VARNOST V BREZICNIH OMREJIH Review of Wireless Security

1
VARNOST V BREZICNIH OMREJIHReview of Wireless
Security

• Kruno Kisicek, CISM
• Februar, 2007

2
Contents

• Introduction - Wireless Landscape (Wireless
  technologies, Architectural Models, Components,
  Security Framework,..
• Comprehensive Review of 802.11(i) Wireless LAN
  Security
• Review of GSM/UMTS Wireless Security
• Review of WiMAX Wireless Security
• Summary

3
Background Wireless Landscape
High-Speed Connectivity Hierarchy of Networks
Low Cost Complexity
Personal Area Network
Fixed Broadband Wireless (e.g.802.16) Cellular
Mobile Networks (e.g. GPRS,3G)
High Cost Complexity
Increasing Coverage Area
4
Background Wireless Technologies
WAN (Wide Area Network)
MAN (Metropolitan Area Network)
LAN (Local Area Network)
PAN (Personal Area Network)
5
Comparing Technologies
6
Potential Services
7
IEEE 802.11 Standards - Wireless Fidelity
(Wi-Fi)
802.11n
8
IEEE 802.11 Network Components

• IEEE 802.11 has two fundamental architectural
  components, as follows
• Station (STA). A STA is a wireless endpoint
  device. Typical examples of STAs are laptop
  computers, personal digital assistants (PDA),
  mobile phones, and other consumer electronic
  devices with IEEE 802.11 capabilities.
• Access Point (AP). An AP logically connects
  STAs with a distribution system (DS), which is
  typically an organizations wired infrastructure.
  APs can also logically connect wireless STAs with
  each other without accessing a distribution
  system.

9
IEEE 802.11 Architectural Models
10
Overview of IEEE 802.11 Security

• The most common security objectives for WLANs are
  as follows
• Confidentialityensure that communication cannot
  be read by unauthorized parties
• Integritydetect any intentional or
  unintentional changes to data that occur in
  transit
• Availabilityensure that devices and individuals
  can access a network and its resources whenever
  needed
• Access Controlrestrict the rights of devices or
  individuals to access a network or resources
  within a network.

11
Major Threats against LAN Security
12
Taxonomy for Pre-RSN and RSN Security
13
802.11 Station Authentication
1. Client broadcasts a probe request frame on
every channel 2. Access points within range
respond with a probe response frame 3. The client
decides which access point (AP) is the best for
access and sends an authentication request 4.
The access point will send an authentication
reply 5. Upon successful authentication, the
client will send an association request frame
to the access point 6. The access point will
reply with an association response 7. The client
is now able to pass traffic to the access point
14
Probe Request Frame
15
Access Control and Authentication

• The original IEEE 802.11 specification defines
  two means to validate the identities of wireless
  devices attempting to gain access to a WLAN
• open system authentication and
• shared key authentication.

16
Open system authentication

• Open system authentication is effectively a null
  authentication mechanism that does not provide
  true identity verification. In practice, a STA is
  authenticated to an AP simply by providing the
  following information
• Service Set Identifier (SSID) for the AP. The
  SSID is a name assigned to a WLAN it allows STAs
  to distinguish one WLAN from another. SSIDs are
  broadcast in plaintext in wireless
  communications, so an eavesdropper can easily
  learn the SSID for a WLAN.
• Media Access Control (MAC) address for the STA.
  Many implementations of IEEE 802.11 allow
  administrators to specify a list of authorized
  MAC addresses the AP will permit devices with
  those MAC addresses only to use the WLAN. This is
  known as MAC address filtering. Unfortunately,
  almost all WLAN adapters allow applications to
  set the MAC address, so it is relatively trivial
  to spoof a MAC address, meaning attackers can
  gain unauthorized access easily.

17
Open Authentication with Differing WEP Keys
18
Shared key authentication

• As the name implies, shared key authentication is
  based on a secret cryptographic key known as a
  Wired Equivalent Privacy (WEP) key this key is
  shared by legitimate STAs and APs.

19
Shared key authentication

• Shared key authentication is still weak because
• AP is not authenticated to the STA, so there is
  no assurance that the STA is communicating with a
  legitimate AP
• Challenge-response process can be compromised by
  methods such as man-in-the-middle attacks and
  off-line brute force or dictionary attacks.
• All devices on a WLAN use the same WEP key or the
  same small set of keys
• Does not specify any support for key management.

