WLAN Technologies Wireless LAN Security


IY5511-08 WLAN Security 1

Wireless LAN Security

Matthew Joyce, Vodafone UK

IY5511-08 WLAN Security 2

WLAN Security - Contents

> WLAN Technologies
> Wireless LAN 802.11
> Technology
> Security History
> Vulnerabilities
> Demonstration

IY5511-08 WLAN Security 3

WLAN Technologies

Figure: taxonomy of wireless LAN technologies.

> Infrared
> Spread Spectrum
  > Direct Sequence
  > Frequency Hopping
> Narrow Band

IY5511-08 WLAN Security 4

The ISM Frequency Bands

Figure: ISM bands on a frequency axis running 1, 2, 3, 4, 6, 8, 10, 20, 30, 40, 60, 100 GHz, with bands marked 1, 2 and 3.

Selected regional licensing differences:
> 915 MHz only in the Americas (region 2)
> 2.4 GHz for global availability (regions 1, 2, 3)

Unlicensed spectrum is
> difficult to come by and
> usually contested


IY5511-08 WLAN Security 5

Multiple Access Methods

TDMA (figure: users 1, 2 and 3 occupy successive time slots on one frequency)
> Multiple users share the same frequency channel sequentially
> Time slot sequence repeats over and over

CDMA (also referred to as “Spread Spectrum”; figure: users 1, 2 and 3 overlap in time and frequency, separated by code)
> Channel is “spread” over wide frequency band
> Many users share the same frequency band at the same time
> Each user is assigned a unique “code” to identify and separate them

FDMA (figure: users 1, 2 and 3 each occupy a different frequency)
> Each user assigned a different frequency, like ordinary radio

IY5511-08 WLAN Security 6

Spread Spectrum Communication

> Spread spectrum signals have bandwidths much wider than that of the data they carry

> This provides the signal with substantial immunity to noise and interference, and to fading and multipath

> The use of different basis signals allows many users to exist simultaneously in the same band, hence CDMA

IY5511-08 WLAN Security 7

Spread Spectrum Properties

> Spread spectrum signals may be overlaid on existing services (this is the rule, rather than the exception in the 2.4 GHz ISM band)

> The distinctive signals allow each user to be automatically identified

> The wide bandwidth of the signals allows multipath diversity to be used

> The data rate may be varied to adapt gracefully to changing load conditions

IY5511-08 WLAN Security 8

DS and FH Spread Spectrum

> Frequency Hopping
  > Sequential use of multiple frequencies
  > Hop sequence and rate will vary
> Direct Sequence
  > Each symbol is transmitted over multiple frequencies at the same time
  > Higher speed than FH at comparable distances
  > System capacity (multiple channels) higher than FH

Figure: complete waveband allocated; frequency against time for FH (hopping between channels) and for DS (whole band used at once).


IY5511-08 WLAN Security 9

DSSS Transmitter Schema

> Spreading: the information signal (i.e. a “symbol”) is multiplied by a unique, high-rate digital code which stretches (spreads) its bandwidth before transmission.
> Code bits are called chips.
> The sequence is sometimes called a Barker code.

Figure: source and channel coding produces the digital signal (bits); a multiplier (X) combines it with the code bits (chips) from the code generator; the result feeds the RF modulator. The frequency spectrum of the data is shown beside the “spread” frequency spectrum.

IY5511-08 WLAN Security 10

DSSS Signal Convolution

Figure: “symbol” (symbol time ts, values “1” and “0”) X “Barker” sequence (chip time tc) = result of multiplication; spectrum widens from 2 MHz to 22 MHz.

> Due to the multiplication of a symbol with the Barker code, the rate of change increases by a factor of 11 in this example
> This means that the cycle rate increases from 1 MHz to 11 MHz
> In terms of spectrum this means that after RF modulation the signal is spread from 2 MHz bandwidth to 22 MHz bandwidth

IY5511-08 WLAN Security 11

Data and Spread Signal Spectra

Figure: spectrum of the information signal beside the spectrum of the spread signal; chip rate = 32.

IY5511-08 WLAN Security 12

DSSS Receiver Schema

Figure: RF demodulator output is multiplied (X) by the code bits (chips) from the code generator, giving the de-spread signal, which passes through channel and source decoding to the digital signal (bits). The “spread” frequency spectrum is shown beside the de-spread spectrum.

> At the receiver, the spread signal is multiplied again by a synchronised replica of the same code, and is de-spread and recovered
> The outcome of the process is the original symbol


IY5511-08 WLAN Security 13

De-Spreading

Figure: data, the 11-chip code, and the direct sequence spread spectrum signal; the correlator output over each symbol time is a spike of +11 or -11, decoded as +1 or -1.

> When the incoming signal is de-spread, it results in either a positive (+) or a negative (-) “spike”
> These “spikes” arrive at intervals equal to the symbol time
> A positive spike represents a “1” symbol, a negative spike represents a “0” symbol

IY5511-08 WLAN Security 14

Effects of Reflections/Echoes

Figure: correlator output with the main peak at the symbol time and smaller echo peaks between the symbol boundaries.

> Echoes may arrive at the receiver; fluctuations can be noticed at positions other than the symbol time boundaries
> These fluctuations are (largely) ignored as the receiver will only interpret the spike at the synchronisation points (separated from each other by the symbol time)
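As an added worked example (not code from the slides), the Python below spreads a bit sequence with the 11-chip Barker code shown on the convolution slide, de-spreads it by correlating each symbol window with a synchronised replica of the code, and then passes the chips through a constructed echo channel to show why the ±11 spikes at the symbol boundaries still decide correctly. The bit pattern, the echo delay and gain, and the chip polarity convention (+1 for “1”, -1 for “0”) are assumptions of the example.

```python
"""Toy DSSS spreading and de-spreading with the 11-chip Barker code (added example)."""

# 11-chip Barker sequence; its aperiodic autocorrelation sidelobes are 0 or -1.
BARKER_11 = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]


def spread(bits, code=BARKER_11):
    """Multiply every symbol (+1 for a 1 bit, -1 for a 0 bit) by the chip
    sequence: one bit becomes len(code) chips, so the rate rises 11-fold."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * chip for chip in code)
    return chips


def despread(received, code=BARKER_11):
    """Correlate each symbol-time window with the synchronised code.

    Returns (bits, spikes): the correlator gives about +len(code) for a "1"
    symbol and about -len(code) for a "0" symbol; the sign decides the bit.
    """
    n = len(code)
    bits, spikes = [], []
    for start in range(0, len(received) - n + 1, n):
        corr = sum(received[start + j] * code[j] for j in range(n))
        spikes.append(corr)
        bits.append(1 if corr > 0 else 0)
    return bits, spikes


def add_echo(chips, delay, gain):
    """Constructed multipath channel: the direct path plus one attenuated copy
    arriving `delay` chips late (a reflection off a wall, say)."""
    out = []
    for i, chip in enumerate(chips):
        echo = chips[i - delay] if i - delay >= 0 else 0
        out.append(chip + gain * echo)
    return out


def autocorrelation(code=BARKER_11):
    """Aperiodic autocorrelation R(d) of the code. The peak R(0) equals the
    code length; every other |R(d)| is at most 1, which is why a delayed echo
    only nudges the spike instead of producing a competing one."""
    n = len(code)
    return [sum(code[j] * code[j + d] for j in range(n - d)) for d in range(n)]


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed bit pattern
    tx = spread(data)
    print("chips per bit:", len(tx) // len(data))
    rx_bits, spikes = despread(add_echo(tx, delay=3, gain=0.5))
    print("recovered:", rx_bits, "spikes:", spikes)
    print("Barker autocorrelation:", autocorrelation())
```

With a half-strength echo three chips late, each spike lands at ±11 ± 0.5 rather than ±11, so the sign, and therefore the bit, is unchanged; the echo contribution is bounded by the Barker sidelobes, not by the echo's own length.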

IY5511-08 WLAN Security 15

IEEE 802 – The WiFi Context

> IEEE 802 is a collection of standards by IEEE that typically get promulgated to ANSI and ISO standards
  > E.g. IEEE 802.3 specifies the physical and data link layer properties of Ethernet (in its various incarnations)
> IEEE 802.11 is a family of standards for wireless local area networks
  > Baseline IEEE Std 802.11-1997 was approved in June 1997
  > Current standard is IEEE Std 802.11-1999, which is supplemented by amendment documents (in the sequence a, b, d, g, h, i, j, and e) and one corrigendum document
> IEEE Std 802.11-1999 was reaffirmed by the 802.11 working group in 2003 without changes
> A recommended practices document for inter-access-point communication (802.11f) was ratified in 2003 but withdrawn in March 2006

IY5511-08 WLAN Security 16

Wireless LANs

> IEEE ratified 802.11 in 1997.
> Also known as Wi-Fi.
> Wireless LAN at 1 Mbps & 2 Mbps.
> WECA (Wireless Ethernet Compatibility Alliance) promoted interoperability.
  > Now Wi-Fi Alliance
> 802.11 provides protocols at Layer 1 & Layer 2 of the OSI model.
  > Physical layer
  > Data link layer


IY5511-08 WLAN Security 17

802.11 Components

> Two pieces of equipment defined:
  > Wireless station
    > A desktop or laptop PC or PDA with a wireless NIC.
  > Access point
    > A bridge between wireless and wired networks
    > Composed of
      > Radio
      > Wired network interface (usually 802.3)
      > Bridging software
    > Aggregates access for multiple wireless stations to the wired network.

IY5511-08 WLAN Security 18

802.11 modes

> Infrastructure mode
  > Basic Service Set
    > One access point
  > Extended Service Set
    > Two or more BSSs forming a single subnet.
  > Corporate WLANs operate in this mode.
> Ad-hoc mode
  > Also called peer-to-peer.
  > Independent Basic Service Set
  > Set of 802.11 wireless stations that communicate directly without an access point.
  > Useful for quick & easy wireless networks.

IY5511-08 WLAN Security 19

Infrastructure mode

Figure: Basic Service Set (BSS), a single cell of one access point and its stations; Extended Service Set (ESS), multiple cells.

IY5511-08 WLAN Security 20

Ad-hoc mode

Independent Basic Service Set (IBSS)


IY5511-08 WLAN Security 21

802.11 Physical Layer

> Originally three alternative physical layers
  > Two incompatible spread-spectrum radios in the 2.4 GHz ISM band
    > Frequency Hopping Spread Spectrum (FHSS)
      > 75 channels
    > Direct Sequence Spread Spectrum (DSSS)
      > 14 channels (11 channels in US)
  > One diffuse infrared layer
> 802.11 speed
  > 1 Mbps or 2 Mbps.

IY5511-08 WLAN Security 22

802.11 Data Link Layer

> Layer 2 split into:
  > Logical Link Control (LLC).
  > Media Access Control (MAC).
> LLC: same 48-bit addresses as 802.3.
> MAC: CSMA/CD not possible.
  > Can’t listen for a collision while transmitting.
> CSMA/CA: Collision Avoidance.
  > Sender waits for clear air, waits a random time, then sends data.
  > Receiver sends explicit ACK when data arrives intact.
  > Also handles interference.
  > But adds overhead.
> 802.11 always slower than equivalent 802.3.

IY5511-08 WLAN Security 23

Hidden nodes

IY5511-08 WLAN Security 24

RTS / CTS

> To handle hidden nodes
> Sending station sends “Request to Send”
> Access point responds with “Clear to Send”
  > All other stations hear this and delay any transmissions.
> Only used for larger pieces of data.
  > When retransmission may waste significant time.


IY5511-08 WLAN Security 25

802.11b

> 802.11b ratified in 1999 adding 5.5 Mbps and 11 Mbps.
> DSSS as physical layer.
  > 11 channels (3 non-overlapping)
> Dynamic rate shifting.
  > Transparent to higher layers
  > Ideally 11 Mbps.
  > Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
    > Higher ranges.
    > Interference.
  > Shifts back up when possible.
> Maximum specified range 100 metres
> Average throughput of 4 Mbps

IY5511-08 WLAN Security 26

Joining a BSS

> When an 802.11 client enters range of one or more APs
  > APs send beacons.
  > AP beacon can include SSID.
  > AP chosen on signal strength and observed error rates.
> After AP accepts client.
  > Client tunes to AP channel.
> Periodically, all channels surveyed.
  > To check for stronger or more reliable APs.
  > If found, reassociates with new AP.

IY5511-08 WLAN Security 27

Access Point Roaming

Figure: a station roaming across access point cells on channels 4, 7, 9 and 1.

IY5511-08 WLAN Security 28

Roaming and Channels

> Reassociation with APs
  > Moving out of range.
  > High error rates.
  > High network traffic.
    > Allows load balancing.
> Each AP has a channel.
  > 14 partially overlapping channels.
  > Only three channels that have no overlap.
    > Best for multicell coverage.


IY5511-08 WLAN Security 29

802.11a

> 802.11a ratified in 2001
> Supports up to 54 Mbps in the 5 GHz range.
  > Higher frequency limits the range
  > Regulated frequency reduces interference from other devices
> 12 non-overlapping channels
> Usable range of 30 metres
> Average throughput of 30 Mbps
> Not backwards compatible

IY5511-08 WLAN Security 30

802.11g

> 802.11g ratified in 2002
> Supports up to 54 Mbps in the 2.4 GHz range.
> Backwards compatible with 802.11b
> 3 non-overlapping channels
> Range similar to 802.11b
> Average throughput of 30 Mbps
> 802.11n due for November 2006
  > Aiming for maximum 200 Mbps with average 100 Mbps

IY5511-08 WLAN Security 31

Open System Authentication

> Service Set Identifier (SSID)
  > Station must specify SSID to Access Point when requesting association.
  > Multiple APs with same SSID form an Extended Service Set.
  > APs can broadcast their SSID.
  > Some clients allow * as SSID.
    > Associates with strongest AP regardless of SSID.

IY5511-08 WLAN Security 32

MAC ACLs and SSID hiding

> Access points have Access Control Lists (ACL).
  > ACL is a list of allowed MAC addresses.
  > E.g. Allow access to:
    > 00:01:42:0E:12:1F
    > 00:01:42:F1:72:AE
    > 00:01:42:4F:E2:01
  > But MAC addresses are sniffable and spoofable.
> AP Beacons without SSID
  > Essid_jack
    > sends deauthenticate frames to client
    > SSID then displayed when client sends reauthenticate frames


IY5511-08 WLAN Security 33

Interception Range

Figure: Basic Service Set (BSS), a single cell of about 100 metres; a station outside the building perimeter is still within range.

IY5511-08 WLAN Security 34

Interception

> Wireless LAN uses radio signal.
  > Not limited to physical building.
  > Signal is weakened by:
    > Walls
    > Floors
    > Interference
> Directional antenna allows interception over longer distances.
  > Record is 124 miles for an unamplified 802.11b signal (4 metre dish)

IY5511-08 WLAN Security 35

Directional Antenna

> Directional antenna provides focused reception.
> DIY plans available.
  > Aluminium cake tin
  > Chinese cooking sieve
  > http://www.saunalahti.fi/~elepal/antennie.html
  > http://www.usbwifi.orcon.net.nz/

IY5511-08 WLAN Security 36

WarDriving

> Software
  > Netstumbler
  > And many more
> Laptop
> 802.11a,b,g PC card
> Optional:
  > Global Positioning System
> Logging of MAC address, network name, SSID, manufacturer, channel, signal strength, noise (GPS: location).


IY5511-08 WLAN Security 37

WarDriving results

> San Francisco, 2001
  > Maximum 55 miles per hour.
  > 1500 Access Points
  > 60% in default configuration.
  > Most connected to internal backbones.
  > 85% use Open System Authentication.
> Commercial directional antenna
  > 25 mile range from hilltops.
> Peter Shipley - http://www.dis.org/filez/openlans.pdf

IY5511-08 WLAN Security 38

WarDriving map (figure). Source: www.dis.org/wl/maps/

IY5511-08 WLAN Security 39

Worldwide War Drive 2004

> Fourth and last worldwide war drive
> www.worldwidewardrive.org
> 228,537 Access points
  > 82,755 (35%) with default SSID
  > 140,890 (60%) with Open System Authentication
  > 62,859 (27%) with both, probably default configuration

IY5511-08 WLAN Security 40

Further issues

> Access Point configuration
  > Mixtures of SNMP, web, serial, telnet.
  > Default community strings, default passwords.
> Evil Twin Access Points
  > Stronger signal, capture user authentication.
> Renegade Access Points
  > Unauthorised wireless LANs.


IY5511-08 WLAN Security 41

War Driving prosecutions

> February 2004, Texas: Stefan Puffer acquitted of wrongful access after showing an unprotected county WLAN to officials
> June 2004, North Carolina, Lowes DIY store
  > Salcedo convicted for stealing credit card numbers via unprotected WLAN
  > Botbyl convicted for checking email & web browsing via unprotected WLAN
> June 2004, Connecticut: Myron Tereshchuk guilty of drive-by extortion via unprotected WLANs
  > “make the check payable to M.Tereshchuk”
> July 2005, London: Gregory Straszkiewicz guilty of dishonestly obtaining a communications service
  > Warwalking in Ealing

IY5511-08 WLAN Security 42

802.11b Security Services

> Two security services provided:
  > Authentication
    > Shared Key Authentication
  > Encryption
    > Wired Equivalent Privacy

IY5511-08 WLAN Security 43

Wired Equivalent Privacy

> Shared key between
  > Stations.
  > An Access Point.
> Extended Service Set
  > All Access Points will have the same shared key.
> No key management
  > Shared key entered manually into
    > Stations
    > Access points
  > Key management nightmare in large wireless LANs

IY5511-08 WLAN Security 44

RC4

> Ron’s Code number 4
> Symmetric key encryption
> RSA Security Inc.
> Designed in 1987.
> Trade secret until leak in 1994.
> RC4 can use key sizes from 1 bit to 2048 bits.
> RC4 generates a stream of pseudo-random bits
  > XORed with plaintext to create ciphertext.


IY5511-08 WLAN Security 45

WEP – Sending

> Compute Integrity Check Vector (ICV).
  > Provides integrity
  > 32-bit Cyclic Redundancy Check.
  > Appended to message to create plaintext.
> Plaintext encrypted via RC4
  > Provides confidentiality.
  > Plaintext XORed with long key stream of pseudo-random bits.
  > Key stream is function of
    > 40-bit secret key
    > 24-bit initialisation vector
> Ciphertext is transmitted.

IY5511-08 WLAN Security 46

WEP Encryption

Figure: Initialisation Vector (IV) || Secret key feeds the PRNG, producing the key stream; Plaintext || 32-bit CRC is XORed with the key stream to give the Ciphertext, which is transmitted together with the IV.

IY5511-08 WLAN Security 47

WEP – Receiving

> Ciphertext is received.
> Ciphertext decrypted via RC4
  > Ciphertext XORed with long key stream of pseudo-random bits.
  > Key stream is function of
    > 40-bit secret key
    > 24-bit initialisation vector (IV)
> Check ICV
  > Separate ICV from message.
  > Compute ICV for message
  > Compare with received ICV

IY5511-08 WLAN Security 48

Shared Key Authentication

> When station requests association with Access Point
  > AP sends random number to station
  > Station encrypts random number
    > Uses RC4, 40-bit shared secret key & 24-bit IV
  > Encrypted random number sent to AP
  > AP decrypts received message
    > Uses RC4, 40-bit shared secret key & 24-bit IV
  > AP compares decrypted random number to transmitted random number
  > If numbers match, station has shared secret key.


IY5511-08 WLAN Security 49

WEP Safeguards

> Shared secret key required for:
  > Associating with an access point.
  > Sending data.
  > Receiving data.
> Messages are encrypted.
  > Confidentiality.
> Messages have checksum.
  > Integrity.
> But management traffic still broadcast in clear containing SSID.

IY5511-08 WLAN Security 50

Initialisation Vector

> IV must be different for every message transmitted.
> 802.11 standard doesn’t specify how IV is calculated.
> Wireless cards use several methods
  > Some use a simple ascending counter for each message.
  > Some switch between alternate ascending and descending counters.
  > Some use a pseudo-random IV generator.

IY5511-08 WLAN Security 51

Passive WEP attack

> If 24-bit IV is an ascending counter,
  > If Access Point transmits at 11 Mbps,
  > All IVs are exhausted in roughly 5 hours.
> Passive attack:
  > Attacker collects all traffic
  > Attacker could collect two messages:
    > Encrypted with same key and same IV
  > Statistical attacks to reveal plaintext
  > Plaintext XOR Ciphertext = Keystream

IY5511-08 WLAN Security 52

Active WEP attack

> If attacker knows a plaintext and ciphertext pair
  > Keystream is known.
  > Attacker can create correctly encrypted messages.
  > Access Point is deceived into accepting messages.
> Bitflipping
  > Flip a bit in ciphertext
  > Bit difference in CRC-32 can be computed
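The Python below is an added worked example, not code from the slides, covering the WEP sending and receiving slides and the two attack slides above it. It implements the encapsulation as described (RC4 keystream from IV || secret key, CRC-32 ICV appended to the message, IV sent in clear) and then demonstrates the two properties the passive and active attack slides rely on: frames encrypted under a repeated IV leak the XOR of their plaintexts without any knowledge of the key, and CRC-32 is affine, so the ICV change caused by a modification is computable, which is why a keyed integrity code (WPA's Michael, CCMP) replaced it. The key, IV, messages and the little-endian ICV byte order are assumptions of the example.

```python
"""Toy WEP encapsulation and two of its failure modes (added example)."""
import zlib


def rc4_keystream(key, length):
    """RC4: key scheduling (KSA) followed by pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    """Byte-wise XOR over the common length of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(message):
    """Integrity Check Value: CRC-32 of the message as 4 bytes.
    Little-endian byte order is an assumption of this example."""
    return (zlib.crc32(message) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(secret_key, iv, message):
    """Sending: plaintext = message || ICV, keystream = RC4(IV || key),
    frame = IV || (plaintext XOR keystream). The IV travels in clear."""
    plaintext = message + icv(message)
    keystream = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + xor(plaintext, keystream)


def wep_decrypt(secret_key, frame):
    """Receiving: split off the IV, regenerate the keystream, XOR, then
    separate and check the ICV. Returns the message, or None on ICV failure."""
    iv, ciphertext = frame[:3], frame[3:]
    plaintext = xor(ciphertext, rc4_keystream(iv + secret_key, len(ciphertext)))
    message, received_icv = plaintext[:-4], plaintext[-4:]
    return message if icv(message) == received_icv else None


def iv_reuse_leak(frame_a, frame_b):
    """Passive attack slide: two frames under the same key and IV share one
    keystream, so C_a XOR C_b == P_a XOR P_b; the key never enters."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; their keystreams differ")
    return xor(frame_a[3:], frame_b[3:])


def crc32_is_affine(a, b):
    """Active attack slide: for equal-length inputs,
    CRC32(a XOR b) == CRC32(a) XOR CRC32(b) XOR CRC32(zeros), so the ICV
    difference caused by a bit flip is computable with no key at all.
    A keyed MIC does not have this property."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    lhs = zlib.crc32(xor(a, b))
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(bytes(len(a)))
    return lhs == rhs


if __name__ == "__main__":
    key = bytes([0x01, 0x23, 0x45, 0x67, 0x89])   # constructed 40-bit key
    iv = bytes([0x00, 0x00, 0x01])                 # constructed IV
    frame = wep_encrypt(key, iv, b"Hello WLAN security")
    print("round trip:", wep_decrypt(key, frame))
    f1 = wep_encrypt(key, iv, b"ARP request from A")
    f2 = wep_encrypt(key, iv, b"ARP request from B")
    print("IV reuse leaks P1 XOR P2:", iv_reuse_leak(f1, f2).hex())
```

Note that the ICV does detect accidental corruption (flipping one ciphertext byte makes `wep_decrypt` return None), which is the job CRC-32 was designed for; the affinity check shows why that is not the same as integrity against an adversary.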


IY5511-08 WLAN Security 53

Limited WEP keys

> Some vendors allow limited WEP keys
  > User types in a passphrase
  > WEP key is generated from passphrase
  > Passphrase creates only 21 bits of entropy in 40-bit key.
  > Reduces key strength to 21 bits = 2,097,152
  > Remaining 19 bits are predictable.
  > 21-bit key can be brute forced in minutes.
> www.lava.net/~newsham/wlan/WEP_password_cracker.ppt

IY5511-08 WLAN Security 54

Creating limited WEP keys

IY5511-08 WLAN Security 55

Brute force key attack

> Capture ciphertext.
  > IV is included in message.
> Search all 2^40 possible secret keys.
  > 1,099,511,627,776 keys
  > ~170 days on a modern laptop
> Find which key decrypts ciphertext to plaintext.

IY5511-08 WLAN Security 56

128 bit WEP

> Vendors have extended WEP to 128-bit keys.
  > 104-bit secret key.
  > 24-bit IV.
> Brute force takes 10^19 years for 104-bit key.
> Effectively safeguards against brute force attacks.


IY5511-08 WLAN Security 57

Key Scheduling Weakness

> Paper from Fluhrer, Mantin, Shamir, 2001.
> Two weaknesses:
  > Certain keys leak into key stream.
    > Invariance weakness.
  > If portion of PRNG input is exposed,
    > Analysis of initial key stream allows key to be determined.
    > IV weakness.

IY5511-08 WLAN Security 58

IV weakness

> WEP exposes part of PRNG input.
  > IV is transmitted with message.
> Every wireless frame has reliable first byte
  > Sub-network Access Protocol header (SNAP) used in logical link control layer, upper sub-layer of data link layer.
  > First byte is 0xAA
> Attack is:
  > Capture packets with weak IV
  > First byte ciphertext XOR 0xAA = First byte key stream
  > Can determine key from initial key stream
> Practical for 40-bit and 128-bit keys
> Passive attack.
  > Non-intrusive.
  > No warning.

IY5511-08 WLAN Security 59

Wepcrack

> First tool to demonstrate attack using IV weakness.
> Open source, Anton Rager.
> Three components
  > Weaker IV generator.
  > Search sniffer output for weaker IVs & record 1st byte.
  > Cracker to combine weaker IVs and selected 1st bytes.
> Cumbersome.

IY5511-08 WLAN Security 60

Airsnort

> Automated tool
> Cypher42, Minnesota, USA.
> Does it all!
  > Sniffs
  > Searches for weaker IVs
  > Records encrypted data
  > Until key is derived.
> 100 Mb to 1 Gb of transmitted data.
> 3 to 4 hours on a very busy WLAN.


IY5511-08 WLAN Security 61

Avoid the weak IVs

> FMS described a simple method to find weak IVs
  > Many manufacturers avoid those IVs after 2002
  > Therefore Airsnort and others may not work on recent hardware
> However David Hulton aka h1kari
  > Properly implemented FMS attack which shows many more weak IVs
  > Identified IVs that leak into second byte of key stream.
  > Second byte of SNAP header is also 0xAA
  > So attack still works on recent hardware
  > And is faster on older hardware
  > Dwepcrack, weplab, aircrack
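The slide says manufacturers responded to FMS by no longer emitting the weak IVs. As an added example (not vendor code and not from the slides), the Python below shows what that filter looks like for the original FMS class, IVs of the form (A + 3, 255, X) with A an index into the secret key, as an ascending 24-bit counter that skips them, plus a defender-side audit that counts weak and repeated IVs in a list of observed values. The wider weak-IV classes the slide attributes to h1kari are not modelled; the key length, the counter start value and the assumption that the counter's most significant byte is the first RC4 key byte are the example's own.

```python
"""IV policy that avoids the FMS weak-IV class, plus a capture audit (added example)."""


def is_fms_weak(iv, key_len):
    """Weak IVs of the form (A + 3, 255, X) with 0 <= A < key_len: the class
    described by Fluhrer, Mantin and Shamir. iv[0] is RC4 key byte 0."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


def count_fms_weak(key_len):
    """Size of that class: key_len choices of A times 256 values of X."""
    return 256 * key_len


class WepIvCounter:
    """24-bit ascending IV counter that never emits an FMS-weak IV.

    Assumption: the counter's most significant byte is transmitted first and
    so becomes RC4 key byte 0. The space still wraps after 2^24 frames, the
    exhaustion the slides put at roughly 5 hours at 11 Mbps, so skipping weak
    IVs does nothing about IV reuse."""

    SPACE = 1 << 24

    def __init__(self, key_len, start=0):
        self.key_len = key_len
        self.value = start % self.SPACE
        self.wraps = 0   # how many times the IV space has been exhausted

    def next_iv(self):
        while True:
            iv = self.value.to_bytes(3, "big")
            self.value = (self.value + 1) % self.SPACE
            if self.value == 0:
                self.wraps += 1
            if not is_fms_weak(iv, self.key_len):
                return iv


def audit_ivs(observed, key_len):
    """Defender-side check over IVs seen in a capture: how many fall in the
    weak class (old firmware still exposed to FMS) and how many repeat
    (every repeat hands an observer two frames under one keystream)."""
    seen = set()
    weak = repeated = 0
    for iv in observed:
        if is_fms_weak(iv, key_len):
            weak += 1
        if iv in seen:
            repeated += 1
        seen.add(iv)
    return {"total": len(observed), "weak": weak, "repeated": repeated}


if __name__ == "__main__":
    counter = WepIvCounter(key_len=5, start=0x03FF00)   # constructed start inside a weak run
    first = [counter.next_iv() for _ in range(3)]
    print("first IVs emitted:", [iv.hex() for iv in first])
    sample = [bytes([3, 255, 0]), bytes([4, 0, 0]), bytes([4, 0, 0])]   # constructed capture
    print("audit:", audit_ivs(sample, key_len=5))
```

For a 40-bit key the filter removes 1,280 of the 16,777,216 IVs and for a 104-bit key 3,328; the audit is the cheap check to run against a card's actual output before trusting the vendor's claim.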

IY5511-08 WLAN Security 62

Generating WEP traffic

> Not capturing enough traffic?
  > Capture encrypted ARP request packets
    > Anecdotally lengths of 68, 118 and 368 bytes appear appropriate
  > Replay encrypted ARP packets to generate encrypted ARP replies
  > Aireplay implements this.

IY5511-08 WLAN Security 63

802.11 safeguards

> Security Policy & Architecture Design
> Treat as untrusted LAN
> Discover unauthorised use
> Access point audits
> Station protection
> Access point location
> Antenna design

IY5511-08 WLAN Security 64

Security Policy & Architecture

> Define use of wireless network
  > What is allowed
  > What is not allowed
> Holistic architecture and implementation
  > Consider all threats.
  > Design entire architecture to minimise risk.


IY5511-08 WLAN Security 65

Wireless as untrusted LAN

> Treat wireless as untrusted.
  > Similar to Internet.
> Firewall between WLAN and Backbone.
> Extra authentication required.
> Intrusion Detection at WLAN / Backbone junction.
> Vulnerability assessments

IY5511-08 WLAN Security 66

Discover unauthorised use

> Search for unauthorised access points, ad-hoc networks or clients.
> Port scanning
  > For unknown SNMP agents.
  > For unknown web or telnet interfaces.
> Warwalking!
  > Sniff 802.11 packets
  > Identify IP addresses
  > Detect signal strength
  > But may sniff your neighbours…
> Wireless Intrusion Detection
  > AirMagnet, AirDefense, Trapeze, Aruba, …

IY5511-08 WLAN Security 67

Access point audits

> Review security of access points.
  > Are passwords and community strings secure?
> Use firewalls & router ACLs
  > Limit use of access point administration interfaces.
> Standard access point config:
  > SSID
  > WEP keys
  > Community string & password policy

IY5511-08 WLAN Security 68

Station protection

> Personal firewalls
  > Protect the station from attackers.
> VPN from station into Intranet
  > End-to-end encryption into the trusted network.
  > But consider roaming issues.
> Host intrusion detection
  > Provide early warning of intrusions onto a station.
> Configuration scanning
  > Check that stations are securely configured.


IY5511-08 WLAN Security 69

Location of Access Points

> Ideally locate access points
  > In centre of buildings.
> Try to avoid access points
  > By windows
  > On external walls
  > Line of sight to outside
> Use directional antenna to “point” radio signal.

IY5511-08 WLAN Security 70

Wireless IDS/IPS

> Sensors deployed in WLAN
> Monitoring to detect
  > Unauthorised clients by MAC address
    > Accidental
    > Malicious
  > Ad-hoc mode networks
  > Unauthorised access points
  > Policy violations
> Possible to identify approximate locations
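The detection rules this slide and the earlier “Discover unauthorised use” slide list can be expressed as a small rule set over sensor observations. The Python below is an added example, not a product's code: it holds a constructed inventory of authorised access points and clients (the three client MACs are the ones on the MAC ACL slide; the BSSIDs are constructed), runs a handful of constructed beacon and data observations through the rules, and raises alerts for ad-hoc networks, an evil twin (a corporate SSID from an unknown BSSID), a rogue AP, an authorised AP beaconing without privacy, and a client MAC outside the inventory. Location estimation from signal strength is not modelled.

```python
"""Rule-based wireless IDS pass over constructed sensor observations (added example)."""

# Constructed inventory of authorised access points: BSSID -> SSID.
AUTHORISED_APS = {
    "00:0C:41:10:AA:01": "corp-wlan",
    "00:0C:41:10:AA:02": "corp-wlan",
}
CORPORATE_SSIDS = set(AUTHORISED_APS.values())

# Client inventory; these three addresses are the ones on the MAC ACL slide.
AUTHORISED_CLIENTS = {"00:01:42:0E:12:1F", "00:01:42:F1:72:AE", "00:01:42:4F:E2:01"}

# Constructed observations, one dict per beacon or data frame a sensor saw.
OBSERVATIONS = [
    {"frame": "beacon", "bssid": "00:0C:41:10:AA:01", "ssid": "corp-wlan",
     "mode": "infrastructure", "privacy": True, "channel": 1},
    {"frame": "beacon", "bssid": "00:0C:41:10:AA:02", "ssid": "corp-wlan",
     "mode": "infrastructure", "privacy": False, "channel": 6},   # authorised AP, privacy off
    {"frame": "beacon", "bssid": "DE:AD:BE:EF:00:01", "ssid": "corp-wlan",
     "mode": "infrastructure", "privacy": True, "channel": 11},   # corporate SSID, unknown BSSID
    {"frame": "beacon", "bssid": "DE:AD:BE:EF:00:02", "ssid": "lab-test",
     "mode": "infrastructure", "privacy": False, "channel": 3},   # unknown AP, unknown SSID
    {"frame": "beacon", "bssid": "02:11:22:33:44:55", "ssid": "free-wifi",
     "mode": "ad-hoc", "privacy": False, "channel": 6},           # IBSS
    {"frame": "data", "bssid": "00:0C:41:10:AA:01", "client": "00:01:42:0E:12:1F"},  # known client
    {"frame": "data", "bssid": "00:0C:41:10:AA:01", "client": "00:1B:77:00:00:09"},  # unknown client
]


def classify(obs):
    """Apply the slide's detection rules to one observation.
    Returns a list of (alert kind, offending address) tuples."""
    alerts = []
    if obs["frame"] == "beacon":
        if obs["mode"] == "ad-hoc":
            alerts.append(("adhoc-network", obs["bssid"]))
        elif obs["bssid"] not in AUTHORISED_APS:
            # An unknown BSSID advertising our SSID is the evil-twin pattern;
            # any other unknown BSSID is a renegade access point.
            kind = "evil-twin" if obs["ssid"] in CORPORATE_SSIDS else "rogue-ap"
            alerts.append((kind, obs["bssid"]))
        elif not obs["privacy"]:
            # Our own AP beaconing without the privacy bit: a policy violation.
            alerts.append(("open-auth-policy", obs["bssid"]))
    elif obs["frame"] == "data":
        if obs["bssid"] in AUTHORISED_APS and obs["client"] not in AUTHORISED_CLIENTS:
            alerts.append(("unknown-client", obs["client"]))
    return alerts


def scan(observations):
    """Run every observation through the rules and collect the alerts."""
    return [alert for obs in observations for alert in classify(obs)]


if __name__ == "__main__":
    for kind, address in scan(OBSERVATIONS):
        print(f"{kind:18} {address}")
```

The rules are deliberately inventory-driven: a spoofed client MAC on the ACL slide would pass the unknown-client rule, which is the limitation that slide already points out, so MAC matching is a supplement to 802.1x authentication rather than a replacement for it.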

IY5511-08 WLAN Security 71

WPA

> Wi-Fi Protected Access
> Works with 802.11b, a and g
> “Fixes” WEP’s problems
  > Existing hardware can be used
  > 802.1x user-level authentication
  > TKIP
    > RC4 session-based dynamic encryption keys
    > Per-packet key derivation
    > Unicast and broadcast key management
    > New 48-bit IV with new sequencing method
    > Michael 8-byte message integrity code (MIC)
  > Optional AES support to replace RC4

IY5511-08 WLAN Security 72

WPA and 802.1x

> 802.1x is a general purpose network access control mechanism
> WPA has two modes
  > Pre-shared mode, uses pre-shared keys
  > Enterprise mode, uses Extensible Authentication Protocol (EAP) with a RADIUS server making the authentication decision
> EAP is a transport for authentication, not authentication itself
> EAP allows arbitrary authentication methods
  > For example, Windows supports
    > EAP-TLS requiring client and server certificates
    > PEAP-MS-CHAPv2


IY5511-08 WLAN Security 73

Practical WPA attacks

> Dictionary attack on pre-shared key mode
  > CoWPAtty, Joshua Wright
> Denial of service attack
  > If WPA equipment sees two packets with invalid MICs in 1 second
    > All clients are disassociated
    > All activity stopped for one minute
  > Two malicious packets a minute enough to stop a wireless network

IY5511-08 WLAN Security 74

802.11i (WPA2)

> Robust Security Network extends WPA
  > Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
  > Based on a mode of AES, with 128-bit keys and 48-bit IV.
  > Also adds dynamic negotiation of authentication and encryption algorithms
    > Allows for future change
> Does require new hardware
> Lots more info
  > www.drizzle.com/~aboba/IEEE/

IY5511-08 WLAN Security 75

Relevant RFCs

> RADIUS Extensions: RFC 2869
> EAP: RFC 2284
> EAP-TLS: RFC 2716

IY5511-08 WLAN Security 76

Demonstration

> War driving
> Packet sniffing
> Cracking WEP