Your SlideShare is downloading. ×
WiFi Security Explained
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

WiFi Security Explained

3,467
views

Published on

This is my understanding on WiFi Security Protocols

This is my understanding on WiFi Security Protocols

Published in: Technology, Education

0 Comments
9 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,467
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
2
Comments
0
Likes
9
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Transcript

    • 1.
        • WiFi Security Standard
        • Somenath Mukhopadhyay
        • [email_address]
    • 2. Why WiFi Security is needed
        • 802.11 wireless network has no clothes
        • Wireless LANs are broadcasting secrets of enterprises that have spent millions on internet security
        • The insecurity of WLAN has given rise to War-Driving
    • 3. 802.11 Security
        • Two Phases - Authentication & Encryption
        • Open System Authentication(OSA)‏
        • NIL protection
        • Shared Key Authentication – WEP Authentication
    • 4. OSA and Shared Key Authentication
    • 5. WEP Authentication Frame Format
        • Algorithm Number – 0 OSA, 1 WEP
        • Transaction Sequence – First Message 0, Second Message 1, etc
        • Status Code – Sent in the Final Message – SUCCESS/FAILURE
        • Challenge Text – 128 bit random number sent by the AP
    • 6. WEP Encryption
        • Stream Ciphering – byte wise ciphering
        • RC4 encryption technology
    • 7. RC4 Encryption Technology
        • Two Phases – Initialization and Encryption
        • IV – Initialization Vector – 24 bit value
        • Secret Key - 104 bit value
        • IV changes for every data packet
        • IV is sent along with the packet
    • 8. WEP Checksumming
    • 9. WEP Encryption
    • 10. WEP Decryption
    • 11. RC4 algorithm in details
      • Key scheduling algorithm generation using RC4
      • First step – generating an array with 256 8 bit values
      • Second step – scrambling the array
      • Initialization:
      • For i = 0 ... N - 1
      • S[i] = i
      • j = 0
      • Scrambling:
      • For i = 0 ... N - 1
      • j = j + S[i] + K[i mod l]
      • Swap(S[i], S[j])
    • 12. RC4 algorithm in details
      • Generating the streaming key
      • This part of the algorithm is responsible for creating the streaming values used to encrypt the plaintext
      • Initialization:
      • i = 0
      • j = 0
      • Generation Loop: i = i + 1
      • j = (j + S[i]) mod l
      • Swap(S[i], S[j])
      • Output z = S[S[i] + S[j]]
    • 13. Example of a simple RC4 using 2 bits RC4
        • Assumptions
        • I = 0
        • J = 0
        • Pass = “6152”
        • Pass length = 4
        • Index N = 4
        • Initialization Logic:
        • For i = 0 .... N-1
          • S[i] = i
        • Next
        • S[0] = 0, S[1] = 1, S[2] = 2, S[3] = 3
    • 14. Example of a simple RC4 using 2 bits RC4
      • Scrambling
      • Logic: For i = 0 ... N - 1
      • j = j + S[i] + K[i mod l]
      • Swap(S[i], S[j])‏
      • Initial values
      • S[0] = 0, S[1] = 1, S[2] = 2, S[3] = 3
      • K[0] = 6, K[1] = 1, K[2] = 5, K[3] = 2
      • i = 0, j = 0, pass(K) = “6152”,
      • pass length(l) = 4, Index(N) = 4
    • 15. Example of a simple RC4 using 2 bits RC4
      • Equations:
      • j = j + S[i] + K[i mod l]
      • Swap(S[i], S[j])
      • j=(0 + S[0] + K[0]) mod 4
      • j=(0+0+6) mod 4
      • j=6 mod 4
      • j=2
      • Swap (S[0] , S[2]) S[0]=0 , S[2]=2 => S[0]=2 , S[2]=0
    • 16. Example of a simple RC4 using 2 bits RC4
      • Calculation for the second loop
      • Initial values before the iteration
      • S[0] = 2, S[1] = 1, S[2] = 0, S[3] = 3
      • K[0] = 6, K[1] = 1, K[2] = 5, K[3] = 2
      • pass length (l) = 4, Index(N) = 4, i = 1, j = 2
      • Equations:
      • j = j + S[i] + K[i mod l] =>j = (2+S[1]+k[1]) mod 4
      • = (2+1+1)mod 4 = 0
      • Swap(S[i], S[j]) =>Swap(S[1],S[0]) =>S[0] =1
      • & S[1] = 2
    • 17. Example of a simple RC4 using 2 bits RC4
      • After second loop the values are
      • S[0] = 1, s[1] = 2, S[2] = 0, S[3] = 3
      • K[0] = 6, K[1] = 1, K[2] = 5, K[3] = 2
      • pass length (l) = 4, Index(N) = 4, i = 2 , j = 0
