NETW 05A: APPLIED WIRELESS SECURITY Data-Link Security Solutions By Mohammad Shanehsaz
advertisement
NETW 05A: APPLIED WIRELESS SECURITY Data-Link Security Solutions By Mohammad Shanehsaz Spring 2005 This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Objectives Static and Dynamic WEP & TKIP Explain the functionality, strengths, and weaknesses of WEP and TKIP Explain appropriate scenarios and applications of static and dynamic WEP and TKIP Install and configure static and dynamic WEP & TKIP Illustrate feasibility of WEP exploitation Manage scalable WEP & TKIP solutions This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Objectives 802.1x and EAP Explain the functionality of 802.1x & EAP Explain dynamic key generation and rotation for solution scalability Explain the strengths, weaknesses, and appropriate applications of 802.1x & EAP Install and configure 802.1x & EAP, including LEAP, EAP-TLS, EAP-TTLS, EAP-MD5, PEAP, Manage scalable 802.1x and EAP solutions This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. 802.11 MAC Basics Management and control frames are sent in clear text and unauthenticated This is the basis for many types of attack scenarios For some types of attacks particular vendors have instituted proprietary solutions Many of these vulnerabilities will be addressed by the 802.11i standards This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Categories of Authentication & Encryption There are three main categories: Static WEP Dynamic WEP Proprietary protocols There are variations on each type This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Static WEP Security solution based on unchanging shared keys that are preconfigured on all nodes by network administrator Protects the wireless link with simple authentication and data encryption Not a complete solution, it can be cracked using common tools such as WEPcrack or Airsnort This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Cracking WEP Cracking WEP requires three things: Large number of captured packets Long periods of time to capture those packets Fast machine to process the information contained in the packets to derive the WEP key It can takes days to crack it, is it worth it ? This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. TKIP Temporal Key Integrity Protocol is a set of modifications to the existing WEP algorithm IEEE 802.11i task group created TKIP TKIP is a type of dynamic WEP solution where WEP keys are rotated on a changeable interval, but static WEP key is still used as keying material This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. WEP Weaknesses Addressed TKIP algorithms address the following weaknesses: Forgery Weak-Key attacks Collision attacks Replay attacks This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Forgery TKIP supports per-packet authentication Forgery attacks are performed by capturing encrypted packets, changing some data within them, and then resending the packets TKIP uses message-integrity check (MIC) called “Michael” to thwart attempts MICs add significant network overhead This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Weak Key Attacks WEP construct a per-packet RC4 key by concatenating an RC4 base key and 24 bits IV TKIP uses key-mixing to derive short–lived encryption keys TKIP uses 128 bit temporal key combined with the client’s MAC address and large 48 bit IVs to produce the key for encryption This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Collision and Replay attacks TKIP uses 48 bit IVs, which increases the possible number of IVs, to prevent collision attacks TKIP prevents replay attacks by using sequencing number for generated packets This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Availability For those products that are currently Wi-Fi certified, most can be upgraded to support TKIP, assuming the vendor has made a firmware upgrade availablecheck the web site for upgrades This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. 802.1x / EAP 802.1x with use of the Extensible Authentication Protocol implements what is generally referred to as dynamic WEP Dynamic Key Generation, Distribution, & Rotation EAP is a layer 2 authentication protocol replacing PAP and CHAP It is appropriate for medium to large enterprise environment Basing authentication on individualized user credentials such as usernames and passwords, certificates, smartcards and other like methods This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. 802.1x Standard IEEE standard that provides an authentication framework for 802-based LANs It was originally used in wired networks and has since been adapted for wireless networks It provides port-based access control so that before the switch or access point will establish a connection, the user credentials must be verified 802.1x standard addresses only access control and authentication framework and does not address data privacy, so that the problems with WEP still exist, EAP eliminates the problems through dynamic key generation This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. 802.1x Standard There are three terms defined by the IEEE standard that describe the devices used in 802.1x Supplicant-a client that is being authenticated Authenticator-an access layer device such as AP or bridge that requires supplicants to be authenticated in order to pass traffic through it Authentication server-( typically a RADIUS ) the device that is doing the authentication of the supplicant This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. 