![Page 1: Wireless LAN Security Yen-Cheng Chen Department of Information Management National Chi Nan University ycchen@ncnu.edu.tw](https://reader035.vdocuments.us/reader035/viewer/2022062516/56649db15503460f94a9fe1d/html5/thumbnails/1.jpg)
Wireless LAN Security
Yen-Cheng Chen
Department of Information Management
National Chi Nan University
Outline
1. Introduction
2. WLAN Authentication
3. WEP (Wired Equivalent Privacy)
4. IEEE 802.1X
5. Conclusion
1. Introduction
• Increasing popularity of IEEE 802.11 Wireless LANs (WLANs)
  • More laptops and PDAs equipped with WLAN interface. (Intel Centrino™)
  • By 2005, over 80 percent of professional notebook PCs will have a WLAN interface.
• Public Wireless LAN Hotspots
  • ISPs provide WLAN access services at airports, coffee shops, conference centers, shopping malls, …
Comparisons among 802.11 Versions
[Figure: Wireless LAN Hotspots. Labels: Internet, Access Point, Coffee Shop, Airport, Conference Center, WLAN Adapter]
[Figure: Typical Wireless LAN Configuration. Labels: Internet/Intranet, Router, Switch, Access Point, WLAN Adapter, PDA, Notebook PC]
IEEE 802.11 Association Services
Three association services defined in 802.11:
• Association Service: Before a mobile client is allowed to send a data message via an AP, it shall first become associated with the AP.
• Reassociation Service: The reassociation service is invoked to “move” a current association from one AP to another.
• Disassociation Service: The disassociation service is invoked whenever an existing association is to be terminated.
A Scenario
[Figure: AP #1 and AP #2 attached to the Internet; a client moves and then leaves. (1) Association (2) Reassociation (3) Disassociation]
802.11 Client Authentication
[Figure; surviving label: Wired Network]
802.11 Client Authentication
1. Client broadcasts a probe request frame on every channel
2. Access points within range respond with a probe response frame
3. The client decides which access point (AP) is the best for access and sends an authentication request
4. The access point will send an authentication reply
5. Upon successful authentication, the client will send an association request frame to the access point
6. The access point will reply with an association response
7. The client is now able to pass traffic to the access point
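The ordering in steps 3 to 7, together with the association services above, can be checked mechanically against a frame trace. The following is an added example, not part of the original slides; the frame labels, station names and trace are constructed for illustration.

```python
# Station states from the AP's point of view (802.11 State 1, 2 and 3).
UNAUTH, AUTH, ASSOC = "unauthenticated", "authenticated", "associated"

# (current state, frame) -> next state. Frame names are labels chosen for this
# example, not 802.11 subtype encodings; unlisted frames leave the state as is.
TRANSITIONS = {
    (UNAUTH, "auth-reply-ok"): AUTH,     # step 4
    (AUTH, "assoc-resp-ok"): ASSOC,      # step 6
    (ASSOC, "reassoc-resp-ok"): ASSOC,   # reassociation service
    (ASSOC, "disassoc"): AUTH,           # disassociation service
    (AUTH, "deauth"): UNAUTH,
    (ASSOC, "deauth"): UNAUTH,
}

def audit(trace):
    """Replay (station, frame) events in order.

    Returns (final state per station, violations), where a violation is a
    frame the procedure does not allow yet: an association request before
    authentication, or data before association.
    """
    state, violations = {}, []
    for index, (station, frame) in enumerate(trace):
        current = state.get(station, UNAUTH)
        if frame == "data" and current != ASSOC:
            violations.append((index, station, frame, current))
        elif frame == "assoc-req" and current == UNAUTH:
            violations.append((index, station, frame, current))
        state[station] = TRANSITIONS.get((current, frame), current)
    return state, violations

# Constructed trace, keyed by the client each frame belongs to: sta-A follows
# steps 1-7 and later disassociates; sta-B sends data without associating.
TRACE = [
    ("sta-A", "probe-req"), ("sta-A", "probe-resp"),
    ("sta-A", "auth-req"), ("sta-A", "auth-reply-ok"),
    ("sta-A", "assoc-req"), ("sta-A", "assoc-resp-ok"),
    ("sta-A", "data"),
    ("sta-B", "data"),
    ("sta-A", "disassoc"),
]

if __name__ == "__main__":
    final, bad = audit(TRACE)
    print(final)
    print(bad)
```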
Security Threats
• Data transmitted can be easily intercepted.
• Signal coverage area cannot be well limited.
• Intentional and non-intentional interference.

• User authentication to prevent unauthorized access to network resources
• Data privacy to protect the integrity and privacy of transmitted data
2. WLAN Authentication
• SSIDs (Service Set IDs)
• Open Authentication
• Shared Key Authentication
• MAC Address Authentication
SSIDs (Service Set IDs)
SSIDs (Service Set IDs)
Vulnerability of Using SSIDs
• SSID can be obtained by eavesdropping.
Open Authentication
• Null authentication
• Some hand-held devices do not have capabilities for complex authentication algorithms.
• Any device that knows the SSID can gain access to the WLAN.
Open Authentication with Differing WEP Keys
Shared Key Authentication
1. The client sends an authentication request to the access point requesting shared key authentication
2. The access point responds with an authentication response containing challenge text
3. The client uses its locally configured WEP key to encrypt the challenge text and reply with a subsequent authentication request
4. If the access point can decrypt the authentication request and retrieve the original challenge text, then it responds with an authentication response that grants the client access
Shared Key Authentication
• Use of WEP key
• Key distribution and management
Shared Key Authentication Vulnerabilities
• Stealing Key stream
  • WEP uses RC4
• Man-in-the-Middle Attack

$C = P \oplus \mathrm{RC4}(K)$
$C \oplus P = P \oplus \mathrm{RC4}(K) \oplus P = \mathrm{RC4}(K)$
Deriving Key Stream
MAC Address Authentication
• Not specified in 802.11
• Many AP products support MAC address authentication.
• MAC address authentication verifies the client’s MAC address against a locally configured list of allowed addresses or against an external authentication server.
MAC Address Filtering in APs
MAC Authentication via RADIUS
MAC Address Authentication Vulnerabilities
• MAC Address Spoofing
  • Valid MAC addresses can be observed by a protocol analyzer.
  • The MACs of some WLAN NICs can be overwritten.
3. WEP (Wired Equivalent Privacy)
• IEEE 802.11 Std.
• Goals
  • Confidentiality
  • Access Control
  • Data Integrity
• WEP Key: 64-bit, 128-bit
WEP (Wired Equivalent Privacy)
-- 4 Keys
-- 104-bit key + 24-bit IV
104 bits
[Figure; surviving labels: (104 bits), (128 bits)]
WEP Vulnerabilities
• Key attacks
  • Statistical key derivation – Several IVs can reveal key bytes after statistical analysis.
• Secret key problems
• Confidentiality attacks
• Integrity attacks
• Authentication attack
IV Replay Attack
Growing a Key Stream
Keystream Reuse in WEP
Keystream Reuse in WEP
• WEP standard recommends that IV be changed after every packet.
• Many WLAN cards reset the IV to 0 each time they were re-initialized, and then incremented the IV by one after each packet transmitted.
• IV is only 24 bits wide.
  • 1500 byte packets, 5 Mbps bandwidth: half of a day
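The two points above, the size of the IV space and the reset-to-0 counter, turned into a check that can be run over a frame log. This is an added example, not part of the original slides; the station address and the capture are constructed, and the capture format (transmitter, IV) is an assumption of the example.

```python
from collections import defaultdict

IV_SPACE = 2 ** 24   # the IV is only 24 bits wide

def iv_exhaustion_hours(packet_bytes: int, mbps: float) -> float:
    """Hours until a per-packet IV counter has used all 2^24 values."""
    packets_per_second = mbps * 1_000_000 / (packet_bytes * 8)
    return IV_SPACE / packets_per_second / 3600

def card_ivs(frames_per_session):
    """IVs emitted by a card that restarts at 0 on every re-initialization
    and increments by one per transmitted packet."""
    for count in frames_per_session:
        for n in range(count):
            yield n % IV_SPACE

def reused_ivs(frames):
    """Return {iv: [frame indexes]} for every IV seen more than once.

    All stations share the WEP key, so the keystream depends only on the IV:
    frames listed together were encrypted with the same keystream.
    """
    seen = defaultdict(list)
    for index, (_transmitter, iv) in enumerate(frames):
        seen[iv].append(index)
    return {iv: idx for iv, idx in seen.items() if len(idx) > 1}

# Constructed capture: one station, re-initialized twice, sending 5, 3 and
# 4 frames in its three sessions.
STATION = "02:00:00:00:00:01"   # constructed, locally administered address
CAPTURE = [(STATION, iv) for iv in card_ivs([5, 3, 4])]

if __name__ == "__main__":
    print(round(iv_exhaustion_hours(1500, 5), 1), "hours to exhaust the IV space")
    print(reused_ivs(CAPTURE))
```

With the slide's figures the counter wraps after roughly 11 hours, matching "half of a day", while the reset behaviour produces reuse after only a handful of frames.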
4. IEEE 802.1X
• Port-Based Network Access Control
  • To provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics
  • To prevent access to that port in cases in which the authentication and authorization process fails.
• 802.1X requires three entities:
  • The supplicant—resides on the wireless LAN client
  • The authenticator—resides on the access point
  • The authentication server—EAP server, mostly RADIUS server
802.1X in LANs
EAP: Extensible Authentication Protocol
RADIUS: Remote Authentication Dial In User Service
• EAP-MD5
• EAP-TLS
Supplicant, Authenticator, and Authentication Server
PAE: port access entity
EAP-MD5
Supplicant ← Authentication Server: Challenge Text
Supplicant → Authentication Server: MD5 (Password + Challenge Text)
Supplicant ← Authentication Server: Accept / Reject
EAP-TLS
• TLS: Transport Layer Security
• Use TLS public key certification mechanism within EAP.
• Digital certificate signed by CA
• Mutual Authentication
  • Client Certificate
  • Server Certificate
• Key exchange / Dynamic session key
Man-In-The-Middle Attack
Absence of Mutual Authentication
Session Hijacking
5. Conclusion
• IEEE 802.11i
  • TKIP: Temporal Key Integrity Protocol
  • AES: Advanced Encryption Standard
• Certificate based authentication
  • EAP-TLS, EAP-TTLS, PEAP
• Password authentication
  • LEAP, Diffie-Hellman exchange, SPEKE: ZKPP (Zero Knowledge Password Proof)