of 22 /22
Wireless LAN Security Presented by: Pallavi Priyadarshini Student ID 003503527

W i reless LAN Security

  • Author
    xannon

  • View
    50

  • Download
    1

Embed Size (px)

DESCRIPTION

W i reless LAN Security. Presented by: Pallavi Priyadarshini Student ID 003503527. Agenda. Brief background on Wireless LAN Basic security mechanisms in 802.11 WEP Vulnerabilities Enhancing wireless security with WPA Comparing WEP and WPA Conclusion. Brief Background. - PowerPoint PPT Presentation

Text of W i reless LAN Security

  • Wireless LAN SecurityPresented by:Pallavi PriyadarshiniStudent ID 003503527

  • AgendaBrief background on Wireless LANBasic security mechanisms in 802.11WEP VulnerabilitiesEnhancing wireless security with WPAComparing WEP and WPAConclusion

  • Brief BackgroundA local area network (LAN) with no wiresSeveral Wireless LAN (WLAN) standards802.11 - 1-2 Mbps speed, 2.4Ghz band802.11b (Wi-Fi) 11 Mbps speed, 2.4Ghz band802.11a (Wi-Fi) - 54 Mbps speed, 5Ghz band802.11g (Wi-Fi) 54 Mbps speed, 2.4Ghz band

  • Wireless network components

  • Security Challenges and SolutionsChallengesBeyond any physical boundariesEncryption, Authentication and IntegrityBasic Security Mechanisms in 802.11Service Set ID (SSID) Acts like a shared secret, but sent in clear.MAC Address Lists Modifiable and also sent in clear. The WEP Algorithm

  • More on WEPStands for Wired Equivalent PrivacyDesigned to encrypt data over radio wavesProvides 3 critical pieces of securityConfidentiality (Encryption)AuthenticationIntegrityUses RC4 encryption algorithmSymmetric key stream cipher64-bit shared RC4 keys, 40-bit WEP key, 24-bit plaintext Initialization Vector (IV)

  • WEP Encryption and IntegrityMessage

    PRNG RC4 Pseudorandom number generation algorithmData payload

  • WEP Authentication2 levels of authenticationOpen : No authenticationShared secret : Station AStation BNonce NE(N, KA-B)Request for shared key auth.Authentication response

  • WEP The flawed SolutionWeakness in key managementSingle key for all access points and client radiosStatic unless manually changedAuthentication and encryption keys are the sameShared key authentication failureNo knowledge of secret to gain network accessWEPPR=C P (where C, P are passively recorded)

    AttackerAPAuthentication requestChallenge R WEPPR RSuccess

  • WEP The flawed Solution (contd.)Weakness in EncryptionShort 24-bit IV, reuse mandatoryWeak per-packet key derivation - exposes RC4 protocol to weak key attacks. Given c1 and c2 with same IV, c1 c2= p1p2 [p1 S p2 S], leading to statistical attacks to recover plaintextsShort 40-bit encryption schemeNo forgery protectionUsing CRC-32 checksum possible to recompute matching ICV for changed data bitsGiven C= RC4(IV, key) , can find C that decrypts to M=M+ such that C= RC4(IV, key)

  • WEP The flawed Solution (contd.)No protection against replaysOptional, mostly not turned on by users

  • Design ConstraintsWEP patches will rely entirely on software upgradeAccess points have little spare CPU capacity for new functionsEncryption functions are hard-wired in the access points

  • Enhancing WLAN Security with WPAWPA - Wireless Protected AccessStrong, standards based, interoperable security for Wi-Fi Addresses all known weaknesses of WEPSubset of forthcoming IEEE 802.11i standard Designed to run as a software upgrade on most Wi-Fi certified products.

