Lecture 7 ~ Wireless Security ~
Assalamualaikum w.b.t...
Lam lecture kali nie encek ajr kami Wireless Security.. ermmmm... best gak lecture kali nie.. xla busannn.. ermm...
Wireless LANs
•IEEE ratified 802.11 in 1997.
~Also known as Wi-Fi.
•Wireless LAN at 1 Mbps & 2 Mbps.
•WECA (Wireless Ethernet Compatibility Alliance) promoted Interoperability.
~Now Wi-Fi Alliance
•802.11 focuses on Layer 1 & Layer 2 of OSI model.
~Physical layer
~Data link layer
802.11 Components
~Two pieces of equipment defined:
•Wireless station
*A desktop or laptop PC or PDA with a wireless NIC.
•Access point
*A bridge between wireless and wired networks
*Composed of
~Radio
~Wired network interface (usually 802.3)
~Bridging software
*Aggregates access for multiple wireless stations to wired network.
802.11 modes
~Infrastructure mode
•Basic Service Set (BSS)
*One access point
•Extended Service Set
*Two or more BSSs forming a single subnet.
•Most corporate LANs in this mode.
~Ad-hoc mode
•Also called peer-to-peer.
•Independent Basic Service Set
•Set of 802.11 wireless stations that communicate directly without an access point.
*Useful for quick & easy wireless networks.
Infrastructure mode
Ad-hoc mode
802.11 Physical Layer
~Originally three alternative physical layers
•Two incompatible spread-spectrum radio in 2.4Ghz ISM band
*Frequency Hopping Spread Spectrum (FHSS)
~75 channels
*Direct Sequence Spread Spectrum (DSSS)
~14 channels (11 channels in US)
•One diffuse infrared layer
•802.11 speed
*1 Mbps or 2 Mbps.
802.11 Data Link Layer
~Layer 2 split into:
•Logical Link Control (LLC).
•Media Access Control (MAC).
~LLC - same 48-bit addresses as 802.3.
~MAC - CSMA/CD not possible.
•Can’t listen for collision while transmitting.
~CSMA/CA – Collision Avoidance.
•Sender waits for clear air, waits random time, then sends data.
•Receiver sends explicit ACK when data arrives intact.
•Also handles interference.
•But adds overhead.
~802.11 always slower than equivalent 802.3
RTS / CTS
~To handle hidden nodes
~Sending station sends
•“Request to Send”
~Access point responds with
•“Clear to Send”
•All other stations hear this and delay any transmissions.
~Only used for larger pieces of data.
•When retransmission may waste significant time.
802.11b
•802.11b ratified in 1999 adding 5.5 Mbps and 11 Mbps.
•DSSS as physical layer.
~11 channels (3 non-overlapping)
•Dynamic rate shifting.
~Transparent to higher layers
~Ideally 11 Mbps.
~Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
*Higher ranges.
*Interference.
~Shifts back up when possible.
•Maximum specified range 100 meters
•Average throughput of 4Mbps
Joining a BSS
•When 802.11 client enters range of one or more APs
~APs send beacons.
~AP beacon can include SSID.
~AP chosen on signal strength and observed error rates.
~After AP accepts client.
*Client tunes to AP channel.
•Periodically, all channels surveyed.
~To check for stronger or more reliable APs.
~If found, re-associates with new AP.
Roaming and Channels
~Re-association with APs
•Moving out of range.
•High error rates.
•High network traffic.
*Allows load balancing.
~Each AP has a channel.
•14 partially overlapping channels.
•Only three channels that have no overlap.
*Best for multi cell coverage.
802.11a
~802.11a ratified in 2001
~Supports up to 54Mbps in 5 Ghz range.
•Higher frequency limits the range
•Regulated frequency reduces interference from other devices
~12 non-overlapping channels
~Usable range of 30 metres
~Average throughput of 30 Mbps
~Not backwards compatible
802.11g
~802.11g ratified in 2002
~Supports up to 54Mbps in 2.4Ghz range.
•Backwards compatible with 802.11b
~3 non-overlapping channels
~Range similar to 802.11b
~Average throughput of 30 Mbps
~802.11n due for November 2006
•Aiming for maximum 200Mbps with average 100Mbps
Open System Authentication
~Service Set Identifier (SSID)
~Station must specify SSID to Access Point when requesting association.
~Multiple APs with same SSID form Extended Service Set.
~APs can broadcast their SSID.
~Some clients allow * as SSID.
•Associates with strongest AP regardless of SSID.
MAC ACLs and SSID hiding
~Access points have Access Control Lists (ACL).
~ACL is list of allowed MAC addresses.
•E.g. Allow access to:
*00:01:42:0E:12:1F
*00:01:42:F1:72:AE
*00:01:42:4F:E2:01
~But MAC addresses are sniffable and spoofable.
~AP Beacons without SSID
•Essid_jack
*sends deauthenticate frames to client
*SSID then displayed when client sends reauthenticate frames
Interception
•Wireless LAN uses radio signal.
