Upload
parry
View
52
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Wireless Security. Outlines. 802.11 Basics Security in 802.11 WEP summary WEP Insecurity. Wireless Networking. ALOHAnet 1999: IEEE 802.11a (54 Mbps) 1999: IEEE 802.11b (11 Mbps) 2003: IEEE 802.11g (54 Mbps) 2009: IEEE 802.11n (150 Mbps). IEEE 802.11 Wireless LAN. 802.11b - PowerPoint PPT Presentation
Citation preview
802.11 Basics
Security in 802.11WEP summary
WEP Insecurity
ALOHAnet1999: IEEE 802.11a (54 Mbps)1999: IEEE 802.11b (11 Mbps)2003: IEEE 802.11g (54 Mbps)2009: IEEE 802.11n (150 Mbps)
802.11b 2.4-2.485 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence spread
spectrum (DSSS) in physical layer: all hosts use same chipping code
802.11a 5-6 GHz range up to 54 Mbps Physical layer: orthogonal
frequency division multiplexing (OFDM)
802.11g 2.4-2.485 GHz range up to 54 Mbps OFDM
All use CSMA/CA for multiple access
All have base-station and ad-hoc versions
All allow for reducing bit rate for longer range
4
Wireless host communicates with a base station base station = access point (AP)
Basic Service Set (BSS) (a.k.a. “cell”) contains: wireless hosts access point (AP): base station
BSS’s combined to form distribution system (DS)
No AP (i.e., base station) wireless hosts communicate with
each other to get packet from wireless host A to B
may need to route through wireless hosts
Applications: “Laptop” meeting in conference room Vehicle Network Interconnection of “personal” devices Battlefield
802.11b: 2.4GHz-2.485GHz spectrum divided into 11 channels at different frequencies; 3 non-overlapping AP admin chooses frequency for AP interference possible: channel can be same as that
chosen by neighboring AP! AP regularly sends beacon frame
Includes SSID, beacon interval (often 0.1 sec) host: must associate with an AP
scans channels, listening for beacon frames selects AP to associate with; initiates association protocol may perform authentication After association, host will typically run DHCP to get IP
address in AP’s subnet
7
8
framecontrol duration address
1address
2address
4address
3 payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
Address 2: MAC addressof wireless host or AP transmitting this frame
Address 1: MAC addressof wireless host or AP to receive this frame Address 3: MAC address
of router interface to which AP is attached
Address 4: used only in ad hoc mode
9
Internetrouter
APH1 R1
H1 MAC addr AP MAC addr R1 MAC addraddress 1 address 2 address 3
802.11 frame
H1 MAC addr R1 MAC addr dest. address source address
802.3 frame
802.11 frame: addressing
10
Internetrouter
APH1 R1
AP MAC addr H1 MAC addr R1 MAC addraddress 1 address 2 address 3
802.11 frame
R1 MAC addr H1 MAC addr dest. address source address
802.3 frame
802.11 frame: addressing
11
Type FromAPSubtype To
APMore frag WEPMore
dataPower
mgtRetry RsvdProtocolversion
2 2 4 1 1 1 1 1 11 1
framecontrol duration address
1address
2address
4address
3 payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
frame:
frame control field expanded:
Type/subtype distinguishes beacon, association, ACK, RTS, CTS, etc frames.
To/From AP defines meaning of address fields
802.11 allows for fragmentation at the link layer
802.11 allows stations to enter sleep mode
Seq number identifies retransmitted frames (eg, when ACK lost)
WEP = 1 if encryption is used
Service Set Identifier (SSID)Differentiates one access point from
anotherSSID is cast in ‘beacon frames’ every
few seconds.Beacon frames are in plain text!Encryption
802.11 Basics
Security in 802.11WEP summary
WEP Insecurity
Why do we need the encryption? Wi-Fi networks use radio transmissions
prone to eavesdropping Mechanism to prevent outsiders from
▪ accessing network data & traffic▪ using network resources
Access points have two ways of initiating communication with a client
Shared Key or Open System authentication Open System: need to supply the correct SSID
Allow anyone to start a conversation with the AP
Shared Key is supposed to add an extra layer of security by requiring authentication info as soon as one associates
Client begins by sending an association request to the AP
AP responds with a challenge text (unencrypted)
Client, using the proper key, encrypts text and sends it back to the AP
If properly encrypted, AP allows communication with the client
1997: Original 802.11 standard only offers SSID MAC Filtering
1999: Introduce of Wired Equivalent Privacy (WEP) Several industry players formes WECA (Wireless
Ethernet Compatibility Alliance) for rapid adaption of 802.11 network products
2001: Discover weaknesses in WEP IEEE started Task Group i
2002: WECA was renamed in WI-FI 2003: WiFi Protected Access (WPA)
Interim Solution for the weakness of WEP 2004: WPA2 (IEEE-802.11i-2004)
Primary built security for 802.11 protocol
RC4 encryption 64-bits RC4 keys Non-standard extension uses 128-bit
keys
Many flaws in implementation
Interim solution for replacement of WEP
Goals: improved encryption user authentication
Two Modes WPA Personal : TKIP/MIC ; PSK WPA Enterprise : TKIP/MIC ; 802.1X/EAP
WPA-Personal Also refer to WPA-PSK (WPA Pre-shared Key) Designed for home and small office networks and
doesn't require an authentication server.
