Wireless Security

Wireless LANs

• IEEE ratified 802.11 in 1997.
  
  • Also known as Wi-Fi.
• Wireless LAN at 1 Mbps & 2 Mbps.
• WECA (Wireless Ethernet Compatibility Alliance) promoted Interoperability.
  
  • Now Wi-Fi Alliance
• 802.11 focuses on Layer 1 & Layer 2 of OSI model.
  
  • Physical layer
  • Data link layer

802.11 Components
Two pieces of equipment defined:

• Wireless station
  
  • A desktop or laptop PC or PDA with a wireless NIC.
• Access point
  
  • A bridge between wireless and wired networks
  • Composed of
    
    • Radio
    • Wired network interface (usually 802.3)
    • Bridging software
  • Aggregates access for multiple wireless stations to wired network.

Wirelees 802.11 modes
Infrastructure mode:

• Basic Service Set (BSS)
  
  • One access point
• Extended Service Set
  
  • Two or more BSSs forming a single subnet.
• Most corporate LANs in this mode.

Ad-Hoc Mode:

• Also called peer-to-peer.
• Independent Basic Service Set
• Set of 802.11 wireless stations that communicate directly without an access point.
  
  • Useful for quick & easy wireless networks.

802.11 Physical Layer
Originally three alternative physical layers:

• Two incompatible spread-spectrum radio in 2.4Ghz ISM band
  
  • Frequency Hopping Spread Spectrum (FHSS)
  • 75 channels
• Direct Sequence Spread Spectrum (DSSS)
  
  • 14 channels (11 channels in US)
• One diffuse infrared layer
• 802.11 speed
  
  • 1 Mbps or 2 Mbps.

802.11 Data Link Layer

• Layer 2 split into:
  
  • Logical Link Control (LLC).
  • Media Access Control (MAC).
• LLC - same 48-bit addresses as 802.3
• MAC - CSMA/CD not possible.
  
  • Can’t listen for collision while transmitting.
• CSMA/CA – Collision Avoidance.
  
  • Sender waits for clear air, waits random time, then sends data.
  • Receiver sends explicit ACK when data arrives intact.
  • Also handles interference.
  • But adds overhead.

RTS / CTS

• To handle hidden nodes
• Sending station sends
  
  • “Request to Send”
• Access point responds with
  
  • “Clear to Send”
  • All other stations hear this and delay any transmissions.
• Only used for larger pieces of data.
  
  • When retransmission may waste significant time.

802.11b

• 802.11b ratified in 1999 adding 5.5 Mbps and 11 Mbps.
• DSSS as physical layer.
  
  • 11 channels (3 non-overlapping)
• Dynamic rate shifting.
  
  • Transparent to higher layers
  • Ideally 11 Mbps.
  • Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
    
    • Higher ranges.
    • Interference.
  • Shifts back up when possible.

• Maximum specified range 100 meters
• Average throughput of 4Mbps

Joining a BSS

• When 802.11 client enters range of one or more APs
  
  • APs send beacons.
  • AP beacon can include SSID.
  • AP chosen on signal strength and observed error rates.
  • After AP accepts client.
    
    • Client tunes to AP channel.
• Periodically, all channels surveyed.
  
  • To check for stronger or more reliable APs.
  • If found, re-associates with new AP.

Roaming and Channels

• Re-association with APs
  
  • Moving out of range.
  • High error rates.
  • High network traffic.
    
    • Allows load balancing.
• Each AP has a channel.
  
  • 14 partially overlapping channels.
  • Only three channels that have no overlap.
    
    • Best for multi cell coverage.

802.11a

• 802.11a ratified in 2001
• Supports up to 54Mbps in 5 Ghz range.
  
  • Higher frequency limits the range
  • Regulated frequency reduces interference from other devices

• 2 non-overlapping channels
• Usable range of 30 metres
• Average throughput of 30 Mbps
• Not backwards compatible

802.11g

• 802.11g ratified in 2002
• Supports up to 54Mbps in 2.4Ghz range.
  