802.1x Standard Advantages Maturity & Interoperability User-based identification Dynamic Key Management Flexible Authentication This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Maturity & Interoperability The industry’s choice to use in WLAN because of time-proven use in wired network Supports of mature protocols such as EAP and RADIUS which are open standards providing max interoperability in centralized identification and key management This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. User-based Identification Basing authentication on actual user not a particular wireless device, on a scalable database such as RADIUS or other databases that RADIUS directly supports (Active Directory, NDS, LDAP, SQL) Centralized authentication and management save time and money This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Dynamic Key Management Per-user per-session keys eliminates attacks based on obtaining the WEP key Automated key management systems allow keys to be reissued without an administrator’s intervention This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Flexible Authentication There are several supported authentication solutions to choose from Changing the authentication mechanism does not require any hardware replacement This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP Protocol Provides an extensible method for PPP server to authenticate its clients EAP supports two-and three-factor authentication (passwords, certificates, biometrics, etc) EAP was designed to prevent proprietary authentication solutions from being implemented which would have had a negative effect on the interoperability and compatibility between systems EAP is within OS of the server or application software on the client Windows XP natively supports EAP This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP Authentication Types There are many EAP types : EAP-MD5 EAP-TLS LEAP EAP-TTLS PEAP This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP-MD5 First Authentication type created by RFC2284 for 802.1x Uses the same challenges handshake protocol as PPP-based CHAP, except challenges and responses are sent as EAP messages It has three weaknesses: One-way authentication Challenge passwords No per-session WEP keys Rarely used because of its weaknesses This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP-MD5 Weaknesses one-way Authentication Because only the supplicant gets authenticated, an impersonator could be added as rogue RADIUS server to obtain the login credentials of a legitimate user This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP-MD5 Weaknesses Challenge Passwords Authentication server challenge the supplicant with a random string of text The supplicant hashes the challenge with its password and send it back The server validates the response based on its knowledge of the password Eavesdropper can obtain both the challenge and the hash, which he/she can break it with dictionary attack to obtain user’s password This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP-MD5 Weaknesses no per-session WEP keys After authentication, communication is either not encrypted, or encrypted with a static WEP key Because of static WEP vulnerability , it allows eavesdropping on the data This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP-TLS (EAP-Transport Level Security ) Developed by Microsoft and standardized by Internet Engineering Task Force It is based on the secure socket layer protocol used for secure web traffic It uses both server-side and client-side certificates for user identification (mutual authentication) More appropriate for organizations that have already deployed a PKI (public key infrastructure) Per-session WEP key is set up, and client can be reauthenticated and re-keyed as often as needed without inconveniencing the end user This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. TLS Authentication The TLS process begins with the handshake process: 1. The SSL client connects to a server and makes an authentication request 2. The server sends its digital certificates to the client 3. The client verifies the certificate’s validity and digital signature 4. The server requests client-side authentication 5. The client sends its digital certificate to the server 6. The server verifies the certificate’s validity and digital signature 7. The encryption and message integrity schemes are negotiated 8. Application data is sent over encrypted tunnel via the record protocol This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP-TLS Authentication The EAP-TLS authentication process is as follows: 1. The client sends an EAP start message to the access point 2. The access point replies with an EAP Request Identity message 3. The client sends its network access identifier (NAI), which is username, to the access point in an EAP Response message 4. The access point forwards the NAI, encapsulated in a RADIUS Access Request message to the RADIUS server 5. The RADIUS server responds to the client with its digital certificate This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP-TLS Authentication 6. The client validates the RADIUS server’s digital certificate 7. The client replies to the RADIUS server with its digital certificate 8. The RADIUS server validates the client’s credentials against the client digital certificate 9. The client and RADIUS server derive encryption keys 10. The RADIUS server sends the access point a RADIUS ACCEPT message, including the client’s WEP key, indicating successful authentication 11. The access point sends the client an EAP Success message 12. The access point sends the broadcast key and key length to the client, encrypted with the client’s WEP key This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP-Cisco