Wireless Security


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Case Study on wireless insecurity
  • Layer2 ACKs on every frame
  • Every frame has a control field that tells the 802.11 protocol version, frame type, and various indicators, such as whether WEP is on, power management is active, and so on Beacon Frame carries info like, SSID, the network identifier for wireless network. Or Capability information like, WEP is on or not RTS/CTS are used to avoid collision WEP helps establish a secure communication channel by encrypting the payload using a chosen secret
  • Recently, there was a buffer overflow vulnerability found in Linksys firmware
  • You have the clear text and the cipher text
  • Calcuate the checksum of the data using CRC32 Concatenate it after the plain text Now, we create a key sequence by concatenating the WEP key to an IV. This is used as a seed for RC4 algorithm to create a key sequence which is then XORed with the plaintxt + MAC Finally, IV and the ciphered data are concatenated and the check sum for the entire frame is calculated This way, the key sequence can be changed per packet without changing the WEP key
  • Whether you include the IV or not
  • 6 major problems
  • You can infer the possible CRC value when the modifying data In fact, you can be 100% sure the result CRC value when just flipping the bits in the data: 1->0 or 0->1
  • Think of it as a PRNG which takes a seed and returns a fixed length random number called a key sequence Very fast : 10 times faster than DES Used in IPSEC or SSL Avoid key collision, or XOR or two clear text can be retrieved But, doesn’t mean that having a key sequence reveals the WEP key being used.
  • Wouldn’t have happened if the access point can verify the validity of the packet from the IV value - In fact, you could keep using the same IV and it is perfectly 802.11 protocol compliant
  • Uses… RC4 weakness CRC32 Vulnerability to decrypt the packet Exploits Replay attack Decrypts packets (espcially ARP packets) using the CRC32 vulnerability
  • Passive attacks are not possible to detect!!!!
  • 802.1x can be used with WEP
  • provides authentication mechanism
  • A client requests access to the AP The AP asks for a set of credentials The client sends the credentials to the AP which forwards them to authenticating server The exact method for supplying credentials is not defined in 802.1X itself
  • Usually used in Wireless or PPP protocol EAP itself just means framework EAP-methods specifies the exact mechanism Flexibility: one time passwords, certificates, smartcards, own EAP protocol, etc
  • You and the AP negotiates what kind of encryption mechanisms are supported Pair-wise master key is derived as a result of the authentication Using this Pair-wise master key, 4 way handshake verifies the previous authentication phase by exchanging the information. As a result of 4way handshake, the AP and you derive the traffic encryption key used in TKIP, the encryption mechanism in WPA
  • Can catch the replay attack No more bit-flipping attack seen in CRC32
  • Pretty much like WEP, except with a better encryption and integrity checking mechanism 8 or more characters are recommended for the password
  • CCMP – CounterMode CBC-MAC protocol
  • Wireless Security

