IEEE 802.11 Security

1
IEEE 802.11 Security
2
IEEE Security Outline

• Introduction to Wireless Local Area Networks
• IEEE 802.11
• IEEE 802.11 PHY MAC
• IEEE 802.11 Security
• Risks to IEEE 802.11 networks
• IEEE 802.11 WEP
• Wi-Fi Alliances WPA
• IEEE 802.11i amendment and WPA2

3
Who is Who in IEEE 802.11

• IEEE
• Institute of Electrical and Electronics
  Engineers, Inc.
• designs the technology publish the standards
• www.ieee.org
• Wi-Fi Alliance
• certify interoperability of WLAN products
• 250 member companies and 2800 certified
  products
• www.wifialliance.com

former WECA - Wireless Ethernet Compatibility
Alliance
4
IEEE 802.11 Evolution

• Wireless Evolution
• early 1990s
• first wireless networks operating in the ISM
  bands
• issues price, performance, interoperability
  IEEE 802.11 WG is born
• 1997 June
• IEEE 802.11 standard is approved.
• 1999 September
• standard revision, IEEE 802.11a IEEE 802.11b
  are approved.
• 2003 June
• IEEE 802.11g amendment is approved
• 2004 July
• IEEE 802.11i amendment is approved

5
IEEE 802.11 Specification

• Operation Modes
• infrastructure network
• ad hoc network
• IEEE 802.11 standard specifies
• medium access control (MAC)
• physical layer protocols (PHY)

IP
LLC
IEEE 802.2
MAC
IEEE 802.11
PHY
6
Operation Modes

• Infrastructure Network Mode
• Basic Service Set (BSS) with only one
  Access Point (AP)

AP
BSS
STA
7
Operational Modes

• Infrastructure Network Mode
• Extended Service Set (ESS)

STA
ESS
STA
AP
AP
BSS
BSS
8
Operational Modes

• Ad Hoc Network Mode
• Independent Basic Service Set (IBSS)
• no support to multi hopping no routing!
  PHY MAC layers only

STA
IBSS
9
The Spectrum

• Electromagnetic Spectrum
• the physical medium air from viewpoint of the
  signal frequencies
• frequency usage is regulated / controlled by the
  local government
• E.U. CEPT - ERO (European Radio
  Comm. Office)
• Sweden PTS (Post Telestyrelsen)
• U.S. FCC NTIA
• International ITU

European Conference of Postal and
Telecommunications Administrations
10
The Spectrum

• Electromagnetic Spectrum
• www.ntia.doc.gov/osmhome/allochrt.html
• www.pts.se/
• www.ero.dk/ecc

300GHz
PCS
GSM
1GHz
FM
GSM-DCS
AM
AMPS
M
VL
L
H
UH
SH
VH
EH
IR
300THz
3 KHz
microwaves
5.725GHz5.875GHzIEEE802.11a
902MHZ928MHz
2.4GHz-2.5GHzIEEE 802.11bIEEE 802.11g
11
Transmission Mechanisms

• Narrow Band
• all signal power is concentrated in a narrow
  spectrum band
• Spread Spectrum -SS
• the signal power is spread in the spectrum

12
Spread Spectrum

• Direct Sequence (DS-SS)
• the signal is multiplied by a code
  signal spreading
• si(t)(2.Pi)-1/2.di(t).pi(t).cos(?0.t ?i)
• the signal is retrieved multiplying it the same
  code
• anti jamming properties
• low probability of interception
• low amplitude signal even below
  noise level!

code
13
Spread Spectrum

• Direct Sequence (DS-SS)

pi(t)
pi(t)
code
code
(2.Pi)-1/2.di(t).cos(?0.t ?i)
(2.Pi)-1/2.di(t).cos(?0.t ?i)
ReceivedNarrowbandSignal
Original Narrowband Signal
spread signal
?
?
(2.Pi)-1/2.di(t).pi(t).cos(?0.t ?i)
spread waveform
noise
noise
noise
14
IEEE 802.11 PHY

