180 likes | 322 Views
IWD2243 Wireless & Mobile Security. Chapter 3 : Wireless LAN Security. 3.1 Introduction. 802.11 security architecture – Wired Equivalent Privacy (WEP) Responsible for the CIA in 802.11 network. Designed to be “Wireless Ethernet” Important architectural differences between 802.11 & TWNs
E N D
IWD2243Wireless & Mobile Security Chapter 3 : Wireless LAN Security Prepared by : Zuraidy Adnan, FITM UNISEL
3.1 Introduction • 802.11 security architecture – Wired Equivalent Privacy (WEP) • Responsible for the CIA in 802.11 network. • Designed to be “Wireless Ethernet” • Important architectural differences between 802.11 & TWNs • 802.11 limited support for roaming, restricted to wireless access network only • While TWN support seamless roaming over large geographical areas. Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP • Key establishment in 802.11 • None, out of scope • Relies on preshared key STAs and APs • Does not specify how the keys are established. • Anonymity in 802.11 • Not a major concern. • The use of IP address unlike IMSI in TWNs • IP address assign to user can change over time • The use of Network Address Translation (NAT) • Mapping the internal IP with Global IP (GIP) Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP (cont.) • Authentication in 802.11 • Authentication – control access to the network. • Wired LAN – security features being inherits from the network • WLAN – no physical access authentication • Net authenticate STAs – STA authenticate Net • APs – Broadcast beacon (mgmt frame which announce the existence of the network) • Each beacon have Service Set Identifier (SSID) – or – Net name – identify ESS. • STA want to connect – passive / active scan. • STAs send probe request to all available channel Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP (cont.) • Authentication in 802.11 (cont.) • Concerned Aps received a probe – send probe-response • STAs find out which station it can join • STAs choose the network it whishes to join – based on signal strength • The authentication process start – two options :- • Open System Authentication (OSA) • See figure 18.2 : 802.11 OSA, page 408 • Using OSA – mean no authentication at all • Shared Key Authentication (SKA) Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP (cont.) • Authentication in 802.11 (cont.) • Shared Key Authentication (SKA) • See figure 18.3 : 802.11 SKA, page 410 • Challenge – response system • SKA divide STAs into 2 groups, 1 – allowed access, 2 – all other STAs • Group 1 – STAs share secret key with Aps • Using SKA requires, the STAs and APs capable of using WEP, and the STAs and AP have preshared key. Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP (cont.) • Authentication in 802.11 (cont.) • Authentication and Handoffs • See figure 18.4 : 802.11 handoffs and security, page 411 • What’s wrong with 802.11 authentication? • No method specified in WEP for each STA to be assigned with unique key • Many 802.11 deployment share key across Aps • One way – no provision for the STA to authenticate the Net. • Pseudo-Authentication scheme • Allows only STAs that knows the SSID to join the Net • Using MAC address as a secret. • Aps maintain a list of STA’s MAC, only registered MAC can access the Net Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP (cont.) • Confidentiality in 802.11 • See figure 18.5 : WEP, page 414 • 5 steps to provide confidentiality in 802.11 • See figure 18.6 : A WEP packet, page 415 • The packet that been produced after encryption process. • What’s wrong with WEP • Usage of RC4 stream chiper, always failed in wireless medium. • Solution : shift synchronization requirement from session to a packet – change keys for every packet. • IV which concatenated with master key per packet being sent in clear text • Susceptible to Fluhrer-Mantin-Shamir (FMS) attack. • Specify no rules for IV selection Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP (cont.) • Data Integrity in 802.11 • 802.11 uses Integrity Check Value (ICV) field in the packet • See figure 18.7 : Data integrity in WEP, page 419 • ICV – Cyclic Redundancy Check-32bits (CRC32) • CRC32 is linear and not cryptographically computed • Eve still can modify the message! • Loopholes in 802.11 security (summary) • The list 1-9, page 421 & 422. Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA • Wi-Fi Protected Access (WPA) • Prestandard subset of 802.11i • Biggest differences – • Usage of AES (Advanced Encryption Standard) for providing confidentiality and integrity • Usage of Temporal Key Integrity Protocol (TKIP) and MICHAEL. • Both differences makes big changes in WLAN security architecture & hardware parts. • Most parts (h/ware) in 802.11 implementation cannot be used in WPA 802.11i Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.) • Key establishment • WEP used preshared key establish using out of band mechanism • 2 environments – home & enterprise • Diff infra capacities to provide security • Enterprise – 802.11i use IEEE 802.1X for key establishment & authentication. • 802.1X use backend authentication server • Home user – no backend authentication server – allow out-of-band mechanism for key establishment • See figure 18.8 : Key hierarchy in 802.11, page 425 Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.) • Key establishment (cont.) • WPA solve the problem of authentication in WEP by reducing exposure of master key (MK) • WPA extends the two-tier hierarchy to multiple hierarchy. • Pair-wise master key (PMK) – preshared key, or derived from 802.1X • PMK – 32bytes – too long for human to remember • Allow user to enter shorter password which will be used as a seed to generate 32byte key. • Pair-wise transient key (PTK) – Session key, consist of 4 keys, 128bits long. Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.) • Key establishment (cont.) • 4 keys – encryption key for data, integrity key for data, encryption key for EAPoLmsg, and integrity key for EAPoL msg. • PTK derived from PMK using pseudorandom function (PRF) • PRF is based on HMAC-SHA algorithm. • Five input values to obtain PTK from PMK :- • PTK = PRF-512(PMK, “pair-wise expansion”, AP_MAC || STA_MAC || Anonce || Snonce) • 5 values – PMK, MAC add for two endpoints, one nonce for each endpoints. Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.) • Key establishment (cont.) • Nonce – “number-once” – generated at both side • Anonce = PRF-256(Random Number, “Init counter”, AP_MAC || Time) • Snonce = PRF-256 (Random Number, “Init counter”,STA_MAC || Time) • Next step – derive per-packet keys from PTK. • See figure 18.9 : TKIP encryption, page 427 • See “important features to note in (TKIP encrypt) process”, page 428. Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.) • Authentication • Home user, 802.11i allows WEP like configuration • Enterprise user, 802.11i specify the use of 802.1X • 802.1X architected along with Extensible Authentication Protocol over LAN (EAPoL) • See figure 18.10a : 802.1X/EAP port model, page 429 • See figure 18.10b : EAPoL, page 429 • EAP specify 3 net elements – Supplicant, Authenticator, Authentication Server • See figure 18.10c : EAP over WLAN, page 430 • STA – supplicant, AP – authenticator, backend authentication server Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.) • Authentication (cont.) • See figure 18.10d : 802.1X network architecture • Confidentiality • Enhancement from WEP confidentiality • TKIP double the IV size from 24 to 48bits • Used for per-packet mixing function, instead of just add more bits into the size, and still can co-exist in WEP compatible hardware. • Integrity • TKIP use a new message integrity check (MIC) protocol, MICHAEL Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.) • Integrity (cont.) • MICHAEL – no multiplication operation, instead, just rely on shift and add operations. • Another enhancement – to use IV as a sequence counter. • Overall picture : confidentiality + integrity • See figure 18.10e : TKIP – the complete picture, page 435 • How does WPA Fix WEP loopholes • See table 18.1 : WEP loopholes and WPA fixes Prepared by : Zuraidy Adnan, FITM UNISEL
3.4 WPA2 • Only few enhancements features from WPA • Enhancements :- • Authentication - Replaces a stream chiper (RC4) with a strong block chiper (AES). Instead, WPA2 embed AES in stream chiper. • Integrity – provides for stronger integrity protection using AES-based CCMP. • See figure 18.15 : WPA2 – the complete picture • See table 18.2 : comparison of WEP, WPA, and WPA2 security architectures. Prepared by : Zuraidy Adnan, FITM UNISEL