WLAN Security. รศ. ดร. อน นต ผลเพ ม Asso. Prof. Anan Phonphoem, Ph.D.

Transcription

1 Wireless LANs 2013 WLAN Security รศ. ดร. อน นต ผลเพ ม Asso. Prof. Anan Phonphoem, Ph.D. Computer Engineering Department Kasetsart University, Bangkok, Thailand 1

2 Outline Secure Communication Security Mechanisms Security Threats IEEE Security WLAN security management 2

3 What is Secure Communication? Secrecy Only you and me, no one else Authentication Identify that is real you Message Integrity Message is not altered 3

4 Secrecy Privacy or confidentiality Cannot block the sniffer! Requires encryption/decryption mechanism Encryption at the sender Decryption at the receiver using a public or private (secret) key to decode the encrypted information 4

5 Authentication Confirms identity of the communicating party Assures the real sender and real receiver 5

6 Message Integrity Data integrity Data is transmitted from source to destination without undetected alteration Non-repudiation Prove that a received message came from a claimed sender Integrity: การย ดถ อหล กค ณธรรม,ความซ อส ตย,ความสมบ รณ,ความม นคง,ความเป นอ นหน งอ นเด ยวก น (honesty) 6

7 Wireline VS. Wireless Security 7

8 Wireless Magnifies Vulnerability Traditional wireline link Benefits from physical security Access to the wire is required Access to Switch/Hub is required Wireless link Extended range beyond a room or a building Easy to eavesdrop Vulnerable: อ อนแอ ไม ม นคง 8

9 Trust Communicate to unseen devices Physically hidden (End user, AP, ) Problem on both home and foreign networks Service provider maybe not trustable Access points DHCP servers Intermediate nodes 9

10 End-to-End/Link Security End-to-End Security Link Security Internet 10

11 End-to-End/Link Security End-to-end security provided by Network layer (e.g., IPsec) Transport layer (e.g., SSL) Application layer (e.g., app.-specific) Link security provided by Link layer (e.g., IEEE WEP, WPA, or IEEE i) 11

12 Outline Secure Communication Security Mechanisms Security Threats IEEE Security WLAN security management 12

13 Security Mechanisms Cryptography Authentication 13

14 Cryptography Plaintext K A Ciphertext K B Plaintext Encryption Decryption Symmetric (private) key cryptography Sender and receiver keys are identical (K A = K B ) Asymmetric (public) key cryptography Sender (encryption) key (K A ) is public Receiver (decryption) key (K B K A ) is private 14

15 Public Key Cryptography Unlike a private key system, one can publish the key for encryption in a public key encryption system Plaintext Ciphertext K B + Public key Private key - K Plaintext B Encryption Decryption m K B + (m) m = K B- (K B + (m)) 15

16 Authentication (Private Key) Authentication can be implemented with symmetric (private) key cryptography A B encrypt Claim A R Generate a one-time nonce K(R) decrypt R nonce: ช วขณะหน ง 16

17 Authentication (Public Key) Use of public key avoids shared key problem Vulnerable to man-in-the-middle attack A B Claim A R K - A (R) Key Request K + A K A + : A s public key K A - : A s private key Sender must have used private key of A, so it is A Compute K A + (KA - (R)) = R 17

18 Outline Secure Communication Security Mechanisms Security Threats IEEE Security WLAN security management 18

19 Typical WLAN Topology Internet LAN 19

20 Types of Attacks Internet Sniffing Eavesdrop network traffic SSID broadcast is full text LAN 20

21 Types of Attacks Internet Spoofing Impersonate legitimate device credentials, like MAC address LAN 21

22 Types of Attacks Internet Jamming Introduction of radio signals that prevent WLAN operations LAN 22

23 Types of Attacks Internet Session Hijacking Hacker disconnects the legitimate user but makes AP think that user is still connected LAN 23

24 Types of Attacks Internet DoS Flood the network with useless traffic (e.g.repeated login requests) and eventually shut it down LAN 24

25 Types of Attacks Internet Man in the Middle All WLAN traffic from devices is passed through the rogue device Lack of strong AP level authentication LAN 25

