Wireless Security - PowerPoint PPT Presentation

1 / 63
About This Presentation
Title:

Wireless Security

Description:

Understand the truth in Wireless Security. WEP is insecure ... Ethereal. http://www.ethereal.com. tinyPEAP. http://www.tinypeap.com ... – PowerPoint PPT presentation

Number of Views:735
Avg rating:3.0/5.0
Slides: 64
Provided by: int3
Category:

less

Transcript and Presenter's Notes

Title: Wireless Security


1
Wireless Security
  • 802.11 With a focus on Security
  • by Brian Lee
  • Takehiro Takahashi

2
Outline
  • Wireless Technology Overview
  • Architecture
  • Features
  • Wireless Security Overview
  • Built-in security features in 802.11
  • WEP insecurity
  • 802.1x
  • WPA
  • WPA2 - 802.11i

3
GOAL
  • Understand the truth in Wireless Security
  • WEP is insecure
  • But we CAN make a wireless network secure

4
802.11 Basics
  • Infrastructure Mode or Ad Hoc
  • 802.11 a/b/g/n Physical Layer Spec
  • 11Mbps or 54Mbps
  • feels slower.? (effective speed 50)
  • 802.11i Security Spec
  • 802.11 Security Layer 2 Security

5
802.11 Built-in Features
  • 802.11 frame types
  • Association Request/Response Frame
  • Beacon Frame
  • RTS/CTS Frame
  • Shared/Open Authentication
  • WEP
  • Integrity
  • Confidentiality
  • Authentication (Shared Auth)

6
SSID
  • Network identifier
  • SSID is broadcasted in a beacon frame
  • Clear Text!
  • Change it from the default
  • Cisco tsunami
  • Linksys linksys
  • Netgear netgear
  • Stop broadcasting!

7
MAC Address Filtering
  • White-list approach
  • Problems
  • Does not scale
  • Frame headers are never encrypted
  • Bottom line..
  • Prevents casual hacking..
  • Quite useless

8
Authentication (1)
  • 2 ways of initiating communication
  • Shared Key
  • Open Key authentication
  • Open Key Auth No authentication
  • Shared Key Auth requires WEP
  • Bottom Line
  • Open Key Auth gtgtgt Shared Key Auth

9
Authentication (2) Shared Auth
  • This is bad.. reveals the WEP key

10
WEP (Wired Equivalent Protocol)
  • Confidentiality
  • Integrity
  • Authentication (Shared Auth)
  • RC4 Stream Cipher Encryption CRC32
  • Broken!

11
WEP Encryption
12
64/40 and 128/104 bits confusion
  • IV (24bits)
  • Your WEP key
  • 5-ASCII char word 6-hex num 40bits
  • 13-ASCII char word 26-hex num 104bits
  • Security-wise, its really 40bits or 104bits

13
Problems with WEP
  • 1 Static Key
  • No encryption is strong if one key is used
    forever
  • Key length is short (40bits)
  • Brute forcing is possible
  • 104bits version exists
  • Using CRC32
  • CRC is a hash function used to produce a checksum
  • Improper use of RC4
  • IV space is too small (24bits)
  • No protection against replay attack
  • No specification on key distribution
  • Lacks scalability

14
CRC32 and WEP
  • CRC32 doesnt have the cryptographic strength
    seen in MD5 or SHA1
  • Bit-flipping is possible
  • Change the data, and WEP wont catch it

15
RC4 and WEP (1)
  • RC4 Rivests Cipher 4
  • Stream Cipher
  • What is a requirement for a stream cipher?
  • Avoid key sequence collision at any cost
  • M1 XOR RC4-Key XOR M2 XOR RC4-Key
     M1 XOR M2
  • With WEP, key sequences are repeated every 16
    million packets (2 24)
  • Key sequence collision doesnt reveal the WEP key!

16
RC4 and WEP (2)
  • Weak IVs reveal the WEP key
  • 5 chance of guessing the portion of the seed
    (WEP key) correctly
  • FMS attack
  • 2M packets to decrypt 40bit WEP key
  • The time needed is a linear function to the key
    length
  • 104bit key is just as useless as 40bits key

17
Replay Attacks
  • Reinjection of the captured packets are possible
  • IV usage is not specified
  • KoreK ChopChop attack to decipher a packet
    without knowing the WEP key

18
Countermeasures.
  • So weve seen the attacks, but WEP is widely
    deployed and supported by any wireless device.
  • Can we do anything smart with it?
  • Lets swap WEP keys every 10 minutes!
  • well

