Dec 18, 2015
802.11 Basics
Security in 802.11
WEP summary
WEP Insecurity
ALOHAnet1999: IEEE 802.11a (54 Mbps)1999: IEEE 802.11b (11 Mbps)2003: IEEE 802.11g (54 Mbps)2009: IEEE 802.11n (150 Mbps)
802.11b 2.4-2.485 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence spread
spectrum (DSSS) in physical layer: all hosts use same chipping code
802.11a 5-6 GHz range up to 54 Mbps Physical layer: orthogonal
frequency division multiplexing (OFDM)
802.11g 2.4-2.485 GHz range up to 54 Mbps OFDM
All use CSMA/CA for multiple access
All have base-station and ad-hoc versions
All allow for reducing bit rate for longer range
4
Wireless host communicates with a base station base station = access point (AP)
Basic Service Set (BSS) (a.k.a. “cell”) contains: wireless hosts access point (AP): base station
BSS’s combined to form distribution system (DS)
No AP (i.e., base station) wireless hosts communicate with
each other to get packet from wireless host A to
B may need to route through wireless hosts
Applications: “Laptop” meeting in conference room Vehicle Network Interconnection of “personal” devices Battlefield
802.11b: 2.4GHz-2.485GHz spectrum divided into 11 channels at different frequencies; 3 non-overlapping AP admin chooses frequency for AP interference possible: channel can be same as that
chosen by neighboring AP! AP regularly sends beacon frame
Includes SSID, beacon interval (often 0.1 sec) host: must associate with an AP
scans channels, listening for beacon frames selects AP to associate with; initiates association protocol may perform authentication After association, host will typically run DHCP to get IP
address in AP’s subnet
7
8
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
Address 2: MAC addressof wireless host or AP transmitting this frame
Address 1: MAC addressof wireless host or AP to receive this frame
Address 3: MAC addressof router interface to which AP is attached
Address 4: used only in ad hoc mode
9
Internetrouter
AP
H1 R1
H1 MAC addr AP MAC addr R1 MAC addr
address 1 address 2 address 3
802.11 frame
H1 MAC addr R1 MAC addr
dest. address source address
802.3 frame
802.11 frame: addressing
10
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
802.11 frame
R1 MAC addr H1 MAC addr
dest. address source address
802.3 frame
802.11 frame: addressing
11
TypeFromAP
SubtypeToAP
More frag
WEPMoredata
Powermgt
Retry RsvdProtocolversion
2 2 4 1 1 1 1 1 11 1
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
frame:
frame control field expanded:
Type/subtype distinguishes beacon, association, ACK, RTS, CTS, etc frames.
To/From AP defines meaning of address fields
802.11 allows for fragmentation at the link layer
802.11 allows stations to enter sleep mode
Seq number identifies retransmitted frames (eg, when ACK lost)
WEP = 1 if encryption is used
Service Set Identifier (SSID)Differentiates one access point from
anotherSSID is cast in ‘beacon frames’ every
few seconds.Beacon frames are in plain text!Encryption
802.11 Basics
Security in 802.11
WEP summary
WEP Insecurity
Why do we need the encryption? Wi-Fi networks use radio transmissions
prone to eavesdropping Mechanism to prevent outsiders from
▪ accessing network data & traffic▪ using network resources
Access points have two ways of initiating communication with a client
Shared Key or Open System authentication
Open System: need to supply the correct SSID Allow anyone to start a conversation with the AP
Shared Key is supposed to add an extra layer of security by requiring authentication info as soon as one associates
Client begins by sending an association request to the AP
AP responds with a challenge text (unencrypted)
Client, using the proper key, encrypts text and sends it back to the AP
If properly encrypted, AP allows communication with the client
1997: Original 802.11 standard only offers SSID MAC Filtering
1999: Introduce of Wired Equivalent Privacy (WEP) Several industry players formes WECA
(Wireless Ethernet Compatibility Alliance) for rapid adaption of 802.11 network products
2001: Discover weaknesses in WEP IEEE started Task Group i
2002: WECA was renamed in WI-FI 2003: WiFi Protected Access (WPA)
Interim Solution for the weakness of WEP 2004: WPA2 (IEEE-802.11i-2004)
Primary built security for 802.11 protocol
RC4 encryption 64-bits RC4 keys Non-standard extension uses 128-bit
keys
Many flaws in implementation
Interim solution for replacement of WEP
Goals: improved encryption user authentication
Two Modes WPA Personal : TKIP/MIC ; PSK WPA Enterprise : TKIP/MIC ; 802.1X/EAP
WPA-Personal Also refer to WPA-PSK (WPA Pre-shared Key) Designed for home and small office networks and
doesn't require an authentication server.
