Wireless Security

1
Wireless Security

• Rick Anderson
• Pat Demko

2
Wireless Medium

• Open medium
• Broadcast in every direction
• Anyone within range can listen in
• No Privacy
• Weak Authentication

3
802.11

• 802.11 a,b,g
• Standards do not require security
• All use same encryption mechanisms
• Short range, low power environment
• Supported by many devices

4
Common Encryption Methods

• WEP
• Wired Equivalent Privacy
• Ratified in 1999
• Commonly used in home routers, commercial
  applications
• WPA
• Wi-Fi Protected Access
• Tries to improve upon WEP weaknesses
• 802.11i (WPA 2)

5
The Effects of Encryption

• Raises computational time
• Increases power consumed by devices
• Adds additional overhead
• Decreases overall throughput

6
WEP

• Data link level
• Uses a shared Secret Key
• Stream cipher RC4 for confidentiality
• Ensures info is given to only those who are
  authorized
• CRC-32 checksum for integrity
• Ensures the validity of the data transmitted

7
WEP, cont.

• Uses 2 key sizes
• 40 bit
• 104 bit
• Each key has a 24 bit Initialization Vector (IV)
• Random number used to synchronize encryption
• Transmitted in the clear

8
WEP Weaknesses

• Doesnt include a key management protocol
• Relies upon a single shared key
• Shared Key Easily Cracked
• RC4 has a large amount of weak keys
• By knowing a small amount of bits, you can
  determine a large amount of the remaining bits
  easily.
• Passive Attacks to decrypt traffic
• Active Attacks to insert traffic

9
WEP Weaknesses

• Data headers remain unencrypted
• Anyone can see source, dest. address
• Weak integrity check
• Payload can be modified and the CRC can be
  updated without knowing the WEP key.

10
Exploiting WEP

• AirSNORT
• Once 5-10 million packets have been gathered, lt 1
  second to crack
• WEP Crack
• Open source tool to exploit same RC4
  vulnerabilities

11
WPA

• Wi-Fi Protected Access
• Created to patch WEP
• Intended as intermediate security platform
• Between WEP and 802.11i formalization

12
WPA

• Designed to be used with 802.1X authentication
  server
• Distributes different keys to each user
• Can be used without the server in less secure
  pre-shared key mode
• Data encrypted with RC4 with 128 bit key
• 48 bit IV

13
WPA

• Temporal Key Integrity Protocol (TKIP)
• Major improvement over WEP
• Dynamically changes key as system is used
• Combined with larger IV, this defeats well known
  attacks
• Improved payload integrity vs. WEP
• Uses more secure message integrity check (MIC)
  known as Michael

14
WPA

• Message Integrity Check (Michael)
• Includes a frame counter to prevent replay
  attacks
• Fixes problem with undetected modification
  attacks
• The strongest algorithm WPA makers could devise
  that worked with most network cards
• Still subject to attack
• To limit risk, WPA networks shut down whenever an
  attempted attack is detected

15
WPA Weaknesses

• Fundamentally much harder to crack
• Weakness still lies in the key
• Possible to passively intercept initial key
  exchange messages then use an offline dictionary
  attack to find password
• Could allow DoS attacks

16
802.11i

• Also known as WPA 2
• WPA addressed problems with WEP, but still had
  room for improvement
• 802.11i is still being formalized
• Implements new encryption algorithm
• No use of RC4

17
802.11i

• Uses Advanced Encryption Standard algorithm (AES)
• Variable key sizes of 128, 192 and 256 bits
• Much harder to decrypt than WPA or WEP
• Not compatible with todays devices
• Requires new chip sets

18
Other ways to secure a Wireless Network

• MAC filtering
• Easy to spoof a MAC address
• Using another authentication method
• Force users to authenticate using a
  username/password
• VPN tunnel between computer and AP

19

• Weakness in Key Scheduling Algorithm of RC4
  http//www.crypto.com/papers/others/rc4_ksaproc.pd
  f