Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Security in Wireless Networks IEEE 802.11i Presented by Sean Goggin March 1, 2005 Overview • • • • • Inherent Problems in Wireless Is WEP Really Equivalent? Additional Solutions 802.11i – A New Solution Conclusion 3/1/2005 Sean Goggin 2 Inherent Problems in Wireless • Modern Wired Network – Multiple Nodes Interconnected with CAT-5, RG-58, Fiber, and Etc. – Typically Difficult to Intercept Data CAT 5e Data Computer A 3/1/2005 Computer B Sean Goggin 3 Inherent Problems in Wireless • Modern Wireless Network – Multiple Nodes Interconnected Over Radio Frequency – Lacks Simplest Form of Physical Protection Da t a Da t a Computer A 3/1/2005 Computer B Sean Goggin 4 Inherent Problems in Wireless • Denial-of-Service Attack (DOS Attack) – Media is Open to the Public – Easily Disrupted, Compromises Availability – Only Solution is to Locate and Disable Computer A 3/1/2005 Intruder Sean Goggin Computer B 5 Inherent Problems in Wireless • Man-in-the-Middle Attack (MITM Attack) – Easily Intercepted – Compromises Integrity and Confidentially – Mitigate with use of Encryption Da t a Computer A 3/1/2005 Da t a Intruder Sean Goggin Computer B 6 Inherent Problems in Wireless • Do to the Nature of Wired vs. Wireless, Wired is More Secure • Wireless Requires Protocol to Increase Security • IEEE & Wired Equivalent Privacy – 40-bit (Exportable) and 104-bit Key – RC4 3/1/2005 Sean Goggin 7 Is WEP Really Equivalent? • IEEE Selects RC4 Cipher for WEP • RC4 is a Stream Cipher System – Utilizes a Shared Key and Pseudo Random Number Generator (PRNG) to Create Keystream to XOR with Source’s Data, then Sends Cipher Text – Destination Utilizes the Shared Key and PRNG to Create Keystream to XOR Cipher Text and Decrypt Source’s Data Courtesy of 802.11 Wireless Networks: The Definitive Guide 3/1/2005 Sean Goggin 8 Is WEP Really Equivalent? • WEP Process – 40-bit Key + 24-bit Initialization Vector (IV) = 64-bit RC4 Key – RC4 Key and PRNG Create Keystream Equal in Length to Plain Text + CRC – Keystream XORed with Plain Text and CRC Value – Transmit IV + Cipher Text 3/1/2005 Sean Goggin 9 Is WEP Really Equivalent? • Key Management Issue – Up to 4 WEP Keys Can Be Used – Scalability vs. Security • • • • 3/1/2005 Manually Configure 1-4 Keys in an Enterprise Manually Distribute 1-4 Keys to an Enterprise Terminated Employees Public Keys & Monitoring Station Sean Goggin 10 Is WEP Really Equivalent? • Encryption Issue – “Weaknesses in the Key Scheduling Algorithm of RC4 “ by Fluhrer, Mantin, and Shamir • • • • 3/1/2005 Addressed Poor Implementation of RC4 in WEP Weak IVs are Poorly Chosen and Repeated Reused Keys Make Crypt Analysis Possible Function is Linear, not Exponential Sean Goggin 11 Is WEP Really Equivalent? • Attacking WEP – The Key is Comprised of 5 Bytes or 13 Bytes – The First Byte • LLC Encapsulation & SNAP Header (00xA) • (00xA) XOR First Byte of Cipher Text = First Byte of Keystream – The Remaining Bytes • Weak IVs in form of B+3:FF:N – B Refers to the Byte of the Key – FF is Weak Middle Byte of all 1s – N is any value from 0 to 255 3/1/2005 Sean Goggin 12 Is WEP Really Equivalent? • Attacking WEP, Continued – The Remaining Bytes, Continued • Gather Weak IVs into Groups of B – 5 Groups for 40-bit, 13 Groups for 104-bit – Takes Approximately 115 Samples Per Group to Crack a Byte of the Key • Even Though More Weak IVs are Needed for 104-bit Key, it Provides More Weak IVs by Nature • Cracking 104-bit vs. 40-bit Takes More Time, But Insignificant Amount • More Wireless Network Traffic, Faster Weak IVs Appear 3/1/2005 Sean Goggin 13 Is WEP Really Equivalent? • Tools to Crack WEP – AirSnort • Developed by Bruestle & Hegerle to Demonstrate Work Done by Fluhrer, Mantin, and