lecture 9: wireless security wep/wpa · lecture 9: wireless security – wep/wpa cs 336/536:...

11/11/2014

1

Lecture 9: Wireless Security – WEP/WPA

CS 336/536: Computer Network Security

Fall 2014

Nitesh Saxena

Adopted from previous lecture by Keith Ross, Amine Khalife and Tony Barnard

Course Admin

• HW3

– We are grading

– Solution will be provided soon

• HW4 will be posted by early next week

• Labs not active this week

• Guest lecture

– How was it?

11/11/2014 Lecture 9 - Wireless Security 2

11/11/2014

2

Outline

• WiFi Overview

• WiFi Security Threats

• WEP – Wired Equivalence Privacy

– Including vulnerabilities

• WPA – WiFi Protected Access

11/11/2014 Lecture 9 - Wireless Security 3

4

Security at different layers Application layer: PGP Transport layer: SSL Network layer: IPsec Link layer: WEP / 802.11i (WPA) WiFi Security Approach:

IPsec

TCP/UDP/ICMP

HTTP/SMTP/IM

WEP/WPA

11/11/2014

3

802.11 Standards

802.11a – 54 Mbps@5 GHz Not interoperable with 802.11b Limited distance Cisco products: Aironet 1200

802.11b – 11 [email protected] GHz Full speed up to 300 feet Coverage up to 1750 feet Cisco products: Aironet 340, 350, 1100, 1200

802.11g – 54 [email protected] GHz Same range as 802.11b Backward-compatible with 802.11b Cisco products: Aironet 1100, 1200

5

802.11 Standards (Cont.)

802.11e – QoS Dubbed “Wireless MultiMedia (WMM)” by Wi-Fi

Alliance 802.11i – Security

Adds AES encryption Requires high cpu, new chips required TKIP is interim solution

802.11n –(2009) up to 300Mbps 5Ghz and/or 2.4Ghz ~230ft range

6

11/11/2014

4

Wireless Network Modes

The 802.11 wireless networks operate in two basic modes: 1. Infrastructure mode

2. Ad-hoc mode

Infrastructure mode: each wireless client connects directly to a

central device called Access Point (AP)

no direct connection between wireless clients

AP acts as a wireless hub that performs the connections and handles them between wireless clients 7

Wireless Network Modes (cont’d)

The hub handles:

the clients’ authentication,

Authorization

link-level data security (access control and enabling data traffic encryption)

Ad-hoc mode:

Each wireless client connects directly with each other

No central device managing the connections

Rapid deployment of a temporal network where no infrastructures exist (advantage in case of disaster…)

Each node must maintain its proper authentication list

8

11/11/2014

5

9

802.11 LAN architecture

wireless host communicates with base station

base station = access point (AP)

Basic Service Set (BSS) (aka “cell”) in infrastructure mode contains:

wireless hosts

access point (AP): base station

ad hoc mode: hosts only

BSS 1

BSS 2

Internet

hub, switch or router

AP

AP

SSID – Service Set Identification

Identifies a particular wireless network

A client must set the same SSID as the one in that particular AP Point to join the network

Without SSID, the client won’t be able to select and join a wireless network

Hiding SSID is not a security measure because the wireless network in this case is not invisible

It can be defeated by intruders by sniffing it from any probe signal containing it.

10

11/11/2014

6

11

Beacon frames & association

AP regularly sends beacon frame Includes SSID, beacon interval (often 0.1 sec)

host: must associate with an AP scans channels, listening for beacon frames selects AP to associate with; initiates association

protocol may perform authentication After association, host will typically run DHCP to get IP

address in AP’s subnet

12

frame

control duration

address

1

address

2

address

4

address

3 payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seq

control

802.11 frame: addressing

Address 2: MAC address of wireless host or AP transmitting this frame

Address 1: MAC address of wireless host or AP to receive this frame

Address 3: MAC address of router interface to which AP is attached

Address 4: used only in ad hoc mode

11/11/2014

7

13

Internet router

AP

H1 R1

H1 MAC addr AP MAC addr R1 MAC addr

address 1 address 2 address 3

802.11 frame

H1 MAC addr R1 MAC addr

dest. address source address

802.3 frame


14

Internet router

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

802.11 frame

R1 MAC addr H1 MAC addr

dest. address source address

802.3 frame


11/11/2014

8

15

Type From

AP Subtype

To

AP

More

frag WEP

More

data

Power

mgt Retry Rsvd

Protocol

version

2 2 4 1 1 1 1 1 1 1 1

frame

control duration

address

1

address

2

address

4

address

3 payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seq

control

frame:

frame control field expanded:

Type/subtype distinguishes beacon, association, ACK, RTS, CTS, etc frames.

