Security Issues of 802.11b

Download Security Issues of 802.11b

Post on 20-Jun-2015




1 download

Embed Size (px)


Seminar Paper on Security Issues of 802.11b based on IEEE Whitepaper by Boland, H. and Mousavi, H., Carleton University, Ottawa, Ont., Canada, IEEE Canadian Conference on Electrical and Computer Engineering, 2-5 May 2004


<ul><li> 1. Security Issues of IEEE 802.11b Wireless Local Area Networks Issues | Analysis | Suggestions | Solutions | Adaptations Seminar on Security Issues of 802.11b presented on 21-10-2008 by Sreekanth G S, 274, R7, Computer Science, Sree Chitra Thirunal College of Engineering</li></ul> <p> 2. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li><ul><li><ul><li>Local Area Networks need not scale only up to a building or a particular location. Present scenarios represent Local Area Networks connecting offices across the continents using methods such as VPN (Virtual Private Network). </li></ul></li></ul></li></ul> <ul><li>Local Area Network </li></ul> <ul><li><ul><li>Definition </li></ul></li></ul> <ul><li><ul><li>Scope </li></ul></li></ul> <ul><li><ul><li>Expansion </li></ul></li></ul> <ul><li>Wireless Local Area Network </li></ul> <ul><li><ul><li>Difference from conventional LAN </li></ul></li></ul> <ul><li><ul><li>Current IEEE Standards </li></ul></li></ul> <ul><li><ul><li>Primitivism of IEEE802.11b </li></ul></li></ul> <ul><li><ul><li>Scalability of WLAN </li></ul></li></ul> <ul><li><ul><li>Hotspots Wi-Fi (Wireless Fidelity) </li></ul></li></ul> <p> 3. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li><ul><li><ul><li>99% of the worlds Wi-Fi network issues are caused by interference and most of them from cordless telephones. This issue is termed as Wi-Fi band exploitation and device makers consortium has repeatedly requested IEEE to issue a new freq. band. </li></ul></li></ul></li></ul> <ul><li>Wireless Local Area Network </li></ul> <ul><li><ul><li>Released October 1999 </li></ul></li></ul> <ul><li><ul><li>Frequency band 2.4GHz </li></ul></li></ul> <ul><li><ul><li>Data rate 4.5 Mbit/s (Typical) </li></ul></li></ul> <ul><li><ul><li>Data rate 11 Mbit/s (Maximum) </li></ul></li></ul> <ul><li><ul><li>Range - ~38m (Indoor) </li></ul></li></ul> <ul><li><ul><li>802.11b devices suffer interference from other products operating in the 2.4 GHz band. Devices operating in the 2.4 GHz range include: microwave ovens, Bluetooth devices, baby monitors and cordless telephones. </li></ul></li></ul> <p> 4. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li><ul><li><ul><li>OFDM - Orthogonal Frequency-Division Multiplexing </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>DSSS - Direct-Sequence Spread Spectrum</li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Mod. Modulation technique </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>r in.-Range Indoor, r out. Range Outdoor </li></ul></li></ul></li></ul> <p> 5. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>Wi-Fi is not an easy word to wireless deployment of LAN or WLAN. Any solution whichaddresses all or some of the above mentioned seven security problems need not bean ideal solution to the deployment problems faced by most of the companies. </li></ul> <ul><li>Seven Security Problems </li></ul> <ul><li><ul><li>Easy Access </li></ul></li></ul> <ul><li><ul><li> Rogue Access Points </li></ul></li></ul> <ul><li><ul><li>Unauthorized Use of Service </li></ul></li></ul> <ul><li><ul><li>Service and Performance Constraints </li></ul></li></ul> <ul><li><ul><li>MAC Spoofing and Session Hijacking </li></ul></li></ul> <ul><li><ul><li>Traffic Analysis and Eavesdropping </li></ul></li></ul> <ul><li><ul><li>Higher Level Attacks </li></ul></li></ul> <p> 6. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>Our College is an excellent example of Wi-Fi Easy Access. </li></ul> <ul><li>SSID is broadcasted. </li></ul> <ul><li>Key level encryption is used. </li></ul> <ul><li>1. Easy Acces </li></ul> <ul><li><ul><li>Wireless LANs are easy to find. </li></ul></li></ul> <ul><li><ul><li>All wireless networks need to announce their existence. </li></ul></li></ul> <ul><li><ul><li>The information needed to join a network is also the information needed to launch an attack on a network. </li></ul></li></ul> <ul><li><ul><li>Your 802.11 network and its parameters are available for anybody with an 802.11 card. </li></ul></li></ul> <ul><li><ul><li>Short of moving into heavily-shielded office space that does not allow RF signals to escape, there is no solution for this problem. </li></ul></li></ul> <ul><li><ul><li>The best you can do is to mitigate the risk by using strong access control and encryption solutions. </li></ul></li></ul> <p> 7. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>Any Wi-Fi Router (Example: Linksys WRT54GL) can act as a Wireless AP. </li></ul> <ul><li>AP login with Credentials can make Client login without credentials. </li></ul> <ul><li>Management staff can go rogue. </li></ul> <ul><li>2. Rogue Access Points </li></ul> <ul><li><ul><li>Easy access to wireless LANs is coupled with easy deployment. </li></ul></li></ul> <ul><li><ul><li>Any user can run to a nearby computer store, purchase an access point, and connect it to the corporate network without authorization. </li></ul></li></ul> <ul><li><ul><li>End users are not security experts, and may not be aware of the risks posed by wireless LANs. </li></ul></li></ul> <ul><li><ul><li>Tools like NetStumbler allow network administrators to wander their building looking for unauthorized access points, but it is expensive to devote time to wandering the building looking for new access points. </li></ul></li></ul> <p> 8. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>VPN Virtual Private Network </li></ul> <ul><li>WEP Wired Equivalent Privacy </li></ul> <ul><li>n/w Network </li></ul> <ul><li>3. Unauthorized Use of Service </li></ul> <ul><li><ul><li>Nearly all of the access points running with default configurations have not activated WEP (Wired Equivalent Privacy) or have a default key used by all the vendor's products out of the box. Without WEP, network access is usually there for the taking. </li></ul></li></ul> <ul><li><ul><li>If you have deployed a VPN to protect the network from wireless clients, it probably has strong authentication capabilities already built-in. </li></ul></li></ul> <ul><li><ul><li>For corporate users extending wired networks, access to wireless networks must be as tightly controlled. Strong authentication is a must before granting access to the n/w. </li></ul></li></ul> <p> 9. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>LAN Local Area Network </li></ul> <ul><li>MAC Media Access Control (Burned In Address) </li></ul> <ul><li>Access Point Wireless Service Providing Machine </li></ul> <ul><li>4. Service and Performance Constraints </li></ul> <ul><li><ul><li>Wireless LANs have limited transmission capacity. </li></ul></li></ul> <ul><li><ul><li>This capacity is shared between all the users associated with an access point. Due to MAC-layer overhead, the actual effective throughput tops out at roughly half of the nominal bit rate. </li></ul></li></ul> <ul><li><ul><li>Attackers could also inject traffic into the radio network without being attached to a wireless access point. </li></ul></li></ul> <ul><li><ul><li>Addressing performance problems starts with monitoring and discovering them. </li></ul></li></ul> <ul><li><ul><li>No enterprise-class wireless network management system has yet emerged. </li></ul></li></ul> <p> 10. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>In cryptography, theman-in-the-middle attackis a form ofactive eavesdropping inwhich the attacker makes independent connections with the victims, relays messagesbetween them, making them believe that they are talkingdirectly to each other overa private connection when in fact the entire conversation is controlled by the attacker. </li></ul> <ul><li>5. MAC Spoofing and Session Hijacking </li></ul> <ul><li><ul><li>802.11 networks do not authenticate frames. </li></ul></li></ul> <ul><li><ul><li>Attackers can use spoofed frames to redirect traffic and corrupt ARP tables. </li></ul></li></ul> <ul><li><ul><li>Access points are identified by their broadcasts of Beacon frames. </li></ul></li></ul> <ul><li><ul><li>You must deploy a cryptographic protocol on top of 802.11 to protect against hijacking. </li></ul></li></ul> <ul><li><ul><li>Attackers can, however, easily pretend to be an access point because nothing in 802.11 requires an access point to prove it really is an access point. (Man-in-the-Middle Attack) </li></ul></li></ul> <p> 11. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>SSH Secure Shell </li></ul> <ul><li>SSL Secure Socket Layer </li></ul> <ul><li>IPSec IP (Internet Protocol) Security </li></ul> <ul><li>6. Traffic Analysis and Eavesdropping </li></ul> <ul><li><ul><li>802.11 provides no protection against attacks that passively observe traffic. </li></ul></li></ul> <ul><li><ul><li>A great deal has been written about the flaws in WEP. </li></ul></li></ul> <ul><li><ul><li>Early WEP implementations are vulnerable to cracking by tools such as AirSnort and WEPCrack. </li></ul></li></ul> <ul><li><ul><li>Strong cryptographic solutions like SSH, SSL, and IPSec were designed to transmit data securely over public channels. </li></ul></li></ul> <ul><li><ul><li>It protects only the initial association with the network and user data frames. </li></ul></li></ul> <p> 12. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>Many networks have a hard outer shell composed of perimeter security devices thatare carefully configured and meticulously monitored. Inside the shell, though, is a soft,vulnerable (and tasty?) center. </li></ul> <ul><li>7. Higher Level Attacks </li></ul> <ul><li><ul><li>Once an attacker gains access to a wireless network, it can serve as a launch point for attacks on other systems. </li></ul></li></ul> <ul><li><ul><li>Wireless LANs can be deployed quickly if they are directly connected to the vulnerable backbone, but that exposes the network to attack. </li></ul></li></ul> <ul><li><ul><li>The solution is straightforward in theory: treat the wireless network as something outside the security perimeter, but with special access to the inside of the network. </li></ul></li></ul> <p> 13. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>Access Control ACL Access Control Lists </li></ul> <ul><li>Confidentiality Encryption Algorithms, Cryptography </li></ul> <ul><li>Data Integrity CRC Checks, Parity Checks, Checksum, MD5 Values </li></ul> <ul><li>WEP and its Functionality </li></ul> <ul><li><ul><li>WEPs security goals are </li></ul></li></ul> <ul><li><ul><li><ul><li>Accesscontrol: protectingthewirelessnetworkfrom unauthorized access.</li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Confidentiality:to prevent eavesdropping. </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Dataintegrity:topreventtamperingwithtransmitted messages. </li></ul></li></ul></li></ul> <p> 14. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>Plaintext = Message + CRC (Cycic Redundancy Check) </li></ul> <ul><li>IV Initialization Vector </li></ul> <ul><li>XOR Exclusive OR </li></ul> <ul><li>RC4 Encryption Method </li></ul> <ul><li>WEPs security flaws </li></ul> <ul><li><ul><li>WEPreliesonanencryption algorithm called RC4. </li></ul></li></ul> <ul><li>Making of Plaintext </li></ul> <ul><li>Generation of RC4 Keystream </li></ul> <ul><li>XOR of Plaintext and Key </li></ul> <ul><li>Making of Ciphertext </li></ul> <ul><li>Sending of Ciphertext with IV </li></ul> <p> 15. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>Ciphertext Incoming Encrypted Message </li></ul> <ul><li>KeyStream RC4(v,k) where v is IV transmitted with Ciphertext </li></ul> <ul><li>CRC Cyclic Redundancy Check </li></ul> <ul><li>IV Initialization Vector </li></ul> <p>WEPs security flaws (contd) </p> <ul><li>Stripping out IV </li></ul> <ul><li>Generation of key k </li></ul> <ul><li>Reassembling of keystream </li></ul> <ul><li>XOR with Ciphertext </li></ul> <ul><li>Obtaining of Plaintext </li></ul> <p> 16. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>Why do we need Re-Usable Keystream? Why not 256 bits IV? </li></ul> <ul><li>Starting from the beginning? Resetting IV on Initialization? </li></ul> <ul><li>Key Stream Re-Use </li></ul> <ul><li><ul><li>The IV is only 24 bits long. </li></ul></li></ul> <ul><li><ul><li>Exhaustion of IV Field. </li></ul></li></ul> <ul><li><ul><li>No other choice but to Re-Use. </li></ul></li></ul> <ul><li><ul><li>Two packets will be encrypted using same k and IV. </li></ul></li></ul> <ul><li><ul><li>Key Stream Re-Use is a major vulnerability. </li></ul></li></ul> <p> 17. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>Public Key/ Private Key Encryption Model </li></ul> <ul><li>IV Initialization Vector </li></ul> <ul><li>XOR 1101 XOR 1001 = 01 </li></ul> <ul><li>RC4 Hacking in Detail </li></ul> <ul><li><ul><li>Done using two fields, k and IV. </li></ul></li></ul> <ul><li><ul><li>Secret Key k </li></ul></li></ul> <ul><li><ul><li>Public Key IV </li></ul></li></ul> <ul><li><ul><li>Secret Key k is constant. </li></ul></li></ul> <ul><li><ul><li>Hence, two or more packets are encrypted using same IV. </li></ul></li></ul> <ul><li><ul><li>Means, both packets were encrypted in the very same way. </li></ul></li></ul> <ul><li><ul><li>They can be XORed to cancel out two key streams. </li></ul></li></ul> <ul><li><ul><li>Results in XOR of two original unencrypted packets. </li></ul></li></ul> <ul><li><ul><li>Knowing bit stream in one of the packet gives out the other. </li></ul></li></ul> <ul><li><ul><li>Hence, key k is identified. </li></ul></li></ul> <p> 18. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>TKIP Temporal Key Integrity Protocol </li></ul> <ul><li>WPA Wi-Fi Protected Access </li></ul> <ul><li>IEEE 802.11i-2004 , or802.11i , is an amendment to the IEEE 802.11 standardspecifying security mechanisms for wireless networks.</li></ul> <ul><li>Solutions to Key Stream Re-Use </li></ul> <ul><li><ul><li>Increasing the size of IV field. </li></ul></li></ul> <ul><li><ul><li>A 24 bits to 48 bits increase = 16.7 million to 281 trillion IVs. </li></ul></li></ul> <ul><li><ul><li>Decreases very likelihood of Key Stream Re-Use. </li></ul></li></ul> <ul><li><ul><li>Making secret key k dynamic. </li></ul></li></ul> <ul><li><ul><li>Improvement to WPA. </li></ul></li></ul> <ul><li><ul><li>Implementation of TKIP. </li></ul></li></ul> <ul><li><ul><li>Enhancements including per packet key mixing function. </li></ul></li></ul> <ul><li><ul><li>Message Integrity Check called Michael. </li></ul></li></ul> <ul><li><ul><li>Extended IV with sequencing rules and Re-Keying mech. </li></ul></li></ul> <ul><li><ul><li>Mandatory in upcoming 802.11i </li></ul></li></ul> <p> 19. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>KSA Key Scheduling Algorithm </li></ul> <ul><li>PRGA Pseudo Random Generation Algorithm </li></ul> <ul><li>Apseudorandomprocess is a process that appears random but is not. </li></ul> <ul><li>RC4 Algorithm </li></ul> <ul><li>RC4 generates apseudorandom stream of bits(a keystream) which, for encryption, is combined with the plaintext using bit-wise exclusive-or; decryption is performed the same way (since exclusive-or is a symmetric operation). To generate the keystream, the cipher makes use of a secret internal state which consists of two parts: </li></ul> <ul><li>A permutation of all 256 possible bytes (denoted "S" below).</li></ul> <ul><li>Two 8-bit index-pointers (denoted "i" and "j").</li></ul> <ul><li>The permutation is initialized with a variable length key, typically between 40 and 256 bits, using thekey-schedulingalgorithm (KSA). Once this has been completed, the stream of bits is generated using thepseudo-random generation algorithm(PRGA). </li></ul> <p> 20. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>Pseudorandom sequences typically exhibit statistical randomness while beinggenerated by an entirely deterministic causal process. Such a process is easier toproduce than a genuine random one, and has the benefit that it can be used again andagain to produce exactly the same numbers, useful for testing and fixing software. </li></ul> <p>RC4 Algorithm (contd) The key-scheduling algorithm (KSA) The key-scheduling algorithm is used to initialize the permutation in the array "S". "keylength" is defined as the number of bytes in the key and can be in the range 1 keylength 256, corresponding to a key length of 40 128 bits. First, the array "S" is initialized to the identity permutation. S is then processed for 256 iterations. forifrom0to255S[i] := iendfor j := 0forifrom0to255j := (j + S[i] + key[i mod keylength]) mod 256Swap (S[i],S[j])endfor 21. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>For such applications as cryptography, the use of pseudorandom number generatorsis insecure. When random values are required , the goal is to make amessage as hardto crack as possible, by eliminating or obscuring the parameters used to encrypt themessage from the message itself or from the context in which it is carried. </li></ul> <p>RC4 Algorithm (contd) The pseudo-random generation algorithm (PRGA) For as many iterations as are needed, the PRGA modifies the state and outputs a byte of the keystream. In each iteration, the PRGA incrementsi , adds the value of S pointed to byitoj , exchanges the values of S[ i ] and S[ j ], and then outputs the value of S at the location S[i] + S[j] (modulo 256). Each value of S is swapped at least once every 256 iterations. i := 0j := 0whileGeneratingOutput:i := (i + 1) mod 256j := (j + S[i]) mod 256Swap(S[i],S[j])Output S[(S[i] + S[j]) mod 256] ^ input[i]endwhile 22. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>RC4 Using Streams - WEP, WPA , BitTorrent protocol encryption , Microsoft Point-to- Point Encryption , Secure Sockets Layer , Secure shell , Remote Desktop Client (RDCover RDP) , Kerberos , SASL Mechanism Digest-MD5 . </li></ul> <p>RC4 Algorithm (contd) Test Vectors Sample test vectors are provided below: RC4( "Key", "Plaintext" ) == BBF316E8D940AF0AD3RC4( "Wiki", "pedia" ) == 1021BF0420RC4( "Secret", "Attack at dawn" ) == 45A01F645FC35B383552544B9BF5OR In Plain/Text:Password: Text: Output:RC4( "24g3", "24z0") == nhnWRC4( "24g3", "24z2") == nhnURC4( "5ybdt", "5ybu8") == XJrkp 23. </p> <ul><li><ul><li>Quick Note : </li></ul></li></ul> <ul><li>L2TP Layer 2 Tunneling Protocol </li></ul> <ul><li>RADIUS Remote Authentication Dial In User Service </li></ul> <ul><li>SHA Secure Hash Algorithm </li></ul> <ul><li>LDAP Lightweight Directory Access Protocol </li></ul> <ul><li>VPN, Kerberos, IPSec.. </li></ul> <ul><li><ul><li>Virtual Private Network, a n/w within a n/w. </li></ul></li></ul> <ul><li><ul><li>Kerberos Authentication with RADIUS Servers. </li></ul></li></ul> <ul><li><ul><li>IPSec Implementations with L2TP. </li></ul></li></ul> <ul><li><ul><li>Firewalls, Monitors, Sniffing Detectors. </li></ul></li></ul> <ul><li><ul><li>Better Encryption Algorithms like SHA. </li></ul></li></ul> <ul><li><ul><li>Round Robin Based Key Modifying Methods. </li></ul></li></ul> <ul><li><ul><li>Domain Based Auth Systems. </li></ul></li></ul> <ul><li><ul><li>LDAP Authentication Methods. </li></ul></li></ul> <ul><li><ul><li>BSSID Usages. </li></ul></li></ul> <ul><li><ul><li>Understanding of Security Issues. </li></ul></li></ul> <p> 24. 25. </p> <ul><li>Thank you for your patience and co-operation. </li></ul> <ul><li>This seminar presentation is also available on</li></ul> <ul><li><ul><li>References: </li></ul></li></ul> <ul><li><ul><li>IEEEExplore </li></ul></li></ul> <ul><li><ul><li>Wikipedia -