Shamir • Capture Component – Captures Raw Packets using Wireless Interface • Crack Component – Performs Analysis and Cracks Bytes of Key – WEPCrack & dweputils • Similar Functions as AirSnort 3/1/2005 Sean Goggin 14 Is WEP Really Equivalent? • Other Attacks – Simple XOR Attack • Cipher Text is Plain Text XOR Keystream • If a Known Plain Text is then XOR with Cipher Text the KeyStream will be Exposed – Use SPAM, Heavy Virus Network Traffic (ie: Sasser), or Other Well-Known Network Traffic • Used for Message Injection & Authentication Spoofing 3/1/2005 Sean Goggin 15 Is WEP Really Equivalent? • Other Attacks, Continued – Brute-Force Attack • Phrase Key Generators Often Flawed – – – – Uses ASCII Values to Seed the PRNG ASCII Always Start with 0 and Range from 0 to 7F 7F vs FF… 21-bit vs. 32-bit Seed Newsham Attacked 40-bit Key using P3/500, 35 Seconds to Key – Sometimes Applies to 104-bit Key Generator (MD5 Hash) 3/1/2005 Sean Goggin 16 Additional Solutions • Best Practices – Disabling SSID Beaconing • SSID Beaconing Identifies AP to Wireless Interfaces • Easier for Legitimate Users and Intruders/Attackers to Find AP • Disabling SSID May Requires Additional Configuration of User’s Interface • Attacker can Detect Presence of AP, but without SSID cannot Associate with AP 3/1/2005 Sean Goggin 17 Additional Solutions • Best Practices, Continued – MAC Authentication (CSUN) • Legitimate Users Register MAC Address • AP Disregard Packets from Non-Registered MAC – Problems • Both SSID and Legitimate MAC can be Gathered with Network Sniffer and Wireless Card if Weak or No Encryption Used • WEP is Weak, So What is Left? 3/1/2005 Sean Goggin 18 Additional Solutions • Virtual Private Network (VPN) – Secure Data Above the Link-Layer – May Require More Bandwidth – Variety of Protocols • IPsec (CSUN), SSL, & PPTP • Wi-Fi Protected Access (WPA) – After WEP was Exposed a Temporary Solution was Needed 3/1/2005 Sean Goggin 19 Additional Solutions • Wi-Fi Protected Access (WPA), Continued – Wi-Fi Alliance Took Components of 802.11i Draft • • • • • Temporal Key Integrity Protocol Larger IV (48-bit vs. 24-bit) Message Integrity Check (MIC) Replaced CRC 802.1x or Pre-Shared Key (PSK) RC4 – Could be Implemented on Existing Hardware 3/1/2005 Sean Goggin 20 802.11i – A New Solution • Originally Meant to Address Security and Quality of Service (QoS) • Apparent Need for Additional Security Created 802.11e QoS & 802.11i Security • WPA is Released in April 2003 as Temporary Solution Until 802.11i Ratification • 802.11i Ratified on June 24th, 2004 3/1/2005 Sean Goggin 21 802.11i – A New Solution • Components of 802.11i – 802.1x – Advanced Encryption Standard in CounterMode/Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP) – Temporal Key Integrity Protocol (TKIP) 3/1/2005 Sean Goggin 22 802.11i – A New Solution • 802.1x – Based on IETF Extensible Authentication Protocol (EAP) • Future Proof Open Standard • Allows for Any Authentication Standard to be Used • Designed to Regulate at Physical Port – Point of Authenticating User & Network – Typically Uses RADIUS 3/1/2005 Sean Goggin 23 802.11i – A New Solution • 802.1x, Step 1 – Supplicant Request Association with Authenticator – Authenticator Associates with Supplicant – Authenticator Requests Identity from Supplicant via EAP EAP Wireless User (Supplicant) 3/1/2005 AP (Authenticator) Authentication Server Sean Goggin 24 802.11i – A New Solution • 802.1x, Step 2 – Supplicant Responds with Identity to Authenticator via EAP – Authenticator Sends Access Request for Supplicant’s Identity to Authentication Server via RADIUS EAP Wireless User (Supplicant) 3/1/2005 RADIUS AP (Authenticator) Authentication Server Sean Goggin 25 802.11i – A New Solution • 802.1x, Step 3 – Authentication