meletis belsis - wireless security: common protocols and vulnerabilities

Wireless Security: Common Protocols and Vulnerabilities Meletis Belsis Phone number: +30-210-6841287 Fax number: +30-210-6841412 Email address: [email protected] Mail address: Telecron Hellas 32 Kiffisias Ave. Marousi, GR 15125 GREECE Alkis Simitsis (*) Phone number: +30-210-7721402, +30-210-7721602 Fax number: +30-210-7721442 Email address: [email protected] Mail address: Data and Knowledge Base Systems Laboratory Department of Electrical and Computer Engineering National Technical University of Athens 9 Iroon Polytechniou Street Zographou, GR 15780 GREECE Stefanos Gritzalis Phone number: +30-22730-82234, +30-210-6492112 Fax number: +30-22730-82009, +30-210-6492399 Email address: [email protected] Mail address: Lab. of Information and Communication Systems Security Dept. of Information and Communication Systems Engineering University of the Aegean Samos, GR 83200 GREECE (* Corresponding author)

Upload: meletis-belsis-mphilmresbsc

Post on 07-Aug-2015


Wireless Security: Common Protocols and Vulnerabilities

Meletis Belsis, Telecron, Greece

Alkis Simitsis, National Technical University of Athens, Greece

Stefanos Gritzalis, University of the Aegean, Greece

INTRODUCTION

The fast growth of wireless technology has exponentially increased the abilities and possibilities of computing equipment. Corporate users can now move around enterprise buildings with their laptops, PDAs and WiFi-enabled VoIP handsets and retain communications with their offices. Business users can work from almost anywhere by attaching their laptop to a WiFi hotspot and connecting to their corporate network. However, not many enterprises know and understand the potential security vulnerabilities that are introduced by the use of WiFi technologies. Wireless technologies are insecure by their nature. Anyone with the appropriate hardware can steal information transmitted over the airwaves. This chapter discusses the security vulnerabilities that are inherent in wireless networks. It also describes the current security trends and protocols used to secure such WiFi networks, along with the problems that arise from their application.

BACKGROUND

Currently, several enterprises consider information security as a monolithic architecture, in which they simply install a firewall or an intrusion detection system. Unfortunately, security is not a single device or piece of software: «In the real world, security involves processes. It involves preventive technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process. … » (Schneier, 2000).

The above definition reflects the fact that total protection of corporate networks goes beyond a firewall engine. Each appliance that is added to or changed in a system should trigger a redesign of the system’s overall security policy and infrastructure. The same principle applies when incorporating wireless devices to extend the overall enterprise architecture. Deploying a wireless network changes the security risks and needs of the entire network infrastructure. Nowadays, the techniques used to attack wireless networks resemble the ones used to target common LANs. In the next paragraphs, we present the major categories of attacks, which include techniques that have been successfully used against corporate wireless networks.

Denial of Service. In its simplest form, an adversary can continuously transmit association request packets. Such action could render an access point unavailable to authorized users. Adversaries can also use a powerful RF transceiver to transmit amplified signals on all frequency channels, creating interference that prevents terminals from communicating with the corporate Access Points (RF Jamming). Such an attack could easily be deployed from outside the premises of an enterprise (e.g., a parking lot). An example appliance that can be used to carry out this attack is the Power Signal Generator (PSG-1) by YDI.

Man-In-The-Middle attacks. By combining an RF Jamming attack with a portable computer and the necessary software, an attacker can easily steal or alter corporate information (Akin, 2003). The adversary uses a denial of service attack to force authorized terminals connected to a corporate Access Point to look for, and roam to, an access point with a better signal than the one they are already connected to. Exploiting this predetermined behavior, the attacker can masquerade his/her laptop as an access point and force all wireless clients to connect to it. With this technique an adversary can intercept all wireless communication links and read or alter the information on them.

Fresnel Zone Sniffing. Stealing information from point-to-point wireless links is difficult. The attacker needs to calculate the link path and identify ways to attach his/her laptop to the link’s Fresnel Zone.

Rogue wireless gateways. The rogue wireless gateway is a security vulnerability found in many of today’s enterprise networks. A rogue wireless gateway is an unauthorized access point that is installed on an enterprise network. Such access points are usually installed by corporate users to assist them in their everyday work (e.g., transferring files/emails from a desktop to a laptop computer). Unfortunately, enterprise users do not know and understand the security implications of installing a wireless device on a system. Leaving such devices connected to the corporate network gives adversaries an opportunity to connect and steal corporate information.

AdHoc Networks. The 802.11 protocol specification allows wireless terminals to interconnect without the use of an Access Point. This mode of operation is called AdHoc. Unfortunately, many of today’s corporate users enable the ad hoc facility on their laptops and PDAs, either accidentally or deliberately in order to exchange files with other users. Enabling the ad hoc mode without deploying the necessary security procedures (i.e., encryption and authentication) could seriously damage corporate security. Adversaries can search for such unprotected ad hoc networks and connect to them. From there, adversaries can either read the locally stored corporate information or, if the user’s device is connected to the corporate networks (e.g., LAN, dialup, or VPN), access the corporate resources (Papadimitratos and Haas, 2002).
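A defender's view of the masquerading access point, rogue gateway and ad hoc cases, as an added example that is not part of the original chapter: a wireless survey is compared against an inventory of authorized access points. The inventory, the survey records, the finding names and the -60 dBm on-site threshold are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory of authorized access points: BSSID -> expected SSID.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CORP-WLAN",
    "00:11:22:33:44:02": "CORP-WLAN",
}
# Assumption: an unknown AP heard louder than this is probably on the premises.
ONSITE_SIGNAL_DBM = -60


@dataclass(frozen=True)
class Observation:
    bssid: str        # transmitter address seen in beacons or probe responses
    ssid: str
    ibss: bool        # capability field marks an ad hoc (IBSS) network
    encrypted: bool   # privacy bit set in the capability field
    signal_dbm: int


def classify(obs):
    """Return the findings for one observation (empty list: nothing to report)."""
    findings = []
    expected_ssid = AUTHORIZED_APS.get(obs.bssid.lower())
    corporate_ssids = set(AUTHORIZED_APS.values())

    if obs.ibss:
        # Ad hoc mode bypasses the access points entirely; unencrypted is worst.
        findings.append("adhoc-network" if obs.encrypted
                        else "adhoc-network-unencrypted")
    elif expected_ssid is None:
        if obs.ssid in corporate_ssids:
            # Unknown radio advertising the corporate name: the masquerading
            # access point of the man-in-the-middle scenario.
            findings.append("corporate-ssid-from-unknown-bssid")
        elif obs.signal_dbm >= ONSITE_SIGNAL_DBM:
            # Strong unknown AP: candidate rogue gateway, confirm on the wired side.
            findings.append("possible-rogue-gateway")
    else:
        if obs.ssid != expected_ssid:
            findings.append("authorized-ap-ssid-changed")
        if not obs.encrypted:
            findings.append("authorized-ap-without-encryption")
    return findings


def audit(observations):
    """Map BSSID -> findings for every observation that produced at least one."""
    report = {}
    for obs in observations:
        findings = classify(obs)
        if findings:
            report.setdefault(obs.bssid.lower(), []).extend(findings)
    return report


# Constructed survey results for the demonstration.
SAMPLE_SURVEY = [
    Observation("00:11:22:33:44:01", "CORP-WLAN", False, True, -48),
    Observation("00:11:22:33:44:02", "CORP-WLAN", False, False, -55),
    Observation("DE:AD:BE:EF:00:01", "CORP-WLAN", False, True, -40),
    Observation("02:AA:BB:CC:DD:01", "linksys", False, False, -45),
    Observation("02:AA:BB:CC:DD:02", "CoffeeShop", False, True, -85),
    Observation("02:1B:2C:3D:4E:5F", "files", True, False, -50),
]

if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_SURVEY).items():
        print(bssid, ", ".join(findings))
```

A finding of `possible-rogue-gateway` only says an unknown radio is nearby; whether it is attached to the corporate LAN has to be confirmed from the wired side.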

The attacks described above emphasize the need for security that results from the use of wireless technology. The problem of security becomes more apparent when wireless networking is applied in government-owned systems. The need for security in those systems is extensive due to the legislation on personal data protection and the human-life factors involved.

MAIN THRUST OF THE CHAPTER

In the last few years, the computing and telecommunications community has realized the necessity of deploying security controls on wireless networks. Unfortunately, most of today’s wireless security controls have been proven unsafe or managerially infeasible to maintain. The next few paragraphs describe the most common security protocols and techniques as well as their vulnerabilities.

Discovering Wireless Networks

Many enterprises justify their use of insecure WiFi networks with the idea that their small wireless networks are hidden from hackers and adversaries. This notion is called Security through Obscurity, and it is something that the IT security community analyzed and rejected long before the appearance of wireless networks.

Modern hackers have invented a number of new techniques, collectively known as War Driving or War Chalking, which aim at discovering unprotected wireless networks. An adversary uses a laptop computer along with appropriate discovery software (e.g., NetStumbler) and a GPS receiver to pinpoint the exact location of Access Points on a map. Today such maps are distributed among the War Driving community. It is not unusual for enterprises to discover their company access points on maps found on War Driving web sites (Figure 1).

Figure 1. A War driving result in Los Angeles

Many enterprise administrators try to hide their wireless networks by activating the closed system option found on Access Point hardware equipment. This option prohibits the access point from transmitting the network’s beacon information that incorporates the network’s Service Set Identifier (SSID). Unfortunately, the SSID is incorporated into almost all network management frames. Software packages like NetStumbler will force the access points into transmitting the SSID by issuing such management frames (e.g., Reassociation Request).
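An added example, not from the original chapter, showing why the closed system option hides little: a parser for 802.11 management frames finds the SSID element that a client's Reassociation Request carries in clear text for an access point whose beacons blank it. The frames are constructed samples (24-byte header, no radiotap header or FCS), and the function names are illustrative.

```python
# Bytes of fixed fields between the 24-byte header and the tagged elements.
FIXED_FIELDS = {
    0x0: 4,    # association request: capability, listen interval
    0x2: 10,   # reassociation request: capability, listen interval, current AP
    0x5: 12,   # probe response: timestamp, beacon interval, capability
    0x8: 12,   # beacon: timestamp, beacon interval, capability
}
BEACON = 0x8


def parse_ssid(frame):
    """Return (subtype, bssid, ssid_bytes) for a management frame, else None."""
    if len(frame) < 24:
        return None
    frame_type, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if frame_type != 0 or subtype not in FIXED_FIELDS:
        return None
    bssid = frame[16:22].hex(":")              # address 3 of a management frame
    pos = 24 + FIXED_FIELDS[subtype]
    while pos + 2 <= len(frame):               # walk the tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            return None                        # truncated element
        if tag == 0:                           # element ID 0 is the SSID
            return subtype, bssid, value
        pos += 2 + length
    return None


def is_hidden(ssid):
    """Closed-system beacons carry an empty or all-zero SSID element."""
    return not ssid.strip(b"\x00")


def audit_closed_networks(frames):
    """Map each BSSID that beacons a blank SSID to the name other frames disclose."""
    hidden, disclosed = set(), {}
    for frame in frames:
        parsed = parse_ssid(frame)
        if parsed is None:
            continue
        subtype, bssid, ssid = parsed
        if not is_hidden(ssid):
            disclosed[bssid] = ssid.decode("utf-8", "replace")
        elif subtype == BEACON:
            hidden.add(bssid)
    return {bssid: disclosed.get(bssid) for bssid in sorted(hidden)}


def sample_frame(subtype, addr1, addr2, bssid, ssid):
    """Constructed frame: header, zeroed fixed fields, SSID and one rate element."""
    header = bytes([subtype << 4, 0, 0, 0]) + addr1 + addr2 + bssid + bytes(2)
    elements = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])
    return header + bytes(FIXED_FIELDS[subtype]) + elements


AP1, AP2 = bytes.fromhex("001122334401"), bytes.fromhex("001122334402")
STATION, BROADCAST = bytes.fromhex("02aabbccdd10"), b"\xff" * 6
SAMPLE_FRAMES = [
    sample_frame(0x8, BROADCAST, AP1, AP1, b""),          # beacon, empty SSID
    sample_frame(0x8, BROADCAST, AP2, AP2, bytes(9)),     # beacon, zeroed SSID
    sample_frame(0x2, AP1, STATION, AP1, b"CORP-WLAN"),   # reassociation request
]

if __name__ == "__main__":
    for bssid, name in audit_closed_networks(SAMPLE_FRAMES).items():
        print(bssid, "->", name or "(not yet disclosed)")
```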

The techniques of War Driving and War Chalking are used extensively today, and adversaries have developed their own marking symbols (Table 1) to denote the buildings where wireless networks have been discovered. By writing these symbols on various buildings of the city, adversaries mark their potential targets.

Node types shown: open node, closed node, WEP node (symbol images not available).

Table 1. War Chalking Symbols

MAC Access Control Lists

To enhance security, many corporations develop Media Access Control (MAC) access control lists declaring the MAC addresses of the wireless terminals that are authorized to access the wired segment of a corporate network. Unfortunately, the deployment of MAC Access Control Lists increases management time and difficulty without offering real protection from experienced hackers. Having discovered a wireless network, an adversary can eavesdrop on the network and detect the authorized MAC addresses that connect to an access point. With a list of such authorized MAC addresses, the adversary can use MAC spoofing attacks and masquerade his laptop as an authorized client (e.g., using the SMAC software, a snapshot of which is depicted in Figure 2).

Figure 2. SMAC Software Screenshot

Wired Equivalent Privacy (WEP)

The first security protocol developed for wireless networks is Wired Equivalent Privacy (WEP). WEP uses the RC4 PRNG algorithm (LAN MAN, 1999) to encrypt information. The WEP key, together with a 24-bit Initialization Vector (IV), is used for the encryption/decryption of wireless data. The protocol works with keys of 64 or 128 bits (the actual key lengths are 40 and 104 bits, but the keys are concatenated with the IV during the encryption phase). In a WEP environment the encryption keys are installed by the administrator of the system in each terminal and access point and, thus, the management of the network becomes more complicated.

WEP does not offer user authentication; therefore, discovering the WEP key allows access to a corporate network (Borisov, Goldberg, and Wagner, 2001). The two authentication models provided by WEP are Open System and Shared-Key Authentication (Lambrinoudakis and Gritzalis, 2005). The Open System model uses the MAC access control lists discussed in the previous paragraphs. In Shared-Key Authentication, WEP uses the encryption key to implement a Challenge-Response authentication scheme.

At the same time, WEP uses a 32-bit cyclic redundancy check (CRC) algorithm as an Integrity Check Value (ICV) in order to ensure the integrity of data. The CRC algorithm has already been broken by researchers from the University of Berkeley (Tyrrell, 2003).

The key recovery process in a system that uses WEP can actually be carried out in a few hours. This is due to a vulnerability in the way WEP uses the RC4 algorithm. The weakness of WEP stems from the fact that the IV is only 24 bits long and thus, in a busy network, the same IV is used to encrypt different network packets. Having eavesdropped two or more packets encrypted with the same IV, an adversary can apply cryptanalysis techniques and recover the WEP key. Today, a number of freeware software packages that can perform a successful WEP attack are available on the Internet. Examples of such software include WEPCrack and AirSnort (Figure 3).
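The two weaknesses described above, IV reuse and the CRC-32 ICV, in an added example that is not code from the original chapter: a minimal WEP-style encapsulation (RC4 keyed with IV || key over plaintext || CRC-32) run on constructed data. The key, IV and plaintexts are made up, and the little-endian ICV byte order is an assumption of this example.

```python
import math
import zlib


def rc4_keystream(key, length):
    """Standard RC4: key scheduling followed by keystream generation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: plain CRC-32 of the data (no key involved)."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(iv, key, plaintext):
    """Encrypt plaintext || ICV with RC4 keyed by IV || key; the IV travels in clear."""
    body = plaintext + icv(plaintext)
    return xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(iv, key, ciphertext):
    """Return (plaintext, icv_ok)."""
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    return body[:-4], icv(body[:-4]) == body[-4:]


def same_iv_xor(c1, c2):
    """Two frames under one IV share a keystream, so it cancels: c1^c2 == body1^body2."""
    return xor(c1, c2)


def alter_keeping_icv(ciphertext, delta):
    """CRC-32 is linear: XOR delta into the data and crc(delta)^crc(zeros) into the ICV."""
    correction = xor(icv(delta), icv(bytes(len(delta))))
    return xor(ciphertext, delta + correction)


def frames_until_iv_repeat(probability=0.5, iv_bits=24):
    """Birthday bound: frames with random IVs before a repeat is this likely."""
    return math.ceil(math.sqrt(2 * 2**iv_bits * math.log(1 / (1 - probability))))


# Constructed sample data.
KEY = bytes.fromhex("0102030405")          # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")               # 24-bit IV, reused for both frames
P1 = b"GET /payroll HTTP/1.0"
P2 = b"user=alice&amount=100"

if __name__ == "__main__":
    c1, c2 = wep_encrypt(IV, KEY, P1), wep_encrypt(IV, KEY, P2)
    print("c1^c2 equals p1^p2:", same_iv_xor(c1, c2)[:len(P1)] == xor(P1, P2))
    delta = bytes(18) + bytes([ord("1") ^ ord("9"), 0, 0])
    print("altered frame:", wep_decrypt(IV, KEY, alter_keeping_icv(c2, delta)))
    print("frames for a 50% IV repeat:", frames_until_iv_repeat())
```

Both failures come from the construction rather than the key length: a keyed message integrity code and a per-frame key that never repeats, as in the later protocols, remove them.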

Because WEP encryption keys are static, a long time passes between discovering that a key has been compromised and updating the whole wireless network infrastructure with a new key. This leaves adversaries even more time to access and copy confidential corporate information.

Figure 3. AirSnort Software Screenshot

WiFi Protected Access (WPA)

Understanding the problems of WEP, the international community has moved forward in developing a more secure protocol, namely 802.11i (Edney and William, 2003). Due to the delay in the development of the final 802.11i standard, the international community released a pre-802.11i security protocol under the name WiFi Protected Access (WPA) (Edney and William, 2003).

WPA uses the RC4 algorithm (Fluhrer et al., 2001) to encrypt over-the-air data and incorporates the Temporal Key Integrity Protocol (TKIP) in order to use dynamic encryption keys. To avoid the security vulnerabilities of CRC-32, WPA uses a novel integrity protection algorithm, the Michael Message Integrity Check (MIC) (Cam-Winget et al., 2003), which uses a 64-bit key and partitions data into 32-bit blocks.

TKIP uses a 48-bit IV, offering better security than the 24-bit IV used by WEP. It combines a 128-bit temporary key, which is preinstalled in all wireless terminals, with the MAC address of each terminal and the 48-bit IV in order to create a new encryption key for each terminal. The protocol changes the encryption key every 10,000 packets that are transmitted.

Moreover, WPA employs the 802.1x protocol (port-based access control) to deliver authenticated connections. This protocol allows a number of authentication methods to be used, such as passwords and digital certificates.

The user or terminal authentication process is performed by the Extensible Authentication Protocol (EAP). EAP is usually associated with a RADIUS server in order to securely authenticate users or devices on a network. Figure 4 displays an example EAP authentication process.

Figure 4. 802.1x EAP authentication (EAP Authentication, 2005)

Currently, there exist several EAP implementations:

EAP-MD5 (Funk, 2003). It was the first protocol to provide user authentication based on the 802.1x scheme. It provides only one-way authentication, ensuring the authenticity of users but not of servers. The protocol is based on the MD5 algorithm. However, researchers have already proved that this protocol is subject to dictionary and man-in-the-middle attacks (Asokan, Niemi, and Nyberg, 2002).

CISCO-LEAP. The Lightweight EAP (LEAP) was created by CISCO. This protocol offers bidirectional authentication. The bidirectional authentication makes the protocol immune to man-in-the-middle attacks, but its challenge handshake authentication protocol (MSCHAP ver.2) is subject to dictionary attacks. Currently, there exist several tools on the Internet, like asleap, that can perform successful attacks on LEAP. CISCO is trying to tackle this disadvantage and, at this time, is developing a new protocol called EAP-FAST.

EAP-FAST (Ghosh and Gupta, 2005). EAP-FAST is developed and marketed by CISCO. The protocol is thought to be as secure as EAP-PEAP and as easy to deploy as EAP-LEAP. The protocol operates similarly to EAP-PEAP and uses two distinct phases. In phase 1 a secure tunnel is established using a Protected Access Credential (PAC) shared key. The PAC is used in order to avoid deploying digital certificates. After the establishment of the secure tunnel, authentication is performed in phase 2 using the MSCHAP v2 protocol. The PAC secret can either be manually shared with all nodes or be distributed automatically through an optional Diffie-Hellman process. Unfortunately, using the manual shared key distribution process makes the management of the network extremely difficult. On the other hand, the anonymous Diffie-Hellman process can make the protocol susceptible to man-in-the-middle attacks. In addition, during the anonymous Diffie-Hellman exchange the protocol transmits the user name in cleartext (unencrypted), and possession of a user name could help an attacker perform social engineering attacks. It is going to be a while before the protocol is thoroughly tested and used by the international community (Lambrinoudakis and Gritzalis, 2005).

EAP-TLS (Aboba and Simon, 1999). The EAP-Transport Layer Security (EAP-TLS) protocol has been developed by Microsoft Corporation. It uses the Transport Layer Security (TLS) protocol with digital certificates for both clients and servers in order to provide bidirectional authentication. The protocol transmits the user name in cleartext. An information leak of this kind could provide the basis for further attacks (e.g., social engineering). In addition, the use of both client and server certificates makes the management of this protocol a hassle for large corporate networks.

EAP-TTLS (Funk and Blake-Wilson, 2003). The EAP-Tunneled TLS (EAP-TTLS) protocol was created by the companies Funk and Certicom. It is based on the idea of EAP-TLS but, in order to simplify management, it uses digital certificates only for the servers and not for the clients. Clients authenticate servers by using digital certificates, and the protocol then builds an encrypted tunnel. The encrypted tunnel provides a secure medium over which clients can be authenticated using a challenge-response mechanism. Although there are currently no known attacks, the protocol is suspected to be vulnerable to man-in-the-middle attacks (Asokan, Niemi, and Nyberg, 2002).

EAP-PEAP (Palekar et al., 2003). The Protected EAP (PEAP) protocol is the result of a common effort by different IT companies. PEAP uses digital certificates for servers, and clients authenticate servers. After a successful server authentication, the protocol creates an encrypted tunnel between the client and the server. Inside this secure tunnel the system can use any of the previously described EAP authentication methods to authenticate the client. The combination chosen today is to use EAP-TLS inside the encrypted tunnel in order to provide client authentication (EAP-PEAP/EAP-TLS). As with the TTLS protocol, no known attacks exist today, but PEAP is suspected to be vulnerable to man-in-the-middle attacks.

802.11i

Having discovered the vulnerabilities in WEP, the started producing the specification of a new protocol, the IEEE 802.11i. 802.11i follows principles similar to those of WPA and uses the 802.1x and EAP protocols for authentication and key management. 802.11i uses the Counter-Mode/CBC-MAC Protocol (CCMP) with the Advanced Encryption Standard (AES) (NIST, 2001) algorithm to provide data encryption and integrity protection.

In addition, 802.11i provides the Robust Security Network (RSN) feature. RSN allows the two ends of a communication link to negotiate the encryption algorithms and protocols to be used. This facility makes it possible to update a wireless network with new algorithms and protocols in order to protect it from future vulnerabilities.

Still, the 802.11i protocol requires special encryption hardware to run the AES algorithm; because of this, vendors need additional time to change their existing hardware to support the 802.11i protocol. To enable the migration of WEP and WPA systems to 802.11i, the WiFi Alliance has proposed a new security protocol, WPA2. The new protocol incorporates all 802.11i functionality but also allows the use of the TKIP protocol, to support devices that do not have the necessary hardware to run the AES algorithm.

VPNs

To provide a solution to the problem of security, many companies are extending/developing Virtual Private Networks (VPNs) (Karygiannis and Owens, 2002). Maintaining a VPN requires the engagement of specialized personnel or the training of existing personnel; in both cases, the costs associated with deploying a wireless infrastructure increase greatly. Along with the cost of deployment, VPNs introduce a number of operational problems into a system.

In networks where users roam continuously, a Layer-3 VPN solution will disrupt a user’s connection and may even force the user to re-authenticate. In addition, applications that run on client terminals and access data stored on corporate servers may be seriously disrupted by a Layer-3 disconnection. Such disconnections can seriously damage the integrity and availability of corporate information.

CONCLUSIONS

In this chapter, we have discussed the critical issue of wireless security. We have presented the security vulnerabilities that are frequently inherent in wireless networks. We have also described the most common security protocols and techniques used. Moreover, we have provided a description of the current security trends and protocols used to secure such WiFi networks, along with the problems that arise from their application.

REFERENCES

Schneier, B. (2000). Secrets and Lies. John Wiley and Sons. 1st Edition.

Akin, D. (2003). Certified Wireless Security Professional (CWSP) Official Study Guide. McGraw Hill. ISBN 0-07-223012-6.

LAN MAN, Standards Committee of the IEEE Computer Society (1999). Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Standard 802.11, 1999 Edition.

Borisov, N., Goldberg, I., Wagner, D. (2001). Intercepting Mobile Communications: The Insecurity of 802.11. Retrieved December 16, 2005, from http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf.

Tyrrell, K. (2003). An Overview of Wireless Security Issues. SANS Information Security Reading Room. SANS Institute.

Edney, J., William, A. (2003). Real 802.11 Security: Wi-Fi Protected Access and 802.11i. Addison-Wesley.

Fluhrer, S., Mantin, I., Shamir, A. (2001). Weaknesses in the Key Scheduling Algorithm of RC4. In 8th Annual Workshop on Selected Areas in Cryptography, Springer-Verlag. LNCS 2259.

Cam-Winget, N., Housley, H., Wagner, D., Walker, J. (2003). Security Flaws in 802.11 Data Link Protocols. Communications of the ACM, 46(5).

Funk, P. (2003). The EAP MD5-Tunneled Authentication Protocol (EAP-MD5-Tunneled). IETF Internet Draft.

Asokan, N., Niemi, V., Nyberg, K. (2002). Man-in-the-Middle in Tunnelled Authentication Protocols. Cryptology ePrint Archive. Report 2002/163.

Aboba, B., Simon, D. (1999). PPP EAP TLS Authentication Protocol. IETF RFC 2716.

Funk, P., Blake-Wilson, S. (2003). EAP Tunneled TLS Authentication Protocol (EAP-TTLS). IETF Internet Draft.

Palekar, A., Simon, D., Zorn, G., Salowey, J., Zhou, H., Josefsson, S. (2003). Protected EAP Protocol (PEAP) Version 2. IETF Internet Draft.

NIST (2001). Announcing the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197.

Karygiannis, T., Owens, L. (2002). Wireless Network Security. NIST Special Publication 800-48.

EAP Authentication (2005). Retrieved December 13, 2005, from http://www.wi-fiplanet.com.

Papadimitratos, P., Haas, Z.J. (2002). Secure Routing for Mobile Ad Hoc Networks. Working Session on Security in Wireless Ad Hoc Networks, EPFL. Mobile Computing and Communications Review, 6(4).

Lambrinoudakis, C., Gritzalis, S. (2005). Security in IEEE 802.11 WLANS, CRC Press.

Ghosh, D., Gupta, A. (2005). Analysis of EAP-FAST Wireless Security Protocol. Retrieved December 15, 2005, from http://wwwcsif.cs.ucdavis.edu/~guptaa/finalreport.pdf

TERMS AND DEFINITIONS

Wireless Computer Network. Any computer network that uses wireless technologies based on the IEEE 802.11x standards to transmit and receive data.

Encrypted Tunnel. An encrypted logical (virtual) connection between two ends. Data traveling inside the tunnel are encrypted with an agreed encryption algorithm.

Man-in-the-middle attack. An attack where the adversary succeeds in locating himself in an established connection between two or more authorized nodes. Data traveling between the nodes always pass through the adversary.

VPN. Virtual Private Networks are technologies and protocols that are used to establish encrypted tunnels between one or more network nodes.

WiFi Alliance. A non-profit organization, with more than 200 members, devoted to promoting the use and operation of wireless networks. Products associated by the WiFi Alliance are able to interoperate.

Fresnel Zone. The area around the visual line of sight of a wireless link over which the RF waves are spread. This area must be clear of obstacles, otherwise the RF signal is weakened.

Reassociation Request Frame. A data packet transmitted in a wireless network. The packet enables a client to reconnect to an access point. The packet is transmitted after a client disconnection or when a client roams from one access point to another.