wireless lan security
Download
Skip this Video
Download Presentation
Wireless LAN Security

Loading in 2 Seconds...

play fullscreen
1 / 60

Wireless LAN Security - PowerPoint PPT Presentation


  • 203 Views
  • Uploaded on

Wireless LAN Security. Matthew Joyce Rutherford Appleton Laboratory, CCLRC. WLAN Security - Contents. Wireless LAN 802.11 Technology Security History Vulnerabilities Demonstration. Wireless LANs. IEEE ratified 802.11 in 1997. Also known as Wi-Fi. Wireless LAN at 1 Mbps & 2 Mbps.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Wireless LAN Security' - jeneva


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
wireless lan security

Wireless LAN Security

Matthew Joyce

Rutherford Appleton Laboratory, CCLRC

WLAN Security

wlan security contents
WLAN Security - Contents
  • Wireless LAN 802.11
  • Technology
  • Security History
  • Vulnerabilities
  • Demonstration

WLAN Security

wireless lans
Wireless LANs
  • IEEE ratified 802.11 in 1997.
    • Also known as Wi-Fi.
  • Wireless LAN at 1 Mbps & 2 Mbps.
  • WECA (Wireless Ethernet Compatibility Alliance) promoted Interoperability.
    • Now Wi-Fi Alliance
  • 802.11 focuses on Layer 1 & Layer 2 of OSI model.
    • Physical layer
    • Data link layer

WLAN Security

802 11 components
802.11 Components
  • Two pieces of equipment defined:
    • Wireless station
      • A desktop or laptop PC or PDA with a wireless NIC.
    • Access point
      • A bridge between wireless and wired networks
      • Composed of
        • Radio
        • Wired network interface (usually 802.3)
        • Bridging software
      • Aggregates access for multiple wireless stations to wired network.

WLAN Security

802 11 modes
802.11 modes
  • Infrastructure mode
    • Basic Service Set
      • One access point
    • Extended Service Set
      • Two or more BSSs forming a single subnet.
    • Most corporate LANs in this mode.
  • Ad-hoc mode
    • Also called peer-to-peer.
    • Independent Basic Service Set
    • Set of 802.11 wireless stations that communicate directly without an access point.
      • Useful for quick & easy wireless networks.

WLAN Security

infrastructure mode
Infrastructure mode

Access Point

Basic Service Set (BSS) –

Single cell

Station

Extended Service Set (ESS) –

Multiple cells

WLAN Security

ad hoc mode
Ad-hoc mode

Independent Basic Service Set (IBSS)

WLAN Security

802 11 physical layer
802.11 Physical Layer
  • Originally three alternative physical layers
    • Two incompatible spread-spectrum radio in 2.4Ghz ISM band
      • Frequency Hopping Spread Spectrum (FHSS)
        • 75 channels
      • Direct Sequence Spread Spectrum (DSSS)
        • 14 channels (11 channels in US)
    • One diffuse infrared layer
  • 802.11 speed
    • 1 Mbps or 2 Mbps.

WLAN Security

802 11 data link layer
802.11 Data Link Layer
  • Layer 2 split into:
    • Logical Link Control (LLC).
    • Media Access Control (MAC).
  • LLC - same 48-bit addresses as 802.3.
  • MAC - CSMA/CD not possible.
    • Can’t listen for collision while transmitting.
  • CSMA/CA – Collision Avoidance.
    • Sender waits for clear air, waits random time, then sends data.
    • Receiver sends explicit ACK when data arrives intact.
    • Also handles interference.
    • But adds overhead.
  • 802.11 always slower than equivalent 802.3.

WLAN Security

hidden nodes
Hidden nodes

WLAN Security

rts cts
RTS / CTS
  • To handle hidden nodes
  • Sending station sends
    • “Request to Send”
  • Access point responds with
    • “Clear to Send”
    • All other stations hear this and delay any transmissions.
  • Only used for larger pieces of data.
    • When retransmission may waste significant time.

