Wireless Networks Mahalingam Ramkumar

Still Image Compression
web.cse.msstate.edu/~ramkumar/wep.pdf



Wireless Dimension

● Access to Medium: unlike the wired medium (cables), the wireless medium (air) is ubiquitous, hence access restrictions to the medium must be handled explicitly, whereas in wired environments they are implicit.

● War Dialing: attacker gains access to the wired medium by exhaustive dialing of phone numbers.

● War Driving: attacker gains access to the wireless medium by just driving by the network coverage area.

How is wireless different?

● The Medium
  – Wireless medium has no explicit boundary
  – This property weakens privacy and authentication mechanisms adopted from the wired environment

● Portability
  – Wireless devices are smaller in size and portable
  – Data in portable devices require more protection than data on non-portable devices
  – Mechanisms to recover stolen or lost devices are important
  – Mechanisms for self-destruction of data are also important

How is wireless different?

● Mobility brings even bigger challenges
  – Trust in infrastructure
    ● Wired networks assume a certain level of trust in the local infrastructure (we trust our routers)
    ● In wireless networks this is a weak assumption
    ● Would you put the same level of trust in an Access Point at JFK as you put in your home AP?
    ● Security mechanisms should anticipate these variances in trust
    ● Security mechanisms should be independent of location.

How is wireless different?

● Mobility
  – Trust in location
    ● Wired networks implicitly assume the network address is equivalent to physical location (130.18.x.x is MSU)
    ● In wireless networks the physical location is not tied to the network address. The physical location may change transparently to end nodes.
  – Privacy of location
    ● On a wired network, privacy of location is not a concern
    ● In wireless networks, location privacy of the user is a serious issue because users can be tracked, their travel behaviors can be used for marketing purposes, etc.
    ● A similar scenario exists on the Web: a user's web surfing pattern can be tracked, and this raised several privacy issues in 1999 (DoubleClick's cookie tracking)

How is wireless different?

● Processing power, memory & energy requirements
  – Hand-held devices have stringent processing power, memory, and energy constraints
  – Current security solutions require expensive processing power & memory
  – Hand-held devices mandate inexpensive substitutes for
    ● Crypto algorithms (AES instead of 3-DES)
    ● Authentication schemes
      – Better one-time password schemes with feasible remote key updates

How is wireless different?

● Network Topologies
  – Wired networks usually rely on network topology to deploy security solutions
    ● E.g.: a firewall is installed on a machine where all traffic is visible
  – Wireless networks (esp. ad-hoc) have dynamic topologies
  – Wireless networks may not have a single point of convergence (hidden host problem!)
  – Wireless networks put emphasis on host-based solutions, e.g. distributed firewalls

Wireless LAN (WLAN) Technology

● Based on 802.11b technology
● Uses Direct Sequence Spread Spectrum (DSSS) modulation at 2.4 GHz
  – Free, public frequency
● Serves as an Ethernet-to-wireless bridge
● Speed between 1 and 11 Mbps (shared bandwidth)
● Most Access Points (APs) include:
  – DHCP Client (LAN port)
  – DHCP Server (wireless port)
  – NAT

802.11 Components

● A MAC, PHY layer specification
● Serves mobile and portable devices
● Provides transparency of mobility
● Appears as an 802 LAN to LLC
● Basic Service Set (BSS)
● Extended Service Set (ESS)
● Distribution System (DS)
● Station (STA)
● STAs that provide access to the Distribution System Service (DSS) are Access Points (AP)
● 802.11 supports Ad-hoc networking
● Provides link level security

[Figure: Components of 802.11. Two cells, BSS (1) and BSS (2), each containing a station that acts as AP (STA 1 (AP), STA 2 (AP)), joined through the DS.]

WLAN Basic Service Set

● AP
  – Connects WLAN to / extends wired network
  – More units deliver higher speed and greater area coverage
● Client
  – Many media (PCI, PCMCIA, etc.)
  – Support for multiple operating systems


WLAN Extended Service Set

● Two or more wired networks connected by wireless “bridge”


WLAN Ad Hoc (Peer-to-Peer) Service Set

● Two or more wireless-enabled devices create own wireless network without an AP

Wired Equivalent Privacy (WEP)

● Wired equivalent privacy?
  – Wireless medium has no packet boundaries
● WEP controls access to the LAN via authentication
  – Wireless is an open medium
● Provides link-level security equivalent to a closed medium
● No end-to-end privacy
● Security Goals of WEP
  – Access Control
    ● Provide access control to the underlying medium through authentication
  – Confidentiality
    ● Provide confidentiality to data on the underlying medium through encryption
  – Data Integrity
    ● Provide means to determine integrity of data between links

Wired Equivalent Privacy (WEP)

● An attack on WEP should compromise at least one of these properties
● Three levels of security
  – Open system: WEP is disabled in this mode. No security.
  – Shared Key Authentication: provides access control to the medium
  – Encryption: provides confidentiality to data on the network
● You can have confidentiality on an open system
  – That is, you can encrypt all the traffic and not have access control to the medium!
  – Also means a wily hacker can have all his traffic encrypted on our network so that no one can "see" what he is doing!

Claimed Properties of WEP

● It is reasonably strong (?!!)
  – Withstands brute force attacks and cryptanalysis
● It is self-synchronizing
  – Uses a self-synchronizing stream cipher
● It is efficient
  – Hardware/software implementation
● It is exportable (does not matter anymore)
  – Rest of the world needs security too!
● It is optional
  – WEP layer should be independent of other layers

Current Security

● SSID
● MAC address filtering
● WEP

Unfortunately, most of these mechanisms are off by default.

All of these mechanisms have problems.

802.11b Network Security Issues

● "Out-of-the-Box" settings create an open network
● No real user identification and authentication
● No support for SecureID, PKI, etc.
● Encryption methods vulnerable to known plaintext attack
  – WEP implementation of RC4
  – "Default keys" proliferation
● Service Set Identifiers (SSID) broadcast "in the clear"
● Unauthorized users can join the network and inject traffic

802.11b Issues (cont.)

● Wireless cards broadcast their MAC address
  – Easily captured and programmed onto another card
● Use of network name as the shared secret for authentication
  1. "Sniff" network name
  2. Reconfigure device to show membership
  3. Reboot
  4. Access target network
● Rogue APs
  – Shared-key authentication is one-way only
  – User cannot authenticate an AP
  – Unauthorized access can serve as a launch pad for DoS attacks by "hijacking" legitimate clients

Vernam Ciphers

The WEP encryption algorithm RC4 is a Vernam Cipher:

[Figure: Encryption key K drives a pseudo-random number generator that outputs random byte b; plaintext data byte p ⊕ b gives ciphertext data byte c.]

Decryption works the same way: p = c ⊕ b

WEP crypto function

● WEP uses the RC4 PRNG
● CRC-32 is the integrity algorithm
● IV is renewed for each packet (usually iv++)
● Actual key size = (vendor-advertised size – 24)
● ICV is the Integrity Check Value (CRC-32)

[Figure: WEP encipherment. The 24-bit init. vector and the 40-bit secret key form the 64-bit seed of the WEP PRNG, which outputs the key sequence; the integrity algorithm computes the ICV over the plaintext; plaintext + ICV is XORed with the key sequence to give the cipher text, and the message sent is IV followed by cipher text.]

WEP Frame

● Key id is used to choose between four secret keys
● ICV is the integrity checksum (CRC-32)
● Pad is zero. Unused.

[Figure: WEP frame layout. IV field (4 octets) = IV (3 octets) + pad (6 bits) + Key id (2 bits); PDU (>= 1 octet); ICV (4 octets).]

RC4 algorithm

● Proprietary algorithm belonging to RSADS Inc.
● Secret key stream cipher.
● Variable length key (up to 2048 bits).
● Fairly fast (1 Mbyte/sec on a 33 MHz processor).
● Claimed to be very strong.
● Exportable outside the U.S.
● Algorithm leaked onto the Internet in 1994.

Properties of Vernam Ciphers

What happens when p1 and p2 are encrypted under the same "random" byte b?

c1 = p1 ⊕ b
c2 = p2 ⊕ b

Then:

c1 ⊕ c2 = (p1 ⊕ b) ⊕ (p2 ⊕ b) = p1 ⊕ p2

Conclusion: it is a very bad idea to encrypt any two bytes of data using the same byte output by a Vernam Cipher PRNG. Ever.

Attacks on WEP

● Stream ciphers and keystream reuse
  – Stream ciphers expand a secret key to a stream of pseudo-random numbers
  – Message is XORed (denoted by '+' hereafter) with the random number stream to produce the cipher text
  – Suppose two messages used the same secret key; then the stream cipher is easily broken, so WEP uses an IV to extend the life of the secret key
  – But reusing an IV is the same as reusing the secret key
  – Given two cipher texts with the same IV, we can remove the effects of XORing with the RC4 stream (for the same secret key):

    C1 = P1 + RC4(IV, key)
    C2 = P2 + RC4(IV, key)
    but… (C1 + C2) = (P1 + P2), and (P1 + P2) can be easily cryptanalyzed

Attacks on WEP

● Two assumptions for this attack
  – Availability of ciphertexts with the same IV
    ● IV length is fixed at 24 bits (2^24 = 16,777,216)
    ● Implementations make the reuse factor worse
    ● Every time a card is initialized the IV is set to zero
    ● IV collisions usually occur after only 5,000 packets
    ● So, obtaining cipher text with the same IV is practical
  – Partial knowledge of plaintexts
    ● Can use legitimate traffic to obtain known plaintexts, e.g. "Login:", "password:" prompts in a telnet session
    ● Bouncing spam off a mail server through the wireless network

Dictionary Attack

● Once the plaintext corresponding to a ciphertext is obtained, it is possible to decrypt any ciphertext for the same key and IV. Can be done in real time!
● A dictionary of IVs (~2^24 entries) can be built
  – For each IV find the associated key stream: Ci = Pi + RC4(IVi, key). Tabulate these two fields, searchable by IV
  – For each packet, scan the table to find the IV first and then XOR the message with the corresponding keystream in the dictionary to decrypt the message. Cn = Pn + RC4(IV, key); we know RC4(IV, key) from the dictionary and we know Cn, so we can find Pn!
● Size of the dictionary depends on the size of the IV, which is fixed by the standard at 24 bits!
● Increasing the key size has no effect on this attack!

Key Management

● WEP does not specify how keys are to be managed.
● Assumes an array of four possible keys is somehow populated.
● Each message contains the index of the key used.
● Most installations use a single key for the entire network.
● Changing keys requires every single user to reconfigure their wireless drivers!! Hence keys are seldom changed.

Message Modification

● ICV is not key based: CRC-32.
● It is linear, i.e. crc(x + y) = crc(x) + crc(y).
● Given C = RC4(v,k) + (M, crc(M)) it is possible to find a new ciphertext C' which decrypts to M' = M + d where d is arbitrary!!
● To do this, XOR (d, crc(d)) with C.
● C' = C + (d, crc(d)) = RC4(v,k) + (M, crc(M)) + (d, crc(d))
     = RC4(v,k) + (M + d, crc(M) + crc(d))
     = RC4(v,k) + (M + d, crc(M + d))
     = RC4(v,k) + (M', crc(M'))
● So you can change the first bit of the plaintext by choosing d to be 100…000. And so on …
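The construction above rests on the ICV being an unkeyed, linear checksum. The following is an added example, not code from the slides or from any WEP implementation: it builds a WEP-style frame body with a constructed constant keystream standing in for RC4(v, k), applies the (d, crc(d)) patch with no key, shows the receiver's CRC-32 check still passing, and then shows the same bit flips rejected once the ICV is replaced by a keyed MIC (HMAC-SHA256 under a constructed per-session key). One caveat the slide glosses over is carried in the code: the deployed CRC-32 starts its register at 0xFFFFFFFF and complements its output, so crc(x + y) equals crc(x) + crc(y) + crc(0…0) rather than crc(x) + crc(y), and the patch has to use that linear part.

```python
# Added example, not part of the slides: why the CRC-32 ICV lets a frame be
# altered without the key (Message Modification slide), and what a keyed MIC
# changes. KEYSTREAM is a constructed constant standing in for RC4(v, k); the
# property shown holds for any stream cipher because only the XOR matters.
import hashlib
import hmac
import zlib

KEYSTREAM = hashlib.sha256(b"constructed keystream stand-in").digest() * 2  # 64 bytes
MIC_KEY = b"constructed per-session MIC key"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(msg: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext as 4 octets (byte order is immaterial here)."""
    return zlib.crc32(msg).to_bytes(4, "little")


def wep_frame_body(plaintext: bytes) -> bytes:
    """Sender: (M, crc(M)) XOR RC4(v, k), with KEYSTREAM playing RC4(v, k)."""
    body = plaintext + icv(plaintext)
    return xor_bytes(body, KEYSTREAM[: len(body)])


def wep_decrypt_and_check(body: bytes):
    """Receiver: strip the keystream, recompute CRC-32, return (M, accepted)."""
    clear = xor_bytes(body, KEYSTREAM[: len(body)])
    msg, tag = clear[:-4], clear[-4:]
    return msg, tag == icv(msg)


def crc_linear_part(delta: bytes) -> bytes:
    """The slide writes crc(x + y) = crc(x) + crc(y). Deployed CRC-32 starts
    its register at 0xFFFFFFFF and complements the result, so it is affine:
    crc(x + d) = crc(x) + crc(d) + crc(0...0) for equal lengths. This returns
    crc(d) + crc(0...0), the part that depends only on d, which is all the
    slide's construction needs."""
    return xor_bytes(icv(delta), icv(bytes(len(delta))))


def flip_without_key(body: bytes, delta: bytes) -> bytes:
    """Message Modification slide: C' = C + (d, crc-part(d)). No key involved."""
    if len(delta) != len(body) - 4:
        raise ValueError("delta must cover exactly the message bytes")
    return xor_bytes(body, delta + crc_linear_part(delta))


def keyed_frame_body(plaintext: bytes) -> bytes:
    """Hardened variant: an HMAC-SHA256 MIC under a per-session key instead of
    CRC-32 (the 'keyed MIC' the WEP2 slide notes WEP lacks)."""
    body = plaintext + hmac.new(MIC_KEY, plaintext, hashlib.sha256).digest()
    return xor_bytes(body, KEYSTREAM[: len(body)])


def keyed_check(body: bytes):
    """Receiver for the hardened variant: recompute the MIC over the recovered
    message and compare in constant time; return (M, accepted)."""
    clear = xor_bytes(body, KEYSTREAM[: len(body)])
    msg, tag = clear[:-32], clear[-32:]
    expected = hmac.new(MIC_KEY, msg, hashlib.sha256).digest()
    return msg, hmac.compare_digest(tag, expected)


def demo():
    """Flip the same bits in a CRC-protected and an HMAC-protected frame."""
    original = b"PAY 0010 TO BOB "                 # constructed 16-byte message
    wanted = b"PAY 9999 TO BOB "
    delta = xor_bytes(original, wanted)            # d = M + M'
    msg, ok = wep_decrypt_and_check(flip_without_key(wep_frame_body(original), delta))
    kmsg, kok = keyed_check(xor_bytes(keyed_frame_body(original), delta + bytes(32)))
    return msg, ok, kmsg, kok                      # (M', True, M', False)


if __name__ == "__main__":
    print(demo())
```

demo() returns the altered message twice: once accepted by the CRC-32 check, once rejected by the HMAC check. The only difference between the two frames is whether the integrity tag depends on a key the forger does not hold.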

Message Injection

● If you know one (C, P) ciphertext, plaintext pair for an IV and key, then you can inject any message with the same IV.
● This is because P + C = P + (P + RC4(v, k)) = RC4(v, k).
  – Which is the key stream
  – And it can be reused indefinitely (almost)
● The key seldom gets changed and IV reuse happens often, so this is not a problem for the attacker.
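The keystream recovery this slide describes, together with the IV-collision property of the Vernam Ciphers and Attacks on WEP slides and the table-driven decryption of the Dictionary Attack slide, in runnable form. This is an added example, not code from the slides or from any WEP implementation: a textbook RC4, a WEP-40 body encryption with the seed IV || key from the WEP crypto function slide (ICV omitted, since it does not affect the property), two constructed frames sent under the same IV, and a defender-side find_iv_reuse check of the kind a monitor of a WEP cell would run. The key, the IVs and the frame contents are constructed.

```python
# Added example, not part of the slides: RC4 as WEP seeds it, the IV-collision
# property from the Vernam-cipher slides, and a defender-side IV-reuse check.
# The key, IVs and frame contents are constructed for this file.
from collections import Counter


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # KSA
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; this is the whole of the Vernam encryption step."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-40 body: RC4 seeded with the 3-byte IV followed by the 40-bit secret
    key (the 24 + 40 = 64 bit seed of the WEP crypto function slide). The ICV
    is left out; it does not change the keystream-reuse property shown here."""
    if len(iv) != 3 or len(key) != 5:
        raise ValueError("WEP-40 uses a 3-byte IV and a 5-byte key")
    return xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def keystream_from_known_pair(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Message Injection slide: P + C = RC4(IV, key). One known pair leaks the
    keystream for that (IV, key) without revealing the key itself."""
    return xor_bytes(ciphertext, plaintext)


def recover_second_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Dictionary Attack slide: once the keystream for an IV is tabulated,
    every later frame under the same IV and key decrypts with one XOR."""
    return xor_bytes(c2, keystream_from_known_pair(c1, p1))


def find_iv_reuse(frames):
    """Defender-side check: frames is a list of (iv, ciphertext) observed under
    one key; return the IVs seen more than once, sorted. This is the condition
    the attack needs, so it is what a monitor of a WEP cell should flag."""
    counts = Counter(iv for iv, _ in frames)
    return sorted(iv for iv, n in counts.items() if n > 1)


if __name__ == "__main__":
    key = b"\x01\x23\x45\x67\x89"                 # constructed 40-bit key
    iv = b"\x00\x00\x01"                          # constructed IV, reused below
    p1 = b"Login: alice    "                      # predictable prompt, i.e. known plaintext
    p2 = b"secret payload 2"
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    assert xor_bytes(c1, c2) == xor_bytes(p1, p2)   # the keystream cancels
    print("recovered:", recover_second_plaintext(c1, p1, c2))
    print("reused IVs:", find_iv_reuse([(iv, c1), (b"\x00\x00\x02", b""), (iv, c2)]))
```

Run stand-alone, the script prints the second frame's plaintext recovered from the first frame's known plaintext, and lists the reused IV. Changing the second frame's IV to a fresh value makes the cancellation fail, which is the whole reason the 24-bit IV space and the iv++ reset-to-zero behaviour from the Attacks on WEP slide matter.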

Attack on Access Control

● It is possible to get authenticated without knowing the secret key! (shown in red in the original figure)
● We only need a plaintext, ciphertext pair from one legitimate authentication (shown in black), and we can authenticate ourselves for the same key.

[Figure: two exchanges side by side. Normal session (client and server): client sends Request.Authentication; server replies with a 128-octet nonce; client returns nonce + RC4(IV, key) together with the IV; server decrypts the packet, verifies the nonce, and signals "Request received". Hacker using data obtained from the previous session (hacker and server): the same exchange, where the hacker answers the new nonce with nonce + RC4(IV, key) under the same IV, using the keystream recovered from the observed plaintext, ciphertext pair; the server decrypts, verifies the nonce, and accepts.]

ARP Spoofing

● Wireless AP is a transparent bridge
● New hardware, same old problems (and a few new ones)
● Subject to a man-in-the-middle attack

[Figure: Attacker, Victim A and Victim B attached to a Switch. The attacker announces "I am A"; traffic B --> A is delivered to the attacker, who copies and forwards it.]

ARP Spoofing (cont.)

● This attack also translates to a wireless network
● It also may compromise the integrity of a wired network (from the parking lot…). So much for wired security…

[Figure: the same setup, with the attacker reaching the Switch through an 802.11b Access Point: "I am A", B --> A, copy and forward.]
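Because the AP is a transparent bridge, an ARP reply sent from the radio side reaches every host on the wired segment, so the place to watch for the "I am A" claim above is the segment the AP hangs off. The following is an added example, not code from the slides: a small detector that reads constructed ARP reply records and reports an IP address claimed by more than one hardware address, optionally checked against a trusted IP-to-MAC table such as the DHCP lease list. The record format, the addresses and the timestamps are constructed.

```python
# Added example, not part of the slides: a conflict monitor over ARP replies of
# the kind a defender runs on the wired segment the AP bridges onto. The
# replies below are constructed records, not captures.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    timestamp: float      # seconds, relative; constructed
    sender_ip: str        # the IP the sender claims ("I am A")
    sender_mac: str       # the hardware address it wants that IP bound to


def detect_arp_conflicts(replies, trusted=None):
    """Return (timestamp, ip, expected_mac, seen_mac) alerts.

    Without `trusted`, an IP is bound to the first MAC that claims it and any
    later claim by a different MAC is reported once per new MAC. With a
    `trusted` {ip: mac} table (DHCP leases, inventory), every reply that
    contradicts it is reported, since each such reply is a spoofed frame."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    seen = defaultdict(set)
    alerts = []
    for r in sorted(replies, key=lambda x: x.timestamp):
        mac = r.sender_mac.lower()
        expected = trusted.get(r.sender_ip)
        if expected is not None:
            if mac != expected:
                alerts.append((r.timestamp, r.sender_ip, expected, mac))
        elif seen[r.sender_ip] and mac not in seen[r.sender_ip]:
            first = min(seen[r.sender_ip])
            alerts.append((r.timestamp, r.sender_ip, first, mac))
        seen[r.sender_ip].add(mac)
    return alerts


# Constructed sample: A and B announce themselves, then a third card claims A's IP.
SAMPLE_REPLIES = [
    ArpReply(1.0, "10.0.0.10", "aa:aa:aa:aa:aa:01"),
    ArpReply(2.0, "10.0.0.20", "aa:aa:aa:aa:aa:02"),
    ArpReply(3.5, "10.0.0.10", "cc:cc:cc:cc:cc:99"),   # "I am A" from another card
    ArpReply(4.0, "10.0.0.10", "cc:cc:cc:cc:cc:99"),   # the same claim repeated
]

if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_REPLIES):
        print("ARP conflict:", alert)
```

Without a trusted table the detector cannot tell which of the two claimants is the real A; it only knows the binding changed, which is why the slides' advice to put the AP on its own segment helps: a per-segment DHCP lease table gives the monitor an authoritative answer.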

Other Mechanisms

If these mechanisms are insufficient, what else can we do?

● Don't trust the wireless network
  – Put it behind a firewall
  – Place the AP on its own network segment
● Use a VPN to secure the connection
● Encrypted application protocols
  – SSH, SSL/TLS, etc.

General authentication requirements for access to networks

● Unique identification of users at the edge of the network
● Identity take-over must be impossible
● Ease of use for the end-user
● Per-institution provisioning of users in one database of the institution's network
● Low maintenance
● Ease of use for guests
● Enabling various authentication mechanisms

WEP2 – Some Proposed Modifications

● Increases size of IV space to 128 bits
● VPN
● Use of EAP for authentication within IEEE 802.1X (off-line password guessing attacks)
  – Key may be changed periodically via IEEE 802.1X re-authentication to avoid staleness
  – No keyed MIC
  – No authentication for re-associate, disassociate (Denial of Service attacks)
  – No IV replay protection

VPN-based Security

[Figure: 802.11 terminals connect through 802.11 APs across the public network (encrypted) to a Contivity VPN gateway in front of the Enterprise Network, which is the private network (unencrypted).]

RC4 and IPSec Use

[Figure: Wireless client, AP and VPN Device in a row. WEP security (RC4) covers the wireless client to AP link; IPSec security covers the path from the wireless client to the VPN device.]

IEEE 802.1X

● Access solution (Layer 2) between client and AP
● Several available authentication mechanisms (EAP-MD5, EAP-TLS, EAP-TTLS, PEAP)
● Standardised
● Also encrypts all data, using dynamic keys
● RADIUS back end:
  – Scaleable
  – Re-use existing trust relationships
● Client software necessary (OS built-in or third-party)

802.1X ≠ 802.11x

● 802.11x is sometimes used to summarise all Ethernet standards (i.e. 802.11a, 802.11b), but it is not a standard!
● 802.1X is a standard from the 802.1a, 1b series, developed by 3Com, HP, and Microsoft
● 802.1X is a transport mechanism. The actual authentication takes place in the EAP protocol on top of 802.1X.


802.1x Framework


Pre-Authentication State


Post-Authentication State

EAP over 802.1x

● Extensible Authentication Protocol (RFC 2284) provides an architecture in which several authentication mechanisms can be used:

  EAP-MD5     Username/Password (unsafe)
  EAP-TLS     PKI (certificates), strong authentication
  EAP-TTLS    Username/Password (safe)
  MS-CHAPv2   Microsoft Username/Password (not safe)
  LEAP/PEAP   Microsoft/Cisco tunnel module for safe transport of MS-CHAPv2

Protocol Overview

[Figure: protocol stack made of the labels 802.11, PPP, 802.1X, EAP, MD5, TLS, TTLS, PEAP, MS-CHAPv2, CHAP, PAP. EAP runs over 802.1X on 802.11, or over PPP; MD5, TLS, TTLS and PEAP are EAP methods; MS-CHAPv2, CHAP and PAP appear as inner methods carried inside the TTLS/PEAP tunnels, with EAP itself also carried inside.]


EAP Messages

LEAP

● Lightweight Extensible Authentication Protocol
● An authentication protocol based on IETF RFC 2284, Extensible Authentication Protocol, or EAP
● Provides mutual authentication between Cisco Aironet client cards and a backend RADIUS server
● Developed by Cisco Systems
● Also called EAP-Cisco Wireless
● Implemented in Cisco Aironet wireless NICs

Simplified Architecture of LEAP

[Figure: User Machine (with client adapter) communicates by radio transmissions with the Access Point, which sits on the wired Ethernet LAN together with the Radius Server and its Auth dB.]

LEAP / Cisco Solution

[Figure: Access Point and Auth dB, annotated with the seven numbered steps below.]

1. Client associates with access point
2. Access point blocks all user requests to access LAN
3. User performs network log-on (User ID and password)
4. RADIUS server and client mutually authenticate and derive WEP session key
5. RADIUS server delivers session key to access point
6. Client and access point activate WEP
7. Client and access point use WEP and key for protection of transmissions


LEAP / Cisco Solution – Sequence of Events

Step 1. A wireless client performs an 802.11b association with an access point (AP).

Step 2. The AP blocks all attempts to gain access to the network (access control is provided until successful authentication occurs).

Step 3. The user supplies a user ID and password in the network logon box (or equivalent).

Step 4. The wireless client and the RADIUS server mutually authenticate (several methods exist). If bilateral authentication is successful, the client and RADIUS server compute a pair-wise WEP session key.


LEAP / Cisco Solution – Sequence of Events

Step 5. The RADIUS server communicates the user WEP key to the AP.

Step 6. Both the client and AP activate WEP for encryption.

Step 7. The client and AP use the WEP session key and WEP for encryption of radio traffic.

Mutual Authentication

[Figure: User Machine (with client adapter), Access Point, wired Ethernet LAN, Radius Server with Auth dB. Client and server each ask the other: "Are you who you say you are?"]

MD5 Authentication of User to Network – Conceptually

[Figure: the client sends its User ID; the network returns a Challenge; the client hashes its Password with the Challenge and sends the Response; the network looks up the user's Password in the Auth dB, computes the same Hash and compares (=?); on a match both sides derive a Key and the network determines the action.]

Secure Channels – Unique Keys per User per Session

[Figure: Radius Server with Auth dB on the wired Ethernet LAN; User1 through User5 each hold their own key K1 through K5. Caption: "Keys are shared between AP and all users".]

Anonymity within LEAP

[Figure: User Machine (with client adapter), Access Point, wired Ethernet LAN, Radius Server with Auth dB.]

● User / client will disclose some information, violating anonymity.
● Disclosed parameters:
  – MAC Address
  – Programmed SSID
  – User ID

Wireless Snooping of Responses on Password-based Schemes

[Figure: User Machine (with client adapter), radio transmissions, Access Point, wired Ethernet LAN, Radius Server with Auth dB.]

● Adversary can eavesdrop on the wireless link
● Capture:
  – User IDs
  – Random challenges
  – Responses (hashed passwords)

MD5 Authentication of User to Network – Conceptually (with stolen parameters)

[Figure: the same diagram as before (User ID, Challenge, Response, Password, Hash, =?, Auth dB, Key, Determine Action), with the User ID, Challenge and Response marked as stolen parameters.]

Conceptual Dictionary Attack – Beating Low Entropy Passwords

[Figure: flowchart. Inputs: captured User IDs, challenges and responses, plus dictionaries of possible passwords in an indexed database. Loop: select a user and its challenge/response; take the possible password at the current index; compute the response as Hash(password, challenge); compare the computed response with the captured response (=?). No: increment the index and check the next database entry. Yes: password located, password cracked, masquerade.]
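The flowchart above works because the response is a hash the verifier can recompute from the password alone, so anyone holding the captured User ID, Challenge and Response can run the verifier's own check. The following is an added example, not code from the slides or from any EAP implementation: a CHAP-style MD5 challenge/response modelled on RFC 1994 (Response = MD5(Identifier || secret || Challenge), the construction EAP-MD5 inherits), with both sides of the exchange, the three values a radio eavesdropper records, and the offline check of a candidate list that those values permit. Names, passwords and the candidate list are constructed.

```python
# Added example, not part of the slides: the CHAP-style MD5 challenge/response
# behind EAP-MD5 (RFC 1994: Response = MD5(Identifier || secret || Challenge)),
# with both parties in one file, and the property the snooping and dictionary
# slides describe: the check the server runs needs nothing a passive listener
# lacks. User names, passwords and the candidate list are constructed.
import hashlib
import hmac
import os
from typing import Optional


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """RADIUS-side role: holds the password store (the slides' 'Auth dB')."""

    def __init__(self, password_db):
        self.db = dict(password_db)

    def challenge(self) -> bytes:
        return os.urandom(16)                    # fresh random challenge

    def verify(self, user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.db.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def run_exchange(server: Authenticator, user: str, password: bytes, identifier: int = 1):
    """One round trip over the air. The returned dict holds exactly what an
    eavesdropper on the radio link sees (User ID, Challenge, Response), plus
    the server's decision."""
    challenge = server.challenge()
    response = chap_response(identifier, password, challenge)
    accepted = server.verify(user, identifier, challenge, response)
    return {"user": user, "id": identifier, "challenge": challenge,
            "response": response, "accepted": accepted}


def offline_guess(captured: dict, candidates) -> Optional[bytes]:
    """Conceptual Dictionary Attack slide: the same computation the server does,
    run against a candidate list with no further network interaction. A low
    entropy password falls to this; the fix the deck arrives at is to carry
    the method inside a TLS tunnel (EAP-TTLS/PEAP) so the exchange never
    crosses the air in the clear, or to use EAP-TLS, which has no password
    to guess."""
    for cand in candidates:
        if chap_response(captured["id"], cand, captured["challenge"]) == captured["response"]:
            return cand
    return None


if __name__ == "__main__":
    server = Authenticator({"alice": b"winter2003"})        # constructed account
    seen = run_exchange(server, "alice", b"winter2003")
    print("accepted:", seen["accepted"])
    print("offline match:", offline_guess(seen, [b"password", b"letmein", b"winter2003"]))
```

Note that the server's verify() and the listener's offline_guess() call the same chap_response(); nothing in the protocol distinguishes the two callers. That is the reason the later slides rate EAP-MD5 "unsafe" and EAP-TTLS "safe": the tunnel, not the hash, is what keeps the Challenge and Response off the air.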

EAP-TTLS

[Figure: User Machine (with client adapter), Access Point, TLS Server, Radius Server with Auth dB. A secure data tunnel runs from the client to the TLS server, and a secure password authentication tunnel is carried inside it.]

EAP-TTLS Protocol Overview

● Two phases
  – TLS handshake phase
  – TLS tunnel phase
● Phase 1 is used to authenticate the TTLS server to the client (and optionally, vice versa)
  – Result is activation of a cipher suite
  – Allows Phase 2 to proceed (using the TLS record layer)
● Phase 2 uses the TLS record layer to

Simplified Architecture of EAP-TTLS

[Figure: User Machine (with client adapter) communicates by radio transmissions with the Access Point on the wired Ethernet LAN; the TTLS Server and the Radius Server with its Auth dB sit behind it.]

What's Right

● Protection of the infrastructure
● Authentication mechanism can
  – change as needed
  – address flaws in existing wireless security
● Lightweight
  – No encapsulation, no per-packet overhead… simply periodic authentication transactions

What's Wrong – Technical

● One-way authentication
  – Gateway authenticates the client
  – Client has no explicit means to authenticate the gateway
  – Rogue gateways put the client at risk
● Remember: the loudest access point wins
● Still no authentication of management frames (assoc/deassoc/beacons/etc…)

What's Wrong – Technical

● MITM
  – Send "Authentication Successful" to client
  – Client associates with malicious AP
● Hijacking
  – Send disassociation message to client… AP is in the dark
  – Change MAC to the client's and have a live connection

What's Wrong – Technical

● RADIUS uses a shared secret with the Authenticator
  – Same issue as WEP, but on a more reasonable scale
● Authentication after association presents roaming problems
  – Authentication takes a non-trivial amount of time… can disrupt data in transit
● Failure of RADIUS server == failure of network
  – Many AP implementations don't allow multiple RADIUS servers
  – Most RADIUS server failover is non-transparent

What's Next

● Integration of existing solutions to "raise the bar"
● Limited 802.1x implementations
● 802.11i (Task Group I – Security)
  – On track… the right track
  – Mutual auth, per-packet auth
  – 802.1x a part of the solution

Temporal Key Integrity Protocol (TKIP)

● Designed as a wrapper around WEP
  – Can be implemented in software
  – Reuses existing WEP hardware
  – Runs WEP as a sub-component
● Fast packet keying
● Packet MAC
● Dynamic re-keying
● Key distribution via 802.1x
● Still RC4 based to be backward compatible
● AES with 802.1x keying in the distant future

TKIP design challenges

● Mask WEP's weaknesses…
  – Prevent data forgery
  – Prevent replay attacks
  – Prevent encryption misuse
  – Prevent key reuse
● … on existing AP hardware
  – 33 or 25 MHz ARM7 or i486 already running at 90% CPU utilization before TKIP
  – Utilize existing WEP off-load hardware
  – Software/firmware upgrade only
  – Don't unduly degrade performance

TKIP Design

● Build a better per-packet encryption key…
● … by preventing weak-key attacks and decorrelating the WEP IV and the per-packet key
● Must be efficient on existing hardware

[Figure: two-phase key mixing. The Phase 1 mixer takes the base key, the transmit address (example 00-A0-C9-BA-4D-5F) and the 4 most significant bytes of the packet sequence number and produces an intermediate key; the Phase 2 mixer combines the intermediate key with the 2 least significant bytes of the sequence number to produce the per-packet key.]

Further Reading – WLAN Security

● 802.1x: http://standards.ieee.org/reading/ieee/std/lanman/802.1X-2001.pdf
● RFCs: see http://www.ietf-editor.org
● EAP: RFC 2284
● EAP-MD5: RFC 1994, RFC 2284
● EAP-TLS: RFC 2716
● EAP-TTLS: http://www.funk.com/NIdx/draft-ietf-pppext-eap-ttls-01.txt
● PEAP: http://www.globecom.net/ietf/draft/draft-josefsson-pppext-eap-tls-eap-02.html
● RADIUS: RFC 2865, 2866, 2867, 2868, 2869 (I/w EAP)
● Overview of IEEE 802.11b Security, Sultan Weatherspoon
● Intercepting Mobile Communications: The Insecurity of 802.11, Nikita Borisov, Ian Goldberg et al.
● Coping with Risk: Moving to Wireless
● Using the Fluhrer, Mantin, and Shamir Attack to Break WEP, Adam Stubblefield, John Ioannidis, et al.