To/From AP defines meaning of address fields

802.11 allows for fragmentation at the link layer

802.11 allows stations to enter sleep mode

Seq number identifies retransmitted frames (eg, when ACK lost)

WEP = 1 if encryption is used

802.11 frame (more)

Primary Threats

Unauthorized access Learn SSID and join the network

Sniffing/Eavesdropping Easy since wireless traffic is broadcast in

nature

Session Hijacking Similar to wired session hijacking

Evil Twin Attack Attacker fools the user into connecting to its

own AP (rather than the starbucks AP, e.g.)

16

11/11/2014

9

Unauthorized Access

So easy to find the ID for a “hidden” network because the beacon broadcasting cannot be turned off

Simply use a utility to show all the current networks:

inSSIDer

NetStumbler

Kismet

17

Unauthorized Access Defense: Access control list

Access control list

Simplest security measure

Filtering out unknown users

Requires a list of authorized clients’ MAC addresses to be loaded in the AP

Won’t protect each wireless client nor the traffic confidentiality and integrity ===>vulnerable

Defeated by MAC spoofing:

ifconfig eth0 hw ether 00:01:02:03:04:05 (Linux)

SMAC - KLC Consulting (Windows)

MAC Makeup - H&C Works (Windows)

18

11/11/2014

10

19

802.11 Sniffing

Requires wireless card that supports raw monitoring mode (rfmon) Grabs all frames including management frames

Tools: Dump packets using Wireshark;

20

Firewalled Networks with Wi-Fi (1)

Firewall blocks traceroutes,…

Traffic sent by wireless hosts/APs not blocked by firewall Leaking of internal

information

Trudy can traceroute and port scan through AP Establish connections Attempt to overtake

11/11/2014

11

21

Firewalled Networks with Wi-Fi (2)

Move AP outside of firewall? Trudy can no longer tracetroute internal network via AP

But Trudy still gets everything sent/received by wireless hosts

22

Sniffing Encrypted 802.11 traffic

Suppose:

Traffic encrypted with symmetric crypto

Attacker can sniff but can’t break crypto

What’s the damage?

SSID, Mac addresses

Manufacturers of cards from MAC addrs

Count # of devices

Traffic analysis: Size of packets

Timing of messages

Determine apps being used

But cannot see anything really useful

Attacker needs the keys, or break crypto Very hard

11/11/2014

12

WEP - Wired Equivalent Privacy

The original native security mechanism for WLAN

provide security through a 802.11 network

Used to protect wireless communication from eavesdropping (confidentiality)

Prevent unauthorized access to a wireless network (access control)

Prevent tampering with transmitted messages

Provide users with the equivalent level of privacy inbuilt in wireless networks.

24

WEP Feature Goals:

Authentication AP only allows authorized stations to associate

Data integrity Data received is the data sent

Confidentiality Symmetric encryption

11/11/2014

13

25

WEP Design Goals

Symmetric key crypto Confidentiality

Station authorization

Data integrity

Self synchronizing: each packet separately encrypted Given encrypted packet and key, can decrypt; can

continue to decrypt packets when preceding packet was lost

Unlike Cipher Block Chaining (CBC) in block ciphers

Efficient Can be implemented in hardware or software

26

WEP Keys

40 bits or 104 bits Key distribution not covered in standard Configure manually:

At home Small organization with tens of users Nightmare in company >100 users

11/11/2014

14

WEP Procedures

1. Appends a 32-bit CRC checksum to each outgoing frame (INTEGRITY)

2. Encrypts the frame using RC4 stream cipher = 40-bit (standard) or 104-bit (Enhanced) message keys + a 24-bit IV random initialization vector (CONFIDENTIALITY).

