Wi-Fi Security
By Billy Ripple
Security requirements
  Authentication
  Integrity
  Privacy
Security concerns
Security techniques
  WEP
  WPA/WPA2
Conclusion
Security between two network entities should provide the following:
Authentication
▪ The process of determining whether somebody or something is who or what it is declared to be
Integrity
▪ Maintaining the accuracy and consistency of data
Privacy
▪ Prevents security threats, primarily eavesdropping attempts
Security concerns
▪ Denial of service
▪ Man-in-the-middle attacks
▪ Rogue access points
▪ Other threats include:
  ▪ Ad hoc networks
  ▪ MAC spoofing
  ▪ Network injection
Denial of service
▪ An attempt to make a machine or network unavailable
▪ Many different methods of attack:
  ▪ Internet Control Message Protocol (ICMP) flood
  ▪ SYN flood
  ▪ Teardrop attacks
  ▪ Peer-to-peer attacks
ICMP flood
▪ Smurf attack
  ▪ Relies on misconfigured network devices that allow packets to be sent to all computer hosts
  ▪ The attacker sends large numbers of IP packets with the source address faked to appear to be the address of the victim
  ▪ The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination
▪ Ping flood
  ▪ Based on sending the victim an overwhelming number of ping packets by using the "ping" command from Unix-like hosts
  ▪ Relies on the attacker having access to greater bandwidth than the victim
▪ Ping of death
  ▪ Sending the victim a malformed ping packet which ultimately leads to a system crash
SYN flood
▪ Occurs when a host sends a flood of TCP/SYN packets
▪ Each packet is handled like a connection request
▪ The server creates a half-open connection by sending back an ACK packet and waiting for a response to the ACK packet
▪ These half-open connections keep the server from responding to legitimate requests until after the attack is over
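The half-open connection count is also the simplest signal a defender can watch for this. The Python below is an added example written for this page, not part of Billy Ripple's deck: it takes a constructed list of handshake events (timestamp, client address, and whether the event was the client's SYN or its completing ACK), matches each SYN to an ACK from the same client within a window, and reports what is left unmatched, per client and in total. The event format, window and threshold are assumptions of the example.

```python
from collections import defaultdict

# Constructed sample of TCP handshake events as a server would see them (not real traffic).
# Each tuple is (timestamp in seconds, client address, flag): "S" for a SYN that opens a
# half-open connection, "A" for the client's final ACK that completes the handshake.
SAMPLE_EVENTS = [
    (0.00, "10.0.0.5", "S"), (0.05, "10.0.0.5", "A"),   # normal handshake
    (0.20, "10.0.0.6", "S"), (0.26, "10.0.0.6", "A"),   # normal handshake
    (0.40, "10.0.0.7", "S"),                              # handshake still in flight
] + [(1.0 + 0.01 * n, "198.51.100.9", "S") for n in range(8)]  # eight SYNs, never completed


def half_open_counts(events, window_s=3.0):
    """Return {client: number of SYNs not completed by an ACK within window_s}.

    Each SYN is matched to the earliest unused ACK from the same client that arrives
    within the window; every SYN left unmatched is a half-open connection.
    """
    syns, acks = defaultdict(list), defaultdict(list)
    for ts, client, flag in events:
        (syns if flag == "S" else acks)[client].append(ts)
    counts = {}
    for client, syn_times in syns.items():
        pending = sorted(acks[client])
        unmatched = 0
        for syn_ts in sorted(syn_times):
            match = next((a for a in pending if syn_ts <= a <= syn_ts + window_s), None)
            if match is None:
                unmatched += 1
            else:
                pending.remove(match)
        counts[client] = unmatched
    return counts


def flood_sources(events, window_s=3.0, threshold=5):
    """Clients holding at least `threshold` half-open connections."""
    return sorted(c for c, n in half_open_counts(events, window_s).items() if n >= threshold)


def total_half_open(events, window_s=3.0):
    """Server-wide count. A flood spread across many spoofed source addresses keeps every
    per-client count small, so the aggregate is the figure to alert on."""
    return sum(half_open_counts(events, window_s).values())


if __name__ == "__main__":
    print(half_open_counts(SAMPLE_EVENTS))
    print("suspected flood sources:", flood_sources(SAMPLE_EVENTS))
    print("half-open connections on the server:", total_half_open(SAMPLE_EVENTS))
```

On the constructed sample, the two completed handshakes count zero, the client still in flight counts one, and the address that sent eight SYNs with no ACK is the only one over the threshold. The server-wide total of nine is the number that matters when sources are spoofed.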
Teardrop attacks
▪ Attacker sends mangled IP fragments with over-sized payloads to the victim's machine
▪ This crashes operating systems due to a bug in their TCP/IP fragmentation handling
▪ Newer operating systems aren't affected by this type of attack, except Windows Vista
Man-in-the-middle attacks
▪ The attacker intercepts messages in a public key exchange and retransmits them, substituting his own public key for the requested one
▪ The original parties believe they are just communicating with each other
▪ The attacker has access to both users' messages
▪ Attacker spoofs a disassociate message from the victim
▪ The victim starts to look for a new access point
▪ The attacker advertises his access point using the real access point's MAC address
▪ The attacker connects to the real access point using the victim's MAC address
Rogue access points
▪ A wireless access point that has been installed on a secure company network without authorization from a network administrator
▪ Often created to allow a hacker to conduct a man-in-the-middle attack
▪ There are many different types of software that allow businesses to detect a rogue access point
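The detection such software performs can be as simple as comparing what a wireless scanner sees against an inventory of the organisation's own access points. The Python below is an added example written for this page, not part of the deck or of any product: the inventory, the scan records and their field names are constructed for illustration. It flags an unknown BSSID advertising the corporate SSID (a rogue or impostor AP) and also an inventoried BSSID seen with a channel or security mode that differs from the inventory, which is how the MAC-address cloning in the man-in-the-middle sequence above would show up to a scanner.

```python
# Constructed inventory of the organisation's own access points (an assumption of this example).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "CorpNet", "channel": 6, "security": "WPA2"},
    "00:11:22:33:44:02": {"ssid": "CorpNet", "channel": 11, "security": "WPA2"},
}

# Constructed scan results in the shape a wireless scanner might report (not a real capture).
SAMPLE_SCAN = [
    {"ssid": "CorpNet", "bssid": "00:11:22:33:44:01", "channel": 6, "security": "WPA2"},
    {"ssid": "CorpNet", "bssid": "00:11:22:33:44:02", "channel": 11, "security": "WPA2"},
    {"ssid": "CorpNet", "bssid": "AA:BB:CC:DD:EE:FF", "channel": 1, "security": "WPA2"},   # unknown BSSID using our SSID
    {"ssid": "CorpNet", "bssid": "00:11:22:33:44:01", "channel": 1, "security": "OPEN"},   # our BSSID on the wrong channel, open
    {"ssid": "CoffeeShop", "bssid": "12:34:56:78:9a:bc", "channel": 3, "security": "OPEN"},  # neighbour, not our SSID
]

CHECKED_FIELDS = ("ssid", "channel", "security")


def find_rogue_aps(scan, authorized):
    """Return [(bssid, reason)] for every scanned AP that should not be on the air.

    Two conditions are reported: a BSSID not in the inventory that advertises one of
    our SSIDs, and an inventoried BSSID whose advertised attributes do not match the
    inventory (an attacker cloning a real AP's MAC address looks like this).
    """
    our_ssids = {entry["ssid"] for entry in authorized.values()}
    inventory = {bssid.lower(): entry for bssid, entry in authorized.items()}
    findings = []
    for ap in scan:
        bssid = ap["bssid"].lower()
        known = inventory.get(bssid)
        if known is None:
            if ap["ssid"] in our_ssids:
                findings.append((bssid, f"unknown AP advertising corporate SSID '{ap['ssid']}'"))
            continue  # a stranger's own SSID is not our problem
        mismatches = [field for field in CHECKED_FIELDS if ap[field] != known[field]]
        if mismatches:
            findings.append((bssid, "inventoried BSSID seen with different " + ", ".join(mismatches)))
    return findings


if __name__ == "__main__":
    for bssid, reason in find_rogue_aps(SAMPLE_SCAN, AUTHORIZED_APS):
        print(f"{bssid}: {reason}")
```

Run against the constructed scan it reports exactly two access points: the unknown BSSID using the corporate SSID, and the real BSSID that was seen on a different channel with security disabled. The neighbouring coffee-shop network is ignored because it advertises neither our SSID nor one of our BSSIDs.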
Security techniques
▪ WEP – Wired Equivalent Privacy
▪ WPA – Wi-Fi Protected Access
▪ WPA2/802.11i
WEP
▪ The original encryption protocol developed for IEEE 802.11 wireless LANs
▪ Designed to provide the same level of security as wired networks
▪ No longer recommended
▪ Uses a network security key to encrypt information that one computer sends to another across your network
▪ When WEP is active, each 802.11 packet is encrypted separately
▪ These packets are encrypted with an RC4 cipher stream generated by a 64-bit RC4 key
▪ This key is composed of a 24-bit initialization vector (IV) and a 40-bit WEP key
▪ The encrypted packet is generated with a bitwise XOR of the original packet and the RC4 stream
▪ The IV is chosen by the sender and can be changed periodically
▪ RC4
  ▪ Most widely used software stream cipher
  ▪ Very simple, relatively weak
▪ Key management and key size: keys are long-lived and of poor quality
▪ The initialization vector is too small
  ▪ WEP's IV size of 24 bits allows for 16,777,216 different RC4 cipher streams for a given WEP key
  ▪ If the RC4 cipher stream for a given IV is found, an attacker can decrypt packets
▪ Message integrity checking is ineffective
  ▪ WEP has a message integrity check, but hackers can change messages and recompute a new value to match
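The per-packet construction described two slides up (IV, 40-bit key, RC4 keystream, XOR) and the IV-size weakness above are easiest to see together in code. The Python below is an added example written for this page, not the deck's code and not a reference WEP implementation: it builds a WEP-style packet from a 24-bit IV and a 40-bit key, appends the CRC-32 integrity value that WEP encrypts along with the data, and then shows the property the weakness slide is about: two packets sent under the same key and the same IV use the same keystream, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts. It also sizes the IV space and gives the birthday-bound estimate of how soon a sender choosing IVs at random repeats one; that estimate is the example's own arithmetic, not a figure from the deck.

```python
import math
import zlib

IV_BYTES = 3        # 24-bit initialization vector, sent in the clear in front of the packet
WEP_KEY_BYTES = 5   # 40-bit WEP key; IV || key is the 64-bit RC4 key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """One WEP-protected packet: CRC-32 ICV appended to the payload, XORed with RC4(IV || key)."""
    if len(wep_key) != WEP_KEY_BYTES or len(iv) != IV_BYTES:
        raise ValueError("expected a 40-bit WEP key and a 24-bit IV")
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor_bytes(body, rc4_keystream(iv + wep_key, len(body)))


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    """Recover the payload; raises ValueError when the integrity value does not match."""
    iv, body = frame[:IV_BYTES], frame[IV_BYTES:]
    plain = xor_bytes(body, rc4_keystream(iv + wep_key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def ciphertext_xor(frame_a: bytes, frame_b: bytes) -> bytes:
    """XOR of two encrypted bodies. If both were sent under the same key and IV, the
    identical keystreams cancel and the result is plaintext_a XOR plaintext_b: nothing
    about the key is needed, which is why a 24-bit IV space is far too small."""
    return xor_bytes(frame_a[IV_BYTES:], frame_b[IV_BYTES:])


def iv_space_size() -> int:
    """Distinct keystreams available per WEP key: 2^24 = 16,777,216."""
    return 2 ** (8 * IV_BYTES)


def expected_packets_until_iv_repeat() -> int:
    """Birthday-bound estimate for a sender picking IVs at random: sqrt(pi/2 * 2^24),
    about 5,133 packets before the first repeated IV (example's own arithmetic)."""
    return int(math.sqrt(math.pi / 2 * iv_space_size()))


if __name__ == "__main__":
    key, iv = bytes([1, 2, 3, 4, 5]), bytes([0, 0, 1])   # constructed demo values
    a = wep_encrypt(key, iv, b"hello wifi world!")
    b = wep_encrypt(key, iv, b"meet at the cafe.")
    print(wep_decrypt(key, a))
    print(ciphertext_xor(a, b)[:17] == xor_bytes(b"hello wifi world!", b"meet at the cafe."))
    print(iv_space_size(), expected_packets_until_iv_repeat())
```

A sender that cycles through all 16,777,216 IVs in order exhausts them on a busy network in hours, and one that picks them at random repeats one after only a few thousand packets; either way the same keystream is reused under a key that, as the slide says, is long-lived. That is the reasoning behind "no longer recommended".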
https://www.youtube.com/watch?v=GqleMWzSvUk
▪ Uses AirPcap and Cain and Abel software
▪ Software must capture at least one Address Resolution Protocol request from a system on the target access point
▪ You can force this by sending something to the connected client
▪ You must make sure you have over 250,000 IVs before attempting to crack the WEP key
WPA
▪ Security technology that improves on the authentication and encryption of WEP
▪ Developed to replace WEP in 2003
▪ Provides stronger encryption than WEP by using two standard technologies:
  ▪ TKIP – Temporal Key Integrity Protocol
  ▪ AES – Advanced Encryption Standard
▪ Includes built-in authentication support that WEP doesn't offer
TKIP
▪ Wraps additional code around WEP
▪ TKIP implements a key mixing function that combines the secret root key with the IV before passing it to the RC4 routine
▪ WPA then implements a sequence counter to protect against replay attacks
  ▪ Packets received out of order will be rejected by the access point
▪ TKIP then implements a 64-bit message integrity check
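What the counter and the integrity check buy the receiver is clearer in code. The Python below is an added example written for this page, not the deck's code and not the TKIP algorithms themselves: it keeps TKIP's shape (a 48-bit sequence counter sent with each packet, a per-packet key mixed from the root key and that counter, a 64-bit MIC, and a receiver that rejects any counter at or below the last one accepted and any MIC that fails, advancing its counter only after both checks pass) but substitutes SHA-256 for TKIP's mixing function, HMAC-SHA256 truncated to 64 bits for the Michael MIC, and leaves out the RC4 encryption layer. The frame layout is an assumption of the example.

```python
import hashlib
import hmac

SEQ_BYTES = 6   # TKIP's sequence counter is 48 bits
MIC_BYTES = 8   # 64-bit message integrity check


def per_packet_key(root_key: bytes, seq: int) -> bytes:
    """Stand-in for TKIP key mixing: bind the root key to the packet counter so every
    packet's key is different. (SHA-256 here; TKIP's own mixing function differs.)"""
    return hashlib.sha256(root_key + seq.to_bytes(SEQ_BYTES, "big")).digest()[:16]


def compute_mic(root_key: bytes, seq: int, payload: bytes) -> bytes:
    """64-bit MIC over counter and payload, keyed with the per-packet key.
    (HMAC-SHA256 truncated to 8 bytes; TKIP uses the Michael MIC.)"""
    key = per_packet_key(root_key, seq)
    return hmac.new(key, seq.to_bytes(SEQ_BYTES, "big") + payload, hashlib.sha256).digest()[:MIC_BYTES]


def build_frame(root_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: counter || MIC || payload (assumed layout for this example)."""
    return seq.to_bytes(SEQ_BYTES, "big") + compute_mic(root_key, seq, payload) + payload


class Receiver:
    """Access-point side of the replay and integrity checks."""

    def __init__(self, root_key: bytes):
        self.root_key = root_key
        self.last_seq = -1  # counter of the last frame we accepted

    def receive(self, frame: bytes):
        seq = int.from_bytes(frame[:SEQ_BYTES], "big")
        mic = frame[SEQ_BYTES:SEQ_BYTES + MIC_BYTES]
        payload = frame[SEQ_BYTES + MIC_BYTES:]
        # Replay protection: the counter must strictly increase, so a captured frame
        # played back later, or a frame arriving out of order, is dropped.
        if seq <= self.last_seq:
            return False, "rejected: replayed or out-of-order counter"
        # Integrity: recompute the MIC under the per-packet key; constant-time compare.
        if not hmac.compare_digest(mic, compute_mic(self.root_key, seq, payload)):
            return False, "rejected: MIC mismatch"
        self.last_seq = seq  # advance only once the frame has passed both checks
        return True, "accepted"


if __name__ == "__main__":
    rk = b"constructed-root-key-0001"
    ap = Receiver(rk)
    first = build_frame(rk, 1, b"hello")
    print(ap.receive(first))
    print(ap.receive(build_frame(rk, 2, b"world")))
    print(ap.receive(first))  # same frame again: replay, rejected
```

Two details are worth noting for anyone building on this pattern. The counter is advanced only after the MIC verifies, so a forged frame carrying a high counter cannot lock out the legitimate sender's next packets. And because the MIC key changes with the counter, a valid MIC from one packet cannot be transplanted onto another, which is the weakness the WEP slide attributed to recomputing a plain checksum.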
AES
▪ Very complex
▪ Requires more computing power
▪ Better than the TKIP option
▪ Based on a design principle known as a substitution-permutation network
▪ AES operates on a 4x4 matrix of bytes
▪ The key size used for AES specifies the number of rounds that convert the input into output:
  ▪ 10 rounds for 128-bit keys
  ▪ 12 rounds for 192-bit keys
  ▪ 14 rounds for 256-bit keys
▪ Possible key combinations:
  ▪ 128-bit: 3.4 x 10^38
  ▪ 192-bit: 6.2 x 10^57
  ▪ 256-bit: 1.1 x 10^77
▪ It would take 1 billion years to crack the 128-bit AES key using a brute force method
▪ The primary weakness with WPA is that it is password protected; an easy password makes it easier to hack
▪ TKIP isn't much more secure than WEP due to the simplicity of the RC4 algorithm
▪ WPA AES isn't supported on older equipment; WPA used to only be able to use TKIP
WPA2
▪ Replaced WPA on all Wi-Fi hardware since 2006
▪ Provides government-grade security by combining the AES encryption algorithm and 802.1X-based authentication
▪ Based on the IEEE 802.11i technology standard for data encryption
▪ Has several different forms of security keys
▪ Two versions:
  ▪ Enterprise – server authentication, 802.1X
  ▪ Personal – AES pre-shared key
▪ Backward compatible with WPA
▪ Personal
  ▪ Uses a pre-shared key to optimize its effectiveness without an authentication server
  ▪ Used in small office and home environments
▪ Enterprise
  ▪ Caters to big businesses
  ▪ Uses open system authentication in its first phase, and the Extensible Authentication Protocol (EAP) method and 802.1X protocol in its second phase
IEEE 802.1X
▪ Standard defined by IEEE for port-based network access control
▪ Protocol to make sure only legitimate clients can use a network secured by WPA2
▪ Separates the user authentication from the message integrity and privacy
▪ Allows for more flexibility
▪ WPA2 Personal doesn't require an authentication server
▪ WPA2 Enterprise consists of the following:
  ▪ Client
  ▪ Access point
  ▪ Authentication server
▪ WPA2 has immunity against:
  ▪ Man-in-the-middle attacks
  ▪ Weak keys
  ▪ Packet forging
  ▪ Brute-force attacks
▪ Allows the client to reconnect to APs it has recently connected to without needing reauthentication
▪ Can't withstand a physical-layer attack such as:
  ▪ Data flooding
  ▪ Access point failure
▪ Vulnerable to a DoS attack
▪ Vulnerable to MAC address spoofing
Conclusion
▪ To have a secure connection between two network entities you must have authentication, integrity, and privacy
▪ There are many security threats in a WLAN
▪ WEP, WPA, and WPA2 are wireless network security methods
▪ WEP should be avoided
▪ WPA2 is the best security method
Questions?