Wireless Security: New Standards for 802.11 Encryption and Authentication

Ann Geyer, 209-754-9130, ageyer@tunitas.com, www.tunitas.com
National Conference on m-Health and EOE, Minneapolis, MN, Sept 9, 2003
Page 1: Wireless Security New Standards for 802.11 Encryption and Authentication Ann Geyer 209-754-9130 ageyer@tunitas.com  National Conference.

Wireless Security New Standards for 802.11

Encryption and Authentication

Ann Geyer 209-754-9130

ageyer@tunitas.com www.tunitas.com

National Conference on m-Health and EOE

Minneapolis, MN Sept 9, 2003

2

Key Challenges For Healthcare Wireless

Migrating to standard implementations to protect investment and growth

Understanding cellular, WLAN, and WWAN interference on medical monitoring and dispensing equipment

Designing implementations to achieve coverage without undue attenuation

Establishing security controls for confidentiality, integrity, and availability – HIPAA

Finding authentication solutions not just for users and devices, but also for code & content

Integrating wireless into the communications and computing infrastructure and application base

Understanding the trade-offs between ease of use and form factors, devices, and media controls

3

Wireless Security Landscape

Many projects approved without regard for security

Even without a formal wireless project, still need to address wireless threats (e.g. rogue Access Points)

HIPAA is forcing security plans for all types of networks

Wireless threat is significant since passive interception makes detection difficult to impossible

Immature standards are rapidly evolving

Growing body of Best Practices to benchmark against

4

802.11 Standards

802.11 The original WLAN standard. Supports 1 Mbps to 2 Mbps.

802.11a High speed WLAN standard for the 5 GHz band. Supports 54 Mbps.

802.11b WLAN standard for the 2.4 GHz band. Supports 11 Mbps.

802.11e Addresses quality of service requirements for all IEEE WLAN radio interfaces.

802.11f Defines inter-access point communications to facilitate multiple-vendor distributed WLAN networks.

802.11g Establishes an additional modulation technique for the 2.4 GHz band. Intended to provide speeds up to 54 Mbps. Includes much greater security.

802.11h Defines the spectrum management of the 5 GHz band for use in Europe and in Asia Pacific.

802.11i Addresses the current security weaknesses for both authentication and encryption protocols. The standard encompasses 802.1X, TKIP, and AES protocols.

5

Original 802.11 Security

Service set identifier (SSID)

– A simple code that identifies the WLAN.

– Clients must be configured with the correct SSID to access their WLAN.

Media access control (MAC)

– MAC address filtering restricts WLAN access to computers that are on a list you create for each access point on your WLAN.

Wired equivalent privacy (WEP)

– Encryption and authentication scheme that protects WLAN data streams between clients and access points (AP). This was discovered to have flaws.

6

WEP Flaws

Two basic flaws undermined its use for protection against other than the casual browser-eavesdropper

– No defined method for encryption key refresh or distribution

• Pre-shared keys were set once at installation and rarely if ever changed

– Use of RC4, which was designed to be a one-time cipher not intended for multiple message use

• But because the pre-shared key is rarely changed, the same key is used over and over

• Attacker monitors traffic and finds enough examples to work out the plaintext from message context

• With knowledge of the ciphertext and plaintext, can compute the key

7

Encryption

WEP Flaw

– Takes about 10,000 packets to discover the key

– Large amounts of known data are the fastest way of determining as many keystreams as possible

– The information may be as innocuous as the fields in the protocol header or the DNS name query

– Monitoring is passive so undetectable

– Simple tools and instructions freely available to spit out the key

– Legal experts postulate this type of monitoring may not be illegal
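The keystream reuse these two slides describe, as an added example that is not part of the presentation: a minimal RC4 and a WEP-style IV || static-key construction applied to constructed frames. It recovers the keystream from one frame whose contents are predictable (here a DNS query) and applies it to a second frame sent under the same IV; it does not implement recovery of the WEP key itself, and the key, IV and frame contents are all constructed for the demo.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: the per-packet RC4 key is IV || static key; the IV is sent in clear."""
    return xor_bytes(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Ciphertext XOR known plaintext yields the keystream bytes used for that (IV, key) pair."""
    return xor_bytes(ciphertext, known_plaintext)


def demo_keystream_reuse() -> dict:
    """Two frames under the same static key and a repeated IV share one keystream (constructed data)."""
    shared_key = b"\x01\x02\x03\x04\x05"        # constructed 40-bit WEP key, set once and never rotated
    iv = b"\x00\x00\x01"                         # 24-bit IV: the space is small, so IVs repeat in practice
    # Constructed DNS query (header, www.tunitas.com, type A, class IN): its layout is
    # predictable from the protocol, so an observer can treat it as known plaintext.
    known = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + b"\x03www\x07tunitas\x03com\x00" + b"\x00\x01\x00\x01")
    secret = b"patient 4711: MRI 09/10/2003"    # constructed confidential frame contents
    c_known = wep_encrypt(iv, shared_key, known)
    c_secret = wep_encrypt(iv, shared_key, secret)            # same IV, same key: same keystream
    keystream = recover_keystream(c_known, known)             # no key recovery needed for this step
    leaked = xor_bytes(c_secret, keystream)                   # reveals the other frame's plaintext
    # A fresh per-packet key (here simply another IV) gives a different keystream, so the
    # recovered keystream decrypts nothing: per-packet keys are what TKIP and 802.11i add.
    c_fresh = wep_encrypt(b"\x00\x00\x02", shared_key, secret)
    not_leaked = xor_bytes(c_fresh, keystream)
    return {"secret": secret, "leaked": leaked, "not_leaked": not_leaked}
```

The recovered keystream is only as long as the known frame, which is why the slide stresses collecting large amounts of known data.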

8

Other Problems

SSID (service set identifier)

– Identifies the 802.11 devices that belong to a Basic Service Set (BSS).

– A BSS is analogous to a LAN segment in wired terms

– SSID is meant as a method to identify what Service Set you want to communicate with; not as a security layer authentication

– Even when using WEP, the SSID remains fully visible

– Some manufacturers even allow the WLAN cards to poll for the SSID and self configure

9

Other Problems

MAC (media access control)

– Possible to restrict access by MAC address on many AP (access points) by means of an ACL

– All standards compliant NIC cards, including WLAN cards, should have a unique MAC; some software allows this address to be ‘spoofed’

Spoofing Wireless

– Is easy

– Unlike internet devices which have routing issues to overcome, IP addresses of wireless devices can be manually changed at will

– Some network systems serve up the IP address dynamically

10

Improved Security Standards

802.1x Authentication (2001)

WPA (Wi-Fi Protected Access) (2002)

802.11i (2003-4)

11

802.1X Authentication and EAP

802.1X

– Framework to control port access between devices, AP, and servers

Uses Extensible Authentication Protocol (EAP) (RFC 2284)

– Uses dynamic keys instead of the WEP authentication static key

– Requires mutual authentication protocol

– User’s transmission must go through WLAN AP to reach authentication server performing the authentication

• Permits a number of authentication methods

• RADIUS is the market de facto standard

12

EAP Types

EAP-TLS (RFC 2716)

– EAP is an extension of PPP providing for additional authentication methods

– TLS provides for mutual authentication and session key exchange

– Negotiated mutual key becomes Master Key for 802.11 TKIP

– Requires client & server certificates (PKI based)

– Deployed by Microsoft for its corporate network

– Shipping in Windows 2000 and XP

13

Other EAP Types

EAP-TTLS

– “Tunneled” TLS -- uses two TLS sessions

• Outer TLS session with server certificate for server authentication

• Inner TLS session using certificates at both ends and password

– Protects user’s identity from intermediary entities

PEAP

– Similar to EAP-TTLS, but only allows EAP for authentication

– Server authentication via server certificate

• User’s password delivered through SSL protected channel

• Session continues when user’s password verified

– Client-side certificate optional

14

WPA Interim 802.11 Security

Wi-Fi Protected Access (WPA)

Interim solution between WEP and 802.11i

– Plugs holes in legacy 802.11 devices; typically requires firmware or driver upgrade, but not new hardware

– Subset of 802.11i and is forward compatible

Sponsored by the Wi-Fi Alliance

– Will require WPA for current certifications

Support announced by Microsoft, Intel, others

– Colubris, Funk Sftw, Intesil, Proxim, Resonext, TI, Agere, Atheros, Athnel

15

WPA

Improves WEP encryption

Based on TKIP protocol and algorithm

– Changes the way keys are derived

– Refreshes keys more often

– Adds message integrity control to prevent packet forgeries

Benefits

– Encryption weakness improved but not solved

– Some concern that TKIP may degrade WLAN performance without hardware accelerator

– But protects current device investment

– Will be available sooner than 802.11i

16

WPA

Works similarly to 802.1X authentication

– Both clients and AP must be WPA enabled for encryption to and from 802.1X EAP server

– Key in a pass phrase (master key) in both client and AP

– If pass phrase matches, then AP allows entry to the network

– Pass phrase remains constant, but a new encryption key is generated for each session

17

TKIP

Temporal Key Integrity Protocol

– Quick fix to overcome the reuse of encryption key problem with WEP

– Combines the pre-shared key with the client’s MAC and a larger IV to ensure each client uses a different key stream

– Still uses WEP RC4, but changes temporal key every 10K packets

– Mandates use of MIC (Michael) to prevent packet forgery

Benefits

– Uses existing device calculation capabilities to perform the encryption operations

– Improves security, but is still only a short-term fix

18

New 802.11i Security

Addresses the main problems of WEP and Shared-Key Authentication

– Temporal Key Integrity Protocol (TKIP)

– Message Integrity Control ~ Michael

– AES Encryption replacement for RC4

– Robust Security Network (RSN)

Requires new wireless hardware

Ratification ~ YE 2003

19

Robust Security Network

RSN uses Dynamic Negotiation

– For authentication and encryption algorithms between AP and client devices

– Authentication is based on 802.1X and EAP

– AES Encryption

20

How RSN Works

1. Client sends request for association and security negotiation to AP, which forwards it to the WLAN switch.

2. WLAN switch passes request to Authentication Server (RADIUS).

3. RADIUS authenticates client.

4. Switch and client initiate 4 way key negotiation to create unique session key. Switch pushes key, which is AES encrypted, to AP. AES encrypts all data traffic.

[Diagram: Client, Access Point, WLAN Switch, Ethernet Switch, RADIUS Server, with steps 1 to 4 marked along the path]
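The 4 way key negotiation of step 4, together with the "pass phrase remains constant, but a new encryption key is generated for each session" point from the WPA slide, as an added example that is not part of the presentation. It follows the 802.11i structure (PMK from the pass phrase via PBKDF2-SHA1 for WPA-PSK; PTK = PRF-384 over the PMK, both MAC addresses and both nonces; EAPOL-Key MICs under the KCK), which goes beyond what the slide spells out; the EAPOL frame layout is simplified to a tag plus a nonce, and the MAC addresses, nonces and pass phrase are constructed.

```python
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA-PSK: the pass phrase keyed into client and AP becomes the 256-bit PMK via PBKDF2-SHA1."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..., concatenated."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs || min/max of the nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC over an EAPOL-Key frame: HMAC-SHA1 under the KCK, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_ap, pmk_client, aa, spa, anonce=None, snonce=None):
    """Run both sides in-process; return the temporal key (TK) each side derived (simplified framing)."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # Message 1, AP -> client: ANonce in the clear. No MIC yet; the client has no key to check it with.
    msg1 = b"M1" + anonce
    # Client derives the PTK from its PMK, both MAC addresses and both nonces, then answers with
    # SNonce and a MIC under the key confirmation key (KCK = PTK[0:16]; TK = PTK[32:48]).
    ptk_c = derive_ptk(pmk_client, aa, spa, msg1[2:], snonce)
    kck_c, tk_c = ptk_c[:16], ptk_c[32:48]
    msg2 = b"M2" + snonce
    msg2 += eapol_mic(kck_c, msg2)
    # AP derives the PTK from its own PMK and checks the MIC: a match proves the client holds the
    # same pass phrase, while neither the pass phrase nor the PTK ever crosses the air.
    ptk_a = derive_ptk(pmk_ap, aa, spa, anonce, msg2[2:34])
    kck_a, tk_a = ptk_a[:16], ptk_a[32:48]
    if not hmac.compare_digest(eapol_mic(kck_a, msg2[:-16]), msg2[-16:]):
        raise ValueError("message 2 MIC failed: client pass phrase does not match")
    # Message 3, AP -> client: ANonce again with a MIC, proving to the client that the AP holds the PMK.
    msg3 = b"M3" + anonce
    msg3 += eapol_mic(kck_a, msg3)
    if not hmac.compare_digest(eapol_mic(kck_c, msg3[:-16]), msg3[-16:]):
        raise ValueError("message 3 MIC failed: AP pass phrase does not match")
    # Message 4, client -> AP: confirmation. Both sides now install TK for AES-CCMP data frames.
    msg4 = b"M4" + eapol_mic(kck_c, b"M4")
    return tk_c, tk_a
```

Because fresh nonces enter the PRF on every association, the same pass phrase yields a different TK each session, which is the property the WPA slide claims and WEP's static key lacks.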

21

Final Words

802.11 is truly useful technology

Wireless networking will continue to expand

As the networking standards change so will the security issues

Network security specialists need to understand wireless networking; and vice versa

Start evaluating and deploying new security standards

SANS Institute Information Security Reading Room

– http://www.sans.org/rr/wireless/

NIST Wireless Network Security

– http://csrc.nist.gov/publications/drafts/draft-sp800-48.pdf