Wireless Networking Designing and Implementing WLAN Security Module-11 - PowerPoint PPT Presentation

Title: Wireless Networking Designing and Implementing WLAN Security Module-11

Description: ... Administration Official Study Guide, Fourth Edition, Tom Carpenter, Joel Barrett ... Arbaugh, Narendar Shankar, Y.C. Justin Wan, Department of Computer Science ... (PowerPoint PPT presentation)

Slides: 51
Provided by: Jer864
Transcript and Presenter's Notes

1
Wireless Networking: Designing and Implementing
WLAN Security, Module-11
  • Jerry Bernardini
  • Community College of Rhode Island

2
Presentation Reference Material
  • CWNA Certified Wireless Network Administration
    Official Study Guide, Fourth Edition, Tom
    Carpenter, Joel Barrett, Chapter 10, pages 475-525
  • Cisco White Paper: A Comprehensive Review of
    802.11 Wireless LAN Security and the Cisco
    Wireless Security Suite,
    www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm
  • Your 802.11 Wireless Network has No Clothes,
    William A. Arbaugh, Narendar Shankar, Y.C. Justin
    Wan, Department of Computer Science, University
    of Maryland, College Park, Maryland 20742, March
    30, 2001, http://www.cs.umd.edu/waa/wireless.pdf

3
Early IEEE 802.11 Security
  • Referred to as Pre-RSNA Security
  • RSNA: Robust Security Network Association
  • Pre-RSNA Security includes:
  • Open System Authentication
  • Shared Key Authentication
  • Wired Equivalent Privacy
  • This technology has many flaws and should not be
    considered for new systems
  • But we should understand Pre-RSNA to appreciate
    WLAN vulnerabilities

4
Open Authentication
  • Open authentication allows any device network
    access.
  • If no encryption is enabled on the network, any
    device that knows the SSID of the access point
    can gain access to the network.
  • With WEP encryption enabled on an access point,
    the WEP key itself becomes a means of access
    control.

5
802.11 client authentication process
  • 1. Client broadcasts a probe request frame on
    every channel
  • 2. Access points within range respond with a
    probe response frame
  • 3. The client decides which access point (AP) is
    the best for access and sends an authentication
    request
  • 4. The access point will send an authentication
    reply
  • 5. Upon successful authentication, the client
    will send an association request frame to the
    access point
  • 6. The access point will reply with an
    association response
  • 7. The client is now able to pass traffic to the
    access point

6
Open Authentication Vulnerabilities
  • No way for the access point to determine whether
    a client is valid.
  • A major security vulnerability if WEP or better
    encryption is not implemented
  • Cisco does not recommend deploying wireless LANs
    without WEP encryption.
  • When WEP encryption is not needed or is not
    feasible to deploy (such as in public WLAN
    deployments), higher-layer authentication can be
    provided by implementing a Service Selection
    Gateway (SSG).

7
Shared Key Authentication
  1. The client sends an authentication request to the
    access point requesting shared key authentication
  2. The access point responds with an authentication
    response containing challenge text
  3. The client uses its locally configured WEP key to
    encrypt the challenge text and reply with a
    subsequent authentication request
  4. If the access point can decrypt the
    authentication request and retrieve the original
    challenge text, then it responds with an
    authentication response that grants the client
    access

8
Vulnerability of Shared Key Authentication
9
Wired Equivalent Privacy-WEP
  • Wired Equivalent Privacy, a security protocol for
    WLANs defined in the 802.11b standard.
  • A secret key is shared between STAs and an AP
  • The secret key is used to encrypt packets (MSDU)
    before they are transmitted.
  • LANs are inherently more secure than WLANs
  • WLANs are over radio waves and can be intercepted

10
WEP uses RC4
  • It is reasonably strong
  • It is self-synchronizing
  • WEP is self-synchronizing for each message. This
    property is critical for a data-link level
    encryption algorithm, where best effort delivery
    is assumed and packet loss rates may be high.
  • It is efficient
  • The WEP algorithm is efficient and may be
    implemented in either hardware or software.
  • It may be exportable

11
What is RC4
  • RC4 is a stream cipher designed by Ronald L.
    Rivest (MIT Professor) for RSA Data Security (now
    RSA Security).
  • It is a variable key-size stream cipher with
    byte-oriented operations.
  • The algorithm is based on the use of a random
    permutation. Analysis shows that the period of
    the cipher is overwhelmingly likely to be greater
    than 10^100.
  • Eight to sixteen machine operations are required
    per output byte, and the cipher can be expected
    to run very quickly in software.
  • Independent analysts have scrutinized the
    algorithm and it is considered secure.

12
Correct WEP Key Required
  • If a device does not have the correct WEP key,
    even though authentication is successful, the
    device will be unable to transmit data through
    the access point.
  • Neither can it decrypt data sent from the access
    point

13
WEP Encryption Process
Figure: the Initialization Vector (IV) and the Secret Key form the Seed of the Pseudorandom Number Generator (PRNG), which produces the Key Stream; the Plain text is combined with the Key Stream by Exclusive-OR to give the Ciphertext (C1, C2, ...), and the Integrity Algorithm computes the Integrity Check Value (ICV). What is transmitted: the IV in the clear plus the ciphertext.
802.11 recommends an IV change per frame: if the same packet
is transmitted twice, the resulting cipher-text will
be different.
14
Initialization Vector
  • The IV is a 24-bit value that augments a 40-bit WEP
    key to 64 bits and a 104-bit WEP key to 128 bits.
  • The IV is sent in the clear in the frame header
    so the receiving station knows the IV value and
    is able to decrypt the frame
  • Although 40-bit and 104-bit WEP keys are often
    referred to as 64-bit and 128-bit WEP keys, the
    effective key strength is only 40 bits and 104
    bits, respectively, because the IV is sent
    unencrypted.

15
WEP Encryption Process
Data:
1 0 1 1 1 0 0 1 0 1 1 1 0 1 0 1 1 0 0 1 1 1 1 0 1
XOR Key Stream:
1 1 1 1 0 1 1 0 0 1 1 1 1 0 1 0 1 0 1 0 1 1 1 0 1
= Cipher Stream (Transmitted and Received):
0 1 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 1 1 0 0 0 0 0
XOR Key Stream:
1 1 1 1 0 1 1 0 0 1 1 1 1 0 1 0 1 0 1 0 1 1 1 0 1
= Data:
1 0 1 1 1 0 0 1 0 1 1 1 0 1 0 1 1 0 0 1 1 1 1 0 1
16
WEP Encryption Process
The WEP Encrypted Frame Body
Figure: IV field (4 octets) = Init. Vector (3 octets) + 1 octet holding a 6-bit Pad and a 2-bit Key ID; followed by the Data PDU (>1 octet) and the ICV (4 octets). The Data PDU and the ICV are the encrypted part of the body.
17
WEP Keys
  • 802.11b 64-bit shared RC4 Key.
  • 24-bit IV plus a 40-bit Secret Key.
  • 128-bit shared RC4 Key
  • 24-bit IV plus a 104-bit Secret Key.
  • 152-bit shared RC4 Key
  • 24-bit IV plus a 128-bit Secret Key.

Figure: PRNG Seed (64 bits): bits 0-23 hold the IV (24 bits), bits 24-63 hold the Secret Key (40 bits).
18
WEP Weaknesses
  • Key management and key size (40-bit).
  • The IV is too small.
  • A 24-bit IV gives only 16,777,216 different cipher
    streams.
  • The ICV algorithm is not appropriate.
  • Uses CRC-32 when MD5 or SHA-1 would be
    better.
  • Authentication messages can be easily forged.

19
Initialization Vector Replay Attacks
  • 1. A known plain-text message is sent to an
    observable wireless LAN client (an e-mail
    message)
  • 2. The network attacker will sniff the wireless
    LAN looking for the predicted cipher-text
  • 3. The network attacker will find the known frame
    and derive the key stream
  • 4. The network attacker can "grow" the key stream
    using the same IV/WEP key pair as the observed
    frame
  • This attack is based on the knowledge that the IV
    and base WEP key can be reused or replayed
    repeatedly to generate a key stream large enough
    to subvert the network.
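The WEP frame-body construction from the slides above (RC4 keyed by IV + secret key, CRC-32 ICV, the IV and pad/Key ID octets), together with a check for the IV-reuse weakness this slide describes: two frames encrypted under the same IV share a key stream, so the XOR of their ciphertexts equals the XOR of their plaintexts. This is an added illustration, not code from the slides or the cited papers; the key, IV and messages are constructed sample values.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, key_id: int, plaintext: bytes) -> bytes:
    """Return the WEP frame body: IV (3) | pad/KeyID (1) | RC4(data | ICV)."""
    assert len(iv) == 3 and len(secret_key) in (5, 13, 16) and 0 <= key_id <= 3
    seed = iv + secret_key                    # 24-bit IV prepended to the secret key
    ks = rc4_keystream(seed, len(plaintext) + 4)
    key_id_octet = (key_id & 0x03) << 6       # 6 pad bits zero, Key ID in the top 2 bits
    return iv + bytes([key_id_octet]) + xor(plaintext + icv(plaintext), ks)


def wep_decrypt(secret_key: bytes, frame_body: bytes):
    """Decrypt a frame body; returns (data, icv_ok, key_id)."""
    iv, key_id, body = frame_body[:3], frame_body[3] >> 6, frame_body[4:]
    plain = xor(body, rc4_keystream(iv + secret_key, len(body)))
    data, received_icv = plain[:-4], plain[-4:]
    return data, received_icv == icv(data), key_id


def leaked_xor(body_a: bytes, body_b: bytes):
    """Same key + same IV means the same key stream, so C1 ^ C2 == P1 ^ P2 and
    the XOR of the plaintexts is exposed without the key. None if IVs differ."""
    if body_a[:3] != body_b[:3]:
        return None
    return xor(body_a[4:], body_b[4:])


if __name__ == "__main__":
    # Constructed sample values: a 40-bit key and one IV reused for two frames.
    key, iv = bytes([0x01, 0x02, 0x03, 0x04, 0x05]), b"\x0a\x0b\x0c"
    p1, p2 = b"known plain text", b"secret email msg"
    f1, f2 = wep_encrypt(key, iv, 1, p1), wep_encrypt(key, iv, 1, p2)
    print("decrypt:", wep_decrypt(key, f1))
    print("C1^C2 == P1^P2:", leaked_xor(f1, f2)[:len(p1)] == xor(p1, p2))
```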

20
Block Cipher Operation
  • Block ciphers deal with data in defined blocks
  • The block cipher fragments the frame into blocks
    of predetermined size and performs the XOR
    function on each block.
  • Each block must be the predetermined size, and
    leftover frame fragments are padded to the
    appropriate block size

21
Electronic Code Book Encryption
  • The process of encryption described for stream
    ciphers and block ciphers is known as Electronic
    Code Book (ECB) mode encryption.
  • With ECB mode encryption, the same plain-text
    input always generates the same cipher-text
    output.
  • As the figure illustrates, the input text "FOO"
    always produces the same cipher-text.
  • This is a potential security threat because
    eavesdroppers can see patterns in the cipher-text
    and start making educated guesses about what the
    original plain-text is.
  • There are two encryption techniques to overcome
    this issue
  • Initialization vectors
  • Feedback modes

22
Feedback Modes Encryption Process
  • Feedback modes are modifications to the
    encryption process to prevent a plain-text
    message from generating the same cipher-text
    during encryption.
  • Feedback modes are generally used with block
    ciphers, and the most common feedback mode is
    known as cipher block chaining (CBC) mode.
  • The premise behind CBC mode is that a plain-text
    block has the XOR function performed with the
    previous block of cipher-text.
  • Because the first block has no preceding
    cipher-text block, an IV is used to change the
    key stream.

23
"Growing" a Key Stream Attack
  • Once a key stream has been derived for a given
    frame size, it can be "grown" to any size
    required.
  • 1. The network attacker can build a frame one
    byte larger than the known key stream size; an
    Internet Control Message Protocol (ICMP) echo
    frame is ideal because the access point solicits
    a response
  • 2. The network attacker then augments the key
    stream by one byte
  • 3. The additional byte is guessed, because only
    256 values are possible
  • 4. When the network attacker guesses the correct
    value, the expected response is received (in this
    example, the ICMP echo reply message)
  • 5. The process is repeated until the desired key
    stream length is obtained

24
RSNA Security
  • Robust Security Network Association
  • IEEE 802.11. Clause 8 (previously IEEE 802.11i)
  • TKIP and RC4
  • CCMP and AES
  • IEEE 802.1X
  • Preshared Keys
  • Certificates and PACs
  • Four-way Handshake
  • Key Hierarchies
  • Transition Security Network

25
IEEE 802.11, Clause 8
Discusses and defines the following issues
26
Temporal Key Integrity Protocol - TKIP
  • Part of the IEEE 802.11i encryption standard for
    wireless LANs (pronounced tee-kip)
  • TKIP is the next generation of WEP (initially
    called WEP2).
  • Provides per-packet key mixing, a message
    integrity check and a re-keying mechanism, thus
    fixing the flaws of WEP.
  • TKIP Process:
  • Begins with a 128-bit "temporal key" shared among
    clients and access points
  • Combines the temporal key with the client's MAC
    address and then adds a relatively large 16-octet
    initialization vector to produce the key that
    will encrypt the data.
  • This procedure ensures that each station uses
    different key streams to encrypt the data.
  • Older WEP-based devices can be upgraded to TKIP,
    and it is not processor intensive

27
CCMP and AES
  • Counter Mode with Cipher Block Chaining-Message
    Authentication Code (CCMP)
  • CCMP uses Advanced Encryption Standard (AES)
    instead of RC4 algorithm
  • CCMP/AES uses 128-bit encryption, encrypts
    128-bit blocks, and uses an 8-byte integrity check
  • AES is very processor intensive
  • Not upgradable for older devices

28
Advanced Encryption Standard - AES
  • Relatively new U.S. National Institute of
    Standards and Technology (NIST) standard for
    single-key encryption, approved in 2002.
  • 16-byte block cipher based on Rijndael
    (pronounced Rain Doll)
  • Key lengths of 128, 192, and 256 bits
  • Time to brute-force an AES 256-bit key:
    several years.
  • AES encryption is a four-step process

29
AES Four Steps
Figure: the four AES round steps (see http://en.wikipedia.org/wiki/Advanced_Encryption_Standard).
30
802.1X and EAP
  • IEEE's 802.1X Port Based Network Access Control
    standard provides strong authentication and
    network access control for 802.11 networks.
  • Extensible Authentication Protocol (EAP) is
    used to pass authentication information between
    the supplicant and the AS.

Figure: the three 802.1X entities: Supplicant, Authenticator, Authentication Server.
31
802.1X Requires Three Entities
  • The supplicant: resides on the wireless LAN
    client
  • The authenticator: resides on the access point
  • The authentication server: resides on the RADIUS
    server

32
Cisco Wireless Security Suite and 802.1X
  • Authentication framework: the IEEE 802.1X standard
    provides a framework for many authentication
    types and the link layer
  • Extensible Authentication Protocol (EAP) Cisco
    authentication algorithm: the EAP Cisco Wireless
    authentication type, also called Cisco LEAP,
    supports centralized, user-based authentication
    with the ability to generate dynamic WEP keys
  • Temporal Key Integrity Protocol (TKIP): Cisco has
    implemented two components to augment WEP
    encryption
  • Message Integrity Check (MIC): the MIC function
    provides effective frame authenticity to mitigate
    man-in-the-middle vulnerabilities
  • Per-Packet Keying: per-packet keying provides
    every frame with a new and unique WEP key that
    mitigates WEP key derivation attacks
  • Broadcast Key Rotation: dynamic key rotation

33
Four-Way Handshake
  • Used to establish temporary transient keys with
    AP
  • Four-packet exchange
  • Nonce: number used once
  • Supplicant nonce (SNonce)
  • Authenticator nonce (ANonce)
  • Message Integrity Check (MIC)

34
IPsec VPN (Secure Your Wireless with IPsec, by Dan
Langille, 10/21/2004)
  • IPsec is short for IP security
  • It is a set of protocols for securely exchanging
    packets at the IP layer.
  • VPNs frequently use it; we can use the same
    approach to secure our wireless network.
  • It uses shared secrets to encrypt data.
  • It uses security policies to decide what types of
    traffic to encrypt between which hosts.
  • IPsec can create a point-to-point tunnel between
    two hosts.
  • IPsec cannot exist on its own: you need to have
    IPsec at both ends
  • IPsec uses a database to decide how to treat
    traffic.
  • The two main types of rules are policy and
    association.
  • The Security Policy Database (SPD) determines what
    traffic IPsec should handle.
  • The Security Association Database (SAD) specifies
    how to encrypt that traffic.

35
Wireless VPNs
  • Virtual Private Networks, or VPNs, use publicly
    accessible or wireless network infrastructures
    combined with private connections to securely
    exchange private applications and data.
  • All VPN systems use encryption and other
    security mechanisms to ensure that only
    authorized users can access the network, so that
    the data cannot be intercepted.

36
Wireless Gateways
  • A network device or base station, usually
    providing shared network access, firewall
    security and encryption.
  • An Access Point, LAN Switch, Firewall, and WAN
    Interface in one enclosure.

37
WPA
  • There are 2 modes of WPA and WPA2
    certification: Enterprise and Personal

Enterprise Mode (Business, Government):
  • WPA: Authentication IEEE 802.1X/EAP; Encryption TKIP/MIC
  • WPA2: Authentication IEEE 802.1X/EAP; Encryption AES-CCMP
Personal Mode (Personal, SOHO):
  • WPA: Authentication PSK; Encryption TKIP/MIC
  • WPA2: Authentication PSK; Encryption AES-CCMP
38
WPA/WPA2, 7 Steps
  • The 7 steps are:
  • Step 1 Security Mechanism and Credentials
  • Step 2 User Authentication Database
  • Step 3 Client Operating Systems
  • Step 4 Supplicants
  • Step 5 EAP Types (EAP-TTLS)
  • Step 6 Authentication Server
  • Step 7 Access Points and Client NIC Cards

39
Example of a WPA2
  • Windows
  • 1. Security Credentials: X.509 Digital
    Certificate
  • 2. Database: Microsoft Active Directory
  • 3. Client OS: Windows XP
  • 4. Supplicant: Built into Windows XP for EAP-TLS
  • 5. Authentication EAP Type: EAP-TLS
  • 6. Authentication Server: Cisco Secure Access
    Control Server (RADIUS server)
  • 7. Access Points and Client Devices:
    WPA2-Enterprise Wi-Fi CERTIFIED

40
WPA Deployment
Figure: Authentication Database; RADIUS Server (802.1X, EAP type); Wired LAN; Access Points (AP-1) with support for 802.1X, the EAP type and TKIP; Wireless Clients that are Wi-Fi certified with WPA, use the 802.1X EAP type, have a supplicant for EAP in the OS, and use TKIP encryption.
41
Corporate Security Policy
  • Develop a wireless security policy to define
    what is and what is not allowed with wireless
    technology.
  • Know the technologies and the users that use the
    network.
  • Measure the basic field or illumination coverage
    of the wireless network.
  • Physical Security

42
Corporate Security Policy
  • Set baselines and perform audits/monitoring
    of the network.
  • Harden APs, servers, and gateways.
  • Determine level of security protocols and
    standards.
  • Consider using switches, DMZ, RADIUS servers,
    and VPN.
  • Update firmware and software.

43
To Secure the WLAN
  • If possible, put the wireless network behind its
    own routed interface so you can shut it off if
    necessary.
  • Pick a random SSID that gives nothing about your
    network away.
  • Use WPA or have your broadcast keys rotate every
    ten minutes.
  • Use 802.1X for key management and authentication
  • Look over the available EAP protocols and decide
    which is right for your environment.
  • Set the session to time out every ten minutes or
    less.

44
Security Solutions
  • 802.1X: Authentication
  • MIC: Message Integrity Checking
  • TKIP: Temporal Key Integrity Protocol
  • Cipher and Authentication Negotiation
  • Key Management
  • WPA / WPA2: Wi-Fi Protected Access
  • AES: Advanced Encryption Standard
  • 802.11i
45
Service Set Identifier Myth
  • The SSID is a construct that allows logical
    separation of wireless LANs.
  • A client must be configured with the appropriate
    SSID to gain access to the wireless LAN.
  • The SSID does not provide any data-privacy
    functions, nor does it truly authenticate the
    client to the access point.

46
MAC Address Authentication
  • MAC address authentication is not specified in
    the 802.11 standard
  • Many vendors, including Cisco, support it.
  • MAC address authentication verifies the client's
    MAC address against a locally configured list of
    allowed addresses or against an external
    authentication server
  • MAC authentication is used to augment the open
    and shared key authentications provided by
    802.11

47
MAC Address Authentication Vulnerabilities Myth
  • MAC addresses are sent in the clear as required
    by the 802.11 specification.
  • In wireless LANs that use MAC authentication, a
    network attacker might be able to subvert the MAC
    authentication process by "spoofing" a valid MAC
    address.
  • MAC address spoofing is possible in 802.11
    network interface cards (NICs) that allow the
    universally administered address (UAA) to be
    overwritten with a locally administered address
    (LAA).
  • A network attacker can use a protocol analyzer to
    determine a valid MAC address in the business
    support system (BSS) and an LAA-compliant NIC
    with which to spoof the valid MAC address.

48
Authentication Vulnerabilities with SSID
  • The SSID is advertised in plain-text in the
    access point beacon messages. Although beacon
    messages are transparent to users, an
    eavesdropper can easily determine the SSID with a
    WLAN packet analyzer.
  • Some access-point vendors offer the option to
    disable SSID broadcasts in the beacon messages.
  • The SSID can still be determined by sniffing the
    probe response frames from an access point
  • Disabling SSID broadcasts might have adverse
    effects on Wi-Fi interoperability for
    mixed-client deployments.

49
Wireless Security Summary
Security Model / Authentication / Encryption / Security Level
  • Transitional (only a temporary solution)
    Authentication: Shared Key (up to four WEP keys, which should be rotated between clients); SSID beaconing (turn off if the AP permits, and/or use a cryptic SSID name); MAC address filtering (pre-approved at the AP, no guests)
    Encryption: WEP. Even 128-bit WEP has vulnerabilities. 16-character ASCII passphrases generate predictable keys and should be discouraged. Only secure against script-kiddies and casual eavesdroppers.
    Security Level: Low
  • WPA Personal (ten or fewer devices)
    Authentication: PSK, manually entered and used as the starting seed for encryption key generation; must be entered in both the AP and the client
    Encryption: TKIP. Stronger than WEP but uses the same hardware. TKIP has three components: a MIC to prevent forgeries; the IV is increased from 24 to 48 bits and changed for each packet; TKIP key mixing generates keys that are replaced frequently.
    Security Level: Medium
  • WPA2 Personal
    Authentication: PSK; keys are automatically changed after a set number of packets
    Encryption: AES-CCMP. Superior to TKIP and based on the 802.11i standard. Produces 128-bit blocks with 128- to 256-bit keys. Computation intensity strongly suggests hardware processing.
    Security Level: Med/High
  • WPA Enterprise
    Authentication: 802.1x port-based authentication employing a Supplicant (client), an Authenticator (server isolating client and RADIUS) and an Authentication Server (RADIUS)
    Encryption: TKIP, same as WPA2 Personal
    Security Level: High/Med
  • WPA2 Enterprise
    Authentication: 802.1x, same as WPA Enterprise
    Encryption: AES-CCMP, same as WPA2 Personal
    Security Level: High/High
50
Wireless Security Terms
  • SSID: Service Set Identifier
  • WPA: Wi-Fi Protected Access
  • WEP: Wired Equivalent Privacy
  • PSK: Pre-Shared Key
  • TKIP: Temporal Key Integrity Protocol
  • MAC: Media Access Control
  • MIC: Message Integrity Check
  • AES: Advanced Encryption Standard
  • CCMP: Counter Mode CBC-MAC Protocol
  • RADIUS: Remote Dial-In User Service