IWD2243 Wireless & Mobile Security
Chapter 3 : Wireless LAN Security
Prepared by : Zuraidy Adnan, FITM UNISEL

3.1 Introduction

- 802.11 security architecture – Wired Equivalent Privacy (WEP)
  - Responsible for the CIA in the 802.11 network.
  - Designed to be “Wireless Ethernet”
- Important architectural differences between 802.11 & TWNs
  - 802.11 has limited support for roaming, restricted to the wireless access network only
  - While TWNs support seamless roaming over large geographical areas.

3.2 WEP

Key establishment in 802.11
- None, out of scope
- Relies on a key preshared between STAs and APs
- Does not specify how the keys are established.

Anonymity in 802.11
- Not a major concern.
- Uses the IP address, unlike the IMSI in TWNs
- The IP address assigned to a user can change over time
- The use of Network Address Translation (NAT)
  - Maps the internal IP to a Global IP (GIP)

Authentication in 802.11
- Authentication – controls access to the network.
- Wired LAN – security features are inherited from the network
- WLAN – no physical access authentication
- Net authenticates STAs – STA authenticates Net
- APs – broadcast beacons (management frames which announce the existence of the network)
- Each beacon has a Service Set Identifier (SSID) – or – Net name – which identifies the ESS.
- A STA that wants to connect uses a passive / active scan.
- STAs send probe requests on all available channels
- Concerned APs that receive a probe send a probe-response
- STAs find out which station they can join
- STAs choose the network they wish to join – based on signal strength
- The authentication process starts – two options :
  - Open System Authentication (OSA)
    - See figure 18.2 : 802.11 OSA, page 408
    - Using OSA means no authentication at all
  - Shared Key Authentication (SKA)

Shared Key Authentication (SKA)
- See figure 18.3 : 802.11 SKA, page 410
- Challenge – response system
- SKA divides STAs into 2 groups: 1 – allowed access, 2 – all other STAs
- Group 1 – STAs share a secret key with the APs
- Using SKA requires that the STAs and APs are capable of using WEP, and that the STAs and AP have a preshared key.

Authentication and Handoffs
- What’s wrong with 802.11 authentication?
  - See figure 18.4 : 802.11 handoffs and security, page 411
  - No method is specified in WEP for each STA to be assigned a unique key
  - Many 802.11 deployments share a key across APs
  - One way – no provision for the STA to authenticate the Net.
- Pseudo-authentication schemes
  - Allow only STAs that know the SSID to join the Net
  - Using the MAC address as a secret.
    - APs maintain a list of STA MACs; only registered MACs can access the Net

Confidentiality in 802.11
- See figure 18.5 : WEP, page 414
  - 5 steps to provide confidentiality in 802.11
- See figure 18.6 : A WEP packet, page 415
  - The packet that is produced after the encryption process.
- What’s wrong with WEP
  - Usage of the RC4 stream cipher, which always fails in the wireless medium.
  - Solution : shift the synchronization requirement from session to packet – change keys for every packet.
  - The IV, which is concatenated with the master key per packet, is sent in clear text
  - Susceptible to the Fluhrer-Mantin-Shamir (FMS) attack.
  - Specifies no rules for IV selection

Data Integrity in 802.11
- 802.11 uses the Integrity Check Value (ICV) field in the packet
- See figure 18.7 : Data integrity in WEP, page 419
- ICV – Cyclic Redundancy Check, 32 bits (CRC32)
- CRC32 is linear and not cryptographically computed
- Eve can still modify the message!

Loopholes in 802.11 security (summary)
- The list 1-9, page 421 & 422.

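Added example (not part of the original slides): a minimal WEP-style encapsulation in Python showing why the unkeyed, linear CRC32 ICV gives no integrity protection once it is encrypted with an XOR keystream. The function names, the 40-bit key, the 3-byte IV and the message are constructed for illustration.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 keystream for `key`."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP ICV: unkeyed CRC32 of the payload, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(iv: bytes, key: bytes, msg: bytes) -> bytes:
    plain = msg + icv(msg)
    # Per-packet RC4 key is IV || master key; the IV travels in clear.
    return iv + xor(plain, rc4(iv + key, len(plain)))

def wep_decrypt(key: bytes, frame: bytes):
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    msg, got = plain[:-4], plain[-4:]
    return msg if got == icv(msg) else None    # None means ICV mismatch

def masked_frame(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the encrypted payload and adjust the encrypted ICV.
    Needs no key, only CRC32 linearity: crc(m^d) = crc(m) ^ crc(d) ^ crc(00..0)."""
    fix = xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + fix)

# Constructed sample values, not captured traffic.
KEY, IV = bytes.fromhex("0102030405"), bytes.fromhex("aabbcc")
MSG, ALTERED = b"seq=0001 door=LOCKED", b"seq=0001 door=OPENED"
DELTA = xor(MSG, ALTERED)
```

The receiver accepts the altered frame because the ICV check involves no secret; a keyed MIC such as MICHAEL or CCMP is what closes this gap.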
3.3 WPA

Wi-Fi Protected Access (WPA)
- Prestandard subset of 802.11i
- Biggest differences –
  - Usage of AES (Advanced Encryption Standard) for providing confidentiality and integrity
  - Usage of Temporal Key Integrity Protocol (TKIP) and MICHAEL.
- Both differences make big changes in the WLAN security architecture & hardware parts.
- Most parts (h/ware) in 802.11 implementations cannot be used in WPA 802.11i

Key establishment
- WEP used a preshared key established using an out-of-band mechanism
- 2 environments – home & enterprise
  - Different infrastructure capacities to provide security
- Enterprise – 802.11i uses IEEE 802.1X for key establishment & authentication.
  - 802.1X uses a backend authentication server
- Home user – no backend authentication server – allows an out-of-band mechanism for key establishment
- See figure 18.8 : Key hierarchy in 802.11, page 425
- WPA solves the problem of authentication in WEP by reducing exposure of the master key (MK)
- WPA extends the two-tier hierarchy to a multi-tier hierarchy.
- Pair-wise master key (PMK) – preshared key, or derived from 802.1X
  - PMK – 32 bytes – too long for a human to remember
  - Allows the user to enter a shorter password, which is used as a seed to generate the 32-byte key.
- Pair-wise transient key (PTK) – session key, consists of 4 keys, 128 bits long.
  - 4 keys – encryption key for data, integrity key for data, encryption key for EAPoL messages, and integrity key for EAPoL messages.
  - The PTK is derived from the PMK using a pseudorandom function (PRF)
  - The PRF is based on the HMAC-SHA algorithm.
- Five input values to obtain the PTK from the PMK :
  PTK = PRF-512(PMK, “pair-wise expansion”, AP_MAC || STA_MAC || Anonce || Snonce)
  - 5 values – PMK, MAC addresses of the two endpoints, one nonce for each endpoint.

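Added example (not part of the original slides): the passphrase-to-PMK and PMK-to-PTK steps of the key hierarchy above, written in Python as IEEE 802.11i defines them. The slide's formula is the simplified form; the standard uses the label "Pairwise key expansion" and sorts the two addresses and the two nonces so both ends build the same input. The key names in the returned dictionary, the MAC addresses and the nonces are constructed for illustration.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """Home-user case: stretch a short passphrase into the 32-byte PMK
    (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter),
    one block per counter value, truncated to nbits."""
    out, counter = b"", 0
    while len(out) * 8 < nbits:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[: nbits // 8]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """PRF-512 over the five inputs, split into the four 128-bit keys."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    # Order within the PTK: EAPoL integrity, EAPoL encryption, data keys.
    names = ("eapol_integrity", "eapol_encryption",
             "data_encryption", "data_integrity")
    return {n: ptk[i * 16:(i + 1) * 16] for i, n in enumerate(names)}

# Constructed sample values, not taken from a real handshake.
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
```

Because the nonces change on every association, the four session keys change too, even though the PMK stays the same.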
Key establishment (cont.)
- Nonce – “number-once” – generated at both sides
  Anonce = PRF-256(Random Number, “Init counter”, AP_MAC || Time)
  Snonce = PRF-256(Random Number, “Init counter”, STA_MAC || Time)
- Next step – derive per-packet keys from the PTK.
- See figure 18.9 : TKIP encryption, page 427
- See “important features to note in (TKIP encrypt) process”, page 428.

Authentication
- Home user: 802.11i allows a WEP-like configuration
- Enterprise user: 802.11i specifies the use of 802.1X
- 802.1X is architected along with Extensible Authentication Protocol over LAN (EAPoL)
  - See figure 18.10a : 802.1X/EAP port model, page 429
  - See figure 18.10b : EAPoL, page 429
- EAP specifies 3 network elements – Supplicant, Authenticator, Authentication Server
  - See figure 18.10c : EAP over WLAN, page 430
  - STA – supplicant, AP – authenticator, backend authentication server
- See figure 18.10d : 802.1X network architecture

Confidentiality
- Enhancement from WEP confidentiality
- TKIP doubles the IV size from 24 to 48 bits
- Used for the per-packet mixing function, instead of just adding more bits to the size, and can still co-exist with WEP-compatible hardware.

Integrity
- TKIP uses a new message integrity check (MIC) protocol, MICHAEL
- Overall picture : confidentiality + integrity
- MICHAEL – no multiplication operations; instead, it relies only on shift and add operations.
- Another enhancement – use the IV as a sequence counter.
- See figure 18.10e : TKIP – the complete picture, page 435

How does WPA fix WEP loopholes
- See table 18.1 : WEP loopholes and WPA fixes

3.4 WPA2

- Only a few enhancement features over WPA
- Enhancements :
  - Authentication - Replaces a stream cipher (RC4) with a strong block cipher (AES). Instead, WPA2 embeds AES in a stream cipher.
  - Integrity – provides for stronger integrity protection using AES-based CCMP.
- See figure 18.15 : WPA2 – the complete picture
- See table 18.2 : comparison of WEP, WPA, and WPA2 security architectures.