Wireless LAN Security Fundamentals

Wireless LAN Security Fundamentals

Jon GreenMarch 2014

2CONFIDENTIAL

© Copyright 2014. Aruba Networks, Inc.

All rights reserved#AirheadsConf

Today’s Agenda

• Cryptography for Wi-Fi

• Authentication with 802.1X

• Access Control

• WIDS

3CONFIDENTIAL



Cryptography Primer

4CONFIDENTIAL



Why study cryptography?

• Absolutely critical to wireless security

• Heavily used during authentication

process

• Protects data in transit

• Makes you more interesting at parties

5CONFIDENTIAL



Meet Bob and Alice

• Bob and Alice are traditionally used in examples

of cryptography

6CONFIDENTIAL



Symmetric Key Cryptography

7CONFIDENTIAL



Symmetric Key Cryptography

• Strength:– Simple and very fast (order of 1000 to 10000 faster than

asymmetric mechanisms)

• Challenges:– Must agree the key beforehand

– How to securely pass the key to the other party?

• Examples: AES, 3DES, DES, RC4

• AES is the current “gold standard” for security

8CONFIDENTIAL



Public Key Cryptography (Asymmetric)

9CONFIDENTIAL



Public Key Cryptography

• Strength

– Solves problem of passing the key

– Allows establishment of trust context between parties

• Challenges:

– Slow (MUCH slower than symmetric)

– Problem of trusting public key (what if I’ve never met you?)

• Examples: RSA, DSA, ECDSA

10CONFIDENTIAL



Entropy

• When we create a keypair, we need a high

likelihood that it is unique

• We need high quality random numbers for this

• What happens if it’s not unique?

11CONFIDENTIAL



Hybrid Cryptography

• Randomly generate “session” key• Encrypt data with “session” key

(symmetric key cryptography)• Encrypt “session” key with recipient’s public key

(public key cryptography)

12CONFIDENTIAL



Hash Function

• Properties

– it is easy to compute the hash value for any given message

– it is infeasible to find a message that has a given hash

– it is infeasible to find two different messages with the same hash

– it is infeasible to modify a message without changing its hash

• Ensures message integrity

• Also called message digests or fingerprints

• Examples: MD5, SHA1, SHA2 (256/384/512)

13CONFIDENTIAL



Digital Signature

• Combines a hash with an asymmetric crypto algorithm

• The sender’s private key is used in the digital signature

operation

• Digital signature calculation:

14CONFIDENTIAL



Summary: Security Building Blocks

• Encryption provides

– confidentiality, can provide authentication and integrity protection

• Checksums/hash algorithms provide

– integrity protection, can provide authentication

• Digital signatures provide

– authentication, integrity protection, and non-repudiation

• For more info:

Buy this Book!

15CONFIDENTIAL



Certificates, Trust & PKI

16CONFIDENTIAL



What is a Certificate?

• Binds a public key to some identifying

information

– The signer of the certificate is called its

issuer

– The entity talked about in the certificate is

the subject of the certificate

• Certificates in the real world

– Any type of license, government-issued

ID’s, membership cards, ...

– Binds an identity to certain rights, privileges,

or other identifiers

17CONFIDENTIAL



Who do you trust?

Windows: Start->Run->certmgr.msc

18CONFIDENTIAL



Public Key Infrastructure

• A Certificate Authority (CA) guarantees the binding between a public key and another CA or an “End Entity” (EE)

• CA Hierarchies

19CONFIDENTIAL



What is a Certificate?

20CONFIDENTIAL



Certificate Formats

• PEM / PKCS#7– Contains a certificate in base64 encoding (open in

a text editor)

• DER– Contains a certificate in binary encoding

• PFX / PKCS#12– Contains a certificate AND private key, protected

by a password

PEM-PKCS#7:-----BEGIN CERTIFICATE-----

MIID5TCCA2qgAwIBAgIKErZ83wAAAAAAEDAKBggqhkjOPQQDAzBLMRUwEwYKCZIm

iZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgRqb24xMRwwGgYDVQQDExNq

b24xLUpPTi1TRVJWRVIyLUNBMB4XDTEzMDIwNjIyNDAzN1oXDTE0MDIwNjIyNDAz

N1owHDEaMBgGA1UEAxMRMDA6MEI6ODY6ODA6MEU6REQwWTATBgcqhkjOPQIBBggq

hkjOPQMBBwNCAATrgMEy+gw3PpVmKmOZPykpKMQmcPBB9B676cnyxPlzGkmAQRR0

EzyD2X5KLBECq8hzmRTaVOlY3OQk/XfI6fVvo4ICYzCCAl8wPQYJKwYBBAGCNxUH

BDAwLgYmKwYBBAGCNxUIhe7KRYPsiXqElZMYhqH9BYTl+0SBA4Sn/SPJgGMCAWQC

AQkwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgOIMBsGCSsGAQQB

gjcVCgQOMAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFAvM3qRuBFR80o4raVwf5uYe