    1. 1. Wireless Security 802.11 With a focus on Security by Brian Lee Takehiro Takahashi
    2. 2. Survey (1) <ul><li>Who has not used wireless? </li></ul><ul><li>Are you confident with your wireless network? </li></ul>
    3. 3. Brief Overview <ul><li>Wireless Technology Overview </li></ul><ul><ul><li>Architecture </li></ul></ul><ul><ul><li>Features </li></ul></ul><ul><li>Wireless Security Overview </li></ul><ul><ul><li>Built-in security features in 802.11 </li></ul></ul><ul><ul><li>WEP insecurity </li></ul></ul><ul><ul><li>802.1x </li></ul></ul><ul><ul><li>WPA </li></ul></ul><ul><ul><li>WPA2 - 802.11i </li></ul></ul>
    4. 4. GOAL <ul><li>Understand the state of art </li></ul><ul><ul><li>WEP is insecure </li></ul></ul><ul><ul><li>But we CAN make a wireless network ‘secure’ </li></ul></ul>
    5. 5. 802.11Basics <ul><li>Infrastructure Mode or Ad Hoc </li></ul><ul><li>11Mbps with 802.11b </li></ul><ul><li>feels slow….? (effective speed ~ 50%) </li></ul><ul><li>802.11 a/b/g/n : Physical Layer Spec </li></ul><ul><li>802.11i : Security Spec </li></ul><ul><li>802.11r : QoS </li></ul>
    6. 6. 802.11 Built-in Features <ul><li>802.11 frame types </li></ul><ul><ul><li>Association Request/Response Frame </li></ul></ul><ul><ul><li>Beacon Frame </li></ul></ul><ul><ul><li>RTS/CTS Frame </li></ul></ul><ul><li>Shared/Open Authentication </li></ul><ul><li>WEP (Layer 2 security) </li></ul><ul><ul><li>Integrity </li></ul></ul><ul><ul><li>Confidentiality </li></ul></ul>
    7. 7. SSID <ul><li>Network identifier </li></ul><ul><li>SSID is broadcasted in a beacon frame </li></ul><ul><li>Clear Text! </li></ul><ul><li>Change it from the default </li></ul><ul><ul><li>Cisco = tsunami </li></ul></ul><ul><ul><li>Linksys = linksys </li></ul></ul><ul><ul><li>Netgear = netgear </li></ul></ul><ul><li>Stop broadcasting! </li></ul>
    8. 8. MAC Address Filtering <ul><li>White-list approach </li></ul><ul><ul><li>Does not scale </li></ul></ul><ul><li>Frame headers are never encrypted </li></ul><ul><ul><li>Sniffing traffic will reveal valid MAC addresses </li></ul></ul><ul><li>Bottom line….. </li></ul><ul><ul><li>Prevents casual hacking.. </li></ul></ul><ul><ul><li>Quite useless </li></ul></ul>
    9. 9. Shared/Open Authentication (1) <ul><li>2 ways of initiating communication </li></ul><ul><ul><li>Shared Key </li></ul></ul><ul><ul><li>Open Key authentication </li></ul></ul><ul><li>Open key Auth = No authentication </li></ul><ul><li>Shared Key Auth = requires WEP </li></ul>
    10. 10. Shared Authentication (2) <ul><li>The challenge is generated using a PRNG used by WEP </li></ul><ul><li>Challenge is then encrypted using WEP key and sent back </li></ul><ul><li>This is bad…….. reveals the WEP key </li></ul>
    11. 11. WEP (Wired Equivalent Protocol) <ul><li>Provides “Confidentiality”, and “Integrity”. </li></ul><ul><li>Uses 40/104 bits RC4 encryption + CRC32 </li></ul>
    12. 12. WEP Encryption
    13. 13. 64/40 and 128/104 bits confusion <ul><li>IV (24bits) </li></ul><ul><li>Your WEP key: </li></ul><ul><ul><li>5-ASCII char word = 40bits </li></ul></ul><ul><ul><li>13-ASCII char word = 104bits </li></ul></ul><ul><li>Security-wise, it’s really 40bits or 104bits </li></ul>