19
Effective WEP cracking
  • KoreK Chopper Attack (Aug. 2004)
  • Another statistical analysis based attack on WEP
    key
  • Extension to FMS attack to require unique IVs
  • Possible with as little as 0.1M IVs (packets)
  • Traditional method requires more than 2M packets
  • Accelerate it with packet injection KoreK
    ChopChop
  • A 40-bit WEP can be cracked in 10 Minutes
  • Fast swapping of WEP key is no longer safe

20
Conclusion WEP
  • Confidentiality
  • FMS attack
  • KoreK attack
  • Integrity
  • Bit-flipping attack
  • Authentication
  • Insecure Shared Auth?
  • Attacks can be completely passive
  • NO MORE WEP

21
Finally. we have solutions!
  • 802.1x (Authentication)
  • per-user authentication
  • Key distribution mechanism
  • WPA (Confidentiality, Integrity)
  • Subset of 802.11i
  • 2 forms
  • 802.1x Auth TKIP (Enterprise mode)
  • Pre-shared Key TKIP
  • WPA2 802.11i
  • WPA2 is the implementation of 802.11i
  • Uses AES-CCMP

22
802.1x (Authentication)
23
802.1X
  • 802.1X is a port-based, layer 2 authentication
    framework
  • Not limited wireless networks
  • Uses EAP for implementation
  • End-result
  • A seed for a WEP key in WEP
  • A seed for an encryption key used in WPA/WPA2
  • 802.1X is not an alternative to WEP

24
802.1x authentication
25
Extensible Authentication Protocol (EAP)
  • Authentication Framework
  • runs on the different layer than 802.1x
  • Very flexible
  • RADIUS is de-facto
  • a server for remote user authentication and
    accounting

26
Implementations
  • EAP methods adopted in WPA/WPA2
  • EAP-MD5
  • EAP-LEAP
  • EAP-TLS
  • EAP-TTLS
  • PEAP

27
EAP-MD5
  • EAP-MD5 is a simple EAP implementation
  • Uses and MD5 hash of a username and password that
    is sent to the RADIUS server
  • Authenticates only one way
  • Man in the middle attack
  • Bottom line Not recommended

28
LEAP (EAP-Cisco)
  • Like EAP-MD5, it uses a Login/Password scheme
    that it sends to the RADIUS server
  • Each user gets a dynamically generated one time
    key upon login
  • Authenticates client to AP and vice versa
  • Only guaranteed to work with Cisco wireless
    clients
  • Broken ASLEAP by Joshua Wright
  • Dictionary attack

29
EAP-TLS by Microsoft
  • Instead of a username/password scheme, EAP-TLS
    uses certificate based authentication
  • Two way authentication
  • Uses TLS (Transport Layer Security) to pass the
    PKI (Public Key Infrastructure) information to
    RADIUS server
  • Compatible with many OSs
  • Harder to implement and deploy because PKI for
    clients are also required

30
PEAP by Microsoft and Cisco
  • A more elegant solution!
  • Very similar to EAP-TLS except that the client
    does not have to authenticate itself with the
    server using a certificate, instead it can use a
    login/password based scheme
  • Much easier to setup, does not necessarily
    require a PKI
  • Currently works natively with Windows XP SP1, and
    OSX. 802.1x supplicant exists for linux

31
WPA (Wi-Fi Protected Access)
  • Improved Confidentiality
  • Fix flawed encryption mechanism
  • Per session/packet dynamic key mechanism
  • Improved Integrity
  • Does not require authentication server
  • Upgradeability
  • Software / Firmware Upgrade

32
WPA Mechanism
  • Confirmation of association capability
  • Authentication by 802.1x or PSK
  • 4-way Handshake
  • Derivation of PTK and GTK
  • Encryption using TKIP

Very Different from WEP which took care of
everything
33
Association and Capability Check
34
802.1x Authentication (recap)
35
4 Way Handshake and PTK
36
4 Way Handshake and PTK
  • PTK (512bits) splits in 4 ways
  • Part of PTK is used to generate the encryption
    key (WEP equivalent) in the next phase
  • PTK requires a PMK, 2 nonces, and MAC addresses

37
PMK ? PTK ? Actual Keys
38
Group Key
39
TKIP (Temporal Key Integrity Protocol)
  • The heart of WPA encryption mechanism
  • Expands IV space (24 ? 48bits)
  • IV sequence is specified
  • Generate a key which conforms to WEP
  • Michael
  • Very cheap integrity checker for MAC addresses
    and DATA

40
Per-packet mixing function
41
WPA-PSK
  • For home / SOHO use
  • Removes 802.1x authentication
  • Pre-shared Key TKIP
  • Weak against passive dictionary attack
  • Attacks exist - WPA Cracker
  • Still MUCH better than WEP

