Page 1: Wireless Security

Wireless Security

802.11 With a focus on Security

by Brian Lee
Takehiro Takahashi

Page 2: Wireless Security

Survey (1)

Who has not used wireless?

Are you confident with your wireless network?

Page 3: Wireless Security

Brief Overview

Wireless Technology Overview
  Architecture
  Features

Wireless Security Overview
  Built-in security features in 802.11
  WEP insecurity
  802.1x
  WPA
  WPA2 - 802.11i

Page 4: Wireless Security

GOAL

Understand the state of the art
WEP is insecure
But we CAN make a wireless network ‘secure’

Page 5: Wireless Security

802.11 Basics

Infrastructure Mode or Ad Hoc
11Mbps with 802.11b
  feels slow….? (effective speed ~ 50%)
802.11 a/b/g/n : Physical Layer Spec
802.11i : Security Spec
802.11r : QoS

Page 6: Wireless Security

802.11 Built-in Features

802.11 frame types
  Association Request/Response Frame
  Beacon Frame
  RTS/CTS Frame

Shared/Open Authentication
WEP (Layer 2 security)
  Integrity
  Confidentiality

Page 7: Wireless Security

SSID

Network identifier
SSID is broadcast in a beacon frame
  Clear Text!
Change it from the default
  Cisco = tsunami
  Linksys = linksys
  Netgear = netgear
Stop broadcasting!

Page 8: Wireless Security

MAC Address Filtering

White-list approach
  Does not scale
Frame headers are never encrypted
  Sniffing traffic will reveal valid MAC addresses
Bottom line…..
  Prevents casual hacking..
  Quite useless

Page 9: Wireless Security

Shared/Open Authentication (1)

2 ways of initiating communication
  Shared Key
  Open Key authentication
Open key Auth = No authentication
Shared Key Auth = requires WEP

Page 10: Wireless Security

Shared Authentication (2)

The challenge is generated using a PRNG used by WEP
Challenge is then encrypted using WEP key and sent back
This is bad…….. reveals the WEP key

Page 11: Wireless Security

WEP (Wired Equivalent Protocol)

Provides “Confidentiality” and “Integrity”.
Uses 40/104 bits RC4 encryption + CRC32

Page 12: Wireless Security

WEP Encryption

Page 13: Wireless Security

64/40 and 128/104 bits confusion

IV (24bits)
Your WEP key:
  5-ASCII char word = 40bits
  13-ASCII char word = 104bits
Security-wise, it’s really 40bits or 104bits

Page 14: Wireless Security

Problems with WEP

1 Static Key
  No encryption is strong if one key is used forever
Key length is short (40bits)
  Brute forcing is possible
  104bits version exists
Using CRC32
  CRC is a hash function used to produce a checksum
Improper use of RC4
  IV space is too small (24bits)
No protection against replay attack
No specification on key distribution
  Lacks scalability

Page 15: Wireless Security

CRC32 and WEP

CRC32 doesn’t have the cryptographic strength seen in MD5 or SHA1
Bit-flipping is possible
  Change the data, and WEP won’t catch it
Seems trivial….?

Page 16: Wireless Security

RC4 and WEP (1)

RC4 – Rivest’s Cipher 4
  Stream Cipher
What is a requirement for a stream cipher?
  Avoid key sequence collision at any cost

{ M1 XOR RC4-Key } XOR { M2 XOR RC4-Key } = M1 XOR M2

With WEP, key sequences are repeated every 16 million packets (2 ^ 24)
Key sequence collision doesn’t reveal the WEP key!
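The WEP construction from the “WEP Encryption” and “64/40 and 128/104 bits” slides, together with the keystream-reuse identity above, as an added Python example that is not part of the original deck. The RC4 code, the function names and the 5-character key and 3-byte IV are my own constructed choices; the frame layout (IV || RC4(IV||key, data || CRC-32)) is the one the slides describe.

```python
import zlib
from typing import Optional, Tuple

IV_SPACE = 2 ** 24  # 16,777,216 IVs before a keystream must repeat


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream: key scheduling (KSA), then PRGA for `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return iv || RC4(iv || key, plaintext || CRC32(plaintext)).

    WEP seeds RC4 with the 24-bit IV prepended to the 40- or 104-bit key,
    so a "64-bit" key carries 40 secret bits and a "128-bit" key 104.
    The ICV is a plain CRC-32 (little-endian), not a keyed MAC.
    """
    assert len(iv) == 3 and len(wep_key) in (5, 13), "WEP: 24-bit IV, 5/13-byte key"
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    ks = rc4(iv + wep_key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, ks))


def wep_decrypt(wep_key: bytes, frame: bytes) -> Optional[bytes]:
    """Decrypt a frame from wep_encrypt(); None if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    ks = rc4(iv + wep_key, len(body))
    clear = bytes(a ^ b for a, b in zip(body, ks))
    data, icv = clear[:-4], clear[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data


def xor_of_reused_iv(wep_key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bytes:
    """The slide's identity: (M1 ^ KS) ^ (M2 ^ KS) == M1 ^ M2 when an IV repeats.

    Only the keystream leaks, never the key itself, but with a 2^24 IV space
    a busy network wraps around after ~16M frames.
    """
    c1 = wep_encrypt(wep_key, iv, m1)[3:]
    c2 = wep_encrypt(wep_key, iv, m2)[3:]
    n = min(len(m1), len(m2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


def secret_bits(wep_key: bytes) -> Tuple[int, int]:
    """(advertised key size, actual secret bits) for a 5- or 13-char key."""
    secret = len(wep_key) * 8
    return secret + 24, secret


if __name__ == "__main__":
    key = b"abcde"           # constructed 40-bit key (5 ASCII chars)
    iv = b"\x01\x02\x03"     # constructed 24-bit IV
    frame = wep_encrypt(key, iv, b"hello wireless")
    print(frame.hex(), wep_decrypt(key, frame), secret_bits(key))
```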

Page 17: Wireless Security

RC4 and WEP (2)

Weak IVs reveal the WEP key
  5% chance of guessing the portion of the seed (WEP key) correctly
  FMS attack
2M~ packets to decrypt 40bit WEP key
The time needed is a linear function of the key length
  104bit key is just as useless as 40bits key

Page 18: Wireless Security

Replay Attacks

Reinjection of the captured packets is possible
IV usage is not specified

Page 19: Wireless Security

Effective WEP cracking

KoreK attack (Aug. 2004)
  Another statistical analysis based attack on WEP key
  Extremely fast
  Decrypts packets using CRC32 vulnerability
  Possible with as little as 0.1M IVs (packets)…
  Traditional method requires more than 2M packets
  Accelerate it with packet injection – ARP
A 40-bit WEP can be cracked in 10 Minutes
Fast swapping of WEP key is no longer safe

Page 20: Wireless Security

Conclusion: WEP

Confidentiality
  FMS attack
  KoreK attack
Integrity
  Bit-flipping attack
Authentication
  Non-existent
Attacks can be completely passive

NO MORE WEP

Page 21: Wireless Security

WEP….

Wired Equivalent Privacy

Well.. More like

What on the Earth does it Protect?

Page 22: Wireless Security

Finally…. we have solutions!

802.1x (Authentication)
  per-user authentication
  Key distribution mechanism
WPA (Confidentiality, Integrity)
  Subset of 802.11i
  2 forms
    802.1x Auth + TKIP (Enterprise mode)
    Pre-shared Key + TKIP
WPA2 – 802.11i
  WPA2 is the implementation of 802.11i
  Uses AES-CCMP

Page 23: Wireless Security

WPA2 (802.11i)

WPA

802.1x (Authentication)

Page 24: Wireless Security

802.1X

802.1X is a port-based, layer 2 authentication framework
Not limited to wireless networks
Uses EAP for implementation
End-result
  A WEP key for WEP
  A seed for an encryption key used in WPA/WPA2
802.1X is not an alternative to WEP

Page 25: Wireless Security

802.1x authentication

Page 26: Wireless Security

Extensible Authentication Protocol (EAP)

Authentication Framework
  runs on a different layer than 802.1x
Very flexible
RADIUS is de-facto
  a server for remote user authentication and accounting

Page 27: Wireless Security

Implementations

EAP methods adopted in WPA/WPA2
  EAP-MD5
  EAP-LEAP
  EAP-TLS
  EAP-TTLS
  PEAP

Page 28: Wireless Security

EAP-MD5

EAP-MD5 is a simple EAP implementation
Uses an MD5 hash of a username and password that is sent to the RADIUS server
Authenticates only one way
  Man in the middle attack
Bottom line: Not recommended

Page 29: Wireless Security

LEAP (EAP-Cisco)

Like EAP-MD5, it uses a Login/Password scheme that it sends to the RADIUS server
Each user gets a dynamically generated one time key upon login
Authenticates client to AP and vice versa
Only guaranteed to work with Cisco wireless clients
Broken – ASLEAP by Joshua Wright
  Dictionary attack

Page 30: Wireless Security

EAP-TLS by Microsoft

Instead of a username/password scheme, EAP-TLS uses certificate based authentication
Two way authentication
Uses TLS (Transport Layer Security) to pass the PKI (Public Key Infrastructure) information to RADIUS server
Compatible with many OS’s
Harder to implement and deploy because PKI for clients is also required

Page 31: Wireless Security

PEAP by Microsoft and Cisco

A more elegant solution!
Very similar to EAP-TLS except that the client does not have to authenticate itself with the server using a certificate; instead it can use a login/password based scheme
Much easier to set up, does not necessarily require a PKI
Currently works natively with Windows XP SP1 and OSX. 802.1x supplicant exists for Linux

Page 32: Wireless Security

WPA (Wi-Fi Protected Access)

Subset of 802.11i
Confidentiality
  Fix flawed encryption mechanism
  TKIP: Per-packet dynamic key mechanism
Integrity
Upgradeability
  Software / Firmware Upgrade

Page 33: Wireless Security

WPA Mechanism

1. Confirmation of association capability
2. Authentication by 802.1x or PSK
3. 4-way handshake
4. Encryption using TKIP

Very Different from WEP which took care of “everything”

Page 34: Wireless Security

802.1x Authentication (recap)

Page 35: Wireless Security

4 Way Handshake and PTK

Page 36: Wireless Security

802.1x Authentication + PMK

Security level can be selected
Pairwise Master Key (PMK) is a seed for temporal key generation used in encryption
PMK is generated based on the user authentication result

Page 37: Wireless Security

4 Way Handshake and PTK

PTK (512bits) splits in 4 ways
Part of PTK is used to generate the encryption key (WEP equivalent) in the next phase

Page 38: Wireless Security

4 Way Handshake and PTK

Page 39: Wireless Security

TKIP (Temporal Key Integrity Protocol)

The heart of WPA encryption mechanism
Expands IV space (24 -> 48bits)
IV sequence is specified
Generate a key which conforms to WEP
A fresh key is used for every 16M packets
Michael
  Very cheap integrity checker for MAC addresses and DATA

Page 40: Wireless Security

WPA-PSK

For home / SOHO use
Removes 802.1x authentication
Pre-shared Key + TKIP
Weak against passive dictionary attack
  Attacks exist - WPA Cracker
Still MUCH better than WEP
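How the PMK of the “802.1x Authentication + PMK” slide is obtained in WPA-PSK, and how the 4-way handshake expands it into the 512-bit PTK that “splits in 4 ways”, as an added Python example that is not part of the original deck. The PBKDF2 and PRF-512 constructions are the ones 802.11i specifies; the function names, the sample passphrase/SSID, MAC addresses and nonces are my own constructed inputs. It also shows why a weak pass-phrase is the problem: everything except the passphrase is public.

```python
import hashlib
import hmac
from typing import Dict


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The SSID is in every beacon and the handshake nonces travel in clear, so
    once a handshake is captured the only unknown is the passphrase. That is
    the slide's "passive dictionary attack" risk, and why pass-phrase
    strength is what WPA-PSK security rests on.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b""
    for i in range(4):  # 4 x 20 bytes = 80 bytes, truncated to 64
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """4-way handshake key expansion into the 512-bit PTK.

    AA/SPA are the AP and station MAC addresses (6 bytes each), the nonces
    32 bytes each. Both ends sort the pairs with min/max so they derive the
    same PTK regardless of which side they are. TKIP layout of the split:
    KCK (16) | KEK (16) | TK (16) | Michael TX key (8) | Michael RX key (8).
    """
    assert len(aa) == len(spa) == 6 and len(anonce) == len(snonce) == 32
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return {
        "KCK": ptk[0:16],     # signs the handshake messages (MIC)
        "KEK": ptk[16:32],    # wraps the group key sent in message 3
        "TK": ptk[32:48],     # the per-session encryption key ("WEP equivalent")
        "MIC_TX": ptk[48:56], # Michael integrity key, AP -> station
        "MIC_RX": ptk[56:64], # Michael integrity key, station -> AP
    }


if __name__ == "__main__":
    # Constructed sample inputs; the passphrase/SSID pair is the 802.11i
    # Annex test vector, the addresses and nonces are arbitrary.
    pmk = pmk_from_psk("password", "IEEE")
    ap_mac = bytes.fromhex("00112233445566"[:12])
    sta_mac = bytes.fromhex("aabbccddeeff")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    keys = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    print("PMK:", pmk.hex())
    for name, k in keys.items():
        print(f"{name:7s} {len(k):2d} bytes {k.hex()}")
```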

Page 41: Wireless Security

WPA Security Insight

No effective attacks found on WPA + 802.1x
WPA-PSK should be used with care

Page 42: Wireless Security

WPA2 - 802.11i

The long-awaited security standard for wireless, ratified in June 2004
Better encryption: AES-CCMP
Key-caching (optional)
Pre-authentication (optional)
Hardware manufactured before 2002 is likely to be unsupported: too weak

Page 43: Wireless Security

PMK Key-Caching

Skips re-entering of the user credential by storing the host information on the network
Allows client to become authenticated with an AP before moving to it
Useful in encrypted VoIP over Wi-Fi
  Fast Roaming

Page 44: Wireless Security

Conclusion

WEP = Dead Meat
WPA-PSK = Potentially Insecure
WPA + 802.1x (Secure EAP) = Secure
WPA2-PSK = Potentially Insecure
WPA2 + 802.1x = Very Secure

Page 45: Wireless Security

Suggested Practice

Hide SSID
Do NOT use WEP
Use WPA-PSK with a good pass-phrase
  or Use WPA with 802.1x if possible
Get WPA2 certified product for your next purchase

Page 46: Wireless Security

tinyPEAP (1)

A self contained PEAP enabled RADIUS server
Currently available in Linksys WRT54G/GS router and Win32 binary
Native Windows XP SP1 support
Web-based user management
The easiest and the most secure solution available at the consumer level

Page 47: Wireless Security

tinyPEAP (2)

Page 48: Wireless Security

tinyPEAP (3)

Page 49: Wireless Security

Survey (2)

Ready to reconfigure your wireless network?

Page 50: Wireless Security
Page 51: Wireless Security

Links to the tools used:

Airsnort
http://airsnort.shmoo.com

Netstumbler
http://www.netstumbler.com

Ethereal
http://www.ethereal.com

tinyPEAP
http://www.tinypeap.com

Page 52: Wireless Security

Papers and Wireless Security Web Pages

Weaknesses in the Key Scheduling Algorithm of RC4
The Unofficial 802.11 Security Web Page
Wireless Security Blackpaper
The IEEE 802.11 specifications (includes WEP spec)
Paper on detecting Netstumbler and similar programs
Further reading on upcoming 802.11 variations
Assorted 802.11 related crypto algorithms written in ANSI C

Page 53: Wireless Security

An exercise in wireless insecurity

Tools used:
  Laptop w/ 802.11a/b/g card
  GPS
  Netstumbler
  Aircrack (or any WEP cracking tool)
  Ethereal
  the car of your choice

Page 54: Wireless Security

Step1: Find networks to attack

An attacker would first use Netstumbler to drive around and map out active wireless networks
Using Netstumbler, the attacker locates a strong signal on the target WLAN
Netstumbler not only has the ability to monitor all active networks in the area, but it also integrates with a GPS to map APs

Page 55: Wireless Security

WarDriving

Page 56: Wireless Security

Step 2: Choose the network to attack

At this point, the attacker has chosen his target; most likely a business
Netstumbler can tell you whether or not the network is encrypted
Also, start Ethereal to look for additional information.

This time…….

Your target is GTwireless

Page 57: Wireless Security

Step3: Analyzing the Network

WLAN has no broadcasted SSID
  Netstumbler tells me that SSID is GTwireless
Multiple access points
Open authentication method
WLAN is encrypted with 40bit WEP
WLAN is not using 802.1X (WEB-auth)

Page 58: Wireless Security

Step4: Cracking the WEP key

Attacker sets NIC drivers to Monitor Mode
Begins capturing packets with Airodump
Airodump quickly lists the available network with SSID and starts capturing packets.
After a few hours of airodump session, launch aircrack to start cracking!
WEP key for GTwireless is revealed!

Page 59: Wireless Security

Step5: Sniffing the network

Once the WEP key is cracked and the NIC is configured appropriately, the attacker is assigned an IP, and can access the WLAN
However, a secure proxy with an SSL enabled web based login prevents access to the rest of network and the Internet
Attacker begins listening to traffic with Ethereal

Page 60: Wireless Security

Step6: Sniffing continued…

Sniffing a WLAN is very fruitful because everyone on the WLAN is a peer, therefore you can sniff every wireless client
Listening to connections with plain text protocols (in this case FTP, POP, Telnet) to servers on the wired LAN yielded 2 usable logins within 1.5hrs

Page 61: Wireless Security

What was accomplished?

Complete access to the WLAN
Complete access to the wired LAN
Complete access to the internet
Access to servers on the wired LAN using the sniffed accounts
Some anonymity. Usage of Netstumbler and other network probing devices can be detected. Skip that step if possible.

Page 62: Wireless Security

Other possibilities

Instead of sniffing a valid login, the attacker could have exploited a known vulnerability in the proxy (provided there is one)
The greater risk of being noticed, something an attacker does not want

Page 63: Wireless Security

That’s it…the network is compromised

As long as WEP is in place, such an attack is always possible
Sadly, many are less secure
How about yours?