wlan technologies wireless lan security
Post on 12-Sep-2021
6 Views
Preview:
TRANSCRIPT
IY5511-08 WLAN Security 1
Wireless LAN Security
Matthew JoyceVodafone UK
IY5511-08 WLAN Security 2
WLAN Security - Contents
>WLAN Technologies>Wireless LAN 802.11>Technology>Security History>Vulnerabilities>Demonstration
IY5511-08 WLAN Security 3
WLAN Technologies
Wireless LAN TechnologiesWireless LAN Technologies
InfraredInfrared Spread SpectrumSpread
SpectrumNarrow BandNarrow Band
Direct SequenceDirect
Sequence FrequencyHopping
FrequencyHopping
IY5511-08 WLAN Security 4
The ISM Frequency Bands
1 2 3 4 6 810 20 30 40 60 100
GHz
123
Selected regional licensing differences:• 915 MHz only in the Americas (region 2)• 2.4 GHz for global availability (region 1,2,3)Unlicensed spectrum is • difficult to come by and • usually contested
IY5511-08 WLAN Security 5
FREQUENCY
TIME
User 3User 2User 1
• Multiple users share the same frequency channel sequentially
• Time slot sequence repeats over and over
TDMA
TIME
FREQUENCY
CODE
CDMA(also referred to as “Spread Spectrum”)
User 3User 2User 1
• Channel is “spread” over wide frequency band
• Many users share the same frequency band at the same time
• Each user is assigned a unique “code” to identify and separate them
FREQUENCY
TIME
FDMA
1 2 3
Each user assigned a different frequency -like ordinary radio
Multiple Access Methods
IY5511-08 WLAN Security 6
Spread Spectrum Communication
> Spread spectrum signals have bandwidths much wider than that of the data they carry
> This provides the signal with substantial immunity to noise and interference, and to fading and multipath
> The use of different basis signals allows many users to exist simultaneously in the same band, hence CDMA
IY5511-08 WLAN Security 7
Spread Spectrum Properties
> Spread spectrum signals may be overlaid on existing services (this is the rule, rather than the exception in the 2.4 GHz ISM band)
> The distinctive signals allow each user to be automatically identified
> The wide bandwidth of the signals allows multipath diversity to be used
> The data rate may be varied to adapt gracefully to changing load conditions
IY5511-08 WLAN Security 8
DS and FH Spread Spectrum
>Frequency Hopping> Sequential use of multiple
frequencies> Hop sequence and rate
will vary
>Direct Sequence> Each symbol is transmitted
over multiple frequencies atthe same time
> Higher speed than FH atcomparable distances
> System capacity (multiplechannels) higher than FH
COMPLETE WAVEBAND ALLOCATED
Time
Time
IY5511-08 WLAN Security 9
DSSS Transmitter Schema
> Spreading: Information signal (I.e. a “symbol”) is multiplied by a unique, high rate digital code which stretches (spreads) its bandwidth before transmission.
> Code bits are called Chips. > Sequence is sometimes called a Barker Code
Source andChannelCoding
RFModulator
CodeGenerator
XMultiplier
Code Bits (Chips)
Digital Signal (Bits)
FrequencySpectrum
f“Spread” Frequency
Spectrumf
IY5511-08 WLAN Security 10
DSSS Signal Convolution
X
=
“symbol”
“Barker” sequence
Result of multiplication
Symbol time ts“1” “0”
Chip time tc
> Due to the multiplication of a symbol with Barker code, the rate-of-change increases with a factor 11 in this example
> This means that cycle rate increases from 1 MHz to 11 MHz
> In terms of spectrum this means that after RF modulation the signal is spread from 2 MHz bandwidth to 22 MHz bandwidth
2 Mhz 22 Mhz
IY5511-08 WLAN Security 11
Data and Spread Signal Spectra
Information signal
Spread signal
Chip Rate = 32
IY5511-08 WLAN Security 12
DSSS Receiver Schema
RFDemodulator
Channeland
SourceDecoding
CodeGenerator
X
Multiplied
Code Bits (Chips)
De-SpreadSignal
f
“Spread” FrequencySpectrum
f
Digital Signal (Bits)
> At the receiver, the spread signal is multiplied again by a synchronized replica of the same code, and is de-spread and recovered
