Wireless LAN Mobilitt zu Lasten der Sicherheit

1
Wireless LAN -Mobilität zu Lasten der
Sicherheit ?
IT-Zeitsprünge 2003
Prof. Dr. Ulrich Bühler Fachbereich Angewandte
Informatik Fachhochschule Fulda
ITZ Fulda, 22. Mai 2003
Session B, Vortrag 1
2
Agenda WLAN Mobilität zu Lasten der
Sicherheit ?
1 Einleitung eSociety, Bedrohungen und
WLAN 2 WLAN Standard IEEE 802.11b WEP
Protokoll, Gefährdungen und Schwachstellen 3
Weiterentwicklungen von WEP Standard 802.1x,
Standard 802.11i 4 Virtual Privat Network
Protokolle L2TP, IPSec und L2TP/IPSec 5
Zusammenfassung
3
1 Introduction eSociety
Situation

• Communication in todays information society is
  not to be imagined without IT-systems.
• Telecommunication- and computer-systems are
  increasingly growing together.
• Huge amounts of data are digitally stored,
  computed and transferred via local and public
  networks to private households, institutions,
  administrations and enterprises.

• These interconnections via networks have
  increased the dependence of enterprises and
  public administration on the availability of
  information technology without it they are not
  able to perform there tasks.
• The security of data and IT-systems is essential
  for the further development of eSociety.

4
1 Introduction eSociety
Wireless/Wireline Internet

• laptops, notebooks, personal digital assistants
  need access to LANs without having plug ins
• reduced prices for mobile devices and more
  applications
• Users demands of permanent connection to the
  Internet are increasing
• Increasing number of hot spots at airports and
  railway stations
• War-Chalking etc.

5
1 Introduction Security Threats
Security flaws in eSociety
6
1 Introduction Wireless LAN
Wireless LAN

• Wireless LAN is broadcast over the air using
  radiowaves
• Components of a subnet mobile wireless clients
  (laptops, notebooks, personal digital
  assistants), Access Point (the device that links
  wireless clients to the wired LAN or to other
  stations)
• Ad hoc Network compose of several wireless
  stations communicating each other over the air
• (Mobile Ad Hoc Net, MANET)
• Infrastructure Network wireless stations
  communicate over
• an access point (works as a hub) with other
  networking technologies
• Wireless Access of mobile devices (notebook, PDA,
  etc.) to wired LANs to use their resources, also
  to get access to the Internet
• WLAN Standard IEEE 802.11b, 1999

7
1 Introduction WLAN Security
Eavesdropper can sniff all transmitted data
between mobile client and access point
Eavesdropper can spoof packets or place a rogue
access point (masquerade)
8
2 WLAN 802.11b Wireless LAN
IEEE 802.11b Standard

• In 1999 as an extension of the previous standard
  IEEE 802.11 to define the standard for wireless
  LAN products
• describes the protection of wireless transmission
  on the data link layer of the network
• Theoretical data-transmission rate of 11 Mbps,
  frequency 2,4 GHz
• provides confidentiality by the symmetric
  encryption method RC4 (stream cipher)
• Gives two types of authentication mechanisms
  where only the access point decides which mobile
  Client can associate with it (one way
  authentication)
• Open authentication client and access point
  exchange uncoded informations, for example the
  client must know the Service Set Identifier
  (network name of the access point in the wireless
  network) of the access point
• the clients Media Access Control address (MAC)
  of the wireless netcard is stored in the MAC
  access control list (ACL) on the access point
• Shared-key authentication the access point sends
  a challenge and the client has to send back the
  encrypted challenge using the correct key the
  key must be configured by hand before

9
2 WLAN 802.11b Wireless LAN
IEEE 802.11b Standard ...

• Key management 4 pre-shared static keys between
  mobile stations and an access point no mechanism
  for key negotiation and key distribution
• Security Goals
• Confidentiality prevent the decoding of
  encrypted WLAN traffic by eavesdropper
• Data integrity prevent tampering of the
  transmitted message
• Access control deny access to the wireless
  network by unauthorized users
• Data transmission in 2 phases

10
2 WLAN 802.11b WEP Protocol
Wired Equivalent Privacy (WEP)

• Was intended to provide privacy of wireless LAN
  data streams like in wired networks
• WEP uses the symmetric stream cipher RC4 with a
  variable secret key for encryption
• Key management 4 pre-shared keys between mobile
  stations and an access point the array of 4 keys
  must be configured on each device by hand no
  central point of management and maintenance
• classic WEP specifies the use of 40-bit keys
  (former US government restriction) now 128-bit
  keys (with 24 bit initial vector and 104 bit
  pre-installed on each device) are usual at the
  moment

