Wireless LANs Security Matthew Joyce Rutherford Appleton Laboratory, CCLRC IC 3 -8 MPJ WLAN Security 1
Contents > Wireless LAN 802. 11 > Understand the technology. > Investigate vulnerabilities. > Examine how security can be provided. > Demonstration IC 3 -8 MPJ WLAN Security 2
Wireless LAN Standards > IEEE ratified 802. 11 in 1997. > Also known as Wi-Fi. > 802. 11 provides Layer 1 & Layer 2 of OSI model. > Physical layer > Data link layer > Wireless LAN at 1 Mbps & 2 Mbps. > Wi-Fi Alliance formed to promote interoperability. > 802. 11 b ratified in 1999 adding 5. 5 Mbps and 11 Mbps. IC 3 -8 MPJ WLAN Security 3
Wireless LAN Standards > 802. 11 a > Ratified 2001 > 5 Ghz radio spectrum. > Maximum speed 54 Mbps. > In practice about 20 Mbps > More energy efficient, less battery drain, better range > 802. 11 g > Ratified June 2003 > 2. 4 Ghz spectrum again > Maximum speed 54 Mbps > In practice from 10 to 20 Mbps IC 3 -8 MPJ WLAN Security 4
802. 11 Components > Two pieces of equipment defined: > Wireless station > A desktop or laptop PC or PDA with a wireless NIC. > Access point > A bridge between wireless and wired networks > Composed of > Radio > Wired network interface (usually 802. 3) > Bridging software > Aggregates access for multiple wireless stations to wired network. IC 3 -8 MPJ WLAN Security 5
802. 11 modes > Infrastructure mode > Basic Service Set > One access point > Extended Service Set > Two or more BSSs forming a single subnet. > Most corporate LANs in this mode. > Ad-hoc mode > Also called peer-to-peer. > Independent Basic Service Set > Set of 802. 11 wireless stations that communicate directly without an access point. > Useful for quick & easy wireless networks. IC 3 -8 MPJ WLAN Security 6
Infrastructure mode Access Point Basic Service Set (BSS) – Single cell Station Extended Service Set (ESS) – Multiple cells IC 3 -8 MPJ WLAN Security 7
Ad-hoc mode Independent Basic Service Set (IBSS) IC 3 -8 MPJ WLAN Security 8
802. 11 Physical Layer > Three alternative physical layers > Two incompatible spread-spectrum radio in 2. 4 Ghz ISM band > Frequency Hopping Spread Spectrum (FHSS) > 75 channels > Direct Sequence Spread Spectrum (DSSS) > 14 channels (11 channels in US) > One diffuse infrared layer IC 3 -8 MPJ WLAN Security 9
Speed & Range > 802. 11 standard. > 1 Mbps or 2 Mbps. > 802. 11 b standard. > Adds 5 Mbps or 11 Mbps. > DSSS as sole physical layer. > So only 14 channels. > Dynamic rate shifting. > Transparent to higher layers > Ideally 11 Mbps. > Shifts down through 5. 5 Mbps, 2 Mbps to 1 Mbps. > Higher ranges. > Interference. > Shifts back up when possible. > Maximum specified range 100 metres IC 3 -8 MPJ WLAN Security 10
802. 11 Data Link Layer > Layer 2 split into: > Logical Link Control (LLC). > Media Access Control (MAC). > LLC - same 48 -bit addresses as 802. 3. > MAC - CSMA/CD not possible. > Can’t listen for collision while transmitting. > CSMA/CA – Collision Avoidance. > Sender waits for clear air, waits random time, then sends data. > Receiver sends explicit ACK when data arrives intact. > Also handles interference. > But adds overhead. > 802. 11 always slower than equivalent 802. 3. IC 3 -8 MPJ WLAN Security 11
Joining a BSS > When 802. 11 client enters range of one or more APs > APs send beacons. > AP beacon can include SSID. > AP chosen on signal strength and observed error rates. > After AP accepts client. > Client tunes to AP channel. > Periodically, all channels surveyed. > To check for stronger or more reliable APs. > If found, reassociates with new AP. IC 3 -8 MPJ WLAN Security 12
Access Point Roaming Channel 1 Channel 4 Channel 9 Channel 7 IC 3 -8 MPJ WLAN Security 13
