lecture 9: wireless security – wep/wpa · 11/6/2013 1 lecture 9: wireless security – wep/wpa cs...
TRANSCRIPT
11/6/2013
1
Lecture 9: Wireless Security –
WEP/WPA
CS 336/536: Computer Network Security
Fall 2013
Nitesh Saxena
Adopted from previous lecture by Keith Ross, Amine Khalife and Tony Barnard
Course Admin
• Mid-Term Exam Graded
– Solution provided
– To be distributed today
• HW2 Graded
– Solution provided
– To be distributed today
11/6/2013 Lecture 9 - Wireless Security 2
11/6/2013
2
Course Admin
• HW3
– Covers SSL/TLS (lecture 7)
– Due 11am on Nov 11 (Monday)
– Lab exercise involves capturing SSL/TLS packets
using Wireshark
– Labs active this Friday
11/6/2013 Lecture 9 - Wireless Security 3
Travel Next Week
• I’m traveling, presenting at a conference next
week http://isc.utdallas.edu/index.html
• Bad news: Have to miss the lecture
• Good news: TA (Cooper) will present on my
behalf
– Some interesting stuff on wireless security
– Important
– Your attendance is strongly encouraged
11/6/2013 Lecture 9 - Wireless Security 4
11/6/2013
3
Outline
• WiFi Overview
• WiFi Security Threats
• WEP – Wired Equivalence Privacy
– Including vulnerabilities
• WPA – WiFi Protected Access
11/6/2013 Lecture 9 - Wireless Security 5
6
Security at different layersr Application layer: PGPr Transport layer: SSLr Network layer: IPsec r Link layer: WEP / 802.11i (WPA)WiFi Security Approach:
IPsec
TCP/UDP/ICMP
HTTP/SMTP/IM
WEP/WPA
11/6/2013
4
802.11 Standards
� 802.11a – 54 Mbps@5 GHz� Not interoperable with 802.11b� Limited distance� Cisco products: Aironet 1200
� 802.11b – 11 [email protected] GHz� Full speed up to 300 feet� Coverage up to 1750 feet� Cisco products: Aironet 340, 350, 1100, 1200
� 802.11g – 54 [email protected] GHz� Same range as 802.11b� Backward-compatible with 802.11b� Cisco products: Aironet 1100, 1200
7
802.11 Standards (Cont.)
� 802.11e – QoS� Dubbed “Wireless MultiMedia (WMM)” by Wi-Fi Alliance
� 802.11i – Security� Adds AES encryption� Requires high cpu, new chips required� TKIP is interim solution
� 802.11n –(2009)� up to 300Mbps� 5Ghz and/or 2.4Ghz� ~230ft range
8
11/6/2013
5
Wireless Network Modes
� The 802.11 wireless networks operate in two basic modes:1. Infrastructure mode
2. Ad-hoc mode
� Infrastructure mode:� each wireless client connects directly to a central device called Access Point (AP)
� no direct connection between wireless clients
� AP acts as a wireless hub that performs the connections and handles them between wireless clients 9
Wireless Network Modes (cont’d)
� The hub handles:
�the clients’ authentication,
�Authorization
� link-level data security (access control and enabling data traffic encryption)
� Ad-hoc mode:
� Each wireless client connects directly with each other
� No central device managing the connections
� Rapid deployment of a temporal network where no infrastructures exist (advantage in case of disaster…)
� Each node must maintain its proper authentication list
10
11/6/2013
6
11
802.11 LAN architecture
r wireless host communicates with base station
m base station = access point (AP)
r Basic Service Set (BSS)(aka “cell”) in infrastructure mode contains:
m wireless hosts
m access point (AP): base station
m ad hoc mode: hosts only
BSS 1
BSS 2
Internet
hub, switchor router
AP
AP
SSID – Service Set Identification
� Identifies a particular wireless network
� A client must set the same SSID as the one in that particular AP Point to join the network
� Without SSID, the client won’t be able to select and join a wireless network
� Hiding SSID is not a security measure because the wireless network in this case is not invisible
� It can be defeated by intruders by sniffing it from any probe signal containing it.