  • Backwards compatible with 802.11b

• 3 non-overlapping channels
• Range similar to 802.11b
• Average throughput of 30 Mbps
• 802.11n due for November 2006
  
  • Aiming for maximum 200Mbps with average 100Mbps

Open System Authentication

• Service Set Identifier (SSID)
• Station must specify SSID to Access Point when requesting association.
• Multiple APs with same SSID form Extended Service Set.
• APs can broadcast their SSID.
• Some clients allow * as SSID.
  
  • Associates with strongest AP regardless of SSID.

MAC ACLs and SSID hiding

• Access points have Access Control Lists (ACL)
• ACL is list of allowed MAC addresses.
  
  • E.g. Allow access to:
  • 00:01:42:0E:12:1F
  • 00:01:42:F1:72:AE
  • 00:01:42:4F:E2:0
• But MAC addresses are sniffable and spoofable.
• AP Beacons without SSID
  
  • Essid_jack
    
    • sends deauthenticate frames to client
    • SSID then displayed when client sends reauthenticate frames

802.11 Wireless LAN
Three basic security services defined by IEEE for the WLAN environment:

• Authentication
  
  • provide a security service to verify the identity of communicating client stations
• Integrity
  
  • to ensure that messages are not modified in transit between the wireless clients and the access point in an active attack
• Confidentiality
  
  • to provide “privacy achieved by a wired network”

802.11 Authentication
802.11b Security Services
Two security services provided:

• Authentication
  
  • Shared Key Authentication
• Encryption
  
  • Wired Equivalence Privacy

Wired Equivalence Privacy

• Shared key between
  
  • Stations.
  • An Access Point.
• Extended Service Set
  
  • All Access Points will have same shared key.
• No key management
• Shared key entered manually into
  
  • Stations
  • Access points
  • Key management nightmare in large wireless LANs

RC4

• Ron’s Code number 4
  
  • Symmetric key encryption
  • RSA Security Inc.
  • Designed in 1987.
  • Trade secret until leak in 1994.
• RC4 can use key sizes from 1 bit to 2048 bits.
• RC4 generates a stream of pseudo random bits
  
  • XORed with plaintext to create ciphertext.

802.11 Confidentiality
WEP – Sending

• Compute Integrity Check Vector (ICV).
  
  • Provides integrity
  • 32 bit Cyclic Redundancy Check.
  • Appended to message to create plaintext.
  • Plaintext encrypted via RC4
• Plaintext encrypted via RC4
  
  • Provides confidentiality.
  • Plaintext XORed with long key stream of pseudo random bits.
  • Key stream is function of
    
    • 40-bit secret key
    • 24 bit initialisation vector
• Ciphertext is transmitted.

WEP – Receiving

• Ciphertext is received.
• Ciphertext decrypted via RC4
  
  • Ciphertext XORed with long key stream of pseudo random bits.
  • Key stream is function of
    
    • 40-bit secret key
    • 24 bit initialisation vector (IV)
• Check ICV
  
  • Separate ICV from message.
  • Compute ICV for message
  • Compare with received ICV

WEP Encryption

Shared Key Authentication

• When station requests association with Access Point
  
  • AP sends random number to station
  • Station encrypts random number
    
    • Uses RC4, 40 bit shared secret key & 24 bit IV
  • Encrypted random number sent to AP
  • AP decrypts received message
    
    • Uses RC4, 40 bit shared secret key & 24 bit IV
  • AP compares decrypted random number to transmitted random number
    
  
  

WEP Safeguards

• Shared secret key required for:
  
  • Associating with an access point.
  • Sending data.
  • Receiving data.
• Messages are encrypted.
  
  • Confidentiality.
• Messages have checksum.
  
  • Integrity.
• But management traffic still broadcast in clear containing SSID.
  

Initialization Vector

• V must be different for every message transmitted.
• 802.11 standard doesn’t specify how IV is calculated.
• Wireless cards use several methods
  
  • Some use a simple ascending counter for each message.
  • Some switch between alternate ascending and descending counters.
  • Some use a pseudo random IV generator.