    • 18. Example of a simple RC4 using 2 bits RC4
      • Calculation for the third loop
      • Initial values before the loop starts
      • S[0] = 1, s[1] = 2, S[2] = 0, S[3] = 3
      • K[0] = 6, K[1] = 1, K[2] = 5, K[3] = 2
      • pass length (l) = 4, Index(N) = 4, i = 2 , j = 0
      • Equation
      • j = j + S[i] + K[i mod l] =>j = (0+S[2]+k[2]) mod 4
      • = (0+0+5)mod 4 = 1
      • Swap(S[i], S[j]) =>Swap(S[2],S[1]) =>S[1] =0
      • & S[2] = 2
    • 19. Example of a simple RC4 using 2 bits RC4
      • Final values after third loop
      • S[0] = 1, s[1] = 0, S[2] =2, S[3] = 3
      • K[0] = 6, K[1] = 1, K[2] = 5, K[3] = 2
      • pass length (l) = 4, Index(N) = 4, i = 3 , j = 1
    • 20. Example of a simple RC4 using 2 bits RC4
      • Calculation for the fourth loop
      • Initial values before the loop starts
      • S[0] = 1, s[1] = 0, S[2] =2, S[3] = 3
      • K[0] = 6, K[1] = 1, K[2] = 5, K[3] = 2
      • pass length (l) = 4, Index(N) = 4, i = 3 , j = 1
      • Equation
      • j = j + S[i] + K[i mod l] =>j = (1+S[3]+k[3]) mod 4
      • = (1+3+2)mod 4 = 2
      • Swap(S[i], S[j]) =>Swap(S[3],S[2]) =>S[2] =3
      • & S[3] = 2
    • 21. Example of a simple RC4 using 2 bits RC4
      • Final values after fourth loop (final loop)‏
      • S[0] = 1, s[1] = 0, S[2] =3, S[3] = 2
      • K[0] = 6, K[1] = 1, K[2] = 5, K[3] = 2
      • pass length (l) = 4, Index(N) = 4, i = 4 , j = 2
    • 22. Example of a simple RC4 using 2 bits RC4
      • Logic of PRGA
      • i = 0
      • j = 0
      • Generation Loop: i = i + 1
      • j = (j + S[i]) mod l
      • Swap(S[i], S[j])
      • Output z = S[S[i] + S[j]]
      • After first loop
      • i=0+1=1
      • j=(0+S[1])mod 4=(0+0)mod 4=0
      • Swap (S[1] , S[0]) S[1]=0 , S[0]=1 ==> S[1]=1 , S[0]=0
      • z1=S[S[1]+S[0]]=S[0+1]=S[1]=1
      • Z1=0000 0001
    • 23. Example of a simple RC4 using 2 bits RC4
      • Similarly z2 = 0000 0001
      • Assume the plaintext to be “HI”
      • After Xoring the plaintext with the RC4 keystream we get
      • H(0100 1000) XOR Z1(0000 0001) = 0100 1001 ==> I
      • and
      • I(0100 1001) XOR Z2(0000 0001) = 0100 1000 ==>H
      • After RC4 “HI” becomes “IH”
    • 24. RC4 Encryption Technology
        • Integrity Checksum – Calculated on the message M to yield the plaintext P = <M,c(M)>
        • Encryption -
        • RC4 stream cipher with secret key k
        • Initialization vector iv
        • Keystrem is generated based on iv & k (RC4(iv,k))‏
        • Ciphertext C = P XOR RC4(iv,k)‏
    • 25. Weakness of WEP
      • Key should not be reused
      • One Way Authentication
      • No key management protocol
    • 26. Weakness of WEP
        • Key should not at all be reused
        • C = KI XOR P
        • Intruder can get C and if he knows part of P he can obtain KI (as KI = P XOR C)‏
        • Next time any packet encrypted with this KI can easily be decrypted.
    • 27. Weakness of WEP
        • For a 11 mbps base station the key has to be reused in approximately 5 hrs.
        • There is 50% chance that a key will be reused after every 4823 packets
        • Moreover, the specification has made the changing of IV value with each packet as optional
    • 28. Weakness of WEP
        • Pre-Shared Key – the absence of any key management protocol
        • It requires manual key configuration in all the mobile devices that want to communicate with the AP
    • 29. Weakness of WEP
        • One way authentication
        • The AP does not authenticate itself to the mobile device
        • A rouge node imitating as the AP can have access to everything the mobile device sends
    • 30. 802.11i
      • Goals
      • Develop 802.11i through a process open to all
      • Anyone must be able to implement the entire standard or any part of it – no secret algorithm
      • Market driven feature development
          • Addresses all perceived security problems of WEP
          • Deliver as rapidly as possible
    • 31. 802.11i Facilities
      • Authentication
      • TKIP
      • AES-CCMP
      • Discovery & Negotiation
      • Key Management
    • 32. External components used by 802.11i
      • 802.1x – an external standard used to provide an authentication framework, coordinate authentication and key management