12
11/6/2013
7
13
Beacon frames & association
r AP regularly sends beacon framem Includes SSID, beacon interval (often 0.1 sec)
r host: must associate with an APm scans channels, listening for beacon frames m selects AP to associate with; initiates association protocol
m may perform authentication m After association, host will typically run DHCP to get IP address in AP’s subnet
14
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
802.11 frame: addressing
Address 2: MAC addressof wireless host or AP transmitting this frame
Address 1: MAC addressof wireless host or AP to receive this frame
Address 3: MAC addressof router interface to which AP is attached
Address 4: used only in ad hoc mode
11/6/2013
8
15
Internetrouter
AP
H1 R1
H1 MAC addr AP MAC addr R1 MAC addr
address 1 address 2 address 3
802.11 frame
H1 MAC addr R1 MAC addr
dest. address source address
802.3 frame
802.11 frame: addressing
16
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
802.11 frame
R1 MAC addr H1 MAC addr
dest. address source address
802.3 frame
802.11 frame: addressing
11/6/2013
9
17
TypeFromAP
SubtypeToAP
More frag
WEPMoredata
Powermgt
Retry RsvdProtocolversion
2 2 4 1 1 1 1 1 11 1
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
frame:
frame control field expanded:
r Type/subtype distinguishes beacon, association, ACK, RTS, CTS, etc frames.
r To/From AP defines meaning of address fields
r 802.11 allows for fragmentation at the link layer
r 802.11 allows stations to enter sleep mode
r Seq number identifies retransmitted frames (eg, when ACK lost)
r WEP = 1 if encryption is used
802.11 frame (more)
Primary Threats
r Unauthorized accessm Learn SSID and join the network
r Sniffing/Eavesdroppingm Easy since wireless traffic is broadcast in nature
r Session Hijackingm Similar to wired session hijacking
r Evil Twin Attackm Attacker fools the user into connecting to its own AP (rather than the starbucks AP, e.g.)
18
11/6/2013
10
Unauthorized Access
� So easy to find the ID for a “hidden” network because the beacon broadcasting cannot be turned off
� Simply use a utility to show all the current networks:
� inSSIDer
� NetStumbler
� Kismet
Lec
tur
19
Unauthorized Access Defense: Access control list
� Access control list
� Simplest security measure
� Filtering out unknown users
� Requires a list of authorized clients’ MAC addresses to be loaded in the AP
� Won’t protect each wireless client nor the traffic confidentiality and integrity ===>vulnerable
� Defeated by MAC spoofing:
� ifconfig eth0 hw ether 00:01:02:03:04:05 (Linux)
�SMAC - KLC Consulting (Windows)
�MAC Makeup - H&C Works (Windows)20
11/6/2013
11
21
802.11 Sniffing
r Requires wireless card that supports raw monitoring mode (rfmon)
m Grabs all frames including management frames
r Tools:m Dump packets using Wireshark;
22
Firewalled Networks with Wi-Fi (1)
r Firewall blocks traceroutes,…
r Traffic sent by wireless hosts/APs not blocked by firewall
m Leaking of internal information
r Trudy can traceroute and port scan through AP
m Establish connectionsm Attempt to overtake
11/6/2013
12
23
Firewalled Networks with Wi-Fi (2)
r Move AP outside of firewall?m Trudy can no longer tracetroute internal network via AP
m But Trudy still gets everything sent/received by wireless hosts
24
Firewalled Networks with Wi-Fi (3)
r Crypto at link layer between wireless hosts and APm Trudy doesn’t hear anythingm Trudy can not port scanm Wireless hosts can access internal services
11/6/2013
13
25
Sniffing Encrypted 802.11 traffic
Suppose:
r Traffic encrypted with symmetric crypto
r Attacker can sniff but can’t break crypto
What’s the damage?