    14. 14. Problems with WEP <ul><li>1 Static Key </li></ul><ul><ul><li>No encryption is strong if one key is used forever </li></ul></ul><ul><li>Key length is short (40bits) </li></ul><ul><ul><li>Brute forcing is possible </li></ul></ul><ul><ul><li>104bits version exists </li></ul></ul><ul><li>Using CRC32 </li></ul><ul><ul><li>CRC is a hash function used to produce a checksum </li></ul></ul><ul><li>Improper use of RC4 </li></ul><ul><ul><li>IV space is too small (24bits) </li></ul></ul><ul><li>No protection against replay attack </li></ul><ul><li>No specification on key distribution </li></ul><ul><ul><li>Lacks scalability </li></ul></ul>
    15. 15. CRC32 and WEP <ul><li>CRC32 doesn’t have the cryptographic strength seen in MD5 or SHA1 </li></ul><ul><li>Bit-flipping is possible </li></ul><ul><li>Change the data, and WEP won’t catch it </li></ul><ul><li>Seems trivial….? </li></ul>
    16. 16. RC4 and WEP (1) <ul><li>RC4 – Rivest’s Cipher 4 </li></ul><ul><ul><li>Stream Cipher </li></ul></ul><ul><li>What is a requirement for a stream cipher? </li></ul><ul><ul><li>Avoid key sequence collision at any cost </li></ul></ul><ul><li>{ M1 XOR RC4-Key }  XOR  { M2 XOR RC4-Key } = M1 XOR M2 </li></ul><ul><li>With WEP, key sequences are repeated every 16 million packets (2 ^ 24) </li></ul><ul><li>Key sequence collision doesn’t reveal the WEP key! </li></ul>
    17. 17. RC4 and WEP (2) <ul><li>Weak IVs reveal the WEP key </li></ul><ul><ul><li>5% chance of guessing the portion of the seed (WEP key) correctly </li></ul></ul><ul><ul><li>FMS attack </li></ul></ul><ul><li>2M~ packets to decrypt 40bit WEP key </li></ul><ul><li>The time needed is a linear function to the key length </li></ul><ul><ul><li>104bit key is just as useless as 40bits key </li></ul></ul>
    18. 18. Replay Attacks <ul><li>Reinjection of the captured packets are possible </li></ul><ul><li>IV usage is not specified </li></ul>
    19. 19. Effective WEP cracking <ul><li>KoreK attack (Aug. 2004) </li></ul><ul><li>Another statistical analysis based attack on WEP key </li></ul><ul><li>Extremely fast </li></ul><ul><li>Decrypts packets using CRC32 vulnerability </li></ul><ul><li>Possible with as little as 0.1M IVs (packets)… </li></ul><ul><ul><li>Traditional method requires more than 2M packets </li></ul></ul><ul><li>Accelerate it with packet injection – ARP </li></ul><ul><ul><li>A 40-bit WEP can be cracked in 10 Minutes </li></ul></ul><ul><li>Fast swapping of WEP key is no longer safe </li></ul>
    20. 20. Conclusion: WEP <ul><li>Confidentiality </li></ul><ul><ul><li>FMS attack </li></ul></ul><ul><ul><li>KoreK attack </li></ul></ul><ul><li>Integrity </li></ul><ul><ul><li>Bit-flipping attack </li></ul></ul><ul><li>Authentication </li></ul><ul><ul><li>Non-existent </li></ul></ul><ul><li>Attacks can be completely passive </li></ul><ul><li>NO MORE WEP </li></ul>
    21. 21. WEP…. <ul><li>Wired Equivalent Privacy </li></ul><ul><li>Well.. More like </li></ul><ul><li>W hat on the E arth does it P rotect? </li></ul>
    22. 22. Finally…. we have solutions! <ul><li>802.1x (Authentication) </li></ul><ul><ul><li>per-user authentication </li></ul></ul><ul><ul><li>Key distribution mechanism </li></ul></ul><ul><li>WPA (Confidentiality, Integrity) </li></ul><ul><ul><li>Subset of 802.11i </li></ul></ul><ul><ul><li>2 forms </li></ul></ul><ul><ul><ul><li>802.1x Auth + TKIP (Enterprise mode) </li></ul></ul></ul><ul><ul><ul><li>Pre-shared Key + TKIP </li></ul></ul></ul><ul><li>WPA2 – 802.11i </li></ul><ul><ul><li>WPA2 is the implementation of 802.11i </li></ul></ul><ul><ul><li>Uses AES-CCMP </li></ul></ul>
    23. 23. 802.1x (Authentication) WPA2 (802.11i) WPA
    24. 24. 802.1X <ul><li>802.1X is a port-based, layer 2 authentication framework </li></ul><ul><li>Not limited wireless networks </li></ul><ul><li>Uses EAP for implementation </li></ul><ul><li>End-result </li></ul><ul><ul><li>A WEP key for WEP </li></ul></ul><ul><ul><li>A seed for an encryption key used in WPA/WPA2 </li></ul></ul><ul><li>802.1X is not an alternative to WEP </li></ul>
    25. 25. 802.1x authentication
    26. 26. Extensible Authentication Protocol (EAP) <ul><li>Authentication Framework </li></ul><ul><ul><li>runs on the different layer than 802.1x </li></ul></ul><ul><li>Very flexible </li></ul><ul><li>RADIUS is de-facto </li></ul><ul><ul><li>a server for remote user authentication and accounting </li></ul></ul>
    27. 27. Implementations <ul><li>EAP methods adopted in WPA/WPA2 </li></ul><ul><ul><li>EAP-MD5 </li></ul></ul><ul><ul><li>EAP-LEAP </li></ul></ul><ul><ul><li>EAP-TLS </li></ul></ul><ul><ul><li>EAP-TTLS </li></ul></ul><ul><ul><li>PEAP </li></ul></ul>
    28. 28. EAP-MD5 <ul><li>EAP-MD5 is a simple EAP implementation </li></ul><ul><li>Uses and MD5 hash of a username and password that is sent to the RADIUS server </li></ul><ul><li>Authenticates only one way </li></ul><ul><li>Man in the middle attack </li></ul><ul><li>Bottom line: Not recommended </li></ul>
    29. 29. LEAP (EAP-Cisco) <ul><li>Like EAP-MD5, it uses a Login/Password scheme that it sends to the RADIUS server </li></ul><ul><li>Each user gets a dynamically generated one time key upon login </li></ul><ul><li>Authenticates client to AP and vice versa </li></ul><ul><li>Only guaranteed to work with Cisco wireless clients </li></ul><ul><li>Broken – ASLEAP by Joshua Wright </li></ul><ul><ul><li>Dictionary attack </li></ul></ul>
    30. 30. EAP-TLS by Microsoft <ul><li>Instead of a username/password scheme, EAP-TLS uses certificate based authentication </li></ul><ul><li>Two way authentication </li></ul><ul><li>Uses TLS (Transport Layer Security) to pass the PKI (Public Key Infrastructure) information to RADIUS server </li></ul><ul><li>Compatible with many OS’s </li></ul><ul><li>Harder to implement and deploy because PKI for clients are also required </li></ul>
    31. 31. PEAP by Microsoft and Cisco <ul><li>A more elegant solution! </li></ul><ul><li>Very similar to EAP-TLS except that the client does not have to authenticate itself with the server using a certificate, instead it can use a login/password based scheme </li></ul><ul><li>Much easier to setup, does not necessarily require a PKI </li></ul><ul><li>Currently works natively with Windows XP SP1, and OSX. 802.1x supplicant exists for linux </li></ul>
    32. 32. WPA (Wi-Fi Protected Access) <ul><li>Subset of 802.11i </li></ul><ul><li>Confidentiality </li></ul><ul><ul><li>Fix flawed encryption mechanism </li></ul></ul><ul><ul><li>TKIP: Per-packet dynamic key mechanism </li></ul></ul><ul><li>Integrity </li></ul><ul><li>Upgradeability </li></ul><ul><ul><li>Software / Firmware Upgrade </li></ul></ul>
