Security in Wireless Networks
Download
Report
Transcript Security in Wireless Networks
Security in Wireless Networks
IEEE 802.11i
Presented by Sean Goggin
March 1, 2005
Overview
•
•
•
•
•
Inherent Problems in Wireless
Is WEP Really Equivalent?
Additional Solutions
802.11i – A New Solution
Conclusion
3/1/2005
Sean Goggin
2
Inherent Problems in Wireless
• Modern Wired Network
– Multiple Nodes Interconnected with CAT-5, RG-58,
Fiber, and Etc.
– Typically Difficult to Intercept
Data
CAT 5e
Data
Computer A
3/1/2005
Computer B
Sean Goggin
3
Inherent Problems in Wireless
• Modern Wireless Network
– Multiple Nodes Interconnected Over Radio Frequency
– Lacks Simplest Form of Physical Protection
Da t a
Da t a
Computer A
3/1/2005
Computer B
Sean Goggin
4
Inherent Problems in Wireless
• Denial-of-Service Attack (DOS Attack)
– Media is Open to the Public
– Easily Disrupted, Compromises Availability
– Only Solution is to Locate and Disable
Computer A
3/1/2005
Intruder
Sean Goggin
Computer B
5
Inherent Problems in Wireless
• Man-in-the-Middle Attack (MITM Attack)
– Easily Intercepted
– Compromises Integrity and Confidentially
– Mitigate with use of Encryption
Da t a
Computer A
3/1/2005
Da t a
Intruder
Sean Goggin
Computer B
6
Inherent Problems in Wireless
• Do to the Nature of Wired vs. Wireless,
Wired is More Secure
• Wireless Requires Protocol to Increase
Security
• IEEE & Wired Equivalent Privacy
– 40-bit (Exportable) and 104-bit Key
– RC4
3/1/2005
Sean Goggin
7
Is WEP Really Equivalent?
• IEEE Selects RC4 Cipher for WEP
• RC4 is a Stream Cipher System
– Utilizes a Shared Key and Pseudo Random Number Generator
(PRNG) to Create Keystream to XOR with Source’s Data, then
Sends Cipher Text
– Destination Utilizes the Shared Key and PRNG to Create
Keystream to XOR Cipher Text and Decrypt Source’s Data
Courtesy of 802.11 Wireless Networks: The Definitive Guide
3/1/2005
Sean Goggin
8
Is WEP Really Equivalent?
• WEP Process
– 40-bit Key + 24-bit Initialization Vector (IV) =
64-bit RC4 Key
– RC4 Key and PRNG Create Keystream Equal
in Length to Plain Text + CRC
– Keystream XORed with Plain Text and CRC
Value
– Transmit IV + Cipher Text
3/1/2005
Sean Goggin
9
Is WEP Really Equivalent?
• Key Management Issue
– Up to 4 WEP Keys Can Be Used
– Scalability vs. Security
•
•
•
•
3/1/2005
Manually Configure 1-4 Keys in an Enterprise
Manually Distribute 1-4 Keys to an Enterprise
Terminated Employees
Public Keys & Monitoring Station
Sean Goggin
10
Is WEP Really Equivalent?
• Encryption Issue
– “Weaknesses in the Key Scheduling Algorithm
of RC4 “ by Fluhrer, Mantin, and Shamir
•
•
•
•
3/1/2005
Addressed Poor Implementation of RC4 in WEP
Weak IVs are Poorly Chosen and Repeated
Reused Keys Make Crypt Analysis Possible
Function is Linear, not Exponential
Sean Goggin
11
Is WEP Really Equivalent?
• Attacking WEP
– The Key is Comprised of 5 Bytes or 13 Bytes
– The First Byte
• LLC Encapsulation & SNAP Header (00xA)
• (00xA) XOR First Byte of Cipher Text = First Byte
of Keystream
– The Remaining Bytes
• Weak IVs in form of B+3:FF:N
– B Refers to the Byte of the Key
– FF is Weak Middle Byte of all 1s
– N is any value from 0 to 255
3/1/2005
Sean Goggin
12
Is WEP Really Equivalent?
• Attacking WEP, Continued
– The Remaining Bytes, Continued
• Gather Weak IVs into Groups of B
– 5 Groups for 40-bit, 13 Groups for 104-bit
– Takes Approximately 115 Samples Per Group to Crack a Byte
of the Key
• Even Though More Weak IVs are Needed for 104-bit Key, it
Provides More Weak IVs by Nature
• Cracking 104-bit vs. 40-bit Takes More Time, But Insignificant
Amount
• More Wireless Network Traffic, Faster Weak IVs Appear
3/1/2005
Sean Goggin
13
Is WEP Really Equivalent?
