Wireless Networking Security “…those who would sacrifice freedom for security deserve neither…” Benjamin Franklin Why go wireless The popularity of wireless network is clearly on the increase. But what are the hidden costs of going wireless? Are we giving up our security? The main benefits of wireless networking are: cost convenience The main drawbacks are: speed security General Security Issues of Wireless Networks Network security issues, whether wired or wireless, fall into three main categories: availability, confidentiality and integrity: Confidentiality: is the information being sent across the network transmitted in such a way that only the intended recipient(s) can read it. Integrity: is the information reaching the recipient intact Availability: is the network available to users whenever it is supposed to be Confidentiality The main way to ensure that data is not disclosed to unauthorised users is by encrypting it during transit, and wireless networks are able to do this in just the same way as wired networks. However, encryption is meaningless without authentication, since an unauthorised user could authenticate themselves onto the network and then be given the key with which to decrypt the data. The traditional model for authorisation is to have some form of centralised system which stores access control lists. This model is fine for use in networks which have a relatively static set of users, and so is suitable for Wi-Fi, but in other networks such as Bluetooth networks, which are much more ad-hoc in nature, this approach becomes impractical. In ad-hoc networks, not only does the dynamically changing set of users make updating access control lists infeasible in terms of cost, but there is also no guarantee that these devices would be able to access any central system. In these systems, a better approach is to form secure transient associations between devices, where the decision on who to trust is made either by each device, or by one master device which instructs the slave devices on how to behave. There is a lot of interest in this model for applications such as controlling police weapons. In America, a large proportion of injuries to police officers come from stolen police guns. If each officer had a very short range ring (the master) associated with the gun (the slave) it would prevent anyone other than that officer from using the weapon. Integrity Because packets of data in wireless networks are sent through the air, they can be intercepted and modified quite easily by malicious users. This means that wireless networks are more vulnerable to attacks on the integrity of data. However, the current methods used by wired networks to ensure the integrity of packets, such as checksums, are perfectly adequate for ensuring the integrity of packets in wireless networks, and so no novel solutions have been adopted. Availability Wireless networks are particularly susceptible to DoS (Denial of Service) attacks. Unlike wired networks, which require the attacker to be physically connected to the network in some way before they can launch such an attack, with wireless networks an attacker only has to be within a certain range of the network (usually 100m) to be able to launch such an attack. These kind of attacks are particularly difficult to stop since network providers want to allow legitimate users to initiate communications with the network, and cannot stop malicious users from exploiting this to cause a denial of service. Another way in which malicious users can potentially restrict the availability of the wireless networks is through radio jamming. This involves sending out a lot of noise on the same frequency as the network uses. However, there are techniques, such as frequency hopping which can make this kind of attack more difficult. Also, this threat is less relevant in the non-military world since the 'jammer' could be reported to the police and arrested. One kind of attack on the availability of wireless networks which has arisen in the last few years is battery exhaustion attacks. Because many wireless network devices are portable and therefore battery powered, malicious users can repeatedly send messages to the device. This prevents it from going into its sleep mode, and the battery runs down much faster. Wi-Fi (Wireless Fidelity) Standards Like with most new geeky technologies there is currently a mish mash of standards. 802.11 original 1997 2.4Ghz wireless Ethernet standard data rate 1 or 2Mbps 802.11a 5Ghz frequency less susceptible to interference not compatible with 802.11b data rate of 54Mbps uses OFDM (Orthogonal Frequency Division Multiplexing) short range (60 feet) 802.11b most widely used standard up to 11Mbps 2.4Ghz frequency is subject to interference uses direct sequence spread spectrum modulation long range (300 feet) 802.11g regarded by most as an extension to the life of 802.11b uses the OFDM bit of 802.11a and 2.4Ghz bit of 802.11b same frequency as 802.11b and so backwards compatible data rate of 54Mbps 802.11i (coming soon) IEEE certified security specification not a wireless protocol as such offers improved security for data in transit better control of who can use the