• Several different PHY layers MAC Layer

MAC
2.4 GHz FH-SS 1 Mbps 2 Mbps
2.4 GHz DS-SS 1 Mbps 2 Mbps
Infrared 1 Mbps 2 Mbps
2.4 GHz DS-SS OFDM max 11 Mbps max 54 Mbps
5 GHz OFDM 6, 9, 12, 18, 24, 36, 48, 54 Mbps
IEEE802.11b802.11g
IEEE802.11a
IEEE 802.11
15
IEEE 802.11 PHY DS-SS

• DS-SS Direct Sequence Spread Spectrum

5
10
14
4
9
3
8
13
2
7
12
1
6
11
MHz
2400
2412
2417
2422
2427
2432
2437
2442
2447
2452
2457
2462
2467
2472
2477
2482
2487
2492
2497
16
IEEE 802.11 PHY OFDM

• OFDM Orthogonal Frequency Division Multiplexing
• multiple transmissions at the same time
• 4 overlayering carriers
• no interference among the carriers

maximum
OFDM
minimum
17
IEEE 802.11 PHY
6
1
11

• Channels and Channel reuse
• Europe, USA

1
1
6
11
6
1
11
6
11
1
1
6
11
6
1
11
except France, Spain
18
IEEE 802.11 MAC

• MAC Layer - Medium Access
• medium access without contention
• medium access with contention
• random backoff mechanism
• ACK and retransmission

Point Coordination Function
PCF
MAC
Distributed CoordinationFunction
DCF
19
IEEE 802.11 MAC

• Point Coordination Function (PCF)
• the Access Point (AP) defines medium access
• only for infrastructure wireless networks
  (optional)
• polling among STA contention-free medium
  access
• Distributed Coordination Function (DCF)
• all station (STA)
• CSMA/CA Carrier Sense Multiple Access / Collision
  Avoidance
• RTS/CTS mechanism

20
IEEE 802.11 CSMA/CA

• Physical Carrier Sense (PHY)
• checks if the physical medium is free
• Virtual Carrier Sense
• to solve the hidden-node problem!
• use of RTS and CTS frames
• Duration/ID field defines the reserved period
  of time
• NAV Network Allocation Vector
• stores the reservation information
• implemented as a counter

21
IEEE 802.11 CSMA/CA
PIFS PCF IFS - 10µs SIFS Short IFS - 30µs
DIFS DCF IFS - 50µs

• Virtual Carrier Sense

DS-SStimings
22
IEEE 802.11 CSMA/CA

• Random backoff mechanism
• after transmission DIFS (DFC interframe
  space)
• if a STA wants to transmit and the medium is
  free immediate access (gt DIFS)
• if a STA wants to transmit and the medium is not
  free
• wait for DIFS random period (contention
  window)

Networking Computing
23
IEEE 802.11 CSMA/CA

• Backoff mechanism (contention window)

DIFS
STA A
Frame
Contention
Wait
Frame
Backoff
STA B
Wait
STA C
Wait
STA D
Frame
Frame
STA E
24
Risks in IEEE 802.11 networks

• Risks? Is it really not secure?
• rogue clients logging in into your networks
• wireless eavesdropping and network intrusion
• non-authorized / rogue AP and cloned AP
• bad configuration

25
IEEE 802.11 Security

• Data link security (L2)
• between AP and STA or STA and STA (ad hoc mode)
• IEEE 802.11 WEP (Wired Equivalent Privacy)
• is WEP really that bad?
• Wi-Fi Alliances WPA (Wi-Fi Protected Access)
• is WPA enough?
• IEEE 802.11i amendment and WPA2
• are we finally secure?

