1 / 71

Lecture 9: Wireless Security – WEP/WPA

Lecture 9: Wireless Security – WEP/WPA. CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine Khalife and Tony Barnard. Course Admin. Mid-Term Exam Graded Solution provided To be distributed today HW2 Graded Solution provided

susant
Télécharger la présentation

Lecture 9: Wireless Security – WEP/WPA

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Lecture 9: Wireless Security – WEP/WPA CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine Khalifeand Tony Barnard

  2. Course Admin • Mid-Term Exam Graded • Solution provided • To be distributed today • HW2 Graded • Solution provided • To be distributed today Lecture 9 - Wireless Security

  3. Course Admin • HW3 • Covers SSL/TLS (lecture 7) • Due 11am on Nov 11 (Monday) • Lab exercise involves capturing SSL/TLS packets using Wireshark • Labs active this Friday Lecture 9 - Wireless Security

  4. Travel Next Week • I’m traveling, presenting at a conference next week http://isc.utdallas.edu/index.html • Bad news: Have to miss the lecture • Good news: TA (Cooper) will present on my behalf • Some interesting stuff on wireless security • Important • Your attendance is strongly encouraged Lecture 9 - Wireless Security

  5. Outline • WiFi Overview • WiFi Security Threats • WEP – Wired Equivalence Privacy • Including vulnerabilities • WPA – WiFi Protected Access Lecture 9 - Wireless Security

  6. HTTP/SMTP/IM TCP/UDP/ICMP IPsec Security at different layers • Application layer: PGP • Transport layer: SSL • Network layer: IPsec • Link layer: WEP / 802.11i (WPA) WiFi Security Approach: WEP/WPA

  7. 802.11 Standards • 802.11a – 54 Mbps@5 GHz • Not interoperable with 802.11b • Limited distance • Cisco products: Aironet 1200 • 802.11b – 11 Mbps@2.4 GHz • Full speed up to 300 feet • Coverage up to 1750 feet • Cisco products: Aironet 340, 350, 1100, 1200 • 802.11g – 54 Mbps@2.4 GHz • Same range as 802.11b • Backward-compatible with 802.11b • Cisco products: Aironet 1100, 1200

  8. 802.11 Standards (Cont.) • 802.11e – QoS • Dubbed “Wireless MultiMedia (WMM)” by Wi-Fi Alliance • 802.11i – Security • Adds AES encryption • Requires high cpu, new chips required • TKIP is interim solution • 802.11n –(2009) • up to 300Mbps • 5Ghz and/or 2.4Ghz • ~230ft range

  9. Wireless Network Modes • The 802.11 wireless networks operate in two basic modes: • Infrastructure mode • Ad-hocmode • Infrastructure mode: • each wireless client connects directly to a central device called Access Point (AP) • no direct connection between wireless clients • AP acts as a wireless hub that performs the connections and handles them between wireless clients

  10. Wireless Network Modes (cont’d) • The hub handles: • the clients’ authentication, • Authorization • link-level data security (access control and enabling data traffic encryption) • Ad-hoc mode: • Each wireless client connects directly with each other • No central device managing the connections • Rapid deployment of a temporal network where no infrastructures exist (advantage in case of disaster…) • Each node must maintain its proper authentication list

  11. AP AP Internet 802.11 LAN architecture • wireless host communicates with base station • base station = access point (AP) • Basic Service Set (BSS) (aka “cell”) in infrastructure mode contains: • wireless hosts • access point (AP): base station • ad hoc mode: hosts only hub, switch or router BSS 1 BSS 2

  12. SSID – Service Set Identification • Identifies a particular wireless network • A client must set the same SSID as the one in that particular AP Point to join the network • Without SSID, the client won’t be able to select and join a wireless network • Hiding SSID is not a security measure because the wireless network in this case is not invisible • It can be defeated by intruders by sniffing it from any probe signal containing it.

  13. Beacon frames & association • AP regularly sends beacon frame • Includes SSID, beacon interval (often 0.1 sec) • host: must associate with an AP • scans channels, listening for beacon frames • selects AP to associate with; initiates association protocol • may perform authentication • After association, host will typically run DHCP to get IP address in AP’s subnet

  14. 6 4 2 2 6 6 6 2 0 - 2312 frame control duration address 1 address 2 address 3 address 4 payload CRC seq control 802.11 frame: addressing Address 4: used only in ad hoc mode Address 1: MAC address of wireless host or AP to receive this frame Address 3: MAC address of router interface to which AP is attached Address 2: MAC address of wireless host or AP transmitting this frame

  15. router AP Internet H1 MAC addr R1 MAC addr source address dest. address 802.3frame H1 MAC addr AP MAC addr R1 MAC addr address 3 address 2 address 1 802.11 frame 802.11 frame: addressing H1 R1