network 802.11c/d/e/f/h/IR/j/k/m? technical specifications of low level standards Gi-Fi (maybe coming, but not soon) theoretically 2Gbps can be achieved at frequencies of 56Ghz [1] Stream and Block Ciphering Overview Block Ciphers A block cipher is a symmetric cipher that operates on a fixed size block of bytes at a time. The stream of binary digits that make up a message are divided into blocks of a standard size (typically 64 or 128 bits long) and then the encryption algorithm is applied so that all the bits of each block are encrypted at the same time using the same key. Example: Using blocks of 8-bits and a 10-bit key... block 1 block 2 p0,p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14 encrypted using shared secret k01,k2,k3,k4,k5,k6,k7,k8,k9,k1 c0,c1,c2,c3,c4,c5,c6,c7 Following transmission the ciphertext is decrypted a block at a time at the receiver by applying the reverse transformation using the same, shared secret key. Examples of block ciphers are DES, triple DES (3DES), AES and Blowfish. Stream Ciphers A stream cipher is a symmetric (secret key) cipher that operates on small units of data (as small as a single bit) at a time. Sender and receiver both share the secret key To send a message the sender uses the key to produce an infinite pseudo-random keystream. The keystream is then logically combined with the plaintext, typically via an operation such as XOR to produce ciphertext. At the other end of the network, the receiver uses the shared secret key to produce an identical keystream to the sender. This is then XOR-ed with the incoming ciphertext to reproduce the original plaintext. Example of Stream Cipher: RC4 Regardless of the type of symmetric cipher being used it is important to keep changing the key used for encryption. If an attacker can obtain two different ciphertexts encrypted using the same key, statistical analysis of the text’s can be applied to break the encryption and determine the contents of the shared key. Note: In reality an infinite keystream is obviously never produced. The keystream is simply as long as the message being sent. Security flaws with first generation WiFi Pre 802.11i hardware manufacturers are/were free to provide which ever level of security that they saw fit. The baseline security protocol for Wi-Fi is WEP (Wired Equivalent Privacy) this was first used in the early 802.11 wireless standard and also exists in 802.11b unchanged [2]. Run down of WEP Optional encryption standard implemented in the MAC layer. Encryption in WEP: uses a secret key, k (40 or 128 bit). k is shared between the access point and the mobile node. does not specify how k is established – so this is done manually for the moment. k is used to encrypt packets before transmission. integrity check (CRC-32) is used to ensure that packets are not modified in transit. To compute an encrypted frame: 1. the plaintext frame data, M, is first concatenated with its ICV (integrity check value) or checksum, c(M), to produce M + c(M). ICV used after decryption to check that the frame hasn’t been tampered with in transit. If the receiver calculates and ICV that doesn’t match the one found in the frame the receiving station can reject it or flag the user. 2. an initialisation vector (IV) is joined to the secret key to create the packet key, (IV + k). a random 24bit IV lengthens the life of the secret key because it can be changed for each frame transmission. The IV is included unencrypted in the frame so it can be used for decryption. 3. the RC4 cipher is constructed using the packet key RC4(IV + k). 4. the cipher is XORed with the checksummed plaintext to get the ciphertext (encrypted data): C = (M + c(M)) XOR RC4(IV + k) Weaknesses 1. IV – The small space of possible initialisation vectors means that a collision is inevitable. 2. CRC and RC4 – The combination of CRC and RC4 means it is possible to change the message while flipping appropriate bits in the checksum to keep the packet valid. Types of attack 1. Passive attacks to decrypt traffic based on statistical analysis. 2. Active attack to inject new traffic from unauthorised mobile stations, based on known plaintext. 3. Active attack to decrypt traffic by tricking the access point. 4. Dictionary building attack that after a day’s worth of traffic, allows real time automated decryption of traffic. Passive Attack A passive eavesdropper intercepts all wireless traffic, until an IV collision occurs. By XORing two packets that use the same IV, the attacker obtains the XOR of the two plaintext messages. The resulting XOR can be used to infer data about the contents of the two messages. IP traffic is often very predictable and includes a lot of redundancy. This redundancy can be used to eliminate many possibilities for the contents of messages. Further educated guesses about the contents of one or both of the messages can be used to statistically reduce the space of possible messages, and in some cases it is possible to determine the exact contents [2]. An extension of this attack uses a host on the Internet to send known messages to a wireless network station. Because the attacker knows the contents of these messages he will easily be able to decrypt