CS-435 spring semester 2016 Network Technology & Programming Laboratory University of Crete Computer Science Department Stefanos Papadakis & Manolis Spanakis
CS-435 Lecture preview 802.11 Security IEEE 802.1X WEP, WPA
802.11 standards 802.11a 54 Mbps@5 Ghz Not interoperable with 802.11b Limited distance 802.11b 11 Mbps@2.4 Ghz Full speed up to 300 feet Coverage up to 1750 feet 802.11g 54 Mbps@2.4 Ghz Same range as 802.11b Backward-compatible with 802.11b Speeds slower in dual-mode
802.11 standards (cont.) 802.11e QoS Dubbed Wireless Multi-Media (WMM) by WiFi Alliance 802.11n 100Mbps+ 802.11i Security Adds AES encryption Requires high cpu, new chips required TKIP is interim solution Wi-Fi Protected Access (WPA) Subset of 802.11i, forward-compatible with 802.11i (WPA2) Encryption: Version one uses TKIP AuthC: 802.1x & EAP allows auth via RADIUS, also allows auth via PSK
Types of Attacks Wireless medium Physical Theft of hardware Impersonation Attacker masquerades as another person Integrity Undetected modification of data Disclosure Unintended exposure of data Denial of service Keep valid users from access
Summary of 802.11 Vulnerabilities
WLAN Threats Threats Malicious hacking attempts Rogue Access Points Denial-of-Service attacks (DoS) malicious or accidental Mobile devices Hacking Attempts War driving/walking/flying Disgruntled employee Industrial espionage Electronic warfare
Hacking methods Traffic generation Flood network w/captured traffic to break WEP more quickly Break 40-bit WEP in 1 hour (in lab) Defense: Filter weak IVs in AP Man-in-the-middle Can be used w/one-way authentication (open, shared, 802.1x) Must know WEP key if WEP-protected Requires signal that overpowers AP s signal Can be used to collect credentials or deny service
Rogue Access Points Probably the most serious security threat to your network No such thing as a non-wireless company Mitigate by: (1) Strong and documented WLAN security policy (2) Detection: Radio based, client based & network based (3) Provide approved WLAN services: No longer any need for rogue deployments
802.11 security Shared media like a network hub Requires data privacy - encryption Authentication necessary Can access network without physical presence in building Once you connect to wireless, you are an insider on the network
802.11 security approaches Closed network SSID can be captured with passive monitoring MAC filtering MACs can be sniffed/spoofed WEP Can be cracked online/offline given enough traffic & time Change keys frequently Traffic can still be decrypted offline Place APs on DMZ Requires VPN access to get back into network Use VPN Doesn t handle roaming Authentication portal More stuff to configure WPA and/or EAP
Authentication methods [Open systems authentication] Required by 802.11 Just requires SSID from client Only identification required is MAC address of client WEP key not verified, but device will drop packets it can t decrypt
Authentication methods [Shared key authentication] Utilizes challenge/response Requires & matches key Steps Client requests association to AP AP issues challenge to client Client responds with challenge encrypted by WEP key AP decrypts clients & verifies WEAK! Attacker sniffs plaintext AND cipher-text!
Wireless Security Standards Wired Equivalent Privacy (WEP) Part of 802.11 specification Shared key 40/104 bits Initialization vector (IV) = 24 bits Uses RC4 for encryption Weaknesses/attacks Fluhrer-Mantin-Shamir (FMS) key recovery attack weak IVs Filter weak IVs to mitigate IV too short, gets reused after 5 hours IP redirection, MITM attacks Traffic injection attacks Bit-flip attacks WEP2 added, increases key length to 128 bits
WEP? WEP relies on a secret key which is shared between the sender and the receiver. SENDER: Mobile station RECEIVER: Access Point Secret Key is used to encrypt packets before they are transmitted Integrity Check is used to ensure packets are not modified in transit. The standard does not discuss how shared key is established In practice, most installations use a single key which is shared between all mobile stations and access points
WEP? To send a message M: Compute a checksum c(m) (not depend on secret key k) Pick an IV v and generate a keystream RC4(v,k) XOR <M,c(M)> with the keystream to get the ciphertext Transmit v and ciphertext over a radio link When received a message M Use transmitted v and the shared key k to generate the Keystream RC4(v,k) XOR the ciphertext with RC4(v,k) to get <M,c > Check is c =c(m ) If it is, accept M as the message transmitted
RC4 WEP uses the RC4 encryption algorithm known as stream cipher to protect the confidentiality of its data. Stream cipher operates by expanding a short key into an infinite pseudo-random key stream. Sender XORs the key stream with plaintext to produce the ciphertext. Receiver has the copy of the same key, and uses it to generate an identical key stream. XORing the key stream with the ciphertext yields the original message.