26
Wired Equivalent Privacy - WEP

• the security goals of IEEE 802.11 were
• Authentication
• Confidentiality
• Data Integrity
• WEP introduced in the original IEEE
  802.11 standard
• designed to protect authorized users from casual
  eavesdropping
• optional security add-on to achieve
  confidentiality
• WEP assumes that AP and clients have shared-keys

27
Wired Equivalent Privacy - WEP

• WEP Confidentiality and Integrity in the Data
  Link Layer
• but what is WEP?
• a form of ECB in which a a block of plaintext
  is bitwised XORed with a pseudorandom key
  sequence of equal length
• WEP key (PRNG input)
• a 40-bit long shared secret
• 24-bit long IV
• Data integrity
• with CRC-32

PRNG input is64-bit long
MAC
IV
Ciphered Payload
CRC
Electronic Code Book
28
Ciphering with WEP
InitializationVector (IV)
24 bits
IV Ciphertext
Output

WEP PRNG (RC4)
?
Key Sequence
SecretKey
Seed
40 bits
64 bits
P ? K C
Plaintext

CRC-32
32 bits
Integrity Check Value (ICV)
- concatenation ? - bitwise XOR
29
Deciphering with WEP
C ? K P ? K ? K P
SecretKey

Plaintext
40 bits
WEP PRNG (RC4)
Key Sequence
Seed
IV
IV Ciphertext
?
64 bits
24 bits
Input
CRC-32
Ciphertext
ICV
ICV
- concatenation ? - bitwise XOR
30
WEP Authentication

• WEP authentication modes
• Open System
• null authentication
• Shared Key
• based on WEP

STA
STA or AP
request
challenge (M)
response EWEP(M)
OK / NOK
31
Early comments on WEP

• the use of shared-keys in WEP
• network security management problem
• shared keys are not long enough (40bits)
• brute force attacks (feasible, but takes time)
• just increase the key length to 104bits!

32
Overview of the WEP Insecurity

• March 2000 Simon, Aboba and Moore
• several flaws in WEP design
• October 2000 Walker
• limited IV space leads to IV reuse problem
• July 2001 Borisov, Goldberg and Wagner
• practical attacks to cause known plaintext to be
  transmitted
• March 2001 Arbaugh et al.
• trivial to obtain a keystream
• August 2001 the Fluhrer, Mantin and Shamir
  attack
• weakness in RC4 key scheduling algorithm
• and the popular cracking tools for IEEE 802.11
  networks secured with WEP

33
Simon, Aboba and Moore (Microsoft)

• NIC authentication only no user
  authentication
• lost NICs / device huge security
  management problem
• shared-key authentication is not mutual
• rogue AP MitM attacks
• ICV is not keyed
• no guarantee of data integrity
• known plaintext attacks recover the keystream
  for a given IV

C ? P P ? K ? P K
34
J. Walker (Microsoft)

• WEP mechanism unsafe at any key size (24-bit long
  IV)
• only 224 values can be derived from a WEP key
• IV reuse can lead to data decryption without the
  secret key
• no policy for IV selection on AP

C ? C P ? K ? P ? K P ? P
InitializationVector (IV)
24 bits

WEP PRNG (RC4)
Key Sequence
SecretKey
Seed
K
40 bits
64 bits
35
Borisov, Goldberg and Wagner (UCB)

• IV dictionaries are independent of the key size
  (224 entries)
• practical ways to cause known plaintext to be
  transmitted
• broadcasted datagrams obtain a RC4
  keystream
• Message modification
• CRC-32 is a linear function of the message
• Message injection and authentication spoofing
• one RC4 keystream needed

C C ? ( ? c(?) )
36
Arbaugh et al. (UMD)

• trivial to obtain a keystream
• shared-key authentication 2nd frame and 3rd frame

STA
STA or AP
request
challenge (M)
Plaintext
response EWEP(M)
OK / NOK
Ciphertext
C ? P P ? K ? P K
RC4 keystream
37
Fluhrer, Mantin and Shamir

• weakeness in RC4 key scheduling algorithm
• large class of weak keys collecting
  weakened packets
• derive the first byte of the RC4 output
• Stubblefield, Ioannidis and Rubin
  effectiveness of the attack
• ca. 106 packets to retrieve a key

RC4 KSA PRGA
Seed
Key Sequence
24 bits 40 bits
Known
Secret
38
RC4

• stream cipher variable key-size stream cipher
• key scheduling algorithm (KSA)
• pseudo-random generation algorithm (PRGA)

