Title: Wireless Security
1Wireless Security
- 802.11 With a focus on Security
- by Brian Lee
- Takehiro Takahashi
2Outline
- Wireless Technology Overview
- Architecture
- Features
- Wireless Security Overview
- Built-in security features in 802.11
- WEP insecurity
- 802.1x
- WPA
- WPA2 - 802.11i
3GOAL
- Understand the truth in Wireless Security
- WEP is insecure
- But we CAN make a wireless network secure
4802.11 Basics
- Infrastructure Mode or Ad Hoc
- 802.11 a/b/g/n Physical Layer Spec
- 11Mbps or 54Mbps
- feels slower.? (effective speed 50)
- 802.11i Security Spec
- 802.11 Security Layer 2 Security
5802.11 Built-in Features
- 802.11 frame types
- Association Request/Response Frame
- Beacon Frame
- RTS/CTS Frame
- Shared/Open Authentication
- WEP
- Integrity
- Confidentiality
- Authentication (Shared Auth)
6SSID
- Network identifier
- SSID is broadcasted in a beacon frame
- Clear Text!
- Change it from the default
- Cisco tsunami
- Linksys linksys
- Netgear netgear
- Stop broadcasting!
7MAC Address Filtering
- White-list approach
- Problems
- Does not scale
- Frame headers are never encrypted
- Bottom line..
- Prevents casual hacking..
- Quite useless
8Authentication (1)
- 2 ways of initiating communication
- Shared Key
- Open Key authentication
- Open Key Auth No authentication
- Shared Key Auth requires WEP
- Bottom Line
- Open Key Auth gtgtgt Shared Key Auth
9Authentication (2) Shared Auth
- This is bad.. reveals the WEP key
10WEP (Wired Equivalent Protocol)
- Confidentiality
- Integrity
- Authentication (Shared Auth)
- RC4 Stream Cipher Encryption CRC32
- Broken!
11WEP Encryption
1264/40 and 128/104 bits confusion
- IV (24bits)
- Your WEP key
- 5-ASCII char word 6-hex num 40bits
- 13-ASCII char word 26-hex num 104bits
- Security-wise, its really 40bits or 104bits
13Problems with WEP
- 1 Static Key
- No encryption is strong if one key is used
forever - Key length is short (40bits)
- Brute forcing is possible
- 104bits version exists
- Using CRC32
- CRC is a hash function used to produce a checksum
- Improper use of RC4
- IV space is too small (24bits)
- No protection against replay attack
- No specification on key distribution
- Lacks scalability
14CRC32 and WEP
- CRC32 doesnt have the cryptographic strength
seen in MD5 or SHA1 - Bit-flipping is possible
- Change the data, and WEP wont catch it
15RC4 and WEP (1)
- RC4 Rivests Cipher 4
- Stream Cipher
- What is a requirement for a stream cipher?
- Avoid key sequence collision at any cost
- M1 XOR RC4-Key XOR M2 XOR RC4-Key
M1 XOR M2 - With WEP, key sequences are repeated every 16
million packets (2 24) - Key sequence collision doesnt reveal the WEP key!
16RC4 and WEP (2)
- Weak IVs reveal the WEP key
- 5 chance of guessing the portion of the seed
(WEP key) correctly - FMS attack
- 2M packets to decrypt 40bit WEP key
- The time needed is a linear function to the key
length - 104bit key is just as useless as 40bits key
17Replay Attacks
- Reinjection of the captured packets are possible
- IV usage is not specified
- KoreK ChopChop attack to decipher a packet
without knowing the WEP key
18Countermeasures.
- So weve seen the attacks, but WEP is widely
deployed and supported by any wireless device. - Can we do anything smart with it?
- Lets swap WEP keys every 10 minutes!
- well
19Effective WEP cracking
- KoreK Chopper Attack (Aug. 2004)
- Another statistical analysis based attack on WEP
key - Extension to FMS attack to require unique IVs
- Possible with as little as 0.1M IVs (packets)
- Traditional method requires more than 2M packets
- Accelerate it with packet injection KoreK
ChopChop - A 40-bit WEP can be cracked in 10 Minutes
- Fast swapping of WEP key is no longer safe
20Conclusion WEP
- Confidentiality
- FMS attack
- KoreK attack
- Integrity
- Bit-flipping attack
- Authentication
- Insecure Shared Auth?