• Tools to Crack WEP
– AirSnort
• Developed by Bruestle & Hegerle to Demonstrate
Work Done by Fluhrer, Mantin, and Shamir
• Capture Component
– Captures Raw Packets using Wireless Interface
• Crack Component
– Performs Analysis and Cracks Bytes of Key
– WEPCrack & dweputils
• Similar Functions as AirSnort
3/1/2005
Sean Goggin
14
Is WEP Really Equivalent?
• Other Attacks
– Simple XOR Attack
• Cipher Text is Plain Text XOR Keystream
• If a Known Plain Text is then XOR with Cipher Text
the KeyStream will be Exposed
– Use SPAM, Heavy Virus Network Traffic (ie: Sasser), or
Other Well-Known Network Traffic
• Used for Message Injection & Authentication
Spoofing
3/1/2005
Sean Goggin
15
Is WEP Really Equivalent?
• Other Attacks, Continued
– Brute-Force Attack
• Phrase Key Generators Often Flawed
–
–
–
–
Uses ASCII Values to Seed the PRNG
ASCII Always Start with 0 and Range from 0 to 7F
7F vs FF… 21-bit vs. 32-bit Seed
Newsham Attacked 40-bit Key using P3/500, 35 Seconds
to Key
– Sometimes Applies to 104-bit Key Generator (MD5
Hash)
3/1/2005
Sean Goggin
16
Additional Solutions
• Best Practices
– Disabling SSID Beaconing
• SSID Beaconing Identifies AP to Wireless
Interfaces
• Easier for Legitimate Users and
Intruders/Attackers to Find AP
• Disabling SSID May Requires Additional
Configuration of User’s Interface
• Attacker can Detect Presence of AP, but without
SSID cannot Associate with AP
3/1/2005
Sean Goggin
17
Additional Solutions
• Best Practices, Continued
– MAC Authentication (CSUN)
• Legitimate Users Register MAC Address
• AP Disregard Packets from Non-Registered MAC
– Problems
• Both SSID and Legitimate MAC can be Gathered
with Network Sniffer and Wireless Card if Weak or
No Encryption Used
• WEP is Weak, So What is Left?
3/1/2005
Sean Goggin
18
Additional Solutions
• Virtual Private Network (VPN)
– Secure Data Above the Link-Layer
– May Require More Bandwidth
– Variety of Protocols
• IPsec (CSUN), SSL, & PPTP
• Wi-Fi Protected Access (WPA)
– After WEP was Exposed a Temporary
Solution was Needed
3/1/2005
Sean Goggin
19
Additional Solutions
• Wi-Fi Protected Access (WPA), Continued
– Wi-Fi Alliance Took Components of 802.11i
Draft
•
•
•
•
•
Temporal Key Integrity Protocol
Larger IV (48-bit vs. 24-bit)
Message Integrity Check (MIC) Replaced CRC
802.1x or Pre-Shared Key (PSK)
RC4
– Could be Implemented on Existing Hardware
3/1/2005
Sean Goggin
20
802.11i – A New Solution
• Originally Meant to Address Security and
Quality of Service (QoS)
• Apparent Need for Additional Security
Created 802.11e QoS & 802.11i Security
• WPA is Released in April 2003 as
Temporary Solution Until 802.11i
Ratification
• 802.11i Ratified on June 24th, 2004
3/1/2005
Sean Goggin
21
802.11i – A New Solution
• Components of 802.11i
– 802.1x
– Advanced Encryption Standard in CounterMode/Cipher Block Chaining Message
Authentication Code Protocol (AES-CCMP)
– Temporal Key Integrity Protocol (TKIP)
3/1/2005
Sean Goggin
22
802.11i – A New Solution
• 802.1x
– Based on IETF Extensible Authentication
Protocol (EAP)
• Future Proof Open Standard
• Allows for Any Authentication Standard to be Used
• Designed to Regulate at Physical Port
– Point of Authenticating User & Network
– Typically Uses RADIUS
3/1/2005
Sean Goggin
23
802.11i – A New Solution
• 802.1x, Step 1
– Supplicant Request Association with Authenticator
– Authenticator Associates with Supplicant
– Authenticator Requests Identity from Supplicant via
EAP
EAP
Wireless
User
(Supplicant)
3/1/2005
AP
(Authenticator)
Authentication
Server
Sean Goggin
24
802.11i – A New Solution
• 802.1x, Step 2
– Supplicant Responds with Identity to Authenticator via
EAP
– Authenticator Sends Access Request for Supplicant’s
Identity to Authentication Server via RADIUS
EAP
Wireless
User
(Supplicant)
3/1/2005
RADIUS
AP
(Authenticator)
