1 / 40

Network Security

Network Security. Chapter 7. Security in Wireless Local Area Networks. Objectives. WEP(802.11) Key Establishment Anonymity Authentication Confidentiality Data Integrity Loopholes WPA(Wi-Fi protected access) WPA2(802.11i). WEP(Wire Equivalent Privacy). Key Establishment in 802.11.

torie
Télécharger la présentation

Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Security Chapter 7. Security in Wireless Local Area Networks

  2. Objectives • WEP(802.11) • Key Establishment • Anonymity • Authentication • Confidentiality • Data Integrity • Loopholes • WPA(Wi-Fi protected access) • WPA2(802.11i)

  3. WEP(Wire Equivalent Privacy)

  4. Key Establishment in 802.11 • Rely on “pre-shared” keys between STA and Aps. • Problems • Manual configuration of keys. • So, open to manual error. • Can not be expect to choose a “strong” key. • No way for each STA to be assigned a unique key. AP has no way of uniquely identifying a STA in a secure fashion. Two group of STA : allowed group, non-allowed group • 802.11 allows each STA( and AP) in a BSS to be configured with 4 different keys. 4 user group  little finer control over reliable STA recognition • In practice, use the same key across BSSs over the whole ESS. • Makes roaming easier and faster. More susceptible to compromise.

  5. Anonymity in 802.11 • 802.11 – IP based networks • For given the IP address, it is extremely difficult to determine the identity of the subscriber. • DHCP(Dynamic Host Configuration Protocol) • NAT(Network Address Translation) ( private IP addr.  NAT  Globally valid IP addr.)

  6. Authentication in 802.11 • AP periodically broadcast beacons(management frames) which announce the existence of a network - SSID(service set ID). • STA network scan • passive scan : scan the channels to find beacon. • active scan • STA Net. : Probe request ( SSID, SSID=0(any) ) • AP  STA : probe response. • STA : choose a network wish to join. • Authentication process (Open System Auth. or Shared Key Auth.)

  7. Open System Authentication • Default Authentication Algorithm • Allows any and all station to join the network(no authentication). • AP can enforce the use of SKA.

  8. Shared Key Authentication • Based on challenge-response system. • Two groups of STA • group 1 : access allowed – shared a secret key with AP • group 2 : access not allowed

  9. Authentication and Handoffs • Roaming in 802.11 • In side BSA(Inter-BAS) : static • between two BSAs(inter-BSA) : 802.11 deals with • between two ESA(Inter-ESAs) : requires Layer 3 support • Inter-BAS roaming • STA : tracks RSS(received signal strength) • RSS < threshold : start to scan for stronger beacon signals. • until RSS > threshold or RSS < break-off threshold • If RSS < break-off threshold, STA disconnect prior AP and connect to new AP. • The prior-AP and the post-AP do not co-ordinate for handoff • Requires re-authentication – contribute big delay to handoff

  10. Problems with 802.11 Authentication • Authentication with shared key. • No way for the AP to reliably determine the exact identity of STA • Share keys across APs • Makes it difficult to remove STAs from the allowed set of STAs. (changing new key to all stations) • One-way Authentication • STA can not authenticate Network • Suffers all drawbacks that WEP suffers.

  11. Pseudo-Authentication Schemes • Network can use other scheme instead of SKA • One schemes • STA  AP : probe-request(SSID) • APSTA : respond if only probe-request contains SSID. • Very weak authentication, protect causal eavesdroppers • SSID send in clear text(beacon) by APs. • AP can hide SSID, but visible with a wireless network analyzer tool Kismet ( www.kismetwireless.net ) • MAC address filtering • AP maintains a list of MAC addresses of all the access allowed STAs. • Station allows the user to change their MAC address • MAC spoofing • In UNIX/Linux OS : ifconfig eth0 hw ether 00:01:02:03:04:05 • Windows system: SMAC, MAC Makeup