• Symmetric stream cipher RC4

11
2 WLAN 802.11b WEP Protocol
WEP Protocol by the Sender (Mobile Station)

• Setup
• Globally-shared array of 4 keys a key identifier
  field in each message specify the key being used
• Real secret key k is of length 104 bit since 24
  bits are public known

12
2 WLAN 802.11b WEP Protocol
WEP Protocol by the Reciever (Access Point)
Transmission over the radio link iv
(unencrypted), c (ciphertext)
13
2 WLAN 802.11b Security Vulnerabilities
Data integrity WEP checksum fails to ensure data
integrity

• CRC checksum is a special linear error correcting
  code it provides protection only against
  transmission errors and it is not sufficient to
  ensure data integrity
• We use the fact that every checksum is a linear
  function
• Man-in-the-middle-Attack attackers intercept the
  cipher c before it reach the destination replace
  c by another ciphertext and transmit it by
  spoofing the source

This shows that the new ciphertext will be
decrypted to another message with
the corresponding checksum and the attacker can
modify the message without detection through
checksum verification
14
2 WLAN 802.11b Security Vulnerabilities
Confidentiality WEP encryption fails by the risk
of keystream reuse
15
2 WLAN 802.11b Security Vulnerabilities
Access Control unauthorized users can get
access to the network
16
2 WLAN 802.11b Security Vulnerabilities
Conclusions from Security Threats

• Using MAC filters is a really weak security
  issue hardware theft
• Encryption with static WEP 128-bit keys is a
  risk even without a brute-force attack on the
  secret key an attacker can discover the plaintext
• Since the checksum is not a keyed hashfunction an
  attacker can inject his messages without
  detecting by the receiver
• Reuse of both the initial vector and the secret
  key is reality and compromise the key
• Current implementation of the algorithm RC4
  causes system flaws

We need Device-independent centralized user
authentication, key distribution, Mutual
authentication between client and access
point, Session-based dynamic keys, keyed
hashfunction, per-packet authentication
17
3 Improvements of Security Concerns
Standard IEEE 802.1x Authentication

• Is a proposed standard for centralized wireless
  LAN authentication on device independent items
  such as username, user ID and password (user
  authentication)
• Provides an authentication dialog between the
  mobile client, the access point with port-based
  network access control (uncontrolled and
  controlled slots) and an authentication server
• Principe a wireless client get access to the
  access point and hence to the network resources
  only after successful user authentication from
  the authentication server (based on user
  credentials such as username and password)
  unique port for each association at the access
  point

18
3 Improvements of Security Concerns
WLAN Security with 802.11b and 802.1x/EAP
1. Mobile Client (MC) associates with the access
point (AP) 2. AP blocks the access to the
network resources and requests an identity
(username,) from the user 3. The users
credentials are forwarded by the AP (through the
uncontrolled port) to the authentication
server (AS) to initiate the
authentication dialog between MC and AS 4. AS
(using RADIUS) and MC perform an EAP
authentication dialog (several requests and
appropriate responses) through the AP (EAP
messages between MC and AP are encapsulated
into LAN frames and between AP and AS into RADIUS
packets) 5. In case of a successful
authentication the AP enables its
controlled port to establish the unique
association with the MC (only the MC is
authenticated one way authentication) 6.
Encrypted data exchange between MC and AP (WEP
Protocol) can start
19
3 Improvements of Security Concerns
The system is already vulnerable

• Standard 802.1x requires only the authentication
  of the mobile client mutual authentication is
  optional so that rogue access points can be
  infiltrated into the WLAN
• The authentication dialog is insecure username
  and other authentication credentials will be
  passed in the clear using EAP-MD5 an attacker
  can analyse the authentication challenge and the
  appropriate hash response to detect the users
  credentials (user password)
• The system does not provide key distribution
  facilities
• key is not renewed in short intervals attackers
  try to discover two encrypted packets that use
  the same iv and since many fields of the
  packets are predictable it is possible to recover
  the plaintext (Keystream-reuse-Attack)
• The standard does not provide per-packet
  authentication, only per-packet encryption

We need Dynamic session key and fast session key
renewal, Mutual authentication, per-packet
encryption key, Keyed hashfunction for
per-packet authentication
20
3 Improvements of Security Concerns
Vendor Specific Implementations

