Embed Size (px)
Citation preview
Wireless Security
802.11 With a focus on Security
by Brian Lee
Takehiro Takahashi
Survey (1)
Who has not used wireless?
Are you confident with your wireless network?
Brief Overview
Wireless Technology Overview
Architecture
Features
Wireless Security Overview
Built-in security features in 802.11
WEP insecurity
802.1x
WPA
WPA2 - 802.11i
GOAL
Understand the state of art
WEP is insecure
But we CAN make a wireless network ‘secure’
802.11Basics
Infrastructure Mode or Ad Hoc
11Mbps with 802.11b
feels slow….? (effective speed ~ 50%)
802.11 a/b/g/n : Physical Layer Spec
802.11i : Security Spec
802.11r : QoS
802.11 Built-in Features
802.11 frame types
Association Request/Response Frame
Beacon Frame
RTS/CTS Frame
Shared/Open Authentication
WEP (Layer 2 security)
Integrity
Confidentiality
SSID
Network identifier
SSID is broadcasted in a beacon frame
Clear Text!
Change it from the default
Cisco = tsunami
Linksys = linksys
Netgear = netgear
Stop broadcasting!
MAC Address Filtering
White-list approach
Does not scale
Frame headers are never encrypted
Sniffing traffic will reveal valid MAC addresses
Bottom line…..
Prevents casual hacking..
Quite useless
Shared/Open Authentication (1)
2 ways of initiating communication
Shared Key
Open Key authentication
Open key Auth = No authentication
Shared Key Auth = requires WEP
Shared Authentication (2)
The challenge is generated using a PRNG used
by WEP
Challenge is then encrypted using WEP key and
sent back
This is bad…….. reveals the WEP key
WEP (Wired Equivalent
Protocol)
Provides “Confidentiality”, and “Integrity”.
Uses 40/104 bits RC4 encryption +
CRC32
WEP Encryption
64/40 and 128/104 bits
confusion IV (24bits)
Your WEP key:
5-ASCII char word = 40bits
13-ASCII char word = 104bits
Security-wise, it’s really 40bits or 104bits
Problems with WEP
1 Static Key
No encryption is strong if one key is used forever
Key length is short (40bits)
Brute forcing is possible
104bits version exists
Using CRC32
CRC is a hash function used to produce a checksum
Improper use of RC4
IV space is too small (24bits)
No protection against replay attack
No specification on key distribution
Lacks scalability
CRC32 and WEP
CRC32 doesn’t have the cryptographic
strength seen in MD5 or SHA1
Bit-flipping is possible
Change the data, and WEP won’t catch it
Seems trivial….?
RC4 and WEP (1)
RC4 – Rivest’s Cipher 4 Stream Cipher
What is a requirement for a stream cipher? Avoid key sequence collision at any cost
{M1 XOR RC4-Key} XOR {M2 XOR RC4-Key}= M1 XOR M2
With WEP, key sequences are repeated every 16 million packets (2 ^ 24)
Key sequence collision doesn’t reveal the WEP key!
RC4 and WEP (2)
Weak IVs reveal the WEP key 5% chance of guessing the portion of the seed (WEP key)
correctly
FMS attack
2M~ packets to decrypt 40bit WEP key
The time needed is a linear function to the key length 104bit key is just as useless as 40bits key
Replay Attacks
Reinjection of the captured packets are
possible
IV usage is not specified
Effective WEP cracking
KoreK attack (Aug. 2004)
Another statistical analysis based attack on WEP key
Extremely fast
Decrypts packets using CRC32 vulnerability
Possible with as little as 0.1M IVs (packets)…
Traditional method requires more than 2M packets
Accelerate it with packet injection – ARP
A 40-bit WEP can be cracked in 10 Minutes
Fast swapping of WEP key is no longer safe
Conclusion: WEP
Confidentiality
FMS attack
KoreK attack
Integrity
Bit-flipping attack
Authentication Non-existent
Attacks can be completely passive
NO MORE WEP
WEP….
Wired Equivalent Privacy
Well.. More like
What on the Earth does it Protect?
