Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh...
-
Upload
allan-wiggins -
Category
Documents
-
view
224 -
download
0
description
Transcript of Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh...
![Page 1: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/1.jpg)
Lecture 10: Wireless Security – WEP/WPA
CS 336/536: Computer Network SecurityFall 2015
Nitesh Saxena
Adopted from previous lecture by Keith Ross, Amine Khalife and Tony Barnard
![Page 2: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/2.jpg)
Outline
• WiFi Overview• WiFi Security Threats• WEP – Wired Equivalence Privacy
– Including vulnerabilities• WPA – WiFi Protected Access
05/03/23 Lecture 9 - Wireless Security 2
![Page 3: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/3.jpg)
3
Security at different layers Application layer: PGP Transport layer: SSL Network layer: IPsec Link layer: WEP / 802.11i (WPA)WiFi Security Approach:
IPsec
TCP/UDP/ICMP
HTTP/SMTP/IM
WEP/WPA
![Page 4: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/4.jpg)
802.11 Standards 802.11a – 54 Mbps@5 GHz
Not interoperable with 802.11b Limited distance Cisco products: Aironet 1200
802.11b – 11 [email protected] GHz Full speed up to 300 feet Coverage up to 1750 feet Cisco products: Aironet 340, 350, 1100, 1200
802.11g – 54 [email protected] GHz Same range as 802.11b Backward-compatible with 802.11b Cisco products: Aironet 1100, 1200
4
![Page 5: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/5.jpg)
802.11 Standards (Cont.) 802.11e – QoS
Dubbed “Wireless MultiMedia (WMM)” by Wi-Fi Alliance
802.11i – Security Adds AES encryption Requires high cpu, new chips required TKIP is interim solution
802.11n –(2009) up to 300Mbps 5Ghz and/or 2.4Ghz ~230ft range
5
![Page 6: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/6.jpg)
Wireless Network Modes The 802.11 wireless networks operate in two basic
modes:1. Infrastructure mode2. Ad-hoc mode
Infrastructure mode: each wireless client connects directly to a central device
called Access Point (AP) no direct connection between wireless clients AP acts as a wireless hub that performs the connections
and handles them between wireless clients
6
![Page 7: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/7.jpg)
Wireless Network Modes (cont’d)
The hub handles: the clients’ authentication, Authorization link-level data security (access control and enabling
data traffic encryption) Ad-hoc mode:
Each wireless client connects directly with each other No central device managing the connections Rapid deployment of a temporal network where no
infrastructures exist (advantage in case of disaster…) Each node must maintain its proper authentication list
7
![Page 8: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/8.jpg)
8
802.11 LAN architecture wireless host
communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka “cell”) in infrastructure mode contains: wireless hosts access point (AP):
base station ad hoc mode: hosts
only
BSS 1
BSS 2
Internet
hub, switchor routerAP
AP
![Page 9: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/9.jpg)
SSID – Service Set Identification Identifies a particular wireless network A client must set the same SSID as the one in
that particular AP Point to join the network Without SSID, the client won’t be able to select
and join a wireless network Hiding SSID is not a security measure because
the wireless network in this case is not invisible
It can be defeated by intruders by sniffing it from any probe signal containing it.
9
![Page 10: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/10.jpg)
10
Beacon frames & association AP regularly sends beacon frame
Includes SSID, beacon interval (often 0.1 sec) host: must associate with an AP
scans channels, listening for beacon frames selects AP to associate with; initiates association
protocol may perform authentication After association, host will typically run DHCP to get
IP address in AP’s subnet
![Page 11: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/11.jpg)
11
framecontrol duration address
1address
2address
4address
3 payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
802.11 frame: addressing
Address 2: MAC addressof wireless host or AP transmitting this frame
Address 1: MAC addressof wireless host or AP to receive this frame Address 3: MAC address
of router interface to which AP is attached
Address 4: used only in ad hoc mode
![Page 12: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/12.jpg)
12
Internetrouter
APH1 R1
H1 MAC addr AP MAC addr R1 MAC addraddress 1 address 2 address 3
802.11 frame
H1 MAC addr R1 MAC addr dest. address source address
802.3 frame
802.11 frame: addressing
![Page 13: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/13.jpg)
13
Internetrouter
APH1 R1
AP MAC addr H1 MAC addr R1 MAC addraddress 1 address 2 address 3
802.11 frame
R1 MAC addr H1 MAC addr dest. address source address
802.3 frame
802.11 frame: addressing
![Page 14: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/14.jpg)
14
Type FromAPSubtype To
APMore frag WEPMore
dataPower
mgtRetry RsvdProtocolversion
2 2 4 1 1 1 1 1 11 1
framecontrol duration address
1address
2address
4address
3 payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
frame:
frame control field expanded:
Type/subtype distinguishes beacon, association, ACK, RTS, CTS, etc frames.