  • Security Mechanisms in WPA - TKIPUses TKIP (Temporal Key Integrity Protocol) Encryption.Suite of algorithms wrapping WEPAdds 4 new algorithms to WEP:New cryptographic message integrity code (MIC) called Michael - to defeat forgeriesNew IV sequencing discipline - to remove replay attacksA re-keying mechanism to provide fresh encryption and integrity keys

  • More on TKIP

    A per-packet key mixing function Phase 1 (Eliminates same key use by all links) - Combines MAC address and temporal key. Input to S-box to produce intermediate keyPhase 2 (De-correlates IVs and per-packet keys) - Packet sequence number encrypted under the intermediate key using a fiestel cipher to produce 128-bit per packet key.TKIP leverages 802.1X/EAP framework for key management

  • 802.1X/EAP ArchitectureSupplicant(wireless client)Authenticator(AP)AuthenticationServer (RADIUS)EAP-startEAP-identity requestEAP-identity responseEAP success/rejectEAP success/reject

  • WPA Modes of Operation - Pre-shared key vs. EnterprisePre-shared Key Mode for home/SOHO usersDoes not require authentication serverShared Secret or password entered manually in the AP and wireless client. WPA takes over automatically.Only the clients with matching passwords are allowed to join the network.The password automatically kicks off the TKIP encryption process.Enterprise Mode for corporate usersRequires an authentication server like RADIUSCentralized management of user credentials

  • WPA modes of operation Enterprise ModeWired Network Services

  • WEP vs. WPA

  • Comparing WPA and 802.11iWPA

  • ConclusionWPA is not an ideal security protocol designHowever, it is a dramatic improvement in Wi-Fi security.Has not been broken (yet).Protects the original hardware investment.If hardware constraint removed, a more robust security solution possible.Such a solution is being developed based on a even stronger cryptographic cipher - Advanced Encryption Standard (AES).

  • References[1] Bruce Potter & Bob Fleck, 802.11 Security, O-Reilly, December 2002[2]James larocca & Ruth larocca, 802.11 Demystified, McGraw-Hill Telecom, 2002[3]Whitepaper on Wireless LAN Security on http://www.wi-fi.org[4]http://www.ieee802.org/1/pages/802.1x.html

    802.11 is an IEEE standard for wireless LANs that enables computing devices such as laptops and PDAs to connect to LANs and to the Internet. There are several specifications in the 802.11 family to be able to support higher speeds:

    802.11 Pertains to wireless LANs and provides either 1 or 2 Mbps transmission in the 2.4 Ghz band.802.11b An extension to 802.11 that pertains to wireless LANs and yields a connection fast as 11Mpbs in the 2.4 GHz band (can conflict with other users of the 2.4 GHz frequency band such as Bluetooth and microwaves).802.11a An extension to 802.11 that pertains to wireless LANs and goes as fast as 54Mpbs in the 5 GHz band.802.11g An extension to 802.11 that pertains to wireless LANs and provides 20+Mpbs (upto 54 Mbps) in the 2.4 GHz band.

    Wi-Fi stands for wireless fidelity and is meant to be used generically when referring of any type of 802.11 network, whether 802.11b, 802.11a 0r 802.11g.

    A personal computer or a laptop with a wireless network adapter is known as a wireless client. Wireless clients can communicate directly with each other or through a wireless access point (AP). A wireless Access Point is a wireless network node that acts as a bridge between the wireless clients and a wired network. Wireless clients communicate with both the wired network and other wireless clients through the wireless AP. The term station refers both to wireless clients and Access points present in a wireless network.Interception of radio communications has been a problem for as long as radios have been used to transmit sensitive information. Since 802.11 uses radio waves instead of cables as its communication medium, anyone with a radio receiver can eavesdrop on the messages exchanged, and anyone with a radio transmitter can write to the channel. In such a scenario, it becomes imperative to protect the confidentiality of data through encryption, to verify the identity of users and machines through authentication and to guarantee the integrity of the messages exchanged.

    802.11 defines a few security mechanisms in the standard itself:SSID is an acronym for service set identifier, a 32-character unique identifier attached to packets sent over a WLAN that acts as a password when a mobile device tries to connect to the Access Point. The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the network unless it can provide the unique SSID. The AP will, by default, broadcast the SSID. Moreover, SSID is sent in cleartext as a reply to a probe from the station even if it is not broadcast. Softwares exist that can capture the SSID. Thus, it is not a strong form of security.

    Typically, the Ethernet address, or MAC address, of the users' wireless network interface card can be programmed into a wireless Access Point to allow access only from specific network interface cards. MAC address filters contain a list of MAC addresses of wireless network interface cards that may associate with a given AP. This mechanism is handy for a small wireless installation. However, this security mechanism is not foolproof since MAC Address filters do not provide any encryption and MAC addresses are easy to clone. Also, this mechanism becomes cumbersome if the wireless network is large and dynamic.

