Radius-Access-Challenge
EAP-Request
EAP-Response (credentials)
Radius-Access-Request
Radius-Access-Accept
EAP-Success
Access allowed
6/21/03
802.1X On 802.11
Wireless
Access Point
Radius Server
Laptop computer
Ethernet
Association
Access blocked
802.11
802.11 Associate-Request
RADIUS
802.11 Associate-Response
EAPOW-Start
EAPOW
EAP-Request/Identity
EAP-Response/Identity
EAP-Request
EAP-Response (credentials)
EAP-Success
6/21/03
Radius-Access-Request
Radius-Access-Challenge
Radius-Access-Request
Radius-Access-Accept
EAPOW-Key (WEP)Access allowed
802.1X and Ad-Hoc Networking
What is ad-hoc networking?
– Station communicating directly with other stations
How does ad-hoc networking work with 802.lX?
– Both Stations initiate EAPOL conversation
– All stations authenticate with each other
• Otherwise mutual authentication required and algorithm to
select authenticator
– RADIUS not used in ad-hoc mode
• Typically implies that user credentials are stored on Stations
6/21/03
Key Management for Ad-Hoc Networking
Requirements
– Password-based mutual authentication
– Secure key generation
Evaluation of existing EAP methods
– EAP-TLS: supports mutual authentication, keying, but
assumes both participants have a certificate
– EAP-SRP: supports mutual authentication, but not assumes
“client” and “server”
802.1X will work in adhoc mode if required
– Shared key is easiest mechanism in most cases
6/21/03
Other issues with Adhoc
Interconnections not organized
– Multiple interconnections to destinations
– “Hidden” stations
– Loops in the network
L2 Spanning tree required
– Removes loops, organizes STAs to form a coherent LAN
– Problem: convergence time of 802.1D too slow
Not easy to connect both via adhoc and AP
– Two interfaces need to be exposed
– Requires STAs to act as a bridge
– Creates potential security issues
6/21/03
Adhoc Networking Advances
Goal: allow devices to talk to each other without
a network administrator
Fast spanning tree convergence
IPv4 linklocal addressing
IPv4 automatic multicast addressing
Mini-DHCP server
Multicast DNS
6/21/03
Extending Coverage with Adhoc
Semi-Public Network /
Enterprise Edge
Enterprise or ISP
Network
R
A
D
I
U
S
Authentication
Server
Authenticator/EtherNAS
(e.g. Access Point or
Bridge)
Supplicant
Adhoc
Peer
6/21/03
Adhoc
Peer
Adhoc
Peer
Adhoc
Peer
Deploying IEEE 802.1X With
802.11
6/21/03
Authentication EAP’s Galore
EAP-TLS – Transport Layer Security
EAP-TTLS – Tunneled Transport Layer Security
LEAP – Proprietary Cisco
PEAP – Protected EAP – similar to TTLS
EAP – MD5 – equivalent to CHAP
EAP – SecurID EAP – SIM – GSM Cell technology
EAP - AKA
6/21/03
Deployment Issues with 802.11
User-based authentication and accounting
–
–
–
–
–
802.11-1997 only allows users to be identified by MAC address
How do I know who is on my network?
How can I do user-based access control, accounting and auditing?
What happens if a machine is stolen?
Proprietary key management solutions require separate user databases
Secure roaming
– Why can’t you just “plug in and connect” anywhere in the world?
Key management
– 802.11-1997 supports per-user keys, but most implementations only
support global keys
– What if the global key(s) are compromised?
– Static keys difficult to manage on clients, access points
6/21/03
Quest to Improve WEP
How can we improve WEP security and
– Retain (most) performance
• Enhance without greatly reducing line rates
– Easily upgrade deployed systems
• Avoid hardware upgrades
– Retain interoperability
• Allow most deployed systems to upgrade
• Allow for incremental deployment
• Allow legacy systems to continue to work without
improvements
Provide better protection until 802.11i is available
6/21/03
802.1X Authentication
802.1X users identified by usernames, not MAC
addresses
– Enables user-based authentication, authorization, accounting
For use with 802.1X, EAP methods supporting
mutual authentication are recommended
– Need to mutually authenticate to guarantee key is transferred to the
right entity
– Prevents man-in-the-middle and rogue server attacks
Common EAP methods support mutual
authentication
– TLS: server and client must supply a certificate, prove possession
of private key
– SRP: permits mutual authentication via weak shared secret without
risk of dictionary attack on the wire
– Tunneled TLS: enables any EAP method to run, protected by TLS
6/21/03
Advantages of IEEE 802.1X
Open standards based
– Leverages existing standards: EAP (RFC 2284), RADIUS
(RFC 2865, 2866, 2867, 2868, 2869)
– Enables interoperable user identification, centralized
authentication, key management
– Enables automated provisioning of LAN connectivity
User-based identification
– Identification based on Network Access Identifier (RFC
2486) enables support for roaming access in public spaces
(RFC 2607).
