Wireless Network Security Spring 2015

Similar documents
Wireless Network Security Spring 2016

Mobile Security Fall 2013

Chapter 24 Wireless Network Security

The security of existing wireless networks

Wireless Network Security

Wireless Network Security

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Chapter 17. Wireless Network Security

Physical and Link Layer Attacks

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Wireless LAN Security. Gabriel Clothier

Network Encryption 3 4/20/17

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Wireless Security Security problems in Wireless Networks

Securing Your Wireless LAN

What is Eavedropping?

Link & end-to-end protocols SSL/TLS WPA 2/25/07. Outline. Network Security. Networks. Link and End-to-End Protocols. Link vs. End-to-end protection

WPA Passive Dictionary Attack Overview

Security in IEEE Networks

EXAM - PW Certified Wireless Security Professional (CWSP) Buy Full Product.

05 - WLAN Encryption and Data Integrity Protocols

Configuring Layer2 Security

WPA-GPG: Wireless authentication using GPG Key

Troubleshooting WLANs (Part 2)

FAQ on Cisco Aironet Wireless Security

Network Security. Thierry Sans

Cisco Desktop Collaboration Experience DX650 Security Overview

WLAN Roaming and Fast-Secure Roaming on CUWN

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Configuring Authentication Types

Hacking Air Wireless State of the Nation. Presented By Adam Boileau

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

Network Security: WLAN Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Configuring Cipher Suites and WEP

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

How Insecure is Wireless LAN?

Appendix E Wireless Networking Basics

Table of Contents 1 WLAN Security Configuration Commands 1-1

Wireless Attacks and Countermeasures

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Network Security: WLAN Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

COSC4377. Chapter 8 roadmap

Configuring the Client Adapter through Windows CE.NET

Configuring WEP and WEP Features

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. June 18, 2015

Open System - No/Null authentication, anyone is able to join. Performed as a two way handshake.

Configuring a WLAN for Static WEP

Wireless technology Principles of Security

Temporal Key Integrity Protocol: TKIP. Tim Fielder University of Tulsa Tulsa, Oklahoma

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

Lab Configure Enterprise Security on AP

Exam Questions CWSP-205

IEEE i and wireless security

WarDriving. related fixed line attacks war dialing port scanning

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Securing a Wireless LAN

Section 4 Cracking Encryption and Authentication

CSC 4900 Computer Networks: Security Protocols (2)

Security Enhanced IEEE 802.1x Authentication Method for WLAN Mobile Router

Standard For IIUM Wireless Networking

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

Cisco Exactexams Questions & Answers

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Overview of Security

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Hooray, w Is Ratified... So, What Does it Mean for Your WLAN?

Wireless KRACK attack client side workaround and detection

Cisco Questions & Answers

3 Data Link Layer Security

Attacking Networks. Joshua Wright LightReading LIVE! October 1, 2003

Link Security A Tutorial

Wireless Network Security

A Comparison of Data-Link and Network Layer Security for IEEE Networks

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

PRODUCT GUIDE Wireless Intrusion Prevention Systems

Configuring a VAP on the WAP351, WAP131, and WAP371

FIPS Security Policy for Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1262, CAP3502e, and CAP3502i Wireless LAN Access Points

2013 Summer Camp: Wireless LAN Security Exercises JMU Cyber Defense Boot Camp

Security Setup CHAPTER

Secure Initial Access Authentication in WLAN

Vulnerability issues on research in WLAN encryption algorithms WEP WPA/WPA2 Personal

CS 393/682 Network Security

LESSON 12: WI FI NETWORKS SECURITY

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Wireless Network Security Spring 2011

Wireless Security K. Raghunandan and Geoff Smith. Technology September 21, 2013

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo

Secure Wireless LAN Design and Deployment

Chapter 10: Security. 2. What are the two types of general threats to computer security? Give examples of each.