      • 802.1x Authenticator/Supplicant – local protocol entity to coordinate authentication and and key management with remote entity
      • Authentication server(AS) – a logical construction that centralizes authentication and access control decision making
    • 33. Operating an 802.11i Link Data protection: TKIP and CCMP Authentication 802.11i key management Session Key distribution Security capabilities discovery Authentication Server Access Point Station Security negotiation
    • 34. 802.1X
    • 35. TKIP Identification and Goals
      • TKIP: T emporal K ey I ntegrity P rotocol
      • Deploy as a software patch in already deployed equipment
      • Short term only, to permit migration from existing equipment to more capable equipment without violating security constraints
        • Patch old equipment from WEP to TKIP first
        • Interoperate between patched and unpatched first generation equipment until all have been patched
        • Finally deploy new equipment
      • Security Goals: Address all known WEP problems
        • Prevent Frame Forgeries
        • Prevent Replay
        • Correct WEP’s mis-use of encryption
        • Never reuse keys
    • 36. TKIP Overview
      • TKIP: T emporal K ey I ntegrity P rotocol
      • Features
        • New Message Integrity Code (MIC) called Michael to prevent tampering that can be implemented on a low-power microprocessor
        • Supplement Michael with Counter-measures, to increase forgery deterrence
        • Increase the size of IV to avoid ever reusing the same IV
        • Change the encryption key for every frame
        • Under WEP it was infeasible to detect when you were under attack
    • 37. Message Integrity
      • The simplest method is to create a “checksum” by adding all the bytes of the message together
      • Send this checksum along with the message
      • The receiver will recalculate this checksum from the received msg and then test it against the checksum value sent with the message.
    • 38. Message Integrity
      • Attacker can recompute the checksum after he makes any changes in the message
      • Idea is to generate a checksum after combining together all the bytes and producing MIC
      • MIC is produced using a special nonreversible process and combining a secret key
      • Attacker cannot produce the MIC unless he knows the secret key
    • 39. Message Integrity
      • There are several well tested methods to produce the MIC
      • However, for a small microprocessor these methods are not feasible
      • One solution for TKIP is Michael
    • 40. IV Length
      • WEP uses 24 bit IV
      • TKIP has added 32 more bits
      • Total = 24 + 32 = 56
      • Practically 48 bits are used
    • 41. Per Packet Key Mixing
      • It solves few things
      • The value of the key used for RC4 encryption is different for every IV value
      • 24 bit “old” IV value and 104 bit secret key
    • 42. WPA2-AES-CCMP
      • AES- CCMP is the strongest security in 802.11i
      • AES stands for Advanced Encryption Standard
      • CCMP stands for Counter Mode – CBC MAC Protocol
      • TKIP was designed to accommodate the older hardware
      • AES-CCMP was designed from ground up. Requires new hardware
    • 43. WPA2-AES-CCMP
      • Security goals – addresses all known WEP
      • problems
      • Prevent frame forgeries
      • Prevent Replay
      • No key reuse
    • 44. AES Encryption process
      • The encryption process uses a set of
      • specially derived keys called round keys
      • These are applied, along with other operations,
      • on an array of data, that exactly holds one block
      • of data, called state array
    • 45. AES Encryption process
      • Following are the steps to encrypt a block of data
      • Derive the set of round keys from cipher key
      • Initialize the state array with block data
      • (plaintext)‏
      • Add the initial round key to the starting state array
      • Perform nine rounds of state manipulation
      • Perform the 10 th /final round of state manipulation
      • Copy the final state array out as the encrypted
      • data
    • 46. AES Encryption Process
      • The 128 bit block of data is stored in a two
      • dimensional (4 x 4) array as shown below
      • D0 D4 D8 D12
      • D1 D5 D9 D13
