Embed Size (px)
Citation preview
Wireless Security: The need for WPA and 802.11i
By Abuzar Amini
CS 265 Section 1
Wireless Security Timeline WEP - Part of original 802.11
specification published in 1999. WPA - Developed to fix numerous WEP
flaws. Ratified by Wi-Fi Alliance in 2003. 802.11i - More robust, permanent security
standard expected to be finalized soon. Currently in 7th draft.
WEP
Wired Equivalent Privacy Uses RC4 Stream cipher Has static 40-bit base key 64-bit per-packet key 24-bit Initialization Vector (IV) Uses Integrity Check Value (ICV) to verify
integrity
WEP Weaknesses (IV repetition)
Short 24-bit IV means RC4 key must be changed every 224 packets or data can be exposed via IV repetition. With repeated IV -> c1 c2 = p1 p2 Not very feasible to change WEP key after 16
million packets transmitted.
WEP Weaknesses (Replay Attack)
QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture.
QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture.
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
Alice
BobTrudy
Authorized WEP communications
Eavesdrop and record
Replay packets
WEP Weaknesses (Forgery Attack)
Packet data can be forged WEP uses ICV (CRC-32) to verify integrity. Create a blank message with same number of data
bytes, flip some bits and compute ICV. XOR bit-flipped message and ICV into captured
message. Result - Undetected forgery.
Identity can be forged Source address, Destination address not protected.
WEP Weaknesses (Keys)
WEP uses same key for authentication and encryption.
No way to manage keys. Same static key used on AP as well as all
clients.
WPA: The solution for today
Wi-Fi Protected Access (WPA) created to fix vulnerabilities of WEP while keeping the ability to run on legacy Access Points.
Subset of 802.11i Standard. Two major components: TKIP and 802.1X
Extensible Authentication Protocol (EAP) based authentication.
TKIP Temporal Key Integrity Protocol. Consists of new algorithms to wrap WEP
A new Message Integrity Code (MIC) called Michael.
IV sequencing to defeat replay attacks. A per-packet key mixing function to de-
correlate IVs from weak keys. A re-keying mechanism to provide fresh
encryption and integrity keys.
TKIP (Michael)
Uses two 64-bit keys, one for each link direction.
Unlike WEP, packet Sender Address and Destination Address are computed as part of the MIC.
8-byte MIC appended to the packet data.
TKIP (IV Sequencing)
IV sequencing used to protect against replay attacks. Reset packet sequence number to 0 on
rekey. Increment sequence number by 1 each time
packet transmitted. Packets received out of sequence are
dropped.
TKIP (Key mixing)
Per-packet mixing function implemented in 2 phases: Phase 1: Combines local MAC address and
temporal key. Then run through S-box to produce intermediate key.
Fistel cipher used to encrypt the packet sequence number under the intermediate key, producing 128-bit per-packet key.
TKIP (Keys)
One 128-bit encryption key Two 64-bit integrity keys Master keys assigned by Authentication
Server using the 802.1X architecture
802.1X EAP WPA uses 802.1X as an authentication and key
replacement mechanism. 802.1X specifies the following components:
Supplicant – A user or a client that wants to be authenticated.
Authentication server – An authentication system, such as a RADIUS server, that handles actual authentications.
Authenticator – A device that acts as an intermediary between a supplicant and an authentication server. Usually, an AP.
802.1X EAP Messages
QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture. QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture.
EAP-identity request
EAP Identity Response
EAP Auth Request
EAP Success / Optional Master Key
Supplicant Authenticator Auth. ServerAttach
EAP Auth Response
Different forms of EAP EAP-Transport Layer Security(EAP-TLS)
Authentication requires use of PKI EAP-Tunneled TLS (EAP-TTLS)
Favored by some for use in 802.11i EAP-Protected EAP (PEAP)
Favored by some for use in 802.11i
802.11i:Robust Security for Tomorrows WLANs
Still uses some WPA features TKIP 802.1X Key hierarchy Key management
802.11i
New cipher AES block cipher replaces RC4 AP hardware needs to be upgraded to
support more complex AES computations. Mode of operation - AES Counter Mode
Encryption with CBC-MAC (CCM).
AES-CCM Mode
Header Payload MIC
Authenticated
Encrypted
CBC-MAC used to compute MIC on header and payload.
CTR mode is used to encrypt the payload and MIC.
802.11i (Other Features) EAP over an Ethernet LAN (EAPOL)
Roaming support Allows clients to pre-authenticate with different APs,
on wired or wireless LANs.
Independent Base Service Set (IBSS) Allows clients to authenticate to each other, even if
not in range of an AP.
Password-to-key mapping
WLAN Security SummaryWEP WPA 802.11i
Cipher Algorithm RC4 RC4 (TKIP) AES-CCMPEncryption Key 40-bit 128-bit 128-bitInitialization Vector 24-bit 48-bit 48-bitAuthentication Key None 64-bit 128-bitIntegrity Check CRC-32 Michael CCMKey Distribution Manual 802.1X (EAP) 802.1X (EAP)Key Unique To: Network Packet, Session, User Packet, Session, UserKey Hierarchy No Derived from 802.1X Derived from 802.1XAd-hoc Security (P2P) No No Yes (IBSS)Pre-authentication No No Yes (EAPOL)
