320 likes | 514 Views
CSCD 439/539 Wireless Networks and Security. Lecture 10 WPA and 802.11i (WPA2) Fall 2007. Introduction. 802.11i or WPA2 802.11i proposed security standard for 802.11 networks What is it? What does it require to implement? Is it a standard yet? More details next time, just overview today
E N D
CSCD 439/539Wireless Networks and Security Lecture 10 WPA and 802.11i (WPA2) Fall 2007
Introduction • 802.11i or WPA2 • 802.11i proposed security standard for 802.11 networks • What is it? • What does it require to implement? • Is it a standard yet? • More details next time, just overview today • WPA • Proposed interim security solution after WEP • What is it? • How does it compare with WEP? • How does it compare with 802.11i?
History 802.11i • WEP was a security failure … • Needed something else • Formed the 802.11i IEEE standards group to investigate a secure solution to 802.11 networks • 802.11i is the addendum to 802.11 • Defines security for wireless LANs
History 802.11i • Draft standard was ratified • June 24, 2004 and replaces previous security specification, Wired Equivalent Privacy • The culmination of three and a half years of work by the IEEE 802.11i Task Group • Amendment adds stronger encryption, authentication, and key management strategies that go a long way toward guaranteeing data and system security
802.11i • 802.11i • Figured replace WEP, so defines a new standard – not backwardly compatible • New type of wireless network • RSN – Robust Security Network • Access point only allows RSN capable devices to join • Uses Advanced Encryption Standard (AES) • 802.1x and EAP – for authentication • Security protocol that RSN builds on AES is called the Counter Mode CBC MAC Protocol (CCMP) • AES is not compatible with older hardware and will require devices to upgrade hardware • Because users might not want to upgrade, 802.11i defines • Transitional Security Network – TSN • Allows both RSN and WEP systems to operate in parallel
WPA Transition to 802.11i • Implemented because … • Can’t upgrade many existing WEP devices • Stronger crypto operations endorsed by 802.11i not supported in hardware • WPA could be accomplished with software upgrades • Figured it would be some time before 802.11 networks fully RSN • WPA was designed to be compatible with 802.11i and was based on its early draft specifications • To avoid conflicting standards when 802.11i became standard
WPA Transition to 802.11i • WPA specification published in 2002 • First products produced in 2003 • Still implemented in many home and office networks when full 802.11i is not • WPA consists of three main • components: • TKIP, 802.1x, and MIC • Each component was designed and implemented to address specifics 802.11 weakness • Talk about 802.1x next time …
WPA Improvements • Better than WEP • Data still encrypted using RC4 stream cipher but … • Increased WEP key from 40 to 128 bits • Makes brute force attacks on WEP key impossible • Would take longer than life of the Universe • Doubled the size of IV from 24 to 48 bits • Now capable of 281 trillion different IV keys • Take over 1000 years to repeat a key with a 128-bit key and a 48-bit initialization vector (IV)
WPA Improvements • Better than WEP • Mutual authentication • AP and client both authenticate to each other • Prevents rogue access points from performing Man-in-Middle attacks • Uses 802.1x framework for enterprise wireless networks • Message Integrity Code (MIC) • Prevents messages from being tampered with
WPA Improvements • Better than WEP • Changes keys • Automatically on a regular basis • Happens often enough to keys can’t be reverse engineered • Uses protocol called TKIP • Temporal Key Integrity Protocol
WPA • Recognizes two types of networks • Large corporate networks • Small office/Home network • Difference in how keys are handled • Centralized Radius server for corporate network • Uses 802.1X framework for authentication • Pre-shared keys for small/home office • Manually distribute keys • Authentication done from Access point
TKIP • TKIP new link layer encryption protocol • Major motivation of TKIP was WEP • Purpose of TKIP, upgrade WEP security • But, constrained to use TKIP on same hardware • TKIP’s per-packet key construction is necessary to correct WEP’s misuse of RC4 • Recall that WEP constructs a per-packet RC4 key by concatenating a base key and the packet IV • Does not change base keys very often
TKIP • TKIP is a suite of algorithms wrapping WEP • Achieve best security given hardware constraints • TKIP adds new algorithms to WEP: • A cryptographic message integrity code, or MIC, called Michael, to defeat forgeries • A per-packet key mixing function, to de-correlate the public IVs from weak keys • A rekeying mechanism, to provide fresh encryption and integrity keys, undoing the threat of attacks from key reuse
TKIP • The new per-packet key construction • TKIP key mixing function • Substitutes a temporal key for WEP base key • Temporal keys are so named because they have a fixed lifetime and are replaced frequently • Keys are used by • WEP encryption engine and • Michael MIC algorithm
Michael an MIC • Literature calls this type of code • Message Authentication Codes, or MACs • Since IEEE 802 had already appropriated the acronym MAC to mean “media access control,” had to use MIC • Message Integrity Code • Every MIC has three components • Secret authentication key K (shared only between the sender and receiver) • Tagging function • Verification function