26 Types of Attacks WarDriving Driving around town looking for unprotected WLAN connections to get Internet access 26

27 Outline Secure Communication Security Mechanisms Security Threats IEEE Security WLAN security management 27

28 Authentication & Encryption Std Credentials Certificate MSFT IETF TLS Username/Password CSCO/MSFT IETF PEAP Authentication Protocols EAP 802.1x Encryption Algorithms RC4 RC4 AES Encryption Standards WEP WPA-TKIP i Dan Ziminski & Bill Davidge 28

29 Built-in WLAN Security Wired Equivalent Privacy (WEP) Provides encryption based on RC-4 cipher 802.1x Provides authentication using Extensible Authentication Protocol (EAP) Wi-Fi Protected Access (WPA: subset of i draft) Uses dynamic keys and advanced encryption i (implemented as WPA2 ) Advanced encryption and authentication 29

30 802.11b Security Services Two security services provided: Authentication Shared Key Authentication Encryption Wired Equivalence Privacy 30

31 Wired Equivalence Privacy Shared key between Stations An Access Point Extended Service Set All Access Points will have a same shared key No key management Shared key entered manually into Stations Access points Key management nightmare in large wireless LANs 31

32 RC4 Ron s Code number 4 Symmetric key encryption RSA Security Inc. Designed in 1987 Trade secret until leak in 1994 RC4 can use key sizes from 1 bit to 2048 bits RC4 generates a stream of pseudo random bits XORed with plaintext to create cipher text 32

33 Authentication & Encryption Std Credentials Certificate MSFT IETF TLS Username/Password CSCO/MSFT IETF PEAP Authentication Protocols EAP 802.1x Encryption Algorithms RC4 RC4 AES Encryption Standards WEP WPA-TKIP i Dan Ziminski & Bill Davidge 33

34 WEP Block Diagram Secret Key (40-bit or 128-bit) Secret Key (40-bit or 128-bit) Initialization Vector (IV) Plain Text Pseudo-Random Number Generator RC-4 Integrity Algorithm (CRC-32) + Integrity Check Value (ICV) Key Sequence Bitwise XOR IV Cipher Text WEP Frame IV Key Sequence Cipher Text Pseudo-Random Number Generator Bitwise XOR Integrity Algorithm Plain Text Integrity Check Value (ICV) Encryption Block Sender Site Decryption Block Receiver Site 34

35 WEP Encoding Secret Key (40-bit or 128-bit) IV Initialization Vector (IV) Plain Text Pseudo-Random Number Generator RC-4 + Key Sequence Bitwise XOR Cipher Text Integrity Algorithm (CRC-32) Integrity Check Value (ICV) 35

36 WEP Sending Compute Integrity Check Vector (ICV) Provides integrity 32 bit Cyclic Redundancy Check Appended to message to create plaintext Plaintext encrypted via RC4 Provides confidentiality Plaintext XORed with long key stream of pseudo random bits Key stream is function of 40-bit secret key 24 bit initialisation vector Cipher text is transmitted 36

37 WEP Decryption Secret Key (40-bit or 128-bit) IV Key Sequence Pseudo-Random Number Generator RC-4 Plain Text Cipher Text Bitwise XOR Integrity Algorithm Integrity Check Value (ICV) 37

38 WEP Receiving Cipher text is received Cipher text decrypted via RC4 Cipher text XORed with long key stream of pseudo random bits Key stream is function of 40-bit secret key 24 bit initialisation vector (IV) Check ICV Separate ICV from message Compute ICV for message Compare with received ICV 38

39 Shared Key Authentication When station requests association with AP AP sends random number to station Station encrypts random number Uses RC4, 40 bit shared secret key & 24 bit IV Encrypted random number sent to AP AP decrypts received message Uses RC4, 40 bit shared secret key & 24 bit IV AP compares decrypted random number to transmitted random number If numbers match, station has shared secret key 39

40 WEP Safeguards Shared secret key required for: Associating with an access point Sending data Receiving data Messages are encrypted Confidentiality Messages have checksum Integrity But management traffic still broadcast in clear containing SSID 40

