Mahalingam Ramkumar
Wireless Dimension
Access to the medium: the wired medium (cables) is physically bounded, so access restriction is implicit; the wireless medium (air) is ubiquitous, so access restriction must be handled explicitly.
War dialing: the attacker gains access to the wired medium by exhaustively dialing phone numbers.
War driving: the attacker gains access to the wireless medium just by driving through the network's coverage area.
The medium: the wireless medium has no explicit boundary. This weakens privacy and authentication mechanisms adopted from the wired environment.
Portability: wireless devices are small and portable. Data on portable devices needs more protection than data on non-portable devices; mechanisms to recover stolen or lost devices, and to self-destruct the data on them, are important.
Trust in infrastructure
Wired networks assume a certain level of trust in the local infrastructure (we trust our routers). In wireless networks this is a weak assumption: would you put the same trust in an access point at JFK as in your home AP? Security mechanisms should anticipate this variance in trust and should be independent of location.
Mobility
Trust in location
Wired networks implicitly assume that a network address is equivalent to a physical location (130.18.x.x is MSU). In wireless networks the physical location is not tied to the network address, and it may change transparently to the end nodes.
Privacy of location
On a wired network the privacy of location is not a concern. In wireless networks the location privacy of the user is a serious issue, because users can be tracked and their travel behaviour used for marketing purposes, etc. A similar scenario exists on the Web: a user's surfing pattern can be tracked, which raised several privacy issues in 1999 (DoubleClick's cookie tracking).
Hand-held devices have stringent processing power, memory and energy constraints. Current security solutions require expensive processing power and memory. Hand-held devices mandate inexpensive substitutes for
Network Topologies
Wired networks usually rely on the network topology to deploy security solutions, e.g. a firewall is installed on a machine where all traffic is visible. Wireless networks (especially ad hoc networks) have dynamic topologies and may have no single point of convergence (the hidden host problem!), so they put the emphasis on host-based solutions, e.g. distributed firewalls.
Based on 802.11b technology: Direct Sequence Spread Spectrum (DSSS) modulation at 2.4 GHz.
Serves as an Ethernet-to-wireless bridge Speed between 1 and 11 Mbps (shared bandwidth) Most Access Points (APs) include:
802.11 Components
[Figure: an Extended Service Set. Two Basic Service Sets, BSS (1) with STA 1 acting as AP and BSS (2) with STA 2 acting as AP, are joined through the Distribution System (DS).]
802.11 is a MAC and PHY layer specification. It serves mobile and portable devices, provides transparency of mobility, and appears as an 802 LAN to the LLC layer. Terms: Basic Service Set (BSS), Extended Service Set (ESS), Distribution System (DS), Station (STA). STAs that provide access to the Distribution System Service (DSS) are Access Points (APs). 802.11 also supports ad hoc networking and provides link-level security (WEP).
Access point: connects the WLAN to, or extends, the wired network; more units deliver higher aggregate speed and greater area coverage.
Client: available for many media (PCI, PCMCIA, etc.), with support for multiple operating systems.
The wireless medium has no physical boundaries; it is an open medium. WEP controls access to the LAN via authentication and provides link-level security equivalent to that of a closed medium. It provides no end-to-end privacy. Its goals:
Access control: control access to the underlying medium through authentication.
Confidentiality: protect data on the underlying medium through encryption.
Data integrity: provide a means to determine the integrity of data between links.
An attack on WEP should compromise at least one of these properties. Three levels of security:
Open system: WEP is disabled in this mode. No security.
Shared-key authentication: provides access control to the medium.
Encryption: provides confidentiality to data on the network.
Authentication and encryption are configured independently. That is, you can encrypt all the traffic and still have no access control to the medium! It also means a wily hacker can have all his traffic encrypted on our network, so that no one sees what he is doing.
WEP design goals as stated by the standard: it is "reasonably strong" (?!!), withstanding brute-force attacks and cryptanalysis; it is self-synchronizing (a self-synchronizing stream cipher, re-seeded per packet); it is efficient in hardware and software implementations; it is exportable (which does not matter anymore: the rest of the world needs security too!); it is optional; the WEP layer should be independent of other layers.
Current Security
SSID, MAC address filtering, WEP. Unfortunately most of these mechanisms are off by default, and all of them have problems:
Out-of-the-box settings create an open network. No real user identification and authentication, no support for SecurID, PKI, etc. Encryption is vulnerable to known-plaintext attacks (WEP's implementation of RC4). Proliferation of default keys. Service Set Identifiers (SSIDs) are broadcast in the clear. Unauthorized users can join the network and inject traffic.
Wireless cards broadcast their MAC address, which is easily captured and programmed onto another card. The network name is used as the shared secret for authentication: 1. sniff the network name, 2. reconfigure the device to show membership, 3. reboot, 4. access the target network. Rogue APs: shared-key authentication is one-way only, so the user cannot authenticate the AP. Unauthorized access can serve as a launch pad for DoS attacks by hijacking legitimate clients.
Vernam Ciphers
The WEP encryption algorithm RC4 is a Vernam cipher: a pseudo-random number generator produces a random byte b, and each plaintext data byte p is combined with it to give the ciphertext data byte c = p XOR b.
[Figure: WEP encryption. The IV and the encryption key K are concatenated into the 64-bit seed of the WEP PRNG, which produces the key sequence. The integrity algorithm computes the ICV over the plaintext message; message || ICV is XORed (+) with the key sequence to give the cipher text, which is sent together with the IV.]
WEP uses the RC4 PRNG and CRC-32 as the integrity algorithm. The IV is renewed for each packet (usually iv++). The actual secret key size is the vendor-advertised size minus 24: the 24-bit IV is counted in the advertised 64 or 128 bits, leaving 40 or 104 secret bits. ICV is the Integrity Check Value (CRC-32).
WEP Frame
Frame body: IV field (4 bytes) | PDU (>= 1 byte) | ICV (4 bytes)
IV field:   IV (3 bytes) | pad (6 bits) | key id (2 bits)
The key id is used to choose between four secret keys. The ICV is the CRC-32 integrity checksum. The pad bits are zero and unused. The IV field travels in the clear; only the PDU and ICV are encrypted.
RC4 algorithm
Proprietary algorithm belonging to RSA Data Security Inc. (RSADSI). Secret-key stream cipher with a variable-length key (up to 2048 bits). Fairly fast (1 Mbyte/sec on a 33 MHz processor). Claimed to be very strong. Exportable outside the U.S. The algorithm was leaked onto the Internet in 1994.
Attacks on WEP
Stream ciphers expand a secret key into a stream of pseudo-random bytes. The message is XORed (denoted by + hereafter) with the random stream to produce the cipher text. If two messages are encrypted with the same key stream the cipher is easily broken, so WEP prepends an IV to the secret key to extend its life. But reusing an IV is the same as reusing the secret key:
C1 = P1 + RC4(IV, key)
C2 = P2 + RC4(IV, key)
C1 + C2 = P1 + P2, and P1 + P2 is easily cryptanalyzed.
Given two cipher texts with the same IV (and the same secret key), we can remove the effect of XORing with the RC4 stream.
Attacks on WEP
The IV length is fixed at 24 bits (2^24 = 16,777,216 values). Implementations make the reuse problem worse: every time a card is initialized the IV is reset to zero. For randomly chosen IVs a collision is expected after only about 5,000 packets (the birthday bound on 2^24 values), so obtaining cipher texts with the same IV is practical. Legitimate traffic can be used to obtain known plaintexts, e.g. the Login: and password: prompts of a telnet session, or spam bounced off a mail server through the wireless network (the attacker knows what he sent).
Dictionary Attack
Once the plaintext corresponding to a ciphertext is obtained, it is possible to decrypt any ciphertext for the same key and IV, and this can be done in real time. A dictionary of IVs (~2^24 entries) can be built: for each IV find the associated key stream from Ci = Pi + RC4(IVi, key), and tabulate the two fields searchable by IV. For each captured packet, look up its IV in the table and XOR the message with the corresponding key stream to decrypt it: Cn = Pn + RC4(IV, key), we know RC4(IV, key) from the dictionary and we know Cn, so we can find Pn! The size of the dictionary depends on the size of the IV, which is fixed by the standard at 24 bits (2^24 entries of up to 1500 bytes each is about 24 GB). Increasing the key size has no effect on this attack!
Key Management
WEP does not specify how keys are to be managed. It assumes that an array of four possible keys is somehow populated, and each message carries the index of the key used. Most installations use a single key for the entire network. Changing keys requires every single user to reconfigure their wireless drivers, hence keys are seldom changed.
Message Modification
The ICV is not keyed: it is CRC-32, which is linear, i.e. crc(x + y) = crc(x) + crc(y) (with the standard initial value and final complement the identity picks up a known length-dependent constant, crc(0...0), which the attacker simply adds in). Given C = RC4(v, k) + (M, crc(M)) it is possible to find a new ciphertext C' which decrypts to M' = M + d, where d is arbitrary! To do this, XOR (d, crc(d)) with C:
C' = C + (d, crc(d))
   = RC4(v, k) + (M, crc(M)) + (d, crc(d))
   = RC4(v, k) + (M + d, crc(M) + crc(d))
   = RC4(v, k) + (M + d, crc(M + d))
   = RC4(v, k) + (M', crc(M'))
Message Injection
If you know one (C, P) ciphertext/plaintext pair for an IV and key, you can inject any message with the same IV, because P + C = P + (P + RC4(v, k)) = RC4(v, k), which is the key stream. It can be reused (almost) indefinitely: the key is seldom changed and WEP does not reject repeated IVs, so sending the same IV again is not a problem for the attacker.
Shared-key authentication, legitimate exchange (client and server, shown in black):
client -> server: Authentication Request
server -> client: 128-byte nonce (the challenge), sent in the clear
client -> server: IV, nonce + RC4(IV, key)
server: decrypts the packet and verifies the nonce
Attack (hacker and server, shown in red):
hacker -> server: Authentication Request
server -> hacker: new 128-byte nonce'
hacker -> server: IV, nonce' + RC4(IV, key), where RC4(IV, key) = (nonce + RC4(IV, key)) + nonce was recovered from the eavesdropped legitimate exchange
server: decrypts the packet, finds nonce', and accepts
It is possible to get authenticated without knowing the secret key! We only need the plaintext/ciphertext pair of one legitimate authentication, and we can authenticate ourselves under the same key.
ARP Spoofing
A wireless AP is a transparent bridge: new hardware, same old problems (and a few new ones). It is subject to a man-in-the-middle attack.
[Figure: ARP spoofing through a switch. The attacker announces "I am A" (a forged ARP reply), so that Victim B's traffic for A (B --> A) is delivered by the switch to the attacker, who copies it and forwards it on to Victim A.]
This attack also translates to a wireless network. It may even compromise the integrity of the wired network behind the AP (from the parking lot), since the AP bridges the attacker's forged ARP replies onto the wire.
Other Mechanisms
If these mechanisms are insufficient, what else can we do? Don't trust the wireless network. Requirements for an alternative:
Unique identification of users at the edge of the network; identity take-over must be impossible.
Ease of use for the end user, and for guests.
Per-institution provisioning of users in one database of the institution's network; low maintenance.
Support for various authentication mechanisms.
Interim improvements: enlarge the IV space to 128 bits; run a VPN over the WLAN; use EAP for authentication within IEEE 802.1X (but weak EAP methods allow offline password guessing attacks); change the key periodically via IEEE 802.1X re-authentication to avoid staleness.
Still missing: no keyed MIC; no authentication of re-associate and disassociate messages (denial of service attacks); no IV replay protection.
VPN-based Security
[Figure: VPN-based security. 802.11 terminals connect over 802.11 APs (WEP security on the air link only) to a VPN gateway (Contivity) that sits in front of the enterprise network; the VPN tunnel, not WEP, protects the traffic end to end.]
IEEE 802.1X
Access solution (Layer 2) between client and AP. Several authentication mechanisms available (EAP-MD5, EAP-TLS, EAP-TTLS, PEAP). Standardised. Data is still encrypted by WEP, but with dynamic per-session keys distributed after authentication instead of one static network-wide key. RADIUS back end:
802.1X 802.11x
"802.11x" is sometimes used to summarise all the 802.11 wireless LAN standards (i.e. 802.11a, 802.11b), but it is not a standard! 802.1X is a standard from the IEEE 802.1 series, initiated by 3Com, HP and Microsoft. 802.1X is a transport mechanism: the actual authentication takes place in the EAP protocol carried on top of 802.1X.
802.1x Framework
[Figure: the 802.1X framework. Pre-authentication state: only EAP (EAPOL) traffic passes the AP's controlled port. Post-authentication state: the controlled port is opened and normal data traffic flows.]
The Extensible Authentication Protocol (RFC 2284) provides an architecture in which several authentication mechanisms can be used:
EAP-MD5: username/password (unsafe).
EAP-TLS: PKI (certificates), strong authentication.
EAP-TTLS: username/password inside a TLS tunnel (safe).
MS-CHAPv2: Microsoft username/password (not safe on its own).
PEAP: Microsoft/Cisco TLS tunnel for safe transport of MS-CHAPv2.
LEAP: Cisco's proprietary challenge/response method, with no tunnel (see below).
Protocol Overview
[Figure: protocol stack. The EAP methods MD5, TLS and PEAP (which carries MS-CHAPv2) run on top of EAP. EAP messages are carried either over PPP, where CHAP and PAP are the alternatives to EAP, or over 802.11 via 802.1X.]
LEAP
Lightweight Extensible Authentication Protocol: an authentication protocol based on IETF RFC 2284, the Extensible Authentication Protocol (EAP). Provides mutual authentication between Cisco Aironet client cards and a back-end RADIUS server. Developed by Cisco Systems; also called EAP-Cisco Wireless. Implemented in Cisco Aironet wireless NICs.
[Figure: LEAP components. User machine (with client adapter) - Access Point - RADIUS transmission - RADIUS server with Auth dB.]
1. The RADIUS server and the client mutually authenticate through the access point and derive a WEP session key.
2. Client and access point activate WEP, and use it with the derived key to protect transmissions.
Mutual Authentication
Each side asks the other: "Are you who you say you are?"
[Figure: the challenge/response flow. Client side (user machine with client adapter): the user enters user ID and password; the password is hashed into a key. Server side (RADIUS server with Auth dB): the user's password is looked up in the Auth dB, which holds an entry per user, and hashed into the same key. A challenge is hashed with the key on both sides. The client returns its hash as the response; the server compares (=?) it with its own value and determines the action (accept or reject). The same exchange runs in the other direction for the client to authenticate the server.]
The user/client discloses some information, violating anonymity. Disclosed parameters: MAC address, programmed SSID, user ID.
An adversary can eavesdrop on the wireless link and capture: user IDs, random challenges, and responses (hashes computed from the password).
[Figure: offline dictionary attack with the stolen parameters. The attacker holds the captured challenge and captured response. An index walks through a password database: for each candidate password compute the hash (key), hash the challenge with it to get a computed response, and compare (=?) with the captured response. No: increment the index and continue. Yes: password cracked.]
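The offline dictionary attack above, as an added example (not from the slides). The hash functions are stand-ins: real LEAP derives its response from the MS-CHAP NT hash with DES, but the structure is the same. Server and client share key = H(password), the client answers a challenge with response = H(key, challenge), and whoever records (user ID, challenge, response) on the air can grind through a wordlist offline, with no further interaction with the RADIUS server to rate-limit or log the guesses. The user, password, challenge and wordlist are all constructed.

```python
"""Offline dictionary attack on an eavesdropped challenge/response login.
Added example; the hash construction is a stand-in for LEAP's MS-CHAP/DES."""
import hashlib
import hmac

def password_key(password: str) -> bytes:
    """Stand-in for the NT-hash step: key = H(password)."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def challenge_response(key: bytes, challenge: bytes) -> bytes:
    """Stand-in for the response step: response = H(key, challenge)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def server_verify(auth_db: dict, user: str, challenge: bytes, response: bytes) -> bool:
    """What the RADIUS server does with the Auth dB entry for the user."""
    key = auth_db.get(user)
    if key is None:
        return False
    return hmac.compare_digest(challenge_response(key, challenge), response)

def crack(captured: tuple, wordlist: list):
    """Offline: recompute the response for each candidate password and compare.
    Returns (password, guesses_used) or (None, guesses_used)."""
    user, challenge, response = captured
    for index, candidate in enumerate(wordlist, start=1):
        if challenge_response(password_key(candidate), challenge) == response:
            return candidate, index
    return None, len(wordlist)

def demo():
    """Constructed exchange: alice logs in, the adversary records it."""
    auth_db = {"alice": password_key("sunshine1")}       # constructed Auth dB
    challenge = bytes.fromhex("0f1e2d3c4b5a6978")         # constructed 8-byte challenge
    response = challenge_response(auth_db["alice"], challenge)  # sent over the air
    assert server_verify(auth_db, "alice", challenge, response)
    captured = ("alice", challenge, response)            # user ID, challenge, response
    wordlist = ["password", "123456", "letmein", "sunshine", "sunshine1", "qwerty"]
    return crack(captured, wordlist)
```

demo() returns ("sunshine1", 5): the password falls on the fifth guess, and the server never sees a single failed attempt. Putting the exchange inside a TLS tunnel (EAP-TTLS, PEAP) denies the eavesdropper the (challenge, response) pair in the first place.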
EAP-TTLS
[Figure: EAP-TTLS components. User machine (with client adapter) - Access Point - RADIUS transmission - TLS server / RADIUS server with Auth dB.]
Two phases. Phase 1 authenticates the TTLS server to the client (and optionally vice versa); the result is the activation of a cipher suite. Phase 2 then proceeds inside the TLS record layer, so the user credentials are never exposed on the air.
What's Right
Lightweight: changes as needed to address flaws in existing wireless security; no encapsulation and no per-packet overhead, simply periodic authentication transactions.
MITM: the gateway authenticates the client, but the client has no explicit means to authenticate the gateway, so rogue gateways put the client at risk.
Hijacking: 1. send "Authentication Successful" to the client; 2. the client associates with the malicious AP; 3. send a disassociation message to the client, while the legitimate AP is in the dark; 4. change MAC address to the client's and take over the live connection.
Authentication takes a non-trivial amount of time and can disrupt data in transit. Many AP implementations don't allow multiple RADIUS servers, and most RADIUS server failover is non-transparent.
Whats Next
Integration of existing solutions to raise the bar; limited 802.1X implementations so far. 802.11i (Task Group i, Security) is on the right track: mutual authentication, per-packet authentication, with 802.1X as part of the solution.
TKIP: can be implemented in software, reuses existing WEP hardware and runs WEP as a sub-component. Fast per-packet keying, a per-packet message integrity code (MIC), dynamic re-keying, and key distribution via 802.1X. Still RC4-based to remain backward compatible; AES with 802.1X keying in the (then) distant future.
On existing AP hardware: a 33 or 25 MHz ARM7 or i486, already running at 90% CPU utilization before TKIP. Utilize the existing WEP off-load hardware, ship as a software/firmware upgrade only, and don't unduly degrade performance.
TKIP Design
Build a better per-packet encryption key: prevent the weak-key attacks (Fluhrer, Mantin and Shamir) and decorrelate the WEP IV from the per-packet key, while staying efficient on existing hardware.
[Figure: TKIP key mixing. Phase 1 mixer: base key and the 4 most significant IV (sequence counter) bytes give the intermediate key. Phase 2 mixer: intermediate key and the 2 least significant IV bytes give the per-packet key that seeds RC4.]
802.1X: http://standards.ieee.org/reading/ieee/std/lanman/802.1X-2001.pdf
RFCs: see http://www.ietf-editor.org
EAP: RFC 2284
EAP-MD5: RFC 1994, RFC 2284
EAP-TLS: RFC 2716
EAP-TTLS: http://www.funk.com/NIdx/draft-ietf-pppext-eap-ttls01.txt
PEAP: http://www.globecom.net/ietf/draft/draft-josefsson-pppexteap-tls-eap-02.html
RADIUS: RFC 2865, 2866, 2867, 2868, 2869 (interworking with EAP)
"Overview of IEEE 802.11b Security", Sultan Weatherspoon
"Intercepting Mobile Communications: The Insecurity of 802.11", Nikita Borisov, Ian Goldberg et al.
"Coping with Risk: Moving to Wireless"
"Using the Fluhrer, Mantin, and Shamir Attack to Break WEP", Adam Stubblefield, John Ioannidis et al.