1 / 39

WiFi Security

WiFi Security. Objectives. To understand data-oriented wireless and mobile networks and security systems : Data-oriented wireless networks Wireless LAN (WLAN, 802.11) World Interoperability for Microwave Access (WiMAX, 802.16) Bluetooth (IEEE 802.15) Security in WLAN

lsullivan
Download Presentation

WiFi Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WiFiSecurity

  2. Objectives • To understand data-oriented wireless and mobile networks and security systems: • Data-oriented wireless networks • Wireless LAN (WLAN, 802.11) • World Interoperability for Microwave Access (WiMAX, 802.16) • Bluetooth (IEEE 802.15) • Security in WLAN • Wired Equivalent Privacy (WEP) • Wi-Fi Protected Access (WPA, WPA 2 – IEEE 802.11i) • Summary Data-oriented Wireless NWs & Security

  3. Key Establishment in 802.11 • Rely on “pre-shared” keys between the mobile node or station (STA) and the Access Points (APs.) • So, there is NO key establishment protocol being used. • Problems • Manual configuration of keys -> So, open to manual error. -> Can not be expected to choose a “strong” key. • 802.11 allows each STA (and AP) in a Basic Service Set (BSS) to be configured with 4 different keys. -> 4 user groups  finer control over reliable STA recognition • In practice, use the same key across BSSs over the whole Extended Service Set (ESS.) -> Makes roaming easier and faster. More susceptible to compromise. Data-oriented Wireless NWs & Security

  4. Anonymity in 802.11 • 802.11 – “IP”-based networks • For a given IP address, it is very difficult to determine the identity of the subscriber, since • IP addresses are dynamically assigned using protocols such as DHCP (Dynamic Host Configuration Protocol) • NAT (Network Address Translation) creates two types of IP addresses (i.e., private IP address and global IP address) • Private IP address  NAT  Globally valid IP address • NOTE: In TWNs, the routing of a call is done using IMSI/TMSI (directly associated with the subscriber) Data-oriented Wireless NWs & Security

  5. Open System Authentication • “Default” Authentication Scheme • Allows any and all station to join the network (no authentication). • AP can enforcethe use of “Shared Key Authentication (SKA) Data-oriented Wireless NWs & Security

  6. Open System Authentication Data-oriented Wireless NWs & Security

  7. Shared Key Authentication • Based on “challenge-response” mechanism. • Two groups of STAs • group 1 : access allowed – shared a secret key with AP • group 2 : access not allowed Data-oriented Wireless NWs & Security

  8. Pre-Shared Key Data-oriented Wireless NWs & Security

  9. Problems with 802.11 Authentication • Authentication with shared key. • No way for the AP to reliably determine the exact identity of STA (only checking a “group” of STAs) • One-way Authentication • STA can not authenticate Network • Rouge APs can access virtually everything that the STA sends. • Suffers all drawbacks that WEP suffers. Data-oriented Wireless NWs & Security

  10. Pseudo Authentication • Allows only stations which know the network’s SSID to join the network: poses minimal challenge since the SSID of the network is often transmitted in the clear without encryption. Data-oriented Wireless NWs & Security

  11. MAC Address Filtering • Allows stations with certain MAC addresses to join the network: not a very secure authentication scheme since most wireless access cards used by stations allow the user to change their MAC address via software; Data-oriented Wireless NWs & Security

  12. WEP: Confidentiality in 802.11 • Step 1: Calculate Integrity Check Value (ICV), 4 bytes • ICV is the same as “Message Integrity Check” • Step 2: Select a “master key” • From one of the “four pre-shared secret keys” • Step 3: Obtain a “key seed” • - How? Select an IV, Concatenate it with the “master key” • Step 4: Generate cipher-text • Key seed is fed to an RC4 key generator • The resulting key stream is XORed with MPDU + ICV (step 1) • Step 5: A 4-byte header is appended to the encrypted packet • 3-byte IV value • 1-byte key-id (specifying one of four pre-shared secret keys being used as the “master key” WEP Packet MPDU: MAC Protocol Data Unit Data-oriented Wireless NWs & Security

  13. Data Integrity in 802.11 • To detect data modification • How? • Calculating ICV (Integrity Check Value) over the received data • Comparing it with the ICV attached in the message • ICV : CRC-32 (Cyclic Redundancy Check 32 bits) • Not cryptographically computed -> Weak. Data-oriented Wireless NWs & Security

  14. Problems in WEP • Using a “stream cipher in synchronous mode” (RC4) for encrypting data packets • Requires that “key generators” at the two communicating nodes MUST BE kept “synchronized” (Why? The loss of a single bit of a data stream causes the loss of ALL data following the lost bit!) • In wireless environment, data loss is widespread. • WEP’s approach: Apply encryption/decryption per packet basis. [Changing the problem: from the “session” level to the “packet” level] • Require to use unique key for every packet. • WEP key = {IV||master key}, 64 bits • Per-packet key : simple concatenation of IV (24 bits) and master key (40 bits) • Master Key: fixed (no change), every packet contains it! • IV: to be sent in clear text Data-oriented Wireless NWs & Security

  15. Loopholes in 802.11 Security • Does not provide any key establishment mechanism • WEP use synchronous stream cipher– difficult to perform synchronization during the entire session. • Use per-packet key. (IC || preshared key)=weak key • Limited key space. • Changing the IV with each packet is optional, making key reuse highly probable. • No support for STA to authenticate the network. Data-oriented Wireless NWs & Security

  16. WEP Confidentiality Issues • First, the IV size at 24 bits was too short – key space is only 16,777,216; • Second, WEP did not specify how to select an IV for each packet; • Third, WEP did not even make it mandatory to vary the IV on a per-packet basis — this means WEP explicitly allowed reuse of per-packet keys. • Fourth, there was no mechanism to ensure that the IV was unique on a per station basis -- thus making a collision even more likely. • Finally, simply concatenating the IV with the pre-shared key to obtain a per-packet key is cryptographically unsecure, making WEP vulnerable to attacks. Data-oriented Wireless NWs & Security

  17. Problems in WEP (2/2) • IV reuse -> chance of duplicate IV Data-oriented Wireless NWs & Security

  18. WPA Data-oriented Wireless NWs & Security

  19. WPA • IEEE Task group : 802.11i security standard • Use AES as default mode • WPA2 • Not backward compatible • Wi-Fi Alliance (major 802.11 vendors) • Aim to ensure product interoperability • To improve the security of 802.11 network without requiring a hardware upgrade. • Temporal key Integrity Protocol (TKIP) – known as WAP • Include the key management and the authentication architecture(802.1X) specified in 802.11i. • WPA: TKIP (confidentiality), MICHAEL (integrity) • WPA2: AES (confidentiality, integrity) Data-oriented Wireless NWs & Security

  20. Temporal Key Integrity Protocol TKIP was designed to provide backward compatibility with WEP; Has to operate with WEP hardware, which is dedicated to WEP implementation since software implementations of WEP are too slow. To be precise, the WEP encryption process is implemented in hardware. One of the most severe constraints for TKIP designers was that the hardware engine cannot be changed. Data-oriented Wireless NWs & Security

  21. Key Hierarchy in 802.11 • WEP: 2-tier Key Hierarchy • WPA: 3-tier Key Hierarchy • PMK (Pair-wiseMaster Key): Two ways • (1) using 802.1X – usually for “enterprise” • (2) without using 802.1X (via manual administration) – usually for “home” • PTK (Pair-wise Transient Keys): a set of “session keys” (4 of them) • At the beginning of new session (STA <-> AP) Data-oriented Wireless NWs & Security

  22. PMK  PTK Data-oriented Wireless NWs & Security

  23. PTK  Per-Packet Key • Goal: To obtain the per-packet key • Key Idea: Key Mixing in 2 separate phases • Phase 1: the session data encryption key is “combined” with the high order of 32 bit of the IV and the MAC address • Phase 2: output of phase 1 is “combined” with the lower order 16 bits of the IV and fed to phase 2 (to generate the 104-bit per packet key). • Note: (1) The key-mixing function makes it very hard for an eavesdropper to correlate the IV and the per-packet key used to encrypt the packet. Data-oriented Wireless NWs & Security

  24. PTK  Per-Packet Key Data-oriented Wireless NWs & Security

  25. WPA Confidentiality Improvements • TKIP doubles the IV size from 24 bits to 48 bits – increasing the time to key collision from a few hours to a few hundred years; • Using the per-packet key mixing function (much more complicated) instead of simply concatenating the IV to the master key to generate the per-packet key increases the effective IV size (and hence improves on WEP security) while still being compatible with existing WEP hardware. Data-oriented Wireless NWs & Security

  26. Why should the same key not be used? • When used with frequency analysis technique, it is often enough to get enough information about the two plaintext. • If P1 (one of plaintext) is known, P2 can be calculated easily. • WAP Key Space: 64bit key • 40bit is fixed, 24bit IV  224 key space. • 1500 byte-packet @ 11Mbps : {(1500*8) * 224 } / 11*106 = 5.08 hr Data-oriented Wireless NWs & Security

  27. WPA Integrity • Using MICHAEL protocol -- not computation intensive so that it can be used on existing WEP hardware which has very little computation power. • However, it is not cryptographically secure; • If a TKIP implementation detects two failed forgeries in one second, the STA assumes that it is under attack and as a countermeasure deletes its keys, disassociates, waits for a minute and then re-associates. • IV can also be used as a TKIP Sequence Counter (TSC) – avoid replay attack to which WEP was susceptible. Data-oriented Wireless NWs & Security

  28. TKIP Overall Picture Data-oriented Wireless NWs & Security

  29. WAP vs. WEP Data-oriented Wireless NWs & Security

  30. WAP vs. WEP Data-oriented Wireless NWs & Security

  31. WPA2 (IEEE 802.11i) Data-oriented Wireless NWs & Security

  32. Key Establishment & Authentication • Key-establishment and the key hierarchy architecture • WPA and WPA2 are almost identical • WPA2 use the same key for encryption and integrity protection. • Authentication • Identical with WPA. • Pre-shared or 802.1X. Data-oriented Wireless NWs & Security

  33. AES Data-oriented Wireless NWs & Security

  34. Confidentiality • AES counter mode • Ci = Mi XOR EK( i ) • Security lies on the counter. • Counter value should not be repeated with same key, the system is secure. - fresh key for every session. Data-oriented Wireless NWs & Security

  35. Integrity • AES CBC-MAC protocol. • AES-CCMP(counter-mode CBMC-MAC) Data-oriented Wireless NWs & Security

  36. Confidentiality + Integrity Data-oriented Wireless NWs & Security

  37. WPA2 Overall Picture Data-oriented Wireless NWs & Security

  38. WEP vs WAP vs WPA2 Data-oriented Wireless NWs & Security

  39. WEP vs WAP vs WPA2 Data-oriented Wireless NWs & Security

More Related