Wireless Networks Security CSSE 572- Software Security Loizos Markides
Introduction <ul><li>Wireless networks broadcast their packets using radio frequency or optical wavelengths.  A modern lap...
Before we start… <ul><li>Who is a hacker? </li></ul><ul><li>(originally) Someone who makes furniture with an axe!  </li></...
Before we start… <ul><li>Who is a hacker? </li></ul><ul><li>(originally) Someone who makes furniture with an axe!  </li></...
WLAN Overview  Stations and Access Points A wireless network interface card (adapter) is a device, called a  station , pro...
WLAN Overview  MAC Address, SSID and Channels  <ul><li>Media Access Control (MAC) address: </li></ul><ul><ul><li>The stati...
WLAN Overview  Frames  <ul><li>Both the station and AP radiate and gather 802.11 frames as needed. </li></ul><ul><li>There...
WLAN Overview  Authentication  <ul><li>Authentication is the process of proving identity of a station to another station o...
WLAN Overview  Association  <ul><li>Data can be exchanged between the station and AP only after a station is associated wi...
IEEE 802.11 Standards <ul><li>IEEE 802  is a dominant collection of networking standards developed by IEEE. </li></ul><ul>...
IEEE 802.11 Modes Infrastructure Mode  <ul><li>Basic Service Set (BSS) </li></ul><ul><ul><li>A set of stations that are lo...
IEEE 802.11 Modes Ad-hoc Mode <ul><li>Also called peer-to-peer. </li></ul><ul><li>Independent Basic Service Set. </li></ul...
IEEE 802.11 Modes Joining a Basic Service Set <ul><li>When 802.11 client enters range of one or more APs: </li></ul><ul><u...
Security of IEEE 802.11 WLANs Open System Authentication <ul><li>Relies on Service Set Identifier (SSID). </li></ul><ul><l...
Security of IEEE 802.11 WLANs SSID Hiding <ul><li>AP can choose not to transmit SSID in its beacons. </li></ul><ul><li>Can...
Security of IEEE 802.11 WLANs MAC Access Control Lists <ul><li>Access points may have Access Control Lists (ACLs). </li></...
Interception <ul><li>Wireless LAN uses radio signal. </li></ul><ul><li>Not limited to physical building. </li></ul><ul><li...
Directional Antennae <ul><li>Directional antenna provides focused reception. </li></ul><ul><li>DIY plans available, using:...
Wired Equivalence Privacy (WEP) <ul><li>Shared key between stations and an Access Point. </li></ul><ul><li>Key used in str...
WEP Encryption RC4 ICV computation  using CRC32  IV Cipher text || || Plaintext Secret key Initialisation Vector (IV) Key...
Shared Key Authentication <ul><li>Station requests association with AP. </li></ul><ul><li>AP sends challenge to station. <...
WEP Safeguards <ul><li>Shared secret key required for: </li></ul><ul><ul><li>Associating with an access point. </li></ul><...
Initialization Vector (IV) <ul><li>IV should be different for every message transmitted. </li></ul><ul><li>But 802.11 stan...
Insecurity of SKA <ul><li>Rogue station records run of authentication protocol. </li></ul><ul><li>Uses known plaintext (ch...
WEP attacks Packet injection <ul><li>A packet sent in a WEP protected network which has been intercepted by an attacker, c...
WEP attacks Fake authentication <ul><li>Allows an attacker to join a WEP protected network, even if the attacker has not g...
WEP attacks Chopchop attack (I) <ul><li>Allows an attacker to interactively decrypt the last m bytes of plaintext of an en...
WEP attacks Chopchop attack (II) <ul><li>Using the AP as an  oracle : </li></ul><ul><li>The attacker could join the networ...
WEP attacks FMS attack <ul><li>First key recovery attack against the RC4 algorithm. </li></ul><ul><li>Main idea: </li></ul...
WEP attacks Generating traffic for the FMS attack <ul><li>Capture encrypted ARP request packets ( associate an IP address ...
WEP attacks  Other WEP attacks <ul><li>PTW attack </li></ul><ul><li>Bit-flipping attack </li></ul><ul><li>Brute-force key ...
