Wireless Security


Transcript of Wireless Security

Page 1: Wireless Security
Page 2: Wireless Security

802.11 Basics

Security in 802.11

WEP summary

WEP Insecurity

Page 3: Wireless Security

ALOHAnet
1999: IEEE 802.11a (54 Mbps)
1999: IEEE 802.11b (11 Mbps)
2003: IEEE 802.11g (54 Mbps)
2009: IEEE 802.11n (150 Mbps)

Page 4: Wireless Security

802.11b
  2.4-2.485 GHz unlicensed radio spectrum
  up to 11 Mbps
  direct sequence spread spectrum (DSSS) in physical layer: all hosts use same chipping code

802.11a
  5-6 GHz range
  up to 54 Mbps
  Physical layer: orthogonal frequency division multiplexing (OFDM)

802.11g
  2.4-2.485 GHz range
  up to 54 Mbps
  OFDM

All use CSMA/CA for multiple access

All have base-station and ad-hoc versions

All allow for reducing bit rate for longer range

Page 5: Wireless Security

Wireless host communicates with a base station
  base station = access point (AP)

Basic Service Set (BSS) (a.k.a. “cell”) contains:
  wireless hosts
  access point (AP): base station

BSS’s combined to form distribution system (DS)

Page 6: Wireless Security

No AP (i.e., base station)
  wireless hosts communicate with each other
  to get packet from wireless host A to B may need to route through wireless hosts

Applications:
  “Laptop” meeting in conference room
  Vehicle Network
  Interconnection of “personal” devices
  Battlefield

Page 7: Wireless Security

802.11b: 2.4GHz-2.485GHz spectrum divided into 11 channels at different frequencies; 3 non-overlapping
  AP admin chooses frequency for AP
  interference possible: channel can be same as that chosen by neighboring AP!

AP regularly sends beacon frame
  Includes SSID, beacon interval (often 0.1 sec)

host: must associate with an AP
  scans channels, listening for beacon frames
  selects AP to associate with; initiates association protocol
  may perform authentication
  After association, host will typically run DHCP to get IP address in AP’s subnet

Page 8: Wireless Security

802.11 frame fields and sizes (bytes):

  frame control    2
  duration         2
  address 1        6
  address 2        6
  address 3        6
  seq control      2
  address 4        6
  payload          0 - 2312
  CRC              4

Address 1: MAC address of wireless host or AP to receive this frame

Address 2: MAC address of wireless host or AP transmitting this frame

Address 3: MAC address of router interface to which AP is attached

Address 4: used only in ad hoc mode

Page 9: Wireless Security

802.11 frame: addressing

[Figure: host H1, AP, router R1, Internet]

802.11 frame: address 1 = H1 MAC addr, address 2 = AP MAC addr, address 3 = R1 MAC addr

802.3 frame: dest. address = H1 MAC addr, source address = R1 MAC addr

Page 10: Wireless Security

802.11 frame: addressing

[Figure: host H1, AP, router R1, Internet]

802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr

802.3 frame: dest. address = R1 MAC addr, source address = H1 MAC addr

Page 11: Wireless Security

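frame (field sizes in bytes):
  frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

frame control field expanded (field sizes in bits):
  Protocol version (2) | Type (2) | Subtype (4) | To AP (1) | From AP (1) | More frag (1) | Retry (1) | Power mgt (1) | More data (1) | WEP (1) | Rsvd (1)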

Type/subtype distinguishes beacon, association, ACK, RTS, CTS, etc. frames.

To/From AP defines meaning of address fields

802.11 allows for fragmentation at the link layer

802.11 allows stations to enter sleep mode

Seq number identifies retransmitted frames (e.g., when ACK lost)

WEP = 1 if encryption is used
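
The header layout and frame control bits above, decoded in code. This is an added example, not part of the original slides: the function names, the role labels and the sample MAC addresses are constructed for illustration, and only the first 24 bytes (through seq control) are parsed.

```python
import struct

FLAG_NAMES = ["to_ap", "from_ap", "more_frag", "retry",
              "power_mgt", "more_data", "wep", "rsvd"]
TYPES = {0: "management", 1: "control", 2: "data"}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_header(frame: bytes) -> dict:
    """Decode frame control, the three addresses and seq control (first 24 bytes)."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc, duration = struct.unpack_from("<HH", frame, 0)   # fields are little-endian
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    (seq,) = struct.unpack_from("<H", frame, 22)
    hdr = {
        "version": fc & 0x3,
        "type": TYPES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,
        "duration": duration,
        "seq_number": seq >> 4,        # upper 12 bits of seq control
        "frag_number": seq & 0xF,      # lower 4 bits of seq control
    }
    for bit, name in enumerate(FLAG_NAMES):              # one-bit flags, bits 8..15
        hdr[name] = bool((fc >> (8 + bit)) & 1)
    # To/From AP decide what the address fields mean (slides 9 and 10).
    if hdr["to_ap"] and not hdr["from_ap"]:
        roles = ("ap", "source", "destination")
    elif hdr["from_ap"] and not hdr["to_ap"]:
        roles = ("destination", "ap", "source")
    else:
        roles = ("address1", "address2", "address3")     # left uninterpreted here
    hdr.update(zip(roles, map(mac, (a1, a2, a3))))
    return hdr

def is_beacon(hdr: dict) -> bool:
    return hdr["type"] == "management" and hdr["subtype"] == 8

# Constructed sample: WEP-protected data frame from host H1 via the AP to router R1.
H1, AP, R1 = (bytes.fromhex(h) for h in
              ("020000000001", "0200000000aa", "0200000000f1"))
SAMPLE = struct.pack("<HH", 0x4108, 0) + AP + H1 + R1 + struct.pack("<H", 0x0150)
```

A monitoring tool can use the `wep` flag and the beacon check to inventory which networks in range still send unencrypted or WEP-only traffic.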

Page 12: Wireless Security

Service Set Identifier (SSID)

Differentiates one access point from another

SSID is cast in ‘beacon frames’ every few seconds.

Beacon frames are in plain text!

Encryption

Page 13: Wireless Security

802.11 Basics

Security in 802.11

WEP summary

WEP Insecurity

Page 14: Wireless Security

Why do we need the encryption?
  Wi-Fi networks use radio transmissions prone to eavesdropping
  Mechanism to prevent outsiders from
    ▪ accessing network data & traffic
    ▪ using network resources

Page 15: Wireless Security

Access points have two ways of initiating communication with a client

Shared Key or Open System authentication

Open System: need to supply the correct SSID
  Allow anyone to start a conversation with the AP

Shared Key is supposed to add an extra layer of security by requiring authentication info as soon as one associates

Page 16: Wireless Security

Client begins by sending an association request to the AP

AP responds with a challenge text (unencrypted)

Client, using the proper key, encrypts text and sends it back to the AP

If properly encrypted, AP allows communication with the client

Page 17: Wireless Security

1997: Original 802.11 standard only offers
  SSID
  MAC Filtering

1999: Introduction of Wired Equivalent Privacy (WEP)
  Several industry players form WECA (Wireless Ethernet Compatibility Alliance) for rapid adoption of 802.11 network products

2001: Weaknesses discovered in WEP
  IEEE started Task Group i

2002: WECA was renamed to Wi-Fi

2003: Wi-Fi Protected Access (WPA)
  Interim solution for the weakness of WEP

2004: WPA2 (IEEE-802.11i-2004)

Page 18: Wireless Security

Primary built-in security for the 802.11 protocol

RC4 encryption
  64-bit RC4 keys
  Non-standard extension uses 128-bit keys

Many flaws in implementation

Page 19: Wireless Security

Interim solution for replacement of WEP

Goals:
  improved encryption
  user authentication

Two Modes
  WPA Personal: TKIP/MIC; PSK
  WPA Enterprise: TKIP/MIC; 802.1X/EAP

Page 20: Wireless Security

WPA-Personal
  Also referred to as WPA-PSK (WPA Pre-shared Key)
  Designed for home and small office networks and doesn't require an authentication server.

WPA-Enterprise
  Known as WPA-802.1X
  Designed for enterprise networks and requires an authentication server
  An Extensible Authentication Protocol (EAP) is used for authentication
  Supports multiple authentication methods based on:
    ▪ passwords (Sample: PEAP)
    ▪ digital certificates (Sample: TLS, TTLS)

Page 21: Wireless Security

TKIP (Temporal Key Integrity Protocol)
  The 128 bit RC4 stream cipher used in WPA

CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol)
  An AES-based encryption mechanism used in WPA2

Page 22: Wireless Security

Approved in July 2004

AES is used for encryption

Two modes, like WPA:
  Enterprise Mode:
    ▪ authentication: 802.1X/EAP
    ▪ encryption: AES-CCMP
  Personal Mode:
    ▪ authentication: PSK
    ▪ encryption: AES-CCMP

Page 23: Wireless Security

                  WEP             WPA             WPA2
Cipher            RC4             RC4             AES
Key Size (bits)   64/128          128             128
Key Life          24 bit IV       48 bit IV       48 bit IV
Packet Key        Concatenation   Two Phase Mix   Not Needed
Data Integrity    CRC32           Michael         CCM
Key Management    None            802.1X/PSK      802.1X/PSK

Page 24: Wireless Security

• WEP is no longer a secure wireless method

• WPA2 with AES encryption is currently the best encryption scheme

• If on an unsecured network, use SSH or VPN tunneling to secure your data

Page 25: Wireless Security

802.11 Basics

Security in 802.11

WEP summary

WEP Insecurity

Page 26: Wireless Security


A block of plaintext is bitwise XORed with a pseudorandom key sequence of equal length

RC4 PRNG

Page 27: Wireless Security

ICV computed – 32-bit CRC of payload

[Figure: 802.11 frame (Header, Payload); CRC over the Payload gives the 32-bit ICV, appended to the Payload]

Page 28: Wireless Security

ICV computed – 32-bit CRC of payload

One of four keys selected – 40-bits

[Figure: keynumber selects one of Key 1, Key 2, Key 3, Key 4 (4 x 40 bits); output is a 40-bit key]

Page 29: Wireless Security

ICV computed – 32-bit CRC of payload

One of four keys selected – 40-bits

IV selected – 24-bits, prepended to keynumber

[Figure: IV (24 bits) | keynumber (8 bits)]

Page 30: Wireless Security

ICV computed – 32-bit CRC of payload

One of four keys selected – 40-bits

IV selected – 24-bits, prepended to keynumber

IV+key used to encrypt payload+ICV

[Figure: IV + Key (64 bits) into RC4; Payload + ICV becomes encrypted Payload + ICV]

Page 31: Wireless Security

ICV computed – 32-bit CRC of payload

One of four keys selected – 40-bits

IV selected – 24-bits, prepended to keynumber

IV+key used to encrypt payload+ICV

IV+keynumber prepended to encrypted payload+ICV

[Figure: WEP frame: Header | IV | keynumber | Payload | ICV]

Page 32: Wireless Security

Keynumber is used to select key

[Figure: keynumber selects one of Key 1, Key 2, Key 3, Key 4 (4 x 40 bits); output is a 40-bit key]

Page 33: Wireless Security

Keynumber is used to select key

IV+key used to decrypt payload+ICV

[Figure: IV + Key (64 bits) into RC4; encrypted Payload + ICV becomes Payload + ICV]

Page 34: Wireless Security

Keynumber is used to select key

IV+key used to decrypt payload+ICV

ICV recomputed and compared against original

[Figure: CRC over the decrypted Payload gives the 32-bit ICV’, compared with the received ICV; result is Header + Payload]

Page 35: Wireless Security

Purpose – increase the encryption key size

Non-standard, but in wide use

IV and ICV set as before

104-bit key selected

IV+key concatenated to form 128-bit RC4 key

[Figure: IV (24 bits) + Key (104 bits) = 128 bits into RC4; Payload + ICV becomes encrypted Payload + ICV]

Page 36: Wireless Security

Keys are manually distributed

Keys are statically configured
  often infrequently changed and easy to remember!

Key values can be directly set as hex data

Key generators provided for convenience
  ASCII string is converted into keying material
  Non-standard but in wide use
  Different key generators for 64- and 128-bit

Page 37: Wireless Security
Page 38: Wireless Security

http://www.wepkey.com/


Page 39: Wireless Security

802.11 Basics

Security in 802.11

WEP summary

WEP Insecurity

Page 40: Wireless Security

Problem: Keystream Reuse

WEP’s Solution: Per Packet IVs

But…

so knowing one plaintext will get you the other

XOR cancels keystream

Page 41: Wireless Security

IV is only 24 bits in WEP
  It must repeat after 2^24 or ~16.7M packets

Practical? How long to exhaust the IV space in a busy network?
  A busy AP constantly sends 1500-byte packets
  Consider data rate 11 Mbps
  IV exhausts after..

Consequences:
  – Keystream for corresponding IV is obtained

Page 42: Wireless Security

2001: Fluhrer, Mantin, Shamir: Weaknesses in the Key Scheduling Algorithm of RC4.

completely passive attack

Inductive chosen plaintext attack

Takes 5-10M packets to find secret key

Showed that WEP is near useless

Page 43: Wireless Security

In 2001, airsnort was released but needs millions of packets

In 2004, aircrack and weplab require only hundreds of thousands of packets

http://securityfocus.com/infocus/1814

http://www.securityfocus.com/infocus/1824

Page 44: Wireless Security

One common shared key
  If any device is stolen or compromised, must change shared key in all devices

No key distribution mechanism
  Infeasible for large organization: approach doesn’t scale

Crypto is flawed
  Early 2001: Integrity and authentication attacks published
  August 2001 (weak-key attack): can deduce RC4 key after observing several million packets
  AirSnort application allows casual user to decrypt WEP traffic

Crypto problems
  24 bit IV too short
  Same key for encryption and message integrity
  ICV flawed, does not prevent adversarial modification of intercepted packets
  Cryptanalytic attack allows eavesdroppers to learn key after observing several millions of packets

Page 45: Wireless Security

SSID and access control lists provide minimal security
  no encryption

WEP provides encryption, but is easily broken

Emerging protocol: 802.11i
  Back-end authentication server
  Public-key cryptography for authentication and master key distribution
  TKIP: Strong symmetric crypto techniques

Page 46: Wireless Security

Fluhrer, Mantin, Shamir – Weaknesses in the Key Scheduling Algorithm of RC4. http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf

Stubblefield, Ioannidis, Rubin – Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. http://www.cs.rice.edu/~astubble/wep/wep_attack.pdf

Rivest – RSA Security Response to Weakness in the Key Scheduling Algorithm of RC4. http://www.rsasecurity.com/rsalabs/technotes/wep.html

RC4 Encryption Algorithm. http://www.ncat.edu/~grogans/algorithm_breakdown.htm