
Wireless (802.11) Security

Wireless (802.11) Security. Douglas Reeves, NC State University. Southeast Wireless Symposium, December 02, 2003. What’s New? Anybody (in range) can listen or transmit! Security problems not specific to wireless: spam, viruses, worms, “insider” attacks (e.g., corrupt employees).


Presentation Transcript


  1. Wireless (802.11) Security Douglas Reeves NC State University Southeast Wireless Symposium December 02, 2003

  2. What’s New? • Anybody (in range) can listen or transmit! • Security problems not specific to wireless… • Spam • Viruses • Worms • “Insider” attacks (e.g., corrupt employees)

  3. Characteristics of 802.11 Service • Wireless LAN standard, introduced 1997 • 802.11b • most widely used version, up to 11 Mb/s • 2.4GHz (unlicensed) frequency band • range • several hundred feet with omnidirectional antenna • up to 25 miles with directional antenna

  4. Modes • Infrastructure mode • clients connect to base stations • multiple base stations may cover larger area, allow client roaming • identified by SSID • Ad Hoc mode • clients communicate directly with each other

  5. Scanning for Access Points • Access points periodically transmit beacon frames (SSID, data rate, etc.) • Client scans frequencies and picks an access point based on SSID, signal strength, ... • Client switches to assigned channel and establishes an association

  6. Sending Data • Sender waits until no one transmitting • Then waits random interval and transmits • Optional slot reservation • Client first sends request-to-send (RTS) frame • Access point sends clear-to-send (CTS) frame when ready to receive • Requesting client sends data, all other clients must wait

  7. Reliability • Receiving station checks CRC code in frame to detect errors • Acknowledges fault-free frame, lack of acknowledgment means “resend data”

  8. Energy Conservation • Client can turn off radio interface when nothing to send or receive • Access Point periodically transmits a special frame indicating which clients have packets waiting • Each client wakes up periodically to receive the special frame • if a node has a packet waiting, it requests the packet after waiting a random interval

  9. Security Problems of 802.11 • Unauthorized or “rogue” access points on trusted networks • Access to network by unauthorized clients (theft of service, "war driving") • Interception and monitoring of wireless traffic • range can be hundreds of feet • packet analyzer software freely available • Jamming is easy, unlicensed frequency

  10. Security Problems (cont'd) • Client-to-client attacks (in ad hoc mode) • Denial or degradation of service • flood with bogus packets, association/authentication requests, … • Misconfiguration possibilities • no encryption used • weak (guessable) password used to generate key • weak protection of encryption key on client machine • weak protection of management interface for access point

  11. Attacks on Control Messages • Ex.: Attacker issues spoofed "deauthenticate" or "disassociate" frames • Ex.: Attacker continually sends RTS frames to reserve slots • Ex.: Power-saving attacks • attacker causes access point to discard packets while client is still sleeping • attacker convinces client there is no data waiting • Trivial to implement (e.g., on PDA) • May require changes to the standard 
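Spoofed deauthenticate/disassociate frames are unauthenticated in 802.11b, so a wireless IDS can only spot them by behaviour. The following added example (not from the slides) runs a simple rate-based detector over constructed capture records; the record layout, MAC addresses and thresholds are assumptions for illustration.

```python
# Added example (not from the slides): flag bursts of deauthenticate/disassociate
# management frames, the spoofed control-message attack the slide describes.
from collections import defaultdict, deque

# 802.11 management frame (type 0) subtypes used here
BEACON, DISASSOC, DEAUTH = 0x08, 0x0A, 0x0C

AP, STA = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"  # constructed addresses

# Constructed capture records: (timestamp_s, frame_type, subtype, src, dst).
# One legitimate deauth at t=0.10, then a burst of 8 frames forged with the
# AP's address as source (which is exactly what a spoofing attacker must do).
FRAMES = [
    (0.00, 0, BEACON, AP, "ff:ff:ff:ff:ff:ff"),
    (0.10, 0, DEAUTH, AP, STA),
    (0.20, 2, 0x00, STA, AP),          # ordinary data frame, ignored
    (1.00, 0, BEACON, AP, "ff:ff:ff:ff:ff:ff"),
] + [(5.00 + 0.05 * k, 0, DEAUTH, AP, STA) for k in range(8)]


def detect_deauth_flood(frames, window_s=1.0, threshold=5):
    """Alert once per burst when a source address exceeds `threshold`
    deauth/disassoc frames inside a sliding window of `window_s` seconds."""
    recent = defaultdict(deque)   # src -> timestamps of recent deauth/disassoc
    alerts = []
    for ts, ftype, subtype, src, dst in sorted(frames):
        if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop frames outside the window
            q.popleft()
        if len(q) == threshold + 1:         # fire exactly once when crossed
            alerts.append({"ts": ts, "src": src, "count": len(q),
                           "msg": "deauth/disassoc flood (possible spoofing)"})
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_flood(FRAMES):
        print(f"{a['ts']:.2f}s {a['src']} {a['count']} frames: {a['msg']}")
```

Because the forged frames carry the access point's own address, the alert names the AP; correlating with the AP's own frame counters or sequence numbers is how an operator confirms the frames were not really sent by it.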

  12. (In)Security in 802.11b • Authentication is the process of proving identity • open: just supply correct SSID • shared key: relies on WEP • WEP: Wired Equivalent Privacy

  13. WEP • Without WEP, no confidentiality, integrity, or authentication of user data • The cipher used in WEP is RC4, keylength from 40 up to 128 bits • Key is shared by all clients and the base station • compromising one node compromises network • Manual key distribution among clients makes changing the key difficult

  14. WEP Encryption Weakness • Initialization Vector (IV) used during encryption is only 24 bits long • Key to cracking: find packets with duplicate public IVs • repetition of IV guaranteed on busy networks due to small IV space • Tools: WEPCrack, AirSnort • 15 minutes to 24 hours to collect enough packets
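Why a repeated IV matters: WEP seeds RC4 with the 24-bit IV prepended to the shared key, so two frames with the same IV under the same key get the same keystream, and XORing their ciphertexts cancels it. The following added example (not from the slides) shows that with a textbook RC4 and a constructed key and IV, and computes the birthday bound for the 24-bit IV space; it omits WEP's CRC-32 ICV.

```python
# Added example (not from the slides): IV reuse in WEP and the 24-bit IV birthday bound.
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def wep_encrypt(iv: bytes, shared_key: bytes, payload: bytes) -> bytes:
    """WEP per-packet key = 24-bit IV || shared key (ICV omitted here)."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    return rc4_encrypt(iv + shared_key, payload)


def iv_collision_expected_frames(iv_bits: int = 24) -> float:
    """Birthday bound: frames needed for ~50% chance that a random IV repeats."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def demo_iv_reuse() -> bool:
    key = bytes.fromhex("0102030405")           # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")                # constructed IV, reused
    p1 = b"GET /index.html HTTP/1.0"
    p2 = b"user=alice&pass=hunter2 "
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    # Same IV + same key => same keystream; c1 ^ c2 == p1 ^ p2, so the
    # plaintexts leak without ever recovering the key.
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    print("IV reuse leaks p1^p2:", demo_iv_reuse())
    print(f"~50% IV collision after {iv_collision_expected_frames():.0f} random IVs")
```

A busy access point sends thousands of frames per second, so the roughly five thousand frames the birthday bound predicts for a first collision are reached almost immediately; the "15 minutes to 24 hours" on the slide is the time to gather enough colliding and weak-IV frames for full key recovery, not for the first repeat.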

  15. Improvement (to WEP) #1: 802.1X • Port-based user authentication and key distribution • Currently supported by most access points and client OSes

  16. Improvement #2: WPA (Wi-Fi Protected Access) • Incorporates 802.1X • Advantages • stronger, centralized user authentication • automatically negotiated per-user keys with frequent key updates • stronger encryption algorithm choices • Hardware support may be needed for adequate performance

  17. TKIP (Temporal Key Integrity Protocol) • Extension of IV to 48 bits • Includes IV sequencing (rotates keys more often) • Adds a frame integrity-check function that is much stronger than CRC

  18. Extensible Authentication Protocol (EAP) • During association, client must provide “credentials” • Access point requests authentication of user from RADIUS server • If successful, access point will accept traffic from client, encryption keys derived for the session • When client logs off, the access point will disable the client's ports

  19. EAP Authentication Types • 5 contenders, no clear consensus (wait for the dust to settle?) • PEAP has support from Microsoft+Cisco+RSA, being standardized by IETF • EAP-TTLS also being standardized • LEAP is Cisco-proprietary • interoperability problems • User credentials = name/password, or digital certificate • use of certificates requires certificate server infrastructure

  20. Improvement #3: 802.11i • WPA + dynamic negotiation of authentication and encryption algorithms • AES is the primary encryption algorithm • Requires hardware support • newer access points + wireless cards will be firmware upgradeable • older access points + wireless cards will have to be replaced • Still under development; ratified and available mid-2004?

  21. Security Through Other Means • Use firewalls to isolate wireless traffic from wired network • Use intrusion detection to detect attacks on wireless networks • Use IPSec / VPNs to protect traffic at IP layer • Use TLS (SSL) to protect traffic at application layer

  22. Recommendations: General • Get informed about risks! • Regular security audits and penetration assessments • Require "strong" passwords, limit number of login attempts • Disable ad hoc mode • invites access by unauthorized nodes to your computer

  23. Recommendations: Access Points • Enforce standard security settings for each 802.11b access point • Regularly search to identify unknown access points • Require centralized user authentication (RADIUS) to configure the access point • Encrypt all access point management traffic

  24. Recommendations: Other • Use distributed personal firewall on each client • Use VPNs to supplement encryption and authentication for 802.11b • Maintain an intrusion detection system on the wireless network • Use firewalls to separate wireless networks from internal networks

  25. Recommendations: WLAN Security • WEP (fair) • enable wireless frame encryption • use longest key • change the WEP key regularly (manually) • 802.1X and WPA (user authentication + dynamic keys) (better) • use as soon as practical and stable • set rekeying to occur every few hours • 802.11i (best) • upgrade / use when available and supported
