Security in Wireless Networks
IEEE 802.11i
Presented by Sean Goggin
March 1, 2005
3/1/2005 Sean Goggin 2
Overview
• Inherent Problems in Wireless
• Is WEP Really Equivalent?
• Additional Solutions
• 802.11i – A New Solution
• Conclusion
Inherent Problems in Wireless
• Modern Wired Network
  – Multiple Nodes Interconnected with CAT-5, RG-58, Fiber, etc.
  – Typically Difficult to Intercept
[Diagram: Computer A and Computer B exchanging Data over CAT 5e]
Inherent Problems in Wireless
• Modern Wireless Network
  – Multiple Nodes Interconnected Over Radio Frequency
  – Lacks Simplest Form of Physical Protection
[Diagram: Computer A and Computer B exchanging Data]
Inherent Problems in Wireless
• Denial-of-Service Attack (DoS Attack)
  – Media is Open to the Public
  – Easily Disrupted, Compromises Availability
  – Only Solution is to Locate and Disable
[Diagram: Computer A, Computer B, Intruder]
Inherent Problems in Wireless
• Man-in-the-Middle Attack (MITM Attack)
  – Easily Intercepted
  – Compromises Integrity and Confidentiality
  – Mitigate with Use of Encryption
[Diagram: Computer A, Computer B, Intruder, Data]
Inherent Problems in Wireless
• Due to the Nature of Wired vs. Wireless, Wired is More Secure
• Wireless Requires Protocol to Increase Security
• IEEE & Wired Equivalent Privacy
  – 40-bit (Exportable) and 104-bit Key
  – RC4
Is WEP Really Equivalent?
• IEEE Selects RC4 Cipher for WEP
• RC4 is a Stream Cipher System
  – Utilizes a Shared Key and Pseudo Random Number Generator (PRNG) to Create Keystream to XOR with Source’s Data, then Sends Cipher Text
  – Destination Utilizes the Shared Key and PRNG to Create Keystream to XOR Cipher Text and Decrypt Source’s Data
Courtesy of 802.11 Wireless Networks: The Definitive Guide
Is WEP Really Equivalent?
• WEP Process
  – 40-bit Key + 24-bit Initialization Vector (IV) = 64-bit RC4 Key
  – RC4 Key and PRNG Create Keystream Equal in Length to Plain Text + CRC
  – Keystream XORed with Plain Text and CRC Value
  – Transmit IV + Cipher Text
Is WEP Really Equivalent?
• Key Management Issue
  – Up to 4 WEP Keys Can Be Used
  – Scalability vs. Security
    • Manually Configure 1-4 Keys in an Enterprise
    • Manually Distribute 1-4 Keys to an Enterprise
    • Terminated Employees
    • Public Keys & Monitoring Station
Is WEP Really Equivalent?
• Encryption Issue
  – “Weaknesses in the Key Scheduling Algorithm of RC4” by Fluhrer, Mantin, and Shamir
    • Addressed Poor Implementation of RC4 in WEP
    • Weak IVs are Poorly Chosen and Repeated
    • Reused Keys Make Cryptanalysis Possible
    • Function is Linear, not Exponential
Is WEP Really Equivalent?
• Attacking WEP
  – The Key is Comprised of 5 Bytes or 13 Bytes
  – The First Byte
    • LLC Encapsulation & SNAP Header (0xAA)
    • (0xAA) XOR First Byte of Cipher Text = First Byte of Keystream
  – The Remaining Bytes
    • Weak IVs in Form of B+3:FF:N
      – B Refers to the Byte of the Key
      – FF is Weak Middle Byte of all 1s
      – N is any Value from 0 to 255
Is WEP Really Equivalent?
• Attacking WEP, Continued
  – The Remaining Bytes, Continued
    • Gather Weak IVs into Groups of B
      – 5 Groups for 40-bit, 13 Groups for 104-bit
      – Takes Approximately 115 Samples Per Group to Crack a Byte of the Key
    • Even Though More Weak IVs are Needed for 104-bit Key, it Provides More Weak IVs by Nature
    • Cracking 104-bit vs. 40-bit Takes More Time, But Insignificant Amount
    • More Wireless Network Traffic, Faster Weak IVs Appear
Is WEP Really Equivalent?
• Tools to Crack WEP
  – AirSnort
    • Developed by Bruestle & Hegerle to Demonstrate Work Done by Fluhrer, Mantin, and Shamir
    • Capture Component
      – Captures Raw Packets using Wireless Interface
    • Crack Component
      – Performs Analysis and Cracks Bytes of Key
  – WEPCrack & dweputils
    • Similar Functions as AirSnort
Is WEP Really Equivalent?
• Other Attacks
  – Simple XOR Attack
    • Cipher Text is Plain Text XOR Keystream
    • If a Known Plain Text is then XORed with Cipher Text the Keystream will be Exposed
      – Use SPAM, Heavy Virus Network Traffic (i.e., Sasser), or Other Well-Known Network Traffic
    • Used for Message Injection & Authentication Spoofing
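The WEP Process slide and the Simple XOR slide above, worked through as an added example that is not part of the original presentation. It is a simplified frame (IV + cipher text only, no key ID byte); the key, IV and messages are constructed values.

```python
import struct
import zlib

def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream: key scheduling, then the PRNG output loop."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Transmit IV + ((plain text + CRC) XOR RC4(IV + key))."""
    body = plaintext + crc(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Rebuild the keystream from the cleartext IV, then check the CRC."""
    iv, cipher = frame[:3], frame[3:]
    body = xor(cipher, rc4(iv + key, len(cipher)))
    if crc(body[:-4]) != body[-4:]:
        raise ValueError("CRC mismatch")
    return body[:-4]

def keystream_from_known_plaintext(frame: bytes, known: bytes) -> bytes:
    """Cipher text XOR known plain text exposes the keystream for that IV."""
    return xor(frame[3:], known + crc(known))

def reuse_demo() -> bytes:
    key, iv = bytes.fromhex("0102030405"), b"\x10\x20\x30"  # constructed 40-bit key and IV
    known, secret = b"well-known traffic!!", b"confidential payload"
    stream = keystream_from_known_plaintext(wep_encrypt(key, iv, known), known)
    other = wep_encrypt(key, iv, secret)   # second frame sent under the same IV
    return xor(other[3:], stream)[:-4]     # read without ever touching the key

if __name__ == "__main__":
    print(reuse_demo())
```

The second frame is readable only because the IV repeated; with a 24-bit IV and a static shared key, repeats are unavoidable on a busy network, which is why TKIP and CCMP move to a 48-bit, non-repeating counter.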
Is WEP Really Equivalent?
• Other Attacks, Continued
  – Brute-Force Attack
    • Phrase Key Generators Often Flawed
      – Uses ASCII Values to Seed the PRNG
      – ASCII Always Starts with 0 and Ranges from 0 to 7F
      – 7F vs FF… 21-bit vs. 32-bit Seed
      – Newsham Attacked 40-bit Key using P3/500, 35 Seconds to Key
      – Sometimes Applies to 104-bit Key Generator (MD5 Hash)
Additional Solutions
• Best Practices
  – Disabling SSID Beaconing
    • SSID Beaconing Identifies AP to Wireless Interfaces
    • Easier for Legitimate Users and Intruders/Attackers to Find AP
    • Disabling SSID May Require Additional Configuration of User’s Interface
    • Attacker can Detect Presence of AP, but without SSID cannot Associate with AP
Additional Solutions
• Best Practices, Continued
  – MAC Authentication (CSUN)
    • Legitimate Users Register MAC Address
    • AP Disregards Packets from Non-Registered MAC
  – Problems
    • Both SSID and Legitimate MAC can be Gathered with Network Sniffer and Wireless Card if Weak or No Encryption Used
    • WEP is Weak, So What is Left?
Additional Solutions
• Virtual Private Network (VPN)
  – Secure Data Above the Link-Layer
  – May Require More Bandwidth
  – Variety of Protocols
    • IPsec (CSUN), SSL, & PPTP
• Wi-Fi Protected Access (WPA)
  – After WEP was Exposed a Temporary Solution was Needed
Additional Solutions
• Wi-Fi Protected Access (WPA), Continued
  – Wi-Fi Alliance Took Components of 802.11i Draft
    • Temporal Key Integrity Protocol
    • Larger IV (48-bit vs. 24-bit)
    • Message Integrity Check (MIC) Replaced CRC
    • 802.1x or Pre-Shared Key (PSK)
    • RC4
  – Could be Implemented on Existing Hardware
802.11i – A New Solution
• Originally Meant to Address Security and Quality of Service (QoS)
• Apparent Need for Additional Security Created 802.11e QoS & 802.11i Security
• WPA is Released in April 2003 as Temporary Solution Until 802.11i Ratification
• 802.11i Ratified on June 24th, 2004
802.11i – A New Solution
• Components of 802.11i
  – 802.1x
  – Advanced Encryption Standard in Counter-Mode/Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP)
  – Temporal Key Integrity Protocol (TKIP)
802.11i – A New Solution
• 802.1x
  – Based on IETF Extensible Authentication Protocol (EAP)
    • Future Proof Open Standard
    • Allows for Any Authentication Standard to be Used
    • Designed to Regulate at Physical Port
  – Point of Authenticating User & Network
  – Typically Uses RADIUS
802.11i – A New Solution
• 802.1x, Step 1
  – Supplicant Requests Association with Authenticator
  – Authenticator Associates with Supplicant
  – Authenticator Requests Identity from Supplicant via EAP
[Diagram: Wireless User (Supplicant), AP (Authenticator), Authentication Server; EAP]
802.11i – A New Solution
• 802.1x, Step 2
  – Supplicant Responds with Identity to Authenticator via EAP
  – Authenticator Sends Access Request for Supplicant’s Identity to Authentication Server via RADIUS
[Diagram: Wireless User (Supplicant), AP (Authenticator), Authentication Server; EAP, RADIUS]
802.11i – A New Solution
• 802.1x, Step 3
  – Authentication Server Validates Supplicant’s Identity
  – Authentication Server Notifies Authenticator the Supplicant is Valid and Issues Keying Material via RADIUS
  – If Supplicant Fails to be Validated, Authentication Server Submits Identity Request instead
[Diagram: Wireless User (Supplicant), AP (Authenticator), Authentication Server; RADIUS]
802.11i – A New Solution
• 802.1x, Step 4
  – The Authenticator Initiates a 4-Way Handshake with Supplicant to Establish Keys
  – Once Keys are Established the Supplicant is Permitted to Access the Network
[Diagram: Wireless User (Supplicant), AP (Authenticator), Authentication Server; EAP]
802.11i – A New Solution
• The 4-Way Handshake in 802.1x
  – Terminology
    • Master Key (MK)
    • Pairwise Master Key (PMK)
    • Authenticator Nonce (Anonce)
    • Supplicant Nonce (Snonce)
    • Pairwise Transient Key (PTK)
    • Group Temporal Key (GTK)
802.11i – A New Solution
• The 4-Way Handshake in 802.1x
  – Both the Supplicant and Authenticator have PMK Derived from MK issued by the Authentication Server
  – Step 1
    • Authenticator Generates Anonce and Sends it to the Supplicant
[Diagram: Wireless User (Supplicant), AP (Authenticator); PMK, Anonce]
802.11i – A New Solution
• The 4-Way Handshake in 802.1x
  – Step 2
    • Supplicant Generates Snonce
    • Supplicant Constructs PTK from Anonce, Snonce, Authenticator MAC, Supplicant MAC, and PMK
    • Supplicant Sends Snonce and MIC to Authenticator
[Diagram: Wireless User (Supplicant), AP (Authenticator); PMK, Anonce, Snonce, PTK; Snonce + MIC]
802.11i – A New Solution
• The 4-Way Handshake in 802.1x
  – Step 3
    • Authenticator Derives PTK from Anonce, Snonce, Authenticator MAC, Supplicant MAC, and PMK
    • Authenticator Constructs GTK from Above Data and Sends GTK and MIC to Supplicant
[Diagram: Wireless User (Supplicant), AP (Authenticator); PMK, Anonce, Snonce, PTK, GTK; GTK + MIC]
802.11i – A New Solution
• The 4-Way Handshake in 802.1x
  – Step 4
    • Supplicant Sends ACK to Authenticator Concluding Handshake Process
    • Supplicant & Authenticator Have Established All Necessary Keys
[Diagram: Wireless User (Supplicant), AP (Authenticator); PMK, Anonce, Snonce, PTK, GTK; ACK]
802.11i – A New Solution
• Pairwise Transient Key (PTK)
  – Broken into 3 Keys
    • Key Confirmation Key (KCK)
      – Used to Compute and Confirm EAP MICs
    • Key Encryption Key (KEK)
      – Used for Encryption of EAP Data
    • Temporal Key (TK)
      – Used for Encryption of Supplicant-Authenticator Traffic
• Group Temporal Key (GTK)
  – Used for Broadcast and Multicast Encryption
802.11i – A New Solution
• Additional Features of 802.1x
  – Key Caching
    • Authenticator & Supplicant Cache Keys While Roaming
    • Prevents Excessive Load on Authentication Server
  – Pre-Authentication
    • If the Supplicant Senses the Next AP while Roaming it can Begin Authentication via Network to Next AP
    • Reduces Association Time to Next AP
802.11i – A New Solution
• AES-CM/CBC-MAC Protocol (AES-CCMP)
  – Features
    • 128-bit Advanced Encryption Standard
    • Counter-Mode
    • Cipher Block Chaining
    • 48-bit Initialization Vectors
    • 802.1x Key Assignment (TK from PTK)
    • Message Integrity Check
802.11i – A New Solution
• Counter-Mode
  – Turns a Block Cipher into a Stream Cipher
  – Generates the Next Keystream Block by Encrypting Successive Values of a Counter
  – Counter is any Simple Function which Produces Sequence which is Guaranteed not to Repeat for a Long Time
802.11i – A New Solution
Courtesy of: Wikipedia - Block cipher modes of operation
802.11i – A New Solution
• Cipher Block Chaining
  – Each Block of Plain Text is XORed with Previous Block of Cipher Text Before Being Encrypted
  – Each Cipher Text Block is then Dependent on the Blocks that Preceded
802.11i – A New Solution
Courtesy of: Wikipedia - Block cipher modes of operation
802.11i – A New Solution
• AES-CCMP, Continued
  – AES-CM Provides Confidentiality
  – CBC-MAC Provides Authentication & Integrity
  – CCMP Protects Non-Encrypted Fields
    • Such as Source & Destination Data
    • Protects Against Replay Attack
  – 16 Octets Larger than Non-Encrypted Data
    • Slight Speed Decrease, Large Security Increase
  – More Enterprise than Home Consumer
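How the Counter-Mode, Cipher Block Chaining and AES-CCMP slides fit together, as an added example that is not part of the original presentation. It shows the structure only: an HMAC-SHA-256 function truncated to 16 bytes stands in for AES-128 (assumption), and the block layout is simplified rather than the exact CCMP encoding; all names are hypothetical.

```python
import hashlib
import hmac

BLOCK = 16

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (assumption, not real AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def ctr_xor(key: bytes, pn: int, data: bytes) -> bytes:
    """Counter mode: encrypt successive counter values, XOR them onto the data."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK), start=1):
        counter = b"\x01" + pn.to_bytes(6, "big") + n.to_bytes(9, "big")
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], E(key, counter)))
    return bytes(out)

def cbc_mac(key: bytes, pn: int, header: bytes, payload: bytes) -> bytes:
    """CBC-MAC: each block is XORed with the previous output before encryption."""
    # Flag byte 0x00 keeps MAC inputs distinct from counter blocks (flag 0x01).
    first = (b"\x00" + pn.to_bytes(6, "big") + len(header).to_bytes(2, "big")
             + len(payload).to_bytes(7, "big"))
    msg = header + payload
    msg += b"\x00" * (-len(msg) % BLOCK)
    state = E(key, first)
    for i in range(0, len(msg), BLOCK):
        state = E(key, bytes(a ^ b for a, b in zip(state, msg[i:i + BLOCK])))
    return state[:8]  # 8-byte MIC

def seal(tk: bytes, pn: int, header: bytes, payload: bytes) -> bytes:
    """Encrypt payload + MIC; the header stays in the clear but is covered by the MIC."""
    return ctr_xor(tk, pn, payload + cbc_mac(tk, pn, header, payload))

class Receiver:
    """Checks the 48-bit packet number for replay, then the MIC."""
    def __init__(self, tk: bytes):
        self.tk, self.last_pn = tk, -1

    def open(self, pn: int, header: bytes, sealed: bytes) -> bytes:
        if pn <= self.last_pn:
            raise ValueError("replayed packet number")
        body = ctr_xor(self.tk, pn, sealed)
        payload, mic = body[:-8], body[-8:]
        if not hmac.compare_digest(mic, cbc_mac(self.tk, pn, header, payload)):
            raise ValueError("MIC failure")
        self.last_pn = pn
        return payload
```

Changing a single byte of the cleartext header, or resending an already accepted packet number, makes `Receiver.open` raise instead of returning data.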
802.11i – A New Solution
• AES-CCMP vs. WEP
  – AES vs. RC4
  – 128-bit vs. 104-bit Key
  – Block Cipher vs. Stream Cipher
  – 48-bit vs. 24-bit Initialization Vector
  – CBC-MAC vs. RC4
  – New vs. Established
802.11i – A New Solution
• Temporal Key Integrity Protocol (TKIP)
  – Features
    • 128-bit RC4
    • Per-Packet Key Mixing
    • Enhanced Initialization Vectors including Sequencing Rules
    • 802.1x Key Assignment (TK from PTK)
    • Michael MIC
    • Runs on Legacy Hardware
802.11i – A New Solution
Courtesy of: How Secure Is Your Wireless Network? Safeguarding Your Wi-Fi LAN
802.11i – A New Solution
• TKIP – Phase 1
  – Source MAC XORed with TK = Mixed Key
• TKIP – Phase 2
  – Mixed Key XORed with TKIP Sequence Counter = Per-Packet Mixed Key
  – Feed to WEP Engine as 128-bit Key
802.11i – A New Solution
• Michael MIC
  – 64-bit MIC Key, Source Address, Destination Address, and Plain Text used to Generate 8 Byte MIC Hash
  – MIC Replaces CRC
  – Plain Text + MIC are Fed to WEP Engine as Plain Text
    • WEP Now Performs RC4 Operations Using 128-bit Key and Plain Text + MIC
802.11i – A New Solution
• Michael’s Countermeasure
  – If CRC, Integrity Check Value, and IV Fail Verification, Only then Check MIC
    • Avoids False Positive
  – If All Fail, Attack Underway
    • Stop Using Current Keys & Re-Key
    • Rate Limit Re-Keying to Once Per Minute
802.11i – A New Solution
• AES-CCMP vs. TKIP
  – AES vs. RC4
  – Block vs. Stream Cipher
  – CBC-MAC vs. RC4
  – New Hardware vs. Existing Hardware
  – New vs. Relatively New
802.11i – A New Solution
• Additional Features of 802.11i
  – Pre-Shared Key (PSK)
    • Utilized instead of PMK, Less Secure?
    • Home or Ad Hoc Network
  – Password-to-Key Mapping
    • Generates 256-bit PSK from ASCII
  – Random Number Generation
    • Established Minimum Guideline
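The password-to-key mapping above and the PTK construction from the 4-Way Handshake slides, as an added example that is not part of the original presentation. It assumes pre-shared key mode (the PSK takes the place of the PMK) and a CCMP-sized 384-bit PTK; the MAC addresses and the handshake message body are constructed stand-ins, not a real frame layout.

```python
import hashlib
import hmac
import os

def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """Password-to-key mapping: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK from PMK, both MAC addresses and both nonces, split into KCK, KEK and TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def mic(kck: bytes, message: bytes) -> bytes:
    """Simplified MIC: HMAC-SHA1 under the KCK, truncated to 128 bits."""
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]

def handshake(ap_pass: str, sta_pass: str, ssid: str = "IEEE") -> bool:
    """Steps 1-3, up to the point where the authenticator verifies the MIC."""
    aa = bytes.fromhex("020000000001")    # constructed authenticator MAC
    spa = bytes.fromhex("020000000002")   # constructed supplicant MAC
    anonce = os.urandom(32)               # step 1: authenticator -> supplicant
    snonce = os.urandom(32)               # step 2: generated by the supplicant
    sta = derive_ptk(passphrase_to_psk(sta_pass, ssid), aa, spa, anonce, snonce)
    msg2 = b"message-2|" + snonce         # constructed stand-in for the message body
    sent_mic = mic(sta["KCK"], msg2)      # supplicant sends Snonce + MIC
    ap = derive_ptk(passphrase_to_psk(ap_pass, ssid), aa, spa, anonce, snonce)
    return hmac.compare_digest(mic(ap["KCK"], msg2), sent_mic)  # step 3 check

if __name__ == "__main__":
    print(handshake("password", "password"), handshake("password", "passw0rd"))
```

Neither the passphrase nor the PMK crosses the air: the authenticator learns that the supplicant holds the right key only because the MIC computed under the derived KCK matches.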
802.11i – A New Solution
• 802.11i & WPA 2
  – Wi-Fi Alliance Certification Program for 802.11i Compliance
  – Possibly Misleading, WPA Hardware May Not Be Compatible
    • TKIP is in WPA & WPA 2
    • Most WPA Hardware Not Capable of AES-CCMP
  – User-Friendly Name for 802.11i
Conclusion
• 802.11i Shows Promise, Only Proven with Test of Time
• Performance/Security Trade-off Worth it?
• May Not Be as Important to Home Users as it is for Enterprises
Conclusion
• With Major Investment in Last 5 Years in 802.11b, New Hardware May Not Be Adopted Promptly
• Why Buy 802.11i Instead of 802.16 or 802.20?
• Where is the Hardware?
Questions & Answers
Security in Wireless Networks
802.11i
Next Time…
Advances in Optical Networks
SONET
April 19, 2005
References
• Wireless Security’s Future (PDF)
• Intercepting Mobile Communications: The Insecurity of 802.11 (PDF)
• IEEE 802.11i Overview (PDF)
• 802.11i and Wireless Security
• 802.11 Security
• Wikipedia – Block Cipher Modes of Operation
• Wikipedia – Advanced Encryption Standard