20
Encryption

• The WEP protocol, part of the IEEE 802.11
  standard, uses the RC4 stream cipher algorithm to
  encrypt wireless communications, which protects
  their contents from disclosure to eavesdroppers.
• The standard for WEP specifies support for a
  40-bit WEP key only however, many vendors offer
  non-standard extensions to WEP that support key
  lengths of up to 104 bits.
• WEP also uses a 24-bit value known as an
  initialization vector (IV) as a seed value for
  initializing the cryptographic key stream. For
  example, a 104-bit WEP key with a 24-bit IV
  becomes a 128-bit RC4 key.

21
WEP Encryption and Its Weaknesses

• With ECB (Electronic Code Book) mode encryption,
  the same plain-text input always generates the
  same cipher-text output.
• There are two encryption techniques to overcome
  this issue
• Initialization vectors
• Feedback modes
• An initialization vector (IV) is used to alter
  the key stream. The IV is a numeric value that is
  concatenated to the base key before the key
  stream is generated. Every time the IV changes,
  so does the key stream.
• Feedback modes are generally used with block
  ciphers, and the most common feedback mode is
  known as cipher block chaining (CBC) mode.

22
WEP Privacy Using RC4 Algorithm
23
Encryption

• Most attacks against WEP encryption have been
  based on IV-related vulnerabilities. For example,
  the IV portion of the RC4 key is sent in
  cleartext, which allows an eavesdropper that
  monitors and analyzes a relatively small amount
  of network traffic to recover the key by taking
  advantage of the IV value knowledge, the
  relatively small 24-bit IV key space, and a
  weakness in the way WEP implements the RC4
  algorithm.

24
Vulnerability of Shared Key Authentication
25
Initialization Vector Replay Attacks

• A known plain-text message is sent to an
  observable wireless LAN client (an e-mail
  message)
• The network attacker will sniff the wireless LAN
  looking for the predicted cipher text
• The network attacker will find the known frame
  and derive the key stream
• The network attacker can grow the key stream
  using the same IV/WEP key pair as the observed
  frame
• This attack is based on the knowledge that
  the IV and base WEP key can be reused or replayed
  repeatedly to generate a key stream large enough
  to subvert the network.

26
Initialization Vector Replay Attacks

• The network attacker can build a frame one byte
  larger than the known key stream size an
  Internet Control Message Protocol (ICMP) echo
  frame is ideal because the access point solicits
  a response
• The network attacker then augments the key stream
  by one byte
• The additional byte is guessed because only 256
  possible values are possible
• When the network attacker guesses the correct
  value, the expected response is received in this
  example, the ICMP echo reply message
• The process is repeated until the desired key
  stream length is obtained

27
Bit-Flipping Attack
28
Bit-Flipping Attack
29
CBC Mode Block Cipher
30
VPN WLAN Design
31
WEP Cracking Tools

• Airsnort (airsnort.schmoo.com)
• WepAttack (wepattack.sourcefourge.net)
• WEPCrack (sourceforge.net/projects/wepcrack)
• Weplab (sourceforge.net/projects/weplab)
• Aircrack (www.aircrack-ng.org)

32
Typical Security Incidents

• Unauthorized association and snooping
• Access Point Intrusion
• Intrusion attempts (WLAN and Wired Network)
• Loss of confidential data
• Data Capture and Replay Attacks
• Bandwidth Theft
• Unauthorized Rogue Access Points
• Wireless clients associate with wrong access
  point (Fake Access Points)

33
Step 1 Security Policy Review

• Wireless LAN treated as external network
• Approval for wireless infrastructure and clients
• Security Architecture and Design Review
• Access Point Configuration Standards
• Authentication and Encryption Baseline
• Logging, Monitoring, Intrusion Detection
• Wireless Vulnerability Assessment

34
Step 2 Architecture Assessment

• Security Architecture and Design
• Network segmentation control (firewall)
• Secure configuration of Access Points
• VPN (IPsec or SSL)
• Authentication of wireless clients
• Encryption of wireless traffic
• Logging, and monitoring wireless security logs

