Wireless LANs Security


Description: PowerPoint PPT presentation by Matthew Joyce, Rutherford Appleton Laboratory, CCLRC. Contents: Wireless LAN 802.11; understand the technology; investigate vulnerabilities; examine how security can be provided; demonstration.

Transcript of Wireless LANs Security

Page 1: Wireless LANs Security

IC3-8 MPJ WLAN Security 1

Wireless LANs Security

Matthew Joyce
Rutherford Appleton Laboratory, CCLRC

Page 2: Wireless LANs Security

Contents

> Wireless LAN 802.11
> Understand the technology.
> Investigate vulnerabilities.
> Examine how security can be provided.
> Demonstration

Page 3: Wireless LANs Security

Wireless LAN Standards

> IEEE ratified 802.11 in 1997.
  > Also known as Wi-Fi.
> 802.11 provides Layer 1 & Layer 2 of OSI model.
  > Physical layer
  > Data link layer
> Wireless LAN at 1 Mbps & 2 Mbps.
> Wi-Fi Alliance formed to promote interoperability.
> 802.11b ratified in 1999 adding 5.5 Mbps and 11 Mbps.

Page 4: Wireless LANs Security

Wireless LAN Standards

> 802.11a
  > Ratified 2001
  > 5 GHz radio spectrum.
  > Maximum speed 54 Mbps.
  > In practice about 20 Mbps
  > More energy efficient, less battery drain, better range
> 802.11g
  > Ratified June 2003
  > 2.4 GHz spectrum again
  > Maximum speed 54 Mbps
  > In practice from 10 to 20 Mbps

Page 5: Wireless LANs Security

802.11 Components

> Two pieces of equipment defined:
  > Wireless station
    > A desktop or laptop PC or PDA with a wireless NIC.
  > Access point
    > A bridge between wireless and wired networks
    > Composed of
      > Radio
      > Wired network interface (usually 802.3)
      > Bridging software
    > Aggregates access for multiple wireless stations to wired network.

Page 6: Wireless LANs Security

802.11 modes

> Infrastructure mode
  > Basic Service Set
    > One access point
  > Extended Service Set
    > Two or more BSSs forming a single subnet.
  > Most corporate LANs in this mode.
> Ad-hoc mode
  > Also called peer-to-peer.
  > Independent Basic Service Set
  > Set of 802.11 wireless stations that communicate directly without an access point.
  > Useful for quick & easy wireless networks.

Page 7: Wireless LANs Security

Infrastructure mode

[Diagram: Basic Service Set (BSS) – Single cell; Extended Service Set (ESS) – Multiple cells. Labels: Access Point, Station.]

Page 8: Wireless LANs Security

Ad-hoc mode

[Diagram: Independent Basic Service Set (IBSS).]

Page 9: Wireless LANs Security

802.11 Physical Layer

> Three alternative physical layers
  > Two incompatible spread-spectrum radios in 2.4 GHz ISM band
    > Frequency Hopping Spread Spectrum (FHSS)
      > 75 channels
    > Direct Sequence Spread Spectrum (DSSS)
      > 14 channels (11 channels in US)
  > One diffuse infrared layer

Page 10: Wireless LANs Security

Speed & Range

> 802.11 standard.
  > 1 Mbps or 2 Mbps.
> 802.11b standard.
  > Adds 5 Mbps or 11 Mbps.
  > DSSS as sole physical layer.
    > So only 14 channels.
  > Dynamic rate shifting.
    > Transparent to higher layers
    > Ideally 11 Mbps.
    > Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
      > Higher ranges.
      > Interference.
    > Shifts back up when possible.
  > Maximum specified range 100 metres

Page 11: Wireless LANs Security

802.11 Data Link Layer

> Layer 2 split into:
  > Logical Link Control (LLC).
  > Media Access Control (MAC).
> LLC - same 48-bit addresses as 802.3.
> MAC - CSMA/CD not possible.
  > Can’t listen for collision while transmitting.
> CSMA/CA – Collision Avoidance.
  > Sender waits for clear air, waits random time, then sends data.
  > Receiver sends explicit ACK when data arrives intact.
  > Also handles interference.
  > But adds overhead.
    > 802.11 always slower than equivalent 802.3.

Page 12: Wireless LANs Security

Joining a BSS

> When 802.11 client enters range of one or more APs
  > APs send beacons.
  > AP beacon can include SSID.
  > AP chosen on signal strength and observed error rates.
> After AP accepts client.
  > Client tunes to AP channel.
> Periodically, all channels surveyed.
  > To check for stronger or more reliable APs.
  > If found, reassociates with new AP.

Page 13: Wireless LANs Security

Access Point Roaming

[Diagram: access points on Channel 4, Channel 7, Channel 9 and Channel 1.]

Page 14: Wireless LANs Security

Roaming and Channels

> Reassociation with APs
  > Moving out of range.
  > High error rates.
  > High network traffic.
    > Allows load balancing.
> Each AP has a channel.
  > 14 partially overlapping channels.
  > Only three channels that have no overlap.
    > 1, 6, 11
    > Best for multicell coverage.

Page 15: Wireless LANs Security

Open System Authentication

> Service Set Identifier (SSID)
  > Station must specify SSID to Access Point when requesting association.
  > Multiple APs with same SSID form Extended Service Set.
  > APs can broadcast their SSID
    > But this can be turned off
> Some 802.11b clients allow * as SSID.
  > Associates with strongest AP regardless of SSID.

Page 16: Wireless LANs Security

MAC Address locking

> Access points have Access Control Lists (ACL).
> ACL is list of allowed MAC addresses.
  > E.g. Allow access to:
    > 00:01:42:0E:12:1F
    > 00:01:42:F1:72:AE
    > 00:01:42:4F:E2:01
> But MAC addresses are sniffable and spoofable.
> Access Point ACLs are ineffective control.

Page 17: Wireless LANs Security

Interception Range

[Diagram: Basic Service Set (BSS) – Single cell, 100 metres; station outside building perimeter.]

Page 18: Wireless LANs Security

Interception

> Wireless LAN uses radio signal.
  > Not limited to physical building.
> Signal is weakened by:
  > Walls
  > Floors
  > Interference
> Directional antenna allows interception over longer distances.

Page 19: Wireless LANs Security

Directional Antenna

> Directional antenna provides focused reception.
> DIY plans available.
  > Aluminium cake tin.
    > 11 Mbps at 750 metres.
  > http://www.saunalahti.fi/~elepal/antennie.html
  > http://www.turnpoint.net/wireless/has.html
  > Pringles vs Coffee vs Pasta Sauce vs Beef Stew

Page 20: Wireless LANs Security

WarDriving

> Software
  > Netstumbler
  > THC-Wardrive
> Laptop
> 802.11b PC card
> Optional:
  > Global Positioning System
  > Car, bicycle, boat…
> Logging of MAC address, network name, SSID, manufacturer, channel, signal strength, noise (GPS - location).

Page 21: Wireless LANs Security

WarDriving results

CATEGORY                    TOTAL   PERCENT
TOTAL APs FOUND              9374   100
WEP Enabled                  2825   30.13
No WEP Enabled               6549   69.86
Default SSID                 2768   29.53
Default SSID and No WEP      2497   26.64
Unique SSIDs                 3672   39.17
Most Common SSID             1778   18.97
Second Most Common SSID       623    6.65

> http://www.wigle.net/
  > 568,000 GPS located wireless networks
> WorldWide WarDrive Autumn 2002
  > Chris Hurley, DefCon11

Page 22: Wireless LANs Security

WarDriving map

Source: www.dis.org/wl/maps/

Page 23: Wireless LANs Security

Page 24: Wireless LANs Security

Further issues

> Access Point configuration
  > Mixtures of SNMP, web, serial, telnet.
  > Community strings, default passwords.
> Evil Twin Access Points
  > Stronger signal, capture user authentication.
> Hub broadcasts
  > If AP connected to hub, all broadcasts transmitted.
> Renegade Access Points
  > Unauthorised wireless LANs.

Page 25: Wireless LANs Security

802.11b Security Services

> Two security services provided:
  > Authentication
    > Shared Key Authentication
  > Encryption
    > Wired Equivalence Privacy

Page 26: Wireless LANs Security

Wired Equivalence Privacy

> Shared key between
  > Stations.
  > An Access Point.
> Extended Service Set
  > All Access Points will have same shared key.
> No key management
  > Shared key entered manually into
    > Stations
    > Access points
  > Key management nightmare in large wireless LANs

Page 27: Wireless LANs Security

RC4

> Ron’s Code number 4
> Symmetric key encryption
> RSA Security Inc.
> Designed in 1987.
> Trade secret until leak in 1994.
> RC4 can use key sizes from 1 bit to 2048 bits.
> RC4 generates a stream of pseudo random bits
  > XORed with plaintext to create ciphertext.

Page 28: Wireless LANs Security

WEP – Sending

> Compute Integrity Check Vector (ICV).
  > Provides integrity
  > 32 bit Cyclic Redundancy Check.
  > Appended to message to create plaintext.
> Plaintext encrypted via RC4
  > Provides confidentiality.
  > Plaintext XORed with long key stream of pseudo random bits.
  > Key stream is function of
    > 40-bit secret key
    > 24 bit initialisation vector
> Ciphertext is transmitted.

Page 29: Wireless LANs Security

WEP Encryption

[Diagram, reconstructed from its labels:]
  Initialisation Vector (IV) || Secret key  -->  PRNG (RC4)  -->  key stream
  Plaintext || 32 bit CRC  XOR  key stream  -->  Ciphertext
  IV || Ciphertext is what goes on the air.

Page 30: Wireless LANs Security

WEP – Receiving

> Ciphertext is received.
> Ciphertext decrypted via RC4
  > Ciphertext XORed with long key stream of pseudo random bits.
  > Key stream is function of
    > 40-bit secret key
    > 24 bit initialisation vector (IV)
> Check ICV
  > Separate ICV from message.
  > Compute ICV for message
  > Compare with received ICV

Page 31: Wireless LANs Security

Shared Key Authentication

> When station requests association with Access Point
  > AP sends random number to station
  > Station encrypts random number
    > Uses RC4, 40 bit shared secret key & 24 bit IV
  > Encrypted random number sent to AP
  > AP decrypts received message
    > Uses RC4, 40 bit shared secret key & 24 bit IV
  > AP compares decrypted random number to transmitted random number
  > If numbers match, station has shared secret key.

Page 32: Wireless LANs Security

WEP Safeguards

> Shared secret key required for:
  > Associating with an access point.
  > Sending data.
  > Receiving data.
> Messages are encrypted.
  > Confidentiality.
> Messages have checksum.
  > Integrity.
> But SSID still broadcast in clear.

Page 33: Wireless LANs Security

Initialisation Vector

> IV must be different for every message transmitted.
> 802.11 standard doesn’t specify how IV is calculated.
> Wireless cards use several methods
  > Some use a simple ascending counter for each message.
  > Some switch between alternate ascending and descending counters.
  > Some use a pseudo random IV generator.

Page 34: Wireless LANs Security

WEP attacks

> Statistical attack
  > If 24 bit IV is an ascending counter,
  > If Access Point transmits at 11 Mbps,
  > All IVs are exhausted in roughly 5 hours.
> Passive attack:
  > Attacker collects all traffic
  > Attacker could collect two messages:
    > Encrypted with same key and same IV
    > So XORed with same key stream
    > Ciphertext 1 XOR Ciphertext 2 = Plaintext 1 XOR Plaintext 2
    > Statistical attacks to reveal plaintext
  > More than two messages with same key and same IV…
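The WEP sending and receiving steps of pages 28 and 30, and the key stream reuse of this page, worked through in Python. This is an added example, not code from the original presentation; the 40-bit key, the IV and the two messages are constructed sample values, and every function name is the example's own. The receiver discards a frame whose ICV does not verify, and the last function shows that two frames sent under the same IV leak Plaintext 1 XOR Plaintext 2 without any knowledge of the key.

```python
import struct
import zlib
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 (page 27): key scheduling, then a pseudo-random byte stream."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                     # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(message: bytes) -> bytes:
    """Integrity Check Vector: 32-bit CRC of the message (page 28)."""
    return struct.pack("<I", zlib.crc32(message) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, message: bytes) -> bytes:
    """WEP sending: plaintext = message || ICV, XORed with RC4(IV || key).
    The 24-bit IV is transmitted in clear in front of the ciphertext."""
    assert len(secret_key) == 5 and len(iv) == 3    # 40-bit key, 24-bit IV
    plaintext = message + icv(message)
    return iv + xor(plaintext, rc4_keystream(iv + secret_key, len(plaintext)))


def wep_decrypt(secret_key: bytes, frame: bytes) -> Optional[bytes]:
    """WEP receiving: rebuild the key stream from the received IV, XOR,
    then separate and check the ICV. Returns None when the ICV fails."""
    iv, ciphertext = frame[:3], frame[3:]
    plaintext = xor(ciphertext, rc4_keystream(iv + secret_key, len(ciphertext)))
    message, received_icv = plaintext[:-4], plaintext[-4:]
    return message if icv(message) == received_icv else None


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """Page 34: two frames under the same key and IV share a key stream, so
    C1 XOR C2 = P1 XOR P2 and the secret key cancels out. Returns that XOR
    when the IVs collide, or None when they differ (no leak)."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor(frame1[3:], frame2[3:])


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"       # constructed 40-bit shared secret key
    iv = b"\x00\x00\x01"                # constructed IV from an ascending counter
    m1, m2 = b"GET /index.html", b"PUT /secret.txt"
    f1, f2 = wep_encrypt(key, iv, m1), wep_encrypt(key, iv, m2)
    print(wep_decrypt(key, f1))                                     # b'GET /index.html'
    print(keystream_reuse_leak(f1, f2)[:len(m1)] == xor(m1, m2))    # True
```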

Page 35: Wireless LANs Security

More WEP attacks

> If attacker knows plaintext and ciphertext pair
  > Key is known.
  > Attacker can create correctly encrypted messages.
  > Access Point is deceived into accepting messages.

Page 36: Wireless LANs Security

Limited WEP keys

> Some vendors allow limited WEP keys
  > User types in a password
  > WEP key is generated from passphrase
  > Passphrase creates only 21 bits of entropy in 40 bit key.
  > Reduces key strength to 21 bits = 2,097,152
  > Remaining 19 bits are predictable.
  > 21 bit key can be brute forced in minutes.
> http://www.lava.net/~newsham/wlan/

Page 37: Wireless LANs Security

Creating limited WEP keys

Page 38: Wireless LANs Security

Brute force key attack

> Capture ciphertext.
  > IV is included in message.
> Search all 2^40 possible secret keys.
  > 1,099,511,627,776 keys
  > ~100 days on a modern machine
> Find which key decrypts ciphertext to plaintext.

Page 39: Wireless LANs Security

128 bit WEP

> Vendors have extended WEP to 128 bit keys.
  > 104 bit secret key.
  > 24 bit IV.
> Brute force takes 10^19 years for 104-bit key.
> Effectively safeguards against brute force attacks.

Page 40: Wireless LANs Security

Key Scheduling Weakness

> Paper from Fluhrer, Mantin, Shamir, 2001.
> Two weaknesses:
  > Certain keys leak into key stream.
    > Invariance weakness.
  > If portion of PRNG input is exposed,
    > Analysis of initial key stream allows key to be determined.
    > IV weakness.

Page 41: Wireless LANs Security

IV weakness

> WEP exposes part of PRNG input.
  > IV is transmitted with message.
> Attack is practical.
  > For 40 bit keys – WEP.
  > For 128 bit keys – enhanced WEP.
> Passive attack.
  > Non-intrusive.
  > No warning.

Page 42: Wireless LANs Security

Wepcrack

> First tool to demonstrate attack using IV weakness.
> Open source, Anton Rager.
> Three components
  > Weaker IV generator.
  > Search sniffer output for weaker IVs & record 1st byte.
  > Cracker to combine weaker IVs and selected 1st bytes.
> Cumbersome.

Page 43: Wireless LANs Security

Airsnort

> Automated tool
> Cypher42, Minnesota, USA.
> Does it all!
  > Sniffs
  > Searches for weaker IVs
  > Records encrypted data
  > Until key is derived.
> 100 Mb to 1 Gb of transmitted data.
> 3 to 4 hours on a busy WLAN.

Page 44: Wireless LANs Security

802.11b safeguards

> Security Policy & Architecture Design
> Treat as untrusted LAN
> Discover unauthorised use
> Access point audits
> Station protection
> Access point location
> Antenna design

Page 45: Wireless LANs Security

Security Policy & Architecture

> Define use of wireless network
  > What is allowed
  > What is not allowed
> Holistic architecture and implementation
  > Consider all threats.
  > Design entire architecture
    > To minimise risk.

Page 46: Wireless LANs Security

Wireless as untrusted LAN

> Treat wireless as untrusted.
  > Similar to Internet.
> Firewall between WLAN and Backbone.
> Extra authentication required.
> Intrusion Detection
  > at WLAN / Backbone junction.
> Vulnerability assessments

Page 47: Wireless LANs Security

Discover unauthorised use

> Search for unauthorised access points or ad-hoc networks.
> Port scanning
  > For unknown SNMP agents.
  > For unknown web or telnet interfaces.
> Warwalking!
  > Sniff 802.11 packets
  > Identify IP addresses
  > Detect signal strength
  > NetStumbler, but may sniff your neighbours…
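The unauthorised-use search on this slide, together with the Evil Twin and Renegade Access Point issues of page 24, as a small scan audit in Python. This is an added example, not code from the original presentation: the authorised-AP inventory, corporate SSID, signal threshold and scan lines are constructed sample data (the BSSIDs reuse the addresses from the ACL example on page 16), and the scan-line layout bssid;ssid;channel;signal_dBm;wep is an assumed format, not any real tool's output.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory of authorised access points: BSSID -> (SSID, channel).
AUTHORISED_APS: Dict[str, Tuple[str, int]] = {
    "00:01:42:0e:12:1f": ("CORP-WLAN", 1),
    "00:01:42:f1:72:ae": ("CORP-WLAN", 6),
    "00:01:42:4f:e2:01": ("CORP-WLAN", 11),
}
CORPORATE_SSIDS = {"CORP-WLAN"}     # constructed
STRONG_SIGNAL_DBM = -70             # assumed threshold: stronger is probably inside the perimeter


@dataclass
class Sighting:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int
    wep: bool


def parse_scan_line(line: str) -> Sighting:
    """Assumed scan-log layout: bssid;ssid;channel;signal_dBm;wep(Y/N)."""
    bssid, ssid, channel, signal, wep = line.strip().split(";")
    return Sighting(bssid.lower(), ssid, int(channel), int(signal), wep.upper() == "Y")


def classify(s: Sighting) -> str:
    """One finding per sighting, following the slide's categories."""
    known = AUTHORISED_APS.get(s.bssid)
    if known is not None:
        ssid, channel = known
        if (s.ssid, s.channel) != (ssid, channel):
            return "MISCONFIGURED: authorised AP not on its standard SSID/channel"
        if not s.wep:
            return "MISCONFIGURED: authorised AP with WEP disabled"
        return "OK: authorised AP on standard config"
    if s.ssid in CORPORATE_SSIDS:
        return "EVIL TWIN: unknown BSSID advertising a corporate SSID"
    if s.signal_dbm >= STRONG_SIGNAL_DBM:
        return "RENEGADE: unknown AP with strong signal, probably inside the perimeter"
    return "NEIGHBOUR: weak unknown AP, probably outside the perimeter"


def audit(scan_lines: List[str]) -> Dict[str, str]:
    """Returns one finding per BSSID seen in the scan."""
    return {s.bssid: classify(s) for s in map(parse_scan_line, scan_lines)}


# Constructed scan output: one line per access point sighting.
SAMPLE_SCAN = [
    "00:01:42:0E:12:1F;CORP-WLAN;1;-55;Y",
    "00:01:42:F1:72:AE;CORP-WLAN;6;-60;N",      # WEP switched off on an authorised AP
    "00:0C:41:AA:BB:CC;CORP-WLAN;6;-48;N",      # stranger using the corporate SSID
    "00:0C:41:11:22:33;linksys;11;-52;N",       # default SSID, strong signal
    "00:40:96:DE:AD:01;neighbour-net;3;-85;Y",  # weak, next door
]

if __name__ == "__main__":
    for bssid, finding in audit(SAMPLE_SCAN).items():
        print(bssid, finding)
```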

Page 48: Wireless LANs Security

Access point audits

> Review security of access points.
  > Are passwords and community strings secure?
> Use Firewalls & router ACLs
  > Limit use of access point administration interfaces.
> Standard access point config:
  > SSID
  > WEP keys
  > Community string & password policy

Page 49: Wireless LANs Security

Station protection

> Personal firewalls
  > Protect the station from attackers.
> VPN from station into Intranet
  > End-to-end encryption into the trusted network.
  > But consider roaming issues.
> Host intrusion detection
  > Provide early warning of intrusions onto a station.
> Configuration scanning
  > Check that stations are securely configured.

Page 50: Wireless LANs Security

Location of Access Points

> Ideally locate access points
  > In centre of buildings.
> Try to avoid access points
  > By windows
  > On external walls
  > Line of sight to outside
> Use directional antenna to “point” radio signal.

Page 51: Wireless LANs Security

802.1x Access Control for WLAN

> 802.1x (IEEE)
  > Data link layer protocol for port-based network access control
  > Independent of physical layer, so wired or wireless
> Uses EAP (RFC 2284)
  > Extensible Authentication Protocol
  > Allows choice of authentication methods
  > Authentication chosen by peers
  > Access point doesn’t care about EAP methods
> Manages user and session WEP keys
  > Session key used for a limited time
  > User key for rekeying session key
> RADIUS server provides authentication service
  > Remote Authentication Dial In User Service
  > RFC 2138

Page 52: Wireless LANs Security

802.11 + 802.1X/EAP

[Sequence diagram, reconstructed from its labels. Parties: Supplicant, Authenticator, Authentication Server.]
  Supplicant <-> Authenticator: 802.11 association
  Supplicant -> Authenticator: EAPOL-start
  Authenticator -> Supplicant: EAP-request/identity
  Supplicant -> Authenticator: EAP-response/identity
  Authenticator -> Authentication Server: RADIUS-access-request
  Authentication Server -> Authenticator: RADIUS-access-challenge
  Authenticator -> Supplicant: EAP-request (credentials)
  Supplicant -> Authenticator: EAP-response (credentials)
  Authenticator -> Authentication Server: RADIUS-access-request
  Authentication Server -> Authenticator: RADIUS-access-accept
  Authenticator -> Supplicant: EAP-success
  Authenticator -> Supplicant: EAPOW-key (WEP)
  Access allowed

Page 53: Wireless LANs Security

Association and Authentication

> 802.11 association happens first
  > Open authentication
  > Provides access to the AP and allows an IP address to be supplied
> Access beyond the AP is still prohibited
  > AP drops non-EAPOL traffic
> Authentication conversation between supplicant and authentication server
  > Wireless NIC and AP are pass through devices
> After authentication, AP allows traffic through

Page 54: Wireless LANs Security

EAP-MD5

> Authentication server (AS) sends session ID and challenge
> Supplicant returns user name and MD5 hash of session id, challenge and user password.
> AS authenticates supplicant by verifying an MD5 hash of each user's password.
> Good for trusted Ethernets.
> Not good for public Ethernets or wireless LANs
  > Can sniff supplicant identities
  > Can sniff & use dictionary attack on
    > plaintext session id, plaintext challenge & session id/challenge/password hash
  > Can masquerade as access points to trick stations into authenticating with them - MITM

Page 55: Wireless LANs Security

EAP-TLS (RFC 2716)

> EAP with Transport Layer Security is the only standard secure option for wireless LANs at this time.
> Requires the station and RADIUS server to mutually authenticate
> Secured by an encrypted TLS tunnel
> Fast reconnect via TLS session resumption for roaming
> Establishes session keys
> Station's identity (the name bound to the certificate) can still be sniffed.
> Most attractive when using only Windows XP/2000/2003 with deployed certificates.

Page 56: Wireless LANs Security

EAP-TLS

[Sequence diagram, reconstructed from its labels. Parties: Supplicant, Authenticator, Authentication Server; the Authenticator relays the EAP messages between the other two.]
  Supplicant <-> Authenticator: 802.11 Association
  Supplicant -> Authenticator: EAPOL-start
  Authenticator -> Supplicant: Request/identity
  Supplicant -> Authentication Server: Response/identity
  Authentication Server -> Supplicant: Request/TLS Start
  Supplicant -> Authentication Server: Response/TLS Client Hello
  Authentication Server -> Supplicant: Request/TLS Server Hello, Certificate, Certificate Request, Server Done
  Supplicant -> Authentication Server: Response/TLS Certificate, TLS client key ex, TLS CCS, Certificate verify, TLS Fin
  Authentication Server -> Supplicant: EAP-request/TLS CCS, TLS Fin
  Supplicant -> Authentication Server: Response
  Authentication Server -> Supplicant: EAP-Success

Page 57: Wireless LANs Security

EAP-TTLS & PEAP

> EAP with Tunnelled TLS (EAP-TTLS)
> Protected EAP (PEAP)
> Both are Internet Drafts
  > To simplify 802.1X deployment.
> Both require certificate-based RADIUS server authentication
  > No certificate-based authentication of client
> Both support an extensible set of user authentication methods.
  > Can use Windows Domain Controllers, Active Directories, and other existing user databases.
> As strong as EAP-TLS to sniffing attacks.
  > User passwords can be guessed, shared, or disclosed.

Page 58: Wireless LANs Security

EAP summary

[Table, rebuilt from its flattened cells. Columns: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP.]

Server Authentication
  EAP-MD5:  None
  EAP-TLS:  Public Key (Certificate)
  EAP-TTLS: Public Key (Certificate)
  PEAP:     Public Key (Certificate)

Supplicant Authentication
  EAP-MD5:  Password hash
  EAP-TLS:  Public Key (Certificate or Smart Card)
  EAP-TTLS: CHAP, PAP, MS-CHAP(v2), EAP
  PEAP:     Any EAP, like EAP-MS-CHAPv2 or Public Key

Dynamic Key Delivery
  EAP-MD5:  No
  EAP-TLS:  Yes
  EAP-TTLS: Yes
  PEAP:     Yes

Security Risks
  EAP-MD5:  Identity exposed, Dictionary attack, Man-in-the-Middle (MitM) attack
  EAP-TLS:  Identity exposed
  EAP-TTLS: MitM attack
  PEAP:     MitM attack

Page 59: Wireless LANs Security

802.11i / WPA

> Draft standard
  > Will apply to 802.11 a, b & g
> Uses 802.1X & EAP as authentication framework
> Temporal Key Integrity Protocol (TKIP)
  > RC4 still used
  > 128 bit temporal key shared with all clients
  > Per-packet key from temporal key, MAC address & 16 bit initialisation vector
  > Temporal key regenerated every 10,000 packets
  > Only firmware upgrade required
> AES
  > AES cipher replaces RC4
  > Will require new hardware

Page 60: Wireless LANs Security

Any Questions?

Page 61: Wireless LANs Security

Demonstration