WLAN Security Basics
Security Basics • Authentication and Access Control • Who are you? • What can you do/see? • Encryption • Protecting the data (transit and storage) • Integrity • Preventing modification, insertion • Availability
Eavesdropping is easy in wireless • The air is open. As long as one gets close to the access point, one can receive the signal. If there is no security measure, there is a good chance that your neighbors can share your internet access and share the files that can be shared by computers in your home.
Making the Connection • State 1: Unauthenticated, Unassociated • State 2: Authenticated, Unassociated • State 3: Authenticated, Associated
Authentication • Found an AP? • Try to authenticate with the AP that has the desired SSID and the strongest signal • Station sends the AP an Authentication management frame • AP’s response depends on the authentication method • Authentication Methods • Open System: anyone can join • Shared Key: only stations that possess the same shared secret as the AP can join, but it provides only very weak protection. The same key is used by the AP and all stations, so no per-station identity is involved. • Later…Deauthenticate
Association • Authenticated? • Try to associate with AP • Station sends AP an Associate Request management frame carrying desired SSID, supported data rates, and station’s capabilities • AP’s Associate Response carries Association ID, supported data rates, and AP’s capabilities • When successful, station can transmit and receive data frames as a member of the WLAN • Later…Disassociate or Reassociate
Simple protection: SSID • Use ‘opaque’ SSIDs (WLAN names) • Change default SSIDs • SSID should not have company or location info • Unless your WLAN is public, reject “any” SSIDs • Have your AP require actual SSID from stations • Sometimes referred to as “closed system” • Modify Windows XP Zero Config default settings • Don’t automatically connect to non-preferred networks
Simple protection: assigning IP addresses • Before we can forward traffic into attached network • STA needs a valid IP address • Alternatives • Give IP to anyone who asks with DHCP • But why should we make it so easy to hop on? • Give fixed (reserved) IPs to known/authorized STAs • Make war drivers work a little harder to gain access • But reservations are harder to administer... • Require STAs to be preconfigured with IPs • ...and configuring every STA is even harder • Bottom Line: It isn’t difficult to observe valid IP addresses • Fixed IPs therefore raise the bar only marginally
Attacks on network: Modification and Insertion • Packet Tampering • 802.11 data frames include CRC (Cyclic Redundancy Checking) error detection • Cannot detect changes that result in valid CRC • Packet Insertion • 802.11 data frames are not sequenced – any STA can inject “extra” frames simply by transmitting them • Frames are not signed, so nothing prevents attackers from “borrowing” MAC address of legitimate STA
Man in the middle II • Rogue APs that pretend to be valid APs • STAs tricked into associating with rogue AP • Valid AP thinks it’s receiving frames from STAs • Attacker can change packets in transit • Attacker can gather authentication information
Simple Security: WEP • What Is WEP? • Stands for Wired Equivalent Privacy – as name implies, intended to make Wi-Fi as secure as a wired Ethernet network. • Encrypts the data sent between two nodes on the WLAN. • Designed when cryptographic standards were hamstrung by government export rules. Original keys were limited to 40 bits. • Uses a single, static, shared key for authentication and encryption.
Built-In Security: WEP • Implementing WEP • No two products implement WEP in quite the same way, but basically . . . • Choose 64-bit or 128-bit key. • Choose whether to set up the WEP key using ASCII (plain alphanumeric text) or Hex (hexadecimal numbers). Not all offer a choice. • Set (same) key on AP and all clients • Some products let you enter multiple keys – you choose which is the primary.
Built-in Security: WEP • Implementing WEP • Hexadecimal: You enter a string of text in hex format, limited to characters A-F and 0-9. • 64-bit – 10 Hex characters (0x456789ABCD) • 128-bit – 26 Hex characters (0x273c642f25223d58687d49516c) • Some software may require the hex code to begin with “0x” (without quotes), as above, or a dollar sign ($).
Built-In Security: WEP • Implementing WEP • ASCII: You enter a string of plain text characters as the key. • 64-bit – 5 ASCII characters • 128-bit – 13 ASCII characters
Built-In Security: WEP • Implementing WEP • Passphrase: Similar to ASCII, you enter a string of plain text characters and the software automatically creates a hex key based on what you type. • Not all products support it, so if you generate a Hex key with a passphrase on one product, you should write it down to use with other products.
WEP’s problems • WEP has several problems • The key is known to every STA, so if one copy is lost, everyone’s key is compromised • There is no standard key distribution, and keys have to be entered manually, which leads to static keys (keys don’t change often enough) and keystream reuse (see later slides) • WEP encryption can be broken easily by a hacker using readily available software • No good authentication approach • Integrity checking is weak (a hacker can tamper with the data stream without the receiver detecting it)
Countermeasures: WEP • Keys are recoverable through cryptanalysis • RC4 is the encryption algorithm used by WEP • Stream ciphers require an Initialization Vector (IV) • To remain synchronized in WLAN, IV must be sent in plaintext on every 802.11b frame • IV is only 24 bits to keep the frame short (too short) • IV appended to shared key to encrypt each frame • Small IV leads to key reuse • Keystream easily obtained from any 2 frames encrypted with same IV, can be used to decrypt future frames
How does WEP work? • WEP uses RC4 cipher, which is a symmetric (secret-key) stream cipher. • A stream cipher uses a stream of bits, called the keystream, which is combined with the message to produce the ciphertext. • To recover the original message, the receiver processes the ciphertext with an identical keystream. • RC4 uses the exclusive OR (XOR) operation to combine the keystream and the message frame (at the transmitter) to generate the ciphertext, and keystream and ciphertext (at the receiver) to recover the sent message frame.
Figure: stream cipher operation
How is a keystream generated? • Stream ciphers use a short secret key (and the Initialization Vector in Wi-Fi) and expand it into a pseudorandom keystream the same length as the message. (See graph below.) • The pseudorandom number generator (PRNG) is a set of rules used to expand the key into a keystream. • To recover the data, both sides must share the same secret key and use the same algorithm to expand the key into a pseudorandom sequence.
Totally random keystream • A totally random keystream is called a one-time pad and is the only known encryption scheme that is mathematically proven to protect against certain types of attacks. One-time pads are not commonly used because the keystream must be perfectly random and the same length as the data that will be protected, and it can never be reused. • The practical difficulties and cost incurred in generating and distributing the keying material are worthwhile only for short messages that require the utmost security.
The length of WEP keys • The 64 (or 128)-bit WEP key contains two parts. The first part is a 24-bit initialization vector (IV), and the second part is a 40 (or 104)-bit WEP key, which is given by the user. So the actual secret length is only 40 (or 104) bits. • The longer the key, the more difficult it is to break. (Some vendors provide a 256-bit WEP key.) • RC4 takes the 64 (128) input bits and generates a keystream equal to the length of the frame body. The keystream is then XORed with the frame body to encrypt it. To enable the receiver to decrypt the frame, the IV is placed in the header of the frame in plain text.
Figure: the WEP data frame (ICV = Integrity Check Vector)
Weakness of WEP • Reuse of the keystream is the major weakness in any stream cipher-based cryptosystem. • WEP uses the IV to encrypt different packets with different RC4 keys. However, the IV is part of the packet header and is not encrypted, so eavesdroppers are tipped off to packets that are encrypted with the same RC4 key. • Infrequent rekeying allows attackers to assemble large collections of frames encrypted with the same keystreams. As more frames with the same IV pile up, more information is available about the original frames even if the secret key is not recovered. • A subset of all IVs is particularly weak. A hacker observing those IVs can break the encryption even more quickly.
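As an added illustration of the preceding slides (RC4 seeded with IV || key, the CRC-32 ICV, and why keystream reuse under a repeated IV is fatal), here is a minimal Python model of a WEP frame body. This is example code written for this page, not code from the original deck; the frame layout is simplified to IV, encrypted payload and ICV (the real IV field also carries a key-index byte, omitted here), and RC4 is implemented inline because WEP specifies it.

```python
import struct
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling, then the PRGA output stream.
    WEP seeds it with the per-frame key IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body as on the slide: plaintext 24-bit IV, then
    RC4(IV || key) XOR (payload || CRC-32 ICV). Key is 40 or 104 bits."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)
    icv = struct.pack("<I", zlib.crc32(payload))  # ICV is a plain CRC-32
    body = payload + icv
    return iv + xor(body, rc4_keystream(iv + shared_key, len(body)))

def wep_decrypt(shared_key: bytes, frame: bytes):
    """Receiver side: strip IV, regenerate keystream, check the ICV.
    Returns the payload, or None when the ICV does not match."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + shared_key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    return payload if icv == struct.pack("<I", zlib.crc32(payload)) else None

def keystream_cancels(frame_a: bytes, frame_b: bytes):
    """Why IV reuse is fatal: two frames sent under the same IV share one
    keystream, so XORing their ciphertexts yields the XOR of the plaintexts
    (keystream drops out) without the key. Returns None if the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 3
    return xor(frame_a[3:3 + n], frame_b[3:3 + n])
```

With only 2^24 IVs and a key that never changes, a busy AP repeats an IV within hours, which is the reason WPA/TKIP moved to a 48-bit IV and per-packet key mixing.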
Increase the key length • Products today come standard with both 64-bit and 128-bit WEP– originally only 64-bit was required. • Many vendors have introduced WEP versions with longer keys – 152-bit and even 256-bit – but technical problems mean they don’t add much security.
Beyond WEP: WPA (Wi-Fi Protected Access) • What is WPA (a newer version is WPA2)? • “Hardened WEP” – uses Advanced Encryption Standard (AES) or Temporal Key Integrity Protocol (TKIP) for encryption, plus 802.1X and EAP support for authentication in offices. • Home vs. Office • Home version uses a 256-bit pre-shared key. • Office version provides 802.1X and EAP support for authentication.
Some features of WPA • Data is encrypted using the RC4 stream cipher plus TKIP (explained below), with a 128-bit key and a 48-bit initialization vector (IV), much longer than WEP’s IV. • Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. (Remember that in WEP the key never changes unless you manually change it.) • WPA2 uses the Advanced Encryption Standard (AES), which is more secure than RC4 + TKIP. • Can use an authentication server in an office. • Homes without an authentication server can use Pre-shared Key (PSK) mode. Each user must enter a passphrase to access the network. The passphrase is the same for all users on the same network.
Beyond WEP: WPA • WPA at Home (WPA Personal) • A Pre-Shared Key (PSK), the same for everyone in the network, is entered in each device first, very much like WEP. • The difference is that this pre-shared key is not the key used for encryption (in WEP the same key is used for encryption). Instead, TKIP uses this key to derive new encryption keys mathematically and rotates them regularly (in WEP the key doesn’t change). Also, the encryption key is derived using each user’s MAC address, so it is unique for each user (WEP uses the same key for everyone). • A hacker who knows your PSK can access your network, but one who doesn’t will find it very difficult to discover. (In WEP a hacker can easily find the key by observing the data traffic.) • A better integrity check is provided.
Beyond WEP: WPA • WPA in the Office (WPA Enterprise) • Combines 802.1X, PSK, and TKIP • A server authenticates users (requesting each user to enter his/her user name and password) and assigns each user a unique key. (The home version of WPA uses the same PSK for everybody; users don’t need a user name and password.) The server can change the keys frequently. • The only problem is that the authentication process is not encrypted, so a hacker can steal the user name and password. There are several ways to deal with this problem. • WPA and WEP are mutually exclusive; they cannot be mixed on a network.
More about TKIP • Three basic algorithmic components • MIC (message integrity code) • Originally message authentication code but the acronym “MAC (Media Access Control)” is already being used! • The MIC used by WPA is called “Michael” • Prevents packet forging • Packet Sequencing • Prevents replay • Per-Packet Key Mixing • Prevents the duplicate keystream attacks
Message Integrity Check (MIC) • MIC (Message Integrity Check) • Protects WEP from modification, injection • Must be implemented on both Stations and APs • Additional bytes (MIC) added to packets before encryption • 20 bits of effective security • Recipient checks MIC for integrity • If there is no match, frame is dropped • Works with TKIP which forces a rekey if there is a MIC validation error
TKIP (Temporal Key Integrity Protocol) • Longer 48-bit Initialization Vector (IV) • Would take ~100 years to exhaust this IV space at 802.11a/g data rates – helps to prevent key reuse • Per-Packet Key (every packet has its own key) • It’s derived from a combination of a base key, the MAC address of the sending station, and the serial number for the packet (the serial number is also the IV). • Key distribution • Home WLANs derive Base Keys from preshared secret. Therefore it still has one of WEP’s weaknesses. • Enterprise WLANs use 802.1X to deliver Base Keys
Countermeasures: WLAN Discovery • Aerosol • http://www.stolenshoes.net/sniph/aerosol.html • Boingo Software • http://www.boingo.com • BSD AirTools • http://www.dachb0den.com/projects/bsd-airtools.html • Kismet • http://www.kismetwireless.net/ • MacStumbler for Airport cards • http://www.macstumbler.com/ • NetStumbler (Win32) and MiniStumbler (PocketPC) • http://www.netstumbler.com/ • WaveStumbler • http://www.cqure.net/tools.jsp?id=8
Simple Security Tips • Set the admin (administrator) password, which is needed to access your AP settings. A hacker needs to find the password before he can tamper with the settings of your AP. • Change the SSID (your network name) to something difficult to guess.
Simple Security Tips • Broadcasting the SSID or not may not be that important, because a hacker can use free software to find your SSID even though you don’t broadcast.
Simple Security Tips • Use Static IP addresses • By default, most WLANs use DHCP to automatically assign an IP address to a client. • DHCP doesn’t know the difference between your wireless computers and a hacker. • Simple security: Turn off DHCP and Assign Static IP addresses to users. • Easy to do at home with a few computers, almost impossible with a large number of PCs.
Simple Security Tips • Use MAC Filtering • Each product on a network has a unique Media Access Control (MAC) address, for example “04-00-05-B6-6A-B4” hard-coded into the hardware. • Simple security: Filter against MACs so only computers you know about can go on the network. • This is generally only practical for home and small business networks – tracking MAC addresses of each node in an enterprise would be difficult. • Not completely secure: MAC addresses are easily stolen and spoofed.
Simple Security Tips • Personal Firewalls • Not everything important is on the server. People store a lot of data on their individual computers. • Without a personal firewall, even legitimate users on the network could get on to your PC. • Simple security: Install personal firewall software. • (This goes for wired networks, too.)
Simple Security Tips • Physical Security Counts • Many access points can be easily set back to their factory defaults with the push of a reset button. • Why make it easy for hackers to get to the units? • Simple security: Keep APs out of eyesight (e.g., above the ceiling) and disable their serial ports.
Simple Security Tips • WEP Is Better than Nothing • Vendors want WLANs to be easy to set up, so most don’t implement any security out of the box. • Microsoft is currently the only vendor of WLAN products that ships with WEP security turned on! • WEP is far better than no security at all – windows can be broken, but who leaves them open for burglars? • Simple security: Turn on WEP or better yet, WPA.
Simple Security Tips • Change WEP Keys • The longer a given key is used on a WLAN, the more time a hacker has to break it. • Simple security: Change your WEP key regularly. • Inconvenient: If you have a large network, this could mean physically accessing every client and AP to make the change, one by one. • FYI: Don’t use your SSID as a WEP key and don’t store the key somewhere on the network.