wireless news

Wireless NewsWireless News

22


China blacklists 102 wireless servicesChina blacklists 102 wireless services• accused 102 companies in the country's accused 102 companies in the country's

wireless-services industry of illegal wireless-services industry of illegal behaviorbehavior

• If the companies have not corrected If the companies have not corrected themselves within a set period, they will themselves within a set period, they will have their licenses revoked have their licenses revoked

33


Malaysia scraps wireless-broadband Malaysia scraps wireless-broadband license tenderlicense tender• On Tuesday, they cancelled on a tender On Tuesday, they cancelled on a tender

for their first wireless broadband license for their first wireless broadband license • Setback in the country's ambitions to Setback in the country's ambitions to

become a leader in mobile high-speed become a leader in mobile high-speed Internet access by the end of 2006 Internet access by the end of 2006

44


55


66


CWNA Guide to Wireless LANs, CWNA Guide to Wireless LANs, Second EditionSecond Edition

Chapter EightChapter Eight

Wireless LAN Security and Wireless LAN Security and VulnerabilitiesVulnerabilities

88

ObjectivesObjectives

Define information securityDefine information security Explain the basic security protections Explain the basic security protections

for IEEE 802.11 WLANsfor IEEE 802.11 WLANs List the vulnerabilities of the IEEE List the vulnerabilities of the IEEE

802.11 standard802.11 standard Describe the types of wireless Describe the types of wireless

attacks that can be launched against attacks that can be launched against a wireless networka wireless network

99

Security Principles: What is Security Principles: What is Information Security?Information Security?

Information security: Information security: Task of Task of guarding digital informationguarding digital information• Ensures protective measures properly Ensures protective measures properly

implementedimplemented• Protects Protects confidentiality, integrity,confidentiality, integrity, and and

availabilityavailability ( (CIACIA) on the devices that ) on the devices that store, manipulate, and transmit the store, manipulate, and transmit the information through products, people, information through products, people, and proceduresand procedures

1010

Security Principles: What is Security Principles: What is Information Security? Information Security?

Figure 8-1: Information security components

1111

Security Principles: Challenges Security Principles: Challenges of Securing Informationof Securing Information

Trends influencing increasing difficultly in Trends influencing increasing difficultly in information security:information security:• Speed of attacksSpeed of attacks• Sophistication of attacksSophistication of attacks• Faster detection of weaknessesFaster detection of weaknesses

Day zero attacksDay zero attacks

• Distributed attacksDistributed attacks The “many against one” approach The “many against one” approach Impossible to stop attack by trying to identify and block Impossible to stop attack by trying to identify and block

sourcesource

1212

Security Principles: Categories Security Principles: Categories of Attackersof Attackers

Six categories of attackers:Six categories of attackers:• HackersHackers

Not malicious; expose security flawsNot malicious; expose security flaws

• CrackersCrackers• Script kiddiesScript kiddies• SpiesSpies• EmployeesEmployees• CyberterroristsCyberterrorists

1313

Security Principles: Categories Security Principles: Categories of Attackers (continued)of Attackers (continued)

Table 8-1: Attacker profiles

1414

Security Principles: Security Security Principles: Security OrganizationsOrganizations

Many security organizations exist to Many security organizations exist to provide security information, assistance, provide security information, assistance, and trainingand training• Computer Emergency Response Team Computer Emergency Response Team

Coordination Center (CERT/CC)Coordination Center (CERT/CC)• Forum of Incident Response and Security Forum of Incident Response and Security

Teams (FIRST)Teams (FIRST)• InfraGardInfraGard• Information Systems Security Association Information Systems Security Association

(ISSA)(ISSA)• National Security Institute (NSI)National Security Institute (NSI)• SysAdmin, Audit, Network, Security (SANS) SysAdmin, Audit, Network, Security (SANS)

InstituteInstitute

1515

Basic IEEE 802.11 Security Basic IEEE 802.11 Security ProtectionsProtections

Data transmitted by a WLAN could be Data transmitted by a WLAN could be intercepted and viewed by an attackerintercepted and viewed by an attacker• Important that basic wireless security Important that basic wireless security

protections be built into WLANsprotections be built into WLANs Three categories of WLAN protections:Three categories of WLAN protections:

• Access controlAccess control• Wired equivalent privacy (WEP)Wired equivalent privacy (WEP)• AuthenticationAuthentication

Some protections specified by IEEE, while Some protections specified by IEEE, while others left to vendorsothers left to vendors

1616

Access ControlAccess Control

Intended to guard Intended to guard availability availability of informationof information Wireless access control:Wireless access control: Limit user’s Limit user’s

admission to APadmission to AP• FilteringFiltering

Media Access Control (MAC) address Media Access Control (MAC) address filtering:filtering: Based on a node’s unique MAC Based on a node’s unique MAC addressaddress

Figure 8-2: MAC address

1717


Figure 8-4: MAC address filtering

1818


MAC address filtering considered to MAC address filtering considered to be a basic means of controlling be a basic means of controlling accessaccess• Requires pre-approved authenticationRequires pre-approved authentication• Difficult to provide temporary access for Difficult to provide temporary access for

“guest” devices“guest” devices

1919

Wired Equivalent Privacy (WEP)Wired Equivalent Privacy (WEP)

Guard the confidentiality of Guard the confidentiality of informationinformation• Ensure only authorized parties can view itEnsure only authorized parties can view it

Used in IEEE 802.11 to encrypt Used in IEEE 802.11 to encrypt wireless transmissionswireless transmissions• ““Scrambling”Scrambling”

2020

WEP: CryptographyWEP: Cryptography Cryptography:Cryptography: Science of transforming Science of transforming

information so that it is secure while being information so that it is secure while being transmitted or storedtransmitted or stored• scrambles” datascrambles” data

Encryption: Encryption: Transforming Transforming plaintextplaintext to to ciphertextciphertext

Decryption:Decryption: Transforming Transforming ciphertextciphertext to to plaintextplaintext

Cipher:Cipher: An encryption algorithm An encryption algorithm• Given a Given a keykey that is used to encrypt and that is used to encrypt and

decrypt messagesdecrypt messages• Weak keys: Weak keys: Keys that are easily discovered Keys that are easily discovered

2121

WEP: CryptographyWEP: Cryptography

Figure 8-5: Cryptography

2222

WEP: ImplementationWEP: Implementation

IEEE 802.11 cryptography objectives:IEEE 802.11 cryptography objectives:• EfficientEfficient• ExportableExportable• OptionalOptional• Reasonably strongReasonably strong• Self-synchronizingSelf-synchronizing

WEP relies on secret key “shared” WEP relies on secret key “shared” between a wireless device and the APbetween a wireless device and the AP• Same key installed on device and APSame key installed on device and AP• Private key cryptography Private key cryptography or or symmetric symmetric

encryptionencryption

2323


Figure 8-6: Symmetric encryption

2424

WEP: ImplementationWEP: Implementation WEP shared secret keys must be at least WEP shared secret keys must be at least

40 bits40 bits• Most vendors use 104 bitsMost vendors use 104 bits

Options for creating WEP keys:Options for creating WEP keys:• 40-bit WEP shared secret key (5 ASCII 40-bit WEP shared secret key (5 ASCII

characters or 10 hexadecimal characters)characters or 10 hexadecimal characters)• 104-bit WEP shared secret key (13 ASCII 104-bit WEP shared secret key (13 ASCII

characters or 16 hexadecimal characters)characters or 16 hexadecimal characters)• Passphrase (16 ASCII characters)Passphrase (16 ASCII characters)

APs and wireless devices can store up to APs and wireless devices can store up to four shared secret keysfour shared secret keys• Default keyDefault key used for all encryption used for all encryption

2525


Figure 8-8: Default WEP keys

2626


Figure 8-9: WEP encryption process

2727


When encrypted frame arrives at When encrypted frame arrives at destination:destination:• Receiving device separates IV from ciphertext Receiving device separates IV from ciphertext • Combines IV with appropriate secret key Combines IV with appropriate secret key

