Shanghai Breakout: Wireless LAN Security Fundamentals
Wireless LAN Security Fundamentals
Peter Lane
December 2014
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved #AirheadsConf
Today’s Agenda
• Goal: Authentication with 802.1X and encryption with WPA2
• But first: We need to understand PKI
• And before that, we need a cryptography primer!
Cryptography Primer
Why study cryptography?
• Absolutely critical to wireless security
• Heavily used during authentication process
• Protects data in transit
• Makes you more interesting at parties
Symmetric Key Cryptography
• Strength:
– Simple and very fast (on the order of 1000 to 10000 times faster than asymmetric mechanisms)
• Challenges:
– Must agree on the key beforehand
– How to securely pass the key to the other party?
• Examples: AES, 3DES, DES, RC4
• AES is the current “gold standard” for security
Symmetric Cipher “Modes”
Public Key Cryptography (Asymmetric)
Public Key Cryptography
• Strength
– Solves problem of passing the key
– Allows establishment of trust context between parties
• Challenges:
– Slow (MUCH slower than symmetric)
– Problem of trusting public key (what if I’ve never met you?)
• Examples: RSA, DSA, ECDSA, ElGamal
Hybrid Cryptography
• Randomly generate “session” key
• Encrypt data with “session” key (symmetric key cryptography)
• Encrypt “session” key with recipient’s public key (public key cryptography)
Hash Function
• Properties
– it is easy to compute the hash value for any given message
– it is infeasible to find a message that has a given hash
– it is infeasible to find two different messages with the same hash
– it is infeasible to modify a message without changing its hash
• Ensures message integrity
• Also called message digests or fingerprints
• Examples: MD5, SHA1, SHA2 (256/384/512)
Digital Signature
• Combines a hash with an asymmetric crypto algorithm
• The sender’s private key is used in the digital signature operation
• Digital signature calculation:
Message Authentication
HMAC
Message Integrity with CBC-MAC
• Set IV=0
• Run message through AES-CBC (or some other symmetric cipher)
• Discard everything except final block – this output is the MAC
Entropy (Information-theoretic, not thermodynamic!)
• When we create a random key, it must be unique and unpredictable
• We need good random numbers for this
• What happens if it’s not unique or unpredictable?
AES-CCM (Counter with CBC-MAC)
Diagram labels: CBC-MAC; AES in Counter Mode
Summary: Security Building Blocks
• Encryption provides
– confidentiality, can provide authentication and integrity protection
• Checksums/hash algorithms provide
– integrity protection, can provide authentication
• Digital signatures provide
– authentication, integrity protection, and non-repudiation
• For more info:
Buy this Book!
Certificates, Trust & PKI
What is a Certificate?
• Binds a public key to some identifying information
– The signer of the certificate is called its issuer
– The entity talked about in the certificate is the subject of the certificate
• Certificates in the real world
– Any type of license, government-issued ID’s, membership cards, ...
– Binds an identity to certain rights, privileges, or other identifiers
Public Key Infrastructure
• A Certificate Authority (CA) guarantees the binding between a public key and another CA or an “End Entity” (EE)
• CA Hierarchies
Who do you trust?
Windows: Start->Run->certmgr.msc
Public CA versus Private CA
• Windows Server includes a domain-aware CA – why not just use it?
• Disadvantages:
– PKI is complex. Might be easier to let Verisign/Thawte/etc. do it for you.
– Nobody outside your Windows domain will trust your certificates
• Advantages:
– Less costly (but very cheap public CAs are available!)
– Better security possible. Low chance of someone outside the organization getting a certificate from your internal PKI
What is a Certificate?
Diagram labels: Identity; Trusted 3rd-party; Identity bound to public key
Public Key Infrastructure
• We trust a certificate if there is a valid chain of trust to a root CA that we explicitly trust
• Web browsers also check DNS hostname == certificate Common Name (CN)
• Chain Building & Validation
Certificate Validity
1. Date/Time
2. Revocation
• CRL
• OCSP
Certificate File Formats
• PEM / PKCS#7
– Contains a certificate in base64 encoding (open in a text editor)
• DER
– Contains a certificate in binary encoding
• PFX / PKCS#12
– Contains a certificate AND private key, protected by a password
PEM-PKCS#7:
-----BEGIN CERTIFICATE-----
And so on ……….
-----END CERTIFICATE-----
Creating Certificates A-Z
1. Generate entropy
2. Use entropy to create random public/private keypair (asymmetric crypto)
3. Attach identifying information to public key – send to CA (Certificate Signing Request)
4. CA issues certificate in X.509 format
– Contains public key as supplied in CSR
– Contains hash of certificate contents
– Contains digital signature signed with CA’s private key (hash + asymmetric crypto)
5. Retrieve certificate from CA – match up with private key. Ready for use.
For More Info
Buy this Book!
Putting it all together: 802.1X
Authentication with 802.1X
• Authenticates users before granting access to L2 media
• Makes use of EAP (Extensible Authentication Protocol)
• 802.1X authentication happens at L2 – users will be authenticated before an IP address is assigned
Sample EAP Transaction
• 2-stage process
– Outer tunnel establishment
– Credential exchange happens inside encrypted tunnel
Diagram (message flow between Client, Authenticator and Authentication Server; EAPOL on the Client side, RADIUS on the Authentication Server side):
– EAPOL Start
– Request Identity
– Response Identity (anonymous), relayed as Response Identity
– TLS Start
– Certificate
– Client Key exchange
– Cert. verification
– Request credentials
– Response credentials
– Success
802.1X Packet Capture
802.1X Acronym Soup
• PEAP (Protected EAP)
– Uses a digital certificate on the network side
– Password or certificate on the client side
• EAP-TLS (EAP with Transport Level Security)
– Uses a certificate on network side
– Uses a certificate on client side
• TTLS (Tunneled Transport Layer Security)
– Uses a certificate on the network side
– Password, token, or certificate on the client side
• EAP-FAST
– Cisco proprietary
– Do not use – known security weaknesses
Isn’t MSCHAPv2 broken?
• Short answer: Yes – because of things like rainbow tables, distributed cracking, fast GPUs, etc.
• This is why we use MSCHAPv2 inside a PEAP (TLS) tunnel for Wi-Fi
– What happens if you don’t properly validate the server certificate?
– Look up FreeRADIUS-WPE
• Still using PPTP for VPN? Watch out…
Configure Supplicant Properly
• Configure the Common Name of your RADIUS server (matches CN in server certificate)
• Configure trusted CAs (an in-house CA is better than a public CA)
• ALWAYS validate the server certificate
• Do not allow users to add new CAs or trust new servers
• Enforce with group policy
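An added example, not part of the original slides: the slide shows the Windows supplicant, and the sketch below applies the same two rules (trusted CA configured, server name pinned) as an audit of a wpa_supplicant configuration. The choice of wpa_supplicant is an assumption; the SSIDs, file paths and host names in the sample are constructed.

```python
import re

# wpa_supplicant options that pin the RADIUS server's name in its certificate
NAME_CHECKS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

def parse_networks(conf: str) -> list:
    """Return one dict of settings per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", conf, re.S):
        settings = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip().strip('"')
        networks.append(settings)
    return networks

def audit(conf: str) -> dict:
    """Map each 802.1X SSID to its findings; an empty list means it passes."""
    report = {}
    for net in parse_networks(conf):
        if not any(k.startswith("WPA-EAP") for k in net.get("key_mgmt", "").split()):
            continue  # PSK and open networks do not use a server certificate
        findings = []
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append("no trusted CA: server certificate is not verified")
        if not any(k in net for k in NAME_CHECKS):
            findings.append("no server name check: any certificate from the CA is accepted")
        report[net.get("ssid", "<no ssid>")] = findings
    return report

# Constructed sample configuration; SSIDs, paths and host names are made up.
SAMPLE_CONF = '''
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
}
network={
    ssid="corp-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.corp.example"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
}
'''
```

Calling `audit(SAMPLE_CONF)` reports two findings for `corp-weak`, one for `corp-ca-only`, and none for `corp-hardened`.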
WPA2 Key Management Summary
Step 1: Use RADIUS to push PMK from AS to AP
Step 2: Use PMK and 4-Way Handshake to derive, bind, and verify PTK
Step 3: Use Group Key Handshake to send GTK from AP to STA
Diagram labels: Auth Server; AP/Controller
4-Way Handshake
Diagram (STA and AP each start with the PMK):
– AP: Pick Random ANonce
– Message 1: EAPoL-Key(Reply Required, Unicast, ANonce)
– STA: Pick Random SNonce, Derive PTK = EAPoL-PRF(PMK, ANonce | SNonce | AP MAC Addr | STA MAC Addr)
– Message 2: EAPoL-Key(Unicast, SNonce, MIC, STA SSN IE)
– AP: Derive PTK
– Message 3: EAPoL-Key(Reply Required, Install PTK, Unicast, ANonce, MIC, AP SSN IE)
– Message 4: EAPoL-Key(Unicast, ANonce, MIC)
– STA and AP: Install PTK
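An added example, not part of the original slides: the PTK derivation and the MIC check of message 2, written with the HMAC-SHA1 PRF that IEEE 802.11i defines for CCMP (the standard feeds the PRF the two MAC addresses and then the two nonces, each pair in min/max order). The PMK, MAC addresses, nonces and frame body are constructed values, and `ap_accepts_message_2` is a name chosen for this sketch.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Derive the 384-bit CCMP PTK and split it into its three 128-bit keys."""
    # min/max ordering lets AP and STA build identical PRF input independently.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC for key descriptor version 2: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def ap_accepts_message_2(ap_pmk: bytes, sta_pmk: bytes) -> bool:
    """Run messages 1-2 with constructed values; True if the AP's MIC check passes."""
    ap_mac = bytes.fromhex("020000000001")   # constructed address
    sta_mac = bytes.fromhex("020000000002")  # constructed address
    anonce = b"\xa1" * 32  # fixed for repeatability; must be random in practice
    snonce = b"\x51" * 32  # fixed for repeatability; must be random in practice
    # Message 1: the AP sends ANonce in the clear. The STA derives its PTK.
    sta_keys = derive_ptk(sta_pmk, ap_mac, sta_mac, anonce, snonce)
    # Message 2: the STA sends SNonce plus a MIC keyed with its KCK.
    # Placeholder body: a real MIC covers the whole EAPOL-Key frame, MIC field zeroed.
    msg2 = b"EAPOL-Key msg2 (constructed)" + snonce
    mic = eapol_mic(sta_keys["KCK"], msg2)
    # The AP now holds both nonces, derives its own PTK and recomputes the MIC.
    ap_keys = derive_ptk(ap_pmk, ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ap_keys["KCK"], msg2), mic)

if __name__ == "__main__":
    pmk = bytes(range(32))  # constructed 256-bit PMK
    print("same PMK:", ap_accepts_message_2(pmk, pmk))
    print("wrong PMK:", ap_accepts_message_2(pmk, bytes(32)))
```

The PMK never crosses the air: a matching MIC is what proves to the AP that the STA holds the same PMK.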
Summary
• Security/crypto is complex
• Once you understand it, people will envy you
• Make Facebook posts to confuse your parents
• More importantly: Do it right so you don’t get hacked
Credits
• Some graphics stolen from: http://cevi-users.cevi.be/Portals/ceviusers/images/default/Userdag-20101125-Certs.pptx
• Some others stolen from: http://acs.lbl.gov/~mrt/talks/secPrimer.ppt
Thank You