
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc


Page 1: Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc

Wireless Security Issues

David E. Hudak, Ph.D.

Senior Software Architect

Karlnet, Inc.

Page 2: Outline

- Security definitions
- Current 802.11 security
- Weak IV problem
- Wi-Fi Protected Access (WPA) security
- 802.11i

Page 3: Security Definitions

A security context between two (network) entities should provide:

- Authentication - to prove identity
- Integrity - to detect altered packets
- Privacy - to prevent eavesdropping

Page 4: Current 802.11 Security (as per the 1999 spec)

- Authentication
  - Tied to association (the session between station and AP)
  - Open system - all stations may associate
  - Shared key - stations must know the secret
- Integrity
- Privacy

Page 5: Current 802.11 Security (as per the 1999 spec)

- Authentication
- Integrity - Integrity Check (IC) field
  - 32-bit CRC in the encrypted payload
  - Not separately keyed
  - Vulnerable to bit-flipping attacks
- Privacy

Page 6: Current 802.11 Security (as per the 1999 spec)

- Authentication
- Integrity
- Privacy - Wired Equivalent Privacy (WEP)
  - RC4 cipher (relies on XOR)
  - Up to 4 keys per station (40-bit or 104-bit)
  - Initialization Vector (IV)
    - 24-bit extension to the key
    - Provides some randomization to the key
    - Unfortunately, the keyspace is small!

Page 7: Big WEP Attack - Weak IV

- Say an AP constantly sends 1500-byte frames at 11 Mbps
  - Keyspace is exhausted in 5 hours
  - Will be quicker if packets are smaller
- Original IV algorithms made things much worse
  - Some cards used the same IV for multiple packets
  - Some cards reset the IV to 0 after initialization
  - Some cards increment the IV by 1 after each packet
- WEP+ fixed these “Weak IV” issues
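The 5-hour figure above, and the three IV behaviours the slide lists, worked through in code. This is an added example, not code from the slides or from Karlnet; the frame-time model ignores 802.11 airtime overhead (as the slide does), and the transmitter addresses and IV values in the sample capture are constructed.

```python
IV_BITS = 24                 # WEP IV width from the slides
IV_SPACE = 1 << IV_BITS      # 16,777,216 distinct IVs per key


def hours_to_exhaust_iv_space(frame_bytes: int, rate_bps: float) -> float:
    """Time until an AP sending back-to-back frames of one size has used
    every IV once, i.e. must start repeating RC4 keystreams.  Airtime
    overhead (preamble, ACKs, backoff) is ignored, as on the slide."""
    seconds_per_frame = frame_bytes * 8 / rate_bps
    return IV_SPACE * seconds_per_frame / 3600.0


def find_iv_reuse(frames):
    """Defender-side monitor.  frames is an iterable of (transmitter, iv)
    in capture order.  Returns one tuple (transmitter, iv, first_index,
    repeat_index) for every frame that reuses an IV already seen from the
    same transmitter: under an unchanged WEP key that is keystream reuse."""
    first_seen = {}
    reuse = []
    for index, (tx, iv) in enumerate(frames):
        key = (tx, iv & (IV_SPACE - 1))
        if key in first_seen:
            reuse.append((tx, key[1], first_seen[key], index))
        else:
            first_seen[key] = index
    return reuse


def looks_sequential(ivs) -> bool:
    """True when every IV is the previous one plus 1 (mod 2^24): the
    "increment by 1 after each packet" behaviour, which makes the IV
    schedule predictable and guarantees a wrap after 2^24 frames."""
    if len(ivs) < 2:
        return False
    return all(b == (a + 1) % IV_SPACE for a, b in zip(ivs, ivs[1:]))


# Constructed sample capture (MAC addresses and IVs are made up).
SAMPLE_FRAMES = [
    ("02:00:00:00:00:01", 0x000000),  # card starts counting at 0 ...
    ("02:00:00:00:00:01", 0x000001),
    ("02:00:00:00:00:01", 0x000002),
    ("02:00:00:00:00:02", 0x3A5F11),  # card that sends the same IV twice
    ("02:00:00:00:00:02", 0x3A5F11),
    ("02:00:00:00:00:01", 0x000000),  # ... and goes back to 0 after a reset
]

if __name__ == "__main__":
    print(f"{hours_to_exhaust_iv_space(1500, 11e6):.2f} h, 1500-byte frames at 11 Mbps")
    print(f"{hours_to_exhaust_iv_space(500, 11e6):.2f} h, 500-byte frames at 11 Mbps")
    for event in find_iv_reuse(SAMPLE_FRAMES):
        print("IV reuse:", event)
    print("sequential IVs:", looks_sequential([iv for _, iv in SAMPLE_FRAMES[:3]]))
```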

Page 8: Improving Security

- Improve authentication
  - System-wide common login
- Improve integrity
  - Separate integrity key
  - Stronger integrity algorithm
- Improve privacy
  - Increase keyspace size (make the cracker analyze more data in order to recover the key)
  - Per-user keys
  - Key rollover
  - Stronger privacy algorithm
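Why the unkeyed 32-bit CRC of page 5 cannot serve as an integrity check under an XOR cipher, next to the "separate integrity key, stronger integrity algorithm" fix of page 8. Added example, not code from the slides or from Karlnet: the keystream is a constructed stand-in for RC4 output, HMAC-SHA256 stands in for a keyed MIC, and the frame body is made up.

```python
import hashlib
import hmac
import zlib

# Constructed stand-ins (assumptions, not real WEP/RC4 material): a fixed
# pseudo-random keystream playing the role of the RC4 output XORed over a
# frame, and a separate key used only for integrity.
INTEGRITY_KEY = b"constructed-separate-integrity-key"


def keystream(n: int) -> bytes:
    return bytes(((i * 73 + 41) & 0xFF) for i in range(n))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_linear(msg: bytes, delta: bytes) -> bool:
    """crc32(m ^ d) == crc32(m) ^ crc32(d) ^ crc32(0..0) for equal lengths.
    The IC field is an unkeyed function of the data, so anyone can compute
    it, and because it is linear under XOR a fixed-keystream cipher does
    not hide how an edit to the data changes the check value."""
    assert len(msg) == len(delta), "property is stated for equal lengths"
    zeros = bytes(len(msg))
    lhs = zlib.crc32(xor_bytes(msg, delta))
    rhs = zlib.crc32(msg) ^ zlib.crc32(delta) ^ zlib.crc32(zeros)
    return lhs == rhs


def keyed_protect(plaintext: bytes) -> bytes:
    """Separate integrity key and a stronger algorithm: append HMAC-SHA256
    over the plaintext, then apply the XOR-based cipher to body and tag."""
    tag = hmac.new(INTEGRITY_KEY, plaintext, hashlib.sha256).digest()
    data = plaintext + tag
    return xor_bytes(data, keystream(len(data)))


def keyed_check(ciphertext: bytes) -> bool:
    """Decrypt, recompute the tag under the integrity key and compare in
    constant time; an edit to body or tag fails the check."""
    data = xor_bytes(ciphertext, keystream(len(ciphertext)))
    body, tag = data[:-32], data[-32:]
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def tamper(ciphertext: bytes, delta: bytes) -> bytes:
    """XOR delta over the leading ciphertext bytes, as an in-flight edit would."""
    head = xor_bytes(ciphertext[:len(delta)], delta)
    return head + ciphertext[len(delta):]
```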

Page 9: 802.11i and WPA

- IEEE 802.11i - IEEE 802.11 task group “MAC enhancement for wireless security”
- Wi-Fi Alliance WPA - subset of 802.11i
  - Compatible with an earlier draft
  - Defined for BSS only
  - Defined for current hardware
- WPA has two major components
  - Authentication
  - TKIP encryption

Page 10: WPA

- Authentication
  - 802.1x (not 802.11x) - defined for both wired and wireless session establishment
  - EAP (Extensible Authentication Protocol) - generic wrapper for authentication traffic
  - EAP impact
    - Authentication is between the laptop and the server - the AP is pretty clueless
    - Different auth methods; updating auth methods does not require upgrades on the AP
  - Pre-Shared Key (PSK) - for SOHO networks

Page 11: WPA

- Temporal Key Integrity Protocol (TKIP)
  - Stronger privacy
    - Still uses RC4 encryption
    - Key rollover (temporal key)
  - Stronger integrity
    - Message Integrity Code (MIC) - computed with its own integrity algorithm (MICHAEL)
    - Separate integrity key
    - Integrity countermeasures

Page 12: 802.11i

- Additions over WPA
  - IBSS (ad-hoc mode) authentication - what does a security context mean without a trusted third party? Is PSK enough?
  - Counter-Mode/CBC-MAC Protocol (CCMP)
    - Privacy: AES-CCM (128-bit key)
    - Integrity: CBC-MAC

Page 13: 802.11i criticisms

- Does not secure 802.11 management, control and action frames
  - Disassociate, output power, etc.
- Fundamental dilemma: does 802.11i secure
  1. Traffic carried by the network?
  2. Network elements themselves?