• There are a lot of vendor specific enhanced
  security features (MS, Cisco Systems and others)
• EAP-TLS a strong authentication method based on
  public key certificates (user and machine)
• TLS (Transport Layer Security) is a security
  protocol on top of TCP (similar to SSLv3) and
  provides a confidential authentication dialog
  with data integrity and mutual authentication on
  the base of certificates currently supported
  only under Windows XP
• PKI is necessary public and private key, a
  unique certificate (CA) for each network user and
  the application server also smart card based
  authentification systems with user identification
  between the user and the mobile client (knowledge
  and possession)
• EAP-TTLS Tunnel TLS establishes a secure
  connection between the mobile client and the
  authentication server than user credentials can
  be securely exchanged and so there is no need for
  clients certificates
• Protected EAP (PEAP) uses TLS, certificate based
  authentication, competes with EAP-TTLS
• EAP-SRP Secure Remote Password (SRP) is a
  cryptographically strong authentication mechanism
  without requiring a CA it provides also a shared
  key
• Temporal Key Integrity Protocol (TKIP) derive a
  per-packet key for encryption
• Virtual Private Network (VPN) L2TP, IPSec or
  L2TP/IPSec

21
3 Improvements of Security Concerns
WLAN Authentication/Key Exchange with EAP/TLS
Authentication starts Request for Client Identity
802.1x/EAP Protocol Exchange
Access Request with User ID
EAP/TLS Protocol Exchange
Broadcast key encrypted with session key, session
parameters
Session based dynamic WEP Data Exchange
22
3 Improvements of Security Concerns
Vendor Specific Implementations ...

• Protected EAP (PEAP) uses TLS, certificate based
  authentication, competes with EAP-TTLS
• EAP-SRP Secure Remote Password (SRP) is a
  cryptographically strong authentication mechanism
  without requiring a CA it provides also a shared
  key
• Temporal Key Integrity Protocol (TKIP) derive a
  per-packet key for encryption in two phases a
  mixture of the session key with MAC address and
  the initial vector iv give the per-packet key
  for the cipher stream RC4
• Total replacement of WEP/RC4 by the Advanced
  Encryption Standard (AES, Rijndael algorithm,
  symmetric block cipher with key length of 128,
  256 bits and more), but the deployment requires
  hardware acceleration at the moment devices
  cannot support it
• There is other work in progress !

23
4 WLAN Security with VPN Principe
Virtual Private Network (VPN)

• Provides secure data transfer between two or more
  private or trusted network across shared or
  public untrusted networks like the Internet
  (bridge net)
• Emulates a point-to-point private link over an
  untrusted bridge net as a virtual private network
  (Homogenous Principe)
• The data being sent is encapsulated with a header
  to traverse the bridge net between the two tunnel
  endpoints (Tunnel Principe)
• Maintains the security conditions of the
  corporate LAN to other LANs (Branch offices,
  Partner corporations) or Remote Workers using a
  dial-up connection to the local ISP across the
  Internet

24
4 WLAN Security with VPN Tunneling
VPN Tunneling

• Encapsulation Frames or packets of a protocol to
  be securely transferred over a bridge net are
  encapsulated in an additional header (tunnel
  header) at the tunnel start point (VPN client,
  VPN-Gateway)
• Routing The tunnel header contains routing and
  security information (encryption, authentication
  parameters) such as the IP addresses of the
  tunnel start and end point
• Decapsulation Reaching the tunnel endpoint (VPN
  server) the frames are decapsulated and forwarded
  to its final destination
• Tunneling technology can be used on Layer 2
  (data-link layer with frames) or/and Layer 3
  (network layer with packets) of the OSI reference
  model
• Network Security Protocols offer different
  features and are categorized in
• Layer 2 tunneling protocol PPTP, L2TP (based on
  PPP which is used between a dial-up client and a
  NAS)
• Layer 3 tunneling protocol IPSec with IKE

25
4 WLAN Security with VPN L2TP
VPN L2TP Tunneling

• L2TP is a protocol that encapsulates PPP frames
  to be sent over IP, Frame Relay, ATM networks
  (multi-protocol support)
• It was designed for client connections to network
  access servers (NAS) and for gateway-to-gateway
  connections
• It inherits the weak PPP encryption methods (DES,
  3DES) and PPP user authentication mechanisms
  (CHAP with MD5, EAP with multiple methods, such
  as back-end server authentication and PKI)
• L2TP over IP internetworks uses UDP to send a
  series of L2TP control messages for tunnel and
  session maintenance and L2TP data packets to
  carry the encapsulated PPP frames
• The L2TP Header includes information for a
  session within the tunnel between the L2TP client
  (user computer or ISP) and the L2TP server (NAS
  or destination computer in the corporate LAN)
• The L2TP tunnel is established between the L2TP
  endpoints (the tunnel-IP-Header includes the IP
  addresses of source and destination)