r SSID, Mac addresses
r Manufacturers of cards from MAC addrs
r Count # of devices
r Traffic analysis:m Size of packets
m Timing of messages
m Determine apps being used
r But cannot see anything really useful
r Attacker needs the keys, or break crypto
m Very hard
WEP - Wired Equivalent Privacy
� The original native security mechanism for WLAN
� provide security through a 802.11 network
� Used to protect wireless communication from eavesdropping (confidentiality)
� Prevent unauthorized access to a wireless network (access control)
� Prevent tampering with transmitted messages
� Provide users with the equivalent level of privacy inbuilt in wireless networks.
11/6/2013
14
27
WEP Feature Goals:
r Authenticationm AP only allows authorized stations to associate
r Data integritym Data received is the data sent
r Confidentialitym Symmetric encryption
28
WEP Design Goals
r Symmetric key cryptom Confidentiality
m Station authorization
m Data integrity
r Self synchronizing: each packet separately encrypted
m Given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost
m Unlike Cipher Block Chaining (CBC) in block ciphers
r Efficientm Can be implemented in hardware or software
11/6/2013
15
29
WEP Keys
r 40 bits or 104 bitsr Key distribution not covered in standardr Configure manually:
mAt homemSmall organization with tens of usersmNightmare in company >100 users
WEP Procedures
1. Appends a 32-bit CRC checksum to each outgoing frame (INTEGRITY)
2. Encrypts the frame using RC4 stream cipher = 40-bit (standard) or 104-bit (Enhanced) message keys + a 24-bit IV random initialization vector (CONFIDENTIALITY).
3. The Initialization Vector (IV) and default key on the station access point are used to create a key stream
4. The key stream is then used to convert the plain text message into the WEP encrypted frame.
11/6/2013
16
Encrypted WEP frame
encrypted
data ICVIV
MAC payload
KeyID
RC4 keystream XORed with plaintext
32
11/6/2013
17
WEP Components
� Initialization Vector IV� Dynamic 24-bit value� Chosen randomly by the transmitter wireless network interface
� 16.7 million possible IVs (224)
� Shared Secret Key� 40 bits long (5 ASCII characters) � 104 bits long (13 ASCII characters)
33
WEP Components (cont’d)
� RC4 algorithm consists of 2 main parts:
1. The Key Scheduling Algorithm (KSA): � involves creating a scrambled state array�This state array will now be used as input in the second phase, called the PRGA phase.
2. The Pseudo Random Generation Algorithm(PRGA):� The state array from the KSA process is used here to
generate a final key stream.� Each byte of the key stream generated is then Xor’ed with
the corresponding plain text byte to produce the desired cipher text.
34
11/6/2013
18
WEP Components (cont’d)
� ICV (Integrity Check Value)= CRC32 (cyclic redundancy check) integrity check
� XOR operation
� denoted as ⊕
� plain-text ⊕ keystream= cipher-text
� cipher-text ⊕ keystream= plain-text
� plain-text ⊕ cipher-text= keystream
How WEP works
IV
RC4key
IV encrypted packet
original unencrypted packet checksum
11/6/2013
20
3939
Figure 6 - 802.11 frame format
Recall from CS 334/534:
8.2.5 WEP Frame Body Expansion
CRC-32
4040Figure 46 – Construction of expanded WEP frame body
CRC-32
CRC-32
11/6/2013
21
41
End-point authentication w/ nonce
Nonce: number (R) used only once –in-a-lifetime
How: to prove Alice “live”, Bob sends Alice nonce, R. Alicemust return R, encrypted with shared secret key
“I am Alice”
R
K (R)A-B
Alice is live, and only Alice knows key to encrypt nonce, so it must
be Alice!
42
WEP Authentication
APauthentication request
nonce (128 bytes)
nonce encrypted shared key
success if decrypted value equals nonce
Not all APs do it, even if WEPis being used. AP indicates if authentication is necessary in beacon frame. Done before association.
