Wireless Security - PowerPoint PPT Presentation

About This Presentation
Title:

Wireless Security

Description:

... have wireless networking at home? If yes, I'm assuming ... What is your security? WEP. WPA. Mac filtering. I consider my home network as local wireless hotspot ... – PowerPoint PPT presentation

Slides: 73
Provided by: int3

Transcript and Presenter's Notes

Title: Wireless Security


1
Wireless Security
  • 802.11 With a focus on Security
  • by Brian Lee
  • Takehiro Takahashi

2
Survey (1)
  • Do you have wireless networking at home?
  • If yes, I'm assuming that it is encrypted.
  • What is your security?
  • WEP
  • WPA
  • Mac filtering
  • I consider my home network as local wireless
    hotspot
  • Do you think your wireless network is secure?

3
Brief Overview
  • Case Study
  • Current Wireless Technology Overview
  • 802.11 a/b/g
  • WEP
  • New Wireless Security Standard
  • 802.1x
  • WPA
  • WPA2 - 802.11i

4
GOAL
  • Realize the real problem set and the solution in
    wireless security.

5
GOAL
  • Realize the real problem set and the solution in
    wireless security.
  • Exploi (cough)

6
So.. Is wireless network secure?
  • Umm kind of?
  • Why is it not secure?
  • How insecure is it?
  • Some misunderstanding
  • How can we make it secure?

7
An exercise in wireless insecurity
  • Tools used
  • Laptop w/ 802.11a/b/g card
  • GPS
  • Netstumbler
  • Aircrack (or any WEP cracking tool)
  • Ethereal
  • the car of your choice

8
Step1 Find networks to attack
  • An attacker would first use Netstumbler to drive
    around and map out active wireless networks
  • Using Netstumbler, the attacker locates a strong
    signal on the target WLAN
  • Netstumbler not only has the ability to monitor
    all active networks in the area, but it also
    integrates with a GPS to map APs

9
WarDriving
10
Step 2 Choose the network to attack
  • At this point, the attacker has chosen his
    target most likely a business
  • Netstumbler can tell you whether or not the
    network is encrypted
  • Also, start Ethereal to look for additional
    information.
  • This time.
  • Your target is GTwireless

11
Step3 Analyzing the Network
  • WLAN has no broadcasted SSID
  • Netstumbler tells me that the SSID is GTwireless
  • Multiple access points
  • Many active users
  • Open authentication method
  • WLAN is encrypted with 40bit WEP
  • WLAN is not using 802.1X (web-auth instead)

12
Step4 Cracking the WEP key
  • Attacker sets NIC drivers to Monitor Mode
  • Begins capturing packets with Airodump
  • Airodump quickly lists the available network with
    SSID and starts capturing packets.
  • After a few hours of airodump session, launch
    aircrack to start cracking!
  • WEP key for GTwireless is revealed!

13
Step5 Sniffing the network
  • Once the WEP key is cracked and the NIC is
    configured appropriately, the attacker is
    assigned an IP, and can access the WLAN
  • However, a secure proxy with an SSL enabled web
    based login prevents access to the rest of
    network and the Internet
  • Attacker begins listening to traffic with
    Ethereal

14
Step6 Sniffing continued
  • Sniffing a WLAN is very fruitful because everyone
    on the WLAN is a peer, therefore you can sniff
    every wireless client
  • Listening to connections with plain text
    protocols (in this case FTP and Telnet) to
    servers on the wired LAN yielded 2 usable logins
    within 1.5hrs

15
What was accomplished?
  • Complete access to the WLAN
  • Complete access to the wired LAN
  • Complete access to the internet
  • Access to servers on the wired LAN using the
    sniffed accounts
  • Some anonymity. Usage of Netstumbler and other
    network probing devices can be detected. Skip
    that step if possible.

16
Other possibilities
  • Instead of sniffing a valid login, the attacker
    could have exploited a known vulnerability in the
    proxy (provided there is one)
  • Attacker could have hijacked a valid user's
    session using a DoS attack against the user, and
    then assumed his MAC address and IP
  • Both ways present a greater risk for being
    noticed, something an attacker does not want

17
That's it... the network is compromised
  • Most wireless networks remain no more secure than
    this, many are less secure
  • Hundreds of businesses, schools, airports, and
    residences use wireless technology as a major
    point of access to their networks

18
Basic 802.11b Overview
  • 802.11b was IEEE approved in 1999
  • Infrastructure Mode or Ad Hoc
  • Utilizes 2.4GHz band on 15 different channels
    (only 11 in US)
  • 11Mbps shared among all users on access point
  • Cheap!!!

19
Basic 802.11g Overview
  • Faster than 802.11b (54Mbps)
  • Backward compatibility
  • Same interference problem with 802.11b

Future work
  • 802.11n
  • Over 100Mbps actual throughput??
  • Backward compatibility with a/b
  • Still trying to come up with the first draft

20
802.11 Built in Security Features
  • Service Set Identifier (SSID)
  • Differentiates one access point from another
  • SSID is broadcast in beacon frames every few
    seconds.
  • Beacon frames are in plain text!
  • First layer of security
  • Stealth Mode probe request

21
Dos and Don'ts for SSIDs
  • Default SSIDs are well known (Linksys APs
    default to linksys, CISCO defaults to tsunami,
    etc) so change them immediately.
  • Do change the settings on your AP so that it does
    not broadcast the SSID in the beacon frame.

22
Hiding the SSID
  • As stated earlier, the SSID is by default
    broadcast every few seconds.
  • Turning it off makes it harder to figure out a
    wireless connection is there
  • Reading raw packets will reveal the SSID since
    even when using WEP, the SSID is in plain text
  • Increases deployment difficulty

23
MAC address filtering
  • MAC address filtering works by only allowing
    specific hardware to connect to the AP
  • Management on large networks unfeasible
  • Using a packet sniffer, one can very easily find
    a valid MAC address and modify their OS to use
    it, even if the data is encrypted
  • May be good for small networks
  • Prevents casual hacking..

24
Associating with the AP
  • Access points have two ways of initiating
    communication with a client
  • Shared Key or Open Key authentication
  • Open key allows anyone to start a conversation
    with the AP
  • Shared Key is supposed to add an extra layer of
    security by requiring authentication info as soon
    as one associates

25
How Shared Key Auth. works
  • Client begins by sending an association request
    to the AP
  • AP responds with a challenge text (unencrypted)
  • Client, using the proper WEP key, encrypts text
    and sends it back to the AP
  • If properly encrypted, AP allows communication
    with the client

26
Is Open or Shared Key more secure?
  • Ironically enough, Open key is the answer in
    short
  • Using passive sniffing, one can gather 2 of the
    three variables needed in Shared Key
    authentication: the challenge text and the
    encrypted challenge text

27
Wired Equivalent Privacy (WEP)
  • Primary built-in security for 802.11 protocol
  • Provides Confidentiality, and Integrity.
  • Authentication ?
  • Uses 40/104-bit RC4 encryption + CRC-32
  • Unfortunately, the usage of RC4 in WEP has been
    proven insecure

28
WEP Encryption
29
64/40 and 128/104 bits confusion
  • IV (24bits)
  • Your WEP key
  • 5-ASCII char word 40bits
  • 13-ASCII char word 104bits
  • Security-wise, it's really 40 bits or 104 bits

30
Problems with WEP
  • 1 static key
  • No encryption is strong if one key is used
    forever
  • Key length is short for default settings(40bits)
  • Brute forcing is possible
  • Using CRC32 in ICV
  • Bit flipping attack: CRC(M XOR delta) = CRC(M)
    XOR CRC(delta)
  • Bits cannot be set or cleared directly, but can be
    flipped
  • No specification on key distribution
  • Lacks scalability
  • No protection against replay attack
  • Improper RC4 implementation
  • Protocol doesn't actually specify how the IV is used
  • 2 existing attacks
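The bit-flipping bullet above is the reason a CRC can never serve as an integrity check under a stream cipher. The following added example (not part of the slides; the stream cipher is a constructed random keystream standing in for RC4, and the hardened variant uses HMAC-SHA256, which WEP never had) shows the CRC-32 identity in code: the ICV correction for a chosen delta depends only on the delta, so a modified ciphertext still decrypts with a valid ICV, while a keyed MAC rejects the same modification.

```python
import hashlib
import hmac
import os
import zlib


def crc32_icv(data: bytes) -> bytes:
    """WEP-style integrity check value: plain CRC-32 over the payload."""
    return zlib.crc32(data).to_bytes(4, "little")


def crc_delta(delta: bytes) -> bytes:
    """ICV correction for XORing `delta` into a message of the same length.

    CRC-32 is affine: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros), so the
    correction depends only on `delta`, never on the message or the key.
    """
    zeros = bytes(len(delta))
    return (zlib.crc32(delta) ^ zlib.crc32(zeros)).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_like_encrypt(keystream: bytes, plaintext: bytes) -> bytes:
    """Stand-in for WEP: plaintext||ICV XORed with a stream-cipher keystream."""
    body = plaintext + crc32_icv(plaintext)
    return xor(body, keystream[: len(body)])


def wep_like_decrypt(keystream: bytes, ciphertext: bytes):
    """Return (plaintext, icv_ok) for a CRC-protected frame."""
    body = xor(ciphertext, keystream[: len(ciphertext)])
    plaintext, icv = body[:-4], body[-4:]
    return plaintext, icv == crc32_icv(plaintext)


def flip_bits_blind(ciphertext: bytes, delta: bytes) -> bytes:
    """Turn the decrypted payload into plaintext ^ delta and keep the CRC ICV
    valid, using nothing but the delta (no keystream, no plaintext)."""
    return xor(ciphertext, delta + crc_delta(delta))


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed MAC used by the hardened variant (32-byte tag)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def demonstrate(plaintext: bytes, delta: bytes) -> dict:
    """Apply the same blind modification to a CRC-protected frame and to a
    MAC-protected frame; report what the receiver sees in each case."""
    # Constructed keystream standing in for RC4 output; long enough for both frames.
    keystream = os.urandom(len(plaintext) + 4 + 32)

    # Weak: CRC-32 ICV under a stream cipher.
    tampered = flip_bits_blind(wep_like_encrypt(keystream, plaintext), delta)
    recovered, icv_ok = wep_like_decrypt(keystream, tampered)

    # Hardened: keyed MAC (receiver shares mac_key, the attacker does not).
    mac_key = os.urandom(32)
    body = plaintext + hmac_tag(mac_key, plaintext)
    ciphertext = xor(body, keystream[: len(body)])
    tampered_mac = xor(ciphertext, delta + bytes(32))  # same payload flip
    body2 = xor(tampered_mac, keystream[: len(tampered_mac)])
    pt2, tag2 = body2[:-32], body2[-32:]
    mac_ok = hmac.compare_digest(tag2, hmac_tag(mac_key, pt2))

    return {"crc_payload": recovered, "crc_icv_ok": icv_ok, "mac_ok": mac_ok}
```

The receiver in the CRC case accepts the altered payload as genuine; this is why TKIP had to add Michael and why 802.11i moved to CCMP, both of which are keyed and so cannot be corrected by a key-independent delta.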

31
Numerical Limitation Attack
  • IVs are only 24bit, and thus there are only
    16,777,216 possible IVs
  • A busy network will repeat IVs often
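How often a 24-bit IV repeats is a birthday-bound question, and the answer is what makes the "busy network" remark concrete. The example below is added here and is not from the slides; it computes the probability of an IV repeat after a given number of frames, the number of frames at which a repeat becomes more likely than not, and the time to exhaust the whole IV space at an assumed frame rate. It also runs the same numbers for the 48-bit space that TKIP later introduces (slide 60), which the Numerical Limitation slide does not itself do. The 500 frames/second figure is an assumption chosen for illustration.

```python
import math


def iv_repeat_probability(packets: int, iv_bits: int = 24) -> float:
    """Probability that at least two of `packets` uniformly random IVs drawn
    from a space of 2**iv_bits values coincide (exact birthday product,
    accumulated in log space to avoid underflow)."""
    space = 2 ** iv_bits
    log_no_repeat = 0.0
    for i in range(packets):
        log_no_repeat += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_repeat)


def packets_for_half_chance(iv_bits: int = 24) -> int:
    """Frames after which a repeated IV is more likely than not:
    approximately sqrt(2 * N * ln 2) for a space of N values."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(2)))


def hours_to_exhaust(iv_bits: int, packets_per_second: float) -> float:
    """Wall-clock hours until every IV value has been used once if a sender
    walks the space sequentially at the given frame rate."""
    return 2 ** iv_bits / packets_per_second / 3600.0


if __name__ == "__main__":
    RATE = 500.0  # assumed frames per second for one busy access point
    for bits in (24, 48):
        print(f"{bits}-bit IV: P(repeat after 5000 frames) = "
              f"{iv_repeat_probability(5000, bits):.3g}, "
              f"50% repeat at {packets_for_half_chance(bits)} frames, "
              f"exhausted in {hours_to_exhaust(bits, RATE):.3g} hours at {RATE} fps")
```

Two caveats a practitioner should keep in mind: the birthday figures assume random IVs, whereas many WEP cards restarted the IV counter at zero on every reset, so collisions on a real network arrive even sooner; and a repeated IV under the same static key means the same RC4 keystream, which is exactly the condition the keystream-reuse attacks need. The 48-bit comparison shows why TKIP's expansion, plus its mandatory IV sequencing, removes this class of problem rather than merely delaying it.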

32
FMS Attack -- weak IV attack --
  • Some IVs do not work well with RC4
  • Using a formula, one can take these weak IV and
    infer parts of the WEP key
  • 5% chance of guessing correctly
  • Once again, passively monitoring the network for
    a few hours can be enough time to gather enough
    weak IVs to figure out the WEP key
  • 7M packets to decrypt 40bit WEP key
  • The time needed to deploy the attack is linearly
    proportional to the key length
  • A 104-bit key is just as useless as a 40-bit key

33
Is RC4 really vulnerable?
  • There are a few flaws but it is still considered
    safe.
  • WEP did not use RC4 properly.
  • IPSEC
  • SSL

34
Another Attack - KoreK
  • Vendors have implemented a hack
  • Another statistical analysis based attack on WEP
    key
  • Extremely fast
  • Possible with as little as 0.1M IVs
  • Traditional method requires more than 4M packets
  • Accelerate it with packet injection - ARP
  • Fast swapping of WEP key is no longer safe

35
Conclusion WEP
  • Confidentiality
  • FMS attack
  • KoreK attack
  • Integrity
  • Bit-flipping attack
  • Authentication
  • Attacks are passive and difficult to detect
  • NO MORE WEP

36
WEP.
  • Wired Equivalent Privacy
  • Well.. More like
  • What on the Earth does it Protect?

37
Virtual Private Networking (VPN)
  • Deploying a secure VPN over a wireless network
    can greatly increase the security of your data
  • Idea behind this is to treat the wireless network
    the same as an insecure wired network (the
    internet).

38
VPN is really not the greatest option.
  • Overhead
  • Deployment
  • Performance
  • susceptible to any attack against the specific VPN

Bottom Line Not practical
39
Finally. Some Solutions!
  • 802.1x (Authentication)
  • per-user authentication
  • Key distribution mechanism
  • WPA (Confidentiality, Integrity)
  • Subset of 802.11i
  • 2 forms
  • 802.1x + EAP + TKIP + MIC
  • Pre-shared Key + TKIP + MIC
  • WPA2 = 802.11i
  • WPA2 is the implementation of 802.11i
  • Usage of AES-CCMP

40
(No Transcript)
41
802.1X
  • 802.1X is a port-based, layer 2 (MAC address
    layer) authentication framework on IEEE 802
    networks.
  • Not limited or specific to 802.11 networks
  • Uses EAP for implementation
  • 802.1X is not an alternative to WEP, it works
    along with the 802.11 protocol to manage
    authentication for WLAN clients

42
How authentication takes place
  • A client requests access to the AP
  • The AP asks for a set of credentials
  • The client sends the credentials to the AP which
    forwards them to authenticating server
  • The exact method for supplying credentials is not
    defined in 802.1X itself

43
802.1x authentication
44
Extensible Authentication Protocol (EAP)
  • 802.1X utilizes EAP for its authentication
    framework
  • flexible one time passwords, certificates,
    smartcards, own EAP protocol, etc
  • zero per packet overhead
  • cost efficient
  • 802.1X integrates well with other open standards
    such as RADIUS
  • RADIUS is de-facto

45
more benefits of choosing 802.1X
  • Software upgrade
  • Access points only need a firmware upgrade to
    enable 802.1X
  • On the client side, 802.1X can be enabled with an
    updated driver for the NIC
  • Depending on the EAP you choose, you can have a
    very secure authentication scheme!
  • Proprietary versions of dynamic key management
    available

46
Implementations
  • EAP-MD5
  • EAP-LEAP
  • EAP-TLS
  • EAP-TTLS
  • PEAP

47
EAP-MD5
  • EAP-MD5 is a simple EAP implementation
  • Uses an MD5 hash of a username and password that
    is sent to the RADIUS server
  • Authenticates only one way
  • Man in the middle attack
  • Bottom line Not recommended

48
EAP-LEAP (Cisco Wireless)
  • Like EAP-MD5, it uses a Login/Password scheme
    that it sends to the RADIUS server
  • Each user gets a dynamically generated one time
    key upon login
  • Authenticates client to AP and vice versa
  • Can be used along with RADIUS session time out
    feature, to dynamically generate keys at set
    intervals
  • Only guaranteed to work with Cisco wireless
    clients
  • Broken: ASLEAP by Joshua Wright

49
EAP-TLS by Microsoft
  • Instead of a username/password scheme, EAP-TLS
    uses certificate based authentication
  • Has dynamic one time key generation
  • Two way authentication
  • Uses TLS (Transport Layer Security) to pass the
    PKI (Public Key Infrastructure) information to
    RADIUS server
  • Compatible with many OSs
  • Harder to implement and deploy because PKI for
    clients are also required

50
PEAP by Microsoft and Cisco
  • A more elegant solution!
  • Very similar to EAP-TLS except that the client
    does not have to authenticate itself with the
    server using a certificate, instead it can use a
    login/password based scheme
  • Much easier to setup, does not necessarily
    require a PKI
  • Currently works natively with Windows XP SP1, but
    other platforms should support it soon

51
EAP Types
52
802.1x is not perfect
  • 802.1X is vulnerable to many kinds of DOS attacks
  • Spoofed packets
  • Disassociation attack
  • Flooding
  • Some EAPs are subject to man in the middle
    attacks.

53
WPA (Wi-Fi Protected Access)
  • Subset of 802.11i
  • Confidentiality
  • Fix flawed encryption mechanism
  • TKIP Per-packet dynamic key mechanism
  • Integrity
  • Upgradeability
  • Software / Firmware Upgrade

54
WPA Steps
  • Confirmation of association capability
  • PMK creation (through 802.1x)
  • 4-way handshake and PTK installation
  • GK installation
  • Encryption using TKIP

55
802.1x Authentication PMK
  • Security level can be selected
  • PMK is a seed for temporal key generation in the
    next phase
  • PMK is generated based on the user authentication
    result

56
802.1x Authentication (recap)
57
4 Way Handshake and PTK
  • PTK (512bits) splits in 4 ways
  • Part of PTK is used to generate the encryption
    key (WEP equivalent) in the next phase

58
4 Way Handshake and PTK
59
4 Way Handshake and PTK
60
TKIP (Temporal Key Integrity Protocol)
  • Expands IV space (24 → 48 bits)
  • IV sequence is specified
  • Per-packet Mixing Function
  • Michael
  • Very cheap integrity checker for MAC addresses
    and DATA

61
WPA-PSK
  • For home / SOHO use
  • Removes 802.1x authentication
  • Pre-shared Key + TKIP
  • Weak against passive dictionary attack
  • Attacks exist - brute force
  • Still much better than WEP
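The WPA Steps, 4 Way Handshake/PTK and WPA-PSK slides describe one key hierarchy, so one added example serves all three. The code below is not from the slides or from any vendor implementation; it derives the PMK the way WPA-PSK does (PBKDF2-HMAC-SHA1 over passphrase and SSID, 4096 iterations), expands it into the 512-bit PTK with the 802.11i PRF using the two MAC addresses and two nonces of the 4-way handshake, and splits the PTK into the TKIP keys (KCK, KEK, TK and the two Michael keys). The passphrase, SSID, MAC addresses and nonces are constructed values.

```python
import hashlib
import hmac


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Only the passphrase is secret; the SSID is broadcast, so the PMK's strength
    is exactly the passphrase's strength."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3,
    concatenated and truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the 4-way handshake inputs. AA/SPA are the
    AP and station MACs; ANonce/SNonce travel in messages 1 and 2 in the clear,
    so everything here except the PMK is visible to a passive observer."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk_tkip(ptk: bytes) -> dict:
    """TKIP PTK layout: 128-bit KCK (handshake MIC), 128-bit KEK (wraps the
    group key), 128-bit TK (per-packet key mixing input), two 64-bit Michael keys."""
    assert len(ptk) == 64
    return {
        "KCK": ptk[0:16],
        "KEK": ptk[16:32],
        "TK": ptk[32:48],
        "MIC_AP_TO_STA": ptk[48:56],
        "MIC_STA_TO_AP": ptk[56:64],
    }


# Constructed handshake parameters for a stand-alone run.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def session_keys(passphrase: str, ssid: str, anonce: bytes = ANONCE, snonce: bytes = SNONCE) -> dict:
    """End-to-end: passphrase + SSID -> PMK -> PTK -> TKIP key set."""
    pmk = wpa_psk_pmk(passphrase, ssid)
    return split_ptk_tkip(derive_ptk(pmk, AP_MAC, STA_MAC, anonce, snonce))


if __name__ == "__main__":
    keys = session_keys("correct horse battery staple", "ExampleNet")
    for name, k in keys.items():
        print(f"{name:14s} {k.hex()}")
```

The design point for a defender is visible in `derive_ptk`: the nonces give every session fresh keys (unlike WEP's single static key), but with PSK the only secret feeding the whole hierarchy is the passphrase, and the SSID acts as the PBKDF2 salt. That is why the slide can call WPA-PSK both "weak against passive dictionary attack" and "still much better than WEP": the per-session keys fix WEP's reuse problem, while a short or common passphrase remains the weak link, so the mitigation is a long random passphrase or, where possible, 802.1x-derived PMKs that never come from a passphrase at all.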

62
WPA2 - 802.11i
  • The long-awaited security standard for wireless,
    ratified in June 2004
  • Better encryption AES
  • CCMP
  • Key-caching (optional)
  • Pre-authentication (optional)
  • Hardware manufactured before 2002 is likely to be
    unsupported (too weak)

63
Key-Caching
  • Skips re-entering of the user credential by
    storing the host information on the network

Pre-authentication (802.11i Specific)
  • Allows client to become authenticated with an AP
    before moving to it
  • Useful in encrypted VoIP over Wi-Fi
  • → Fast Roaming

64
WPA vs. WPA2
  • For the time being, WPA will be good enough.
  • Completely backward compatible
  • Get WPA2 certified product for your next purchase

65
Things to keep in mind while deploying WLAN
  • Hide SSID
  • Do NOT use WEP
  • Use WPA-PSK with a good pass-phrase
  • or Use WPA with 802.1x if possible
  • So.

66
tinyPEAP (1)
  • A self contained PEAP enabled RADIUS server
  • Currently available in Linksys WRT54G/GS router
    and Win32 binary
  • Native Windows XP SP1 support
  • Web-based user management
  • The easiest and the most secure solution
    available in consumer level

67
tinyPEAP (2)
68
tinyPEAP (3)
69
Survey (2)
  • Ready to reconfigure your wireless network?

70
Questions?
71
Links to the tools used
  • Airsnort: http://airsnort.shmoo.com
  • Netstumbler: http://www.netstumbler.com
  • Ethereal: http://www.ethereal.com
  • tinyPEAP: http://www.tinypeap.com

72
Papers and Wireless Security Web Pages
  • Weaknesses in the Key Scheduling Algorithm of RC4
  • The Unofficial 802.11 Security Web Page
  • Wireless Security Blackpaper
  • The IEEE 802.11 specifications (includes WEP
    spec)
  • Paper on detecting Netstumbler and similar
    programs
  • Further reading on upcoming 802.11 variations
  • Assorted 802.11 related crypto algorithms written
    in ANSI C