To/From AP defines meaning of address fields
802.11 allows for fragmentation at the link layer
802.11 allows stations to enter sleep mode
Seq number identifies retransmitted frames (eg, when ACK lost)
WEP = 1 if encryption is used
802.11 frame (more)
![Page 15: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/15.jpg)
Primary Threats Unauthorized access
Learn SSID and join the network Sniffing/Eavesdropping
Easy since wireless traffic is broadcast in nature
Session Hijacking Similar to wired session hijacking
Evil Twin Attack Attacker fools the user into connecting to its
own AP (rather than the starbucks AP, e.g.)15
![Page 16: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/16.jpg)
Unauthorized Access So easy to find the ID for a “hidden”
network because the beacon broadcasting cannot be turned off
Simply use a utility to show all the current networks: inSSIDer NetStumbler Kismet
16
![Page 17: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/17.jpg)
Unauthorized Access Defense: Access control list
Access control list Simplest security measure Filtering out unknown users Requires a list of authorized clients’ MAC addresses to
be loaded in the AP Won’t protect each wireless client nor the traffic
confidentiality and integrity ===>vulnerable Defeated by MAC spoofing:
ifconfig eth0 hw ether 00:01:02:03:04:05 (Linux)SMAC - KLC Consulting (Windows)MAC Makeup - H&C Works (Windows)
17
![Page 18: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/18.jpg)
18
802.11 Sniffing Requires wireless card that supports raw
monitoring mode (rfmon) Grabs all frames including management frames
Tools: Dump packets using Wireshark;
![Page 19: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/19.jpg)
19
Sniffing Encrypted 802.11 trafficSuppose: Traffic encrypted with
symmetric crypto Attacker can sniff but
can’t break cryptoWhat’s the damage? SSID, Mac addresses Manufacturers of cards
from MAC addrs Count # of devices
Traffic analysis: Size of packets Timing of messages Determine apps being
used But cannot see
anything really useful
Attacker needs the keys, or break crypto Very hard
![Page 20: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/20.jpg)
WEP - Wired Equivalent Privacy
The original native security mechanism for WLAN provide security through a 802.11 network Used to protect wireless communication from eavesdropping
(confidentiality) Prevent unauthorized access to a wireless network (access
control) Prevent tampering with transmitted messages Provide users with the equivalent level of privacy inbuilt in
wireless networks.
![Page 21: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/21.jpg)
21
WEP Feature Goals: Authentication
AP only allows authorized stations to associate
Data integrity Data received is the data sent
Confidentiality Symmetric encryption
![Page 22: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/22.jpg)
22
WEP Design Goals Symmetric key crypto
Confidentiality Station authorization Data integrity
Self synchronizing: each packet separately encrypted Given encrypted packet and key, can decrypt; can
continue to decrypt packets when preceding packet was lost
Unlike Cipher Block Chaining (CBC) in block ciphers Efficient
Can be implemented in hardware or software
![Page 23: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/23.jpg)
23
WEP Keys 40 bits or 104 bits Key distribution not covered in standard Configure manually:
At homeSmall organization with tens of usersNightmare in company >100 users
![Page 24: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/24.jpg)
WEP Procedures
1. Appends a 32-bit CRC checksum to each outgoing frame (INTEGRITY)
2. Encrypts the frame using RC4 stream cipher = 40-bit (standard) or 104-bit (Enhanced) message keys + a 24-bit IV random initialization vector (CONFIDENTIALITY).
3. The Initialization Vector (IV) and default key on the station access point are used to create a key stream
4. The key stream is then used to convert the plain text message into the WEP encrypted frame.
![Page 25: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/25.jpg)
Encrypted WEP frame
encrypted
data ICVIV
MAC payload
KeyID
![Page 26: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/26.jpg)
RC4 keystream XORed with plaintext
26
![Page 27: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/27.jpg)
WEP Components Initialization Vector IV
Dynamic 24-bit value Chosen randomly by the transmitter wireless network
interface 16.7 million possible IVs (224)
Shared Secret Key 40 bits long (5 ASCII characters) 104 bits long (13 ASCII characters)
27
![Page 28: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/28.jpg)
WEP Components (cont’d) RC4 algorithm consists of 2 main parts:
1. The Key Scheduling Algorithm (KSA): involves creating a scrambled state arrayThis state array will now be used as input in the
second phase, called the PRGA phase.