YUi5MB8GA1UdIwQYMBaAFOHxRRuokak66iwzfWV/CMvZ129sMIHUBgNVHR8Egcww

gckwgcaggcOggcCGgb1sZGFwOi8vL0NOPWpvbjEtSk9OLVNFUlZFUjItQ0EsQ049

Sk9OLVNFUlZFUjIsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENO

PVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9am9uMSxEQz1sb2NhbD9jZXJ0

aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJp

YnV0aW9uUG9pbnQwgcQGCCsGAQUFBwEBBIG3MIG0MIGxBggrBgEFBQcwAoaBpGxk

YXA6Ly8vQ049am9uMS1KT04tU0VSVkVSMi1DQSxDTj1BSUEsQ049UHVibGljJTIw

S2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1q

b24xLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0

aWZpY2F0aW9uQXV0aG9yaXR5MAoGCCqGSM49BAMDA2kAMGYCMQDi+o5P1Tsdb24b

wH6JjHSJT1RPNyM1WUYQtPgInUBW0E7LsZtSoS50Jvp0MQ93ge0CMQC1qb/0gUEy

PSIw7GwjFz6MGI5dH42WsxKl9+dW2CptGdI/V9+LSCsgRaMjJt9Teh8=

-----END CERTIFICATE-----

21CONFIDENTIAL



Certificate Crypto

1. Generate entropy

2. Use entropy to create random public/private

keypair (asymmetric crypto)

3. Attach identifying information to public key –

send to CA (Certificate Signing Request)

4. CA issues certificate in X.509 format – includes

public key

5. CA creates hash of certificate (hash algorithm)

6. CA digitally signs certificate with private key

(asymmetric crypto)

22CONFIDENTIAL



Generating Certificate Signing Request

23CONFIDENTIAL



Send CSR to your CA of choice

24CONFIDENTIAL



Certificate Authority Best Practice

• Create self-signed root CAs

• Root CAs issue subordinate CA certs

• Root CA is taken offline

– If the root is compromised, the trust model is broken and the

bad guys can fool you into trusting a cert that is bogus

25CONFIDENTIAL



Certificate Authority Best Practices

Symantec/VeriSign Data Center

26CONFIDENTIAL



Public CA versus Private CA

• Windows Server includes a domain-aware CA –

why not just use it?

• Disadvantages:

– PKI is complex. Might be easier to let Verisign/Thawte/etc.

do it for you.

– Nobody outside your Windows domain will trust your

certificates

• Advantages:

– Less costly

– Better security possible. Low chances of someone outside

organization getting a certificate from your internal PKI

27CONFIDENTIAL



ClearPass as a CA

• Only intended for BYOD – not a general-purpose

CA

– No Web enrollment interface

– No manual enrollment interface

– Limited (BYOD-focused) policy controls

• Recommendation: Use for deploying BYOD

certs which have limited applicability

– Valid for WLAN access to a limited access zone

– Not valid for other enterprise services (email, VPN, app sign-

on, etc.)

28CONFIDENTIAL



Public Key Infrastructure

• We trust a certificate if there is a valid chain of trust to a root CA that we explicitly trust• Web browsers also check DNS hostname ==

certificate Common Name (CN)• Chain Building & Validation

29CONFIDENTIAL



Certificate Validity

30CONFIDENTIAL



OCSP

• Can be used by the client (e.g. web browser) to

verify server’s certificate validity

– OCSP URL is read from server certificate’s AIA field

• Can be used by the server (e.g. mobility

controller) to verify client’s certificate validity

– OCSP URL is most often configured on the server to point to

specific OCSP responders

• OCSP transactions use HTTP for transport

protocol

• Important: Nonce Extension required for replay

prevention

– Some public CAs don’t like this…

31CONFIDENTIAL



For More Info

Buy this Book!