  12. Confidentiality in 802.11

  13. Problems in WEP • Use RC4 in synchronous mode for data packet encryption. • Data loss desynchronizes the key streams generators at the two endpoint. • Stream cipher is not suitable for wireless medium. • Apply encryption/decryption per packet basis. • Require to use unique key for each packet. • WEP : key = {IV||shared key}, 64/128 bits, • Per-packet key : simple concatenation of IV and shared key • IV : send in clear text, 24b its among 64/128 bits are revealed. • IV reuse, chance of duplicate IV

  14. RC4 weak Keys • Certain keys had bits that when changed had a greater effect on the XORed data than others. • There were also bits that when changed had no effect whatsoever on the output. • They called these keys “weak keys.” • Airsnort discovers WEP keys in a matter of hours in some cases. • wireless NIC be capable of RF monitor mode. • Cisco Aironet • Prism2 based cards using wlan-ng drivers or Host-AP drivers • Orinoco cards and clones using patched orinoco_cs drivers • Orinoc cards using the latest Orinoco drivers >= 0.15 with built in monitor mode support • And many others.

  15. Why the same key should not to be used? • When used with frequency analysis technique it is often enough to get lots of information about the two plaintext. • If P1(one of plaintext) is known, P2 can be calculated easily. • WAP Key space : for 64bit key • 40bit is fixed, 24bit IV  224 key space. • 1500 byte-packet @ 11Mbps : {(1500*8) * 224 } / 11*106 = 5.08 hr • SSL : unique per session. • 10,000 sessions/day : 224 / 1000 ≈ 3 years

  16. Data Integrity in 802.11 • ICV : CRC-32 • Linear, not cryptographically computed. • Change X  Z; , = • flapping a bit in (stream) ciphertext carries through into the plaintext. (proof?) • How can we protect this attack?

  17. Redirection Attack in 802.11 • 802.11 header : not protected by the ICV. • 802.11 STA( Alice) – (AP) – Bob • STA – AP : encrypted, AP decrypt and forward frame to Bob. • Eve capture wireless link frame and modify the destination address to Charlie. • Eve retransmit them to the AP • AP forward it Charlie • Attacker do not need to use WEP. • How can we protect this attack?

  18. Replay Attack in 802.11 • Scenario • Alice : account holder, • Bob : bank, • Eve : another account holder • Alice  Bob : $500 to EVE • (Eve know Alice is going to transfer money) • Eve : captures all data from Alice to Bob • Good guess for $500 transfer message. • Replay this massage a few days later. • How can we protect this attack?

  19. Loopholes in 802.11 Security • Does not provide any key establishment mechanism • WEP use synchronous stream cipher– difficult to synchronization during a complete session. • Use per-packet key. (IC || preshared key)=weak key; exposed to FMS attack • Limited key space. • Changing the IV with each packet is optional, making key reuse highly probable. • CRC-32 is linear • ICV does not protect integrity of 802.11 header – redirection attack • No protection against replay attack • No support for STA to authenticate the network.

  20. WPA( Wi-Fi Protected Access )

  21. WPA • IEEE Task group : 802.11i security standard • Use AES as default mode • WPA2 • Not backward compatible • Wi-Fi alliance (major 802.11 vendors) • Aim to ensure product interoperability • To improve the security of 802.11 network without requiring a hardware upgrade. – for temporary purpose • Temporal key Integrity Protocol(TKIP) – known as WAP • Include the key management and the authentication architecture(802.1X) specified in 802.11i. • WPA : TKIP(confidentiality), MICHAEL(integrity) • WPA2 : AES(confidentiality, integrity)

  22. Key Establishment in TKIP • WEP use hardware encryption engine on a WLAN NIC. • Want to compatible with WEP. • Two environment in 802.11 network • Enterprise network : • 802.1x for key establishment and authentication. • Backend authentication server • 802.1x – can be used with upper layer Authentication protocols to provide access control to the network. • Kerboros, EAP-LEAP, EAP-MDS, EAP-PEAP, EAP-TLS, EAP-TTLA, EAP-SIM • Home network • Out-of-band mechanism (manual configuration) for key establishment