35
Step 3 Risk Assessment

• Document Wireless Architecture,
  Components,Security Configuration
• Threat Assessment
• Vulnerability Assessment
• Controls Assessment
• Assess Risk
• Control Recommendations

36
Vulnerability Assessment

• Wireless Assessment Toolkit
• Linux-based toolkits
• Knoppix (knoppix.net)
• Nmap Nessus (testing from wired LAN)
• Tools
• Network Discovery
• WEP/WPA Cracking Tools
• Packet Capture Tools
• Known exploit code

37
Network Discovery

• Laptop / PDA
• Wireless network card
• Network Discovery Tools
• Kismet
• NetStumbler
• Ministumbler
• Antenna
• GPS Unit

38
Rogue Access Pointdetection

• Tools / Solutions
• Airmagnet (www.airmagnet.com)
• Retina WiFi Scanner (www.eeye.com)
• Kismet (www.kismetwireless.net)
• Pocketwarrior (www.pocketwarrior.org)
• WiFiFoFum (www.aspecto-software.com)

39
Step 4 AP Configuration Review

• Access Point Configuration
• telnet, http, snmp
• default authentication
• SSID Configuration
• Authentication Encryption Setup
• Logging Enabled

40
Step 5 Authentication Encryption

• WPA
• Subset of 802.11i
• ConfidentialityTKIP
• Authentication - Per-user or Pre-shared key
• Integrity Mechanisms
• 802.11i (WPA2)
• Addresses the main problems of WEP and Shared-Key
  Authentication
• Temporal Key Integrity Protocol (TKIP)
• Message Integrity Control Michael
• AES Encryption replacement for RC4
• 802.1x
• Framework to control port access between devices,
  AP, and servers
• Not specific to 802.11 networks
• Uses dynamic keys instead of the WEP
  authentication static key

41
Wi-Fi Alliance Certification Programs

• The Wi-Fi Alliance began conducting
  interoperability testing in April 2000 and has
  since awarded its Wi-Fi CERTIFIED label to over
  2,500 WLAN products. Product categories include
  access points and a wide variety of clients.
• Three basic types of certifications radio
  standards, network security, and multimedia
  content support.
• The Wi-Fi Alliance also manages a licensing
  program for Wi-Fi providers called Wi-Fi Zone.
  Organizations participating in the program agree
  to use Wi-Fi CERTIFIEDTM products only and adhere
  to certain service standards.

42
Wi-Fi Alliance

• The Wi-Fi Alliance introduced WPA in early 2003
  to address serious vulnerabilities inherent in
  WEP, which was the only available IEEE 802.11
  security protection at that time. WPA is
  essentially a subset of IEEE 802.11i that
  provides a solution to WEPs major problems. To
  accomplish this protection, WPA leverages the
  following core security features from IEEE
  802.11i
• IEEE 802.1X and EAP authentication
• Key generation and distribution based on the IEEE
  802.11i 4-Way Handshake
• TKIP mechanisms including
• Encapsulation and decapsulation
• Replay protection
• Michael MIC integrity protection.

43
Brief Overview of IEEE 802.11i Security

• IEEE 802.11i references the Extensible
  Authentication Protocol (EAP) standard, which is
  a means for providing mutual authentication
  between STAs and the WLAN infrastructure, as well
  as performing automatic cryptographic key
  distribution.
• IEEE 802.11i also uses some techniques derived
  from the Internet Protocol Security (IPsec)
  standard, such as generating cryptographic
  checksums through hash message authentication
  codes (HMAC).

44
802.1X Layers
EAP SIMGSM SIM Authentication
45
802.1X Ports

• 802.1X requires three entities
• The supplicantResides on the wireless LAN
  client
• The authenticatorResides on the access point
• The authentication serverResides on the RADIUS
  server
• IEEE 802.1X defines IEEE 802 encapsulation of EAP
  messages
• EAP over LAN (EAPOL) messages

46
802.1X and EAP Message Flow
47
EAP

• EAP supports a wide variety of authentication
  methods (rfc3748), also called EAP methods. These
  methods include authentication based on
  passwords, certificates, smart cards, and tokens.
  
• EAP methods can also include combinations of
  authentication techniques, such as a certificate
  followed by a password, or the option of using
  either a smart card or a token.