Wi-Fi Protected Access (WPA) <ul><li>The IEEE 802.11 community has responded to the many security problems identified in W...
Wi-Fi Protected Access (WPA) <ul><li>Wi-Fi Protected Access (WPA) </li></ul><ul><ul><li>Works with 802.11b, a and g. </li>...
Temporal Key Integrity Protocol ( TKIP) <ul><li>WPA introduced Temporal Key Integrity Protocol (TKIP). </li></ul><ul><li>I...
TKIP Security Measures (I) <ul><li>A cryptographic message integrity code (MIC) is added to every packet before fragmentat...
TKIP Security Measures (II) <ul><li>TKIP only allows a small number of messages where the CRC32 checksum is correct but th...
WPA attacks <ul><li>Dictionary attack on pre-shared key mode </li></ul><ul><li>Denial of service attack  </li></ul><ul><ul...
WPA2 <ul><li>Supersedes WPA’s interim solution to WEP issues but  does require new hardware . </li></ul><ul><li>An enterpr...
Workshop <ul><li>Automation of attacks:  </li></ul><ul><li>How much time is needed for an inexperienced attacker to break ...
If you liked the workshop… <ul><li>Have in mind that: </li></ul><ul><li>June 2004, Michigan, Lowes DIY store </li></ul><ul...
Wireless Security Best Practices Proper Configuration <ul><li>Change default SSID names of the AP, such as “Default SSID”,...
Wireless Security Best Practices Secure Protocols <ul><li>Avoid the use of protocols that send passwords and data in the c...
Wireless Security Best Practices Discover Unauthorized Use <ul><li>A  wireless intrusion detection system  (WIDS) is often...
Wireless Security Best Practices Wireless Auditing <ul><li>Begins with the definition of a well-established security polic...
Q&A
References <ul><li>Papers : </li></ul><ul><li>[1] Attacks on the WEP protocol. Diploma Thesis 2007 by Eric Tews  </li></ul...
Upcoming SlideShare
Loading in...5
×

(Wireless network security - WEP, WPA, WPA2 encryptions)

3,252
-1

Published on

0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,252
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
381
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide
  • The IV is chosen by a pseudo random number generator. The station always remembers the last IV used. When a new IV needs to be chosen, the station interprets the last IV used as a number and adds 1 to this number. When the highest possible number is reached, the station starts again with 0. 3. The IV is prepended to the root key and form the per packet key K = IV||Rk. 4. A CRC32 checksum of the payload is produced and appended to the payload. This checksum is called Integrity Check Value (ICV). 5. The per packet key K is feed into the RC4 stream cipher to produce a key stream X of the length of the payload with checksum. 6. The plaintext with the checksum is XORed with the key stream and form the cipher text of the packet. 7. The cipher text, the initialization vector IV and some additional header fields are used to build a packet, which is now send to the receiver.
  • (Wireless network security - WEP, WPA, WPA2 encryptions)

    1. 1. Wireless Networks Security CSSE 572- Software Security Loizos Markides
    2. 2. Introduction <ul><li>Wireless networks broadcast their packets using radio frequency or optical wavelengths.  A modern laptop computer can listen in, but also an attacker can manufacture new packets on the fly and persuade wireless stations to accept his packets as legitimate.  </li></ul><ul><li>This presentation covers the following subjects: </li></ul><ul><li>WLAN Overview – Basic Concepts </li></ul><ul><li>The IEEE 802.11 Standards </li></ul><ul><li>IEEE 802.11 Security Measures </li></ul><ul><li>WEP Encryption and Related Attacks </li></ul><ul><li>WPA Encryption and Related Attacks </li></ul><ul><li>WPA 2 Encryption </li></ul><ul><li>Wireless Networks Best Practices </li></ul><ul><li>Workshop subject : How much time you need to crack into a WEP network? </li></ul>
