Network Security Lecture 8: Wireless LAN Security (62 slides)

Slide 1: Network Security Lecture 8, Wireless LAN Security (WLAN Security)

Slide 2: WLAN Security - Contents
- Wireless LAN 802.11
  - Technology
  - Security History
  - Vulnerabilities
  - Demonstration

Slide 3: Wireless LANs
- IEEE ratified 802.11 in 1997.
  - Also known as Wi-Fi.
  - Wireless LAN at 1 Mbps and 2 Mbps.
- WECA (Wireless Ethernet Compatibility Alliance) promoted interoperability.
  - Now the Wi-Fi Alliance.
- 802.11 focuses on Layer 1 and Layer 2 of the OSI model.
  - Physical layer
  - Data link layer

Slide 4: 802.11 Components
- Two pieces of equipment defined:
- Wireless station
  - A desktop or laptop PC or PDA with a wireless NIC.
- Access point
  - A bridge between wireless and wired networks
  - Composed of
    - Radio
    - Wired network interface (usually 802.3)
    - Bridging software
  - Aggregates access for multiple wireless stations to the wired network.

Slide 5: 802.11 modes
- Infrastructure mode
  - Basic Service Set
    - One access point
  - Extended Service Set
    - Two or more BSSs forming a single subnet.
  - Most corporate LANs in this mode.
- Ad-hoc mode
  - Also called peer-to-peer.
  - Independent Basic Service Set
    - Set of 802.11 wireless stations that communicate directly without an access point.
  - Useful for quick and easy wireless networks.

Slide 6: Infrastructure mode (diagram)
- Figure labels: Access Point, Station, Basic Service Set (BSS) - single cell, Extended Service Set (ESS) - multiple cells

Slide 7: Ad-hoc mode (diagram)
- Figure label: Independent Basic Service Set (IBSS)

Slide 8: 802.11 Physical Layer
- Originally three alternative physical layers
  - Two incompatible spread-spectrum radios in the 2.4 GHz ISM band
    - Frequency Hopping Spread Spectrum (FHSS): 75 channels
    - Direct Sequence Spread Spectrum (DSSS): 14 channels (11 channels in US)
  - One diffuse infrared layer
- 802.11 speed
  - 1 Mbps or 2 Mbps.

Slide 9: 802.11 Data Link Layer
- Layer 2 split into:
  - Logical Link Control (LLC).
  - Media Access Control (MAC).
- LLC: same 48-bit addresses as 802.3.
- MAC: CSMA/CD not possible.
  - Can't listen for collision while transmitting.
- CSMA/CA: Collision Avoidance.
  - Sender waits for clear air, waits random time, then sends data.
  - Receiver sends explicit ACK when data arrives intact.
  - Also handles interference.
  - But adds overhead.
  - 802.11 always slower than equivalent 802.3.

Slide 10: Hidden nodes (diagram)

Slide 11: RTS / CTS
- To handle hidden nodes
- Sending station sends "Request to Send"
- Access point responds with "Clear to Send"
- All other stations hear this and delay any transmissions.
- Only used for larger pieces of data.
  - When retransmission may waste significant time.

Slide 12: 802.11b
- 802.11b ratified in 1999 adding 5.5 Mbps and 11 Mbps.
- DSSS as physical layer.
- 11 channels (3 non-overlapping)
- Dynamic rate shifting.
  - Transparent to higher layers
  - Ideally 11 Mbps.
  - Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
    - Higher ranges.
    - Interference.
  - Shifts back up when possible.
- Maximum specified range 100 metres
- Average throughput of 4 Mbps

Slide 13: Joining a BSS
- When an 802.11 client enters range of one or more APs
  - APs send beacons.
  - AP beacon can include SSID.
  - AP chosen on signal strength and observed error rates.
- After AP accepts client.
  - Client tunes to AP channel.
  - Periodically, all channels surveyed.
    - To check for stronger or more reliable APs.
    - If found, reassociates with new AP.

Slide 14: Access Point Roaming (diagram)
- Figure labels: Channel 1, Channel 4, Channel 9, Channel 7

Slide 15: Roaming and Channels
- Reassociation with APs
  - Moving out of range.
  - High error rates.
  - High network traffic.
    - Allows load balancing.
- Each AP has a channel.
  - 14 partially overlapping channels.
  - Only three channels that have no overlap.
    - Best for multicell coverage.

Slide 16: 802.11a
- 802.11a ratified in 2001
- Supports up to 54 Mbps in 5 GHz range.
  - Higher frequency limits the range
  - Regulated frequency reduces interference from other devices
- 12 non-overlapping channels
- Usable range of 30 metres
- Average throughput of 30 Mbps
- Not backwards compatible

Slide 17: 802.11g
- 802.11g ratified in 2002
- Supports up to 54 Mbps in 2.4 GHz range.
- Backwards compatible with 802.11b
- 3 non-overlapping channels
- Range similar to 802.11b
- Average throughput of 30 Mbps
- 802.11n due for November 2006
  - Aiming for maximum 200 Mbps with average 100 Mbps

Slide 18: Open System Authentication
- Service Set Identifier (SSID)
  - Station must specify SSID to Access Point when requesting association.
  - Multiple APs with same SSID form Extended Service Set.
  - APs can broadcast their SSID.
- Some clients allow * as SSID.
  - Associates with strongest AP regardless of SSID.

Slide 19: MAC ACLs and SSID hiding
- Access points have Access Control Lists (ACL).
  - ACL is list of allowed MAC addresses.
  - E.g. Allow access to:
    - 00:01:42:0E:12:1F
    - 00:01:42:F1:72:AE
    - 00:01:42:4F:E2:01
  - But MAC addresses are sniffable and spoofable.
- AP Beacons without SSID
  - Essid_jack
    - sends deauthenticate frames to client
    - SSID then displayed when client sends reauthenticate frames

Slide 20: Interception Range (diagram)
- Figure labels: Station outside building perimeter, 100 metres, Basic Service Set (BSS) - single cell

Slide 21: Interception
- Wireless LAN uses radio signal.
  - Not limited to physical building.
- Signal is weakened by:
  - Walls
  - Floors
  - Interference
- Directional antenna allows interception over longer distances.

Slide 22: Directional Antenna
- Directional antenna provides focused reception.
- DIY plans available.
  - Aluminium cake tin
  - Chinese cooking sieve
  - http://www.saunalahti.fi/~elepal/antennie.html
  - http://www.usbwifi.orcon.net.nz/

Slide 23: War Driving
- Software
  - Netstumbler
  - And many more
- Laptop
  - 802.11b, g or a PC card
- Optional:
  - Global Positioning System
  - Car, bicycle, boat...
- Logging of MAC address, network name, SSID, manufacturer, channel, signal strength, noise (GPS location).

Slide 24: War Driving results
- San Francisco, 2001
  - Maximum 55 miles per hour.
  - 1500 Access Points
  - 60% in default configuration.
  - Most connected to internal backbones.
  - 85% use Open System Authentication.
- Commercial directional antenna
  - 25 mile range from hilltops.
- Peter Shipley - http://www.dis.org/filez/openlans.pdf

Slide 25: War Driving map (figure)
- Source: www.dis.org/wl/maps/

Slide 26: Worldwide War Drive 2004
- Fourth WWWD
- www.worldwidewaredrive.org
- 228,537 Access points
  - 82,755 (35%) with default SSID
  - 140,890 (60%) with Open System Authentication
  - 62,859 (27%) with both, probably default configuration

Slide 27: Further issues
- Access Point configuration
  - Mixtures of SNMP, web, serial, telnet.
  - Default community strings, default passwords.
- Evil Twin Access Points
  - Stronger signal, capture user authentication.
- Renegade Access Points
  - Unauthorised wireless LANs.

Slide 28: War Driving prosecutions
- February 2004, Texas: Stefan Puffer acquitted of wrongful access after showing an unprotected county WLAN to officials
- June 2004, North Carolina, Lowes DIY store
  - Botbyl convicted for stealing credit card numbers via unprotected WLAN
  - Timmins convicted for checking email and web browsing via unprotected WLAN
- June 2004, Connecticut: Myron Tereshchuk guilty of drive-by extortion via unprotected WLANs
  - "make the check payable to M. Tereshchuk"
- Sep 2004, Los Angeles: Nicholas Tombros guilty of drive-by spamming via unprotected WLANs

Slide 29: 802.11b Security Services
- Two security services provided:
  - Authentication
    - Shared Key Authentication
  - Encryption
    - Wired Equivalent Privacy (WEP)

Slide 30: Wired Equivalent Privacy
- Shared key between
  - Stations.
  - An Access Point.
- Extended Service Set
  - All Access Points will have same shared key.
- No key management
  - Shared key entered manually into
    - Stations
    - Access points
  - Key management nightmare in large wireless LANs

Slide 31: RC4
- Ron's Code number 4
- Symmetric key encryption
- RSA Security Inc.
  - Designed in 1987.
  - Trade secret until leak in 1994.
- RC4 can use key sizes from 1 bit to 2048 bits.
- RC4 generates a stream of pseudo random bits
  - XORed with plaintext to create ciphertext.

Slide 32: WEP - Sending
- Compute Integrity Check Vector (ICV).
  - Provides integrity
  - 32 bit Cyclic Redundancy Check.
  - Appended to message to create plaintext.
- Plaintext encrypted via RC4
  - Provides confidentiality.
  - Plaintext XORed with long key stream of pseudo random bits.
  - Key stream is function of
    - 40-bit secret key
    - 24 bit initialisation vector
- Ciphertext is transmitted.

Slide 33: WEP Encryption (diagram)
- Figure labels: Initialisation Vector (IV), Secret key, IV || secret key into the RC4 PRNG, Key stream, Plaintext || 32 bit CRC, Cipher text

Slide 34: WEP - Receiving
- Ciphertext is received.
- Ciphertext decrypted via RC4
  - Ciphertext XORed with long key stream of pseudo random bits.
  - Key stream is function of
    - 40-bit secret key
    - 24 bit initialisation vector (IV)
- Check ICV
  - Separate ICV from message.
  - Compute ICV for message
  - Compare with received ICV

Slide 35: Shared Key Authentication
- When station requests association with Access Point
- AP sends random number to station
- Station encrypts random number
  - Uses RC4, 40 bit shared secret key and 24 bit IV
- Encrypted random number sent to AP
- AP decrypts received message
  - Uses RC4, 40 bit shared secret key and 24 bit IV
- AP compares decrypted random number to transmitted random number
  - If numbers match, station has shared secret key.

Slide 36: WEP Safeguards
- Shared secret key required for:
  - Associating with an access point.
  - Sending data.
  - Receiving data.
- Messages are encrypted.
  - Confidentiality.
- Messages have checksum.
  - Integrity.
- But management traffic still broadcast in clear containing SSID.

Slide 37: Initialisation Vector
- IV must be different for every message transmitted.
- 802.11 standard doesn't specify how IV is calculated.
- Wireless cards use several methods
  - Some use a simple ascending counter for each message.
  - Some switch between alternate ascending and descending counters.
  - Some use a pseudo random IV generator.

Slide 38: Passive WEP attack
- If 24 bit IV is an ascending counter,
- If Access Point transmits at 11 Mbps,
- All IVs are exhausted in roughly 5 hours.
- Passive attack:
  - Attacker collects all traffic
  - Attacker could collect two messages:
    - Encrypted with same key and same IV
  - Statistical attacks to reveal plaintext
  - Plaintext XOR Ciphertext = Keystream

Slide 39: Active WEP attack
- If attacker knows plaintext and ciphertext pair
  - Keystream is known.
  - Attacker can create correctly encrypted messages.
  - Access Point is deceived into accepting messages.
- Bitflipping
  - Flip a bit in ciphertext
  - Bit difference in CRC-32 can be computed

Slide 40: Limited WEP keys
- Some vendors allow limited WEP keys
  - User types in a passphrase
  - WEP key is generated from passphrase
- Passphrase creates only 21 bits of entropy in 40 bit key.
  - Reduces key strength to 21 bits = 2,097,152 keys
  - Remaining 19 bits are predictable.
- 21 bit key can be brute forced in minutes.
- www.lava.net/~newsham/wlan/WEP_password_cracker.ppt

Slide 41: Creating limited WEP keys (diagram)

Slide 42: Brute force key attack
- Capture ciphertext.
  - IV is included in message.
- Search all 2^40 possible secret keys.
  - 1,099,511,627,776 keys
  - ~170 days on a modern laptop
- Find which key decrypts ciphertext to plaintext.

Slide 43: 128 bit WEP
- Vendors have extended WEP to 128 bit keys.
  - 104 bit secret key.
  - 24 bit IV.
- Brute force takes 10^19 years for 104 bit key.
- Effectively safeguards against brute force attacks.

Slide 44: Key Scheduling Weakness
- Paper from Fluhrer, Mantin, Shamir, 2001.
- Two weaknesses:
  - Certain keys leak into key stream.
    - Invariance weakness.
  - If portion of PRNG input is exposed,
    - Analysis of initial key stream allows key to be determined.
    - IV weakness.

Slide 45: IV weakness
- WEP exposes part of PRNG input.
  - IV is transmitted with message.
- Every wireless frame has reliable first byte
  - Sub-network Access Protocol header (SNAP) used in logical link control layer, upper sub-layer of data link layer.
  - First byte is 0xAA
- Attack is:
  - Capture packets with weak IV
  - First byte ciphertext XOR 0xAA = First byte key stream
  - Can determine key from initial key stream
- Practical for 40 bit and 104 bit keys
- Passive attack.
  - Non-intrusive.
  - No warning.

Slide 46: Wepcrack
- First tool to demonstrate attack using IV weakness.
- Open source, Anton Rager.
- Three components
  - Weaker IV generator.
  - Search sniffer output for weaker IVs and record 1st byte.
  - Cracker to combine weaker IVs and selected 1st bytes.
- Cumbersome.

Slide 47: Airsnort
- Automated tool
- Cypher42, Minnesota, USA.
- Does it all!
  - Sniffs
  - Searches for weaker IVs
  - Records encrypted data
  - Until key is derived.
- 100 Mb to 1 Gb of transmitted data.
- 3 to 4 hours on a very busy WLAN

Slide 48: Avoid the weak IVs
- FMS described a simple method to find weak IVs
- Many manufacturers avoid those IVs after 2002
- Therefore Airsnort and others may not work on recent hardware
- However David Hulton aka h1kari
  - Properly implemented FMS attack which shows many more weak IVs
  - Identified IVs that leak into second byte of key stream.
    - Second byte of SNAP header is also 0xAA
  - So attack still works on recent hardware
  - And is faster on older hardware
- Dwepcrack, weplab, aircrack
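As an added example (not from the slides and not any vendor's driver code), the block below turns the IV material on the "Initialisation Vector", "Passive WEP attack", "IV weakness" and "Avoid the weak IVs" slides (37, 38, 45 and 48) into checks a wireless IDS or an audit could run: how long a simple ascending 24-bit counter lasts at a given link rate, whether a captured IV sequence contains repeats (keystream reuse), and whether IVs in the classic FMS weak class (A+3, 255, X) are being transmitted, with a counter model that skips them as the post-2002 vendor fix did. The counter models and frame size are assumptions; only the original FMS class is implemented, not the larger classes h1kari identified.

```python
"""Added example (not from the slides): receiver-side and audit checks on WEP IVs.
Counters modelled here are constructed; only the classic FMS weak-IV class is used."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

IV_BITS = 24
IV_SPACE = 1 << IV_BITS


def iv_exhaustion_seconds(link_mbps: float, frame_bytes: int) -> float:
    """Seconds until a sender that increments the IV once per frame and keeps the
    link busy has used every 24-bit IV (the slide's 'roughly 5 hours at 11 Mbps';
    the 1500-byte frame size used in the test is an assumption)."""
    frames_per_second = link_mbps * 1_000_000 / (frame_bytes * 8)
    return IV_SPACE / frames_per_second


def is_fms_weak_iv(iv: bytes, key_bytes: int = 5) -> bool:
    """Classic Fluhrer-Mantin-Shamir weak IV: (A+3, 255, X), where A is the index of
    the secret-key byte it leaks, 0 <= A < key_bytes (5 for 40-bit WEP, 13 for 104-bit)."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_bytes


def ascending_counter_ivs(start: int, count: int) -> List[bytes]:
    """Models a card with a simple ascending IV counter (little-endian, wraps at 2^24)."""
    return [((start + k) % IV_SPACE).to_bytes(3, "little") for k in range(count)]


def filtered_counter_ivs(start: int, count: int, key_bytes: int = 5) -> List[bytes]:
    """Models the vendor fix: the same counter, but IVs in the FMS weak class are
    skipped instead of being transmitted."""
    ivs: List[bytes] = []
    value = start
    while len(ivs) < count:
        iv = (value % IV_SPACE).to_bytes(3, "little")
        if not is_fms_weak_iv(iv, key_bytes):
            ivs.append(iv)
        value += 1
    return ivs


def audit_ivs(ivs: Iterable[bytes], key_bytes: int = 5) -> Tuple[Dict[bytes, int], List[bytes]]:
    """Audit a captured IV sequence: returns the IVs seen more than once (keystream
    reuse, the passive attack's precondition) and the FMS-weak IVs that were sent."""
    counts = Counter(ivs)
    reused = {iv: n for iv, n in counts.items() if n > 1}
    weak = [iv for iv in counts if is_fms_weak_iv(iv, key_bytes)]
    return reused, weak
```

Run against a real capture, `audit_ivs` only needs the three IV bytes of each data frame; a non-empty `reused` map on a single AP/key is the condition slide 38 describes, and any entry in `weak` means the transmitting card predates the vendor filtering slide 48 mentions.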

Slide 49: Generating WEP traffic
- Not capturing enough traffic?
- Capture encrypted ARP request packets
  - Anecdotally lengths of 68, 118 and 368 bytes appear appropriate
- Replay encrypted ARP packets to generate encrypted ARP replies
- Aireplay implements this.

Slide 50: 802.11 safeguards
- Security Policy and Architecture Design
- Treat as untrusted LAN
- Discover unauthorised use
- Access point audits
- Station protection
- Access point location
- Antenna design

Slide 51: Security Policy and Architecture
- Define use of wireless network
  - What is allowed
  - What is not allowed
- Holistic architecture and implementation
  - Consider all threats.
  - Design entire architecture
    - To minimise risk.

Slide 52: Wireless as untrusted LAN
- Treat wireless as untrusted.
  - Similar to Internet.
- Firewall between WLAN and Backbone.
- Extra authentication required.
- Intrusion Detection
  - at WLAN / Backbone junction.
- Vulnerability assessments

Slide 53: Discover unauthorised use
- Search for unauthorised access points, ad-hoc networks or clients.
- Port scanning
  - For unknown SNMP agents.
  - For unknown web or telnet interfaces.
- Warwalking!
  - Sniff 802.11 packets
  - Identify IP addresses
  - Detect signal strength
  - But may sniff your neighbours...
- Wireless Intrusion Detection
  - AirMagnet, AirDefense, Trapeze, Aruba, ...

Slide 54: Access point audits
- Review security of access points.
  - Are passwords and community strings secure?
- Use Firewalls and router ACLs
  - Limit use of access point administration interfaces.
- Standard access point config:
  - SSID
  - WEP keys
  - Community string and password policy

Slide 55: Station protection
- Personal firewalls
  - Protect the station from attackers.
- VPN from station into Intranet
  - End-to-end encryption into the trusted network.
  - But consider roaming issues.
- Host intrusion detection
  - Provide early warning of intrusions onto a station.
- Configuration scanning
  - Check that stations are securely configured.

Slide 56: Location of Access Points
- Ideally locate access points
  - In centre of buildings.
- Try to avoid access points
  - By windows
  - On external walls
  - Line of sight to outside
- Use directional antenna to "point" radio signal.

Slide 57: WPA
- Wi-Fi Protected Access
- Works with 802.11b, a and g
- "Fixes" WEP's problems
  - Existing hardware can be used
- 802.1x user-level authentication
- TKIP
  - RC4 session-based dynamic encryption keys
  - Per-packet key derivation
  - Unicast and broadcast key management
  - New 48 bit IV with new sequencing method
  - Michael 8 byte message integrity code (MIC)
- Optional AES support to replace RC4

Slide 58: WPA and 802.1x
- 802.1x is a general purpose network access control mechanism
- WPA has two modes
  - Pre-shared mode, uses pre-shared keys
  - Enterprise mode, uses Extensible Authentication Protocol (EAP) with a RADIUS server making the authentication decision
- EAP is a transport for authentication, not authentication itself
  - EAP allows arbitrary authentication methods
  - For example, Windows supports
    - EAP-TLS requiring client and server certificates
    - PEAP-MS-CHAPv2

Slide 59: Practical WPA attacks
- Dictionary attack on pre-shared key mode
  - CoWPAtty, Joshua Wright
- Denial of service attack
  - If WPA equipment sees two packets with invalid MICs in 1 second
    - All clients are disassociated
    - All activity stopped for one minute
  - Two malicious packets a minute enough to stop a wireless network
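The following is an added example, not from the slides and not an implementation of TKIP. It models the receive-side state behind two items on the WPA slides (57 and 59): the 48-bit sequence counter that replaces WEP's 24-bit IV, enforced as strictly increasing so replayed frames are dropped before the MIC is even checked, and the Michael MIC-failure countermeasure, which the "Practical WPA attacks" slide turns into a denial of service. Frames are `(tsc, mic_ok)` pairs with constructed timestamps. The slide gives the detection window as one second; IEEE 802.11i specifies 60 seconds, which is the default used here, and in either case the hold-off is one minute. `blocked_fraction` measures what the slide's "two malicious packets a minute" costs in availability.

```python
"""Added example (not from the slides): a model of TKIP replay protection and the
Michael MIC-failure countermeasure. Timestamps and frames are constructed."""
from typing import List

TSC_MAX = (1 << 48) - 1  # TKIP sequence counter is 48 bits


class TkipReceiver:
    def __init__(self, failure_window: float = 60.0, hold_off: float = 60.0) -> None:
        self.failure_window = failure_window  # slide says 1 s; 802.11i says 60 s
        self.hold_off = hold_off              # "all activity stopped for one minute"
        self.last_tsc = -1                    # highest sequence counter accepted so far
        self.failures: List[float] = []       # timestamps of recent MIC failures
        self.blocked_until = 0.0              # countermeasures active until this time

    def receive(self, tsc: int, mic_ok: bool, now: float) -> str:
        """Returns 'blocked', 'replay', 'mic_failure', 'countermeasures' or 'accept'."""
        if now < self.blocked_until:
            return "blocked"
        if not 0 <= tsc <= TSC_MAX:
            raise ValueError("TSC is a 48-bit counter")
        # Replay check first: a replayed or reordered frame is dropped silently and
        # never reaches the MIC check, so replays alone cannot trigger countermeasures.
        if tsc <= self.last_tsc:
            return "replay"
        if not mic_ok:
            return "countermeasures" if self._mic_failure(now) else "mic_failure"
        self.last_tsc = tsc
        return "accept"

    def _mic_failure(self, now: float) -> bool:
        """Record a MIC failure; a second one inside the window starts countermeasures:
        all clients disassociated and traffic halted for hold_off seconds."""
        self.failures = [t for t in self.failures if now - t < self.failure_window]
        self.failures.append(now)
        if len(self.failures) >= 2:
            self.blocked_until = now + self.hold_off
            self.failures = []
            return True
        return False


def blocked_fraction(bad_frame_times: List[float], horizon: float, step: float = 1.0) -> float:
    """Fraction of [0, horizon) during which a receiver sits in countermeasures when
    frames with bad MICs (and fresh TSCs) arrive at the given times."""
    rx = TkipReceiver()
    pending = sorted(bad_frame_times)
    tsc = 1
    blocked_ticks = ticks = 0
    t = 0.0
    while t < horizon:
        while pending and pending[0] <= t:
            rx.receive(tsc, False, pending.pop(0))
            tsc += 1
        if t < rx.blocked_until:
            blocked_ticks += 1
        ticks += 1
        t += step
    return blocked_ticks / ticks
```

The receiver is the defender's side of the slide: replay protection holds because the counter is 48 bits and monotonic, but the countermeasure trades availability for key safety, which is why two bad frames per minute from an attacker in radio range can keep a TKIP network offline.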

Slide 60: 802.11i
- Robust Security Network extends WPA
- Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
  - Based on a mode of AES, with 128 bit keys and 48 bit IV.
- Also adds dynamic negotiation of authentication and encryption algorithms
  - Allows for future change
- Does require new hardware
- www.drizzle.com/~aboba/IEEE/

Slide 61: Relevant RFCs
- RADIUS Extensions: RFC 2869
- EAP: RFC 2284
- EAP-TLS: RFC 2716

Slide 62: Demonstration
- War driving
- Packet sniffing
- Faking APs
- Cracking WEP
  - Brute force
  - Dictionary attack
  - FMS / h1kari attack
- Airsnarf?
- Packet injection?