Ieee 802 11 network security
This presentation is the property of its rightful owner.
Sponsored Links
1 / 30

IEEE 802.11 Network Security PowerPoint PPT Presentation


  • 105 Views
  • Uploaded on
  • Presentation posted in: General

IEEE 802.11 Network Security. Rohit Tripathi Graduate Student. University of Southern California. Presentation Overview. IEEE 802.11 Network Security 802.11 Basics 802.11 Architecture 802.11 Security (WEP) WEP Vulnerabilities. Practical Implementation of Attacks.

Download Presentation

IEEE 802.11 Network Security

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Ieee 802 11 network security

IEEE 802.11 Network Security

Rohit Tripathi

Graduate Student.

University of Southern California.


Presentation overview

Presentation Overview

  • IEEE 802.11 Network Security

    • 802.11 Basics

    • 802.11 Architecture

    • 802.11 Security (WEP)

    • WEP Vulnerabilities.

    • Practical Implementation of Attacks.

    • Recent security advancements for Wi-Fi Networks.

    • Summary


What is ieee 802 11

What is IEEE 802.11?

  • IEEE Standard for Wireless LAN’s.

    • Ethernet(networking) capability over radio waves.

    • Increased Mobility and Flexibility.

      • Sometimes even more economical.

      • More practical.(e.g. Large halls, atriums,etc.)

  • 802.11b – 11 Mbps, 802.11g – up to 54Mbps, 802.11a – up to 54Mbps.

    • .11b/g at 2.4GHz radio frequencies. .11a at 5-6GHz.

    • Uses CSMA/CA (MAC protocol for shared Media).

    • Different Modulation schemes provides different data speeds.

    • Range – 100 -150 feet (approx.)


Terminology

Terminology

  • WLAN - Wireless Local Area Network.

  • AP – Access Point.

  • Station – Any device on wireless network.

  • SSID – Service Set Identifier(identifies a network name.).

  • MAC Address – Wireless LAN card address, 6 octets (xx.xx.xx.xx.xx.xx)


Ieee 802 11 network security

Infrastructure Network Mode

Picture from http://www.cse.ohio-state.edu/~jain/


802 11 architecture cont

802.11 Architecture (cont….)

  • Frame Types.

    • Data Frames: Used for Data Transmission.

    • Control Frames: Used for Media Access Control (RTS, CTS, ACK)

    • Management Frames: Used to exchange Management Information. (Beacon, Probe, Association, Authentication.)


802 11 standard security goals

802.11 Standard Security Goals

  • Create Privacy as achieved by a wired network (WEP – Wired Equivalent Privacy).

    • Parking Lot Attack!!.

  • Should Provide

    • Confidentiality: No eavesdropping.

    • Access Control: Deny access to unauthenticated stations.

    • Data Integrity: Prevent tampering with transmitted messages.

  • Research shows that none of the goals are achieved!!


Wep protocol

WEP Protocol

  • Wired Equivalent Privacy.

    • Link Layer Protocol.

    • Two subsystems.

      • WEP Authentication Technique.

        • Provides Access Control.

      • WEP Data Encapsulation Technique.

        • Data Integrity and confidentiality.


Wep authentication

Shared secret distributed out of band

Authentication Challenge (128 octets Nonce)

Authentication Result

Authentication Response (Nonce is RC4 encrypted under shared key)

Authentication Request

WEP Authentication

AP

STA

Decrypted nonce?

From IEEE: Overview of 802.11 Security.


Wep data encryption

WEP Data Encryption

  • Compute Integrity Checksum c(M) and append to original message M.

    • P = <M + c(M)>

  • Key-stream generated using RC4 encryption algorithm on a 24 bit IV concatenated to a pre-shared key (40-bit or 104-bit).

  • XOR “P” with Key-stream to produce ciphertext.

    • C = P  RC4(IV,K)

  • Transmit IV and Ciphertext.

  • Message

    CRC

    XOR

    Key stream = RC4(IV,K)

    IV

    Ciphertext

    Transmitted Data


    Wep data decryption

    WEP Data Decryption

    • Decryption (Reverse Process)

      • Extract IV

      • P’ = C  RC4(IV, K)

        = (P  RC4(IV,K)) RC4(IV,K)

        = P

    • Split P’ into <M’, c’> and re-compute the checksum c(M’) to see if it matches c’. Establishes message integrity.