11/6/2013
22
43
WEP is flawed
r Confidentiality problems
r Authentication problems
r Integrity problems
A Risk of Keystream Reuse
r If IV’s repeat, confidentiality is at riskm If we send two ciphertexts (C, C’) using the same IV, then the xor of plaintexts leaks (P ⊕ P’ = C ⊕ C’), which might reveal both plaintexts
� Lesson: If RC4 isn’t used carefully, it becomes insecure
IV, P ⊕⊕⊕⊕ RC4(K, IV)
IV, P’ ⊕⊕⊕⊕ RC4(K, IV)
44
11/6/2013
23
45
Problems with WEP confidentiality (2)
r IV reusem With 17 million IVs and 500
full-length frames/sec, collisions start after 7 hours
m Worse when multiple hosts start with IV=0
r IV reuse:m Trudy guesses some of Alice’s
plaintext d1 d2 d3 d4 … m Trudy sniffs: ci = di ⊕ ki
IV
m Trudy computes keystream ki
IV =ci ⊕ dim Trudy knows encrypting
keystream k1IV k2
IV k3IV …
m Next time IV is used, Trudy can decrypt!
r Worse: Weak Key Attackm Mathematical, complicated, m For certain key values (weak
keys), disproportionate number of bits in first few bytes of the keystream are determined by just a few key bits.
m As the IV cycles, wait for weak keys
m Exploit weak keys to crack the key
m Effort is only linear in key size!
m Cracker script tool available
Keystream Reuse
r WEP didn’t use RC4 carefullyr The problem: IV’s frequently repeat
m The IV is often a counter that starts at zerom Hence, rebooting causes IV reusem Also, there are only 16 million possible IV’s, so after intercepting enough packets, there are sure to be repeats
� Attackers can eavesdrop on 802.11 trafficm An eavesdropper can decrypt intercepted ciphertexts even without knowing the key
46
11/6/2013
24
47
WEP authentication problems r Attacker sniffs nonce, m, sent by APr Attacker sniffs response sent by station:
m IV in clearm Encrypted nonce, c
r Attacker calculates keystream ks = m ⊕ c, which is the keystream for the IV .
r Attacker then requests access to channel, receives nonce m’
r Attacker forms response c’ = ks ⊕ m’ and IVr Server decrypts, matches m’ and declares attacker authenticated !
48
Problems with Message Integrity
r ICV (Integrity Check Value) supposed to provide data integrity
m ICV is a hash/CRC calculationm But a flawed one.
r Can predict which bits in ICV change if you change single bit in data.
m Suppose attacker knows that flipping bit 3244 of plaintext data causes bits 2,7,23 of plaintext ICV to flip
r Suppose attacker intercepts a frame:m In intercepted encrypted frame, attacker flips bit 3244 in data payload and ICV bits 2,7,23
r Will ICV match after decryption at the receiver?m After decryption, cleartext bit 3244 is flipped (stream cipher)
m Also after decryption, cleartext bits 2,7, 23 also flipped. m So cleartext ICV will match up with data!
11/6/2013
25
Attacks on WEP
�WEP encrypted networks can be cracked in 10 minutes
�Goal is to collect enough IVs to be able to crack the key
�IV = Initialization Vector, plaintext appended to the key to
avoid Repetition
�Injecting packets generates IVs
Attacks on WEP
� Backtrack 5 (Released 1st March 2012)
� Tutorial is available
� All required tools on a Linux
bootable CD + laptop +
wireless card
11/6/2013
26
WEP cracking example
51
52
Summary of WEP flaws
One common shared keyr If any device is stolen or
compromised, must change shared key in all devices
r No key distribution mechanismr Infeasible for large
organization: approach doesn’t scale
Crypto is flawedr Early 2001: Integrity and
authentication attacks published
r August 2001 (weak-key attack): can deduce RC4 key after observing several million packets
r AirSnort application allows casual user to decrypt WEP traffic
Crypto problemsr 24 bit IV to shortr Same key for encryption
and message integrityr ICV flawed, does not
prevent adversarial modification of intercepted packets – not a MAC
r Cryptanalytic attack allows eavesdroppers to learn key after observing several millions of packets
11/6/2013
27
53
IEEE 802.11i
r Much stronger encryptionm TKIP (temporal key integrity protocol) – stopgapm But use RC4 for compatibility with existing WEP hardware
m Can also support standard crypto algo (CBC AED, CBC MAC, etc.)
