8/3/2019 Blackhat Win 03 Riley
1/57
Wireless LAN Securitywith802.1x, EAP-TLS, andPEAP
Steve RileySenior ConsultantMCS Trustworthy Computing Services
8/3/2019 Blackhat Win 03 Riley
2/57
8/3/2019 Blackhat Win 03 Riley
3/57
Wired equivalent privacy
8/3/2019 Blackhat Win 03 Riley
4/57
WEP setup and RC4Secret key shared between access point
and all clientsEncrypts traffic before transmission
Performs integrity check after transmission
WEP uses RC4, a stream cipher[key] XOR [plaintext] [ciphertext]
Maybe double-XOR for better security? Hah!
[ciphertext] XOR [key] [plaintext]
8/3/2019 Blackhat Win 03 Riley
5/57
Common attacksBit-flipping (encryption integrity)
Flipping bit n in cipertext flips same bit inplaintext
Statistical attacks
Multiple ciphertexts using same key permitdetermination of plaintext XOR
Enables statistical attacks to recover plaintext
More ciphertexts eases this
Once one plaintext is known, recovering othersis trivial
8/3/2019 Blackhat Win 03 Riley
6/57
WEPs defensesIntegrity check (IC) field
CRC-32 checksum, part of encrypted payloadNot keyed
Subject to bit-flipping can modify IC to make
altered message appear validInitialization vector (IV) added to key
Alters key somewhat for each packet
24-bit field; contained in plaintext portion
Alas, this small keyspace guarantees reuse
8/3/2019 Blackhat Win 03 Riley
7/57
More IV problemsSay an AP constantly sends 1500-byte
packets at 11mbpsKeyspace exhausted in 5 hours
Could be quicker if packets are smaller
Key reuse causes even more collisionsSome cards reset IV to 0 after initialization
Some cards increment by 1 after each packet
802.11 standard does notmandate newper-packet IV!
8/3/2019 Blackhat Win 03 Riley
8/57
Classes of attacksKey and IV reuse
Small IV space; no IV replay protectionKnown plaintext attack
Can recover stream of length N for a given IV
Then forge packets of length N in absence ofkeyed IC
Partial known plaintext attack
Can recover Mbytes of keystream, M< NRepeated probing extend keystream to N
Weaknesses in RC4 key scheduling
algorithm
8/3/2019 Blackhat Win 03 Riley
9/57
Classes of attacksAuthentication forging
WEP encrypts challenge using client-chosenIV
Recovery of keystream for a given IV allows
reuse of the IV for forging WEP authenticationDoesnt provide key, so cant join LAN
Realtime decryption
IV reuse and probing construct dictionary ofIVs and keystreams
Enables decryption in real time
Storage: 1500 bytes of keystream for each IV;
8/3/2019 Blackhat Win 03 Riley
10/57
ToolsWEPCrackbreaks 802.11 keys
http://wepcrack.sourceforge.net/AirSnortbreaks 802.11 keys
Needs only 5-10 million packets
http://airsnort.shmoo.com/
NetStumbleraccess pointreconnaissance
http://www.netstumbler.com
8/3/2019 Blackhat Win 03 Riley
11/57
WEP suckageSame key reused over and over again
Per-packet IV isnt enoughNeed to increase keyspace an attackermust analyze
Generate new keys (not just IVs) periodically
Use unique per-client keys
These are our first requirements
8/3/2019 Blackhat Win 03 Riley
12/57
Other problemsRogue access points
Mutual authenticationAP authenticates toclient
Disassociation attacks
Assoc/disassoc messages are unencrypted andunauthenticated
Fix with keyed message integrity check
Unauthorized use or monitoringIncorporate user and computer authentication
8/3/2019 Blackhat Win 03 Riley
13/57
802.1x
8/3/2019 Blackhat Win 03 Riley
14/57
Solution today: 802.1xPort-based access control mechanism
defined by IEEEWorks on anything, wired and wireless
Access point must support 802.1x
No special WIC requirementsAllows choice of authentication methodsusing EAP
Chosen by peers at authentication time
Access point doesnt care about EAP methods
Manages keys automagicallyp p