Authentication
Server
Sean Goggin
25
802.11i – A New Solution
• 802.1x, Step 3
– Authentication Server Validates Supplicant’s Identity
– Authentication Server Notifies Authenticator the Supplicant is
Valid and Issues Keying Material via RADIUS
– If Supplicant Fails to be Validated, Authentication Server Submits
Identity Request instead
RADIUS
Wireless
User
(Supplicant)
3/1/2005
AP
(Authenticator)
Authentication
Server
Sean Goggin
26
802.11i – A New Solution
• 802.1x, Step 4
– The Authenticator Initiates a 4-Way Handshake with
Supplicant to Establish Keys
– Once Keys are Established the Supplicant is
Permitted to Access the Network
EAP
Wireless
User
(Supplicant)
3/1/2005
AP
(Authenticator)
Authentication
Server
Sean Goggin
27
802.11i – A New Solution
• The 4-Way Handshake in 802.1x
– Terminology
•
•
•
•
•
•
3/1/2005
Master Key (MK)
Pairwise Master Key (PMK)
Authenticator Nonce (Anonce)
Supplicant Nonce (Snonce)
Pairwise Transient Key (PTK)
Group Temporal Key (GTK)
Sean Goggin
28
802.11i – A New Solution
• The 4-Way Handshake in 802.1x
– Both the Supplicant and Authenticator have PMK Derived from
MK issued by the Authentication Server
– Step 1
• Authenticator Generates Anonce and Sends it to the Supplicant
PMK
Anonce
PMK
Anonce
AP
(Authenticator)
Wireless
User
(Supplicant)
3/1/2005
Sean Goggin
29
802.11i – A New Solution
• The 4-Way Handshake in 802.1x
– Step 2
• Supplicant Generates Snonce
• Supplicant Constructs PTK from Anonce, Snonce,
Authenticator MAC, Supplicant MAC, and PMK
• Supplicant Sends Snonce and MIC to Authenticator
PMK
Snonce + MIC
Anonce
PMK
Anonce
Snonce
PTK
AP
(Authenticator)
Wireless
User
(Supplicant)
3/1/2005
Sean Goggin
30
802.11i – A New Solution
• The 4-Way Handshake in 802.1x
– Step 3
• Authenticator Derives PTK from Anonce, Snonce,
Authenticator MAC, Supplicant MAC, and PMK
• Authenticator Constructs GTK from Above Data and Sends
GTK and MIC to Supplicant
PMK
GTK + MIC
Anonce
Anonce
Snonce
Snonce
PTK
PTK
GTK
AP
(Authenticator)
Wireless
User
(Supplicant)
3/1/2005
PMK
Sean Goggin
31
802.11i – A New Solution
• The 4-Way Handshake in 802.1x
– Step 4
• Supplicant Sends ACK to Authenticator Concluding
Handshake Process
• Supplicant & Authenticator Have Established All Necessary
Keys
PMK
ACK
Anonce
Anonce
Snonce
Snonce
PTK
GTK
PTK
GTK
AP
(Authenticator)
Wireless
User
(Supplicant)
3/1/2005
PMK
Sean Goggin
32
802.11i – A New Solution
• Pairwise Transient Key (PTK)
– Broken into 3 Keys
• Key Confirmation Key (KCK)
– Used to Compute and Confirm EAP MICs
• Key Encryption Key (KEK)
– Used for Encryption of EAP Data
• Temporal Key (TK)
– Used for Encryption of Supplicant-Authenticator Traffic
• Group Temporal Key (GTK)
– Used for Broadcast and Multicast Encryption
3/1/2005
Sean Goggin
33
802.11i – A New Solution
• Additional Features of 802.1x
– Key Caching
• Authenticator & Supplicant Cache Keys While
Roaming
• Prevents Excessive Load on Authentication Server
– Pre-Authentication
• If the Supplicant Sense the Next AP while
Roaming it can Begin Authentication via Network
to Next AP
• Reduces Association Time to Next AP
3/1/2005
Sean Goggin
34
802.11i – A New Solution
• AES-CM/CBC-MAC Protocol (AESCCMP)
– Features
•
•
•
•
•
•
3/1/2005
128-bit Advanced Encryption Standard
Counter-Mode
Cipher Block Chaining
48-bit Initialization Vectors
802.1x Key Assignment (TK from PTK)
Message Integrity Check
Sean Goggin
35
802.11i – A New Solution
• Counter-Mode
– Turns a Block Cipher into a Stream Cipher
– Generates the Next Keystream Block by
Encrypting Successive Values of a Counter
– Counter is any Simple Function which
Produces Sequence which is Guaranteed not
to Repeat for a Long Time
3/1/2005
Sean Goggin
36
802.11i – A New Solution
Courtesy of: WikiPedia - Block cipher modes of operation
3/1/2005
Sean Goggin
37
802.11i – A New Solution
