Wireless Security

Download Report

Transcript Wireless Security


802.11 Basics

Security in 802.11

WEP summary

WEP Insecurity





ALOHAnet
1999: IEEE 802.11a (54 Mbps)
1999: IEEE 802.11b (11 Mbps)
2003: IEEE 802.11g (54 Mbps)
2009: IEEE 802.11n (150 Mbps)
802.11b
 2.4-2.485 GHz unlicensed
radio spectrum
 up to 11 Mbps
 direct sequence spread
spectrum (DSSS) in physical
layer: all hosts use same
chipping code
 802.11a
 5-6 GHz range
 up to 54 Mbps
 Physical layer: orthogonal
frequency division
multiplexing (OFDM)

802.11g
 2.4-2.485 GHz range
 up to 54 Mbps
 OFDM
 All use CSMA/CA for multiple
access
 All have base-station and adhoc versions
 All allow for reducing bit rate
for longer range

4
 Wireless host communicates with a base station
 base station = access point (AP)
 Basic Service Set (BSS) (a.k.a. “cell”) contains:
wireless hosts
 access point (AP): base station
 BSS’s combined to form distribution system (DS)



No AP (i.e., base station)
wireless hosts communicate with each
other
 to get packet from wireless host A to B
may need to route through wireless hosts

Applications:
 “Laptop” meeting in conference room
 Vehicle Network
 Interconnection of “personal” devices
 Battlefield


802.11b: 2.4GHz-2.485GHz spectrum divided into 11 channels at
different frequencies; 3 non-overlapping
 AP admin chooses frequency for AP
 interference possible: channel can be same as that chosen by
neighboring AP!
AP regularly sends beacon frame
 Includes SSID, beacon interval (often 0.1 sec)

host: must associate with an AP




scans channels, listening for beacon frames
selects AP to associate with; initiates association protocol
may perform authentication
After association, host will typically run DHCP to get IP address
in AP’s subnet
7
2
2
6
6
6
frame
address address address
duration
control
1
2
3
Address 1: MAC address
of wireless host or AP
to receive this frame
2
6
seq address
4
control
0 - 2312
4
payload
CRC
Address 4: used only in
ad hoc mode
Address 3: MAC address
of router interface to
which AP is attached
Address 2: MAC address
of wireless host or AP
transmitting this frame
8
802.11 frame: addressing
R1 router
H1
Internet
AP
H1 MAC addr R1 MAC addr
dest. address
source address
802.3 frame
H1 MAC addr AP MAC addr R1 MAC addr
address 1
address 2
address 3
802.11 frame
9
802.11 frame: addressing
R1 router
H1
Internet
AP
R1 MAC addr
dest. address
H1 MAC addr
source address
802.3 frame
AP MAC addr
address 1
H1 MAC addr
address 2
R1 MAC addr
address 3
802.11 frame
10
frame:
2
2
6
6
6
frame
address address address
duration
control
1
2
3
2
Protocol
version
2
4
1
Type
Subtype
To
AP
6
2
1
seq address
4
control
1
From More
AP
frag
1
Retry
1
0 - 2312
4
payload
CRC
1
Power More
mgt
data
1
1
WEP
Rsvd
frame control field expanded:
 Type/subtype distinguishes
beacon, association, ACK, RTS,
CTS, etc frames.
 To/From AP defines meaning of
address fields
 802.11 allows for fragmentation
at the link layer
 802.11 allows stations to enter
sleep mode
 Seq number identifies
retransmitted frames (eg, when
ACK lost)
 WEP = 1 if encryption is used
11





Service Set Identifier (SSID)
Differentiates one access point from
another
SSID is cast in ‘beacon frames’ every
few seconds.
Beacon frames are in plain text!
Encryption

802.11 Basics

Security in 802.11

WEP summary

WEP Insecurity

Why do we need the encryption?
 Wi-Fi networks use radio transmissions
prone to eavesdropping
 Mechanism to prevent outsiders from
▪ accessing network data & traffic
▪ using network resources

Access points have two ways of initiating
communication with a client

Shared Key or Open System authentication

Open System: need to supply the correct SSID
 Allow anyone to start a conversation with the AP

Shared Key is supposed to add an extra layer of
security by requiring authentication info as
soon as one associates

Client begins by sending an association
request to the AP

AP responds with a challenge text
(unencrypted)

Client, using the proper key, encrypts text
and sends it back to the AP

If properly encrypted, AP allows
communication with the client

1997: Original 802.11 standard only offers
 SSID
 MAC Filtering

1999: Introduce of Wired Equivalent Privacy (WEP)
 Several industry players formes WECA (Wireless Ethernet
Compatibility Alliance) for rapid adaption of 802.11
network products

2001: Discover weaknesses in WEP
 IEEE started Task Group i


2002: WECA was renamed in WI-FI
2003: WiFi Protected Access (WPA)
 Interim Solution for the weakness of WEP

2004: WPA2 (IEEE-802.11i-2004)

Primary built security for 802.11 protocol

RC4 encryption
 64-bits RC4 keys
 Non-standard extension uses 128-bit keys

Many flaws in implementation

Interim solution for replacement of WEP

Goals:
 improved encryption
 user authentication

Two Modes
 WPA Personal : TKIP/MIC ; PSK
 WPA Enterprise : TKIP/MIC ; 802.1X/EAP

WPA-Personal
 Also refer to WPA-PSK (WPA Pre-shared Key)
 Designed for home and small office networks and doesn't
require an authentication server.

