Wireless LAN Security Gabriel Clothier
Timeline 1997: 802.11 standard released 1999: 802.11b released, WEP proposed [1] 2003: WiFi alliance certifies for WPA 2004: 802.11i released 2005: 802.11w task group formed
Objectives of WLAN Security 1 Preserve Confidentiality
Objectives of WLAN Security 2 Preserve Integrity
Objectives of WLAN Security 3 Preserve Availability of Service
Types of Attacks 1 Monitor packets to access data. Monitor or modify authentication data. Monitor a stream of packets to uncover encryption keys. Denial of service. Man-in-the-middle: trick user into thinking they are on a different network.
Types of Attacks 2 Attempt to gain access via brute force/dictionary attack. Replay attack: gathering a set of packets which handles authentication for a valid user and resending that sequence of packets in order to gain access by an attacker.
WLAN Security Steps Authentication/Authorization User should possess certain credentials to access the network. Data Encryption Need to encrypt data so that those with wireless sniffer tools cannot make use of the payload data.
WLAN Security Standards 1 802.11: WEP (Wired Equivalent Privacy) Authentication is via the user having the correct key. Two modes of data encryption using RC4 stream cipher: 64-bit: 40 bit key + 24 bit initialization vector (IV) 128-bit: 104 bit key + 24 bit IV Because there are a limited IV size, the algorithm can be easily attacked given sufficient number of packets.
Source: J. Hong, R. Lemhachheche, WEP Protocol Weaknesses and Vulnerabilities: http://oregonstate.edu/~lemhachr/ece578/report.htm
WLAN Security Standards 2 IEEE 802.1X Used for any network, including wired networks. Standard for authentication based on thirdparty such as a RADIUS server. Uses EAP (Extensible Authentication Protocol).
IEEE 802.1X Standard
WLAN Security Standards 3 WPA (Wi-Fi Protected Access) Two modes of Authentication: Pre-Shared Key (WPA Personal) 802.1X Server (WPA Enterprise) Data Encryption uses 128-bit RC4 stream cipher. Enforces regular key updates via Temporal Key Integrity Protocol (TKIP).
IEEE 802.11i Standard
WLAN Security Standards 4 802.11i/WPA2 Authentication has two modes as in WPA, but extended with four-way handshake between device and access point. Data encryption is via AES (Advanced Encryption Standard) in CCM mode (cipher block chaining with message authentication code) using 128-bit keys. The AES method is very secure. It would take trillions of years to attempt a brute force attack on a 128-bit AES secured system.
IEEE 802.11i Standard
Extensible Authentication Protocols EAP is a framework around which there are built many methods. Defined in RFC 2284. After link established, authenticator requests identity, challenge, etc. from peer (user/client). Peer sends response of appropriate type. Authenticator returns success or failure.
EAP Method Requirements A set of mandatory and optional requirements for an EAP method is defined in RFC 4017.
EAP Mandatory Requirements Generation of Keys Need to exchange keys for use in data encryption of payload traffic using symmetric key algorithm. Mutual authentication Access point should be able to authenticate device, as well as device should be able to authenticate AP.
EAP Mandatory Requirements 2 Self-Protecting Eavesdropper should not be able to later impersonate AP or client. Synchronization of State Attributes such as protocol, credentials, keys, etc. should be able to be shared between user and authenticator.
EAP Mandatory Requirements 3 Resistance to Dictionary Attacks Should not be susceptible to a user trying a sequence of passwords/brute force attack. Protection against man-in-the-middle attacks Requires cryptographic binding to assure that only one authenticator has been used, integrity protection to assure that packets are authentic, replay protection, and session independence.
EAP Mandatory Requirements 4 Protected Cipher Suite Negotiation Should be able to negotiate with the client an encryption scheme to use to protect the EAP exchange packets. Produce Session Keys Produces keys that are unique to a session and used for authentication and confidentiality.
EAP Optional Requirements 1 Fragmentation Should be able to reassemble the payload if it exceeds the MTU. End-user identity hiding Should not make the end-user s identity available in the EAP procedure. Access Points Should be able to function with all equipment supporting 802.1X
EAP Optional Requirements 2 Authenticate User The user should be authenticated rather than the device to guard against the device being compromised. Minimum message exchange There should be a minimal number of message exchanges necessary as each one consumes time and computing resources.
EAP Optional Requirements 3 Channel Binding Should be able to align EAP data to that in the public space of the packet to assure that a consistent channel is used. Faster Reconnect Re-authentication should be fast in order to permit time-sensitive transactions such as handoff.
EAP Optional Requirements 4 Augments Legacy Methods Can coexist and strengthen existing methods so equipment replacement is not necessary. Low Maintenance Cost Convenient for Users
EAP Methods: EAP-MD5 EAP-MD5 Legacy method, uses MD5 hash of username and password passed to a RADIUS server. MD5 has been proven to not be secure. Only one-way authentication. Requires static keys.
EAP Methods: EAP-TLS EAP-Transport Layer Security Uses public key certificates on client and AP. Secure authentication, supports two-way authentication, and dynamic keys. Costly due to necessity of certificates on every client.
EAP Methods: EAP-TTLS Tunneled TLS Sets up a secure tunnel with the server as a first step so that the actual authentication can be done using a less secure method, such as MD5. Keeps user identity private, supports twoway authentication, and augments legacy methods.
EAP Methods: EAP-PEAP Protected EAP Similar to TTLS but only authenticates server to the client, so no certificate is needed at the client. Sets up encrypted tunnel between server and client then uses a legacy EAP method. Supports fragmentation and fast reconnect.
EAP Methods: LEAP Lightweight EAP Cisco proprietary protocol based on mutual authentication. Uses username/password for authentication with RADIUS server. Supports mutual authentication and session keys but leaves EAP exchanges unencrypted.
Analysis of EAP Methods Attribute MD5 TLS TTLS LEAP PEAP Generation of Keying Material No Not Req Mutual Authentication No Self-Protecting Resistance to Dictionary Attack Stron g Pwd No Protection Against MITM attack No Protected Cipher Suite Negotiation No Not Req
Analysis of EAP Methods 2 Attribute MD5 TLS TTLS LEAP PEAP Produce Session Keys No No User Identity Hiding No No No Access Point Compatibility No Authenticates User Small Pwd Not Req Not Req Not Req Reduced Message Exchange No No No Faster Reconnect No No
Conclusion With time, users of wireless LANs recognized the need for strong security. A number of methods have been developed to add this on to basic WLAN functionality. Some methods are flawed and vulnerable, but recent methods can be trusted.
Questions? Q&A
Questions For You What is the standard of wireless security that uses 128-bit AES? Which EAP should not be used as it is not secure? What is the vulnerability of WEP?
Answers 802.11i or WPA2 EAP-MD5 Initialization vector of only 24 bits in RC4 forces key reuse
References Building a Secure Wireless Network, http://www.atheros.com/pt/atheros_security_whitepaper.pdf IEEE 802.11i standard RFC 4017 RFC 2084 Pfleeger, S., Pfleeger, C. Security In Computing. Third Ed., Prentice-Hall. 2002.