Wireless (802.11) Security

Douglas Reeves

NC State University

Southeast Wireless Symposium

December 02, 2003

What’s New?

  • Anybody (in range) can listen or transmit!

  • Security problems not specific to wireless…

    • Spam

    • Viruses

    • Worms

    • “Insider” attacks (e.g., corrupt employees)

Characteristics of 802.11 Service

  • Wireless LAN standard, introduced 1997

  • 802.11b

    • most widely used version, up to 11 Mb/s

    • 2.4GHz (unlicensed) frequency band

    • range

      • several hundred feet with omnidirectional antenna

      • up to 25 miles with directional antenna

Modes

  • Infrastructure mode

    • clients connect to base stations

    • multiple base stations may cover larger area, allow client roaming

    • identified by SSID

  • Ad Hoc mode

    • clients communicate directly with each other

Scanning for Access Points

  • Access points periodically transmit beacon frames (SSID, data rate, etc.)

  • Client scans frequencies and picks an access point based on SSID, signal strength, ...

  • Client switches to assigned channel and establishes an association

Sending Data

  • Sender waits until no one is transmitting

  • Then waits random interval and transmits

  • Optional slot reservation

    • Client first sends request-to-send (RTS) frame

    • Access point sends clear-to-send (CTS) frame when ready to receive

    • Requesting client sends data, all other clients must wait

Reliability

  • Receiving station checks CRC code in frame to detect errors

  • Acknowledges fault-free frame, lack of acknowledgment means “resend data”

Energy Conservation

  • Client can turn off radio interface when nothing to send or receive

  • Access Point periodically transmits a special frame indicating which clients have packets waiting

  • Each client wakes up periodically to receive the special frame

    • if a node has a packet waiting, requests packet after waiting random interval

Security Problems of 802.11

  • Unauthorized or “rogue” access points on trusted networks

  • Access to network by unauthorized clients (theft of service, "war driving")

  • Interception and monitoring of wireless traffic

    • range can be hundreds of feet

    • packet analyzer software freely available

  • Jamming is easy, unlicensed frequency

Security Problems (cont'd)

  • Client-to-client attacks (in ad hoc mode)

  • Denial or degradation of service

    • flood with bogus packets, association/authentication requests, …

  • Misconfiguration possibilities

    • no encryption used

    • weak (guessable) password used to generate key

    • weak protection of encryption key on client machine

    • weak protection of management interface for access point

Attacks on Control Messages

  • Ex.: Attacker issues spoofed "deauthenticate" or "disassociate" frames

  • Ex.: Attacker continually sends RTS frames to reserve slots

  • Ex.: Power-saving attacks

    • attacker causes access point to discard packets while client is still sleeping

    • attacker convinces client there is no data waiting

  • Trivial to implement (e.g., on PDA)

  • May require changes to the standard 
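
A detection sketch for the spoofed deauthenticate/disassociate case above, added here as an example and not part of the original slides. The frame tuples, MAC addresses, window and threshold are constructed assumptions; a real sensor would feed it parsed management frames.

```python
# Added illustration: flag bursts of deauthenticate/disassociate frames.
from collections import defaultdict, deque

# 802.11 management frame subtypes: 10 = disassociation, 12 = deauthentication.
DISCONNECT_SUBTYPES = {10: "disassoc", 12: "deauth"}

# Constructed sample capture: (timestamp_s, subtype, src, dst, bssid).
AP = "00:11:22:33:44:55"
C1 = "aa:bb:cc:00:00:01"
C2 = "aa:bb:cc:00:00:02"
SAMPLE_FRAMES = [
    (0.0, 8, AP, "ff:ff:ff:ff:ff:ff", AP),   # beacon, ignored
    (1.0, 12, C2, AP, AP),                   # one client leaving normally
] + [(5.0 + 0.25 * i, 12, AP, C1, AP) for i in range(8)]  # burst aimed at C1

def detect_disconnect_floods(frames, window_s=10.0, threshold=5):
    """Return one alert per (bssid, client) pair that sees more than
    `threshold` disconnect frames inside a `window_s`-second window."""
    recent = defaultdict(deque)   # (bssid, client) -> timestamps in window
    alerted = set()
    alerts = []
    for ts, subtype, src, dst, bssid in sorted(frames):
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        # Source addresses are unauthenticated, so key on the affected pair
        # rather than trusting who the frame claims to be from.
        client = dst if src == bssid else src
        key = (bssid, client)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"bssid": bssid, "client": client,
                           "count": len(q), "first_seen": q[0]})
    return alerts
```
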

(In)Security in 802.11b

  • Authentication is the process of proving identity

    • open: just supply correct SSID

    • shared key: relies on WEP

  • WEP: Wired Equivalent Privacy

  • Without WEP, no confidentiality, integrity, or authentication of user data

  • The cipher used in WEP is RC4, key length from 40 up to 128 bits

  • Key is shared by all clients and the base station

    • compromising one node compromises network

  • Manual key distribution among clients makes changing the key difficult

WEP Encryption Weakness

  • Initialization Vector (IV) used during encryption is only 24 bits long

  • Key to cracking: find packets with duplicate public IVs

    • repetition of IV guaranteed on busy networks due to small IV space

  • Tools: WEPCrack, AirSnort

    • 15 minutes to 24 hours to collect enough packets

Improvement (to WEP) #1: 802.1x

  • Port-based user authentication and key distribution

  • Currently supported by most access points and client OSes

Improvement #2: WPA (Wi-Fi Protected Access)

  • Incorporates 802.1X

  • Advantages

    • stronger, centralized user authentication

    • automatically negotiated per-user keys with frequent key updates

    • stronger encryption algorithm choices

  • Hardware support may be needed for adequate performance

TKIP (Temporal Key Integrity Protocol)

  • Extension of IV to 48 bits

  • Includes IV sequencing (rotates keys more often)

  • Adds a frame integrity-check function that is much stronger than CRC

Extensible Authentication Protocol (EAP)

  • During association, client must provide “credentials”

  • Access point requests authentication of user from RADIUS server

  • If successful, access point will accept traffic from client, encryption keys derived for the session

  • When client logs off, the access point will disable the client's ports

EAP Authentication Types

  • 5 contenders, no clear consensus (wait for the dust to settle?)

    • PEAP has support from Microsoft+Cisco+RSA, being standardized by IETF

    • EAP-TTLS also being standardized

    • LEAP is Cisco-proprietary

    • interoperability problems

  • User credentials = name/password, or digital certificate

    • use of certificates requires certificate server infrastructure

Improvement #3: 802.11i

  • WPA + dynamic negotiation of authentication and encryption algorithms

  • AES is the primary encryption algorithm

  • Requires hardware support

    • newer access points + wireless cards will be firmware upgradeable

    • older access points + wireless cards will have to be replaced

  • Still under development; ratified and available mid-2004?

Security Through Other Means

  • Use firewalls to isolate wireless traffic from wired network

  • Use intrusion detection to detect attacks on wireless networks

  • Use IPSec / VPNs to protect traffic at IP layer

  • Use TLS (SSL) to protect traffic at application layer

Recommendations: General

  • Get informed about risks!

  • Regular security audits and penetration assessments

  • Require "strong" passwords, limit number of login attempts

  • Disable ad hoc mode

    • invites access by unauthorized nodes to your computer

Recommendations: Access Points

  • Enforce standard security settings for each 802.11b access point

  • Regularly search to identify unknown access points

  • Require centralized user authentication (RADIUS) to configure the access point

  • Encrypt all access point management traffic
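
One way to act on the first two recommendations above, added here as an example and not part of the original slides: audit a beacon survey against an inventory of authorized access points. The inventory format, addresses, SSIDs and survey rows are constructed assumptions.

```python
# Added illustration: audit a site survey against the authorized AP inventory.
# All addresses, SSIDs and survey rows below are constructed sample data.
AUTHORIZED = {
    # bssid: (ssid, channel)
    "00:11:22:33:44:55": ("corp-wlan", 1),
    "00:11:22:33:44:66": ("corp-wlan", 6),
}

SURVEY = [
    # (bssid, ssid, channel, privacy bit set in beacon)
    ("00:11:22:33:44:55", "corp-wlan", 1, True),    # matches inventory
    ("00:11:22:33:44:66", "corp-wlan", 11, False),  # drifted from standard config
    ("02:AA:BB:CC:DD:01", "corp-wlan", 6, True),    # unknown radio, managed SSID
    ("02:aa:bb:cc:dd:02", "linksys", 6, False),     # unknown radio, other SSID
]

def audit_beacon(bssid, ssid, channel, privacy, inventory=AUTHORIZED):
    """Return a list of findings for one observed beacon (empty = compliant)."""
    managed_ssids = {s for s, _ in inventory.values()}
    expected = inventory.get(bssid.lower())
    if expected is None:
        # Not in inventory: a managed SSID on an unknown radio is the
        # higher-priority case; anything else may be a neighbour or a rogue.
        if ssid in managed_ssids:
            return ["unknown BSSID advertising a managed SSID"]
        return ["unknown access point in range"]
    exp_ssid, exp_channel = expected
    findings = []
    if ssid != exp_ssid:
        findings.append(f"SSID is {ssid!r}, expected {exp_ssid!r}")
    if channel != exp_channel:
        findings.append(f"channel {channel}, expected {exp_channel}")
    if not privacy:
        findings.append("encryption disabled (privacy bit clear)")
    return findings

def audit_survey(survey=SURVEY):
    """Map each non-compliant BSSID to its findings."""
    report = {}
    for bssid, ssid, channel, privacy in survey:
        findings = audit_beacon(bssid, ssid, channel, privacy)
        if findings:
            report[bssid.lower()] = findings
    return report
```
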

Recommendations: Other

  • Use distributed personal firewall on each client

  • Use VPNs to supplement encryption and authentication for 802.11b

  • Maintain an intrusion detection system on the wireless network

  • Use firewalls to separate wireless networks from internal networks

Recommendations: WLAN Security

  • WEP (fair)

    • enable wireless frame encryption

    • use longest key

    • change the WEP key regularly (manually)

  • 802.1X and WPA (user authentication + dynamic keys) (better)

    • use as soon as practical and stable

    • set rekeying to occur every few hours

  • 802.11i (best)

    • upgrade / use when available and supported