WPA-Enterprise Known as WPA-802.1X Designed for enterprise networks and requires an
authentication server An Extensible Authentication Protocol (EAP) is used for
authentication Supports multiple authentication method based on:
▪ passwords (Sample: PEAP)▪ digital certificates (Sample: TLS, TTLS)
TKIP (Temporal Key Integrity Protocol) The 128 bit RC4 stream cipher used in WPA
CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol) An AES-based encryption mechanism used in
WPA2
Approved in July 2004
AES is used for encryption
Two mode like WPA: Enterprise Mode:
▪ authentication: 802.1X/EAP▪ encryption: AES-CCMP
Personal Mode:▪ authentication: PSK▪ encryption: AES-CCMP
23
WEP WPA WPA2
Cipher RC4 RC4 AES
Key Size (bits) 64/128 128 128
Key Life 24 bit IV 48 bit IV 48 bit IV
Packet Key Concatenation Two Phase Mix Not Need
Data Integrity CRC32 Michael CCM
Key Management
None 802.1X/PSK 802.1X/PSK
• WEP is no longer a secure wireless method • WPA2 with AES encryption is currently the best
encryption scheme
• If on an unsecured network, use SSH or VPN tunneling to secure your data
802.11 Basics
Security in 802.11
WEP summary
WEP Insecurity
26
A block of plaintext is bitwise XORed with a pseudorandom key sequence of equal length
RC4 PRNG
Header Payload ICVPayload
802.11 Frame
ICV computed – 32-bit CRC of payload
CRC
32
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
KeyKeynumber
Key 1
Key 2
Key 3
Key 440
4 x 40
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits IV selected – 24-bits, prepended to
keynumber
IV keynumber
24 8
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits IV selected – 24-bits, prepended to
keynumber IV+key used to encrypt
payload+ICV
IV Key
ICVPayload ICVPayloadRC4
64
ICV computed – 32-bit CRC of payloadOne of four keys selected – 40-bits IV selected – 24-bits, prepended to
keynumber IV+key used to encrypt payload+ICV IV+keynumber prepended to
encrypted payload+ICV
ICVPayloadIV keynumberHeader
WEP Frame
Keynumber is used to select key
KeyKeynumber
Key 1
Key 2
Key 3
Key 440
4 x 40
IV Key
ICVPayload ICVPayloadRC4
64
Keynumber is used to select key
ICV+key used to decrypt payload+ICV
CRC
ICVPayload
Header Payload
ICV’
Keynumber is used to select key
ICV+key used to decrypt payload+ICV
ICV recomputed and compared against original
32
Purpose – increase the encryption key size
Non-standard, but in wide use IV and ICV set as before104-bit key selected IV+key concatenated to form 128-
bit RC4 key
IV Key
ICVPayload ICVPayloadRC4
24 104128-bits
Keys are manually distributed Keys are statically configured
often infrequently changed and easy to remember!
Key values can be directly set as hex data Key generators provided for convenience
ASCII string is converted into keying material Non-standard but in wide use Different key generators for 64- and 128-bit
http://www.wepkey.com/
38
802.11 Basics
Security in 802.11
WEP summary
WEP Insecurity
Problem: Keystream ReuseWEP’ s Solution: Per Packet IvsBut…
40
so knowing one plaintext will get you the other
XOR cancels keystream
IV only 24-bits in WEP, It must repeat after 2^24 or ~ 16.7M packets practical? How long to exhaust the IV space in busy
network? A busy AP constantly send 1500 bytes packet Consider Data Rate 11 Mbps IV exhausts after..
Consequences:– Keystream for corresponding IV is obtained
41
2001: Fluhrer, Mantin, Shamir : Weaknesses in the Key Scheduling Algorithm of RC4.
completely passive attack
Inductive chosen plaintext attack Takes 5-10M. packets to find secret key
Showed that WEP is near useless
42
In 2001, airsnort was released but needs millions of packets
‹In 2004, aircrack and weblap require only hundreds of thousands of packets
http://securityfocus.com/infocus/1814 ‹http://www.securityfocus.com/
infocus/1824
43
One common shared key If any device is stolen or
compromised, must change shared key in all devices
No key distribution mechanism
Infeasible for large organization: approach doesn’t scale
Crypto is flawed Early 2001: Integrity and
authentication attacks published
August 2001 (weak-key attack): can deduce RC4 key after observing several million packets
AirSnort application allows casual user to decrypt WEP traffic
Crypto problems 24 bit IV to short Same key for encryption
and message integrity ICV flawed, does not
prevent adversarial modification of intercepted packets
Cryptanalytic attack allows eavesdroppers to learn key after observing several millions of packets
44
SSID and access control lists provide minimal security no encryption
WEP provides encryption, but is easily broken
Emerging protocol: 802.11i Back-end authentication server Public-key cryptography for authentication
and master key distribution TKIP: Strong symmetric crypto techniques
45
Fluhrer, Mantin, Shamir - Weakness in the Key Scheduling Algorithm of RC4.http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf
Stubblefield, Loannidis, Rubin – Using the Fluhrer, Mantin, and Shamir Attack to Break WEP.http://www.cs.rice.edu/~astubble/wep/wep_attack.pdf
Rivest – RSA Security Response to Weakness in the Key Scheduling Algorithm of RC4.http://www.rsasecurity.com/rsalabs/technotes/wep.html
RC4 Encryption Algorithm.http://www.ncat.edu/~grogans/algorithm_breakdown.htm
46