Wi-Fi Security

Transcript Wi-Fi Security

By Billy Ripple

Security requirements
 Authentication
 Integrity
 Privacy


Security concerns
Security techniques
 WEP
 WPA/WPA2

Conclusion

Security between two network entities should provide the following:
 Authentication
▪ Process of determining whether somebody or something is who or what it is declared to be
 Integrity
▪ Maintaining accuracy and consistency of data
 Privacy
▪ Prevents security threats, primarily eavesdropping attempts




Denial of service
Man-in-the-middle attacks
Rogue access points
Other threats include:
 Ad hoc networks
 MAC Spoofing
 Network Injection


Denial of service
An attempt to make a machine or network unavailable
Many different methods of attack:
 Internet Control Message Protocol (ICMP) flood
 SYN flood
 Teardrop attacks
 Peer-to-peer attacks

Smurf Attack
 Relies on misconfigured network devices that allow a packet to be sent to every host on the network
 The attacker sends large numbers of IP packets with the source address faked to appear to be the address of the victim
 The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination

Ping Flood
 Based on sending the victim an overwhelming number of ping packets, using the “ping” command from Unix-like hosts
 Works only when the attacker has more bandwidth available than the victim

Ping of death
 Sending the victim a malformed ping packet which ultimately leads to a system crash




SYN flood
Occurs when a host sends a flood of TCP SYN packets
Each packet is handled like a connection request
The server creates a half-open connection by sending back a SYN-ACK packet and waiting for the client's response to it
These half-open connections keep the server from responding to legitimate requests until after the attack is over
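The half-open connection backlog described above, as an added example that is not part of the original presentation: a small model of a server's SYN backlog showing how unacknowledged SYNs crowd out a legitimate client until the entries time out. Capacity, timeout and all addresses are constructed values.

```python
# Added example, not from the original presentation: a model of a server's
# SYN backlog. A SYN creates a half-open entry (SYN-ACK sent, final ACK
# pending); entries that are never acknowledged hold their slot until the
# timeout. Capacity, timeout and addresses are constructed values.


class SynBacklog:
    """Tracks half-open connections keyed by (source IP, source port)."""

    def __init__(self, capacity=64, timeout=30):
        self.capacity = capacity      # max half-open entries the server keeps
        self.timeout = timeout        # seconds before a half-open entry is dropped
        self.half_open = {}           # (src_ip, src_port) -> time the SYN arrived

    def expire(self, now):
        """Drop entries whose SYN-ACK was never answered within the timeout."""
        self.half_open = {k: t for k, t in self.half_open.items() if now - t < self.timeout}

    def on_syn(self, src_ip, src_port, now):
        """True if the SYN gets a backlog slot (and a SYN-ACK), False if the backlog is full."""
        self.expire(now)
        if len(self.half_open) >= self.capacity:
            return False              # backlog full: the SYN is dropped, no SYN-ACK
        self.half_open[(src_ip, src_port)] = now
        return True

    def on_ack(self, src_ip, src_port):
        """The client's final ACK completes the handshake and frees the slot."""
        return self.half_open.pop((src_ip, src_port), None) is not None


def simulate():
    """Constructed timeline: 64 spoofed SYNs at t=0, then a real client at t=1 and t=31."""
    server = SynBacklog(capacity=64, timeout=30)
    for i in range(64):               # flood from spoofed sources; no ACK ever follows
        server.on_syn(f"198.51.100.{i}", 40000 + i, now=0)
    during = server.on_syn("10.0.0.5", 51000, now=1)     # legitimate SYN during the flood
    after = server.on_syn("10.0.0.5", 51001, now=31)     # same client after entries expire
    if after:
        server.on_ack("10.0.0.5", 51001)                 # legitimate handshake completes
    return {"accepted_during_flood": during,
            "accepted_after_timeout": after,
            "half_open_remaining": len(server.half_open)}
```

Real TCP stacks shrink this window with SYN cookies or shorter SYN-RECV timeouts, which is why the model's fixed-size backlog overstates the effect on a modern server.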




Teardrop attack
Attacker sends mangled IP fragments with over-sized payloads to the victim’s machine
This crashes operating systems due to a bug in their TCP/IP fragment reassembly
Newer operating systems aren’t affected by this type of attack
 Except Windows Vista



Man-in-the-middle attack
The attacker intercepts messages in a public key exchange and retransmits them, substituting his own public key for the requested one
The original parties believe they are communicating only with each other
The attacker has access to both users’ messages
Attacker spoofs a disassociate message from the victim
 The victim starts to look for a new access point
 The attacker advertises his access point using the real access point’s MAC address
 The attacker connects to the real access point using the victim’s MAC address




Rogue access point
A wireless access point that has been installed on a secure company network without authorization from a network administrator
Often created to allow a hacker to conduct a man-in-the-middle attack
There are many different types of software that allow businesses to detect a rogue access point
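One way such detection software works, as an added example that is not from the original presentation: compare a wireless scan against the list of sanctioned access points. The SSIDs, BSSIDs and channels are constructed; the second check also catches an access point cloning the real AP's MAC address, as in the man-in-the-middle slide.

```python
# Added example, not from the original presentation: a rogue access point
# check over a constructed wireless scan. AUTHORIZED maps each corporate
# SSID to the BSSIDs (AP MAC addresses) allowed to broadcast it.
AUTHORIZED = {
    "corp-wifi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Constructed scan results: (ssid, bssid, channel)
SCAN = [
    ("corp-wifi", "00:11:22:33:44:01", 6),     # legitimate AP
    ("corp-wifi", "00:11:22:33:44:02", 11),    # legitimate AP
    ("corp-wifi", "de:ad:be:ef:00:01", 1),     # unknown device announcing the corporate SSID
    ("corp-wifi", "00:11:22:33:44:01", 1),     # real AP's MAC seen again on another channel
    ("neighbor-net", "aa:bb:cc:dd:ee:ff", 3),  # foreign network, not ours to flag
]


def find_rogue_aps(scan, authorized):
    """Return (reason, ssid, bssid, channel) for each suspicious beacon.

    Check 1: an unsanctioned BSSID advertising one of our SSIDs.
    Check 2: a sanctioned BSSID seen on more than one channel, which is how
    a second radio cloning the real AP's MAC address shows up in a scan.
    """
    findings = []
    channels_by_bssid = {}
    for ssid, bssid, channel in scan:
        if ssid in authorized and bssid not in authorized[ssid]:
            findings.append(("unauthorized bssid for our ssid", ssid, bssid, channel))
        channels_by_bssid.setdefault(bssid, set()).add(channel)
    for ssid, bssids in authorized.items():
        for bssid in bssids:
            seen = channels_by_bssid.get(bssid, set())
            if len(seen) > 1:
                findings.append(("sanctioned bssid on multiple channels", ssid, bssid, sorted(seen)))
    return findings
```

A clone operating on the same channel as the real AP is invisible to the second check; catching that needs signal-strength history or a wired-side inventory of switch ports.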



WEP – Wired Equivalent Privacy
WPA- Wi-Fi Protected Access
WPA2/802.11i




WEP
The original encryption protocol developed for IEEE 802.11 wireless LANs
Designed to provide the same level of security as wired networks
No longer recommended
Uses a network security key to encrypt information that one computer sends to another across your network





When WEP is active, each 802.11 packet is encrypted separately
These packets are encrypted with an RC4 cipher stream generated by a 64-bit RC4 key
This key is composed of a 24-bit initialization vector (IV) and a 40-bit WEP key
The encrypted packet is generated with a bitwise XOR of the original packet and the RC4 stream
The IV is chosen by the sender and can be changed periodically
• RC4
• Most widely used software stream cipher
• Very simple, relatively weak

Key Management and key size
 Keys are long-lived and of poor quality

The Initialization Vector is too small
 WEP’s IV size of 24 bits allows for only 16,777,216 different RC4 cipher streams for a given WEP key
 If the RC4 cipher stream for a given IV is found, an attacker can decrypt every packet sent with that IV
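The IV problem made concrete, as an added example that is not from the original presentation: a textbook RC4 and the WEP-style per-packet encryption the slides describe (24-bit IV followed by the 40-bit key, ciphertext = plaintext XOR keystream). Once an IV repeats, the keystream repeats, and one packet with predictable content reveals the other. The key, IV and packet contents are constructed values.

```python
# Added example, not from the original presentation: RC4 plus WEP-style
# per-packet encryption, showing why 16,777,216 IVs is too few. Key, IV
# and packet contents are constructed values.

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS        # 16,777,216 distinct keystreams per secret key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (key scheduling, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                              # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                           # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, wep_key: bytes, data: bytes) -> bytes:
    """WEP-style: RC4 seeded with IV || key; the IV travels in the clear."""
    assert len(iv) == 3 and len(wep_key) == 5          # 24-bit IV, 40-bit key
    ks = rc4_keystream(iv + wep_key, len(data))
    return bytes(p ^ k for p, k in zip(data, ks))       # XOR is its own inverse


def keystream_from_known_plaintext(ciphertext: bytes, plaintext: bytes) -> bytes:
    """An eavesdropper who knows one packet's plaintext learns that IV's keystream."""
    return bytes(c ^ p for c, p in zip(ciphertext, plaintext))


def iv_reuse_demo() -> bytes:
    """Two packets under the same IV: the second is exposed without the secret key."""
    key = b"\x01\x02\x03\x04\x05"      # constructed 40-bit WEP key (secret)
    iv = b"\x0a\x0b\x0c"               # constructed IV that the sender reuses
    first = b"KNOWN-HEADER:public"     # e.g. a predictable protocol header
    second = b"KNOWN-HEADER:secret"    # same length, same IV
    c1 = wep_encrypt(iv, key, first)
    c2 = wep_encrypt(iv, key, second)
    ks = keystream_from_known_plaintext(c1, first)   # no key needed
    return bytes(c ^ k for c, k in zip(c2, ks))      # recovers `second`
```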

Message Integrity Checking is ineffective
 WEP has a message integrity check, but hackers can change messages and recompute a new check value to match
Video demonstration: https://www.youtube.com/watch?v=GqleMWzSvUk
 Uses AirPcap and Cain and Abel software
 Software must capture at least one Address Resolution Protocol (ARP) request from a system on the target access point
 You can force this by sending something to the connected client
 You must make sure you have over 250,000 IVs before attempting to crack the WEP key






WPA
Security technology that improves on the authentication and encryption of WEP
Developed to replace WEP in 2003
Provides stronger encryption than WEP by using two standard technologies
 TKIP – Temporal Key Integrity Protocol
 AES – Advanced Encryption Standard
Includes built-in authentication support that WEP doesn’t offer





TKIP
Wraps additional code around WEP
TKIP implements a key mixing function that combines the secret root key with the IV before passing it to the RC4 routine
WPA then implements a sequence counter to protect against replay attacks
Packets received out of order will be rejected by the access point
TKIP then implements a 64-bit message integrity check

AES
Very complex
Requires more computing power
Better than the TKIP option
Based on a design principle known as a substitution-permutation network
 AES operates on a 4x4 matrix of bytes
 The key size used for AES specifies the number of rounds that convert the input into output




 10 cycles of repetition (rounds) for 128-bit keys
 12 cycles of repetition for 192-bit keys
 14 cycles of repetition for 256-bit keys
Possible key combinations:
 128-bit: 3.4 × 10^38
 192-bit: 6.2 × 10^57
 256-bit: 1.1 × 10^77
It would take 1 billion years to crack a 128-bit AES key using a brute-force method
The primary weakness of WPA is that it is password protected
 An easy password makes it easier to hack
 TKIP isn’t much more secure than WEP due to the simplicity of the RC4 algorithm
 WPA AES isn’t supported on older equipment
 WPA used to only be able to use TKIP

WPA2
Replaced WPA on all Wi-Fi hardware since 2006
Provides government-grade security by combining the AES encryption algorithm and 802.1x-based authentication
 Based on the IEEE 802.11i technology standard for data encryption
 Has several different forms of security keys
 Two versions
 Enterprise – Server authentication (802.1x)
 Personal – AES pre-shared key
Backward compatible with WPA

Personal
 Uses a pre-shared key to optimize its effectiveness without an authentication server
▪ Used in small office and home environments

Enterprise
 Caters to big businesses
 Uses open system authentication in its first phase and the Extensible Authentication Protocol (EAP) method and 802.1x protocol in its second phase




IEEE 802.1x
 Standard defined by IEEE for port-based network access control
 Protocol to make sure only legitimate clients can use a network secured by WPA2
Separates the user authentication from the message integrity and privacy
 Allows for more flexibility
WPA2 Personal doesn’t require an authentication server
WPA2 Enterprise consists of the following:
 Client
 Access Point
 Authentication Server

WPA2 has immunity against
 Man-in-the-middle attacks
 Weak keys
 Packet forging
 Brute-force attacks

Allows the client to reconnect to APs it has recently connected to without needing re-authentication

Can’t withstand a physical-layer attack such as:
 Data flooding
 Access point failure

Vulnerable to a DoS attack
Vulnerable to MAC address spoofing






Conclusion
To have a secure connection between two network entities you must have authentication, integrity, and privacy
There are many security threats in a WLAN
WEP, WPA, and WPA2 are wireless network security methods
WEP should be avoided
WPA2 is the best security method
Questions?
