
IEEE 802.11 Security


sidone

Presentation Transcript


  1. IEEE 802.11 Security

  2. IEEE Security Outline • Introduction to Wireless Local Area Networks • IEEE 802.11 • IEEE 802.11 PHY & MAC • IEEE 802.11 Security • Risks to IEEE 802.11 networks • IEEE 802.11 WEP • Wi-Fi Alliance’s WPA • IEEE 802.11i amendment and WPA2

  3. Who is Who in IEEE 802.11 • IEEE • Institute of Electrical and Electronics Engineers, Inc. • designs the technology & publishes the standards www.ieee.org • Wi-Fi Alliance* • certifies interoperability of WLAN products • +250 member companies and +2800 certified products www.wifialliance.com * formerly WECA - Wireless Ethernet Compatibility Alliance

  4. IEEE 802.11 Evolution • Wireless Evolution: • early 1990s • first wireless networks operating in the ISM bands • issues: price, performance, interoperability IEEE 802.11 WG is born • 1997 June • IEEE 802.11 standard is approved. • 1999 September • standard revision, IEEE 802.11a & IEEE 802.11b are approved. • 2003 June • IEEE 802.11g amendment is approved • 2004 July • IEEE 802.11i amendment is approved

  5. IEEE 802.11 Specification • Operation Modes • infrastructure network • ad hoc network • IEEE 802.11 standard specifies: • medium access control (MAC) • physical layer protocols (PHY) IP LLC IEEE 802.2 MAC IEEE 802.11 PHY

  6. Operation Modes • Infrastructure Network Mode • Basic Service Set (BSS) with only one Access Point (AP) AP BSS STA

  7. Operational Modes • Infrastructure Network Mode • Extended Service Set (ESS) STA ESS STA AP AP BSS BSS

  8. Operational Modes • Ad Hoc Network Mode • Independent Basic Service Set (IBSS) • no support to multi hopping no routing! PHY & MAC layers only STA IBSS

  9. The Spectrum • Electromagnetic Spectrum • the physical medium “air” from viewpoint of the signal frequencies • frequency usage is regulated / controlled by the local government • E.U. CEPT* - ERO (European Radio Comm. Office) • Sweden PTS (Post & Telestyrelsen) • U.S. FCC & NTIA • International ITU *European Conference of Postal and Telecommunications Administrations

  10. The Spectrum • Electromagnetic Spectrum www.ntia.doc.gov/osmhome/allochrt.html www.pts.se/ www.ero.dk/ecc [Figure: spectrum chart from 3 kHz to 300 THz (VL, L, M, H, VH, UH, SH, EH, IR) marking AM, FM, AMPS, GSM, GSM-DCS, PCS and microwaves, with the bands 902 MHz - 928 MHz, 2.4 GHz - 2.5 GHz (IEEE 802.11b, IEEE 802.11g) and 5.725 GHz - 5.875 GHz (IEEE 802.11a)]

  11. Transmission Mechanisms • Narrow Band • all signal power is concentrated in a narrow spectrum band • Spread Spectrum -SS • the signal power is spread in the spectrum

  12. Spread Spectrum • Direct Sequence (DS-SS) • the signal is multiplied by a code signal spreading si(t)=(2.Pi)-1/2.di(t).pi(t).cos(0.t+ i) • the signal is retrieved multiplying it the same code • anti jamming properties • low probability of interception • low amplitude signal even below noise level! code

  13. Spread Spectrum • Direct Sequence (DS-SS) pi(t) pi(t) code code (2.Pi)-1/2.di(t).cos(0.t+ i) (2.Pi)-1/2.di(t).cos(0.t+ i) Original Narrowband Signal ReceivedNarrowbandSignal spread signal   (2.Pi)-1/2.di(t).pi(t).cos(0.t+ i) spread waveform noise noise noise

  14. IEEE 802.11 PHY • Several different PHY layers below one MAC layer • IEEE 802.11: 2.4 GHz FH-SS (1 Mbps, 2 Mbps), 2.4 GHz DS-SS (1 Mbps, 2 Mbps), Infrared (1 Mbps, 2 Mbps) • IEEE 802.11b: 2.4 GHz DS-SS, max 11 Mbps • IEEE 802.11g: 2.4 GHz OFDM, max 54 Mbps • IEEE 802.11a: 5 GHz OFDM, 6, 9, 12, 18, 24, 36, 48, 54 Mbps

  15. IEEE 802.11 PHY DS-SS • DS-SS: Direct Sequence – Spread Spectrum [Figure: channels 1 to 14 laid out on a frequency axis from 2400 MHz to 2497 MHz]

  16. IEEE 802.11 PHY OFDM • OFDM: Orthogonal Frequency Division Multiplexing • multiple transmissions at the same time • 4 overlayering carriers no interference among the carriers maximum OFDM minimum

  17. IEEE 802.11 PHY • Channels and Channel reuse • Europe*, USA [Figure: cell layout reusing channels 1, 6 and 11] * except France, Spain

  18. IEEE 802.11 MAC • MAC Layer - Medium Access • medium access without contention • medium access with contention random backoff mechanism • ACK and retransmission [Diagram: MAC comprising the Point Coordination Function (PCF) and the Distributed Coordination Function (DCF)]

  19. IEEE 802.11 MAC • Point Coordination Function (PCF) • the Access Point (AP) defines medium access • only for infrastructure wireless networks (optional) • polling among STA: contention-free medium access • Distributed Coordination Function (DCF) • all stations (STA) • CSMA/CA: Carrier Sense Multiple Access / Collision Avoidance • RTS/CTS mechanism

  20. IEEE 802.11 CSMA/CA • Physical Carrier Sense (PHY) • checks if the physical medium is free • Virtual Carrier Sense • to solve the “hidden-node” problem! • use of RTS and CTS frames Duration/ID field defines the reserved period of time NAV Network Allocation Vector stores the reservation information implemented as a counter

  21. IEEE 802.11 CSMA/CA • Virtual Carrier Sense • DS-SS timings: PIFS – PCF IFS - 10µs, SIFS – Short IFS - 30µs, DIFS – DCF IFS - 50µs

  22. IEEE 802.11 CSMA/CA • Random backoff mechanism • after transmission: DIFS (DCF interframe space) • if a STA wants to transmit and the medium is free: immediate access (>= DIFS) • if a STA wants to transmit and the medium is not free: wait for DIFS + random period (contention window) * Networking Computing

  23. IEEE 802.11 CSMA/CA • Backoff mechanism (contention window) [Figure: timeline for STA A to STA E showing DIFS, Frame, Contention, Wait and Backoff periods]

  24. Risks in IEEE 802.11 networks • Risks? Is it really not secure? • rogue clients logging into your networks • wireless eavesdropping and network intrusion • non-authorized / rogue AP and cloned AP • bad configuration [Diagram: Attacker, Cloned AP and Rogue AP around the Enterprise LAN and its AP]

  25. IEEE 802.11 Security • Data link security (L2) between AP and STA or STA and STA (ad hoc mode) IEEE 802.11 WEP (Wired Equivalent Privacy) is WEP really that bad? Wi-Fi Alliance’s WPA (Wi-Fi Protected Access) is WPA enough? IEEE 802.11i amendment and WPA2 are we finally secure?

  26. Wired Equivalent Privacy - WEP • the security goals of IEEE 802.11 were: • Authentication • Confidentiality • Data Integrity • WEP introduced in the original IEEE 802.11 standard • designed to protect authorized users from casual eavesdropping • optional security add-on to achieve confidentiality • WEP assumes that AP and clients have shared-keys

  27. Wired Equivalent Privacy - WEP • WEP: Confidentiality and Integrity in the Data Link Layer • but what is WEP? “a form of ECB* in which a block of plaintext is bitwise XORed with a pseudorandom key sequence of equal length” • WEP key (PRNG input): a 40-bit long shared secret + 24-bit long IV, so the PRNG input is 64 bits long • Data integrity with CRC-32 [Frame layout: MAC | IV | Ciphered Payload | CRC] *Electronic Code Book

  28. Ciphering with WEP [Diagram: the 24-bit Initialization Vector (IV) || the 40-bit Secret Key form the 64-bit Seed of the WEP PRNG (RC4), which outputs the Key Sequence K; P is the Plaintext || its 32-bit CRC-32 Integrity Check Value (ICV); P ⊕ K = C; the Output is the IV followed by the Ciphertext] || - concatenation, ⊕ - bitwise XOR

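  29. Deciphering with WEP C ⊕ K = P ⊕ K ⊕ K = P [Diagram: the 24-bit IV taken from the Input || the 40-bit Secret Key form the 64-bit Seed of the WEP PRNG (RC4); the Key Sequence is XORed with the Ciphertext to give the Plaintext and the ICV; CRC-32 over the Plaintext gives ICV’, and the check is ICV’ ?= ICV] || - concatenation, ⊕ - bitwise XOR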

  30. WEP Authentication • WEP authentication modes • Open System: null authentication • Shared Key: based on WEP [Exchange between STA and STA or AP: request; challenge: (M); response: E_WEP(M); OK / NOK]

  31. Early comments on WEP • the use of shared-keys in WEP • network security management problem • shared keys are not long enough (40bits) • brute force attacks (feasible, but takes time) just increase the key length to 104bits!

  32. Overview of the WEP Insecurity • March 2000: Simon, Aboba and Moore • several flaws in WEP design • October 2000: Walker • limited IV space leads to IV reuse problem • July 2001: Borisov, Goldberg and Wagner • practical attacks to cause known plaintext to be transmitted • March 2001: Arbaugh et al. • trivial to obtain a keystream • August 2001: the Fluhrer, Mantin and Shamir attack • weakness in RC4 key scheduling algorithm and the popular cracking tools for IEEE 802.11 networks secured with WEP…

  33. Simon, Aboba and Moore (Microsoft) • NIC authentication only: no user authentication • lost NICs / device: huge security management problem • shared-key authentication is not mutual • rogue AP: MitM attacks • ICV is not keyed • no guarantee of data integrity • known plaintext attacks recover the keystream for a given IV: C ⊕ P = P ⊕ K ⊕ P = K

  34. J. Walker (Microsoft) • WEP mechanism unsafe at any key size (24-bit long IV) • only 2^24 values can be derived from a WEP key • IV reuse can lead to data decryption without the secret key • no policy for IV selection on AP • C ⊕ C’ = P ⊕ K ⊕ P’ ⊕ K = P ⊕ P’ [Diagram: the 24-bit Initialization Vector (IV) || the 40-bit Secret Key form the 64-bit Seed of the WEP PRNG (RC4), which outputs the Key Sequence K]

  35. Borisov, Goldberg and Wagner (UCB) • IV dictionaries are independent of the key size (2^24 entries) • practical ways to cause known plaintext to be transmitted • broadcasted datagrams: obtain an RC4 keystream • Message modification • CRC-32 is a linear function of the message • C’ = C ⊕ ( Δ || c(Δ) ) • Message injection and authentication spoofing • one RC4 keystream needed
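
Added example (not part of the original slides): a toy WEP encapsulation in Python that carries slides 28 to 35 through on constructed bytes, showing C = P ⊕ K, keystream recovery from known plaintext, IV reuse giving C ⊕ C’ = P ⊕ P’, and why the unkeyed CRC-32 ICV still verifies after C’ = C ⊕ ( Δ || c(Δ) ). The key, IV, plaintexts and helper names are illustrative assumptions; no 802.11 framing is modelled.

```python
import zlib

def rc4(seed: bytes, n: int) -> bytes:
    """RC4 key sequence: KSA over the seed, then n bytes of PRGA output."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """Unkeyed integrity check value: CRC-32 of the payload, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)            # P = plaintext || ICV
    return xor(body, rc4(iv + key, len(body)))   # C = P xor K, seed = IV || key

def wep_decrypt(iv: bytes, key: bytes, ciphertext: bytes):
    body = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    plaintext, received = body[:-4], body[-4:]
    return plaintext, received == icv(plaintext)  # the ICV' ?= ICV comparison

def flip(ciphertext: bytes, delta: bytes) -> bytes:
    """C' = C xor (delta || c(delta)); neither the key nor the IV is used."""
    # zlib's CRC-32 adds an init/final XOR, so the linear part c(delta)
    # is crc(delta) xor crc(all-zero message of the same length).
    c_delta = xor(icv(delta), icv(bytes(len(delta))))
    return xor(ciphertext, delta + c_delta)

# Constructed sample values, not captured traffic
KEY, IV = bytes.fromhex("0102030405"), bytes.fromhex("aabbcc")
P1, P2 = b"PAY 0100 TO ALICE", b"GET /index.html !"
C1 = wep_encrypt(IV, KEY, P1)
C2 = wep_encrypt(IV, KEY, P2)   # same IV reused, so the same key sequence
```

The receiver's only integrity check is the CRC comparison in `wep_decrypt`, which is why TKIP's keyed MIC and CCMP replace it.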

  36. Arbaugh et al. (UMD) • trivial to obtain a keystream • shared-key authentication: 2nd frame and 3rd frame [Exchange between STA and STA or AP: request; challenge: (M), the Plaintext; response: E_WEP(M), the Ciphertext; OK / NOK] • C ⊕ P = P ⊕ K ⊕ P = K, the RC4 keystream

  37. Fluhrer, Mantin and Shamir • weakness in RC4 key scheduling algorithm • large class of weak keys: collecting weakened packets • derive the first byte of the RC4 output • Stubblefield, Ioannidis and Rubin: effectiveness of the attack, ca. 10^6 packets to retrieve a key [Diagram: the Seed (Known 24 bits + Secret 40 bits) enters RC4 (KSA, then PRGA), which outputs the Key Sequence]

  38. Attack Tools on WEP • Fluhrer, Mantin and Shamir Implemented AirSnort http://airsnort.shmoo.com/ WEPCrack http://sourceforge.net/projects/wepcrack/ • wesside - a fragmentation-based attack tool from UCL http://www.cs.ucl.ac.uk/staff/A.Bittau/frag-0.1.tgz

  39. Vendors’ Countermeasures • Increasing the secret key length to 104 bits: innocuous, WEP is insecure at any key size • MAC filtering: MAC spoofing is easily achievable • suppressing SSID broadcasts: network will be detected (management datagrams) • the vendors’ patch, blocking potentially harmful IVs: reduced the IV space even more, legacy hosts compromise the solution

  40. Wi-Fi Protected Access (WPA) • WPA (Wi-Fi Protected Access) • recommendation to improve security in IEEE 802.11 networks • published in April 2003 • added as a subset of IEEE 802.11i for backward compatibility • only a firmware upgrade is needed • WPA encryption: Temporal Key Integrity Protocol (TKIP), a wrapper over WEP • WPA has two authentication modes: Enterprise Mode (Authentication Server is needed) and SOHO Mode (using shared-keys)

  41. WPA Encryption with TKIP • TKIP enhancements over WEP are: • a keyed data integrity protocol (MIC – Message Integrity Protocol): MICHAEL, 64-bit long keys, calculated over the MSDU • re-keying mechanism to provide fresh keys: encryption keys for different purposes • per packet mixing function: prevents weak key attacks, the MAC of the destination is mixed into the temporal key • a discipline for IV sequencing: prevents IV reuse, the IV counter is reset after the establishment of fresh keys

  42. WPA Authentication Enterprise Mode • Authentication Server provides: • key management and • authentication according to the EAP • EAPOL (IEEE 802.1X) is needed • IEEE 802.1X defines a port-based network control method [Diagram: supplicant (STA), authenticator (AP) and AS; wireless medium between STA and AP carrying EAPoL (IEEE 802.1X), wired medium between AP and AS carrying RADIUS; EAP and the EAP authentication mechanism on top]

  43. IEEE 802.1X Authentication with TLS STA AP AS EAPoL RADIUS 802.1X/EAP Req. ID RADIUS Access Req. / EAP - Resp. ID 802.1X/EAP Resp. ID EAP-TLS Mutual Authentication calculate PMK* calculate PMK* RADIUS Accept + PMK PMK 802.1X/EAP-Success TLS-PseudoRandomFunction( PreMasterKey, “master secret” || random1 || random2 ) *TLS-PRF( MasterKey, “client EAP encryption” || random1 || random2 )

  44. WPA Authentication SOHO Mode • using Pre-Shared Keys (PSK) • shared keys between the AP and STA • useful solution for smaller networks • no need for an authentication server • PSK is vulnerable to dictionary attacks • coWPAtty http://sourceforge.net/projects/cowpatty

  45. IEEE 802.11i • IEEE 802.11i is an amendment to the IEEE 802.11 standard • several components are external to the IEEE 802.11 standard IEEE 802.11i protect data frames EAPoL (IEEE 802.1X) provides authentication key establishment and distribution • RSNA - Robust Secure Network Association • defined as a type of association to secure wireless networks

  46. RSNA • RSNA defines: • key hierarchy and key management algorithms; • a cryptographic key establishment; • enhanced authentication mechanisms; • enhanced data encapsulation mechanism: CTR with CBC-MAC, the Counter Mode with Cipher Block Chaining with Message Authentication Code (CBC-MAC) Protocol. • TKIP is included for systems not fully compliant with RSNA • Open-System Authentication is kept; • WEP is supported only for interoperability with legacy systems.

  47. RSNA Security Algorithm Classes • RSNA algorithms • data confidentiality protocols • network architecture for authentication (based on IEEE 802.1X) • key hierarchy, key setting and distribution method • Pre-RSNA algorithms • WEP and IEEE 802.11 Open System Authentication

  48. RSN and TSN • RSN Information Element (IE) Beacon Frames • RSN IE Group Key Field Suite indicates the network type • Robust Secure Networks (RSN) • RSNA only networks • Transient Secure Networks (TSN) • allows both Pre-RSNA networks (WEP) and RSNA networks

  49. RSNA Operational Phases AS STA AP Discovery Authentication (IEEE 802.1X) Key Distribution Key Management Data Transfer (protected)

  50. RSNA Discovery Phase • Discovery of an AP SSID by an STA • RSN IE frames • Definition of: • authentication, key management and cryptographic suite • cipher suite selectors include: WEP-40, WEP-104, TKIP, CCMP, and vendor specifics
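
Added example (not part of the original slides): a Python parser for the RSN Information Element described in slides 48 and 50, which reads the group cipher, pairwise cipher and key management suite selectors and labels the network RSN or TSN from the group key suite. The element layout and selector values (element ID 48, OUI 00-0F-AC) follow IEEE 802.11i; the two sample elements are constructed, the function names are illustrative, and the sketch assumes the element carries all fields up to the key management list.

```python
import struct

OUI = bytes.fromhex("000fac")        # OUI used by the standard suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _name(sel: bytes, table: dict) -> str:
    if sel[:3] != OUI:
        return "vendor-specific " + sel.hex()
    return table.get(sel[3], "unknown " + sel.hex())

def _suite_list(body: bytes, off: int, table: dict):
    """Read a 2-byte little-endian count, then that many 4-byte selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("suite list runs past the element")
    return [_name(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn_ie(ie: bytes) -> dict:
    if len(ie) < 8 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN IE (element ID 48)")
    body = ie[2:]
    (version,) = struct.unpack_from("<H", body, 0)
    group = _name(body[2:6], CIPHERS)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    # A WEP group cipher marks a Transient Secure Network (slide 48)
    network = "TSN" if group.startswith("WEP") else "RSN"
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akm, "network": network}

def audit(ie: bytes) -> list:
    """Findings worth flagging for one advertised network."""
    info, findings = parse_rsn_ie(ie), []
    if info["network"] == "TSN":
        findings.append("TSN: group cipher %s admits pre-RSNA (WEP) stations" % info["group"])
    if "TKIP" in info["pairwise"]:
        findings.append("TKIP offered for stations not fully RSNA compliant")
    if "PSK" in info["akm"]:
        findings.append("PSK in use: passphrase is exposed to dictionary attacks")
    return findings

# Constructed sample elements, not captured beacons
RSN_ONLY = bytes.fromhex("30 14 0100 000fac04 0100 000fac04 0100 000fac01 0000")
MIXED = bytes.fromhex("30 18 0100 000fac05 0200 000fac02 000fac04 0100 000fac02 0000")
```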
