Layla Pezeshkmehr
Security in Wireless LAN 802.11
Report
CS 265” Security Engineering”
Instructor: Dr. Mark Stamp
Spring 2003
SJSU
1
1. Wireless Security
1.1 Threats with wireless LANS
1.1.1 Sniffing.
1.1.2 Invasion and resource stealing
1.1.3 Traffic redirection
1.1.4 Denial of service
1.1.5 Rouge networks and station redirection
1.2 IEEE 802.11 Security & WEP
1.2.1 Open System Authentication
1.2.2 Shared key Authentication
1.2.3 Identified problems
1.2.4 WEP Protocol
1.2.5 WEP Encryption algorithm
1.2.6 WEP Decryption
1.3 WEP Problems
1.3.1 Problem with RC4
1.3.2 Problem with IV
1.4 Today’s Access Control
1.5 Cisco enhancements to 802.11b WEP to increase security
2
1. Security
Because wireless is a shared medium, IEEE 802.11b radio waves at 2.4GHz easily
penetrate building walls and are receivable from the facility’s parking lot and possibly
a few blocks away. Encryption and authentication should always be considered when
developing a wireless networking.
1.1 Threats with wireless LANs
Sniffing: Interception can occur by using standard receiver such as higain antennas.
Invasion and resource stealing: Attacker could steal a valid access then gain
direct access to all devices within a network.
Traffic redirection: Attacker can make changes in the ARP tables in switches on
the wired network through the AP causing packets to be routed to different
destination.
Denial of service: This attack may happen when attacker attempts to flood a
network, causing congestion, disrupt connection between 2 machines to prevent
access to a service.
Rogue networks and station redirection: An 802.11 wireless network is very
susceptible to a rogue AP attack. A rogue AP is one owned by an attacker that accepts
STA connections and then at a minimum intercepts traffic if not also performing
man-in-the-middle attacks before allowing traffic to flow to the proper network
1.2 IEEE 802.11 Security
IEEE 802.11 defines two authentication subtypes: Open system and Shared key.
Authentication is between two stations. Hence, it can only be performed in unicast
frames but not in the multicast frames.
Open System Authentication: Open System is a default, null authentication
algorithm that involves a two-step process as follows:
A sends an authentication request to B.
B sends the result back to A
If dot11AuthenticationType within B specify “Open System,” the result code is
“successful.”
Otherwise, A is not authenticated.
3
Access point
SD
Authentication Request
(Open System
Authentication)
Authentication Responese
Figure1. 0: Open system Authentication
Shared Key Authentication: This approach provides a better degree of
authentication than the open system approach. Shared Key authentication supports
authentication of stations as either a member of those who know a shared secret
key or a member of those who do not. The secret shared key resides in each
station's MIB in a write-only form and is therefore only available to the MAC
coordinator. For a station to utilize shared-key authentication, it must implement
WEP. The 802.11 standard didn’t specify how to distribute the keys to each
station. Thus, create problem as will be discussed in the WEP problem. The four
basic steps are as follows:
A station sends an authentication request frame to another station (AP here).
AP using WEP to generate a string of octets as the authentication challenge text
and replies to A.
The request station copies the challenge text received into another frame,
encrypts the frame using shared secret key and then transmits the frame, then
sends it back.
At AP, if the WEP ICV check is successful, the responder shall then compare
the decrypted contents of the Challenge Text field to the challenge text that was
sent in step 2 of the sequence. If they are the same, then AP shall respond with a
successful status code in the 4th frame. If the WEP ICV check fails, the responder
shall respond with an unsuccessful status code.
4
Access point
SD
Authentication Request
(Shared key Authentication)
"Challenge" text string
WEP encryption of
challenge text
"Challenge" text string
encrypted with shared key
Positive or Negative result
based on decryption result
WEP decryption of
encrypted text
Figure1.1: Shared-key authentication
Identified problems
Unfortunately, the authentication mechanisms defined in the standard are not satisfactory.
First, let us remark that Open system authentication is in fact a null authentication. The
messages are sent in clear, so anyone could impersonate either the station or the access
point. In Shared key authentication, the station authenticates by proving its knowledge of
the WEP key. On the other hand, there is no mechanism for an access point to prove its
identity to the station, which opens up for malicious access points to try to participate in
the communication. Also, note carefully that only the station is authenticated, not the
user of the station. Hence, the protection against an attacker with access to a wireless
LAN device is not satisfactory.