2. The Pseudo Random Generation Algorithm(PRGA):The state array from the KSA process is used here to
generate a final key stream. Each byte of the key stream generated is then Xor’ed
with the corresponding plain text byte to produce the desired cipher text.
28
![Page 29: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/29.jpg)
WEP Components (cont’d)
ICV (Integrity Check Value)= CRC32 (cyclic redundancy check) integrity check
XOR operation denoted as ⊕ plain-text ⊕ keystream= cipher-text cipher-text ⊕ keystream= plain-text plain-text ⊕ cipher-text= keystream
![Page 30: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/30.jpg)
How WEP works
IV
RC4key
IV encrypted packet
original unencrypted packet checksum
![Page 31: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/31.jpg)
Encryption Process
![Page 32: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/32.jpg)
Decryption Process
32
![Page 33: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/33.jpg)
3333
Figure 6 - 802.11 frame format
Recall from CS 334/534:
8.2.5 WEP Frame Body Expansion
CRC-32
![Page 34: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/34.jpg)
3434Figure 46 – Construction of expanded WEP frame body
CRC-32
CRC-32
![Page 35: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/35.jpg)
35
End-point authentication w/ nonce
Nonce: number (R) used only once –in-a-lifetimeHow: to prove Alice “live”, Bob sends Alice nonce, R.
Alicemust return R, encrypted with shared secret key
“I am Alice”
RK (R)A-B
Alice is live, and only Alice knows key to encrypt
nonce, so it must be Alice!
![Page 36: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/36.jpg)
36
WEP Authentication
APauthentication request
nonce (128 bytes)
nonce encrypted shared key
success if decrypted value equals nonce
Not all APs do it, even if WEPis being used. AP indicates if authentication is necessary in beacon frame. Done before association.
![Page 37: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/37.jpg)
37
WEP is flawed Confidentiality problems Authentication problems Integrity problems
![Page 38: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/38.jpg)
A Risk of Keystream Reuse
If IV’s repeat, confidentiality is at risk If we send two ciphertexts (C, C’) using the same IV, then the
xor of plaintexts leaks (P P’ = C C’), which might reveal both plaintexts
Lesson: If RC4 isn’t used carefully, it becomes insecure
IV, P RC4(K, IV)
IV, P’ RC4(K, IV)
38
![Page 39: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/39.jpg)
39
Problems with WEP confidentiality (2)
IV reuse With 17 million IVs and 500 full-length frames/sec,
collisions start after 7 hours Worse when multiple hosts start with IV=0
IV reuse: Trudy guesses some of Alice’s plaintext d1 d2 d3 d4
… Trudy sniffs: ci = di ki
IV
Trudy computes keystream kiIV =ci di
Trudy knows encrypting keystream k1IV k2
IV k3IV …
Next time IV is used, Trudy can decrypt!
![Page 40: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/40.jpg)
Keystream Reuse
WEP didn’t use RC4 carefully The problem: IV’s frequently repeat
The IV is often a counter that starts at zero Hence, rebooting causes IV reuse Also, there are only 16 million possible IV’s,
so after intercepting enough packets, there are sure to be repeats
Attackers can eavesdrop on 802.11 traffic An eavesdropper can decrypt intercepted
ciphertexts even without knowing the key40
![Page 41: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/41.jpg)
41
WEP authentication problems Attacker sniffs nonce, m, sent by AP Attacker sniffs response sent by station:
IV in clear Encrypted nonce, c
Attacker calculates keystream ks = m c, which is the keystream for the IV .
Attacker then requests access to channel, receives nonce m’
Attacker forms response c’ = ks m’ and IV Server decrypts, matches m’ and declares
attacker authenticated !
![Page 42: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/42.jpg)
42
Problems with Message Integrity ICV (Integrity Check Value) supposed to provide
data integrity ICV is a hash/CRC calculation But a flawed one.
Can predict which bits in ICV change if you change single bit in data. Suppose attacker knows that flipping bit 3244 of
plaintext data causes bits 2,7,23 of plaintext ICV to flip Suppose attacker intercepts a frame:
In intercepted encrypted frame, attacker flips bit 3244 in data payload and ICV bits 2,7,23
Will ICV match after decryption at the receiver? After decryption, cleartext bit 3244 is flipped (stream
cipher) Also after decryption, cleartext bits 2,7, 23 also flipped. So cleartext ICV will match up with data!