    The WEP algorithm and its weaknesses are discussed in the next few slides. Wired Equivalent Privacy (WEP) is an encryption protocol described by the 802.11 specification. Goal of WEP is to make WLAN communications as secure as wired LAN data transmission would be.

    WEP uses RC4 algorithm for providing encryption, authentication and integrity. RC4 is a stream cipher designed by Rivest for RSA Data Security (now RSA Security). It is a variable key-size stream cipher. In this case, the key size is 64 bits, out of which 24 bits are used as Initialization Vector(IV). Shared key mechanism means that the key a client is using for authentication and encryption of data stream must be the same as the key AP uses. Thus, the same secret key is distributed to all wireless clients and access points within a WLAN. Any good encryption scheme folds some amount of extra public data into the underlying data to randomize the encrypted result so that it is difficult for an attacker to deduce any plaintext information through frequency analysis and correlation of enough encrypted data. For example, without randomization an attacker might determine whether two plaintext values are the same since encryption algorithms produce the same output given the same input.

    For its extra public data, WEP encryption scheme uses an Initialization Vector (IV). The transmitting device creates a 24-bit random IV. Secret key (which has been distributed to all clients and AP) is concatenated with an IV to produce a seed. This seed is then used as an input to a RC4 Pseudorandom number generation algorithm (PRNG). The PRNG then outputs a key sequence equal in length to number of data octets to be transmitted plus four octets that will be used to protect the Integrity Check value.

    For computing the integrity check value, original data packet is checksummed using CRC-32 algorithm. Then the checksum is added to the data to form the data payload. The key sequence generated from the PRNG is XORed with the data payload to produce the ciphertext. The device then transmits the IV and the ciphertext to the remote device. The IV is transmitted in the clear because it must be known by the recipient in order for the received message to be successfully decoded. The remote device uses the IV and the shared key to decrypt the data and verify the checksum. When a station first associates itself with AP, the station should first authenticate itself to the AP. WEP allows two levels of authenticating wireless clients:In an open system, all users are allowed to access the wireless network.Shared Secret is a more secure mode that controls access to wireless LANs. Upon receipt of authentication request by Station A, Station B responds with an authentication challenge (Nonce). In response, Station A sends back the challenge encrypted with the shared secret using WEP. Station B then decrypts the encrypted nonce from Station A and verifies that the decrypted payload equals to the nonce it had sent. If the challenge matches and the packets ICV (Integrity Check Value) is valid, Station B notifies Station A that the authentication was successful and an association is formed.Unfortunately, the WEP specification does not provide wired-equivalent privacy. It is now well-known that the WEP design contains many basic flaws that render it ineffective at meeting its design goals.

    Weak Key ManagementProper key management is the bedrock for any cryptographic system. If everyone on the network uses the same key, then anyone on the network can decrypt traffic intended for any other device on the network. Also if a trustworthy user ends up giving his key to another person, it could potentially compromise not just his own traffic, but the entire network. This level of trust is not realistic. Manual key distribution is the de-facto standard for WEP. But entering a key manually tends to be error prone, leading to time consuming process of verifying keys. Because of this, human administrators tend to use keys with recognizable patterns instead of random keys, making any attack still easier!In most cases, the key used to authenticate users is the same as the key used for encrypting data. This causes even more network problems, since a hacker who has a copy of the shared key can not only use it to access the wireless network, but he can also view other users network traffic.

    Authentication failureKnowing the plaintext challenge P, and the encrypted challenge C by listening to a valid authentication between 2 stations, an attacker can recover the WEP pseudo-random stream via WEPPR=C P. He can now authenticate without knowing the shared secret. He sends an authentication request to the access point, which responds with a plaintext challenge. Now he just XORs the plaintext challenge with the recovered pseudo-random stream to get a valid authentication response.