•Not limited to physical building.
•Signal is weakened by:
~Walls
~Floors
~Interference
•Directional antenna allows interception over longer distances.
•Directional antenna provides focused reception.
802.11 Wireless LAN
~Three basic security services defined by IEEE for the WLAN environment
•Authentication
*provide a security service to verify the identity of communicating client
stations
•Integrity
*to ensure that messages are not modified in transit between the wireless
clients and the access point in an active attack
~Confidentiality
•to provide “privacy achieved by a wired network”
802.11 Authentication
802.11b Security Services
~Two security services provided:
•Authentication
*Shared Key Authentication
•Encryption
*Wired Equivalence Privacy
Wired Equivalence Privacy
~Shared key between
•Stations.
•An Access Point.
~Extended Service Set
•All Access Points will have same shared key.
~No key management
•Shared key entered manually into
*Stations
*Access points
*Key management nightmare in large wireless LANs
RC4
~Ron’s Code number 4
•Symmetric key encryption
•RSA Security Inc.
•Designed in 1987.
•Trade secret until leak in 1994.
~RC4 can use key sizes from 1 bit to 2048 bits.
~RC4 generates a stream of pseudo random bits
•XORed with plaintext to create ciphertext.
802.11 Confidentiality
WEP – Sending
~Compute Integrity Check Vector (ICV).
•Provides integrity
•32 bit Cyclic Redundancy Check.
•Appended to message to create plaintext.
~Plaintext encrypted via RC4
•Provides confidentiality.
•Plaintext XORed with long key stream of pseudo random bits.
•Key stream is function of
~40-bit secret key
~24 bit initialisation vector
~Ciphertext is transmitted.
WEP Encryption
WEP – Receiving
~Ciphertext is received.
~Ciphertext decrypted via RC4
•Ciphertext XORed with long key stream of pseudo random bits.
•Key stream is function of
~40-bit secret key
~24 bit initialisation vector (IV)
~Check ICV
•Separate ICV from message.
•Compute ICV for message
•Compare with received ICV
Shared Key Authentication
~When station requests association with Access Point
•AP sends random number to station
•Station encrypts random number
•Uses RC4, 40 bit shared secret key & 24 bit IV
•Encrypted random number sent to AP
•AP decrypts received message
•Uses RC4, 40 bit shared secret key & 24 bit IV
•AP compares decrypted random number to transmitted random number
~If numbers match, station has shared secret key.
WEP Safeguards
~Shared secret key required for:
•Associating with an access point.
•Sending data.
•Receiving data.
~Messages are encrypted.
•Confidentiality.
~Messages have checksum.
•Integrity.
~But management traffic still broadcast in clear containing SSID.
Initialization Vector
~IV must be different for every message transmitted.
~802.11 standard doesn’t specify how IV is calculated.
~Wireless cards use several methods
•Some use a simple ascending counter for each message.
•Some switch between alternate ascending and descending counters.
•Some use a pseudo random IV generator.
Passive WEP attack
~If 24 bit IV is an ascending counter,
~If Access Point transmits at 11 Mbps,
~All IVs are exhausted in roughly 5 hours.
~Passive attack:
•Attacker collects all traffic
•Attacker could collect two messages:
*Encrypted with same key and same IV
*Statistical attacks to reveal plaintext
*Plaintext XOR Ciphertext = Keystream
Active WEP attack
~If attacker knows plaintext and ciphertext pair
•Keystream is known.
•Attacker can create correctly encrypted messages.
•Access Point is deceived into accepting messages.
~Bitflipping
•Flip a bit in ciphertext
•Bit difference in CRC-32 can be computed
Limited WEP keys
~Some vendors allow limited WEP keys
•User types in a passphrase
•WEP key is generated from passphrase
•Passphrases creates only 21 bits of entropy in 40 bit key.
~Reduces key strength to 21 bits = 2,097,152
~Remaining 19 bits are predictable.
~21 bit key can be brute forced in minutes.
Creating limited WEP keys
Brute force key attack
•Capture ciphertext.
~IV is included in message.
•Search all 240 possible secret keys.
~1,099,511,627,776 keys
~170 days on a modern laptop
•Find which key decrypts ciphertext to plaintext.
128 bit WEP
~Vendors have extended WEP to 128 bit keys.
•104 bit secret key.
•24 bit IV.
~Brute force takes 10^19 years for 104-bit key.
~Effectively safeguards against brute force attacks.
IV weakness
~WEP exposes part of PRNG input.
•IV is transmitted with message.
•Every wireless frame has reliable first byte
*Sub-network Access Protocol header (SNAP) used in logical link control layer,
upper sub-layer of data link layer.
*First byte is 0xAA
•Attack is:
*Capture packets with weak IV
*First byte ciphertext XOR 0xAA = First byte key stream
*Can determine key from initial key stream
~Practical for 40 bit and 104 bit keys
~Passive attack.
•Non-intrusive.
•No warning.