    3. 3. Before we start… <ul><li>Who is a hacker? </li></ul><ul><li>(originally) Someone who makes furniture with an axe! </li></ul><ul><li>From the Jargon Dictionary ( http ://info.astrian.net/jargon/ ) </li></ul><ul><li>A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. </li></ul><ul><li>One who programs enthusiastically or who enjoys programming rather than just theorizing about programming. </li></ul><ul><li>A person capable of appreciating hack value. </li></ul><ul><li>A person who is good at programming quickly. </li></ul><ul><li>An expert at a particular program, or one who frequently does work using it or on it. </li></ul><ul><li>One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations. </li></ul>
    4. 4. Before we start… <ul><li>Who is a hacker? </li></ul><ul><li>(originally) Someone who makes furniture with an axe! </li></ul><ul><li>From the Jargon Dictionary ( http ://info.astrian.net/jargon/ ) </li></ul><ul><li>A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. </li></ul><ul><li>One who programs enthusiastically or who enjoys programming rather than just theorizing about programming. </li></ul><ul><li>A person capable of appreciating hack value. </li></ul><ul><li>A person who is good at programming quickly . </li></ul><ul><li>An expert at a particular program, or one who frequently does work using it or on it. </li></ul><ul><li>One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations. </li></ul>
    5. 5. WLAN Overview Stations and Access Points A wireless network interface card (adapter) is a device, called a station , providing the network physical layer over a radio link to another station. An access point (AP) is a station that provides frame distribution service to stations associated with it. The AP itself is typically connected by wire to a LAN.
    6. 6. WLAN Overview MAC Address, SSID and Channels <ul><li>Media Access Control (MAC) address: </li></ul><ul><ul><li>The station and AP each contain a network interface that has a MAC address. </li></ul></ul><ul><ul><li>World-wide-unique 48-bit number. </li></ul></ul><ul><ul><li>Represented as a string of six octets separated by colons (00:02:2D:17:B9:E8).  </li></ul></ul><ul><ul><li>Can be changed in software. </li></ul></ul><ul><li>Service Set Identifier (SSID): </li></ul><ul><ul><li>Every AP has a SSID, which is used to segment the airwaves for usage. </li></ul></ul><ul><ul><li>If two wireless networks are physically close, the SSIDs label the respective networks and allow the components of one network to ignore those of the other. </li></ul></ul><ul><ul><li>It is possible that two unrelated networks use the same SSID. </li></ul></ul><ul><li>Channels </li></ul><ul><ul><li>The stations communicate with each other using radio frequencies between 2.4 GHz and 2.5 GHz. </li></ul></ul><ul><ul><li>Neighboring channels are only 5 MHz apart. </li></ul></ul><ul><ul><li>Networks with neighboring channels may interfere with each other. </li></ul></ul>
    7. 7. WLAN Overview Frames <ul><li>Both the station and AP radiate and gather 802.11 frames as needed. </li></ul><ul><li>There are three classes of frames: </li></ul><ul><li>Management Frames : Establish and maintain communication </li></ul><ul><ul><li>Association request, Association response, Probe request, Probe response, Beacon, Announcement traffic indication message, Disassociation, Authentication, Deauthentication etc </li></ul></ul><ul><ul><li>Management messages are always sent in the clear, even when link encryption (WEP or WPA) is used. </li></ul></ul><ul><li>Control Frames : Help in the delivery of data </li></ul><ul><li>Data Frames : Encapsulate the OSI Network Layer packets </li></ul><ul><ul><li>These contain the source and destination MAC address, the BSSID, and the TCP/IP datagram. </li></ul></ul><ul><ul><li>The payload part of the datagram is WEP-encrypted. </li></ul></ul>Image taken from http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm#_Toc77524650
