
Security of Wireless Networks

Security of Wireless Networks. Mario Čagalj, University of Split. WiFi (In)Security – 2nd part: Vulnerabilities of WPA and WPA2. Assembled from different sources: Walker, Lehembre, Buttyan, ... Produced by Mario Čagalj. Introduction: IEEE 802.11i.


Presentation Transcript


  1. Security of Wireless Networks. Mario Čagalj, University of Split

  2. WiFi (In)Security – 2nd part: Vulnerabilities of WPA and WPA2. Assembled from different sources: Walker, Lehembre, Buttyan, ... Produced by Mario Čagalj

  3. Introduction: IEEE 802.11i • We have seen that WEP is critically flawed • IEEE 802.11i defined to properly secure wireless LANs (2004) • Specifies robust security mechanisms for WLANs • Defines Transition Security Network (TSN) • Called WiFi-Protected Access (WPA) by WiFi-Alliance • Based on “new” TKIP (that uses “old” RC4 like WEP) • Backward compatibility (with old RC4-only hardware) • IEEE 802.1X authentication framework • More importantly defines a Robust Security Network (RSN) • Called WiFi-Protected Access 2 (WPA2) by WiFi-Alliance • Based on AES and optionally TKIP • Also uses IEEE 802.1X authentication framework

  4. Transition towards IEEE 802.11i • TKIP: Temporal Key Integrity Protocol • AES: Advanced Encryption Standard • MIC: Message Integrity Code • MAC: Message Authentication Code • EAP: Extensible Authentication Protocol • TLS: Transport Layer Security • LEAP: Light EAP (Cisco)

  5. IEEE 802.1X authentication model in WiFi [Figure labels: LAN (Internet), controlled port, AP, authentication server, mobile client, uncontrolled (open) port] • Port-based Network Access Control • The mobile client requests access to services (wants to connect to the network) • The AP controls access to services (controlled port) • Authentication server (AS) • The mobile client and the AS authenticate each other • The AS informs the AP that it may open the controlled port for the mobile client

  6. Vulnerabilities of home networks. Assembled from different sources: Walker, Lehembre, Buttyan, ...

  7. Operational phases of IEEE 802.11i: home and ad hoc networks • No authentication server is present • Authentication based on a shared key (Pre-Shared Key, PSK) [Figure: access point (AP) and mobile client (M), with the PSK used instead of the PMK; phases: discovery of security capabilities; IEEE 802.1X key management (verification of PSK/PTK, “4-way” handshake); data protection (TKIP, CCMP/AES)]

  8. Key derivation and distribution • PTK (Pairwise Transient Key) – unique for this M and this AP Guillaume Lehembre, hakin9 6/2005

  9. IEEE 802.11i: Pre-Shared Key (PSK) • No explicit authentication! • The IEEE 802.1X authentication exchange absent • Usually a single pre-shared key for entire network • Password-to-Key Mapping • Uses PKCS #5 v2.0 PBKDF2 to generate a 256-bit PSK from an ASCII password • PMK=PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256) • Salt = SSID, so PSK different for different SSIDs • 4096 is the number of hashes used in this process

  10. 4-Way Handshake (over a radio channel) • PTK = EAPoL-PRF(PSK, ANonce | SNonce | AP MAC Addr | M’s MAC Addr) [Figure label: PTK. Source: Guillaume Lehembre, hakin9 6/2005]

  11. Vulnerabilities of 4-way handshake (1/3) • Affects both WPA and WPA2 • Password-to-Key Mapping • Uses PKCS #5 v2.0 PBKDF2 to generate a 256-bit PSK from an ASCII password • PMK = PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256) • Salt = SSID, so PSK different for different SSIDs • 4096 is the number of hashes used in this process • Password length between 8 and 63 printable ASCII characters • Vulnerability • The PTK used in 4-way handshake derived from PSK and PSK = f(PWD) • 4-way handshake protected with PTK • 4-way handshake messages transmitted over a public radio channel

  12. Vulnerabilities of 4-way handshake (2/3) • The strength of PTK relies on the PSK • which effectively means on the strength of the password PWD • Offline brute-force and dictionary attacks possible • attacker captures (records) 4-way handshake (only first 2 messages; why?) • attacker performs brute-force or dictionary attacks (at home) • guesses or reads from the dictionary the candidate PWDtest • calculates • PSKtest = PBKDF2 (PWDtest, SSID, SSIDlength, 4096, 256) • PTKtest = EAPoL-PRF(PSKtest, ANonce | SNonce | AP MAC Addr | M’s MAC Addr) • PTKtest gives KCKtest (used for message authentication in 4-way handshake) • MICtest = MAC(KCKtest, public info) • if (MICtest == MICcaptured) output PWDtest as the password guess, else go to 1.

  13. Vulnerabilities of 4-way handshake (3/3) • How to capture the 4-way handshake? • Enter the monitoring mode • Discover nearby networks and associated clients • MAC addresses, WPA or WPA2, SSID • Disassociate clients to force them to run the 4-way handshake again • Use fake disassociation control packets (not protected by IEEE 802.11i) • Record the new 4-way handshake • e.g., using Aireplay • Go home and launch a dictionary attack • Aircrack

  14. Attack complexity • Depends on the entropy of passwords • Weak passwords easy to crack • Strong passwords • E.g., a random passphrase of 13 characters (selected from the set of 95 permitted characters) gives $95^{13} \approx 2^{85}$ • Slow hashing algorithm (PBKDF2 involves many iterations of HMAC-SHA1) • PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256) • In practice PBKDF2 forces the attacker to iterate SHA1 16,000 times • Increases the attacker’s cost (the time to test a single pwd) • E.g., slowing down the attacker by a factor of 3650 means that the effort of 1 day increases to 3650 days (10 years) • Unfortunately, people do not select 13 random characters!
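Added example (not part of the original slides): PBKDF2-HMAC-SHA1 written out step by step, so the cost of the password-to-key mapping on slides 9 and 14 can be counted rather than taken on trust. The passphrase and SSIDs are constructed sample values.

```python
import hashlib
import hmac

SHA1_LEN = 20  # bytes produced by one HMAC-SHA1 call

def pbkdf2_sha1_counted(password: bytes, salt: bytes, iterations: int, dklen: int):
    """PBKDF2-HMAC-SHA1 (PKCS #5 v2.0) written out step by step.

    Returns (derived_key, number_of_HMAC_calls) so the work factor is visible.
    """
    hmac_calls = 0
    key = b""
    blocks = -(-dklen // SHA1_LEN)          # ceiling: 32 bytes needs 2 blocks
    for index in range(1, blocks + 1):
        # U_1 = HMAC(password, salt || 32-bit big-endian block index)
        u = hmac.new(password, salt + index.to_bytes(4, "big"), hashlib.sha1).digest()
        hmac_calls += 1
        acc = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U_j = HMAC(password, U_{j-1}); the block is U_1 xor ... xor U_c
            u = hmac.new(password, u, hashlib.sha1).digest()
            hmac_calls += 1
            acc ^= int.from_bytes(u, "big")
        key += acc.to_bytes(SHA1_LEN, "big")
    return key[:dklen], hmac_calls

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit PSK as on the slides: PBKDF2(passphrase, SSID, 4096, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def sha1_calls_per_guess() -> int:
    """SHA-1 computations needed to turn one candidate passphrase into a PSK."""
    _, hmac_calls = pbkdf2_sha1_counted(b"constructed-pass", b"ExampleNet", 4096, 32)
    return hmac_calls * 2                   # each HMAC = one inner + one outer SHA-1

if __name__ == "__main__":
    key, calls = pbkdf2_sha1_counted(b"constructed-pass", b"ExampleNet", 4096, 32)
    assert key == wpa_psk("constructed-pass", "ExampleNet")   # agrees with hashlib
    print("HMAC calls:", calls, "SHA-1 calls:", sha1_calls_per_guess())
    # Same passphrase, different SSID (salt): an unrelated PSK.
    print(wpa_psk("constructed-pass", "ExampleNet") != wpa_psk("constructed-pass", "OtherNet"))
```

The 256-bit output needs two 160-bit blocks, each costing 4096 HMAC calls, which is where the SHA-1 count on the slide comes from.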

  15. Speeding up the dictionary attack • Recall the dictionary attack • attacker captures (records) 4-way handshake • attacker performs dictionary attacks (at home) • reads from the dictionary the candidate PWDtest • calculates • PSKtest = PBKDF2 (PWDtest, SSID, SSIDlength, 4096, 256) • PTKtest = EAPoL-PRF(PSKtest, ANonce | SNonce | AP MAC Addr | M’s MAC Addr) • PTKtest gives KCKtest (used for message authentication in 4-way handshake) • MICtest = MAC(KCKtest, public info) • if (MICtest == MICcaptured) output PWDtest as the password guess, else go to 1. [Slide callout: “This part is slow”]

  16. Speeding up the dictionary attack • Pre-compute the slow part (before attacking) and re-use against many networks • PSKtest = PBKDF2 (PWDtest, SSID, SSIDlength, 4096, 256) • Observe, nothing specific about the current session • Where can the attacker re-use the pre-computed data? • With networks sharing the same SSID • How much data does the attacker have to store? • It depends on the concrete attack implementation and targeted success probability • E.g. 100,000,000 passwords of average length 10 chars (letters and numbers) -> $2^{32}$ B, i.e. about 4 GB

  17. Securing against the dictionary attacks • To secure your network against these pre-computed dictionaries make sure that • Your SSID is unique (does not appear in the existing tables) • Your PWD is strong enough (sufficiently long and random :-)
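Added example (not part of the original slides): a configuration check for the two conditions on slide 17, a unique SSID and a strong passphrase, using the 95-character alphabet from slide 14. The SSID list, the word list and the 80-bit threshold are assumptions made for this example.

```python
import math
import string

PRINTABLE_ASCII = {chr(c) for c in range(32, 127)}   # the 95 permitted characters

# Constructed sample lists; a real audit would load much larger ones.
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink", "home"}
WORDLIST = {"password", "12345678", "qwertyuiop", "letmein123"}

def random_keyspace_bits(length: int, alphabet: int = 95) -> float:
    """log2 of the search space for a uniformly random passphrase."""
    return length * math.log2(alphabet)

def upper_bound_bits(passphrase: str) -> float:
    """Optimistic strength: assumes random choice within the character classes used."""
    if not passphrase:
        return 0.0
    used = set(passphrase)
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    alphabet = sum(len(c) for c in classes if used & set(c))
    if used - set("".join(classes)):
        alphabet += 33                      # punctuation and space: 95 - 62
    return random_keyspace_bits(len(passphrase), alphabet)

def audit_psk_network(ssid: str, passphrase: str, min_bits: float = 80.0) -> list:
    """List the weaknesses that make dictionary attacks on a PSK network practical."""
    issues = []
    if not 8 <= len(passphrase) <= 63 or not set(passphrase) <= PRINTABLE_ASCII:
        issues.append("passphrase is not 8-63 printable ASCII characters")
    if passphrase.lower() in WORDLIST:
        issues.append("passphrase appears in a dictionary")
    elif upper_bound_bits(passphrase) < min_bits:    # min_bits is an assumed threshold
        issues.append("passphrase search space is below %d bits" % min_bits)
    if ssid in COMMON_SSIDS:
        issues.append("SSID is common, so precomputed PSK tables may cover it")
    return issues
```

The bit count is an upper bound: it holds only if the characters were chosen at random, which is the caveat slide 14 ends on.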

  18. Vulnerabilities of enterprise networks. Assembled from different sources: Walker, Lehembre, Buttyan, ...

  19. IEEE 802.1X authentication model in WiFi [Figure labels: LAN (Internet), controlled port, AP, authentication server, mobile client, uncontrolled (open) port] • Port-based Network Access Control • The mobile client requests access to services (wants to connect to the network) • The AP controls access to services (controlled port) • Authentication server (AS) • The mobile client and the AS authenticate each other • The AS informs the AP that it may open the controlled port for the mobile client

  20. Operational phases of IEEE 802.11i [Figure: mobile client (M), access point (AP), authentication server (AS)] • Discovery of security capabilities • 802.1X authentication. Result: M and AS generate the Master Key (MK) and derive the Pairwise MK (PMK) • Distribution of the PMK (e.g., via RADIUS) • 802.1X key management. Result: M and AP verify the PMK and derive the Pairwise Transient Key (PTK); the PTK is bound to this M and this AP • Data protection (TKIP, CCMP/AES) • CCMP = Counter-Mode / Cipher Block Chaining Message Authentication Code Protocol, based on the AES block cipher

  21. Example: FESB WiFi (EAP-TTLS and PAP) • Tunneled TLS over Extensible Authentication Protocol (EAP-TTLS) • Provides protection for initial authentication messages (plaintext passwords, e.g. PAP used by FESB) [Figure: mobile client (M), access point (AP), TTLS server and authentication server (AS); trust labels: certificate, no trust, trust, trust; steps: establishing an authentication TLS tunnel; authentication; TLS-protected authentication; WLAN master session key; data traffic on secured link]

  22. Example: FESB WiFi (EAP-TTLS and PAP) • Validation of the authentication server based on certificate validation • Trusted issuing authority, matching certificate owner’s Common Name (CN) • Many PEAP (EAP-TTLS) deployments fail to deploy it properly • Malicious authentication server gains access to inner authentication methods • PEAP: MS-CHAPv2 • TTLS: MS-CHAPv2, CHAP, PAP, etc. [Figure: mobile client (M), access point (AP) controlled by the attacker (rogue AP), TTLS server; trust labels: no trust, trust, trust; steps: establishing an authentication TLS tunnel with the rogue AuthSrv; record session; TLS-protected inner authentication]

  23. How to properly set up PEAP-like authentication methods • PEAP: Pwned Extensible Authentication Protocol, by Joshua Wright and Brad Antoniewicz, ShmooCon 2008
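Added example (not part of the original slides): a check for the two server-validation conditions on slide 22, a trusted issuing authority and a matching server name, run over a client configuration. It assumes the client is wpa_supplicant; the sample configuration, SSIDs, paths and domain are constructed placeholders.

```python
import re

# Constructed sample wpa_supplicant.conf; names and paths are placeholders.
SAMPLE_CONF = '''
network={
    ssid="campus-unpinned"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
}
network={
    ssid="campus-pinned"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=PAP"
}
'''

# Options that bind the tunnel to one server name (the certificate owner check).
NAME_CHECKS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

def parse_networks(conf: str) -> list:
    """Parse each network={...} block into a dict of option -> value."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf, re.S):
        pairs = (ln.strip().split("=", 1) for ln in body.splitlines()
                 if "=" in ln and not ln.strip().startswith("#"))
        networks.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return networks

def audit_eap_networks(conf: str) -> dict:
    """Map SSID -> list of server-validation gaps for 802.1X networks."""
    report = {}
    for net in parse_networks(conf):
        if "eap" not in net:                # PSK and open networks are out of scope
            continue
        gaps = []
        if "ca_cert" not in net and "ca_path" not in net:
            gaps.append("no trusted CA: any server certificate is accepted")
        if not any(opt in net for opt in NAME_CHECKS):
            gaps.append("no server name check: any certificate from the CA is accepted")
        if gaps and "PAP" in net.get("phase2", "").upper():
            gaps.append("inner PAP sends the plaintext password to an unverified server")
        if gaps:
            report[net.get("ssid", "?")] = gaps
    return report
```

On the sample, only `campus-unpinned` is reported; the second network block shows the corrected form, with both the CA and the server name pinned.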

  24. Wi-Fi Protected Setup (WPS) Insecurities (home nets again) • A standard that attempts to allow easy establishment of a secure wireless home network • The standard allows four usage modes aimed at a home network user adding a new device to the network: • PIN Method (e.g., enter the PIN on AP into the client) • Push-Button-Method (a user simultaneously pushes a button on the AP and the client) • Near-Field-Communication Method (bring the client close to the AP) • USB Method • In December 2011 researcher Stefan Viehböck reported a design and implementation flaw that makes brute-force attacks against PIN-based WPS feasible to perform on WPS-enabled Wi-Fi networks • A successful attack on WPS allows unauthorized parties to gain access to the network • The only effective workaround is to disable WPS • Impossible on some APs
