Wireless Security
802.11 With a focus on Security
by Brian Lee
Takehiro Takahashi
Survey (1)
Do you have wireless networking at
    If yes, I'm assuming that it is encrypted…
What is your security?
    Mac filtering
    I consider my home network as local wireless hotspot
Do you think your wireless network is
Brief Overview

Case Study
Current Wireless Technology Overview
  802.11 a/b/g
New Wireless Security Standard
  WPA2 - 802.11i

Exploi… (cough)
So….. Is wireless network secure?

Umm… kind of?
Why is it not secure?
How insecure is it?
  Some misunderstanding…
How can we make it secure?
An exercise in wireless insecurity

Tools used:
  Laptop w/ 802.11a/b/g card
  Aircrack (or any WEP cracking tool)
  the car of your choice
Step 1: Find networks to attack

An attacker would first use Netstumbler to
 drive around and map out active wireless
Using Netstumbler, the attacker locates a
 strong signal on the target WLAN
Netstumbler not only has the ability to
 monitor all active networks in the area, but
 it also integrates with a GPS to map APs
Step 2: Choose the network to attack

At this point, the attacker has chosen his
 target; most likely a business
Netstumbler can tell you whether or not
 the network is encrypted
Also, start Ethereal to look for additional
                This time…….
     Your target is GTwireless
Step 3: Analyzing the Network
WLAN has no broadcasted SSID
Netstumbler tells me that SSID is
Multiple access points
Many active users
Open authentication method
WLAN is encrypted with 40bit WEP
WLAN is not using 802.1X (web-auth)
Step 4: Cracking the WEP key

Attacker sets NIC drivers to Monitor Mode
Begins capturing packets with Airodump
Airodump quickly lists the available
 network with SSID and starts capturing
After a few hours of airodump session,
 launch aircrack to start cracking!
WEP key for GTwireless is revealed!
Step 5: Sniffing the network

Once the WEP key is cracked and the NIC
 is configured appropriately, the attacker is
 assigned an IP, and can access the WLAN
However, a secure proxy with an SSL
 enabled web based login prevents access
 to the rest of network and the Internet
Attacker begins listening to traffic with
Step 6: Sniffing continued…
Sniffing a WLAN is very fruitful because
 everyone on the WLAN is a peer,
 therefore you can sniff every wireless
Listening to connections with plain text
 protocols (in this case FTP and Telnet) to
 servers on the wired LAN yielded 2 usable
 logins within 1.5hrs
What was accomplished?

Complete access to the WLAN
Complete access to the wired LAN
Complete access to the internet
Access to servers on the wired LAN using
 the sniffed accounts
Some anonymity. Usage of Netstumbler
 and other network probing devices can be
 detected. Skip that step if possible.
Other possibilities
 Instead of sniffing a valid login, the attacker
  could have exploited a known vulnerability in the
  proxy (provided there is one)
 Attacker could have hijacked a valid user's
  session using a DoS attack against the user,
  and then assuming his MAC address and IP
 Both ways present a greater risk for being
  noticed, something an attacker does not want
That's it… the network is compromised

Most wireless networks remain no more
 secure than this, many are less secure
Hundreds of businesses, schools, airports,
 and residences use wireless technology
 as a major point of access to their
Basic 802.11b Overview

802.11b was IEEE approved in 1999
Infrastructure Mode or Ad Hoc
Utilizes 2.4GHz band on 15 different
 channels (only 11 in US)
11Mbps shared among all users on
 access point
Basic 802.11g Overview
Faster than 802.11b (54Mbps)
Backward compatibility
Same interference problem as 802.11b

Future work…
Over 100Mbps actual throughput…??
Backward compatibility with a/b
Still trying to come up with the first draft…
802.11 Built in Security Features

Service Set Identifier (SSID)
Differentiates one access point from
SSID is cast in 'beacon frames' every few
Beacon frames are in plain text!
First layer of security
Stealth Mode – probe request
Dos and Don'ts for SSIDs
Default SSIDs are well known (Linksys
 APs default to linksys, CISCO defaults to
 tsunami, etc) so change them immediately.
Do change the settings on your AP so that
 it does not broadcast the SSID in the
 beacon frame.
Hiding the SSID

As stated earlier, the SSID is by default
 broadcast every few seconds.
Turning it off makes it harder to figure out
 a wireless connection is there
Reading raw packets will reveal the SSID
 since even when using WEP, the SSID is
 in plain text
Increases deployment difficulty
MAC address filtering
MAC address filtering works by only
 allowing specific hardware to connect to
 the AP
Management on large networks unfeasible
Using a packet sniffer, one can very easily
 find a valid MAC address and modify their
 OS to use it, even if the data is encrypted
May be good for small networks
Prevents casual hacking.
Associating with the AP
Access points have two ways of initiating
 communication with a client
Shared Key or Open Key authentication
Open key allows anyone to start a
 conversation with the AP
Shared Key is supposed to add an extra
 layer of security by requiring
 authentication info as soon as one
How Shared Key Auth. works

Client begins by sending an association
 request to the AP
AP responds with a challenge text
Client, using the proper WEP key,
 encrypts text and sends it back to the AP
If properly encrypted, AP allows
 communication with the client
Is Open or Shared Key more secure?

Ironically enough, Open key is the answer
 in short
Using passive sniffing, one can gather 2 of
 the three variables needed in Shared Key
 authentication: challenge text and the
 encrypted challenge text
Wired Equivalent Privacy (WEP)

Primary built-in security for 802.11
Provides “Confidentiality” and “Integrity”.
“Authentication”?
Uses 40/104-bit RC4 encryption + CRC-32
Unfortunately, the usage of RC4 in WEP
 has been proven insecure
WEP Encryption
64/40 and 128/104 bits confusion

IV (24bits)
Your WEP key:
  5-ASCII char word = 40bits
  13-ASCII char word = 104bits

Security-wise, it's really 40 bits or 104 bits
Problems with WEP
 1 static key
     No encryption is strong if one key is used forever
 Key length is short for default settings (40 bits)
     Brute forcing is possible
 Using CRC32 in ICV
     Bit flipping attack: CRC(M XOR delta) = CRC(M) XOR CRC(delta)
     bits cannot be set or cleared, but could be flipped
 No specification on key distribution
     Lacks scalability
 No protection against replay attack
 Improper RC4 implementation
     Protocol doesn't actually specify the IV's use
     2 existing attacks
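The bit-flipping item above rests on CRC-32 being linear. The following Python, added here as an illustration and not code from the deck, builds a WEP-style frame (payload plus CRC-32 ICV, XORed with a keystream) and shows the property directly: changing bits in the encrypted payload and XORing the matching correction into the encrypted ICV yields a frame the receiver accepts, with neither the keystream nor the plaintext known. Beside it, the same stream cipher with a keyed tag rejects the same change. Assumptions: the keystream is random bytes standing in for RC4 output; HMAC-SHA256 stands in for a keyed MIC (TKIP's Michael and CCMP's CBC-MAC are different constructions, the point is only that the tag depends on a secret key); frame contents and keys are constructed. For the standard CRC-32, which has an initial and a final XOR, the exact identity is CRC(M XOR delta) = CRC(M) XOR CRC(delta) XOR CRC(zeros of the same length), and that is the form the code uses.

```python
"""Why WEP's CRC-32 ICV gives no integrity under a stream cipher, and what a
keyed integrity check changes.  Added example, not code from the deck: the
keystream is random bytes standing in for RC4 output and HMAC-SHA256 stands
in for a keyed MIC (Michael and CCMP are different algorithms)."""
import hashlib
import hmac
import os
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_bytes(data: bytes) -> bytes:
    # WEP appends the 32-bit ICV little-endian after the payload.
    return zlib.crc32(data).to_bytes(4, "little")


def crc32_linearity_holds(m: bytes, delta: bytes) -> bool:
    """Standard CRC-32 (init 0xFFFFFFFF, final XOR) is affine, so for equal
    lengths CRC(M ^ delta) == CRC(M) ^ CRC(delta) ^ CRC(zeros of that length)."""
    zeros = bytes(len(m))
    lhs = zlib.crc32(xor(m, delta))
    rhs = zlib.crc32(m) ^ zlib.crc32(delta) ^ zlib.crc32(zeros)
    return lhs == rhs


def wep_style_protect(plaintext: bytes, keystream: bytes) -> bytes:
    """ciphertext = keystream XOR (plaintext || CRC32(plaintext))."""
    return xor(plaintext + crc32_bytes(plaintext), keystream)


def wep_style_verify(ciphertext: bytes, keystream: bytes):
    """Decrypt, split off the 4-byte ICV and recompute it."""
    body = xor(ciphertext, keystream)
    msg, icv = body[:-4], body[-4:]
    return crc32_bytes(msg) == icv, msg


def flip_bits_keeping_icv_valid(ciphertext: bytes, delta: bytes) -> bytes:
    """Apply the linearity above: XOR delta into the encrypted payload and the
    matching correction into the encrypted ICV.  Neither the plaintext nor the
    keystream is needed, which is exactly why a linear ICV is not a MAC."""
    n = len(ciphertext) - 4
    icv_delta = xor(crc32_bytes(delta), crc32_bytes(bytes(n)))
    return xor(ciphertext, delta + icv_delta)


def mic_protect(plaintext: bytes, keystream: bytes, mic_key: bytes) -> bytes:
    """Same stream cipher, but the trailer is an 8-byte keyed tag."""
    tag = hmac.new(mic_key, plaintext, hashlib.sha256).digest()[:8]
    return xor(plaintext + tag, keystream)


def mic_verify(ciphertext: bytes, keystream: bytes, mic_key: bytes):
    body = xor(ciphertext, keystream)
    msg, tag = body[:-8], body[-8:]
    expected = hmac.new(mic_key, msg, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(tag, expected), msg


def demo() -> dict:
    """Constructed frame: a 21-byte payload; the same bit flips turn PUT into GET."""
    msg = b"PUT /files/report.txt"
    delta = bytes([ord("P") ^ ord("G"), ord("U") ^ ord("E"), 0]) + bytes(len(msg) - 3)
    keystream = os.urandom(len(msg) + 8)   # stand-in for RC4 output
    mic_key = os.urandom(16)                # constructed MIC key

    forged = flip_bits_keeping_icv_valid(wep_style_protect(msg, keystream), delta)
    crc_ok, crc_msg = wep_style_verify(forged, keystream)

    # Against the keyed tag the same payload flips leave a tag that no longer matches.
    tampered = xor(mic_protect(msg, keystream, mic_key), delta + bytes(8))
    mic_ok, _ = mic_verify(tampered, keystream, mic_key)

    return {"crc_forgery_accepted": crc_ok, "forged_plaintext": crc_msg,
            "mic_forgery_accepted": mic_ok}


if __name__ == "__main__":
    print(demo())
```

The receiver's CRC check passes on the altered frame because the ICV was corrected with nothing but public arithmetic; the keyed tag fails because recomputing it requires the key. This is the gap that TKIP's Michael MIC and CCMP's CBC-MAC were introduced to close.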
Numerical Limitation Attack

IVs are only 24 bits, and thus there are only
 16,777,216 possible IVs
A busy network will repeat IV‟s often
FMS Attack -- weak IV attack --
 Some IVs do not work well with RC4
 Using a formula, one can take these weak IVs
  and infer parts of the WEP key
  5% chance of guessing correctly
 Once again, passively monitoring the network for
  a few hours can be enough time to gather
  enough weak IVs to figure out the WEP key
 ~7M packets to decrypt a 40-bit WEP key
 The time needed to deploy the attack is linearly
  proportional to the key length
  A 104-bit key is just as useless as a 40-bit key
Is RC4 really vulnerable?

There are a few flaws but it is still
 considered safe.
WEP did not use RC4 properly.
Another Attack - KoreK
 Vendors have implemented a 'hack'
 Another statistical analysis based attack on
  WEP key
 Extremely fast
 Possible with as little as 0.1M IVs…
  Traditional method requires more than 4M packets
 Accelerate it with packet injection - ARP

Fast swapping of WEP key is no longer safe
Conclusion: WEP
  FMS attack
  KoreK attack
  Bit-flipping attack
Attacks are passive and difficult to detect

       NO MORE WEP

Wired Equivalent Privacy
Well... more like
What on Earth does it Protect?
Virtual Private Networking (VPN)

Deploying a secure VPN over a wireless
 network can greatly increase the security
 of your data
Idea behind this is to treat the wireless
 network the same as an insecure wired
 network (the internet).
VPN is really not the greatest option….

Susceptible to any attack against the
 specific VPN

      Bottom Line: Not practical
Finally…. Some Solutions!
 802.1x (Authentication)
   per-user authentication
   Key distribution mechanism
 WPA (Confidentiality, Integrity)
   Subset of 802.11i
   2 forms
      802.1x + EAP + TKIP + MIC
      Pre-shared Key + TKIP + MIC
 WPA2 – 802.11i
   WPA2 is the implementation of 802.11i
   Usage of AES + CCMP



802.1X is a port-based, layer 2 (MAC
 address layer) authentication framework
 on IEEE 802 networks.
Not limited or specific to 802.11 networks
Uses EAP for implementation
802.1X is not an alternative to WEP, it
 works along with the 802.11 protocol to
 manage authentication for WLAN clients
How authentication takes place

A client requests access to the AP
The AP asks for a set of credentials
The client sends the credentials to the AP
 which forwards them to authenticating
The exact method for supplying
 credentials is not defined in 802.1X itself
802.1x authentication
Extensible Authentication Protocol (EAP)

802.1X utilizes EAP for its authentication
Flexible: one time passwords, certificates,
 smartcards, own EAP protocol, etc
zero per packet overhead
cost efficient
  802.1X integrates well with other open
   standards such as RADIUS
  RADIUS is the de facto standard
more benefits of choosing 802.1X…
 Software upgrade
  Access points only need a firmware upgrade to enable
  On the client side, 802.1X can be enabled with an
   updated driver for the NIC
 Depending on the EAP you choose, you can
  have a very secure authentication scheme!
 Proprietary versions of dynamic key
  management available


EAP-MD5 is a simple EAP implementation
Uses an MD5 hash of a username and
 password that is sent to the RADIUS
Authenticates only one way
Man in the middle attack
Bottom line: Not recommended
EAP-LEAP (Cisco Wireless)
 Like EAP-MD5, it uses a Login/Password
  scheme that it sends to the RADIUS server
 Each user gets a dynamically generated one
  time key upon login
 Authenticates client to AP and vice versa
 Can be used along with RADIUS session time
  out feature, to dynamically generate keys at set
 Only guaranteed to work with Cisco wireless
 Broken – ASLEAP by Joshua Wright
EAP-TLS by Microsoft
 Instead of a username/password scheme, EAP-
  TLS uses certificate based authentication
 Has dynamic one time key generation
 Two way authentication
 Uses TLS (Transport Layer Security) to pass the
  PKI (Public Key Infrastructure) information to
  RADIUS server
 Compatible with many OSes
 Harder to implement and deploy because a PKI for
  clients is also required
PEAP by Microsoft and Cisco
 A more elegant solution!
 Very similar to EAP-TLS except that the client
  does not have to authenticate itself with the
  server using a certificate, instead it can use a
  login/password based scheme
 Much easier to set up, does not necessarily
  require a PKI
 Currently works natively with Windows XP SP1,
  but other platforms should support it soon
EAP Types
TYPE    Open/proprietary   Mutual auth   Client        Authenticator   Username in clear text
MD5     Open               No            User/pass     None            Yes
TLS     Open               Yes           Certificate   Certificate     Yes
TTLS    Open               Yes           User/pass     Certificate     No
PEAP    Open               Yes           User/pass     Certificate     No
LEAP    Proprietary        Yes           User/pass     None            Yes
802.1x is not perfect…

802.1X is vulnerable to many kinds of
 DoS attacks
  Spoofed packets
  Disassociation attack
Some EAPs are subject to man in the
 middle attacks.
WPA (Wi-Fi Protected Access)

Subset of 802.11i
  Fixes the flawed encryption mechanism
  TKIP: Per-packet dynamic key mechanism
  Software / Firmware Upgrade
WPA Steps

Confirmation of association capability
PMK creation (through 802.1x)
4-way handshake and PTK installation
GK installation
Encryption using TKIP
  802.1x Authentication + PMK

Security level can be selected
PMK is a seed for temporal key generation
 in the next phase
PMK is generated based on the user
 authentication result
802.1x Authentication (recap)
4 Way Handshake and PTK

PTK (512 bits) is split four ways
Part of PTK is used to generate the
 encryption key (WEP equivalent) in the
 next phase
TKIP (Temporal Key Integrity Protocol)

Expands IV space (24 → 48 bits)
IV sequence is specified
Per-packet Mixing Function
  Very cheap integrity checker for MAC
   addresses and data
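To put numbers on the 24-bit IV limitation described earlier and on TKIP's move to 48 bits, here is an added Python example (not from the deck). It computes the time to exhaust the IV space at a given packet rate and, for IVs picked at random (the original standard left IV selection to the vendor, as the slides note), the birthday-bound probability of a repeated IV after n packets. The packet rate of 500 frames per second is a constructed round number, not a measurement.

```python
"""How fast a 24-bit IV space is used up, and what TKIP's 48-bit sequence
counter buys.  Added example, not from the deck; packet rates are constructed
round numbers."""
import math

SECONDS_PER_YEAR = 365 * 86400


def seconds_to_exhaust(iv_bits: int, packets_per_second: float) -> float:
    """Time until a strictly sequential IV counter wraps (no repeat before that)."""
    return 2 ** iv_bits / packets_per_second


def collision_probability(iv_bits: int, packets: int) -> float:
    """Birthday bound for IVs chosen uniformly at random:
    P(repeat) = 1 - prod_{i<n} (1 - i/N).  Summed in log space to avoid underflow."""
    n_space = 2 ** iv_bits
    log_no_repeat = sum(math.log1p(-i / n_space) for i in range(packets))
    return 1.0 - math.exp(log_no_repeat)


def packets_for_probability(iv_bits: int, p: float) -> float:
    """Invert the usual approximation P ~ 1 - exp(-n^2 / 2N): n ~ sqrt(2N ln(1/(1-p)))."""
    return math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p)))


def compare(packets_per_second: float = 500.0) -> dict:
    """Side-by-side figures: WEP with random 24-bit IVs versus TKIP's 48-bit counter."""
    return {
        "wep_hours_to_exhaust": seconds_to_exhaust(24, packets_per_second) / 3600,
        "wep_packets_for_50pct_repeat": packets_for_probability(24, 0.5),
        "wep_repeat_prob_after_5000": collision_probability(24, 5000),
        "tkip_years_to_wrap": seconds_to_exhaust(48, packets_per_second) / SECONDS_PER_YEAR,
        "tkip_repeat_prob_after_5000_if_random": collision_probability(48, 5000),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.4g}")
```

At 500 frames per second a 24-bit counter wraps in under ten hours, and with random IVs a repeat is more likely than not after roughly 5,000 frames, which is what makes the "busy network" remark concrete. A 48-bit counter at the same rate does not wrap for thousands of years, and because TKIP mandates sequential use there is no birthday problem to speak of.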

For home / SOHO use
Removes 802.1x authentication
Pre-shared Key + TKIP
Weak against passive dictionary attack
Attacks exist - brute force
Still much better than WEP
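The PSK mode above replaces 802.1X with a passphrase, and the 4-way handshake slides describe splitting a 512-bit PTK. As an added example (not code from the deck), the following Python derives the PMK from passphrase and SSID the way WPA-PSK specifies it (PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits) and then the TKIP PTK with the 802.11i PRF over both MAC addresses and both handshake nonces. The MAC addresses and nonces are constructed; the passphrase/SSID pair "password"/"IEEE" is the published 802.11i test-vector input. Each PBKDF2 evaluation is also the cost of one guess in the offline dictionary attack the slide mentions, which is why passphrase strength, rather than the protocol, decides the security of PSK mode.

```python
"""WPA-PSK key hierarchy, as an added example (not code from the deck):
PMK from passphrase and SSID with PBKDF2, then the 512-bit TKIP PTK from the
4-way handshake nonces with the 802.11i PRF.  MAC addresses and nonces below
are constructed values."""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    Every dictionary guess has to pay these 4096 iterations, and nothing else in
    the handshake is secret, so the passphrase carries all the weight."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbits."""
    out = b""
    counter = 0
    while len(out) * 8 < nbits:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[: nbits // 8]


def derive_ptk_tkip(pmk: bytes, aa: bytes, spa: bytes,
                    anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Both peers sort the inputs, so either side derives the same PTK.  TKIP splits it
    into KCK (protects the handshake messages), KEK (wraps the group key), TK (input to
    the per-packet key mixing) and two 64-bit Michael MIC keys, one per direction."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC_KEY_1": ptk[48:56], "MIC_KEY_2": ptk[56:64]}


def demo() -> dict:
    # Constructed addresses and nonces; in a real handshake the nonces are fresh random values.
    aa = bytes.fromhex("02a1b2c3d4e5")     # authenticator (AP) MAC, constructed
    spa = bytes.fromhex("025f4e3d2c1b")    # supplicant (client) MAC, constructed
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    pmk = derive_pmk("password", "IEEE")   # IEEE 802.11i Annex H test-vector inputs
    ptk = derive_ptk_tkip(pmk, aa, spa, anonce, snonce)
    ptk_from_other_side = derive_ptk_tkip(pmk, spa, aa, snonce, anonce)
    return {"pmk_hex": pmk.hex(), "ptk": ptk,
            "same_from_either_side": ptk == ptk_from_other_side}


if __name__ == "__main__":
    result = demo()
    print("PMK:", result["pmk_hex"])
    for name, key in result["ptk"].items():
        print(f"{name}: {key.hex()}")
```

Note that the SSID acts as the PBKDF2 salt, so the same passphrase gives a different PMK on a network with a different (or differently cased) SSID; this is also why leaving a default SSID in place helps precomputed dictionaries.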
WPA2 - 802.11i

The long-awaited security standard for
 wireless, ratified in June 2004
Better encryption: AES
Key-caching (optional)
Pre-authentication (optional)
Hardware manufactured before 2002 is
 likely to be unsupported: too weak

Skips re-entering of the user credential by
 storing the host information on the network

Pre-authentication (802.11i Specific)
Allows client to become authenticated with
 an AP before moving to it
Useful in encrypted VoIP over Wi-Fi
   Fast Roaming

For the time being, WPA will be good
Completely backward compatible
  Get WPA2 certified product for your next
Things to keep in mind while deploying WLAN

  Hide SSID
  Do NOT use WEP
  Use WPA-PSK with a good pass-phrase
  or Use WPA with 802.1x if possible
tinyPEAP (1)

A self contained PEAP enabled RADIUS
Currently available in Linksys
 WRT54G/GS router and Win32 binary
Native Windows XP SP1 support
Web-based user management
The easiest and the most secure solution
 available at the consumer level
tinyPEAP (2)
tinyPEAP (3)
Survey (2)

Ready to reconfigure your wireless
Links to the tools used:

Papers and Wireless Security Web Pages

 Weaknesses in the Key Scheduling Algorithm of
 The Unofficial 802.11 Security Web Page
 Wireless Security Blackpaper
 The IEEE 802.11 specifications (includes WEP
 Paper on detecting Netstumbler and similar
 Further reading on upcoming 802.11 variations
 Assorted 802.11 related crypto algorithms
  written in ANSI C