41 Initialization Vector IV must be different for every message transmitted 802.1standard does not specify how IV is calculated Wireless 1 cards use several methods Some use a simple ascending counter for each message Some switch between alternate ascending and descending counters Some use a pseudo random IV generator If IV is the same, then two duplicate messages would result in the same cipher text 41

42 Passive WEP attack If 24 bit IV is an ascending counter, If Access Point transmits at 11 Mbps, All IVs are exhausted in roughly 5 hours Passive attack: Attacker collects all traffic Attacker could collect two messages: Encrypted with same key and same IV Statistical attacks to reveal plaintext Plaintext XOR Ciphertext = Keystream 42

43 Passive WEP attack 43

44 Initialization Vector Reuse Vulnerability 44

45 Active WEP attack If attacker knows plaintext and ciphertext pair Keystream is known Attacker can create correctly encrypted messages Access Point is deceived into accepting messages Bitflipping Flip a bit in ciphertext Bit difference in CRC-32 can be computed 45

46 Limited WEP keys Some vendors allow limited WEP keys User types in a passphrase WEP key is generated from passphrase Passphrases creates only 21 bits of entropy in 40 bit key Reduces key strength to 21 bits = 2,097,152 Remaining 19 bits are predictable 21 bit key can be brute forced in minutes r.ppt 46

47 Creating limited WEP keys 47

48 Brute force key attack Capture ciphertext IV is included in message Search all 2 40 possible secret keys 1,099,511,627,776 keys ~170 days on a modern laptop Find which key decrypts ciphertext to plaintext 48

49 128 bit WEP Vendors have extended WEP to 128 bit keys 104 bit secret key 24 bit IV Brute force takes 10^19 years for 104-bit key Effectively safeguards against brute force attacks 49

50 Key Scheduling Weakness Paper from Fluhrer, Mantin, Shamir (FMS), 2001 Two weaknesses: Certain keys leak into key stream Invariance weakness If portion of PRNG input is exposed, Analysis of initial key stream allows key to be determined IV weakness 50

51 IV weakness WEP exposes part of PRNG input IV is transmitted with message Every wireless frame has reliable first byte Sub-network Access Protocol header (SNAP) used in logical link control layer, upper sub-layer of data link layer. First byte is 0xAA Attack is: Capture packets with weak IV First byte ciphertext XOR 0xAA = First byte key stream Can determine key from initial key stream Practical for 40 bit and 104 bit keys Passive attack Non-intrusive / No warning 51

52 Wepcrack First tool to demonstrate attack using IV weakness Open source, Anton Rager Three components Weaker IV generator Search sniffer output for weaker IVs & record 1 st byte Cracker to combine weaker IVs and selected 1 st bytes Cumbersome 52

53 Airsnort Automated tool Cypher42, Minnesota, USA. Does it all! Sniffs Searches for weaker IVs Records encrypted data Until key is derived. 100 Mb to 1 Gb of transmitted data. 3 to 4 hours on a very busy WLAN. 53

54 Avoid the weak IVs FMS described a simple method to find weak IVs Many manufacturers avoid those IVs after 2002 Therefore Airsnort and others may not work on recent hardware However David Hulton aka h1kari Properly implemented FMS attack which shows many more weak IVs Identified IVs that leak into second byte of key stream. Second byte of SNAP header is also 0xAA So attack still works on recent hardware And is faster on older hardware Dwepcrack, weplab, aircrack 54

55 Generating WEP traffic Not capturing enough traffic? Capture encrypted ARP request packets Anecdotally lengths of 68, 118 and 368 bytes appear appropriate Replay encrypted ARP packets to generate encrypted ARP replies Aireplay implements this. 55

56 Wired Equivalent Privacy (WEP) Provides rudimentary 40-bit/128-bit encryption RC-4 cipher Weak Point is IV not RC-4 Static encryption keys must be changed manually Attacker s tools: Airsnort, Yellowjacket, Airfart Encryption keys can be cracked Default setting is OFF 56

