310 likes | 434 Views
802.11 Security Past, Present, and Future. Chris Shutters, CISSP February 2004 wshutters@unixsecurity.us. What We Will Cover. Introduction - What is 802.11? Relationship Between 802.11 and Wi-Fi Original 802.11 Security Goals Original 802.11 Security Original Vulnerabilities Tools
E N D
802.11 SecurityPast, Present, and Future Chris Shutters, CISSP February 2004 wshutters@unixsecurity.us
What We Will Cover • Introduction - What is 802.11? • Relationship Between 802.11 and Wi-Fi • Original 802.11 Security Goals • Original 802.11 Security • Original Vulnerabilities • Tools • How to Secure Original 802.11 • Current 802.11 Security • WPA Protocol Stack • Future 802.11 Security • Final Thoughts
Introduction - What is 802.11? • A set of standards for wireless networking • Addresses LANs where devices • Communicate over ‘airwaves’ (radio or infrared) • Are within (relatively) close proximity to each other • Wireless devices may communicate • Directly with each other (independent or ad-hoc networks) • Via an Access Point (AP) (infrastructure mode) • Data rates • 802.11b: up to 11 Mbps (2.4 GHz frequency range) • 802.11a: up to 54 Mbps (5 GHz frequency range) • 802.11g: up to 54 Mbps (2.4 GHz frequency range)
Relationship Between 802.11 and Wi-Fi • 802.11 is a series of standards produced by the IEEE • Specify technical details such as: • Radio frequencies • Modulation methods • Protocol messages • Wi-Fi is an alliance of major 802.11 manufacturers • Focus is on interoperability testing • Interoperability is defined by a set of “gold standard” products • Products are tested and certified as Wi-Fi compliant
Original 802.11 Security Goals • Authorization • Verify that all mobile stations are authorized to access the network • Privacy • Implement security such that there is no privacy difference between wireless and wired LANs • Maintain data privacy from all unauthorized stations
Original 802.11 Security • Two authentication methods available • Open system authentication • Station 1 sends Service Set ID (SSID) to station 2 • Station 2 accepts or rejects station 1 based on knowledge of SSID • APs can be configured to accept the broadcast SSID • Thus allowing anyone to access the AP • Shared key authentication • Stations respond to an authentication challenge from an AP or other device • AP sends a challenge to be encrypted by the station • Station encrypts the challenge with shared key • AP decrypts challenge and grants or denies authentication based on decryption results
Original 802.11 Security (cont.) • Wired Equivalent Privacy (WEP) • Encryption algorithm: RC4 (symmetric stream cipher) • Requires shared key for all communicating stations • Key length: either 40 or 104 bits (plus 24 bit initialization vector [IV]) • Each data frame is encrypted separately with a different IV • Key management: not addressed by 802.11 • WEP key details • RC4 encryption key is constructed by appending IV to shared key • 224 possible encryption keys for each shared key
Original 802.11 Security (cont.) • Data integrity is protected with a Message Integrity Code (MIC) • The 32-bit Cyclic Redundancy Check (CRC-32) algorithm was chosen to implement the MIC • Bad choice, as CRC-32 was originally designed to detect random changes to data, not to protect against malicious tampering • An attacker can reliably change both the data and the CRC-32 value such that the CRC-32 matches the altered data
Original Vulnerabilities • Traffic sniffing • Easier to perform on wireless than on traditional wired LANs • SSID is always sniffable when stations associate to an AP • If WEP is not being used • Plaintext data frames can be sniffed • If WEP is being used • Ciphertext data frames can be sniffed • Accumulation of ciphertext data leads to many interesting attacks • For APs connected to other LANs • Broadcast traffic should be available • Vulnerable to ARP spoofing
Original Vulnerabilities (cont.) • Insertion – connecting an unauthorized station into a Wireless LAN • Easy if WEP not being used • Try broadcast SSID • Sniff SSID and use it to gain access • Request DHCP address • If no DHCP, try a 192.168.1.x address • If WEP is being used • Can still do many things… • Authentication problems • Currently, authentication only performed by SSID or WEP key • Both of these methods may be sniffed and duplicated
Original Vulnerabilities (cont.) • WEP problems • Inappropriate choice of encryption algorithm • With stream ciphers, it is unsafe to ever reuse a key • Key management problems • Because this issue is not addressed by 802.11, the shared key is rarely if ever changed • Keyspace problems • Reuse of IVs is inevitable • For randomly-selected IVs: due to Birthday Paradox, it is 99% likely that at least one IV will be reused every 12,500 frames • On a moderately loaded AP, keyspace will be exhausted in a few hours • Capture of large amounts of frames can lead to compromise of shared key
Original Vulnerabilities (cont.) • Known plaintext attacks • If the plaintext and corresponding ciphertext of a message can be obtained, the RC4 keystream for that IV can be recovered • As discussed before, the shared key authentication method does this for us! • Note: No knowledge of the shared key is required, except the fact that it hasn’t changed • Once at least one RC4 keystream has been recovered, one can • Authenticate to the network • Insert messages into the network
Original Vulnerabilities (cont.) • Often, attacker can inject known plaintext • HTTP requests • PING packets • Known plaintext in a packet allows immediate recovery of the keystream for that particular IV! • A Decryption Dictionary can be assembled • Table indexed by IV that contains recovered keystreams • Approximately 23 GB required for 24 bit IVs • Dictionary is the same size for 40 and 104 bit encryption! • When a new packet that uses a known IV is captured, just look up the keystream and decrypt the data! • Many implementations reset IVs to zero when initialized, and sequentially increment IVs • In this case the dictionary won’t have to be very big to be able to decrypt a significant percentage of traffic
Original Vulnerabilities (cont.) • Misconfiguration • Default SSID not changed • Broadcast SSID not disabled • Default passwords not changed • WEP not enabled
Tools • NetStumbler (http://www.netstumbler.com/) • Windows application that sniffs for presence of wireless traffic • When it detects traffic, it logs • MAC address • SSID • Manufacturer • Channel • WEP enabled (yes or no) • Signal strength • Signal to noise ratio • If you have GPS data available, it will also log coordinates
Tools (cont.) • AiroPeek NX (http://www.wildpackets.com/products/airopeek_nx) • Commercial 802.11 sniffer and analyzer • Performs full decode of all 802.11 traffic as well as higher-level network protocols
Tools (cont.) • AirSnort (http://airsnort.shmoo.com/) • Wireless LAN WEP key recovery program • Sniffs and stores traffic until key can be computed • Typically requires capture of between five to ten million encrypted packets • Implements attack against RC4 Key Scheduling Algorithm Weakness (http://downloads.securityfocus.com/library/rc4_ksaproc.pdf) • This is commonly known as the FMS attack (for the initials of the discoverers of the attack) • Looks for frames that were encrypted with “weak” RC4 keys (approximately 3,000 out of the 16+ million possible keys) • Once approximately 2,000 “interesting” frames have been gathered, the key can be computed
Tools (cont.) • Kismet (http://www.kismetwireless.net/) • Linux program for sniffing wireless traffic • Will log the following information • Networks found • Captured packets in binary format (suitable for later replay and analysis) • Cryptographically “weak” packets (like AirSnort) • IP address blocks in use (via ARP and DHCP analysis) • All Cisco products that announce themselves via Cisco Discovery Protocol (CDP)
How to Secure Original 802.11 • Place the WLAN in a DMZ and require VPN authentication for access to internal systems • Systems may still be individually attackable by rogue mobile stations • Enable WEP • Use 128 bit WEP encryption • Change shared keys on a regular basis • Change default SSID • Don’t make SSID something obvious (company name, street address, etc) • Disable acceptance of “broadcast SSID” • Disable broadcasting of SSID • Change default passwords on all equipment • If possible, restrict access by MAC addresses • Consider not using DHCP (statically assign addresses)
Current 802.11 Security • Wi-Fi Protected Access (WPA) is the current “state of the art” in 802.11 security • Why? To specifically address WEP weaknesses in a timely manner • Most existing equipment can implement WPA with a firmware update • First, use of the Temporal Key Integrity Protocol (TKIP) is specified • CRC is replaced with a MIC called Michael • New algorithm • Compromise between security and ability to be implemented in current hardware • Can potentially be brute-forced • However, countermeasures are implemented to detect and respond to brute-force attacks
Current 802.11 Security (cont.) • IV size increased from 24 to 48 bits • IVs mandated to be used in sequential order • IV rollover or reuse won’t happen for hundreds of years • IV is also used as a replay detector/preventer • The secret key used to encrypt packets is changed for every packet, using Per-Packet Key Mixing • Static Master and Session keys exist, but they are not directly used to encrypt packets • Thus, the tactic of accumulating large amounts of ciphertext to attack a static secret key will no longer work • Countermeasures • The countermeasure against a Michael brute-force attack is to halt all network traffic on the attacked device for one minute • This limits attacker to one attempt per minute • The network interruptions should (in theory) be noticed by network support personnel
Current 802.11 Security (cont.) • Second, use of the Extensible Authentication Protocol (EAP) is specified • This is a simple protocol, designed to transport arbitrary authentication information (originally designed for dialup) • For communication between mobile station and AP, EAP over LAN (EAPOL) is used • For communication between AP and authentication server, EAP over RADIUS is used • Third, use of the 802.1X protocol is specified • 802.1X was designed to implement access control at the point where a user joins the network • Multiple lower-level protocols can implement 802.1X • WPA specifies EAPOL as the 802.1X protocol used between mobile station and AP • WPA specifies RADIUS as the 802.1X protocol used between AP and authentication server
Current 802.11 Security (cont.) • Please note that 802.1X has been shown to be vulnerable to man-in-the-middle and session hijacking attacks (http://www.cs.umd.edu/~waa/1x.pdf) • Fourth, use of Transport Layer Security (TLS, the RFC standardized version of SSL) is specified • TLS is transported over EAP • It is utilized specifically for authentication • This implies existence of a PKI infrastructure for managing keys and certificates • May be non-trivial to implement such an infrastructure • Fifth, specific methods of cryptographic key management are specified • Each authenticated mobile station receives: • A pairwise key that is used to protect communications between it and the AP • A group key that is used to protect broadcast or multicast data
WPA Protocol Stack Security Communication Between Mobile Station and Access Point TLS (RFC2246) TLS over EAP (RFC2716) EAP (RFC2284) 802.1X EAPOL 802.11
WPA Protocol Stack (cont.) Security Communication Between Access Point and Authentication Server TLS (RFC2246) TLS over EAP (RFC2716) EAP (RFC2284) EAP over RADIUS (RFC2869) RADIUS (RFC2865) TCP/IP 802.3 (or other)
Future 802.11 Security • The 802.11i standard is close to being finalized and published • WPA was designed to be upwardly compatible with 802.11i • 802.11i defines a Robust Security Network (RSN) • RSN utilizes almost all of the protocols specified in WPA, but includes some additional changes/options • First, use of the Advanced Encryption Standard (AES) is required, • This replaces RC4 • AES can not be implemented in the majority of existing hardware
Future 802.11 Security (cont.) • Second, the WPA MIC is replaced by Cipher Block Chaining – Message Authentication Code (CBC-MAC) • This is a new implementation of CBC-MAC using AES, but based upon previous implementations of CBC-MAC using other crypto algorithms • Third, TKIP is replaced by Counter Mode – CBC-MAC Protocol, or CCMP (RFC 3610) • This is basically an implementation of a protocol similar to TKIP, only based on AES instead of RC4 • What RC4 is to TKIP, AES is to CCMP
Future 802.11 Security (cont.) • Fourth, multiple additional upper-layer authentication mechanisms (at the same layer as TLS) are specified • Kerberos V5 (RFC 1510) is a well-known, centralized authentication and authorization system • Protected EAP (PEAP) provides a way to do EAP negotiation while not exposing authentication tokens (e.g. passwords, password hashes, or identity credentials) to sniffing attacks • Currently a draft internet standard (http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-07.txt) • EAP-SIM is based on an authentication method used in cellular networks
Final Thoughts • Original 802.11 networks can be secured, but it is not easy • WPA is a dramatic improvement over original 802.11 security • 802.11i will likely be even better, but implementation will almost assuredly require updated hardware • Questions?