Wireless (LEAP) Cisco’s proprietary Lightweight Extensible Authentication Protocol was designed to support 802.1x/EAP based authentication It was developed to support networks with a variety of OS that may not natively support EAP LEAP supports mutual authentication between a client and a RADIUS server LEAP provides user-based, centralized authentication as well as per-session WEP keys Used in Cisco’s Aironet products Its security level is considered moderate or strong based on the strength of the passwords used See figure 11.12 on page 256 for LEAP Process This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP-TTLS (Tunneled Transport Layer Security ) Was co-developed by Funk Software and Certicom, supported in Funk’s Odyssey software EAP-TTLS requires only an authentication server certificate TTLS uses TLS channel to exchange “attribute-value pairs” (AVPs) After authentication server is authenticated using its digital certificate, an encrypted tunnel is established between the supplicant and authentication server to pass the supplicant’s authentication credentials See figure 11.13 for EAP-TTLS Process This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Key security Features of EAPTTLS Almost any kind of supplicant authentication credentials (passwords, tokens, etc ) can be used inside the encrypted tunnel Low overhead since requirement of only server-side certificate Many types of authentication algorithms may be used inside the encrypted tunnel-MS-CHAPv2, MS-CHAP, CHAP, PAP,EAP-MD5 Strong protection against eavesdroppers seeking to perform dictionary attack Mutual authentication, fast connections while roaming, and automatic re-keying of encryption keys This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Protected EAP ( PEAP ) PEAP was developed by Microsoft, Cisco and RSA Security to address deficiencies of EAP (Unprotected user information during the EAP negotiation, No support for fast reconnections when roaming, No support for fragmentation and reassembly) PEAP was designed to protect EAP communication between clients and authenticators It provides support for identity protection by using TLS to create an encrypted tunnel after verifying the identity of authentication server This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Protected EAP (PEAP) continue After encrypted tunnel is established a second EAP authorization process occurs inside the tunnel The client is authenticated inside the tunnel using any implemented EAP authorization type (tokens, passwords,etc) It has built-in support for packet fragmentation and reassembly, as well as fast reconnects See figure 11.15 on page 263 for PEAP process This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. PEAP Authentication 1. The client sends an EAP start message to the access point 2. The access point replies with an EAP Request Identity message 3. The client sends its network access identifier (NAI), which is its username, to the access point in an EAP Response message 4. The access point forwards the NAI to the RADIUS server encapsulated in a RADIUS Access Request message 5. The RADIUS server responds to the client with its digital certificate 6. The client validates the RADIUS server’s digital certificate This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. PEAP Authentication 7. The client and server negotiate and create an encrypted tunnel 8. This tunnel provides a secure data path for client authentication 9. Using the TLS Record protocol, a new EAP authentication is initiated by the RADIUS server 10. The exchange includes the transactions specific to the EAP type used for client authentication 11. The RADIUS server sends the access point a RADIUS ACCEPT message, including the client’s WEP key, indicating successful authentication This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP-TTLS vs PEAP Both were designed to use older authentication methods while maintaining the strong cryptographic foundation of TLS Both have similar structure Both are two-stage protocols that establish security in stage one and then exchange authentication in stage two Stage one establish a TLS tunnel and authenticates the authentication server to the client with a certificate This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP-TTLS vs PEAP Microsoft and Cisco both support PEAP Cisco’s Aironet Client Utility (ACU) and Windows XP with service pack1 There are two types of PEAP supported by Microsoft: PEAP-EAP-MS-CHAPv2 and PEAP-EAP-TLS PEAP-EAP-TLS, server and client side certificates are required PEAP-EAP-MS-CHAPv2, server certificates and client passwords are required This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. EAP Considerations The factors to include when deciding: Mutual Authentication Dynamic Key Generation, Rotation, and Distribution Cost and Management Overhead Acceptance, Standardization, and Support Availability and Implementation This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Proprietary Protocols These protocols are used because: Added security through per packet authentication Added security through use of leading-edge encryption algorithms not yet supported by standards Added security due to the entire communications process between client and server being strongly encrypted Compression to increase throughput over the halfduplex medium This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Proprietary Protocols Enterprise Encryption Gateways use proprietary protocols in order to achieve stronger security and increased throughput, but the main disadvantage here is vendor interoperability This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation.