57 802.1x A New Hope Provides secure access using port control Uses EAP (Extensible Authentication Protocol) Supports Kerberos, smart cards, one-time passwords, and so on Components required: Wireless device AP Authentication server, typically Remote Authentication Dial-in User Service (RADIUS) 57

58 Authentication & Encryption Std Credentials Certificate MSFT IETF TLS Username/Password CSCO/MSFT IETF PEAP Authentication Protocols EAP 802.1x Encryption Algorithms RC4 RC4 AES Encryption Standards WEP WPA-TKIP i Dan Ziminski & Bill Davidge 58

59 How 802.1x Works Wireless Device Access Point Authentication Server (RADIUS) User requests connection AP requests user ID User sends ID AP requests user credentials User sends AP credentials AP confirms credentials AP requests RADIUS connection for user RADIUS asks for credentials AP sends credentials to RADIUS RADIUS confirms credentials If credentials are correct, user is given access to the network through the AP, according to policies enforced by the authentication server 59

60 802.1x EAP-TLS Authentication Client digital cert From XYZ CA Station Supplicant Server Digital cert From XYZ CA Access Point Authenticator RADIUS Server Authorizer Dan Ziminski & Bill Davidge 60

61 802.1x PEAP authentication Phase 1: Authenticate AP. Secure tunnel to AP using TLS Station Supplicant Digital cert From XYZ CA Access Point Authenticator Phase 2: Password authentication with directory server Username: ABC Password: encrypted Success/Fail Dan Ziminski & Bill Davidge 61

62 802.1x The Downside Only does authentication Encryption is still required If used with WEP, the encryption keys are still static even though the authentication keys change Authenticator and device must use the same authentication method Only supports client-level authentication 62

63 WPA (Wi-Fi Protected Access) 802.1X TKIP and AES WPA 63

64 WPA (Wi-Fi Protected Access) WPA = 802.1X + TKIP WPA requires authentication and encryption 802.1X authentication choices include LEAP, PEAP, TLS WPA has strong industry supporters Adds to 802.1X and TKIP Widespread adoption of WPA will add robust security and remove the security issue from the WLAN industry WPA will become accepted as the standard It is an interim standard 64

65 WPA Fixed WEP s Problems IV changes to 48 bits with no weak keys (900 years to repeat an IV at 10k packets/sec) Use IV as a replay counter Message integrity Check (MIC) Per-packet keying Dan Ziminski & Bill Davidge 65

66 TKIP Per Packet Keying Fixes the weaknesses of WEP key generation but still uses the RC4 algorithm 48 bit IV 32 bit upper IV 16 bit lower IV IV 128 bits 24 bits 104 bits d IV Per-Packet-Key Key mixing Key mixing MAC Address Session Key Dan Ziminski & Bill Davidge 66

67 802.11i Mutual authentication Dynamic session key Message Integrity Check (MIC) Temporal Key Integrity Protocol (TKIP) Initialization vector sequencing Rapid re-keying Per-packet key hashing Future Stronger encryption schemes, such as AES 67

68 802.11i and WPA Uses 802.1x authentication Uses Temporal Key Integrity Protocol (TKIP) to dynamically change encryption keys after 10,000 packets are transferred Uses Advanced Encryption Standard (AES) encryption, which is much better than WEP A subset of i, Wi-Fi Protected Access (WPA) is available as a firmware upgrade today 68

69 802.11i and WPA Pitfalls Keys can be cracked using much less than 10,000 packets Michael feature shuts down AP if it receives two login attempts within one second. Hackers can use this to perpetrate a DoS attack i WPA2 69

70 Encryption Effects Wireless Encryption Type Desktop Control Needed Cost to Implement Difficult to Manage Vendor Support Problems Vulnerable to Attack none low low low low high WEP medium low high low medium WPA TKIP high high high medium low i AES high high high high none VPN high high medium low none Dan Ziminski & Bill Davidge 70

71 End-to-End/Link Security End-to-End Security Link Security Interne t 71

72 VPN Authentication & Encryption Station Access Point VPN Gateway LAN IPSEC VPN Tunnel Dan Ziminski & Bill Davidge 72

73 Web Authentication Station Access Point Web auth security device LAN HTTPS Login page Backend RADIUS Server Dan Ziminski & Bill Davidge 73

