Wireless Security 802.11, RFID, WTLS SMU CSE 5349/7349 802.11 • 802.11 a, b, … • Components – Wireless station • A desktop or laptop PC or PDA with a wireless NIC. – Access point • A bridge between wireless and wired networks – Radio – Wired network interface (usually 802.3) – Bridging software • Aggregates access for multiple wireless stations to wired network. SMU CSE 5349/7349 802.11 modes • Infrastructure mode – Basic Service Set • One access point – Extended Service Set • Two or more BSSs forming a single subnet. – Most corporate LANs in this mode. • Ad-hoc mode (peer-to-peer) – Independent Basic Service Set – Set of 802.11 wireless stations that communicate directly without an access point. • Useful for quick & easy wireless networks. SMU CSE 5349/7349 Infrastructure mode Access Point Basic Service Set (BSS) – Single cell Station Extended Service Set (ESS) – Multiple cells SMU CSE 5349/7349 Ad-hoc mode Independent Basic Service Set (IBSS) SMU CSE 5349/7349 Open System Authentication • Service Set Identifier (SSID) • Station must specify SSID to Access Point when requesting association. • Multiple APs with same SSID form Extended Service Set. • APs broadcast their SSID. SMU CSE 5349/7349 MAC Address Locking • Access points have Access Control Lists (ACL). • ACL is list of allowed MAC addresses. – E.g. Allow access to: • 00:01:42:0E:12:1F • 00:01:42:F1:72:AE • 00:01:42:4F:E2:01 • But MAC addresses are sniffable and spoofable. • Access Point ACLs are ineffective control. SMU CSE 5349/7349 Interception Range Station outside building perimeter. Basic Service Set (BSS) – Single cell SMU CSE 5349/7349 Interception • Wireless LAN uses radio signal. • Not limited to physical building. • Signal is weakened by: – Walls – Floors – Interference • Directional antenna allows interception over longer distances. SMU CSE 5349/7349 Directional Antenna • Directional antenna provides focused reception. • D-I-Y plans available. – Aluminium cake tin. – 11 Mbps at 750 meters. – http://www.saunalahti.fi/~elepal/antennie.html SMU CSE 5349/7349 802.11b Security Services • Two security services provided: – Authentication • Shared Key Authentication – Encryption • Wired Equivalence Privacy SMU CSE 5349/7349 Wired Equivalence Privacy • Shared key between – Stations. – An Access Point. • Extended Service Set – All Access Points will have same shared key. • No key management – Shared key entered manually into • Stations • Access points • Key management a problem in large wireless LANs SMU CSE 5349/7349 RC4 Refresher: – RC4 uses key sizes from 1 bit to 2048 bits. – RC4 generates a stream of pseudo random bits • XORed with plaintext to create ciphertext. SMU CSE 5349/7349 WEP – Sending • Compute Integrity Check Vector (ICV). – Provides integrity – 32 bit Cyclic Redundancy Check. – Appended to message to create plaintext. • Plaintext encrypted via RC4 – Provides confidentiality. – Plaintext XORed with long key stream of pseudo random bits. – Key stream is function of • 40-bit secret key • 24 bit initialisation vector (more later) • Ciphertext is transmitted. SMU CSE 5349/7349 Initialization Vector • IV must be different for every message transmitted. • 802.11 standard doesn’t specify how IV is calculated. • Wireless cards use several methods – Some use a simple ascending counter for each message. – Some switch between alternate ascending and descending counters. – Some use a pseudo random IV generator. SMU CSE 5349/7349 WEP Encryption IV Initialisation Vector (IV) Secret key || Seed PRNG Key Stream Cipher text Plaintext || 32 bit CRC ICV Message SMU CSE 5349/7349 WEP – Receiving • Ciphertext is received. • Ciphertext decrypted via RC4 – Ciphertext XORed with long key stream of pseudo random bits. • Check ICV – Separate ICV from message. – Compute ICV for message – Compare with received ICV SMU CSE 5349/7349 Shared Key Authentication • When station requests association with Access Point – AP sends random number to station – Station encrypts random number • Uses RC4, 40 bit shared secret key & 24 bit IV – Encrypted random number sent to AP – AP decrypts received message • Uses RC4, 40 bit shared secret key & 24 bit IV – AP compares decrypted random number to transmitted random number SMU CSE 5349/7349 Security - Summary • Shared secret key required for: – Associating with an access point. – Sending data. – Receiving data. • Messages are encrypted. – Confidentiality. • Messages have checksum. – Integrity. • But SSID still broadcast in clear. SMU CSE 5349/7349 Security Attacks • Targeted network segment • Malicious