26
4 WLAN Security with VPN IPSec
VPN IPSec Tunneling

• IPSec works at network layer and is transparent
  to applications
• Only IP traffic is supported (disadvantage)
• It provides security services (extensions of the
  IPv4, included in IPv6)
• traffic encryption (3DES, IDEA, AES) with fast
  session key renewal (RSA, DH, EC-DH)
• origin machine authentication (DSA, EC-DSA)
• per-packet data integrity (HMAC-SHA-96,
  HMAC-MD5-96)
• Security protocols
• Authentication Header Protocol (AH) provides data
  integrity and data origin authentication for the
  IP packet including the header
• Encapsulating Security Payload Protocol (ESP)
  provides confidentiality of the payload only and
  as an option data integrity and data origin
  authentication for the IP packet including only
  parts of the header
• Additional protocols (IKE, ISAKMP, OAKLEY) must
  be used to define the mechanisms
• for implementing the encryption algorithms, the
  methods for computing the hash value and digital
  signature and
• for the key management including key exchange and
  key renewal

27
4 WLAN Security with VPN IPSec
VPN IPSec Tunneling ...

• IPSec needs established Security Associations
  (SA) to exchange data through tunnels
• IPSec-SA defines security services that are
  provided to the packets
• IPSec-SA is unidirectional (security
  characteristics for the traffic in one direction)
  
• IPSec-SA is identified by the Security Parameter
  Index (SPI) from this the receiving device knows
  how to process the incoming packets SPI refers
  to SAD of the receiver
• For setting up bi-directional IPSec-SAs between
  the peers there must be procedures to protect
  their negotiation The Internet Key Exchange
  protocol (IKE) establishes, modifies, deletes
  and negotiates SAs using the Internet Security
  Association and Key Management protocol (ISAKMP)
  and the Oakley Key Resolution protocol (OAKLEY)
• Secure message exchanges in ISAKMP packets
  (encrypted and authenticated)
• Lifetimes for keys and automatic key refresh with
  methods provided in OAKLEY
• IKE negotiation between two peers take place in
  two phases
• Phase 1 Establishing an ISAKMP-SA (information
  on how to protect further traffic)
• with Main Mode or Aggressive Mode
• Phase 2 Establishing IPSec-SAs
• with Quick Mode

28
4 WLAN Security with VPN IPSec
29
4 WLAN Security with VPN IPSec
30
4 WLAN Security with VPN IPSec
IPSec Protocols
IPSec
Pre-requisite established Security Association
(SA)

• Data integrity
• origin authentication

• Confidentiality
• Data integrity
• origin authentication

31
4 WLAN Security with VPN L2TP/IPSec
VPN L2TP/IPSec Tunneling

• To overcome the disadvantages of L2TP and IPSec
  tunneling a combination of both is useful
• L2TP/IPSec is an implementation of the L2TP
  protocol using IPSec to protect (confidentiality
  and authentication) the L2TP traffic
• Security features controlled by a security policy
• Machine and user authentication (strong
  authentication)
• Per-packet integrity and authentication
• Strong encryption mechanisms
• Multiprotocol support

32
4 WLAN Security with VPN Features
VPN Security Features of the Network Protocols

• User/machine Authentication authenticates the
  machine or/and the user involved in
  communications
• Confidentiality encrypts every frame or packet
  of the traffic
• Data Packet Authentication provides integrity
  and authentication of data packets
• PKI Certificate Authorities can be used to
  implement encryption and authentication methods
• NAT Compatibility passes the data through NAT to
  hide the internal LAN structure or the endpoint
• Multiprotocol Support supports a variety of
  networks (IP, ATM and other)
• Multicast Support supports IP multicast traffic
  (additional to the
• IP unicast traffic)

33
5 Zusammenfassung
Wireless LAN Mobilität zu Lasten der Sicherheit
!!!

• Standard 802.11 b bietet nur Grundschutz für
  Hausgebrauch !
• WEP mit RC4 und statischen 128-bit-Schlüssel
• Statische Schlüssel häufig wechseln
• AP in geschützten Bereich
• Herstellerspezifische Verbesserungen anwenden
• RC4 mit dynamischen Schlüsselmanagement
• Paketweise Schlüsselwechsel mit Temporal Key
  Integrity Protocol (TKIP)
• Zentralisierte Authentifizierung mit
  RADIUS/802.1X
• Gegenseitige Authenfizierung von User und AP mit
  EAP-TLS
• Neuer Standard IEEE 802.11i ist Hoffnungsträger
• Verschlüsselung mit AES
• Paketweise Authentifizierung
• Dynamisches Schlüsselmanagement
• VPN ist sichere Alternative, aber aufwendig

34
Thank you for listening !
Questions ?