r Extensible set of authentication mechanismsm Employs 802.1X authentication
r Key distribution mechanismm Typically public key cryptographym RADIUS authentication server
• distributes different keys to each user • also there’s a less secure pre-shared key mode
r WPA: Wi-Fi Protected Accessm Pre-standard subset of 802.11i
5454
IEEE 802i Phases of Operation – preview
Phase 1 - Discovery
Phase 2 - Authentication
Phase 3 - Key Generation and Distribution to STA and AP
Phase 4 - Actual User Data Transfer
Phase 5 - Connection Termination when Transfer Complete
802.11i security is provided only over the wireless link within a BSS,
not externally.
11/6/2013 Lecture 9 - Wireless Security
11/6/2013
28
5555
Phase 1 – Discovery
The purpose of this phase is for STA and AP to establish
(unsecure) contact and negotiate a set of security algorithms to
be used in subsequent phases.
STA and AP need to decide on:
► The methods to be used in phase 3 to perform
mutual authentication of STA and AP and generate/distribute keys.
► Confidentiality and integrity algorithms to protect user data in phase 4
11/6/2013 Lecture 9 - Wireless Security
5656
The discovery phase uses three message exchanges (CS334/534):
► Probe request/response (or observation of a beacon frame)
► Authentication request/response
WEP Open System Authentication, for backward compatibility
(provides no security)
APs advertize their capabilities (WEP, WPA, etc.) in InformationElements in their beacon frames and in their probe responses.
► Association request/response
STA chooses methods to be used from AP’s menu
(we will study the case that the station chooses WPA/TKIP)
STA uses an Information Element in Association Request
to inform AP
11/6/2013 Lecture 9 - Wireless Security
11/6/2013
29
5757Figure 6.6 (upper) Phase 1 Discovery
This is not Phase 2/3
Authentication!
Phase 1
5858
There are two methods for providing the PSK:
► the exact 256-bit number can be provided and used as PMK
► a passphrase can be adopted, keyed in by user and expanded
to 256 bits by the system.
Phase 2 - Authentication
SOHO Mode
A pre-shared key (PSK), is provided in advance to the station and AP by a
method external to 802.11i
In this case the lower half of figure 6.6 is bypassed (and was not shown in
the previous slide).
In WPA SOHO mode STA and AP delay authenticating each other
until phase 3, when they demonstrate that each knows information
derived from the PSK.
11/6/2013 Lecture 9 - Wireless Security
11/6/2013
30
5959
Phase 3 – Key Generation and Distribution
In SOHO mode the PSK has already been shared, so no more
distribution is needed and key generation can proceed.
Next step in SOHO: The PSK is adopted to derive
Pairwise Master Key (PMK)
Figure 6.8 (upper)
6060
The Pairwise Master Key is not used directly in any security operation.
Instead, it will be used to derive a set of keys, the Pairwise Transient Key,
to protect the link between AP and station.
Protection is needed during two phases:
► in phase 3 - the handshake between station an AP
(protocol called “EAPOL”)
► in phase 4 - Passing user data during actual use of the link
11/6/2013 Lecture 9 - Wireless Security
11/6/2013
31
6161
In both phases separate keys are needed for integrity and encryption, so
the total number of keys needed is four:
► EAPOL-key Encryption key (KEK)
► EAPOL-key Confirmation key (KCK) (Integrity)
► Data Encryption Key (part of Temporal Key)
► Data Integrity Key (part of Temporal Key)
Figure 6.8 (middle)
PSK
11/6/2013
6262
Computation of the PTK from the PMK
The PTK is re-computed every time a station associates with an AP.