    8. 8. WLAN Overview Authentication <ul><li>Authentication is the process of proving identity of a station to another station or AP.  </li></ul><ul><li>Open system authentication -> all stations are authenticated without any checking.  </li></ul><ul><li>Shared key authentication -> standard challenge and response along with a shared secret key. </li></ul>authentication management frame recognition frame
    9. 9. WLAN Overview Association <ul><li>Data can be exchanged between the station and AP only after a station is associated with: </li></ul><ul><ul><li>an AP in the infrastructure mode </li></ul></ul><ul><ul><li>another station in the ad hoc mode. </li></ul></ul><ul><ul><li>  </li></ul></ul><ul><li>A station can be authenticated with several APs at the same time, but associated with at most one AP at any time.  </li></ul><ul><li>Association implies authentication.  </li></ul><ul><li>There is no state where a station is associated but not authenticated. </li></ul>Image taken from http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm#_Toc77524650
    10. 10. IEEE 802.11 Standards <ul><li>IEEE 802 is a dominant collection of networking standards developed by IEEE. </li></ul><ul><li>IEEE 802.11 is a family of standards for wireless LANs. </li></ul><ul><li>Baseline IEEE Std 802.11-1997 was approved in June 1997. </li></ul><ul><ul><li>Offering 1 Mbps and 2Mbps rates. </li></ul></ul><ul><ul><li>Typical indoor range of 20m. </li></ul></ul><ul><li>802.11b added 5.5 Mbps and 11 Mbps in 1999 </li></ul><ul><ul><li>range of 30-40m (indoor) </li></ul></ul><ul><li>802.11g added 54 Mbps in 2002 </li></ul><ul><ul><ul><ul><li>range of 30-40m (indoor) </li></ul></ul></ul></ul><ul><ul><li>802.11n was published in October 2009. </li></ul></ul><ul><ul><ul><ul><li>Aiming for typical 75Mbps and maximum of 600Mbps </li></ul></ul></ul></ul><ul><ul><li>Range of 70m (indoor). </li></ul></ul><ul><ul><li>Products already available, based on draft standard. </li></ul></ul>
    11. 11. IEEE 802.11 Modes Infrastructure Mode <ul><li>Basic Service Set (BSS) </li></ul><ul><ul><li>A set of stations that are logically associated with each other and controlled by a single AP </li></ul></ul><ul><li>Extended Service Set </li></ul><ul><ul><li>Two or more BSSs forming a single subnet. </li></ul></ul>BSS Extended Service Set (ESS) Access Point Station
    12. 12. IEEE 802.11 Modes Ad-hoc Mode <ul><li>Also called peer-to-peer. </li></ul><ul><li>Independent Basic Service Set. </li></ul><ul><li>Set of 802.11 wireless stations that communicate directly without an access point. </li></ul><ul><ul><li>Useful for quick & easy wireless networks. </li></ul></ul>
    13. 13. IEEE 802.11 Modes Joining a Basic Service Set <ul><li>When 802.11 client enters range of one or more APs: </li></ul><ul><ul><li>APs send beacons. </li></ul></ul><ul><ul><li>AP beacon can include SSID. </li></ul></ul><ul><ul><li>AP chosen on signal strength and observed error rates. </li></ul></ul><ul><ul><li>After AP accepts client. </li></ul></ul><ul><ul><ul><li>Client tunes to AP channel. </li></ul></ul></ul><ul><li>Periodically, all channels surveyed. </li></ul><ul><ul><li>To check for stronger or more reliable APs. </li></ul></ul><ul><ul><li>If found, may reassociate with new AP. </li></ul></ul>
    14. 14. Security of IEEE 802.11 WLANs Open System Authentication <ul><li>Relies on Service Set Identifier (SSID). </li></ul><ul><li>Station must specify SSID to Access Point when requesting association. </li></ul><ul><li>APs can broadcast their SSID as a beacon. </li></ul><ul><li>Some clients allow * as SSID. </li></ul><ul><ul><li>Associates with strongest AP regardless of SSID. </li></ul></ul>
    15. 15. Security of IEEE 802.11 WLANs SSID Hiding <ul><li>AP can choose not to transmit SSID in its beacons. </li></ul><ul><li>Can still attack APs that don’t transmit SSID: </li></ul><ul><ul><li>Send deauthenticate frames to client. </li></ul></ul><ul><ul><li>SSID then captured when client sends reauthenticate frames containing SSID. </li></ul></ul><ul><li>Open System Authentication only provides trivial level of security. </li></ul><ul><ul><li>Even with SSID hiding. </li></ul></ul>