![Page 43: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/43.jpg)
Attacks on WEPWEP encrypted networks can be cracked in 10 minutes
Goal is to collect enough IVs to be able to crack the key
IV = Initialization Vector, plaintext appended to the key to avoid Repetition
Injecting packets generates IVs
![Page 44: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/44.jpg)
Attacks on WEP Backtrack 5 (Released 1st March 2012)
Tutorial is available
All required tools on a Linux bootable CD + laptop + wireless card
![Page 45: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/45.jpg)
WEP cracking example
45
![Page 46: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/46.jpg)
46
Summary of WEP flawsOne common shared key If any device is stolen or
compromised, must change shared key in all devices
No key distribution mechanism
Infeasible for large organization: approach doesn’t scale
Crypto is flawed Early 2001: Integrity and
authentication attacks published
August 2001 (weak-key attack): can deduce RC4 key after observing several million packets
AirSnort application allows casual user to decrypt WEP traffic
Crypto problems 24 bit IV to short Same key for encryption
and message integrity ICV flawed, does not
prevent adversarial modification of intercepted packets – not a MAC
Cryptanalytic attack allows eavesdroppers to learn key after observing several millions of packets
![Page 47: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/47.jpg)
47
IEEE 802.11i Much stronger encryption
TKIP (temporal key integrity protocol) – stopgap But use RC4 for compatibility with existing WEP hardware Can also support standard crypto algo (CBC AES, CBC
MAC, etc.) Extensible set of authentication mechanisms
Employs 802.1X authentication Key distribution mechanism
Typically public key cryptography RADIUS authentication server
• distributes different keys to each user • also there’s a less secure pre-shared key mode
WPA: Wi-Fi Protected Access Pre-standard subset of 802.11i
![Page 48: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/48.jpg)
4848
IEEE 802i Phases of Operation – preview
Phase 1 - Discovery
Phase 2 - Authentication
Phase 3 - Key Generation and Distribution to STA and AP
Phase 4 - Actual User Data Transfer
Phase 5 - Connection Termination when Transfer Complete
802.11i security is provided only over the wireless link within a BSS, not externally.
05/03/23 Lecture 9 - Wireless Security
![Page 49: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/49.jpg)
4949
Phase 1 – Discovery
The purpose of this phase is for STA and AP to establish (unsecure) contact and negotiate a set of security algorithms to be used in subsequent phases.
STA and AP need to decide on:
► The methods to be used in phase 3 to perform
mutual authentication of STA and AP and generate/distribute keys.
► Confidentiality and integrity algorithms to protect user data in phase 4
05/03/23 Lecture 9 - Wireless Security
![Page 50: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/50.jpg)
5050
The discovery phase uses three message exchanges
► Probe request/response (or observation of a beacon frame)
► Authentication request/response
WEP Open System Authentication, for backward compatibility (provides no security)
APs advertize their capabilities (WEP, WPA, etc.) in InformationElements in their beacon frames and in their probe responses.
► Association request/response
STA chooses methods to be used from AP’s menu
(we will study the case that the station chooses WPA/TKIP)
STA uses an Information Element in Association Request
to inform AP05/03/23 Lecture 9 - Wireless
Security
![Page 51: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/51.jpg)
5151Figure 1 Phase 1 Discovery
This is not Phase 2/3
Authentication!
Phase 1
![Page 52: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/52.jpg)
5252
There are two methods for providing the PSK:
► the exact 256-bit number can be provided and used as PMK
► a passphrase can be adopted, keyed in by user and expanded to 256 bits by the system.
Phase 2 - Authentication
SOHO Mode
A pre-shared key (PSK), is provided in advance to the station and AP by a method external to 802.11i
In this case the lower half of figure 1 is bypassed (and was not shown in the previous slide).
In WPA SOHO mode STA and AP delay authenticating each other until phase 3, when they demonstrate that each knows information
derived from the PSK.
05/03/23 Lecture 9 - Wireless Security
![Page 53: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/53.jpg)
5353
Phase 3 – Key Generation and Distribution
In SOHO mode the PSK has already been shared, so no more distribution is needed and key generation can proceed.
Next step in SOHO: The PSK is adopted to derive Pairwise Master Key (PMK)
Figure 2
![Page 54: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/54.jpg)
5454
The Pairwise Master Key is not used directly in any security operation.
Instead, it will be used to derive a set of keys, the Pairwise Transient Key, to protect the link between AP and station.
