Wireless Security

1
Wireless Security

• You understand this material if you can
• State weaknesses of simple security methods
• Illustrate non-intuitive aspects of security
• Explain key features of WPA
• Suggest security approaches for a situation
• Are wireless LANs less secure than wired ones?

2
Simple Security

• Disabling SSID Broadcasts (Beacon frames)
• Stations need to know SSID
• Media Access Control (MAC) Authentication
• Only take calls from known addresses
• Difficult to maintain list registration process
• Not defined in 802.11
• Allowed by Access Point manufacturers
• Easily defeated by
• Sniffer programs and MAC Spoofing

3
Wired Equivalent Privacy
Media access control
Avoiding tampering

• Aims
• Confidentiality, access control, data integrity
• Works at the 802.11 MAC layer only
• Defects in WEP
• Static Encryption Key
• Most WEP networks share a key on all Mobile
  Stations AP
• No defined key management
• Keys used for too long
• Compromised keys hard to replace on big nets.
• Poor encryption approach - can be cracked
• E.g. encrypted challenge response allowed a
  plaintext attack
• Key Size is too small (40/104 bits)
• 40 bits is small

4
WEP Algorithm
Change the key to reduce attack time
Initialisation Vector
Shared Key
IV
Data
Random Bit Stream
Integrity Check Value A checksum
5
Authentication with WEP
Access Point
Mobile Station
6
WPA WiFi Protected Access

• WPA before 802.11i Security Specification
• MSs can be authorised based on passwords, PKI
  certificates or other authentication tokens

Public Key Infrastructure
RADIUS Remote Authentication Dial In User Service
de facto standard for remote authentication
Mobile Station
7
WPA Authentication

• WPA authentication uses 802.1X EAP
• MS asks AP for connection (on open 802.11X port)
• AP asks MS for identity
• MS sends identity to AP.
• AP sends the identity to the Authentication
  Server
• AS challenges MS until convinced it is valid
• Authentication Server sends Accept to AP.
• AP then opens all ports

Extensible Authorisation Protocol
Can use different authorisation methods
8
WPA1 Temporal Key Integrity Protocol

• Temporal short-lived
• Integrity can detect changes
• TKIP creates a new key for every frame
• Why?
• Has method for distributing changing keys
• Reduces risk of replay attack
• Also generates a Message Integrity Code
• Checksum based on data a secret key
• More secure than CRC32

9
WPA1 Weaknesses

• With no Authentication Server use pre-shared key
• Pre-shared key is often a password
• It has to be entered manually into devices
• Weak passwords can be broken with a dictionary
  attack
• This can make WPA as dangerous as WEP
• It uses the same encryption algorithm as WEP,
  RC4, may be breakable with increasing power.

10
IEEE 802.11i WPA2

• Works like WPA but uses CCMP not TKIP
• Similar key management
• Use stronger encryption (AES)
• Needs special encryption hardware
• Can use various authentication schemes
• E.g. Kerberos, smart cards
• Extensible Authentication Protocol
• Between suppliant authenticator
• Remote Authentication Dial-in User Service
• Between authenticator authentication service

Youll go mad if you try to remember all the
abbreviations
You need to know that its changed is more
secure
Counter Mode-Cipher Block Chaining (CBC)-Message
Authentication Code (MAC) Protocol
Hide Data Integrity Checking Tamper Protection
11
Rogue Access Points

• Avoid risk of unauthorised Access Points
• Police the radio frequencies
• Improve physical security
• Address users demand for wireless
• Ensure they dont bring in their own
• Provide proper technical support
• APs work out of the box with no security

12
Mobile Devices

• Easy to steal
• Especially PDAs, immediately remove access rights
• Encrypt Stored Data
• Virus Risks laptops usually protected but PDAs?
• Good practices
• Strong passwords
• Disable inactive ports
• Monitoring of staff
• IDS Intrusion Detection Systems

13
DMZ

• Wireless Networks can be isolated from main
  network by using a DMZ

Main Network
FireWall
14
Problems with Link-level Security

• Link level security is not enough

Application
Application
Unprotected Application data
Application Layer
Application Layer
Transport Layer
Transport Layer
IP Layer
IP Layer
IP Layer
Link Security
Link Security
Link Security
Link Layer
Link Layer
Link Layer
Physical Layer
Physical Layer
Physical Layer
Encrypted data
15
VPNs

• Virtual Private Networks
• Encryption at higher protocol levels
• Create secure network over insecure lower levels
• Can also be used with wireless networks
• IPSec at the Internet Layer
• SSL at the Transport Layer

16
IPSEC
IP Security

• Framework of open standards
• Secure communication over insecure network
• Operates at the network (IP) layer
• Software installed on all participating machines
• Services
• Data confidentiality encryption
• Data integrity check packets not altered
• Data origin authentication check the source
• Anti-replay receiver can detect reject replays

17
Summary

• What security do we need?
• Authentication, Secrecy, Tamper protection
• Threats
• Decrypt (e.g. brute force, known data attack)
• Replay messages
• Insert messages
• Methods
• Simple methods weak SSID, MAC authorisation
• WEP not secure
• WPA basically secure but shared key vulnerable