Chapter 3 (b) – Wireless LAN Security

advertisement
IWD2243
Wireless & Mobile Security
Chapter 3 : Wireless LAN Security
1
Prepared by : Zuraidy Adnan, FITM UNISEL
3.1 Introduction
802.11 security architecture – Wired Equivalent Privacy
(WEP)
Responsible for the CIA in 802.11 network.
Designed to be “Wireless Ethernet”
Important architectural differences between 802.11 &
TWNs






2
802.11 limited support for roaming, restricted to wireless
access network only
While TWN support seamless roaming over large geographical
areas.
Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP
Key establishment in 802.11




None, out of scope
Relies on preshared key STAs and APs
Does not specify how the keys are established.
Anonymity in 802.11






3
Not a major concern.
The use of IP address unlike IMSI in TWNs
IP address assign to user can change over time
The use of Network Address Translation (NAT)
Mapping the internal IP with Global IP (GIP)
Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP (cont.)
Authentication in 802.11









4
Authentication – control access to the network.
Wired LAN – security features being inherits from the
network
WLAN – no physical access authentication
Net authenticate STAs – STA authenticate Net
APs – Broadcast beacon (mgmt frame which announce the
existence of the network)
Each beacon have Service Set Identifier (SSID) – or – Net
name – identify ESS.
STA want to connect – passive / active scan.
STAs send probe request to all available channel
Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP (cont.)
Authentication in 802.11 (cont.)





Concerned Aps received a probe – send probe-response
STAs find out which station it can join
STAs choose the network it whishes to join – based on signal
strength
The authentication process start – two options :
Open System Authentication (OSA)



5
See figure 18.2 : 802.11 OSA, page 408
Using OSA – mean no authentication at all
Shared Key Authentication (SKA)
Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP (cont.)
Authentication in 802.11 (cont.)


Shared Key Authentication (SKA)





6
See figure 18.3 : 802.11 SKA, page 410
Challenge – response system
SKA divide STAs into 2 groups, 1 – allowed access, 2 – all other STAs
Group 1 – STAs share secret key with Aps
Using SKA requires, the STAs and APs capable of using WEP, and the STAs
and AP have preshared key.
Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP (cont.)
Authentication in 802.11 (cont.)


Authentication and Handoffs


What’s wrong with 802.11 authentication?




See figure 18.4 : 802.11 handoffs and security, page 411
No method specified in WEP for each STA to be assigned with unique
key
Many 802.11 deployment share key across Aps
One way – no provision for the STA to authenticate the Net.
Pseudo-Authentication scheme


Allows only STAs that knows the SSID to join the Net
Using MAC address as a secret.

7
Aps maintain a list of STA’s MAC, only registered MAC can access the Net
Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP (cont.)
Confidentiality in 802.11






See figure 18.5 : WEP, page 414
5 steps to provide confidentiality in 802.11
See figure 18.6 : A WEP packet, page 415
The packet that been produced after encryption process.
What’s wrong with WEP





8
Usage of RC4 stream chiper, always failed in wireless medium.
Solution : shift synchronization requirement from session to a packet
– change keys for every packet.
IV which concatenated with master key per packet being sent in clear
text
Susceptible to Fluhrer-Mantin-Shamir (FMS) attack.
Specify no rules for IV selection
Prepared by : Zuraidy Adnan, FITM UNISEL
3.2 WEP (cont.)
Data Integrity in 802.11






802.11 uses Integrity Check Value (ICV) field in the packet
See figure 18.7 : Data integrity in WEP, page 419
ICV – Cyclic Redundancy Check-32bits (CRC32)
CRC32 is linear and not cryptographically computed
Eve still can modify the message!
Loopholes in 802.11 security (summary)


9
The list 1-9, page 421 & 422.
Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA



Wi-Fi Protected Access (WPA)
Prestandard subset of 802.11i
Biggest differences –




Usage of AES (Advanced Encryption Standard) for providing
confidentiality and integrity
Usage of Temporal Key Integrity Protocol (TKIP) and
MICHAEL.
Both differences makes big changes in WLAN security
architecture & hardware parts.
Most parts (h/ware) in 802.11 implementation cannot be
used in WPA 802.11i
10
Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.)