Roaming and Channels > Reassociation with APs > Moving out of range. > High error rates. > High network traffic. > Allows load balancing. > Each AP has a channel. > 14 partially overlapping channels. > Only three channels that have no overlap. > 1, 6, 11 > Best for multicell coverage. IC 3 -8 MPJ WLAN Security 14
Open System Authentication > Service Set Identifier (SSID) > Station must specify SSID to Access Point when requesting association. > Multiple APs with same SSID form Extended Service Set. > APs can broadcast their SSID > But this can be turned off > Some 802. 11 b clients allow * as SSID. > Associates with strongest AP regardless of SSID. IC 3 -8 MPJ WLAN Security 15
MAC Address locking > Access points have Access Control Lists (ACL). > ACL is list of allowed MAC addresses. > E. g. Allow access to: > 00: 01: 42: 0 E: 12: 1 F > 00: 01: 42: F 1: 72: AE > 00: 01: 42: 4 F: E 2: 01 > But MAC addresses are sniffable and spoofable. > Access Point ACLs are ineffective control. IC 3 -8 MPJ WLAN Security 16
Interception Range Station outside building perimeter. tres 100 me Basic Service Set (BSS) – Single cell IC 3 -8 MPJ WLAN Security 17
Interception > Wireless LAN uses radio signal. > Not limited to physical building. > Signal is weakened by: > Walls > Floors > Interference > Directional antenna allows interception over longer distances. IC 3 -8 MPJ WLAN Security 18
Directional Antenna > Directional antenna provides focused reception. > DIY plans available. > Aluminium cake tin. > 11 Mbps at 750 meters. > http: //www. saunalahti. fi/~elepal/antennie. html > http: //www. turnpoint. net/wireless/has. html > Pringles vs Coffee vs Pasta Sauce vs Beef Stew IC 3 -8 MPJ WLAN Security 19
War. Driving > Software > Netstumbler > THC-Wardrive > Laptop > 802. 11 b PC card > Optional: > Global Positioning System > Car, bicycle, boat… > Logging of MAC address, network name, SSID, manufacturer, channel, signal strength, noise (GPS - location). IC 3 -8 MPJ WLAN Security 20
War. Driving results >http: //www. wigle. net/ > 568, 000 GPS located wireless networks > World. Wide War. Drive Autumn 2002 > Chris Hurley, Def. Con 11 CATEGORY TOTAL PERCENT TOTAL APs FOUND 9374 100 WEP Enabled 2825 30. 13 No WEP Enabled 6549 69. 86 Default SSID 2768 29. 53 Default SSID and No WEP 2497 26. 64 Unique SSIDs 3672 39. 17 Most Common SSID 1778 18. 97 Second Most Common SSID 623 6. 65 IC 3 -8 MPJ WLAN Security 21
War. Driving map IC 3 -8 MPJ WLAN Security Source: www. dis. org/wl/maps/ 22
IC 3 -8 MPJ WLAN Security 23
Further issues > Access Point configuration > Mixtures of SNMP, web, serial, telnet. > Community strings, default passwords. > Evil Twin Access Points > Stronger signal, capture user authentication. > Hub broadcasts > If AP connected to hub, all broadcasts transmitted. > Renegade Access Points > Unauthorised wireless LANs. IC 3 -8 MPJ WLAN Security 24
802. 11 b Security Services > Two security services provided: > Authentication > Shared Key Authentication > Encryption > Wired Equivalence Privacy IC 3 -8 MPJ WLAN Security 25
Wired Equivalence Privacy > Shared key between > Stations. > An Access Point. > Extended Service Set > All Access Points will have same shared key. > No key management > Shared key entered manually into > Stations > Access points > Key management nightmare in large wireless LANs IC 3 -8 MPJ WLAN Security 26
RC 4 > Ron’s Code number 4 > Symmetric key encryption > RSA Security Inc. > Designed in 1987. > Trade secret until leak in 1994. > RC 4 can use key sizes from 1 bit to 2048 bits. > RC 4 generates a stream of pseudo random bits > XORed with plaintext to create ciphertext. IC 3 -8 MPJ WLAN Security 27