WPA Migration Mode: WEP is back to haunt you

Securing Wireless LAN Controllers (WLCs)

Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services

Wireless Networked Systems

Transcription:

Wireless Network Security Spring 2015 Patrick Tague Class #7 More WiFi Security 2015 Patrick Tague 1

Class #7 Continuation of WiFi security 2015 Patrick Tague 2

Device Private WiFi Networks AP Local AAA Server Home AAA Server Access Network Internet Device needs to discover available AP to connect to Network servers store credentials, identity, etc. Device authenticates to AAA server Server provides cryptographic material to AP Device AP secure channel AP Server / Internet secure channel 2015 Patrick Tague 3

WiFi Link Security WiFi link security focuses primarily on access control and encryption In private WiFi systems, access is controlled by a shared key, identity credentials, or proof of payment Most often, authentication is of user/device only, but mutual authentication may be desired/required by some users/devices Confidentiality and integrity over the wireless link Shared medium among untrusted WiFi users 2015 Patrick Tague 4

Device AP Private WiFi Networks Local AAA Server Home AAA Server Credentials Access Network Credentials Internet Credentials Authorization Decision and master key for access point Decision and master key for access point Authorization Decision Key Derivation Key Derivation Internet Access 2015 Patrick Tague 5

Wired Equivalent Privacy As name suggests, WEP aims to make the easy task of accessing WLAN much more difficult, as in wired WEP provides encryption and authentication Authentication is challenge-response to prove knowledge of a shared secret key Encryption is based on RC4 stream cipher using same key IV Shared Key RC4 msg + ICV K C IV Shared Key IV RC4 msg + ICV K M E{msg + ICV} IV E{msg + ICV} R K IV Shared Key RC4 M msg + ICV 2015 Patrick Tague 6

WEP Authentication Challenge-response authentication w/ XOR Issue 1: auth is not mutual Issue 2: auth + enc use same secret key Issue 3: auth only occurs on initial connection Issue 4: RC4 w/ XOR Attacker can obtain C and R = C XOR K, thereby getting K Can authenticate in future sessions using same IV from R Since secret key is shared, attacker can spoof anyone 2015 Patrick Tague 7

WEP Integrity Protection Integrity protection is based on the Integrity Check Value (ICV) which is based on CRC Encrypted message is (M CRC(M)) XOR K CRC is linear, i.e., CRC(X XOR Y) = CRC(X) XOR CRC(Y) Uh oh... ((M CRC(M)) XOR K) XOR (DM CRC(DM)) = ((M XOR DM) (CRC(M) XOR CRC(DM))) XOR K = ((M XOR DM) CRC(M XOR DM)) XOR K Also, WEP doesn't provide replay protection 2015 Patrick Tague 8

WEP Confidentiality Confidentiality is handled by the WEP IV Issue 1: 24 bits IVs repeat every few hours per user All users have the same secret key... Issue 2: IV = 0; for each packet: IV++; Pseudo-random sequences are same for every user Attacker can inject messages on time Issue 3: Inappropriate use of RC4 Weak keys as RC4 seeds allow inference of key bits Experts: always throw away first 256B of RC4 output WEP doesn't do this + small number IVs = weak keys encountered attacker can recover entire secret key 2015 Patrick Tague 9

So, WEP is completely broken. How did we solve the WEP problem? 2015 Patrick Tague 10

IEEE 802.11i IEEE specification for robust network security Authentication and access control based on 802.1x Integrity protection and confidentiality mechanisms based on AES to replace RC4 2015 Patrick Tague 11

802.1x Authentication and access control standard Designed for wired LAN, but extended to WLAN Supplicant: authentication and authorization entity on the wireless device requesting access N1, N4 Interfaces Authenticator: authentication and authorization entity in the wired access network (AP/BS or router) N2 Interface N3 Interface Account Authority: trusted third party in the access network or Internet; can authenticate credentials and authorize service types; may handle key management 2015 Patrick Tague 12

NAC Protocols Protocols involved in NAC Extensible Authentication Protocols (EAP) End-to-end auth. between device and account authenticator Supports a variety of client-server authentication methods IEEE 802.1x (extended to 802.11i) Carries EAP over the wireless LAN link (EAPoL) between device and AP 802.11i requires session key per station, not in wired due to per-wire ports Radius Transports EAP between AP and account authenticator Carries provisioned keys, etc. between AP and account authenticator 2015 Patrick Tague 13

