Wired Equivalent Privacy (WEP)
• The Wired Equivalent Privacy (WEP) algorithm was introduced as part of the original 802.11 standard, ratified in September 1999.
• Three security goals:
  1. Access control
  2. Data integrity
  3. Confidentiality
• This algorithm was responsible for both authentication and encryption.
• WEP uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity.

WEP Algorithm
• Standard 64-bit WEP uses a 40-bit key (also known as WEP-40), which is concatenated with a 24-bit initialization vector (IV) to form the RC4 (Rivest Cipher 4) key.
• It was extended to a 104-bit key (128 bits total with the 24-bit IV) to rule out brute force as a method of attack.
• RC4 is a stream cipher, which means that it encrypts each message one bit at a time.
• Two methods of authentication can be used with WEP:
  1. Open System authentication
  2. Shared Key authentication
• Open System authentication is used with WEP because Shared Key authentication can be easily attacked.

Flaws in WEP
• WEP uses the CRC-32 algorithm for its integrity check value (ICV). CRC is a poor choice of cryptographic hash because it is a linear function of the message, which means less data integrity.
• The RC4 algorithm becomes very vulnerable if two messages are encrypted using the same key stream.
• One more notable attack against the WEP algorithm and its implementation, called the "Caffe Latte" attack, was published in 2007.
• In 2008, the Payment Card Industry (PCI) Security Standards Council's latest update of the Data Security Standard (DSS) prohibited the use of WEP as part of any credit-card processing after 30 June 2010.

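The two flaws listed above, reproduced on in-memory bytes as an added example (not part of the original slides). The key, IV and messages are constructed sample values; the frame layout is reduced to RC4(IV || key) XOR (message || CRC-32 ICV).

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 key stream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # key-stream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def wep_seal(iv: bytes, key: bytes, msg: bytes) -> bytes:
    """RC4(IV || key) XOR (msg || CRC-32 ICV), as WEP builds a frame body."""
    body = msg + icv(msg)
    return xor(body, rc4(iv + key, len(body)))

def wep_open(iv: bytes, key: bytes, body: bytes):
    """Decrypt and return the message, or None if the ICV check fails."""
    data = xor(body, rc4(iv + key, len(body)))
    return data[:-4] if icv(data[:-4]) == data[-4:] else None

def icv_patch(delta: bytes) -> bytes:
    """ICV change caused by XORing delta into any message of the same length."""
    return xor(icv(delta), icv(bytes(len(delta))))

# Constructed sample values (not from the page): WEP-40 key, 24-bit IV.
KEY, IV = bytes.fromhex("0102030405"), bytes.fromhex("aabbcc")
P1, P2 = b"flag=0;node=AAAA", b"hello from host2"
C1, C2 = wep_seal(IV, KEY, P1), wep_seal(IV, KEY, P2)

def keystream_reuse_leak() -> bool:
    """Same IV and key: XOR of two ciphertexts equals XOR of the plaintexts."""
    return xor(C1, C2)[:len(P1)] == xor(P1, P2)

def modified_frame_accepted():
    """A frame altered without the key still passes the CRC-32 ICV check."""
    delta = xor(P1, b"flag=1;node=AAAA")
    return wep_open(IV, KEY, xor(C1, delta + icv_patch(delta)))
```

Because CRC-32 is linear, the ICV can be corrected without knowing the key; a keyed MIC such as Michael or CCM does not have this property.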
Remedies of WEP
• WEP2 (shared key length = 128 bits, IV = 128 bits)
• WEP plus
• Dynamic WEP (a combination of 802.1X technology and the Extensible Authentication Protocol)
• 802.11i (WPA and WPA2)

Wi-Fi Protected Access (WPA)
• The Wi-Fi Alliance intended WPA as an intermediate measure to take the place of WEP pending the availability of the full IEEE 802.11i standard.
• Two modes in WPA:
  - WPA Enterprise: Encryption = TKIP; Authentication = 802.1X/EAP
  - WPA Personal: Encryption = TKIP; Authentication = PSK

Temporal Key Integrity Protocol (TKIP) encryption
• TKIP is a WEP patch, wrapping the WEP protocol with three new elements:
  1. A message integrity code (MIC) named Michael
  2. A packet sequencing procedure (initialization vector sequencing)
  3. A per-packet key mixing function (key mixing)
• Encryption is still carried out using the RC4 stream cipher.

Encryption: TKIP (MIC)
• TGi adopted a new algorithm called Michael, superior to the CRC method used in WEP.
• The MIC algorithm checks for forgeries and ensures data integrity.
• A tag value is calculated at the sender's end, using the data and a predefined algorithm, and sent with the key.
• The receiver makes a similar calculation and verifies data integrity by comparing the tags.
• Michael uses a 64-bit key and requires a fresh key after a MIC validation error, or once per minute.

Encryption: TKIP (IV sequencing)
• To avoid replay attacks, TKIP uses a 48-bit sequence number.
• This sequence is changed whenever a MIC key is replaced.
• The sequence number is mixed in with the encryption key and encrypts the MIC and WEP ICV.
• The AP discards any packets that have an out-of-sequence sequence number.

Encryption: TKIP (key mixing)
Per-packet key mixing
• Instead of concatenating the IV with the key (as in WEP), a mixing function takes the key, the transmitter's MAC address, and the packet sequence number and outputs a new WEP key.
Keys and authentication
• TKIP requires two keys:
  1. a 128-bit key used by the mixing function described above to obtain a per-packet key
  2. a 64-bit key used by Michael
• TKIP uses the IEEE 802.1X protocol to authenticate users and provide a key management scheme by supplying fresh keys.

Encryption: Benefits of TKIP
 - A unique key encrypts every packet: keys are stronger
 - IV: 48 bits long, which reduces IV reuse
 - The IV is sent encrypted
 - The MIC replaces the CRC check
 - Firmware upgrade of WEP hardware is possible

Authentication in WPA: 802.1X/EAP
• IEEE 802.1X defines three participating entities in the authentication process: the supplicant, the authenticator, and the authentication server.
• In the case of wireless networks, the supplicant could be any mobile node (MN) or device that requires connection to the network; the authenticator could be an access point (AP); the authentication server could be a RADIUS, DIAMETER, or any other device or server used for authentication.
• RADIUS is a client/server authentication, authorization, and accounting (AAA) protocol that runs in the application layer, using UDP as transport.
• Diameter is a more advanced alternative to RADIUS.
• EAP: Extensible Authentication Protocol.

WPA2/802.11 Task Group i
• 802.11i uses the concept of a Robust Security Network (RSN).
• The 802.11i standard implements the 128-bit Advanced Encryption Standard (AES) block cipher algorithm for encryption and authentication.
• It is enabled in two modes, like WPA:
  1. Enterprise Mode:
     - authentication: 802.1X/EAP (Extensible Authentication Protocol)
     - encryption: AES-CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol)
  2. Personal Mode:
     - authentication: PSK (pre-shared key)
     - encryption: AES (Advanced Encryption Standard)-CCMP
• 802.11i provides a Robust Security Network (RSN) with two new protocols, the 4-Way Handshake and the Group Key Handshake.

The Four-Way Handshake
  1. The access point (AP) sends a nonce value (ANonce) to the station (STA). The client now has all the attributes to construct the PTK (Pairwise Transient Key).
  2. The STA sends its own nonce value (SNonce) to the AP together with a MIC, including authentication, which is really a Message Authentication and Integrity Code (MAIC).
  3. The AP sends the GTK (Group Temporal Key) and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
  4. The STA sends a confirmation to the AP.
• All the above messages are sent as EAPOL (EAP over LAN)-Key frames.

The Four-Way Handshake (contd.)
• As soon as the PTK is obtained it is divided into five separate keys.
• PTK (Pairwise Transient Key, 64 bytes):
  1. 16 bytes of EAPOL-Key Confirmation Key (KCK): used to compute the MIC on the WPA EAPOL-Key message
  2. 16 bytes of EAPOL-Key Encryption Key (KEK): the AP uses this key to encrypt additional data sent (in the Key Data field) to the client (for example, the RSN IE or the GTK)
  3. 16 bytes of Temporal Key (TK): used to encrypt/decrypt unicast data packets
  4. 8 bytes of Michael MIC Authenticator Tx Key: used to compute the MIC on unicast data packets transmitted by the AP
  5. 8 bytes of Michael MIC Authenticator Rx Key: used to compute the MIC on unicast data packets transmitted by the station
• The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.

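How both sides arrive at the same PTK and how the KCK authenticates message 2, as an added example (not part of the original slides). The PBKDF2 step for Personal mode, the PRF label and the HMAC-SHA1 MIC follow IEEE 802.11i rather than the slides; the SSID, MAC addresses, nonces and frame bytes are constructed sample values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Personal mode: 256-bit PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, mac_a, mac_b, nonce_a, nonce_b) -> bytes:
    """64-byte PTK; min/max ordering makes the result independent of who computes it."""
    data = (min(mac_a, mac_b) + max(mac_a, mac_b) +
            min(nonce_a, nonce_b) + max(nonce_a, nonce_b))
    return prf(pmk, b"Pairwise key expansion", data, 64)

def split_ptk(ptk: bytes) -> dict:
    """The five keys in the order listed on the slide."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC_TX": ptk[48:56], "MIC_RX": ptk[56:64]}

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 EAPOL-Key MIC: HMAC-SHA1 under the KCK, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

# Constructed sample values (not from the page).
SSID = "lab-net"
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
MSG2 = b"constructed EAPOL-Key message 2 with the MIC field zeroed"

def handshake_mic_verifies(ap_pass: str, sta_pass: str) -> bool:
    """The AP recomputes the MIC on message 2 with the KCK it derived itself."""
    sta_pmk = pmk_from_passphrase(sta_pass, SSID)
    ap_pmk = pmk_from_passphrase(ap_pass, SSID)
    sta = split_ptk(derive_ptk(sta_pmk, STA_MAC, AP_MAC, SNONCE, ANONCE))
    ap = split_ptk(derive_ptk(ap_pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))
    return hmac.compare_digest(eapol_mic(sta["KCK"], MSG2), eapol_mic(ap["KCK"], MSG2))
```

The passphrase never crosses the air: a station that holds a different PSK derives a different KCK, so its MIC on message 2 fails and the handshake stops there.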
The Group Key Handshake
• The GTK used in the network may need to be updated due to the expiry of a preset timer.
• When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP.
• GTK (Groupwise Transient Key, 32 bytes):
  1. 16 bytes of Group Temporal Encryption Key: used to encrypt multicast data packets
  2. 8 bytes of Michael MIC Authenticator Tx Key: used to compute the MIC on multicast packets transmitted by the AP
  3. 8 bytes of Michael MIC Authenticator Rx Key: currently not used, as stations do not send multicast traffic
• The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.
• 802.11i supports broadcast messages.

Wireless security summary

Feature          WEP              WPA                   WPA2
Cipher           RC4              RC4 (TKIP)            AES-CCMP
Key Size         40 or 104 bits   104 bits per packet   128 bits encry.
Key Life         24-bit IV        48-bit IV             48-bit IV
Packet Key       Concatenation    Two-phase mix         Not needed
Data Integrity   CRC32            Michael MIC           CCM
Key Management   None             802.1X/EAP/PSK        802.1X/EAP/PSK

Conclusion and Recommendations for Security in WLAN
Some hints to protect a WLAN from attack:
• To ensure compatibility, use hardware from one vendor and use Wi-Fi Certified devices.
• Use MAC address authentication if you have a manageable number of clients and only a few APs.
• Not only for enterprises: implement user authentication.
• Upgrade APs to use WPA or WPA2/802.11i.
• Enable and use WPA2 or WPA or, for older hardware that supports WEP, enable that.
• Use WEP with at least 128-bit keys.
• Change the WEP key frequently.

Do you think you are secure with WPA2?
Security is not a state, it is a continuous process!

WPA2 "Hole196" Vulnerability
• In mid-2010, a vulnerability mostly applying to the Enterprise (EAP or 802.1X) mode of WPA and WPA2 security was publicly discovered.
• It can potentially allow users (rogue or curious employees) on the wireless network to snoop on each other's wireless traffic, as is possible on a network protected with just the Personal (PSK) mode of WPA/WPA2 security.
• The vulnerability doesn't involve cracking the encryption, but comes from an underlying issue with the 802.11 protocol.
• It enables users to decrypt packets via a man-in-the-middle attack.
What can we do about Hole 196?
• "There's nothing in the standard to upgrade to in order to patch or fix the hole," says Kaustubh Phanse, AirTight's wireless architect, who describes Hole 196 as a "zero-day vulnerability that creates a window of opportunity" for exploitation.
• The 802.11w standard is implemented for the first time in Microsoft's new operating system, Windows 8.

Steps Involved
• Authentication - Whenever an MS requests access to a network, the network must authenticate the MS. Authentication verifies the identity and validity of the SIM card to the network and ensures that the subscriber is authorized access to the network.
• Encryption - In GSM, encryption refers to the process of creating authentication and ciphering crypto-variables using a special key and an encryption algorithm.
• Ciphering - Ciphering refers to the process of changing plaintext data into encrypted data using a special key and a special encryption algorithm. Transmissions between the MS and the BTS on the Um link are enciphered.

Key Management Scheme
• Ki - The Ki is the individual subscriber authentication key. It is a 128-bit number that is paired with an IMSI (International Mobile Subscriber Identity) when the SIM card is created. The Ki is only stored on the SIM card and at the Authentication Center (AuC).
• RAND - The RAND is a random 128-bit number that is generated by the AuC when the network requests to authenticate a subscriber. The RAND is used to generate the Signed Response (SRES) and Kc crypto-variables.
• Signed Response - The SRES is a 32-bit crypto-variable used in the authentication process. The MS receives the RAND as a challenge and uses it to calculate the SRES. The SRES is passed up to the network as a response to the challenge.
• Kc - The Kc is the 64-bit ciphering key that is used in the A5 encryption algorithm to encipher and decipher the data that is being transmitted on the Um interface.
• RAND + Signed Response + Kc = Triplets

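Authentication and Encryption Scheme
[Figure: Mobile Station (SIM, Ki) | Radio Link | GSM Operator (Ki). The operator sends the challenge RAND; each side runs A3 to obtain the signed response (SRES) and A8 to obtain Kc; A5, with Kc and Fn, enciphers the data mi sent over the radio link.]
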
A3 algorithm
• Goal: generation of the SRES response to the MSC's random challenge RAND
• RAND (128 bit), Ki (128 bit) → A3 → SRES (32 bit)

A8 algorithm
• Goal: generation of the session key Ks
• The A8 specification was never made public.
• Both A3 and A8 are implemented on the SIM.
• RAND (128 bit), Ki (128 bit) → A8 → KC (64 bit)

A5 algorithm
• It should be noted that the A5 algorithm is a function of the Mobile Equipment (ME) and not the SIM card.
• A5 is a stream cipher.
• Implemented very efficiently in hardware.
• The design was never made public.
• Leaked to Ross Anderson and Bruce Schneier.
• Variants:
  - A5/1: the strong version
  - A5/2: the weak version
  - A5/3

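A5 output
• Real A5 output is 228 bits for both directions.
[Figure: Mobile Station and BTS each feed Fn (22 bit) and Kc (64 bit) into A5; each direction receives 114 bits, which are XORed with the data (114 bit) to produce the ciphertext (114 bit) and XORed again at the other end to recover the data (114 bit).]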