WPA-Enterprise Known as WPA-802.1X Designed for enterprise networks and requires an authentication
server An Extensible Authentication Protocol (EAP) is used for
authentication Supports multiple authentication method based on:
▪ passwords (Sample: PEAP)▪ digital certificates (Sample: TLS, TTLS)
TKIP (Temporal Key Integrity Protocol) The 128 bit RC4 stream cipher used in WPA
CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol) An AES-based encryption mechanism used in
WPA2
Approved in July 2004
AES is used for encryption
Two mode like WPA: Enterprise Mode:
▪ authentication: 802.1X/EAP▪ encryption: AES-CCMP
Personal Mode:▪ authentication: PSK▪ encryption: AES-CCMP
23
WEP WPA WPA2Cipher RC4 RC4 AESKey Size (bits) 64/128 128 128Key Life 24 bit IV 48 bit IV 48 bit IVPacket Key Concatenation Two Phase Mix Not NeedData Integrity CRC32 Michael CCMKey Management
None 802.1X/PSK 802.1X/PSK
• WEP is no longer a secure wireless method • WPA2 with AES encryption is currently the best
encryption scheme
• If on an unsecured network, use SSH or VPN tunneling to secure your data
802.11 Basics
Security in 802.11WEP summary
WEP Insecurity
26
A block of plaintext is bitwise XORed with a pseudorandom key sequence of equal length
RC4 PRNG
Header Payload ICVPayload802.11 Frame
ICV computed – 32-bit CRC of payload
CRC
32
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
KeyKeynumber
Key 1Key 2Key 3Key 4 40
4 x 40
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits IV selected – 24-bits, prepended to
keynumber
IV keynumber24 8
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits IV selected – 24-bits, prepended to
keynumber IV+key used to encrypt
payload+ICV
IV Key
ICVPayload ICVPayloadRC4
64
ICV computed – 32-bit CRC of payload One of four keys selected – 40-bits IV selected – 24-bits, prepended to
keynumber IV+key used to encrypt payload+ICV IV+keynumber prepended to
encrypted payload+ICV
ICVPayloadIV keynumberHeaderWEP Frame
Keynumber is used to select key
KeyKeynumber
Key 1Key 2Key 3Key 4 40
4 x 40
IV Key
ICVPayload ICVPayloadRC4
64
Keynumber is used to select key
ICV+key used to decrypt payload+ICV
CRCICVPayload
Header PayloadICV’
Keynumber is used to select key
ICV+key used to decrypt payload+ICV
ICV recomputed and compared against original
32
Purpose – increase the encryption key size
Non-standard, but in wide use IV and ICV set as before104-bit key selected IV+key concatenated to form 128-
bit RC4 key
IV Key
ICVPayload ICVPayloadRC4
24 104128-bits
Keys are manually distributed Keys are statically configured
often infrequently changed and easy to remember!
Key values can be directly set as hex data Key generators provided for convenience
ASCII string is converted into keying material Non-standard but in wide use Different key generators for 64- and 128-bit
http://www.wepkey.com/
38
802.11 Basics
Security in 802.11WEP summary
WEP Insecurity
Problem: Keystream ReuseWEP’ s Solution: Per Packet IvsBut…
40
so knowing one plaintext will get you the other
XOR cancels keystream
IV only 24-bits in WEP, It must repeat after 2^24 or ~ 16.7M packets practical? How long to exhaust the IV space in busy
network? A busy AP constantly send 1500 bytes packet Consider Data Rate 11 Mbps IV exhausts after..
Consequences:– Keystream for corresponding IV is obtained
41
2001: Fluhrer, Mantin, Shamir : Weaknesses in the Key Scheduling Algorithm of RC4.
completely passive attack Inductive chosen plaintext attack
Takes 5-10M. packets to find secret key Showed that WEP is near useless
42
In 2001, airsnort was released but needs millions of packets
‹In 2004, aircrack and weblap require only hundreds of thousands of packets
http://securityfocus.com/infocus/1814 ‹http://www.securityfocus.com/
infocus/182443
One common shared key If any device is stolen or
compromised, must change shared key in all devices
No key distribution mechanism
Infeasible for large organization: approach doesn’t scale
Crypto is flawed Early 2001: Integrity and
authentication attacks published
August 2001 (weak-key attack): can deduce RC4 key after observing several million packets
AirSnort application allows casual user to decrypt WEP traffic
Crypto problems 24 bit IV to short Same key for encryption
and message integrity ICV flawed, does not
prevent adversarial modification of intercepted packets
Cryptanalytic attack allows eavesdroppers to learn key after observing several millions of packets
44
SSID and access control lists provide minimal security no encryption
WEP provides encryption, but is easily broken
Emerging protocol: 802.11i Back-end authentication server Public-key cryptography for authentication
and master key distribution TKIP: Strong symmetric crypto techniques
45
Fluhrer, Mantin, Shamir - Weakness in the Key Scheduling Algorithm of RC4.http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf
Stubblefield, Loannidis, Rubin – Using the Fluhrer, Mantin, and Shamir Attack to Break WEP.http://www.cs.rice.edu/~astubble/wep/wep_attack.pdf
Rivest – RSA Security Response to Weakness in the Key Scheduling Algorithm of RC4.http://www.rsasecurity.com/rsalabs/technotes/wep.html
RC4 Encryption Algorithm.http://www.ncat.edu/~grogans/algorithm_breakdown.htm
46