Finally…. we have solutions!
802.1x (Authentication)
per-user authentication
Key distribution mechanism
WPA (Confidentiality, Integrity)
Subset of 802.11i
2 forms
802.1x Auth + TKIP (Enterprise mode)
Pre-shared Key + TKIP
WPA2 – 802.11i
WPA2 is the implementation of 802.11i
Uses AES-CCMP
WPA2 (802.11i)
WPA
802.1x (Authentication)
802.1X
802.1X is a port-based, layer 2 authentication
framework
Not limited wireless networks
Uses EAP for implementation
End-result
A WEP key for WEP
A seed for an encryption key used in WPA/WPA2
802.1X is not an alternative to WEP
802.1x authentication
Extensible Authentication Protocol
(EAP)
Authentication Framework
runs on the different layer than 802.1x
Very flexible
RADIUS is de-facto
a server for remote user authentication and accounting
Implementations
EAP methods adopted in WPA/WPA2
EAP-MD5
EAP-LEAP
EAP-TLS
EAP-TTLS
PEAP
EAP-MD5
EAP-MD5 is a simple EAP implementation
Uses and MD5 hash of a username and
password that is sent to the RADIUS
server
Authenticates only one way
Man in the middle attack
Bottom line: Not recommended
LEAP (EAP-Cisco)
Like EAP-MD5, it uses a Login/Password scheme that it sends to the RADIUS server
Each user gets a dynamically generated one time key upon login
Authenticates client to AP and vice versa
Only guaranteed to work with Cisco wireless clients
Broken – ASLEAP by Joshua Wright Dictionary attack
EAP-TLS by Microsoft
Instead of a username/password scheme, EAP-TLS uses certificate based authentication
Two way authentication
Uses TLS (Transport Layer Security) to pass the PKI (Public Key Infrastructure) information to RADIUS server
Compatible with many OS’s
Harder to implement and deploy because PKI for clients are also required
PEAP by Microsoft and Cisco
A more elegant solution!
Very similar to EAP-TLS except that the client
does not have to authenticate itself with the
server using a certificate, instead it can use a
login/password based scheme
Much easier to setup, does not necessarily
require a PKI
Currently works natively with Windows XP SP1,
and OSX. 802.1x supplicant exists for linux
WPA (Wi-Fi Protected Access)
Subset of 802.11i
Confidentiality
Fix flawed encryption mechanism
TKIP: Per-packet dynamic key mechanism
Integrity
Upgradeability
Software / Firmware Upgrade
WPA Mechanism
1. Confirmation of association capability
2. Authentication by 802.1x or PSK
3. 4-way handshake
4. Encryption using TKIP
Very Different from WEP which took care of
“everything”
802.1x Authentication (recap)
4 Way Handshake and PTK
802.1x Authentication + PMK
Security level can be selected
Pairwise Master Key (PMK) is a seed for
temporal key generation used in
encryption
PMK is generated based on the user
authentication result
4 Way Handshake and PTK
PTK (512bits) splits in 4 ways
Part of PTK is used to generate the
encryption key (WEP equivalent) in the
next phase
4 Way Handshake and PTK
TKIP (Temporal Key Integrity
Protocol)
The heart of WPA encryption mechanism
Expands IV space (24 48bits)
IV sequence is specified
Generate a key which conforms to WEP
A fresh key is used for every 16M packets
Michael
Very cheap integrity checker for MAC
addresses and DATA
WPA-PSK
For home / SOHO use
Removes 802.1x authentication
Pre-shared Key + TKIP
Weak against passive dictionary attack
Attacks exist - WPA Cracker
Still MUCH better than WEP
WPA Security Insight
No effective attacks found on WPA + 802.1x
WPA-PSK should be used with care
WPA2 - 802.11i
The long-awaited security standard for
wireless, ratified in June 2004
Better encryption: AES-CCMP
Key-caching (optional)
Pre-authentication (optional)
Hardware manufactured before 2002 is
likely to be unsupported: too weak
PMK Key-Caching
Skips re-entering of the user credential by
storing the host information on the network
Allows client to become authenticated with
an AP before moving to it
Useful in encrypted VoIP over Wi-Fi
Fast Roaming
Conclusion
WEP = Dead Meat
WPA-PSK = Potentially Insecure
WPA + 802.1x (Secure EAP) = Secure
WPA2-PSK = Potentially Insecure
WPA2 + 802.1x = Very Secure
Suggested Practice
Hide SSID
Do NOT use WEP
Use WPA-PSK with a good pass-phrase
or Use WPA with 802.1x if possible
Get WPA2 certified product for your next
purchase
tinyPEAP (1)
A self contained PEAP enabled RADIUS
server
Currently available in Linksys
WRT54G/GS router and Win32 binary
Native Windows XP SP1 support
Web-based user management
The easiest and the most secure solution
available in consumer level
tinyPEAP (2)
tinyPEAP (3)
Survey (2)
Ready to reconfigure your wireless
network?