    33. 33. WPA Mechanism <ul><li>Confirmation of association capability </li></ul><ul><li>Authentication by 802.1x or PSK </li></ul><ul><li>4-way handshake </li></ul><ul><li>Encryption using TKIP </li></ul>Very Different from WEP which took care of “everything”
    34. 34. 802.1x Authentication (recap)
    35. 35. 4 Way Handshake and PTK
    36. 36. 802.1x Authentication + PMK <ul><li>Security level can be selected </li></ul><ul><li>Pairwise Master Key (PMK) is a seed for temporal key generation used in encryption </li></ul><ul><li>PMK is generated based on the user authentication result </li></ul>
    37. 37. 4 Way Handshake and PTK <ul><li>PTK (512bits) splits in 4 ways </li></ul><ul><li>Part of PTK is used to generate the encryption key (WEP equivalent) in the next phase </li></ul>
    38. 38. 4 Way Handshake and PTK
    39. 39. TKIP (Temporal Key Integrity Protocol) <ul><li>The heart of WPA encryption mechanism </li></ul><ul><li>Expands IV space (24  48bits) </li></ul><ul><li>IV sequence is specified </li></ul><ul><li>Generate a key which conforms to WEP </li></ul><ul><li>A fresh key is used for every 16M packets </li></ul><ul><li>Michael </li></ul><ul><ul><li>Very cheap integrity checker for MAC addresses and DATA </li></ul></ul>
    40. 40. WPA-PSK <ul><li>For home / SOHO use </li></ul><ul><li>Removes 802.1x authentication </li></ul><ul><li>Pre-shared Key + TKIP </li></ul><ul><li>Weak against passive dictionary attack </li></ul><ul><ul><li>Attacks exist - WPA Cracker </li></ul></ul><ul><li>Still MUCH better than WEP </li></ul>
    41. 41. WPA Security Insight <ul><li>No effective attacks found on WPA + 802.1x </li></ul><ul><li>WPA-PSK should be used with care </li></ul>
    42. 42. WPA2 - 802.11i <ul><li>The long-awaited security standard for wireless, ratified in June 2004 </li></ul><ul><li>Better encryption: AES-CCMP </li></ul><ul><li>Key-caching (optional) </li></ul><ul><li>Pre-authentication (optional) </li></ul><ul><li>Hardware manufactured before 2002 is likely to be unsupported: too weak </li></ul>
    43. 43. PMK Key-Caching <ul><li>Skips re-entering of the user credential by storing the host information on the network </li></ul><ul><li>Allows client to become authenticated with an AP before moving to it </li></ul><ul><li>Useful in encrypted VoIP over Wi-Fi </li></ul><ul><ul><li> Fast Roaming </li></ul></ul>
    44. 44. Conclusion <ul><li>WEP = Dead Meat </li></ul><ul><li>WPA-PSK = Potentially Insecure </li></ul><ul><li>WPA + 802.1x (Secure EAP) = Secure </li></ul><ul><li>WPA2-PSK = Potentially Insecure </li></ul><ul><li>WPA2 + 802.1x = Very Secure </li></ul>
    45. 45. Suggested Practice <ul><li>Hide SSID </li></ul><ul><li>Do NOT use WEP </li></ul><ul><li>Use WPA-PSK with a good pass-phrase </li></ul><ul><li>or Use WPA with 802.1x if possible </li></ul><ul><li>Get WPA2 certified product for your next purchase </li></ul>
    46. 46. tinyPEAP (1) <ul><li>A self contained PEAP enabled RADIUS server </li></ul><ul><li>Currently available in Linksys WRT54G/GS router and Win32 binary </li></ul><ul><li>Native Windows XP SP1 support </li></ul><ul><li>Web-based user management </li></ul><ul><li>The easiest and the most secure solution available in consumer level </li></ul>
    47. 47. tinyPEAP (2)
    48. 48. tinyPEAP (3)
    49. 49. Survey (2) <ul><li>Ready to reconfigure your wireless network? </li></ul>
    50. 50. Questions?