Michael an MIC • Tagging function takes • Key K and a message M as its inputs • Generates a tag T, also called the message integrity code, as its output • Protecting a Message • Protocol protects message M from forgery by having sender compute tag T and send it with the message M • To check for a forgery, receiver inputs K, M and T into the verification function • Function evaluates to TRUE if tag T is what should have been produced by tagging algorithm, and FALSE otherwise
Michael an MIC • If verification indicates FALSE • Message is a failed forgery • If the verification function returns TRUE • Message is presumed authentic • An MIC is considered secure if • Infeasible for an attacker to select the correct tag for some new, never-seen-before message M, without knowing, key K
Michael an MIC • Michael algorithm key is 64-bits • Represented as two 32-bit little-Endian words (K0,K1) • The Michael tagging function first pads a message with the hex value 0x5a and enough zero pad to bring the total message length to a multiple of 32-bits • Then partitions result into a sequence of 32-bit words • M1 M2 … Mn, and • Finally computes tag from the key and message words using a simple iterative structure: • (L,R) ← (K0,K1) • do i from 1 to n • L ← L XOR Mi • (L,R) ← b(L,R) • return (L,R) as the tag • b is a simple function built up from rotates, little-Endian additions, and bit swaps
Michael an MIC • The Michael verification function • Reruns the tagging function over the message • Returns the result of a bit-wise compare of locally computed tag and tag received with the message
TKIP Key Mixing • TKIP process begins with 128-bit "temporal key“ • Shared among clients and access points • TKIP combines temporal key with client's MAC address and then adds relatively large 16-byte initialization vector to produce key that will encrypt the data • This procedure ensures that each station uses different key streams to encrypt data • TKIP changes temporal keys every 10,000 packets
TKIP Key Mixing • Key mixing Steps • Derives unique key for each frame • Key derived from IV, MAC address of frame, and temporal key • Key mixing function • Involved but based on simple operations • Has 2 phases
TKIP Key Mixing • Phase 1 • Input • Sender’s MAC address, high order 32 bits of IV, 128 bit temporal session key • Output • 80 bit value, easy operations, addition, shifts and XOR • Phase 2 • Input • Takes phase 1 result, temporal session key, 16 low order bits of sequence IV • Output • 28 bit RC4 key, can be used as a WEP seed, 16 low order bytes used to generate WEP IV • Middle byte used to avoid generating weak Rc4 keys
TKIP Key Generation • Phase 1 • Combines 802 MAC address of the local wireless interface and the temporal key • Iteratively XORing each of their bytes to index into an S-box1 • Adding local MAC address to temporal key causes different stations and access points to generate different intermediate keys • Even if they begin from same temporal key!
TKIP Key Generation • Phase 1 • This construction forces stream of generated per-packet encryption keys to differ at every station • Phase 1 intermediate key must be computed only when temporal key is updated, so most implementations cache its value as a performance optimization
TKIP Key Generation • Phase 2 • Uses small cipher to “encrypt” packet sequence number under intermediate key, producing a 128-bit per-packet key • The tiny cipher has a Feistel structure, which means its inner loop implements a transformation of the form (L, R) → (R, L XOR f(R)) • Can be implemented using simple operations • XORs, shifts, rotates, and table look-ups - all cheap operations for processors commonly in 802.11 devices • This design makes it difficult for an adversary to correlate IVs and per-packet keys
TKIP Key • Phase 1: Senders MAC address, 128 temporal session key, and upper 32 bits of IV are hashed together • Phase 2: Lower 16 bits of IV is hashed to produce per-packet key • d is a dummy byte designed to avoid weak keys.
WPA and Client Association • Stronger keys + added authentication • Clients and AP’s have different way of associating • Slightly more complex • Don’t need new 802.11 hardware
Client Association with WPA • The following steps show how clients associate to 802.11 network • Station’s Supplicant - Software handles WPA connection - Requests permission to associate with network AP • Supplicant and AP - Ask each other questions - Determine what functionality each supports Example: Can AP handle Radius authentication?
Client Association with WPA • AP and supplicant - Authenticate each other • Once client authenticated - Supplicant and AP do key exchange - 4 way handshake, establishes keys used to encrypt and secure wireless connection between client and AP - Large network, keys come from Radius server - Uses protocols like EAPOL on corporate - SOHO network, keys derived from preshared key Client is now on network, traffic is encrypted!
References 802.11 Security Series by Jesse Walker http://cache-www.intel.com/cd/00/00/01/77/17769_80211_part2.pdf An Overview of 802.11 Wireless Network Security Standards & Mechanisms by Luis Carlos Wong, Sans reading room https://www2.sans.org/reading_room/whitepapers/wireless/1530.php?id=1530&cat=wireless
Finish Next time: 802.1X Authentication, EAP, etc Reading: See Course Notes