Server Validates Supplicant’s Identity – Authentication Server Notifies Authenticator the Supplicant is Valid and Issues Keying Material via RADIUS – If Supplicant Fails to be Validated, Authentication Server Submits Identity Request instead RADIUS Wireless User (Supplicant) 3/1/2005 AP (Authenticator) Authentication Server Sean Goggin 26 802.11i – A New Solution • 802.1x, Step 4 – The Authenticator Initiates a 4-Way Handshake with Supplicant to Establish Keys – Once Keys are Established the Supplicant is Permitted to Access the Network EAP Wireless User (Supplicant) 3/1/2005 AP (Authenticator) Authentication Server Sean Goggin 27 802.11i – A New Solution • The 4-Way Handshake in 802.1x – Terminology • • • • • • 3/1/2005 Master Key (MK) Pairwise Master Key (PMK) Authenticator Nonce (Anonce) Supplicant Nonce (Snonce) Pairwise Transient Key (PTK) Group Temporal Key (GTK) Sean Goggin 28 802.11i – A New Solution • The 4-Way Handshake in 802.1x – Both the Supplicant and Authenticator have PMK Derived from MK issued by the Authentication Server – Step 1 • Authenticator Generates Anonce and Sends it to the Supplicant PMK Anonce PMK Anonce AP (Authenticator) Wireless User (Supplicant) 3/1/2005 Sean Goggin 29 802.11i – A New Solution • The 4-Way Handshake in 802.1x – Step 2 • Supplicant Generates Snonce • Supplicant Constructs PTK from Anonce, Snonce, Authenticator MAC, Supplicant MAC, and PMK • Supplicant Sends Snonce and MIC to Authenticator PMK Snonce + MIC Anonce PMK Anonce Snonce PTK AP (Authenticator) Wireless User (Supplicant) 3/1/2005 Sean Goggin 30 802.11i – A New Solution • The 4-Way Handshake in 802.1x – Step 3 • Authenticator Derives PTK from Anonce, Snonce, Authenticator MAC, Supplicant MAC, and PMK • Authenticator Constructs GTK from Above Data and Sends GTK and MIC to Supplicant PMK GTK + MIC Anonce Anonce Snonce Snonce PTK PTK GTK AP (Authenticator) Wireless User (Supplicant) 3/1/2005 PMK Sean Goggin 31 802.11i – A New Solution • The 4-Way Handshake in 802.1x – Step 4 • Supplicant Sends ACK to Authenticator Concluding Handshake Process • Supplicant & Authenticator Have Established All Necessary Keys PMK ACK Anonce Anonce Snonce Snonce PTK GTK PTK GTK AP (Authenticator) Wireless User (Supplicant) 3/1/2005 PMK Sean Goggin 32 802.11i – A New Solution • Pairwise Transient Key (PTK) – Broken into 3 Keys • Key Confirmation Key (KCK) – Used to Compute and Confirm EAP MICs • Key Encryption Key (KEK) – Used for Encryption of EAP Data • Temporal Key (TK) – Used for Encryption of Supplicant-Authenticator Traffic • Group Temporal Key (GTK) – Used for Broadcast and Multicast Encryption 3/1/2005 Sean Goggin 33 802.11i – A New Solution • Additional Features of 802.1x – Key Caching • Authenticator & Supplicant Cache Keys While Roaming • Prevents Excessive Load on Authentication Server – Pre-Authentication • If the Supplicant Sense the Next AP while Roaming it can Begin Authentication via Network to Next AP • Reduces Association Time to Next AP 3/1/2005 Sean Goggin 34 802.11i – A New Solution • AES-CM/CBC-MAC Protocol (AESCCMP) – Features • • • • • • 3/1/2005 128-bit Advanced Encryption Standard Counter-Mode Cipher Block Chaining 48-bit Initialization Vectors 802.1x Key Assignment (TK from PTK) Message Integrity Check Sean Goggin 35 802.11i – A New Solution • Counter-Mode – Turns a Block Cipher into a Stream Cipher – Generates the Next Keystream Block by Encrypting Successive Values of a Counter – Counter is any Simple Function which Produces Sequence which is Guaranteed not to Repeat for a Long Time 3/1/2005 Sean Goggin 36 802.11i – A New Solution Courtesy of: WikiPedia - Block cipher modes of operation 3/1/2005 Sean Goggin 37 802.11i – A New Solution • Cipher Block Chaining – Each Block of