- Attacks can be completely passive
- NO MORE WEP
21Finally. we have solutions!
- 802.1x (Authentication)
- per-user authentication
- Key distribution mechanism
- WPA (Confidentiality, Integrity)
- Subset of 802.11i
- 2 forms
- 802.1x Auth TKIP (Enterprise mode)
- Pre-shared Key TKIP
- WPA2 802.11i
- WPA2 is the implementation of 802.11i
- Uses AES-CCMP
22802.1x (Authentication)
23802.1X
- 802.1X is a port-based, layer 2 authentication
framework - Not limited wireless networks
- Uses EAP for implementation
- End-result
- A seed for a WEP key in WEP
- A seed for an encryption key used in WPA/WPA2
- 802.1X is not an alternative to WEP
24802.1x authentication
25Extensible Authentication Protocol (EAP)
- Authentication Framework
- runs on the different layer than 802.1x
- Very flexible
- RADIUS is de-facto
- a server for remote user authentication and
accounting
26Implementations
- EAP methods adopted in WPA/WPA2
- EAP-MD5
- EAP-LEAP
- EAP-TLS
- EAP-TTLS
- PEAP
27EAP-MD5
- EAP-MD5 is a simple EAP implementation
- Uses and MD5 hash of a username and password that
is sent to the RADIUS server - Authenticates only one way
- Man in the middle attack
- Bottom line Not recommended
28LEAP (EAP-Cisco)
- Like EAP-MD5, it uses a Login/Password scheme
that it sends to the RADIUS server - Each user gets a dynamically generated one time
key upon login - Authenticates client to AP and vice versa
- Only guaranteed to work with Cisco wireless
clients - Broken ASLEAP by Joshua Wright
- Dictionary attack
29EAP-TLS by Microsoft
- Instead of a username/password scheme, EAP-TLS
uses certificate based authentication - Two way authentication
- Uses TLS (Transport Layer Security) to pass the
PKI (Public Key Infrastructure) information to
RADIUS server - Compatible with many OSs
- Harder to implement and deploy because PKI for
clients are also required
30PEAP by Microsoft and Cisco
- A more elegant solution!
- Very similar to EAP-TLS except that the client
does not have to authenticate itself with the
server using a certificate, instead it can use a
login/password based scheme - Much easier to setup, does not necessarily
require a PKI - Currently works natively with Windows XP SP1, and
OSX. 802.1x supplicant exists for linux
31WPA (Wi-Fi Protected Access)
- Improved Confidentiality
- Fix flawed encryption mechanism
- Per session/packet dynamic key mechanism
- Improved Integrity
- Does not require authentication server
- Upgradeability
- Software / Firmware Upgrade
32WPA Mechanism
- Confirmation of association capability
- Authentication by 802.1x or PSK
- 4-way Handshake
- Derivation of PTK and GTK
- Encryption using TKIP
Very Different from WEP which took care of
everything
33Association and Capability Check
34802.1x Authentication (recap)
354 Way Handshake and PTK
364 Way Handshake and PTK
- PTK (512bits) splits in 4 ways
- Part of PTK is used to generate the encryption
key (WEP equivalent) in the next phase - PTK requires a PMK, 2 nonces, and MAC addresses
37PMK ? PTK ? Actual Keys
38Group Key
39TKIP (Temporal Key Integrity Protocol)
- The heart of WPA encryption mechanism
- Expands IV space (24 ? 48bits)
- IV sequence is specified
- Generate a key which conforms to WEP
- Michael
- Very cheap integrity checker for MAC addresses
and DATA
40Per-packet mixing function
41WPA-PSK
- For home / SOHO use
- Removes 802.1x authentication
- Pre-shared Key TKIP
- Weak against passive dictionary attack
- Attacks exist - WPA Cracker
- Still MUCH better than WEP
42WPA Security Insight
- No effective attacks found on WPA 802.1x
- WPA-PSK should be used with care
43WPA2 - 802.11i
- The long-awaited security standard for wireless,
ratified in June 2004 - Better encryption AES-CCMP
- Some New Features
- PMK caching (optional)