> The outcome of the process is the original symbol
IY5511-08 WLAN Security 13
De-Spreading
Data
:11 chip code
Direct SequenceSpread Spectrum
Signal
+11
-11
+1
-1
Symbol time
> When the incoming signal is de-spread, it results in either a positive (+) or a negative (-) “spike”
> These “spikes” arrive at intervals equal to the symbol time
> A positive spike represents a “1” symbol, a negative spike represents a “0” symbol
IY5511-08 WLAN Security 14
Effects of Reflections/Echoes
echo
echo
peak
Symbol time
> Echoes may arrive at the receiver, fluctuations can be noticed at positions other than at the symbol time boundaries
> These fluctuations are (largely) ignored as the receiver will only interpret the spike at the synchronization points (separated from each other by the symbol time)
IY5511-08 WLAN Security 15
IEEE 802 – The WiFi Context
> IEEE 802 is a collection of standards by IEEE that typically get promulgated to ANSI and ISO standards> E.g. IEEE 802.3 specifies the physical and data link layer
properties of Ethernet (in its various incarnations)> IEEE 802.11 is a family of standards for wireless local
area networks> Baseline IEEE Std 802.11-1997 was approved in June
1997> Current standard is IEEE Std 802.11-1999, which is
supplemented by amendment documents (in the sequence a,b,d,g,h,i, j, and e) and one corrigendum document
> IEEE Std 802.11-1999 was reaffirmed by the 802.11 working group in 2003 without changes
> A recommended practices document for inter-access-point communication (802.11f) was ratified in 2003 but withdrawn in March 2006
IY5511-08 WLAN Security 16
Wireless LANs
>IEEE ratified 802.11 in 1997.>Also known as Wi-Fi.
>Wireless LAN at 1 Mbps & 2 Mbps.>WECA (Wireless Ethernet Compatibility
Alliance) promoted Interoperability.>Now Wi-Fi Alliance
>802.11 provides protocols at Layer 1 & Layer 2 of OSI model.>Physical layer>Data link layer
IY5511-08 WLAN Security 17
802.11 Components
>Two pieces of equipment defined:>Wireless station
>A desktop or laptop PC or PDA with a wireless NIC.
>Access point>A bridge between wireless and wired networks>Composed of
> Radio> Wired network interface (usually 802.3)> Bridging software
>Aggregates access for multiple wireless stations to wired network.
IY5511-08 WLAN Security 18
802.11 modes
> Infrastructure mode> Basic Service Set
> One access point
> Extended Service Set> Two or more BSSs forming a single subnet.
> Corporate WLANs operate in this mode.
> Ad-hoc mode> Also called peer-to-peer.> Independent Basic Service Set> Set of 802.11 wireless stations that communicate
directly without an access point.> Useful for quick & easy wireless networks.
IY5511-08 WLAN Security 19
Infrastructure mode
Basic Service Set (BSS) –Single cell
Extended Service Set (ESS) –Multiple cells
Access Point
Station
IY5511-08 WLAN Security 20
Ad-hoc mode
Independent Basic Service Set (IBSS)
IY5511-08 WLAN Security 21
802.11 Physical Layer
>Originally three alternative physical layers>Two incompatible spread-spectrum radio in
2.4Ghz ISM band>Frequency Hopping Spread Spectrum (FHSS)
> 75 channels>Direct Sequence Spread Spectrum (DSSS)
> 14 channels (11 channels in US)
>One diffuse infrared layer>802.11 speed
>1 Mbps or 2 Mbps.
IY5511-08 WLAN Security 22
802.11 Data Link Layer
> Layer 2 split into:> Logical Link Control (LLC).> Media Access Control (MAC).
> LLC - same 48-bit addresses as 802.3.> MAC - CSMA/CD not possible.
> Can’t listen for collision while transmitting.
> CSMA/CA – Collision Avoidance.> Sender waits for clear air, waits random time, then
sends data.> Receiver sends explicit ACK when data arrives intact.> Also handles interference.> But adds overhead.
> 802.11 always slower than equivalent 802.3.
