Wi-Fi Protected Access (WPA) Security and Exploits

By: Holly Cosand
March 7, 2006

Introduction

In wireless networks, by far the most commonly deployed networking technology is Wired Equivalent Privacy (WEP). The security limitations and exploits for WEP are many and have been well publicized. What is less well known are the exploits and security flaws of its more secure successor, Wi-Fi Protected Access (WPA). This protocol and its potential for exploit are covered in this document. We begin by discussing wireless networking; then the fundamentals of the WPA protocol; followed by several exploits that are available against WPA; and conclude by addressing how WPA2 helps address these exploits. The end of the document contains both a table of algorithms and protocols used in the WPA standards and a list of references.

Wireless Networking (WiFi) Overview

Wireless networking (WLAN) is a set of communication and security technologies that operate over a standard set of radio frequencies for communication. Using these frequencies, a number of standards have been defined, enabling multiple vendors to interoperate. These standards can be segmented into two different categories: 1) basic communication standards and 2) given that this communication travels over open air waves, security standards that help protect the exchange of information through the communication channel.

WLANs function in one of two ways: clients connect to a central access point (AP) which acts as a hub to other clients and to a wired network, or clients connect in an ad-hoc peer-to-peer mode. APs facilitate their ability to be located by broadcasting a Service Set Identifier (SSID) at a fixed interval, typically 10 times per second, but the broadcast time may be configurable by the administrator of the AP. The SSID is just the name of the AP which may be used by clients to connect to the wireless network.

Clients, equipped with a wireless network interface card (NIC), will see a list of the SSIDs of available APs. The client may then select from the list of APs. If the AP is unsecured, the client may connect to the network, allowing them to use the network resources supported by that AP without authentication or to view network traffic traveling over the network; otherwise, authentication will be required. APs are typically left unsecured by default. Administrators of the AP must enable security when placing it on the network.

Wi-Fi Protected Access (WPA) Overview

Wi-Fi Protected Access (WPA) supports a strong encryption algorithm and user authentication. The WPA standard employs Temporal Key Integrity Protocol (TKIP) with Rivest Cipher 4 (RC4) for encryption and Message Integrity Checking (MIC), using 128 bit keys that are dynamically generated for encryption.

In an enterprise, keys are generated leveraging the 802.1X authentication protocol with Extensible Authentication Protocol (EAP). The 802.1X protocol is a network access control method used on both wired and wireless networks. The 802.1X protocol's use of EAP enables the support of a variety of user credential types, including username/password, smart cards, secure IDs, or any other type of user identification. Clients and Access Points (AP) authenticate against a Remote Authentication Dial-In User Service (RADIUS) server which validates client access to the network, as well as enabling connected clients to know they are talking to valid APs once they are on the network. In home and small office environments, “pre-shared keys” (PSK) are used as the basis of packet encryption.

Holly Cosand Page 1 2/12/2016

In the WPA standard, if enterprise security is employed, a user supplies credentials to the RADIUS server which authenticates the user; if enterprise security is NOT employed, the user supplies a manually entered PSK on the client device and Access Point.

Once a user is authenticated, a unique master or “pair-wise” key is created for the session. TKIP distributes the key to the client and Access Point (AP), using the pair-wise key to generate unique data encryption keys to encrypt every data packet that is sent during the session. TKIP is initialized with a 48-bit initialization vector (IV) to prevent keys from being reused with any frequency. A Message Integrity Check (MIC) is appended to every sent packet, preventing a “man in the middle” alteration of packets by requiring both the sender and receiver to compute and compare the MIC, assuming an attack and discarding the packet if the MIC doesn’t match.

In summary, the improvements in WPA over WEP are: the increase in key length from 40-bits to 128-bits; the increased length of the initialization vector (IV) for RC4 encryption from 24-bit to 48-bit; the use of a newly generated secret key for the encryption of each packet; Message Integrity Checking (MIC); never using Master Keys directly, but rather deriving keys from the master; and built in key management.

The table below summarizes the key attributes of WEP, WPA and WPA2.

| Attribute | WEP | WPA | WPA2 |
|---|---|---|---|
| Year Ratified | 1999 | 2003 | 2004 |
| Key size | 40 bit | 128 bit | 128, 192 or 256 bit |
| Key State | Static | Dynamic | Dynamic |
| Central Key Management | None | RADIUS | RADIUS |
| Authentication | WEP Key Challenge | 802.1X authentication protocol with Extensible Authentication Protocol (EAP) | 802.1X authentication protocol with Extensible Authentication Protocol (EAP) |
| Encryption Scheme | RC4 | Temporal Key Integrity Protocol (TKIP) with RC4 for encryption | Counter Mode CBC MAC Protocol (CCMP) with Advanced Encryption Standard (AES) for encryption |
| Device Compatibility | 802.11a,b,g | 802.11a,b,g | 802.11a,b,g |

Wi-Fi Protected Access (WPA) Exploits

There are a number of exploits available against Wi-Fi Protected Access (WPA). These include both data integrity/confidentiality attacks and Denial of Service (DOS) attacks.
In the integrity/confidentiality realm, passive monitoring and dictionary attacks on pre-shared keys are public knowledge, as are security issues around Rivest Cipher 4 (RC4), the underlying encryption protocol. On the DOS front, several attacks are available, either by exploiting a specific feature of the protocol or by using the long-standing wireless technique of radio frequency jamming. First the data integrity/confidentiality attacks are discussed, followed by the DOS attacks.

Data Integrity/Confidentiality Attacks

Of the types of attacks covered in this document, data integrity/confidentiality attacks potentially have the greatest risk and exposure in many environments since these attacks can go undetected and leave confidential data openly available to potentially hostile parties, including competitors. The attacks discussed here include a passive monitoring attack and a dictionary attack against the pre-shared key mode of WPA, as well as attacks against the Rivest Cipher 4 (RC4) algorithm used for packet encryption.

Pre-Shared Key (PSK) Attacks

A pre-shared key (PSK) is a 256 bit number or a pass phrase 8 to 63 bytes long. Each Access Point (AP), when configured in PSK mode, has a single PSK which is used to generate session keys for each user connecting to the AP. The PSK attacks are more relevant to home or small business users than large enterprises, as larger organizations are more likely to set up RADIUS servers for authentication rather than using PSK.

Pre-Shared Key (PSK) Monitoring Attack

The Pre-Shared Key (PSK) Monitoring attack is performed by the attacker obtaining the basic information communicated between the client and Access Point (AP), and then generating the Pairwise Transient Key (PTK) for a session, using the already known PSK. The attacker does this by passively listening as another client on the network connects to the Access Point (AP).
All necessary information for generating the PTK is readily available: client and AP MAC addresses; 2 nonces from the 4-way handshake; and the selected cipher suite. Once the attacker has this set of information, he can generate the PTK, which is computed with a Keyed Hash Message Authentication Code (HMAC) over the PSK (already known by the attacker), the two MAC addresses, and the two nonces from the first two packets of the 4-way handshake. At this point, an attacker can decrypt any packets another user of the network may send.

Pre-Shared Key (PSK) Dictionary Attack

If the attacker does not know the Pre-Shared Key (PSK), they may perform the Pre-Shared Key Dictionary attack to attempt to determine the key. For user selected pass phrases (PSKs) of less than 20 characters, this type of attack is expected to be successful. In this attack, the pass phrase can be determined by using a dictionary of common pass phrases and running them through a well known algorithm for generating Pairwise Master Keys (PMKs). This algorithm concatenates the pass phrase, the SSID, and the SSID length into a single string which is hashed 4096 times, generating the PMK. Due to the number of potential pass phrases and the algorithms that must be performed, this attack must be performed offline. Once the attacker has determined the PMK, he may use it to generate Pairwise Transient Keys (PTKs) for individual sessions as described in the previous attack. The solution for this attack is to use pass phrases of greater than 20 characters or a relatively shorter, random, hexadecimal key.

Rivest Cipher 4 (RC4) Attack

Although no specific attacks on Rivest Cipher 4 (RC4) in Wi-Fi Protected Access (WPA) have been published, RC4 has several deficiencies in its security as a cipher which were discovered in its usage for the Wired Equivalent Privacy (WEP) protocol.
One attack identified by Fluhrer and McGrew can separate out the keystream from the cipher when provided a gigabyte of data. Although this is substantial network traffic, a passive listener on a relatively idle wireless network could collect this data over time, or could collect this data much more rapidly on an active network. Another attack identified by Fluhrer, Mantin and Shamir found that the first few bytes of an output keystream have patterns which allow for the detection of information about the encryption key. WPA has helped mitigate this by using a 48-bit initialization vector (IV) for RC4 rather than the 24-bit IV used in WEP; dynamically generating a new key for each packet; and throwing away the initial portion of the keystream before using it for combination with the plain text.

Denial of Service (DOS) Attacks

Denial of Service (DOS) attacks are nuisance attacks, leaving clients without wireless network coverage in a service area for a period of time. The DOS attacks discussed here include an attack that was inadvertently exposed as part of the security in the WPA protocol and a well known attack that exists due to the underlying use of radio frequencies for wireless networks. Each is discussed in the following sections.

Wi-Fi Protected Access (WPA) Protocol Shutdown Attack

In Wi-Fi Protected Access (WPA)’s quest for improved security, it exposed itself to a Denial of Service (DOS) vulnerability within its protocol. This vulnerability occurs because WPA will shut down whenever it detects two attack packets (packet forgeries) from a client to an Access Point (AP) within a 1 second window; in this case, two packets with invalid Message Integrity Checks (MICs). In the shutdown process, the AP will delete its keys and disconnect all clients, wait a minute and then reconnect with the clients. This allows malicious clients to sit on the network, forging packets to the AP, shutting down service for users of the AP.
With high frequencies of these forged packets, the AP can be made nearly perpetually unavailable and thus unusable to clients. The solution to this attack is to employ Access Control Lists (ACLs) for APs such that only valid clients can access the AP's services.

Radio Frequency (RF) Jamming Attack

This Denial of Service (DOS) exploit is available in all wireless networking protocols. With this exploit, a radio frequency jamming device can be used to disrupt client communications with Access Points (AP) in a service area. The solution to this attack is to secure the perimeter of the service area, where possible. However, this is not always possible in open areas like coffee shops and university campuses.

Wi-Fi Protected Access 2 (WPA2) Overview

The Wi-Fi Protected Access 2 (WPA2) standard, also known as 802.11i, is a superset of WPA. It includes the 802.1X/EAP authentication for corporate environments and PSK authentication for home environments, as does WPA. In addition, a new encryption scheme called Advanced Encryption Standard (AES) has been added as the block cipher, operating on 128 bit data blocks. The AES standard is much more secure than the Rivest Cipher 4 (RC4) standard used in WPA. It supports encryption using keys of 128, 192 or 256 bits.

Counter Mode CBC MAC Protocol (CCMP) is an additional security protocol used by WPA2. CCMP is responsible for key rotation, packet encryption and Message Integrity Checking (MIC) in the same way TKIP is in the WPA standard. CCMP calculates a MIC on each packet, using the Cipher Block Chaining Message Authentication Code (CBC-MAC) algorithm. This algorithm is very strong in that changing a single bit in the message produces a different MIC. The WPA2 standard is compatible with existing WPA WiFi devices.

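The shutdown behaviour described in the WPA Protocol Shutdown Attack section can be modelled to attribute countermeasure triggers to transmitter addresses and to measure the outage with and without an ACL. This is an added example, not code from the original paper; the event records, MAC addresses and the assumption that an ACL drops a frame before its MIC is checked are constructed for illustration.

```python
from dataclasses import dataclass

WINDOW_S = 1.0    # two MIC failures inside this window trigger shutdown (per the text)
HOLDOFF_S = 60.0  # AP deletes keys, drops all clients and waits a minute (per the text)

@dataclass
class MicFailure:
    t: float      # seconds since the start of the observation
    src: str      # transmitter MAC of the frame with the invalid MIC

def simulate(events, observe_s, acl=None):
    """Return (shutdown_times, downtime_seconds, frames_per_offender)."""
    shutdowns, offenders = [], {}
    last_fail, down_until = None, 0.0
    for ev in sorted(events, key=lambda e: e.t):
        if acl is not None and ev.src not in acl:
            continue                  # assumption: ACL rejects the frame before the MIC check
        if ev.t < down_until:
            continue                  # AP is already offline
        if last_fail is not None and ev.t - last_fail.t <= WINDOW_S:
            shutdowns.append(ev.t)    # second failure in the window: shutdown
            down_until = ev.t + HOLDOFF_S
            for src in (last_fail.src, ev.src):
                offenders[src] = offenders.get(src, 0) + 1
            last_fail = None
        else:
            last_fail = ev            # isolated failure, e.g. a corrupted frame
    downtime = sum(min(s + HOLDOFF_S, observe_s) - s for s in shutdowns)
    return shutdowns, downtime, offenders

# Constructed sample: one station sends pairs of bad-MIC frames, a valid
# client produces two isolated corrupted frames.
VALID_CLIENT, UNKNOWN_STA = "02:00:00:00:00:01", "02:00:00:00:00:99"
SAMPLE = [MicFailure(t, UNKNOWN_STA) for t in (10.0, 10.5, 71.0, 71.25, 132.0, 132.5)]
SAMPLE += [MicFailure(40.0, VALID_CLIENT), MicFailure(200.0, VALID_CLIENT)]

if __name__ == "__main__":
    shutdowns, downtime, offenders = simulate(SAMPLE, observe_s=300.0)
    print(f"no ACL: {len(shutdowns)} shutdowns, {downtime / 300.0:.0%} downtime, {offenders}")
    print("with ACL:", simulate(SAMPLE, observe_s=300.0, acl={VALID_CLIENT}))
```

In the sample, six forged frames in five minutes keep the AP offline for 180 of 300 seconds, while the isolated failures from the valid client never trigger a shutdown.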
Wi-Fi Protected Access (WPA) Cryptographic Algorithms and Protocols

Below is a listing of the primary cryptographic algorithms and protocols used by the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) standards as discussed in this document.

| NAME | TYPE | STD | DESCRIPTION |
|---|---|---|---|
| Advanced Encryption Standard (AES) | Block Cipher | WPA2 | Block cipher with a fixed block size of 128 bits and a key size of 128, 192 or 256 bits. The algorithm typically operates on a 4x4 byte matrix, applying operations: add round key, substitute bytes from a look up table, shift rows, and mix columns over multiple rounds. |
| Cipher Block Chaining Message Authentication Code (CBC-MAC) | MIC | WPA2 | Uses AES cipher blocks in a chain to perform integrity checking of the message. Each subsequent block is dependent upon the proper encryption of the preceding block. |
| Counter Mode CBC MAC Protocol (CCMP) | Encryption and MIC | WPA2 | Performs packet encryption, using AES, and message authentication/integrity checking, using CBC-MAC. It is equivalent in function to TKIP. |
| Keyed Hash Message Authentication Code (HMAC) | Hash | WPA | Performs message authentication/verification, using a cryptographic hash function and a secret key. The cryptographic strength of the hash depends upon the underlying hash function (e.g. SHA-1) and the size of the key. See http://csrc.nist.gov/publications/fips/fips198/fips198a.pdf |
| Rivest Cipher 4 (RC4) | Stream Cipher | WPA | Variable key sized (typically 256 bits) stream cipher. A random bit stream is XOR’d with plaintext to create an encrypted stream. The key schedule is created by first initializing the 256 bit vector and then performing a pseudo random key generating algorithm on the vector. |
| Temporal Key Integrity Protocol (TKIP) | Encryption and MIC | WPA | Specifies a newly generated key for each encrypted packet, a Message Integrity Check (MIC) for each packet, and new key generation for each session. Uses the RC4 stream cipher with 128 bit keys for encryption and 64 bit keys for authentication. |

References

1. Weakness in Passphrase Choice in WPA Interface; By Glenn Fleishman, Robert Moskowitz
2. Weakness Reported in Wireless Security Protocol; By Larry Seltzer; November 6, 2003
3. Passphrase Flaw Exposed in WPA Wireless Security, TechNewsWorld; By Jay Lyman; 11/06/03 3:12 PM PT
4. WPA versus 802.11i (WPA2): How your Choice Affects your Wireless Network Security
5. Wireless security; By Lisa Phifer; 13 Dec 2002
6. Wi-Fi Encryption Fix Not Perfect
7. WPA Security Enhancements; By Jim Geier; March 20, 2003
8. Making the WPA Upgrade; By Steven J. Vaughan-Nichols; May 5, 2003
9. Wi-Fi Security: Are We There Yet?; December 5, 2005 11:42AM
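
The key derivation that the Pre-Shared Key (PSK) attack sections and the HMAC and TKIP table entries describe, as an added example that is not code from the original paper: it uses PBKDF2-HMAC-SHA1 and the 802.11i PRF-512 to show that the PSK is the only secret input and that the TKIP key sizes match the table. The SSID, pass phrases, MAC addresses, nonces and the `psk_meets_guidance` reading of the paper's pass phrase advice are constructed assumptions.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK: PBKDF2-HMAC-SHA1 over the pass phrase, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """PTK: 802.11i PRF-512 (iterated HMAC-SHA1) over the MACs and handshake nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for counter in range(4):  # 4 x 20-byte digests cover the 64 bytes needed
        msg = b"Pairwise key expansion\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:64]

def split_tkip_ptk(ptk: bytes) -> dict:
    """TKIP layout: one 128-bit encryption key and two 64-bit MIC keys, plus KCK/KEK."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC_AP_TO_STA": ptk[48:56], "MIC_STA_TO_AP": ptk[56:64]}

def psk_meets_guidance(psk: str) -> bool:
    """Assumed reading of the paper's advice: more than 20 characters, or 64 hex digits."""
    is_hex_key = len(psk) == 64 and all(c in "0123456789abcdefABCDEF" for c in psk)
    return is_hex_key or 20 < len(psk) <= 63

# Constructed sample values, not taken from a real network or capture.
SSID, PSK = "ExampleNet", "office-wifi"
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))

def demo() -> dict:
    pmk = derive_pmk(PSK, SSID)
    ptk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return {
        # Same PSK, new nonce: every session gets a different PTK.
        "fresh_nonce_changes_ptk": derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, bytes(32)) != ptk,
        # The SSID is mixed into the PMK, so the same pass phrase differs per network.
        "ssid_changes_pmk": derive_pmk(PSK, "OtherNet") != pmk,
        "key_bits": {name: len(key) * 8 for name, key in split_tkip_ptk(ptk).items()},
        "sample_psk_ok": psk_meets_guidance(PSK),
    }

if __name__ == "__main__":
    print(demo())
```

Every input to `derive_ptk` other than the PMK travels in the clear during the 4-way handshake, which is why users who share one PSK have no confidentiality from each other and why the pass phrase length check matters.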