• Cipher Block Chaining
– Each Block of Plain Text is XORed with
Previous Block of Cipher Text Before Being
Encrypted
– Each Cipher Text Block is then Dependent on
the Blocks that Preceded
3/1/2005
Sean Goggin
38
802.11i – A New Solution
Courtesy of: WikiPedia - Block cipher modes of operation
3/1/2005
Sean Goggin
39
802.11i – A New Solution
• AES-CCMP, Continued
– AES-CM Provides Confidentiality
– CBC-MAC Provides Authentication & Integrity
– CCMP Protects Non-Encrypted Fields
• Such as Source & Destination Data
• Protects Against Replay Attack
– 16 Octets Larger then Non-Encrypted Data
• Slight Speed Decrease, Large Security Increase
– More Enterprise then Home Consumer
3/1/2005
Sean Goggin
40
802.11i – A New Solution
• AES-CCMP vs. WEP
– AES vs. RC4
– 128-bit vs. 104-bit Key
– Block Cipher vs. Stream Cipher
– 48-bit vs. 24-bit Initialization Vector
– CBC-MAC vs. RC4
– New vs. Established
3/1/2005
Sean Goggin
41
802.11i – A New Solution
• Temporal Key Integrity Protocol (TKIP)
– Features
• 128-bit RC4
• Per-Packet Key Mixing
• Enhanced Initialization Vectors including
Sequencing Rules
• 802.1x Key Assignment (TK from PTK)
• Michael MIC
• Runs on Legacy Hardware
3/1/2005
Sean Goggin
42
802.11i – A New Solution
Courtesy of: How Secure Is Your Wireless Network? Safeguarding Your Wi-Fi LAN
3/1/2005
Sean Goggin
43
802.11i – A New Solution
• TKIP – Phase 1
– Source MAC XORed with TK = Mixed Key
• TKIP – Phase 2
– Mixed Key XORed with Trip Sequence
Counter = Per-Packet Mixed Key
– Feed to WEP Engine as 128-bit Key
3/1/2005
Sean Goggin
44
802.11i – A New Solution
• Michael MIC
– 64-bit MIC Key, Source Address, Destination
Address, and Plain Text used to Generate 8
Byte MIC Hash
– MIC replaces CRC
– Plain Text+ MIC are Fed to WEP Engine as
Plain Text
• WEP Now Performs RC4 Operations
Using 128-bit Key and Plain Text + MIC
3/1/2005
Sean Goggin
45
802.11i – A New Solution
3/1/2005
Sean Goggin
46
802.11i – A New Solution
• Michael’s Countermeasure
– If CRC, Integrity Check Value, and IV Fail
Verification, Only then Check MIC
• Avoids False Positive
– If All Fail, Attack Underway
• Stop Using Current Keys & Re-Key
• Rate Limit Re-Keying to Once Per Minute
3/1/2005
Sean Goggin
47
802.11i – A New Solution
• AES-CCMP vs. TKIP
– AES vs. RC4
– Block vs. Stream Cipher
– CBC-MAC vs. RC4
– New Hardware vs. Existing Hardware
– New vs. Relatively New
3/1/2005
Sean Goggin
48
802.11i – A New Solution
• Additional Features of 802.11i
– Pre-Shared Key (PSK)
• Utilized instead of PMK, Less Secure?
• Home or Ad Hoc Network
– Password-to-Key Mapping
• Generates 256-bit PSK from ASCII
– Random Number Generation
• Established Minimum Guide Line
3/1/2005
Sean Goggin
49
802.11i – A New Solution
• 802.11i & WPA 2
– Wi-Fi Alliance Certification Program for
802.11i Compliance
– Possibly Misleading, WPA Hardware May Not
Be Compatible
• TKIP is in WPA & WPA 2
• Most WPA Hardware Not Capable of AES-CCMP
– User-Friendly Name for 802.11i
3/1/2005
Sean Goggin
50
Conclusion
• 802.11i Shows Promise, Only Proven with
Test of Time
• Performance/Security Trade-off Worth it?
• May Not Be as Important to Home Users
as it is for Enterprises
3/1/2005
Sean Goggin
51
Conclusion
• With Major Investment in Last 5 Years in
802.11b, New Hardware May Not Be
Adopted Promptly
• Why Buy 802.11i Instead of 802.16 or
802.20?
• Where is the Hardware?
3/1/2005
Sean Goggin
52
Questions & Answers
Security in Wireless Networks
802.11i
Next Time…
Advances in Optical Networks
SONET
April 19, 2005
References
• Wireless Security’s Future (PDF)
• Intercepting Mobile Communications: The
Insecurity of 802.11(PDF)
• IEEE 802.11i Overview (PDF)
• 802.11i and Wireless Security
• 802.11 Security
• Wikipedia – Block Cipher Modes of Operation
• Wikipedia – Advanced Encryption Standard
3/1/2005
Sean Goggin
55