We want the PTK to be different for each STA-AP pair and different
each time a STA associates with an AP (so as not to re-use old keys)
Four-way handshake:
TKIP/WPA uses a four-way handshake during establishment of the
association relationship between an AP and a station
11/6/2013 Lecture 9 - Wireless Security
11/6/2013
32
6363
Recall that in the discovery phase the STA sent its association request
to the AP, including the selection of WPA/TKIP for security.
We can force the PTK to be different for each STA-AP pair by mixing
their MAC addresses into the computation of the PTK.
But since these do not change between associations, there must also
be some dynamic input to the PTK - nonces.
For later use, we can think of the STA randomly generating a
nonce (Nonce1) at that point, but not transmitting it.
11/6/2013 Lecture 9 - Wireless Security
6464
Four-Way Handshake
Frame 1: AP to STA: a nonce chosen by the AP (Nonce2)
Nonce2 gives the STA the last piece of information
it needs to compute the 512-bit PTK:
Computation of PTK from PMK
SHA
hash
11/6/2013 Lecture 9 - Wireless Security
11/6/2013
33
6565
Four-Way Handshake - continued
Frame 2: STA to AP:
Nonce1, together with a message integrity code (MIC)
(standard HMAC-SHA, since done only during handshake)
Nonce1 gives the AP the last piece of information it needs to compute
the PTK, so key exchange is complete. This enables the AP to check
the validity of the MIC. If correct, this proves that that the STA
possesses the PMK and authenticates the STA.
Each side has chosen a nonce, and both nonces have been
mixed into the computation of the PTK, so PTK is unique to
each AP-STA pair and to each association session .
11/6/2013 Lecture 9 - Wireless Security
6666
Four-Way Handshake - continued
Frame 3: AP to STA: message “AP able to turn on encryption”
(includes MIC, so STA can check that AP knows PMK)
Frame 4: STA to AP: message “STA about to turn on encryption”
After sending frame 4, STA activates encryption;
on receipt of frame 4, AP activates encryption.
At this point Phase 3 is complete – we have authenticated the STA
and the AP, using the EAPOL keys, and have generated the 256-bit
Temporal Key for use in phase 4.
We can proceed to phase 4 – secure transmission of user data.
TKIP stands for Temporal Key Integrity Protocol
(“temporal” = “temporary” - only for this association session)
11/6/2013 Lecture 9 - Wireless Security
11/6/2013
34
67
TKIP: Changes from WEP
r Message integrity scheme that worksr IV length increasedr Rules for how the IV values are selectedr Use IV as a replay counterr Generates different message integrity key and encryption key from master key
r Hierarchy of keys derived from master keyr Secret part of encryption key changed in every packet.
r Much more complicated than WEP!
68
TKIP: Message integrity
r Uses message authentication code (MAC); called a MIC in 802.11 parlance
r Different key from encryption key
r Source and destination MAC addresses appended to data before hashing
r Before hashing, key is combined with data with exclusive ors (not just a concatenation)
r Computationally efficient
11/6/2013
35
69
TKIP: IV Selection and Use
r IV is 56 bitsm 10,000 short packets/sec
• WEP IV: recycle in less than 30 min
• TKIP IV: 900 years
m Must still avoid two devices separately using same key
r IV acts as a sequence counterm Starts at 0, increments by 1
m But two stations starting up use different keys:• MAC address is incorporated in key
70
802.11 security summary
r SSID and access control lists provide minimal securitym no encryption/authentication
r WEP provides encryption, but is easily broken
r Emerging protocol: 802.11im Back-end authentication server
m Public-key cryptography for authentication and master key distribution
m TKIP: Strong symmetric crypto techniques
m Support for strong crypto