Dynamic key management
– Improved security for wireless (802.11) installations
6/21/03
WEPv1.0 w/802.1X
Improved key derivation
– Per-user unicast keys instead of global unicast key
– Unicast key may be changed periodically to avoid staleness
– Support for standards-based key derivation techniques
Additional fixes still under discussion
– Authentication for reassociate, disassociate
WEP deficiencies still present
– No keyed MIC
– Improper usage of RC4 stream cipher
– No IV replay protection
Long term solution: Need a “real” cipher!
– AES proposals under discussion
6/21/03
802.1X Implementations
Implementations available now
–
–
–
IEEE 802.1X support included in Windows XP
Firmware upgrades available from AP and NIC vendors
Interoperability testing underway
802.1X OS support
–
–
Microsoft: Windows XP
Cisco: Windows 9x, NT4, 2000, Mac OS, Linux
RADIUS servers supporting EAP
–
–
–
–
6/21/03
Microsoft Windows 2000 Server
Cisco ACS
Funk RADIUS
Interlink Networks (formerly MERIT) RADIUS server
Windows XP Wireless Features
Support for 802.1X built-in (EAP-TLS, MD-5)
Automated configuration via SSID detection
Wireless Roaming
6/21/03
Extensible security with 802.1X
Windows XP Wireless (cont’d)
Improved driver support
Internet Connection Firewall (ICF)
6/21/03
Diagnosing 802.1X
RADIUS accounting
– Termination-Cause attribute provides information
on reasons why a session ended
– Connection-Info attribute provides information on
link performance
802.1X MIB
– Provides information on failures at each stage of
the authentication process
•
“Failure fractions” derived from MIB variables ideally
suited for reporting and quality control charts
– Provides same accounting information as
RADIUS accounting
6/21/03
•
SNMP supports “pull model” accounting
Protecting your WLAN
–
–
–
–
–
–
–
–
–
6/21/03
Enable WEP, use 128bit key*
Disable SSID Broadcasts
No SNMP access
Choose complex admin password
Enable firewall function
Use MAC (hardware) address to restrict access
Non-default Access Point password
Change default Access Point Name
False Access point with IDS Alert
Questions ?
6/21/03
History of 802.11..
• 2 Meg wireless
– SSDS
– SSFH
• 72 Frequencies
• Same Frequency that cooks
turkeys
6/21/03
802.11G
• One Standard
• 3 different implementations
• All data rates above 11Mb could be
incompatible with each other
6/21/03
802.1x
6/21/03
802.1x mechanism
•
Supplicant sends an "EAP-Response/Identity" packet to the authenticator, which
is then passed on to the authentication (RADIUS) server.
•
The authentication server sends back a challenge to the supplicant via the
authenticator using EAPOL
•
The supplicant responds to the challenge via the authenticator and passes the
response onto the authentication server.
•
If the supplicant provides proper identity, the authentication server responds
with a success message, which is then passed onto the supplicant.
•
The authenticator now allows access to the LAN- - possibly restricted based on
attributes that came back from the authentication server.
For example, the authenticator might switch the supplicant to a particular virtual
LAN or install a set of firewall rules.
6/21/03
WEP Secure enough?
• What if traffic is compromised
• If the key is broken all traffic
saved is readable.
• Breaking WEP is not a drive by
attack. It takes too long.
6/21/03
WEP Key Management
• Static keys
• Manually distributed
• Up to four keys
– Can be mixture of 40/128 bit keys
• Either set as hex data or ASCII
– Configuration tool usually determines
6/21/03
Attacks on WEP Overview
WEP is broken.
There are a surprising large number of attacks possible on the
protocol:
– Passive attacks to decrypt traffic based on statistical analysis.
– Active attacks to decrypt traffic, based on tricking the access point.
– Active attack to inject new traffic from unauthorized mobile
stations.
– A memory tradeoff attack that allows real-time automated
decryption of all traffic.
– An active inductive chosen plaintext attack which allows decryption
of traffic.
– An attack on the key scheduling algorithm of RC4.
matt barrie <[email protected]>
6/21/03
Wi-Fi Protected Access
(WPA),
• Temporal Key Integrity Protocol (TKIP),
• TKIP is part of a draft 802.11i standard
that will supersede WPA
6/21/03
802.11h
IEEE 802.11h working group. This
new draft standard will include
provisions for attenuating
transmission power as well as
flexibly selecting transmission
frequency in order to keep from
interfering with other potential
devices in that same frequency
spectrum
6/21/03
802.11i
To expand 802.11i's lifespan, its
IEEE committee also plans to
replace RC4 with AES
When 802.11i does arrive it appears
almost a lead pipe cinch that you'll
need to replace all your Wi-Fi
equipment to make use of it.
6/21/03