    Attacks on wep

    Attacks on WEP

    • WEP allows IV to be reused with any frame

      • Same IV produces same key stream (RC4(IV,K)).

    • Risks of Key-stream Reuse.

      • Now If C1 = P1  RC4(IV, K)

        and C2 = P2  RC4(IV, K)

        then C1  C2 = (P1  RC4(IV, K))  (P2  RC4(IV, K))

        = P1  P2 (i.e. XOR of two plain texts)

      • Key-stream reuse to read encrypted traffic.

        • Known techniques to find out P1 and P2 given P1  P2.

        • Becomes easier with more intercepted packets using same IV value.


    Key stream reuse continued

    Key-stream reuse (continued…)

    • Decryption Dictionaries

      • Over time attacker can build a table of key-stream corresponding to each IV (Need known plaintext).

        • Helped by well defined protocol structures(IP headers, login sequence,etc.)

        • Attacker can transmit known plaintext (e.g. email spam) and intercept the cipher text to gain the key-stream.

    • Table size depends only on the IV length and not the key size.

      • Standard fixes IV size as 24 bits.

      • Gives a modest space requirement. E.g. 1500 bytes for each of the 2^24 possible IV’s needs 24GB.

      • Even first few thousands IV’s table can be effective in most cases because of most PMCIA cards reset IV value to 0 when reinitialized.


    Attacks on wep continued

    Attacks on WEP (continued…)

    • Message Modification

      • CRC is insufficient to detect message tampering (not a cryptographically secure authentication code).

      • Controlled modification of cipher-text possible without disrupting the checksum.

      • CRC is linear function i.e. c(x  y) = c(x)  c(y).

      • Original Cipher-text C = RC4(IV, K)  <M, c(M)>

      • Possible to find C’ that decrypts to a modified message M’ = M Δ

      • C’ = C  <Δ, c(Δ)> = RC4(IV, K)  <M, c(M)>  < Δ, c(Δ)> = RC4(IV, K)  <M Δ, c(M)  c(Δ)> = RC4(IV, K)  <M Δ, c(M Δ)> = RC4(IV, K)  <M’, c(M’)>

      • C’ decrypts to P  Δ, but with right checksum!!


    Authentication spoofing

    Challenge (Nonce- Plain Text)

    Response (Nonce RC4 encrypted under shared key)

    Authentication Request

    Authentication Spoofing

    • A challenge-response pair gives the key-stream.

    AP

    STA

    Decrypted nonce OK?

    • This key-stream can be used to encrypt any subsequent challenge.


    Ip redirection

    IP Redirection

    • For decrypting a ciphertext without knowing the key.

    • Trick the AP into decrypting ciphertext for the attacker.

      • Sniff an encrypted packet.

      • Modify the encrypted message so that the destination address is that of the attacker.(already shown that message modification is possible without any alarm.)


    Practical implementation of attacks

    Practical Implementation of Attacks

    • Till now we talked about retrieving the Key-stream.

    • But is it possible to recover the secret key(Ultimate Break)??

      • Fluhrer, Mantin and Shamir Attack.

        • RC4 – Key Scheduling Algorithm, Output Generator (PRGA).

        • Knowledge of IV and and first output byte gives information about the key bytes (called Resolved Cases).

      • Practical Implementation: AT&T Labs Tech Report.

        • Passive Attack.

        • Eased by the clear text transfer of IV.

        • Coding for the simulated Attack < 2 hours.

        • Full key recovered with 256 probable resolved cases.

        • Off the shelf hardware and software to capture packets.


    Practical attacks continued

    Practical Attacks (continued…)

    • Mounting the Attack

      • P  C = P  (P  RC4(IV,K)) = RC4(IV,K) i.e. Key-stream.

        • Got “P” from 802.2 Encapsulation header added to IP/ARP traffic.

      • 5/6 *10^6 packets to recover 128 bit key.(Very practical on a busy network.)

    • Improving the Attack

      • User Memorable pass-phrase used as key.

        • Check if the decoded key byte is an ASCII, number or punctuation.

    • Key recovered in reasonable time - Ultimate Break of WEP!!


    Conclusions

    Conclusions…..

    • Assume that the 802.11 link layer WEP offers no security.

    • Use E2E higher-level security mechanisms (IPSec, SSH).