all packets that are sent using the same initialisation vector. Active Attack to inject new traffic If an attacker knows the exact plaintext for one encrypted message, this can be used to construct correct encrypted packets. This procedure involves calculating the checksum for a new message and performing bit flips on the original encrypted message to change the plaintext to the new message. The basic property is that RC4(X) XOR X XOR Y = RC4(Y). This new packet can now be sent to a mobile station or access point and will be accepted as a valid packet. Active Attack to decrypt traffic If the attacker is able to guess part of the header of a packet then he may be able to flip appropriate bits to change the destination IP address of the packet. The address could be changed to a match the address of a machine somewhere on the Internet that the attacker controls. The attacker could then broadcast the modified packet from a rogue mobile station. As most wireless network installations have Internet connectivity the packet will be successfully decrypted by the access point and forwarded unencrypted to the attackers machine on the Internet! Dictionary Building Attack The small space of initialisation vectors allows an attacker to quite quickly build a table of key streams with an entry for each IV. Once a key stream is identified it can be used to decrypt all other packets that use the same IV. Remember that the IV is sent unencrypted in the packet header. Over time the attacker can build an exhaustive table of IVs and corresponding key streams. Once built the attacker can easily decrypt every packet sent over the wireless link, without actually ever knowing the secret key, by looking up the correct key stream in the table. As the initialisation vector in WEP is only a 24-bit field a busy access point will exhaust every possible IV in just 5 hours! Wired Equivalent Privacy isn’t equivalent to the privacy over a wired connection. Solutions to the short comings of original Wi-Fi security Wi-Fi Protected Access (WPA) Wi-Fi Protected Access (WPA) is a subset of the forthcoming IEEE 802.11i security standard (also known as WPA2) and is designed to overcome all of the weaknesses identified in WEP. WPA works with existing 802.11 based hardware using firmware upgrades and will offer full forward compatibility with the new standard following its eventual certification. Features of WPA Enhanced encryption scheme: Temporal Key Integrity Protocol (TKIP) Message Integrity Checks (MIC) Strong User Authentication using one of the standard Extensible Authentication Protocol (EAP) types available Encryption One of WEP’s chief weaknesses was that it used a small (40-bit) static key to initiate encryption. This key is entered manually on the AP (Access Point) and on all clients that communicate with it. It never changes unless it is manually re-entered on all devices. A 24-bit initialization vector is then appended to this to produce a 64-bit key that is used for encryption. On busy networks, the initialization may need to be repeated in a matter of hours meaning that encryption keys are often re-used. TKIP replaces the single static key with keys that are dynamically generated each time a wireless client connects to the network. Key size increased from 40 to 128 bits Initialisation Vector increased from 24 to 48-bits A unique encryption key is generated for every packet After accepting a user’s credentials an authentication server produces a unique master key which is valid for the current computing session only. “TKIP distributes this key to the client and the AP and sets up a key hierarchy and management system, using the pairwise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated during that user’s session” Wi-Fi Alliance white paper, 2003 Message Integrity Checks Designed to prevent an attacker from capturing data packets, altering and then resending them. The MIC provides a strong mathematical function that is calculated by both sender and receiver The receiver compares its calculated value with the contents of the packet If the calculated value does not match what is found inside the packet, the packet is assumed tampered with and discarded Authentication Home Environments Pre-Shared Key: This method for authentication uses a statically configured passphrase on both the client workstations and on the access point. This allows users of the network to be authenticated at the access point without the need for an authentication server, which is unlikely to be available in home or small office environments. Enterprise Security Access to the network is controlled by an authentication server. This holds user credentials (e.g. user names and passwords) and authenticates wireless users before they gain access to the network. One of the Extensible Authentication Protocol (EAP) types available is then used to carry out the authentication. Extensible Authentication Protocol (EAP) EAP is a general protocol for authentication of network users. It does not select a specific authentication mechanism upon establishing a link, preferring to wait until a separate authentication phase. “This allows the authenticator to request more information before determining the specific authentication mechanism.” www.faqs.org A number of mechanisms are supported under this scheme including digital certificates (already widely used in Internet security), unique usernames and passwords, smart cards, secure IDs, or any other identity credential that the IT administrator is comfortable deploying. 