IY5511-08 WLAN Security 23
Hidden nodes
IY5511-08 WLAN Security 24
RTS / CTS
>To handle hidden nodes>Sending station sends
>“Request to Send”
>Access point responds with >“Clear to Send”>All other stations hear this and delay any
transmissions.
>Only used for larger pieces of data.>When retransmission may waste significant
time.
IY5511-08 WLAN Security 25
802.11b
> 802.11b ratified in 1999 adding 5.5 Mbps and 11 Mbps.
> DSSS as physical layer.> 11 channels (3 non-overlapping)
> Dynamic rate shifting.> Transparent to higher layers> Ideally 11 Mbps.> Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
> Higher ranges.> Interference.
> Shifts back up when possible.
> Maximum specified range 100 metres> Average throughput of 4Mbps
IY5511-08 WLAN Security 26
Joining a BSS
>When 802.11 client enters range of one or more APs>APs send beacons.>AP beacon can include SSID.>AP chosen on signal strength and observed
error rates.>After AP accepts client.
>Client tunes to AP channel.
>Periodically, all channels surveyed.>To check for stronger or more reliable APs.>If found, reassociates with new AP.
IY5511-08 WLAN Security 27
Access Point Roaming
Channel 4
Channel 7
Channel 9
Channel 1
IY5511-08 WLAN Security 28
Roaming and Channels
>Reassociation with APs>Moving out of range.>High error rates.>High network traffic.
>Allows load balancing.
>Each AP has a channel.>14 partially overlapping channels.>Only three channels that have no overlap.
>Best for multicell coverage.
IY5511-08 WLAN Security 29
802.11a
>802.11a ratified in 2001 >Supports up to 54Mbps in 5 Ghz range.
>Higher frequency limits the range>Regulated frequency reduces interference
from other devices
>12 non-overlapping channels>Usable range of 30 metres>Average throughput of 30 Mbps>Not backwards compatible
IY5511-08 WLAN Security 30
802.11g
>802.11g ratified in 2002 >Supports up to 54Mbps in 2.4Ghz
range.>Backwards compatible with 802.11b
>3 non-overlapping channels>Range similar to 802.11b>Average throughput of 30 Mbps>802.11n due for November 2006
>Aiming for maximum 200Mbps with average 100Mbps
IY5511-08 WLAN Security 31
Open System Authentication
>Service Set Identifier (SSID)>Station must specify SSID to Access
Point when requesting association.>Multiple APs with same SSID form
Extended Service Set.>APs can broadcast their SSID.>Some clients allow * as SSID.
>Associates with strongest AP regardless of SSID.
IY5511-08 WLAN Security 32
MAC ACLs and SSID hiding
> Access points have Access Control Lists (ACL).> ACL is list of allowed MAC addresses.
> E.g. Allow access to:> 00:01:42:0E:12:1F> 00:01:42:F1:72:AE> 00:01:42:4F:E2:01
> But MAC addresses are sniffable and spoofable.
> AP Beacons without SSID> Essid_jack
> sends deauthenticate frames to client > SSID then displayed when client sends reauthenticate
frames
IY5511-08 WLAN Security 33
Interception Range
Basic Service Set (BSS) –Single cell
Station outsidebuilding perimeter.
100 metres
IY5511-08 WLAN Security 34
Interception
>Wireless LAN uses radio signal.>Not limited to physical building.>Signal is weakened by:
>Walls>Floors>Interference
>Directional antenna allows interception over longer distances.>Record is 124 miles for an unamplified
802.11b signal (4 metre dish)
IY5511-08 WLAN Security 35
Directional Antenna
> Directional antenna provides focused reception.
> DIY plans available.> Aluminium cake tin> Chinese cooking sieve
> http://www.saunalahti.fi/~elepal/antennie.html> http://www.usbwifi.orcon.net.nz/
IY5511-08 WLAN Security 36
WarDriving
>Software>Netstumbler>And many more
>Laptop>802.11a,b,g PC card>Optional:
>Global Positioning System>Logging of MAC address, network
name, SSID, manufacturer, channel, signal strength, noise (GPS - location).
IY5511-08 WLAN Security 37
WarDriving results
>San Francisco, 2001>Maximum 55 miles per hour.>1500 Access Points>60% in default configuration.>Most connected to internal backbones.>85% use Open System Authentication.
