Wireless Security

1
Wireless Security

• Presented at
• AMCIS 2002
• Dallas, Texas
• By
• Dr. Robert J. Boncella
• Professor of CIS
• School of Business
• Washburn University

2
Overview

• Wireless LAN
• Physical Transport
• 802.11 Standards
• WLAN Architecture
• WLAN Security

• Wireless Local Loops (Wireless WAN)
• Physical Transport
• WAP Protocol 1.x
• WAP Protocol 2.0
• WAP Security

3
Wireless

• Local Area Networks

4
Physical Transport

• RF (Radio Frequency)
• Frequency Hopping Spread Spectrum (FHSS)
• Direct Sequence Spread Spectrum (DSSS)
• IR (Infrared Radiation)
• Point-to-Point
• Diffused

5
RF Transport

• Spread Spectrum
• Expand the initial bandwidth and spread it in
  order to use a portion of the bandwidth for
  portion of the message.
• FHSS - Frequency Hopping Spread Spectrum
• Non-consecutive portions of the spread spectrum
  are used to transmit portions of the message
• DSSS - Direct Sequence Spread Spectrum
• each bit of the message contains additional bits
  for error correction purposes - the message bit
  along with its redundant bits is called the Chip
  Code

6
IR Transport

• Diffused
• Reflect signal off of existing surfaces
• e.g. ceiling
• Try this with TV remote
• Point-to-Point
• Signal sent as beam to IR Switch
• IR Switch relays to next IR Switch
• Ring topology

7
RF and IR Transport
IR Spectrum 850 to 950 nanometers
8
802.11 Standards

• 802.11a (WiFi5)
• operates in the 5GHz RF band
• Max link rate of 54Mbps
• 802.11b (WiFi)
• operates in the 2.4GHz RF band
• max link rate of 11Mbps
• 802.11g (Not Yet Standard)
• Max link rate of 54Mbps
• operates in 2.4GHz RF band
• 802.11i
• improved WEP

• Others
• 802.11d
• 802.11e
• 802.11f
• 802.11h

9
WLAN Architecture

• Basic Service Set - BSS
• Extended Service Set - ESS
• Access Point - AP
• Station Types
• No-Transition Mobility but portable
• BSS-Transition Mobility
• ESS-Transition Mobility

10
BSS
11
ESS
Distribution System (e.g. Ethernet)
Gateway
Server
BSS
BSS
12
WLAN Security

• Requirements
• authentication
• confidentiality
• integrity

13
WLAN Security Exploits

• Insertion Attacks
• Unauthorized Clients or AP
• Interception and Unauthorized Monitoring
• Packet Analysis
• Broadcast Analysis
• AP connected to hub rather than switch
• AP Clone
• Jamming
• Denial of Service - using cordless phones, baby
  monitors, leaky microwave oven, etc.

14
WLAN Security Exploits

• Client-to-Client Attacks
• DOS - duplicate MAC or IP addresses
• TCP/IP Service Attacks against wireless client
  providing these services
• Brute Force Attacks Against AP Passwords
• Dictionary Attacks Against SSID
• Encryption Attacks
• Compromised WEP
• Misconfigurations
• APs ship in an unsecured configuration

15
Secure AP Access

• Service Set Identifier - SSID
• Media Access Control (MAC) Address Filtering
• Wired Equivalent Privacy - WEP

16
SSID

• Mechanism Used to Segment Wireless Networks
• Each AP is programmed with a SSID that
  corresponds to its network
• Client computer presents correct SSID to access
  AP
• Security Compromises
• AP can be configured to broadcast its SSID
• SSID may be shared among users of the wireless
  segment

17
MAC Filtering

• Each client identified by its 802.11 NIC Mac
  Address
• Each AP can be programmed with the set of MAC
  addresses it accepts
• Combine this filtering with the APs SSID
• Overhead of maintaining list of MAC addresses

18
WEP-Based Security

• Employs RC4 PRNG to Encrypt/Decrypt data
• RC4 PRNG
• Symmetric Algorithm
• 40 bit encryption key 24 bit initialization
  vector
• 64 bit string is used as seed to PRNG to generate
  a key sequence
• ICV (integrity check value) is computed for
  plaintext (CRC-32)
• ICV is appended to plaintext to make data bit
  string
• Key Sequence is XORéd to data bit string to
  create ciphertext.
• Ciphertext and IV are sent to receiver.