  23. Key Hierarchy in 802.11

  24. TKIP per-packet Data Encryption Key TSC : protect replay attack Key Mixing - IEEE Std 802.111/D3.0” Nov 2003. Overview[p://www.cs.umd.edu/~mhshin/doc/802.11/802.11i-D3.0.pdf

  25. 802.1X/EAP Authentication • Enterprise network : • 802.1x for key establishment and authentication. • Controlled port : open only when the device has been authorized by 802.1X. • Uncontrolled port : • provide a path for EAPoL. • MAC filtering to access control and deter DoS Attacks.

  26. EAP over WLAN

  27. EAP-TLS • Authentication(TLS) : STA Server • Server AP : Shared key (PMK) • PTK derivation (EAPoL Encryption-key, MIC-key)

  28. Alternatives to EAP-TLS • EAP-TLS : • requires server and STA have certificate. • Requires deployment of PKI • Alternatives • EAP-TTLS(tunneled TLS) • PEAP • Use certificate to authenticate the network(server) to the STA(client). • Do not use certificate to authenticate STA(client) to the network(server). • Use CHAP, PAP and so on. • Phase 1 : Authenticate network –establish a TLS tunnel. • Phase 2 : carryout password based authentication protocol to authenticate the client.

  29. Confidentiality • WEP : • weak per-packet key • See slide #17 of this PPT for details. • Enhancement • IV : 24 bits  48 bits • per-packet key : • {IV(24) || per master(40/104)} = {64/128} bits : WEP • Key mixing function (IV(48), MAC, Encryption key(PTK) ) • Increase IV bit size and still compatible with existing WEP HW.

  30. Integrity • WEP : CRC032 • linear, not cryptographically secure integrity protocol. • Enhancement • Use new MIC protocol – MICHAEL(no MUL, just shift and add operation), not as secure as MD5 or SHA • Use IV as sequence counter – protect replay attacks. • MSDU(MAC service data unit) : L3 packet • MPDU (MAC protocol data unit) : L2 frame MICHAEL-IEEE Std 802.111/D3.0” Nov 2003. http://www.cs.umd.edu/~mhshin/doc/802.11/802.11i-D3.0.pdf

  31. TKIP – the complete picture

  32. WPA2(802.11i)

  33. Key Establishment & Authentication • Key-establishment and the key hierarchy architecture • WPA and WPA2 are almost identical • WPA2 use the same key for encryption and integrity protection. • Authentication • Identical with WPA. • Pre-shared or 802.1X.

  34. Confidentiality • AES counter mode • Ci = Mi XOR EK( i ) • Security lies on the counter. • Counter value should not be repeated with same key, the system is secure. - fresh key for every session.

  35. Integrity • AES CBC-MAC protocol. • AES-CCMP(counter-mode CBMC-MAC)

  36. The Overall Picture : confidentiality + Integrity • PTK MSB 256 bit: EAPoL MIC key and encryption key. • LSB 128bits : data key (encryption and Integrity) • Ctr counts up to 216 • MPDU : can be 223 bits long

  37. AES-CCMP Encryption-detail

  38. AES-CCMP Integrity-detail

  39. Criticisms • CCMP succeeds in combining the encryption and integrity protocol in one process. • Encryption of the various message blocks can no longer be carried out in parallel, because of CBC-MAC calculation. Slowdown the protocol. • CBC-MAC require the massage block to be divided into exact number of blocks.  require data padding.

  40. Resources • IEEE Std 802.11i/D3.0, November 2002 • 802.11i –SANS report • 802.11 overview - SANS report • Eaton, Dennis “Dividing into the 802.11i Spec: A tutorial”, Nov. 2004. • MITIGATING DENIAL OF SERVICE ATTACKS IN COMPUTER NETWORKS – Doctoral Dissertation(2006-Helsinki Univ of Tech.)

More Related