    16. 16. Security of IEEE 802.11 WLANs MAC Access Control Lists <ul><li>Access points may have Access Control Lists (ACLs). </li></ul><ul><li>ACL is a list of allowed MAC addresses. </li></ul><ul><ul><li>E.g. only allow access to: </li></ul></ul><ul><ul><ul><li>00:01:42:0E:12:1F </li></ul></ul></ul><ul><ul><ul><li>00:01:42:F1:72:AE </li></ul></ul></ul><ul><ul><ul><li>00:01:42:4F:E2:01 </li></ul></ul></ul><ul><li>But MAC addresses are sniffable and spoofable. </li></ul><ul><li>Hence MAC ACLs are of limited value. </li></ul><ul><ul><li>Will not prevent determined attacker. </li></ul></ul>
    17. 17. Interception <ul><li>Wireless LAN uses radio signal. </li></ul><ul><li>Not limited to physical building. </li></ul><ul><li>Signal is weakened by: </li></ul><ul><ul><li>Walls </li></ul></ul><ul><ul><li>Floors </li></ul></ul><ul><ul><li>Interference </li></ul></ul><ul><li>Directional antenna allows interception over longer distances. </li></ul><ul><ul><li>Record is 124 miles for an unamplified 802.11b signal (using a 4 metre dish). </li></ul></ul>
    18. 18. Directional Antennae <ul><li>Directional antenna provides focused reception. </li></ul><ul><li>DIY plans available, using: </li></ul><ul><ul><li>Aluminium cake tins </li></ul></ul><ul><ul><li>Chinese cooking sieves. </li></ul></ul>
    19. 19. Wired Equivalence Privacy (WEP) <ul><li>Shared key between stations and an Access Point. </li></ul><ul><li>Key used in stream cipher to encrypt WLAN traffic. </li></ul><ul><li>Uses RC4 stream cipher </li></ul><ul><ul><li>RC4 algorithm generates a stream of pseudo-random bits using key and Initialisation Vector (IV) as input. </li></ul></ul><ul><ul><li>RC4 is also used in the decryption of the ciphertext. </li></ul></ul><ul><li>Uses 32-bit Cyclic Redundancy Check (CRC32) </li></ul><ul><ul><li>Basically a hash function </li></ul></ul><ul><ul><li>Used to compute Integrity Check Vector (ICV) </li></ul></ul>
    20. 20. WEP Encryption RC4 ICV computation using CRC32  IV Cipher text || || Plaintext Secret key Initialisation Vector (IV) Key-stream || append XOR 
    21. 21. Shared Key Authentication <ul><li>Station requests association with AP. </li></ul><ul><li>AP sends challenge to station. </li></ul><ul><li>Station encrypts challenge using WEP to produce response. </li></ul><ul><li>Response received by AP, decrypted by AP and result compared to initial challenge. If they match AP sends a successful message and the station is authenticated. </li></ul>
    22. 22. WEP Safeguards <ul><li>Shared secret key required for: </li></ul><ul><ul><li>Associating with an access point. </li></ul></ul><ul><ul><li>Sending data. </li></ul></ul><ul><ul><li>Receiving data. </li></ul></ul><ul><li>Messages are encrypted. </li></ul><ul><ul><li>Confidentiality. </li></ul></ul><ul><li>Messages have checksum. </li></ul><ul><ul><li>Intended to provide integrity. </li></ul></ul><ul><li>But has serious vulnerabilities… </li></ul>
    23. 23. Initialization Vector (IV) <ul><li>IV should be different for every message transmitted. </li></ul><ul><li>But 802.11 standard doesn’t specify how IV is calculated. </li></ul><ul><li>Wireless cards use several methods: </li></ul><ul><ul><li>Some use a simple ascending counter for each message. </li></ul></ul><ul><ul><li>Some switch between alternate ascending and descending counters. </li></ul></ul><ul><ul><li>Some use a pseudo-random IV generator. </li></ul></ul><ul><li>If 24-bit IV is an ascending counter, and if AP transmits at 11 Mbps, then all IVs are exhausted in roughly 5 hours! </li></ul>