802.11i Security (WPA2) Why bother? While WPA offers significantly better security than WEP it can still be strengthened. It uses static keys for user authentication and the RC4 encryption algorithm is known to be vulnerable to some analytic attacks. In addition, one in every 256 keys generated using the RC4 algorithm is likely to be ‘weak’ – “one or more bytes of the generated ciphertext are strongly correlated with a few bytes of the key”. www.ncat.edu 802.11i Features New method for encryption: Advanced Encryption Standard (AES) Combines encryption with authentication using dynamic keys for both Scheduled for certification September 2004 Bluetooth Trivia: named after Danish king Harald "Bluetooth" (Blåtand) 950-986, who united Denmark Bluetooth, like Wi-Fi, is a standard for wireless network communications. However, unlike Wi-Fi, which is designed to replace existing, high bandwidth, long range wired networks Bluetooth is designed primarily for short range, low bandwidth 'Personal Area Networks'. The idea is to provide a common communication specification to allow completely dissimilar devices, such as PDAs, mobile phones, printers and even fridges to communicate with each other. Unlike Wi-Fi, Bluetooth has to be available to devices with low computational power. Bluetooth devices are divided up into 3 power categories: Category 1 devices have a range of between 0.1 and 1m. These devices might include mobile phone headsets, where the communicating devices are most likely to be in close proximity Category 2 devices have a range of between 1 and 10m. This is the most common power range for Bluetooth devices. Most suitable for PAN’s since it provides sufficient range for most applications, but is limited range enough to provide a certain level of security from potential listeners. Category 3 devices have a range of up to 100m. This is equivalent to most current WiFi networks, but given the low bandwidth of Bluetooth(1Mbps theoretical, ~700Kbps actual with Forward Error Correction) is not a direct competitor Another difference to Wi-Fi is the ad-hoc nature of Bluetooth networks. Although Wi-Fi networks are designed with a certain amount of flexibility, they are generally fairly static. In contrast, Bluetooth devices (which are most often mobile) are designed to be able to move in and out of networks as the owner moves around. This difference means that the same security procedures that are used in Wi-Fi are not suited to Bluetooth, and new measures have been adopted. Bluetooth Security In Bluetooth, there are three security modes Security Mode 1: In this mode, the device does not implement any security procedures, and allows any other device to initiate connections with it Security Mode 2: In mode 2, security is enforced after the link is established, allowing higher level applications to run more flexible security policies. Security Mode 3: In mode 3, security controls such as authentication and encryption are implemented at the Baseband level before the connection is established. In this mode, Bluetooth allows different security levels to be defined for devices and services. Devices Devices are other Bluetooth devices that wish to use the services you provide. These devices are divided into two categories: trusted and untrusted Trusted devices have a fixed relationship with your device. They generally have unrestricted access to all services, although this can be refined to set different access policies for each service. Untrusted devices have no permanent fixed relationship with your device (but may have a temporary one) or have a permanent relationship but are considered untrustworthy. They are generally limited as to the services they can access. Services Services are the services you provide to other devices, and are divided into three categories: Services that require authorisation and authentication: Only trusted devices have automatic access; all other devices require manual authorisation Services that require authentication only: authorisation is not required Services that are open to all: access to services is granted without the need for approval Service level security In security mode 2, security is handled by higher level applications rather than at the link level, and is enforced after the communication is established Fig 1: The Bluetooth architecture Because Bluetooth uses the RFCOMM protocol it is able to use existing protocols such as TCP, UDP and WAP, and can use the security measures built into these. Link level In security mode 3, security is enforced before a communications link is established. Security in Bluetooth, like in other networks is based on authentication and encryption. In Bluetooth security there are four main identifiers 1. 48 bit unique IEEE Bluetooth device address (BD_ADDR) 2. 128 bit Link key, used for authentication 3. 