1 The evolution of WLAN Security - PowerPoint PPT Presentation

Slides: 33
Provided by: habe6

1
Presentation
Wireless network security standard
  • 1 The evolution of WLAN Security
  • 2 Basic Wireless Security Features of IEEE 802.11
  • 3 Enhanced Security Features
  • 4 Comparison of the Standards
  • 5 Conclusion and Recommendations for Wireless LAN Security
  • by Jörg Grünauer, 30.06.05
  • http://134.91.24.143/gruenauer

2
WLAN Security Standards
1 The evolution of Wireless network Security
  • 1997: the original 802.11 standard only offers
  • - SSID (Service Set Identifier)
  • - MAC filtering (Media Access Control)
  • - and WEP (Wired Equivalent Privacy)
  • 1999: several industry players formed WECA
    (Wireless Ethernet Compatibility Alliance) for
    rapid adoption of 802.11 network products.
  • 2001: Fluhrer, Mantin and Shamir identified
    some weaknesses in WEP. IEEE started Task Group i.
  • 2002: WECA was renamed to Wi-Fi

3
WLAN Security Standards
1 The evolution of Wireless network Security
  • 2003: Wi-Fi introduced Wi-Fi Protected Access (WPA).
  • - Intended as an interim solution for the
    weaknesses of WEP.
  • - Contains some parts of IEEE 802.11i.
  • 2004: WPA2 was introduced.
  • - It is based on the final IEEE 802.11i standard.
  • - Was ratified on June 25.

4
WLAN Security Standards
2 Basic Wireless Security Features of IEEE 802.11
  • 2.1 (Extended) Service Set Identity, (E)SSID
  • The name of the wireless network
  • Two variants of the SSID:
  • - ad-hoc wireless network (called IBSS, Independent
    Basic Service Set): clients without an AP use the SSID.
  • - infrastructure network (called ESS, Extended
    Service Set): includes an AP and uses the ESSID.
  • Each client should be configured with the correct
    (E)SSID.
  • APs have an "any" function: access without an SSID
    is possible
  • - the AP sends beacon frames; the SSID is broadcast
  • Weakness: the STA sends the SSID in the clear, so
    sniffing is possible.

5
WLAN Security Standards
2 Basic Wireless Security Features of IEEE 802.11
  • 2.2 User authentication
  • 802.11 defines two subtypes of authentication
    service
  • -> Open System authentication, the simplest
    algorithm.
  • - authenticates anyone who requests
    authentication.
  • - provides a NULL authentication process.

Initiator -> Responder: Authentication request
Responder -> Initiator: Authentication response
6
WLAN Security Standards
2 Basic Wireless Security Features of IEEE 802.11
  • 2.2 User authentication
  • -> Shared-Key authentication
  • - distinguishes members who know the shared key
    from members who do not.
  • - weakness: the shared-key process can be sniffed.

Initiator -> Responder: Authentication request
Responder -> Initiator: challenge text string
Initiator: WEP encryption of challenge text
Initiator -> Responder: challenge text string, encrypted with shared key
Responder: WEP decryption of encrypted text
Responder -> Initiator: positive / negative response, based on decryption result
7
WLAN Security Standards
2 Basic Wireless Security Features of IEEE 802.11
  • 2.3 MAC Filtering
  • Clients are identified by the worldwide-unique
    hexadecimal MAC address of the 802.11 NIC.
  • MAC addresses are listed in the AP.
  • Weaknesses:
  • addresses are easily sniffed by an attacker
  • - they appear in the clear, even if WEP is enabled.
  • the MAC address can be changed in software.

8
WLAN Security Standards
2 Basic Wireless Security Features of IEEE 802.11
  • 2.4 Wired Equivalent Privacy (WEP)
  • Three security goals:
  • - Access control: ensure that the communication
    partners are who they claim to be.
  • - Data integrity: ensure that packets are not
    modified in transit over the air.
  • - Confidentiality: ensure that the content of
    wireless traffic is protected from an
    eavesdropper through encryption.

9
WLAN Security Standards
2 Basic Wireless Security Features of IEEE 802.11
  • 2.4.1 Structure of WEP
  • A secret key is used to encrypt packets
  • A CRC integrity check value (ICV) checks that
    packets are not modified in transit.
  • - Compute CRC32 over the plaintext data
  • - Append the CRC to the data (data||CRC)
  • - Pick a random IV and concatenate it with the
    secret key (k||IV)
  • - Input (k||IV) into RC4 to generate a
    pseudo-random key stream
  • - Send the IV to the peer by placing it in front
    of the ciphertext
  • C = (data||CRC) xor RC4(k||IV)

10
WLAN Security Standards
2 Basic Wireless Security Features of IEEE 802.11
  • 2.4.1 RC4 in WEP
  • WEP uses the RC4 ("Ron's Code 4") pseudo-random
    generator (PRG).
  • Developed at RSA Laboratories
  • Secret key K
  • - The shared key is entered manually (it is not
    transmitted).
  • - 40 bit (the reason was US exportability) or,
    later, 104 bit
  • Initialisation vector IV
  • - Ensures different random numbers
  • - 24 bit
  • - transmitted in the clear in front of the
    ciphertext (IV||C)
  • Symmetric: the same key is used for encryption and
    decryption.
  • The key stream is independent of the plaintext.
  • Encryption and decryption are fast (10 times
    faster than DES).
  • RC4 is simple (see http://www.deadhat.com/wlancrypto/ ).

11
WLAN Security Standards
2 Basic Wireless Security Features of IEEE 802.11
  • 2.4.2 Weaknesses of WEP
  • Oct 2000: Jesse Walker of Intel published
    "Unsafe at any key size: An analysis of the WEP
    encapsulation".
  • Mar 2001: Scott Fluhrer, Itsik Mantin, Adi
    Shamir: "Attacks on RC4 and WEP", "Weaknesses in
    the Key Scheduling Algorithm of RC4"

12
WLAN Security Standards
2 Basic Wireless Security Features of IEEE 802.11
  • 2.4.2 Weaknesses in WEP
  • Keys
  • - the key length of 40 bit
  • - no key management, consequently faulty: keys
    are rarely changed
  • WEP confidentiality is insecure (IV reuse)
  • - 24-bit IV, AP with 1500 bytes/packet and
    11 Mbit/s:
  • 1500*8/(11*10^6) * 2^24 ≈ 18300 sec ≈ 5 hrs
  • C1 xor C2 = (P1 xor RC4(k,IV)) xor (P2 xor
    RC4(k,IV)) = P1 xor P2
  • Knowing C1 and C2, it is possible to get the
    two plaintexts XORed together
13
WLAN Security Standards
2 Basic Wireless Security Features of IEEE 802.11
  • 2.4.2 Weaknesses in WEP
  • WEP data integrity is insecure (CRC checksum)
  • - The attacker constructs C_new = RC4(k,IV) xor
    (M,CRC(M)) xor (D,CRC(D))
  • that will decrypt to M_new with a valid
    CRC(M_new):
  • C_new = (M_new,CRC(M_new)) xor RC4(k,IV)
  • Weak IVs
  • - Have the form (A+3, N-1, X), where A is the
    index of k, N is mostly 256 and X
  • can take nearly 60 different values
  • - Iterate over possible weak IVs over a sequence
    of data packets until the
  • RC4 key is found
  • - More details in "Weaknesses in the Key
    Scheduling Algorithm of RC4"
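
Added example (not part of the original slides): a minimal Python model of the WEP encapsulation from 2.4.1, used to check the two properties stated in 2.4.2, that a reused IV gives C1 xor C2 = P1 xor P2 and that the CRC32 ICV still verifies after a change made without the key, which is why TKIP and CCMP replace it with a keyed MIC. The key, IV, messages and function names are constructed for this example, and the frame layout is reduced to IV plus ciphertext.

```python
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP ICV: CRC-32 over the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data))

def wep_encrypt(k: bytes, iv: bytes, data: bytes) -> bytes:
    """IV || ((data || CRC) xor keystream); 802.11 seeds RC4 with IV then key."""
    body = data + icv(data)
    return iv + xor(body, rc4(iv + k, len(body)))

def wep_decrypt(k: bytes, frame: bytes):
    """Return (data, icv_ok) for a frame built by wep_encrypt."""
    iv, c = frame[:3], frame[3:]
    body = xor(c, rc4(iv + k, len(c)))
    return body[:-4], body[-4:] == icv(body[:-4])

def apply_difference(frame: bytes, d: bytes) -> bytes:
    """XOR difference d into the payload with no key and keep the ICV valid.
    CRC-32 is affine: CRC(M xor D) = CRC(M) xor CRC(D) xor CRC(00..0)."""
    patch = d + xor(icv(d), icv(bytes(len(d))))
    return frame[:3] + xor(frame[3:], patch)

# Constructed sample values, not taken from any capture.
KEY = bytes.fromhex("0102030405")              # 40-bit shared key
IV = bytes.fromhex("a1b2c3")                   # same 24-bit IV used twice
P1, P2 = b"PAY 0100 TO ALICE", b"PAY 9900 TO ALICE"

if __name__ == "__main__":
    c1, c2 = wep_encrypt(KEY, IV, P1), wep_encrypt(KEY, IV, P2)
    print("C1 xor C2 == P1 xor P2:", xor(c1[3:], c2[3:])[:len(P1)] == xor(P1, P2))
    print("modified frame:", wep_decrypt(KEY, apply_difference(c1, xor(P1, P2))))
```
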

14
WLAN Security Standards
3 Enhanced Security Features
  • 3.1 WEPplus
  • the first interim solution came from Lucent Tech.
  • Based on the observation that tools analyse the
    captured data
  • in order to calculate the shared WEP key
  • backward compatible with a software update.
  • generates IVs for RC4 without weak IVs
    appearing.
  • Idea: weak IVs are widely known, so they are
    simply skipped
  • during the encryption.
  • a collision of identical IVs can at least be
    delayed ->
  • only a slight improvement.
  • acceptable at least for home users.

15
WLAN Security Standards
3 Enhanced Security Features
  • 3.2 Wi-Fi Protected Access (WPA)
  • addresses most of WEP's weaknesses
  • needed as soon as possible!
  • interim solution for the replacement of WEP.
  • works with existing 802.11 hardware (a firmware
    update will be required)
  • is a subset of 802.11i, so forward compatible.
  • cross-vendor compatible
  • Goals:
  • - improved encryption
  • - user authentication
  • 2 modes:
  • - WPA Enterprise: TKIP/MIC, 802.1X/EAP
  • - WPA Personal: TKIP/MIC, PSK

16
WLAN Security Standards
3 Enhanced Security Features
  • 3.2.1 Wi-Fi Protected Access (WPA) Enterprise
    Mode
  • Authentication: IEEE 802.1X/EAP
  • - Central management of user credentials
  • - An AAA server is required.
  • - Uses the RADIUS protocol for AAA and key
    distribution.
  • - carries the authentication conversation
    between the STA and the RADIUS server.
  • - supports multiple authentication methods,
    based on passwords or digital certificates.
  • - Examples: TLS, TTLS: certificate-based
    methods. PEAP, LEAP: password-based methods.

17
WLAN Security Standards
3 Enhanced Security Features
  • 3.2.1 Wi-Fi Protected Access (WPA) Enterprise
    Mode
  • Encryption: TKIP
  • - Designed as a wrapper around WEP
  • - uses the same RC4 engine used by WEP
  • - includes a MIC (called Michael) at the end of
    each plaintext message
  • to ensure that messages are not spoofed.
  • Components:
  • - MIC
  • - TSC (sequence counter)
  • - Per-packet key mixing
18
WLAN Security Standards
3 Enhanced Security Features
  • 3.2.1 Wi-Fi Protected Access (WPA) Enterprise
    Mode
  • Encryption: TKIP / MIC
  • - Uses a 64-bit key
  • - Partitions packets into 32-bit blocks
  • - Applies shifts, XORs and additions to each
    32-bit block to get a 64-bit authentication tag.
  • - Michael is calculated over the data, source and
    destination address (SA / DA)
  • MIC = Michael_key(SA, DA, Plain MSDU)
  • prevents capturing, altering and resending of data
    packets

19
WLAN Security Standards
3 Enhanced Security Features
  • 3.2.1 Wi-Fi Protected Access (WPA) Enterprise
    Mode
  • Encryption: TKIP / TSC
  • - The IV is extended to 48 bits.
  • - In reality 32 bits are added to the 24 bits of
    WEP, but 8 bits are not used.
  • - It is used as a sequence counter (TSC), starts
    from 0 and is incremented by 1
  • for each MPDU.
  • - TSC1 and TSC0, the lower 16 bits of the IV, are
    the sequence number in Phase 2.
  • - TSC2-TSC5, the upper 32 bits of the IV, are
    incremented by one after the lower IV rolls over
  • and are used in Phase 1.

20
WLAN Security Standards
3 Enhanced Security Features
  • 3.2.1 Wi-Fi Protected Access (WPA) Enterprise
    Mode
  • Encryption: TKIP / Key-Mix
  • - not a simple concatenation of
  • IV to key
  • - Phase 1: 128b_res1 = Mix1(128b TK, 48bit MAC, UpperIV 32b)
  • - Ensures a unique key if clients share the same key
  • - Phase 2: 128b_perpacketkey = Mix2(res1, LowerIV 16b)
21
WLAN Security Standards
3 Enhanced Security Features
  • 3.2.1 Wi-Fi Protected Access (WPA) Enterprise
    Mode
  • Encryption: benefits of TKIP
  • - unique key to encrypt every packet; keys
    are stronger
  • - 280 trillion possible keys
  • - IV of 48-bit length reduces IV reuse
  • - IV is sent encrypted
  • - MIC replaces the CRC check
  • - upgrade of WEP hardware with firmware
    possible

22
WLAN Security Standards
3 Enhanced Security Features
  • 3.2.2 Wi-Fi Protected Access (WPA) Personal Mode
  • Encryption: TKIP
  • Authentication: pre-shared key (PSK)
  • - special mode (with no 802.1X
    infrastructure)
  • - enter a passphrase on all STAs and the AP
    (the master key is calculated)
  • - based on a four-way key handshake
  • - first pair: STA and AP exchange
    random values (nonces)
  • - second pair: AP instructs the STA to
    install the calculated key,
  • the STA confirms -> the AP does the same.
  • - configuration of the passphrase is similar to WEP.

23
WLAN Security Standards
3 Enhanced Security Features
  • 3.3 WPA2 / 802.11 Task Group i
  • WPA is/was a compromise solution, WPA2 is
    802.11i
  • 802.11i uses the concept of a Robust Security
    Network (RSN)
  • biggest difference: AES is used for encryption
  • usually AES encryption is performed in hardware
  • is enabled in two modes, like WPA:
  • - Enterprise Mode
  • - authentication: 802.1X/EAP
  • - encryption: AES-CCMP
  • - Personal Mode
  • - authentication: PSK
  • - encryption: AES-CCMP

24
WLAN Security Standards
3 Enhanced Security Features
  • 3.3.1 WPA2 / 802.11i AES-CCMP
  • AES is a symmetric-key cipher
  • has a block size of 128 bits and a key length of
    128 bits.
  • encryption includes 4 stages that make up 1 round.
  • - Each round is iterated 10, 12 or 14 times
    depending on
  • the bit size; for WPA2, 10.
  • AES uses the Counter-Mode/CBC-MAC Protocol (CCMP)
  • CCMP is a special dot11i encryption algorithm
  • CCM: combination of Cipher Block Chaining Counter
  • (CBC-CTR) and Message Authenticity Check
    (CBC-MAC)

25
WLAN Security Standards
3 Enhanced Security Features
  • 3.3.2 WPA2 / 802.11i CCMP CBC-CTR
  • CBC-CTR encryption feeds an incrementing counter
    to AES with the TK
  • and XORs the result with the plaintext to create
    the encrypted data
  • The random nonce is the IV, called the PN value
  • The Packet Number is increased by 1 after each
    encryption
  • PN length < 2^48; it is contained in the CCMP MPDU

26
WLAN Security Standards
3 Enhanced Security Features
  • 3.3.3 WPA2 / 802.11i CCMP MPDU
  • the encipher process expands the MPDU size by 16 bytes
  • 4 for the PN0-1/Key-ID field, 4 for PN2-5 and 8 for
    the MIC
  • The KeyID bit signals an extended PN of 6 bytes.

27
WLAN Security Standards
3 Enhanced Security Features
  • 3.3.4 WPA2 / 802.11i CCMP CBC-MAC (1)
  • works by taking a 128-bit block of data and
    encrypting it with the CTR
  • mechanism
  • zero padding, if the plaintext is not a multiple of
    the AES block size:
  • 16 - (fieldlength mod 16) = n zero pads
  • the computation results in a 128-bit tag value
  • CCMP truncates the tag to the most significant
    64 bits to form
  • the MIC; the others are simply discarded
  • forging this MIC: 1 in 10^19 chances

28
WLAN Security Standards
3 Enhanced Security Features
  • 3.3.4 WPA2 / 802.11i CCMP CBC-MAC (2)

29
WLAN Security Standards
3 Enhanced Security Features
  • 3.3.5 CCMP: Putting the Pieces Together
  • Benefits
  • - strong encryption
  • - provides data and header integrity
  • - provides confidentiality

30
WLAN Security Standards
4 Comparison of the standards
                   WEP               WPA                   WPA2
  Cipher           RC4               RC4                   AES
  Key Size         40 or 104 bits    104 bits per packet   128 bits encryption
  Key Life         24-bit IV         48-bit IV             48-bit IV
  Packet Key       Concatenation     Two-Phase Mix         Not Needed
  Data Integrity   CRC32             Michael MIC           CCM
  Key Management   None              802.1X/EAP/PSK        802.1X/EAP/PSK

Security Level
31
WLAN Security Standards
5 Conclusion and Recommendations for Security
  • Security is not a state, it is a continuous
    process!
  • Some hints to protect a WLAN from attack:
  • to ensure compatibility, use hardware from one
    vendor and use Wi-Fi Certified devices.
  • change the default SSID and disable SSID
    broadcasting.
  • Use MAC address authentication if you have a
    manageable number of clients and only some APs.
  • not only for enterprises: implement user
    authentication. Upgrade APs to use WPA or WPA2/802.11i.
  • enable and use WPA2 or WPA; for older hardware
    that supports WEP, enable this. Use it at least
    with 128-bit WEP.
  • change the WEP key frequently

32
WLAN Security Standards
References and Literature
  • http://www.wifi.org
  • http://standards.ieee.org/wireless
  • http://www.lancom.de (Techpaper)
  • http://www.cisco.com
  • http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy (etc.)
  • http://en.wikipedia.org/wiki/Wireles_LAN (etc.)
  • http://www.bsi.bund.de/literat/doc/wlan/wlan.pdf
  • http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
  • http://www.drizzle.com/aboba/IEEE (etc.)
  • http://www.wardrive.net/security/links (etc.)
  • http://www.cs.umd.edu/waa/wireless.html
  • William A. Arbaugh, Narendar Shankar, Justin
    Wan: "Your 802.11 Wireless Network has no
    Clothes", March 30, 2001
  • Mike Radmacher: "Sicherheits- und
    Schwachstellenanalyse entlang des
    Wireless-LAN-Protokollstacks", Diplomarbeit DII
    at the Uni-Duisburg-Essen in WS03/04
  • Sebastian Papierok: "Sicherheit in drahtlosen
    Netzwerken", Seminar at the Uni-Duisburg-Essen in
    WS04/05
  • Scott Fluhrer, Itsik Mantin, Adi Shamir:
    "Attacks on RC4 and WEP", "Weaknesses in the Key
    Scheduling Algorithm of RC4"
  • Prasad, Anand: "802.11 WLANs and IP networking:
    security, QoS, and mobility", Boston, Mass.;
    London: Artech House, 2005, ISBN 1-580-53789-8