3. The Initialization Vector (IV) and default key on the station access point are used to create a key stream

4. The key stream is then used to convert the plain text message into the WEP encrypted frame.

Encrypted WEP frame

encrypted

data ICV IV

MAC payload

Key ID

11/11/2014

15

RC4 keystream XORed with plaintext

29

WEP Components

Initialization Vector IV Dynamic 24-bit value Chosen randomly by the transmitter wireless network

interface 16.7 million possible IVs (224)

Shared Secret Key

40 bits long (5 ASCII characters) 104 bits long (13 ASCII characters)

30

11/11/2014

16

WEP Components (cont’d)

RC4 algorithm consists of 2 main parts:

1. The Key Scheduling Algorithm (KSA):

involves creating a scrambled state array This state array will now be used as input in the

second phase, called the PRGA phase.

2. The Pseudo Random Generation Algorithm(PRGA): The state array from the KSA process is used here to

generate a final key stream. Each byte of the key stream generated is then Xor’ed with

the corresponding plain text byte to produce the desired cipher text.

31

WEP Components (cont’d)

ICV (Integrity Check Value)= CRC32 (cyclic redundancy check) integrity check

XOR operation

denoted as ⊕

plain-text ⊕ keystream= cipher-text

cipher-text ⊕ keystream= plain-text

plain-text ⊕ cipher-text= keystream

11/11/2014

17

How WEP works

IV

RC4 key

IV encrypted packet

original unencrypted packet checksum

Encryption Process

11/11/2014

18

Decryption Process

35

36 36

Figure 6 - 802.11 frame format

Recall from CS 334/534:

8.2.5 WEP Frame Body Expansion

CRC-32

11/11/2014

19

37 37 Figure 46 – Construction of expanded WEP frame body

CRC-32

CRC-32

38

End-point authentication w/ nonce

Nonce: number (R) used only once –in-a-lifetime

How: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key

“I am Alice”

R

K (R) A-B

Alice is live, and only Alice knows key to encrypt

nonce, so it must be Alice!

11/11/2014

20

39

WEP Authentication

AP authentication request

nonce (128 bytes)

nonce encrypted shared key

success if decrypted value equals nonce

Not all APs do it, even if WEP is being used. AP indicates if authentication is necessary in beacon frame. Done before association.

40

WEP is flawed

Confidentiality problems

Authentication problems

Integrity problems

11/11/2014

21

A Risk of Keystream Reuse

If IV’s repeat, confidentiality is at risk If we send two ciphertexts (C, C’) using the same IV, then the

xor of plaintexts leaks (P P’ = C C’), which might reveal both plaintexts

Lesson: If RC4 isn’t used carefully, it becomes insecure

IV, P RC4(K, IV)

IV, P’ RC4(K, IV)

41

42

Problems with WEP confidentiality (2)

IV reuse With 17 million IVs and 500 full-length frames/sec,

collisions start after 7 hours Worse when multiple hosts start with IV=0

IV reuse: Trudy guesses some of Alice’s plaintext d1 d2 d3 d4 … Trudy sniffs: ci = di ki

IV

Trudy computes keystream kiIV =ci di

Trudy knows encrypting keystream k1IV k2

IV k3IV …

Next time IV is used, Trudy can decrypt!

11/11/2014

22

Keystream Reuse

WEP didn’t use RC4 carefully The problem: IV’s frequently repeat

The IV is often a counter that starts at zero Hence, rebooting causes IV reuse Also, there are only 16 million possible IV’s, so

after intercepting enough packets, there are sure to be repeats

Attackers can eavesdrop on 802.11 traffic An eavesdropper can decrypt intercepted

ciphertexts even without knowing the key

43

44

WEP authentication problems Attacker sniffs nonce, m, sent by AP Attacker sniffs response sent by station:

IV in clear Encrypted nonce, c

Attacker calculates keystream ks = m c, which is the keystream for the IV .

Attacker then requests access to channel, receives nonce m’

Attacker forms response c’ = ks m’ and IV Server decrypts, matches m’ and declares

attacker authenticated !

11/11/2014

23

45

Problems with Message Integrity

ICV (Integrity Check Value) supposed to provide data integrity ICV is a hash/CRC calculation But a flawed one.