32CONFIDENTIAL



Putting it all together: 802.1X

33CONFIDENTIAL



Authentication with 802.1X

• Authenticates users before

granting access to L2 media

• Makes use of EAP

(Extensible Authentication

Protocol)

• 802.1X authentication

happens at L2 – users will

be authenticated before an

IP address is assigned

34CONFIDENTIAL



Sample EAP Transaction

• 2-stage process

– Outer tunnel establishment

– Credential exchange happens inside encrypted tunnel

Clie

nt

Auth

entic

atio

n S

erv

er

Request Identity

Response Identity (anonymous) Response Identity

TLS Start

CertificateClient Key exchange

Cert. verification

Request credentials

Response credentials

Success

EAPOL RADIUS

Auth

entic

ato

r

EAPOL Start

35CONFIDENTIAL



802.1X Packet Capture

36CONFIDENTIAL



802.1X Acronym Soup

• PEAP (Protected EAP)

– Uses a digital certificate on the network side

– Password or certificate on the client side

• EAP-TLS (EAP with Transport Level Security)

– Uses a certificate on network side

– Uses a certificate on client side

• TTLS (Tunneled Transport Layer Security)

– Uses a certificate on the network side

– Password, token, or certificate on the client side

• EAP-FAST

– Cisco proprietary

– Do not use – known security weaknesses

37CONFIDENTIAL



38CONFIDENTIAL



Configure Supplicant Properly

• Configure the Common

Name of your RADIUS

server (matches CN in

server certificate)

• Configure trusted CAs (an

in-house CA is better than

a public CA)

• ALWAYS validate the

server certificate

• Do not allow users to add

new CAs or trust new

servers

• Enforce with group policy

39CONFIDENTIAL



Isn’t MSCHAPv2 broken?

• Short answer: Yes – because of things like

rainbow tables, distributed cracking, fast GPUs,

etc.

• This is why we use MSCHAPv2 inside a PEAP

(TLS) tunnel for Wi-Fi

– What happens if you don’t properly validate the server

certificate?

– Look up FreeRADIUS-WPE

• Still using PPTP for VPN? Watch out…

40CONFIDENTIAL



WPA2 Key Management Summary

Step 1: Use RADIUS to push PMK from AS to AP

Step 2: Use PMK and 4-Way Handshake to

derive, bind, and verify PTK

Step 3: Use Group Key Handshake to send GTK

from AP to STA

Auth Server

AP/Controller

41CONFIDENTIAL



4-Way Handshake

EAPoL-Key(Reply Required, Unicast, ANonce)

Pick Random ANonce

EAPoL-Key(Unicast, SNonce, MIC, STA SSN IE)

EAPoL-Key(Reply Required, Install

PTK, Unicast, ANonce, MIC, AP SSN IE)

Pick Random SNonce, Derive PTK = EAPoL-PRF(PMK, ANonce |

SNonce | AP MAC Addr | STA MAC Addr)

Derive PTK

EAPoL-Key(Unicast, ANonce, MIC)

Install PTK Install PTK

PMK PMK

What’s Left?

43CONFIDENTIAL



Centralized, User Centric Security Architecture

ApplicationsServices

Staff

Partner

Guest

Command

AAA

RADIUSLDAPADPKI

Role-Based Access Control

Flow / Application Classification

Role-based Firewalls

Centralized Crypto

Sessions

AP is Untrusted

Virtual AP 1SSID: Corp

Virtual AP 2SSID: Guest

SecurityBoundary

End-to-end crypto boundaryPer-user virtual connection

44CONFIDENTIAL



Why Worry About Authorization?Where is the “network perimeter” today?

Mobility brings us:

Disappearance of physical security

New mobile users, devices appearing everyday

Increased exposure to malware

Assuming that “the bad guys are outside the firewall, the good guys are inside” is a recipe for disaster

We meet

again, 007!

45CONFIDENTIAL



Wireless Intrusion Detection/Protection

46CONFIDENTIAL



Summary

• Security is complex

• Once you understand it, people will envy you

• Make Facebook posts to confuse your parents

• More importantly: Do it right so you don’t get

hacked

47CONFIDENTIAL



Credits

• Some graphics stolen from: http://cevi-

users.cevi.be/Portals/ceviusers/images/default/U

serdag-20101125-Certs.pptx

• Some others stolen from:

http://acs.lbl.gov/~mrt/talks/secPrimer.ppt

http://cevi-users.cevi.be/Portals/ceviusers/images/default/Userdag-20101125-Certs.pptx











48

Technology

Wireless LAN Security Fundamentals