Create a Create a keystreamkeystream

• Keystream used to extract text and ICVKeystream used to extract text and ICV• Text run through CRC Text run through CRC

Ensure ICVs match and nothing lost in transmissionEnsure ICVs match and nothing lost in transmission Generating keystream using the PRNG is Generating keystream using the PRNG is

based on the based on the RC4 cipher algorithmRC4 cipher algorithm• Stream CipherStream Cipher

2828


Figure 8-10: Stream cipher

2929

AuthenticationAuthentication

IEEE 802.11 authentication:IEEE 802.11 authentication: Process in Process in which AP accepts or rejects a wireless which AP accepts or rejects a wireless devicedevice

Open system authentication: Open system authentication: • Wireless device sends association request Wireless device sends association request

frame to APframe to AP Carries info about supported data rates and service Carries info about supported data rates and service

set identifier (SSID)set identifier (SSID)

• AP compares received SSID with the network AP compares received SSID with the network SSIDSSID

If they match, wireless device authenticatedIf they match, wireless device authenticated

3030

AuthenticationAuthentication

Shared key authentication:Shared key authentication: Uses Uses WEP keysWEP keys• AP sends the wireless device the AP sends the wireless device the

challenge textchallenge text• Wireless device encrypts challenge text Wireless device encrypts challenge text

with its WEP key and returns it to the APwith its WEP key and returns it to the AP• AP decrypts returned result and AP decrypts returned result and

compares to original challenge textcompares to original challenge text If they match, device accepted into networkIf they match, device accepted into network

3131

Vulnerabilities of IEEE 802.11 Vulnerabilities of IEEE 802.11 SecuritySecurity

IEEE 802.11 standard’s security IEEE 802.11 standard’s security mechanisms for wireless networks mechanisms for wireless networks have fallen short of their goalhave fallen short of their goal

Vulnerabilities exist in:Vulnerabilities exist in:• AuthenticationAuthentication• Address filteringAddress filtering• WEP WEP

3232

Open System Authentication Open System Authentication VulnerabilitiesVulnerabilities

Inherently weakInherently weak• Based only on match of SSIDsBased only on match of SSIDs• SSID beaconed from AP during passive SSID beaconed from AP during passive

scanningscanning Easy to discoverEasy to discover

Vulnerabilities:Vulnerabilities:• Beaconing SSID is default mode in all APsBeaconing SSID is default mode in all APs• Not all APs allow beaconing to be turned offNot all APs allow beaconing to be turned off

Or manufacturer recommends against itOr manufacturer recommends against it

• SSID initially transmitted in plaintext SSID initially transmitted in plaintext (unencrypted)(unencrypted)

3333


Vulnerabilities (continued):Vulnerabilities (continued):• If an attacker cannot capture an initial If an attacker cannot capture an initial

negotiation process, can force one to occurnegotiation process, can force one to occur• SSID can be retrieved from an authenticated SSID can be retrieved from an authenticated

devicedevice• Many users do not change default SSIDMany users do not change default SSID

Several wireless tools freely available that Several wireless tools freely available that allow users with no advanced knowledge allow users with no advanced knowledge of wireless networks to capture SSIDsof wireless networks to capture SSIDs

3434


Figure 8-12: Forcing the renegotiation process

3535

Shared Secret Key Shared Secret Key Authentication VulnerabilitiesAuthentication Vulnerabilities

Attackers can view key on an approved Attackers can view key on an approved wireless device (i.e., steal it), and then use wireless device (i.e., steal it), and then use on own wireless deviceson own wireless devices

Brute force attack:Brute force attack: Attacker attempts to Attacker attempts to create every possible key combination create every possible key combination until correct key founduntil correct key found

Dictionary attack: Dictionary attack: Takes each word from Takes each word from a dictionary and encodes it in same way as a dictionary and encodes it in same way as passphrasepassphrase• Compare encoded dictionary words against Compare encoded dictionary words against

encrypted frameencrypted frame

3636


AP sends challenge text in plaintextAP sends challenge text in plaintext• Attacker can capture challenge text and Attacker can capture challenge text and

device’s response (encrypted text and IV) device’s response (encrypted text and IV) Mathematically derive keystreamMathematically derive keystream