Can predict which bits in ICV change if you change single bit in data. Suppose attacker knows that flipping bit 3244 of

plaintext data causes bits 2,7,23 of plaintext ICV to flip

Suppose attacker intercepts a frame: In intercepted encrypted frame, attacker flips bit 3244

in data payload and ICV bits 2,7,23

Will ICV match after decryption at the receiver? After decryption, cleartext bit 3244 is flipped (stream

cipher) Also after decryption, cleartext bits 2,7, 23 also flipped. So cleartext ICV will match up with data!

Attacks on WEP

WEP encrypted networks can be cracked in 10 minutes

Goal is to collect enough IVs to be able to crack the key

IV = Initialization Vector, plaintext appended to the key to

avoid Repetition

Injecting packets generates IVs

11/11/2014

24

Attacks on WEP

Backtrack 5 (Released 1st March 2012)

Tutorial is available

All required tools on a Linux

bootable CD + laptop +

wireless card

WEP cracking example

48

11/11/2014

25

49

Summary of WEP flaws

One common shared key If any device is stolen or

compromised, must change shared key in all devices

No key distribution mechanism Infeasible for large

organization: approach doesn’t scale

Crypto is flawed Early 2001: Integrity and

authentication attacks published

August 2001 (weak-key attack): can deduce RC4 key after observing several million packets

AirSnort application allows casual user to decrypt WEP traffic

Crypto problems 24 bit IV to short Same key for encryption

and message integrity ICV flawed, does not

prevent adversarial modification of intercepted packets – not a MAC

Cryptanalytic attack allows eavesdroppers to learn key after observing several millions of packets

50

IEEE 802.11i

Much stronger encryption TKIP (temporal key integrity protocol) – stopgap But use RC4 for compatibility with existing WEP

hardware Can also support standard crypto algo (CBC AES, CBC

MAC, etc.)

Extensible set of authentication mechanisms Employs 802.1X authentication

Key distribution mechanism Typically public key cryptography RADIUS authentication server

• distributes different keys to each user • also there’s a less secure pre-shared key mode

WPA: Wi-Fi Protected Access Pre-standard subset of 802.11i

11/11/2014

26

51 51

IEEE 802i Phases of Operation – preview

Phase 1 - Discovery

Phase 2 - Authentication

Phase 3 - Key Generation and Distribution to STA and AP

Phase 4 - Actual User Data Transfer

Phase 5 - Connection Termination when Transfer Complete

802.11i security is provided only over the wireless link within a BSS,

not externally.

11/11/2014 Lecture 9 - Wireless Security

52 52

Phase 1 – Discovery

The purpose of this phase is for STA and AP to establish

(unsecure) contact and negotiate a set of security algorithms to

be used in subsequent phases.

STA and AP need to decide on:

► The methods to be used in phase 3 to perform

mutual authentication of STA and AP and generate/distribute keys.

► Confidentiality and integrity algorithms to protect user data in phase 4


11/11/2014

27

53 53

The discovery phase uses three message exchanges

► Probe request/response (or observation of a beacon frame)

► Authentication request/response

WEP Open System Authentication, for backward compatibility

(provides no security)

APs advertize their capabilities (WEP, WPA, etc.) in Information

Elements in their beacon frames and in their probe responses.

► Association request/response

STA chooses methods to be used from AP’s menu

(we will study the case that the station chooses WPA/TKIP)

STA uses an Information Element in Association Request

to inform AP


54 54 Figure 1 Phase 1 Discovery

This is not

Phase 2/3

Authentication!

Phase 1

11/11/2014

28

55 55

There are two methods for providing the PSK:

► the exact 256-bit number can be provided and used as PMK

► a passphrase can be adopted, keyed in by user and expanded

to 256 bits by the system.

Phase 2 - Authentication

SOHO Mode

A pre-shared key (PSK), is provided in advance to the station and AP by a

method external to 802.11i

In this case the lower half of figure 1 is bypassed (and was not shown in the

previous slide).

In WPA SOHO mode STA and AP delay authenticating each other

until phase 3, when they demonstrate that each knows information

derived from the PSK.


56 56

Phase 3 – Key Generation and Distribution

In SOHO mode the PSK has already been shared, so no more

distribution is needed and key generation can proceed.

Next step in SOHO: The PSK is adopted to derive

Pairwise Master Key (PMK)

Figure 2

11/11/2014

29

57 57

The Pairwise Master Key is not used directly in any security operation.

Instead, it will be used to derive a set of keys, the Pairwise Transient Key,

to protect the link between AP and station.