256-bytes State Vector S256-bytes Temp Vector
Tkey (8 bytes for WEP)
S0 S255T0 T255
initalization for i 0 to 255 S i
i j 0 scrambling for i0 to
255 j ( j S i K i ) mod 256 swap
( S i , S j )
IV of a weakened or resolved packet (A3, N-1, X)
255
39
Attack Tools on WEP

• Fluhrer, Mantin and Shamir Implemented
• AirSnort
• http//airsnort.shmoo.com/
• WEPCrack
• http//sourceforge.net/projects/wepcrack/
• wesside - a fragmentation-based attack tool from
  UCL
• http//www.cs.ucl.ac.uk/staff/A.Bittau/frag-0.1.
  tgz

40
Vendors Countermeasures

• Increasing the secret key length to 104 bits
• innocuous WEP is insecure at any key-size
• MAC filtering
• MAC spoofing is easily achievable
• suppressing of SSID broadcasts
• network will be detected (management datagrams)
• the vendors patch blocking potentially
  harmful IV
• reduced the IV space even more
• legacy hosts compromise the solution

41
Wi-Fi Protected Access (WPA)

• WPA (Wi-Fi Protected Access)
• recommendation to improve security in IEEE 802.11
  networks
• published in April 2003
• added as subset of IEEE 802.11i for backward
  compatibility
• firmware upgrade only is needed
• WPA encryption
• Temporal Key Integrity Protocol wrapper
  over WEP
• WPA has two authentication modes
• Enterprise Mode (Authentication Server is
  needed)
• SOHO Mode (using shared-keys)

42
WPA Encryption with TKIP

• TKIP enhancements over WEP are
• a keyed data integrity protocol (MIC Message
  Integrity Protocol)
• MICHAEL 64-bit long keys, calculated
  over the MSDU
• re-keying mechanism to provide fresh keys
• encryption keys for different purposes
• per packet mixing function prevent weak
  key attacks
• MAC of the destination is mixed to the temporal
  key
• a discipline for IV sequencing prevent IV
  reuse
• IV counter is reseted after the establishment
  of fresh keys

43
WPA Authentication Enterprise Mode

• Authentication Server provides
• key management and
• authentication according to the EAP
• EAPOL (IEEE 802.1X) is needed
• IEEE 802.1X defines a port-based network control
  method

authenticator
AP
supplicant
AS
wired medium
wireless medium
STA
EAP authentication mechanism
EAP
EAPoL (IEEE 802.1X)
RADIUS
44
IEEE 802.1X Authentication with TLS
AP
STA
AS
EAPoL
RADIUS
802.1X/EAP Req. ID
RADIUS Access Req. / EAP - Resp. ID
802.1X/EAP Resp. ID
EAP-TLS Mutual Authentication
calculate PMK
calculate PMK
RADIUS Accept PMK
PMK
802.1X/EAP-Success
TLS-PseudoRandomFunction( PreMasterKey, master
secret random1 random2 )
TLS-PRF( MasterKey, client EAP encryption
random1 random2 )
45
WPA Authentication SOHO Mode

• using Pre-Shared Keys (PSK)
• shared keys between the AP and STA
• useful solution for smaller networks
• no need for an authentication server
• PSK is vulnerable to dictionary attacks
• coWPAtty http//sourceforge.net/projects/cowpat
  ty

46
IEEE 802.11i

• IEEE 802.11i is an amendment to the IEEE 802.11
  standard
• several components are external to the IEEE
  802.11 standard
• IEEE 802.11i protect data frames
• EAPoL (IEEE 802.1X) provides authentication
• key establishment and distribution
• RSNA - Robust Secure Network Association
• defined as a type of association to secure
  wireless networks

47
RSNA

• RSNA defines
• key hierarchy and key management algorithms
• a cryptographic key establishment
• enhanced authentication mechanisms
• enhanced data encapsulation mechanism CTR with
  CBC-MAC
• Counter Mode with Cipher Block Chaining with
  Message Authentication Code (CBC-MAC) Protocol.
• TKIP is included for systems not full compliant
  with RSNA
• Open-System Authentication is kept
• WEP is supported only for interoperability with
  legacy systems.