3737


Table 8-2: Authentication attacks

3838

Address Filtering VulnerabilitiesAddress Filtering Vulnerabilities

Table 8-3: MAC address attacks

3939

WEP VulnerabilitiesWEP Vulnerabilities

Uses 40 or 104 bit keysUses 40 or 104 bit keys• Shorter keys easier to crackShorter keys easier to crack

WEP implementation violates cardinal rule WEP implementation violates cardinal rule of cryptographyof cryptography• Creates detectable pattern for attackersCreates detectable pattern for attackers• APs end up repeating IVsAPs end up repeating IVs

Collision:Collision: Two packets derived from same Two packets derived from same IVIV• Attacker can use info from collisions to initiate Attacker can use info from collisions to initiate

a a keystream attackkeystream attack

4040

WEP VulnerabilitiesWEP Vulnerabilities

Figure 8-13: XOR operations

4141

WEP Vulnerabilities (continued)WEP Vulnerabilities (continued)

Figure 8-14: Capturing packets

4242

WEP Vulnerabilities (continued)WEP Vulnerabilities (continued)

PRNG does not create true random number PRNG does not create true random number • PseudorandomPseudorandom• First 256 bytes of the RC4 cipher can be determined by First 256 bytes of the RC4 cipher can be determined by

bytes in the key itselfbytes in the key itself

Table 8-4: WEP attacks

4343

Other Wireless Attacks: Man-in-Other Wireless Attacks: Man-in-the-Middle Attackthe-Middle Attack

Makes it seem that two computers are Makes it seem that two computers are communicating with each othercommunicating with each other• Actually sending and receiving data with Actually sending and receiving data with

computer between themcomputer between them• Active or passiveActive or passive

Figure 8-15: Intercepting transmissions

4444

Other Wireless Attacks: Man-in-Other Wireless Attacks: Man-in-the-Middle Attackthe-Middle Attack

Figure 8-16: Wireless man-in-the-middle attack

4545

Other Wireless Attacks: Denial Other Wireless Attacks: Denial of Service (DoS) Attackof Service (DoS) Attack

Standard DoS attack attempts to make a Standard DoS attack attempts to make a server or other network device unavailable server or other network device unavailable by flooding it with requestsby flooding it with requests• Attacking computers programmed to request, Attacking computers programmed to request,

but not respondbut not respond Wireless DoS attacks are different:Wireless DoS attacks are different:

• Jamming: Jamming: Prevents wireless devices from Prevents wireless devices from transmittingtransmitting

• Forcing a device to continually dissociate and Forcing a device to continually dissociate and re-associate with APre-associate with AP

4646

SummarySummary

Information security protects the Information security protects the confidentiality, integrity, and availability of confidentiality, integrity, and availability of information on the devices that store, information on the devices that store, manipulate, and transmit the information manipulate, and transmit the information through products, people, and proceduresthrough products, people, and procedures

Significant challenges in keeping wireless Significant challenges in keeping wireless networks and devices securenetworks and devices secure

Six categories of attackers: Hackers, Six categories of attackers: Hackers, crackers, script kiddies, computer spies, crackers, script kiddies, computer spies, employees, and cyberterroristsemployees, and cyberterrorists

4747

SummarySummary

Three categories of default wireless Three categories of default wireless protection: access control, wired protection: access control, wired equivalent privacy (WEP), and equivalent privacy (WEP), and authenticationauthentication

Significant security vulnerabilities exist in Significant security vulnerabilities exist in the IEEE 802.11 security mechanismsthe IEEE 802.11 security mechanisms

Man-in-the-middle attacks and denial of Man-in-the-middle attacks and denial of service attacks (DoS) can be used to service attacks (DoS) can be used to attack wireless networksattack wireless networks

wireless news

Documents

wireless lans

wireless networkcwna

security information

security protectionsdata

vulnerabilitiescwna

editioncwna guide

procedurescwna guide

vendorscwna guide