WPA Security and Exploits

Wi-Fi Protected Access (WPA) Security and Exploits
By: Holly Cosand
March 7, 2006
Introduction
In wireless networks, by far the most commonly deployed networking technology is Wired
Equivalent Privacy (WEP). The security limitations and exploits for WEP are many and have
been well publicized. What is less well known are the exploits and security flaws of its more
secure successor, Wi-Fi Protected Access (WPA). This protocol and its potential for exploit are
covered in this document.
We begin by discussing wireless networking, then the fundamentals of the WPA protocol,
followed by several exploits that are available against WPA, and conclude with how
WPA2 helps address these exploits. The end of the document contains both a table of algorithms
and protocols used in the WPA standards and a list of references.
Wireless Networking (WiFi) Overview
Wireless networking (WLAN) is a set of communication and security technologies that operate
over a standard set of radio frequencies for communication. Using these frequencies, a number
of standards have been defined, enabling multiple vendors to interoperate. These standards can
be segmented into two different categories: 1) basic communication standards and 2) given that
this communication travels over open air waves, security standards that help protect the
exchange of information through the communication channel.
WLANs function in one of two ways: clients connect to a central access point (AP) which acts
as a hub to other clients and to a wired network, or clients connect in an ad-hoc peer-to-peer
mode. APs make themselves discoverable by broadcasting a Service Set Identifier (SSID) at
a fixed interval, typically 10 times per second, but the broadcast interval may be configurable by
the administrator of the AP. The SSID is just the name of the AP which may be used by clients to
connect to the wireless network. Clients, equipped with a wireless network interface card (NIC),
will see a list of available APs’ SSIDs. The client may then select from the list of APs. If the
AP is unsecured, the client may connect to the network, allowing them to use the network
resources supported by that AP without authentication or to view network traffic traveling over
the network. Otherwise, authentication will be required. APs are typically left unsecured by
default. Administrators of the AP must enable security when placing it on the network.
Wi-Fi Protected Access (WPA) Overview
Wi-Fi Protected Access (WPA) supports a strong encryption algorithm and user authentication.
The WPA standard employs Temporal Key Integrity Protocol (TKIP) with Rivest Cipher 4
(RC4) for encryption and Message Integrity Checking (MIC), using 128 bit keys that are
dynamically generated for encryption.
In an enterprise, keys are generated leveraging the 802.1X authentication protocol with
Extensible Authentication Protocol (EAP). The 802.1X protocol is a network access control
method used on both wired and wireless networks. The 802.1X protocol’s use of EAP enables
the support of a variety of user credential types, including username/password, smart cards,
secure IDs, or any other type of user identification. Clients and Access Points (AP) authenticate
against a Remote Authentication Dial-In User Service (RADIUS) server which validates client
access to the network, as well as enabling connected clients to know they are talking to valid
APs once they are on the network.
Holly Cosand
Page 1
2/12/2016
In home and small office environments, “pre-shared keys” (PSK) are used as the basis of
packet encryption.
In the WPA standard, if enterprise security is employed, a user supplies credentials to the
RADIUS server which authenticates the user, or if enterprise security is NOT employed, supplies
a manually entered PSK on the client device and Access Point. Once a user is authenticated, a
unique master or “pair-wise” key is created for the session. TKIP distributes the key to the client
and Access Point (AP), using the pair-wise key to generate unique data encryption keys to
encrypt every data packet that is sent during the session. TKIP is initialized with a 48-bit
initialization vector (IV) to prevent keys from being reused with any frequency. A Message
Integrity Check (MIC) is appended to every sent packet, preventing a “man in the middle”
alteration of packets by requiring both the sender and receiver to compute and compare the MIC,
assuming an attack and discarding the packet if the MIC doesn’t match.
In summary, the improvements in WPA over WEP are: the increase in key length from 40-bits to
128-bits; the increased length of the initialization vector (IV) for RC4 encryption from 24-bit to
48-bit; the use of a newly generated secret key for the encryption of each packet; Message
Integrity Checking (MIC); never using Master Keys directly, but rather deriving keys from the
master; and built-in key management.
The table below summarizes the key attributes of WEP, WPA and WPA2.
Attribute               WEP                WPA                       WPA2
Year Ratified           1999               2003                      2004
Key size                40 bit             128 bit                   128, 192 or 256 bit
Key State               Static             Dynamic                   Dynamic
Central Key Management  None               RADIUS                    RADIUS
Authentication          WEP Key Challenge  802.1X authentication     802.1X authentication
                                           protocol with Extensible  protocol with Extensible
                                           Authentication Protocol   Authentication Protocol
                                           (EAP)                     (EAP)
Encryption Scheme       RC4                Temporal Key Integrity    Counter Mode CBC MAC
                                           Protocol (TKIP) with RC4  Protocol (CCMP) with
                                           for encryption            Advanced Encryption
                                                                     Standard (AES) for
                                                                     encryption
Device Compatibility    802.11a,b,g        802.11a,b,g               802.11a,b,g
Wi-Fi Protected Access (WPA) Exploits
There are a number of exploits available against Wi-Fi Protected Access (WPA). These include
both data integrity/confidentiality attacks and Denial of Service (DOS) attacks. In the
integrity/confidentiality realm, passive monitoring and dictionary attacks on pre-shared keys are
public knowledge, as are security issues around Rivest Cipher 4 (RC4), the underlying
encryption protocol. On the DOS front, several attacks are available either by exploiting a
specific feature of the protocol or by using the wireless standby of radio frequency jamming.
First the data integrity/confidentiality attacks are discussed, followed by the DOS attacks.
Data Integrity/Confidentiality Attacks
Of the types of attacks covered in this document, data integrity/confidentiality attacks potentially
have the greatest risk and exposure in many environments since these attacks can go undetected
and leave confidential data openly available to potentially hostile parties, including competitors.
The attacks discussed here include a passive monitoring attack and a dictionary attack against
the pre-shared key mode of WPA, as well as attacks against the Rivest Cipher 4 (RC4) algorithm
used for packet encryption.
Pre-Shared Key (PSK) Attacks
A pre-shared key (PSK) is a 256 bit number or a pass phrase 8 to 63 bytes long. Each Access
Point (AP), when configured in PSK mode, has a single PSK which is used to generate session
keys for each user connecting to the AP.
The PSK attacks are more relevant to home or small business users than large enterprises as
larger organizations are more likely to set up RADIUS servers for authentication, rather than
using PSK.
Pre-Shared Key (PSK) Monitoring Attack
The Pre-Shared Key (PSK) Monitoring attack is performed by an attacker who already knows the
PSK: the attacker obtains the basic information communicated between the client and Access
Point (AP), and then generates the Pairwise Transient Key (PTK) for the session.
The attacker does this by passively listening as another client on the network connects to the
Access Point (AP). All necessary information for generating the PTK is readily available: client
and AP MAC addresses; 2 nonces from the 4-way handshake; and the selected cipher suite.
Once the attacker has this set of information, he can generate the PTK, which is a Keyed Hash
Message Authentication Code (HMAC) computed using the Pairwise Master Key (PMK) derived
from the PSK (already known by the attacker), the two MAC addresses, and the two nonces from
the first two packets of the 4-way handshake. At this point, the attacker can decrypt any packets
another user of the network may send.
Pre-Shared Key (PSK) Dictionary Attack
If the attacker does not know the Pre-Shared Key (PSK), they may perform the Pre-Shared Key
Dictionary attack to attempt to determine the key. For user-selected pass phrases of fewer
than 20 characters, this type of attack is expected to be successful.
In this attack, the pass phrase can be determined by taking a dictionary of common pass phrases
and running each one through a well known algorithm for generating Pairwise Master Keys (PMKs).
This algorithm concatenates the pass phrase, the SSID, and the SSID length into a single string
which is hashed 4096 times, generating the PMK. Due to the number of potential pass phrases
and the computations that must be performed, this attack must be performed off line. Once the
attacker has determined the PMK he may use it to generate Pairwise Transient Keys (PTKs) for
individual sessions as described in the previous attack.
The solution for this attack is to use pass phrases of greater than 20 characters or to use a
relatively shorter, random, hexadecimal key.
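The key derivations behind both PSK attacks above, as an added example that is not part of the original paper. It follows the IEEE 802.11i definitions (PBKDF2-HMAC-SHA1 for the 4096-round PMK hash, iterated HMAC-SHA1 for the PTK); the SSID, MAC addresses and nonces are constructed sample values, and psk_meets_guidance is a hypothetical helper encoding one reading of the mitigation.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(pass phrase, salt=SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA pass phrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce) -> bytes:
    """512-bit PTK: HMAC-SHA1 keyed with the PMK, iterated over a counter.
    Every other input is sent in the clear during the 4-way handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = b""
    for counter in range(4):  # 4 x 20-byte SHA-1 digests cover 64 bytes
        msg = b"Pairwise key expansion\x00" + data + bytes([counter])
        ptk += hmac.new(pmk, msg, hashlib.sha1).digest()
    return ptk[:64]

def psk_meets_guidance(psk: str) -> bool:
    """The mitigation above, read as: more than 20 characters of pass phrase,
    or a 64-hex-digit (256-bit) key. Randomness cannot be judged from the string."""
    hex_key = len(psk) == 64 and all(c in "0123456789abcdefABCDEF" for c in psk)
    return hex_key or 20 < len(psk) <= 63

# Constructed sample values, not taken from a real capture.
SSID = "ExampleNet"
AP_MAC = bytes.fromhex("02aabbccdd01")
CLIENT_MAC = bytes.fromhex("02aabbccdd02")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

def same_ptk_for_any_psk_holder(passphrase: str) -> bool:
    """The client and any other holder of the PSK who recorded the handshake
    compute identical session keys: the PSK is the only secret input."""
    client = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    other = derive_ptk(derive_pmk(passphrase, SSID), CLIENT_MAC, AP_MAC, SNONCE, ANONCE)
    return client == other

if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())
    print(same_ptk_for_any_psk_holder("a shared office pass phrase"))
    print(psk_meets_guidance("password"), psk_meets_guidance("a shared office pass phrase"))
```

Because the pass phrase is the only secret input, session keys in PSK mode are only as strong as the pass phrase, which is why the length guidance above matters.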
Rivest Cipher 4 (RC4) Attack
Although no specific attacks on Rivest Cipher 4 (RC4) in Wi-Fi Protected Access (WPA) have
been published, RC4 has several deficiencies in its security as a cipher which were discovered in
its usage for the Wired Equivalent Privacy (WEP) protocol.
One attack identified by Fluhrer and McGrew can separate out the keystream from the cipher
when provided a gigabyte of data. Although this is substantial network traffic, a passive listener,
on a relatively idle wireless network, could collect this data over time, or could collect this data
much more rapidly on an active network.
Another attack identified by Fluhrer, Mantin and Shamir found that the first few bytes of an
output keystream have patterns which allow for the detection of information about the encryption
key.
WPA has helped mitigate this by using a 48-bit initialization vector (IV) for RC4 rather than the
24-bit IV used in WEP; dynamically generating a new key for each packet; and throwing away
the initial portion of the keystream before using it for combination with the plain text.
Denial of Service (DOS) Attacks
Denial of Service (DOS) attacks are nuisance attacks, leaving clients without wireless network
coverage in a service area for a period of time. The DOS attacks discussed here include an
attack that was inadvertently exposed as part of the security in the WPA protocol and a well
known attack that exists due to the underlying use of radio frequencies for wireless networks.
Each is discussed in the following sections.
Wi-Fi Protected Access (WPA) Protocol Shutdown Attack
In Wi-Fi Protected Access (WPA)’s quest for improved security, it exposed itself to a Denial of
Service (DOS) vulnerability within its protocol. This vulnerability occurs because WPA will
shut down whenever it detects two attack packets (packet forgeries) from a client to an Access
Point (AP) within a 1 second window, that is, two packets with invalid Message Integrity
Checks (MICs). In the shutdown process, the AP will delete its keys and disconnect all clients,
wait a minute and then reconnect with the clients. This allows malicious clients to sit on the
network, forging packets to the AP and shutting down service for users of the AP. At high
frequencies, these forged packets can cause the AP to be nearly perpetually unavailable and
thus unusable to clients.
The solution to this attack is to employ Access Control Lists (ACLs) for APs such that only valid
clients can access the AP’s services.
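A log-review sketch for the shutdown behaviour described above, added here as an example and not part of the original paper. It replays MIC-failure events to report each shutdown, the source addresses involved, and the resulting availability; the window and hold-off defaults are the figures given above (1 second, one minute), and the event tuples are constructed.

```python
from collections import namedtuple

Outage = namedtuple("Outage", "start end sources")

def find_outages(mic_failures, window=1.0, holdoff=60.0):
    """mic_failures: iterable of (timestamp_seconds, source_mac) for frames
    that failed the MIC check. Two failures within `window` seconds trigger
    the shutdown; the AP then stays down for `holdoff` seconds."""
    outages = []
    previous = None                  # last failure that did not trigger a shutdown
    down_until = float("-inf")
    for ts, mac in sorted(mic_failures):
        if ts < down_until:          # AP is already down, no frames are checked
            continue
        if previous is not None and ts - previous[0] <= window:
            outages.append(Outage(ts, ts + holdoff, {previous[1], mac}))
            down_until = ts + holdoff
            previous = None
        else:
            previous = (ts, mac)
    return outages

def availability(outages, period_start, period_end):
    """Fraction of [period_start, period_end] during which the AP was up."""
    down = sum(min(o.end, period_end) - max(o.start, period_start)
               for o in outages if o.end > period_start and o.start < period_end)
    return 1.0 - down / (period_end - period_start)

# Constructed sample events: (seconds since start of log, source MAC).
SAMPLE = [
    (10.0, "02:00:00:00:00:aa"),     # isolated failure, no shutdown
    (300.0, "02:00:00:00:00:bb"),
    (300.4, "02:00:00:00:00:bb"),    # second failure inside the window
    (320.0, "02:00:00:00:00:bb"),    # arrives while the AP is down
    (361.0, "02:00:00:00:00:bb"),
    (361.2, "02:00:00:00:00:bb"),    # second failure inside the window
]

if __name__ == "__main__":
    for outage in find_outages(SAMPLE):
        print(outage)
    print(availability(find_outages(SAMPLE), 0.0, 600.0))
```

The sources reported for each outage are the addresses to compare against the AP's access control list.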
Radio Frequency (RF) Jamming Attack
This Denial of Service (DOS) exploit is available in all wireless networking protocols. With this
exploit a radio frequency jamming device can be used to disrupt client communications with
Access Points (AP) in a service area.
The solution to this attack is to secure the perimeter of the service area, where possible.
However, this is not always possible in open areas like coffee shops and university campuses.
Wi-Fi Protected Access 2 (WPA2) Overview
The Wi-Fi Protected Access 2 (WPA2) standard, also known as 802.11i, is a superset of WPA. It
includes the 802.1X/EAP authentication for corporate environments and PSK authentication for
home environments, as does WPA.
In addition, a new encryption scheme called Advanced Encryption Standard (AES) has been
added as the block cipher, operating on 128 bit data blocks. The AES standard is much more
secure than the Rivest Cipher 4 (RC4) standard used in WPA. It supports encryption, using keys
of 128, 192 or 256 bits.
Counter Mode CBC MAC Protocol (CCMP) is an additional security protocol used by WPA2.
CCMP is responsible for key rotation, packet encryption and Message Integrity Checking (MIC)
in the same way TKIP is in the WPA standard. CCMP calculates a MIC on each packet, using
the Cipher Block Chaining Message Authentication Code (CBC-MAC) algorithm. This
algorithm is very strong in that changing a single bit in the message produces a different MIC.
The WPA2 standard is compatible with existing WPA WiFi devices.
Wi-Fi Protected Access (WPA) Cryptographic Algorithms and
Protocols
Below is a listing of the primary cryptographic algorithms and protocols used by the Wi-Fi
Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) standards as discussed in this
document.
NAME: Advanced Encryption Standard (AES)
TYPE: Block Cipher
STD: WPA2
DESCRIPTION: Block cipher with a fixed block size of 128 bits and a key size of 128, 192 or
256 bits. The algorithm typically operates on a 4x4 byte matrix, applying operations: add round
key, substitute bytes from a look up table, shift rows, and mix columns over multiple rounds.

NAME: Cipher Block Chaining Message Authentication Code (CBC-MAC)
TYPE: MIC
STD: WPA2
DESCRIPTION: Uses AES cipher blocks in a chain to perform integrity checking of the message.
Each subsequent block is dependent upon the proper encryption of the preceding block.

NAME: Counter Mode CBC MAC Protocol (CCMP)
TYPE: Encryption and MIC
STD: WPA2
DESCRIPTION: Performs packet encryption, using AES and message authentication/integrity
checking, using CBC-MAC. It is equivalent in function to TKIP.

NAME: Keyed Hash Message Authentication Code (HMAC)
TYPE: Hash
STD: WPA
DESCRIPTION: Performs message authentication/verification, using a cryptographic hash
function, using a secret key. The cryptographic strength of the hash depends upon the
underlying hash function (e.g. Sha1) and the size of the key. See
http://csrc.nist.gov/publications/fips/fips198/fips198a.pdf

NAME: Rivest Cipher 4 (RC4)
TYPE: Stream Cipher
STD: WPA
DESCRIPTION: Variable key sized (typically 256 bits) stream cipher. A random bit stream is
XOR’d with plaintext to create an encrypted stream. The key schedule is created by first
initializing the 256 bit vector and then performing a pseudo random key generating algorithm
on the vector.

NAME: Temporal Key Integrity Protocol (TKIP)
TYPE: Encryption and MIC
STD: WPA
DESCRIPTION: Specifies a newly generated key for each encrypted packet, a Message Integrity
Check (MIC) for each packet, and new key generation for each session. Uses the RC4 stream
cipher with 128 bit keys for encryption and 64 bit keys for authentication.
References
1. Weakness in Passphrase Choice in WPA Interface; By Glenn Fleishman, Robert Moskowitz
2. Weakness Reported in Wireless Security Protocol; By Larry Seltzer; November 6, 2003
3. Passphrase Flaw Exposed in WPA Wireless Security, TechNewsWorld; By Jay Lyman;
11/06/03 3:12 PM PT
4. WPA versus 802.11i (WPA2): How your Choice Affects your Wireless Network Security
5. Wireless security; By Lisa Phifer; 13 Dec 2002
6. Wi-Fi Encryption Fix Not Perfect
7. WPA Security Enhancements; By Jim Geier; March 20, 2003
8. Making the WPA Upgrade; By Steven J. Vaughan-Nichols; May 5, 2003
9. Wi-Fi Security: Are We There Yet?; December 5, 2005 11:42AM