Beyond the Shared Key STA and AP share pairwise master key (PMK) used to derive pairwise transient key (PTK) PTK = data encrypt key (DEK), data integrity key (DIK), key encrypt key (KEK), key integrity key (KIK) Four-way handshake using nonces AP sends nonce to STA, STA computes PTK STA sends nonce and MIC using KIK to AP AP computes PTK, verifies MIC, sends MIC + SN (for replay protection) to STA, ready STA verifies MIC, ACK for ready AP and all STAs also share group transient key (GTK) 2015 Patrick Tague 14

But, RC4 and AES were implemented in hardware, so the upgrade couldn't happen overnight 2015 Patrick Tague 15

WiFi Protected Access Temporal Key Integrity Protocol TKIP 802.11i using RC4 instead of AES Immediate firmware upgrade allowed for use of TKIP WPA is the subset of 802.11i supported through TKIP Auth and access control in WPA and 802.11i are the same Integrity and confidentiality are TKIP-based WPA2 is full 802.11i implementation WPA2 still has some weaknesses. 2015 Patrick Tague 16

So what kind of attacks are possible? 2015 Patrick Tague 17

Fake AP Threats Internet Open AP SSID Network X Open AP SSID Attacker Network X Laptop Laptop w/ policy to Connect to any Network open AP X 2015 Patrick Tague 18

Fake AP Threats in Enterprise Intranet Internet Enterprise AP SSID Company WiFi Personal AP SSID My WiFi Laptop w/ policy to Connect to Company to My WiFi WiFi 2015 Patrick Tague 19

Another Interesting Attack Inverse Wardriving [Beetle & Potter, shmoo.com] Wardriving is using a WiFi client to find open APs to get free service to the Internet Inverse Wardriving is using a Fake AP to find WiFi clients that will connect to it What if the client has an unpatched vulnerability? IW can be used to locate vulnerable clients and exploit them E.g., infect them with a worm Creating a Fake AP is very easy, especially using tools like Airsnarf or similar 2015 Patrick Tague 20

What about insider threats? 2015 Patrick Tague 21

Hole196 Vulnerability Discovered in 2010 by Md. Sohail Ahmad of AirTight Security Named for the page number in IEEE 802.11-v2007 Malicious insider can misuse the GTK Ex: ARP poisoning using the GTK allows the insider to advertise itself as the gateway, tricking them into redirecting their data to the insider via the AP [Image from AirTight Networks whitepaper] 2015 Patrick Tague 22

Hole196 DoS Vulnerability Hole196 also involves a DoS vulnerability Insider can use the replay protection framework in WPA2 to DoS another device Broadcast GTK-encrypted packet with higher sequence number than the current counter value All clients will update their counter to the new value All legitimate broadcast with sequence number below the attacker's value will be dropped 2015 Patrick Tague 23

More Hole196 Issues The insider can launch a number of other attacks using the Hole196 vulnerability Including other malicious payload in spoofed GTKencrypted packets can lead to higher-layer exploits Ex: IP layer attacks on a specific IP address, TCP reset, TCP indirection, DNS manipulation, port scanning, malware injection, privilege escalation See the AirTight Networks whitepaper for details 2015 Patrick Tague 24

Client isolation Patching Hole196 (1) Some controllers and APs can logically separate clients from each other, preventing data traffic from the victim to the insider when both are connected to the same AP or controller domain Not a complete solution, as variants of ARP poisoning and MitM can bypass client isolation Not standardized, so implementations are proprietary and likely vary among vendors 2015 Patrick Tague 25

Don't use the GTK Patching Hole196 (2) Most controller-based WLAN architectures don't use the GTK for anything, as the AP doesn't transmit broadcast traffic Vendors can circumvent the vulnerability by replacing the GTK with a unique (random) value for each client Neutralizes the Hole196 vulnerability with no associated overhead If the AP sends broadcast traffic, it will have to be encrypted using the unique values and unicasted 2015 Patrick Tague 26

WIPS Patching Hole196 (3) Wireless intrusion prevention systems can provide a protective layer to detect GTK-based attacks and block them until the vulnerability is patched 2015 Patrick Tague 27

Summary WiFi security is fairly mature, but still not completely understood, partially due to ubiquity and partially due to complexity 2015 Patrick Tague 28

Feb 5: Project Intro Presentations Feb 10: Broadcast Security & Key Mgmt. 2015 Patrick Tague 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback