1 / 43

Wireless LAN Security

Wireless LAN Security. Yen-Cheng Chen Department of Information Management National Chi Nan University ycchen@ncnu.edu.tw. Outline. Introduction WLAN Authentication WEP (Wired Equivalent Privacy) IEEE 802.1x Conclusion. 1. Introduction.

zoie
Download Presentation

Wireless LAN Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Wireless LAN Security Yen-Cheng Chen Department of Information Management National Chi Nan University ycchen@ncnu.edu.tw

  2. Outline • Introduction • WLAN Authentication • WEP (Wired Equivalent Privacy) • IEEE 802.1x • Conclusion

  3. 1. Introduction • Increasing popularity of IEEE 802.11 Wireless LANs (WLANs) • More laptops and PDAs equipped with WLAN interface. (Intel Centrinotm) • By 2005, over 80 percent of professional notebook PCs will have an WLAN interface. • Public Wireless LAN Hotspots • ISPs provide WLAN access services at airports, coffee shops, conference centers, shopping malls, …

  4. Comparisons among 802.11 Versions

  5. Wireless LAN Hotspots Coffee Shop Airport WLAN Adapter Internet : Access Point Conference Center

  6. Access Point Notebook PC Typical Wireless LAN Configuration Switch Router Internet/ Intranet Router WLAN Adapter Switch + PDA

  7. IEEE 802.11 Association Services • Three association services defined in 802.11 • Association Service: • Before a mobile client is allowed to send a data message via an AP, it shall first become associated with the AP. • Reassociation Service: • The reassociation service is invoked to “move” a current association from one AP to another. • Disassociation Service: • The disassociation service is invoked whenever an existing association is to be terminated.

  8. (1) Disassociate Associate Reassociate (3) (2) move leave A Scenario (1) Association (2) Reassociation (3) Disassociation Internet AP #2 AP #1

  9. Wired Network 802.11 Client Authentication

  10. 802.11 Client Authentication 1. Client broadcasts a probe request frame on every channel 2. Access points within range respond with a probe response frame 3. The client decides which access point (AP) is the best for access and sends an authentication request 4. The access point will send an authentication reply 5. Upon successful authentication, the client will send an association request frame to the access point 6. The access point will reply with an association response 7. The client is now able to pass traffic to the access point

  11. Security Threats • Data transmitted can be easily intercepted. • Signal coverage area cannot be well limited. • Intentional and non-intentional interference.  • User authentication to prevent unauthorized access to network resources • Data privacy to protect the integrity and privacy of transmitted data

  12. 2. WLAN Authentication • SSIDs (Service Set IDs) • Open Authentication • Shared Key Authentication • MAC Address Authentication

  13. SSIDs (Service Set IDs)

  14. SSIDs (Service Set IDs)

  15. Vulnerability of Using SSIDs • SSID can be obtained by eavesdropping.

  16. Open Authentication • Null authentication • Some hand-held devices do not have capabilities for complex authentication algorithms. • Any device that knows the SSID can gain access to the WLAN.

  17. Open Authentication with Differing WEP Keys

  18. Shared Key Authentication 1. The client sends an authentication request to the access point requesting shared key authentication 2. The access point responds with an authentication response containing challenge text 3. The client uses its locally configured WEP key to encrypt the challenge text and reply with a subsequent authentication request 4. If the access point can decrypt the authentication request and retrieve the original challenge text, then it responds with an authentication response that grants the client access

  19. Shared Key Authentication • Use of WEP key • Key distribution and management

  20. Shared Key Authentication Vulnerabilities • Stealing Key stream • WEP uses RC4 • Man-in-the-Middle Attack C = P  RC4(K) C  P = P  RC4(K)  P = RC4(K)

  21. Deriving Key Stream

  22. MAC Address Authentication • Not specified in 802.11 • Many AP products support MAC address authentication. • MAC address authentication verifies the client’s MAC address against a locally configured list of allowed addresses or against an external authentication server.

  23. MAC Address Filtering in APs

  24. MAC Authentication via RADIUS

  25. MAC Address Authentication Vulnerabilities • MAC Address Spoofing • Valid MAC addresses can be observed by a protocol analyzer. • The MACs of some WLAN NICs can be overwritten.

  26. 3. WEP (Wired Equivalent Privacy) • IEEE 802.11 Std. • Goals • Confidentiality • Access Control • Data Integrity • WEP Key: 64-bit, 128-bit

  27. WEP (Wired Equivalent Privacy) -- 4 Keys -- 104-bit key + 24-bit IV 104 bits

  28. (104 bits) (128 bits) (104 bits) (128 bits)

  29. WEP Vulnerabilities • Key attacks • Statistical key derivation – Several IVs can reveal key bytes after statistical analysis. • Secret key problems • Confidentiality attacks • Integrity attacks • Authentication attack

  30. IV Replay Attack

  31. Growing a Key Stream

  32. Keystream Reuse in WEP

  33. Keystream Reuse in WEP • WEP standard recommends that IV be changed after every packet. • Many WLAN cards reset the IV to 0 each time they were re-initialized, and then incremented the IV by one after each packet transmitted. • IV is only 24 bits wide. 1500 byte packets, 5 Mbps bandwidth half of a day

  34. 4. IEEE 802.1X • Port-Based Network Access Control • To provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics • To prevent access to that port in cases in which the authentication and authorization process fails. • 802.1X requires three entities: • The supplicant—resides on the wireless LAN client • The authenticator—resides on the access point • The authentication server—EAP server, mostly RADIUS server

  35. 802.1X in LANs • EAP-MD5 • EAP-TLS EAP: Extended Authentication Protocol RADIUS: Remote Authentication Dial In User Service

  36. Supplicant, Authenticator, and Authentication Server PAE: port access entity

  37. EAP-MD5 Supplicant Authentication Server Challenge Text MD5 (Password + Challenge Text) Accept / Reject

  38. EAP-TLS • TLS: Transport Layer Security • Use TLS public key certification mechanism within EAP. • Digital certificate signed by CA • Mutual Authentication • Client Certificate • Server Certificate • Key exchange / Dynamic session key

  39. Man-In-The-Middle Attack • Absence of Mutual Authentication

  40. Session Hijacking

  41. 5. Conclusion • IEEE 802.11i • TKIP: Temporal Key Integrity Protocol • AES: Advanced Encryption Standard • Certificate based authentication • EAP-TLS, EAP-TTLS, PEAP • Password authentication • LEAP, Diffie-Hellman exchange, • SPEKE: ZKPP(Zero Knowledge Password Proof)

  42. Reference “A Comprehensive Review of 802.11 Wireless LAN Security and the Cisco Wireless Security Suite” http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.pdf “Intercepting Mobile Communications: the Insecurity of 802.11”, Borisov, N., Goldberg, I., and Wagner, D., Proc. Of the 7th ACM International Conference on Mobile Computing and Networking, Rome, July 2001. “An Initial Analysis of the IEEE 802.1X Standard”, Mishra, A., Arbaugh, W. A., University of Maryland, February 2002. “IEEE Std 802.11 Wireless LAN Medium Access Control and Physical Layer Specifications” IEEE, 1999

More Related