WLAN Security

802 11b
802.11b
  • 802.11b ratified in 1999 adding 5.5 Mbps and 11 Mbps.
  • DSSS as physical layer.
    • 11 channels (3 non-overlapping)
  • Dynamic rate shifting.
      • Transparent to higher layers
      • Ideally 11 Mbps.
      • Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
        • Higher ranges.
        • Interference.
      • Shifts back up when possible.
  • Maximum specified range 100 metres
  • Average throughput of 4Mbps

WLAN Security

joining a bss
Joining a BSS
  • When 802.11 client enters range of one or more APs
    • APs send beacons.
    • AP beacon can include SSID.
    • AP chosen on signal strength and observed error rates.
    • After AP accepts client.
      • Client tunes to AP channel.
  • Periodically, all channels surveyed.
    • To check for stronger or more reliable APs.
    • If found, reassociates with new AP.

WLAN Security

access point roaming
Access Point Roaming

Channel 1

Channel 4

Channel 9

Channel 7

WLAN Security

roaming and channels
Roaming and Channels
  • Reassociation with APs
    • Moving out of range.
    • High error rates.
    • High network traffic.
      • Allows load balancing.
  • Each AP has a channel.
    • 14 partially overlapping channels.
    • Only three channels that have no overlap.
      • Best for multicell coverage.

WLAN Security

802 11a
802.11a
  • 802.11a ratified in 2001
  • Supports up to 54Mbps in 5 Ghz range.
    • Higher frequency limits the range
    • Regulated frequency reduces interference from other devices
  • 12 non-overlapping channels
  • Usable range of 30 metres
  • Average throughput of 30 Mbps
  • Not backwards compatible

WLAN Security

802 11g
802.11g
  • 802.11g ratified in 2002
  • Supports up to 54Mbps in 2.4Ghz range.
    • Backwards compatible with 802.11b
  • 3 non-overlapping channels
  • Range similar to 802.11b
  • Average throughput of 30 Mbps
  • 802.11n due for November 2006
    • Aiming for maximum 200Mbps with average 100Mbps

WLAN Security

open system authentication
Open System Authentication
  • Service Set Identifier (SSID)
  • Station must specify SSID to Access Point when requesting association.
  • Multiple APs with same SSID form Extended Service Set.
  • APs can broadcast their SSID.
  • Some clients allow * as SSID.
    • Associates with strongest AP regardless of SSID.

WLAN Security

mac acls and ssid hiding
MAC ACLs and SSID hiding
  • Access points have Access Control Lists (ACL).
  • ACL is list of allowed MAC addresses.
    • E.g. Allow access to:
      • 00:01:42:0E:12:1F
      • 00:01:42:F1:72:AE
      • 00:01:42:4F:E2:01
  • But MAC addresses are sniffable and spoofable.
  • AP Beacons without SSID
    • Essid_jack
      • sends deauthenticate frames to client
      • SSID then displayed when client sends reauthenticate frames

WLAN Security

interception range
Interception Range

Station outside

building perimeter.

100 metres

Basic Service Set (BSS) –

Single cell

WLAN Security

interception
Interception
  • Wireless LAN uses radio signal.
  • Not limited to physical building.
  • Signal is weakened by:
    • Walls
    • Floors
    • Interference
  • Directional antenna allows interception over longer distances.

WLAN Security

directional antenna
Directional Antenna
  • Directional antenna provides focused reception.
  • DIY plans available.
    • Aluminium cake tin
    • Chinese cooking sieve
    • http://www.saunalahti.fi/~elepal/antennie.html
    • http://www.usbwifi.orcon.net.nz/

WLAN Security

wardriving
WarDriving
  • Software
    • Netstumbler
    • And many more
  • Laptop
  • 802.11b,g or a PC card
  • Optional:
    • Global Positioning System
    • Car, bicycle, boat…
  • Logging of MAC address, network name, SSID, manufacturer, channel, signal strength, noise (GPS - location).

