WIFI
Beth Sicker
David Farley
Katie Delgado
What we’ll cover
• WIFI background
• WIFI security - today
• The future of WIFI
WIFI
• Definition: Wi-Fi (now known as wireless
fidelity) is a wireless technology brand owned
by the Wi-Fi Alliance intended to improve the
interoperability of wireless local area network
products based on the IEEE 802.11
standards.
How does a wireless network
work?
• A wireless network uses radio waves to
communicate.
• A computer’s wireless adapter
translates data into a radio signal and
transmits that to a wireless router, which
receives and decodes it. Then the
router sends the message to the
Internet using an Ethernet connection.
Basic info
• 1985 FCC decided to open up several
bands of wireless spectrum for general
use (no government license required)
• 1990 decided a standard was needed
• 1997 was when the new standard was
published
The OSI Model
• Open Systems Interconnection
Reference Model is a description for a
common set of rules used to exchange
data across networks:
– Format
– Speed
– Errors
– Data loss
• Layers: Application, Presentation,
Session, Transport, Network, Data Link,
Physical
What makes WIFI different from
radio communication?
• Wireless LAN communications are
transmitted at frequencies of 2.4, 3.6
and 5 GHz.
• These frequencies are higher than the
frequencies used for mobile phones,
walkie-talkies and televisions.
• This allows the signal to carry more
data.
The flavors of 802.11
• 802.11a - 5 GHz, 54 Mbit/s, OFDM
• 802.11b - slowest, 2.4 GHz, 11 Mbit/s
• 802.11g - 2.4 GHz, 54 Mbit/s, OFDM
• 802.11n - newest, 140 Mbit/s (draft)
How to increase throughput
• MIMO (smart antenna)
• SDM - spatial division multiplexing
802.11 Security
• Background on 802.11 Security
• MAC Filtering
• WEP
• 802.11i and WPA / WPA2
Background on 802.11 Security
• Security implications for WIFI
• History of 802.11 Security
Security implications for WIFI
• Over the Air Transmission
– Any and all transmitted data is sent in full
view of the public
– All data can be intercepted without detection
– Data is not authenticated – easily spoofed
– This is the driving reason a separate security
scheme was needed
History of 802.11 Security
• 1997 - Wired Equivalent Privacy (WEP)
built into 802.11-1997 standard
• 2001 – 802.1x Authentication Standard
Approved
• 2003 – WPA Implemented as Draft
Version of 802.11i Specification
• 2004 – 802.11i Specification Ratified
– WPA2 as its implementation
MAC Filtering
• Though WEP was part of the original 802.11-
1997 specification, some vendors didn’t initially
implement it.
• Implementing a MAC Address based whitelist
was easier than implementing WEP security
Schemes.
• This was obviously insecure.
– Spoofing a MAC address is a trivial task
– This did nothing for confidentiality, snooping was easy
Wired Equivalent Privacy
• WEP utilizes the stream cipher RC4 for
confidentiality and CRC-32 for integrity
between an access point and a client.
• As the name implies, the idea was to
provide the same level of security inherent
to wired networks on wireless networks.
WEP Authentication
• Client sends authentication request
• AP sends challenge text
• Client sends challenge text encrypted with
the client's WEP key
• AP authenticates client
WEP Encryption
WEP Decryption
WEP Vulnerabilities
• IV only 20 bits
– Ensures keystream reuse
• Network password used to encrypt data
rather than negotiating for a session key
– Any authenticated user can eavesdrop on any
other user
• Key and IV used without hashing allows
for key-recovery attacks
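The following is an added example, not part of the original slides: a minimal WEP-style frame construction using the two algorithms the deck names (RC4 for confidentiality, CRC-32 as the ICV, with the IV prepended to the key as the RC4 seed), plus a check that shows why IV reuse destroys confidentiality. The key, IV and payloads are constructed values; the 3-byte IV width and the little-endian ICV are assumptions of this example.

```python
import struct
import zlib
from typing import Optional

# Constructed demo values for this example (not a real network key).
WEP_KEY = bytes.fromhex("0123456789")  # 40-bit WEP key, hypothetical
IV_LEN = 3                              # IV prepended to the key (assumed 3 bytes)


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream (KSA + PRGA) for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext (unkeyed)."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP builds it: IV || (plaintext || ICV) XOR RC4(IV || key).
    The network key itself seeds the cipher; no per-session key is negotiated."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Recover the plaintext; return None when the ICV does not verify."""
    iv, ct = frame[:IV_LEN], frame[IV_LEN:]
    body = xor(ct, rc4(iv + key, len(ct)))
    plaintext, received_icv = body[:-4], body[-4:]
    if received_icv != icv(plaintext):
        return None
    return plaintext


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """What a passive listener learns from two frames carrying the same IV,
    without the key: both were XORed with the same keystream, so XORing the
    ciphertexts cancels it and leaves plaintext1 XOR plaintext2.
    Returns None when the IVs differ (no reuse to exploit)."""
    if frame1[:IV_LEN] != frame2[:IV_LEN]:
        return None
    c1, c2 = frame1[IV_LEN:], frame2[IV_LEN:]
    n = min(len(c1), len(c2))
    return xor(c1[:n], c2[:n])


if __name__ == "__main__":
    iv = b"\x01\x02\x03"
    f1 = wep_encrypt(WEP_KEY, iv, b"client payload A")
    f2 = wep_encrypt(WEP_KEY, iv, b"client payload B")
    print("decrypts to:", wep_decrypt(WEP_KEY, f1))
    print("p1 XOR p2 visible from IV reuse:", keystream_reuse_leak(f1, f2).hex())
```

With a small IV space every busy network repeats IVs quickly, which is exactly the situation `keystream_reuse_leak` models; the unkeyed CRC-32 ICV still verifies on both frames, so nothing in the protocol flags the reuse.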
Breaking WEP
• Aircrack-ng
– Capture IVs transmitted in plaintext
• More IVs needed for larger keys
– Optionally, spoof messages to generate
extra IVs for capture
– Aircrack-ng
• Uses a combination of statistics and brute
force to crack the secret key
– Very fast
WEP Improvements
• Newer versions of WEP were developed,
but suffer from most of the same flaws as
the original
– WEP2 – 128 bit IV
– This only increases the number of IVs to
capture for the preceding attack
802.11i
• The shortcomings of WEP made it clear a
replacement was needed – 802.11i
• Two implementations by the WIFI Alliance
– WPA – a bridge between WEP and 802.11
– WPA2
Authentication
• Pre-Shared Key
• 802.1x – uses external authentication
server
– Extensible Authentication Protocol (EAP)
WPA
• This was created to replace the flawed
WEP
• This was instituted before 802.11 was
standardized BUT was designed to be
compatible with the draft version
• A bridge between WEP and WPA2
– WEP hardware supported with firmware
updates
WPA Encryption
• Temporal Key Integrity Protocol
– Designed to maintain compatibility with WEP
hardware
– Also uses RC4 for encryption
• Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol
(CCMP)
– AES based
– Optional under WPA
TKIP
• Wrapper around WEP encryption
• Differences
– IV is not simply pre-pended to the secret key
(bypasses IV-based key attack)
– Utilizes a counter to prevent replay attacks
– Replaced CRC with 64 bit integrity check
(Michael)
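As an added example (not code from the slides or from any TKIP implementation), the receiver-side logic behind the first two differences listed above: the per-packet key is derived from the temporal key, the transmitter address and a sequence counter instead of being a raw IV || key, and a frame is accepted only when its counter is strictly greater than the last one seen from that transmitter. The mixing function here is a hypothetical SHA-256 construction standing in for TKIP's real key mixing, and the header layout, key and addresses are constructed for the example.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed demo values for this example (not real keys or addresses).
TEMPORAL_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit TK
TA = bytes.fromhex("02aabbccddee")                                  # transmitter MAC


def per_packet_key(tk: bytes, ta: bytes, tsc: int) -> bytes:
    """Stand-in for TKIP key mixing: derive a per-packet RC4 key from the
    temporal key, transmitter address and 48-bit TKIP sequence counter (TSC),
    so the raw key is never concatenated with a public IV as in WEP.
    (Hypothetical SHA-256 construction, not TKIP's two-phase mixing function.)"""
    return hashlib.sha256(tk + ta + tsc.to_bytes(6, "big")).digest()[:16]


def build_header(ta: bytes, tsc: int) -> bytes:
    """Per-frame header for this example: transmitter address || 48-bit TSC."""
    return ta + tsc.to_bytes(6, "big")


def parse_header(header: bytes) -> Tuple[bytes, int]:
    return header[:6], int.from_bytes(header[6:12], "big")


class TkipReceiver:
    """Receiver state: the last accepted TSC per transmitter. A frame whose
    TSC is not strictly increasing is a replay or a stale reorder and is
    dropped before any decryption happens."""

    def __init__(self, tk: bytes) -> None:
        self.tk = tk
        self.last_tsc: Dict[bytes, int] = {}
        self.replays_dropped = 0

    def accept(self, header: bytes) -> Optional[bytes]:
        """Return the per-packet key for an accepted frame, or None to drop it."""
        ta, tsc = parse_header(header)
        if tsc <= self.last_tsc.get(ta, -1):
            self.replays_dropped += 1      # replayed or out-of-order counter
            return None
        self.last_tsc[ta] = tsc
        return per_packet_key(self.tk, ta, tsc)


if __name__ == "__main__":
    rx = TkipReceiver(TEMPORAL_KEY)
    for tsc in (1, 2, 2, 1, 9):
        key = rx.accept(build_header(TA, tsc))
        print("TSC", tsc, "->", "accepted, key " + key.hex() if key else "dropped")
```

Two consequences are visible when this runs: consecutive frames get unrelated keys even though they share the temporal key, and re-sending a captured frame (same TSC) is rejected without the receiver needing to inspect its contents.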
WPA 2
• 802.11i implementation
• The primary difference between WPA and
WPA 2 is the mandatory implementation of
CCMP
• TKIP is optionally supported
CCMP
• Based on AES
– Unlike RC4, AES is a block cipher
• Integrity and Confidentiality both covered by
CCMP
– 128 bit keysize
– 128 bit block size
Future of 802.11
802.11n - MIMO
• multiple-input multiple-output (MIMO)
• A technique for boosting wireless
bandwidth and range by taking
advantage of multiplexing.
• Release date - Jan 2010 (speculated)
• Op. Frequency - 5 GHz and/or 2.4 GHz
• Throughput (Typ) - 108 Mbit/s
• Net bit rate (Max) - 600 Mbit/s
• Range (Indoor) - up to ~300 m
MIMO-assisted channel-based
authentication scheme
• The use of multiple receive antennas
improves the detection of spoofing attacks.
• Distinguish channel responses of different
paths to enhance authentication.
• L. Xiao, L. Greenstein, N. Mandayam, W. Trappe,
WINLAB, Dept. ECE, Rutgers University
Eve Tries to Spoof Alice
Security Gains - MIMO
• Eve must use the same number of
transmit antennas to spoof Alice
• If she doesn’t have the same number of
Transmit Antennas or guesses the
wrong amount, Bob will be able to
determine that and know she is not
Alice.
Detecting Response from
Channel
• Bob can determine that the message is sent
from Alice
• “Fingerprints in the Ether:”
– In typical indoor environments, the
wireless channel decorrelates rapidly
in space
– The channel response is hard to
predict and to spoof
802.11w
• IEEE 802.11w is a proposed
amendment to the IEEE 802.11
standard to increase the security of its
management frames.
• 802.11i covers security of the data, but
not the management frames.
Why do we care about
management frames?
• Handshake frames for connection.
• Network related information and handoff
related information flows on the
management frames.
• Denial of Service attacks concentrate
on management frames and use the
connection information.
Management Frames Tasks
• Client-to-access point (AP) association and
disassociation requests.
• AP-generated de-authentication frames
indicating that a client is no longer valid and
resulting in it being kicked off the network.
• Probe responses.
Attacks on Management
Frames
• Hacker can pretend to be an AP
– send disassociation requests to clients that deny
service to the user.
– Once the client is disconnected, the malicious
system might watch and see if it tries to
reauthenticate.
– If weak Wi-Fi security, such as Wired Equivalent
Privacy (WEP), is in use, and the client does
attempt to reconnect, the malicious system might
grab authentication credentials during this
process.
Cisco Solution
• Management Frame Protection (MFP)
• Cisco WLAN systems insert a digital
signature into the management frame (a
field with an encrypted hash), such that
only a legitimate AP can create it.
• A legitimate receiver will have the ability
to validate the signature.
Management Frames after 802.11w
• Will have a reason code
• An 18-byte Information Element will be
added, encrypted with the IGTK
(Integrity Group Temporal Key)
• 4 way handshake to authenticate AP
and user.
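To make the management-frame protection described in the last three slides concrete, here is an added example (not code from the slides, from Cisco or from any 802.11w implementation) of a deauthentication frame carrying a reason code, a packet number and a keyed integrity check under an IGTK, and of a client that either accepts any deauth (pre-802.11w behaviour) or drops frames whose check fails or whose packet number repeats. The frame layout, the HMAC-SHA256 check standing in for the standard's MIC, the IGTK and the reason codes are all constructed for this example; the management subtype values 12 (deauthentication) and 10 (disassociation) are the 802.11 ones.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo value for this example (not a real key).
IGTK = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # Integrity Group Temporal Key
MIC_LEN = 16
SUBTYPE_DISASSOC = 10   # 802.11 management frame subtypes
SUBTYPE_DEAUTH = 12

# Example frame layout (hypothetical, not the 802.11w wire format):
#   subtype(1) || reason_code(2, LE) || IPN(6, BE) || MIC(16)
HDR_LEN = 1 + 2 + 6


def mic(igtk: bytes, subtype: int, reason: int, ipn: int) -> bytes:
    """Keyed integrity check over the frame fields. Only a holder of the IGTK
    can compute it, which is the property that lets a client tell a real AP's
    deauth from a forged one. (HMAC-SHA256 here, a stand-in for the real MIC.)"""
    data = bytes([subtype]) + struct.pack("<H", reason) + ipn.to_bytes(6, "big")
    return hmac.new(igtk, data, hashlib.sha256).digest()[:MIC_LEN]


def build_protected(igtk: bytes, subtype: int, reason: int, ipn: int) -> bytes:
    """Frame as a legitimate AP would send it: fields plus MIC under the IGTK."""
    header = bytes([subtype]) + struct.pack("<H", reason) + ipn.to_bytes(6, "big")
    return header + mic(igtk, subtype, reason, ipn)


def build_unprotected(subtype: int, reason: int) -> bytes:
    """Legacy frame: subtype and reason code only, nothing to verify."""
    return bytes([subtype]) + struct.pack("<H", reason)


class Client:
    """A station receiving management frames. With mfp=False any deauth or
    disassoc disconnects it; with mfp=True it requires a valid MIC under the
    IGTK and a strictly increasing IPN (replay protection)."""

    def __init__(self, igtk: bytes, mfp: bool) -> None:
        self.igtk = igtk
        self.mfp = mfp
        self.connected = True
        self.last_ipn = -1
        self.last_reason: Optional[int] = None
        self.dropped = 0

    def handle(self, frame: bytes) -> str:
        subtype = frame[0]
        if subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return "ignored"
        reason = struct.unpack("<H", frame[1:3])[0]
        if self.mfp:
            if len(frame) < HDR_LEN + MIC_LEN:
                self.dropped += 1          # unprotected frame while MFP is required
                return "dropped"
            ipn = int.from_bytes(frame[3:HDR_LEN], "big")
            expected = mic(self.igtk, subtype, reason, ipn)
            received = frame[HDR_LEN:HDR_LEN + MIC_LEN]
            if not hmac.compare_digest(received, expected) or ipn <= self.last_ipn:
                self.dropped += 1          # forged MIC or replayed IPN
                return "dropped"
            self.last_ipn = ipn
        self.connected = False
        self.last_reason = reason
        return "disconnected"


if __name__ == "__main__":
    legacy, protected = Client(IGTK, mfp=False), Client(IGTK, mfp=True)
    forged = build_unprotected(SUBTYPE_DEAUTH, 7)   # sent by something that is not the AP
    print("legacy client on forged deauth:   ", legacy.handle(forged))
    print("802.11w client on forged deauth:  ", protected.handle(forged))
    print("802.11w client on real deauth:    ", protected.handle(build_protected(IGTK, SUBTYPE_DEAUTH, 3, 1)))
```

The `dropped` counter is the useful operational signal: a client or AP that sees a burst of management frames failing the check is observing exactly the spoofed-AP scenario the earlier slide describes, even though the frames no longer disconnect anyone.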
802.11w Conclusion
• 802.11w promises to patch security problems created by the
flow of new and detailed information over management frames.
• By protecting the contents of most frames from eavesdropping,
and of certain crucial frames from forging, 802.11w will stop the
information leakage and reduce some basic DoS attacks.
• Control Frames and certain management frames will remain
unprotected so jamming attacks and physical attacks are still
possible.
• But... a little more secure.
Questions/Answers
• How did the OSI Model help standardize ?
– Format, Speed, Errors, Data loss
• Name one or more vulnerabilities in WEP
– small IV size all but guarantees keystream reuse
– the fact that the IV and key are passed into RC4 unaltered allows for key recovery attacks
• What are the advantages to WPA?
– it allows use of WEP-compliant equipment without the security failings of WEP
• What new security features does 802.11w promise?
– patch security problems
– stop the information leakage
– reduce some basic DoS attacks
• Can MIMO increase security?
– Yes, more antennae increase security