    24. 24. Insecurity of SKA <ul><li>Rogue station records run of authentication protocol. </li></ul><ul><li>Uses known plaintext (challenge) to compute portion of key-stream for the (known) IV. </li></ul><ul><ul><li>C = P XOR key-stream. </li></ul></ul><ul><li>Rogue station can now respond to any future authentication challenge from AP encrypted with same key and same IV. </li></ul><ul><ul><li>Rogue receives fresh challenge. </li></ul></ul><ul><ul><li>Wireless station gets to choose IV in protocol. </li></ul></ul><ul><ul><li>But same IV (and same secret key) means that RC4 produces the same key-stream bits. </li></ul></ul><ul><ul><li>Hence rogue who repeats IV can reuse old key-stream portion to encrypt, producing correct response </li></ul></ul>
    25. 25. WEP attacks Packet injection <ul><li>A packet sent in a WEP protected network which has been intercepted by an attacker, can later be injected into the network again, as long as the key has not been changed and the original sending station is still in the network. </li></ul><ul><li>WEP was never designed to be resistant against such an attack. </li></ul>
    26. 26. WEP attacks Fake authentication <ul><li>Allows an attacker to join a WEP protected network, even if the attacker has not got the secret root key. </li></ul><ul><li>Open System Authentication </li></ul><ul><ul><li>Attacker can perform handshake without knowing the secret root key </li></ul></ul><ul><li>Shared Key Authentication </li></ul><ul><ul><li>The attacker has to be able to sniff an SKA handshake between the AP and another station. </li></ul></ul>
    27. 27. WEP attacks Chopchop attack (I) <ul><li>Allows an attacker to interactively decrypt the last m bytes of plaintext of an encrypted packet by sending m128 packets in average to the network. </li></ul><ul><li>Procedure: </li></ul><ul><ul><li>Select a captured packet for decryption </li></ul></ul><ul><ul><li>Truncate the packet by one byte, correct the checksum and send the packet to the oracle to find out if the guess is correct </li></ul></ul><ul><ul><li>If the guess is correct, we know the last byte of plaintext and we can continue with the second last byte </li></ul></ul><ul><ul><li>If the guess war incorrect make another different guess for that byte (at most 256 guesses and an average of 128 guesses per byte) </li></ul></ul>
    28. 28. WEP attacks Chopchop attack (II) <ul><li>Using the AP as an oracle : </li></ul><ul><li>The attacker could join the network with two stations A and B and send the packet from station A to station B. </li></ul><ul><ul><li>Correct checksum -> the packet will be replayed by the AP to station B. </li></ul></ul><ul><ul><li>Incorrect checksum -> the packet will be discarded. </li></ul></ul><ul><li>The attacker could send the packet from a station which is not in the network to the AP. </li></ul><ul><ul><li>Correct checksum -> the AP will send an error-message to the station, telling it, that it needs to rejoin the network. </li></ul></ul><ul><ul><li>Incorrect checksum -> the packet will be discarded. </li></ul></ul>
    29. 29. WEP attacks FMS attack <ul><li>First key recovery attack against the RC4 algorithm. </li></ul><ul><li>Main idea: </li></ul><ul><ul><li>If the RC4 key is composed from a known IV and an unknown secret part by concatenation; </li></ul></ul><ul><ul><li>And if the attacker knows the first byte of key-stream for enough different IVs; </li></ul></ul><ul><ul><li>Then the whole RC4 key can be determined in a statistical attack. </li></ul></ul><ul><ul><li>Attack only makes use of some of the IVs – so-called “weak” IVs. </li></ul></ul><ul><ul><li>Complexity of attack grows only linearly with key size rather than exponentially. </li></ul></ul><ul><li>http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf </li></ul>
    30. 30. WEP attacks Generating traffic for the FMS attack <ul><li>Capture encrypted ARP request packets ( associate an IP address with its physical address) . </li></ul><ul><li>Replay encrypted ARP packets to generate encrypted ARP replies. </li></ul><ul><li>These replies provide more traffic, potentially with IVs indicating weak keys. </li></ul>
    31. 31. WEP attacks Other WEP attacks <ul><li>PTW attack </li></ul><ul><li>Bit-flipping attack </li></ul><ul><li>Brute-force key attack </li></ul><ul><li>KoreK’s fragmentation attack </li></ul><ul><li>… . </li></ul>