WLAN Security

wardriving results
WarDriving results
  • San Francisco, 2001
    • Maximum 55 miles per hour.
    • 1500 Access Points
    • 60% in default configuration.
    • Most connected to internal backbones.
    • 85% use Open System Authentication.
  • Commercial directional antenna
    • 25 mile range from hilltops.
  • Peter Shipley - http://www.dis.org/filez/openlans.pdf

WLAN Security

worldwide war drive 2004
Worldwide War Drive 2004
  • Fourth WWWD
    • www.worldwidewaredrive.org
  • 228,537 Access points
  • 82,755 (35%) with default SSID
  • 140,890 (60%) with Open System Authentication
  • 62,859 (27%) with both, probably default configuration

WLAN Security

further issues
Further issues
  • Access Point configuration
    • Mixtures of SNMP, web, serial, telnet.
      • Default community strings, default passwords.
  • Evil Twin Access Points
    • Stronger signal, capture user authentication.
  • Renegade Access Points
    • Unauthorised wireless LANs.

WLAN Security

war driving prosecutions
War Driving prosecutions
  • February 2004, Texas, Stefan Puffer acquitted of wrongful access after showing an unprotected county WLAN to officials
  • June 2004, North Carolina, Lowes DIY store
    • Botbyl convicted for stealing credit card numbers via unprotected WLAN
    • Timmins convicted for checking email & web browsing via unprotected WLAN
  • June 2004, Connecticut, Myron Tereshchuk guilty of drive-by extortion via unprotected WLANs
    • “make the check payable to M.Tereshchuk”
  • Sep 2004, Los Angeles, Nicholas Tombros guilty of drive-by spamming via unprotected WLANs

WLAN Security

802 11b security services
802.11b Security Services
  • Two security services provided:
  • Authentication
    • Shared Key Authentication
  • Encryption
    • Wired Equivalence Privacy

WLAN Security

wired equivalence privacy
Wired Equivalence Privacy
  • Shared key between
    • Stations.
    • An Access Point.
  • Extended Service Set
    • All Access Points will have same shared key.
  • No key management
    • Shared key entered manually into
      • Stations
      • Access points
      • Key management nightmare in large wireless LANs

WLAN Security

slide30
RC4
  • Ron’s Code number 4
    • Symmetric key encryption
    • RSA Security Inc.
    • Designed in 1987.
    • Trade secret until leak in 1994.
  • RC4 can use key sizes from 1 bit to 2048 bits.
  • RC4 generates a stream of pseudo random bits
    • XORed with plaintext to create ciphertext.

WLAN Security

wep sending
WEP – Sending
  • Compute Integrity Check Vector (ICV).
    • Provides integrity
    • 32 bit Cyclic Redundancy Check.
    • Appended to message to create plaintext.
  • Plaintext encrypted via RC4
    • Provides confidentiality.
    • Plaintext XORed with long key stream of pseudo random bits.
    • Key stream is function of
      • 40-bit secret key
      • 24 bit initialisation vector
  • Ciphertext is transmitted.

WLAN Security

wep encryption
WEP Encryption

IV

Cipher

text

Initialisation

Vector (IV)

||

RC4

PRNG

Key stream

Secret key

Plaintext

||

32 bit CRC

WLAN Security

wep receiving
WEP – Receiving
  • Ciphertext is received.
  • Ciphertext decrypted via RC4
    • Ciphertext XORed with long key stream of pseudo random bits.
    • Key stream is function of
      • 40-bit secret key
      • 24 bit initialisation vector (IV)
  • Check ICV
    • Separate ICV from message.
    • Compute ICV for message
    • Compare with received ICV

WLAN Security

shared key authentication
Shared Key Authentication
  • When station requests association with Access Point
    • AP sends random number to station
    • Station encrypts random number
      • Uses RC4, 40 bit shared secret key & 24 bit IV
    • Encrypted random number sent to AP
    • AP decrypts received message
      • Uses RC4, 40 bit shared secret key & 24 bit IV
    • AP compares decrypted random number to transmitted random number
  • If numbers match, station has shared secret key.

WLAN Security

wep safeguards
WEP Safeguards
  • Shared secret key required for:
    • Associating with an access point.
    • Sending data.
    • Receiving data.
  • Messages are encrypted.
    • Confidentiality.
  • Messages have checksum.
    • Integrity.
  • But management traffic still broadcast in clear containing SSID.

WLAN Security

initialisation vector
Initialisation Vector
  • IV must be different for every message transmitted.
  • 802.11 standard doesn’t specify how IV is calculated.
  • Wireless cards use several methods
    • Some use a simple ascending counter for each message.
    • Some switch between alternate ascending and descending counters.
    • Some use a pseudo random IV generator.

