WLAN Security
Assoc. Prof. Anan Phonphoem, Ph.D.
[email protected]
http://www.cpe.ku.ac.th/~anan
Computer Engineering Department, Kasetsart University, Bangkok, Thailand
Wireless LANs
Outline
• Secure Communication
• Security Mechanisms
• Security Threats
• IEEE 802.11 Security
• WLAN security management
Secure Communication
What is Secure Communication?
• Secrecy
  • Only you and me, no one else
• Authentication
  • Verify that the other party really is who it claims to be
• Message Integrity
  • Message is not altered
Secrecy
• Privacy or confidentiality
• Cannot block the sniffer, so the content must be unintelligible to it
• Requires an encryption/decryption mechanism
  • Encryption at the sender
  • Decryption at the receiver
  • using a public or private (secret) key to decode the encrypted information
Authentication
• Confirms the identity of the communicating party
• Assures that the sender and the receiver are who they claim to be
Message Integrity
• Data integrity
  • Data is transmitted from source to destination without undetected alteration
• Non-repudiation
  • Proves that a received message came from the claimed sender
(Thai gloss: integrity = adherence to moral principles, honesty, completeness, soundness, unity)
Wireless Magnifies Vulnerability
• Traditional wireline link
  • Benefits from physical security
  • Access to the wire is required
  • Access to the switch/hub is required
• Wireless link
  • Extended range beyond a room or a building
  • Easy to eavesdrop
(Thai gloss: vulnerable = weak, insecure)
Trust
• Communicate with unseen devices
  • Physically hidden (end user, AP, ...)
• Problem on both home and foreign networks
• Service provider may not be trustworthy
  • Access points
  • DHCP servers
  • Intermediate nodes
End-to-End/Link Security
• End-to-end security provided by
  • Network layer (e.g., IPsec)
  • Transport layer (e.g., SSL/TLS)
  • Application layer (e.g., application-specific)
• Link security provided by
  • Link layer (e.g., IEEE 802.11 WEP, WPA, or IEEE 802.11i)
Security Mechanisms
Cryptography
• Symmetric (private) key cryptography
  • Sender and receiver keys are identical (KA = KB)
• Asymmetric (public) key cryptography
  • Sender (encryption) key (KA) is public
  • Receiver (decryption) key (KB ≠ KA) is private
[Figure: Plaintext → Encryption with KA → Ciphertext → Decryption with KB → Plaintext]
Public Key Cryptography
• Unlike a private key system, one can publish the key for encryption in a public key encryption system
[Figure: plaintext m → Encryption with public key KB+ → ciphertext KB+(m) → Decryption with private key KB- → plaintext m = KB-(KB+(m))]
Authentication (Private Key)
• Authentication can be implemented with symmetric (private) key cryptography
[Figure: A claims "A"; B generates a one-time nonce R and sends it to A; A returns K(R), R encrypted under the shared key K; B decrypts and checks that it recovers R]
(Thai gloss: nonce = something valid for a single moment only)
Authentication (Public Key)
• Use of a public key avoids the shared key problem
• Vulnerable to a "man-in-the-middle" attack unless A's public key is obtained in an authenticated way
[Figure: A claims "A"; B sends a nonce R; A returns KA-(R); B requests A's public key KA+ and computes KA+(KA-(R)) = R; the sender must have used A's private key, so it is A. KA+: A's public key, KA-: A's private key]
Security Threats
Types of Attacks: Spoofing
• Impersonate legitimate device credentials, such as a MAC address
Types of Attacks: Session Hijacking
• The attacker disconnects the legitimate user but makes the AP think that the user is still connected
Types of Attacks: DoS
• Flood the network with useless traffic (e.g., repeated login requests) and eventually shut it down
Types of Attacks: Man in the Middle
• All WLAN traffic from the devices is passed through the rogue device
• Possible because of the lack of strong AP-level authentication
Types of Attacks: WarDriving
• Driving around town looking for unprotected WLAN connections to get Internet access
IEEE 802.11 Security
Authentication & Encryption Standards
• Authentication protocols: 802.1x carrying EAP
  • EAP-TLS (MSFT/IETF): certificate credentials
  • PEAP (CSCO/MSFT/IETF): username/password credentials
• Encryption standards and their algorithms
  • WEP: RC4
  • WPA-TKIP: RC4
  • 802.11i: AES
Source: Dan Ziminski & Bill Davidge
Built-in WLAN Security
• Wired Equivalent Privacy (WEP)
  • Provides encryption based on the RC4 cipher
• 802.1x
  • Provides authentication using the Extensible Authentication Protocol (EAP)
• Wi-Fi Protected Access (WPA: subset of the 802.11i draft)
  • Uses dynamic keys and improved encryption (TKIP)
• 802.11i → implemented as WPA2
  • Advanced encryption (AES-CCMP) and authentication
802.11b Security Services
• Two security services provided:
  • Authentication: Shared Key Authentication
  • Encryption: Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy
• Shared key between
  • Stations
  • An Access Point
• Extended Service Set
  • All Access Points have the same shared key
• No key management
  • Shared key entered manually into stations and access points
  • Key management nightmare in large wireless LANs
RC4
• Ron's Code number 4, RSA Security Inc.
• Symmetric key stream cipher
• Designed in 1987
• Trade secret until a leak in 1994
• RC4 accepts key sizes from 1 byte (8 bits) to 256 bytes (2048 bits)
• RC4 generates a stream of pseudo-random bytes
  • XORed with the plaintext to create the ciphertext
WEP Block Diagram
[Figure, sender side (encryption block): plaintext → Integrity Algorithm (CRC-32) → Integrity Check Value (ICV) appended to the plaintext; IV || secret key (40-bit or 104-bit; the latter is marketed as "128-bit" including the 24-bit IV) → RC4 pseudo-random number generator → key sequence; (plaintext || ICV) XOR key sequence → ciphertext, transmitted together with the IV in the clear]
[Figure, receiver side (decryption block): IV taken from the frame || secret key → RC4 → key sequence; ciphertext XOR key sequence → plaintext || ICV; the integrity algorithm is recomputed over the plaintext and compared with the received ICV]
WEP – Encoding
[Figure: the encryption block of the WEP block diagram above]
WEP – Sending
• Compute the Integrity Check Value (ICV)
  • Provides integrity
  • 32-bit Cyclic Redundancy Check (CRC-32) over the message
  • Appended to the message to create the plaintext
• Plaintext encrypted via RC4
  • Provides confidentiality
  • Plaintext XORed with a long key stream of pseudo-random bits
  • Key stream is a function of
    • 40-bit secret key
    • 24-bit initialisation vector (IV), prepended to the secret key to form the RC4 key
• Ciphertext is transmitted, with the IV in the clear
WEP – Decryption
[Figure: the decryption block of the WEP block diagram above]
WEP – Receiving
• Ciphertext is received
• Ciphertext decrypted via RC4
  • Ciphertext XORed with the same long key stream of pseudo-random bits
  • Key stream is a function of
    • 40-bit secret key
    • 24-bit initialisation vector (IV), read from the received frame
• Check the ICV
  • Separate the ICV from the message
  • Compute the ICV for the message
  • Compare with the received ICV; discard the frame on mismatch
Shared Key Authentication
• When a station requests association with an AP
  • AP sends a random number (challenge) to the station in the clear
  • Station encrypts the random number
    • Uses RC4, the 40-bit shared secret key and a 24-bit IV
  • Encrypted random number is sent to the AP
  • AP decrypts the received message
    • Uses RC4, the 40-bit shared secret key and the 24-bit IV from the frame
  • AP compares the decrypted random number with the transmitted random number
  • If the numbers match, the station has the shared secret key
• Caveat: an eavesdropper sees both the clear challenge and its encryption, i.e., a plaintext/ciphertext pair for that IV, which is exactly what the active WEP attack below needs
WEP Safeguards
• Shared secret key required for:
  • Associating with an access point
  • Sending data
  • Receiving data
• Messages are encrypted → confidentiality
• Messages carry a checksum (ICV) → integrity
• But management traffic, including the SSID, is still broadcast in the clear
Initialization Vector
• IV must be different for every message transmitted
• The 802.11 standard does not specify how the IV is calculated
• Wireless cards use several methods
  • Some use a simple ascending counter for each message
  • Some switch between alternate ascending and descending counters
  • Some use a pseudo-random IV generator
• If an IV repeats, two messages are encrypted with the same key stream: identical plaintexts give identical ciphertexts, and differing plaintexts leak their XOR
Passive WEP Attack
• If the 24-bit IV is an ascending counter and the access point transmits at 11 Mbps, all 2^24 IVs are exhausted in roughly 5 hours
• Passive attack:
  • Attacker collects all traffic
  • Attacker could collect two messages encrypted with the same key and the same IV
  • Statistical attacks reveal the plaintext
  • Plaintext XOR Ciphertext = Keystream
Active WEP Attack
• If the attacker knows a plaintext/ciphertext pair, the key stream for that IV is known
  • Attacker can create correctly encrypted messages
  • Access point is deceived into accepting them
• Bit flipping
  • Flip a bit in the ciphertext
  • The matching change to the CRC-32 ICV can be computed, because CRC-32 is linear and the ICV is encrypted with the same key stream
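The WEP sending/receiving procedure, shared key authentication, and the passive and active attacks described above, as an added example that is not part of the original slides. RC4 and the CRC-32 ICV are implemented inline; the shared key SECRET, the IVs, the 128-byte challenge and the frame contents are constructed for illustration.

```python
"""WEP encode/decode as the slides describe it, plus the passive (key-stream recovery)
and active (forgery, bit-flipping) attacks. Added example, not from the slide deck;
the key, IVs, challenge and frame contents are constructed for illustration."""
import zlib

SECRET = bytes.fromhex("0102030405")   # constructed 40-bit shared key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext, little-endian as in WEP."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Sender: frame = IV || RC4(IV || secret) XOR (plaintext || ICV)."""
    assert len(iv) == 3 and len(secret) in (5, 13)      # 24-bit IV; 40- or 104-bit key
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + secret, len(body)))


def wep_decrypt(secret: bytes, frame: bytes):
    """Receiver: regenerate the key stream from the clear-text IV, XOR, check the ICV.
    Returns the plaintext, or None when the ICV does not match."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + secret, len(ct)))
    pt, tag = body[:-4], body[-4:]
    return pt if icv(pt) == tag else None


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Passive attack: plaintext XOR ciphertext = key stream for this IV.
    The shared-key authentication challenge (sent in the clear) is such a plaintext."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def forge_frame(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """Active attack: encrypt a chosen message under a recovered key stream, reusing
    its IV. The AP accepts it because the ICV is computed over the forged plaintext."""
    body = plaintext + icv(plaintext)
    assert len(body) <= len(keystream), "need as much key stream as the message"
    return iv + xor(body, keystream)


def bitflip(frame: bytes, delta: bytes) -> bytes:
    """Active attack without any key stream: flip plaintext bits through the ciphertext.
    CRC-32 is affine, crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0...0), so the matching ICV
    change is computed from D alone and XORed into the encrypted ICV."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    assert len(delta) == n
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(ct[:n], delta) + xor(ct[n:], icv_delta)


def demo() -> dict:
    """Runs the attacks against constructed traffic and reports what the AP would see."""
    # Shared-key authentication: the AP sends a 128-byte challenge in the clear and the
    # station answers with its WEP encryption under IV 000001.
    iv = b"\x00\x00\x01"
    challenge = bytes(range(128))
    response = wep_encrypt(SECRET, iv, challenge)
    # An eavesdropper now holds 132 bytes of key stream for that IV ...
    ks = recover_keystream(response, challenge)
    # ... and can answer a later challenge correctly without ever learning SECRET.
    later_challenge = bytes(reversed(range(128)))
    forged = forge_frame(iv, ks, later_challenge)
    auth_forged = wep_decrypt(SECRET, forged) == later_challenge

    # Bit-flipping on a data frame: turn "GET" into "PUT" and keep the ICV valid.
    data = b"\xaa\xaa\x03" + b"GET /index.html"        # SNAP header, then payload
    frame = wep_encrypt(SECRET, b"\x00\x00\x02", data)
    delta = bytearray(len(data))
    for k, (old, new) in enumerate(zip(b"GET", b"PUT")):
        delta[3 + k] = old ^ new
    flipped = bitflip(frame, bytes(delta))
    return {"auth_forged": auth_forged,
            "original": wep_decrypt(SECRET, frame),
            "flipped": wep_decrypt(SECRET, flipped),
            "frame": frame}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both attacks succeed without the key: the forged authentication response is accepted because the key stream, not the key, is what the check depends on, and the bit-flipped frame passes the ICV check because CRC-32 offers no protection against an attacker who can also adjust the checksum. A keyed MIC (as in TKIP and CCMP) is what closes the second hole.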
Limited WEP Keys
• Some vendors allow limited WEP keys
  • User types in a passphrase
  • WEP key is generated from the passphrase
• The passphrase generator creates only 21 bits of entropy in the 40-bit key
  • Reduces key strength to 21 bits = 2,097,152 keys
  • Remaining 19 bits are predictable
  • A 21-bit key can be brute forced in minutes
• www.lava.net/~newsham/wlan/WEP_password_cracker.ppt
Brute Force Key Attack
• Capture ciphertext; the IV is included in the message
• Search all 2^40 possible secret keys
  • 1,099,511,627,776 keys
  • ~170 days on a laptop of the time
• Find which key decrypts the ciphertext to plaintext (a matching ICV tells the attacker when a candidate key is right)
128-bit WEP
• Vendors have extended WEP to 128-bit keys
  • 104-bit secret key
  • 24-bit IV
• Brute force takes 10^19 years for a 104-bit key
• Effectively safeguards against brute force attacks, but not against the key scheduling attacks that follow
Key Scheduling Weakness
• Paper by Fluhrer, Mantin and Shamir (FMS), 2001
• Two weaknesses:
  • Certain keys leak into the key stream (invariance weakness)
  • If a portion of the PRNG input is exposed, analysis of the initial key stream allows the key to be determined (IV weakness)
IV Weakness
• WEP exposes part of the PRNG input: the IV is transmitted with the message
• Every wireless frame has a reliable first byte
  • Sub-Network Access Protocol (SNAP) header, used in the logical link control layer, the upper sub-layer of the data link layer
  • First byte is 0xAA
• Attack:
  • Capture packets with weak IVs
  • First byte of ciphertext XOR 0xAA = first byte of key stream
  • Can determine the key from the initial key stream
• Practical for 40-bit and 104-bit keys
• Passive attack: non-intrusive, no warning
WEPCrack
• First tool to demonstrate the attack using the IV weakness
• Open source, Anton Rager
• Three components
  • Weak IV generator
  • Search sniffer output for weak IVs and record the 1st byte
  • Cracker to combine weak IVs and selected 1st bytes
• Cumbersome
AirSnort
• Automated tool by Cypher42, Minnesota, USA
• Does it all: sniffs, searches for weak IVs, records encrypted data, until the key is derived
• 100 MB to 1 GB of transmitted data
• 3 to 4 hours on a very busy WLAN
Avoid the Weak IVs
• FMS described a simple method to find weak IVs
• Many manufacturers avoid those IVs after 2002
  • Therefore AirSnort and others may not work on recent hardware
• However, David Hulton (aka h1kari) properly implemented the FMS attack, which shows many more weak IVs
  • Identified IVs that leak into the second byte of the key stream
  • The second byte of the SNAP header is also 0xAA
  • So the attack still works on recent hardware, and is faster on older hardware
• Tools: dwepcrack, weplab, aircrack
Generating WEP Traffic
• Not capturing enough traffic?
  • Capture encrypted ARP request packets; anecdotally, lengths of 68, 118 and 368 bytes appear appropriate
  • Replay the encrypted ARP packets to generate encrypted ARP replies (WEP has no replay protection)
  • Aireplay implements this
Wired Equivalent Privacy (WEP) – Summary
• Provides rudimentary 40-bit/128-bit encryption with the RC4 cipher
• Weak point is the way the IV is combined with the key (RC4 key scheduling), not the RC4 stream itself
• Static encryption keys that must be changed manually
• Attacker's tools: AirSnort, Yellowjacket, Airfart
• Encryption keys can be cracked
• Default setting is "OFF"
802.1x — A New Hope
• Provides secure access using port control
• Uses EAP (Extensible Authentication Protocol)
  • Supports Kerberos, smart cards, one-time passwords, and so on
• Components required:
  • Wireless device (supplicant)
  • AP (authenticator)
  • Authentication server, typically Remote Authentication Dial-In User Service (RADIUS)
802.1X Key Management
• 802.11i data protocols fail without "fresh" keys
• Want to use the 802.1X framework
• Original 802.1X key management was hopelessly broken, so it was redesigned by 802.11i
Source: Jesse Walker, Intel Communications Group
802.1X Key Management
• New model:
  • Derive a Pairwise Master Key (PMK)
  • AP and STA use the PMK to derive a Pairwise Transient Key (PTK)
  • Use the PTK to protect the link
• Limitations:
  • No explicit binding to the earlier association and authentication
  • Relies on temporality and PMK freshness for security
  • Keys are only as good as the back-end allows
Pairwise Key Hierarchy
• Master Key (MK): established by the EAP method (e.g., the TLS master secret)
• Pairwise Master Key (PMK) = TLS-PRF(MasterKey, "client EAP encryption" | clientHello.random | serverHello.random)
• Pairwise Transient Key (PTK) = EAPoL-PRF(PMK, AP Nonce | STA Nonce | AP MAC Addr | STA MAC Addr)
• The PTK is split into
  • Key Confirmation Key (KCK) – PTK bits 0–127
  • Key Encryption Key (KEK) – PTK bits 128–255
  • Temporal Key (TK) – PTK bits 256–n; can have cipher-suite-specific structure; the analog of the WEP key
EAPoL: Extensible Authentication Protocol (EAP) over LAN
Key Management Overview
• Step 1: Use RADIUS to push the PMK from the AS to the AP
• Step 2: Use the PMK and the 4-Way Handshake to derive, bind, and verify the PTK
• Step 3: Use the Group Key Handshake to send the GTK from the AP to the STA
[Figure: STA ↔ AP over EAPoL; AP ↔ AS over RADIUS]
EAPoL-Key Message
• Descriptor Type – 1 octet
• Key Information – 2 octets
• Key Length – 2 octets
• Replay Counter – 8 octets
• Nonce – 32 octets
• IV – 16 octets
• RSC – 8 octets
• Key ID – 8 octets
• MIC – 16 octets
• Data Length – 2 octets
• Data – n octets
Step 2: 4-Way Handshake (both sides start with the PMK)
• AP picks a random ANonce
• Message 1, AP → STA: EAPoL-Key(Reply Required, Unicast, ANonce)
• STA picks a random SNonce and derives PTK = EAPoL-PRF(PMK, ANonce | SNonce | AP MAC Addr | STA MAC Addr)
• Message 2, STA → AP: EAPoL-Key(Unicast, SNonce, MIC, STA RSN IE)
• AP derives the PTK and checks the MIC
• Message 3, AP → STA: EAPoL-Key(Reply Required, Install PTK, Unicast, ANonce, MIC, AP RSN IE)
• Message 4, STA → AP: EAPoL-Key(Unicast, MIC)
• Both sides install the TK
Step 3: Group Key Handshake (both sides now hold the PTK)
• AP picks a random GNonce and a random GTK, and encrypts the GTK with the KEK
• AP → STA: EAPoL-Key(All Keys Installed, ACK, Group Rx, Key Id, Group, RSC, GNonce, MIC, GTK)
• STA decrypts the GTK
• STA → AP: EAPoL-Key(Group, MIC)
• Data traffic is unblocked on both sides
4-Way Handshake
[Figure: see http://www.hitchhikersguidetolearning.com/2017/09/17/management-frame-protection-igtk/]
Key Management Summary
• 4-Way Handshake
  • Establishes a fresh pairwise key bound to the STA and AP for this session
  • Proves liveness of the peers
  • Demonstrates there is no man-in-the-middle between the PTK holders, provided there was no man-in-the-middle holding the PMK
  • Synchronizes pairwise key use
• Group Key Handshake provisions the group key to all STAs
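The pairwise key hierarchy and the 4-Way Handshake above, run for both peers, as an added example that is not part of the original slides or of Intel's material. The PMK, MAC addresses and nonces are constructed; the EAPoL-Key message is reduced to the fields the MIC protects, and the key-information values are placeholders, not the real bit layout. One difference from the slide's formula: the ratified standard orders the PRF input as Min/Max of the two MAC addresses and of the two nonces, which is what is implemented here.

```python
"""802.11i pairwise key derivation and the 4-Way Handshake MICs, run for both peers.
Added example, not taken from the slide deck or from Intel's material. The PMK, MAC
addresses and nonces are constructed; the EAPoL-Key message layout is simplified to
the fields the MIC protects (key information, replay counter, nonce, MIC, data)."""
import hashlib
import hmac
import os

PRF_LABEL = b"Pairwise key expansion"
MIC_OFF = 2 + 8 + 32       # MIC field follows key information, replay counter, nonce


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    concatenated and truncated to n bits (PRF-384 for CCMP, PRF-512 for TKIP)."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbits: int = 384) -> dict:
    """PTK = PRF-n(PMK, "Pairwise key expansion", Min(AA,SPA) || Max(AA,SPA) ||
    Min(ANonce,SNonce) || Max(ANonce,SNonce)), split as on the slide:
    KCK = bits 0-127, KEK = bits 128-255, TK = the rest."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PRF_LABEL, data, nbits)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def eapol_mic(kck: bytes, msg_with_zero_mic: bytes) -> bytes:
    """Key Descriptor Version 2 MIC: HMAC-SHA1 under the KCK, truncated to 128 bits."""
    return hmac.new(kck, msg_with_zero_mic, hashlib.sha1).digest()[:16]


def build_key_msg(key_info: int, replay: int, nonce: bytes, data: bytes,
                  kck: bytes = None) -> bytes:
    """Serialise a simplified EAPoL-Key message; fill in the MIC when a KCK is given
    (message 1 carries no MIC because the STA has no PTK yet)."""
    msg = key_info.to_bytes(2, "big") + replay.to_bytes(8, "big") + nonce + bytes(16) + data
    if kck is None:
        return msg
    return msg[:MIC_OFF] + eapol_mic(kck, msg) + msg[MIC_OFF + 16:]


def verify_key_msg(kck: bytes, msg: bytes) -> bool:
    """Zero the MIC field, recompute under our own KCK, compare in constant time."""
    zeroed = msg[:MIC_OFF] + bytes(16) + msg[MIC_OFF + 16:]
    return hmac.compare_digest(msg[MIC_OFF:MIC_OFF + 16], eapol_mic(kck, zeroed))


def four_way_handshake(pmk: bytes, aa: bytes, spa: bytes,
                       anonce: bytes = None, snonce: bytes = None) -> dict:
    """Both peers' view of the handshake. Key-information values (0x0001..0x0004)
    are illustrative placeholders, not the real bit layout."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # Msg 1 (AP -> STA): ANonce in the clear, no MIC.
    m1 = build_key_msg(0x0001, 1, anonce, b"")
    # STA: pick SNonce, derive its PTK from the ANonce it received.
    sta = derive_ptk(pmk, aa, spa, m1[10:42], snonce)
    # Msg 2 (STA -> AP): SNonce + STA RSN IE, MIC under the STA's KCK.
    m2 = build_key_msg(0x0002, 1, snonce, b"<STA RSN IE>", sta["KCK"])
    # AP: derive its PTK from the received SNonce. A good MIC proves the STA holds the
    # same PMK and that nobody altered the nonces or the RSN IE in transit.
    ap = derive_ptk(pmk, aa, spa, anonce, m2[10:42])
    ok2 = verify_key_msg(ap["KCK"], m2)
    # Msg 3 (AP -> STA): ANonce again, AP RSN IE (the GTK would be wrapped under the KEK), MIC.
    m3 = build_key_msg(0x0003, 2, anonce, b"<AP RSN IE>", ap["KCK"])
    ok3 = verify_key_msg(sta["KCK"], m3)
    # Msg 4 (STA -> AP): confirmation, MIC; both sides then install the TK.
    m4 = build_key_msg(0x0004, 2, bytes(32), b"", sta["KCK"])
    ok4 = verify_key_msg(ap["KCK"], m4)
    return {"sta": sta, "ap": ap, "mics_ok": ok2 and ok3 and ok4, "m2": m2}


if __name__ == "__main__":
    result = four_way_handshake(os.urandom(32), bytes.fromhex("001122334455"),
                                bytes.fromhex("66778899aabb"))
    print("PTKs match:", result["sta"] == result["ap"], "MICs ok:", result["mics_ok"])
```

The MIC on messages 2 and 3 is what binds the nonces and the RSN IEs to the PMK: a peer that does not hold the PMK cannot produce a verifying MIC, and any alteration of the advertised cipher suites in transit is detected, which is the "no man-in-the-middle between PTK holders" property of the summary above.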
Authentication Requirements
• Want the key tied back to the authorization decision
• Establish a session between AS and STA
• Establish a mutually authenticated session key shared by AS and STA
  • Session ⇒ key is fresh
  • Mutually authenticated ⇒ bound only to AS and STA
• Defend against eavesdropping, man-in-the-middle attacks, forgeries, replay, and dictionary attacks against either party
• Cannot expose non-public portions of credentials
• Identity protection is not a goal: the MAC address cannot be hidden
Authentication Components
[Figure: Wireless Station ↔ Access Point over 802.11, carrying 802.1X (EAPoL); Access Point ↔ Authentication Server over RADIUS on UDP/IP; EAP, and EAP-TLS on top of it, run end to end between the wireless station and the authentication server]
Authentication Overview
• Before authentication, the 802.1X port on both the AP and the STA blocks data traffic
• AP → STA: 802.1X/EAP-Request Identity
• STA → AP: 802.1X/EAP-Response Identity (EAP type specific)
• AP → AS: RADIUS Access Request/Identity
• STA ↔ AS: EAP type specific mutual authentication (carried over 802.1X between STA and AP, and over RADIUS between AP and AS)
• STA and AS each derive the Pairwise Master Key (PMK)
• AS → AP: RADIUS Accept (with PMK)
• AP → STA: 802.1X/EAP-Success
EAP-TLS
• EAP-TLS is not part of 802.11i; neither is any other specific authentication method
• But EAP-TLS is the de facto 802.11i authentication method
  • Can meet all 802.11i requirements
  • Other widely deployed methods do not
• EAP-TLS = TLS handshake over EAP
  • EAP-TLS defined by RFC 2716 (since obsoleted by RFC 5216)
  • TLS defined by RFC 2246 (TLS 1.0; since obsoleted by later TLS versions)
• Always requires provisioning the AS certificate (or its issuing CA) on the STA
• Mutual authentication requires provisioning STA certificates
Transport Layer Security (TLS)
802.1x EAP-TLS Authentication
[Figure: Station (supplicant) – Access Point (authenticator) – RADIUS Server (authorizer); the station holds a client digital certificate from the XYZ CA and the server holds a server digital certificate from the same XYZ CA]
Example – EAP-TLS (1)
• AP → STA: 802.1X/EAP-Request Identity
• STA → AP: 802.1X/EAP-Response Identity (My ID)
• AP → AS: RADIUS Access Request/EAP-Response Identity
• AS → AP: RADIUS Access Challenge/EAP-Request; AP → STA: 802.1X/EAP-Request(TLS)
• STA → AP: 802.1X/EAP-Response(TLS ClientHello(random1))
• AP → AS: RADIUS Access Request/EAP-Response TLS ClientHello
• AS → AP: RADIUS Access Challenge/EAP-Request; AP → STA: 802.1X/EAP-Request(TLS ServerHello(random2) || TLS Certificate || TLS CertificateRequest || TLS server_key_exchange || TLS server_done)
(The AP and the AS share a RADIUS key that protects the AP–AS leg)
Example – EAP-TLS (2)
• STA → AP: 802.1X/EAP-Response(TLS client_key_exchange || TLS certificate || TLS certificate_verify || TLS change_cipher_spec || TLS finished); AP → AS: RADIUS Access Request/EAP-Response
• STA and AS each compute MasterKey = TLS-PRF(PreMasterKey, "master secret" || random1 || random2)
• AS → AP: RADIUS Access Challenge/EAP-Request; AP → STA: 802.1X/EAP-Request(TLS change_cipher_spec || TLS finished)
• STA → AP: 802.1X/EAP-Response; AP → AS: RADIUS Access Request/EAP-Response
• STA and AS each compute PMK = TLS-PRF(MasterKey, "client EAP encryption" || random1 || random2)
• AS → AP: RADIUS Accept/EAP-Success carrying the PMK; AP → STA: 802.1X/EAP-Success
Authentication Summary
• At the end of authentication
  • The AS and STA have established a session, if the concrete EAP method does so
  • The AS and STA possess a mutually authenticated Master Key, if the concrete EAP method provides one
  • The Master Key represents the decision to grant access based on authentication
  • STA and AS have derived the PMK
  • The PMK is an authorization token used to enforce the access control decision
  • The AS has distributed the PMK to an AP (hopefully, to the STA's AP)
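The two key derivations in the EAP-TLS example above (MasterKey from the pre-master secret, then the PMK from the MasterKey), as an added example that is not part of the original slides or of Intel's material. The TLS 1.0 PRF of RFC 2246 is implemented from the standard library; the pre-master secret and the two hello randoms are constructed, and the MSK/EMSK split follows RFC 5216, which the slide does not show.

```python
"""TLS 1.0/1.1 PRF (RFC 2246) applied as the slides show: the TLS master secret from the
pre-master secret, then the EAP-TLS key material from which 802.11i takes the PMK.
Added example, not from the slide deck or Intel's material; the pre-master secret and
the ClientHello/ServerHello randoms are constructed."""
import hashlib
import hmac


def p_hash(hash_fn, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash(secret, seed) = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); truncated to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()
        out += hmac.new(secret, a + seed, hash_fn).digest()
    return out[:length]


def tls_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 section 5: split the secret into two halves (overlapping by one byte when
    the length is odd) and XOR P_MD5 over the first half with P_SHA1 over the second."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash(hashlib.md5, s1, label + seed, length)
    sha_part = p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def master_secret(pre_master: bytes, random1: bytes, random2: bytes) -> bytes:
    """MasterKey = TLS-PRF(PreMasterKey, "master secret" || random1 || random2), 48 bytes."""
    return tls_prf(pre_master, b"master secret", random1 + random2, 48)


def eap_tls_keys(pre_master: bytes, random1: bytes, random2: bytes) -> dict:
    """Key material = TLS-PRF(MasterKey, "client EAP encryption" || random1 || random2).
    RFC 5216 exports its first 64 bytes as the MSK and the next 64 as the EMSK;
    802.11i takes the first 256 bits of the MSK as the PMK, exactly the slide's formula.
    The STA and the AS each run this independently from the same inputs."""
    master = master_secret(pre_master, random1, random2)
    key_material = tls_prf(master, b"client EAP encryption", random1 + random2, 128)
    return {"master": master,
            "msk": key_material[:64],
            "emsk": key_material[64:128],
            "pmk": key_material[:32]}


if __name__ == "__main__":
    pm = bytes([0x03, 0x01]) + bytes(46)              # constructed 48-byte pre-master secret
    r1, r2 = bytes(range(32)), bytes(range(32, 64))   # constructed hello randoms
    print("PMK:", eap_tls_keys(pm, r1, r2)["pmk"].hex())
```

Because the randoms enter both derivations, a replayed handshake cannot reproduce an old PMK, and because only the STA and the AS know the pre-master secret, the AP only ever learns the PMK that RADIUS delivers to it.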
802.1x PEAP Authentication
[Figure: Station (supplicant) – Access Point (authenticator) – authentication/directory server holding a digital certificate from the XYZ CA]
• Phase 1: authenticate the server and build a secure TLS tunnel to it through the AP
• Phase 2: password authentication with the directory server inside the tunnel (Username: ABC, Password: encrypted) → Success/Fail
PEAP Overview
• Step 1: Use EAP-TLS to authenticate the AS to the station
• Step 2: Use the TLS key to protect the channel between the station and the AS
• Step 3: Use a legacy method, protected by the TLS key, to authenticate the station to the AS
[Figure: Wireless Station – AP – Authentication Server]
PEAP Man-in-the-Middle Attack
[Figure: STA – MitM – PEAP Server/AP – AAA-H Server]
• MitM ↔ PEAP Server: tunnel establishment using EAP/Identity Response (anonymous@realm); tunnel keys derived at both ends
• STA ↔ MitM, outside any tunnel: EAP/Identity Request, EAP/Identity Response (user id@realm), EAP/Request/Method Challenge, EAP/Response/Method Response
• The MitM relays the inner EAP method inside its own tunnel to the AAA-H server, which answers with EAP/Success
• Inner EAP method keys are derived at the STA and the AAA-H server but not used; the tunnel keys, which the MitM holds, become the session keys
• Result: WLAN session stolen
802.1x — The Downside
• Only does authentication; encryption is still required
• If used with WEP, the encryption keys are still static even though the authentication keys change
• Authenticator and device must use the same authentication method
• Only supports client-level authentication
WPA (Wi-Fi Protected Access)
• WPA = 802.1X + TKIP
• WPA requires authentication and encryption
• 802.1X authentication choices include LEAP, PEAP, TLS
• WPA has strong industry supporters
• Widespread adoption of WPA will add robust security and remove the "security issue" from the WLAN industry
• WPA will become accepted as the standard
• It is an interim standard
WPA – Fixed WEP's Problems
• IV changes to 48 bits, with no weak keys (900 years to repeat an IV at 10k packets/sec)
• Use the IV as a replay counter
• Message Integrity Check (MIC)
• Per-packet keying
TKIP – Per Packet Keying
[Figure: the 48-bit IV is split into a 32-bit upper IV and a 16-bit lower IV; key mixing phase 1 takes the 128-bit session key, the MAC address and the upper IV; key mixing phase 2 takes the phase-1 output and the lower IV and produces the per-packet key: a 24-bit WEP-style IV plus a 104-bit key, 128 bits in total, fed to RC4]
• Fixes the weaknesses of WEP key generation but still uses the RC4 algorithm
802.11i Overview
• Standard ratified 24 June 2004
• Data security (key management / crypto algorithms)
  • IEEE 802.1aa
    • Accepts the 802.11i key descriptor
    • Defines the key exchange state machine
  • IEEE 802.11i
    • RSN (Robust Security Network)
    • Access control based on 802.1X
    • Dynamic key exchange and management
    • New crypto algorithms
      • TKIP – for backward compatibility with WEP hardware
      • CCMP – AES in CCM mode
Source: ETRI, http://www.ieee802.org/
802.11i Overview (continued)
• User authentication
  • IEEE 802.1X: port-based network access control
    • Before authentication: only the uncontrolled port passes traffic (EAPoL)
    • After authentication: controlled port open
  • IEEE 802.1aa: extra document for 802.1X; the controlled port opens only after authentication and key exchange
  • EAP (Extensible Authentication Protocol): various authentication mechanisms are acceptable, e.g., EAP-MD5, EAP-TLS, EAP-TTLS (EAP-MD5 derives no key material, so it cannot supply a PMK)
  • AAA (Authentication, Authorization and Accounting) server
    • RADIUS (Remote Authentication Dial In User Service) server – RFC 2865
    • Diameter server – RFC 3588
802.11i and WPA
• Uses 802.1x authentication
• Uses the Temporal Key Integrity Protocol (TKIP) to change the RC4 encryption key dynamically, per packet (often summarised as rekeying every 10,000 packets)
• 802.11i adds Advanced Encryption Standard (AES) encryption, which is much stronger than WEP
• A subset of 802.11i, Wi-Fi Protected Access (WPA), is available as a firmware upgrade today
802.11i and WPA Pitfalls
• Keys can be cracked using much less than 10,000 packets
• Michael countermeasures: if the AP sees two MIC failures within 60 seconds it suspends TKIP traffic for 60 seconds; an attacker can trigger this deliberately to perpetrate a DoS attack
• 802.11i → WPA2
802.11i & 802.1x
[Figure: see https://www.semanticscholar.org/paper/Security-enhanced-IEEE-802.1x-authentication-method-Park-Kim/c61874e7e8a5b9457fa37338357c90b3aea61091]
Encryption Effects
Wireless encryption type | Desktop control needed | Cost to implement | Difficult to manage | Vendor support problems | Vulnerable to attack
none                     | low    | low  | low    | low    | high
WEP                      | medium | low  | high   | low    | medium
WPA TKIP                 | high   | high | high   | medium | low
802.11i AES              | high   | high | high   | high   | none
VPN                      | high   | high | medium | low    | none
VPN Authentication & Encryption
[Figure: Station – Access Point – VPN Gateway – LAN, with an IPsec VPN tunnel from the station through the access point to the VPN gateway]
Web Authentication
[Figure: Station – Access Point – web authentication security device – LAN; the station gets an HTTPS login page, and the security device checks the credentials against a backend RADIUS server]
Authentication Type
Wireless authentication type   | Desktop control needed | Cost to implement | Difficult to manage | Vendor support problems | Vulnerable to attack
VPN                            | high   | high   | medium | low    | low
WEP                            | medium | low    | high   | low    | high
802.1x EAP-TLS (certificates)  | high   | high   | high   | medium | low
802.1x PEAP                    | medium | medium | medium | medium | low
Web Auth                       | low    | low    | medium | low    | medium
WLAN Security Management
Wireless Security Concerns
• Management of device security
• Corruption of data sent to wireless devices
• Malicious code (viruses, Trojans, worms)
• Unauthorized users
• Confidentiality of data sent wirelessly
• Security of data stored on a handheld device
WLAN Security Management
• Open access
  • No WEP, WPA, or other encryption; SSID broadcast
• Basic security
  • 40-bit, 128-bit, 256-bit static encryption key
• Enhanced security
  • Dynamic encryption key / scalable key management
  • Mutual 802.1x/EAP authentication
  • TKIP/WPA
• Traveling security
  • Virtual Private Network (VPN)
Wireless Policy Issues
• Policy needs to dictate permitted services and usage
• Needs a means of identifying and enforcing wireless policies
• Existing organization security policies need to be updated to cope with wireless security issues
• Policy needs to indicate how access will be controlled, for instance by time of day
• Every access needs to be logged
• User compliance and standards enforcement
• Centralized control of security policies
• Wireless intrusion alert issues
• Process to update client software levels
• Intrusion detection policies
Know Your Organization
[Figure: four-quadrant self-assessment, three quadrants marked Weakness and one marked Strength, covering: user involvement, awareness and roles; key/password quality; user and key administration; environment integrity and robustness; network security and technology issues; client security; application security; audits and controls, and IDS; process management and standards]
More Security
• Neighbor's Network: a laptop in your network connecting to a neighboring Wi-Fi network, exposing your corporate data
• Unofficial Access Point: an attacker attacking your network through an internal laptop acting as an unofficial software access point
• Rogue Access Point: an attacker attacking your network through an unofficial access point connected to the network
• Misconfigured Access Point: an attacker attacking your network through an unofficial connection with a misconfigured AP
Client Differentiation
• Channel 1, SSID: Laptop → VLAN 1
• Channel 6, SSID: PDA → VLAN 2
• Channel 11, SSID: Phone → VLAN 3
• Each SSID is mapped to its own VLAN on the 802.1Q wired network
Conclusions
• Wireless technology is becoming embedded in notebooks, PDAs, cell phones, etc.
• WLAN is currently insecure
  • 802.11 WEP security is insufficient for the enterprise
  • 802.11i (WPA2) and WPA offer great improvements
• People, processes, policies and architecture are required to deploy WLAN securely
References
• "WLAN teaching materials" by Anan Phonphoem, Computer Engineering Dept., Kasetsart University
• "Who's Watching Your Wireless Network?" by Ian Hameroff, Computer Associates, eTrust Security solutions, CA World 2003
• "Wireless Configuration and Security Issues" by Greg Gabet, IBM GS, CA World 2003
• "Addressing the Challenges of Adopting Secured Mobility in the Enterprise" by Hans-Georg Büttner, Ernst & Young IT-Security GmbH, Germany, CA World 2003
• "Wireless Local Area Network Security" by Robert Simkins, University of Derby, UK
• "WLAN Security" by Matthew Joyce, Rutherford Appleton Laboratory, CCLRC
• "Wireless LAN Security, Threats & Countermeasures" by Joseph Tomasone, Senior Network Security Engineer, Fortress Technologies, Inc., Session 8, August 10, 2005, Infragard National Conference 2005
• CSG 256 Final Project Presentation, by Dan Ziminski & Bill Davidge
• "802.11i Overview" by Jesse Walker, Intel Corporation, [email protected]