42
WPA Security Insight
  • No effective attacks found on WPA 802.1x
  • WPA-PSK should be used with care

43
WPA2 - 802.11i
  • The long-awaited security standard for wireless,
    ratified in June 2004
  • Better encryption AES-CCMP
  • Some New Features
  • PMK caching (optional)
  • Pre-authentication (optional)
  • Hardware manufactured before 2002 is likely to be
    unsupported

44
CCMP
  • Counter-mode CBC-MAC Protocol
  • Use AES in Counter Mode
  • Calculate CBC-MAC using AES
  • Encryption and Integrity Check is done
    concurrently

45
PMK Key-Caching
  • Skips re-entering of the user credential by
    storing the host information on the network
  • Allows client to become authenticated with an AP
    before moving to it
  • Useful in encrypted VoIP over Wi-Fi
  • ? Fast Roaming

46
Conclusion
  • WEP Dead Meat
  • WPA-PSK Potentially Insecure
  • WPA 802.1x (Secure EAP) Secure
  • WPA2-PSK Potentially Insecure
  • WPA2 802.1x Very Secure

47
Suggested Practice
  • Hide SSID
  • Do NOT use WEP
  • Use WPA-PSK with a good pass-phrase
  • or Use WPA with 802.1x if possible
  • Get WPA2 certified product for your next purchase

48
tinyPEAP (1)
  • A self contained PEAP enabled RADIUS server
  • Currently available in Linksys WRT54G/GS router
    and Win32 binary
  • Native Windows XP SP1 support
  • Web-based user management
  • The easiest and the most secure solution
    available in consumer level

49
tinyPEAP (2)
50
tinyPEAP (3)
51
Survey (2)
  • Ready to reconfigure your wireless network?

52
Questions?
53
Links to the tools used
  • Airsnorthttp//airsnort.shmoo.com
  • Netstumblerhttp//www.netstumbler.com
  • Etherealhttp//www.ethereal.com
  • tinyPEAP
  • http//www.tinypeap.com

54
Papers and Wireless Security Web Pages
  • Weaknesses in the Key Scheduling Algorithm of RC4
  • The Unofficial 802.11 Security Web Page
  • Wireless Security Blackpaper
  • The IEEE 802.11 specifications (includes WEP
    spec)
  • Paper on detecting Netstumbler and similar
    programs
  • Further reading on upcoming 802.11 variations
  • Assorted 802.11 related crypto algorithms written
    in ANSI C

55
An exercise in wireless insecurity
  • Tools used
  • Laptop w/ 802.11a/b/g card
  • GPS
  • Netstumbler
  • Aircrack (or any WEP cracking tool)
  • Ethereal
  • the car of your choice

56
Step1 Find networks to attack
  • An attacker would first use Netstumbler to drive
    around and map out active wireless networks
  • Using Netstumbler, the attacker locates a strong
    signal on the target WLAN
  • Netstumbler not only has the ability to monitor
    all active networks in the area, but it also
    integrates with a GPS to map APs

57
WarDriving
58
Step 2 Choose the network to attack
  • At this point, the attacker has chosen his target
  • Netstumbler or Kismet can tell you whether or not
    the network is encrypted
  • This time.
  • Your target is GTwireless

59
Step3 Analyzing the Network
  • WLAN has no broadcasted SSID
  • Netstubmler tells me that SSID is GTwireless
  • Multiple access points
  • Open authentication method
  • WLAN is encrypted with 40bit WEP
  • WLAN is not using 802.1X

60
Step4 Cracking the WEP key
  • Attacker sets NIC drivers to Monitor Mode
  • Begins capturing packets with Airodump
  • Airodump quickly lists the available network with
    SSID and starts capturing packets.
  • After a few hours of airodump session, launch
    aircrack to start cracking!
  • WEP key for GTwireless is now revealed!

61
Step5 Sniffing the network
  • Once the WEP key is cracked and the NIC is
    configured appropriately, the attacker is
    assigned an IP, and can access the WLAN
  • However, a secure proxy with an SSL enabled web
    based login prevents access to the rest of
    network and the Internet
  • Attacker begins listening to traffic with
    Ethereal

62
Step6 Sniffing continued
  • Sniffing a WLAN is very fruitful because everyone
    on the WLAN is a peer, therefore you can sniff
    every wireless client
  • Listening to connections with plain text
    protocols (in this case FTP, POP, Telnet) to
    servers on the wired LAN yielded 2 usable logins
    within 1.5hrs

63
Thats itthe network is compromised
  • As long as WEP is in place, such attack is always
    possible
  • Sadly, many are less secure
  • How about yours?
Write a Comment
User Comments (0)
About PowerShow.com