720 likes | 979 Vues
Wireless Security. 802.11 With a focus on Security by Brian Lee Takehiro Takahashi. Survey (1). Do you have wireless networking at home? If yes, I’m assuming that it is encrypted…. What is your security? WEP WPA Mac filtering I consider my home network as local wireless hotspot
E N D
Wireless Security 802.11 With a focus on Security by Brian Lee Takehiro Takahashi
Survey (1) • Do you have wireless networking at home? • If yes, I’m assuming that it is encrypted…. • What is your security? • WEP • WPA • Mac filtering • I consider my home network as local wireless hotspot • Do you think your wireless network is secure?
Brief Overview • Case Study • Current Wireless Technology Overview • 802.11 a/b/g • WEP • New Wireless Security Standard • 802.1x • WPA • WPA2 - 802.11i
GOAL • Realize the real problem set and the solution in wireless security.
GOAL • Realize the real problem set and the solution in wireless security. • Exploi… (cough)
So….. Is wireless network secure? • Umm… kind of? • Why is it not secure? • How insecure is it? • Some misunderstanding… • How can we make it secure?
An exercise in wireless insecurity • Tools used: • Laptop w/ 802.11a/b/g card • GPS • Netstumbler • Aircrack (or any WEP cracking tool) • Ethereal • the car of your choice
Step1: Find networks to attack • An attacker would first use Netstumbler to drive around and map out active wireless networks • Using Netstumbler, the attacker locates a strong signal on the target WLAN • Netstumbler not only has the ability to monitor all active networks in the area, but it also integrates with a GPS to map AP’s
Step 2: Choose the network to attack • At this point, the attacker has chosen his target; most likely a business • Netstumbler can tell you whether or not the network is encrypted • Also, start Ethereal to look for additional information. This time……. Your target is GTwireless
Step3: Analyzing the Network • WLAN has no broadcasted SSID • Netstubmler tells me that SSID is GTwireless • Multiple access points • Many active users • Open authentication method • WLAN is encrypted with 40bit WEP • WLAN is not using 802.1X (WEB-auth)
Step4: Cracking the WEP key • Attacker sets NIC drivers to Monitor Mode • Begins capturing packets with Airodump • Airodump quickly lists the available network with SSID and starts capturing packets. • After a few hours of airodump session, launch aircrack to start cracking! • WEP key for GTwireless is revealed!
Step5: Sniffing the network • Once the WEP key is cracked and the NIC is configured appropriately, the attacker is assigned an IP, and can access the WLAN • However, a secure proxy with an SSL enabled web based login prevents access to the rest of network and the Internet • Attacker begins listening to traffic with Ethereal
Step6: Sniffing continued… • Sniffing a WLAN is very fruitful because everyone on the WLAN is a peer, therefore you can sniff every wireless client • Listening to connections with plain text protocols (in this case FTP and Telnet) to servers on the wired LAN yielded 2 usable logins within 1.5hrs
What was accomplished? • Complete access to the WLAN • Complete access to the wired LAN • Complete access to the internet • Access to servers on the wired LAN using the sniffed accounts • Some anonymity. Usage of Netstumbler and other network probing devices can be detected. Skip that step if possible.
Other possibilities • Instead of sniffing a valid login, the attacker could have exploited a known vulnerability in the proxy (provided there is one) • Attacker could have hijacked a valid user’s session using a DOS attack against the user, and then assuming his MAC address and IP • Both ways present a greater risk for being noticed, something an attacker does not want
That’s it…the network is compromised • Most wireless networks remain no more secure than this, many are less secure • Hundreds of business’s, schools, airports, and residences use wireless technology as a major point of access to their networks
Basic 802.11b Overview • 802.11b was IEEE approved in 1999 • Infrastructure Mode or Ad Hoc • Utilizes 2.4GHz band on 15 different channels (only 11 in US) • 11Mbps shared among all users on access point • Cheap!!!
Basic 802.11g Overview • Faster than 802.11b (54Mbps) • Backward compatibility • Same interference problem with 802.11b Future work… • 802.11n • Over 100Mbps actual throughput…?? • Backward compatibility with a/b • Still trying to come up with the first draft…
802.11 Built in Security Features • Service Set Identifier (SSID) • Differentiates one access point from another • SSID is cast in ‘beacon frames’ every few seconds. • Beacon frames are in plain text! • First layer of security • Stealth Mode – probe request
Do’s and Don'ts for SSID’s • Default SSID’s are well known (Linksys AP’s default to linksys, CISCO defaults to tsunami, etc) so change them immediately. • Do change the settings on your AP so that it does not broadcast the SSID in the beacon frame.
Hiding the SSID • As stated earlier, the SSID is by default broadcast every few seconds. • Turning it off makes it harder to figure out a wireless connection is there • Reading raw packets will reveal the SSID since even when using WEP, the SSID is in plain text • Increases deployment difficulty
MAC address filtering • MAC address filtering works by only allowing specific hardware to connect to the AP • Management on large networks unfeasible • Using a packet sniffer, one can very easily find a valid MAC address and modify their OS to use it, even if the data is encrypted • May be good for small networks • Prevents casual hacking..