>Commercial directional antenna>25 mile range from hilltops.
> Peter Shipley - http://www.dis.org/filez/openlans.pdf
IY5511-08 WLAN Security 38
WarDriving map Source: www.dis.org/wl/maps/
IY5511-08 WLAN Security 39
Worldwide War Drive 2004
>Fourth and last worldwide war drive>www.worldwidewardrive.org
>228,537 Access points>82,755 (35%) with default SSID>140,890 (60%) with Open System
Authentication>62,859 (27%) with both, probably default
configuration
IY5511-08 WLAN Security 40
Further issues
>Access Point configuration>Mixtures of SNMP, web, serial, telnet.
>Default community strings, default passwords.
>Evil Twin Access Points>Stronger signal, capture user
authentication.
>Renegade Access Points>Unauthorised wireless LANs.
IY5511-08 WLAN Security 41
War Driving prosecutions
> February 2004, Texas, Stefan Puffer acquitted of wrongful access after showing an unprotected county WLAN to officials
> June 2004, North Carolina, Lowes DIY store> Salcedo convicted for stealing credit card numbers via
unprotected WLAN> Botbyl convicted for checking email & web browsing via
unprotected WLAN> June 2004, Connecticut, Myron Tereshchuk guilty of
drive-by extortion via unprotected WLANs> “make the check payable to M.Tereshchuk”
> July 2005, London, Gregory Straszkiewicz guilty of dishonestly obtaining a communications service> Warwalking in Ealing
IY5511-08 WLAN Security 42
802.11b Security Services
>Two security services provided:>Authentication
>Shared Key Authentication
>Encryption>Wired Equivalence Privacy
IY5511-08 WLAN Security 43
Wired Equivalence Privacy
>Shared key between>Stations.>An Access Point.
>Extended Service Set>All Access Points will have same shared key.
>No key management>Shared key entered manually into
>Stations>Access points>Key management nightmare in large wireless
LANs
IY5511-08 WLAN Security 44
RC4
>Ron’s Code number 4>Symmetric key encryption>RSA Security Inc.>Designed in 1987.>Trade secret until leak in 1994.
>RC4 can use key sizes from 1 bit to 2048 bits.
>RC4 generates a stream of pseudo random bits>XORed with plaintext to create ciphertext.
IY5511-08 WLAN Security 45
WEP – Sending
> Compute Integrity Check Vector (ICV).> Provides integrity> 32 bit Cyclic Redundancy Check.> Appended to message to create plaintext.
> Plaintext encrypted via RC4> Provides confidentiality.> Plaintext XORed with long key stream of pseudo
random bits.> Key stream is function of
> 40-bit secret key> 24 bit initialisation vector
> Ciphertext is transmitted.
IY5511-08 WLAN Security 46
WEP Encryption
PRNG
32 bit CRC
⊕
IV
Ciphertext
||
||Plaintext
Secret key
InitialisationVector (IV)
IY5511-08 WLAN Security 47
WEP – Receiving
>Ciphertext is received.>Ciphertext decrypted via RC4
>Ciphertext XORed with long key stream of pseudo random bits.
>Key stream is function of >40-bit secret key>24 bit initialisation vector (IV)
>Check ICV>Separate ICV from message.>Compute ICV for message>Compare with received ICV
IY5511-08 WLAN Security 48
Shared Key Authentication
> When station requests association with Access Point> AP sends random number to station> Station encrypts random number
> Uses RC4, 40 bit shared secret key & 24 bit IV
> Encrypted random number sent to AP> AP decrypts received message
> Uses RC4, 40 bit shared secret key & 24 bit IV
> AP compares decrypted random number to transmitted random number
> If numbers match, station has shared secret key.
IY5511-08 WLAN Security 49
WEP Safeguards
>Shared secret key required for:>Associating with an access point.>Sending data.>Receiving data.
>Messages are encrypted.>Confidentiality.
>Messages have checksum.>Integrity.
>But management traffic still broadcast in clear containing SSID.
IY5511-08 WLAN Security 50
Initialisation Vector
>IV must be different for every message transmitted.
>802.11 standard doesn’t specify how IV is calculated.