WLAN Security

passive wep attack
Passive WEP attack
  • If 24 bit IV is an ascending counter,
  • If Access Point transmits at 11 Mbps,
  • All IVs are exhausted in roughly 5 hours.
  • Passive attack:
    • Attacker collects all traffic
    • Attacker could collect two messages:
      • Encrypted with same key and same IV
      • Statistical attacks to reveal plaintext
      • Plaintext XOR Ciphertext = Keystream

WLAN Security

active wep attack
Active WEP attack
  • If attacker knows plaintext and ciphertext pair
    • Keystream is known.
    • Attacker can create correctly encrypted messages.
    • Access Point is deceived into accepting messages.
  • Bitflipping
    • Flip a bit in ciphertext
    • Bit difference in CRC-32 can be computed

WLAN Security

limited wep keys
Limited WEP keys
  • Some vendors allow limited WEP keys
    • User types in a passphrase
    • WEP key is generated from passphrase
    • Passphrases creates only 21 bits of entropy in 40 bit key.
      • Reduces key strength to 21 bits = 2,097,152
      • Remaining 19 bits are predictable.
      • 21 bit key can be brute forced in minutes.
    • www.lava.net/~newsham/wlan/WEP_password_cracker.ppt

WLAN Security

brute force key attack
Brute force key attack
  • Capture ciphertext.
    • IV is included in message.
  • Search all 240 possible secret keys.
    • 1,099,511,627,776 keys
    • ~170 days on a modern laptop
  • Find which key decrypts ciphertext to plaintext.

WLAN Security

128 bit wep
128 bit WEP
  • Vendors have extended WEP to 128 bit keys.
    • 104 bit secret key.
    • 24 bit IV.
  • Brute force takes 10^19 years for 104-bit key.
  • Effectively safeguards against brute force attacks.

WLAN Security

key scheduling weakness
Key Scheduling Weakness
  • Paper from Fluhrer, Mantin, Shamir, 2001.
  • Two weaknesses:
    • Certain keys leak into key stream.
      • Invariance weakness.
    • If portion of PRNG input is exposed,
      • Analysis of initial key stream allows key to be determined.
      • IV weakness.

WLAN Security

iv weakness
IV weakness
  • WEP exposes part of PRNG input.
    • IV is transmitted with message.
    • Every wireless frame has reliable first byte
      • Sub-network Access Protocol header (SNAP) used in logical link control layer, upper sub-layer of data link layer.
      • First byte is 0xAA
    • Attack is:
      • Capture packets with weak IV
      • First byte ciphertext XOR 0xAA = First byte key stream
      • Can determine key from initial key stream
  • Practical for 40 bit and 104 bit keys
  • Passive attack.
    • Non-intrusive.
    • No warning.

WLAN Security

wepcrack
Wepcrack
  • First tool to demonstrate attack using IV weakness.
    • Open source, Anton Rager.
  • Three components
    • Weaker IV generator.
    • Search sniffer output for weaker IVs & record 1st byte.
    • Cracker to combine weaker IVs and selected 1st bytes.
  • Cumbersome.

WLAN Security

airsnort
Airsnort
  • Automated tool
    • Cypher42, Minnesota, USA.
    • Does it all!
    • Sniffs
    • Searches for weaker IVs
    • Records encrypted data
    • Until key is derived.
  • 100 Mb to 1 Gb of transmitted data.
  • 3 to 4 hours on a very busy WLAN.

WLAN Security

avoid the weak ivs
Avoid the weak IVs
  • FMS described a simple method to find weak IVs
    • Many manufacturers avoid those IVs after 2002
    • Therefore Airsnort and others may not work on recent hardware
  • However David Hulton aka h1kari
    • Properly implemented FMS attack which shows many more weak IVs
    • Identified IVs that leak into second byte of key stream.
    • Second byte of SNAP header is also 0xAA
    • So attack still works on recent hardware
    • And is faster on older hardware
    • Dwepcrack, weplab, aircrack

WLAN Security

generating wep traffic
Generating WEP traffic
  • Not capturing enough traffic?
    • Capture encrypted ARP request packets
    • Anecdotally lengths of 68, 118 and 368 bytes appear appropriate
    • Replay encrypted ARP packets to generate encrypted ARP replies
    • Aireplay implements this.