    Encryption WeaknessThe vulnerabilities exposed in WEP can be traced back to two main problems: (1) the limitations of the initialization vector (IV) combined with (2) weaknesses in how packet encryption keys are derived from the initialization vector when a secret key is shared between a wireless LAN client and an access point.The IV is just a 24-bit field. This means that there are only 224 WEP IVs available, so to meet the requirement of no pair reuse, an administrator must change the WEP key after 224 packets. But in reality, because of heavy network traffic, all IVs will be used in a relatively short period of time, and it is very difficult to change the keys manually on such a regular basis. A network may cycle through all possible IVs in just 2-5 hours. The attacks against WEP are not a result of a weakness of the algorithm, but instead a weakness in WEP key derivation that produce weak RC4 keys that are very similar for different data packets. RC4 is the popular algorithm protecting the millions of users who access secure Web pages and send data via the SSL/TLS protocol and has not been broken in SSL. Because WEP encryption is based on the RC4 stream cipher, it is important each packet have a different WEP key. While the WEP standard had specified using different keys for different data packets, the key derivation function (how to derive a key from a common starting point) was flawed. IV collisions produce identical WEP keys when the same IV is used with the same shared secret key for more than one data frame and this is the weakness attackers exploit. Simply put, the keys for different data packets were too similar. Hackers could exploit this similarity to extract information about the shared secret after analyzing a modest number of packets. For example, given ciphertexts c1 and c2 with same IV, information about plaintext can be recovered via c1 c2= p1p2. The resulting XOR can be used to infer data about the contents of the two messages through statistical analysis. As a special case, when one plaintext is known, the other is immediately recovered. When such statistical analysis is inconclusive based on only two messages, the attacker can look for more collisions of the same IV. With only a small factor in the amount of time necessary, it is possible to recover a modest number of messages encrypted with the same key stream, and the success rate of statistical analysis grows quickly .Thus, WEP misuses the RC4 encryption algorithm in a way that exposes the protocol to weak key attacks. By reusing initialization vectors, WEP enables an attacker to decrypt encrypted data without ever learning the encryption keys or even resorting to high tech techniques. IEEE selected 40-bit encryption because it is exportable under most national encryption laws. Unfortunately, a modern PC can search a key space of 40-bits in a matter of hour or two. Once the shared secret is discovered, a malicious hacker could decrypt data packets being passed along the exposed network.

    No forgery ProtectionThe CRC-32 Integrity Check Value is neither keyed nor collision-proof. The use of this checksum is not recommended. An attacker might be able to generate an alternative message that satisfies the checksum. Using the CRC-32 checksum algorithm, it is possible to change data bits in the message and recompute an appropriate matching ICV. It enables an attacker to send a valid new packet using an existing packet. If he knows the plaintext for an encrypted message, he can construct a new message, recalculate the ICV, flip the bits on the original encrypted message (changing it to the desired message), and have it received as valid. The use of collision-proof checksums is recommended for environments where such attacks represent a significant threat.

    No replay protectionAn adversary can simply record WEP packets and retransmit them later. Replay attacks can be used to derive information about the encryption key and the data it protects.

    Optional featureDespite the weakness of WEP algorithm, having WEP security is better than having no security because it is another obstacle the hacker would have to get through first to break into the network. However, WEP is not enabled by default on the access points shipped to consumers. Studies have shown that most users do not even enable WEP! If WEP is not enabled, everything sent over the air is sent as is, so anyone can eavesdrop on the connection very easily.

    WEP is so seriously flawed that IEEEs most promising avenue is to create a new security protocol from scratch. This way the new design would not be constrained by the WEP design. However, millions of WEP-based devices have been shipped and the industry has an obligation to correct the security defects into the installed base if possible. Design of any new security protocol to achieve optimum security is constrained by several factors:

    802.11 devices are comprised of hardware and software. It is not cost effective to add or swap out hardware chips in WLAN device or replace the entire hardware unit. Thus, to protect the investment in hardware, the WEP patches operating on already-deployed 802.11 equipment will rely entirely on software upgrade.

    Access points present a fundamental computational bottleneck in the system with little spare CPU capacity. In an infrastructure mode, the access point handles every message exchanged across the wireless network, even between 2 wireless clients. In order to be competitive, access points are implemented with the cheapest microprocessor available. The load generated by the WLAN traffic often consumes 90% or more of microprocessor bandwidth. Thus, very few spare cycles are available for new functions. This poses a major design constraint given that good iterative cryptographic functions are very CPU-hungry algorithms.

    Nearly all shipping access points due to the limited CPU capacity have custom hardware to offload the encryption function from the CPU. Most of this hardware is tuned to perform per-packet WEP encryption, which leaves any new patch using the existing hardware with no other encryption choice but RC4.