WEP – Sending > Compute Integrity Check Vector (ICV). > Provides integrity > 32 bit Cyclic Redundancy Check. > Appended to message to create plaintext. > Plaintext encrypted via RC 4 > Provides confidentiality. > Plaintext XORed with long key stream of pseudo random bits. > Key stream is function of > 40 -bit secret key > 24 bit initialisation vector > Ciphertext is transmitted. IC 3 -8 MPJ WLAN Security 28
WEP Encryption Initialisation Vector (IV) IV || PRNG Secret key Plaintext 32 bit CRC IC 3 -8 MPJ WLAN Security Cipher text || 29
WEP – Receiving > Ciphertext is received. > Ciphertext decrypted via RC 4 > Ciphertext XORed with long key stream of pseudo random bits. > Key stream is function of > 40 -bit secret key > 24 bit initialisation vector (IV) > Check ICV > Separate ICV from message. > Compute ICV for message > Compare with received ICV IC 3 -8 MPJ WLAN Security 30
Shared Key Authentication > When station requests association with Access Point > AP sends random number to station > Station encrypts random number > Uses RC 4, 40 bit shared secret key & 24 bit IV > Encrypted random number sent to AP > AP decrypts received message > Uses RC 4, 40 bit shared secret key & 24 bit IV > AP compares decrypted random number to transmitted random number > If numbers match, station has shared secret key. IC 3 -8 MPJ WLAN Security 31
WEP Safeguards > Shared secret key required for: > Associating with an access point. > Sending data. > Receiving data. > Messages are encrypted. > Confidentiality. > Messages have checksum. > Integrity. > But SSID still broadcast in clear. IC 3 -8 MPJ WLAN Security 32
Initialisation Vector > IV must be different for every message transmitted. > 802. 11 standard doesn’t specify how IV is calculated. > Wireless cards use several methods > Some use a simple ascending counter for each message. > Some switch between alternate ascending and descending counters. > Some use a pseudo random IV generator. IC 3 -8 MPJ WLAN Security 33
WEP attacks > Statistical attack > If 24 bit IV is an ascending counter, > If Access Point transmits at 11 Mbps, > All IVs are exhausted in roughly 5 hours. > Passive attack: > Attacker collects all traffic > Attacker could collect two messages: > Encrypted with same key and same IV > So XORed with same key stream > Ciphertext 1 XOR Ciphertext 2 = Plaintext 1 XOR Plaintext 2 > Statistical attacks to reveal plaintext > More than two messages with same key and same IV… IC 3 -8 MPJ WLAN Security 34
More WEP attacks > If attacker knows plaintext and ciphertext pair > Key is known. > Attacker can create correctly encrypted messages. > Access Point is deceived into accepting messages. IC 3 -8 MPJ WLAN Security 35
Limited WEP keys > Some vendors allow limited WEP keys > User types in a password > WEP key is generated from passphrase > Passphrases creates only 21 bits of entropy in 40 bit key. > Reduces key strength to 21 bits = 2, 097, 152 > Remaining 19 bits are predictable. > 21 bit key can be brute forced in minutes. > http: //www. lava. net/~newsham/wlan/ IC 3 -8 MPJ WLAN Security 36
Creating limited WEP keys IC 3 -8 MPJ WLAN Security 37
Brute force key attack > Capture ciphertext. > IV is included in message. > Search all 240 possible secret keys. > 1, 099, 511, 627, 776 keys > ~100 days on a modern machine > Find which key decrypts ciphertext to plaintext. IC 3 -8 MPJ WLAN Security 38
128 bit WEP > Vendors have extended WEP to 128 bit keys. > 104 bit secret key. > 24 bit IV. > Brute force takes 10^19 years for 104 bit key. > Effectively safeguards against brute force attacks. IC 3 -8 MPJ WLAN Security 39
Key Scheduling Weakness > Paper from Fluhrer, Mantin, Shamir, 2001. > Two weaknesses: > Certain keys leak into key stream. > Invariance weakness. > If portion of PRNG input is exposed, > Analysis of initial key stream allows key to be determined. > IV weakness. IC 3 -8 MPJ WLAN Security 40
