1 / 20

802.11b overview

Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering. 802.11b overview. Not originally designed for the business world No load balancing

hbrainard
Download Presentation

802.11b overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Wireless SecurityBy Robert Peterson M.S. C.E.Cryptographic ProtocolsUniversity of FloridaCollege of Information Sciences & Engineering

  2. 802.11b overview • Not originally designed for the business world • No load balancing • SSID was intended to be used much like a strong password (long, non-meaningful strings, symbols) • Access Points (APs) broadcast ‘Beacon Frames’ periodically. SSID scans were not an intended feature of the standard.

  3. There are two types of security in 802.11b • An authentication standard for connecting to an access point • Wireless Encryption Protocol (WEP) which encrypts each wireless data frame

  4. Access Point Authentication There are two choices: • Open Authentication (none) • Shared Key Authentication: a) user sends request to AP b) user receives ChallengeText c) user sends back {ChallengeText}WEP_Key The encryption method used is called RC4 RC4 is a symmetric stream cipher with an arbitrary key size. RC4 was created by Ron Rivest of RSA Security in 1987.

  5. Shared Key Authentication is horrible • A WEP key is just 40 bits and malicious party has access to RC4 (open standard), the ciphertext, and plaintext! • Over all possible RC4 keys, the statistics for the first few bytes of output keystream are strongly non-random. • Every source I read said that open authentication is far safer then Shared Key Authentication (SKA). Why is SKA dangerous to keep on?

  6. Wireless Encryption Protocol (WEP) • Every wireless frame is encrypted with a global 40-bit WEP key and a generated 24-bit number called an initialization vector (IV) • It is completely insecure. You don’t need anything other then a regular wireless card to compromise everything.

  7. Plaintext P = RC4(iv,k) + Cipher text C Checksum c(M) Message M Vulnerability 1 • RC4 is a stream cipher • Produces a stream of keys that is XORed with the plain text • Susceptible to “key stream re-use” attacks 

  8. A Property of Stream Ciphers • Observe: Suppose we are given: C1 = P1 RC4(iv, k) C2 = P2 RC4(iv, k) Then: C1C2 = P1 RC4(iv, k) P2 RC4(iv, k) = P1 P2 • XORing two cipher texts together gives the XOR of the two plain texts!! • C1C2 = P1 P2

  9. Consequences of Observation • Given P1, C1 and C2, you can calculate P2 • In the real world, it is possible to recover P1 and P2 given C1, C2, and P1 P2 using • classical techniques (frequency analysis) • known formats (IP header) • secure and insecure broadcast packets Just observed that: C1C2 = P1 P2

  10. How to fix this problem? • The vulnerability exists because the same key stream is used for both p1 and p2 • Simple fix: change the key stream! • This is done by changing the initialization vector used for each packet • Augment the plain text portion of each packet with its initialization vector • WEP recommends that this be done • In practice, this does NOT prevent key stream reuse attacks!!

  11. IV was an idiotic fix to keep RC4 • Easy to find re-used initialization vectors • Sent as plain text • Management problems • WEP does not specify how it is chosen • Most simply start at 0 upon boot, and increment by 1!!! • WEP specifies that the initialization vector is only 24 bits • Essentially guarantees re-use • WEP does not require changing the initialization vector. • Can stay the same!

  12. Now decryption is easy • Decryption dictionary: • Once the plain text is known from vulnerability 1, the key stream is also known • RC4(iv,k) = C P • An attacker can store this key stream in a table indexed by the initialization vector • Assuming 1.5KB for each of the 224 initialization vectors, this table would only be 24GB • Once created, decryption is easy • This attack is not affected by key size

  13. Vulnerability 2 • Key Management • WEP does not specify how the secret key is distributed • In practice, the key is manually entered • For convenience, most sites use a single shared key • Increases the probability of initialization vector reuse • Due to inconvenience, keys are rarely changed in practice

  14. Vulnerability 3 • WEP does not provide access control • Once a key stream is found, the attacker can inject any messages into the network • Can calculate CRC-32 checksum • Can encrypt message + checksum using the known key stream • This defeats the WEP authentication protocol • Simple challenge-encrypt-reply-decrypt-compare protocol

  15. Proposed Solutions • Use 128-bit WEP Key – still suxors, who cares? IV is the source of attacks not WEP • Rotational WEP Keys – Global Key and Rotating Session keys each encrypted with previous one. Helps but IV still weak link. • MAC address filtering – management nightmare, MAC addresses can be sniffed out of frames

  16. VPN • Each client is configured with a VPN client and tunneled over the wireless network to a VPN concentrator on the wired network • Malicious party just ignores the tunnel! • Some clients have the option to battle with the Operating System and only allow traffic to go through the tunnel, but not common place

  17. 802.11X • New authentication protocol (replaces Shared Key Authentication) • Steps: (1) Client requests connection from AP (2) AP asks for “credentials” (3) AP sends credentials to a RADIUS Server RADIUS = Remote Authentication Dial-In User Service The secure protocol for supplying credentials must follow the 802.11X Extensible Authentication Protocol (EAP) standard

  18. Some EAP implementations • EAP-MD5 - one of the first implementations - passes a hash of a username/password pair to the RADIUS Server - Doesn’t prevent current WEP Attacks • EAP-Cisco Wireless, or LEAP - A one-time WEP key is used to validate credentials - RADIUS has session timeout feature

  19. The Future? IEEE is working on 802.11i, which will go beyond just ratifying authentication which is what 802.11X did - MAC addresses will be reworked - Temporal Key Integrity Protocol (TKIP). Generates new encryption keys for every 10 kilobytes of data transmitted. Still uses WEP and RC4.

  20. References ars technica Wireless Security Black Paper 7/18/2002, http://arstechnica.com/articles/paedia/security.ars/ Intercepting Mobile Communications:The Insecurity of 802.11 Nikita Borisov, Ian Goldberg, David Wagner University of California, Berkeley MobiCom 2001, http://classes.cec.wustl.edu/~cs673/WEP.ppt Real Security for Wireless LANs By: Erlanger, Leon. PC Magazine 8/05/2003, Vol. 22 Issue 13, p72 Beefing Up 802.11b Security Yardena Arar, PCWorld.com 2/04/2002, http://www.pcworld.com/news/article/0,aid,82563,00.asp

More Related