Wireless Security - PowerPoint PPT Presentation

Slides: 28
Provided by: Sri672

1
Wireless Security
2
Wireless Security
  • Wireless LAN protocols (IEEE 802.11)
  • Wireless Application Protocol (WAP)
  • Wireless site evaluation
  • Wireless vulnerabilities
  • Unauthorized base stations
  • Sniffing
  • Wireless security tools

3
Wired Equivalent Privacy (WEP)
  • WEP aims to provide the same level of security as
    a wired system in the following areas
  • Confidentiality
  • Access control
  • Integrity
  • P = plaintext, C = ciphertext, K = encryption
    key, R = received text
  • R = C xor K = P xor K xor K = P, and so the
    plaintext can be recovered knowing the encrypted
    text and the keystream.

4
Wireless communication security
  • 802.11b has certain security features available,
    but not a whole lot
  • Service Set Identifiers (SSIDs) are introduced to
    differentiate networks
  • Access Point (AP) names are preset by the equipment
    manufacturer. Linksys APs have the name
    "linksys" and Cisco APs have the name "tsunami".
    Since these are well known, the user must reset
    the SSIDs just like a secure password
    (non-standard name with non-standard characters,
    non-guessable)
  • APs broadcast SSIDs every few seconds in Beacon
    Frames

5
Wireless communication security
  • Two methods to establish connection with APs are
  • Shared key authentication
  • Open authentication
  • In shared key authentication, client requests
    connection with AP. AP sends a challenge string
    in clear. Client encrypts using what is known as
    Wired Equivalent Privacy (WEP) method and sends
    the encrypted string back to the AP. AP knows
    what it is expecting as encrypted string. If the
    two match, then access to communicate is granted
    by the AP.

6
Wireless communication security
  • Potential problem is that a hacker will get the
    original challenge string and the encrypted
    response from the client. Hacker can then try to
    break the encryption key. Once the key is
    broken, the WEP itself is compromised as all its
    communications can now be eavesdropped by the
    hacker.
  • In spite of lack of security, the open connection
    is a preferred secure method for AP access. Use
    end-to-end encryption instead for security.

7
Wireless communication security
  • WEP uses a 40-bit key and a separate 24-bit
    initialization vector (IV) with the 40-bit key.
    All 64 bits are used in the encryption. However,
    the IV is sent along with the encrypted text.
    The hacker will be able to see the encrypted text
    and the IV but not the original text.
  • To break the WEP key one needs to try all
    combinations of the 40-bit key with the 24-bit
    IV. The 40-bit key gives nearly a billion
    combinations, and they are within reach of
    today's computing power to mount an exhaustive
    attack.

8
Wireless communication security
  • Lucent company has proposed a 128-bit key for
    WEP, known as WEP Plus
  • The 128-bit key consists of a 104-bit encryption key
    and a 24-bit IV
  • One solution proposed by the industry is to turn
    off the broadcast of SSID. This is being
    practiced now. Users type the SSID in when
    establishing contact with AP. Industry
    recommendation is not to change the SSID
    periodically.

9
Wireless communication security
  • Another recommendation is to rotate the WEP key
    every few seconds. This was proposed by Cisco
    and is implemented by all vendors now. The idea
    is to use the previous WEP key and encrypt the
    new WEP key with it and transmit the new WEP key.
    The life of any WEP key is only a few seconds.
    Since the WEP key encryptions are sequential,
    anyone who was not listening at the beginning of the
    session will not be able to break the WEP key
    easily.

10
Default WEP Keys
  • The NetGear Access Point uses the following 4
    sequences as default keys
  • 10 11 12 13 14
  • 21 22 23 24 25
  • 31 32 33 34 35
  • 41 42 43 44 45
  • It is recommended not to use the default WEP keys

11
Wired Equivalent Privacy (WEP)
  • Suppose P1 and P2 are encrypted with the same
    keystream K
  • Let C1 = P1 xor K and C2 = P2 xor K
  • Then C1 xor C2 = P1 xor K xor P2 xor K
    = P1 xor P2
  • 802.11 cards reset the IV counter to 0 for each
    new activation and increment by 1 for each packet
    transmission
  • So initial values of the IV become predictable, even
    if it is in encrypted format

12
WEP vulnerabilities
  • Passive attack
  • Attacker observes all wireless traffic until an
    Initialization Vector (IV) collision occurs. By XORing
    two packets that use the same IV, the attacker
    obtains the XOR of the two plaintext messages.
    The resulting XOR can be used to infer data about
    the contents of the two messages

13
WEP vulnerabilities
  • Active attack
  • Attacker knows the plaintext of one encrypted
    message. Use this knowledge to construct the
    encrypted text and insert that instead
  • WEP uses RC4 encryption. It is known that RC4(X)
    xor X xor Y = RC4(Y), where X is the known message and
    RC4(X) is its encrypted message using RC4

14
WEP vulnerabilities
  • WEP uses CRC-32 for error check. However, CRC is
    designed to catch random errors and not malicious
    errors inserted by hackers. So, CRC-32 is not
    effective in WEP as a security mechanism
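
Why CRC-32 fails as an integrity check under an XOR stream cipher, shown beside a keyed MAC that does detect the same change. This is an added Python example, not part of the original presentation; the keystream is a constructed stand-in for RC4, and the payloads, MAC key and function names are assumptions.

```python
import hashlib
import hmac
import struct
import zlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(n):
    # Constructed stand-in for RC4(IV || key); any XOR stream cipher behaves the same.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed-demo-key" + struct.pack("<I", ctr)).digest()
        ctr += 1
    return out[:n]

def icv(data):
    # WEP integrity check value: CRC-32 of the plaintext, little-endian.
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_seal(plaintext):
    body = plaintext + icv(plaintext)
    return xor(body, keystream(len(body)))

def wep_open(frame):
    body = xor(frame, keystream(len(frame)))
    data, tag = body[:-4], body[-4:]
    return data, tag == icv(data)

def crc_patch(delta):
    # CRC-32 is affine: crc(P ^ D) = crc(P) ^ crc(D) ^ crc(zeros), so the ICV
    # change that matches a plaintext change D can be computed without the key.
    return delta + xor(icv(delta), icv(bytes(len(delta))))

ORIGINAL = b"setpoint=20C"        # constructed sample payloads
MODIFIED = b"setpoint=99C"
MAC_KEY = b"constructed-mac-key"  # key for the hardened comparison

def demo():
    frame = wep_seal(ORIGINAL)
    sender_mac = hmac.new(MAC_KEY, ORIGINAL, hashlib.sha256).digest()
    altered = xor(frame, crc_patch(xor(ORIGINAL, MODIFIED)))
    data, crc_ok = wep_open(altered)   # CRC-32 still verifies
    mac_ok = hmac.compare_digest(      # the keyed MAC does not
        sender_mac, hmac.new(MAC_KEY, data, hashlib.sha256).digest())
    return data, crc_ok, mac_ok

if __name__ == "__main__":
    print(demo())
```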

15
802.11 Standards
  • IEEE 802.11 standard for Wireless LAN was
    released in 1990
  • Standard calls for
  • Infrared transmission
  • Spread spectrum transmission
  • Frequency hopping
  • Direct sequence
  • Data rate was set at 1 Mbps

16
802.11 Standards
  • 802.11a was set for 5GHz band at 54 Mbps over a
    300 feet distance. Standard approved in 1999 but
    did not come to market first
  • 802.11b was set for 2.4GHz band at 11 Mbps over a
    90 feet distance. Standard approved in 1999 and
    came to market first
  • 802.11g was set for 2.54GHz band at 54 Mbps over
    a 150 feet distance. Standard approved in 2002
    and is currently in market

17
802.11 Standards
  • 802.11h was a modification of 802.11g standard
    for compatibility with European WLANs (HiperLAN).
    This standard has not been approved yet.
  • 802.11i has been proposed to fix the security
    flaws in existing 802.11 standards. This is
    still in draft form.
  • 802.11j is currently being developed as a global
    standard in the 5GHz band for interoperability
    with 802.11a

18
Wireless Application Protocol (WAP)
  • WAP is an open, global protocol designed to
    deliver information to portable devices such as
    cell phones and PDAs
  • WAP Forum was formed by Motorola, Ericsson, and
    Nokia
  • WAP 1.0 dealt with Wireless Application Protocol
    (WAP) which is HTML-lite
  • WAP communications go through a WAP gateway to
    the internet and back

19
Wireless Application Protocol (WAP)
  • WAP 2.0 was released in 2002
  • WAP 2.0 uses Wireless TLS (upgraded SSL)
  • WTLS is used for authentication
  • Since devices move from one location to another,
    in WTLS a session exists over many connections.
    This way the security parameters are negotiated
    per session and held for the duration of the
    session.
  • WTLS will be enhanced with the introduction of
    Smart Card security

20
Wireless Site Survey
  • Needs assessment of network users
  • Knowing the number of users on the WLAN
  • Site blueprint
  • Since radio waves do not penetrate all types of
    material, knowing the details of the structure is
    essential
  • Certain building materials reflect signals
  • Concrete, marble, brick, and water are difficult
    to work with while dealing with WLAN

21
Wireless Site Survey
  • Site walk-through
  • Helps identify other devices that operate in the
    same frequency band such as the ISM band
  • Identify power outlets to place the wired portion
    of the wireless LAN
  • Identify Access Point (AP) locations
  • Verify that AP locations will be able to cover
    the entire site

22
Wireless Security Tools
  • Blue Socket
  • Provides a wireless gateway solution for security
    and QoS for 802.11b and Bluetooth
  • EcuTel
  • Provides VPN security
  • Enables roaming from LAN to WLAN
  • NetMotion Wireless
  • Provides VPN security

23
Wireless Security Threats
  • AirSnort recovers encryption keys by passively
    monitoring transmissions
  • Works with 40 or 128 bit encryption keys
  • WEPCrack cracks WEP encryption keys
  • Network Stumbler provides scans of SSID, AP, and
    MAC addresses every second
  • RealSecure
  • BlackICE

27
Security Scenario to Solve
  • WLAN design involves several security assessments
    and location of Access Points. Assume that you
    have an open office space with 8000 square feet
    which is partitioned with portable walls that are
    6 feet tall. Portable walls are metal frames
    with a fabric spread. Identify parameters that
    you need to work with designing APs and the data
    rates that can be supported by these APs.
    Identify the manufacturers of APs, cost, and the
    level of security each system provides. Identify
    at least three such systems for consideration.