IV weakness > WEP exposes part of PRNG input. > IV is transmitted with message. > Attack is practical. > For 40 bit keys – WEP. > For 128 bit keys – enhanced WEP. > Passive attack. > Non-intrusive. > No warning. IC 3 -8 MPJ WLAN Security 41
Wepcrack > First tool to demonstrate attack using IV weakness. > Open source, Anton Rager. > Three components > Weaker IV generator. > Search sniffer output for weaker IVs & record 1 st byte. > Cracker to combine weaker IVs and selected 1 st bytes. > Cumbersome. IC 3 -8 MPJ WLAN Security 42
Airsnort > Automated tool > Cypher 42, Minnesota, USA. > Does it all! > Sniffs > Searches for weaker IVs > Records encrypted data > Until key is derived. > 100 Mb to 1 Gb of transmitted data. > 3 to 4 hours on a busy WLAN. IC 3 -8 MPJ WLAN Security 43
802. 11 b safeguards > Security Policy & Architecture Design > Treat as untrusted LAN > Discover unauthorised use > Access point audits > Station protection > Access point location > Antenna design IC 3 -8 MPJ WLAN Security 44
Security Policy & Architecture > Define use of wireless network > What is allowed > What is not allowed > Holistic architecture and implementation > Consider all threats. > Design entire architecture > To minimise risk. IC 3 -8 MPJ WLAN Security 45
Wireless as untrusted LAN > Treat wireless as untrusted. > Similar to Internet. > Firewall between WLAN and Backbone. > Extra authentication required. > Intrusion Detection > at WLAN / Backbone junction. > Vulnerability assessments IC 3 -8 MPJ WLAN Security 46
Discover unauthorised use > Search for unauthorised access points or ad-hoc networks. > Port scanning > For unknown SNMP agents. > For unknown web or telnet interfaces. > Warwalking! > Sniff 802. 11 packets > Identify IP addresses > Detect signal strength > Net. Stumbler, but may sniff your neighbours… IC 3 -8 MPJ WLAN Security 47
Access point audits > Review security of access points. > Are passwords and community strings secure? > Use Firewalls & router ACLs > Limit use of access point administration interfaces. > Standard access point config: > SSID > WEP keys > Community string & password policy IC 3 -8 MPJ WLAN Security 48
Station protection > Personal firewalls > Protect the station from attackers. > VPN from station into Intranet > End-to-end encryption into the trusted network. > But consider roaming issues. > Host intrusion detection > Provide early warning of intrusions onto a station. > Configuration scanning > Check that stations are securely configured. IC 3 -8 MPJ WLAN Security 49
Location of Access Points > Ideally locate access points > In centre of buildings. > Try to avoid access points > By windows > On external walls > Line of sight to outside > Use directional antenna to “point” radio signal. IC 3 -8 MPJ WLAN Security 50
802. 1 x Access Control for WLAN > 802. 1 x (IEEE) > Data link layer protocol for port-based network access control > Independent of physical layer, so wired or wireless > Uses EAP (RFC 2284) > Extensible Authentication Protocol > Allows choice of authentication methods > Authentication chosen by peers > Access point doesn’t care about EAP methods > Manages user and session WEP keys > Session key used for a limited time > User key for rekeying session key > RADIUS server provides authentication service > Remote Authentication Dial In User Service > RFC 2138 IC 3 -8 MPJ WLAN Security 51
802. 11 + 802. 1 X/EAP Supplicant Authenticator Authentication Server 802. 11 association EAPOL-start EAP-request/identity EAP-response/identity RADIUS-access-request EAP-request (credentials) EAP-response (credentials) RADIUS-access-challenge RADIUS-access-request EAP-succcess RADIUS-access-accept EAPOW-key (WEP) Access allowed IC 3 -8 MPJ WLAN Security 52