  16. router AP Internet R1 MAC addr H1 MAC addr source address dest. address 802.3frame AP MAC addr H1 MAC addr R1 MAC addr address 3 address 2 address 1 802.11 frame 802.11 frame: addressing H1 R1

  17. frame: 6 4 2 2 6 6 6 2 0 - 2312 frame control duration address 1 address 2 address 3 address 4 payload CRC seq control 2 2 4 1 1 1 1 1 1 1 1 Protocol version Type Subtype To AP From AP More frag Retry Power mgt More data WEP Rsvd frame control field expanded: • Type/subtype distinguishes beacon, association, ACK, RTS, CTS, etc frames. • To/From AP defines meaning of address fields • 802.11 allows for fragmentation at the link layer • 802.11 allows stations to enter sleep mode • Seq number identifies retransmitted frames (eg, when ACK lost) • WEP = 1 if encryption is used 802.11 frame (more)

  18. Primary Threats • Unauthorized access • Learn SSID and join the network • Sniffing/Eavesdropping • Easy since wireless traffic is broadcast in nature • Session Hijacking • Similar to wired session hijacking • Evil Twin Attack • Attacker fools the user into connecting to its own AP (rather than the starbucks AP, e.g.)

  19. Lecture 9 - Wireless Security Unauthorized Access • So easy to find the ID for a “hidden” network because the beacon broadcasting cannot be turned off • Simply use a utility to show all the current networks:   • inSSIDer • NetStumbler • Kismet 

  20. Unauthorized Access Defense: Access control list • Access control list • Simplest security measure • Filtering out unknown users • Requires a list of authorized clients’ MAC addresses to be loaded in the AP • Won’t protect each wireless client nor the traffic confidentiality and integrity ===>vulnerable • Defeated by MAC spoofing: • ifconfig eth0 hw ether 00:01:02:03:04:05 (Linux) • SMAC - KLC Consulting (Windows) • MAC Makeup - H&C Works (Windows)

  21. 802.11 Sniffing • Requires wireless card that supports raw monitoring mode (rfmon) • Grabs all frames including management frames • Tools: • Dump packets using Wireshark;

  22. Firewall blocks traceroutes,… Traffic sent by wireless hosts/APs not blocked by firewall Leaking of internal information Trudy can traceroute and port scan through AP Establish connections Attempt to overtake Firewalled Networks with Wi-Fi (1)

  23. Firewalled Networks with Wi-Fi (2) • Move AP outside of firewall? • Trudy can no longer tracetroute internal network via AP • But Trudy still gets everything sent/received by wireless hosts

  24. Firewalled Networks with Wi-Fi (3) • Crypto at link layer between wireless hosts and AP • Trudy doesn’t hear anything • Trudy can not port scan • Wireless hosts can access internal services

  25. Suppose: Traffic encrypted with symmetric crypto Attacker can sniff but can’t break crypto What’s the damage? SSID, Mac addresses Manufacturers of cards from MAC addrs Count # of devices Traffic analysis: Size of packets Timing of messages Determine apps being used But cannot see anything really useful Attacker needs the keys, or break crypto Very hard Sniffing Encrypted 802.11 traffic

  26. WEP - Wired Equivalent Privacy • The original native security mechanism for WLAN • provide security through a 802.11 network • Used to protect wireless communication from eavesdropping (confidentiality) • Prevent unauthorized access to a wireless network (access control) • Prevent tampering with transmitted messages • Provide users with the equivalent level of privacy inbuilt in wireless networks.

  27. WEP Feature Goals: • Authentication • AP only allows authorized stations to associate • Data integrity • Data received is the data sent • Confidentiality • Symmetric encryption

  28. WEP Design Goals • Symmetric key crypto • Confidentiality • Station authorization • Data integrity • Self synchronizing: each packet separately encrypted • Given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost • Unlike Cipher Block Chaining (CBC) in block ciphers • Efficient • Can be implemented in hardware or software

  29. 40 bits or 104 bits Key distribution not covered in standard Configure manually: At home Small organization with tens of users Nightmare in company >100 users WEP Keys

  30. WEP Procedures • Appends a 32-bit CRC checksum to each outgoing frame (INTEGRITY) • Encrypts the frame using RC4 stream cipher = 40-bit (standard) or 104-bit (Enhanced) message keys + a 24-bit IV random initialization vector (CONFIDENTIALITY). • The Initialization Vector (IV) and default key on the station access point are used to create a key stream • The key stream is then used to convert the plain text message into the WEP encrypted frame.