8-128 bit symmetric encryption key 4. 128 bit random numbers (RAND) generated as required Authentication To authenticate devices in Bluetooth, a link key is generated for the connection, followed by a challenge-response strategy to ensure that the claimant device knows the link key. There are four types of link key defined in the Bluetooth specification: unit keys, initialisation keys, combination keys and master keys. In addition, Bluetooth defines four algorithms (E1, E21, E22 and E3) for key generation and authentication. They are all based on the SAFER+ block cipher algorithm. Unit key: The unit key is generated in the device when it is first turned on, using the E21 key generating algorithm. Once generated, it is stored in the non-volatile memory of the device and rarely changes. The unit key can be used as a link key between two devices, however it is a last resort since sharing the unit key allows the device to be 'spoofed'. For example, if device A communicates with device B using A's unit key as the link key, device B then has a copy of A's unit key. Device B can then pretend to be device A and start a communication with device C, or can intercept and decode communications between A and C if A's unit key is used as the link key. In general, the unit key is only used as a link key when one of the devices has very limited memory and is not capable of remembering any extra keys. Fig 2: The E21 key generation algorithm used in generating unit and combination keys Initialisation key: The initialisation key is needed for two devices who have never communicated before. A PIN code of between 1 and 16 octets in length is entered into both devices, and an initialisation key is generated using the E22 key generating algorithm. The algorithm is given the PIN (augmented with the BD_ADDR of the claimant device), and a 128bit random number from the verifying device. This key is then used for key exchange during the generation of a link key after which it is discarded. Fig 3: The E22 key generation algorithm, used in generating initialisation and master keys Combination key: The combination key is generated using another key, usually the initialisation key, and is the most secure of the four keys. Firstly, each unit generates a temporary key using the same method as used for unit key creation (e.g. device 1 inputs RAND1 and BD_ADDR1 into the E21 algorithm to produce KEY1, device 2 inputs RAND2 and BD_ADDR2 to produce KEY2). Device 1 then XORs its temporary key (KEY1) with the current link key and sends it to device 2. Similarly, device 2 XORs KEY2 and sends it to device 1. Each device then decrypts the random number, and using the BD_ADDR of the other device, calculates the other temporary key. Both devices then XOR KEY1 and KEY2 to produce the combination key. Master key: This key is the only temporary key and is generated when one device needs to communicate with several others (one master, several slaves). Firstly, the master key is created (by the master) by putting two random numbers into the E22 key generation algorithm. The master then sends another random number to each slave. The master and all the slaves then put the current link key and the random number into the key generating algorithm to produce an overlay. The master then XORs the master key with that overlay and transmits it to all of the slaves. The slaves (which each have a copy of the overlay) can then calculate the master key. Once the link key has been established, Bluetooth uses a challenge-response scheme for authentication, and relies on both parties sharing the same secret key. Firstly, the verifier sends the claimant a 128 bit random number. The claimant inputs this number, the current link key and its own BD_ADDR into the authentication algorithm E1, and sends the output back to the verifier. If the response matches the value calculated by the verifier, the claimant is authenticated. A by-product of the authentication algorithm is the ACO (Authenticated Ciphering Offset) which is stored by both devices for use later on in the encryption process. Fig 4: The E1 authentication algorithm Encryption To encrypt payloads of their packets, Bluetooth devices uses private encryption key derived from the current link key, the 96 bit COF (Ciphering Offset Number - based on the ACO generated during the authentication process) and a 128 bit random number. This encryption key, along with the device clock, the device address and a random number are fed into the E0 stream cipher algorithm (based on the Massey and Rueppel summation stream cipher generator). The encryption key is regenerated every new packet transmission. Fig 5: Encryption in Bluetooth Since the encryption key size varies from 8 bits to128 bits, the devices have to negotiate the length of the encrytpion key. Firstly, the master sends a suggested length to the slave. The slave can then accept this, or reject it and send back a suggestion for another length. This continues until a consensus is reached, or until one of the devices aborts the negotiation. Weaknesses with Bluetooth There are three main types of attacks on Bluetooth connections Attacks on the confidentiality It has been suggested that the