8/3/2019 Blackhat Win 03 Riley
15/57
Is 802.1x enough?No
It does solve:Key discovery by changing keys often andusing different keys for each client
Rogue APs and man-in-the-middle attacks byperforming mutual device authentication
Unauthorized access by authenticating users
and computersIt does not solve:
Packet and disassociation spoofing because
802.1x doesnt use a keyed MIC
8/3/2019 Blackhat Win 03 Riley
16/57
Clarifying terminology802.11 is the specification for over-the-air
wireless networks802.1x is a PHY-independent specificationfor port-based access control
Combining them makes senseThere is no such thing as 802.11x
But there is work on something called 802.11i
8/3/2019 Blackhat Win 03 Riley
17/57
802.1x over 802.11Supplicant Authenticator
Authentication
Server
802.11 association
EAPOL-start
EAP-request/identity
EAP-response/identity
RADIUS-access-request
EAP-request RADIUS-access-challenge
EAP-response
(credentials)
RADIUS-access-request
EAP-success RADIUS-access-accept
EAPOW-key (WEP)
Access blocked
Access allowed
8/3/2019 Blackhat Win 03 Riley
18/57
Association andauthentication
The 802.11 association happens firstNeed to talk to the AP and get an IP address
Open authenticationwe dont have the WEPkey yet
Access beyond AP prohibited until authNsucceeds
AP drops non-EAPOL traffic
After key is sent in EAPOW-key, access
beyond AP is allowedSecurity conversation between supplicantand authentication server
Wireless NIC and AP are passthrough devices
8/3/2019 Blackhat Win 03 Riley
19/57
Before authenticationControlledport preventssupplicant LAN access
Uncontrolledport allowsauthenticator to contactauthentication server
Directory
Supplicant
AuthN
ServerAuthenticator
the Air
8/3/2019 Blackhat Win 03 Riley
20/57
After authenticationControlled port nowpermits supplicant toaccess LAN
Directory
Supplicant
AuthN
ServerAuthenticator
the Air
8/3/2019 Blackhat Win 03 Riley
21/57
802.11/802.1x state machineState 1
802.11 unauthenticated
Unassociated
State 2
802.11 authenticated
Unassociated
State 3
802.11 authenticated
Associated
State 4
802.11 authenticated
Associated
802.1x authenticated
Successful open authN
Successful assoc orreassoc
Successful 802.1x authN
DeauthN notification
Disassoc notification
EAPOL-logoff
DeauthN
notification
Class 1 frames
Class 1, 2 frames
Class 1, 2, 3
frames
Class 1, 2, 3
frames
8/3/2019 Blackhat Win 03 Riley
22/57
Encryption keys
Client and RADIUS server generate per-user session WEP keys
Never sent over the air
RADIUS server sends key to AP (encryptedwith RADIUS shared secret)
Access point has a global WEP keyUsed during AP authentication to client
Sent in EAPOW-key message
Encrypted with session key
Session keys regenerated whenKey time exceeded (60 minute default)
Client roams to new AP
8/3/2019 Blackhat Win 03 Riley
23/57
Extensible
authentication protocol
8/3/2019 Blackhat Win 03 Riley
24/57
EAP
Link-layer security framework
Simple encapsulation protocol forauthentication mechanisms
Runs over any link layer, lossy or lossless
No built-in securityDoesnt assume physically secure link
Authentication methods must incorporate their
own security
8/3/2019 Blackhat Win 03 Riley
25/57
Authentication methods
EAP allows choice of authenticationmethods
For mutual authentication
TLS: authentication server supplies certificate
IKE: server demonstrates possession ofpreshared key or private key (certificate)
Kerberos: server demonstrates knowledge of
session key
8/3/2019 Blackhat Win 03 Riley
26/57
AuthN supported in Windows
EAP-MD5 disallowed for wireless
Cant create encrypted session betweensupplicant and authenticator
Would transfer password hashes in the clear
Cannot perform mutual authenticationVulnerable to man-in-the-middle attacks
EAP-TLS in Windows XP release
Requires client certificatesBest to have machine and user
Service pack 1 adds protected EAP
8/3/2019 Blackhat Win 03 Riley
27/57
Protected EAP (PEAP)
Extension to EAP
Allows use of any secure authenticationmechanism for EAP
No need to write individual EAP-enabled
methodsWindows PEAP allows:
MS-CHAPv2passwords
TLScertificates
SecurID
For many deployments, passwords stillalas are necessar
8/3/2019 Blackhat Win 03 Riley
28/57
EAP architecture
TLSGSS_API
KerberosPEAP IKE MD5
EAP
PPP 802.3 802.5 802.11 Anything
method
layer
EAP
layer
media
layer
MS-CHAPv
2
TLS
SecurID
8/3/2019 Blackhat Win 03 Riley
29/57
Note
Do not configure IAS and XP for both
EAP-TLS alonePEAP with any method
Man-in-the-middle vulnerability
If you need TLS and MS-CHAPv2together
Deploy only PEAP
Select both MS-CHAPv2 and TLS methods
8/3/2019 Blackhat Win 03 Riley
30/57
How it works:The Windows logonprocess over PEAP withMS-CHAPv2
8/3/2019 Blackhat Win 03 Riley
31/57
Security requirements, again
Mutual device authentication
Workstation and APNo rogue access points
Prevents man-in-the-middle attacks
Ensures key is transferred to correct entity
User authentication
No unauthorized access or interception
WEP key uniqueness and regeneration
Stop packet/disassociation spoofing
8/3/2019 Blackhat Win 03 Riley
32/57
Windows domain logon
Two logons occur
MachineUser
Machine accounts look like user accounts
Certificate credential
User ID/password/domain credential
Take advantage of this
8/3/2019 Blackhat Win 03 Riley
33/57
Windows PEAPauthentication
First phasemachine logon
802.11 associationAuthenticate AP
Authenticate computer
Transition controlled port statusFor machine account access to authorizedresources
Second phaseuser logonAuthenticate user
Transition controlled port status
For user account access to authorized resources
8/3/2019 Blackhat Win 03 Riley
34/57
Windows PEAP authentication
First phase1. Supplicant performs regular 802.11
association
2. Supplicant sets up TLS channel withauthenticator and requests authentication
servers certificate3. Supplicant
Verifies name and dates on certificate
Validates chain
8/3/2019 Blackhat Win 03 Riley
35/57
Our requirements so far
Mutual device authentication
Workstation and APNo rogue access points
User authentication
No unauthorized access or interception
WEP key uniqueness and regeneration
Packet/disassociation spoofing
8/3/2019 Blackhat Win 03 Riley
36/57
8/3/2019 Blackhat Win 03 Riley
37/57
Windows PEAP authentication
First phase7. If valid, RADIUS generates WEP key
8. Authenticator delivers key to supplicantand transitions controlled port status topermit supplicant access to LAN (to
resources allowed access throughmachine account only)
9. Computer logs on to domain
8/3/2019 Blackhat Win 03 Riley
38/57
Our requirements so far
Mutual device authentication
Workstation and APNo rogue access points
User authentication
No unauthorized access or interception
WEP key uniqueness and regeneration
Packet/disassociation spoofing
8/3/2019 Blackhat Win 03 Riley
39/57
Windows PEAP authentication
Second phase1. Logon dialog appears
2. Supplicant sends user credentials toauthenticator
3. Authenticator checks validity by
contacting authentication server(RADIUS)
4. Authentication server contacts directory
5. If valid, authenticator extends controlledport status to permit supplicant fullaccessto LAN
8/3/2019 Blackhat Win 03 Riley
40/57
Our requirements so far
Mutual device authentication
Workstation and APNo rogue access points
User authentication
No unauthorized access or interception
WEP key uniqueness and regeneration
Packet/disassociation spoofing
8/3/2019 Blackhat Win 03 Riley
41/57
Why use machine accounts?
Domain logon required for:
Machine group policies
Computer startup scripts
Software installation settings
When user account passwords expireNeed associated WIC and transitionedcontrolled port for user notification and change
dialogMachine account logon phase allows passwordexpiration notices and changes to occur normally
Ciscos LEAP cant deal with this
8/3/2019 Blackhat Win 03 Riley
42/57
8/3/2019 Blackhat Win 03 Riley
43/57
Remaining vulnerabilities
8/3/2019 Blackhat Win 03 Riley
44/57
Remaining vulnerabilities
Two related vulnerabilities not addressedwith 802.1x
Bit flipping with known IVs packet spoofing
Disassociation denials of service
Simple addition to 802.1x will solve both
Bi fli i k
8/3/2019 Blackhat Win 03 Riley
45/57
Bit-flipping attacks
WEP doesnt perform per-packetauthentication
IC is not a keyed message integrity check
Flipped bits in WEP packet recalculated IC
To spoof or replay:Flip bits in WEP packet where IV is known
AP accepts packet
Layer 3 device rejects, sends predictableresponse
Build response database and derive key
Di i i k
8/3/2019 Blackhat Win 03 Riley
46/57
Disassociation attacks
802.11 associate/disassociate messagesare unauthenticated and unencrypted
Attacker can forge disassociation message
Bothersome denials of service
S l ti k d IC
8/3/2019 Blackhat Win 03 Riley
47/57
Solution: keyed IC
Change behavior of WEPs IC
Derive key from seed value, source anddestination MACs, payload
Any change to these will alter the IC
Include in every WEP packet
8/3/2019 Blackhat Win 03 Riley
48/57
Deployment
8/3/2019 Blackhat Win 03 Riley
49/57
S t
8/3/2019 Blackhat Win 03 Riley
50/57
Setup
1. Build Windows Server 2003 IAS server
2. Join to domain3. Enroll computer certificate
4. Register IAS in Active Directory
5. Configure RADIUS logging
6. Add AP as RADIUS client
7. Configure AP for RADIUS and 802.1x8. Create wireless client access policy
9. Configure clients p
Access policy
8/3/2019 Blackhat Win 03 Riley
51/57
Access policy
Policy conditionNAS-port-type = Wireless IEEE 802.11 and
Wireless otherWindows-group =
Optional; allows administrative control
Should contain user and computer accountsProfile
No regular authentication methods
EAP type: protected EAP; use certificate fromstep 3
Encryption: only strongest (MPPE 128-bit)
Attributes: Ignore-user-dialin-properties =
8/3/2019 Blackhat Win 03 Riley
52/57
What else?
Interoperability
8/3/2019 Blackhat Win 03 Riley
53/57
Interoperability
PEAP standards authors
Microsoft
Cisco
RSA
Our implementation is version 0Not compatible with version 1
Working towards interoperability
PEAP allows servers and clients to supportmultiple versions
802 1x alternative
8/3/2019 Blackhat Win 03 Riley
54/57
802.1x alternative
WPA (Wi-Fi protected access)
Includes TKIP (temporal key integrityprotection)
Uses RC4, rotates keys every 10,000 packets
Combines shared 128-bit key with client MACand 128-bit IV
Provides key uniqueness
WPA relies on 802.1x for user and mutualdevice authentication
In beta now for Windows XP
8/3/2019 Blackhat Win 03 Riley
55/57
References
8/3/2019 Blackhat Win 03 Riley
56/57
References
Security of the WEP Algorithmhttp://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
802.1x--Port Based Network AccessControl
http://www.ieee802.org/1/pages/802.1x.html
PPP Extensible Authentication Protocolhttp://www.ietf.org/rfc/rfc2284.txt
PPP EAP-TLS Authentication Protocolhttp://www.ietf.org/rfc/rfc2176.txt
Protected EAP Protocolftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-
8/3/2019 Blackhat Win 03 Riley
57/57
2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.