
Blackhat Win 03 Riley

Apr 06, 2018

Transcript
  • 8/3/2019 Blackhat Win 03 Riley

    1/57

    Wireless LAN Security with 802.1x, EAP-TLS, and PEAP

    Steve Riley, Senior Consultant, MCS Trustworthy Computing Services


  • 3/57 Wired equivalent privacy

  • 4/57 WEP setup and RC4

    Secret key shared between access point and all clients

      Encrypts traffic before transmission

      Performs integrity check after transmission

    WEP uses RC4, a stream cipher

      [key] XOR [plaintext] → [ciphertext]

      Maybe double-XOR for better security? Hah!

      [ciphertext] XOR [key] → [plaintext]

  • 5/57 Common attacks

    Bit-flipping (encryption integrity)

      Flipping bit n in ciphertext flips the same bit in plaintext

    Statistical attacks

      Multiple ciphertexts using the same key permit determination of the plaintext XOR

      Enables statistical attacks to recover plaintext

      More ciphertexts eases this

      Once one plaintext is known, recovering others is trivial

  • 6/57 WEP's defenses

    Integrity check (IC) field

      CRC-32 checksum, part of encrypted payload

      Not keyed

      Subject to bit-flipping: can modify IC to make altered message appear valid

    Initialization vector (IV) added to key

      Alters key somewhat for each packet

      24-bit field; contained in plaintext portion

      Alas, this small keyspace guarantees reuse

  • 7/57 More IV problems

    Say an AP constantly sends 1500-byte packets at 11 Mbps

      Keyspace exhausted in 5 hours

      Could be quicker if packets are smaller

    Key reuse causes even more collisions

      Some cards reset IV to 0 after initialization

      Some cards increment by 1 after each packet

    802.11 standard does not mandate a new per-packet IV!
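    As an added illustration (not from the slides), the exhaustion figure above carried through as code, generalized to other packet sizes and extended with the birthday bound for cards that pick IVs at random instead of incrementing them; link rate and packet size are the slide's own numbers, everything else is assumed.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct WEP IVs


def packets_per_second(packet_bytes: int, link_mbps: float) -> float:
    """Frames per second if the link carries back-to-back packets of this
    size (ignores 802.11 headers and inter-frame gaps, as the slide does)."""
    return link_mbps * 1_000_000 / (packet_bytes * 8)


def hours_to_exhaust_ivs(packet_bytes: int, link_mbps: float) -> float:
    """Time for a sender that increments the IV once per packet to use every
    IV and wrap around: 1500-byte packets at 11 Mbps give about 5 hours."""
    return IV_SPACE / packets_per_second(packet_bytes, link_mbps) / 3600


def expected_packets_until_repeat(iv_bits: int = IV_BITS) -> float:
    """Birthday bound: if each packet draws its IV uniformly at random, the
    expected number of packets before the first reuse is about
    sqrt(pi * N / 2), which is far smaller than N itself."""
    return math.sqrt(math.pi * (1 << iv_bits) / 2)


def seconds_until_repeat_random(packet_bytes: int, link_mbps: float) -> float:
    """Wall-clock time to the first expected IV collision with random IVs."""
    return expected_packets_until_repeat() / packets_per_second(packet_bytes, link_mbps)


if __name__ == "__main__":
    for size in (1500, 500, 100):
        print(f"{size:5d}-byte packets at 11 Mbps: sequential IVs wrap in "
              f"{hours_to_exhaust_ivs(size, 11):.2f} h; random IVs are expected "
              f"to collide after {seconds_until_repeat_random(size, 11):.1f} s")
```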

  • 8/57 Classes of attacks

    Key and IV reuse

      Small IV space; no IV replay protection

    Known plaintext attack

      Can recover keystream of length N for a given IV

      Then forge packets of length N in absence of keyed IC

    Partial known plaintext attack

      Can recover M bytes of keystream, M < N

      Repeated probing extends keystream to N

    Weaknesses in RC4 key scheduling algorithm

  • 9/57 Classes of attacks

    Authentication forging

      WEP encrypts challenge using client-chosen IV

      Recovery of keystream for a given IV allows reuse of the IV for forging WEP authentication

      Doesn't provide key, so can't join LAN

    Realtime decryption

      IV reuse and probing construct dictionary of IVs and keystreams

      Enables decryption in real time

      Storage: 1500 bytes of keystream for each IV;

  • 10/57 Tools

    WEPCrack: breaks 802.11 keys

      http://wepcrack.sourceforge.net/

    AirSnort: breaks 802.11 keys

      Needs only 5-10 million packets

      http://airsnort.shmoo.com/

    NetStumbler: access point reconnaissance

      http://www.netstumbler.com

  • 11/57 WEP suckage

    Same key reused over and over again

      Per-packet IV isn't enough

    Need to increase the keyspace an attacker must analyze

      Generate new keys (not just IVs) periodically

      Use unique per-client keys

    These are our first requirements

  • 12/57 Other problems

    Rogue access points

      Mutual authentication: AP authenticates to client

    Disassociation attacks

      Assoc/disassoc messages are unencrypted and unauthenticated

      Fix with keyed message integrity check

    Unauthorized use or monitoring

      Incorporate user and computer authentication

  • 13/57 802.1x

  • 14/57 Solution today: 802.1x

    Port-based access control mechanism defined by IEEE

      Works on anything, wired and wireless

      Access point must support 802.1x

      No special WIC requirements

    Allows choice of authentication methods using EAP

      Chosen by peers at authentication time

      Access point doesn't care about EAP methods

    Manages keys automagically

  • 15/57 Is 802.1x enough?

    No

    It does solve:

      Key discovery, by changing keys often and using different keys for each client

      Rogue APs and man-in-the-middle attacks, by performing mutual device authentication

      Unauthorized access, by authenticating users and computers

    It does not solve:

      Packet and disassociation spoofing, because 802.1x doesn't use a keyed MIC

  • 16/57 Clarifying terminology

    802.11 is the specification for over-the-air wireless networks

    802.1x is a PHY-independent specification for port-based access control

    Combining them makes sense

    There is no such thing as 802.11x

      But there is work on something called 802.11i

  • 17/57 802.1x over 802.11

    Parties: Supplicant, Authenticator (AP), Authentication Server (RADIUS)

    Access blocked:

      802.11 association (supplicant and authenticator)

      EAPOL-start (supplicant to authenticator)

      EAP-request/identity (authenticator to supplicant)

      EAP-response/identity (supplicant to authenticator); RADIUS-access-request (authenticator to server)

      RADIUS-access-challenge (server to authenticator); EAP-request (authenticator to supplicant)

      EAP-response with credentials (supplicant to authenticator); RADIUS-access-request (authenticator to server)

      RADIUS-access-accept (server to authenticator); EAP-success (authenticator to supplicant)

      EAPOW-key (WEP) (authenticator to supplicant)

    Access allowed

  • 18/57 Association and authentication

    The 802.11 association happens first

      Need to talk to the AP and get an IP address

      Open authentication: we don't have the WEP key yet

    Access beyond AP prohibited until authN succeeds

      AP drops non-EAPOL traffic

      After key is sent in EAPOW-key, access beyond AP is allowed

    Security conversation is between supplicant and authentication server

      Wireless NIC and AP are passthrough devices

  • 19/57 Before authentication

    Controlled port prevents supplicant LAN access

    Uncontrolled port allows authenticator to contact authentication server

    (Diagram: Supplicant, the Air, Authenticator, AuthN Server, Directory)

  • 20/57 After authentication

    Controlled port now permits supplicant to access LAN

    (Diagram: Supplicant, the Air, Authenticator, AuthN Server, Directory)

  • 21/57 802.11/802.1x state machine

    State 1: 802.11 unauthenticated, unassociated; class 1 frames

    State 2: 802.11 authenticated, unassociated; class 1, 2 frames

    State 3: 802.11 authenticated, associated; class 1, 2, 3 frames

    State 4: 802.11 authenticated, associated, 802.1x authenticated; class 1, 2, 3 frames

    Transitions:

      Successful open authN: state 1 to state 2

      Successful assoc or reassoc: state 2 to state 3

      Successful 802.1x authN: state 3 to state 4

      EAPOL-logoff: state 4 to state 3

      Disassoc notification: state 3 or 4 to state 2

      DeauthN notification: state 2, 3 or 4 to state 1
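    The state machine of this slide together with the controlled-port rule of slide 18, modelled as an added example (not code from the slides): events move a station between the four states, and the model answers whether the AP would forward a given frame. Event names and the frame-class table are my own encoding of what the slides show.

```python
from enum import Enum


class State(Enum):
    S1 = "802.11 unauthenticated, unassociated"
    S2 = "802.11 authenticated, unassociated"
    S3 = "802.11 authenticated, associated, controlled port blocked"
    S4 = "802.11 authenticated, associated, 802.1x authenticated"


# Transitions from slide 21; an event not listed for the current state is ignored.
TRANSITIONS = {
    (State.S1, "open_authn_ok"): State.S2,
    (State.S2, "assoc_ok"): State.S3,
    (State.S3, "dot1x_authn_ok"): State.S4,
    (State.S4, "eapol_logoff"): State.S3,
    (State.S3, "disassoc"): State.S2,
    (State.S4, "disassoc"): State.S2,
    (State.S2, "deauthn"): State.S1,
    (State.S3, "deauthn"): State.S1,
    (State.S4, "deauthn"): State.S1,
}

# Highest 802.11 frame class the AP accepts from a station in each state.
MAX_CLASS = {State.S1: 1, State.S2: 2, State.S3: 3, State.S4: 3}


class StationPort:
    """The AP's view of one station: its 802.11 state plus the 802.1x
    controlled port, which opens only in state 4."""

    def __init__(self) -> None:
        self.state = State.S1

    def event(self, name: str) -> State:
        self.state = TRANSITIONS.get((self.state, name), self.state)
        return self.state

    def accepts(self, frame_class: int, is_eapol: bool = False) -> bool:
        """Class 1 and 2 frames follow the 802.11 state alone. Class 3 (data)
        frames also pass through the controlled port: until 802.1x succeeds
        the AP drops everything except EAPOL (slide 18)."""
        if frame_class > MAX_CLASS[self.state]:
            return False
        if frame_class == 3 and self.state is State.S3:
            return is_eapol
        return True


def walk(events):
    """Replay events; after each, record the state and whether a plain data
    frame and an EAPOL frame would be forwarded."""
    port = StationPort()
    trace = []
    for name in events:
        state = port.event(name)
        trace.append((name, state.name, port.accepts(3), port.accepts(3, True)))
    return trace
```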

  • 22/57 Encryption keys

    Client and RADIUS server generate per-user session WEP keys

      Never sent over the air

      RADIUS server sends key to AP (encrypted with RADIUS shared secret)

    Access point has a global WEP key

      Used during AP authentication to client

      Sent in EAPOW-key message

      Encrypted with session key

    Session keys regenerated when

      Key time exceeded (60 minute default)

      Client roams to new AP

  • 23/57 Extensible authentication protocol

  • 24/57 EAP

    Link-layer security framework

      Simple encapsulation protocol for authentication mechanisms

      Runs over any link layer, lossy or lossless

    No built-in security

      Doesn't assume a physically secure link

      Authentication methods must incorporate their own security

  • 25/57 Authentication methods

    EAP allows choice of authentication methods

    For mutual authentication

      TLS: authentication server supplies certificate

      IKE: server demonstrates possession of preshared key or private key (certificate)

      Kerberos: server demonstrates knowledge of session key

  • 26/57 AuthN supported in Windows

    EAP-MD5 disallowed for wireless

      Can't create encrypted session between supplicant and authenticator

      Would transfer password hashes in the clear

      Cannot perform mutual authentication

      Vulnerable to man-in-the-middle attacks

    EAP-TLS in Windows XP release

      Requires client certificates

      Best to have machine and user

    Service pack 1 adds protected EAP

  • 27/57 Protected EAP (PEAP)

    Extension to EAP

      Allows use of any secure authentication mechanism for EAP

      No need to write individual EAP-enabled methods

    Windows PEAP allows:

      MS-CHAPv2: passwords

      TLS: certificates

      SecurID

    For many deployments, passwords still (alas) are necessary

  • 28/57 EAP architecture

    Method layer: TLS; GSS_API (Kerberos); PEAP (MS-CHAPv2, TLS, SecurID); IKE; MD5

    EAP layer: EAP

    Media layer: PPP, 802.3, 802.5, 802.11, anything

  • 29/57 Note

    Do not configure IAS and XP for both

      EAP-TLS alone

      PEAP with any method

    Man-in-the-middle vulnerability

    If you need TLS and MS-CHAPv2 together

      Deploy only PEAP

      Select both MS-CHAPv2 and TLS methods

  • 30/57 How it works: The Windows logon process over PEAP with MS-CHAPv2

  • 31/57 Security requirements, again

    Mutual device authentication

      Workstation and AP

      No rogue access points

      Prevents man-in-the-middle attacks

      Ensures key is transferred to correct entity

    User authentication

      No unauthorized access or interception

    WEP key uniqueness and regeneration

    Stop packet/disassociation spoofing

  • 32/57 Windows domain logon

    Two logons occur

      Machine

      User

    Machine accounts look like user accounts

      Certificate credential

      User ID/password/domain credential

    Take advantage of this

  • 33/57 Windows PEAP authentication

    First phase: machine logon

      802.11 association

      Authenticate AP

      Authenticate computer

      Transition controlled port status

        For machine account access to authorized resources

    Second phase: user logon

      Authenticate user

      Transition controlled port status

        For user account access to authorized resources

  • 34/57 Windows PEAP authentication

    First phase

      1. Supplicant performs regular 802.11 association

      2. Supplicant sets up TLS channel with authenticator and requests authentication server's certificate

      3. Supplicant

        Verifies name and dates on certificate

        Validates chain

  • 35/57 Our requirements so far

    Mutual device authentication

      Workstation and AP

      No rogue access points

    User authentication

      No unauthorized access or interception

    WEP key uniqueness and regeneration

    Packet/disassociation spoofing


  • 37/57 Windows PEAP authentication

    First phase (continued)

      7. If valid, RADIUS generates WEP key

      8. Authenticator delivers key to supplicant and transitions controlled port status to permit supplicant access to LAN (to resources allowed access through machine account only)

      9. Computer logs on to domain


  • 39/57 Windows PEAP authentication

    Second phase

      1. Logon dialog appears

      2. Supplicant sends user credentials to authenticator

      3. Authenticator checks validity by contacting authentication server (RADIUS)

      4. Authentication server contacts directory

      5. If valid, authenticator extends controlled port status to permit supplicant full access to LAN


  • 41/57 Why use machine accounts?

    Domain logon required for:

      Machine group policies

      Computer startup scripts

      Software installation settings

    When user account passwords expire

      Need associated WIC and transitioned controlled port for user notification and change dialog

      Machine account logon phase allows password expiration notices and changes to occur normally

    Cisco's LEAP can't deal with this


  • 43/57 Remaining vulnerabilities

  • 44/57 Remaining vulnerabilities

    Two related vulnerabilities not addressed with 802.1x

      Bit flipping with known IVs: packet spoofing

      Disassociation denials of service

    Simple addition to 802.1x will solve both

  • 45/57 Bit-flipping attacks

    WEP doesn't perform per-packet authentication

      IC is not a keyed message integrity check

      Flipped bits in WEP packet, recalculated IC

    To spoof or replay:

      Flip bits in WEP packet where IV is known

      AP accepts packet

      Layer 3 device rejects, sends predictable response

      Build response database and derive key

  • 46/57 Disassociation attacks

    802.11 associate/disassociate messages are unauthenticated and unencrypted

    Attacker can forge disassociation message

    Bothersome denials of service

  • 47/57 Solution: keyed IC

    Change behavior of WEP's IC

      Derive key from seed value, source and destination MACs, payload

      Any change to these will alter the IC

    Include in every WEP packet
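    Added example (not code from the slides) covering the bit-flipping point of slides 5, 6 and 45 and the keyed IC of this slide: a toy WEP frame built from RC4 and CRC-32, a modification applied without the key that still passes the unkeyed IC because CRC-32 is linear under XOR, and the same modification caught once the IC is a keyed tag over the MACs and payload. HMAC-SHA256 is my stand-in for the keyed IC the slide describes; the key, MACs and payload are constructed.

```python
import binascii
import hashlib
import hmac

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA then PRGA); models only WEP's stream-cipher layer."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_seal(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """WEP style: payload || CRC-32 IC, XORed with RC4(IV || key); the IC is unkeyed."""
    ic = binascii.crc32(payload).to_bytes(4, "little")
    return xor(payload + ic, rc4_keystream(iv + key, len(payload) + 4))

def wep_open(iv: bytes, key: bytes, frame: bytes) -> tuple:
    pt = xor(frame, rc4_keystream(iv + key, len(frame)))
    payload, ic = pt[:-4], pt[-4:]
    return payload, ic == binascii.crc32(payload).to_bytes(4, "little")

def flip(frame: bytes, delta: bytes) -> bytes:
    """XOR delta into the ciphertext without key or keystream. CRC-32 is affine under
    XOR (crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros)), so the encrypted IC is patched too."""
    ic_delta = binascii.crc32(delta) ^ binascii.crc32(bytes(len(delta)))
    return xor(frame, delta + ic_delta.to_bytes(4, "little"))

def mic_seal(iv, key, mic_key, src, dst, payload) -> bytes:
    """Keyed IC as on slide 47: a tag over source MAC, destination MAC and payload."""
    tag = hmac.new(mic_key, src + dst + payload, hashlib.sha256).digest()
    return xor(payload + tag, rc4_keystream(iv + key, len(payload) + 32))

def mic_open(iv, key, mic_key, src, dst, frame) -> bool:
    pt = xor(frame, rc4_keystream(iv + key, len(frame)))
    payload, tag = pt[:-32], pt[-32:]
    return hmac.compare_digest(tag, hmac.new(mic_key, src + dst + payload, hashlib.sha256).digest())

def demo() -> tuple:  # constructed key, MACs and payload
    iv, key, mic_key = b"\x01\x02\x03", b"constructed-key", b"constructed-mic-key"
    src, dst, payload = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee"), b"allow: 10.0.0.1"
    delta = bytes(len(payload) - 1) + b"\x08"  # flips the trailing '1' (0x31) to '9' (0x39)
    tampered, ok_unkeyed = wep_open(iv, key, flip(wep_seal(iv, key, payload), delta))
    keyed = xor(mic_seal(iv, key, mic_key, src, dst, payload), delta + bytes(32))
    return tampered, ok_unkeyed, mic_open(iv, key, mic_key, src, dst, keyed)
```

    demo() returns the altered payload, True for the unkeyed CRC (the forgery is accepted) and False for the keyed tag (the forgery is rejected).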

  • 48/57 Deployment


  • 50/57 Setup

    1. Build Windows Server 2003 IAS server

    2. Join to domain

    3. Enroll computer certificate

    4. Register IAS in Active Directory

    5. Configure RADIUS logging

    6. Add AP as RADIUS client

    7. Configure AP for RADIUS and 802.1x

    8. Create wireless client access policy

    9. Configure clients

  • 51/57 Access policy

    Policy condition

      NAS-port-type = Wireless IEEE 802.11 and Wireless other

      Windows-group =

        Optional; allows administrative control

        Should contain user and computer accounts

    Profile

      No regular authentication methods

      EAP type: protected EAP; use certificate from step 3

      Encryption: only strongest (MPPE 128-bit)

      Attributes: Ignore-user-dialin-properties =

  • 52/57 What else?

    Interoperability

  • 53/57 Interoperability

    PEAP standards authors

      Microsoft

      Cisco

      RSA

    Our implementation is version 0

      Not compatible with version 1

      Working towards interoperability

      PEAP allows servers and clients to support multiple versions

  • 54/57 802.1x alternative

    WPA (Wi-Fi protected access)

      Includes TKIP (temporal key integrity protection)

      Uses RC4, rotates keys every 10,000 packets

      Combines shared 128-bit key with client MAC and 128-bit IV

      Provides key uniqueness

    WPA relies on 802.1x for user and mutual device authentication

    In beta now for Windows XP

  • 55/57 References

  • 56/57 References

    Security of the WEP Algorithm: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

    802.1x: Port Based Network Access Control: http://www.ieee802.org/1/pages/802.1x.html

    PPP Extensible Authentication Protocol: http://www.ietf.org/rfc/rfc2284.txt

    PPP EAP-TLS Authentication Protocol: http://www.ietf.org/rfc/rfc2176.txt

    Protected EAP Protocol: ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-

  • 57/57 2003 Microsoft Corporation. All rights reserved.

    This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.