CWNA Guide to Wireless LANs, Second Edition

1
CWNA Guide to Wireless LANs, Second Edition

• Chapter Eight
• Wireless LAN Security and Vulnerabilities

2
Objectives

• Define information security
• Explain the basic security protections for IEEE
  802.11 WLANs
• List the vulnerabilities of the IEEE 802.11
  standard
• Describe the types of wireless attacks that can
  be launched against a wireless network

3
Security Principles What is Information Security?

• Information security Task of guarding digital
  information
• Ensures protective measures properly implemented
• Protects confidentiality, integrity, and
  availability (CIA) on the devices that store,
  manipulate, and transmit the information through
  products, people, and procedures

4
Security Principles What is Information
Security? (continued)
Figure 8-1 Information security components
5
Security Principles Challenges of Securing
Information

• Trends influencing increasing difficultly in
  information security
• Speed of attacks
• Sophistication of attacks
• Faster detection of weaknesses
• Day zero attacks
• Distributed attacks
• The many against one approach
• Impossible to stop attack by trying to identify
  and block source

6
Security Principles Categories of Attackers

• Six categories of attackers
• Hackers
• Not malicious expose security flaws
• Crackers
• Script kiddies
• Spies
• Employees
• Cyberterrorists

7
Security Principles Categories of Attackers
(continued)
Table 8-1 Attacker profiles
8
Security Principles Security Organizations

• Many security organizations exist to provide
  security information, assistance, and training
• Computer Emergency Response Team Coordination
  Center (CERT/CC)
• Forum of Incident Response and Security Teams
  (FIRST)
• InfraGard
• Information Systems Security Association (ISSA)
• National Security Institute (NSI)
• SysAdmin, Audit, Network, Security (SANS)
  Institute

9
Basic IEEE 802.11 Security Protections

• Data transmitted by a WLAN could be intercepted
  and viewed by an attacker
• Important that basic wireless security
  protections be built into WLANs
• Three categories of WLAN protections
• Access control
• Wired equivalent privacy (WEP)
• Authentication
• Some protections specified by IEEE, while others
  left to vendors

10
Access Control

• Intended to guard availability of information
• Wireless access control Limit users admission
  to AP
• Filtering
• Media Access Control (MAC) address filtering
  Based on a nodes unique MAC address

Figure 8-2 MAC address
11
Access Control (continued)
Figure 8-4 MAC address filtering
12
Access Control (continued)

• MAC address filtering considered to be a basic
  means of controlling access
• Requires pre-approved authentication
• Difficult to provide temporary access for guest
  devices

13
Wired Equivalent Privacy (WEP)

• Guard the confidentiality of information
• Ensure only authorized parties can view it
• Used in IEEE 802.11 to encrypt wireless
  transmissions
• Scrambling

14
WEP Cryptography

• Cryptography Science of transforming information
  so that it is secure while being transmitted or
  stored
• scrambles data
• Encryption Transforming plaintext to ciphertext
• Decryption Transforming ciphertext to plaintext
• Cipher An encryption algorithm
• Given a key that is used to encrypt and decrypt
  messages
• Weak keys Keys that are easily discovered

15
WEP Cryptography (continued)
Figure 8-5 Cryptography
16
WEP Implementation

• IEEE 802.11 cryptography objectives
• Efficient
• Exportable
• Optional
• Reasonably strong
• Self-synchronizing
• WEP relies on secret key shared between a
  wireless device and the AP
• Same key installed on device and AP
• Private key cryptography or symmetric encryption

17
WEP Implementation (continued)
Figure 8-6 Symmetric encryption
18
WEP Implementation (continued)

• WEP shared secret keys must be at least 40 bits
• Most vendors use 104 bits
• Options for creating WEP keys
• 40-bit WEP shared secret key (5 ASCII characters
  or 10 hexadecimal characters)
• 104-bit WEP shared secret key (13 ASCII
  characters or 16 hexadecimal characters)
• Passphrase (16 ASCII characters)
• APs and wireless devices can store up to four
  shared secret keys
• Default key used for all encryption

19
WEP Implementation (continued)
Figure 8-8 Default WEP keys
20
WEP Implementation (continued)
Figure 8-9 WEP encryption process
21
WEP Implementation (continued)

• When encrypted frame arrives at destination
• Receiving device separates IV from ciphertext
• Combines IV with appropriate secret key
• Create a keystream
• Keystream used to extract text and ICV
• Text run through CRC
• Ensure ICVs match and nothing lost in
  transmission
• Generating keystream using the PRNG is based on
  the RC4 cipher algorithm
• Stream Cipher

