Hooray, w Is Ratified... So, What Does it Mean for Your WLAN?

Similar documents
Configuring Layer2 Security

Configuring Management Frame Protection

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Wireless KRACK attack client side workaround and detection

The RNS (Robust Secure Network) IE must be enabled with an AES Cipher.

Chapter 24 Wireless Network Security

Attacks on WLAN Alessandro Redondi

Network Encryption 3 4/20/17

Secure Wireless LAN Design and Deployment

Wireless Network Security Spring 2015

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Chapter 1 Describing Regulatory Compliance

Appendix E Wireless Networking Basics

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

BackTrack 5 Wireless Penetration Testing

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

SharkFest'17 US. Basic workshop of. IEEE packet dissection. Megumi Takeshita

Troubleshooting WLANs (Part 2)

Wireless Network Security Spring 2016

GETTING THE MOST OUT OF EVIL TWIN

Troubleshooting WLANs

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

ARUBA INSTANT ROGUE AP TROUBLESHOOTING

Wireless technology Principles of Security

WLAN The Wireless Local Area Network Consortium

Wireless Network Security

Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services

EXAM - PW Certified Wireless Security Professional (CWSP) Buy Full Product.

Chapter 17. Wireless Network Security

Hacking Air Wireless State of the Nation. Presented By Adam Boileau

Wireless LAN Security. Gabriel Clothier

WLAN Syslog Message. Ver. 1.0

Section 4 Cracking Encryption and Authentication

Mobile Security Fall 2013

WLAN Roaming and Fast-Secure Roaming on CUWN

WIDS Technology White Paper

Viewing Status and Statistics

Overview. Information About wips CHAPTER

Open System - No/Null authentication, anyone is able to join. Performed as a two way handshake.

4.4 IEEE MAC Layer Introduction Medium Access Control MAC Management Extensions

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Table of Contents 1 WLAN Security Configuration Commands 1-1

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

PRODUCT GUIDE Wireless Intrusion Prevention Systems

High Speed Risks in n Networks. Joshua Wright Aruba Networks 4/17/08 WIR-301

2013 Summer Camp: Wireless LAN Security Exercises JMU Cyber Defense Boot Camp

Securing Your Wireless LAN

Preventing wireless deauthentication attacks over Networks

Security of WiFi networks MARCIN TUNIA

Wireless Networking Basics. Ed Crowley

Today s challenge on Wireless Networking. David Leung, CISM Solution Consultant, Security Datacraft China/Hong Kong Ltd.

Cisco Exam Securing Wireless Enterprise Networks Version: 7.0 [ Total Questions: 53 ]

Requirements from the

Cisco Questions & Answers

Configuring IDS Signatures

CSNT 180 Wireless Networking. Chapter 7 WLAN Terminology and Technology

network security s642 computer security adam everspaugh

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Securing Wireless Enterprise Networks.

Network Security: WLAN Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Cisco Exactexams Questions & Answers

CSC344 Wireless and Mobile Computing. Department of Computer Science COMSATS Institute of Information Technology

Wireless IDS Challenges and Vulnerabilities. Joshua Wright Senior Security Researcher Aruba Networks

Wireless Network Security

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Wireless Intrusion Detection System

CWNA Exam PW0-100 certified wireless network administrator(cwna) Version: 5.0 [ Total Questions: 120 ]

Configuring WLANsWireless Device Access

Wireless LAN Security: Hacking Techniques and Protection BRKEWN-2020

Does the use of MIMO Technology used by n Reduce or Increase the Impact of Denial of Service Attacks?

Vulnerability issues on research in WLAN encryption algorithms WEP WPA/WPA2 Personal

Cisco Actualtests Exam Questions & Answers

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Wireless Network Security

CWAP-402.exam. Number: CWAP-402 Passing Score: 800 Time Limit: 120 min File Version: CWAP-402

Manual:Interface/Wireless

Obstacle Avoiding Wireless Surveillance Bot

WIRELESS EVIL TWIN ATTACK

Physical and Link Layer Attacks

Securing Wireless LANs

WPA-GPG: Wireless authentication using GPG Key

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

Wireless# Guide to Wireless Communications. Objectives

Network Security: WLAN Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

Wireless Attacks and Countermeasures

SE-WL-PCI-03-11G PCI CARD DRIVERS INSTALLATION. Table of Contents

Configuring Security Solutions

Missouri University of Science and Technology ACM SIG-Security 2014 Wi-Fi Workshop Exploitation Handbook

The security of existing wireless networks

WPA Passive Dictionary Attack Overview

Robustness in Wireless Network Access Protocols PhD Defense


CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Link Security A Tutorial

Securing a Wireless LAN

Error and Event Messages

Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights

Institute of Electrical and Electronics Engineers (IEEE) IEEE standards

Multipot: A More Potent Variant of Evil Twin

Configuring a WLAN for Static WEP

Transcription:

Global Leader in Wireless Security Hooray, 802.11w Is Ratified... So, What Does it Mean for Your WLAN? A Brief Tutorial on IEEE 802.11w Gopinath K N and Hemant Chaskar AirTight Networks www.airtightnetworks.com

Background 802.11 WiFi going from convenience to mission critical However, ever since inception, WiFi has been vulnerable to Denial of Service (DoS) attacks of various types: RF Jamming Virtual Jamming Spoofed Disconnect EAP Spoofing Connection Request Flooding etc. Client X DoS Attacker Access Point (AP) Page 2

802.11w: A step in the direction of DoS avoidance 802.11w gets rid of Spoofed Disconnect DoS attacks resulting from spoofing of (i) Deauthentication (Deauth), (ii) Disassociation (Disassoc), (iii) Association (Assoc) Request in existing connection, or (iv) Authentication (Auth) Request in existing connection Certain Action Management Frames are also made anti-spoofing Spectrum Management, QoS, BlockAck, Radio Measurement, Fast BSS Transition Page 3

How does 802.11w avoid Spoofed Disconnect DoS 802.11w adds cryptographic protection to Deauth and Disassoc frames to make them anti-spoofing Mechanism called Security Association (SA) teardown protection is added to prevent spoofed Assoc Request or Auth Request from disconnecting the already connected Client Page 4

Example: Deauth Attack Deauthentication frame was meant to gracefully break the connection between AP and Client Problem however is that it is in clear text, so it can be spoofed (in the absence of 802.11w) Page 5

Example: Deauth attack averted with 802.11w Only legitimate Deauth is accepted Spoofed Deauth is ignored Legitimate Deauth MIC (Message Integrity Code) added using shared key Legacy Deauth MIC Secret key shared between AP and Client Spoofed Deauth Legacy Deauth MIC No MIC or bad MIC Page 6

Where does the shared secret key come from It is derived using EAPOL 4-way handshake between AP and Client This also means that 802.11w can only be used if you are using WPA or WPA2 Broadcast/multicast management frames are protected using a key called Integrity Group Temporal Key (IGTK) Unicast management frames are protected using WPA/WPA2 pair-wise encryption key (PTK) Page 7

SA teardown protection Pre 802.11w, if AP receives Assoc or Auth Request from already associated Client, it terminates existing connection to start a new one So existing connection can be broken with spoofed Auth Request or Assoc Request With SA teardown of 802.11w After AP receives Assoc or Auth Request for associated Client, Crypto protected probe is sent to Client If crypto protected response is received, the Assoc or Auth Request is considered spoofed and rejected Else, existing connection is terminated to start a new one Page 8

How are Action Mgmt Frames made spoof resistant By adding authentication & encryption using IGTK Spectrum Management QoS DLS Block Ack Radio measurement Fast BSS Transition HT SA Query Protected Dual of Public Action Page 9

802.11w: A piece in WiFi security puzzle 802.11w averts Spoofed Disconnect DoS and makes Action Management Frames spoof-resistant Other DoS attacks (RF jamming, virtual jamming, EAP spoofing, connection request flooding etc.) are outside the scope of 802.11w WPA/WPA2 is still needed for client authentication and data encryption. Also WPA/WPA2 is needed for 802.11w to work Threats from unmanaged devices (rogue APs, mis-associations, ad hoc connections, honeypots (Evil Twin), AP/client MAC spoofing, cracking, infrastructure attacks (skyjacking) etc.) are outside the scope of 802.11w You should definitely enable 802.11w in your WLAN when it becomes available (shortly) in WLAN equipment, but one should not be complacent that it will solve all wireless security problems Page 10

Questions/comments Please discuss@ http://blog.airtightnetworks.com/802-11w-tutorial/ Page 11

Appendix 1: Broadcast Integrity Protocol (BIP) Provides authentication and replay protection for broadcast/multicast Management Frames Uses Integrity Group Temporal Key (IGTK), a new key derived & distributed via EAPOL 4-way handshake Transmitter appends each protected frame with a Management MIC Information Element (IE) Receiver validates the MIC before accepting the frame Page 12

Appendix 2: Message Integrity Check (MIC) IE ID Information Element number Key ID Indicates the IGTK used for computing MIC IPN Used for replay protection Monotonically increasing non-negative number MIC The keyed cryptographic hash derived over management frame body (Payload + MAC header) Page 13 ID Length Key ID IPN MIC

Appendix 3: 802.11w parameter negotiation Negotiated at the beginning of Association MFP Mandatory MFPR = 1 MFPC = 0 AES-128-CMAC Page 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback