Amine Khalife akhal016@uottawa.ca

Networking and Communications

Nov 20, 2013

Wireless Networks and Mobile Computing (CSI 5169)

Wireless Network Security

Amine Khalife

akhal016@uottawa.ca

Outline

1. Wireless intro & history
2. Wireless network modes
3. SSID
4. WEP
5. WPA
6. WPA2
7. Wireless Network tools
8. References


Background & Overview

History
- Developed for military use
- Security widely noticed after Peter Shipley’s 2001 DefCon preso on War Driving
- DHS labeled Wi-Fi a terrorist threat, demanded regulation

Non Wi-Fi types
- CDPD: 19.2 kbps analog
- GPRS: 171.2 kbps digital
- WAP: bandwidth-efficient content delivery
- Ricochet: 176 kbps wireless broadband flop
- Bluetooth: personal area networks, range limited only by transmit power
- Blackberry: uses cellular & PCS networks, no authentication at console

IEEE 802 series standards
- 802.11: wireless LANs
- 802.15: wireless personal area networks (e.g., Bluetooth)
- 802.16: wireless broadband up to 155 Mb, wireless ISPs


802.11 Standards

802.11a
- 54 Mbps @ 5 GHz
- Not interoperable with 802.11b
- Limited distance
- Dual-mode APs require 2 chipsets, look like two APs to clients
- Cisco products: Aironet 1200

802.11b
- 11 Mbps @ 2.4 GHz
- Full speed up to 300 feet
- Coverage up to 1750 feet
- Cisco products: Aironet 340, 350, 1100, 1200

802.11g
- 54 Mbps @ 2.4 GHz
- Same range as 802.11b
- Backward-compatible with 802.11b
- Speeds slower in dual-mode
- Cisco products: Aironet 1100, 1200


802.11 Standards (Cont.)

802.11e
- QoS
- Dubbed “Wireless MultiMedia (WMM)” by the Wi-Fi Alliance

802.11i
- Security
- Adds AES encryption
- Requires high CPU, new chips required
- TKIP is the interim solution

802.11n (2009)
- up to 300 Mbps
- 5 GHz and/or 2.4 GHz
- ~230 ft range

802.11ac (under development)
- Will provide high throughput in the 5 GHz band
- Will use wider RF bandwidth
- Will enable multi-station WLAN throughput of at least 1 Gbps
- A maximum single-link throughput of at least 500 Mbps


Wireless Network Modes

The 802.11 wireless networks operate in two basic modes:
1. Infrastructure mode
2. Ad-hoc mode

Infrastructure mode:
- each wireless client connects directly to a central device called an Access Point (AP)
- no direct connection between wireless clients
- the AP acts as a wireless hub that performs the connections and handles them between wireless clients

Wireless Network Modes (cont’d)

The hub handles:
- the clients’ authentication,
- authorization,
- link-level data security (access control and enabling data traffic encryption)

Ad-hoc mode:
- Each wireless client connects directly with each other
- No central device managing the connections
- Rapid deployment of a temporary network where no infrastructure exists (advantage in case of disaster…)
- Each node must maintain its own authentication list

SSID

- Service Set Identification
- Identifies a particular wireless network
- A client must set the same SSID as the one in that particular AP to join the network
- Without the SSID, the client won’t be able to select and join a wireless network
- Hiding the SSID is not a security measure because the wireless network in this case is not invisible
- It can be defeated by intruders by sniffing it from any probe signal containing it.


SSID (Cont’d)

- A way for vendors to make more money
- So easy to find the ID for a “hidden” network because the beacon broadcasting cannot be turned off
- Simply use a utility to show all the current networks:
  - inSSIDer
  - NetStumbler
  - Kismet
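To make the point of the two SSID slides concrete, the following added example (not code from the slides) parses the body of 802.11 beacon and probe-response frames. A “hidden” network still sends beacons with its BSSID, channel and capability bits; only the SSID information element is emptied, and the real name appears in the probe response the AP sends to any joining client. Both frame bodies below are constructed by hand for the demonstration; no real network is involved, and the BSSID and SSID are placeholders.

```python
"""Parse constructed 802.11 management-frame bodies to show what SSID hiding
does and does not hide. Added example; frames, BSSID and SSID are constructed."""
import struct

SSID_IE = 0        # element ID of the SSID information element
DS_PARAM_IE = 3    # element ID of the DS Parameter Set (carries the channel)

def parse_ies(body: bytes) -> dict:
    """Return {element_id: data} for the tagged parameters that follow the
    12 fixed bytes (timestamp 8, beacon interval 2, capability info 2)."""
    ies = {}
    pos = 12
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        ies[eid] = data
        pos += 2 + length
    return ies

def describe(bssid: str, body: bytes) -> dict:
    """Summarise one frame: SSID (None when the element is empty, i.e. the
    network is 'hidden'), channel and whether the privacy bit is set."""
    capability = struct.unpack_from("<H", body, 10)[0]
    ies = parse_ies(body)
    ssid = ies.get(SSID_IE, b"").decode("utf-8", "replace")
    return {
        "bssid": bssid,
        "ssid": ssid or None,
        "channel": ies[DS_PARAM_IE][0] if DS_PARAM_IE in ies else None,
        "privacy": bool(capability & 0x0010),
    }

def networks_seen(frames) -> dict:
    """frames: iterable of (bssid, body). Merge everything a passive monitor
    learns per BSSID; any frame carrying a real SSID fills in the name."""
    seen = {}
    for bssid, body in frames:
        info = describe(bssid, body)
        entry = seen.setdefault(bssid, info)
        if info["ssid"] and not entry["ssid"]:
            entry["ssid"] = info["ssid"]
    return seen

def make_body(ssid: bytes, channel: int) -> bytes:
    """Build a beacon/probe-response body: fixed fields then SSID and DS IEs."""
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0411)  # timestamp, interval, capabilities (ESS + privacy)
    return fixed + bytes([SSID_IE, len(ssid)]) + ssid + bytes([DS_PARAM_IE, 1, channel])

# Constructed frames from one AP that has SSID broadcast disabled:
BSSID = "00:11:22:33:44:55"                      # placeholder BSSID
HIDDEN_BEACON = make_body(b"", 6)                # beacon still reveals BSSID, channel, privacy
PROBE_RESPONSE = make_body(b"campus-wifi", 6)    # probe response carries the name in clear

if __name__ == "__main__":
    print(describe(BSSID, HIDDEN_BEACON))
    print(networks_seen([(BSSID, HIDDEN_BEACON), (BSSID, PROBE_RESPONSE)]))
```

The takeaway for a defender is the same as the slide’s: treating the SSID as a secret buys nothing, so it should be treated as public and the real protection placed in WPA2 with a strong key.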


IEEE 802.11 Security: Access control list

- Simplest security measure
- Filtering out unknown users
- Requires a list of authorized clients’ MAC addresses to be loaded in the AP
- Won’t protect each wireless client nor the traffic confidentiality and integrity ===> vulnerable
- Defeated by MAC spoofing:
  - ifconfig eth0 hw ether 00:01:02:03:04:05 (Linux)
  - SMAC - KLC Consulting (Windows)
  - MAC Makeup - H&C Works (Windows)


WEP - Wired Equivalent Privacy

- The original native security mechanism for WLAN
- Provides security across an 802.11 network
- Used to protect wireless communication from eavesdropping (confidentiality)
- Prevents unauthorized access to a wireless network (access control)
- Prevents tampering with transmitted messages (integrity)
- Provides users with the equivalent level of privacy built in to wired networks.

WEP

1. Appends a 32-bit CRC checksum to each outgoing frame (INTEGRITY)
2. Encrypts the frame using the RC4 stream cipher with 40-bit (standard) or 104-bit (enhanced) message keys + a 24-bit random initialization vector (IV) (CONFIDENTIALITY).
3. The Initialization Vector (IV) and the default key on the station/access point are used to create a key stream
4. The key stream is then used to convert the plain text message into the WEP encrypted frame.

Encrypted WEP frame

[Figure: layout of an encrypted WEP frame]

RC4 keystream XORed with plaintext

[Figure: RC4 keystream XORed with plaintext]

WEP Components

Initialization Vector (IV)
- Dynamic 24-bit value
- Chosen randomly by the transmitting wireless network interface
- 16.7 million possible values (2^24)

Shared Secret Key
- 40 bits long (5 ASCII characters) when a 64-bit key is used
- 104 bits long (13 ASCII characters) when a 128-bit key is used






WEP Components (cont’d)

The RC4 algorithm consists of 2 main parts:

1. The Key Scheduling Algorithm (KSA):
   - involves creating a scrambled state array
   - This state array will now be used as input in the second phase, called the PRGA phase.

2. The Pseudo Random Generation Algorithm (PRGA):
   - The state array from the KSA process is used here to generate a final key stream.
   - Each byte of the key stream generated is then XORed with the corresponding plain text byte to produce the desired cipher text.



WEP Components (cont’d)

- ICV (Integrity Check Value) = CRC32 (cyclic redundancy check) integrity check
- XOR operation, denoted as ⊕:
  - plain-text ⊕ keystream = cipher-text
  - cipher-text ⊕ keystream = plain-text
  - plain-text ⊕ cipher-text = keystream

How WEP works

Encryption Process

[Figure: the IV and the key feed RC4; the original unencrypted packet plus its checksum are XORed with the keystream; the IV is prepended in clear to the encrypted packet.]

Decryption Process

[Figure: the receiver repeats the process with the received IV and its own key to recover the packet and checksum.]

WEP Authentication

1. The station sends an authentication request to the AP.
2. The AP sends challenge text to the station.
3. The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and sends the result to the AP.
4. The AP decrypts the encrypted text using its configured WEP key that corresponds to the station’s default key.
5. The AP compares the decrypted text with the original challenge text.
6. If the decrypted text matches the original challenge text, then the access point and the station share the same WEP key, and the access point authenticates the station.
7. The station connects to the network.


WEP Authentication (Cont’d)

[Figure: shared-key authentication exchange]

- There is a well-documented vulnerability with shared-key authentication.
- The authentication process leaks information about the key stream.
- It is possible to derive the keystream used for the handshake by capturing the challenge frames in Shared Key authentication.
- SKA is regarded as insecure.
- The problem is that a monitoring attacker can observe both the challenge and the encrypted response:
  - he can determine the RC4 stream used to encrypt the response,
  - he can use that stream to encrypt any challenge he receives in the future.
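The encryption/decryption slides and the shared-key handshake above can be tied together in one runnable model. The following added example (not code from the slides) implements RC4 exactly as the KSA/PRGA description says, wraps it in WEP’s encapsulation (IV || RC4(IV || key, data || CRC-32 ICV)), and then simulates the four-message shared-key exchange between a station and an AP. The last function also computes what the slides describe: because the challenge is sent in clear and its CRC-32 is recomputable, anyone who captured messages 2 and 3 obtains the complete keystream for that IV by XOR. The key, IV and messages are constructed for the demonstration; only the two RC4 test vectors in the usage note are standard published values.

```python
"""RC4 (KSA + PRGA), WEP encapsulation on top of it, and a simulated
shared-key authentication. Added example; keys and messages are constructed."""
import os
import struct
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Produce `length` keystream bytes for `key` (the WEP key is IV || secret)."""
    # KSA: build the scrambled 256-byte state array from the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # PRGA: walk the state array to emit one keystream byte per step
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4(key: bytes, data: bytes) -> bytes:
    """Stream-cipher XOR; the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))

def icv(data: bytes) -> bytes:
    """WEP's Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4(IV || key, plaintext || ICV). key is 5 or 13 bytes."""
    assert len(iv) == 3 and len(key) in (5, 13)
    return iv + rc4(iv + key, plaintext + icv(plaintext))

def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok): decrypt with the received IV and our key,
    then recompute CRC-32 over the recovered data and compare with the ICV."""
    iv, body = frame[:3], frame[3:]
    decrypted = rc4(iv + key, body)
    plaintext, received_icv = decrypted[:-4], decrypted[-4:]
    return plaintext, icv(plaintext) == received_icv

def shared_key_auth(ap_key: bytes, station_key: bytes):
    """Simulate the shared-key handshake. Returns (accepted, observed_keystream, iv):
    the AP accepts only if the station's key matches; observed_keystream is what
    a passive monitor of messages 2 and 3 can compute (challenge || CRC, XOR response)."""
    challenge = os.urandom(128)                          # msg 2: AP -> station, in clear
    iv = os.urandom(3)                                   # chosen by the station
    response = wep_encrypt(station_key, iv, challenge)   # msg 3: station -> AP
    decrypted, ok = wep_decrypt(ap_key, response)        # AP uses its own key
    accepted = ok and decrypted == challenge             # msg 4: success/failure
    known_plaintext = challenge + icv(challenge)         # both halves are public
    observed = bytes(c ^ p for c, p in zip(response[3:], known_plaintext))
    return accepted, observed, iv

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"                        # constructed 40-bit key
    frame = wep_encrypt(key, b"\x00\x00\x01", b"hello")
    print(frame.hex(), wep_decrypt(key, frame))
    accepted, observed, iv = shared_key_auth(key, key)
    print(accepted, observed == rc4_keystream(iv + key, 132))
```

Two checks worth running: `rc4(b"Key", b"Plaintext")` must give `bbf316e8d940af0ad3` and `rc4(b"Wiki", b"pedia")` must give `1021bf0420` (the published RC4 test vectors), and `shared_key_auth` with matching keys must return an observed keystream equal to `rc4_keystream(iv + key, 132)`. That last equality is the whole problem with SKA: one successful login hands a monitor 132 bytes of keystream for that IV, which is why open-system authentication with a real key-management protocol replaced it.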

WEP flaws and vulnerabilities

Weak keys:
- Allow an attacker to discover the default key being used by the Access Point and client stations
- This enables an attacker to decrypt all messages being sent over the encrypted channel.

IV reuse and small size:
- There are 2^24 different IVs
- On a busy network the IV will surely be reused if the default key has not been changed, and the original message can then be retrieved relatively easily.


WEP flaws and vulnerabilities (cont’d)

- With IV reuse, it is possible to determine keystreams and hence enable an attacker to forge packets, obtaining access to the WLAN.
- A 40-bit WEP key needs more protection from attacks than a 128-bit WEP key, but both are very weak and unable to provide security for Wi-Fi networks.
- Uses a weak authentication algorithm
- Uses a weak data encapsulation method
- Uses an improper integrity algorithm, i.e. CRC-32
- Lack of mutual authentication and key management
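How quickly a 24-bit IV space runs out is worth putting in numbers, and the same observation gives a simple detection rule for a wireless monitor. The following added example (not code from the slides) computes the birthday bound for random IVs, the wrap-around time for a sequential IV counter at a given frame rate, and flags IVs that recur under the same BSSID (that is, under the same static key). The frame rate and the captured IV list are constructed for the demonstration; the BSSIDs are placeholders.

```python
"""IV-space exhaustion for WEP's 24-bit IV and a monitor that reports reused
IVs per BSSID. Added example; the capture below is constructed."""
import math
from collections import Counter

IV_SPACE = 2 ** 24   # 16,777,216 possible 24-bit IVs

def frames_until_collision(probability: float, iv_space: int = IV_SPACE) -> int:
    """Birthday bound: number of randomly chosen IVs after which at least one
    IV has been used twice with the given probability."""
    if not 0 < probability < 1:
        raise ValueError("probability must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - probability))))

def seconds_to_exhaust(frames_per_second: float, iv_space: int = IV_SPACE) -> float:
    """Time until a sequential IV counter wraps and every IV starts repeating."""
    return iv_space / frames_per_second

def reused_ivs(frames) -> dict:
    """frames: iterable of (bssid, iv_bytes), the IV being the first 3 bytes of
    a WEP frame body. Returns {bssid: {iv_hex: count}} for every IV seen more
    than once under the same BSSID; a repeat under another BSSID is not a reuse
    because a different key is involved."""
    counts = Counter((bssid, iv.hex()) for bssid, iv in frames)
    report = {}
    for (bssid, iv_hex), n in counts.items():
        if n > 1:
            report.setdefault(bssid, {})[iv_hex] = n
    return report

# Constructed capture: (BSSID, IV) pairs as a monitor would extract them.
CAPTURE = [
    ("00:11:22:33:44:55", b"\x00\x00\x01"),
    ("00:11:22:33:44:55", b"\x00\x00\x02"),
    ("00:11:22:33:44:55", b"\x00\x00\x01"),   # IV 000001 reused under the same key
    ("66:77:88:99:aa:bb", b"\x00\x00\x01"),   # other BSSID, other key: not a reuse
]

if __name__ == "__main__":
    print(f"50% chance of a repeated IV after {frames_until_collision(0.5)} random frames")
    print(f"sequential IVs wrap after {seconds_to_exhaust(1000) / 3600:.2f} h at 1000 frames/s")
    print(reused_ivs(CAPTURE))
```

With random IVs the first repeat is expected after only about 4,800 frames (a few seconds on a loaded cell), and a sequential counter at 1000 frames/s wraps in under five hours; both figures show why a fixed key plus a 24-bit IV cannot hold.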




Attacks on WEP

- WEP encrypted networks can be cracked in 10 minutes
- Goal is to collect enough IVs to be able to crack the key
- IV = Initialization Vector, plaintext appended to the key to avoid repetition
- Injecting packets generates IVs
- Backtrack 5 (released 1st March 2012)
  - Tutorial is available
  - All required tools on a Linux bootable CD + laptop + wireless card





WEP cracking example

[Figure: screenshot of a WEP cracking session]

WPA
-

WI
-
FI Protected Access


New technique in 2002


replacement of security flaws of WEP.


Improved data encryption


Strong user authentication


Because of many attacks related to static key, WPA
minimize shared secret key in accordance with the
frame transmission.


Use the RC4 algorithm in a proper way and provide fast
transfer of the data before someone can decrypt the
data.

WPA

- Data is encrypted using the RC4 stream cipher, with a 128-bit key and a 48-bit initialization vector (IV).
- One major improvement in WPA over WEP is the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used.
- When combined with the much larger IV, this defeats the well-known key recovery attacks on WEP.
- WPA also provides vastly improved payload integrity.


WPA

- A more secure message authentication code (usually known as a MAC, but here termed a MIC for “Message Integrity Code”) is used in WPA, an algorithm named “Michael”.
- The MIC used in WPA includes a frame counter, which prevents replay attacks being executed.
- The Michael algorithm is a strong algorithm that would still work with most older network cards.
- WPA includes a special countermeasure mechanism that detects an attempt to break TKIP and temporarily blocks communications with the attacker.



WPA

[Figure: WPA/TKIP overview]

How WPA Addresses the WEP Vulnerabilities

WPA wraps the RC4 cipher engine in four new algorithms:

1. Extended 48-bit IV and IV Sequencing Rules
   - 2^48 is a large number! More than 500 trillion
   - Sequencing rules specify how IVs are selected and verified
2. A Message Integrity Code (MIC) called Michael
   - Designed for deployed hardware
   - Requires use of active countermeasures
3. Key Derivation and Distribution
   - Initial random number exchanges defeat man-in-the-middle attacks
4. Temporal Key Integrity Protocol generates per-packet keys
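The “IV Sequencing Rules” item and the earlier note that the MIC’s frame counter prevents replay come down to one receiver-side check. The following added example (not code from the slides or from any driver) models that rule: for each sender the receiver remembers the highest 48-bit per-packet counter it has accepted and drops any frame whose counter is not strictly greater, which is what makes a captured frame useless when it is sent again. The addresses and the frame sequence are constructed for the demonstration.

```python
"""Receiver-side replay check on WPA's 48-bit per-packet counter (the extended
IV / TKIP sequence counter). Added example; addresses and frames are constructed."""

TSC_MAX = 2 ** 48 - 1   # 48-bit per-packet counter

class ReplayFilter:
    def __init__(self):
        self.last_seen = {}   # (bssid, station) -> highest counter accepted so far
        self.rejected = []    # (bssid, station, tsc, reason), what a WIDS would log

    def accept(self, bssid: str, station: str, tsc: int) -> bool:
        """Apply the sequencing rule to one received frame."""
        if not 0 <= tsc <= TSC_MAX:
            # the counter cannot wrap; the pair must rekey before it reaches the top
            self.rejected.append((bssid, station, tsc, "tsc out of range"))
            return False
        key = (bssid, station)
        last = self.last_seen.get(key, -1)
        if tsc <= last:
            # equal to or below a counter already accepted: replayed or stale frame
            self.rejected.append((bssid, station, tsc, "replay"))
            return False
        self.last_seen[key] = tsc
        return True

def run_filter(frames):
    """frames: list of (bssid, station, tsc). Returns (decisions, rejected)."""
    flt = ReplayFilter()
    decisions = [flt.accept(*frame) for frame in frames]
    return decisions, flt.rejected

AP, STA = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"   # placeholder addresses
FRAMES = [
    (AP, STA, 1),
    (AP, STA, 2),
    (AP, STA, 2),            # the same frame captured and sent again: rejected
    (AP, STA, 1),            # an older counter: rejected
    (AP, STA, 5),            # gaps are allowed; only monotonicity is required
    (AP, STA, TSC_MAX + 1),  # counter past 48 bits: must never happen, rekey instead
]

if __name__ == "__main__":
    decisions, rejected = run_filter(FRAMES)
    print(decisions)
    for entry in rejected:
        print("rejected:", entry)
```

WEP had no such counter, which is why a captured WEP frame could be re-sent indefinitely; with the check above, the MIC and the per-packet key, a replayed frame fails on the counter before it is even decrypted.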


WPA2 - Wi-Fi Protected Access 2

- Based on the IEEE 802.11i standard
- 2 versions: Personal & Enterprise
- The primary enhancement over WPA is the use of the AES (Advanced Encryption Standard) algorithm
- The encryption in WPA2 is done by utilizing either AES or TKIP
- The Personal mode uses a PSK (Pre-shared key) & does not require a separate authentication of users
- The Enterprise mode requires the users to be separately authenticated by using the EAP protocol


WPA2

- WPA2 uses AES with a key length of 128 bits to encrypt the data
- The AES uses the Counter-Mode/CBC-MAC Protocol (CCMP)
- CCMP uses the same key for both encryption and authentication, but with different initialization vectors.

WPA2

WPA2 has immunity against many types of hacker attacks:
- Man-in-the-middle
- Authentication forging
- Replay
- Key collision
- Weak keys
- Packet forging
- Dictionary attacks


WPA2 weaknesses

- Can’t protect against layer session hijacking
- Can’t stand up to physical layer attacks:
  - RF jamming
  - Data flooding
  - Access point failure
- Vulnerable to MAC address spoofing


Am I secure if I use WPA-PSK?

- WPA-PSK protected networks are vulnerable to dictionary attacks
- Works with WPA & WPA2 (802.11i)
- New attack techniques have increased the speed of this attack
- CowPatty 4.6
  - Run CowPatty against captured packets to crack the key
  - Needs the SSID to crack the WPA-PSK, easily obtainable!
  - Also supports WPA2-PSK cracking with the same pre-computed tables!
- Spoof the MAC address of the AP and tell the client to disassociate
- Sniff the wireless network for the WPA-PSK handshake (EAPOL)
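Why the SSID is needed for a dictionary attack, and why pre-computed tables are tied to one SSID, follows from how IEEE 802.11i turns the passphrase into the 256-bit PSK: PBKDF2 with HMAC-SHA1, the SSID as salt and 4096 iterations. The following added example (not code from the slides or from CowPatty) performs that derivation, accepts the alternative 64-hex-digit raw PSK form the standard allows, and shows that the same passphrase gives different PSKs under different SSIDs. The passphrases and SSIDs are constructed, except for the "password"/"IEEE" pair, which is the test vector published in the standard’s annex.

```python
"""WPA/WPA2 PSK derivation from passphrase and SSID (IEEE 802.11i). Added
example; inputs other than the standard's "password"/"IEEE" vector are constructed."""
import hashlib

PSK_ITERATIONS = 4096
PSK_BYTES = 32

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PSK_ITERATIONS, PSK_BYTES)

def psk_from_config(secret: str, ssid: str) -> bytes:
    """A configured secret of exactly 64 hex digits is the PSK itself (no
    passphrase, nothing for a dictionary attack to guess); anything else is
    treated as a passphrase and run through PBKDF2."""
    if len(secret) == 64 and all(c in "0123456789abcdefABCDEF" for c in secret):
        return bytes.fromhex(secret)
    return derive_psk(secret, ssid)

def tables_transfer(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if a PSK computed for ssid_a is also valid for ssid_b, i.e.
    only when the SSIDs are identical. This is why a default SSID such as a
    vendor name is what makes pre-computed tables worthwhile."""
    return derive_psk(passphrase, ssid_a) == derive_psk(passphrase, ssid_b)

if __name__ == "__main__":
    print(derive_psk("password", "IEEE").hex())
    print(tables_transfer("correct horse battery", "linksys", "linksys"))
    print(tables_transfer("correct horse battery", "linksys", "ak-home-7f3"))
```

The 4096 iterations were chosen so that every guess costs the attacker 8192 SHA-1 operations; that cost, not secrecy of the SSID, is what a long, uncommon passphrase leans on, and a 64-hex-digit PSK removes the passphrase from the picture altogether.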


WPA Cracking Example

[Figure: screenshot of a WPA-PSK cracking session]

WEP vs WPA vs WPA2

                   WEP                     WPA                       WPA2
ENCRYPTION         RC4                     RC4                       AES
KEY ROTATION       None                    Dynamic session keys      Dynamic session keys
KEY DISTRIBUTION   Manually typed into     Automatic distribution    Automatic distribution
                   each device             available                 available
AUTHENTICATION     Uses WEP key as         Can use 802.1x & EAP      Can use 802.1x & EAP
                   authentication

Procedures to improve wireless security

- Use a wireless intrusion prevention system (WIPS)
- Enable WPA-PSK
- Use a good passphrase (https://grc.com/password)
- Use WPA2 where possible
- AES is more secure; use TKIP for better performance
- Change your SSID every so often
- Wireless network users should use or upgrade their network to the latest security standard released


Wireless Network tools

MAC Spoofing
- http://aspoof.sourceforge.net/
- http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp
- http://www.klcconsulting.net/smac/

WEP Cracking tools
- http://www.backtrack-linux.org/
- http://www.remote-exploit.org/articles/backtrack/index.html
- http://wepattack.sourceforge.net/
- http://wepcrack.sourceforge.net/

Wireless Analysers
- http://www.kismetwireless.net/
- http://www.netstumbler.com/





Questions

Q1) Given the cipher-text 11010110 and the plaintext 00110101, compute the keystream.

A1)
    cipher-text: 1 1 0 1 0 1 1 0
    plain-text:  0 0 1 1 0 1 0 1
    keystream:   1 1 1 0 0 0 1 1

    Encrypting: plain-text ⊕ keystream = cipher-text
    Decrypting: cipher-text ⊕ keystream = plain-text

Questions (Cont’d)

Q2) Why is the SSID hiding or disabling technique not 100% effective?

A2) The beacon broadcasting cannot be turned off, and hackers can still detect the SSID by sniffing different messages using hacking tools.







Questions (Cont’d)

Q3) List 4 WEP vulnerabilities

A3)
1. The Initialization Vector (IV) is too small
2. The Integrity Check Value (ICV) algorithm is not appropriate
3. WEP’s use of RC4 is weak
4. Authentication messages can be easily forged



REFERENCES

1. Hytnen, R., and Garcia, M. An Analysis of Wireless Security. 2006
2. Whalen, S. Analysis of WEP and RC4 Algorithms. March 2002
3. http://en.wikipedia.org/wiki/IEEE_802.1X
4. Wireless LAN Medium Access Control and Physical Layer Specifications. IEEE Std 802.11. June 2007
5. http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
6. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard



Thank You!

Questions?