Association and Authentication > 802. 11 association happens first > Open authentication > Provides access to the AP and allows an IP address to be supplied > Access beyond the AP is still prohibited > AP drops non-EAPOL traffic > Authentication conversation between supplicant and authentication server > Wireless NIC and AP are pass through devices > After authentication, AP allows traffic through IC 3 -8 MPJ WLAN Security 53
EAP-MD 5 > Authentication server (AS) sends session ID and challenge > Supplicant returns user name and MD 5 hash of session id, challenge and user password. > AS authenticates supplicant by verifying an MD 5 hash of each user's password. > Good for trusted Ethernets. > Not good for public Ethernets or wireless LANs > Can sniff supplicant identities > Can sniff & use dictionary attack on > plaintext session id, plaintext challenge & session id/challenge/password hash > Can masquerade as access points to trick stations into authenticating with them - MITM IC 3 -8 MPJ WLAN Security 54
EAP-TLS (RFC 2716) > EAP with Transport Layer Security is the only standard secure option for wireless LANs at this time. > Requires the station and RADIUS server to mutually authenticate > Secured by an encrypted TLS tunnel > Fast reconnect via TLS session resumption for roaming > Establishes session keys > Station's identity (the name bound to the certificate) can still be sniffed. > Most attractive when using only Windows XP/2000/2003 with deployed certificates. IC 3 -8 MPJ WLAN Security 55
EAP-TLS Supplicant Authentication Server Authenticator 802. 11 Association EAPOL-start Request/identity Response/identity Request/TLS Start Response/TLS Client Hello Request/TLS Server Hello, Certificate, Certificate Request, Server Done Response/TLS Certificate, TLS client key ex, TLS CCS, Certificate verify, TLS Fin EAP-request/TLS CCS, TLS Fin Response EAP-Success IC 3 -8 MPJ WLAN Security 56
EAP-TTLS & PEAP > EAP with Tunnelled TLS (EAP-TTLS) > Protected EAP (PEAP) > Both are Internet Drafts > To simplify 802. 1 X deployment. > Both require certificate-based RADIUS server authentication > No certificate-based authentication of client > Both support an extensible set of user authentication methods. > Can use Windows Domain Controllers, Active Directories, and other existing user databases. > As strong as EAP-TLS to sniffing attacks. > User passwords can be guessed, shared, or disclosed. IC 3 -8 MPJ WLAN Security 57
EAP summary EAP-MD 5 Server Authentication Supplicant Authentication Dynamic Key Delivery Security Risks IC 3 -8 MPJ EAP-TLS EAP-TTLS PEAP None Public Key (Certificate) Password hash Public Key (Certificate or Smart Card) CHAP, PAP, MSCHAP(v 2), EAP Any EAP, like EAP -MS-CHAPv 2 or Public Key No Yes Yes Identity exposed, Dictionary attack, Man-in-the-Middle (Mit. M) attack Identity exposed Mit. M attack WLAN Security 58
802. 11 i / WPA > Draft standard > Will apply to 802. 11 a, b & g > Uses 802. 1 X & EAP as authentication framework > Temporal Key Integrity Protocol (TKIP) > RC 4 still used > 128 bit temporal key shared with all clients > Per-packet key from temporal key, MAC address & 16 bit initialisation vector > Temporal key regenerated every 10, 000 packets > Only firmware upgrade required > AES cipher replaces RC 4 > Will require new hardware IC 3 -8 MPJ WLAN Security 59
Any Questions? IC 3 -8 MPJ WLAN Security 60
Demonstration IC 3 -8 MPJ WLAN Security 61
Скачать презентацию Wireless LANs Security Matthew Joyce Rutherford Appleton Laboratory
518a6856e15d14129141a9735ff36979.ppt