NETW 05A: APPLIED WIRELESS SECURITY
Data-Link Security Solutions
By Mohammad Shanehsaz, Spring 2005

This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Posted: Dec 19, 2015

Transcript
Page 1 (title slide)

Page 2

Objectives: Static and Dynamic WEP & TKIP
- Explain the functionality, strengths, and weaknesses of WEP and TKIP
- Explain appropriate scenarios and applications of static and dynamic WEP and TKIP
- Install and configure static and dynamic WEP & TKIP
- Illustrate the feasibility of WEP exploitation
- Manage scalable WEP & TKIP solutions

Page 3

Objectives: 802.1x and EAP
- Explain the functionality of 802.1x & EAP
- Explain dynamic key generation and rotation for solution scalability
- Explain the strengths, weaknesses, and appropriate applications of 802.1x & EAP
- Install and configure 802.1x & EAP, including LEAP, EAP-TLS, EAP-TTLS, EAP-MD5, PEAP
- Manage scalable 802.1x and EAP solutions

Page 4

802.11 MAC Basics
- Management and control frames are sent in clear text and are unauthenticated
- This is the basis for many types of attack scenarios (forged deauthentication and disassociation frames, spoofed beacons and probe responses)
- For some types of attacks particular vendors have instituted proprietary solutions
- Many of these vulnerabilities are addressed by the 802.11i standard (ratified June 2004), which covers authentication and data-frame confidentiality; protection for the management frames themselves came later, in 802.11w (2009)

Page 5

Categories of Authentication & Encryption
- There are three main categories: static WEP, dynamic WEP, and proprietary protocols
- There are variations on each type

Page 6

Static WEP
- Security solution based on unchanging shared keys that are preconfigured on all nodes by the network administrator
- Protects the wireless link with simple authentication and data encryption
- Not a complete solution: it can be cracked using common tools such as WEPCrack or AirSnort

Page 7

Cracking WEP
Cracking WEP requires three things:
- A large number of captured packets
- Time to capture those packets
- A machine to process the information contained in the packets and derive the WEP key

It can take days to crack passively; is it worth it? That estimate assumes the original FMS attack on weak IVs with purely passive capture. Statistical attacks (KoreK, later PTW) combined with ARP-replay injection to force traffic bring recovery of a 104-bit key down to minutes with tools such as aircrack-ng, so static WEP should be treated as broken rather than merely slow to break.

Page 8

TKIP
- Temporal Key Integrity Protocol is a set of modifications wrapped around the existing WEP (RC4) algorithm so that legacy hardware can run it
- The IEEE 802.11i task group created TKIP; the Wi-Fi Alliance shipped it as WPA
- TKIP is a type of dynamic WEP solution: per-packet keys are derived from a 128-bit temporal key that changes per session and can be rekeyed on a configurable interval. The temporal key is derived from the pairwise master key established by 802.1x/EAP or a pre-shared key, not from a static WEP key, so there is no long-lived RC4 key for an attacker to recover

Page 9

WEP Weaknesses Addressed
TKIP algorithms address the following weaknesses:
- Forgery
- Weak-key attacks
- Collision attacks
- Replay attacks

Page 10

Forgery
- TKIP supports per-packet authentication
- Forgery attacks are performed by capturing encrypted packets, changing some data within them, and then resending the packets; WEP's CRC-32 integrity check value (ICV) is linear, so an attacker can flip plaintext bits and fix up the ICV without knowing the key
- TKIP uses a keyed message-integrity check (MIC) called "Michael" to thwart such attempts
- The MIC adds 8 bytes per frame plus per-frame computation. Michael was deliberately made cheap enough for legacy hardware and is correspondingly weak (about 20 bits of forgery resistance), which is why TKIP adds countermeasures: two MIC failures within 60 seconds force a rekey and a 60-second blackout
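The two WEP weaknesses discussed on the Static WEP, Cracking WEP and Forgery slides can be shown concretely. The following is an added example, not code from the original slides: a toy WEP (RC4 keyed with IV || key, CRC-32 ICV) built from the Python standard library, used to recover a frame's plaintext after an IV collision and to forge a frame whose ICV still verifies although the forger never had the key. The 40-bit key, the IV and the packet contents are constructed for the demonstration.

```python
# Added example (not from the original slides): toy WEP from RC4 + CRC-32,
# demonstrating keystream reuse on IV collision and ICV forgery by bit flipping.
# Key, IV and packet contents are constructed values.
import math
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_icv(data: bytes) -> bytes:
    """WEP integrity check value: unkeyed CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (sent in clear) || RC4(IV || key) XOR (plaintext || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = plaintext + wep_icv(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) as a receiving station computes them."""
    iv, ct = frame[:3], frame[3:]
    body = xor_bytes(ct, rc4_keystream(iv + key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext, tag == wep_icv(plaintext)


def recover_by_iv_reuse(frame_known: bytes, known_plaintext: bytes, frame_target: bytes) -> bytes:
    """Two frames under one IV share the keystream, so C1 ^ C2 = P1 ^ P2;
    knowing P1 (e.g. a predictable header) reveals the same-length prefix of P2."""
    if frame_known[:3] != frame_target[:3]:
        raise ValueError("attack needs a colliding IV")
    n = len(known_plaintext)
    return xor_bytes(xor_bytes(frame_known[3:3 + n], frame_target[3:3 + n]), known_plaintext)


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: probability of at least one repeated 24-bit IV among `frames` frames."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** 24))


def forge_by_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Flip the plaintext bits set in `delta` (one byte per plaintext byte) and repair
    the ICV without the key. CRC-32 is linear over XOR:
    crc(P ^ delta) == crc(P) ^ crc(delta) ^ crc(zeros), so the fix depends only on delta."""
    iv, ct = frame[:3], frame[3:]
    if len(delta) != len(ct) - 4:
        raise ValueError("delta must cover the whole plaintext")
    icv_fix = struct.pack("<I", (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))) & 0xFFFFFFFF)
    return iv + xor_bytes(ct, delta + icv_fix)


def demo() -> dict:
    key = bytes.fromhex("0123456789")      # constructed 40-bit WEP key
    iv = bytes.fromhex("000001")           # an IV that gets reused
    p1 = b"GET /index.html "               # known plaintext (16 bytes)
    p2 = b"POST /login.cgi "               # victim plaintext (16 bytes)
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    recovered = recover_by_iv_reuse(f1, p1, f2)
    # Turn "GET" into "PUT" in f1 without the key; the receiver's ICV check still passes.
    delta = bytes([ord("G") ^ ord("P"), ord("E") ^ ord("U")]) + bytes(len(p1) - 2)
    forged_pt, forged_ok = wep_decrypt(key, forge_by_bitflip(f1, delta))
    return {"recovered": recovered, "forged_plaintext": forged_pt, "forged_icv_ok": forged_ok,
            "p_collision_after_10000_frames": iv_collision_probability(10_000)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the constructed inputs the recovered prefix is the full second plaintext, the forged frame decrypts to "PUT /index.html " with a valid ICV, and roughly 10,000 frames already give a better than 90% chance of an IV collision, which is why a busy access point with 24-bit IVs reuses keystreams within hours. TKIP's Michael MIC (keyed, so not linear in the attacker's favour) and 48-bit sequence counter address exactly these two functions.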

Page 11

Weak Key Attacks
- WEP constructs a per-packet RC4 key by concatenating the 24-bit IV and the RC4 base key; the FMS attack exploits IVs that leak key bytes through RC4's weak key schedule
- TKIP uses a two-phase key-mixing function to derive short-lived per-packet encryption keys
- TKIP combines the 128-bit temporal key with the transmitter's MAC address and a 48-bit IV (the TKIP sequence counter) to produce the per-packet key, so the related per-packet keys that FMS relies on no longer occur

Page 12

Collision and Replay attacks
- TKIP uses 48-bit IVs, which enlarges the IV space from 2^24 to 2^48 and so prevents the IV collisions (keystream reuse) seen with WEP
- TKIP prevents replay attacks by using the IV as a sequence counter (TSC) for generated packets: the receiver drops any frame whose counter is not greater than the last one it accepted

Page 13

Availability
- For those products that are currently Wi-Fi certified, most can be upgraded to support TKIP, assuming the vendor has made a firmware upgrade available; check the vendor's web site for upgrades

Page 14

802.1x / EAP
- 802.1x with the Extensible Authentication Protocol implements what is generally referred to as dynamic WEP: dynamic key generation, distribution, and rotation
- EAP is a layer 2 authentication framework, originally defined for PPP as an extensible alternative to PAP and CHAP
- It is appropriate for medium to large enterprise environments
- Authentication is based on individualized user credentials such as usernames and passwords, certificates, smart cards and similar methods

Page 15

802.1x Standard
- IEEE standard that provides an authentication framework for 802-based LANs
- It was originally used in wired networks and has since been adapted for wireless networks
- It provides port-based access control: before the switch or access point will forward traffic on a port, the user's credentials must be verified
- The 802.1x standard addresses only access control and the authentication framework; it does not address data privacy, so the problems with WEP still exist. Key-generating EAP methods (EAP-TLS, EAP-TTLS, PEAP, LEAP) reduce those problems by delivering fresh per-session keys

Page 16

802.1x Standard
There are three terms defined by the IEEE standard that describe the devices used in 802.1x:
- Supplicant: a client that is being authenticated
- Authenticator: an access layer device such as an AP or bridge that requires supplicants to be authenticated in order to pass traffic through it
- Authentication server (typically a RADIUS server): the device that actually authenticates the supplicant

Page 17

802.1x Standard Advantages
- Maturity & interoperability
- User-based identification
- Dynamic key management
- Flexible authentication

Page 18

Maturity & Interoperability
- The industry's choice for WLANs because of its time-proven use in wired networks
- Supports mature protocols such as EAP and RADIUS, which are open standards providing maximum interoperability in centralized identification and key management

Page 19

User-based Identification
- Authentication is based on the actual user, not a particular wireless device, against a scalable database such as RADIUS or other databases that RADIUS directly supports (Active Directory, NDS, LDAP, SQL)
- Centralized authentication and management save time and money

Page 20

Dynamic Key Management
- Per-user, per-session keys defeat attacks that depend on recovering a long-lived WEP key, provided the rekey interval is short relative to the number of packets the key-recovery attack needs
- Automated key management systems allow keys to be reissued without an administrator's intervention

Page 21

Flexible Authentication
- There are several supported authentication methods to choose from
- Changing the authentication mechanism does not require any hardware replacement

Page 22

EAP Protocol
- Provides an extensible method for a PPP server to authenticate its clients
- EAP methods support two- and three-factor authentication (passwords, certificates, biometrics, etc.)
- EAP was designed to prevent proprietary authentication solutions from being implemented, which would have had a negative effect on the interoperability and compatibility between systems
- EAP lives within the OS of the server or in application software on the client
- Windows XP natively supports EAP

Page 23

EAP Authentication Types
There are many EAP types, including: EAP-MD5, EAP-TLS, LEAP, EAP-TTLS, PEAP

Page 24

EAP-MD5
- The first authentication type, defined as MD5-Challenge in RFC 2284 (the original EAP RFC, 1998), and so the first EAP type available to 802.1x
- Uses the same challenge-handshake protocol as PPP-based CHAP, except that challenges and responses are sent as EAP messages
- It has three weaknesses: one-way authentication, challenge passwords, and no per-session WEP keys
- Rarely used because of its weaknesses

Page 25

EAP-MD5 Weaknesses: One-way Authentication
- Because only the supplicant gets authenticated, an impersonator can set up a rogue access point with a rogue RADIUS server, issue its own challenge, and collect a legitimate user's response for offline cracking

Page 26

EAP-MD5 Weaknesses: Challenge Passwords
- The authentication server challenges the supplicant with a random string
- The supplicant hashes the challenge with its password (MD5 over the EAP identifier, the password and the challenge, exactly as in CHAP) and sends the result back
- The server validates the response based on its own knowledge of the password
- An eavesdropper can obtain both the challenge and the hash, and can then mount an offline dictionary attack to recover the user's password
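The two EAP-MD5 weaknesses above (one-way authentication and the exposed challenge/response) combine into one attack, shown here as an added example that is not part of the original slides. The response computation is the CHAP one from RFC 1994 that EAP-MD5 reuses, MD5(identifier || password || challenge); the identifier, password, rogue challenge and wordlist are constructed values.

```python
# Added example (not from the original slides): EAP-MD5 challenge/response and the
# offline dictionary attack an eavesdropper or rogue server can run against it.
# EAP-MD5 reuses the CHAP computation (RFC 1994): MD5(identifier || password || challenge).
# Identifier, password, challenge and wordlist below are constructed values.
import hashlib
import hmac
from typing import Iterable, Optional


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side: the value carried in EAP-Response/MD5-Challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_verify(identifier: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Authentication server side: recompute and compare in constant time."""
    expected = eap_md5_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                      wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Attacker side: identifier, challenge and response all went over the air in
    clear text, so the attack is offline and costs one MD5 per guess."""
    for guess in wordlist:
        if eap_md5_response(identifier, guess, challenge) == response:
            return guess
    return None


def rogue_server_capture(identifier: int, password: bytes):
    """One-way authentication: a rogue AP/RADIUS pair issues its own challenge (a fixed
    constructed value here; a real server uses a random one) and the supplicant,
    having no way to authenticate the server, answers it."""
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    return challenge, eap_md5_response(identifier, password, challenge)


def demo() -> Optional[bytes]:
    identifier = 0x2A
    password = b"Winter2005"                                   # constructed user password
    challenge, response = rogue_server_capture(identifier, password)
    # The legitimate server would accept exactly this response...
    assert server_verify(identifier, password, challenge, response)
    # ...and an attacker with a small constructed wordlist recovers the password offline.
    wordlist = [b"password", b"letmein", b"Spring2005", b"Winter2005", b"qwerty"]
    return dictionary_attack(identifier, challenge, response, wordlist)


if __name__ == "__main__":
    print("recovered password:", demo())
```

Nothing in the exchange binds the response to a particular server or session key, which is why the later methods (EAP-TLS, EAP-TTLS, PEAP) first authenticate the server with a certificate and only then run any password protocol inside the TLS tunnel.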

Page 27

EAP-MD5 Weaknesses: No per-session WEP keys
- After authentication, communication is either not encrypted or encrypted with a static WEP key
- Because of static WEP's vulnerability, this allows eavesdropping on the data

Page 28

EAP-TLS (EAP-Transport Layer Security)
- Developed by Microsoft and standardized by the Internet Engineering Task Force (RFC 2716)
- It is based on the Transport Layer Security protocol (the standardized successor of SSL) used for secure web traffic
- It uses both server-side and client-side certificates for identification (mutual authentication)
- More appropriate for organizations that have already deployed a PKI (public key infrastructure)
- A per-session WEP key is set up, and the client can be re-authenticated and re-keyed as often as needed without inconveniencing the end user

Page 29

TLS Authentication
The TLS process begins with the handshake:
1. The client connects to a server and makes an authentication request
2. The server sends its digital certificate to the client
3. The client verifies the certificate's validity and digital signature
4. The server requests client-side authentication
5. The client sends its digital certificate to the server
6. The server verifies the certificate's validity and digital signature
7. The encryption and message integrity schemes are negotiated
8. Application data is sent over the encrypted tunnel via the record protocol

Page 30

EAP-TLS Authentication
The EAP-TLS authentication process is as follows:
1. The client sends an EAP start (EAPOL-Start) message to the access point
2. The access point replies with an EAP Request Identity message
3. The client sends its network access identifier (NAI), which is its username, to the access point in an EAP Response message
4. The access point forwards the NAI, encapsulated in a RADIUS Access-Request message, to the RADIUS server
5. The RADIUS server responds to the client with its digital certificate

Page 31

EAP-TLS Authentication (continued)
6. The client validates the RADIUS server's digital certificate
7. The client replies to the RADIUS server with its digital certificate
8. The RADIUS server validates the client's credentials against the client's digital certificate
9. The client and RADIUS server derive encryption keys
10. The RADIUS server sends the access point a RADIUS ACCEPT message, including the client's WEP key, indicating successful authentication
11. The access point sends the client an EAP Success message
12. The access point sends the broadcast key and key length to the client, encrypted with the client's WEP key

Page 32

EAP-Cisco Wireless (LEAP)
- Cisco's proprietary Lightweight Extensible Authentication Protocol was designed to support 802.1x/EAP-based authentication
- It was developed to support networks with a variety of operating systems that may not natively support EAP
- LEAP supports mutual authentication between a client and a RADIUS server
- LEAP provides user-based, centralized authentication as well as per-session WEP keys
- Used in Cisco's Aironet products
- Its security level was considered moderate or strong depending on the strength of the passwords used. However, LEAP's MS-CHAP-style challenge/response is sent unprotected, so a captured exchange is open to the same offline dictionary attack as EAP-MD5 (demonstrated by the asleap tool in 2003); Cisco has since recommended migrating to EAP-FAST or PEAP
- See figure 11.12 on page 256 for the LEAP process

Page 33

EAP-TTLS (Tunneled Transport Layer Security)
- Co-developed by Funk Software and Certicom; supported in Funk's Odyssey software
- EAP-TTLS requires only an authentication server certificate
- TTLS uses the TLS channel to exchange "attribute-value pairs" (AVPs)
- After the authentication server is authenticated using its digital certificate, an encrypted tunnel is established between the supplicant and authentication server to pass the supplicant's authentication credentials
- See figure 11.13 for the EAP-TTLS process

Page 34

Key Security Features of EAP-TTLS
- Almost any kind of supplicant authentication credential (passwords, tokens, etc.) can be used inside the encrypted tunnel
- Low overhead, since only a server-side certificate is required
- Many types of authentication algorithms may be used inside the encrypted tunnel: MS-CHAPv2, MS-CHAP, CHAP, PAP, EAP-MD5
- Strong protection against eavesdroppers seeking to perform a dictionary attack, because the password exchange is never visible outside the tunnel
- Mutual authentication, fast connections while roaming, and automatic re-keying of encryption keys

Page 35

Protected EAP (PEAP)
- PEAP was developed by Microsoft, Cisco and RSA Security to address deficiencies of EAP: unprotected user information during the EAP negotiation, no support for fast reconnection when roaming, and no support for fragmentation and reassembly
- PEAP was designed to protect EAP communication between clients and authentication servers
- It provides identity protection by using TLS to create an encrypted tunnel after verifying the identity of the authentication server

Page 36

Protected EAP (PEAP), continued
- After the encrypted tunnel is established, a second EAP authentication occurs inside the tunnel
- The client is authenticated inside the tunnel using any implemented EAP authentication type (tokens, passwords, etc.)
- It has built-in support for packet fragmentation and reassembly, as well as fast reconnects
- See figure 11.15 on page 263 for the PEAP process

Page 37

PEAP Authentication
1. The client sends an EAP start (EAPOL-Start) message to the access point
2. The access point replies with an EAP Request Identity message
3. The client sends its network access identifier (NAI), which is its username, to the access point in an EAP Response message
4. The access point forwards the NAI to the RADIUS server, encapsulated in a RADIUS Access-Request message
5. The RADIUS server responds to the client with its digital certificate
6. The client validates the RADIUS server's digital certificate

Page 38

PEAP Authentication (continued)
7. The client and server negotiate and create an encrypted tunnel
8. This tunnel provides a secure data path for client authentication
9. Using the TLS record protocol, a new EAP authentication is initiated by the RADIUS server
10. The exchange includes the transactions specific to the EAP type used for client authentication
11. The RADIUS server sends the access point a RADIUS ACCEPT message, including the client's WEP key, indicating successful authentication
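Both the EAP-TLS process (step 10) and the PEAP process (step 11) end with the RADIUS server handing the access point the client's session key inside the Access-Accept. The slides do not say how that key is protected on the AP-to-RADIUS leg, so the following added example (not code from the original slides) fills that in: the key is carried in the MS-MPPE-Send-Key / MS-MPPE-Recv-Key vendor attributes and obscured as specified in RFC 2548 section 2.4, with MD5 keyed by the RADIUS shared secret and the Request Authenticator of the matching Access-Request. The shared secret, authenticator, salt and 104-bit key below are constructed values.

```python
# Added example (not from the original slides): RFC 2548 MS-MPPE key wrapping, the
# mechanism that protects the per-session key in the RADIUS Access-Accept between
# the authentication server and the access point. All inputs are constructed values.
import hashlib


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def mppe_key_wrap(secret: bytes, request_authenticator: bytes, salt: bytes, key: bytes) -> bytes:
    """RADIUS server side (RFC 2548 s2.4.2): P = len(key) || key || zero-pad to 16n;
    b1 = MD5(S || RA || salt), c_i = p_i XOR b_i, b_(i+1) = MD5(S || c_i).
    The attribute value is salt || c_1 || ... || c_n."""
    if len(request_authenticator) != 16 or len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("need a 16-byte Request Authenticator and a salt with the high bit set")
    p = bytes([len(key)]) + key
    p += bytes(-len(p) % 16)
    out = bytearray()
    b = _md5(secret, request_authenticator, salt)
    for i in range(0, len(p), 16):
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += c
        b = _md5(secret, c)
    return salt + bytes(out)


def mppe_key_unwrap(secret: bytes, request_authenticator: bytes, blob: bytes) -> bytes:
    """Access point side: reverse the chain, then strip the length byte and padding.
    A wrong shared secret yields garbage; the length byte is the only sanity check."""
    salt, ct = blob[:2], blob[2:]
    if len(ct) == 0 or len(ct) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    p = bytearray()
    b = _md5(secret, request_authenticator, salt)
    for i in range(0, len(ct), 16):
        c = ct[i:i + 16]
        p += bytes(x ^ y for x, y in zip(c, b))
        b = _md5(secret, c)
    n = p[0]
    if n == 0 or n > len(p) - 1:
        raise ValueError("bad key length after decryption (wrong shared secret?)")
    return bytes(p[1:1 + n])


def demo() -> dict:
    secret = b"radius-shared-secret"                       # constructed AP/RADIUS secret
    request_authenticator = bytes(range(16))              # constructed; random in practice
    salt = bytes([0x80 | 0x12, 0x34])                     # high bit set, per RFC 2548
    session_key = bytes.fromhex("00112233445566778899aabbcc")  # constructed 104-bit WEP key
    blob = mppe_key_wrap(secret, request_authenticator, salt, session_key)
    unwrapped = mppe_key_unwrap(secret, request_authenticator, blob)
    try:
        wrong = mppe_key_unwrap(b"wrong-secret", request_authenticator, blob)
        wrong_secret_recovers_key = wrong == session_key
    except ValueError:
        wrong_secret_recovers_key = False
    return {"blob_len": len(blob), "roundtrip_ok": unwrapped == session_key,
            "wrong_secret_recovers_key": wrong_secret_recovers_key}


if __name__ == "__main__":
    print(demo())
```

The practical point for an 802.1x deployment: the strength of every per-session key delivered this way rests on the RADIUS shared secret and on the RADIUS path between AP and server being trustworthy. A guessable shared secret, or RADIUS traffic crossing an untrusted network without IPsec or RadSec, lets an attacker who captures the Access-Request/Access-Accept pair unwrap the very keys that dynamic WEP and TKIP depend on.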

Page 39

EAP-TTLS vs PEAP
- Both were designed to use older authentication methods while maintaining the strong cryptographic foundation of TLS
- Both have a similar structure
- Both are two-stage protocols that establish security in stage one and then exchange authentication in stage two
- Stage one establishes a TLS tunnel and authenticates the authentication server to the client with a certificate

Page 40

EAP-TTLS vs PEAP (continued)
- Microsoft and Cisco both support PEAP: Cisco's Aironet Client Utility (ACU) and Windows XP with Service Pack 1
- There are two types of PEAP supported by Microsoft: PEAP-EAP-MS-CHAPv2 and PEAP-EAP-TLS
- PEAP-EAP-TLS: server-side and client-side certificates are required
- PEAP-EAP-MS-CHAPv2: a server certificate and client passwords are required
- In both TTLS and PEAP the protection of the inner password rests entirely on the client validating the server certificate (trusted CA and expected server name). A supplicant configured to skip that check will build its tunnel to a rogue AP/RADIUS pair and hand over an MS-CHAPv2 exchange that can be attacked offline, the same failure mode as one-way EAP-MD5
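What the server-validation requirement looks like in practice, as an added example that is not part of the original slides: two wpa_supplicant network blocks for PEAP-EAP-MS-CHAPv2, the first with the weak setting (no CA configured, so any certificate from any RADIUS server is accepted) and the second hardened. The SSID, identities, password placeholder, CA path and RADIUS host name are constructed values.

```conf
# Added example, not from the original slides. wpa_supplicant.conf fragments.

# WEAK: no ca_cert, so the supplicant accepts whatever certificate a RADIUS server
# presents. A rogue AP terminating the TLS tunnel receives the MS-CHAPv2 exchange.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@corp.example"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuing CA and the expected server name; send an anonymous
# outer identity so the real username is only disclosed inside the tunnel.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="alice@corp.example"
    password="REPLACE-ME"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

The same two knobs (a trusted CA and a server-name match) apply to EAP-TTLS and EAP-TLS; the client certificate in EAP-TLS authenticates the user, but it is still the ca_cert check that authenticates the network to the user.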

Page 41

EAP Considerations
The factors to include when deciding:
- Mutual authentication
- Dynamic key generation, rotation, and distribution
- Cost and management overhead
- Acceptance, standardization, and support
- Availability and implementation

Page 42

Proprietary Protocols
These protocols are used because of:
- Added security through per-packet authentication
- Added security through use of leading-edge encryption algorithms not yet supported by standards
- Added security due to the entire communications process between client and server being strongly encrypted
- Compression to increase throughput over the half-duplex medium

Page 43

Proprietary Protocols
- Enterprise Encryption Gateways use proprietary protocols in order to achieve stronger security and increased throughput, but the main disadvantage is the lack of vendor interoperability