5
WEP Protocol
Wired Equivalent Privacy (WEP) is the encapsulation of 802.11 data frames. The goal is
to provide data privacy to the level of a wired network. WEP is a symmetric algorithm in
which the same key is used for cipher and deciphe
WEP Encryption algorithm:
Figure 1.2 - WEP encryption
A secret key (40 bits) is shared between all the members of the BSS. The encryption
algorithm is shown in figure 1.2. The secret key is concatenated with an initialization
vector (IV, 24 bits) to produce a seed (64 bits), inputting to a pseudorandom number
generator (PRNG). The PRNG transforms a relatively short secret key into an arbitrarily
long key sequence. In other words, the PRNG outputs a key sequence of pseudorandom
octets of length equal to the number of data bytes to be transmitted in the expanded data
plus 4 bytes (CRC). This is because the key sequence is used to protect the integrity
check value (ICV, 32-bits) as well as the data. To protect against unauthorized data
modification, an integrity algorithm operates on the plaintext to produce an ICV then
concatenate to the plaintext. The result is then exclusive-or with the key sequence
computed earlier. The output after this process is a message containing the IV and 30
ciphertext. The sender then set a bit indicating this is a WEP encrypted packet to
complete the process. In the above process, the secret key remains constant while the IV
might be changed as frequent as every time a packet is sent. Since IV travels with the
message, the receiver will always be able to decipher any message.
6
WEP Decryption:
Figure 1.3 - WEP Decryption
When a packet arrives at the receiver, receiver checks the “encrypted” bit in the frame. If
it is set, the receiver extracts the IV from the frame, appends it to the BSS shared secret
key to produce a seed inputting into the PRNG to generate the “per-packet” RC4 key
sequence. Exclusive-or the Ciphertext with this key sequence gives the original plaintext
and ICV.
To verify the result, receiver performs integrity check algorithm on the recovered
plaintext, producing a new ICV’. This ICV’ is compared to the ICV transmitted with the
message. If ICV’ is not equal to ICV, an error indication is sent to MAC management.
The encryption and decryption general view of packet is in figure 1.4.
802.11 Hdr
Data
Encapsulation
802.11 Hdr
Decapsulation
IV
Data
ICV
Figure 1.4 – encapsulation, de -capsulation of WEP
7
1.3 WEP Problems
As described above, WEP uses the RC4 encryption algorithm, which is known as a
stream cipher. A stream cipher operates by expanding a short key into an infinite pseudorandom key stream. The sender XORs the key sequence with the plaintext to produce
ciphertext. On the receiver side, the reverse process is performed: the same sequence key
is XORed with the ciphertext yielding the original plaintext. IEEE 802.11 didn’t enforce
WEP implementer changing the IV after each packet is sent. In stead, it only advises the
change of IV after each packet is sent.
If an attacker flips a bit in the ciphertext, then upon decryption, the corresponding bit in
the plaintext will be flipped. And if an eavesdropper intercepts two ciphertexts encrypted
with the same key stream, it is possible to obtain the XOR of the two plaintexts. That is:
c1 = p1  b
and
c2 = p2  b
Then:
c1  c2 = (p1  b)  (p2  b) = p1  p2
Knowledge of this XOR can enable statistical attacks to recover the plaintexts. The
statistical attacks become increasingly practical, as more ciphertexts that use the same
key stream are known. Once one of the plaintexts becomes known, it is trivial to recover
all of the others.
Theoretically, WEP was designed to against the above attacks. To prevent packet from
being modified in transit, WEP uses an Integrity Check (IC) field in the packet. To avoid
encrypting two ciphertexts with the same key stream, an Initialization Vector (IV) is used
to augment the shared secret key and produce a different RC4 key for each packet. The
IV is also included in the packet. However, both of these measures are implemented
incorrectly, resulting in poor security.
1.3.1 Problems with RC4
The integrity check field is implemented as a CRC-32 checksum, which is part of the
encrypted payload of the packet. However, CRC-32 is linear, which means that it is
possible to compute the bit difference of two CRCs based on the bit difference of the
messages over which they are taken. In other words, flipping bit ‘n’ in the message
results in a deterministic set of bits in the CRC that must be flipped to produce a correct
checksum on the modified message. Because flipping bits carries through after an RC4
decryption, this allows the attacker to flip arbitrary bits in an encrypted message and
correctly adjust the checksum so that the resulting message appears valid.