48
RSNA Security Algorithm Classes

• RSNA algorithms
• data confidentiality protocols
• network architecture for authentication (based on
  IEEE 802.1X)
• key hierarchy, key setting and distribution
  method
• Pre-RSNA algorithms
• WEP and IEEE 802.11 Open System Authentication

49
RSN and TSN

• RSN Information Element (IE) Beacon Frames
• RSN IE Group Key Field Suite indicates the
  network type
• Robust Secure Networks (RSN)
• RSNA only networks
• Transient Secure Networks (TSN)
• allows both Pre-RSNA networks (WEP) and RSNA
  networks

50
RSNA Operational Phases
AS
STA
AP
Discovery
Authentication (IEEE 802.1X)
Key Distribution
Key Management
Data Transfer
(protected)
51
RSNA Discovery Phase

• Discover of an AP SSID by an STA
• RSN IE frames
• Definition of
• authentication, key management and cryptographic
  suite
• cipher suite selectors include
• WEP-40, WEP-104, TKIP, CCMP, and vendor
  specifics

52
RSNA Key Hierarchy and Distribution

• RSNA key hierarchies
• unicast traffic pairwise hierarchy
• multicast and broadcast traffic group
  temporal key hierarchy
• RSNA key distribution
• 4-way handshake

53
RSNA Pairwise Key Hierarchy
product of the IEEE802.1X authentication
Pre-SharedKey (PSK)
AAAKey
256 bits
first256 bits
OR
authorization to the IEEE802.11 medium
positive access decision
Pairwise Master Key (PMK)
256 bits
PRF
Pairwise Transient Key (PTK)
384 or 512 bits
54
Pairwise Transient Key

• KCK (Key Confirmation Key) confirms the
  possession of the PMK
• KEK (Key Encryption Key) for the distribution
  of group keys
• TK (Temporal Key) for data confidentiality

Temporal Key
Pairwise Transient Key (PTK)
KCK
KEK
127
128
255
256
0
n(383 or 512)
55
RSNA Group Key Hierarchy
Group MasterKey (GMK)
chosen by the authenticator
nonceASAS address
PRF
CCMP
Group TemporalKey (GTK)
128 or256 bits
TKIP
56
4-Way Handshake

• PTK setting and GTK distribution
• confirm that a live peer holds the PMK and the
  PMK is current
• derive a fresh PTK from the PMK
• install encryption and integrity keys
• confirm the cipher suite

57
4-Way Handshake
SupplicantSTA
AuthenticatorAP
PMK
PMK
generate nonceSTA
generate nonceAP
EAPoL-Key ( nonceAP )
nonceAP
EAPoL-Key ( nonceSTA , MIC )
derive PTK
nonceSTA
generateGTK
derive PTK
EAPoL-Key ( Install PTK, MIC, EKEKGTK )
EAPOL-Key ( MIC )
installPTK and GTK
installPTK
if needed
58
RSNA Confidentiality Integrity

• RSNA defines
• TKIP should only be used when CCMP is not
  available
• CCMP mandatory for full compliance
• CCMP
• based on AES on CCM mode provable secure
• CCM uses a single 128-bit key for both data
  encryption and MIC
• requires a fresh TK for every session, and a
  unique nonce per frame 48-bit packet number
  (PN) field

59
RSNA Confidentiality Integrity

• TKIP MICHAEL
• CCMP
• AES based
• confidentiality, authentication, integrity and
  replay protection
• 128-bit long key for both data encryption and MIC
  computing
• a fresh Temporal Key (TK) is needed for every
  session

60
MIC
Michael

• MICHAEL
• TKIP
• CBC-MAC
• CCMP

DA
SA
MIC
Payload
8 bytes
KCK
MIC
padding
padding
DA SA
Payload
MIC
0
0


B1
BK
BK1
BR
AES
IV
AES
AES

KCK
KCK
KCK
Calculated using MSDU - WEP uses the MPDU only
Counter Mode with Cipher Block Chaining (CBC)