Security of Wireless LANs - PowerPoint PPT Presentation


1
Security of Wireless LANs
  • Naveen Kumar Santhapuri
  • 09/06/2005

2
Outline
  • Wireless LANs
  • Wireless Standards Overview
  • Wireless (In)Security
  • WEP
  • Wireless Security Goals Redefined
  • WPA
  • 802.11i RSN
  • An attack on RSN authentication
  • WDAP
  • Future wireless and security challenges

3
Introduction
  • Personal Area networks (WPAN)
  • Bluetooth, Infrared
  • Local Area networks (WLAN)
  • 802.11
  • Wide Area Networks (WWAN)
  • 802.16
  • 3G Cellular and beyond

4
WLAN Terminology and principles
Image credit: http://hit.bme.hu/mcl
5
Outline
  • Wireless LANs
  • Wireless Standards Overview
  • Wireless (In)Security
  • WEP
  • More attacks, tools
  • Wireless Security Goals Redefined
  • WPA
  • 802.11i RSN
  • An attack on RSN authentication
  • WDAP
  • Future wireless and security challenges

6
Wireless Standards Overview
7
Wireless Standards Overview
  • 802.11: 1 or 2 Mbps
  • 802.11b: 1, 2, 5.5 and 11 Mbps
  • introduced as extension to wired Ethernet
    standards
  • 802.11a: 5 GHz, 54 Mbps, less range
  • 802.11g: Combines good parts of a and b
  • 802.11i: Enhanced Security
  • 802.11e: QoS; 802.11f: IAPP; 802.11c, d, h, j
  • More to come: k, m, n, o, p, q, r, s

8
Outline
  • Wireless LANs
  • Wireless Standards Overview
  • Wireless (In)Security
  • WEP
  • Wireless Security Goals Redefined
  • WPA
  • 802.11i RSN
  • An attack on RSN authentication
  • WDAP
  • Future wireless and security challenges

9
Wireless Security Issues
  • Do not need physical access to attack
  • Sophisticated attack tools
  • Weak Security
  • Low awareness (at least 50% of wireless users do
    not turn on security features)
  • Risks
  • - Low bandwidth (in case of home users)
  • - Loss of data and privacy
  • - Monetary and reputation loss

10
Simple attacks
  • Stumbling
  • Tools to identify wireless networks
  • Beacon information
  • Netstumbler.com
  • Sniffing
  • Capture data from the wireless network which is
    passed across the air
  • Ethereal, AiroPeek

Image credit: http://www.wildpackets.com
11
Outline
  • Wireless LANs
  • Wireless Standards Overview
  • Wireless (In)Security
  • WEP
  • Wireless Security Goals Redefined
  • WPA
  • 802.11i RSN
  • An attack on RSN authentication
  • WDAP
  • Future wireless and security challenges

12
802.11 Security and goals
  • Goal was to provide the privacy achieved by a
    wired network
  • Optional Authentication and optional Encryption
  • Data Encapsulation called WEP (Wired Equivalent
    Privacy)
  • Authentication algorithm called shared key
    authentication

13
RC4 algorithm
Stream Cipher
Image credit: The Definitive Guide, O'Reilly
14
WEP Encryption
Frame layout: 802.11 Hdr | IV | Data | ICV
  • WEP Summary
  • Encryption Algorithm = RC4
  • Per-packet encryption key = 24-bit IV
    concatenated to a pre-shared key
  • WEP allows IV to be reused with any frame
  • Data integrity provided by CRC-32 of the
    plaintext data (the ICV)
  • Data and ICV are encrypted using the per-packet
    encryption key

15
802.11b Authentication
  • 802.11 Authentication Summary
  • Authentication key distributed out-of-band
  • Access Point generates a random challenge
  • Station encrypts challenge using pre-shared
    secret and responds

16
Attacks on WEP Authentication and Access Control
  • $P \oplus R = C$ and $C \oplus P = R$
  • R is a part of RC4 key stream
  • We've cipher text and plain text from 1st step of
    authentication phase
  • Use the same IV
  • Encrypt the challenge and send it!
  • Adversary gets authenticated without knowing the
    key!!
  • No encryption key yet to decipher messages
  • Access Control based on MAC is flawed

17
Attacks on WEP Confidentiality
  • IV is used along with the key stream to get a
    different encryption key each time
  • Only 16 million possibilities of IV, at 500
    frames/sec IV space gets exhausted in a few hours
  • For two messages with same IV
  • $C_1 \oplus C_2 = (P_1 \oplus K) \oplus (P_2 \oplus K) = P_1 \oplus P_2$
    Statistical attacks?
  • RC4 weak keys: weaknesses in key scheduling
    algorithm of RC4, Aug 2001
  • Direct Key attacks (brute force)
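
Added example (not from the original slides): a small offline model of the WEP encapsulation from slide 14, showing the IV-reuse identity from slide 17 and the keystream recovery from slide 16. The key, IV and messages are constructed sample values, and the function names are this example's own.

```python
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (key scheduling, then output generation)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def with_icv(data: bytes) -> bytes:
    """Append the ICV: CRC-32 of the plaintext, little-endian."""
    return data + struct.pack("<I", zlib.crc32(data))

def wep_encrypt(iv: bytes, psk: bytes, data: bytes) -> bytes:
    """(data || ICV) XOR RC4(IV || pre-shared key); the IV itself travels in clear."""
    body = with_icv(data)
    return xor(body, rc4(iv + psk, len(body)))

def wep_decrypt(iv: bytes, psk: bytes, ct: bytes):
    """Return the data if the ICV verifies, else None."""
    body = xor(ct, rc4(iv + psk, len(ct)))
    return body[:-4] if with_icv(body[:-4]) == body else None

# Constructed sample values, not taken from the slides.
PSK = bytes.fromhex("0102030405")   # 40-bit pre-shared key
IV = bytes.fromhex("00002a")        # 24-bit IV, reused on purpose

def reuse_leak(p1: bytes, p2: bytes) -> bytes:
    """Slide 17: same IV gives the same keystream K, so C1 ^ C2 == P1 ^ P2."""
    c1, c2 = wep_encrypt(IV, PSK, p1), wep_encrypt(IV, PSK, p2)
    return xor(c1, c2)[:min(len(p1), len(p2))]

def response_from_observed(chal1: bytes, resp1: bytes, chal2: bytes) -> bytes:
    """Slide 16: R = C ^ P from one observed exchange encrypts a new challenge."""
    keystream = xor(resp1, with_icv(chal1))
    return xor(with_icv(chal2), keystream)
```

Neither function is given the pre-shared key as an input to its final computation: the first result depends only on the two plaintexts, and the second only on one observed challenge/response pair under the same IV.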

18
The attacks keep coming
  • ICV is calculated using CRC, which is a linear
    method: bit changes in ICV can be predicted
  • Replay attacks
  • Key distribution and refreshing done manually
  • DoS attacks
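
Added example (not from the original slides): the CRC linearity point above, next to a keyed integrity tag that does not have the weakness. The keystream is a constructed stand-in for RC4 output, and truncated HMAC-SHA1 is swapped in here as a generic keyed MIC; it is not Michael, and all names are this example's own.

```python
import hashlib
import hmac
import struct
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(n: int) -> bytes:
    """Constructed stand-in for RC4 output; any XOR stream cipher behaves the same."""
    return hashlib.shake_256(b"constructed keystream").digest(n)

def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))

def seal_crc(data: bytes) -> bytes:
    """WEP-style protection: encrypt data || CRC-32."""
    body = data + icv(data)
    return xor(body, keystream(len(body)))

def open_crc(ct: bytes):
    body = xor(ct, keystream(len(ct)))
    return body[:-4] if icv(body[:-4]) == body[-4:] else None

def flip_crc(ct: bytes, delta: bytes) -> bytes:
    """No key needed: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(00..0), so the
    ICV change caused by flipping the bits in delta is known in advance."""
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return xor(ct, delta + icv_delta)

MIC_KEY = b"constructed integrity key"

def tag(data: bytes) -> bytes:
    """Keyed 64-bit tag; without MIC_KEY the change in the tag is unpredictable."""
    return hmac.new(MIC_KEY, data, hashlib.sha1).digest()[:8]

def seal_mic(data: bytes) -> bytes:
    body = data + tag(data)
    return xor(body, keystream(len(body)))

def open_mic(ct: bytes):
    body = xor(ct, keystream(len(ct)))
    return body[:-8] if hmac.compare_digest(body[-8:], tag(body[:-8])) else None

if __name__ == "__main__":
    m, m2 = b"PAY 0100 TO ALICE", b"PAY 9100 TO ALICE"
    print(open_crc(flip_crc(seal_crc(m), xor(m, m2))))      # accepted, altered
    print(open_mic(xor(seal_mic(m), xor(m, m2) + bytes(8))))  # None, rejected
```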

19
More attack tools
  • WEP cracking
  • AirSnort
  • WEP crack

20
COEIT Wireless VPN
Image credit: http://www.engr.sc.edu/its
21
Outline
  • Wireless LANs
  • Wireless Standards Overview
  • Wireless (In)Security
  • WEP
  • Wireless Security Goals Redefined
  • WPA
  • 802.11i RSN
  • An attack on RSN authentication
  • WDAP
  • Future wireless and security challenges

22
Wireless Security Goals Redefined
  • Robust Method for proving identity that cannot be
    spoofed
  • Do not trust the access point!
  • - Mutual Authentication
  • Key Hierarchy to localize failure: session keys,
    Master keys

23
New Security Standard
  • Mutual Authentication: Strong MAC Layer
    Authentication
  • Port Authentication: 802.1x/EAP
  • User Authentication: TLS/Kerberos
  • Strong Encryption and Integrity
  • IEEE 802.11i draft approved in June 2004
  • WPA (stop-gap arrangement): improve security
    before the actual standard gets ratified

24
Outline
  • Wireless LANs
  • Wireless Standards Overview
  • Wireless (In)Security
  • WEP
  • Wireless Security Goals Redefined
  • WPA
  • 802.11i RSN
  • An attack on RSN authentication
  • WDAP
  • Future wireless and security challenges

25
Wi-Fi Protected Access (WPA)
  • Subset of 802.11i: Transitional Security Network
    (TSN)
  • Patches to WEP
  • - Extended IV (24 to 48-bit)
  • - Integrity code calculated using Michael
  • - Per packet keying, defeating weak keys
  • Snapshot of unfinished 802.11i (TKIP + 802.1x)
  • Degrades Performance
  • Not an ideal design

26
802.1x port based Authentication
[Figure: message exchange between WS, AP and AS; labels: Associate, PMK derived]
27
Outline
  • Wireless LANs
  • Wireless Standards Overview
  • Wireless (In)Security
  • WEP
  • Wireless Security Goals Redefined
  • WPA
  • 802.11i RSN
  • An attack on RSN authentication
  • WDAP
  • Future wireless and security challenges

28
Robust Security Network
  • 3 Security Layers
  • Upper-Layer Authentication
  • 802.1x Authentication
  • 4-Way Handshake
  • AES - CCMP 128-bit
  • HMAC-MD5/SHA-1 for integrity
  • Key hierarchy

29
4-way Handshake
  • PMK Exchanged between AS and WS during 802.1x
  • AP has no knowledge of PMK
  • AP → WS: Nonce1; WS generates Nonce2 and
    session keys
  • WS → AP: Nonce2, MIC; AP generates session
    keys, verifies MIC
  • AP → WS: Nonce1, Seq, MIC
  • WS → AP: Nonce2, Seq, MIC, for
    synchronization
  • Mutual Authentication complete
  • By-product: EAPOL KEK, EAPOL KIK, AES session key
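
Added example (not from the original slides): both ends of the handshake above deriving the same session keys from the PMK and the two nonces, then checking each other's MIC. The PRF construction and its label follow the ratified 802.11i standard rather than the slides; the message bodies are simplified stand-ins for EAPOL-Key frames, and the MACs, nonces and function names are constructed. It assumes both ends hold the PMK when the handshake starts.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def session_keys(pmk, ap_mac, ws_mac, nonce1, nonce2):
    """Expand PMK + addresses + nonces into the three by-products on the slide."""
    data = (min(ap_mac, ws_mac) + max(ap_mac, ws_mac)
            + min(nonce1, nonce2) + max(nonce1, nonce2))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KIK": ptk[:16], "KEK": ptk[16:32], "AES": ptk[32:]}

def mic(kik: bytes, body: bytes) -> bytes:
    return hmac.new(kik, body, hashlib.sha1).digest()[:16]

# Constructed sample values.
AP_MAC, WS_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
NONCE1 = hashlib.sha256(b"constructed AP nonce").digest()
NONCE2 = hashlib.sha256(b"constructed WS nonce").digest()

def keys_for(pmk: bytes) -> dict:
    return session_keys(pmk, AP_MAC, WS_MAC, NONCE1, NONCE2)

def signed(pmk: bytes, body: bytes):
    """Sender side: message body plus its MIC under the sender's integrity key."""
    return body, mic(keys_for(pmk)["KIK"], body)

def accepts(pmk: bytes, body: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the MIC from the receiver's own PMK and nonces."""
    return hmac.compare_digest(tag, mic(keys_for(pmk)["KIK"], body))

def four_way(pmk_ap: bytes, pmk_ws: bytes) -> dict:
    """Report which side accepts the other after the four messages."""
    seq = (1).to_bytes(8, "big")
    # 1. AP -> WS: Nonce1 (no MIC yet; WS can now derive its session keys)
    m2 = signed(pmk_ws, b"\x02" + NONCE2)        # 2. WS -> AP: Nonce2, MIC
    m3 = signed(pmk_ap, b"\x03" + NONCE1 + seq)  # 3. AP -> WS: Nonce1, Seq, MIC
    m4 = signed(pmk_ws, b"\x04" + NONCE2 + seq)  # 4. WS -> AP: Nonce2, Seq, MIC
    return {"AP accepts WS": accepts(pmk_ap, *m2) and accepts(pmk_ap, *m4),
            "WS accepts AP": accepts(pmk_ws, *m3)}
```

The PMK never crosses the air in these messages: each side proves possession only through MICs keyed by material derived from it, which is why a mismatch fails in both directions.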

30
Outline
  • Wireless LANs
  • Wireless Standards Overview
  • Wireless (In)Security
  • WEP
  • Wireless Security Goals Redefined
  • WPA
  • 802.11i RSN
  • Not safe yet. An attack on RSN authentication
  • WDAP
  • Future wireless and security challenges

31
Attack on RSN Authentication
  • Malicious AP!? Improbable but not impossible
    (insider attack)
  • Attack due to some bias for AP in the Mutual
    Authentication mechanism
  • Malicious AP can spoof any AP in range; more
    possibilities with a mobile AP

32
Solution
  • Use an authentication mechanism which provides
    unbiased authentication
  • Idea: Authentication provided by third party (AS)?
  • Should eliminate the problem of using same
    Primary Master Key (PMK) which gave additional
    power to the AP

33
Outline
  • Wireless LANs
  • Wireless Standards Overview
  • Wireless (In)Security
  • WEP
  • Wireless Security Goals Redefined
  • WPA
  • 802.11i RSN
  • Not safe yet. An attack on RSN authentication
  • WDAP
  • Future wireless and security challenges

34
Wireless Dual Authentication Protocol
  • Third party (AS) authenticates the duo (AP and
    WS), instead of Mutual Authentication
  • No 4-way Handshake
  • Thwarts an attack by malicious AP

35
WDAP Deauthentication
  • Can be initiated either way
  • Better clean up operations
  • Thwarts DoS attacks

36
WDAP Roaming Authentication
  • Key Revocation
  • Adds strength to authentication mechanism
  • Helps in maintenance

37
Hostap Driver
  • Open source for 802.11b drivers
  • Works with the Intersil Prism Chipset 2/2.5
  • V0.1.3 supports just WEP
  • Recent version has support for TKIP and RSN

38
Network Setup
  • Two APs for Roaming
  • Authentication Server
  • One Wireless Station
  • NetGear MA311 Cards used as wireless station and
    AP
  • Used a user generated signal for roaming
  • User space program (host) which interacts with
    the driver needed for this

39
Comparison of Architecture
  • WDAP seems to have a 2-layered architecture: 3rd
    layer embedded in the 2nd one
  • No 4-way handshake
  • WDAP fits into the scheme of 802.11i
    recommendations

40
Comparison of Authentication Latencies
  • RSN phases
  • - Open Authentication and 802.1x authentication
  • - Association
  • - 4-way Handshake
  • WDAP Authentication phases
  • - Open and 802.1x authentication
  • - Association
  • Did not make use of TLS/Kerberos (common time for
    both)

41
Latency Comparison (RSN and WDAP)
42
Outline
  • Wireless LANs
  • Wireless Standards Overview
  • Wireless (In)Security
  • WEP
  • Wireless Security Goals Redefined
  • WPA
  • 802.11i RSN
  • Not safe yet. An attack on RSN authentication
  • WDAP
  • Future wireless and security challenges

43
Conclusions
  • 802.11 technology is very insecure
  • RSN is robust enough?
  • Results show that WDAP latency is almost equal to
    (slightly better than) RSN without key caching,
    and slightly worse than RSN with key caching
  • Some works show DoS attacks and Key capture
    attacks on 802.11i - even before release!!
  • Further study needed before deploying 802.11i
    compliant hardware

44
Future Wireless
  • Integration of PAN, WLAN and WWAN (mobility and
    authentication issues)
  • RFID tags (privacy issues)
  • Spychips.com
  • Blocker Tag
  • Simulates all RFIDs and acts like a jammer

Image credit: RSA Security