Key establishment







11
WEP used preshared key establish using out of band
mechanism
2 environments – home & enterprise
Diff infra capacities to provide security
Enterprise – 802.11i use IEEE 802.1X for key establishment &
authentication.
802.1X use backend authentication server
Home user – no backend authentication server – allow out-ofband mechanism for key establishment
See figure 18.8 : Key hierarchy in 802.11, page 425
Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.)

Key establishment (cont.)






12
WPA solve the problem of authentication in WEP by reducing
exposure of master key (MK)
WPA extends the two-tier hierarchy to multiple hierarchy.
Pair-wise master key (PMK) – preshared key, or derived from
802.1X
PMK – 32bytes – too long for human to remember
Allow user to enter shorter password which will be used as a
seed to generate 32byte key.
Pair-wise transient key (PTK) – Session key, consist of 4 keys,
128bits long.
Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.)

Key establishment (cont.)




4 keys – encryption key for data, integrity key for data,
encryption key for EAPoL msg, and integrity key for EAPoL
msg.
PTK derived from PMK using pseudorandom function (PRF)
PRF is based on HMAC-SHA algorithm.
Five input values to obtain PTK from PMK :

13
PTK = PRF-512(PMK, “pair-wise expansion”, AP_MAC || STA_MAC ||
Anonce || Snonce)
5 values – PMK, MAC add for two endpoints, one nonce for
each endpoints.
Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.)

Key establishment (cont.)

Nonce – “number-once” – generated at both side





14
Anonce = PRF-256(Random Number, “Init counter”, AP_MAC || Time)
Snonce = PRF-256 (Random Number, “Init counter”,STA_MAC ||
Time)
Next step – derive per-packet keys from PTK.
See figure 18.9 : TKIP encryption, page 427
See “important features to note in (TKIP encrypt) process”,
page 428.
Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.)

Authentication








15
Home user, 802.11i allows WEP like configuration
Enterprise user, 802.11i specify the use of 802.1X
802.1X architected along with Extensible Authentication
Protocol over LAN (EAPoL)
See figure 18.10a : 802.1X/EAP port model, page 429
See figure 18.10b : EAPoL, page 429
EAP specify 3 net elements – Supplicant, Authenticator,
Authentication Server
See figure 18.10c : EAP over WLAN, page 430
STA – supplicant, AP – authenticator, backend authentication
server
Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.)

Authentication (cont.)


Confidentiality




See figure 18.10d : 802.1X network architecture
Enhancement from WEP confidentiality
TKIP double the IV size from 24 to 48bits
Used for per-packet mixing function, instead of just add more
bits into the size, and still can co-exist in WEP compatible
hardware.
Integrity

16
TKIP use a new message integrity check (MIC) protocol,
MICHAEL
Prepared by : Zuraidy Adnan, FITM UNISEL
3.3 WPA (cont.)

Integrity (cont.)



Overall picture : confidentiality + integrity


MICHAEL – no multiplication operation, instead, just rely on
shift and add operations.
Another enhancement – to use IV as a sequence counter.
See figure 18.10e : TKIP – the complete picture, page 435
How does WPA Fix WEP loopholes

17
See table 18.1 : WEP loopholes and WPA fixes
Prepared by : Zuraidy Adnan, FITM UNISEL
3.4 WPA2


Only few enhancements features from WPA
Enhancements :



18
Authentication - Replaces a stream chiper (RC4) with a strong
block chiper (AES). Instead, WPA2 embed AES in stream chiper.
Integrity – provides for stronger integrity protection using
AES-based CCMP.
See figure 18.15 : WPA2 – the complete picture
See table 18.2 : comparison of WEP, WPA, and WPA2 security
architectures.
Prepared by : Zuraidy Adnan, FITM UNISEL
Download