Wireless LAN Security - PowerPoint PPT Presentation

Slides: 79
Provided by: itstu5

Transcript and Presenter's Notes

Title: Wireless LAN Security


1
Wireless LAN Security Vulnerabilities
and Implementing Wireless LAN Security
  • 4DWN
  • Session 7

2
Objectives - Wireless LAN Security
Vulnerabilities
  • Define information security
  • Explain the basic security protections for IEEE
    802.11 WLANs
  • List the vulnerabilities of the IEEE 802.11
    standard
  • Describe the types of wireless attacks that can
    be launched against a wireless network

3
Objectives - Implementing Wireless LAN Security
  • List wireless security solutions
  • Tell the components of the transitional security
    model
  • Describe the personal security model
  • List the components that make up the enterprise
    security model

4
Security Principles: What is Information Security?
  • Information security: Task of guarding digital
    information
  • Ensures protective measures properly implemented
  • Protects confidentiality, integrity, and
    availability (CIA) on the devices that store,
    manipulate, and transmit the information through
    products, people, and procedures

5
Security Principles: Challenges of Securing
Information
  • Trends influencing increasing difficulty in
    information security
  • Speed of attacks
  • Sophistication of attacks
  • Faster detection of weaknesses
  • Day zero attacks
  • Distributed attacks
  • The many against one approach
  • Impossible to stop attack by trying to identify
    and block source

6
Security Principles: Categories of Attackers
  • Six categories of attackers
  • Hackers
  • Not malicious; expose security flaws
  • Crackers
  • Script kiddies
  • Spies
  • Employees
  • Cyberterrorists

7
Security Principles: Categories of Attackers
(continued)
Table 8-1 Attacker profiles
8
Security Principles: Security Organizations
  • Many security organizations exist to provide
    security information, assistance, and training
  • Computer Emergency Response Team Coordination
    Center (CERT/CC)
  • Forum of Incident Response and Security Teams
    (FIRST)
  • InfraGard
  • Information Systems Security Association (ISSA)
  • National Security Institute (NSI)
  • SysAdmin, Audit, Network, Security (SANS)
    Institute

9
Basic IEEE 802.11 Security Protections
  • Data transmitted by a WLAN could be intercepted
    and viewed by an attacker
  • Important that basic wireless security
    protections be built into WLANs
  • Three categories of WLAN protections
  • Access control
  • Wired equivalent privacy (WEP)
  • Authentication
  • Some protections specified by IEEE, while others
    left to vendors

10
Access Control
  • Intended to guard availability of information
  • Wireless access control: Limit users' admission
    to AP
  • Filtering
  • Media Access Control (MAC) address filtering:
    Based on a node's unique MAC address

Figure 8-2 MAC address
11
Access Control (continued)
Figure 8-4 MAC address filtering
12
Access Control (continued)
  • MAC address filtering considered to be a basic
    means of controlling access
  • Requires pre-approved authentication
  • Difficult to provide temporary access for guest
    devices

13
Wired Equivalent Privacy (WEP)
  • Guard the confidentiality of information
  • Ensure only authorized parties can view it
  • Used in IEEE 802.11 to encrypt wireless
    transmissions
  • Scrambling

14
WEP Cryptography
  • Cryptography: Science of transforming information
    so that it is secure while being transmitted or
    stored
  • Scrambles data
  • Encryption: Transforming plaintext to ciphertext
  • Decryption: Transforming ciphertext to plaintext
  • Cipher: An encryption algorithm
  • Given a key that is used to encrypt and decrypt
    messages
  • Weak keys: Keys that are easily discovered

15
WEP Cryptography
Figure 8-5 Cryptography
16
WEP Implementation
  • IEEE 802.11 cryptography objectives
  • Efficient
  • Exportable
  • Optional
  • Reasonably strong
  • Self-synchronizing
  • WEP relies on secret key shared between a
    wireless device and the AP
  • Same key installed on device and AP
  • Private key cryptography or symmetric encryption

17
WEP Implementation
Figure 8-6 Symmetric encryption
18
WEP Implementation
  • WEP shared secret keys must be at least 40 bits
  • Most vendors use 104 bits
  • Options for creating WEP keys
  • 40-bit WEP shared secret key (5 ASCII characters
    or 10 hexadecimal characters)
  • 104-bit WEP shared secret key (13 ASCII
    characters or 16 hexadecimal characters)
  • Passphrase (16 ASCII characters)
  • APs and wireless devices can store up to four
    shared secret keys
  • Default key used for all encryption

19
WEP Implementation
Figure 8-8 Default WEP keys
20
WEP Implementation
Figure 8-9 WEP encryption process
21
WEP Implementation
  • When encrypted frame arrives at destination
  • Receiving device separates IV from ciphertext
  • Combines IV with appropriate secret key
  • Create a keystream
  • Keystream used to extract text and ICV
  • Text run through CRC
  • Ensure ICVs match and nothing lost in
    transmission
  • Generating keystream using the PRNG is based on
    the RC4 cipher algorithm
  • Stream Cipher

22
WEP Implementation
Figure 8-10 Stream cipher
23
Authentication
  • IEEE 802.11 authentication: Process in which AP
    accepts or rejects a wireless device
  • Open system authentication
  • Wireless device sends association request frame
    to AP
  • Carries info about supported data rates and
    service set identifier (SSID)
  • AP compares received SSID with the network SSID
  • If they match, wireless device authenticated

24
Authentication (continued)
  • Shared key authentication: Uses WEP keys
  • AP sends the wireless device the challenge text
  • Wireless device encrypts challenge text with its
    WEP key and returns it to the AP
  • AP decrypts returned result and compares to
    original challenge text
  • If they match, device accepted into network

25
Vulnerabilities of IEEE 802.11 Security
  • IEEE 802.11 standard's security mechanisms for
    wireless networks have fallen short of their goal
  • Vulnerabilities exist in
  • Authentication
  • Address filtering
  • WEP

26
Open System Authentication Vulnerabilities
  • Inherently weak
  • Based only on match of SSIDs
  • SSID beaconed from AP during passive scanning
  • Easy to discover
  • Vulnerabilities
  • Beaconing SSID is default mode in all APs
  • Not all APs allow beaconing to be turned off
  • Or manufacturer recommends against it
  • SSID initially transmitted in plaintext
    (unencrypted)

27
Open System Authentication Vulnerabilities
(continued)
  • Vulnerabilities (continued)
  • If an attacker cannot capture an initial
    negotiation process, can force one to occur
  • SSID can be retrieved from an authenticated
    device
  • Many users do not change default SSID
  • Several wireless tools freely available that
    allow users with no advanced knowledge of
    wireless networks to capture SSIDs

28
Open System Authentication Vulnerabilities
(continued)
Figure 8-12 Forcing the renegotiation process
29
Shared Secret Key Authentication Vulnerabilities
  • Attackers can view key on an approved wireless
    device (i.e., steal it), and then use on own
    wireless devices
  • Brute force attack: Attacker attempts to create
    every possible key combination until correct key
    found
  • Dictionary attack: Takes each word from a
    dictionary and encodes it in same way as
    passphrase
  • Compare encoded dictionary words against
    encrypted frame

30
Shared Secret Key Authentication Vulnerabilities
(continued)
  • AP sends challenge text in plaintext
  • Attacker can capture challenge text and device's
    response (encrypted text and IV)
  • Mathematically derive keystream

31
Shared Secret Key Authentication Vulnerabilities
Table 8-2 Authentication attacks
32
Address Filtering Vulnerabilities
Table 8-3 MAC address attacks
33
WEP Vulnerabilities
  • Uses 40 or 104 bit keys
  • Shorter keys easier to crack
  • WEP implementation violates cardinal rule of
    cryptography
  • Creates detectable pattern for attackers
  • APs end up repeating IVs
  • Collision: Two packets derived from same IV
  • Attacker can use info from collisions to initiate
    a keystream attack
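
The receive-side steps on slide 21, the plaintext challenge on slide 30 and the IV collision described above, as an added Python example (not code from the presentation). The key, IV and payloads are constructed, and the frame layout is simplified to IV plus ciphertext, without the key-ID byte or 802.11 headers.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 keystream for `key` (key schedule, then PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def icv(text: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(text).to_bytes(4, "little")

def wep_encrypt(key: bytes, iv: bytes, text: bytes) -> bytes:
    """Sender: 3-byte IV in the clear, then (text || ICV) XOR RC4(IV || key)."""
    body = text + icv(text)
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Receiver: split off the IV, rebuild the keystream, verify the ICV."""
    iv, cipher = frame[:3], frame[3:]
    body = xor(cipher, rc4(iv + key, len(cipher)))
    text, received_icv = body[:-4], body[-4:]
    if icv(text) != received_icv:
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return text

def keystream_from_known_text(frame: bytes, known_text: bytes) -> bytes:
    """Known plaintext XOR ciphertext gives the keystream for that IV; no key is used."""
    return xor(frame[3:], known_text + icv(known_text))

# Constructed sample values, not taken from the slides.
KEY = bytes.fromhex("0102030405")        # 40-bit shared secret
IV = b"\x00\x00\x01"
CHALLENGE = bytes(range(128))            # challenge text the AP sends in plaintext

def demo():
    """Return (keystream matches RC4, same-IV frame readable, new-IV frame readable)."""
    response = wep_encrypt(KEY, IV, CHALLENGE)            # shared key auth response
    ks = keystream_from_known_text(response, CHALLENGE)   # observer-side computation
    secret = b"constructed payload"
    same_iv = wep_encrypt(KEY, IV, secret)                # IV collision
    new_iv = wep_encrypt(KEY, b"\x00\x00\x02", secret)    # fresh IV
    return (ks == rc4(IV + KEY, len(ks)),
            xor(same_iv[3:], ks)[:len(secret)] == secret,
            xor(new_iv[3:], ks)[:len(secret)] == secret)

if __name__ == "__main__":
    print(demo())
```

The second result is why a repeated IV matters: confidentiality of every frame under that IV rests on the keystream never being exposed once, which is the dependency TKIP key mixing and CCMP remove.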

34
WEP Vulnerabilities
Figure 8-13 XOR operations
35
WEP Vulnerabilities (continued)
Figure 8-14 Capturing packets
36
WEP Vulnerabilities (continued)
  • PRNG does not create true random number
  • Pseudorandom
  • First 256 bytes of the RC4 cipher can be
    determined by bytes in the key itself

Table 8-4 WEP attacks
37
Other Wireless Attacks: Man-in-the-Middle Attack
  • Makes it seem that two computers are
    communicating with each other
  • Actually sending and receiving data with computer
    between them
  • Active or passive

Figure 8-15 Intercepting transmissions
38
Other Wireless Attacks: Man-in-the-Middle Attack
Figure 8-16 Wireless man-in-the-middle attack
39
Other Wireless Attacks: Denial of Service (DoS)
Attack
  • Standard DoS attack attempts to make a server or
    other network device unavailable by flooding it
    with requests
  • Attacking computers programmed to request, but
    not respond
  • Wireless DoS attacks are different
  • Jamming: Prevents wireless devices from
    transmitting
  • Forcing a device to continually dissociate and
    re-associate with AP

40
Wireless Security Solutions
  • IEEE 802.11a and 802.11b standards included WEP
    specification
  • Vulnerabilities quickly realized
  • Organizations implemented quick fixes
  • Did not adequately address encryption and
    authentication
  • IEEE and Wi-Fi Alliance started working on
    comprehensive solutions
  • IEEE 802.11i and Wi-Fi Protected Access (WPA)
  • Foundations of today's wireless security

41
WEP2
  • Attempted to overcome WEP limitations by adding
    two new security enhancements
  • WEP key increased to 128 bits
  • Kerberos authentication
  • User issued ticket by Kerberos server
  • Presents ticket to network for a service
  • Used to authenticate user
  • No more secure than WEP
  • Collisions still occur
  • New dictionary-based attacks available

42
Dynamic WEP
  • Solves weak IV problem by rotating keys
    frequently
  • More difficult to crack encrypted packet
  • Uses different keys for unicast and broadcast
    traffic
  • Unicast WEP key unique to each user's session
  • Dynamically generated and changed frequently
  • Broadcast WEP key must be same for all users on a
    particular subnet and AP

43
Dynamic WEP (continued)
Figure 9-1 Dynamic WEP
44
Dynamic WEP (continued)
  • Can be implemented without upgrading device
    drivers or AP firmware
  • No-cost and minimal effort to deploy
  • Does not protect against man-in-the-middle
    attacks
  • Susceptible to DoS attacks

45
IEEE 802.11i
  • Provides solid wireless security model
  • Robust security network (RSN)
  • Addresses both encryption and authentication
  • Encryption accomplished by replacing RC4 with a
    block cipher
  • Manipulates entire block of plaintext at one time
  • Block cipher used is Advanced Encryption Standard
    (AES)
  • Three step process
  • Second step consists of multiple rounds of
    encryption

46
IEEE 802.11i (continued)
Table 9-1 Time needed to break AES
47
IEEE 802.11i (continued)
  • IEEE 802.11i authentication and key management is
    accomplished by IEEE 802.1x standard
  • Implements port security
  • Blocks all traffic on port-by-port basis until
    client authenticated using credentials stored on
    authentication server
  • Key-caching: Stores information from a device on
    the network, for faster re-authentication
  • Pre-authentication: Allows a device to become
    authenticated to an AP before moving to it

48
IEEE 802.11i (continued)
Figure 9-2 IEEE 802.1x
49
Wi-Fi Protected Access (WPA)
  • Temporal Key Integrity Protocol (TKIP)
  • TKIP was the first attempt to fix WEP security
    holes.
  • Not perfect solution to 802.11's security, but
    better than WEP
  • TKIP uses RC4 encryption, same as WEP
  • WEP uses 64-bit or 128-bit keys, TKIP uses only
    128-bit keys
  • TKIP's implementation of RC4 encryption is
    stronger than WEP's
  • TKIP uses per-packet key mixing and automatic
    rekeying

50
Wi-Fi Protected Access (WPA)
  • TKIP - Per Packet Key Mixing
  • Each station is assigned a static WEP key which
    is the same for all stations (same as in WEP)
  • This key is called the temporal key
  • Each station combines this key with its six-byte
    MAC address to create an encryption key that is
    unique for each station

51
Wi-Fi Protected Access (WPA)
  • TKIP - Per Packet Key Mixing
  • TKIP also uses a six-byte IV instead of WEP's
    three-byte IV.
  • This is known as the Phase 1 intermediate key
  • In the second phase, the Phase 1 intermediate key is
    run through a simple algorithm known as the mixing
    algorithm to produce the encryption key for the
    frame (makes it hard to determine if using WEP
    or not)

52
Wi-Fi Protected Access (WPA)
  • TKIP - Automatic rekeying
  • TKIP provides a mechanism whereby a station's
    temporal key can be periodically changed.
  • This is performed every 10,000 frames
  • Rekeying ensures that
  • No station has a temporal key long enough to
    exhaust the keystream associated with that key
  • No station has a temporal key long enough for an
    attacker to crack the key
  • If an attacker does crack the key it is only good
    for the balance of the current set of 10,000
    frames

53
Wi-Fi Protected Access (WPA)
  • TKIP
  • TKIP addresses replay attacks by enforcing
    sequence number ordering on frames
  • TKIP addresses frame forgery through use of a
    message integrity checksum (MIC)
  • This is a small eight-byte additional encryption
    method that detects if the frame has been modified

54
Wi-Fi Protected Access (continued)
Figure 9-3 Message Integrity Check (MIC)
55
Wi-Fi Protected Access 2 (WPA2)
  • Second generation of WPA security
  • Based on final IEEE 802.11i standard
  • Uses AES for data encryption
  • Supports IEEE 802.1x authentication or PSK
    technology
  • Allows both AES and TKIP clients to operate in
    same WLAN

56
Summary of Wireless Security Solutions
  • Wi-Fi Alliance categorizes WPA and WPA2 by modes
    that apply to personal use and to larger
    enterprises

Figure 9-4 Security timeline
57
Summary of Wireless Security Solutions
(continued)
Table 9-2 Wi-Fi modes
Table 9-3 Wireless security solutions
58
Transitional Security Model
  • Transitional wireless implementation
  • Should be temporary
  • Until migration to stronger wireless security
    possible
  • Should implement basic level of security for a
    WLAN
  • Including authentication and encryption

59
Authentication: Shared Key Authentication
  • First and perhaps most important step
  • Uses WEP keys
  • Networks that support multiple devices should use
    all four keys
  • Same key should not be designated as default on
    each device

60
Authentication: SSID Beaconing
  • Turn off SSID beaconing by configuring APs to not
    include it
  • Beaconing the SSID is default mode for all APs
  • Good practice to use cryptic SSID
  • Should not provide any information to attackers

61
WEP Encryption
  • Although vulnerabilities exist, should be turned
    on if no other options for encryption are
    available
  • Use longest WEP key available
  • May prevent script kiddies or casual
    eavesdroppers from attacking

Table 9-4 Transitional security model
62
Personal Security Model
  • Designed for single users or small office/home
    office (SOHO) settings
  • Generally 10 or fewer wireless devices
  • Two sections
  • WPA: Older equipment
  • WPA2: Newer equipment

63
WPA Personal Security: PSK Authentication
  • Uses passphrase (PSK) that is manually entered to
    generate the encryption key
  • PSK used as seed for creating encryption keys
  • Key must be created and entered in AP and also on
    any wireless device (shared) prior to (pre)
    the devices communicating with AP

64
WPA Personal Security: TKIP Encryption
  • TKIP is a substitute for WEP encryption
  • Fits into WEP procedure with minimal change
  • Device starts with two keys
  • 128-bit temporal key
  • 64-bit MIC
  • Three major components to address
    vulnerabilities
  • MIC
  • IV sequence
  • TKIP key mixing
  • TKIP required in WPA

65
WPA Personal Security: TKIP Encryption
Figure 9-7 TKIP/MIC process
66
WPA2 Personal Security: PSK Authentication
  • PSK intended for personal and SOHO users without
    enterprise authentication server
  • Provides strong degree of authentication
    protection
  • PSK keys automatically changed (rekeyed) and
    authenticated between devices after specified
    period of time or after set number of packets
    (10K) transmitted (rekey interval)
  • Employs consistent method for creating keys
  • Uses shared secret entered at AP and devices
  • Random sequence of at least 20 characters or 24
    hexadecimal digits

67
WPA2 Personal Security: AES-CCMP Encryption
  • WPA2 personal security model encryption
    accomplished via AES
  • AES-CCMP: Encryption protocol in 802.11i
  • CCMP based on Counter Mode with CBC-MAC (CCM) of
    AES encryption algorithm
  • CCM provides data privacy
  • CBC-MAC provides data integrity and
    authentication
  • AES processes blocks of 128 bits
  • Cipher key length can be 128, 192 and 256 bits
  • Number of rounds can be 10, 12, and 14

68
WPA2 Personal Security: AES-CCMP Encryption
(continued)
  • AES encryption/decryption computationally
    intensive
  • Better to perform in hardware

Table 9-5 Personal security model
69
Enterprise Security Model
  • Most secure level of security that can be
    achieved today for wireless LANs
  • Designed for medium to large-size organizations
  • Intended for settings with an authentication server
  • Like personal security model, divided into
    sections for WPA and WPA2
  • Additional security tools available to increase
    network protection

70
WPA Enterprise Security: IEEE 802.1x
Authentication
  • Uses port-based authentication mechanisms
  • Network supporting 802.1x standard should consist
    of three elements
  • Supplicant: Wireless device which requires secure
    network access
  • Authenticator: Intermediary device accepting
    requests from supplicant
  • Can be an AP or a switch
  • Authentication Server: Accepts requests from
    authenticator, grants or denies access

71
WPA Enterprise Security: IEEE 802.1x
Authentication (continued)
Figure 9-8 802.1x protocol
72
WPA Enterprise Security: IEEE 802.1x
Authentication (continued)
  • Supplicant is software on a client implementing
    802.1x framework
  • Authentication server stores list of names and
    credentials of authorized users
  • Remote Authentication Dial-In User Service
    (RADIUS) typically used
  • Allows user profiles to be maintained in central
    database that all remote servers can share

73
WPA Enterprise Security: IEEE 802.1x
Authentication
  • 802.1x based on Extensible Authentication
    Protocol (EAP)
  • Several variations
  • EAP-Transport Layer Security (EAP-TLS)
  • Lightweight EAP (LEAP)
  • EAP-Tunneled TLS (EAP-TTLS)
  • Protected EAP (PEAP)
  • Flexible Authentication via Secure Tunneling
    (FAST)
  • Each maps to different types of user logons,
    credentials, and databases used in authentication

74
WPA Enterprise Security: TKIP Encryption
  • TKIP is a wrapper around WEP
  • Provides adequate encryption mechanism for WPA
    enterprise security
  • Dovetails into existing WEP mechanism
  • Vulnerabilities may be exposed in the future

75
WPA2 Enterprise Security: IEEE 802.1x
Authentication
  • Enterprise security model using WPA2 provides
    most secure level of authentication and
    encryption available on a WLAN
  • IEEE 802.1x is strongest type of wireless
    authentication currently available
  • Wi-Fi Alliance certifies WPA and WPA2 enterprise
    products using EAP-TLS
  • Other EAP types not tested, but should run in a WPA
    or WPA2 environment

76
WPA2 Enterprise Security: AES-CCMP Encryption
  • AES: Block cipher that uses same key for
    encryption and decryption
  • Bits encrypted in blocks of plaintext
  • Calculated independently
  • Block size of 128 bits
  • Three possible key lengths: 128, 192, and 256
    bits
  • WPA2/802.11i uses 128-bit key length
  • Includes four stages that make up one round
  • Each round is iterated 10 times

77
WPA2 Enterprise Security: AES-CCMP Encryption
(continued)
Table 9-6 Enterprise security model
78
Other Enterprise Security Tools: Virtual Private
Network (VPN)
  • Virtual private network (VPN): Uses a public,
    unsecured network as if it were a private, secured
    network
  • Two common types
  • Remote-access VPN: User-to-LAN connection used by
    remote users
  • Site-to-site VPN: Multiple sites can connect to
    other sites over Internet
  • VPN transmissions are achieved through
    communicating with endpoints