"Cheap Certificate Frames - PowerPoint"
Wireless Security 802.11 With a focus on Security by Brian Lee Takehiro Takahashi Survey (1) Do you have wireless networking at home? If yes, I‟m assuming that it is encrypted…. What is your security? WEP WPA Mac filtering I consider my home network as local wireless hotspot Do you think your wireless network is secure? Brief Overview Case Study Current Wireless Technology Overview 802.11 a/b/g WEP New Wireless Security Standard 802.1x WPA WPA2 - 802.11i GOAL Realize the real problem set and the solution in wireless security. GOAL Realize the real problem set and the solution in wireless security. Exploi… (cough) So….. Is wireless network secure? Umm… kind of? Why is it not secure? How insecure is it? Some misunderstanding… How can we make it secure? An exercise in wireless insecurity Tools used: Laptop w/ 802.11a/b/g card GPS Netstumbler Aircrack (or any WEP cracking tool) Ethereal the car of your choice Step1: Find networks to attack An attacker would first use Netstumbler to drive around and map out active wireless networks Using Netstumbler, the attacker locates a strong signal on the target WLAN Netstumbler not only has the ability to monitor all active networks in the area, but it also integrates with a GPS to map AP‟s WarDriving Step 2: Choose the network to attack At this point, the attacker has chosen his target; most likely a business Netstumbler can tell you whether or not the network is encrypted Also, start Ethereal to look for additional information. This time……. Your target is GTwireless Step3: Analyzing the Network WLAN has no broadcasted SSID Netstubmler tells me that SSID is GTwireless Multiple access points Many active users Open authentication method WLAN is encrypted with 40bit WEP WLAN is not using 802.1X (WEB-auth) Step4: Cracking the WEP key Attacker sets NIC drivers to Monitor Mode Begins capturing packets with Airodump Airodump quickly lists the available network with SSID and starts capturing packets. After a few hours of airodump session, launch aircrack to start cracking! WEP key for GTwireless is revealed! Step5: Sniffing the network Once the WEP key is cracked and the NIC is configured appropriately, the attacker is assigned an IP, and can access the WLAN However, a secure proxy with an SSL enabled web based login prevents access to the rest of network and the Internet Attacker begins listening to traffic with Ethereal Step6: Sniffing continued… Sniffing a WLAN is very fruitful because everyone on the WLAN is a peer, therefore you can sniff every wireless client Listening to connections with plain text protocols (in this case FTP and Telnet) to servers on the wired LAN yielded 2 usable logins within 1.5hrs What was accomplished? Complete access to the WLAN Complete access to the wired LAN Complete access to the internet Access to servers on the wired LAN using the sniffed accounts Some anonymity. Usage of Netstumbler and other network probing devices can be detected. Skip that step if possible. Other possibilities Instead of sniffing a valid login, the attacker could have exploited a known vulnerability in the proxy (provided there is one) Attacker could have hijacked a valid user‟s session using a DOS attack against the user, and then assuming his MAC address and IP Both ways present a greater risk for being noticed, something an attacker does not want That‟s it…the network is compromised Most wireless networks remain no more secure than this, many are less secure Hundreds of business‟s, schools, airports, and residences use wireless technology as a major point of access to their networks Basic 802.11b Overview 802.11b was IEEE approved in 1999 Infrastructure Mode or Ad Hoc Utilizes 2.4GHz band on 15 different channels (only 11 in US) 11Mbps shared among all users on access point Cheap!!! Basic 802.11g Overview Faster than 802.11b (54Mbps) Backward compatibility Same interference problem with 802.11b Future work… 802.11n Over 100Mbps actual throughput…?? Backward compatibility with a/b Still trying to come up with the first draft… 802.11 Built in Security Features Service Set Identifier (SSID) Differentiates one access point from another SSID is cast in „beacon frames‟ every few seconds. Beacon frames are in plain text! First layer of security Stealth Mode – probe request Do‟s and Don'ts for SSID‟s Default SSID‟s are well known (Linksys AP‟s default to linksys, CISCO defaults to tsunami, etc) so change them immediately. Do change the settings on your AP so that it does not broadcast the SSID in the beacon frame. Hiding the SSID As stated earlier, the SSID is by default broadcast every few seconds. Turning it off makes it harder to figure out a wireless connection is there Reading raw packets will reveal the SSID since even when using WEP, the SSID is in plain text Increases deployment difficulty MAC address filtering