Wireless LAN Security Fundamentals Peter Lane December 2014

Shanghai Breakout: Wireless LAN Security Fundamentals


Wireless LAN Security Fundamentals

Peter Lane, December 2014

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved. #AirheadsConf

Today’s Agenda

• Goal: Authentication with 802.1X and encryption with WPA2
• But first: We need to understand PKI
• And before that, we need a cryptography primer!


Cryptography Primer


Why study cryptography?

• Absolutely critical to wireless security

• Heavily used during authentication process

• Protects data in transit

• Makes you more interesting at parties


Symmetric Key Cryptography


• Strength:
– Simple and very fast (on the order of 1000 to 10000 times faster than asymmetric mechanisms)
• Challenges:
– Must agree on the key beforehand
– How to securely pass the key to the other party?

• Examples: AES, 3DES, DES, RC4

• AES is the current “gold standard” for security


Symmetric Cipher “Modes”


Public Key Cryptography (Asymmetric)


Public Key Cryptography

• Strength

– Solves problem of passing the key

– Allows establishment of trust context between parties

• Challenges:

– Slow (MUCH slower than symmetric)

– Problem of trusting public key (what if I’ve never met you?)

• Examples: RSA, DSA, ECDSA, ElGamal


Hybrid Cryptography

• Randomly generate “session” key
• Encrypt data with “session” key (symmetric key cryptography)
• Encrypt “session” key with recipient’s public key (public key cryptography)


Hash Function

• Properties

– it is easy to compute the hash value for any given message

– it is infeasible to find a message that has a given hash

– it is infeasible to find two different messages with the same hash

– it is infeasible to modify a message without changing its hash

• Ensures message integrity

• Also called message digests or fingerprints

• Examples: MD5, SHA1, SHA2 (256/384/512)


Digital Signature

• Combines a hash with an asymmetric crypto algorithm

• The sender’s private key is used in the digital signature operation

• Digital signature calculation:


Message Authentication


HMAC


Message Integrity with CBC-MAC

• Set IV=0

• Run message through AES-CBC (or some other symmetric cipher)
• Discard everything except final block – this output is the MAC


Entropy (Information-theoretic, not thermodynamic!)

• When we create a random key, it must be unique and unpredictable

• We need good random numbers for this

• What happens if it’s not unique or unpredictable?


AES-CCM (Counter with CBC-MAC)

[Diagram labels: CBC-MAC; AES in Counter Mode]


Summary: Security Building Blocks

• Encryption provides

– confidentiality, can provide authentication and integrity protection

• Checksums/hash algorithms provide

– integrity protection, can provide authentication

• Digital signatures provide

– authentication, integrity protection, and non-repudiation

• For more info:

Buy this Book!


Certificates, Trust & PKI


What is a Certificate?

• Binds a public key to some identifying information
– The signer of the certificate is called its issuer
– The entity talked about in the certificate is the subject of the certificate
• Certificates in the real world
– Any type of license, government-issued IDs, membership cards, ...
– Binds an identity to certain rights, privileges, or other identifiers


Public Key Infrastructure

• A Certificate Authority (CA) guarantees the binding between a public key and another CA or an “End Entity” (EE)

• CA Hierarchies


Who do you trust?

Windows: Start->Run->certmgr.msc


Public CA versus Private CA

• Windows Server includes a domain-aware CA – why not just use it?
• Disadvantages:
– PKI is complex. Might be easier to let Verisign/Thawte/etc. do it for you.
– Nobody outside your Windows domain will trust your certificates
• Advantages:
– Less costly (but very cheap public CAs are available!)
– Better security possible. Low chances of someone outside organization getting a certificate from your internal PKI


What is a Certificate?

[Diagram labels: Identity; Trusted 3rd-party; Identity bound to public key]


Public Key Infrastructure

• We trust a certificate if there is a valid chain of trust to a root CA that we explicitly trust
• Web browsers also check DNS hostname == certificate Common Name (CN)
• Chain Building & Validation


Certificate Validity

1. Date/Time

2. Revocation

• CRL

• OCSP


Certificate File Formats

• PEM / PKCS#7
– Contains a certificate in base64 encoding (open in a text editor)
• DER
– Contains a certificate in binary encoding
• PFX / PKCS#12
– Contains a certificate AND private key, protected by a password

PEM-PKCS#7:
-----BEGIN CERTIFICATE-----


And so on ……….

-----END CERTIFICATE-----


Creating Certificates A-Z

1. Generate entropy
2. Use entropy to create random public/private keypair (asymmetric crypto)
3. Attach identifying information to public key – send to CA (Certificate Signing Request)
4. CA issues certificate in X.509 format
– Contains public key as supplied in CSR
– Contains hash of certificate contents
– Contains digital signature signed with CA’s private key (hash + asymmetric crypto)
5. Retrieve certificate from CA – match up with private key. Ready for use.


For More Info

Buy this Book!


Putting it all together: 802.1X


Authentication with 802.1X

• Authenticates users before granting access to L2 media
• Makes use of EAP (Extensible Authentication Protocol)
• 802.1X authentication happens at L2 – users will be authenticated before an IP address is assigned


Sample EAP Transaction

• 2-stage process

– Outer tunnel establishment

– Credential exchange happens inside encrypted tunnel

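[Diagram: EAP exchange between Client, Authenticator and Authentication Server; EAPOL runs between Client and Authenticator, RADIUS between Authenticator and Authentication Server. Message labels: EAPOL Start; Request Identity; Response Identity (anonymous); Response Identity; TLS Start; Certificate; Client Key exchange; Cert. verification; Request credentials; Response credentials; Success]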


802.1X Packet Capture


802.1X Acronym Soup

• PEAP (Protected EAP)

– Uses a digital certificate on the network side

– Password or certificate on the client side

• EAP-TLS (EAP with Transport Layer Security)

– Uses a certificate on network side

– Uses a certificate on client side

• TTLS (Tunneled Transport Layer Security)

– Uses a certificate on the network side

– Password, token, or certificate on the client side

• EAP-FAST

– Cisco proprietary

– Do not use – known security weaknesses


Isn’t MSCHAPv2 broken?

• Short answer: Yes – because of things like rainbow tables, distributed cracking, fast GPUs, etc.
• This is why we use MSCHAPv2 inside a PEAP (TLS) tunnel for Wi-Fi
– What happens if you don’t properly validate the server certificate?
– Look up FreeRADIUS-WPE
• Still using PPTP for VPN? Watch out…


Configure Supplicant Properly

• Configure the Common Name of your RADIUS server (matches CN in server certificate)
• Configure trusted CAs (an in-house CA is better than a public CA)
• ALWAYS validate the server certificate
• Do not allow users to add new CAs or trust new servers
• Enforce with group policy


WPA2 Key Management Summary

Step 1: Use RADIUS to push PMK from AS to AP
Step 2: Use PMK and 4-Way Handshake to derive, bind, and verify PTK
Step 3: Use Group Key Handshake to send GTK from AP to STA

[Diagram labels: Auth Server; AP/Controller]


4-Way Handshake

[Diagram: AP and STA each hold the PMK]

AP: Pick Random ANonce
Message 1 (AP to STA): EAPoL-Key(Reply Required, Unicast, ANonce)
STA: Pick Random SNonce, Derive PTK = EAPoL-PRF(PMK, ANonce | SNonce | AP MAC Addr | STA MAC Addr)
Message 2 (STA to AP): EAPoL-Key(Unicast, SNonce, MIC, STA SSN IE)
AP: Derive PTK
Message 3 (AP to STA): EAPoL-Key(Reply Required, Install PTK, Unicast, ANonce, MIC, AP SSN IE)
Message 4 (STA to AP): EAPoL-Key(Unicast, ANonce, MIC)
AP and STA: Install PTK
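An added example, not part of the original slides: the PTK derivation and MIC check from the 4-Way Handshake, using the IEEE 802.11i PRF (HMAC-SHA1) with the sorted MAC-address and nonce ordering the standard specifies, which the slide abbreviates. The MAC addresses and the message 2 frame bytes are constructed stand-ins, and the 48-byte PTK length assumes CCMP.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, anonce, snonce, ap_mac, sta_mac):
    """Derive the 384-bit CCMP PTK and split it into KCK, KEK and TK."""
    # min/max ordering lets both sides build the same input independently.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

def mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC for WPA2: HMAC-SHA1 over the frame, truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def handshake(pmk_ap: bytes, pmk_sta: bytes) -> bool:
    """Run messages 1 and 2; return True if the AP accepts the STA's MIC."""
    ap_mac = bytes.fromhex("020000000001")   # constructed sample addresses
    sta_mac = bytes.fromhex("020000000002")
    anonce = secrets.token_bytes(32)          # message 1: AP -> STA
    snonce = secrets.token_bytes(32)          # STA picks its own nonce
    sta_keys = derive_ptk(pmk_sta, anonce, snonce, ap_mac, sta_mac)
    frame2 = b"EAPOL-Key msg2 (constructed stand-in)" + snonce
    mic2 = mic(sta_keys["KCK"], frame2)       # message 2: STA -> AP
    ap_keys = derive_ptk(pmk_ap, anonce, snonce, ap_mac, sta_mac)
    return hmac.compare_digest(mic(ap_keys["KCK"], frame2), mic2)

if __name__ == "__main__":
    pmk = secrets.token_bytes(32)
    print("same PMK:", handshake(pmk, pmk))
    print("different PMK:", handshake(pmk, secrets.token_bytes(32)))
```

The MIC on message 2 is what lets the AP confirm that the STA holds the same PMK without the PMK ever crossing the air.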


Summary

• Security/crypto is complex

• Once you understand it, people will envy you

• Make Facebook posts to confuse your parents

• More importantly: Do it right so you don’t get hacked


Credits

• Some graphics stolen from: http://cevi-users.cevi.be/Portals/ceviusers/images/default/Userdag-20101125-Certs.pptx
• Some others stolen from: http://acs.lbl.gov/~mrt/talks/secPrimer.ppt


Thank You

#AirheadsConf