1.3.2 Problems with IV
The initialization vector in WEP is a 24-bit field, which is sent in the clear text part of a
message. A busy access point, which constantly sends 1500 byte packets at 11Mbps, will
exhaust the space of IVs after 1500*8/(11*10^6)*2^24 = ~18000 seconds, or 5 hours.
This allows an attacker to collect two cipher texts that are encrypted with the same key
stream and perform statistical attacks to recover the plaintext. Worse, when the same key
8
is used by all mobile stations, there are even more chances of IV collision. For example, a
common wireless card from Lucent resets the IV to 0 each time a card is initialized, and
increments the IV by 1 with each packet. This means that two cards inserted at roughly
the same time will provide an abundance of IV collisions for an attacker.
Today’s Access Control
Cisco enhancements to 802.11b WEP to increase security: By employing
dynamic WEP keys, the Cisco Aironet security solution enhances WEP to decrease its
predictability (to the hacker), significantly minimize any attack windows, ties it to the
user session and, optionally, network logon. The following are the key enhancements to
the Cisco security solution.
Mutual authentication—The Cisco Aironet Wireless security offers customers
a mutual authentication scheme instead of one-way authentication. Standardsbased mutual authentication implementations that are easily deployable are still
evolving. Therefore, Cisco created EAP—Cisco Wireless (LEAP) to ensure
mutual authentication between a wireless client and a back end RADIUS server
(Access Control Server 2000 V2.6). Communication between the access point and
the RADIUS server is via a secure channel. This eliminates "man-in-the-middle
attacks" by rogue access points and RADIUS servers. Even though the paper does
not address this area of concern, Cisco recommends that customers factor this
class of vulnerability into their wireless security requirements.
Secure key derivation—The original shared secret secure key derivation is
used to construct responses to the mutual challenges. It undergoes irreversible
one-way hashes that make password-replay attacks impossible. The hash values
sent over the wire are useful for one-time use only at the start of the
authentication process, and therefore, never after.
Dynamic WEP keys—In addition, by offering a hassle-free, dynamic per-user,
per-session WEP key, Cisco has made it easy for administrators to move away
from static WEP keys, thus increasing the security. Cisco believes that one of the
biggest security exposures in WLANs is primarily due to static WEP and the
tremendous administrative burden it imposes. With the Cisco Aironet solution,
session keys are unique to the users and are not shared among them. Also, with
LEAP authentication, the broadcast WEP key is encrypted using the session key
before being delivered to the end client. By having a session key unique to the
user, and by tying it to the network logon, the solution also eliminates
vulnerabilities due to stolen or lost client cards or devices.
Reauthentication policies—Customers can also set policies for
reauthentication at the back-end RADIUS server ACS2000. This will force users
to reauthenticate more often and get new session keys. Because the vulnerability
window can be configured to be very small, we can minimize attacks where
traffic is injected during the session.
Initialization Vector changes—The Cisco Aironet wireless security solution
also changes the initialization vector (IV) on a per-packet basis so that hackers
can find no predetermined sequence to exploit. This capability, coupled with the
reduction in possible attack windows, greatly mitigate exposure to hacker attacks
9
due to frequent key rotation. In particular, this makes it difficult to create tablebased attacks based on the knowledge of the IVs seen on the wireless network.
SSID – Service Set Identifier: Each AP has an SSID that it uses to identify itself. A
common way of configuring a network is to require each STA to know the SSID of the
AP to which it wants to connect.
SSID provides a very modest amount of control. It keeps a STA from accidentally
connecting to a neighboring AP. It does not, by itself, help with other security issues, and
in particular it does not keep an attacker from setting up a “rogue” AP that uses the same
SSID as the valid AP.
MAC filters: Some APs provide the capability for checking the MAC address of the
STA before allowing it to connect to the network. This provides an additional layer of
control in that only STAs with a registered MAC address can connect. This approach
requires that the list of MAC addresses be configured. The list may be kept in long-term
memory on the AP, or the AP may send a RADIUS request with the MAC address as the
userid (and a null password) to a central RADIUS server and the RADIUS server will
check the list. The RADIUS approach is especially appropriate if the MAC addresses are
to be used with multiple APs.
Using MAC filters is considered to be very weak security because on many wireless
cards it is possible to change the MAC address by reconfiguring the card. An attacker
could sniff a valid MAC address from the wireless network traffic and then configure his
card to use it and gain access.
10