    32. 32. Wi-Fi Protected Access (WPA) <ul><li>The IEEE 802.11 community has responded to the many security problems identified in WEP. </li></ul><ul><li>Intermediate solution: Wi-Fi Protected Access (WPA). </li></ul><ul><li>Longer-term solution: WPA2. </li></ul><ul><li>WPA and WPA2 are standardised in IEEE 802.11i </li></ul><ul><li>Recently WPA has been cracked in just 60 seconds by Japanese researchers http://www.itpro.co.uk/blogs/daveyw/2009/08/30/wifi-security-gone-in-60-seconds/ </li></ul>
    33. 33. Wi-Fi Protected Access (WPA) <ul><li>Wi-Fi Protected Access (WPA) </li></ul><ul><ul><li>Works with 802.11b, a and g. </li></ul></ul><ul><ul><li>An intermediate solution to address WEP’s problems. </li></ul></ul><ul><ul><li>Existing hardware can still be used; only firmware upgrade needed. </li></ul></ul><ul><li>WPA introduced new authentication protocol, improved integrity protection measure and per-packet keys. </li></ul><ul><ul><li>To provide stronger authentication than in WEP. </li></ul></ul><ul><ul><li>To prevent spoofing attacks (i.e. bit flipping on WEP CRC). </li></ul></ul><ul><ul><li>To prevent FMS-style attacks. </li></ul></ul>
    34. 34. Temporal Key Integrity Protocol ( TKIP) <ul><li>WPA introduced Temporal Key Integrity Protocol (TKIP). </li></ul><ul><li>It is designed to be usable on already existing hardware by installing a new firmware. </li></ul><ul><li>It is known to have several security weaknesses, but raises bar considerably compared to WEP. </li></ul>
    35. 35. TKIP Security Measures (I) <ul><li>A cryptographic message integrity code (MIC) is added to every packet before fragmentation. </li></ul><ul><ul><li>Prevents attacks like fragmentation or chopchop, where fragments of a packet are rearranged or packets are modified </li></ul></ul><ul><ul><li>Protects the plaintext of the fragments to prevent an attacker from modifying the source or destination address of a packet. </li></ul></ul><ul><li>TKIP exchanges the per packet key completely after every single packet. </li></ul><ul><ul><li>WEP changes only the first 3 bytes of the per packet key. </li></ul></ul>
    36. 36. TKIP Security Measures (II) <ul><li>TKIP only allows a small number of messages where the CRC32 checksum is correct but the MIC is incorrect. </li></ul><ul><ul><li>If more than two such messages are received by a station within a minute, TKIP is disabled for a minute and a renegotiation of the keys is suggested. </li></ul></ul><ul><li>A per packet sequence counter is used to prevent replay attacks. </li></ul><ul><ul><li>If a packet is received out of order, it is dropped by the receiving station. </li></ul></ul><ul><ul><li>This prevents all kind of injection attacks where a packet is replayed. </li></ul></ul>
    37. 37. WPA attacks <ul><li>Dictionary attack on pre-shared key mode </li></ul><ul><li>Denial of service attack </li></ul><ul><ul><li>If WPA equipment sees two packets with invalid MICs in 1 second, then: </li></ul></ul><ul><ul><ul><li>All clients are disassociated. </li></ul></ul></ul><ul><ul><ul><li>All activity stopped for one minute. </li></ul></ul></ul><ul><ul><ul><li>So two malicious packets per minute is enough to stop a wireless network. </li></ul></ul></ul>
    38. 38. WPA2 <ul><li>Supersedes WPA’s interim solution to WEP issues but does require new hardware . </li></ul><ul><li>An enterprise level key management was added to IEEE 802.11, which allows a lot of modes of authentication: </li></ul><ul><ul><li>No need for a single secret pre-shared key </li></ul></ul><ul><ul><li>Use of a username and a password, smartcards, certificates, hardware security tokens etc </li></ul></ul><ul><li>Every station uses individual keys to communicate with an AP </li></ul><ul><ul><li>Eavesdropping by another station in the same network is not possible anymore. </li></ul></ul>
