Security in Wireless Networks IEEE 802.11i Presented by Sean Goggin March 1, 2005


Slide 1

Security in Wireless Networks
IEEE 802.11i
Presented by Sean Goggin
March 1, 2005

Slide 2

Overview

• Inherent Problems in Wireless

• Is WEP Really Equivalent?

• Additional Solutions

• 802.11i – A New Solution

• Conclusion

Slide 3

Inherent Problems in Wireless

• Modern Wired Network
  – Multiple Nodes Interconnected with CAT-5, RG-58, Fiber, Etc.
  – Typically Difficult to Intercept

[Figure: Computer A and Computer B exchanging data over CAT 5e]

Slide 4

Inherent Problems in Wireless

• Modern Wireless Network
  – Multiple Nodes Interconnected Over Radio Frequency
  – Lacks Simplest Form of Physical Protection

[Figure: Computer A and Computer B exchanging data over radio]

Slide 5

Inherent Problems in Wireless

• Denial-of-Service Attack (DoS Attack)
  – Media is Open to the Public
  – Easily Disrupted, Compromises Availability
  – Only Solution is to Locate and Disable

[Figure: Intruder disrupting the link between Computer A and Computer B]

Slide 6

Inherent Problems in Wireless

• Man-in-the-Middle Attack (MITM Attack)
  – Easily Intercepted
  – Compromises Integrity and Confidentiality
  – Mitigate with use of Encryption

[Figure: Intruder intercepting data between Computer A and Computer B]

Slide 7

Inherent Problems in Wireless

• Due to the Nature of Wired vs. Wireless, Wired is More Secure

• Wireless Requires a Protocol to Increase Security

• IEEE & Wired Equivalent Privacy
  – 40-bit (Exportable) and 104-bit Key
  – RC4

Slide 8

Is WEP Really Equivalent?

• IEEE Selects RC4 Cipher for WEP

• RC4 is a Stream Cipher System
  – Utilizes a Shared Key and Pseudo Random Number Generator (PRNG) to Create Keystream to XOR with Source’s Data, then Sends Cipher Text
  – Destination Utilizes the Shared Key and PRNG to Create Keystream to XOR Cipher Text and Decrypt Source’s Data

Courtesy of 802.11 Wireless Networks: The Definitive Guide

Slide 9

Is WEP Really Equivalent?

• WEP Process
  – 40-bit Key + 24-bit Initialization Vector (IV) = 64-bit RC4 Key
  – RC4 Key and PRNG Create Keystream Equal in Length to Plain Text + CRC
  – Keystream XORed with Plain Text and CRC Value
  – Transmit IV + Cipher Text

Slide 10

Is WEP Really Equivalent?

• Key Management Issue
  – Up to 4 WEP Keys Can Be Used
  – Scalability vs. Security
    • Manually Configure 1-4 Keys in an Enterprise
    • Manually Distribute 1-4 Keys to an Enterprise
    • Terminated Employees
    • Public Keys & Monitoring Station

Slide 11

Is WEP Really Equivalent?

• Encryption Issue
  – “Weaknesses in the Key Scheduling Algorithm of RC4” by Fluhrer, Mantin, and Shamir
    • Addressed Poor Implementation of RC4 in WEP
    • Weak IVs are Poorly Chosen and Repeated
    • Reused Keys Make Cryptanalysis Possible
    • Function is Linear, not Exponential

Slide 12

Is WEP Really Equivalent?

• Attacking WEP
  – The Key is Composed of 5 Bytes or 13 Bytes
  – The First Byte
    • LLC Encapsulation & SNAP Header (First Byte 0xAA)
    • 0xAA XOR First Byte of Cipher Text = First Byte of Keystream
  – The Remaining Bytes
    • Weak IVs in form of B+3:FF:N
      – B Refers to the Byte of the Key
      – FF is Weak Middle Byte of all 1s
      – N is any value from 0 to 255

Slide 13

Is WEP Really Equivalent?

• Attacking WEP, Continued
  – The Remaining Bytes, Continued
    • Gather Weak IVs into Groups of B
      – 5 Groups for 40-bit, 13 Groups for 104-bit
      – Takes Approximately 115 Samples Per Group to Crack a Byte of the Key
    • Even Though More Weak IVs are Needed for 104-bit Key, it Provides More Weak IVs by Nature
    • Cracking 104-bit vs. 40-bit Takes More Time, But an Insignificant Amount
    • More Wireless Network Traffic, Faster Weak IVs Appear

Slide 14

Is WEP Really Equivalent?

• Tools to Crack WEP
  – AirSnort
    • Developed by Bruestle & Hegerle to Demonstrate Work Done by Fluhrer, Mantin, and Shamir
    • Capture Component
      – Captures Raw Packets using Wireless Interface
    • Crack Component
      – Performs Analysis and Cracks Bytes of Key
  – WEPCrack & dweputils
    • Similar Functions as AirSnort

Slide 15

Is WEP Really Equivalent?

• Other Attacks
  – Simple XOR Attack
    • Cipher Text is Plain Text XOR Keystream
    • If a Known Plain Text is then XORed with Cipher Text, the Keystream will be Exposed
      – Use Spam, Heavy Virus Network Traffic (e.g. Sasser), or Other Well-Known Network Traffic
    • Used for Message Injection & Authentication Spoofing
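The WEP encapsulation of slide 9 and the known-plaintext keystream exposure of slide 15, written out as an added example; this is not code from the original talk. It implements RC4 key scheduling and output generation, the IV || key seeding, the CRC-32 integrity check value, and the step the slide describes: ciphertext XOR a guessed plaintext (plus its CRC) gives the keystream for that IV. From the defender's side, `demo_iv_reuse` shows why a 24-bit IV is inadequate: two frames sent under the same key and IV share one keystream, so a frame with guessable contents exposes the other. `fms_weak_iv_key_index` checks for the weak-IV pattern (B+3, 0xFF, N) from slide 12, which is the pattern some later firmware refused to transmit. The key, IVs and frame bodies are constructed sample values.

```python
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, no key involved."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Slide 9: RC4 key = IV || secret key; keystream XOR (plaintext || CRC); send IV || ciphertext."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit key")
    body = plaintext + icv(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Receiver side: rebuild the same keystream from the transmitted IV and check the CRC."""
    iv, ciphertext = frame[:3], frame[3:]
    body = xor_bytes(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, tag = body[:-4], body[-4:]
    if tag != icv(plaintext):
        raise ValueError("ICV mismatch")
    return plaintext


def keystream_from_known_plaintext(frame: bytes, known_plaintext: bytes):
    """Slide 15: ciphertext XOR known plaintext (plus its CRC) = the keystream used for this IV."""
    body = known_plaintext + icv(known_plaintext)
    return frame[:3], xor_bytes(frame[3:], body)


def fms_weak_iv_key_index(iv: bytes, key_len: int = 5):
    """Slide 12 pattern (B+3, 0xFF, N): returns the key byte index B such an IV leaks, else None."""
    b = iv[0] - 3
    return b if iv[1] == 0xFF and 0 <= b < key_len else None


def demo_iv_reuse() -> bool:
    """Two frames under one key and IV: the keystream learned from one reads the other."""
    key = bytes.fromhex("0102030405")                # constructed 40-bit key
    iv = b"\x10\x20\x30"                              # constructed IV, reused by the sender
    public = b"broadcast body everyone can guess"     # constructed known plaintext
    secret = b"private payload on the same IV"        # constructed
    frame_public = wep_encrypt(key, iv, public)
    frame_secret = wep_encrypt(key, iv, secret)
    iv_seen, keystream = keystream_from_known_plaintext(frame_public, public)
    if iv_seen != frame_secret[:3]:
        return False
    recovered = xor_bytes(frame_secret[3:], keystream)[: len(secret)]
    return recovered == secret
```

The IV is sent in the clear on purpose (the receiver needs it), so an observer can group frames by IV; with only 2^24 values and busy access points the same IV comes round again within hours, and nothing in WEP prevents a sender from reusing one immediately.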

Slide 16

Is WEP Really Equivalent?

• Other Attacks, Continued
  – Brute-Force Attack
    • Phrase Key Generators Often Flawed
      – Uses ASCII Values to Seed the PRNG
      – ASCII Bytes Always Start with a 0 Bit and Range from 0 to 7F
      – 7F vs FF… 21-bit vs. 32-bit Seed
      – Newsham Attacked 40-bit Key using P3/500, 35 Seconds to Key
      – Sometimes Applies to 104-bit Key Generator (MD5 Hash)

Slide 17

Additional Solutions

• Best Practices
  – Disabling SSID Beaconing
    • SSID Beaconing Identifies AP to Wireless Interfaces
    • Easier for Legitimate Users and Intruders/Attackers to Find AP
    • Disabling SSID May Require Additional Configuration of User’s Interface
    • Attacker can Detect Presence of AP, but without SSID cannot Associate with AP

Slide 18

Additional Solutions

• Best Practices, Continued
  – MAC Authentication (CSUN)
    • Legitimate Users Register MAC Address
    • AP Disregards Packets from Non-Registered MAC
  – Problems
    • Both SSID and Legitimate MAC can be Gathered with Network Sniffer and Wireless Card if Weak or No Encryption Used

• WEP is Weak, So What is Left?

Slide 19

Additional Solutions

• Virtual Private Network (VPN)
  – Secure Data Above the Link-Layer
  – May Require More Bandwidth
  – Variety of Protocols
    • IPsec (CSUN), SSL, & PPTP

• Wi-Fi Protected Access (WPA)
  – After WEP was Exposed a Temporary Solution was Needed

Slide 20

Additional Solutions

• Wi-Fi Protected Access (WPA), Continued
  – Wi-Fi Alliance Took Components of 802.11i Draft
    • Temporal Key Integrity Protocol
    • Larger IV (48-bit vs. 24-bit)
    • Message Integrity Check (MIC) Replaced CRC
    • 802.1x or Pre-Shared Key (PSK)
    • RC4
  – Could be Implemented on Existing Hardware

Slide 21

802.11i – A New Solution

• Originally Meant to Address Security and Quality of Service (QoS)

• Apparent Need for Additional Security Created 802.11e QoS & 802.11i Security

• WPA was Released in April 2003 as a Temporary Solution Until 802.11i Ratification

• 802.11i Ratified on June 24th, 2004

Slide 22

802.11i – A New Solution

• Components of 802.11i
  – 802.1x
  – Advanced Encryption Standard in Counter-Mode/Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP)
  – Temporal Key Integrity Protocol (TKIP)

Slide 23

802.11i – A New Solution

• 802.1x
  – Based on IETF Extensible Authentication Protocol (EAP)
    • Future Proof Open Standard
    • Allows for Any Authentication Standard to be Used
    • Designed to Regulate at Physical Port
  – Point of Authenticating User & Network
  – Typically Uses RADIUS

Slide 24

802.11i – A New Solution

• 802.1x, Step 1
  – Supplicant Requests Association with Authenticator
  – Authenticator Associates with Supplicant
  – Authenticator Requests Identity from Supplicant via EAP

[Figure: Wireless User (Supplicant), AP (Authenticator), Authentication Server; EAP exchange between Supplicant and Authenticator]

Slide 25

802.11i – A New Solution

• 802.1x, Step 2
  – Supplicant Responds with Identity to Authenticator via EAP
  – Authenticator Sends Access Request for Supplicant’s Identity to Authentication Server via RADIUS

[Figure: Wireless User (Supplicant), AP (Authenticator), Authentication Server; EAP between Supplicant and Authenticator, RADIUS between Authenticator and Authentication Server]

Slide 26

802.11i – A New Solution

• 802.1x, Step 3
  – Authentication Server Validates Supplicant’s Identity
  – Authentication Server Notifies Authenticator the Supplicant is Valid and Issues Keying Material via RADIUS
  – If Supplicant Fails to be Validated, Authentication Server Submits Identity Request instead

[Figure: Wireless User (Supplicant), AP (Authenticator), Authentication Server; RADIUS exchange between Authenticator and Authentication Server]

Slide 27

802.11i – A New Solution

• 802.1x, Step 4
  – The Authenticator Initiates a 4-Way Handshake with Supplicant to Establish Keys
  – Once Keys are Established the Supplicant is Permitted to Access the Network

[Figure: Wireless User (Supplicant), AP (Authenticator), Authentication Server; EAP exchange between Supplicant and Authenticator]

Slide 28

802.11i – A New Solution

• The 4-Way Handshake in 802.1x
  – Terminology
    • Master Key (MK)
    • Pairwise Master Key (PMK)
    • Authenticator Nonce (Anonce)
    • Supplicant Nonce (Snonce)
    • Pairwise Transient Key (PTK)
    • Group Temporal Key (GTK)

Slide 29

802.11i – A New Solution

• The 4-Way Handshake in 802.1x
  – Both the Supplicant and Authenticator have PMK Derived from MK issued by the Authentication Server
  – Step 1
    • Authenticator Generates Anonce and Sends it to the Supplicant

[Figure: Wireless User (Supplicant) and AP (Authenticator) each hold PMK; Authenticator sends Anonce to Supplicant]

Slide 30

802.11i – A New Solution

• The 4-Way Handshake in 802.1x
  – Step 2
    • Supplicant Generates Snonce
    • Supplicant Constructs PTK from Anonce, Snonce, Authenticator MAC, Supplicant MAC, and PMK
    • Supplicant Sends Snonce and MIC to Authenticator

[Figure: Supplicant holds PMK, Anonce, Snonce, PTK and sends Snonce + MIC to Authenticator, which holds PMK and Anonce]

Slide 31

802.11i – A New Solution

• The 4-Way Handshake in 802.1x
  – Step 3
    • Authenticator Derives PTK from Anonce, Snonce, Authenticator MAC, Supplicant MAC, and PMK
    • Authenticator Constructs GTK from Above Data and Sends GTK and MIC to Supplicant

[Figure: Authenticator holds PMK, Anonce, Snonce, PTK, GTK and sends GTK + MIC to Supplicant, which holds PMK, Anonce, Snonce, PTK]

Slide 32

802.11i – A New Solution

• The 4-Way Handshake in 802.1x
  – Step 4
    • Supplicant Sends ACK to Authenticator Concluding Handshake Process
    • Supplicant & Authenticator Have Established All Necessary Keys

[Figure: Supplicant sends ACK to Authenticator; both sides now hold PMK, Anonce, Snonce, PTK, GTK]

Slide 33

802.11i – A New Solution

• Pairwise Transient Key (PTK)
  – Broken into 3 Keys
    • Key Confirmation Key (KCK)
      – Used to Compute and Confirm EAP MICs
    • Key Encryption Key (KEK)
      – Used for Encryption of EAP Data
    • Temporal Key (TK)
      – Used for Encryption of Supplicant-Authenticator Traffic

• Group Temporal Key (GTK)
  – Used for Broadcast and Multicast Encryption
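The four-way handshake of slides 29 to 32 and the PTK split of slide 33 carried out in code, as an added example that is not part of the original talk. Both sides start from the same PMK. The PTK is derived with the 802.11i PRF (HMAC-SHA1 keyed by the PMK over the label, both MAC addresses and both nonces, each pair sorted so either side gets the same result) and split into KCK, KEK and TK as slide 33 lists; the GTK is derived from a group master key with the same PRF. Two simplifications are assumptions of this example rather than the standard's exact format: the EAPOL-Key MIC is an HMAC-SHA1 under the KCK, truncated to 16 bytes, over the bare message fields instead of a full EAPOL-Key frame, and the KEK protection of the GTK in message 3 is an XOR with an HMAC-derived mask standing in for the AES key wrap. All keys, addresses and nonces are constructed. The `tamper` flag models a nonce altered in flight: the authenticator then derives a different PTK, the message 2 MIC fails, and the handshake aborts before any key is installed.

```python
import hashlib
import hmac

PTK_LABEL = b"Pairwise key expansion"
GTK_LABEL = b"Group key expansion"


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i) blocks."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK from PMK, both MAC addresses and both nonces; split into KCK / KEK / TK (slide 33)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PTK_LABEL, data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, fields: bytes) -> bytes:
    """The KCK authenticates each EAPOL-Key message (simplified: MIC over the fields only)."""
    return hmac.new(kck, fields, hashlib.sha1).digest()[:16]


def kek_mask(kek: bytes, gtk: bytes) -> bytes:
    """Stand-in for the AES key wrap: XOR with an HMAC-derived mask under the KEK (same call unwraps)."""
    mask = hmac.new(kek, b"gtk-transport", hashlib.sha256).digest()[: len(gtk)]
    return bytes(a ^ b for a, b in zip(gtk, mask))


def four_way_handshake(pmk, gmk, aa, spa, anonce, snonce, gnonce, tamper=False):
    """Returns the keys each side installed, or None if a MIC check fails (handshake aborted)."""
    # Message 1: Authenticator -> Supplicant carries ANonce; no PTK exists yet, so no MIC.
    # Message 2: Supplicant derives the PTK and sends SNonce with a MIC under its KCK.
    sup = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = {"snonce": snonce, "mic": eapol_mic(sup["KCK"], snonce)}
    if tamper:
        # constructed in-path modification: the nonce changes, the MIC does not
        msg2["snonce"] = bytes(b ^ 0x01 for b in snonce)
    # Authenticator derives its PTK from the SNonce it actually received and checks the MIC.
    auth = derive_ptk(pmk, aa, spa, anonce, msg2["snonce"])
    if not hmac.compare_digest(eapol_mic(auth["KCK"], msg2["snonce"]), msg2["mic"]):
        return None
    # Message 3: Authenticator -> Supplicant: ANonce again, GTK protected by the KEK, MIC under the KCK.
    gtk = prf(gmk, GTK_LABEL, aa + gnonce, 16)
    msg3 = {"anonce": anonce, "gtk": kek_mask(auth["KEK"], gtk)}
    msg3["mic"] = eapol_mic(auth["KCK"], msg3["anonce"] + msg3["gtk"])
    if not hmac.compare_digest(eapol_mic(sup["KCK"], msg3["anonce"] + msg3["gtk"]), msg3["mic"]):
        return None
    sup_gtk = kek_mask(sup["KEK"], msg3["gtk"])
    # Message 4: Supplicant -> Authenticator: ACK with MIC; both sides then install TK and GTK.
    msg4_mic = eapol_mic(sup["KCK"], b"ack")
    if not hmac.compare_digest(eapol_mic(auth["KCK"], b"ack"), msg4_mic):
        return None
    return {"supplicant": (sup["TK"], sup_gtk), "authenticator": (auth["TK"], gtk)}


def demo(tamper: bool = False):
    """Constructed sample values: PMK as delivered by the authentication server, GMK, MACs, nonces."""
    pmk = hashlib.sha256(b"constructed PMK from the authentication server").digest()
    gmk = hashlib.sha256(b"constructed GMK").digest()
    aa, spa = bytes.fromhex("00a0c9112233"), bytes.fromhex("00a0c9445566")
    anonce, snonce, gnonce = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
    return four_way_handshake(pmk, gmk, aa, spa, anonce, snonce, gnonce, tamper=tamper)
```

The PMK itself never crosses the air: only the nonces and MICs do, and a party that does not hold the PMK cannot produce a valid MIC for message 2 or 3, which is what the handshake actually proves to each side.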

Slide 34

802.11i – A New Solution

• Additional Features of 802.1x
  – Key Caching
    • Authenticator & Supplicant Cache Keys While Roaming
    • Prevents Excessive Load on Authentication Server
  – Pre-Authentication
    • If the Supplicant Senses the Next AP while Roaming it can Begin Authentication via Network to Next AP
    • Reduces Association Time to Next AP

Slide 35

802.11i – A New Solution

• AES-CM/CBC-MAC Protocol (AES-CCMP)
  – Features
    • 128-bit Advanced Encryption Standard
    • Counter-Mode
    • Cipher Block Chaining
    • 48-bit Initialization Vectors
    • 802.1x Key Assignment (TK from PTK)
    • Message Integrity Check

Slide 36

802.11i – A New Solution

• Counter-Mode
  – Turns a Block Cipher into a Stream Cipher
  – Generates the Next Keystream Block by Encrypting Successive Values of a Counter
  – Counter is any Simple Function which Produces a Sequence which is Guaranteed not to Repeat for a Long Time

Slide 37

802.11i – A New Solution

Courtesy of: WikiPedia - Block cipher modes of operation

Slide 38

802.11i – A New Solution

• Cipher Block Chaining
  – Each Block of Plain Text is XORed with Previous Block of Cipher Text Before Being Encrypted
  – Each Cipher Text Block is then Dependent on the Blocks that Preceded It

Slide 39

802.11i – A New Solution

Courtesy of: WikiPedia - Block cipher modes of operation

Slide 40

802.11i – A New Solution

• AES-CCMP, Continued
  – AES-CM Provides Confidentiality
  – CBC-MAC Provides Authentication & Integrity
  – CCMP Protects Non-Encrypted Fields
    • Such as Source & Destination Data
    • Protects Against Replay Attack
  – 16 Octets Larger than Non-Encrypted Data
    • Slight Speed Decrease, Large Security Increase
  – More Enterprise than Home Consumer
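Counter mode (slide 36), cipher block chaining used as a MAC (slide 38) and the way CCMP combines them (slide 40), as an added example that is not from the original talk. Counter mode turns a block function into a keystream generator by encrypting a counter that never repeats, here a nonce built from the sender's address and a per-packet number followed by a block index; CBC-MAC chains each block into the next so the tag depends on every preceding block, and it is run over the unencrypted header as well as the plaintext, which is how CCMP protects the address fields. Both directions only need the forward operation of the block cipher, so the 16-byte block function is an HMAC-SHA256 truncation standing in for AES-128; that substitution is an assumption made so the example runs on the standard library, and the mode logic does not depend on it. The 8-byte tag plus the 8-byte packet-number header give the 16-octet growth slide 40 mentions, and the receiver's packet-number check is the replay protection. Keys, addresses and frames are constructed.

```python
import hashlib
import hmac

BLOCK = 16
TAG_LEN = 8


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (HMAC-SHA256 truncated to 16 bytes)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_nonce(src_addr: bytes, pn: int) -> bytes:
    """13-byte CCMP-style nonce: priority byte || sender address || 48-bit packet number."""
    return b"\x00" + src_addr + pn.to_bytes(6, "big")


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: keystream block i = E(key, flags || nonce || i); the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter_block = b"\x01" + nonce + ((i // BLOCK) + 1).to_bytes(2, "big")
        out += xor_bytes(data[i : i + BLOCK], block_encrypt(key, counter_block))
    return bytes(out)


def cbc_mac(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """CBC-MAC over B0 (nonce + length), the unencrypted header (aad) and the plaintext."""
    b0 = b"\x59" + nonce + len(plaintext).to_bytes(2, "big")
    header = len(aad).to_bytes(2, "big") + aad
    data = b0 + header + b"\x00" * (-len(header) % BLOCK)
    data += plaintext + b"\x00" * (-len(plaintext) % BLOCK)
    x = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        x = block_encrypt(key, xor_bytes(x, data[i : i + BLOCK]))  # each block feeds the next
    return x[:TAG_LEN]


def ccm_seal(tk: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    tag = cbc_mac(tk, nonce, aad, plaintext)
    s0 = block_encrypt(tk, b"\x01" + nonce + b"\x00\x00")  # counter 0 masks the tag
    return ctr_xor(tk, nonce, plaintext) + xor_bytes(tag, s0[:TAG_LEN])


def ccm_open(tk: bytes, nonce: bytes, aad: bytes, sealed: bytes):
    """Returns the plaintext, or None when the tag does not verify."""
    ciphertext, masked_tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    plaintext = ctr_xor(tk, nonce, ciphertext)
    s0 = block_encrypt(tk, b"\x01" + nonce + b"\x00\x00")
    expected = xor_bytes(cbc_mac(tk, nonce, aad, plaintext), s0[:TAG_LEN])
    return plaintext if hmac.compare_digest(expected, masked_tag) else None


class Receiver:
    """Accepts frames in increasing packet-number order only, so a captured frame cannot be replayed."""

    def __init__(self, tk: bytes):
        self.tk = tk
        self.last_pn = -1

    def accept(self, header: bytes, pn: int, sealed: bytes):
        if pn <= self.last_pn:
            return None  # replayed or reordered: drop before any cryptography
        plaintext = ccm_open(self.tk, make_nonce(header[6:12], pn), header, sealed)
        if plaintext is not None:
            self.last_pn = pn
        return plaintext


def demo():
    tk = hashlib.sha256(b"constructed temporal key").digest()[:16]
    header = bytes.fromhex("00a0c9112233") + bytes.fromhex("00a0c9445566")  # dst || src, constructed
    body = b"constructed frame body that must stay confidential"
    sealed = ccm_seal(tk, make_nonce(header[6:12], 1), header, body)
    rx = Receiver(tk)
    first = rx.accept(header, 1, sealed)                                 # genuine frame
    replayed = rx.accept(header, 1, sealed)                              # same frame again
    rewritten = rx.accept(bytes.fromhex("00a0c9999999") + header[6:], 2, sealed)  # header changed
    return first, replayed, rewritten, len(sealed) - len(body)
```

Because the counter blocks are keyed by the packet number, the receiver's `last_pn` check also guarantees the counter never repeats under one temporal key, which is the property counter mode depends on.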

Slide 41

802.11i – A New Solution

• AES-CCMP vs. WEP
  – AES vs. RC4
  – 128-bit vs. 104-bit Key
  – Block Cipher vs. Stream Cipher
  – 48-bit vs. 24-bit Initialization Vector
  – CBC-MAC vs. RC4
  – New vs. Established

Slide 42

802.11i – A New Solution

• Temporal Key Integrity Protocol (TKIP)
  – Features
    • 128-bit RC4
    • Per-Packet Key Mixing
    • Enhanced Initialization Vectors including Sequencing Rules
    • 802.1x Key Assignment (TK from PTK)
    • Michael MIC
    • Runs on Legacy Hardware

Slide 43

802.11i – A New Solution

Courtesy of: How Secure Is Your Wireless Network? Safeguarding Your Wi-Fi LAN

Slide 44

802.11i – A New Solution

• TKIP – Phase 1
  – Source MAC XORed with TK = Mixed Key

• TKIP – Phase 2
  – Mixed Key XORed with TKIP Sequence Counter = Per-Packet Mixed Key
  – Fed to WEP Engine as 128-bit Key

Slide 45

802.11i – A New Solution

• Michael MIC
  – 64-bit MIC Key, Source Address, Destination Address, and Plain Text used to Generate 8 Byte MIC Hash
  – MIC replaces CRC
  – Plain Text + MIC are Fed to WEP Engine as Plain Text
    • WEP Now Performs RC4 Operations Using 128-bit Key and Plain Text + MIC

Slide 46

802.11i – A New Solution

Slide 47

802.11i – A New Solution

• Michael’s Countermeasure
  – If CRC, Integrity Check Value, and IV Fail Verification, Only then Check MIC
    • Avoids False Positive
  – If All Fail, Attack Underway
    • Stop Using Current Keys & Re-Key
    • Rate Limit Re-Keying to Once Per Minute
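The Michael MIC of slide 45 and the countermeasure of slide 47, as an added example that is not from the original talk. The block function, the padding (0x5a followed by four to seven zero bytes to a multiple of four) and the little-endian word handling follow the published Michael algorithm, so the all-zero key with an empty message reproduces the standard's test value 82925c1ca1d130b8; `tkip_mic` feeds it destination, source, a priority byte with three reserved bytes, and the plaintext, which is the input slide 45 lists. Michael was designed to fit on WEP-era hardware and is deliberately cheap, so the receiver keeps the attack counter of slide 47: a MIC failure only counts on a frame that already passed the ICV and sequence checks (a corrupted frame is not an attack), and a second counted failure within sixty seconds stops use of the current keys, triggers a re-key, and leaves the link down for a minute, which is what rate-limits re-keying. Timestamps and frame outcomes are constructed.

```python
import struct

MASK32 = 0xFFFFFFFF


def rol32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def ror32(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def xswap(x: int) -> int:
    """Swap the two bytes within each 16-bit half of a 32-bit word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def michael_block(l: int, r: int):
    """One round of the Michael block function b(L, R)."""
    r ^= rol32(l, 17)
    l = (l + r) & MASK32
    r ^= xswap(l)
    l = (l + r) & MASK32
    r ^= rol32(l, 3)
    l = (l + r) & MASK32
    r ^= ror32(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael(key: bytes, message: bytes) -> bytes:
    """Michael MIC: 64-bit key, message padded with 0x5a and 4-7 zero bytes, 8-byte output."""
    l, r = struct.unpack("<II", key)
    padded = message + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)


def tkip_mic(mic_key: bytes, dst: bytes, src: bytes, plaintext: bytes) -> bytes:
    """Slide 45: the MIC covers destination, source, priority (with 3 reserved bytes) and the plaintext."""
    return michael(mic_key, dst + src + b"\x00" * 4 + plaintext)


class MichaelCountermeasure:
    """Slide 47: count MIC failures on otherwise valid frames; two within 60 s force a re-key."""

    WINDOW = 60.0

    def __init__(self, rekey):
        self.rekey = rekey            # callback that installs fresh keys
        self.last_failure = None      # time of the first counted MIC failure
        self.blackout_until = 0.0     # keys disabled until this time

    def receive(self, now: float, icv_ok: bool, seq_ok: bool, mic_ok: bool) -> str:
        """Returns 'accept', 'drop' or 'rekey' for a frame that arrived at time `now`."""
        if now < self.blackout_until:
            return "drop"             # current keys withdrawn; nothing passes until re-keyed
        if not (icv_ok and seq_ok):
            return "drop"             # corrupted or replayed frame: checked first, not counted
        if mic_ok:
            return "accept"
        if self.last_failure is not None and now - self.last_failure < self.WINDOW:
            self.last_failure = None
            self.blackout_until = now + self.WINDOW
            self.rekey()
            return "rekey"
        self.last_failure = now
        return "drop"
```

The ordering matters for the false-positive point on the slide: ICV and sequence checks reject noise and replays before the MIC is consulted, so only a frame that was correctly encrypted and in sequence yet carries a wrong MIC can move the counter.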

Slide 48

802.11i – A New Solution

• AES-CCMP vs. TKIP
  – AES vs. RC4
  – Block vs. Stream Cipher
  – CBC-MAC vs. RC4
  – New Hardware vs. Existing Hardware
  – New vs. Relatively New

Slide 49

802.11i – A New Solution

• Additional Features of 802.11i
  – Pre-Shared Key (PSK)
    • Utilized instead of PMK, Less Secure?
    • Home or Ad Hoc Network
  – Password-to-Key Mapping
    • Generates 256-bit PSK from ASCII
  – Random Number Generation
    • Established Minimum Guideline
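The password-to-key mapping of slide 49 in code, as an added example rather than material from the original talk. 802.11i derives the 256-bit PSK from an 8 to 63 character printable-ASCII passphrase with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations, and that PSK is then used directly as the PMK. The iteration count and the SSID salt are the contrast with the flawed phrase generators of slide 16: a guess costs 4096 HMAC evaluations, and a table computed for one network name is useless against another. The `random_psk` function covers the slide's other option, a 256-bit key taken straight from a random number generator rather than from a passphrase. The passphrase and SSID in the test are the standard's own published example pair.

```python
import hashlib
import secrets


def valid_passphrase(passphrase: str) -> bool:
    """802.11i passphrases are 8 to 63 printable ASCII characters (0x20 to 0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output; the PSK serves as the PMK."""
    if not valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def random_psk() -> bytes:
    """A 256-bit PSK drawn directly from the OS random generator, for entry as 64 hex digits."""
    return secrets.token_bytes(32)
```

A randomly generated PSK is only as good as the generator behind it, which is the point of the slide's "minimum guideline" bullet; `secrets` uses the operating system's generator rather than a seeded arithmetic one.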

Slide 50

802.11i – A New Solution

• 802.11i & WPA 2
  – Wi-Fi Alliance Certification Program for 802.11i Compliance
  – Possibly Misleading, WPA Hardware May Not Be Compatible
    • TKIP is in WPA & WPA 2
    • Most WPA Hardware Not Capable of AES-CCMP
  – User-Friendly Name for 802.11i

Slide 51

Conclusion

• 802.11i Shows Promise, Only Proven with Test of Time

• Performance/Security Trade-off Worth it?

• May Not Be as Important to Home Users as it is for Enterprises

Slide 52

Conclusion

• With Major Investment in Last 5 Years in 802.11b, New Hardware May Not Be Adopted Promptly

• Why Buy 802.11i Instead of 802.16 or 802.20?

• Where is the Hardware?

Slide 53

Questions & Answers

Security in Wireless Networks

802.11i

Slide 54

Next Time…

Advances in Optical Networks
SONET

April 19, 2005