Wireless Security

Rudi van Drunen's presentation on wireless security, NLUUG vj 08. Courtesy of www.competa.com

  1. Wireless security: The Competa Plane (ver. 1.3 © 2008 R.van.Drunen@competa.com)
  2. See if it Flies ....
  3. Me
       • Rudi van Drunen
       • Senior Consultant & CTO Competa IT
           • Design, Deliver and Maintain Complex IT Infrastructure
       • CTO XlexiT Technology B.V.
           • Wireless / Embedded / Networking
       • Tech Guru Wireless Leiden
           • Largest wireless community network in NL
  4. This Talk
       • Attacks
       • What to do about it, Applied to wireless
           • RF level
           • Protocol level
               • Encryption
               • Authentication
           • Application level
  5. Hierarchy (diagram)
       • Attacks
           • Passive: Eavesdropping, Traffic analysis
           • Active: Denial of Service, Replay, Masquerade, Message Modification
  6. Passive
       • Eavesdropping
           • Need signal
           • Decrypt if needed
       • Traffic Analysis
           • Get data from signal and traffic
  7. Active (1)
       • Denial of Service
           • Radio Level (microwave method)
           • Flooding AP with packets
           • Disconnect messages
  8. Active (2)
       • Replay
           • Listen to the traffic, get SSID, MAC
           • Replay and associate, masquerade
       • Message modification
           • Rogue access point
  9. 802.11 alphabet soup
       • 802.11a: 5 GHz WLAN
       • 802.11b: 2.4 GHz WLAN
       • 802.11c: Bridging between APs
       • 802.11d: Global frequency harmonization
       • 802.11e: MAC level enhancements for QoS
       • 802.11f: Inter Access Point Protocol for Roaming
       • 802.11g: High Rate 2.4 GHz WLAN
       • 802.11h: ETSI requirements of Dynamic Frequency Selection and Transmitter Power Control
       • 802.11i: Security Enhancements
       • 802.11n: Super Fast WLAN (MIMO)
  10. Wireless
       • RF Level ...
       • cf. ethernet level.....
  11. Leaky building ...
  12. Antennae: Omnidirectional, Directional
  13. Shaping coverage
  14. Site Survey
       - Outside-in
       - Use Antennas (remember: Leaky building)
       - Check RF interference
  15. Protocol Level
       • Encryption
           • WEP, WPA, WPA2
           • Key management
       • Authorization - Authentication
           • 802.1x, RADIUS
           • EAP Methods
       • Cooking it up: WPA2 with EAP-TLS
  16. WEP
  17. Next please ...
       • 802.11i
       • WPA
           • Transient Security Network (TSN)
           • TSN = TKIP + WPA(1) + Radius
           • Temporal keys, Message Integrity Check
       • WPA2
           • Robust Security Network (RSN)
           • RSN = CCMP + WPA(2) + Radius
  18. WPA
       • 802.11i framework
       • Try to fix the flaws introduced in WEP
           • TKIP, MIC, TSC
       • Keep backwards compatible
           • (HW level (should be firmware update))
       • Add authentication layer (802.1x)
  19. WPA
  20. WPA2
  21. Key management
       • Pairwise Keys
           • Between EACH client and AP different pair
           • Computed / Distributed @association time
           • Unicast
       • Group Keys
           • Same key between AP and every client
           • Broadcast (and multicast)
  22. Key Hierarchy
       • Pairwise master key (PMK)
           • From Auth server (or pre-shared)
           • Generated during authentication (tls/ssl)
           • WPA: Radius server sends PMK to AP
           • From PMK AP derives Temporal keys
       • Pairwise Transient Keys
           • Data Encryption, Integrity keys; EAPOL keys
           • These keys are used in encryption engines
  23. Authentication
       • 802.1x
           • Not part of 802.11 suite
           • Can also be used on wired networks.
  24. Authentication: Radius
       • Component in 802.1x
       • Other Applications in Wireless
           • MAC Address authentication
               • NOT SECURE !
           • Captive Portal
               • nocat, m0n0wall (www.m0n0.ch/wall)
  25. 802.1x + RADIUS
  26. Cooking it up
       • EAP-TLS enterprise in time
           • Authentication mechanism
           • Key distribution mechanism
       • Other fun things wpa
       • WPA @home
  27. EAP-TLS
  28. EAP-TLS
  29. Fun things WPA
       • Key caching
           • Returning authenticated client
           • send (PM)Key name in associate request
           • AP start 4-way handshake
           • AP verifies PMKey
       • Pre-authentication
           • Makes Roaming seamless and faster
  30. WPA@home
       • No Radius server
       • Primary Master Key as Shared Secret
           • Key generation from password (rfc 2898)
           • good passwords: https://www.grc.com/passwords
       • AP and Client have same PMK
       • 4 way handshake between AP - Client
       • Client / AP derive temporal keys for encryption
  31. WPA-PSK Overview
  32. Application Level
       • VPN (ipsec, OpenVPN)
           • Some Setup required
       • SSL connections
           • You thought everything did ssl, right ?!
       • Captive portals
           • Hotspot model
  33. Questions ?! R.van.Drunen@competa.com