    39. 39. Workshop <ul><li>Automation of attacks: </li></ul><ul><li>How much time is needed for an inexperienced attacker to break into your WEP network? </li></ul><ul><ul><li>http://lifehacker.com/5305094/how-to-crack-a-wi+fi-networks-wep-password-with-backtrack </li></ul></ul>
    40. 40. If you liked the workshop… <ul><li>Have in mind that: </li></ul><ul><li>June 2004, Michigan, Lowes DIY store </li></ul><ul><ul><li>Salcedo convicted for stealing credit card numbers via unprotected WLAN, received 9 year sentence . </li></ul></ul><ul><ul><li>Botbyl convicted for checking email & web browsing via unprotected WLAN, received 26 month sentence . </li></ul></ul><ul><li>June 2004, Connecticut, Myron Tereshchuk guilty of drive-by extortion via unprotected WLANs. </li></ul><ul><ul><li>63 month prison sentence . </li></ul></ul><ul><li>July 2005, London, Gregory Straszkiewicz found guilty of dishonestly obtaining a communications service. </li></ul><ul><ul><li>£500 fine and 12 month suspended sentence under Communications Act (2003). </li></ul></ul>
    41. 41. Wireless Security Best Practices Proper Configuration <ul><li>Change default SSID names of the AP, such as “Default SSID”, “WLAN”, “Wireless”, “Compaq”, “intel”, and “linksys”. </li></ul><ul><ul><li>Default admin passwords are well known for all manufacturers. </li></ul></ul><ul><ul><li>Single-word passwords are easier to crack </li></ul></ul><ul><li>The IEEE 802.11 does not describe an automated way of distributing the shared-secret keys.  </li></ul><ul><ul><li>Manual distribution is expensive in large installations </li></ul></ul><ul><ul><li>But it is better to change them periodically. </li></ul></ul>
    42. 42. Wireless Security Best Practices Secure Protocols <ul><li>Avoid the use of protocols that send passwords and data in the clear. </li></ul><ul><ul><li>Rlogin family; </li></ul></ul><ul><ul><li>Telnet; </li></ul></ul><ul><ul><li>POP3.  </li></ul></ul><ul><li>Instead prefer </li></ul><ul><ul><li>SSH(Secure Shell); </li></ul></ul><ul><ul><li>VPN (Virtual private networks) </li></ul></ul><ul><li>Always use the newest standards and protocols available. </li></ul>
    43. 43. Wireless Security Best Practices Discover Unauthorized Use <ul><li>A wireless intrusion detection system (WIDS) is often a self-contained computer system with specialized hardware and software to detect anomalous behavior. </li></ul><ul><ul><li>Need of special wireless hardware </li></ul></ul><ul><ul><li>Can detect unknown MAC addresses by maintaining a registry of MAC addresses of known stations and APs. </li></ul></ul><ul><ul><li>Can detect spoofed known MAC addresses because the attacker could not control the firmware of the wireless card to insert the appropriate sequence numbers into the frame. </li></ul></ul>
    44. 44. Wireless Security Best Practices Wireless Auditing <ul><li>Begins with the definition of a well-established security policy. </li></ul><ul><ul><li>i.e. a policy for wireless networks should include a description of the geographical volume of coverage. </li></ul></ul><ul><li>The main goal of an audit is to verify that there are no violations of the policy. </li></ul><ul><li>Several audit firms provide this service for a fee. </li></ul><ul><li>The typical auditor employs the tools and techniques of an attacker. </li></ul>
    45. 45. Q&A
    46. 46. References <ul><li>Papers : </li></ul><ul><li>[1] Attacks on the WEP protocol. Diploma Thesis 2007 by Eric Tews </li></ul><ul><li>[2] Practical attacks against WEP and WPA. Martin Beck, Eric Tews, 2008 </li></ul><ul><li>[3] Weaknesses in the key scheduling algorithm of RC4 Scott Fluhrer, Itsik Mantin, Adi Shamir </li></ul><ul><li>Links : </li></ul><ul><ul><li>http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm </li></ul></ul><ul><ul><li>http://www.saunalahti.fi/~elepal/antennie.html </li></ul></ul><ul><li>www.drizzle.com/~aboba/IEEE/ </li></ul><ul><li>http://www.offensive-security.com/ </li></ul>
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×