802.11 security past, present, and future

802.11 Security Past, Present, and Future Chris Shutters, CISSP February 2004 [email protected]


Page 1: 802.11 Security Past, Present, and Future

802.11 Security Past, Present, and Future

Chris Shutters, CISSP

February 2004

[email protected]

Page 2: 802.11 Security Past, Present, and Future

What We Will Cover

• Introduction - What is 802.11?
• Relationship Between 802.11 and Wi-Fi
• Original 802.11 Security Goals
• Original 802.11 Security
• Original Vulnerabilities
• Tools
• How to Secure Original 802.11
• Current 802.11 Security
• WPA Protocol Stack
• Future 802.11 Security
• Final Thoughts

Page 3: 802.11 Security Past, Present, and Future

Introduction - What is 802.11?

• A set of standards for wireless networking
  – Addresses LANs where devices
    • Communicate over ‘airwaves’ (radio or infrared)
    • Are within (relatively) close proximity to each other
• Wireless devices may communicate
  – Directly with each other (independent or ad-hoc networks)
  – Via an Access Point (AP) (infrastructure mode)
• Data rates
  – 802.11b: up to 11 Mbps (2.4 GHz frequency range)
  – 802.11a: up to 54 Mbps (5 GHz frequency range)
  – 802.11g: up to 54 Mbps (2.4 GHz frequency range)

Page 4: 802.11 Security Past, Present, and Future

Relationship Between 802.11 and Wi-Fi

• 802.11 is a series of standards produced by the IEEE
  – Specify technical details such as:
    • Radio frequencies
    • Modulation methods
    • Protocol messages
• Wi-Fi is an alliance of major 802.11 manufacturers
  – Focus is on interoperability testing
  – Interoperability is defined by a set of “gold standard” products
  – Products are tested and certified as Wi-Fi compliant

Page 5: 802.11 Security Past, Present, and Future

Original 802.11 Security Goals

• Authorization
  – Verify that all mobile stations are authorized to access the network
• Privacy
  – Implement security such that there is no privacy difference between wireless and wired LANs
  – Maintain data privacy from all unauthorized stations

Page 6: 802.11 Security Past, Present, and Future

Original 802.11 Security

• Two authentication methods available
  – Open system authentication
    • Station 1 sends Service Set ID (SSID) to station 2
    • Station 2 accepts or rejects station 1 based on knowledge of SSID
    • APs can be configured to accept the broadcast SSID
      – Thus allowing anyone to access the AP
  – Shared key authentication
    • Stations respond to an authentication challenge from an AP or other device
      – AP sends a challenge to be encrypted by the station
      – Station encrypts the challenge with shared key
      – AP decrypts challenge and grants or denies authentication based on decryption results

Page 7: 802.11 Security Past, Present, and Future

Original 802.11 Security (cont.)

• Wired Equivalent Privacy (WEP)
  – Encryption algorithm: RC4 (symmetric stream cipher)
    • Requires shared key for all communicating stations
  – Key length: either 40 or 104 bits (plus 24 bit initialization vector [IV])
  – Each data frame is encrypted separately with a different IV
  – Key management: not addressed by 802.11
• WEP key details
  – RC4 encryption key is constructed by appending IV to shared key
    • 2^24 possible encryption keys for each shared key

Page 8: 802.11 Security Past, Present, and Future

Original 802.11 Security (cont.)

Page 9: 802.11 Security Past, Present, and Future

Original 802.11 Security (cont.)

• Data integrity is protected with a Message Integrity Code (MIC)
  – The 32-bit Cyclic Redundancy Check (CRC-32) algorithm was chosen to implement the MIC
    • Bad choice, as CRC-32 was originally designed to detect random changes to data, not to protect against malicious tampering
    • An attacker can reliably change both the data and the CRC-32 value such that the CRC-32 matches the altered data
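
Why an unkeyed CRC-32 under a stream cipher gives no tamper protection, next to a keyed tag that does: this is an added example, not part of the original slides. The keystream, messages and MIC key are constructed, and the truncated HMAC is only a stand-in for a keyed MIC.

```python
import hashlib
import hmac
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def crc_tag(msg: bytes) -> bytes:
    """Unkeyed CRC-32, the integrity value the slide criticises."""
    return zlib.crc32(msg).to_bytes(4, "little")

MIC_KEY = b"constructed-mic-key"  # constructed value

def keyed_tag(msg: bytes) -> bytes:
    """Keyed MAC, used here as a stand-in for a real MIC (assumption)."""
    return hmac.new(MIC_KEY, msg, hashlib.sha256).digest()[:8]

def seal(msg: bytes, keystream: bytes, tag_fn) -> bytes:
    """Stream-cipher encryption of msg || tag."""
    body = msg + tag_fn(msg)
    return xor(body, keystream[:len(body)])

def unseal(ct: bytes, keystream: bytes, tag_fn, tag_len: int):
    """Decrypt, verify the tag, return the message or None on mismatch."""
    body = xor(ct, keystream[:len(ct)])
    msg, tag = body[:-tag_len], body[-tag_len:]
    return msg if hmac.compare_digest(tag, tag_fn(msg)) else None

def modify_in_transit(ct: bytes, delta: bytes) -> bytes:
    """Flip message bits and patch an encrypted CRC without any key, using
    crc(m ^ d) = crc(m) ^ crc(d) ^ crc(zeros) for equal-length inputs."""
    fix = xor(crc_tag(delta), crc_tag(bytes(len(delta))))
    return xor(ct, (delta + fix).ljust(len(ct), b"\x00"))

# Constructed sample data; any XOR keystream shows the same behaviour.
KEYSTREAM = hashlib.sha256(b"constructed keystream").digest() * 2
ORIGINAL = b"quota=010MB user=guest"
ALTERED = b"quota=910MB user=guest"
DELTA = xor(ORIGINAL, ALTERED)

def crc_result():
    ct = seal(ORIGINAL, KEYSTREAM, crc_tag)
    return unseal(modify_in_transit(ct, DELTA), KEYSTREAM, crc_tag, 4)

def keyed_result():
    ct = seal(ORIGINAL, KEYSTREAM, keyed_tag)
    return unseal(modify_in_transit(ct, DELTA), KEYSTREAM, keyed_tag, 8)
```

The receiver accepts the altered frame when the tag is a CRC and rejects it when the tag depends on a key the sender and receiver share.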

Page 10: 802.11 Security Past, Present, and Future

Original Vulnerabilities

• Traffic sniffing
  – Easier to perform on wireless than on traditional wired LANs
  – SSID is always sniffable when stations associate to an AP
  – If WEP is not being used
    • Plaintext data frames can be sniffed
  – If WEP is being used
    • Ciphertext data frames can be sniffed
    • Accumulation of ciphertext data leads to many interesting attacks
  – For APs connected to other LANs
    • Broadcast traffic should be available
    • Vulnerable to ARP spoofing

Page 11: 802.11 Security Past, Present, and Future

Original Vulnerabilities (cont.)

• Insertion – connecting an unauthorized station into a Wireless LAN
  – Easy if WEP not being used
    • Try broadcast SSID
    • Sniff SSID and use it to gain access
    • Request DHCP address
    • If no DHCP, try a 192.168.1.x address
  – If WEP is being used
    • Can still do many things…
• Authentication problems
  – Currently, authentication only performed by SSID or WEP key
    • Both of these methods may be sniffed and duplicated

Page 12: 802.11 Security Past, Present, and Future

Original Vulnerabilities (cont.)

• WEP problems
  – Inappropriate choice of encryption algorithm
    • With stream ciphers, it is unsafe to ever reuse a key
  – Key management problems
    • Because this issue is not addressed by 802.11, the shared key is rarely if ever changed
  – Keyspace problems
    • Reuse of IVs is inevitable
      – For randomly-selected IVs: due to Birthday Paradox, it is 99% likely that at least one IV will be reused every 12,500 frames
    • On a moderately loaded AP, keyspace will be exhausted in a few hours
    • Capture of large amounts of frames can lead to compromise of shared key

Page 13: 802.11 Security Past, Present, and Future

Original Vulnerabilities (cont.)

– Known plaintext attacks
  • If the plaintext and corresponding ciphertext of a message can be obtained, the RC4 keystream for that IV can be recovered
    – As discussed before, the shared key authentication method does this for us!
    – Note: No knowledge of the shared key is required, except the fact that it hasn’t changed
  • Once at least one RC4 keystream has been recovered, one can
    – Authenticate to the network
    – Insert messages into the network

Page 14: 802.11 Security Past, Present, and Future

Original Vulnerabilities (cont.)

• Often, attacker can inject known plaintext
  – HTTP requests
  – PING packets
• Known plaintext in a packet allows immediate recovery of the keystream for that particular IV!
• A Decryption Dictionary can be assembled
  – Table indexed by IV that contains recovered keystreams
    • Approximately 23 GB required for 24 bit IVs
    • Dictionary is the same size for 40 and 104 bit encryption!
  – When a new packet that uses a known IV is captured, just look up the keystream and decrypt the data!
  – Many implementations reset IVs to zero when initialized, and sequentially increment IVs
    • In this case the dictionary won’t have to be very big to be able to decrypt a significant percentage of traffic
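
The keystream recovery and IV-indexed dictionary described on the two slides above, as an added example that is not part of the original slides. The key, IVs and payloads are constructed, the per-frame RC4 key is formed with the IV first, and the CRC integrity value is left out to keep the focus on keystream reuse.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling followed by n bytes of keystream output."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    # Output is as long as the shorter input.
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    # The per-frame RC4 key is the 24-bit IV joined with the shared key;
    # the IV itself travels in the clear with every frame.
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))

def build_dictionary(known_frames):
    """Map IV -> keystream from (iv, ciphertext, known_plaintext) triples."""
    return {iv: xor(ct, pt) for iv, ct, pt in known_frames}

def lookup_decrypt(dictionary, iv: bytes, ciphertext: bytes):
    """Decrypt with a stored keystream; None if that IV was never seen."""
    ks = dictionary.get(iv)
    if ks is None or len(ks) < len(ciphertext):
        return None
    return xor(ciphertext, ks)

SHARED_KEY = bytes.fromhex("0102030405")        # constructed 40-bit key
IV_A, IV_B = b"\x00\x00\x2a", b"\x00\x00\x2b"   # constructed IVs

# One frame whose plaintext is known is enough to fill the entry for IV_A.
known = b"known plaintext, e.g. an auth challenge"
table = build_dictionary([(IV_A, wep_encrypt(IV_A, SHARED_KEY, known), known)])

reused = wep_encrypt(IV_A, SHARED_KEY, b"frame sent later, same IV")
fresh = wep_encrypt(IV_B, SHARED_KEY, b"frame sent under a new IV")

if __name__ == "__main__":
    print(lookup_decrypt(table, IV_A, reused))  # read without SHARED_KEY
    print(lookup_decrypt(table, IV_B, fresh))   # no entry for IV_B
```

The lookup never touches `SHARED_KEY`, which is why the dictionary is the same size for 40 and 104 bit keys and why an IV that never repeats removes the problem.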

Page 15: 802.11 Security Past, Present, and Future

Original Vulnerabilities (cont.)

• Misconfiguration
  – Default SSID not changed
  – Broadcast SSID not disabled
  – Default passwords not changed
  – WEP not enabled

Page 16: 802.11 Security Past, Present, and Future

Tools

• NetStumbler (http://www.netstumbler.com/)
  – Windows application that sniffs for presence of wireless traffic
  – When it detects traffic, it logs
    • MAC address
    • SSID
    • Manufacturer
    • Channel
    • WEP enabled (yes or no)
    • Signal strength
    • Signal to noise ratio
  – If you have GPS data available, it will also log coordinates

Page 17: 802.11 Security Past, Present, and Future

Tools (cont.)

• AiroPeek NX (http://www.wildpackets.com/products/airopeek_nx)
  – Commercial 802.11 sniffer and analyzer
  – Performs full decode of all 802.11 traffic as well as higher-level network protocols

Page 18: 802.11 Security Past, Present, and Future

Tools (cont.)

Page 19: 802.11 Security Past, Present, and Future

Tools (cont.)

• AirSnort (http://airsnort.shmoo.com/)
  – Wireless LAN WEP key recovery program
  – Sniffs and stores traffic until key can be computed
    • Typically requires capture of between five to ten million encrypted packets
  – Implements attack against RC4 Key Scheduling Algorithm Weakness (http://downloads.securityfocus.com/library/rc4_ksaproc.pdf)
    • This is commonly known as the FMS attack (for the initials of the discoverers of the attack)
    • Looks for frames that were encrypted with “weak” RC4 keys (approximately 3,000 out of the 16+ million possible keys)
    • Once approximately 2,000 “interesting” frames have been gathered, the key can be computed

Page 20: 802.11 Security Past, Present, and Future

Tools (cont.)

• Kismet (http://www.kismetwireless.net/)
  – Linux program for sniffing wireless traffic
  – Will log the following information
    • Networks found
    • Captured packets in binary format (suitable for later replay and analysis)
    • Cryptographically “weak” packets (like AirSnort)
    • IP address blocks in use (via ARP and DHCP analysis)
    • All Cisco products that announce themselves via Cisco Discovery Protocol (CDP)

Page 21: 802.11 Security Past, Present, and Future

How to Secure Original 802.11

• Place the WLAN in a DMZ and require VPN authentication for access to internal systems
  – Systems may still be individually attackable by rogue mobile stations
• Enable WEP
• Use 128 bit WEP encryption
• Change shared keys on a regular basis
• Change default SSID
• Don’t make SSID something obvious (company name, street address, etc)
• Disable acceptance of “broadcast SSID”
• Disable broadcasting of SSID
• Change default passwords on all equipment
• If possible, restrict access by MAC addresses
• Consider not using DHCP (statically assign addresses)

Page 22: 802.11 Security Past, Present, and Future

Current 802.11 Security

• Wi-Fi Protected Access (WPA) is the current “state of the art” in 802.11 security
  – Why?
    • To specifically address WEP weaknesses in a timely manner
    • Most existing equipment can implement WPA with a firmware update
  – First, use of the Temporal Key Integrity Protocol (TKIP) is specified
    • CRC is replaced with a MIC called Michael
      – New algorithm
      – Compromise between security and ability to be implemented in current hardware
      – Can potentially be brute-forced
        • However, countermeasures are implemented to detect and respond to brute-force attacks

Page 23: 802.11 Security Past, Present, and Future

Current 802.11 Security (cont.)

• IV size increased from 24 to 48 bits
  – IVs mandated to be used in sequential order
  – IV rollover or reuse won’t happen for hundreds of years
  – IV is also used as a replay detector/preventer
• The secret key used to encrypt packets is changed for every packet, using Per-Packet Key Mixing
  – Static Master and Session keys exist, but they are not directly used to encrypt packets
  – Thus, the tactic of accumulating large amounts of ciphertext to attack a static secret key will no longer work
• Countermeasures
  – The countermeasure against a Michael brute-force attack is to halt all network traffic on the attacked device for one minute
    • This limits attacker to one attempt per minute
    • The network interruptions should (in theory) be noticed by network support personnel
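
A small receiver model of the behaviour this slide describes (sequential counter as replay detector, one-minute halt after a MIC failure), added here as an example that is not from the original slides and is not a TKIP implementation. The class, the trace and the frame rates are hypothetical, and the halt follows the slide's simplified description rather than the standard's exact trigger conditions.

```python
TSC_BITS = 48            # size of the sequential per-frame counter ("IV")
BLACKOUT_SECONDS = 60    # slide: halt traffic for one minute

class ReceiverModel:
    """Hypothetical receiver: replay check on the counter, then MIC check."""

    def __init__(self):
        self.last_counter = -1     # highest counter accepted so far
        self.blocked_until = 0.0   # end of the current halt, if any
        self.mic_failures = []     # timestamps an operator would alert on

    def receive(self, counter: int, mic_ok: bool, now: float) -> str:
        if now < self.blocked_until:
            return "drop: blackout"
        if not 0 <= counter < 2 ** TSC_BITS:
            return "drop: counter out of range"
        if counter <= self.last_counter:
            return "drop: replay"          # old or repeated counter value
        if not mic_ok:
            self.mic_failures.append(now)
            self.blocked_until = now + BLACKOUT_SECONDS
            return "drop: MIC failure"
        self.last_counter = counter        # advance only on a valid frame
        return "accept"

def seconds_to_exhaust(counter_bits: int, frames_per_second: float) -> float:
    """Time until a sequential counter of this size must repeat."""
    return 2 ** counter_bits / frames_per_second

def run_constructed_trace():
    rx = ReceiverModel()
    trace = [  # (counter, mic_ok, time in seconds), constructed sample input
        (1, True, 0.0), (2, True, 0.1), (2, True, 0.2),   # third is a replay
        (3, False, 1.0),                                  # MIC does not verify
        (4, True, 30.0),                                  # inside the halt
        (4, True, 61.0),                                  # halt is over
    ]
    return [rx.receive(*frame) for frame in trace], rx.mic_failures

if __name__ == "__main__":
    print(run_constructed_trace())
    # Assumed frame rates: 1,000 frames/s for WEP, 10,000 frames/s for TKIP.
    print(seconds_to_exhaust(24, 1_000) / 3600, "hours for a 24 bit IV")
    print(seconds_to_exhaust(48, 10_000) / 31_557_600, "years for 48 bits")
```

The `mic_failures` list is the signal the slide expects support staff to notice: each entry corresponds to a one-minute outage on that device.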

Page 24: 802.11 Security Past, Present, and Future

Current 802.11 Security (cont.)

– Second, use of the Extensible Authentication Protocol (EAP) is specified
  • This is a simple protocol, designed to transport arbitrary authentication information (originally designed for dialup)
  • For communication between mobile station and AP, EAP over LAN (EAPOL) is used
  • For communication between AP and authentication server, EAP over RADIUS is used
– Third, use of the 802.1X protocol is specified
  • 802.1X was designed to implement access control at the point where a user joins the network
    – Multiple lower-level protocols can implement 802.1X
      • WPA specifies EAPOL as the 802.1X protocol used between mobile station and AP
      • WPA specifies RADIUS as the 802.1X protocol used between AP and authentication server

Page 25: 802.11 Security Past, Present, and Future

Current 802.11 Security (cont.)

  • Please note that 802.1X has been shown to be vulnerable to man-in-the-middle and session hijacking attacks (http://www.cs.umd.edu/~waa/1x.pdf)
– Fourth, use of Transport Layer Security (TLS, the RFC standardized version of SSL) is specified
  • TLS is transported over EAP
  • It is utilized specifically for authentication
  • This implies existence of a PKI infrastructure for managing keys and certificates
    – May be non-trivial to implement such an infrastructure
– Fifth, specific methods of cryptographic key management are specified
  • Each authenticated mobile station receives:
    – A pairwise key that is used to protect communications between it and the AP
    – A group key that is used to protect broadcast or multicast data

Page 26: 802.11 Security Past, Present, and Future

WPA Protocol Stack

TLS over EAP (RFC2716)

TLS (RFC2246)

EAP (RFC2284)

802.1X EAPOL

802.11

Security Communication Between Mobile Station and Access Point

Page 27: 802.11 Security Past, Present, and Future

WPA Protocol Stack (cont.)

TLS over EAP (RFC2716)

TLS (RFC2246)

EAP (RFC2284)

EAP over RADIUS (RFC2869)

RADIUS (RFC2865)

TCP/IP

802.3 (or other)

Security Communication Between Access Point and Authentication Server

Page 28: 802.11 Security Past, Present, and Future

Future 802.11 Security

• The 802.11i standard is close to being finalized and published
  – WPA was designed to be upwardly compatible with 802.11i
  – 802.11i defines a Robust Security Network (RSN)
    • RSN utilizes almost all of the protocols specified in WPA, but includes some additional changes/options
    • First, use of the Advanced Encryption Standard (AES) is required
      – This replaces RC4
      – AES can not be implemented in the majority of existing hardware

Page 29: 802.11 Security Past, Present, and Future

Future 802.11 Security (cont.)

• Second, the WPA MIC is replaced by Cipher Block Chaining – Message Authentication Code (CBC-MAC)
  – This is a new implementation of CBC-MAC using AES, but based upon previous implementations of CBC-MAC using other crypto algorithms
• Third, TKIP is replaced by Counter Mode – CBC-MAC Protocol, or CCMP (RFC 3610)
  – This is basically an implementation of a protocol similar to TKIP, only based on AES instead of RC4
  – What RC4 is to TKIP, AES is to CCMP

Page 30: 802.11 Security Past, Present, and Future

Future 802.11 Security (cont.)

• Fourth, multiple additional upper-layer authentication mechanisms (at the same layer as TLS) are specified
  – Kerberos V5 (RFC 1510) is a well-known, centralized authentication and authorization system
  – Protected EAP (PEAP) provides a way to do EAP negotiation while not exposing authentication tokens (e.g. passwords, password hashes, or identity credentials) to sniffing attacks
    • Currently a draft internet standard (http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-07.txt)
  – EAP-SIM is based on an authentication method used in cellular networks

Page 31: 802.11 Security Past, Present, and Future

Final Thoughts

• Original 802.11 networks can be secured, but it is not easy

• WPA is a dramatic improvement over original 802.11 security

• 802.11i will likely be even better, but implementation will almost assuredly require updated hardware

• Questions?