74 Authentication Type Wireless Auth Type Desktop Control Needed Cost to Implement Difficult to Manage Vendor Support Problems Vulnerable to Attack VPN high high medium low low WEP medium low high low high 802.1x EAP TLS ceritficates high high high medium low 802.1x PEAP medium medium medium medium low Web Auth low low medium low medium Dan Ziminski & Bill Davidge 74

75 Outline Secure Communication Security Mechanisms Security Threats IEEE Security WLAN security management 75

76 Wireless Security Concerns Management of device security Corruption of data sent to wireless devices Malicious code (viruses, Trojans, worms) Unauthorized users Confidentiality of data sent wirelessly Security of data stored on a handheld device 76

77 WLAN security management Open Access No WEP, WPA, encryption Broadcast Mode Basic Security 40-bit, 128-bit, 256-bit Static Encryption Key Enhanced Security Dynamic Encryption Key / Scalable Key Management Mutual 802.1x/EAP Authentication TKIP/WPA Traveling Security Virtual Private Network (VPN) 77

78 Wireless Policy Issues Policy needs to dictate permitted services and usage Needs a means of identifying and enforcing wireless policies Existing organization security policies need to be updated to cope with wireless security issues Policy needs to indicate how access will be controlled, for instance, time of day 78

79 Wireless Policy Issues Every access needs to be logged User compliance and standards enforcement Centralized control of security policies Wireless intrusion alert issues Process to update client software levels Intrusion detection policies 79

80 Knows Your Organization User Involvement, Awareness and Roles Process Management and Standards Weakness Audits and Controls, and IDS Key Password Quality User and Key Administration Weakness Application Security Weakness Client Security Environment Integrity and Robustness Strength Network Security and Technology Issues 80

81 More Security Misconfigured Access Point Hacker attacking your DO NOT network through an ENTER unofficial connection with a misconfigured AP. DO NOT ENTER Neighbor s Network A laptop in your network connecting to a neighboring Wi-Fi network exposing your corporate data. DO NOT ENTER DO NOT ENTER Rogue Access Point Hacker attacking your network through an unofficial access point connected to the network. Unofficial Access Point Hacker attacking your network through an internal laptop acting as an unofficial software access point. 81

82 More Secure WLAN Topology Internet LAN RADIUS 82

83 Client Differentiation 802.1Q wired network with VLANs Channel: 1 SSID: Laptop VLAN: 1 Channel: 6 SSID: PDA VLAN: 2 Channel: 11 SSID: Phone VLAN: 3 83

84 Client Differentiation 802.1Q wired network with VLANs SSID: Laptop VLAN: 1 SSID: PDA VLAN: 2 SSID: Phone VLAN: 3 84

85 Conclusions Wireless technology is becoming embedded Notebooks, PDAs, cell phones, etc. WLAN is currently unsecure WEP security is insufficient for the enterprise i (WPA2) and WPA offer great improvements People, processes, policies and architecture are required to deploy WLAN securely 85

86 References WLAN teaching materials by Anan Phonphoem, Computer Engineering Dept., Kasetsart University Who s Watching Your Wireless Network? by Ian Hameroff, Computer Associates, etrust Security solutions, CA World 2003 Wireless Configuration and Security Issues by Greg Gabet, IBMGS, CA world 2003 Addressing the Challenges of Adopting Secured Mobility in the Enterprise by Hans-Georg Büttner, Ernst & Young IT-Security GmbH, Germany, CA World 2003 Wireless Local Area Network Security by Robert Simkins, University of Derby, UK WLAN Security, Matthew Joyce, Rutherford Appleton Laboratory, CCLRC Wireless LAN Security, Threats & Countermeasures, By Joseph Tomasone, Senior Network Security Engineer, Fortress Technologies, Inc., Session 8, August 10, 2005, Infragard National Conference 2005 CSG 256 Final Project Presentation, by Dan Ziminski & Bill Davidge 86