E0 stream cipher can be broken in 2^66 in some circumstances. However, the fact that Bluetooth devices resynchronise the stream cipher every packet means that malicious users attempting to break the encryption in this way would not have sufficient time to succeed. If a device's unit key is used as the link key, trusted devices can spoof that device and can initiate communications posing as that device, or can intercept communications between that device and another which use the unit key as a link key. The fact that Bluetooth uses 4 digit pins for the initialisation key is a weakness. With only 10000 possibilities, PINs can be exhaustively searched and the key broken. In addition to this, research has shown that 50% of PINs are ‘0000’, putting the security of PINs further into question. One way to avoid this threat is by only pairing devices in secure locations. Given that the range of most Bluetooth devices is only 10m (less when the signal has to travel through walls) this is not too inconvenient, and generally only prohibits users from pairing in busy locations such as stations or airports. Attacks on the availability Bluetooth uses the unlicensed and heavily used, 2.45Ghz frequency. This makes it susceptible to interference from other devices, such as microwaves. However, to combat this it uses the technique of frequency hopping. This improves the clarity and also discourages casual eavesdropping, since only synchronised devices can communicate. Another form of denial of service attack, the battery exhaustion attack, is one that Bluetooth devices are susceptible to. Unfortunately, it is very difficult to prevent this kind of attack without restricting the usability of the device. For example, users can choose to turn off Bluetooth until they need it, but this is irritating for the user. Work is underway by the Bluetooth Special Interest Group to find a solution, but currently there is no effective defence. Attacks on user privacy Another issue with Bluetooth is that of user privacy. Since the address of the device is freely available, once it is associated with an individual it can be used to carry out profiling, and other more questionable forms of monitoring, violating user privacy. Bluejacking is where users can send anonymous, unsolicited messages to other Bluetooth users Bluetooth in the form of business cards, exploiting the Bluetooth standard of accepting them. Although currently this is a relatively small and innocuous craze, the same property could be used by unscrupulous marketers to target passing customers (and indeed in some places, this is already happening). The combination of these two attacks on privacy could prove to be extremely annoying and intrusive to end users. For example, companies with your details (including the address of your Bluetooth device) on record could bombard you with personalised adverts and offers whenever you are near their store. Conclusion 1. Wired Equivalent Privacy is vulnerable to attack, has many weaknesses and is difficult to use. a. We think that the flaws with WEP are due to it being rushed to market to create demand for wireless networks. b. The security specification was not certified before being put into production, this mistake must be learnt from. 2. Wi-Fi Protected Access is more resilient to attack and is easier to use. a. WPA greatly improves on the security of WEP, but is only a stopgap for 802.11i 3. Bluetooth a. Security is sufficient for personal use, but for more security critical applications improvements need to be made In general, the biggest threat to the security of the network is the incompetence of the network administrators or users. The existing standards are strong enough to protect networks from all but the most determined of hackers, yet in many wireless networks these measures are not implemented. If users are considering going wireless, they need to worry less about the about the existing standards, and more about their own knowledge. References 1. Glenn Fleishman (2003), “Gi-Fi?”, (Wi-Finetnews.com) 2. Nikita Borisov, Ian Goldberg, and David Wagner (2001), “Security of the WEP algorithm”, (http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html) 3. Adam Stubblefield, John Ioannidis, Aviel D. Rubin (2001), “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP”, AT&T Labs Technical Report TD-4ZCPZZ. 4. Jim Geier (2002), “802.11 WEP: Concepts and Vulnerability”, (www.wifiplanet.com) 5. F.L.Wong (2003), “Security considerations for a short-range wireless technology”, (www.security.org.sg) 6. Juha T. Vainio (2000), “Bluetooth Security”, Helsinki University of Technology 7. Frank Stajano, Ross Anderson (1999), “The Resurrecting Duckling: Security Issues for Ad-hoc wireless networks” 8. Thomas Xydis (2000), “Security Comparison: Bluetooth Communications vs 802.11”, (www.bluetooth.org) 9. Thomas Muller (1999), “Bluetooth Security Architecture”, (www.bluetooth.org) 10. Christian Gehrmann (2002), “Bluetooth Security White Paper”, (www.bluetooth.org) 11. Wi-Fi Alliance (2003), “Wi-Fi Protected Access: Strong, standards-based, interoperable security for today’s Wi-Fi networks” 12. HP (2002), “Wi-Fi Security – Addressing Concerns”