    51. 51. Links to the tools used: <ul><li>Airsnort http://airsnort.shmoo.com </li></ul><ul><li>Netstumbler http://www.netstumbler.com </li></ul><ul><li>Ethereal http://www.ethereal.com </li></ul><ul><li>tinyPEAP </li></ul><ul><li>http:// www.tinypeap.com </li></ul>
    52. 52. Papers and Wireless Security Web Pages <ul><li>Weaknesses in the Key Scheduling Algorithm of RC4 </li></ul><ul><li>The Unofficial 802.11 Security Web Page </li></ul><ul><li>Wireless Security Blackpaper </li></ul><ul><li>The IEEE 802.11 specifications (includes WEP spec) </li></ul><ul><li>Paper on detecting Netstumbler and similar programs </li></ul><ul><li>Further reading on upcoming 802.11 variations </li></ul><ul><li>Assorted 802.11 related crypto algorithms written in ANSI C </li></ul>
    53. 53. An exercise in wireless insecurity <ul><li>Tools used: </li></ul><ul><ul><li>Laptop w/ 802.11a/b/g card </li></ul></ul><ul><ul><li>GPS </li></ul></ul><ul><ul><li>Netstumbler </li></ul></ul><ul><ul><li>Aircrack (or any WEP cracking tool) </li></ul></ul><ul><ul><li>Ethereal </li></ul></ul><ul><ul><li>the car of your choice </li></ul></ul>
    54. 54. Step1: Find networks to attack <ul><li>An attacker would first use Netstumbler to drive around and map out active wireless networks </li></ul><ul><li>Using Netstumbler, the attacker locates a strong signal on the target WLAN </li></ul><ul><li>Netstumbler not only has the ability to monitor all active networks in the area, but it also integrates with a GPS to map AP’s </li></ul>
    55. 55. WarDriving
    56. 56. Step 2: Choose the network to attack <ul><li>At this point, the attacker has chosen his target; most likely a business </li></ul><ul><li>Netstumbler can tell you whether or not the network is encrypted </li></ul><ul><li>Also, start Ethereal to look for additional information. </li></ul><ul><li>This time……. </li></ul><ul><li>Your target is GTwireless </li></ul>
    57. 57. Step3: Analyzing the Network <ul><li>WLAN has no broadcasted SSID </li></ul><ul><li>Netstubmler tells me that SSID is GTwireless </li></ul><ul><li>Multiple access points </li></ul><ul><li>Open authentication method </li></ul><ul><li>WLAN is encrypted with 40bit WEP </li></ul><ul><li>WLAN is not using 802.1X (WEB-auth) </li></ul>
    58. 58. Step4: Cracking the WEP key <ul><li>Attacker sets NIC drivers to Monitor Mode </li></ul><ul><li>Begins capturing packets with Airodump </li></ul><ul><li>Airodump quickly lists the available network with SSID and starts capturing packets. </li></ul><ul><li>After a few hours of airodump session, launch aircrack to start cracking! </li></ul><ul><li>WEP key for GTwireless is revealed! </li></ul>
    59. 59. Step5: Sniffing the network <ul><li>Once the WEP key is cracked and the NIC is configured appropriately, the attacker is assigned an IP, and can access the WLAN </li></ul><ul><li>However, a secure proxy with an SSL enabled web based login prevents access to the rest of network and the Internet </li></ul><ul><li>Attacker begins listening to traffic with Ethereal </li></ul>
    60. 60. Step6: Sniffing continued… <ul><li>Sniffing a WLAN is very fruitful because everyone on the WLAN is a peer, therefore you can sniff every wireless client </li></ul><ul><li>Listening to connections with plain text protocols (in this case FTP, POP, Telnet) to servers on the wired LAN yielded 2 usable logins within 1.5hrs </li></ul>
    61. 61. What was accomplished? <ul><li>Complete access to the WLAN </li></ul><ul><li>Complete access to the wired LAN </li></ul><ul><li>Complete access to the internet </li></ul><ul><li>Access to servers on the wired LAN using the sniffed accounts </li></ul><ul><li>Some anonymity. Usage of Netstumbler and other network probing devices can be detected. Skip that step if possible. </li></ul>
    62. 62. Other possibilities <ul><li>Instead of sniffing a valid login, the attacker could have exploited a known vulnerability in the proxy (provided there is one) </li></ul><ul><li>The greater risk for being noticed, something an attacker does not want </li></ul>
    63. 63. That’s it…the network is compromised <ul><li>As long as WEP is in place, such attack is always possible </li></ul><ul><li>Sadly, many are less secure </li></ul><ul><li>How about yours? </li></ul>