Wireless network security standard
Presentation

1 The evolution of WLAN Security
2 Basic Wireless Security Features of IEEE 802.11
3 Enhanced Security Features
4 Comparison of the Standards
5 Conclusion and Recommendations for Wireless LAN Security

by: Jörg Grünauer at 30.06.05
http://134.91.24.143/~gruenauer

1 The evolution of Wireless network Security
WLAN Security Standards

1997: The original 802.11 standard only offers
- SSID (Service Set Identifier)
- MAC Filtering (Media Access Control)
- and WEP (Wired Equivalent Privacy)
1999: Several industry players form WECA (Wireless Ethernet Compatibility Alliance) for rapid adoption of 802.11 network products.
2001: Fluhrer, Mantin and Shamir identify some weaknesses in WEP. IEEE starts Task Group i.
2002: WECA is renamed to Wi-Fi.
2003: Wi-Fi introduced Wi-Fi Protected Access (WPA).
- Intended as an interim solution for the weaknesses of WEP.
- Contains some parts of IEEE 802.11i.
2004: WPA2 was introduced.
- It is based on the final IEEE 802.11i standard.
- Was ratified on June 25.

2 Basic Wireless Security Features of IEEE 802.11

2.1 (Extended) Service Set Identity, (E)SSID

"The name of the wireless network"
Two variants of the SSID:
- Ad-hoc wireless network (called IBSS, Independent Basic Service Set): clients without an AP use the SSID.
- Infrastructure network (called ESS, Extended Service Set): networks that include an AP use the ESSID.
Each client should be configured with the correct (E)SSID.
APs have an "any" function:
- Access without an SSID is possible.
- The AP sends beacon frames: the SSID is broadcast.
Weakness: the STA sends the SSID in the clear, so sniffing is possible.

2.2 User authentication

802.11 defines two subtypes of authentication service:
-> Open System authentication, the simplest algorithm.
- Authenticates anyone who requests authentication.
- Provides a NULL authentication process.

Initiator -> Responder: Authentication request
Responder -> Initiator: Authentication response

2.2 User authentication
-> Shared-Key authentication
- Distinguishes members who know the shared key from members who do not.
- Weakness: the shared-key process can be sniffed.

Initiator -> Responder: Authentication request
Responder -> Initiator: "challenge" text string
Initiator: WEP encryption of challenge text
Initiator -> Responder: "challenge" text string, encrypted with shared key
Responder: WEP decryption of encrypted text
Responder -> Initiator: Positive / negative response based on decryption result

2.3 MAC-Filtering

Clients are identified by the worldwide unique hexadecimal MAC address of the 802.11 NIC.
MAC addresses are listed in the AP.
Weakness:
- Addresses are easily sniffed by an attacker: they appear in the clear, even if WEP is enabled.
- The MAC address can be changed with software.

2.4 Wired Equivalent Privacy (WEP)

Three Security Goals
- Access Control: ensure that the communication partners are who they claim to be.
- Data integrity: ensure that packets are not modified in transit over the air.
- Confidentiality: ensure that the content of wireless traffic is protected from an eavesdropper through encryption.

2.4.1 Structure of WEP

A secret key is used to encrypt packets.
CRC integrity check (ICV): ensures that packets are not modified in transit.
- Compute CRC32 over the plaintext data.
- Append the CRC to the data: (data+CRC)
- Pick a random IV and concatenate it with the secret key: (k+IV)
- Input (k+IV) into RC4 to generate a pseudo-random key stream.
- Send the IV to the peer by placing it in front of the ciphertext: C = (data+CRC) xor RC4(k+IV)

2.4.1 RC4 in WEP

WEP uses the Ron's Code 4 (RC4) pseudo-random generator (PRG), developed at RSA Laboratories.
Secret key K:
- The shared key is entered manually (it is not transmitted).
- 40 bit (the reason was US exportability) or later 104 bit
Initialisation Vector IV:
- Ensures different random numbers
- 24 bit
- Transmitted in the clear in front of the ciphertext (IV+C)
Symmetric: the same key is used for encryption and decryption.
The key stream is independent of the plaintext.
Encryption and decryption are fast (~10 times faster than DES).
RC4 is simple (see http://www.deadhat.com/wlancrypto/ ).

2.4.2 Weakness of the WEP
• Oct 2000: Jesse Walker of Intel published "Unsafe at any key size; An analysis of the WEP encapsulation".
• Mar 2001: Scott Fluhrer, Itsik Mantin, Adi Shamir: "Attacks on RC4 and WEP", "Weaknesses in the Key Scheduling Algorithm of RC4"

2.4.2 Weaknesses in WEP

Keys:
- The key length of 40 bit
- No key management. Cons: error-prone, keys are rarely changed.
WEP confidentiality is insecure (IV reuse)
- 24 bit IV, AP with 1500 byte/packet and 11 Mbit/s: 1500*8/(11*10^6)*2^24 = 18300 sec ~ 5 hrs
- C1 xor C2 = P1 xor RC4(k,IV) xor P2 xor RC4(k,IV) = P1 xor P2
- Knowing C1 and C2, it is possible to get the XOR of the two plaintexts.

2.4.2 Weaknesses in WEP

WEP data integrity is insecure (CRC checksum)
- An attacker constructs C_new = RC4(k,IV) xor ((M+CRC(M)) xor (D+CRC(D))), which will decrypt to M_new with a valid CRC(M_new):
  C_new = (M_new+CRC(M_new)) xor RC4(k,IV)
Weak IVs
- Have the form (A+3, N-1, X), where A is the index into k, N is mostly 256 and X can be nearly 60 different values.
- Iterate over possible weak IVs over a sequence of data packets until the RC4 key is found.
- More details in "Weaknesses in the Key Scheduling Algorithm of RC4"
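
The IV-reuse identity (C1 xor C2 = P1 xor P2) and the CRC construction from the two slides above, worked through in Python as an added example that is not part of the original slides. The key, IV and messages are constructed sample values, and the RC4 seed is built as IV followed by key, the order 802.11 uses for the concatenation the slides write as (k+IV).

```python
import zlib

def rc4(seed: bytes, n: int) -> bytes:
    """RC4 keystream: key scheduling (KSA), then n output bytes (PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """CRC32 integrity check value, 4 bytes little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    body = data + icv(data)                           # (data+CRC)
    return iv + xor(body, rc4(iv + key, len(body)))   # IV in clear before C

def wep_decrypt(key: bytes, frame: bytes):
    iv, c = frame[:3], frame[3:]
    body = xor(c, rc4(iv + key, len(c)))
    return body[:-4], body[-4:] == icv(body[:-4])     # (data, ICV valid?)

def modify_without_key(frame: bytes, d: bytes) -> bytes:
    """XOR (D, CRC(D)) into C; CRC32 is affine, so CRC(0..0) is folded in."""
    patch = d + xor(icv(d), icv(bytes(len(d))))
    return frame[:3] + xor(frame[3:], patch)

# Constructed sample values (not from the slides): 40 bit key, one repeated IV.
KEY, IV = bytes.fromhex("0102030405"), bytes.fromhex("a1b2c3")
P1, P2, P1_NEW = b"seq=01;v=10", b"hello world", b"seq=01;v=99"
C1, C2 = wep_encrypt(KEY, IV, P1), wep_encrypt(KEY, IV, P2)

# IV reuse: the keystream cancels, leaving P1 xor P2 without any key material.
LEAK = xor(C1[3:], C2[3:])[:len(P1)]
# CRC malleability: the altered frame still passes the receiver's ICV check.
FORGED = modify_without_key(C1, xor(P1, P1_NEW))
```

`wep_decrypt(KEY, FORGED)` returns the changed message with a valid ICV, which is why TKIP and CCMP replace the CRC with a keyed MIC.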

3 Enhanced Security Features

3.1 WEPplus

The first interim solution came from Lucent Tech.
Based on the observation of how tools analyse the captured data in order to calculate the shared WEP key.
Backward compatible, with a software update.
Generates IVs for RC4 without weak IVs appearing.
Idea: weak IVs are widely known, so they are simply skipped during encryption.
A collision of identical IVs can at least be delayed -> only a slight improvement.
Acceptable at least for home users.
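
A sketch of the weak-IV skipping idea, as an added Python example that is not Lucent's implementation and not part of the original slides. It assumes a sequential 24 bit IV counter whose most significant byte is the first IV byte, and treats every IV of the form (A+3, N-1, X) from section 2.4.2 as weak; `audit` applies the same test to a constructed list of observed IVs to check whether a sender filters them.

```python
def is_weak_iv(iv: int, key_len: int, n: int = 256) -> bool:
    """True if the IV bytes have the form (A+3, N-1, X), 0 <= A < key_len."""
    first, second = (iv >> 16) & 0xFF, (iv >> 8) & 0xFF
    return second == n - 1 and 3 <= first < 3 + key_len

def iv_sequence(start: int, count: int, key_len: int):
    """Yield `count` IVs from a 24 bit counter, skipping weak-form values."""
    iv, emitted = start & 0xFFFFFF, 0
    while emitted < count:
        if not is_weak_iv(iv, key_len):
            yield iv
            emitted += 1
        iv = (iv + 1) & 0xFFFFFF      # the counter still wraps after 2^24

def usable_ivs(key_len: int) -> int:
    """IVs left after filtering: reuse is delayed by the filter, not prevented."""
    return (1 << 24) - 256 * key_len

def audit(observed, key_len: int):
    """Return observed IVs that a weak-IV-avoiding sender would never emit."""
    return [iv for iv in observed if is_weak_iv(iv, key_len)]

# Constructed sample: IVs as they might be logged from one access point.
OBSERVED = [0x000001, 0x03FF10, 0x0AFF00, 0x10FF22, 0x04FE00]
FLAGGED_40 = audit(OBSERVED, key_len=5)     # 40 bit key: A in 0..4
FLAGGED_104 = audit(OBSERVED, key_len=13)   # 104 bit key: A in 0..12
```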

3.2 Wi-Fi Protected Access (WPA)

Addresses most of WEP's weaknesses.
Needed as soon as possible!
Interim solution for the replacement of WEP.
Works with existing 802.11 hardware (a firmware update will be required).
Is a subset of 802.11i, so forward compatible.
Cross-vendor compatible.
Goals:
- improved encryption
- user authentication
2 modes:
- WPA Enterprise: TKIP/MIC; 802.1X/EAP
- WPA Personal: TKIP/MIC; PSK

3.2.1 Wi-Fi Protected Access (WPA) Enterprise Mode

Authentication: IEEE 802.1X/EAP
- Central management of user credentials.
- An AAA server is required.
- Uses the RADIUS protocol for AAA and key distribution.
- Carries the authentication conversation between STA and RADIUS server.
- Supports multiple authentication methods, based on passwords or digital certificates.
- Examples: TLS, TTLS: certificate-based methods. PEAP, LEAP: password-based methods.

3.2.1 Wi-Fi Protected Access (WPA) Enterprise Mode

Encryption: TKIP
- Designed as a wrapper around WEP.
- Uses the same RC4 engine used by WEP.
- Includes a MIC (called Michael) at the end of each plaintext message to ensure that messages are not spoofed.
Components:
- MIC
- TSC (sequence counter)
- Per-packet key mixing

3.2.1 Wi-Fi Protected Access (WPA) Enterprise Mode

Encryption: TKIP / MIC
- Uses a 64 bit key.
- Partitions packets into 32 bit blocks.
- Applies shifts, XORs and additions to each 32 bit block to get a 64 bit authentication tag.
- Michael is calculated over the data and the source and destination addresses (SA / DA).
• MIC = Michael_key(SA,DA,PlainMSDU)
• Prevents capturing, altering and resending data packets.

3.2.1 Wi-Fi Protected Access (WPA) Enterprise Mode

Encryption: TKIP / TSC
- The IV is extended to 48 bits.
- In reality 32 bits are added to the 24 bits of WEP, but 8 bits are not used.
- It is used as a sequence counter (TSC), starts from 0 and is incremented by 1 for each MPDU.
- TSC1 and TSC0, the lower 16 bits of the IV, are the sequence number in Phase 2.
- TSC2-TSC5, the upper 32 bits of the IV, are incremented by one after the lower IV wraps around, and are used in Phase 1.

3.2.1 Wi-Fi Protected Access (WPA) Enterprise Mode

Encryption: TKIP / Key-Mix
- Not a simple concatenation of IV and key.
- Phase 1: 128b_res = Mix1(128bTK, 48bitMAC, UpperIV32b)
- Ensures a unique key if clients share the same key.
- Phase 2: 128b_perpacketkey = Mix1(res1, LowerIV16b)

3.2.1 Wi-Fi Protected Access (WPA) Enterprise Mode

Encryption: Benefits by TKIP
- A unique key is used to encrypt every packet: keys are stronger.
- 280 trillion possible keys.
- IV: 48 bit length, reduces IV reuse.
- The IV is sent encrypted.
- The MIC replaces the CRC check.
- An upgrade with firmware is possible for WEP hardware.

3.2.2 Wi-Fi Protected Access (WPA) Personal Mode

Encryption: TKIP
Authentication: Pre-shared key (PSK)
- Special mode (with no 802.1X infrastructure).
- A passphrase is entered on all STAs and the AP (the master key is calculated from it).
- Based on a four-way key handshake:
- First pair: STA and AP exchange random values (nonces).
- Second pair: the AP instructs the STA to install the calculated key, the STA confirms -> the AP does the same.
- Configuration of the passphrase is similar to WEP.
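
How the master key and the per-session keys come out of the passphrase and the two nonces, as an added Python example that is not part of the original slides. It uses the 802.11i derivations (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, then the "Pairwise key expansion" PRF); the message-2 layout, its HMAC-SHA1 MIC stand-in, the addresses and the fixed nonces are constructed simplifications for the demonstration.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """256 bit master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce) -> bytes:
    """512 bit pairwise key (TKIP): KCK | KEK | TK | Michael keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)

def handshake(ap_pass, sta_pass, ssid, aa, spa, anonce, snonce):
    """First pair of the four-way handshake; returns (MIC ok?, temporal key)."""
    # Message 1, AP -> STA: ANonce. The STA now has both nonces.
    sta_ptk = derive_ptk(pmk_from_passphrase(sta_pass, ssid), aa, spa, anonce, snonce)
    msg2 = b"msg2|" + snonce                       # constructed frame layout
    mic = hmac.new(sta_ptk[:16], msg2, hashlib.sha1).digest()[:16]
    # Message 2, STA -> AP: SNonce + MIC keyed with the KCK (first 16 bytes).
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_pass, ssid), aa, spa, anonce, snonce)
    expect = hmac.new(ap_ptk[:16], msg2, hashlib.sha1).digest()[:16]
    ok = hmac.compare_digest(mic, expect)
    # Messages 3 and 4 (second pair) tell both sides to install the key.
    return ok, (ap_ptk[32:48] if ok else None)

# Constructed sample values; real nonces come from a random source (os.urandom).
SSID, AA, SPA = "example-net", bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
GOOD = handshake("correct horse battery", "correct horse battery", SSID, AA, SPA, ANONCE, SNONCE)
BAD = handshake("correct horse battery", "wrong passphrase", SSID, AA, SPA, ANONCE, SNONCE)
```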

3.3 WPA2 / 802.11 Task Group i

WPA is/was a compromise solution; WPA2 is 802.11i.
802.11i uses the concept of a Robust Security Network (RSN).
Biggest difference: AES is used for encryption.
Usually AES encryption is performed in hardware.
It is available in two modes, like WPA:
- Enterprise Mode:
  - authentication: 802.1X/EAP
  - encryption: AES-CCMP
- Personal Mode:
  - authentication: PSK
  - encryption: AES-CCMP

3.3.1 WPA2 / 802.11i AES-CCMP

AES is a symmetric key cipher with a block size of 128 bits and a key length of 128 bits.
Encryption includes 4 stages that make up 1 round.
- Each round is iterated 10, 12 or 14 times depending on the bit size; for WPA2, 10.
AES uses the Counter-Mode/CBC-MAC Protocol (CCMP).
CCMP is a special dot11i encryption algorithm.
CCM is a combination of Cipher Block Chaining Counter (CBC-CTR) and Message Authenticity Check (CBC-MAC).

3.3.2 WPA2 / 802.11i CCMP CBC-CTR

- CBC-CTR encryption: an incrementing counter is encrypted with the AES-TK and XORed with the plaintext to create the data.
- A random nonce is the IV, called the PN value.
- The packet number (PN) is increased by 1 after each encryption.
- PN length < 2^48; it is contained in the CCMP MPDU.

3.3.3 WPA2 / 802.11i CCMP MPDU

- The encipher process expands the MPDU size by 16 bytes: 4 for the PN0-1/Key-ID field, 4 for PN2-5 and 8 for the MIC.
- The KeyID bit signals an extended PN of 6 bytes.

3.3.4 WPA2 / 802.11i CCMP CBC-MAC (1)

- Works by taking a 128 bit block of data and encrypting it with the CTR mechanism.
- Zero padding, if the plaintext is not a multiple of the AES block size: 16 - (100 mod 16) = n zero pads.
- The computation produces a 128-bit tag value.
- CCMP truncates the tag to the most significant 64 bits to form the MIC; the others are simply discarded.
- Forging this MIC: 1 in 10^19 chance.

3.3.4 WPA2 / 802.11i CCMP CBC-MAC (2)

3.3.5 CCMP Putting the Pieces together

Benefits:
- strong encryption
- provides data and header integrity
- provides confidentiality

4 Comparison of the standards

                  WEP              WPA               WPA2
Cipher            RC4              RC4               AES
Key Size          40 or 104bits    104bits perPack   128bits encry.
Key Life          24bit IV         48bit IV          48bit IV
Packet Key        Concatenation    TwoPhaseMix       Not Needed
Data Integrity    CRC32            Michael MIC       CCM
Key Management    None             802.1X/EAP/PSK    802.1X/EAP/PSK
Security Level

5 Conclusion and Recommendations for Security

Security is not a state, it is a continuous process!

Some hints to protect a WLAN from attack:
- Ensure compatibility: use hardware from one vendor, use Wi-Fi Certified devices.
- Change the default SSID and disable SSID broadcasting.
- Use MAC address authentication if you have a manageable number of clients and only some APs.
- Not only for enterprises: implement user authentication.
- Upgrade APs to use WPA or WPA2/802.11i.
- Enable and use WPA2 or WPA; or, for older hardware that supports WEP, enable this. Use it at least with 128 bit WEP.
- Change the WEP key frequently.

References and Literature

- http://www.wifi.org
- http://standards.ieee.org/wireless
- http://www.lancom.de (Techpaper)
- http://www.cisco.com
- http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy (etc.)
- http://en.wikipedia.org/wiki/Wireles_LAN (etc.)
- http://www.bsi.bund.de/literat/doc/wlan/wlan.pdf
- http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
- http://www.drizzle.com/~aboba/IEEE (etc.)
- http://www.wardrive.net/security/links (etc.)
- http://www.cs.umd.edu/~waa/wireless.html
- William A. Arbaugh, Narendar Shankar, Justin Wan: Your 802.11 Wireless Network has no Clothes; March 30, 2001
- Mike Radmacher: Sicherheits- und Schwachstellenanalyse entlang des Wireless-LAN-Protokollstacks; Diplomarbeit DII at the Uni-Duisburg-Essen in WS03/04
- Sebastian Papierok: Sicherheit in drahtlosen Netzwerken; Seminar at the Uni-Duisburg-Essen in WS04/05
- Scott Fluhrer, Itsik Mantin, Adi Shamir: "Attacks on RC4 and WEP", "Weaknesses in the Key Scheduling Algorithm of RC4"
- Prasad, Anand: 802.11 WLANs and IP networking: security, QoS, and mobility; Boston, Mass.; London: Artech House 2005; ISBN 1-580-53789-8