Layla Pezeshkmehr

Security in Wireless LAN 802.11

Report, CS 265 “Security Engineering”
Instructor: Dr. Mark Stamp
Spring 2003, SJSU

1. Wireless Security
   1.1 Threats with wireless LANs
       1.1.1 Sniffing
       1.1.2 Invasion and resource stealing
       1.1.3 Traffic redirection
       1.1.4 Denial of service
       1.1.5 Rogue networks and station redirection
   1.2 IEEE 802.11 Security & WEP
       1.2.1 Open System Authentication
       1.2.2 Shared key Authentication
       1.2.3 Identified problems
       1.2.4 WEP Protocol
       1.2.5 WEP Encryption algorithm
       1.2.6 WEP Decryption
   1.3 WEP Problems
       1.3.1 Problem with RC4
       1.3.2 Problem with IV
   1.4 Today’s Access Control
   1.5 Cisco enhancements to 802.11b WEP to increase security

1. Security

Because wireless is a shared medium, IEEE 802.11b radio waves at 2.4GHz easily penetrate building walls and are receivable from the facility’s parking lot and possibly a few blocks away. Encryption and authentication should always be considered when developing a wireless network.

1.1 Threats with wireless LANs

Sniffing: Interception can occur using standard receivers such as high-gain antennas.

Invasion and resource stealing: An attacker could steal valid access and then gain direct access to all devices within a network.

Traffic redirection: An attacker can make changes in the ARP tables in switches on the wired network through the AP, causing packets to be routed to a different destination.

Denial of service: This attack may happen when an attacker attempts to flood a network, causing congestion, or to disrupt the connection between two machines to prevent access to a service.

Rogue networks and station redirection: An 802.11 wireless network is very susceptible to a rogue AP attack. A rogue AP is one owned by an attacker that accepts STA connections and then at a minimum intercepts traffic, if not also performing man-in-the-middle attacks, before allowing traffic to flow to the proper network.

1.2 IEEE 802.11 Security

IEEE 802.11 defines two authentication subtypes: Open system and Shared key.
Authentication is between two stations. Hence, it can only be performed in unicast frames, not in multicast frames.

Open System Authentication: Open System is a default, null authentication algorithm that involves a two-step process as follows:

1. A sends an authentication request to B.
2. B sends the result back to A.

If dot11AuthenticationType within B specifies “Open System,” the result code is “successful.” Otherwise, A is not authenticated.

[Figure 1.0: Open system Authentication. The station sends an Authentication Request (Open System Authentication) to the access point, which returns an Authentication Response.]

Shared Key Authentication: This approach provides a better degree of authentication than the open system approach. Shared Key authentication supports authentication of stations as either a member of those who know a shared secret key or a member of those who do not. The secret shared key resides in each station's MIB in a write-only form and is therefore only available to the MAC coordinator. For a station to utilize shared-key authentication, it must implement WEP. The 802.11 standard does not specify how to distribute the keys to each station, which creates a problem that is discussed under WEP Problems. The four basic steps are as follows:

1. A station (A) sends an authentication request frame to another station (the AP here).
2. The AP uses WEP to generate a string of octets as the authentication challenge text and replies to A.
3. The requesting station copies the received challenge text into another frame, encrypts the frame using the shared secret key, and sends it back.
4. At the AP, if the WEP ICV check is successful, the responder shall then compare the decrypted contents of the Challenge Text field to the challenge text that was sent in step 2 of the sequence. If they are the same, then the AP shall respond with a successful status code in the 4th frame. If the WEP ICV check fails, the responder shall respond with an unsuccessful status code.
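The four-frame shared-key exchange above, run in memory as an added example (not part of the original report). It relies on the WEP encapsulation the report describes under WEP Protocol: RC4 seeded with the IV followed by the key, and a CRC-32 ICV. The function names, the sample keys and the random 128-octet challenge drawn from os.urandom are assumptions of this example.

```python
import os
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (key schedule, then output loop)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Return IV (in clear) || (data || ICV) XOR RC4(IV || key)."""
    body = data + struct.pack("<I", zlib.crc32(data))  # ICV is CRC-32 of the data
    ks = rc4(iv + key, len(body))                      # per-packet seed
    return iv + bytes(a ^ b for a, b in zip(body, ks))

def wep_decrypt(key: bytes, frame: bytes):
    """Return the data, or None when the recomputed ICV' differs from the ICV."""
    iv, ct = frame[:3], frame[3:]
    body = bytes(a ^ b for a, b in zip(ct, rc4(iv + key, len(ct))))
    data, icv = body[:-4], body[-4:]
    return data if struct.pack("<I", zlib.crc32(data)) == icv else None

def shared_key_auth(ap_key: bytes, sta_key: bytes) -> str:
    """Run steps 1 to 4 and return the status code the AP would send."""
    # Step 1: the station's request carries no secret, so nothing to model.
    challenge = os.urandom(128)                                # step 2, sent in clear
    response = wep_encrypt(sta_key, os.urandom(3), challenge)  # step 3
    recovered = wep_decrypt(ap_key, response)                  # step 4: ICV check
    return "successful" if recovered == challenge else "unsuccessful"
```

Only the station's knowledge of the key is tested here; nothing in the exchange lets the station check the AP, which is the gap the report raises under Identified problems.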
[Figure 1.1: Shared-key authentication. The station sends an Authentication Request (Shared key Authentication); the access point returns a "Challenge" text string; the station performs WEP encryption of the challenge text and returns the "Challenge" text string encrypted with the shared key; the access point performs WEP decryption of the encrypted text and returns a positive or negative result based on the decryption result.]

Identified problems

Unfortunately, the authentication mechanisms defined in the standard are not satisfactory. First, let us remark that Open system authentication is in fact a null authentication. The messages are sent in clear, so anyone could impersonate either the station or the access point. In Shared key authentication, the station authenticates by proving its knowledge of the WEP key. On the other hand, there is no mechanism for an access point to prove its identity to the station, which opens the way for malicious access points to try to participate in the communication. Also, note carefully that only the station is authenticated, not the user of the station. Hence, the protection against an attacker with access to a wireless LAN device is not satisfactory.

WEP Protocol

Wired Equivalent Privacy (WEP) is the encapsulation of 802.11 data frames. The goal is to provide data privacy to the level of a wired network. WEP is a symmetric algorithm in which the same key is used to cipher and decipher.

WEP Encryption algorithm:

[Figure 1.2 - WEP encryption]

A secret key (40 bits) is shared between all the members of the BSS. The encryption algorithm is shown in figure 1.2. The secret key is concatenated with an initialization vector (IV, 24 bits) to produce a seed (64 bits), which is input to a pseudorandom number generator (PRNG). The PRNG transforms a relatively short secret key into an arbitrarily long key sequence. In other words, the PRNG outputs a key sequence of pseudorandom octets of length equal to the number of data bytes to be transmitted in the expanded data plus 4 bytes (CRC).
This is because the key sequence is used to protect the integrity check value (ICV, 32 bits) as well as the data. To protect against unauthorized data modification, an integrity algorithm operates on the plaintext to produce an ICV, which is then concatenated to the plaintext. The result is then XORed with the key sequence computed earlier. The output of this process is a message containing the IV and ciphertext. The sender then sets a bit indicating that this is a WEP encrypted packet to complete the process. In the above process, the secret key remains constant while the IV might be changed as frequently as every time a packet is sent. Since the IV travels with the message, the receiver will always be able to decipher any message.

WEP Decryption:

[Figure 1.3 - WEP Decryption]

When a packet arrives at the receiver, the receiver checks the “encrypted” bit in the frame. If it is set, the receiver extracts the IV from the frame and appends it to the BSS shared secret key to produce a seed, which is input to the PRNG to generate the “per-packet” RC4 key sequence. XORing the ciphertext with this key sequence gives the original plaintext and ICV. To verify the result, the receiver performs the integrity check algorithm on the recovered plaintext, producing a new ICV’. This ICV’ is compared to the ICV transmitted with the message. If ICV’ is not equal to ICV, an error indication is sent to MAC management. The general view of packet encryption and decryption is in figure 1.4.

[Figure 1.4 – encapsulation, de-capsulation of WEP. Encapsulation takes a frame of 802.11 Hdr and Data and produces 802.11 Hdr, IV, Data, ICV; decapsulation reverses it.]

1.3 WEP Problems

As described above, WEP uses the RC4 encryption algorithm, which is known as a stream cipher. A stream cipher operates by expanding a short key into an infinite pseudorandom key stream. The sender XORs the key sequence with the plaintext to produce ciphertext.
On the receiver side, the reverse process is performed: the same key sequence is XORed with the ciphertext, yielding the original plaintext. IEEE 802.11 does not require WEP implementers to change the IV after each packet is sent; instead, it only advises doing so.

If an attacker flips a bit in the ciphertext, then upon decryption, the corresponding bit in the plaintext will be flipped. And if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts. That is:

$$c_1 = p_1 \oplus b \quad \text{and} \quad c_2 = p_2 \oplus b$$

Then:

$$c_1 \oplus c_2 = (p_1 \oplus b) \oplus (p_2 \oplus b) = p_1 \oplus p_2$$

Knowledge of this XOR can enable statistical attacks to recover the plaintexts. The statistical attacks become increasingly practical as more ciphertexts that use the same key stream are known. Once one of the plaintexts becomes known, it is trivial to recover all of the others.

Theoretically, WEP was designed to guard against the above attacks. To prevent packets from being modified in transit, WEP uses an Integrity Check (IC) field in the packet. To avoid encrypting two ciphertexts with the same key stream, an Initialization Vector (IV) is used to augment the shared secret key and produce a different RC4 key for each packet. The IV is also included in the packet. However, both of these measures are implemented incorrectly, resulting in poor security.

1.3.1 Problems with RC4

The integrity check field is implemented as a CRC-32 checksum, which is part of the encrypted payload of the packet. However, CRC-32 is linear, which means that it is possible to compute the bit difference of two CRCs based on the bit difference of the messages over which they are taken. In other words, flipping bit ‘n’ in the message results in a deterministic set of bits in the CRC that must be flipped to produce a correct checksum on the modified message.
Because flipping bits carries through after an RC4 decryption, this allows the attacker to flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid.

1.3.2 Problems with IV

The initialization vector in WEP is a 24-bit field, which is sent in the clear text part of a message. A busy access point, which constantly sends 1500 byte packets at 11Mbps, will exhaust the space of IVs after 1500*8/(11*10^6)*2^24 = ~18000 seconds, or 5 hours. This allows an attacker to collect two cipher texts that are encrypted with the same key stream and perform statistical attacks to recover the plaintext. Worse, when the same key is used by all mobile stations, there are even more chances of IV collision. For example, a common wireless card from Lucent resets the IV to 0 each time a card is initialized, and increments the IV by 1 with each packet. This means that two cards inserted at roughly the same time will provide an abundance of IV collisions for an attacker.

Today’s Access Control

Cisco enhancements to 802.11b WEP to increase security:

By employing dynamic WEP keys, the Cisco Aironet security solution enhances WEP to decrease its predictability (to the hacker), significantly minimize any attack windows, and tie it to the user session and, optionally, network logon. The following are the key enhancements to the Cisco security solution.

Mutual authentication—The Cisco Aironet Wireless security offers customers a mutual authentication scheme instead of one-way authentication. Standards-based mutual authentication implementations that are easily deployable are still evolving. Therefore, Cisco created EAP—Cisco Wireless (LEAP) to ensure mutual authentication between a wireless client and a back end RADIUS server (Access Control Server 2000 V2.6). Communication between the access point and the RADIUS server is via a secure channel. This eliminates "man-in-the-middle attacks" by rogue access points and RADIUS servers.
Even though the paper does not address this area of concern, Cisco recommends that customers factor this class of vulnerability into their wireless security requirements.

Secure key derivation—The original shared secret secure key derivation is used to construct responses to the mutual challenges. It undergoes irreversible one-way hashes that make password-replay attacks impossible. The hash values sent over the wire are useful for one-time use only at the start of the authentication process, and therefore, never after.

Dynamic WEP keys—In addition, by offering a hassle-free, dynamic per-user, per-session WEP key, Cisco has made it easy for administrators to move away from static WEP keys, thus increasing the security. Cisco believes that one of the biggest security exposures in WLANs is primarily due to static WEP and the tremendous administrative burden it imposes. With the Cisco Aironet solution, session keys are unique to the users and are not shared among them. Also, with LEAP authentication, the broadcast WEP key is encrypted using the session key before being delivered to the end client. By having a session key unique to the user, and by tying it to the network logon, the solution also eliminates vulnerabilities due to stolen or lost client cards or devices.

Reauthentication policies—Customers can also set policies for reauthentication at the back-end RADIUS server ACS2000. This will force users to reauthenticate more often and get new session keys. Because the vulnerability window can be configured to be very small, we can minimize attacks where traffic is injected during the session.

Initialization Vector changes—The Cisco Aironet wireless security solution also changes the initialization vector (IV) on a per-packet basis so that hackers can find no predetermined sequence to exploit. This capability, coupled with the reduction in possible attack windows, greatly mitigates exposure to hacker attacks due to frequent key rotation.
In particular, this makes it difficult to create table-based attacks based on the knowledge of the IVs seen on the wireless network.

SSID – Service Set Identifier: Each AP has an SSID that it uses to identify itself. A common way of configuring a network is to require each STA to know the SSID of the AP to which it wants to connect. SSID provides a very modest amount of control. It keeps a STA from accidentally connecting to a neighboring AP. It does not, by itself, help with other security issues, and in particular it does not keep an attacker from setting up a “rogue” AP that uses the same SSID as the valid AP.

MAC filters: Some APs provide the capability for checking the MAC address of the STA before allowing it to connect to the network. This provides an additional layer of control in that only STAs with a registered MAC address can connect. This approach requires that the list of MAC addresses be configured. The list may be kept in long-term memory on the AP, or the AP may send a RADIUS request with the MAC address as the userid (and a null password) to a central RADIUS server and the RADIUS server will check the list. The RADIUS approach is especially appropriate if the MAC addresses are to be used with multiple APs. Using MAC filters is considered to be very weak security because on many wireless cards it is possible to change the MAC address by reconfiguring the card. An attacker could sniff a valid MAC address from the wireless network traffic and then configure his card to use it and gain access.
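Returning to the integrity problem in section 1.3.1, this added example (not part of the original report) shows why an encrypted CRC-32 ICV does not detect modification in transit, and sets it beside a keyed tag that does. The keystream is a constructed stand-in for the RC4 output of one IV and key pair, and the use of HMAC-SHA256 as the keyed tag, the payload and all names are assumptions of the example.

```python
import hashlib
import hmac
import struct
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(n: int) -> bytes:
    # Constructed stand-in for the RC4 output of one (IV, key) pair. The
    # outcome is the same for any keystream, because the cipher is a plain XOR.
    return hashlib.shake_256(b"constructed per-packet seed").digest(n)

def crc_icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))

def seal(data: bytes, tag: bytes) -> bytes:
    body = data + tag
    return xor(body, keystream(len(body)))

def unseal(ct: bytes, tag_len: int, make_tag):
    """Decrypt, recompute the tag over the data, return the data or None."""
    body = xor(ct, keystream(len(ct)))
    data, tag = body[:-tag_len], body[-tag_len:]
    return data if hmac.compare_digest(make_tag(data), tag) else None

def crc_difference(delta: bytes) -> bytes:
    """ICV change caused by XORing delta into a message of the same length:
    crc(m ^ delta) = crc(m) ^ crc(delta) ^ crc(00..0)."""
    return xor(crc_icv(delta), crc_icv(bytes(len(delta))))

def demo():
    data = b"constructed frame payload"
    mac_key = b"constructed MAC key"
    def mac(d):
        return hmac.new(mac_key, d, hashlib.sha256).digest()
    delta = b"\x01" + bytes(len(data) - 1)  # one flipped bit, chosen without any key
    # WEP-style frame: the ICV is corrected with the keyless CRC difference.
    altered_crc = xor(seal(data, crc_icv(data)), delta + crc_difference(delta))
    # Same change against a keyed tag: no keyless correction exists.
    altered_mac = xor(seal(data, mac(data)), delta + bytes(32))
    return unseal(altered_crc, 4, crc_icv), unseal(altered_mac, 32, mac)
```

demo() returns the altered payload for the CRC-protected frame, meaning the receiver accepted it, and None for the frame protected by the keyed tag.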
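For the IV problem in section 1.3.2, this added example (not from the original report) reproduces the report's exhaustion estimate and runs a reuse check over a constructed capture of two cards that reset their IV to 0 and add 1 per packet. The station names, packet counts and function names are assumptions of the example.

```python
from collections import defaultdict
from itertools import chain, zip_longest

IV_SPACE = 2 ** 24  # the IV field is 24 bits

def iv_exhaustion_seconds(packet_bytes: int, bits_per_second: float) -> float:
    """Time for one sender to use every IV once at a constant packet rate."""
    return packet_bytes * 8 / bits_per_second * IV_SPACE

def counter_card(name: str, n_packets: int):
    """Frames (station, iv) from a card whose IV starts at 0 and adds 1 per packet."""
    return [(name, (i % IV_SPACE).to_bytes(3, "big")) for i in range(n_packets)]

def interleave(*captures):
    """Merge per-station captures in arrival order, one frame from each in turn."""
    mixed = chain.from_iterable(zip_longest(*captures))
    return [frame for frame in mixed if frame is not None]

def find_iv_reuse(frames):
    """Map each IV seen on more than one frame to the stations that sent it.
    All stations share one WEP key, so a repeated IV means a repeated key stream."""
    seen = defaultdict(list)
    for station, iv in frames:
        seen[iv].append(station)
    return {iv: who for iv, who in seen.items() if len(who) > 1}

def first_reuse_index(frames):
    """Index of the first frame whose IV has already appeared, or None."""
    seen = set()
    for n, (_, iv) in enumerate(frames):
        if iv in seen:
            return n
        seen.add(iv)
    return None

# Constructed capture: two cards initialized at about the same time.
CAPTURE = interleave(counter_card("sta-A", 1000), counter_card("sta-B", 400))
```

With this capture the first repeated IV arrives on the second frame, long before the roughly five hours a single busy sender needs to wrap the IV space.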