association • Interference Jamming • Attack against MAC authentication • Vulnerability through ad hoc mode – Free Internet – Malicious use of identity – Access to other network resources – Host AP – Easy to jam the signals – DOS through repeated, albeit unsuccessful access requests (management messages are not authenticated. Egs. Wlan-jack) – DoS through disassociation commands – Interference with other appliances (2.4 G spectrum) SMU – Can spoof MAC with loadable firmware – Defense? CSE 5349/7349 802.11 Insecurities • Authentication – two options – Open – Shared-key – Shared-key more insecure? • Static key management – If one device is compromised/stolen, everyone should change the key – Hard to detect • WEP keys – 40 or 128 can be cracked in less than 15 minutes SMU CSE 5349/7349 IV Collision attack • If 24 bit IV is an ascending counter, – If Access Point transmits at 11 Mbps, IVs exhausted in roughly 5 hours. • Passive attack: – Attacker collects all traffic – Attacker could collect two encrypted messages: • If two messages EM1, EM2, both encrypted with same key stream ( same key and same IV) • EM1 EM2 = M1 M2 • Effectively removes the key stream • Can now try to derive plaintext messages SMU CSE 5349/7349 Limited WEP keys • Some vendors allow limited WEP keys – User types in a password – WEP key is generated from passphrase – Passphrases creates only 21 bits of 40 bit key. • Reduces key strength to 21 bits = 2,097,152 • Remaining 19 bits are predictable. • 21 bit key can be brute forced in minutes. SMU CSE 5349/7349 Brute Force Key Attack • Capture ciphertext. – IV is included in message. • Search all 240 possible secret keys. – 1,099,511,627,776 keys – ~200 days on a modern laptop • Find which key decrypts ciphertext to plaintext. SMU CSE 5349/7349 128 bit WEP • Vendors have extended WEP to 128 bit keys. – 104 bit secret key. – 24 bit IV. • Brute force takes 10^19 years for 104-bit key. • Effectively safeguards against brute force attacks. SMU CSE 5349/7349 IV weakness • WEP exposes part of PRNG input. – IV is transmitted with message. • Initial keystream can be derived – TCP/IP has fixed structure at start of packets • Attack is practical. • Passive attack. – Non-intrusive. – No warning. SMU CSE 5349/7349 Wepcrack • First tool to demonstrate attack using IV weakness. – Open source • Three components – Weaker IV generator. – Search sniffer output for weaker IVs & record 1st byte. – Cracker to combine weaker IVs and selected 1st bytes. SMU CSE 5349/7349 Airsnort • Automated tool – – – – – SMU Does it all! Sniffs Searches for weaker IVs Records encrypted data Until key is derived. CSE 5349/7349 Safeguards • • • • • • • Security Policy & Architecture Design Treat as untrusted LAN Discover unauthorised use Access point audits Station protection Access point location Antenna design SMU CSE 5349/7349 Wireless as Untrusted LAN • Treat wireless as untrusted. – Similar to Internet. • Firewall between WLAN and Backbone. • Extra authentication required. • Intrusion Detection – WLAN / Backbone junction. • Vulnerability assessments SMU CSE 5349/7349 Discover Unauthorised Use • Search for unauthorised access points or ad-hoc networks • Port scanning – For unknown SNMP agents. – For unknown web or telnet interfaces. • Warwalking! – – – – SMU Sniff 802.11 packets Identify IP addresses Detect signal strength May sniff your neighbours… CSE 5349/7349 Location of AP • Ideally locate access points – In centre of buildings. • Try to avoid access points – By windows – On external walls – Line of sight to outside • Use directional antenna to “point” radio signal. SMU CSE 5349/7349 IPSec VPN • IPSec client placed on every PC connected to the WLAN • Filters to prevent traffic from reaching anywhere other than VPN gateway and DHCP/DNS server • Can combine user authentication also SMU CSE 5349/7349 IEEE 802.11i • A new framework for wireless security – Centralized authentication – Dynamic key distribution – Will apply to 802.11 a,b & g • Uses 802.1X as authentication framework – Extensible Authentication Protocol (EAP), RFC 2284 (EAP-TLS & LEAP) – Mutual authentication between client and authentication server (RADIUS) – Encryption keys dynamically derived after authentication – Session timeout triggers reauthentication SMU CSE 5349/7349 802.11i – Encryption Enhancements • Temporal Key Integrity Protocol (TKIP) – – – – RC4 still used Per-packet keys Hash functions for MIC instead of CRC 32 Only firmware upgrade required • AES – AES cipher replaces RC4 – Will require new hardware SMU CSE 5349/7349