WLAN Security

802 11 safeguards
802.11 safeguards
  • Security Policy & Architecture Design
  • Treat as untrusted LAN
  • Discover unauthorised use
  • Access point audits
  • Station protection
  • Access point location
  • Antenna design

WLAN Security

security policy architecture
Security Policy & Architecture
  • Define use of wireless network
    • What is allowed
    • What is not allowed
  • Holistic architecture and implementation
    • Consider all threats.
    • Design entire architecture
      • To minimise risk.

WLAN Security

wireless as untrusted lan
Wireless as untrusted LAN
  • Treat wireless as untrusted.
    • Similar to Internet.
  • Firewall between WLAN and Backbone.
  • Extra authentication required.
  • Intrusion Detection
    • at WLAN / Backbone junction.
  • Vulnerability assessments

WLAN Security

discover unauthorised use
Discover unauthorised use
  • Search for unauthorised access points, ad-hoc networks or clients.
  • Port scanning
    • For unknown SNMP agents.
    • For unknown web or telnet interfaces.
  • Warwalking!
    • Sniff 802.11 packets
    • Identify IP addresses
    • Detect signal strength
    • But may sniff your neighbours…
  • Wireless Intrusion Detection
    • AirMagnet, AirDefense, Trapeze, Aruba,…

WLAN Security

access point audits
Access point audits
  • Review security of access points.
  • Are passwords and community strings secure?
  • Use Firewalls & router ACLs
    • Limit use of access point administration interfaces.
  • Standard access point config:
    • SSID
    • WEP keys
    • Community string & password policy

WLAN Security

station protection
Station protection
  • Personal firewalls
    • Protect the station from attackers.
  • VPN from station into Intranet
    • End-to-end encryption into the trusted network.
    • But consider roaming issues.
  • Host intrusion detection
    • Provide early warning of intrusions onto a station.
  • Configuration scanning
    • Check that stations are securely configured.

WLAN Security

location of access points
Location of Access Points
  • Ideally locate access points
    • In centre of buildings.
  • Try to avoid access points
    • By windows
    • On external walls
    • Line of sight to outside
  • Use directional antenna to “point” radio signal.

WLAN Security

slide56
WPA
  • Wi-Fi Protected Access
    • Works with 802.11b, a and g
  • “Fixes” WEP’s problems
  • Existing hardware can be used
  • 802.1x user-level authentication
  • TKIP
    • RC4 session-based dynamic encryption keys
    • Per-packet key derivation
    • Unicast and broadcast key management
    • New 48 bit IV with new sequencing method
    • Michael 8 byte message integrity code (MIC)
  • Optional AES support to replace RC4

WLAN Security

wpa and 802 1x
WPA and 802.1x
  • 802.1x is a general purpose network access control mechanism
  • WPA has two modes
    • Pre-shared mode, uses pre-shared keys
    • Enterprise mode, uses Extensible Authentication Protocol (EAP) with a RADIUS server making the authentication decision
    • EAP is a transport for authentication, not authentication itself
    • EAP allows arbitrary authentication methods
    • For example, Windows supports
      • EAP-TLS requiring client and server certificates
      • PEAP-MS-CHAPv2

WLAN Security

practical wpa attacks
Practical WPA attacks
  • Dictionary attack on pre-shared key mode
    • CoWPAtty, Joshua Wright
  • Denial of service attack
    • If WPA equipment sees two packets with invalid MICs in 1 second
      • All clients are disassociated
      • All activity stopped for one minute
      • Two malicious packets a minute enough to stop a wireless network

WLAN Security

802 11i
802.11i
  • Robust Security Network extends WPA
    • Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
    • Based on a mode of AES, with 128 bits keys and 48 bit IV.
    • Also adds dynamic negotiation of authentication and encryption algorithms
    • Allows for future change
  • Does require new hardware
  • www.drizzle.com/~aboba/IEEE/

WLAN Security

relevant rfcs
Relevant RFCs
  • Radius Extensions: RFC 2869
  • EAP: RFC 2284
  • EAP-TLS: RFC 2716

WLAN Security

ad