48
EAP methods

• The current WPA/WPA2 certified EAP methods are
• EAP-TLS (originally certified protocol)
• EAP-TTLS/MSCHAPv2
• PEAPv0/EAP-MSCHAPv2
• PEAPv1/EAP-GTC
• EAP-SIM

49
Pairwise Key Hierarchy
50
Summary of Data Confidentiality and Integrity
Protocols
51
The EAP Cisco Authentication Algorithm

• Mutual Authentication
• User-Based Authentication
• Dynamic WEP Keys
• Data Privacy with TKIP
• A message integrity check (MIC) function on all
  WEP-encrypted data frames
• Initialization vector/base key reuseThe MIC adds
  a sequence number field to the wireless frame.
  The access point will drop frames received out of
  order.
• Frame tampering/bit flippingThe MIC feature adds
  a MIC field to the wireless frame. The MIC field
  provides a frame integrity check not vulnerable
  to the same mathematical shortcomings as the ICV.
• Per-packet keying on all WEP-encrypted data
  frames

52
Per-packet keying
Cisco LEAP - password-based algorithm.
53
EAP-TLS Authentication Process
54
EAP Transport Layer Security

• TLS comprises three protocols
• Handshake protocolThe handshake protocol
  negotiates the parameters for the SSL session.
  The SSL client and server negotiate the protocol
  version, encryption algorithms, authenticate each
  another, and derive encryption keys.
• Record protocolThe record protocol facilitates
  encrypted exchanges between the SSL client and
  the server. The negotiated encryption scheme and
  encryption keys are used to provide a secure
  tunnel for application data between the SSL
  endpoints.
• Alert protocolThe alert protocol is the
  mechanism used to notify the SSL client or server
  of errors as well as session termination.

55
Protected EAP

• Protected EAP (PEAP), is EAP authentication type
  that is designed to allow hybrid authentication.
• PEAP employs server-side PKI authentication. For
  client-side authentication, PEAP can use any
  other EAP authentication type.
• Because PEAP establishes a secure tunnel via
  server-side authentication, non-mutually
  authenticating EAP types can be used for
  client-side authentication, such as EAP generic
  token card (GTC) for one-time passwords (OTP),
  and EAP MD5 for password based authentication.
• PEAP is based on server-side EAP-TLS, and it
  addresses the manageability and scalability
  shortcomings of EAP-TLS.
• Organizations can avoid the issues associated
  with installing digital certificates on every
  client machine as required by EAP-TLS and select
  the method of client authentication that best
  suits them.

56
Protected EAP
57
EAP SIM Architecture

• EAP SIM authentication is based on the
  authentication and encryption algorithms stored
  on the Global System for Mobile
• Communications (GSM) SIM, which is a Smartcard
  designed according to the specific requirements
  detailed in the GSM
• standards.
• GSM authentication is based on a
  challenge-response mechanism and employs a shared
  secret key, Ki, which is stored on the SIM and
  otherwise known only to the GSM operators
  Authentication Center (AuC).
• When a GSM SIM is given a 128-bit random
  number (RAND) as a challenge, it calculates a
  32-bit response (SRES) and a 64-bit encryption
  key (Kc) using an operator-specific confidential
  algorithm. In GSM systems, Kc is used to encrypt
  mobile phone conversations over the air
  interface.

58
EAP SIM Authentication
59
UMTS system architecture (R99)

60
UMTS and GSM Security objectives

• Problems with GSM Security
• Weak authentication and encryption algorithms
  (COMP128has a weakness allowing user
  impersonation A5 can bebroken to revealthe
  cipher key)
• Short key length (32 bits)
• No data integrity (allows certain denial of
  service attacks)
• No network authentication (false base station
  attack possible)
• Limited encryption scope (Encryption terminated
  at the base station, in clear on microwave
  links)
• Insecure key transmission (Cipher keys and
  authenticationparameters are transmitted in
  clear between and withinnetworks)

61
3G Security Features

• Mutual Authentication
• The mobile user and the serving network
  authenticate each other
• Data Integrity
• Signaling messages between the mobile station and
  RNC protected by integrity code
• Network to Network Security
• Secure communication between serving networks.
  IPsec suggested
• Wider Security Scope
• Security is based within the RNC rather than the
  base station
• Secure IMSI (International Mobile Subscriber
  Identity) Usage
• The user is assigned a temporary IMSI by the
  serving network