Wepcrack
•First tool to demonstrate attack using IV weakness.
~Open source, Anton Rager.
•Three components
~Weaker IV generator.
~Search sniffer output for weaker IVs & record 1st byte.
~Cracker to combine weaker IVs and selected 1st bytes.
•Cumbersome.
Airsnort
~Automated tool
•Cypher42, Minnesota, USA.
•Does it all!
•Sniffs
•Searches for weaker IVs
•Records encrypted data
•Until key is derived.
~100 Mb to 1 Gb of transmitted data.
~3 to 4 hours on a very busy WLAN.
Avoid the weak IVs
•FMS described a simple method to find weak IVs
~Many manufacturers avoid those IVs after 2002
~Therefore Airsnort and others may not work on recent hardware
•However David Hulton aka h1kari
~Properly implemented FMS attack which shows many more weak IVs
~Identified IVs that leak into second byte of key stream.
~Second byte of SNAP header is also 0xAA
~So attack still works on recent hardware
~And is faster on older hardware
~Dwepcrack, weplab, aircrack
Generating WEP traffic
•Not capturing enough traffic?
~Capture encrypted ARP request packets
~Anecdotally lengths of 68, 118 and 368 bytes appear appropriate
~Replay encrypted ARP packets to generate encrypted ARP replies
~Aireplay implements this.
802.11 safeguards
•Security Policy & Architecture Design
•Treat as untrusted LAN
•Discover unauthorised use
•Access point audits
•Station protection
•Access point location
•Antenna design
Security Policy & Architecture
•Define use of wireless network
~What is allowed
~What is not allowed
•Holistic architecture and implementation
~Consider all threats.
~Design entire architecture
•To minimize risk.
Wireless as untrusted LAN
~Treat wireless as untrusted.
•Similar to Internet.
~Firewall between WLAN and Backbone.
~Extra authentication required.
~Intrusion Detection
•at WLAN / Backbone junction.
~Vulnerability assessments
Discover unauthorized use
•Search for unauthorised access points, ad-hoc networks or clients.
•Port scanning
~For unknown SNMP agents.
~For unknown web or telnet interfaces.
•Warwalking!
~Sniff 802.11 packets
~Identify IP addresses
~Detect signal strength
~But may sniff your neighbours…
•Wireless Intrusion Detection
~AirMagnet, AirDefense, Trapeze, Aruba,…
Access point audits
•Review security of access points.
•Are passwords and community strings secure?
•Use Firewalls & router ACLs
~Limit use of access point administration interfaces.
•Standard access point config:
~SSID
~WEP keys
~Community string & password policy
Station protection
•Personal firewalls
~Protect the station from attackers.
•VPN from station into Intranet
~End-to-end encryption into the trusted network.
~But consider roaming issues.
•Host intrusion detection
~Provide early warning of intrusions onto a station.
•Configuration scanning
~Check that stations are securely configured.
Location of Access Points
•Ideally locate access points
~In centre of buildings.
•Try to avoid access points
~By windows
~On external walls
~Line of sight to outside
•Use directional antenna to “point” radio signal.
WPA
•Wi-Fi Protected Access
~Works with 802.11b, a and g
•“Fixes” WEP’s problems
•Existing hardware can be used
•802.1x user-level authentication
•TKIP
~RC4 session-based dynamic encryption keys
~Per-packet key derivation
~Unicast and broadcast key management
~New 48 bit IV with new sequencing method
~Michael 8 byte message integrity code (MIC)
•Optional AES support to replace RC4
WPA and 802.1x
~802.1x is a general purpose network access control mechanism
~WPA has two modes
•Pre-shared mode, uses pre-shared keys
•Enterprise mode, uses Extensible Authentication Protocol (EAP) with a RADIUS
server making the authentication decision
•EAP is a transport for authentication, not authentication itself
•EAP allows arbitrary authentication methods
•For example, Windows supports
~EAP-TLS requiring client and server certificates
~PEAP-MS-CHAPv2
Practical WPA attacks
•Dictionary attack on pre-shared key mode
~CoWPAtty, Joshua Wright
•Denial of service attack
~If WPA equipment sees two packets with invalid MICs in 1 second
•All clients are disassociated
•All activity stopped for one minute
•Two malicious packets a minute enough to stop a wireless network
Summary
•WAP is used on small, handheld devices like cell phones for out-of-the-office
connectivity
•Designers created WTLS (Wireless Transport Layer Security) as a method to ensure
privacy of the data because it was being broadcast
•802.11 does not allow physical control of the transport mechanism
•Transmission of all network data wirelessly transmits frames to all wireless
machines, not just a single client
•Poor authentication. The SSID is broadcast to anyone listening
•Flawed implementation of the RC4 encryption algorithm makes even encrypted traffic
subject to interception and decryption
•WEP is used to encrypt wireless communications in an 802.11 environment and S/MIME
for email
huhuhuuu.. quite byk gak la mender yg nk kne ingt lam lecture nie.. ermmm.. layann....
alhamdulillah...
