Wireless Security

1
Wireless Security

• 802.11 With a focus on Security
• by Brian Lee
• Takehiro Takahashi

2
Outline

• Wireless Technology Overview
• Architecture
• Features
• Wireless Security Overview
• Built-in security features in 802.11
• WEP insecurity
• 802.1x
• WPA
• WPA2 - 802.11i

3
GOAL

• Understand the truth in Wireless Security
• WEP is insecure
• But we CAN make a wireless network secure

4
802.11 Basics

• Infrastructure Mode or Ad Hoc
• 802.11 a/b/g/n Physical Layer Spec
• 11Mbps or 54Mbps (for a/b/g)
• feels slower.? (effective speed 50)
• 802.11i Security Spec
• 802.11 k/r
• 802.11 Security Layer 2 Security

5
802.11 Built-in Features

• 802.11 frame types
• Association Request/Response Frame
• Beacon Frame
• RTS/CTS Frame
• Shared/Open Authentication
• WEP
• Integrity
• Confidentiality
• Authentication (Shared Auth)

6
SSID

• Network identifier
• SSID is broadcasted in a beacon frame
• Clear Text!
• Change it from the default
• Cisco tsunami
• Linksys linksys
• Netgear netgear
• Stop broadcasting!

7
MAC Address Filtering

• White/Black-list approach
• Problems
• MAC addresses are easy to change
• Frame headers are never encrypted
• Does not scale
• Bottom line..
• Prevents casual hacking..
• Quite useless

8
Authentication (1)

• 2 ways of initiating communication
• Shared Key
• Open Key authentication
• Open Key Auth No authentication
• Shared Key Auth requires WEP
• However

9
Authentication (2) Shared Auth

• Shared-Auth is a simple challenge-response
  protocol ? Susceptible to offline dictionary
  attacks

10
WEP (Wired Equivalent Protocol)

• Confidentiality
• Integrity
• Authentication (Shared Auth)
• RC4 Stream Cipher Encryption CRC32
• Broken!

11
WEP Encryption
12
64/40 and 128/104 bits confusion

• IV (24bits)
• Your WEP key
• 5-ASCII char word 10-hex num 40bits
• 13-ASCII char word 26-hex num 104bits
• Security-wise, its really 40bits or 104bits

13
Problems with WEP

• 1 Static Key
• No encryption is strong if one key is used
  forever
• Key length is short (40bits)
• Brute forcing is possible
• 104bits version exists
• Using CRC32
• CRC doesnt have the cryptographic strength seen
  in MD5 or SHA1
• Improper use of RC4
• IV space is too small (24bits)
• No protection against replay attack
• No specification on key distribution
• Lacks scalability

14
CRC32 and WEP

• CRC32 doesnt have the cryptographic strength
  seen in MD5 or SHA1
• It aims to discover/recover random communication
  errors
• Bit-flipping is possible
• CRC(M XOR delta) CRC(M) XOR CRC(delta)
• Change the data, and WEP wont catch it

15
Replay Attacks

• Reinjection of the captured packets are possible
• IV usage is not specified

16
RC4 and WEP (1)

• RC4 Rivests Cipher 4
• Stream Cipher
• What is a requirement for a stream cipher?
• Avoid keystream collision at any cost
• M1 XOR RC4-Key XOR M2 XOR RC4-Key
   M1 XOR M2
• With WEP, key sequences are repeated every 16
  million packets (2 24)
• Key sequence collision doesnt reveal the WEP key!

17
RC4 and WEP (2)

• Weak IVs
• IV 3B, 255, XX
• 5 chance of guessing the WEP key correctly
• 60 weak IVs 50 chance of guessing the WEP key
• FMS attack (Fluhrer, Mantin, Shamir)
• 2M packets to decrypt 40bit WEP key
• The time needed is a linear function to the key
  length
• 104bit key is just as useless as 40bits key

18
A Countermeasure.

• So WEP keys are bad but they are widely deployed
  and supported by any wireless device.
• Can we do anything smart with it?
• Lets swap WEP keys every 30 minutes!
• well

19
Better WEP cracking exists

• KoreK Chopper Attack (Aug. 2004)
• Another statistical analysis based attack on WEP
  key
• Extension to FMS attack to require unique IVs
• Possible with as little as 0.1M IVs (packets)
• Traditional method requires more than 2M packets
• Accelerate it with packet injection KoreK
  ChopChop
• A 40-bit WEP can be cracked in 10 Minutes
• Fast swapping of WEP key is no longer safe

