Wireless Security Part 2

Upload: carol-norton

Post on 24-Dec-2015


Part 2 1

Wireless Security

Part 2

Part 2 2

Wireless security issues
Explore various security features available on Access Points
Look at Encryption and Authorisation with WEP, WPA, WPA2 (802.11i)
Look at 802.1x Authorisation
Discuss Hotspots and their security
Share wireless security needs/issues of your schools

Contents

Part 2 3

Teens charged with breaking into School computer (Jan 2009)
Jonathan To, 18, and another teen were charged with computer theft after a routine audit discovered a discrepancy between grade reports and school transcripts.

Kid hacks school comp on teacher's dare (Jan 2001)
Fifteen-year-old Washington State high school student Aaron Lutes defeated filtering/security software on a school computer system after his teacher dared the class to try it.

US school cheat hack suspect faces 38 years jail (June 2008)
Tanvir Singh, 18, allegedly conspired with Khan in an abortive attempt to break into school and steal a test. The dynamic duo were caught by a school caretaker in the process of trying to log onto a teacher's computer.

Hong Kong student hacks prizes in McDonald's contest (Nov 2008)
A Hong Kong student has been convicted for hacking into McDonald's website to claim all the prizes in an online competition.

Headlines

Part 2 4

Access point weaknesses
  Physically insecure installation location
  Omni-directional antenna that sends signals in every direction
  Signal power level too high, allowing radio signals to leak outside of your building
  MAC address controls that are easily circumvented
  WEP, WPA, or WPA2 not being used or not being used properly
  Management interfaces that are publicly accessible, often with weak or no administrator password protection

Wireless client weaknesses
  Windows systems not protected by a personal firewall that are sharing drives, providing various types of remote connectivity and missing critical software patches
  Dual-homed systems that are connected to both the wired and wireless networks at the same time
  Wireless clients with ad-hoc mode enabled
  Printers installed on the wired network with wireless connectivity left enabled

Wireless Weakness or Hazard

Part 2 5

Ensure no unauthorised access
Protect the network from illegal clients connecting to your network and using your resources
“Man in the middle” placed in your network to capture your network related
Several techniques:
  SSID, MAC Address, Authorisation with Passphrase, Digital certificate, RADIUS server

Security needs

Part 2 6

Name given to identify a wireless network
All devices use this same name to communicate
Can be up to 32 characters
Broadcast at predetermined times; the client looks for the SSID when joining the network
Disable SSID broadcasting – “Invisible network”

SSID – Service Set Identifier

Part 2 7

1. AP - set up an SSID (ITEDxx where xx = 01 - 08) and inform your team members of the full SSID name

2. Client – Use Windows “Wireless Zero Configuration” to connect to the wireless network via “available wireless network”

3. Repeat the above but hide (disable broadcasting) the SSID

4. Can clients connect and is your network protected?

Workshop – SSID security

Part 2 8

A MAC (Media Access Control) address (physical address) is 12 Hex characters. Example 02-00-54-55-4E-01

Can use MAC address filter to control which clients can access the wireless network

Administrator enters the list of MAC addresses into AP

MAC Address filter

Part 2 9

1. Group members determine the MAC address of your wireless network card

2. AP - Administrator enters the list of MAC addresses into the AP and sets the AP to “Open” security

3. Client - Use Windows “Wireless Zero Configuration” connect to your wireless network

4. AP - disable MAC address filtering

5. Client – repeat step 3

6. Were you able to connect successfully?

Workshop – MAC Address filtering

Part 2 10

Encryption
  Prevents the content from being read by unauthorised people
  The network traffic is encrypted to a format that is understood by the other party only
Authorisation – 2 usages
  Authenticate that the accessing device or person is the correct person
  Used to verify that the information comes from a trusted source

Two security features

Part 2 11

WEP – Wired Equivalent Privacy
WPA – Wi-Fi Protected Access
WPA2 – equivalent to IEEE 802.11i

Wireless technology transmits information through space; hence, security features have been designed into the relevant protocols. Security considerations:
  Message Protection
  Access Authentication/Authorisation

Encryption Standards

Part 2 12

2 basic pieces of information
  SSID (aka Network Name or Network ID)
  “Password” or Shared key or “Passphrase”
    WEP
    WPA
    802.11i (WPA2)
Digital Certificate
  RADIUS at backend
  CA

Wireless LAN authorisation

Part 2 13

Infrastructure mode

To ensure only authorized clients connect, a valid Service Set ID (SSID) must match
An Access Point is required
Select INFRASTRUCTURE setting
SSID of the Access Point

Network Access Protection

Part 2 14

Wired Equivalent Privacy security
WEP encryption is available on all 802.11a/b/n protocols
Standard required only 40-bit (64 bits key) but almost all vendors provide 104-bit (128 bits key) and some even provide 256-bit WEP key.
WEP uses the RC4 algorithm to encrypt the packets of information as they are sent out

WEP Encryption Key

Part 2 15

Each key (“Packet Key”) consists of two parts
  Pre-shared Password – supplied by user
  Initialisation Vector (IV) – randomly generated

Example: 64 bit key
  Pre-shared Password, supplied by the user (40 bits) = A7z9b = 41377A3962
  Initialisation Vector, randomly generated by the system (24 bits) = 810 = 383130
  Packet Key = Pre-shared Key + IV = A7z9b810 = 41377A3962383130

Encryption Explained
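The packet-key construction on the slide above, carried through RC4 to show why a 24-bit IV is a problem: two frames sent under the same IV share a keystream, so XORing the ciphertexts exposes the XOR of the plaintexts. This is an added example, not part of the original slides; the function names and frame payloads are constructed, and the key order follows the slide (802.11 itself places the IV before the key, which does not change the result).

```python
import zlib

IV_SPACE = 2 ** 24  # a 24-bit IV has only 16,777,216 values, so IVs must repeat

def packet_key(pre_shared: bytes, iv: bytes) -> bytes:
    """Per-packet RC4 key in the slide's order: pre-shared key, then IV."""
    if len(pre_shared) not in (5, 13) or len(iv) != 3:
        raise ValueError("expected a 40- or 104-bit key and a 24-bit IV")
    return pre_shared + iv

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling followed by n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(pre_shared: bytes, iv: bytes, payload: bytes) -> bytes:
    """Encrypt payload plus its CRC-32 check value; the IV is sent in clear."""
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return xor(body, rc4_keystream(packet_key(pre_shared, iv), len(body)))

def shared_iv_leak(pre_shared: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """XOR of two ciphertexts sent under one IV: the keystream cancels out."""
    n = min(len(p1), len(p2))
    c1, c2 = wep_encrypt(pre_shared, iv, p1), wep_encrypt(pre_shared, iv, p2)
    return xor(c1[:n], c2[:n])

if __name__ == "__main__":
    key = packet_key(b"A7z9b", b"810")          # values from the slide
    print(key.hex().upper())
    p1, p2 = b"constructed frame A", b"constructed frame B"  # constructed payloads
    # Equal to p1 XOR p2, computed without knowing the pre-shared key.
    print(shared_iv_leak(b"A7z9b", b"810", p1, p2) == xor(p1, p2))
```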

Part 2 16

AP – Administrator formulates a 5 character pre-shared key and enters the pre-shared key in Key 1. Set security = “Static WEP”, shared key.

Inform all team members of the SSID and pre-shared key

Client – Connect with the given SSID and WEP pre-shared key

Workshop – WEP security

Part 2 17

The Wi-Fi Alliance looked into an alternative with IEEE
An interim security standard for replacing WEP
A subset technology that is taken from IEEE 802.11i
It is designed to secure all versions of 802.11, including a/b/g/n
New Temporal Key Integrity Protocol (TKIP) encryption is used
Employs 802.1X authentication with one of the standard EAP (Extensible Authentication Protocol) types – digital cert, user name and password, smart card.

There is a MAJOR weakness in WEP
  The encryption code can be hacked very easily

What is WPA?

Part 2 18

Improvement to WEP
Longer key for encryption – 128 bits
Key mixing function for EVERY packet
Each packet transmitted is assigned a 48-bit serial number which increases with each new packet – to prevent fake APs from creating a “replay attack”
A new base key for each wireless client associated with the AP

TKIP (Temporal Key Integrity Protocol)

Part 2 19

|                | WEP | WPA |
|----------------|-----|-----|
| Encryption     | Flawed, cracked by scientists and hackers | Fixes all WEP flaws |
|                | 40-bit keys | 128-bit keys |
|                | Static – same key used by everyone on the network | Dynamic session keys. Per user, per session, per packet keys |
|                | Manual distribution of keys - hand typed into each device | Automatic distribution of keys |
| Authentication | Flawed, used WEP key itself for authentication | Strong user authentication, utilizing 802.1X and EAP |

WEP vs WPA

Part 2 20

[Diagram label: Access Point/Router]

Step 1: Enter matching passwords into AP and Client

Step 2: AP checks client’s password. If match, client joins network. If not a match, client kept off network

Step 3: Keys derived & installed. Client and AP exchange encrypted data

How Does it Work? (in SOHO)

Part 2 21

1. AP – Formulate a passphrase (pre-shared key) 8 - 63 characters

2. Inform all members of the passphrase and SSID

3. Client - Connect with the given SSID and WPA pre-shared key

4. Were you able to connect successfully?

Workshop – WPA setup with Passphrase security

Part 2 22

802.11i is the official IEEE attempt to supply strong security for wireless links

802.11i will use Temporal Key Integrity Protocol (TKIP) similar to WPA.

Additionally adds AES (Advanced Encryption Standard) offering 128 bits, 192 bits and 256 bits block encryption.

Authentication using 802.1x for port access authentication (EAP-TLS, PEAP, LEAP)

RADIUS for Authentication, Authorisation and Accounting with default port 1812 for authorisation and port 1813 for accounting

IEEE 802.11i (WPA2)

Part 2 23

|                        | EAP-MD5 | EAP-TLS | EAP-TTLS | PEAP     | LEAP     |
|------------------------|---------|---------|----------|----------|----------|
| Mutual Authentication  | NO      | YES     | YES      | YES      | YES      |
| Cert - Client          | NO      | YES     | Optional | Optional | NO       |
| Cert - Server          | NO      | YES     | YES      | YES      | NO       |
| Dynamic Key Exchange   | NO      | YES     | YES      | YES      | YES      |
| Credential Integrity   | None    | Strong  | Strong   | Strong   | Moderate |
| Deployment Difficulty  | Easy    | Hard    | Moderate | Moderate | Moderate |
| Client ID protection   | NO      | NO      | YES      | YES      | NO       |

EAP – MD5 (Message-Digest Algorithm 5): One way Authentication, uses WEP encryption
EAP – TLS (Transport Layer Security): Digital cert used for client and server authentication, exchange is done in the open
EAP – TTLS (Tunneled Transport Layer Security): Digital cert is used only for server side authentication. Client’s user id and password are sent in a secure connection
PEAP (Protected EAP): Digital cert is used at server side. But supports only EAP-MD5, EAP-MSCHAPv2
LEAP (Lightweight Extensible Authentication Protocol): Cisco’s version of 802.1x

Authentication Comparison

Part 2 24

[Diagram labels: Internet, Password (three stations), Access Point/Router, ID ? / ID OK !, Wired Network]

Step 1: Enter matching passwords into AP and Client

Step 2: AP passes the authentication ID to the RADIUS server instead of performing authentication by itself.

Step 3: Server checks the credential against its records. Grants or denies access accordingly. Group key is issued to ALL stations so that they can encrypt data for sending and receiving.

RADIUS = Remote Authentication Dial In User Service

How Does it Work? (in Enterprise)

Part 2 25

[Diagram labels: Internet, Password (three stations), Access Point/Router, ID ? / ID OK !, Wired Network, 10.10.13.168]

Step 1: Station is challenged to enter user ID and Password

Step 2: AP passes the authentication ID to the RADIUS server (10.10.13.168)

RADIUS server: Windows 2003 Server, a member of a Domain running Directory service

Radius Workshop Network Plan

Part 2 26

AP – set to use RADIUS server IP = 10.10.13.168 for authentication
  Set WEP as encryption protocol
RADIUS – set passphrase for the AP to logon
Client – Configure a wireless connection to use the trainer’s AP.
  When connecting to the AP it will challenge the user to enter user ID and Password (user id and password = userxx where xx = 01-30)

Workshop – Radius Authentication

Part 2 27

No Authentication: No Security, Static WEP, WPA - PSK, WPA2 - PSK
RADIUS Server Authentication: WPA, WPA2 (802.11i)
Each list runs from Weakest to Strongest.

Security Summary

Part 2 28

VPN (Virtual Private Network)
  Creating a virtual connection using IPsec or other VPN protocols to ensure the transmitted data is encrypted
  Need VPN server
VLAN (Virtual LAN) with multiple SSID
  Separate the users' access to separate resources on the network
  Need VLAN supporting switch and AP

Other Wireless Securities

Part 2 29

What wireless network is implemented & what security issues you can foresee

SECURITY EXPERIENCE SHARING

Part 2 30

Free Tools
  NetStumbler quickly identifies basic wireless devices that will respond to an "anybody out there?" request.
  Kismet roots out wireless devices that have their SSIDs hidden or otherwise won't respond to basic NetStumbler probes. If you're not into Linux or don't want to spend hours if not days setting up your wireless card drivers in Linux, you can run Kismet directly from the BackTrack Live CD.
  Aircrack is for WEP and WPA pre-shared key cracking.
  FakeAP on the BackTrack Live CD mimics a legitimate access point and sets up an evil twin attack to see how your users carelessly connect to any old access point.
  Wireshark: packet capturing tool

Commercial Tools
  AiroPeek wireless network analyzer to quickly and easily capture packets, look for top talkers, discover rogue systems, and more
  AirMagnet Laptop Analyzer, among many other things, has a nifty signal strength meter for determining how close or far away a wireless device is when you're walking around trying to locate it.
  CommView WiFi is for low-cost packet capturing, packet generation and more.
  Wfilter an Internet monitoring tool, web, IM,

Wireless Testing Tools

Part 2 31

Hong Kong “A Wireless City”
  HK Government has a vision
Current players
  HK Government with about 3000 APs
  Commercial operators with 5000 APs
  FON, ??
  Free WiFi in shopping malls/restaurants/cafés, etc.
Explore security control with public WiFi operators

Public WiFi and Hotspot

Part 2 32

Public APs are registered with OFTA

You can find out where WiFi APs are available at: https://apps.ofta.gov.hk/apps/clr/content/public_search.asp

Recommendations when using public WiFi: http://www.infosec.gov.hk/english/yourself/wireless_3.html

Search for registered WiFi AP

Part 2 33

PCCW and Airport: https://hotspot.netvigator.com/airport/login2.html

A commercial web-based application that authenticates the user
Once logged in, it will allow the user to connect to the WiFi network
Found in hotels, airports and shopping malls, etc.

Captive Portal

Part 2 34

Looked at Wireless LAN standards - IEEE 802.11 a/b/g/n
We have learnt how to set up
  Ad-hoc
  Enterprise
Looked at various types of standard wireless security
  SSID, MAC address filtering
  Encryption – WEP, WPA, WPA2
  Authorisation - 802.1x, RADIUS
Evaluated the advantages and disadvantages

Course Summary