>Wireless cards use several methods>Some use a simple ascending counter for
each message.>Some switch between alternate ascending
and descending counters.>Some use a pseudo random IV generator.
IY5511-08 WLAN Security 51
Passive WEP attack
>If 24 bit IV is an ascending counter,>If Access Point transmits at 11 Mbps,>All IVs are exhausted in roughly 5 hours.>Passive attack:
>Attacker collects all traffic>Attacker could collect two messages:
>Encrypted with same key and same IV>Statistical attacks to reveal plaintext>Plaintext XOR Ciphertext = Keystream
IY5511-08 WLAN Security 52
Active WEP attack
>If attacker knows plaintext and ciphertext pair>Keystream is known.>Attacker can create correctly encrypted
messages.>Access Point is deceived into accepting
messages.
>Bitflipping>Flip a bit in ciphertext>Bit difference in CRC-32 can be computed
IY5511-08 WLAN Security 53
Limited WEP keys
>Some vendors allow limited WEP keys>User types in a passphrase>WEP key is generated from passphrase>Passphrases creates only 21 bits of entropy
in 40 bit key.>Reduces key strength to 21 bits = 2,097,152>Remaining 19 bits are predictable.>21 bit key can be brute forced in minutes.
>www.lava.net/~newsham/wlan/WEP_password_cracker.ppt
IY5511-08 WLAN Security 54
Creating limited WEP keys
IY5511-08 WLAN Security 55
Brute force key attack
>Capture ciphertext.>IV is included in message.
>Search all 240 possible secret keys.>1,099,511,627,776 keys>~170 days on a modern laptop
>Find which key decrypts ciphertext to plaintext.
IY5511-08 WLAN Security 56
128 bit WEP
>Vendors have extended WEP to 128 bit keys.>104 bit secret key.>24 bit IV.
>Brute force takes 10^19 years for 104-bit key.
>Effectively safeguards against brute force attacks.
IY5511-08 WLAN Security 57
Key Scheduling Weakness
>Paper from Fluhrer, Mantin, Shamir, 2001.
>Two weaknesses:>Certain keys leak into key stream.
>Invariance weakness.
>If portion of PRNG input is exposed, >Analysis of initial key stream allows key to be
determined.>IV weakness.
IY5511-08 WLAN Security 58
IV weakness
> WEP exposes part of PRNG input.> IV is transmitted with message.> Every wireless frame has reliable first byte
> Sub-network Access Protocol header (SNAP) used in logical link control layer, upper sub-layer of data link layer.
> First byte is 0xAA> Attack is:
> Capture packets with weak IV> First byte ciphertext XOR 0xAA = First byte key stream> Can determine key from initial key stream
> Practical for 40 bit and 128 bit keys> Passive attack.
> Non-intrusive.> No warning.
IY5511-08 WLAN Security 59
Wepcrack
>First tool to demonstrate attack using IV weakness.>Open source, Anton Rager.
>Three components>Weaker IV generator.>Search sniffer output for weaker IVs &
record 1st byte.>Cracker to combine weaker IVs and selected
1st bytes.
>Cumbersome.
IY5511-08 WLAN Security 60
Airsnort
>Automated tool>Cypher42, Minnesota, USA.>Does it all!>Sniffs>Searches for weaker IVs>Records encrypted data>Until key is derived.
>100 Mb to 1 Gb of transmitted data.>3 to 4 hours on a very busy WLAN.
IY5511-08 WLAN Security 61
Avoid the weak IVs
> FMS described a simple method to find weak IVs> Many manufacturers avoid those IVs after 2002> Therefore Airsnort and others may not work on
recent hardware
> However David Hulton aka h1kari> Properly implemented FMS attack which shows many
more weak IVs> Identified IVs that leak into second byte of key
stream.> Second byte of SNAP header is also 0xAA> So attack still works on recent hardware> And is faster on older hardware> Dwepcrack, weplab, aircrack
IY5511-08 WLAN Security 62
Generating WEP traffic
>Not capturing enough traffic?>Capture encrypted ARP request packets>Anecdotally lengths of 68, 118 and 368
bytes appear appropriate>Replay encrypted ARP packets to generate
encrypted ARP replies>Aireplay implements this.