Plain Text is XORed with Previous Block of Cipher Text Before Being Encrypted – Each Cipher Text Block is then Dependent on the Blocks that Preceded 3/1/2005 Sean Goggin 38 802.11i – A New Solution Courtesy of: WikiPedia - Block cipher modes of operation 3/1/2005 Sean Goggin 39 802.11i – A New Solution • AES-CCMP, Continued – AES-CM Provides Confidentiality – CBC-MAC Provides Authentication & Integrity – CCMP Protects Non-Encrypted Fields • Such as Source & Destination Data • Protects Against Replay Attack – 16 Octets Larger then Non-Encrypted Data • Slight Speed Decrease, Large Security Increase – More Enterprise then Home Consumer 3/1/2005 Sean Goggin 40 802.11i – A New Solution • AES-CCMP vs. WEP – AES vs. RC4 – 128-bit vs. 104-bit Key – Block Cipher vs. Stream Cipher – 48-bit vs. 24-bit Initialization Vector – CBC-MAC vs. RC4 – New vs. Established 3/1/2005 Sean Goggin 41 802.11i – A New Solution • Temporal Key Integrity Protocol (TKIP) – Features • 128-bit RC4 • Per-Packet Key Mixing • Enhanced Initialization Vectors including Sequencing Rules • 802.1x Key Assignment (TK from PTK) • Michael MIC • Runs on Legacy Hardware 3/1/2005 Sean Goggin 42 802.11i – A New Solution Courtesy of: How Secure Is Your Wireless Network? Safeguarding Your Wi-Fi LAN 3/1/2005 Sean Goggin 43 802.11i – A New Solution • TKIP – Phase 1 – Source MAC XORed with TK = Mixed Key • TKIP – Phase 2 – Mixed Key XORed with Trip Sequence Counter = Per-Packet Mixed Key – Feed to WEP Engine as 128-bit Key 3/1/2005 Sean Goggin 44 802.11i – A New Solution • Michael MIC – 64-bit MIC Key, Source Address, Destination Address, and Plain Text used to Generate 8 Byte MIC Hash – MIC replaces CRC – Plain Text+ MIC are Fed to WEP Engine as Plain Text • WEP Now Performs RC4 Operations Using 128-bit Key and Plain Text + MIC 3/1/2005 Sean Goggin 45 802.11i – A New Solution 3/1/2005 Sean Goggin 46 802.11i – A New Solution • Michael’s Countermeasure – If CRC, Integrity Check Value, and IV Fail Verification, Only then Check MIC • Avoids False Positive – If All Fail, Attack Underway • Stop Using Current Keys & Re-Key • Rate Limit Re-Keying to Once Per Minute 3/1/2005 Sean Goggin 47 802.11i – A New Solution • AES-CCMP vs. TKIP – AES vs. RC4 – Block vs. Stream Cipher – CBC-MAC vs. RC4 – New Hardware vs. Existing Hardware – New vs. Relatively New 3/1/2005 Sean Goggin 48 802.11i – A New Solution • Additional Features of 802.11i – Pre-Shared Key (PSK) • Utilized instead of PMK, Less Secure? • Home or Ad Hoc Network – Password-to-Key Mapping • Generates 256-bit PSK from ASCII – Random Number Generation • Established Minimum Guide Line 3/1/2005 Sean Goggin 49 802.11i – A New Solution • 802.11i & WPA 2 – Wi-Fi Alliance Certification Program for 802.11i Compliance – Possibly Misleading, WPA Hardware May Not Be Compatible • TKIP is in WPA & WPA 2 • Most WPA Hardware Not Capable of AES-CCMP – User-Friendly Name for 802.11i 3/1/2005 Sean Goggin 50 Conclusion • 802.11i Shows Promise, Only Proven with Test of Time • Performance/Security Trade-off Worth it? • May Not Be as Important to Home Users as it is for Enterprises 3/1/2005 Sean Goggin 51 Conclusion • With Major Investment in Last 5 Years in 802.11b, New Hardware May Not Be Adopted Promptly • Why Buy 802.11i Instead of 802.16 or 802.20? • Where is the Hardware? 3/1/2005 Sean Goggin 52 Questions & Answers Security in Wireless Networks 802.11i Next Time… Advances in Optical Networks SONET April 19, 2005 References • Wireless Security’s Future (PDF) • Intercepting Mobile Communications: The Insecurity of 802.11(PDF) • IEEE 802.11i Overview (PDF) • 802.11i and Wireless Security • 802.11 Security • Wikipedia – Block Cipher Modes of Operation • Wikipedia – Advanced Encryption Standard 3/1/2005 Sean Goggin 55