19
WEP Authentication

• Access request by client
• Challenge text sent to client by AP
• Challenge text encoded by client using shared
  secret then sent to AP
• If challenge text encoded properly AP allows
  access else denied

20
WEP Security Weaknesses

• All clients and APs in wireless network share
  the same encryption key
• No protocol for encryption key distribution
• IV transmitted in the clear
• default Open System authentication

21
WLANs and VPNS

• VPN provides secure tunnel through an
  untrusted network
• Requires VPN Client and Server software
• Wireless path considered the untrusted network
• Alternative to MAC filtering and WEP

22
Best Practices for WiFi Security

• Use WEP
• change default key
• change WEP key frequently
• Password Protect Client Drives and Folders
• Change Default SSID
• Use Sessions Keys If Available
• Use MAC Filtering If Available
• Use A VPN
• Requires VPN Server
• VPN Client Maybe Included With Op Sys

23
Wireless Local Loops

• (Wide Area Networks)

24
WAP Protocol

• Wireless Application Protocol
• used with small low-powered devices
• low bandwidth devices
• e.g. cell phones
• Layered Protocol
• Two versions of protocol stack
• WAP1.x Protocol Stack
• WAP2.0 Protocol Stack
• Used with WAP Devices
• clients - cell phones
• gateways -
• translate wireless protocols into Internet
  protocols
• located near Mobile Telephone Exchange
• Provide Security

25
WAP 1.x Protocol Stack
WAP Device
Wireless Application Environment
Wireless Session Protocol
Wireless Transaction Protocol
Wireless Transport Layer Security
Wireless Datagram Protocol
GSM, TDMA, CDMA, CDPD, et al
26
WAP 1.x Gateway
27
WAP 2.x Protocol Stack
28
WAP 2.0 Proxy
29
Transport Layer Security

• Use of cipher suites
• Certificates of authentication
• Digital Signatures
• Session Resume
• Provides for TLS tunneling
• end-to-end transport layer security

30
Bibliography
Dornan, Andy (2002) "LANs with No Wires, but
Strings Still Attached", Network Magazine, (17)
2, pp. 44-47. Dornan, Andy (2002) "Fast Forward
to 4G?", Network Magazine, (17) 3, pp.
34-39. Fratto, Mike (2001) "Tutorial Wireless
Security", Network Computing, Jan. 22, 2001, 3
pages, http//www.networkcomputing.com/1202/1202f1
d1.html Garber, Lee (2002) "Will 3G Really Be
the Next Big Wireless Technology?", IEEE
Computer, (35) 1, pp.26-32. Gast. Matthew S.
802.11 Wireless Networks The Definitive Guide
OReilly Associates Inc., Sebastopol, CA
(2002). Kapp, Steve (2002) "802.11 Leaving the
Wire Behind", IEEE Internet Computing Online",
January/February 2002, http//www.computer.org/int
ernet/v6n1/w102wire2.htm. Internet Security
Systems, (2001) "Wireless LAN Security 802.11b
and Corporate Networks", http//www.iss.net/suppo
rt/documentation/otherwhitepapers.php Macphee,
Allan (2001), "Understanding Digital Certificates
and Wireless Transport Layer Security (WTLS)",
Entrust Whitepaper, http//www.entrust.com/resour
ces/whitepapers.htm Nichols, Randall K., and
Lekkas, Panos C., Wireless Security Models,
Threats, and Solutions, McGraw-Hill, New York,
NY, 2002. Varshney, Upkar and Vetter, Ron (2000)
"Emerging Mobile and Wireless Networks",
Communications of the ACM, (43) 6, pp. 73-81.
31
These slides will be available on August 12, 2002
on the web site www.washburn.edu/cas/cis/boncella
follow the link Wireless Security Presentation
AMCIS 2002