Links to the tools used:
Airsnort
http://airsnort.shmoo.com
Netstumbler
http://www.netstumbler.com
Ethereal
http://www.ethereal.com
tinyPEAP
http://www.tinypeap.com
Papers and Wireless Security Web
Pages Weaknesses in the Key Scheduling Algorithm of
RC4
The Unofficial 802.11 Security Web Page
Wireless Security Blackpaper
The IEEE 802.11 specifications (includes WEP spec)
Paper on detecting Netstumbler and similar programs
Further reading on upcoming 802.11 variations
Assorted 802.11 related crypto algorithms written in ANSI C
An exercise in wireless
insecurity
Tools used:
Laptop w/ 802.11a/b/g card
GPS
Netstumbler
Aircrack (or any WEP cracking tool)
Ethereal
the car of your choice
Step1: Find networks to attack
An attacker would first use Netstumbler to
drive around and map out active wireless
networks
Using Netstumbler, the attacker locates a
strong signal on the target WLAN
Netstumbler not only has the ability to
monitor all active networks in the area, but
it also integrates with a GPS to map AP’s
WarDriving
Step 2: Choose the network to
attack At this point, the attacker has chosen his
target; most likely a business
Netstumbler can tell you whether or not
the network is encrypted
Also, start Ethereal to look for additional
information.
This time…….
Your target is GTwireless
Step3: Analyzing the Network
WLAN has no broadcasted SSID
Netstubmler tells me that SSID is GTwireless
Multiple access points
Open authentication method
WLAN is encrypted with 40bit WEP
WLAN is not using 802.1X (WEB-auth)
Step4: Cracking the WEP key
Attacker sets NIC drivers to Monitor Mode
Begins capturing packets with Airodump
Airodump quickly lists the available
network with SSID and starts capturing
packets.
After a few hours of airodump session,
launch aircrack to start cracking!
WEP key for GTwireless is revealed!
Step5: Sniffing the network
Once the WEP key is cracked and the NIC
is configured appropriately, the attacker is
assigned an IP, and can access the WLAN
However, a secure proxy with an SSL
enabled web based login prevents access
to the rest of network and the Internet
Attacker begins listening to traffic with
Ethereal
Step6: Sniffing continued…
Sniffing a WLAN is very fruitful because everyone on the WLAN is a peer, therefore you can sniff every wireless client
Listening to connections with plain text protocols (in this case FTP, POP, Telnet) to servers on the wired LAN yielded 2 usable logins within 1.5hrs
What was accomplished?
Complete access to the WLAN
Complete access to the wired LAN
Complete access to the internet
Access to servers on the wired LAN using
the sniffed accounts
Some anonymity. Usage of Netstumbler
and other network probing devices can be
detected. Skip that step if possible.
Other possibilities
Instead of sniffing a valid login, the
attacker could have exploited a known
vulnerability in the proxy (provided there is
one)
The greater risk for being noticed,
something an attacker does not want
That’s it…the network is
compromised
As long as WEP is in place, such attack is
always possible
Sadly, many are less secure
How about yours?