- Pre-authentication (optional)
- Hardware manufactured before 2002 is likely to be
unsupported
44CCMP
- Counter-mode CBC-MAC Protocol
- Use AES in Counter Mode
- Calculate CBC-MAC using AES
- Encryption and Integrity Check is done
concurrently
45 PMK Key-Caching
- Skips re-entering of the user credential by
storing the host information on the network
- Allows client to become authenticated with an AP
before moving to it - Useful in encrypted VoIP over Wi-Fi
- ? Fast Roaming
46Conclusion
- WEP Dead Meat
- WPA-PSK Potentially Insecure
- WPA 802.1x (Secure EAP) Secure
- WPA2-PSK Potentially Insecure
- WPA2 802.1x Very Secure
47Suggested Practice
- Hide SSID
- Do NOT use WEP
- Use WPA-PSK with a good pass-phrase
- or Use WPA with 802.1x if possible
- Get WPA2 certified product for your next purchase
48tinyPEAP (1)
- A self contained PEAP enabled RADIUS server
- Currently available in Linksys WRT54G/GS router
and Win32 binary - Native Windows XP SP1 support
- Web-based user management
- The easiest and the most secure solution
available in consumer level
49tinyPEAP (2)
50tinyPEAP (3)
51Survey (2)
- Ready to reconfigure your wireless network?
52Questions?
53Links to the tools used
- Airsnorthttp//airsnort.shmoo.com
- Netstumblerhttp//www.netstumbler.com
- Etherealhttp//www.ethereal.com
- tinyPEAP
- http//www.tinypeap.com
54Papers and Wireless Security Web Pages
- Weaknesses in the Key Scheduling Algorithm of RC4
- The Unofficial 802.11 Security Web Page
- Wireless Security Blackpaper
- The IEEE 802.11 specifications (includes WEP
spec) - Paper on detecting Netstumbler and similar
programs - Further reading on upcoming 802.11 variations
- Assorted 802.11 related crypto algorithms written
in ANSI C
55An exercise in wireless insecurity
- Tools used
- Laptop w/ 802.11a/b/g card
- GPS
- Netstumbler
- Aircrack (or any WEP cracking tool)
- Ethereal
- the car of your choice
56Step1 Find networks to attack
- An attacker would first use Netstumbler to drive
around and map out active wireless networks - Using Netstumbler, the attacker locates a strong
signal on the target WLAN - Netstumbler not only has the ability to monitor
all active networks in the area, but it also
integrates with a GPS to map APs
57WarDriving
58Step 2 Choose the network to attack
- At this point, the attacker has chosen his target
- Netstumbler or Kismet can tell you whether or not
the network is encrypted - This time.
- Your target is GTwireless
59Step3 Analyzing the Network
- WLAN has no broadcasted SSID
- Netstubmler tells me that SSID is GTwireless
- Multiple access points
- Open authentication method
- WLAN is encrypted with 40bit WEP
- WLAN is not using 802.1X
60Step4 Cracking the WEP key
- Attacker sets NIC drivers to Monitor Mode
- Begins capturing packets with Airodump
- Airodump quickly lists the available network with
SSID and starts capturing packets. - After a few hours of airodump session, launch
aircrack to start cracking! - WEP key for GTwireless is now revealed!
61Step5 Sniffing the network
- Once the WEP key is cracked and the NIC is
configured appropriately, the attacker is
assigned an IP, and can access the WLAN - However, a secure proxy with an SSL enabled web
based login prevents access to the rest of
network and the Internet - Attacker begins listening to traffic with
Ethereal
62Step6 Sniffing continued
- Sniffing a WLAN is very fruitful because everyone
on the WLAN is a peer, therefore you can sniff
every wireless client - Listening to connections with plain text
protocols (in this case FTP, POP, Telnet) to
servers on the wired LAN yielded 2 usable logins
within 1.5hrs -
63Thats itthe network is compromised
- As long as WEP is in place, such attack is always
possible - Sadly, many are less secure
- How about yours?