20
Conclusion WEP

• Confidentiality
• FMS attack
• KoreK attack
• Integrity
• Bit-flipping attack
• Authentication
• Insecure Shared Auth?
• Attacks can be completely passive
• NO MORE WEP

21
Finally. we have solutions!

• 802.1x (Authentication)
• per-user authentication
• Key distribution mechanism
• WPA (Confidentiality, Integrity)
• Subset of 802.11i
• 2 forms
• 802.1x Auth TKIP (Enterprise mode)
• Pre-shared Key TKIP
• WPA2 802.11i
• WPA2 is the implementation of 802.11i
• Uses AES-CCMP

22
802.1x (Authentication)
23
802.1X

• 802.1X is a port-based, layer 2 authentication
  framework
• Not limited wireless networks
• Uses EAP for implementation
• End-result
• A seed for a WEP key in WEP
• A seed for an encryption key used in WPA/WPA2
• 802.1X is not an alternative to WEP

24
802.1x authentication
25
Extensible Authentication Protocol (EAP)

• Authentication Framework
• runs on the different layer than 802.1x
• Very flexible
• RADIUS is de-facto
• a server for remote user authentication and
  accounting

26
Implementations

• EAP methods adopted in 802.1x
• EAP-MD5
• EAP-LEAP
• EAP-TLS
• EAP-TTLS
• PEAP

27
EAP-MD5

• EAP-MD5 is a simple EAP implementation
• Uses and MD5 hash of a username and password that
  is sent to the RADIUS server
• Authenticates only one way
• Man in the middle attack
• Not recommended

28
LEAP (EAP-Cisco)

• Like EAP-MD5, it uses a Login/Password scheme
  that it sends to the RADIUS server
• Each user gets a dynamically generated one time
  key upon login
• Mutual authentication
• Only guaranteed to work with Cisco wireless
  clients
• Broken ASLEAP by Joshua Wright
• De-authenticate users
• Captures re-authentication transaction
• Dictionary attack
• Replaced by EAP-FAST

29
EAP-TLS by Microsoft

• Instead of a username/password scheme, EAP-TLS
  uses certificate based authentication
• Two way authentication
• Uses TLS (Transport Layer Security) to pass the
  PKI (Public Key Infrastructure) information to
  RADIUS server
• Compatible with many OSs
• Harder to implement and deploy because PKI for
  clients are also required

30
PEAP by Microsoft and Cisco

• A more elegant solution!
• Very similar to EAP-TLS except that the client
  does not have to authenticate itself with the
  server using a certificate, instead it can use a
  login/password based scheme
• Much easier to setup, does not necessarily
  require a PKI
• Currently works natively with Windows XP SP1, and
  OSX. 802.1x supplicant exists for linux

31
WPA (Wi-Fi Protected Access)

• Improved Confidentiality
• Fix flawed encryption mechanism
• Per session/packet dynamic key mechanism
• Improved Integrity
• Does not require authentication server
• Upgradeability
• Software / Firmware Upgrade

32
WPA/WPA2 Mechanism

• Confirmation of association capability
• Authentication by 802.1x or PSK
• 4-way Handshake
• Derivation of PTK and GTK
• Encryption using TKIP/AES-CCMP

Very Different from WEP which took care of
everything
33
Association and Capability Check
34
802.1x Authentication (recap)
35
4 Way Handshake and PTK
36
4 Way Handshake and PTK

• PTK (512bits) splits in 4 ways
• Part of PTK is used to generate the encryption
  key (WEP equivalent) in the next phase
• PTK requires a PMK, 2 nonces, and MAC addresses

37
PMK ? PTK ? Actual Keys
38
Group Key
39
TKIP (Temporal Key Integrity Protocol)

• The heart of WPA encryption mechanism
• Expands IV space (24 ? 48bits)
• IV sequence is specified
• Generate a key which conforms to WEP
• Michael
• Very cheap integrity checker for MAC addresses
  and DATA

40
Per-packet mixing function
41
WPA-PSK

• For home / SOHO use
• Removes 802.1x authentication
• Pre-shared Key TKIP
• Weak against passive dictionary attack
• Attacks exist - WPA Cracker
• Still MUCH better than WEP