22
WEP Implementation (continued)
Figure 8-10 Stream cipher
23
Authentication

• IEEE 802.11 authentication Process in which AP
  accepts or rejects a wireless device
• Open system authentication
• Wireless device sends association request frame
  to AP
• Carries info about supported data rates and
  service set identifier (SSID)
• AP compares received SSID with the network SSID
• If they match, wireless device authenticated

24
Authentication (continued)

• Shared key authentication Uses WEP keys
• AP sends the wireless device the challenge text
• Wireless device encrypts challenge text with its
  WEP key and returns it to the AP
• AP decrypts returned result and compares to
  original challenge text
• If they match, device accepted into network

25
Vulnerabilities of IEEE 802.11 Security

• IEEE 802.11 standards security mechanisms for
  wireless networks have fallen short of their goal
• Vulnerabilities exist in
• Authentication
• Address filtering
• WEP

26
Open System Authentication Vulnerabilities

• Inherently weak
• Based only on match of SSIDs
• SSID beaconed from AP during passive scanning
• Easy to discover
• Vulnerabilities
• Beaconing SSID is default mode in all APs
• Not all APs allow beaconing to be turned off
• Or manufacturer recommends against it
• SSID initially transmitted in plaintext
  (unencrypted)

27
Open System Authentication Vulnerabilities
(continued)

• Vulnerabilities (continued)
• If an attacker cannot capture an initial
  negotiation process, can force one to occur
• SSID can be retrieved from an authenticated
  device
• Many users do not change default SSID
• Several wireless tools freely available that
  allow users with no advanced knowledge of
  wireless networks to capture SSIDs

28
Open System Authentication Vulnerabilities
(continued)
Figure 8-12 Forcing the renegotiation process
29
Shared Secret Key Authentication Vulnerabilities

• Attackers can view key on an approved wireless
  device (i.e., steal it), and then use on own
  wireless devices
• Brute force attack Attacker attempts to create
  every possible key combination until correct key
  found
• Dictionary attack Takes each word from a
  dictionary and encodes it in same way as
  passphrase
• Compare encoded dictionary words against
  encrypted frame

30
Shared Secret Key Authentication Vulnerabilities
(continued)

• AP sends challenge text in plaintext
• Attacker can capture challenge text and devices
  response (encrypted text and IV)
• Mathematically derive keystream

31
Shared Secret Key Authentication Vulnerabilities
(continued)
Table 8-2 Authentication attacks
32
Address Filtering Vulnerabilities
Table 8-3 MAC address attacks
33
WEP Vulnerabilities

• Uses 40 or 104 bit keys
• Shorter keys easier to crack
• WEP implementation violates cardinal rule of
  cryptography
• Creates detectable pattern for attackers
• APs end up repeating IVs
• Collision Two packets derived from same IV
• Attacker can use info from collisions to initiate
  a keystream attack

34
WEP Vulnerabilities (continued)
Figure 8-13 XOR operations
35
WEP Vulnerabilities (continued)
Figure 8-14 Capturing packets
36
WEP Vulnerabilities (continued)

• PRNG does not create true random number
• Pseudorandom
• First 256 bytes of the RC4 cipher can be
  determined by bytes in the key itself

Table 8-4 WEP attacks
37
Other Wireless Attacks Man-in-the-Middle Attack

• Makes it seem that two computers are
  communicating with each other
• Actually sending and receiving data with computer
  between them
• Active or passive

Figure 8-15 Intercepting transmissions
38
Other Wireless Attacks Man-in-the-Middle Attack
(continued)
Figure 8-16 Wireless man-in-the-middle attack
39
Other Wireless Attacks Denial of Service (DoS)
Attack

• Standard DoS attack attempts to make a server or
  other network device unavailable by flooding it
  with requests
• Attacking computers programmed to request, but
  not respond
• Wireless DoS attacks are different
• Jamming Prevents wireless devices from
  transmitting
• Forcing a device to continually dissociate and
  re-associate with AP

40
Summary

• Information security protects the
  confidentiality, integrity, and availability of
  information on the devices that store,
  manipulate, and transmit the information through
  products, people, and procedures
• Significant challenges in keeping wireless
  networks and devices secure
• Six categories of attackers Hackers, crackers,
  script kiddies, computer spies, employees, and
  cyberterrorists

41
Summary (continued)

• Three categories of default wireless protection
  access control, wired equivalent privacy (WEP),
  and authentication
• Significant security vulnerabilities exist in the
  IEEE 802.11 security mechanisms
• Man-in-the-middle attacks and denial of service
  attacks (DoS) can be used to attack wireless
  networks