Associating with the AP • Access points have two ways of initiating communication with a client • Shared Key or Open Key authentication • Open key allows anyone to start a conversation with the AP • Shared Key is supposed to add an extra layer of security by requiring authentication info as soon as one associates
How Shared Key Auth. works • Client begins by sending an association request to the AP • AP responds with a challenge text (unencrypted) • Client, using the proper WEP key, encrypts text and sends it back to the AP • If properly encrypted, AP allows communication with the client
Is Open or Shared Key more secure? • Ironically enough, Open key is the answer in short • Using passive sniffing, one can gather 2 of the three variables needed in Shared Key authentication: challenge text and the encrypted challenge text
Wired Equivalent Protocol (WEP) • Primary built-in security for 802.11 protocol • Provides “Confidentiality”, and “Integrity”. • “Authentication” ? • Uses 40/104 bits RC4 encryption + CRC • Unfortunately, the usage of RC4 in WEP has been proven insecure
64/40 and 128/104 bits confusion • IV (24bits) • Your WEP key: • 5-ASCII char word = 40bits • 13-ASCII char word = 104bits Security-wise, it’s really 40bits or 104bits
Problems with WEP • 1 static key • No encryption is strong if one key is used forever • Key length is short for default settings(40bits) • Brute forcing is possible • Using CRC32 in ICV • Bit flipping attack: CRC(msg XOR delta) = CRC(M) XOR CRC(delta) • bits cannot be set or cleared, but could be flipped • No specification on key distribution • Lacks scalability • No protection against replay attack • Improper RC4 implementation • Protocol doesn’t actually specify IV’s use • 2 existing attacks
Numerical Limitation Attack • IV’s are only 24bit, and thus there are only 16,777,216 possible IV’s • A busy network will repeat IV’s often
FMS Attack -- weak IV attack -- • Some IV’s do not work well with RC4 • Using a formula, one can take these weak IV and infer parts of the WEP key • 5 % chance of guessing correctly • Once again, passively monitoring the network for a few hours can be enough time to gather enough weak IV’s to figure out the WEP key • 7M~ packets to decrypt 40bit WEP key • The time needed to deploy the attack is linearly proportional to the key length • 104bit key is just as useless as 40bits key
Is RC4 really vulnerable? • There are a few flaws but it is still considered safe. • WEP did not use RC4 properly. • IPSEC • SSL
Another Attack - KoreK • Vendors have implemented a ‘hack’ • Another statistical analysis based attack on WEP key • Extremely fast • Possible with as little as 0.1M IVs… • Traditional method requires more than 4M packets • Accelerate it with packet injection - ARP Fast swapping of WEP key is no longer safe
Conclusion: WEP • Confidentiality • FMS attack • KoreK attack • Integrity • Bit-flipping attack • Authentication • Attacks are passive and difficult to detect NO MORE WEP
WEP…. Wired Equivalent Privacy Well.. More like What on the Earth does it Protect?
Virtual Private Networking (VPN) • Deploying a secure VPN over a wireless network can greatly increase the security of your data • Idea behind this is to treat the wireless network the same as an insecure wired network (the internet).
VPN is really not the greatest option…. • Overhead • Deployment • Performance • susceptible to any attack against the specific VPN Bottom Line: Not practical
Finally…. Some Solutions! 802.1x (Authentication) per-user authentication Key distribution mechanism WPA (Confidentiality, Integrity) Subset of 802.11i 2 forms 802.1x + EAP + TKIP + MIC Pre-shared Key + TKIP + MIC WPA2 – 802.11i WPA2 is the implementation of 802.11i Usage of AES + CCMP
802.1X • 802.1X is a port-based, layer 2 (MAC address layer) authentication framework on IEEE 802 networks. • Not limited or specific to 802.11 networks • Uses EAP for implementation • 802.1X is not an alternative to WEP, it works along with the 802.11 protocol to manage authentication for WLAN clients
How authentication takes place • A client requests access to the AP • The AP asks for a set of credentials • The client sends the credentials to the AP which forwards them to authenticating server • The exact method for supplying credentials is not defined in 802.1X itself
Extensible Authentication Protocol (EAP) • 802.1X utilizes EAP for it’s authentication framework • flexible: one time passwords, certificates, smartcards, own EAP protocol, etc • zero per packet overhead • cost efficient • 802.1X integrates well with other open standards such as RADIUS • RADIUS is de-facto
more benefits of choosing 802.1X… • Software upgrade • Access points only need a firmware upgrade to enable 802.1X • On the client side, 802.1X can be enabled with an updated driver for the NIC • Depending on the EAP you choose, you can have a very secure authentication scheme! • Proprietary versions of dynamic key management available
Implementations • EAP-MD5 • EAP-LEAP • EAP-TLS • EAP-TTLS • PEAP
EAP-MD5 • EAP-MD5 is a simple EAP implementation • Uses and MD5 hash of a username and password that is sent to the RADIUS server • Authenticates only one way • Man in the middle attack • Bottom line: Not recommended
EAP-LEAP (Cisco Wireless) • Like MD5-LEAP, it uses a Login/Password scheme that it sends to the RADIUS server • Each user gets a dynamically generated one time key upon login • Authenticates client to AP and vice versa • Can be used along with RADIUS session time out feature, to dynamically generate keys at set intervals • Only guaranteed to work with Cisco wireless clients • Broken – ASLEAP by Joshua Wright
EAP-TLS by Microsoft • Instead of a username/password scheme, EAP-TLS uses certificate based authentication • Has dynamic one time key generation • Two way authentication • Uses TLS (Transport Layer Security) to pass the PKI (Public Key Infrastructure) information to RADIUS server • Compatible with many OS’s • Harder to implement and deploy because PKI for clients are also required
PEAP by Microsoft and Cisco • A more elegant solution! • Very similar to EAP-TLS except that the client does not have to authenticate itself with the server using a certificate, instead it can use a login/password based scheme • Much easier to setup, does not necessarily require a PKI • Currently works natively with Windows XP SP1, but other platforms should support it soon