42
WPA Security Insight

• No effective attacks found on WPA 802.1x
• WPA-PSK should be used with care

43
WPA2 - 802.11i

• The long-awaited security standard for wireless,
  ratified in June 2004
• Better encryption AES-CCMP
• Some New Features
• PMK caching (optional)
• Pre-authentication (optional)
• Hardware manufactured before 2002 is likely to be
  unsupported

44
CCMP

• Counter-mode CBC-MAC Protocol
• Use AES in Counter Mode
• Calculate CBC-MAC using AES
• Encryption and Integrity Check is done
  concurrently

45
PMK Key-Caching

• Skips re-entering of the user credential by
  storing the host information on the network

• Allows client to become authenticated with an AP
  before moving to it
• Useful in encrypted VoIP over Wi-Fi
• ? Fast Roaming

46
Existing Problems.

• Denial of Service
• Flooding with de-authentication frames
• 802.11w
• WEP is still dominant in 802.11 security

47
Conclusion

• WEP Dead Meat
• WPA-PSK Potentially Insecure
• WPA 802.1x (Secure EAP) Secure
• WPA2-PSK Potentially Insecure
• WPA2 802.1x Very Secure

48
Suggested Practice

• Hide SSID
• Do NOT use WEP
• Use WPA-PSK with a good pass-phrase
• or Use WPA with 802.1x if possible
• Get WPA2 certified product for your next purchase

49
tinyPEAP (1)

• A self contained PEAP enabled RADIUS server
• Currently available in Linksys WRT54G/GS router
  and Win32 binary
• Native Windows XP SP1 support
• Web-based user management
• The easiest and the most secure solution
  available in consumer level

50
tinyPEAP (2)
51
tinyPEAP (3)
52
Survey

• Ready to reconfigure your wireless network?

53
Questions?
54
Links to the tools used

• Airsnorthttp//airsnort.shmoo.com
• Netstumblerhttp//www.netstumbler.com
• Etherealhttp//www.ethereal.com
• tinyPEAP
• http//www.tinypeap.org

55
Papers and Wireless Security Web Pages

• Weaknesses in the Key Scheduling Algorithm of RC4
  
• The Unofficial 802.11 Security Web Page
• Wireless Security Blackpaper
• The IEEE 802.11 specifications (includes WEP
  spec)
• Paper on detecting Netstumbler and similar
  programs
• Further reading on upcoming 802.11 variations
• Assorted 802.11 related crypto algorithms written
  in ANSI C

56
An exercise in wireless insecurity

• Tools used
• Laptop w/ 802.11a/b/g card
• GPS
• Netstumbler
• Aircrack (or any WEP cracking tool)
• Ethereal
• the car of your choice

57
Step1 Find networks to attack

• An attacker would first use Netstumbler to drive
  around and map out active wireless networks
• Using Netstumbler, the attacker locates a strong
  signal on the target WLAN
• Netstumbler not only has the ability to monitor
  all active networks in the area, but it also
  integrates with a GPS to map APs

58
WarDriving
59
Step 2 Choose the network to attack

• At this point, the attacker has chosen his target
• Netstumbler or Kismet can tell you whether or not
  the network is encrypted
• This time.
• Your target is GTwireless

60
Step3 Analyzing the Network

• WLAN has no broadcasted SSID
• Netstubmler tells me that SSID is GTwireless
• Multiple access points
• Open authentication method
• WLAN is encrypted with 40bit WEP
• WLAN is not using 802.1X

61
Step4 Cracking the WEP key

• Attacker sets NIC drivers to Monitor Mode
• Begins capturing packets with Airodump
• Airodump quickly lists the available network with
  SSID and starts capturing packets.
• After a few hours of airodump session, launch
  aircrack to start cracking!
• WEP key for GTwireless is now revealed!

62
Step5 Sniffing the network

• Once the WEP key is cracked and the NIC is
  configured appropriately, the attacker is
  assigned an IP, and can access the WLAN
• However, a secure proxy with an SSL enabled web
  based login prevents access to the rest of
  network and the Internet
• Attacker begins listening to traffic with
  Ethereal until someone starts using FTP or Telnet

63
Step6 Sniffing continued

• Sniffing a WLAN is very fruitful because everyone
  on the WLAN is a peer, therefore you can sniff
  every wireless client
• Listening to connections with plain text
  protocols (in this case FTP, POP, Telnet) to
  servers on the wired LAN yielded 2 usable logins
  within 1.5hrs

64
Thats itthe network is compromised

• As long as WEP is in place, such attack is always
  possible
• Sadly, many are less secure
• How about yours?