    Wireless Protected Access is a specification brought about by the Wi-Fi Alliance in conjunction with IEEE (The Wi-Fi Alliance is a non-profit association formed to certify interoperability of wireless LAN products based on IEEE 802.11 specifications). In the face of constraints faced in designing any new security system, WPA represents a quantum leap forward in Wi-Fi security. WPA is derived from and is forward-compatible with the upcoming 802.11i standard. It is designed to improve the level of data protection and access control by running on existing hardware as a software upgrade.The Temporal Key Integrity Protocol, pronounced tee-kip, is part of the IEEE 802.11i encryption standard for wireless LANs. TKIP is the next generation of WEP and fixes the flaws of WEP. It is IEEEs response to the need to do something to improve the security of already deployed 802.11 equipment. TKIP improves security in WLANs through four new algorithms:1) Michael computes the MIC (Message Integrity Code) from the secret authentication key and the message using a simple iterative structure.

    2) An MIC cannot detect replayed packet. TKIP uses the WEP IV field as a packet sequence number. Both transmitter and receiver initialize the packet sequence number to zero whenever new TKIP keys are set, and the transmitter increments the sequence number with each packet it sends.

    3)TKIP uses the 802.1X authentication server to push a common set of encryption keys both to the wireless client and the access point before reuse of any key becomes mandatory. We will discuss more about 802.1X architecture shortly.

    4) Recall that WEP constructs a per packet RC4 key by simply concatenating a base key and the packet IV which makes recovering the key easier knowing the public IV. The new per-packet key construction, called the TKIP key mixing function, substitutes a temporal key for the WEP base key and constructs the per-packet key in a novel fashion. Temporal keys are so named because they have a fixed lifetime and are replaced frequently. Wireless endpoints begin with a 128-bit shared secret, referred to a temporal key (TK). The transmitter's MAC address is mixed with TK which is used as an index into an S-box, to produce an intermediate key. Mixing the address of transmitter into each encryption key ensures that each station ends up with its own encryption key. Thus, TKIP manufactures different keys for each direction of communication over each link.

    Phase 2 then uses a tiny Fiestel cipher to encrypt the packet sequence number under the intermediate key, producing a 128-bit per packet key. Thus, each key is used with RC4 to encrypt one and only one data packet. This defeats the attacks based on weak keys in the RC4 algorithm.

    802.1X As the IEEE standard for access control for wireless and wired LANs, 802.1x provides a means of authenticating and authorizing devices to attach to a LAN port. This standard defines the Extensible Authentication Protocol (EAP), which uses a central authentication server to authenticate each user on the network. EAP is an 802.1x standard that allows developers to pass security authentication data between authentication server, access point (AP) and wireless client. EAP is a misnomer, since it is not an authentication protocol per se, rather it is a transport protocol tailored to the needs of authentication mechanisms.

    802.1X will let wireless LANs scale by allowing centralized authentication of wireless users or stations. The standard is flexible enough to allow multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication.

    The client tries to connect to the access point. The access point detects the client and enables the client's port. It forces the port into an unauthorized state, so only 802.1X traffic is forwarded. Traffic such as Dynamic Host Configuration Protocol, HTTP, FTP, Simple Mail Transfer Protocol and Post Office Protocol 3 is blocked. The client then sends an EAP-start message. The access point will then reply with an EAP-identity request message to obtain the client's identity. The client's EAP-response packet containing the client's identity is forwarded to the authentication server. The authentication server is configured to authenticate clients with a specific authentication algorithm. The result is an accept or reject packet from the authentication server to the access point.

    Upon receiving the accept packet, the access point will transition the client's port to an authorized state, and traffic will be forwarded. If configured to implement dynamic key exchange, the 802.1X authentication server can return session keys to the access point along with the accept message, which can then be forwarded to the wireless client. The Authentication Server uses this key to secure distribution of any fresh key to the AP and the wireless client.

    WPA incorporates several features of 802.11i, which can be implemented using the old hardware. Given proper key management, WPA fixes all known problems with WEP, but still cannot provide security assurances inline with original WEP design goals. So, the 802.11 Work Group is defining the forthcoming standard 802.11i based on Advanced Encryption Standard (AES) that can meet the original design goals, but will require new hardware.