WLAN Security - PowerPoint PPT Presentation

Slides: 21
Provided by: anttimi

Transcript and Presenter's Notes

1
WLAN Security
  • Antti Miettinen
  • (modified by JJ)

2
What is WLAN?
  • A wireless data communication system implemented
    as an extension to, or alternative for, a wired
    local area network.
  • Operates in the uncontrolled ISM (Industrial,
    Scientific and Medical) band

3
What is WLAN? (cont.)
  • Standards by IEEE for 802.11
    • 802.11: First standard, up to 2 Mbps at 2.4 GHz
    • 802.11a: Accepted standard, up to 54 Mbps at 5 GHz
    • 802.11b: Accepted standard, up to 11 Mbps at 2.4 GHz
    • 802.11d: MAC Enhancements for wider use of 802.11

4
What is WLAN? (cont.)
  • Standards by IEEE for 802.11 (cont.)
    • 802.11e: MAC Enhancements for Quality of Service
    • 802.11f: Recommended Practice for Inter Access
      Point Protocol Roaming hand over
    • 802.11g: Accepted standard, up to 54 Mbps at 2.4 GHz
    • 802.11i: Improved WEP and EAP (802.1X)

5
What is WLAN? (cont.)
  • Standards by ETSI
    • HiperLAN/1: 23,5 Mbps at 5 GHz
      • Published 1999
    • HiperLAN/2: 54 Mbps at 5 GHz (http://www.hiperlan2.com/)
      • Asynchronous data communication
      • Support for QoS (real-time voice, video)
      • Supports Transmit Power Control and Dynamic
        Frequency Selection (required in Europe at 5 GHz)
      • Uses 56 bit to 168 bit key encryption (DES)

6
WLAN structure
  • Two possibilities: either ad-hoc or Access Point

[Figure: an ad-hoc network (IBSS) and an Access Point network (BSS or ESS)]
IBSS: Independent Basic Service Set (ad hoc)
BSS: (Infrastructure) Basic Service Set
ESS: Extended Service Set
AP: Access Point
Fix to http://www.comlab.hut.fi/opetus/423/2002/9

7
802.11 WLAN security features
  • DSSS (Direct Sequence Spread Spectrum)
    • Isn't very secure, although theoretically it
      could be a good security feature. The AP transmits
      the hop sequence in plain.
  • ESSID (Extended Service Set Identifier)
    • By default all stations broadcast the ESSID
    • Can be passively received when a legitimate user
      associates with the Access Point
  • WEP (Wired Equivalent Privacy)
    • Turned off by default
    • Includes flaws (the AirSnort attack collects weak
      initialization vectors)
  • MAC-address controlled authorization to the Access
    Point
    • A MAC address is easy to spoof (command line)

8
WEP
  • Goals
    • Access control: to prevent unauthorized users who
      lack a correct WEP key from gaining access to the
      network.
    • Privacy: to protect wireless LAN data streams by
      encrypting them and allowing decryption only by
      users with the correct WEP keys.
  • Includes security flaws!

9
WEP Authentication
  • Access request by client
  • Challenge text sent to client by AP
  • Challenge text encoded by client using a shared
    secret then sent to AP
  • If the challenge text is encoded properly, the AP
    allows access; otherwise access is denied

10
WEP (cont.)
  • Based on symmetric RC4-encryption algorithm
  • Supports 40-bit and 104-bit encryption
  • All clients and APs in wireless network share
    the same encryption key (weakness)
  • No protocol for encryption key distribution
    (weakness)
  • Initialization Vector (IV) transmitted in the
    clear (weakness)

11
WEP overview
  • A master key k0 (either 40 or 104 bits) is shared
    a priori between two parties wishing to
    communicate.
  • Each 802.11 packet (header + data) is then
    protected by
    • An integrity check field IC = h(header + data)
    • A random initialization vector (IV)
  • The master key and IV are used to generate a
    keystream using RC4 in stream cypher mode
    • k = RC4(k0, IV)
  • The data and IC are then encrypted by this
    keystream
    • Ek(m) = m ⊕ k

12
WEP packet

[Figure: WEP packet. The data and IC are encrypted with the RC4 generated keystream; the IV is random.]
802.11 packet = header + IV + Ek(data + IC)

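
The encapsulation from the WEP overview and WEP packet slides, as an added example (not code from the presentation): it builds IV + Ek(data + IC), verifies the IC on receipt, and shows why a cleartext, repeatable IV is a weakness, since two frames sent under the same IV share one keystream. Assumptions, following 802.11 WEP: h is CRC-32 over the data, and the RC4 seed is the 3-byte IV followed by k0; the key, IVs and payloads are constructed sample values.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # keystream output
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(k0, iv, data):
    """Build IV + Ek(data + IC); the 802.11 header is left out."""
    m = data + zlib.crc32(data).to_bytes(4, "little")   # data + IC
    return iv + xor(m, rc4(iv + k0, len(m)))             # k = RC4(k0, IV)

def wep_decrypt(k0, frame):
    """Recover data from IV + ciphertext; raise if the IC does not match."""
    iv, c = frame[:3], frame[3:]
    m = xor(c, rc4(iv + k0, len(c)))
    data, ic = m[:-4], m[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != ic:
        raise ValueError("integrity check failed")
    return data

def reused_ivs(frames):
    """Return the IVs that occur in more than one captured frame."""
    seen, dup = set(), set()
    for f in frames:
        (dup if f[:3] in seen else seen).add(f[:3])
    return dup

def keystream_cancels(f1, f2, m1, m2):
    """Same IV means same keystream, so c1 XOR c2 equals m1 XOR m2."""
    return xor(f1[3:], f2[3:])[:len(m1)] == xor(m1, m2)

# Constructed sample values (not from the slides).
K0 = bytes.fromhex("0102030405")                # 40-bit master key k0
F1 = wep_encrypt(K0, b"\x00\x00\x01", b"first payload...")
F2 = wep_encrypt(K0, b"\x00\x00\x01", b"second payload..")   # IV repeated
F3 = wep_encrypt(K0, b"\x00\x00\x02", b"third payload...")
```

With a 24-bit IV and one key shared by every station, `reused_ivs` on a busy network eventually returns a non-empty set no matter how the IVs are chosen.
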
13
Possible Attacks
  • War-driving, war-walking etc.
    • Moving around the city and scanning the WLANs
    • Many of the WLANs are without protection!
      • (in about 50% of present WLANs WEP isn't enabled)
    • Usually used to find networks, not to penetrate
      them
  • Monitoring
    • Just listening to the traffic

14
Possible Attacks (cont.)
  • DoS attack
    • Use a high power 2,45 GHz (or 5 GHz) signal generator
      • for instance, a microwave oven
    • Send continuous streams of CTS (clear-to-send)
      frames to a fictitious user
      • Legitimate users won't be able to access the
        medium
    • Send disassociate frames in the name of others
      (MAC-address can be faked)
    • It is possible!
    • Take the Access Point down!

15
Possible Attacks (cont.)
  • Man-in-the-middle attack
    • If WEP is used, the secret key must first be
      solved
    • Set up a fake Access Point
    • No authentication required (from Access Points)
    • Legitimate users change their Access Point to
      yours, if it has better SNR. You can e.g.
      disassociate them from the real Access Point.

16
Why is WLAN still used?
  • It is fast and easy to set up
  • It supports mobility
  • Reduced installation time and costs compared with
    cable
  • Broadband connection, up to 54Mbps

17
WLAN is fast
[Figure: chart comparing the transmission rate (kbit/s) of Fixed LAN; 802.11a, 802.11g and HiperLAN2; 802.11b/WiFi; Bluetooth; UMTS; GPRS; and GSM]
Source: Public Wireless LAN Access: A Threat
to Mobile Operators, Analysys Research, 2001

18
How to check security of your WLAN-network?
  • AirSnort (http://airsnort.shmoo.com/)
    • For Linux and Windows
    • Recovers encryption keys
    • Operates by passively
  • WEPCrack (http://wepcrack.sourceforge.net/)
    • Open source tool for breaking 802.11 WEP secret
      keys
    • For Linux only

19
How to check security of your WLAN-network?
  • Other software
    • Netstumbler (http://www.netstumbler.com/)
      • Only for Windows
    • Dstumbler (http://www.dachb0den.com/projects/dstumbler.html)
      • Only for Linux
    • Kismet (http://www.kismetwireless.net/)
      • Only for Linux

20
WLAN security
  • To Be Continued