Wireless (802.11) Security
Douglas Reeves
NC State University
Southeast Wireless Symposium
December 02, 2003

What’s New?
• Anybody (in range) can listen or transmit!
• Security problems not specific to wireless…
  - Spam
  - Viruses
  - Worms
  - “Insider” attacks (e.g., corrupt employees)

Characteristics of 802.11 Service
• Wireless LAN standard, introduced 1997
• 802.11b
  - most widely used version, up to 11 Mb/s
  - 2.4GHz (unlicensed) frequency band
  - range
    - several hundred feet with omnidirectional antenna
    - up to 25 miles with directional antenna

Modes
• Infrastructure mode
  - clients connect to base stations
  - multiple base stations may cover larger area, allow client roaming
  - identified by SSID
• Ad Hoc mode
  - clients communicate directly with each other

Scanning for Access Points
• Access points periodically transmit beacon frames (SSID, data rate, etc.)
• Client scans frequencies and picks an access point based on SSID, signal strength, ...
• Client switches to assigned channel and establishes an association

Sending Data
• Sender waits until no one is transmitting
• Then waits random interval and transmits
• Optional slot reservation
  - Client first sends request-to-send (RTS) frame
  - Access point sends clear-to-send (CTS) frame when ready to receive
  - Requesting client sends data, all other clients must wait

Reliability
• Receiving station checks CRC code in frame to detect errors
• Acknowledges fault-free frame, lack of acknowledgment means “resend data”

Energy Conservation
• Client can turn off radio interface when nothing to send or receive
• Access Point periodically transmits a special frame listing which clients have packets waiting
• Each client wakes up periodically to receive the special frame
  - if a node has a packet waiting, requests packet after waiting random interval

Security Problems of 802.11
1. Unauthorized or “rogue” access points on trusted networks
2. Access to network by unauthorized clients (theft of service, "war driving")
3. Interception and monitoring of wireless traffic
   - range can be hundreds of feet
   - packet analyzer software freely available
4. Jamming is easy, unlicensed frequency

Security Problems (cont'd)
5. Client-to-client attacks (in ad hoc mode)
6. Denial or degradation of service
   - flood with bogus packets, association/authentication requests, …
7. Misconfiguration possibilities
   - no encryption used
   - weak (guessable) password used to generate key
   - weak protection of encryption key on client machine
   - weak protection of management interface for access point

Attacks on Control Messages
• Ex.: Attacker issues spoofed "deauthenticate" or "disassociate" frames
• Ex.: Attacker continually sends RTS frames to reserve slots
• Ex.: Power-saving attacks
  - attacker causes access point to discard packets while client is still sleeping
  - attacker convinces client there is no data waiting
• Trivial to implement (e.g., on PDA)
• May require changes to the standard

(In)Security in 802.11b
• Authentication is the process of proving identity
  - open: just supply correct SSID
  - shared key: relies on WEP
• WEP: Wired Equivalent Privacy

WEP
• Without WEP, no confidentiality, integrity, or authentication of user data
• The cipher used in WEP is RC4, key length from 40 up to 128 bits
• Key is shared by all clients and the base station
  - compromising one node compromises network
• Manual key distribution among clients makes changing the key difficult

WEP Encryption Weakness
• Initialization Vector (IV) used during encryption is only 24 bits long
• Key to cracking: find packets with duplicate public IVs
  - repetition of IV guaranteed on busy networks due to small IV space
• Tools: WEPCrack, AirSnort
  - 15 minutes to 24 hours to collect enough packets

Improvement (to WEP) #1: 802.1x
• Port-based user authentication and key distribution
• Currently supported by most access points and client OSes

Improvement #2: WPA (Wi-Fi Protected Access)
• Incorporates 802.1X
• Advantages
  - stronger, centralized user authentication
  - automatically negotiated per-user keys with frequent key updates
  - stronger encryption algorithm choices
• Hardware support may be needed for adequate performance

TKIP (Temporal Key Integrity Protocol)
• Extension of IV to 48 bits
• Includes IV sequencing (rotates keys more often)
• Adds a frame integrity-check function that is much stronger than CRC

Extensible Authentication Protocol (EAP)
1. During association, client must provide “credentials”
2. Access point requests authentication of user from RADIUS server
3. If successful, access point will accept traffic from client, encryption keys derived for the session
4. When client logs off, the access point will disable the client's ports

EAP Authentication Types
• 5 contenders, no clear consensus (wait for the dust to settle?)
  - PEAP has support from Microsoft+Cisco+RSA, being standardized by IETF
  - EAP-TTLS also being standardized
  - LEAP is Cisco-proprietary
  - interoperability problems
• User credentials = name/password, or digital certificate
  - use of certificates requires certificate server infrastructure

Improvement #3: 802.11i
• WPA + dynamic negotiation of authentication and encryption algorithms
• AES is the primary encryption algorithm
• Requires hardware support
  - newer access points + wireless cards will be firmware upgradeable
  - older access points + wireless cards will have to be replaced
• Still under development; ratified and available mid-2004?

Security Through Other Means
• Use firewalls to isolate wireless traffic from wired network
• Use intrusion detection to detect attacks on wireless networks
• Use IPSec / VPNs to protect traffic at IP layer
• Use TLS (SSL) to protect traffic at application layer

Recommendations: General
1. Get informed about risks!
2. Regular security audits and penetration assessments
3. Require "strong" passwords, limit number of login attempts
4. Disable ad hoc mode
   - invites access by unauthorized nodes to your computer

Recommendations: Access Points
5. Enforce standard security settings for each 802.11b access point
6. Regularly search to identify unknown access points
7. Require centralized user authentication (RADIUS) to configure the access point
8. Encrypt all access point management traffic

Recommendations: Other
9. Use distributed personal firewall on each client
10. Use VPNs to supplement encryption and authentication for 802.11b
11. Maintain an intrusion detection system on the wireless network
12. Use firewalls to separate wireless networks from internal networks

Recommendations: WLAN Security
• WEP (fair)
  - enable wireless frame encryption
  - use longest key
  - change the WEP key regularly (manually)
• 802.1X and WPA (user authentication + dynamic keys) (better)
  - use as soon as practical and stable
  - set rekeying to occur every few hours
• 802.11i (best)
  - upgrade / use when available and supported
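
Added example (not part of the original slides): one way to act on recommendations 4, 5 and 6 is to compare each site survey against an inventory of authorised access points. The inventory, the survey rows, the column names and the finding texts below are all constructed for illustration.

```python
import csv
import io

# Constructed inventory of authorised access points: BSSID -> expected settings.
AUTHORISED = {
    "00:11:22:33:44:01": {"ssid": "corp-wlan", "channel": 1, "security": "WPA"},
    "00:11:22:33:44:02": {"ssid": "corp-wlan", "channel": 6, "security": "WPA"},
}

# Constructed survey output: one row per beacon source seen during a walk-through.
SURVEY_CSV = """bssid,ssid,channel,security,mode
00:11:22:33:44:01,corp-wlan,1,WPA,infrastructure
00:11:22:33:44:02,corp-wlan,6,open,infrastructure
66:55:44:33:22:11,corp-wlan,11,open,infrastructure
02:aa:bb:cc:dd:ee,printer-setup,6,open,adhoc
"""

def audit(survey_csv: str, authorised: dict) -> list:
    """Return (bssid, finding) pairs for unknown sources and settings drift."""
    managed_ssids = {ap["ssid"] for ap in authorised.values()}
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(survey_csv)):
        bssid = row["bssid"].lower()
        seen.add(bssid)
        expected = authorised.get(bssid)
        if expected is None:
            if row["mode"] == "adhoc":
                findings.append((bssid, "ad hoc network in range"))
            elif row["ssid"] in managed_ssids:
                findings.append((bssid, "unknown AP advertising managed SSID"))
            else:
                findings.append((bssid, "unknown AP"))
            continue
        # Known AP: every surveyed setting must match the enforced standard.
        for field in ("ssid", "channel", "security"):
            if str(expected[field]) != row[field]:
                findings.append(
                    (bssid, f"{field} drift: expected {expected[field]}, saw {row[field]}"))
    for bssid in sorted(set(authorised) - seen):
        findings.append((bssid, "authorised AP not seen"))
    return findings

if __name__ == "__main__":
    for bssid, finding in audit(SURVEY_CSV, AUTHORISED):
        print(bssid, finding)
```

A BSSID can be forged, so a clean result shows only that nothing obviously foreign was beaconing during the survey; it complements the wired-side checks and firewalls the slides recommend.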
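
Added example (not part of the original slides): the "Attacks on Control Messages" slide and recommendation 11 point to monitoring management frames. The Python below flags a transmitter address that sends an unusual burst of deauthenticate or disassociate frames. The log format, the window and the threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque

# Constructed management-frame log: "<seconds> <subtype> <transmitter> <receiver>"
LOG = """\
10.00 beacon 00:11:22:33:44:01 ff:ff:ff:ff:ff:ff
12.10 deauth 00:11:22:33:44:01 aa:aa:aa:aa:aa:01
40.00 deauth 00:11:22:33:44:01 aa:aa:aa:aa:aa:02
40.20 deauth 00:11:22:33:44:01 aa:aa:aa:aa:aa:03
40.40 disassoc 00:11:22:33:44:01 aa:aa:aa:aa:aa:02
40.60 deauth 00:11:22:33:44:01 aa:aa:aa:aa:aa:04
40.80 deauth 00:11:22:33:44:01 aa:aa:aa:aa:aa:03
50.00 disassoc 00:11:22:33:44:02 aa:aa:aa:aa:aa:05
"""

WINDOW_SECONDS = 5.0   # assumed sliding window
THRESHOLD = 4          # assumed frames per window that triggers an alert

def detect_teardown_bursts(log, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return (transmitter, time, count) once per transmitter whose
    deauth/disassoc frames reach the threshold inside the window."""
    recent = defaultdict(deque)   # transmitter -> timestamps still in window
    alerted, alerts = set(), []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("deauth", "disassoc"):
            continue              # ignore malformed lines and other subtypes
        ts, transmitter = float(parts[0]), parts[2]
        times = recent[transmitter]
        times.append(ts)
        while times and ts - times[0] > window:
            times.popleft()       # drop frames that fell out of the window
        if len(times) >= threshold and transmitter not in alerted:
            alerted.add(transmitter)
            alerts.append((transmitter, ts, len(times)))
    return alerts

if __name__ == "__main__":
    for transmitter, ts, count in detect_teardown_bursts(LOG):
        print(f"{ts:.2f}s: {count} teardown frames in {WINDOW_SECONDS}s from {transmitter}")
```

Because these frames are unauthenticated in 802.11b, the transmitter address in an alert identifies the address being claimed, not necessarily the device that sent the frames.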