VA Course, Karlstad University
27/03/2006
IEEE 802.11 Security

IEEE Security Outline
• Introduction to Wireless Local Area Networks
  • IEEE 802.11
  • IEEE 802.11 PHY & MAC
• IEEE 802.11 Security
  • Risks to IEEE 802.11 networks
  • IEEE 802.11 WEP
  • Wi-Fi Alliance’s WPA
  • IEEE 802.11i amendment and WPA2

Who is Who in IEEE 802.11
• IEEE
  • Institute of Electrical and Electronics Engineers, Inc.
  • designs the technology & publishes the standards
    www.ieee.org
• Wi-Fi Alliance*
  • certifies interoperability of WLAN products
  • +250 member companies and +2800 certified products
    www.wifialliance.com
* formerly WECA - Wireless Ethernet Compatibility Alliance

IEEE 802.11 Evolution
• Wireless Evolution:
  – early 1990s
    • first wireless networks operating in the ISM bands
    • issues: price, performance, interoperability
      IEEE 802.11 WG is born
  – 1997 June
    • IEEE 802.11 standard is approved.
  – 1999 September
    • standard revision, IEEE 802.11a & IEEE 802.11b are approved.
  – 2003 June
    • IEEE 802.11g amendment is approved
  – 2004 July
    • IEEE 802.11i amendment is approved

IEEE 802.11 Specification
• Operation Modes
  • infrastructure network
  • ad hoc network
• IEEE 802.11 standard specifies:
  • medium access control (MAC)
  • physical layer protocols (PHY)
[Figure: protocol stack, top to bottom: IP; LLC (IEEE 802.2); MAC and PHY (IEEE 802.11)]

Operation Modes
• Infrastructure Network Mode
  – Basic Service Set (BSS) with only one Access Point (AP)
[Figure: a BSS containing an AP and a STA]

Operational Modes
• Infrastructure Network Mode
  – Extended Service Set (ESS)
[Figure: an ESS made up of two BSSs, each with an AP and a STA]

Operational Modes
• Ad Hoc Network Mode
  – Independent Basic Service Set (IBSS)
  – no support for multi-hopping, so no routing! PHY & MAC layers only
[Figure: an IBSS of STAs]

The Spectrum
• Electromagnetic Spectrum
  – the physical medium “air” from the viewpoint of the signal frequencies
  – frequency usage is regulated / controlled by the local government
    • E.U.: CEPT* - ERO (European Radio Comm. Office)
    • Sweden: PTS (Post & Telestyrelsen)
    • U.S.: FCC & NTIA
    • International: ITU
*European Conference of Postal and Telecommunications Administrations

The Spectrum
• Electromagnetic Spectrum
  www.ntia.doc.gov/osmhome/allochrt.html
  www.pts.se/
  www.ero.dk/ecc
[Figure: frequency chart from 3 kHz to 300 THz (bands VL, L, M, H, VH, UH, SH, EH, IR; microwaves) marking AM, FM, AMPS, GSM, DCS and PCS, together with 902 MHz to 928 MHz, 2.4 GHz to 2.5 GHz (IEEE 802.11b, IEEE 802.11g) and 5.725 GHz to 5.875 GHz (IEEE 802.11a)]

Transmission Mechanisms
• Narrow Band
  – all signal power is concentrated in a narrow spectrum band
• Spread Spectrum - SS
  – the signal power is spread in the spectrum

Spread Spectrum
• Direct Sequence (DS-SS)
  – the signal is multiplied by a code signal (spreading)
si(t)=(2.Pi)-1/2.di(t).pi(t).cos(0.t+ i)
  – the signal is retrieved by multiplying it by the same code
  – anti-jamming properties
  – low probability of interception
    • low amplitude signal, even below noise level!

Spread Spectrum
• Direct Sequence (DS-SS)
[Figure: DS-SS spreading and despreading. The original narrowband signal is multiplied by the code pi(t) to give the spread waveform; the spread signal, received together with noise, is multiplied by the same code pi(t) to give the received narrowband signal.]

IEEE 802.11 PHY
• Several different PHY layers under the MAC layer
  Standard        PHY              Data rates
  IEEE 802.11     2.4 GHz FH-SS    1 Mbps, 2 Mbps
  IEEE 802.11     2.4 GHz DS-SS    1 Mbps, 2 Mbps
  IEEE 802.11     Infrared         1 Mbps, 2 Mbps
  IEEE 802.11b    2.4 GHz DS-SS    max 11 Mbps
  IEEE 802.11g    2.4 GHz OFDM     max 54 Mbps
  IEEE 802.11a    5 GHz OFDM       6, 9, 12, 18, 24, 36, 48, 54 Mbps

IEEE 802.11 PHY DS-SS
• DS-SS: Direct Sequence – Spread Spectrum
[Figure: DS-SS channels 1 to 14 on a frequency axis from 2400 MHz to 2497 MHz]

IEEE 802.11 PHY OFDM
• OFDM: Orthogonal Frequency Division Multiplexing
  • multiple transmissions at the same time
  • 4 overlaying carriers
    no interference among the carriers
[Figure: OFDM carriers, minimum and maximum]

IEEE 802.11 PHY
• Channels and Channel reuse
  • Europe*, USA
[Figure: cell layout reusing channels 1, 6 and 11]
* except France, Spain

IEEE 802.11 MAC
• MAC Layer - Medium Access
  • medium access without contention
  • medium access with contention
    random backoff mechanism
  • ACK and retransmission
[Figure: the MAC comprises DCF (Distributed Coordination Function) and PCF (Point Coordination Function)]

IEEE 802.11 MAC
• Point Coordination Function (PCF)
  • the Access Point (AP) defines medium access
  • only for infrastructure wireless networks (optional)
  • polling among STA: contention-free medium access
• Distributed Coordination Function (DCF)
  • all stations (STA)
  • CSMA/CA: Carrier Sense Multiple Access / Collision Avoidance
  • RTS/CTS mechanism

IEEE 802.11 CSMA/CA
• Physical Carrier Sense (PHY)
  • checks if the physical medium is free
• Virtual Carrier Sense
  • to solve the “hidden-node” problem!
  • use of RTS and CTS frames
    Duration/ID field defines the reserved period of time
    NAV (Network Allocation Vector) stores the reservation information; implemented as a counter

IEEE 802.11 CSMA/CA
• Virtual Carrier Sense
  DS-SS timings:
  PIFS – PCF IFS - 10µs
  SIFS – Short IFS - 30µs
  DIFS – DCF IFS - 50µs

IEEE 802.11 CSMA/CA
• Random backoff mechanism
  • after transmission: DIFS (DCF interframe space)
  • if a STA wants to transmit and the medium is free
    immediate access (>= DIFS)
  • if a STA wants to transmit and the medium is not free
    wait for DIFS + random period (contention window)
* Networking Computing

IEEE 802.11 CSMA/CA
• Backoff mechanism (contention window)
[Figure: timeline for STA A to STA E showing frames, DIFS intervals, contention windows, backoff and wait periods]

Risks in IEEE 802.11 networks
• Risks? Is it really not secure?
  • rogue clients logging into your networks
  • wireless eavesdropping and network intrusion
  • non-authorized / rogue AP and cloned AP
  • bad configuration
[Figure: an enterprise LAN with an AP, a cloned AP, a rogue AP and an attacker]

IEEE 802.11 Security
• Data link security (L2)
  between AP and STA or STA and STA (ad hoc mode)
  IEEE 802.11 WEP (Wired Equivalent Privacy)
    is WEP really that bad?
  Wi-Fi Alliance’s WPA (Wi-Fi Protected Access)
    is WPA enough?
  IEEE 802.11i amendment and WPA2
    are we finally secure?

Wired Equivalent Privacy - WEP
• the security goals of IEEE 802.11 were:
  – Authentication
  – Confidentiality
  – Data Integrity
• WEP introduced in the original IEEE 802.11 standard
  • designed to protect authorized users from casual eavesdropping
  • optional security add-on to achieve confidentiality
• WEP assumes that AP and clients have shared-keys

Wired Equivalent Privacy - WEP
• WEP: Confidentiality and Integrity in the Data Link Layer
  • but what is WEP?
    “a form of ECB* in which a block of plaintext is bitwise XORed with a pseudorandom key sequence of equal length”
• WEP key (PRNG input)
  a 40-bit long shared secret + 24-bit long IV
  PRNG input is 64-bit long
• Data integrity
  with CRC-32
*Electronic Code Book
[Figure: frame layout: MAC | IV | Ciphered Payload | CRC]
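
Ciphering with WEP
[Figure: WEP encipherment. Initialization Vector (IV, 24 bits) || Secret Key (40 bits) form the 64-bit Seed of the WEP PRNG (RC4), which outputs the Key Sequence. CRC-32 over the Plaintext gives the 32-bit Integrity Check Value (ICV). Plaintext || ICV is XORed with the Key Sequence to give the Ciphertext. Output: IV and Ciphertext.]
|| - concatenation
⊕ - bitwise XOR
P ⊕ K = C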
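
Deciphering with WEP
[Figure: WEP decipherment. Input: IV (24 bits) and Ciphertext. IV || Secret Key (40 bits) form the 64-bit Seed of the WEP PRNG (RC4). The Key Sequence is XORed with the Ciphertext to give the Plaintext and the ICV. CRC-32 over the Plaintext gives ICV’, which is compared with the ICV (ICV’ = ICV?).]
|| - concatenation
⊕ - bitwise XOR
C ⊕ K = P ⊕ K ⊕ K = P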

WEP Authentication
• WEP authentication modes
  – Open System
    null authentication
  – Shared Key
    based on WEP
[Figure: shared-key exchange between a STA and a STA or AP: request; challenge: (M); response: EWEP(M); OK / NOK]

Early comments on WEP
• the use of shared-keys in WEP
  • network security management problem
• shared keys are not long enough (40 bits)
  • brute force attacks (feasible, but takes time)
    just increase the key length to 104 bits!

Overview of the WEP Insecurity
• March 2000: Simon, Aboba and Moore
  • several flaws in WEP design
• October 2000: Walker
  • limited IV space leads to IV reuse problem
• July 2001: Borisov, Goldberg and Wagner
  • practical attacks to cause known plaintext to be transmitted
• March 2001: Arbaugh et al.
  • trivial to obtain a keystream
• August 2001: the Fluhrer, Mantin and Shamir attack
  • weakness in RC4 key scheduling algorithm
and the popular cracking tools for IEEE 802.11 networks secured with WEP…

Simon, Aboba and Moore (Microsoft)
• NIC authentication only: no user authentication
  • lost NICs / device: huge security management problem
• shared-key authentication is not mutual
  • rogue AP: MitM attacks
• ICV is not keyed
  • no guarantee of data integrity
• known plaintext attacks: recover the keystream for a given IV
  C ⊕ P = P ⊕ K ⊕ P = K

J. Walker (Microsoft)
• WEP mechanism unsafe at any key size (24-bit long IV)
  • only 2^24 values can be derived from a WEP key
  • IV reuse can lead to data decryption without the secret key
  • no policy for IV selection on AP
[Figure: Initialization Vector (IV, 24 bits) || Secret Key (40 bits) form the 64-bit Seed of the WEP PRNG (RC4), which outputs the Key Sequence K]
C ⊕ C’ = P ⊕ K ⊕ P’ ⊕ K = P ⊕ P’

Borisov, Goldberg and Wagner (UCB)
• IV dictionaries are independent of the key size (2^24 entries)
• practical ways to cause known plaintext to be transmitted
  • broadcasted datagrams: obtain an RC4 keystream
• Message modification
  • CRC-32 is a linear function of the message
• Message injection and authentication spoofing
  • one RC4 keystream needed
C’ = C ⊕ ( Δ || c(Δ) )

Arbaugh et al. (UMD)
• trivial to obtain a keystream
  • shared-key authentication: 2nd frame and 3rd frame
[Figure: shared-key exchange between a STA and a STA or AP: request; challenge: (M), the Plaintext; response: EWEP(M), the Ciphertext; OK / NOK]
C ⊕ P = P ⊕ K ⊕ P = K (RC4 keystream)
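
The identities on the Simon/Aboba/Moore, Walker, Borisov/Goldberg/Wagner and Arbaugh slides, worked through on constructed data. This is an added example, not part of the original slides; the key, IV and messages are made-up sample values, and the frame is reduced to payload || ICV with no 802.11 header.

```python
import struct
import zlib

def rc4(seed: bytes, n: int) -> bytes:
    """RC4: key scheduling (KSA) over the seed, then n PRGA output bytes."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """Unkeyed CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data))

def wep_encrypt(iv: bytes, key: bytes, p: bytes) -> bytes:
    body = p + icv(p)                              # P || ICV
    return xor(body, rc4(iv + key, len(body)))     # seed = IV || secret key

def wep_decrypt(iv: bytes, key: bytes, c: bytes):
    body = xor(c, rc4(iv + key, len(c)))
    return body[:-4], body[-4:] == icv(body[:-4])  # (P, ICV' == ICV?)

def crc_delta(delta: bytes) -> bytes:
    """c(Δ): change in the ICV when Δ is XORed into the data. zlib's CRC-32
    is affine, so the CRC of an equal-length zero message is cancelled out."""
    return xor(icv(delta), icv(bytes(len(delta))))

# Constructed sample values, not captured traffic.
KEY = bytes.fromhex("0102030405")                  # 40-bit shared secret
IV = bytes.fromhex("a1b2c3")                       # 24-bit IV, sent in clear
P1 = b"seq=0001 state=A"
P2 = b"hello from STA-2"
C1 = wep_encrypt(IV, KEY, P1)
C2 = wep_encrypt(IV, KEY, P2)                      # same IV: same keystream

def demo():
    keystream = xor(C1, P1 + icv(P1))              # C xor P = K
    reuse = xor(C1, C2)[:len(P1)]                  # C xor C' = P xor P'
    delta = xor(P1, b"seq=0001 state=B")           # Δ: the bits to change
    forged = xor(C1, delta + crc_delta(delta))     # C' = C xor (Δ || c(Δ))
    return keystream, reuse, wep_decrypt(IV, KEY, forged)
```

The modified frame passes the ICV comparison because the ICV is not keyed, which is the gap the keyed MIC of TKIP and CCMP closes.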

Fluhrer, Mantin and Shamir
• weakness in RC4 key scheduling algorithm
  • large class of weak keys: collecting weakened packets
  • derive the first byte of the RC4 output
• Stubblefield, Ioannidis and Rubin: effectiveness of the attack
  ca. 10^6 packets to retrieve a key
[Figure: RC4 (KSA, then PRGA) turns the Seed into the Key Sequence; the Seed is the known 24 bits plus the secret 40 bits]

Attack Tools on WEP
• Fluhrer, Mantin and Shamir Implemented
  AirSnort http://airsnort.shmoo.com/
  WEPCrack http://sourceforge.net/projects/wepcrack/
• wesside - a fragmentation-based attack tool from UCL
  http://www.cs.ucl.ac.uk/staff/A.Bittau/frag-0.1.tgz

Vendors’ Countermeasures
• Increasing the secret key length to 104 bits
  innocuous: WEP is insecure at any key size
• MAC filtering
  MAC spoofing is easily achievable
• suppressing of SSID broadcasts
  network will be detected (management datagrams)
• the vendors’ patch blocking potentially harmful IV
  reduced the IV space even more
  legacy hosts compromise the solution

Wi-Fi Protected Access (WPA)
• WPA (Wi-Fi Protected Access)
  • recommendation to improve security in IEEE 802.11 networks
  • published in April 2003
    added as subset of IEEE 802.11i for backward compatibility
    only a firmware upgrade is needed
• WPA encryption:
  Temporal Key Integrity Protocol: wrapper over WEP
• WPA has two authentication modes:
  Enterprise Mode (Authentication Server is needed)
  SOHO Mode (using shared-keys)

WPA Encryption with TKIP
• TKIP enhancements over WEP are:
  • a keyed data integrity protocol (MIC – Message Integrity Protocol)
    MICHAEL: 64-bit long keys, calculated over the MSDU
  • re-keying mechanism to provide fresh keys
    encryption keys for different purposes
  • per-packet mixing function: prevents weak key attacks
    MAC of the destination is mixed into the temporal key
  • a discipline for IV sequencing: prevents IV reuse
    IV counter is reset after the establishment of fresh keys

WPA Authentication Enterprise Mode
• Authentication Server provides:
  • key management and
  • authentication according to the EAP
• EAPOL (IEEE 802.1X) is needed
  • IEEE 802.1X defines a port-based network control method
[Figure: EAP authentication mechanism. EAP runs between the STA (supplicant) and the AS. It is carried over EAPoL (IEEE 802.1X) on the wireless medium between the STA and the AP (authenticator), and over RADIUS on the wired medium between the AP and the AS.]

IEEE 802.1X Authentication with TLS
[Message flow between STA, AP and AS; STA and AP use EAPoL, AP and AS use RADIUS]
  1. AP → STA: 802.1X/EAP Req. ID
  2. STA → AP: 802.1X/EAP Resp. ID
     AP → AS: RADIUS Access Req. / EAP - Resp. ID
  3. STA ↔ AS: EAP-TLS Mutual Authentication
     STA: calculate PMK*
     AS: calculate PMK*
  4. AS → AP: RADIUS Accept + PMK
  5. AP → STA: 802.1X/EAP-Success
*TLS-PRF( MasterKey, “client EAP encryption” || random1 || random2 )
TLS-PseudoRandomFunction( PreMasterKey, “master secret” || random1 || random2 )

WPA Authentication SOHO Mode
• using Pre-Shared Keys (PSK)
  • shared keys between the AP and STA
• useful solution for smaller networks
  • no need for an authentication server
• PSK is vulnerable to dictionary attacks
  • coWPAtty http://sourceforge.net/projects/cowpatty

IEEE 802.11i
• IEEE 802.11i is an amendment to the IEEE 802.11 standard
  • several components are external to the IEEE 802.11 standard
    IEEE 802.11i protects data frames
    EAPoL (IEEE 802.1X) provides authentication
    key establishment and distribution
• RSNA - Robust Secure Network Association
  • defined as a type of association to secure wireless networks

RSNA
• RSNA defines:
  • key hierarchy and key management algorithms;
  • a cryptographic key establishment;
  • enhanced authentication mechanisms;
  • enhanced data encapsulation mechanism: CTR with CBC-MAC
    Counter Mode with Cipher Block Chaining with Message Authentication Code (CBC-MAC) Protocol.
• TKIP is included for systems not fully compliant with RSNA
  • Open-System Authentication is kept;
  • WEP is supported only for interoperability with legacy systems.

RSNA Security Algorithm Classes
• RSNA algorithms
  • data confidentiality protocols
  • network architecture for authentication (based on IEEE 802.1X)
  • key hierarchy, key setting and distribution method
• Pre-RSNA algorithms
  • WEP and IEEE 802.11 Open System Authentication

RSN and TSN
• RSN Information Element (IE): Beacon Frames
  • RSN IE Group Key Field Suite indicates the network type
• Robust Secure Networks (RSN)
  • RSNA only networks
• Transient Secure Networks (TSN)
  • allows both Pre-RSNA networks (WEP) and RSNA networks

RSNA Operational Phases
[Figure: RSNA phases among STA, AP and AS: Discovery; Authentication (IEEE 802.1X); Key Distribution; Key Management; Data Transfer (protected)]

RSNA Discovery Phase
• Discovery of an AP SSID by an STA
  • RSN IE frames
• Definition of:
  • authentication, key management and cryptographic suite
  • cipher suite selectors include:
    WEP-40, WEP-104, TKIP, CCMP, and vendor specifics

RSNA Key Hierarchy and Distribution
• RSNA key hierarchies
  • unicast traffic: pairwise hierarchy
  • multicast and broadcast traffic: group temporal key hierarchy
• RSNA key distribution
  • 4-way handshake

RSNA Pairwise Key Hierarchy
[Figure: pairwise key hierarchy. The Pairwise Master Key (PMK, 256 bits) is either the Pre-Shared Key (PSK, 256 bits) or the first 256 bits of the AAA Key, the product of the IEEE 802.1X authentication. The PMK stands for a positive access decision: authorization to the IEEE 802.11 medium. A PRF expands the PMK into the Pairwise Transient Key (PTK, 384 or 512 bits).]

Pairwise Transient Key
• KCK (Key Confirmation Key) confirms the possession of the PMK
• KEK (Key Encryption Key) for the distribution of group keys
• TK (Temporal Key) for data confidentiality
[Figure: Pairwise Transient Key (PTK) layout: KCK = bits 0 to 127, KEK = bits 128 to 255, Temporal Key = bits 256 to n (383 or 512)]

RSNA Group Key Hierarchy
[Figure: group key hierarchy. The Group Master Key (GMK), chosen by the authenticator, is expanded by a PRF together with nonceAS and the AS address into the Group Temporal Key (GTK) of 128 or 256 bits (TKIP, CCMP).]

4-Way Handshake
• PTK setting and GTK distribution
  • confirm that a live peer holds the PMK and the PMK is current
  • derive a fresh PTK from the PMK
  • install encryption and integrity keys
  • confirm the cipher suite

4-Way Handshake
[Message flow between the Supplicant (STA) and the Authenticator (AP); both hold the PMK]
     AP: generate nonceAP
     STA: generate nonceSTA
  1. AP → STA: EAPoL-Key ( nonceAP )
     STA: derive PTK
  2. STA → AP: EAPoL-Key ( nonceSTA , MIC )
     AP: derive PTK, generate GTK* (*if needed)
  3. AP → STA: EAPoL-Key ( Install PTK, MIC, EKEK[GTK] )
  4. STA → AP: EAPoL-Key ( MIC )
     STA: install PTK and GTK
     AP: install PTK
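
An added sketch, not from the original slides, of the pairwise key derivation and the MIC checks in the handshake above, using the IEEE 802.11i PRF over HMAC-SHA1. The message bodies, addresses, sample PMK and the `handshake` helper are hypothetical simplifications, not real EAPoL-Key frame layouts.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, data: bytes, bits: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) * 8 < bits:
        block = label + b"\x00" + data + bytes([i])
        out += hmac.new(key, block, hashlib.sha1).digest()
        i += 1
    return out[: bits // 8]

def derive_ptk(pmk, aa, spa, anonce, snonce, bits=384):
    """Expand the PMK into a PTK (384 bits for CCMP, 512 for TKIP) and
    split it as on the slide: KCK = bits 0-127, KEK = 128-255, TK = rest."""
    data = (min(aa, spa) + max(aa, spa) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, bits)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

def mic(kck: bytes, message: bytes) -> bytes:
    """Handshake MIC: HMAC-SHA1 under the KCK, truncated to 128 bits."""
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]

def handshake(pmk_sta: bytes, pmk_ap: bytes, aa: bytes, spa: bytes):
    """Return (STA keys, AP keys), or None if a MIC check fails.
    Message bodies are simplified placeholders (assumption)."""
    anonce = os.urandom(32)                    # msg 1: AP -> STA, nonceAP
    snonce = os.urandom(32)
    sta = derive_ptk(pmk_sta, aa, spa, anonce, snonce)
    msg2 = b"msg2|" + snonce                   # msg 2: STA -> AP, nonceSTA
    mic2 = mic(sta["KCK"], msg2)
    ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic2, mic(ap["KCK"], msg2)):
        return None                            # STA does not hold the AP's PMK
    msg3 = b"msg3|install|" + anonce           # msg 3: AP -> STA, Install PTK
    mic3 = mic(ap["KCK"], msg3)
    if not hmac.compare_digest(mic3, mic(sta["KCK"], msg3)):
        return None                            # AP does not hold the STA's PMK
    return sta, ap                             # msg 4 (MIC only) omitted

# Constructed sample values.
AA = bytes.fromhex("020000000001")             # authenticator (AP) address
SPA = bytes.fromhex("020000000002")            # supplicant (STA) address
PMK = hashlib.sha256(b"constructed sample PMK").digest()   # 256 bits
```

Neither side sends the PMK or the PTK; possession is shown only through a MIC computed with the derived KCK, and fresh nonces give a fresh PTK on every run.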

RSNA Confidentiality & Integrity
• RSNA defines:
  • TKIP should only be used when CCMP is not available
  • CCMP is mandatory for full compliance
• CCMP
  • based on AES in CCM mode: provably secure
  • CCM uses a single 128-bit key for both data encryption and MIC
  • requires a fresh TK for every session, and a unique nonce per frame: 48-bit packet number (PN) field

RSNA Confidentiality & Integrity
• TKIP + MICHAEL
• CCMP
  • AES based
  • confidentiality, authentication, integrity and replay protection
  • 128-bit long key for both data encryption and MIC computing
  • a fresh Temporal Key (TK) is needed for every session
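
MIC*
• MICHAEL (TKIP)
  [Figure: Michael, keyed with KCK, is computed over DA, SA and Payload and outputs the 8-byte MIC]
• CBC-MAC** (CCMP)
  [Figure: CBC-MAC chain. The IV and the blocks B1 … BK, BK+1 … BR (DA, SA and Payload, zero-padded) pass through AES keyed with KCK; the final output is the MIC]
*Calculated using MSDU - WEP uses the MPDU only
** Counter Mode with Cipher Block Chaining (CBC)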