62
3G Security Features

• User Mobile Station Authentication
• The user and the mobile station share a secret
  key, PIN
• Secure Services
• Protect against misuse of services provided by
  the home network and the serving network
• Secure Applications
• Provide security for applications resident on
  mobile station
• Fraud Detection
• Mechanisms to combating fraud in roaming
  situations
• Flexibility
• Security features can be extended and enhanced as
  required by new threats and services

63
3G Security Features

• Visibility and Configurability
• Users are notified whether security is on and
  what level of security is available
• Multiple Cipher and Integrity Algorithms
• The user and the network negotiate and agree on
  chipher and integrity algorithms. At least one
  encryption algorithm exported on world-wide
  basis (KASUMI)
• Lawful Interception
• Mechanisms to provide authorized agencies with
  certain information about subscribers
• GSM Compatibility
• GSM subscribers roaming in 3G network are
  supported by GSM security context (vulnerable to
  false base station)

64
Authentication and Key Agreement
65
Encryption

• Signaling and user data protected from
  eavesdropping. Secret key, block cipher algorithm
  (KASUMI) uses 128 bit cipher key.
• At the mobile station and RNC (radio network
  controller)

66
Integrity Check

• Integrity and authentication of origin of
  signalling data provided. The integrity algorithm
  (KASUMI) uses 128 bit key and generates 64 bit
  message authentication code.
• At the mobile station and RNC (radio network
  controller)

67
WiMAX Overview

• Complement the existing last mile wired networks
  (i.e. xDSL, cable modem)
• Fast deployment, cost saving
• High speed data, voice and video services
• Fixed BWA, Mobile BWA

68
WiMAX Applications
69
Benefits of WiMAX

• Speed
• Faster than broadband service
• Wireless
• Not having to lay cables reduces cost
• Easier to extend to suburban and rural areas
• Broad coverage
• Much wider coverage than WiFi hotspots

70
Security Issues

• Provides subscribers with privacy across the
  fixed broadband wireless network
• Protect against unauthorized access to the data
  transport services
• Encrypt the associated service flows across the
  network.
• Implemented by encrypting connections between SS
  and BS
• Security mechanisms
• Authentication
• Access control
• Message encryption
• Message modification detection (Integrity)
• Message replay protection
• Key management
• Key generation, key transport, key protection,
  Key derivation, Key usage

71
Security Association

• Data SA
• 16-bit SA identifier
• Cipher to protect data DES-CBC
• 2 TEK
• TEK key identifier (2-bit)
• TEK lifetime
• 64-bit IV

• Authorization SA
• X.509 certificate ? SS
• 160-bit authorization key (AK)
• 4-bit AK identification tag
• Lifetime of AK
• KEK for distribution of TEK
• Truncate-128(SHA1(((AK 044) xor 5364)
• Downlink HMAC key
• SHA1((AK044) xor 3A64)
• Uplink HMAC key
• SHA1((AK044) xor 5C64)
• A list of authorized data SAs

72
IEEE 802.16 Security Process
73
Authentication
SS ?BS Cert(Manufacturer(SS)) SS ?BS Cert(SS)
Capabilities SAID BS ?SS RSA-Encrypt(PubKey(SS)
, AK) Lifetime SeqNo SAIDList
74
Key Derivation

• KEK Truncate-128(SHA1(((AK 044) xor 5364)

• Downlink HMAC key SHA1((AK044) xor 3A64)
• Uplink HMAC key SHA1((AK044) xor 5C64)

75
Data Key Exchange
76
Data Key Exchange

• Traffic Encryption Key (TEK)
• TEK is generated by BS randomly
• TEK is encrypted with
• Triple-DES (use 128 bits KEK)
• RSA (use SSs public key)
• AES (use 128 bits KEK)
• Key Exchange message is authenticated by
  HMAC-SHA1 (provides Message Integrity and AK
  confirmation)

77
Data Encryption
78
Data Encryption

• Encrypt only data message not management message
• DES in CBC Mode
• 56 bit DES key (TEK)
• No Message Integrity Detection
• No Replay Protection

