
FELK 19: Security of Wireless Networks *

FELK 19: Security of Wireless Networks *. Mario Čagalj, University of Split, 2013/2014. WiFi (In)Security – 2nd part. Assembled from different sources: Walker, Lehembre, Buttyan, ... Produced by Mario Čagalj. Introduction: IEEE 802.11i. We have seen that WEP is critically flawed


Presentation Transcript


  1. FELK 19: Security of Wireless Networks* Mario Čagalj, University of Split, 2013/2014.

  2. WiFi (In)Security – 2nd part Assembled from different sources: Walker, Lehembre, Buttyan, ... Produced by Mario Čagalj

  3. Introduction: IEEE 802.11i • We have seen that WEP is critically flawed • IEEE 802.11i defined to properly secure wireless LANs (2004) • Specifies robust security mechanisms for WLANs • Defines Transition Security Network (TSN) • Called WiFi-Protected Access (WPA) by WiFi-Alliance • Based on “new” TKIP (that uses “old” RC4 like WEP) • Backward compatibility (with old RC4-only hardware) • IEEE 802.1X authentication framework • More importantly defines a Robust Security Network (RSN) • Called WiFi-Protected Access 2 (WPA2) by WiFi-Alliance • Based on AES and optionally TKIP • Also uses IEEE 802.1X authentication framework

  4. Transition towards IEEE 802.11i • TKIP: Temporal Key Integrity Protocol • AES: Advanced Encryption Standard • MIC: Message Integrity Code • MAC: Message Authentication Code • EAP: Extensible Authentication Protocol • TLS: Transport Layer Security • LEAP: Light EAP (Cisco)

  5. Features of the IEEE 802.11i standard • What is new in IEEE 802.11i compared to WEP • Authentication and access control based on the IEEE 802.1X model • Flexible authentication framework EAP (Extensible Authentication Protocol) • “Proven” protocols can be used (e.g., TLS) • The authentication process results in a secret session key • Different functions use different keys that are derived from the session key • Encryption function significantly improved (AES, TKIP) • Message integrity protection significantly improved • AES-MAC and TKIP-MIC

  6. The IEEE 802.1X authentication model in WiFi [Figure labels: LAN (Internet), controlled port, AP, authentication server, mobile client, free (open) port] • Port-based Network Access Control • The mobile client requests access to services (it wants to connect to the network) • The AP controls access to services (controlled port) • Authentication server (AS) • The mobile client and the AS authenticate each other • The AS informs the AP that it may open the controlled port for the mobile client

  7. Operational phases of IEEE 802.11i [Figure: exchange between the mobile client (M), the access point (AP) and the authentication server (AS)] • Discovery of security capabilities • 802.1X authentication; result: M and AS generate the Master Key (MK) and derive the Pairwise MK (PMK) • Distribution of the PMK (e.g. via RADIUS) • 802.1X key management; result: M and AP verify the PMK and derive the Pairwise Transient Key (PTK); the PTK is bound to this M and this AP • Data protection (TKIP, CCMP/AES) • CCMP = Counter-Mode / Cipher Block Chaining Message Authentication Code Protocol, based on the AES block cipher

  8. Operational phases of IEEE 802.11i: home and ad hoc networks • No authentication server is present • Authentication based on a shared key (Pre-Shared Key, PSK) [Figure: exchange between the mobile client (M) and the access point (AP), with the PSK used instead of the PMK] • Discovery of security capabilities • IEEE 802.1X key management (PSK/PTK verification: “4-way” handshake) • Data protection (TKIP, CCMP/AES)

  9. Operational phases in IEEE 802.11i • Agreeing on the security policy • IEEE 802.1X authentication (absent in home nets) • Key derivation and distribution • Protecting data confidentiality and integrity

  10. Operational phases in IEEE 802.11i (1/4) • Agreeing on the security policy between M and AP • Security policy advertised in RSN IE (RSN Information Element) • E.g., use PSK (Pre-Shared Key) or 802.1X (auth prot.), TKIP or CCMP/AES, etc. Guillaume Lehembre, hakin9 6/2005
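An added example, not part of the original slides: a parser for the RSN IE that reports the advertised policy (group cipher, pairwise ciphers, authentication method) and lists any RC4-based ciphers still allowed. The field layout and suite numbers are taken from the IEEE 802.11i standard, not from the slides; the sample element is constructed, and the parser assumes all fields up to the AKM list are present.

```python
import struct

OUI = bytes.fromhex("000fac")            # IEEE 802.11 OUI used in suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _name(selector, table):
    """Map a 4-byte suite selector (3-byte OUI + 1-byte type) to a readable name."""
    if selector[:3] != OUI:
        return "vendor:" + selector.hex()
    return table.get(selector[3], "unknown:%d" % selector[3])

def _suite_list(body, off, table):
    """Read a little-endian 16-bit count followed by that many suite selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return [_name(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn_ie(ie):
    """Parse element ID 48 (RSN IE) into the advertised security policy."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) != 2 + ie[1] or ie[1] < 6:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:]
    (version,) = struct.unpack_from("<H", body, 0)
    group = _name(body[2:6], CIPHERS)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}

def legacy_ciphers(policy):
    """Return the RC4-based ciphers (TKIP, WEP) that the policy still allows."""
    allowed = [policy["group"]] + policy["pairwise"]
    return sorted({c for c in allowed if c in ("TKIP", "WEP-40", "WEP-104")})

# Constructed sample: mixed-mode AP with CCMP+TKIP pairwise, TKIP group, PSK.
SAMPLE_IE = bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac04" "000fac02"
                          "0100" "000fac02" "0000")

if __name__ == "__main__":
    policy = parse_rsn_ie(SAMPLE_IE)
    print(policy, "legacy ciphers:", legacy_ciphers(policy))
```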

  11. Operational phases in IEEE 802.11i • Agreeing on the security policy • IEEE 802.1X authentication (absent in home nets) • Key derivation and distribution • Protecting data confidentiality and integrity

  12. Operational phases in IEEE 802.11i (2/4) • IEEE 802.1X authentication • Based on EAP (Extensible Authentication Protocol) and the specific authentication method agreed earlier (in the 1st phase) Guillaume Lehembre, hakin9 6/2005

  13. IEEE 802.1X authentication (2nd phase) • EAP (Extensible Authentication Protocol) [RFC 3748] • carrier protocol designed to transport the messages of “real” authentication protocols (e.g., TLS) • very simple, four types of messages: • EAP request – carries messages from AS to M • EAP response – carries messages from M to the AS • EAP success – signals successful authentication • EAP failure – signals authentication failure • authenticator (AP) doesn’t understand what is inside the EAP messages, it recognizes only EAP success and failure • EAP is not an authentication method itself

  14. IEEE 802.1X authentication (2nd phase) • EAP (Extensible Authentication Protocol) • End-to-end transport between M and AS • AP proxies EAP between 802.1X and backend protocol between AP and AS (e.g. RADIUS) [Figure: protocol stacks of the mobile client, access point and authentication server. Labels: EAP-TLS; EAP; EAPoL (802.1X); EAP over RADIUS; 802.11; RADIUS; TCP/IP; 802.3 or other; “within the scope of IEEE 802.11i”] • RADIUS: Remote Authentication Dial In User Service

  15. IEEE 802.1X authentication (2nd phase) • EAPoL (EAP over LAN) [802.1X] • used to encapsulate EAP messages into LAN protocols (e.g., Ethernet) • EAPoL is used to carry EAP messages between the M and the AP • RADIUS (Remote Access Dial-In User Service) [RFC 2865-2869, RFC 2548] • used to carry EAP messages between the AP and the auth server • RADIUS is mandated by WPA and optional for RSN (WPA2) [Figure: the same protocol stacks of the mobile client, access point and authentication server as on slide 14]

  16. IEEE 802.1X authentication (2nd phase) • EAP in action [Figure: message sequence between M, AP and auth server; messages between M and AP are encapsulated in EAPOL, messages between AP and auth server are encapsulated in RADIUS] • EAPOL-Start • EAP Request (Identity) • EAP Response (Identity), relayed by the AP • EAP Request 1 / EAP Response 1, ..., EAP Request n / EAP Response n (embedded auth. protocol), each relayed by the AP • EAP Success, relayed by the AP
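An added example, not part of the original slides: a parser for the EAPOL and EAP headers seen on the M–AP link, plus the pass-through decision an authenticator makes, which depends only on the EAP code and never on the embedded method. Header layouts and type numbers follow IEEE 802.1X and RFC 3748; the frames and the identity "alice" are constructed, and `ap_handling` is a hypothetical helper name.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def parse_eap(pkt):
    """Parse an EAP packet: code, identifier, length, then type + data."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack_from("!BBH", pkt)
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    msg = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2):                    # only Request/Response carry a type
        if length < 5:
            raise ValueError("Request/Response without a type byte")
        msg["type"] = EAP_TYPES.get(pkt[4], pkt[4])
        msg["data"] = pkt[5:length]
    return msg

def parse_eapol(pdu):
    """Parse an EAPOL PDU: version, packet type, body length, body."""
    if len(pdu) < 4:
        raise ValueError("EAPOL header is 4 bytes")
    _version, ptype, length = struct.unpack_from("!BBH", pdu)
    if length > len(pdu) - 4:
        raise ValueError("truncated EAPOL body")
    msg = {"eapol": EAPOL_TYPES.get(ptype, ptype)}
    if ptype == 0:
        msg.update(parse_eap(pdu[4:4 + length]))
    return msg

def ap_handling(msg):
    """Pass-through authenticator: forward everything, react only to Success/Failure."""
    if msg["eapol"] == "EAPOL-Start":
        return "answer with EAP Request (Identity)"
    if msg.get("code") == "Success":
        return "forward; authentication succeeded"
    if msg.get("code") == "Failure":
        return "forward; authentication failed"
    return "forward without inspecting"

# Constructed frames: EAPOL-Start, EAP Response (Identity "alice"), EAP Success.
FRAMES = [bytes.fromhex("01010000"),
          bytes.fromhex("0100000a" "0201000a01") + b"alice",
          bytes.fromhex("01000004" "03020004")]

if __name__ == "__main__":
    for frame in FRAMES:
        parsed = parse_eapol(frame)
        print(parsed, "->", ap_handling(parsed))
```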

  17. IEEE 802.1X authentication (2nd phase) Examples of embedded authentication protocols • EAP-TLS (TLS over EAP) • only the TLS Handshake Protocol is used • server and client authentication via certificates, generation of master secret • TLS master secret becomes the session key • PEAP (Protected EAP) • phase 1: TLS Handshake without client authentication (only server’s certificate) • phase 2: client authentication protected by the secure channel from phase 1 • we will use it in our labs with WinSrv2008 • EAP-TTLS (used for securing FESB WiFi) • similar to PEAP (mainly different inner/client authentication) • we will use it in our demos • EAP-SIM, EAP-MD5, EAP-PSK and many others

  18. Example: FESB WiFi (EAP-TTLS and PAP) • Tunneled TLS over Extensible Authentication Protocol (EAP-TTLS) • Provides protection for initial authentication messages (plaintext passwords, e.g. PAP used by FESB) [Figure: message flow between the mobile client (M), access point (AP), TTLS server and authentication server (AS). Labels: certificate; no trust; trust; establishing an authentication TLS tunnel; TLS protected authentication; WLAN master session key; data traffic on secured link]

  19. IEEE 802.1X authentication summary • At the end of authentication: • The AS and M have established a session • The AS and M possess a mutually authenticated Master Key (derived from the concrete EAP method) • Master Key represents decision to grant access based on authentication • M and AS have derived PMK (Pairwise Master Key) • PMK is an authorization token to enforce access control decision at AP • AS has distributed PMK to an AP (hopefully, to the M’s AP)

  20. Operational phases in IEEE 802.11i • Agreeing on the security policy • IEEE 802.1X authentication (absent in home nets) • Key derivation and distribution • Protecting data confidentiality and integrity

  21. Operational phases in IEEE 802.11i (3/4) • Key derivation and distribution • At this stage M and AP both hold PMK (Pairwise Master Key) • They use it to derive a fresh PTK (Pairwise Transient Key) and GTK (Group Transient Key) Guillaume Lehembre, hakin9 6/2005

  22. Key derivation and distribution (3rd phase) • PTK (Pairwise Transient Key) – unique for this M and this AP Guillaume Lehembre, hakin9 6/2005

  23. Key derivation and distribution (3rd phase) • GTK (Group Transient Key) – for multicast, the same for all M’s Guillaume Lehembre, hakin9 6/2005

  24. Key derivation and distribution (3rd phase) • 4-Way Handshake (radio channel) • PTK = EAPoL-PRF(PMK, ANonce | SNonce | AP MAC Addr | M’s MAC Addr) Guillaume Lehembre, hakin9 6/2005

  25. Key derivation and distribution (3rd phase) • Key Management Summary • 4-Way Handshake • Establishes a fresh pairwise key bound to M and AP for this session • Proves liveness of peers • Demonstrates there is no man-in-the-middle between PTK holders if there was no man-in-the-middle between PMK holders • Synchronizes pairwise key use • Provisions fresh group key GTK to all mobile stations (for multicast traffic)

  26. Example: the 3 phases with PEAP + MS-CHAPv2

  27. Operational phases in IEEE 802.11i • Agreeing on the security policy • IEEE 802.1X authentication (absent in home nets) • Key derivation and distribution • Protecting data confidentiality and integrity

  28. Operational phases in IEEE 802.11i (4/4) • Protecting data confidentiality and integrity • IEEE 802.11i defines 3 protocols to protect data • TKIP (Temporal Key Integrity Protocol) • for legacy (old RC4 devices) • WPA • CCMP (Counter Mode with CBC-MAC Protocol) • uses AES • mandatory in WPA2 • WRAP (Wireless Robust Authenticated Protocol) • uses AES and patent-protected authenticated-encryption method OCB • optional in WPA2 • Three protocols instead of one due to politics

  29. Protecting data confidentiality and integrity (4th phase) • Data Transfer Requirements • Never send or receive unprotected packets • Message origin authenticity: prevent forgeries • Sequence packets: detect replays • Avoid rekeying: 48 bit packet sequence number • Protect source and destination addresses • Use one strong cryptographic primitive for both confidentiality and integrity

  30. Protecting data with TKIP • TKIP - Temporal Key Integrity Protocol • Works with old hardware (that supports RC4) • Solves all the security problems of the WEP protocol, e.g. • Extends the initialization vector (ext v) to 48 bits (WEP: 24 bits) to avoid repeating the same initialization vector • New integrity protection mechanism: Michael (Message Integrity Code) • The initialization vector, used as a counter, protects against “replay” attacks [Figure: frame formats. WEP: 802.11 hdr, Data, CRC → WEP-RC4(k, v) → 802.11 hdr, v, Data, CRC. TKIP: 802.11 hdr, Data, MIC, CRC → TKIP-RC4(PTK, ext v) → 802.11 hdr, ext v, Data, MIC, CRC]

  31. TKIP design • The Pairwise Transient Key (PTK) is 512 bits long • Encryption key = PTK bits 256-383 (128 bits) • Authentication key = PTK bits 384-511 (128 bits) • Message Integrity Code (8 bytes) • Protection against “replay” attacks • The initialization vector is incremented (+1) for every packet • A packet received out of sequence is discarded (…, n, n+1, n, …) • Encryption key mixing: deals with “weak” RC4 keys [Figure: the Michael algorithm takes the authentication key, the source MAC address, the destination MAC address and the data, and produces the MIC]

  32. Protecting data with CCMP • Based on AES in CCM mode • Counter Mode Encryption with CBC-MAC (Whiting, Ferguson and Housley) • Counter Mode encryption: C_i = P_i ⊕ E_K(counter + i); decryption: P_i = C_i ⊕ E_K(counter + i), on n-bit blocks • CBC-MAC over message blocks m_1, m_2, m_3, …, m_N: C_i = E_K(m_i ⊕ C_{i-1}), starting from the IV; MAC = C_N

  33. CCM Mode Overview • Use CBC-MAC to compute a MIC (Message Integrity Code) on the plaintext header, length of the plaintext header, and the payload • Use CTR mode to encrypt the payload • Counter values 1, 2, 3, … • Use CTR mode to encrypt the MIC • Counter value 0

  34. Protecting data with CCMP

  35. Protecting data with CCMP • CCM provides authenticity and privacy • A CBC-MAC of the plaintext is appended to the plaintext to form an encoded plaintext • The encoded plaintext is encrypted in CTR mode • CCM is packet oriented • CCM can leave any number of initial blocks of the plaintext unencrypted • CCM has a high security level • It is provably secure

  36. IEEE 802.11i: Pre-Shared Key (PSK) • No authentication server is present (e.g. home and ad hoc networks) • Authentication based on a shared key (Pre-Shared Key, PSK) [Figure: exchange between the mobile client (M) and the access point (AP), with the PSK used instead of the PMK] • Discovery of security capabilities • IEEE 802.1X key management (PSK/PTK verification: “4-way” handshake) • Data protection (TKIP, CCMP/AES)

  37. IEEE 802.11i: Pre-Shared Key (PSK) • No explicit authentication! • The IEEE 802.1X authentication exchange absent • Can have a single pre-shared key for entire network (insecure)… • …or one per STA pair (secure) • Password-to-Key Mapping • Uses PKCS #5 v2.0 PBKDF2 to generate a 256-bit PSK from an ASCII password • PMK=PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256) • Salt = SSID, so PSK different for different SSIDs • 4096 is the number of hashes used in this process
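An added example, not part of the original slides, covering both the password-to-key mapping above and the PTK derivation and TKIP key split from slides 24 and 31: the PSK is computed with PBKDF2, expanded into a 512-bit PTK, and sliced into its sub-keys. The PRF construction, the "Pairwise key expansion" label, the min/max ordering of addresses and nonces, and the first two key ranges are taken from the IEEE 802.11i standard rather than the slides; the MAC addresses and nonces are constructed.

```python
import hashlib
import hmac

def psk_from_passphrase(passphrase, ssid):
    """PMK = PSK = PBKDF2(password, SSID, 4096 iterations, 256 bits), HMAC-SHA1 inside."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """512-bit PTK bound to this AP, this client and both handshake nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)

def split_tkip_ptk(ptk):
    """Slice the PTK; the last two ranges are the ones given on slide 31."""
    return {"kck": ptk[0:16],     # bits 0-127: integrity of handshake messages (standard)
            "kek": ptk[16:32],    # bits 128-255: encrypts the GTK in transit (standard)
            "enc": ptk[32:48],    # bits 256-383: encryption key
            "auth": ptk[48:64]}   # bits 384-511: authentication (Michael) key

# Constructed sample values: MAC addresses and nonces are made up for the example.
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))

if __name__ == "__main__":
    pmk = psk_from_passphrase("password", "IEEE")
    ptk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    print("PMK:", pmk.hex())
    print({name: key.hex() for name, key in split_tkip_ptk(ptk).items()})
```

Because the SSID is the salt, the same passphrase yields a different PSK on every network name, while fresh nonces give a different PTK for every session under the same PMK.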

  38. Next time • Vulnerabilities of WPA, WPA2, IEEE 802.1X