Protection is needed during two phases:

► in phase 3 - the handshake between station and AP

(protocol called “EAPOL”)

► in phase 4 - Passing user data during actual use of the link


58 58

In both phases separate keys are needed for integrity and encryption, so

the total number of keys needed is four:

► EAPOL-key Encryption key (KEK)

► EAPOL-key Confirmation key (KCK) (Integrity)

► Data Encryption Key (part of Temporal Key)

► Data Integrity Key (part of Temporal Key)

Figure 6.8 (middle)

PSK

11/11/2014

11/11/2014

30

59 59

Computation of the PTK from the PMK

The PTK is re-computed every time a station associates with an AP.

We want the PTK to be different for each STA-AP pair and different

each time a STA associates with an AP (so as not to re-use old keys)

Four-way handshake:

TKIP/WPA uses a four-way handshake during establishment of the

association relationship between an AP and a station


60 60

Recall that in the discovery phase the STA sent its association request

to the AP, including the selection of WPA/TKIP for security.

We can force the PTK to be different for each STA-AP pair by mixing

their MAC addresses into the computation of the PTK.

But since these do not change between associations, there must also

be some dynamic input to the PTK - nonces.

For later use, we can think of the STA randomly generating a

nonce (Nonce1) at that point, but not transmitting it.


11/11/2014

31

61 61

Four-Way Handshake

Frame 1: AP to STA: a nonce chosen by the AP (Nonce2)

Nonce2 gives the STA the last piece of information

it needs to compute the 512-bit PTK:

Computation of PTK from PMK

SHA

hash


62 62

Four-Way Handshake - continued

Frame 2: STA to AP:

Nonce1, together with a message integrity code (MIC)

(standard HMAC-SHA, since done only during handshake)

Nonce1 gives the AP the last piece of information it needs to compute

the PTK, so key exchange is complete. This enables the AP to check

the validity of the MIC. If correct, this proves that that the STA

possesses the PMK and authenticates the STA.

Each side has chosen a nonce, and both nonces have been

mixed into the computation of the PTK, so PTK is unique to

each AP-STA pair and to each association session .


11/11/2014

32

63 63

Four-Way Handshake - continued

Frame 3: AP to STA: message “AP able to turn on encryption”

(includes MIC, so STA can check that AP knows PMK)

Frame 4: STA to AP: message “STA about to turn on encryption”

After sending frame 4, STA activates encryption;

on receipt of frame 4, AP activates encryption.

At this point Phase 3 is complete – we have authenticated the STA

and the AP, using the EAPOL keys, and have generated the 256-bit

Temporal Key for use in phase 4.

We can proceed to phase 4 – secure transmission of user data.

TKIP stands for Temporal Key Integrity Protocol

(“temporal” = “temporary” - only for this association session)


64

TKIP: Changes from WEP

Message integrity scheme that works IV length increased Rules for how the IV values are selected Use IV as a replay counter Generates different message integrity key and

encryption key from master key Hierarchy of keys derived from master key Secret part of encryption key changed in every

packet. Much more complicated than WEP!

11/11/2014

33

65

TKIP: Message integrity

Uses message authentication code (MAC); called a MIC in 802.11 parlance

Different key from encryption key

Source and destination MAC addresses appended to data before hashing

Before hashing, key is combined with data with exclusive ors (not just a concatenation)

Computationally efficient

66

TKIP: IV Selection and Use

IV is 56 bits 10,000 short packets/sec

• WEP IV: recycle in less than 30 min

• TKIP IV: 900 years

Must still avoid two devices separately using same key

IV acts as a sequence counter Starts at 0, increments by 1

But two stations starting up use different keys: • MAC address is incorporated in key

11/11/2014

34

67

802.11 security summary

SSID and access control lists provide minimal security no encryption/authentication

WEP provides encryption, but is easily broken

Emerging protocol: 802.11i Back-end authentication server

Public-key cryptography for authentication and master key distribution

WPA/WPA2: Strong symmetric crypto techniques

68

Further Reading

Real 802.11 Security by Jon Edney and William Arbaugh

Stallings chapter 7

Intercepting Mobile Communications: The Insecurity of 802.11. Borisov et al., 2001

lecture 9: wireless security wep/wpa · lecture 9: wireless security – wep/wpa cs 336/536:...

Documents