Basic Wireless LAN Security Technologies
• Most wireless security incidents occur because system administrators do not implement the countermeasures that are already available
• It is not enough to enable a countermeasure; it must be verified to be in place and working properly
• The WLAN security wheel, a continuous process of securing, monitoring, testing and improving, is an effective way to do this
WLAN Security Wheel
• The four steps of a wireless security policy:
Secure
Monitor
Test
Improve
Secure
• This step implements WLAN security solutions to stop or prevent unauthorized access or activities and to protect information, using the following:
Authentication (802.1X)
Encryption (WEP or AES)
Traffic filters
Controlled wireless coverage area
Monitor
• This step involves the following actions:
Detecting violations of the WLAN security policy
System auditing, log review, and real-time intrusion detection
Validating the security implementation from step 1
Test & Improve
• Test: this step validates the effectiveness of the WLAN security policy through system auditing and wireless and wired vulnerability scanning
• Improve: this step involves the following:
Using the information from step 3 to improve the WLAN implementation
Adjusting the security policy
First Generation Wireless Security
• Security was not a big concern
• Many WLANs used the Service Set IDentifier (SSID) as the basic form of security
• Some WLANs controlled access by entering the MAC address of each client into the wireless AP
• Neither option was secure, because wireless sniffing could reveal both valid MAC addresses and the SSID, and both are trivially spoofed by a client
SSID
• The SSID is a string of up to 32 octets (vendors usually present it as ASCII) that is configured on the clients and the APs
• In 802.11, a client that probes with a NULL (zero-length, "wildcard") SSID is answered by any AP regardless of the SSID setting on the AP
• Beacon frames carrying the SSID are required by the IEEE standard
• Some vendors add options such as SSID broadcast and allow any SSID
SSID
• These features are enabled by default and make it easy to set up a wireless network, which is also why they are not a security control
• The allow any SSID option lets the AP accept a client with a blank SSID
• The SSID broadcast option sends beacon frames that advertise the SSID in the clear
• Even with broadcast disabled, the SSID still appears in probe responses and association requests, so a sniffer recovers it as soon as a client joins
• MAC-based authentication is not defined in the 802.11 specification; it is a vendor feature, and every valid MAC address is visible to a sniffer in the clear
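To make the point concrete, here is an added example (not part of the slides) that builds two constructed 802.11 beacon frames, one advertising a hypothetical SSID "corpnet" and one with SSID broadcast turned off, and parses them the way a passive sniffer would. The BSSID 00:11:22:33:44:55, the SSID and the channel are invented for the example; the frame layout (24-byte management header, 12 bytes of fixed fields, then tagged information elements with the SSID as element ID 0) is the standard one.

```python
"""
Parse the SSID, addresses and capability bits out of a raw 802.11 beacon frame.
The frames below are constructed in this script; they are not captures.
"""
import struct

BROADCAST = b"\xff" * 6
IE_SSID, IE_RATES, IE_CHANNEL = 0, 1, 3        # information element IDs (IEEE 802.11)
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010           # capability bits: infrastructure BSS, WEP "Privacy"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid: bytes, ssid: bytes, channel: int = 6, hide_ssid: bool = False) -> bytes:
    """Build a minimal beacon: 24-byte MAC header, fixed fields, then information elements."""
    frame_control = b"\x80\x00"                    # type 0 (management), subtype 8 (beacon)
    # duration, addr1 = broadcast, addr2 = transmitter, addr3 = BSSID, sequence control
    header = frame_control + b"\x00\x00" + BROADCAST + bssid + bssid + b"\x00\x00"
    # timestamp, beacon interval in TUs, capability info
    fixed = struct.pack("<QHH", 0, 100, CAP_ESS | CAP_PRIVACY)
    # A "hidden" network still carries the SSID element, just with length 0.
    ssid_ie = bytes([IE_SSID, 0]) if hide_ssid else bytes([IE_SSID, len(ssid)]) + ssid
    rates_ie = bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])   # 1, 2, 5.5, 11 Mbit/s (basic)
    chan_ie = bytes([IE_CHANNEL, 1, channel])
    return header + fixed + ssid_ie + rates_ie + chan_ie


def parse_beacon(frame: bytes) -> dict:
    """Return what a passive sniffer learns from a single beacon frame."""
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x03, fc0 >> 4
    if ftype != 0 or subtype != 8:
        raise ValueError("not a beacon frame")
    transmitter = mac_str(frame[10:16])            # addr2: the AP radio's MAC address
    bssid = mac_str(frame[16:22])                  # addr3: the BSSID
    body = frame[24:]
    _timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    elements = {}
    offset = 12                                    # first element follows the fixed fields
    while offset + 2 <= len(body):
        element_id, length = body[offset], body[offset + 1]
        elements[element_id] = body[offset + 2: offset + 2 + length]
        offset += 2 + length
    ssid_raw = elements.get(IE_SSID, b"")
    return {
        "transmitter": transmitter,
        "bssid": bssid,
        "interval_tu": interval,
        "privacy": bool(capability & CAP_PRIVACY),
        "hidden": len(ssid_raw) == 0,              # broadcast suppressed, element still present
        "ssid": ssid_raw.decode("utf-8", "replace"),
        "channel": elements[IE_CHANNEL][0] if IE_CHANNEL in elements else None,
    }


# Constructed sample frames with a hypothetical BSSID and SSID
AP_BSSID = bytes.fromhex("001122334455")
BEACON_VISIBLE = build_beacon(AP_BSSID, b"corpnet")
BEACON_HIDDEN = build_beacon(AP_BSSID, b"corpnet", hide_ssid=True)

if __name__ == "__main__":
    for label, frame in (("visible", BEACON_VISIBLE), ("hidden", BEACON_HIDDEN)):
        print(label, parse_beacon(frame))
```

Note that the "hidden" beacon still leaks the BSSID, the channel and the fact that WEP is enabled; only the SSID element is emptied, and that value reappears in the probe responses and association requests exchanged when a client joins.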
Wired Equivalent Privacy (WEP)
• The IEEE 802.11 standard includes WEP to protect authorized users of a WLAN from casual eavesdropping
• IEEE 802.11 WEP specifies a static 40-bit key, which is combined with a 24-bit initialization vector (IV) to form the 64-bit RC4 key; most vendors extended this to a 104-bit key (128 bits with the IV) or more
• When using WEP, both the AP and the wireless client must be configured with the same WEP key
• WEP is based on Rivest Cipher 4 (RC4), a stream cipher: IV plus key seeds the keystream, the IV is sent in the clear with every frame, and a CRC-32 integrity check value (ICV) is encrypted along with the payload
WEP
• At the time, encryption with key lengths greater than 64 bits was considered "high" encryption
• Key length is not what limits WEP: the 24-bit IV space repeats quickly on a busy network, reusing an RC4 keystream exposes plaintext, the CRC-32 ICV is linear and does not stop tampering, and practical key-recovery attacks on WEP exist; WEP is deprecated and should be treated as providing no confidentiality
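The following added example (written for this page, not taken from the slides or any vendor code) implements WEP's frame protection exactly as described: RC4 keyed with IV || key, a CRC-32 ICV encrypted with the payload, and the IV sent in the clear. It then shows the consequence of the 24-bit IV space: two frames encrypted under the same IV and key share a keystream, so XORing the two ciphertexts cancels the cipher and yields the XOR of the plaintexts, and knowing one plaintext gives the other. The key, IV and HTTP payloads are constructed for the example.

```python
"""
WEP frame protection with RC4, and the keystream reuse it cannot avoid.
Key, IV and payloads below are constructed for this example.
"""
import zlib

IV_LEN = 3           # WEP prepends a 24-bit IV to the 40-bit (or 104-bit) key
ICV_LEN = 4          # CRC-32 integrity check value, encrypted together with the payload


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: KSA builds the state table, PRGA XORs keystream onto data."""
    state = list(range(256))
    j = 0
    for i in range(256):                                    # key scheduling (KSA)
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                       # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(byte ^ state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4(IV || key, plaintext || CRC32(plaintext)), as WEP does."""
    if len(key) not in (5, 13) or len(iv) != IV_LEN:
        raise ValueError("WEP uses a 40- or 104-bit key and a 24-bit IV")
    icv = zlib.crc32(plaintext).to_bytes(ICV_LEN, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Strip the clear-text IV, regenerate the keystream, and verify the ICV."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    data = rc4(iv + key, body)
    plaintext, icv = data[:-ICV_LEN], data[-ICV_LEN:]
    if zlib.crc32(plaintext).to_bytes(ICV_LEN, "little") != icv:
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return plaintext


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """Two frames with the same IV under the same key share a keystream, so
    C_a XOR C_b == P_a XOR P_b: the cipher cancels out. Returns None if IVs differ."""
    if frame_a[:IV_LEN] != frame_b[:IV_LEN]:
        return None
    return xor_bytes(frame_a[IV_LEN:], frame_b[IV_LEN:])


def recover_with_known_plaintext(leak: bytes, known_plaintext: bytes) -> bytes:
    """Knowing one of the two plaintexts (an ARP or DHCP frame, an HTTP request) yields the other."""
    return xor_bytes(leak, known_plaintext)


KEY_40BIT = bytes.fromhex("0102030405")      # constructed 40-bit key, not a real one
IV = bytes.fromhex("000001")                  # with only 2^24 IVs, repeats are routine
PLAIN_A = b"GET /index.html HTTP/1.0"         # constructed payloads
PLAIN_B = b"GET /admin/login HTTP/1.0"

if __name__ == "__main__":
    frame_a = wep_encrypt(KEY_40BIT, IV, PLAIN_A)
    frame_b = wep_encrypt(KEY_40BIT, IV, PLAIN_B)
    print("round trip ok:", wep_decrypt(KEY_40BIT, frame_a) == PLAIN_A)
    leak = keystream_reuse_leak(frame_a, frame_b)
    print("recovered from IV reuse:", recover_with_known_plaintext(leak, PLAIN_A))
```

The ICV check catches accidental corruption, but because CRC-32 is linear an attacker who flips payload bits can flip the matching ICV bits too; that is a separate weakness from the keystream reuse shown here and is why WEP's integrity protection is not trusted either.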
Rivest-Shamir-Adleman (RSA) Encryption Scheme
• In the RSA scheme, messages are first represented as integers in the range (0, n-1)
• Each user chooses his or her own value of n and another pair of positive integers e and d
• The user places the encryption key (n, e) in the public directory
• The decryption key consists of the number pair (n, d)
RSA Scheme • d is kept secret. • Encryption: • Decryption
RSA Scheme • n is obtained by selecting two large prime numbers p and q such that n=pq • Although n is made public, p and q are kept secret due to the great difficulty in factoring n • Then the Euler totient function is formed. That is,
RSA Scheme • The parameter has an interesting property that for any integer X in the range (0, n-1) and for any integer k • A large integer d is randomly chosen so that it is relatively prime to , which means that and d must have no common divisors other than 1
RSA Scheme • That is: gcd[ ,d]=1 Any prime number greater than the larger of (p,q) will suffice. Then the integer e, where 0<e< , is found from the relationship which amounts to choosing e and d to satisfy: Thus,
Example of RSA Scheme
• Let p=47, q=59. Therefore n=pq=2773
• The Euler totient of n is (p-1)(q-1)=46·58=2668. d is chosen to be relatively prime to 2668; for example, choose d=157 (a prime larger than both p and q, so it certainly qualifies)
• e is the multiplicative inverse of d modulo 2668, i.e. e·d leaves remainder 1 when divided by 2668: 17·157=2669=1·2668+1
• Thus e=17
RSA Scheme
• Consider the message ITS ALL GREEK TO ME
• Replace each letter with a two-digit number in the range (01, 26), A=01 through Z=26, and encode a blank as 00
• 0920 1900 0112 1200 0718 0505 1100 2015 0013 0500 (the final block is padded with a trailing blank)
• Each message block must be an integer in the range (0, n-1). For this example, encryption is done on blocks of 4 digits at a time: two letter codes never exceed 2626, so every 4-digit block is below n-1=2772, whereas a 6-digit block (up to 262626) would not be
RSA Scheme
• The first block (0920) of the plaintext is encrypted by raising it to the power e=17 modulo n=2773, which gives 0948; every block is encrypted the same way
• C=0948 2342 1084 1444 2663 2390 0778 0774 0219 1655
• Decryption raises each ciphertext block to the power d=157 modulo 2773 and recovers the original message blocks
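The whole procedure from the RSA slides, key generation from p, q and d, the two-digit letter encoding, block encryption and decryption, carried through in code as an added example (this is not code from the slides; the functions and their names are this example's own). It uses the slides' numbers (p=47, q=59, d=157, message ITS ALL GREEK TO ME) and computes e as the inverse of d modulo (p-1)(q-1) with Python's `pow(d, -1, m)`, which needs Python 3.8 or later. It also generalizes slightly: the block size is a parameter, and encryption refuses a block that is not below n, which is the check the 4-digit block choice on the slide is there to satisfy.

```python
"""
Textbook RSA with the numbers from the slides: p=47, q=59, d=157,
message "ITS ALL GREEK TO ME" encoded as two digits per letter.
Textbook RSA (no padding) is for illustration only, never for real use.
"""
from math import gcd


def rsa_keygen(p: int, q: int, d: int):
    """Return public key (n, e) and private key (n, d); e is the inverse of d modulo (p-1)(q-1)."""
    n = p * q
    totient = (p - 1) * (q - 1)
    if gcd(d, totient) != 1:
        raise ValueError("d must be relatively prime to (p-1)(q-1)")
    e = pow(d, -1, totient)                 # modular inverse; Python 3.8+
    assert (e * d) % totient == 1           # the relationship e and d must satisfy
    return (n, e), (n, d)


def letter_code(ch: str) -> int:
    """Blank -> 0, A..Z -> 1..26 (the slides' encoding)."""
    if ch == " ":
        return 0
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 1
    raise ValueError(f"unsupported character {ch!r}")


def encode_message(text: str, block_digits: int = 4) -> list:
    """Two digits per character, grouped into blocks of block_digits; the tail is padded with blanks."""
    digits = "".join(f"{letter_code(ch):02d}" for ch in text.upper())
    while len(digits) % block_digits:
        digits += "00"                      # pad with blank(s), as the slides do for 0500
    return [int(digits[i:i + block_digits]) for i in range(0, len(digits), block_digits)]


def decode_message(blocks: list, block_digits: int = 4) -> str:
    """Inverse of encode_message; trailing padding blanks are stripped."""
    digits = "".join(f"{b:0{block_digits}d}" for b in blocks)
    chars = []
    for i in range(0, len(digits), 2):
        code = int(digits[i:i + 2])
        chars.append(" " if code == 0 else chr(ord("A") + code - 1))
    return "".join(chars).rstrip()


def rsa_encrypt_blocks(blocks: list, public_key: tuple) -> list:
    """C = M^e mod n for each block; every block must lie in (0, n-1)."""
    n, e = public_key
    if max(blocks) >= n:
        raise ValueError("a block is not below n; use a smaller block size")
    return [pow(m, e, n) for m in blocks]


def rsa_decrypt_blocks(blocks: list, private_key: tuple) -> list:
    """M = C^d mod n for each block."""
    n, d = private_key
    return [pow(c, d, n) for c in blocks]


if __name__ == "__main__":
    public, private = rsa_keygen(47, 59, 157)
    print("public key (n, e):", public, " private key (n, d):", private)
    plain_blocks = encode_message("ITS ALL GREEK TO ME")
    cipher_blocks = rsa_encrypt_blocks(plain_blocks, public)
    print("M:", " ".join(f"{b:04d}" for b in plain_blocks))
    print("C:", " ".join(f"{b:04d}" for b in cipher_blocks))
    print("decrypted:", decode_message(rsa_decrypt_blocks(cipher_blocks, private)))
```

Run as a script it prints the public key (2773, 17) and the slides' ciphertext; calling `encode_message` with `block_digits=6` against the same key raises the block-size error, which is the failure the 4-digit choice avoids.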