MAC address filtering works by only allowing specific hardware to connect to the AP Management on large networks unfeasible Using a packet sniffer, one can very easily find a valid MAC address and modify their OS to use it, even if the data is encrypted May be good for small networks Prevents casual hacking.. Associating with the AP Access points have two ways of initiating communication with a client Shared Key or Open Key authentication Open key allows anyone to start a conversation with the AP Shared Key is supposed to add an extra layer of security by requiring authentication info as soon as one associates How Shared Key Auth. works Client begins by sending an association request to the AP AP responds with a challenge text (unencrypted) Client, using the proper WEP key, encrypts text and sends it back to the AP If properly encrypted, AP allows communication with the client Is Open or Shared Key more secure? Ironically enough, Open key is the answer in short Using passive sniffing, one can gather 2 of the three variables needed in Shared Key authentication: challenge text and the encrypted challenge text Wired Equivalent Protocol (WEP) Primary built-in security for 802.11 protocol Provides “Confidentiality”, and “Integrity”. “Authentication” ? Uses 40/104 bits RC4 encryption + CRC Unfortunately, the usage of RC4 in WEP has been proven insecure WEP Encryption 64/40 and 128/104 bits confusion IV (24bits) Your WEP key: 5-ASCII char word = 40bits 13-ASCII char word = 104bits Security-wise, it’s really 40bits or 104bits Problems with WEP 1 static key No encryption is strong if one key is used forever Key length is short for default settings(40bits) Brute forcing is possible Using CRC32 in ICV Bit flipping attack: CRC(msg XOR delta) = CRC(M) XOR CRC(delta) bits cannot be set or cleared, but could be flipped No specification on key distribution Lacks scalability No protection against replay attack Improper RC4 implementation Protocol doesn‟t actually specify IV‟s use 2 existing attacks Numerical Limitation Attack IV‟s are only 24bit, and thus there are only 16,777,216 possible IV‟s A busy network will repeat IV‟s often FMS Attack -- weak IV attack -- Some IV‟s do not work well with RC4 Using a formula, one can take these weak IV and infer parts of the WEP key 5 % chance of guessing correctly Once again, passively monitoring the network for a few hours can be enough time to gather enough weak IV‟s to figure out the WEP key 7M~ packets to decrypt 40bit WEP key The time needed to deploy the attack is linearly proportional to the key length 104bit key is just as useless as 40bits key Is RC4 really vulnerable? There are a few flaws but it is still considered safe. WEP did not use RC4 properly. IPSEC SSL Another Attack - KoreK Vendors have implemented a „hack‟ Another statistical analysis based attack on WEP key Extremely fast Possible with as little as 0.1M IVs… Traditional method requires more than 4M packets Accelerate it with packet injection - ARP Fast swapping of WEP key is no longer safe Conclusion: WEP Confidentiality FMS attack KoreK attack Integrity Bit-flipping attack Authentication Attacks are passive and difficult to detect NO MORE WEP WEP…. Wired Equivalent Privacy Well.. More like What on the Earth does it Protect? Virtual Private Networking (VPN) Deploying a secure VPN over a wireless network can greatly increase the security of your data Idea behind this is to treat the wireless network the same as an insecure wired network (the internet). VPN is really not the greatest option…. Overhead Deployment Performance susceptible to any attack against the specific VPN Bottom Line: Not practical Finally…. Some Solutions! 802.1x (Authentication) per-user authentication Key distribution mechanism WPA (Confidentiality, Integrity) Subset of 802.11i 2 forms 802.1x + EAP + TKIP + MIC Pre-shared Key + TKIP + MIC WPA2 – 802.11i WPA2 is the implementation of 802.11i Usage of AES + CCMP 802.1x WPA 802.11i 802.1X 802.1X is a port-based, layer 2 (MAC address layer) authentication framework on IEEE 802 networks. Not limited or specific to 802.11 networks Uses EAP for implementation 802.1X is not an alternative to WEP, it works along with the 802.11 protocol to manage authentication for WLAN clients How authentication takes place A client requests access to the AP The AP asks for a set of credentials The client sends the credentials to the AP which forwards them to authenticating server The exact method for supplying credentials is not defined in 802.1X itself 802.1x authentication Extensible Authentication Protocol (EAP) 802.1X utilizes EAP for it‟s authentication framework flexible: one time passwords, certificates, smartcards, own EAP protocol, etc zero per packet overhead cost efficient 802.1X integrates well with other open standards such as RADIUS RADIUS is de-facto more benefits of choosing 