    • Anyone within the physical range can access the network as a valid user.

    • Other kinds of Attacks: MAC spoofing, Jamming(DoS), Insertion Attacks(Rogue AP’s).

    • This paved the way for further research to create more secure WLAN’s.


    Wi fi protected access wpa

    Wi-Fi Protected Access(WPA)

    • Specification from Wi-Fi Alliance(2003)

      • Strong, standards-based, interoperable security for today’s Wi-Fi networks.

    • What needs to be addressed (~ flaws in WEP).

      • Weak User Authentication.

      • Weak Key Management.

      • Weak IV selection.

      • CRC is good for detecting random errors and not message tampering.

      • Additionally the new system should be backward compatible.


    Security mechanisms in wpa

    Security Mechanisms in WPA

    • Authentication (and Key Management).

    • Encryption.


    Authentication and key management

    Authentication and Key Management

    • Based on Extensible Authentication Protocol (EAP).

      • Supports many flavors of EAP.

      • Uses existing key (temporary keys) distribution methods such as KDC, Kerberos, Needham-Shroeder.

    • Can handle any form of user credentials.

      • Digital certificates, username and passwords, secure ID’s,etc.

    • Creates a framework where client workstations mutually authenticates with the Authentication Server (4 way handshake).


    Authentication process

    Associate

    EAP Identity Request

    EAP Identity Response

    EAP Identity Response

    EAP Auth Request

    EAP Auth Request

    EAP Auth Response

    EAP Auth Response

    EAP-Success

    Authentication Process

    AP

    Authentication Server

    STA

    From IEEE: Overview of 802.11 Security.


    Session key distribution

    Session Key Distribution

    • Kc and Ks: Long term Keys.(Only used once!!)

    • Kcs : Session Key. (Temporary)

    Authentication Server (~KDC)

    c,s,n

    {Kcs,s,n}Kc AND {Kcs,c,n}Ks

    C (Kc)

    AP s(Ks)

    {Kcs,c,n}Ks AND {data}Kcs


    Encryption

    Encryption

    • WPA uses Temporal Key Integrity Protocol (TKIP)

      • Dynamic Key (against static WEP key) distributed by Authentication Server.

      • Key size increased to 128 bits.

      • Change in WEP key requires manual work.

      • Already shown that intruder who collects enough encrypted data (with static WEP key) can exploit the system.

      • Sets up an hierarchy to generate more data encryption keys using the pair-wise key.(per packet key construction)

    • Uses Message Integrity Check(MIC) against CRC.

      • Provides strong mathematical function to check msg integrity.


    Wpa deployment

    WPA Deployment.

    • Can be installed as software upgrade on most Wi-Fi devices.

      • Clients require software upgrade to the NIC.

    • Enterprise would require an authentication server.

      • Typically Remote Authentication Dial-In-User Service (RADIUS)

    • Small Office and Home Office (SOHO) can use pre-shared key.

      • But still use strong TKIP encryption, per packet key construction.

    • All the upgrades (transition) can happen in steps.

      • Allows mixed mode.(though not recommended)


    The future wpa 2

    The Future: WPA-2

    • Existing WPA features.

      • TKIP encryption.

      • EAP authentication

    • Additionally use Advanced Encryption Standard(AES) for encryption.

      • Currently considered to be a very strong encryption algorithm.

      • Variable Key size of 128, 192 or 256 bits.

      • Drawback: Requires hardware upgrade.


    Summary

    Summary

    • 802.11 security does not meet any of its objectives.

    • Current Work to replace.

      • Authentication Scheme using 802.1X (EAP) and Kerberos.

      • Encryption scheme using AES.

      • Key management using established mechanisms.

    • Wi-Fi Alliance working on WPA2.


    References

    References

    • Nikita Borisov, Ian Goldberg, David Wagner, Intercepting Mobile Communications: The Insecurity of 802.11, ACM Mobicom 2001.

    • Adam Stubblefield, John Ioannidis, Aviel D Rubin, Using the Fluhrer, Mantin, and Shamir Attack to Break WEP, AT&T Labs Technical Report TD-4ZCPZZ, 2001.

    • Wi-Fi Alliance, Wi-Fi Protected Access, 2003.

    • http://grouper.ieee.org/groups/802/11/Tutorial/


    Questions

    Questions

    ???


  • Login