WEP In a Nutshell 40 bits of security == 64 bits of marketing spam. 104 bits of security == 128 bits of marketing spam
Thoughts on WEP Key management beyond a handful of people is impossible Too much trust Difficult administration Key lifetime can get very short in an enterprise No authentication for management frames No per packet auth False Advertising!!!
What is Lacking? Scalability Many clients Large networks Protection for all parties Eliminate invalid trust assumptions
Two simple flaws If an attacker flips a bit in ciphertext, then after decryption, that bit in the plaintext will be flipped. If an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts.
802.1X Security Philosophy A flexible security framework Implement security framework in upper layers Enable plug-in of new authentication, key management methods without changing NIC or Access Point Leverage main CPU resources for cryptographic calculations How it works Security conversation carried out between supplicant and authentication server NIC, Access Point acts as a pass through devices Advantages Decreases hardware cost and complexity Enables customers to choose their own security solution Can implement the latest, most sophisticated authentication and key management techniques with modest hardware Enables rapid response to security issues
Authentication methods [802.1x authentication] Encapsulates EAP traffic over LAN EAP: Standard for securely transporting data Supports a variety of authentication methods LEAP, EAP-TLS, etc. Port-based only access is to authentication server until authentication succeeds Similar to what s used on Ethernet switches Originally designed for campus-wired networks Requires little overhead by access point
Authentication methods [802.1x authentication] (cont.) 3 entities Supplicant (e.g., laptop w/wireless card) Authenticator (e.g., access point) Authentication server (e.g., RADIUS) Keys Unique session key for each client New WEP key each time client reauthenticates Broadcast key Shared by all clients Mixed with IV to generate session keys Rotated (Broadcast Key Rotation BKR) regularly to generate new key space
802.1x authentication source: nwfusion.com
802.1x Port based authentication for all IEEE 802 networks (layer 2 authentication) Originally for Campus networks Extended for wireless Allows for unified AAA services Provides means for key transport
Pre-Authentication State
Post-Authentication State
Wireless Security Standards [TKIP/MIC] Fixes key reuse in WEP Same encryption as WEP (RC4) TKIP Temporal Key Integrity Protocol Protects by removing predictability Broadcast WEP key rotation is a good alternative if you can t support TKIP
Wireless Security Standards [TKIP/MIC] (cont.) MIC Message Integrity Code Protects against bit-flip attacks by adding tamper-proof hash to messages Must be implemented on clients & AP Hash of random num + MAC header + sequence number + payload Sequence number must be in order or packet rejected Part of firmware, not O/S TKIP Steps Start with shared key Add MAC address to get phase 1 key Mix WEP key with IV to derive per-packet keys Each packet encrypted separately, fights weaknesses in RC4 key scheduling algorithm
Wireless Security Standards [WiFi Protected Access (WPA)] Developed to replace WEP, improve authentication Software upgrade to existing hardware Forward-compatible with 802.11i Encryption key management: TKIP Doubled IV to 48-bits Better protection from replay & IV collision attacks Per-packet keying (PPK) Protects against key-recovery attacks Broadcast key rotation
Wireless Security Standards [WiFi Protected Access (WPA)] Message integrity Protects against forgery attacks Authentication: 802.1x and EAP Mutual authentication So you don t join rogue networks and give up your credentials
WEP vs. WPA vs. WPA2 WEP WPA WPA2 Encryption RC4 RC4 AES Key rotation None Dynamic session keys Dynamic session keys Key distribution Manually typed into each device Automatic distribution available Automatic distribution available Authentication Uses WEP key as AuthC Can use 802.1x & EAP Can use 802.1x & EAP