Michal Rapco, [email protected], May 05, 2005: Security issues in Wireless LANs


Michal Rapco

[email protected] May, 05, 2005

Security issues in Wireless LANs


Agenda

• Introduction
• IEEE 802.11 standard and its WEP method
• What makes wireless networks different
• Authentication of wireless network clients
• 802.1x and WEP – secure combination?
• On the way to stronger ciphering and data protection
• Key management
• Alternative ways for securing communication in wireless networks
• Identification of persisting weak points in wireless networks
• Questions


Introduction

Three phases in WLAN security:

WLANs conforming to IEEE 802.11 security

Proprietary and/or pre-standard IEEE 802.11i security mechanisms

WLANs conforming to IEEE 802.11i security


IEEE 802.11 standard and its WEP method

Several security flaws:

• weak client authentication;

• absence of key management;

• serious flaws in WEP method ciphering;

• insufficient frame protection against modification;

• no protection against replay attacks.

Software tools exploiting the stated weaknesses are widely available.


What makes wireless networks different

The main difference: the transport medium (radio waves)

• no exact physical borders, so no well-defined security perimeter;

• the physical part of security can't be applied;

• the radio network coverage can be larger than expected (often determined by the technical equipment of a possible attacker).


Authentication of wireless network clients

• Adoption of the mechanism given by IEEE 802.1x and EAP (RFC 2284 and RFC 3748)

• The IEEE 802.1x "controlled" and "uncontrolled" port philosophy is suitable for controlling IEEE 802.11 client association

• Special consideration should be given to the use of tunneled EAP methods

• Requirements on the EAP method:

  – allows for mutual authentication;
  – contains a mechanism for cryptographic binding;
  – specifies how to derive the necessary cryptographic material.

• Examples: EAP-TLS, PEAPv2, EAP-FAST

• Be aware that the initial message sequence is transmitted in clear (user IDs)


802.1x and WEP – secure combination?

Advantage of this combination:

• strong user authentication

• automatic generation of the keys and their periodic change

Still not addressing all of the security flaws of WEP ciphering


On the way to stronger ciphering and data protection

There is a need to replace the WEP method and IEEE 802.11 frame protection with stronger mechanisms

Replacement of WEP using the same HW platform:

• proprietary Cisco CKIP+CMIC;

• standard-based TKIP.

Replacement of WEP using a new HW platform:

• CCMP (CTR with CBC-MAC) with AES


On the way to stronger ciphering and data protection (cont.)

Cisco Key Integrity Protocol / Temporal Key Integrity Protocol – a different approach to data ciphering while still using WEP/RC4 hardware

Proprietary CKIP:

• construction of a per-MPDU unique WEP seed using a hash function in one stage;
• the 24-bit IV requires more frequent changes of the base WEP key;
• IV value used for anti-replay protection;
• MIC – 4-byte value calculated using a hash function;
• based on an early specification of TKIP.

Standard-based TKIP:

• more sophisticated construction of a per-MPDU unique WEP seed using a hash function in two stages;
• 48-bit TSC – anti-replay, practically avoids the IV collision problem;
• MIC – 8-byte value calculated using an algorithm called Michael.
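An added Python implementation of the Michael MIC named above, written for these notes (not code from the slides or from any vendor); the all-zero key with an empty message is the first IEEE 802.11i Michael test vector, and the sample MSDU is constructed:

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF


def rol32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def ror32(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK32


def xswap(v):
    # Swap the two bytes inside each 16-bit half: bytes ABCD -> BADC.
    return ((v & 0x00FF00FF) << 8) | ((v & 0xFF00FF00) >> 8)


def michael_block(l, r):
    # The Michael "b" function: four rotate/xor/add rounds on the (L, R) state.
    r ^= rol32(l, 17); l = (l + r) & MASK32
    r ^= xswap(l);     l = (l + r) & MASK32
    r ^= rol32(l, 3);  l = (l + r) & MASK32
    r ^= ror32(l, 2);  l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """8-byte Michael MIC of msg under a 64-bit key (IEEE 802.11i TKIP)."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)           # key words are little-endian
    # Pad with 0x5a and 4..7 zero bytes so the length is a multiple of 4.
    padded = msg + b"\x5a" + b"\x00" * (4 + (-(len(msg) + 5) % 4))
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)


def verify_mic(key: bytes, msg: bytes, mic: bytes) -> bool:
    # Constant-time comparison; a mismatch is a MIC failure that feeds the
    # Michael countermeasures (two failures within 60 s disable the link).
    return hmac.compare_digest(michael(key, msg), mic)


# Constructed inputs: the all-zero key with an empty message is the first
# Michael test vector from IEEE 802.11i; the MSDU payload below is made up.
ZERO_KEY = bytes(8)
SAMPLE_MSDU = b"constructed MSDU payload for the example"
```

Michael gives roughly 20 bits of forgery resistance, which is why TKIP pairs it with the countermeasures rather than relying on the MIC alone.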


On the way to stronger ciphering and data protection (cont.)

CCMP – part of the IEEE 802.11i specification

Completely new, different approach to data protection in WLANs

Though it can be run in SW, new HW is recommended for performance reasons:

• Encryption – CCM (RFC 3610) with the AES block cipher (128-bit block length / 128-bit encryption key)

• Data integrity – CBC-MAC (8-byte length)

• 48-bit PN field – anti-replay protection
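An added example, not from the slides, that unpacks the 48-bit PN from a CCMP header, builds the 13-byte CCM nonce and applies the receive-side replay check; the transmitter address and the headers are constructed values:

```python
def parse_ccmp_header(hdr: bytes) -> tuple:
    """Return (PN, key_id) from the 8-byte CCMP header that precedes the payload."""
    if len(hdr) < 8:
        raise ValueError("CCMP header is 8 bytes")
    pn0, pn1, _reserved, keyid_byte, pn2, pn3, pn4, pn5 = hdr[:8]
    if not keyid_byte & 0x20:
        raise ValueError("ExtIV bit (0x20) must be set in a CCMP header")
    pn = (pn5 << 40) | (pn4 << 32) | (pn3 << 24) | (pn2 << 16) | (pn1 << 8) | pn0
    return pn, keyid_byte >> 6


def build_ccmp_header(pn: int, key_id: int = 0) -> bytes:
    if not 0 <= pn < (1 << 48):
        raise ValueError("PN is a 48-bit counter")
    b = pn.to_bytes(6, "little")   # b[0] = PN0 ... b[5] = PN5
    return bytes([b[0], b[1], 0x00, 0x20 | (key_id << 6)]) + b[2:6]


def ccm_nonce(priority: int, a2: bytes, pn: int) -> bytes:
    """13-byte CCM nonce: priority octet || transmitter address (A2) || PN big-endian."""
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")


class CcmpReplayCounter:
    """Receive counter kept per key and sender: a frame is accepted only if
    its PN is greater than the last accepted one, so replays are rejected."""
    def __init__(self):
        self.last_pn = -1

    def check(self, pn: int) -> bool:
        if pn <= self.last_pn:
            return False
        self.last_pn = pn
        return True


def process(hdrs, a2: bytes, priority: int = 0):
    """Run CCMP headers through the replay check; return (PN, nonce hex, accepted)."""
    rc = CcmpReplayCounter()
    out = []
    for h in hdrs:
        pn, _ = parse_ccmp_header(h)
        out.append((pn, ccm_nonce(priority, a2, pn).hex(), rc.check(pn)))
    return out


A2 = bytes.fromhex("001122334455")  # constructed transmitter address
# Constructed sequence: PN 258, 259, a replay of 258, then a jump to 1000.
SAMPLE_HEADERS = [build_ccmp_header(258), build_ccmp_header(259),
                  build_ccmp_header(258), build_ccmp_header(1000)]
```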


Key management

Cryptographic key hierarchy, use and generation

Prerequisite – use of a specific EAP method that ends with derivation of the so-called AAA key

The AAA key can be used:

• directly as a WEP key (WEP/802.1x);

• as an input for generation of keys with different purposes in a complex key hierarchy

Proprietary Cisco CKM / IEEE 802.11i standard


Key management (cont.)

Differences between CCKM and IEEE 802.11i:

• Though similar, the systems are not compatible

• Different keys are used for unicast encryption and multicast/broadcast encryption, plus additional keys used for encryption key derivation/exchange

• 4-way handshake (exchange of EAPOL-Key messages) used to derive a unicast traffic encryption key

• 2-way handshake used to derive a multicast/broadcast traffic encryption key

• Additional keys derived in CCKM allow for Fast Secure Roaming of the wireless client
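An added example, not from the slides, of the IEEE 802.11i pairwise key expansion that both ends run during the 4-way handshake, turning the AAA-derived PMK into the KCK/KEK/TK hierarchy; the PMK, MAC addresses and nonces are constructed values:

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenation of HMAC-SHA1(K, A || 0x00 || B || i)."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Expand the PMK into the TKIP pairwise key hierarchy with PRF-512.
    Min/Max ordering of addresses and nonces makes both peers hash the same input."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    return {
        "KCK": ptk[0:16],     # key confirmation key: MICs the EAPOL-Key messages
        "KEK": ptk[16:32],    # key encryption key: wraps the group key in message 3
        "TK": ptk[32:48],     # temporal key: unicast traffic encryption
        "MIC1": ptk[48:56],   # Michael keys, one per direction (TKIP only)
        "MIC2": ptk[56:64],
    }


def eapol_key_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """EAPOL-Key MIC, descriptor version 2: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk, aa, spa, anonce, snonce):
    """Both peers derive the PTK independently once the nonces have been
    exchanged (AP after message 2, STA after message 1); returns both results."""
    ap_keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    sta_keys = derive_ptk(pmk, spa, aa, snonce, anonce)  # STA's own argument order
    return ap_keys, sta_keys


# Constructed sample values (not from any real network or capture).
PMK = hashlib.sha256(b"constructed PMK seed").digest()
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
```

The derivation is deterministic in the PMK and the two nonces, so a fresh SNonce/ANonce pair yields a fresh TK without a new EAP exchange.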


Alternative ways for securing communication in WLANs

• Use of IPSec VPN technology without deploying any wireless security

• Makes sense in 802.11 LANs without TKIP/IEEE 802.11i security

• The main difference: IPSec VPN deploys the strong cryptographic mechanisms on L3, in comparison to IEEE 802.11i, which deploys comparable mechanisms on L2

• Due to the lack of wireless security, additional issues need to be considered:

  – need to protect all hosts by personal FW, antivirus programs and host IDS systems;
  – need to protect the network infrastructure (APs, DHCP servers etc.);
  – network design issues.

• IPSec VPN may be used as an additional security feature in TKIP-based networks (although no known attack against TKIP has been reported except TKIP-PSK)


Identification of persisting weak points in wireless networks

Still susceptible to various DoS attacks against:

• the transport medium (radio jamming);

• the 802.11 MAC layer (unprotected 802.11 management and control frames, frame collisions etc.);

• the starting phases of EAP authentication;

• the Michael countermeasure.

DoS attacks do not compromise data integrity or confidentiality in WLANs


Questions

?

Thank you for your attention!