IY5511-08 WLAN Security 63
802.11 safeguards
>Security Policy & Architecture Design>Treat as untrusted LAN>Discover unauthorised use>Access point audits>Station protection>Access point location>Antenna design
IY5511-08 WLAN Security 64
Security Policy & Architecture
>Define use of wireless network>What is allowed >What is not allowed
>Holistic architecture and implementation >Consider all threats.>Design entire architecture
>To minimise risk.
IY5511-08 WLAN Security 65
Wireless as untrusted LAN
>Treat wireless as untrusted.>Similar to Internet.
>Firewall between WLAN and Backbone.>Extra authentication required.>Intrusion Detection
>at WLAN / Backbone junction.
>Vulnerability assessments
IY5511-08 WLAN Security 66
Discover unauthorised use
> Search for unauthorised access points, ad-hoc networks or clients.
> Port scanning> For unknown SNMP agents.> For unknown web or telnet interfaces.
> Warwalking!> Sniff 802.11 packets> Identify IP addresses> Detect signal strength> But may sniff your neighbours…
> Wireless Intrusion Detection> AirMagnet, AirDefense, Trapeze, Aruba,…
IY5511-08 WLAN Security 67
Access point audits
>Review security of access points. >Are passwords and community strings
secure?>Use Firewalls & router ACLs
>Limit use of access point administration interfaces.
>Standard access point config:>SSID>WEP keys>Community string & password policy
IY5511-08 WLAN Security 68
Station protection
> Personal firewalls> Protect the station from attackers.
> VPN from station into Intranet> End-to-end encryption into the trusted network.> But consider roaming issues.
> Host intrusion detection> Provide early warning of intrusions onto a station.
> Configuration scanning> Check that stations are securely configured.
IY5511-08 WLAN Security 69
Location of Access Points
>Ideally locate access points>In centre of buildings.
>Try to avoid access points>By windows>On external walls>Line of sight to outside
>Use directional antenna to “point” radio signal.
IY5511-08 WLAN Security 70
Wireless IDS/IPS
>Sensors deployed in WLAN>Monitoring to detect
>Unauthorised clients by MAC address>Accidental>Malicious
>Ad-hoc mode networks>Unauthorised access points>Policy violations
>Possible to identify approximate locations
IY5511-08 WLAN Security 71
WPA
> Wi-Fi Protected Access> Works with 802.11b, a and g
> “Fixes” WEP’s problems> Existing hardware can be used> 802.1x user-level authentication> TKIP
> RC4 session-based dynamic encryption keys> Per-packet key derivation> Unicast and broadcast key management> New 48 bit IV with new sequencing method> Michael 8 byte message integrity code (MIC)
> Optional AES support to replace RC4
IY5511-08 WLAN Security 72
WPA and 802.1x
> 802.1x is a general purpose network access control mechanism
> WPA has two modes> Pre-shared mode, uses pre-shared keys> Enterprise mode, uses Extensible Authentication
Protocol (EAP) with a RADIUS server making the authentication decision
> EAP is a transport for authentication, not authentication itself
> EAP allows arbitrary authentication methods> For example, Windows supports
> EAP-TLS requiring client and server certificates> PEAP-MS-CHAPv2
IY5511-08 WLAN Security 73
Practical WPA attacks
>Dictionary attack on pre-shared key mode>CoWPAtty, Joshua Wright
>Denial of service attack>If WPA equipment sees two packets with
invalid MICs in 1 second>All clients are disassociated>All activity stopped for one minute>Two malicious packets a minute enough to stop a
wireless network
IY5511-08 WLAN Security 74
802.11i (WPA2)
> Robust Security Network extends WPA> Counter Mode with Cipher Block Chaining Message
Authentication Code Protocol (CCMP)> Based on a mode of AES, with 128 bits keys and 48
bit IV.> Also adds dynamic negotiation of authentication and
encryption algorithms> Allows for future change
> Does require new hardware> Lots more info
> www.drizzle.com/~aboba/IEEE/
IY5511-08 WLAN Security 75
Relevant RFCs
>Radius Extensions: RFC 2869>EAP: RFC 2284>EAP-TLS: RFC 2716
IY5511-08 WLAN Security 76
Demonstration
>War driving>Packet sniffing>Cracking WEP
top related