802.1X… Software upgrade Access points only need a firmware upgrade to enable 802.1X On the client side, 802.1X can be enabled with an updated driver for the NIC Depending on the EAP you choose, you can have a very secure authentication scheme! Proprietary versions of dynamic key management available Implementations EAP-MD5 EAP-LEAP EAP-TLS EAP-TTLS PEAP EAP-MD5 EAP-MD5 is a simple EAP implementation Uses and MD5 hash of a username and password that is sent to the RADIUS server Authenticates only one way Man in the middle attack Bottom line: Not recommended EAP-LEAP (Cisco Wireless) Like MD5-LEAP, it uses a Login/Password scheme that it sends to the RADIUS server Each user gets a dynamically generated one time key upon login Authenticates client to AP and vice versa Can be used along with RADIUS session time out feature, to dynamically generate keys at set intervals Only guaranteed to work with Cisco wireless clients Broken – ASLEAP by Joshua Wright EAP-TLS by Microsoft Instead of a username/password scheme, EAP- TLS uses certificate based authentication Has dynamic one time key generation Two way authentication Uses TLS (Transport Layer Security) to pass the PKI (Public Key Infrastructure) information to RADIUS server Compatible with many OS‟s Harder to implement and deploy because PKI for clients are also required PEAP by Microsoft and Cisco A more elegant solution! Very similar to EAP-TLS except that the client does not have to authenticate itself with the server using a certificate, instead it can use a login/password based scheme Much easier to setup, does not necessarily require a PKI Currently works natively with Windows XP SP1, but other platforms should support it soon EAP Types TYPE Open / Mutual Auth Client Authenticator Username proprietary in clear txt MD5 Open NO User/pass None Yes TLS Open YES Certificate Certificate Yes TTLS Open YES User/pass Certificate No PEAP Open YES User/pass Certificate No LEAP Prop. YES User/pass None Yes 802.1x is not perfect… 802.1X is vulnerable to many kinds of DOS attacks Spoofed packets Disassociation attack Flooding Some EAPs are subject to man in the middle attacks. WPA (Wi-Fi Protected Access) Subset of 802.11i Confidentiality Fix flawed encryption mechanism TKIP: Per-packet dynamic key mechanism Integrity Upgradeability Software / Firmware Upgrade WPA Steps Confirmation of association capability PMK creation (through 802.1x) 4way handshake and PTK installation GK installation Encryption using TKIP 802.1x Authentication + PMK Security level can be selected PMK is a seed for temporal key generation in the next phase PMK is generated based on the user authentication result 802.1x Authentication (recap) 4 Way Handshake and PTK PTK (512bits) splits in 4 ways Part of PTK is used to generate the encryption key (WEP equivalent) in the next phase 4 Way Handshake and PTK 4 Way Handshake and PTK TKIP (Temporal Key Integrity Protocol) Expands IV space (24 48bits) IV sequence is specified Per-packet Mixing Function Michael Very cheap integrity checker for MAC addresses and DATA WPA-PSK For home / SOHO use Removes 802.1x authentication Pre-shared Key + TKIP Weak against passive dictionary attack Attacks exist - brute force Still much better than WEP WPA2 - 802.11i The long-awaited security standard for wireless, ratified in June 2004 Better encryption: AES CCMP Key-caching (optional) Pre-authentication (optional) Hardware manufactured before 2002 is likely to be unsupported: too weak Key-Caching Skips re-entering of the user credential by storing the host information on the network Pre-authentication (802.11i Specific) Allows client to become authenticated with an AP before moving to it Useful in encrypted VoIP over Wi-Fi Fast Roaming WPA – WPA2 For the time being, WPA will be good enough. Completely backward compatible Get WPA2 certified product for your next purchase Things to keep in mind while deploying WLAN Hide SSID Do NOT use WEP Use WPA-PSK with a good pass-phrase or Use WPA with 802.1x if possible So…………. tinyPEAP (1) A self contained PEAP enabled RADIUS server Currently available in Linksys WRT54G/GS router and Win32 binary Native Windows XP SP1 support Web-based user management The easiest and the most secure solution available in consumer level tinyPEAP (2) tinyPEAP (3) Survey (2) Ready to reconfigure your wireless network? Links to the tools used: Airsnort http://airsnort.shmoo.com Netstumbler http://www.netstumbler.com Ethereal http://www.ethereal.com tinyPEAP http://www.tinypeap.com Papers and Wireless Security Web Pages Weaknesses in the Key Scheduling Algorithm of RC4 The Unofficial 802.11 Security Web Page Wireless Security Blackpaper The IEEE 802.11 specifications (includes WEP spec) Paper on detecting Netstumbler and similar programs Further reading on upcoming 802.11 variations Assorted 802.11 related crypto algorithms written in ANSI C