WPA-Enterprise
 Known as WPA-802.1X
 Designed for enterprise networks and requires an authentication server
 An Extensible Authentication Protocol (EAP) is used for authentication
 Supports multiple authentication method based on:
▪ passwords (Sample: PEAP)
▪ digital certificates (Sample: TLS, TTLS)

TKIP (Temporal Key Integrity Protocol)
 The 128 bit RC4 stream cipher used in WPA

CCMP (Counter Cipher Mode with Block Chaining
Message Authentication Code Protocol)
 An AES-based encryption mechanism used in WPA2

Approved in July 2004

AES is used for encryption

Two mode like WPA:
 Enterprise Mode:
▪ authentication: 802.1X/EAP
▪ encryption: AES-CCMP
 Personal Mode:
▪ authentication: PSK
▪ encryption: AES-CCMP
WEP
WPA
WPA2
Cipher
RC4
RC4
AES
Key Size (bits)
64/128
128
128
Key Life
24 bit IV
48 bit IV
48 bit IV
Packet Key
Concatenation
Two Phase Mix
Not Need
Data Integrity
CRC32
Michael
CCM
Key Management
None
802.1X/PSK
802.1X/PSK
23
• WEP is no longer a secure wireless method
• WPA2 with AES encryption is currently the best encryption
scheme
• If on an unsecured network, use SSH or VPN tunneling to
secure your data

802.11 Basics

Security in 802.11

WEP summary

WEP Insecurity
A block of plaintext is bitwise XORed with a
pseudorandom key sequence of equal length
 RC4 PRNG

26
CRC
802.11 Frame
Header
Payload
Payload
ICV
32

ICV computed – 32-bit CRC of payload
4 x 40
Key 1
Keynumber
Key 2
Key 3
Key 4


Key
40
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits



IV
keynumber
24
8
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV selected – 24-bits, prepended to
keynumber
64
IV
Payload




Key
ICV
RC4
Payload
ICV
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV selected – 24-bits, prepended to
keynumber
IV+key used to encrypt payload+ICV
WEP Frame
Header





IV
keynumber
Payload
ICV
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV selected – 24-bits, prepended to
keynumber
IV+key used to encrypt payload+ICV
IV+keynumber prepended to encrypted
payload+ICV
4 x 40
Key 1
Keynumber
Key 2
Key 3
Key 4

Keynumber is used to select key
Key
40
64
IV
Payload
Key
ICV
RC4
 Keynumber is used to select key
 ICV+key used to decrypt payload+ICV
Payload
ICV
Payload
ICV
CRC
Header
Payload
ICV’
32
 Keynumber is used to select key
 ICV+key used to decrypt payload+ICV
 ICV recomputed and compared against original
24
104
IV
Key
Payload





ICV
128-bits
RC4
Payload
ICV
Purpose – increase the encryption key size
Non-standard, but in wide use
IV and ICV set as before
104-bit key selected
IV+key concatenated to form 128-bit RC4
key


Keys are manually distributed
Keys are statically configured
 often infrequently changed and easy to remember!


Key values can be directly set as hex data
Key generators provided for convenience
 ASCII string is converted into keying material
 Non-standard but in wide use
 Different key generators for 64- and 128-bit

http://www.wepkey.com/
38

802.11 Basics

Security in 802.11

WEP summary

WEP Insecurity



Problem: Keystream Reuse
WEP’ s Solution: Per Packet Ivs
But…
XOR cancels
keystream
so knowing one plaintext will get you the other
40




IV only 24-bits in WEP,
It must repeat after 2^24 or ~ 16.7M packets
practical?
How long to exhaust the IV space in busy network?
 A busy AP constantly send 1500 bytes packet
 Consider Data Rate 11 Mbps
 IV exhausts after..
(1500 ´ 8) 24
11´10
6
´ 2 » 18000s » 5hrs
Consequences:
– Keystream for corresponding IV is obtained
41

2001: Fluhrer, Mantin, Shamir : Weaknesses in the
Key Scheduling Algorithm of RC4.

completely passive attack

Inductive chosen plaintext attack
 Takes 5-10M. packets to find secret key
 Showed that WEP is near useless
42




In 2001, airsnort was released but needs
millions of packets
‹In 2004, aircrack and weblap require only
hundreds of thousands of packets
http://securityfocus.com/infocus/1814
‹http://www.securityfocus.com/infocus/1824
43
One common shared key
 If any device is stolen or
compromised, must change
shared key in all devices
 No key distribution mechanism
 Infeasible for large organization:
approach doesn’t scale
Crypto is flawed
 Early 2001: Integrity and
authentication attacks published
 August 2001 (weak-key attack):
can deduce RC4 key after
observing several million packets
 AirSnort application allows
casual user to decrypt WEP
traffic
Crypto problems
 24 bit IV to short
 Same key for encryption and
message integrity
 ICV flawed, does not prevent
adversarial modification of
intercepted packets
 Cryptanalytic attack allows
eavesdroppers to learn key
after observing several
millions of packets
44

SSID and access control lists provide
minimal security
 no encryption


WEP provides encryption, but is easily
broken
Emerging protocol: 802.11i
 Back-end authentication server
 Public-key cryptography for authentication
and master key distribution
 TKIP: Strong symmetric crypto techniques
45

Fluhrer, Mantin, Shamir - Weakness in the
Key Scheduling Algorithm of RC4.
http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf

Stubblefield, Loannidis, Rubin – Using the
Fluhrer, Mantin, and Shamir Attack to Break
WEP.
http://www.cs.rice.edu/~astubble/wep/wep_attack.pdf

Rivest – RSA Security Response to Weakness
in the Key Scheduling Algorithm of RC4.
http://www.rsasecurity.com/rsalabs/technotes/wep.html

RC4 Encryption Algorithm.
http://www.ncat.edu/~grogans/algorithm_breakdown.htm
46