Protection is needed during two phases:
► in phase 3 - the handshake between station and AP
(protocol called “EAPOL”)
► in phase 4 - Passing user data during actual use of the link
05/03/23 Lecture 9 - Wireless Security
![Page 55: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/55.jpg)
5555
In both phases separate keys are needed for integrity and encryption, so the total number of keys needed is four:
► EAPOL-key Encryption key (KEK)
► EAPOL-key Confirmation key (KCK) (Integrity)
► Data Encryption Key (part of Temporal Key)
► Data Integrity Key (part of Temporal Key)
Figure 6.8 (middle)
PSK
05/03/23
![Page 56: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/56.jpg)
5656
Computation of the PTK from the PMK
The PTK is re-computed every time a station associates with an AP.
We want the PTK to be different for each STA-AP pair and different each time a STA associates with an AP (so as not to re-use old keys)Four-way handshake:
TKIP/WPA uses a four-way handshake during establishment of the association relationship between an AP and a station
05/03/23 Lecture 9 - Wireless Security
![Page 57: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/57.jpg)
5757
Recall that in the discovery phase the STA sent its association request to the AP, including the selection of WPA/TKIP for security.
We can force the PTK to be different for each STA-AP pair by mixing their MAC addresses into the computation of the PTK.
But since these do not change between associations, there must also be some dynamic input to the PTK - nonces.
For later use, we can think of the STA randomly generating a nonce (Nonce1) at that point, but not transmitting it.
05/03/23 Lecture 9 - Wireless Security
![Page 58: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/58.jpg)
5858
Four-Way Handshake
Frame 1: AP to STA: a nonce chosen by the AP (Nonce2)Nonce2 gives the STA the last piece of informationit needs to compute the 512-bit PTK:
Computation of PTK from PMK
SHA hash
05/03/23 Lecture 9 - Wireless Security
![Page 59: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/59.jpg)
5959
Four-Way Handshake - continued
Frame 2: STA to AP:
Nonce1, together with a message integrity code (MIC) (standard HMAC-SHA, since done only during handshake)
Nonce1 gives the AP the last piece of information it needs to compute the PTK, so key exchange is complete. This enables the AP to check the validity of the MIC. If correct, this proves that that the STA possesses the PMK and authenticates the STA.
Each side has chosen a nonce, and both nonces have been mixed into the computation of the PTK, so PTK is unique to
each AP-STA pair and to each association session .
05/03/23 Lecture 9 - Wireless Security
![Page 60: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/60.jpg)
6060
Four-Way Handshake - continued
Frame 3: AP to STA: message “AP able to turn on encryption”(includes MIC, so STA can check that AP knows PMK)
Frame 4: STA to AP: message “STA about to turn on encryption”
After sending frame 4, STA activates encryption; on receipt of frame 4, AP activates encryption.
At this point Phase 3 is complete – we have authenticated the STA and the AP, using the EAPOL keys, and have generated the 256-bit
Temporal Key for use in phase 4.
We can proceed to phase 4 – secure transmission of user data.
TKIP stands for Temporal Key Integrity Protocol
(“temporal” = “temporary” - only for this association session)
05/03/23 Lecture 9 - Wireless Security
![Page 61: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/61.jpg)
61
TKIP: Changes from WEP Message integrity scheme that works IV length increased Rules for how the IV values are selected Use IV as a replay counter Generates different message integrity key and
encryption key from master key Hierarchy of keys derived from master key Secret part of encryption key changed in every
packet.
Much more complicated than WEP!
![Page 62: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/62.jpg)
62
TKIP: Message integrity Uses message authentication code
(MAC); called a MIC in 802.11 parlance Different key from encryption key Source and destination MAC addresses
appended to data before hashing Before hashing, key is combined with
data with exclusive ors (not just a concatenation)
Computationally efficient
![Page 63: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/63.jpg)
63
TKIP: IV Selection and Use IV is 56 bits
10,000 short packets/sec• WEP IV: recycle in less than 30 min• TKIP IV: 900 years
Must still avoid two devices separately using same key
IV acts as a sequence counter Starts at 0, increments by 1 But two stations starting up use different
keys:• MAC address is incorporated in key
![Page 64: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/64.jpg)
64
802.11 security summary SSID and access control lists provide
minimal security no encryption/authentication
WEP provides encryption, but is easily broken
Emerging protocol: 802.11i Back-end authentication server Public-key cryptography for authentication and
master key distribution WPA/WPA2: Strong symmetric crypto
techniques
![Page 65: Lecture 10: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine.](https://reader036.fdocuments.in/reader036/viewer/2022062302/5a4d1b2d7f8b9ab059999887/html5/thumbnails/65.jpg)
65
Further Reading Real 802.11 Security by Jon Edney and
William Arbaugh Stallings chapter 7 Intercepting Mobile Communications:
The Insecurity of 802.11. Borisov et al., 2001