  31. encrypted IV KeyID data ICV MAC payload Encrypted WEP frame

  32. RC4 keystream XORed with plaintext

  33. WEP Components • Initialization Vector IV • Dynamic 24-bit value • Chosen randomly by the transmitter wireless network interface • 16.7 million possible IVs (224) • Shared Secret Key • 40 bits long (5 ASCII characters) • 104 bits long (13 ASCII characters)

  34. WEP Components (cont’d) • RC4 algorithm consists of 2 main parts: • The Key Scheduling Algorithm (KSA): • involves creating a scrambled state array • This state array will now be used as input in the second phase, called the PRGA phase. • The Pseudo Random Generation Algorithm(PRGA): • The state array from the KSA process is used here to generate a final key stream. • Each byte of the key stream generated is then Xor’ed with the corresponding plain text byte to produce the desired cipher text.

  35. WEP Components (cont’d) • ICV (Integrity Check Value)= CRC32 (cyclic redundancy check) integrity check • XOR operation • denoted as ⊕ • plain-text ⊕ keystream= cipher-text • cipher-text ⊕ keystream= plain-text • plain-text ⊕ cipher-text= keystream

  36. checksum RC4 key IV encrypted packet How WEP works IV original unencrypted packet

  37. Encryption Process

  38. Decryption Process

  39. 8.2.5 WEP Frame Body Expansion Recall from CS 334/534: CRC-32 Figure 6 - 802.11 frame format 39

  40. CRC-32 CRC-32 Figure 46 – Construction of expanded WEP frame body 40

  41. K (R) A-B End-point authentication w/ nonce Nonce:number (R) used only once –in-a-lifetime How:to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key “I am Alice” R Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!

  42. AP authentication request nonce (128 bytes) nonce encrypted shared key success if decrypted value equals nonce WEP Authentication Not all APs do it, even if WEP is being used. AP indicates if authentication is necessary in beacon frame. Done before association.

  43. WEP is flawed • Confidentiality problems • Authentication problems • Integrity problems

  44. IV, P  RC4(K, IV) IV, P’  RC4(K, IV) A Risk of Keystream Reuse • If IV’s repeat, confidentiality is at risk • If we send two ciphertexts (C, C’) using the same IV, then the xor of plaintexts leaks (P  P’ = C  C’), which might reveal both plaintexts  Lesson: If RC4 isn’t used carefully, it becomes insecure

  45. IV reuse With 17 million IVs and 500 full-length frames/sec, collisions start after 7 hours Worse when multiple hosts start with IV=0 IV reuse: Trudy guesses some of Alice’s plaintext d1 d2 d3 d4 … Trudy sniffs: ci = dikiIV Trudy computes keystream kiIV =ci di Trudy knows encrypting keystream k1IV k2IV k3IV … Next time IV is used, Trudy can decrypt! Worse: Weak Key Attack Mathematical, complicated, For certain key values (weak keys), disproportionate number of bits in first few bytes of the keystream are determined by just a few key bits. As the IV cycles, wait for weak keys Exploit weak keys to crack the key Effort is only linear in key size! Cracker script tool available Problems with WEP confidentiality (2)

  46. Keystream Reuse • WEP didn’t use RC4 carefully • The problem: IV’s frequently repeat • The IV is often a counter that starts at zero • Hence, rebooting causes IV reuse • Also, there are only 16 million possible IV’s, so after intercepting enough packets, there are sure to be repeats  Attackers can eavesdrop on 802.11 traffic • An eavesdropper can decrypt intercepted ciphertexts even without knowing the key

  47. WEP authentication problems • Attacker sniffs nonce, m, sent by AP • Attacker sniffs response sent by station: • IV in clear • Encrypted nonce, c • Attacker calculates keystream ks = m  c, which is the keystream for the IV . • Attacker then requests access to channel, receives nonce m’ • Attacker forms response c’ = ks  m’ and IV • Server decrypts, matches m’ and declares attacker authenticated !

  48. Problems with Message Integrity • ICV (Integrity Check Value) supposed to provide data integrity • ICV is a hash/CRC calculation • But a flawed one. • Can predict which bits in ICV change if you change single bit in data. • Suppose attacker knows that flipping bit 3244 of plaintext data causes bits 2,7,23 of plaintext ICV to flip • Suppose attacker intercepts a frame: • In intercepted encrypted frame, attacker flips bit 3244 in data payload and ICV bits 2,7,23 • Will ICV match after decryption at the receiver? • After decryption, cleartext bit 3244 is flipped (stream cipher) • Also after decryption, cleartext bits 2,7, 23 also flipped. • So cleartext ICV will match up with data!

  49. Attacks on WEP • WEP encrypted networks can be cracked in 10 minutes • Goal is to collect enough IVs to be able to crack the key • IV = Initialization Vector, plaintext appended to the key to avoid Repetition • Injecting packets generates IVs

  50. Attacks on WEP • Backtrack 5 (Released 1st March 2012) • Tutorial is available • All required tools on a Linux bootable CD + laptop + wireless card

More Related