79
Key Management

• Message 1
• BS ?SS SeqNo SAID HMAC(1)
• Message 2
• SS ?BS SeqNo SAID HMAC(2)
• Message 3
• BS ?SS SeqNo SAID OldTEK NewTEK HMAC(3)
• M1 to rekey a data SA, or create a new SA
• TEK encrypted with Triple-DES-ECB

80
IEEE 802.16 Security Flaws

• Lack of Explicit Definitions
• Authorization SA not explicitly defined
• SA instances not distinguished open to replay
  attacks
• Solution Need to add nonces from BS and SS to
  the authorization SA
• Data SA treats 2-bit key as circular buffer
• Attacker can interject reused TEKs
• SAID 2 bits ? at least 12 bits (AK lasts 70 days
  while TEK lasts for 30 minutes)
• TEKs need expiration due to DES-CBC mode
• Determine the period 802.16 can safely produce
  232 64-bit blocks only.

81
IEEE 802.16 Security Flaws

• Need for mutual authentication
• Authentication is one way
• BS authenticates SS
• No way for SS to authenticate BS
• Rouge BS ? possible because all information's are
  public
• Possible enhancement BS certificate
• SS?BS Cert (Manufacturer)
• SS?BS SS-Rand Cert(SS) Capabilities SAID
• BS?SS BS-Rand SS-Rand E(Pub(SS),AK)
  Lifetime Seq No SAID Cert (BS) Sig (BS)

82
IEEE 802.16 Security Flaws

• Authentication Key (AK) generation
• BS generates AK
• No contribution from SS
• SS must trust BS for the generation of AK
• AK HMAC-SHA1(contribution from SS contribution
  from BS)
• AK HMAC-SHA1(pre-AK, SS-Random BS-Random
  SS-MAC-Addr BS-MAC-Addr 160)

83
IEEE 802.16 Security Flaws

• Key management
• TEK sequence space (2-bit sequence )
• Replay attack can force reuse of TEK/IV
• Increase it to 12-bit
• No specification on the generation of TEK and
  therefore TEKs are random
• No TEK freshness assurance
• Message 1
• BS ? SS SS-Random BS-Random SeqNo12 SAID
  HMAC(1)
• Message 2
• SS ? BS SS-Random BS-Random SeqNo12 SAID
  HMAC(2)
• Message 3
• BS ?SS SS-Random BS-Random SeqNo12 SAID
  OldTEK NewTEK HMAC(3)
• Not transmit TEK, generate TEK
• TEK HMAC-SHA1(pre-TEK, SS-Random BS-Random
  SS-MAC-Addr BS-MAC-Addr SeqNo12 160)
• SS-Random BS-Random is used as an instance
  identifier

84
IEEE 802.16 Security Flaws

• Alternative Cryptographic Suite
• IEEE 802.16 used DES-CBC
• DES uses 64 bit block size
• According to studies a CBC mode using block
  cipher with n-bit block loses its security after
  operating on 2n/2 blocks with the same
  encryption key.
• So IEEE 802.16 can safely produce 232 64-bit
  blocks.
• Also IV used in DES-CBC are predictable.
• Use AES-CCM as encryption primitive
• 128 bit key (TEK)
• HMAC-SHA1
• Replay Protection using Packet Number

85
IEEE 802.16 Security Flaws

• Data protection errors
• 56-bit DES does not offer strong data
  confidentiality
• Forgeries or replies (WEP-like vulnerability)
• Writes are not prevented, read-protects only
• even w/o encryption key
• Uses a PREDICTABLE initialization vector (while
  DES-CBC requires a random IV)
• IV is the xor of the IV in SA and the PHY
  synchronization field from the most recent GMH
• Generates each per-frame IV randomly and inserts
  into the payload.
• Though increases overhead, no other choice.

86
IEEE 802.16 Security Flaws

• No data Authentication
• Encryption only prevents reading but any one
  without key can write (change the message).
• Strong MAC needs to be included in the message

87
References

• Wireless Security Reference Site
• www.wardrive.net
• Wireless Security Policies
• www.sans.org/resources/policies
• NIST Wireless Network Security (includes wireless
  security checklist)
• csrc.nist.gov/publications/drafts/draft-sp800-97.p
  df
• Wireless Security Checklists
• www.cisecurity.org
• www.sans.org/score/