      • D2 D6 D10 D14
      • D3 D7 D11 D15
    • 47. Derivation of the Round Keys
      • Cipher key is 128 bit long
      • We derive eleven 128 bit round keys ( Rkey0 to
      • Rkey10) from this cipher key
      • These keys can be represented as follows
          • 32 bits 32 bits 32 bits 32 bits
      • Rkey0 W0 W1 W2 W3
      • Rkey1 W0 W1 W2 W3
      • Rkey2 W0 W1 W2 W3
      • Rkey3 W0 W1 W2 W3
      • Rkey4 W0 W1 W2 W3
      • Rkey5 W0 W1 W2 W3
      • Rkey6 W0 W1 W2 W3
      • Rkey7 W0 W1 W2 W3
      • Rkey8 W0 W1 W2 W3
      • Rkey9 W0 W1 W2 W3
      • Rkey10 W0 W1 W2 W3
    • 48. Derivation of the Round keys
      • To start with the Round keys Rkey0 is simply
      • the cipher key
      • For each of the round keys Rkey1 to Rkey10
      • words W1, W2 and W3 are computed as the
      • XOR of the previous word in the same row and
      • the same word of the previous row
      • For example:
      • Rkey5:W1 = Rkey5:W0 XOR Rkey4:W1
      • Rkey8:W3 = Rkey8:W2 XOR Rkey7:W3
    • 49. Derivation of the Round Keys
      • The calculation of W0 for each key is the Xor of
      • three 32 bit values
      • The value of W0 from the previous row
      • The value of W3 from the previous row rotated
      • by 8 bits
      • A special value from a table called Rcon
      • Thus we write
      • Rkey(i):W0 = Rkey(i-1):W0 XOR Rkey(i-
      • 1):W3>>>8 XOR RCon(i)‏
    • 50. Derivation of the Round Keys
      • The values of Rcon(i) are as follows:
      • i Rcon(i)‏
      • 1 2
      • 2 4
      • 3 8
      • 4 16
      • 5 32
      • 6 64
      • 7 128
      • 8 27
      • 9 54
      • 10 108
    • 51. AES Encryption Process
      • Total 10 rounds of operation are performed to
      • alter the state array
      • These rounds involve four types of operations
      • SubBytes
      • ShiftRows
      • MixColumns
      • XorRoundKeys
    • 52. AES Encryption Process
      • All of these four operations are applied in the
      • order mentioned in the first nine rounds
      • In the 10 th round Mix Columns round is mot
      • performed
    • 53. AES Encryption Process- SubBytes
      • SubBytes Operation
      • Create a substitution table of total 16 bytes
      • using a mathematical formula
      • Substitute each byte from the state table by the
      • value from the substitution table
      • Original values can be restored in the reverse
      • operation
      • Substitution table is stored in memory as part of
      • the design
    • 54. AES Encryption Process-ShiftRows
      • Each row is rotated to right by a certain number
      • of bytes
      • 1 st Row is rotated by 0 bytes
      • 2 nd Row is rotated by 1 byte
      • 3 rd Row is rotated by 2 bytes
      • 4 th Row is rotated by 3 bytes
    • 55. AES Encryption Process - MixColumn
      • The columns are changed according to the
      • following formula
      • Left hand side is the new column produced
    • 56. AES Encryption Process - XOrRoundKey
      • In this operation the round keys are Xor-ed with
      • the existing state array
      • This is done once before the beginning of the
      • rounds and then once for each round
    • 57. AES Decryption Process
      • Initial decryption round
      • XorRoundKey
      • InvShiftRows
      • InvSubBytes
      • Nine Full Decryption rounds
      • XorRoundKey
      • InvMixColumn
      • InvShiftRows
      • InvSubBytes
      • Perform final XorRoundKey
    • 58. CCMP
      • CCMP works on MPDU
      • MPDU consists of MAC header and unencrypted data
      • First we construct the CCMP header
      • Then MIC is calculated
      • The combination of Data and MIC is encrypted using AES
      • The MAC header and the CCMP header are added in the beginning of the encrypted data
      • The block is then transmitted
    • 59. Conclusion
      • Large number of Wi-Fi systems have been deployed using RC4 algorithm
      • WPA-TKIP was introduced to upgrade the existing system without changing the hardware
      • However, for better security implemented from ground up, we need AES-CCMP
    • 60. Not Covered
      • This presentation has not covered the different authentication methods used in Wi-Fi.
      • These include EAP, PEAP, EAP-TLS, EAP-TTLS and EAP-SIM
    • 61.
      • Thank You