Passive WEP attack

• If 24 bit IV is an ascending counter,
• If Access Point transmits at 11 Mbps,
• All IVs are exhausted in roughly 5 hours.
• Passive attack:
  
  • Attacker collects all traffic
  • Attacker could collect two messages:
    
    • Encrypted with same key and same IV
    • Statistical attacks to reveal plaintext
    • Plaintext XOR Ciphertext = Keystream

Active WEP attack

• If attacker knows plaintext and ciphertext pair
  
  • Keystream is known.
  • Attacker can create correctly encrypted messages.
  • Access Point is deceived into accepting messages.
• Bitflipping
  
  • Flip a bit in ciphertext
  • Bit difference in CRC-32 can be computed

Brute force key attack

• Capture ciphertext.
  
  • IV is included in message.
• Search all 240 possible secret keys.
  
  • 1,099,511,627,776 keys
  • ~170 days on a modern laptop
• Find which key decrypts ciphertext to plaintext.

Wepcrack

• First tool to demonstrate attack using IV weakness.
  
  • Open source, Anton Rager.
• Three components
  
  • Weaker IV generator.
  • Search sniffer output for weaker IVs & record 1st byte.
  • Cracker to combine weaker IVs and selected 1st bytes.
• Cumbersome.

Airsnort

• Automated tool
  
  • Cypher42, Minnesota, USA.
  • Does it all!
  • Sniffs
  • Searches for weaker IVs
  • Records encrypted data
  • Until key is derived.
• 100 Mb to 1 Gb of transmitted data.
  3 to 4 hours on a very busy WLAN.
  

Avoid the weak IVs

• FMS described a simple method to find weak IVs
  
  • Many manufacturers avoid those IVs after 2002
  • Therefore Airsnort and others may not work on recent hardware
• However David Hulton aka h1kari
  
  • Properly implemented FMS attack which shows many more weak IVs
  • Identified IVs that leak into second byte of key stream.
  • Second byte of SNAP header is also 0xAA
  • So attack still works on recent hardware
  • And is faster on older hardware
  • Dwepcrack, weplab, aircrack

802.11 safeguards

• Security Policy & Architecture Design
• Treat as untrusted LAN
• Discover unauthorised use
• Access point audits
• Station protection
• Access point location
• Antenna design

Security Policy & Architecture

• Define use of wireless network
  
  • What is allowed
  • What is not allowed
• Holistic architecture and implementation
  
  • Consider all threats.
  • Design entire architecture

Discover unauthorized use

• Search for unauthorised access points, ad-hoc networks or clients.
• Port scanning
  
  • For unknown SNMP agents.
  • For unknown web or telnet interfaces.
• Warwalking!
  
  • Sniff 802.11 packets
  • Identify IP addresses
  • Detect signal strength
  • But may sniff your neighbours
• Wireless Intrusion Detection
  
  • AirMagnet, AirDefense, Trapeze, Aruba,…

Access point audits

• Review security of access points.
• Are passwords and community strings secure?
• Use Firewalls & router ACLs
  
  • Limit use of access point administration interfaces.
• Standard access point config:
  
  • SSID
  • WEP keys
  • Community string & password policy

WPA

• Wi-Fi Protected Access
  
  • Works with 802.11b, a and g

• “Fixes” WEP’s problems
• Existing hardware can be used
• 802.1x user-level authentication
• TKIP
  
  • RC4 session-based dynamic encryption keys
  • Per-packet key derivation
  • Unicast and broadcast key management
  • New 48 bit IV with new sequencing method
  • Michael 8 byte message integrity code (MIC)
• Optional AES support to replace RC4

WPA and 802.1x

• 802.1x is a general purpose network access control mechanism
• WPA has two modes
  
  • Pre-shared mode, uses pre-shared keys
  • Enterprise mode, uses Extensible Authentication Protocol (EAP) with a RADIUS server making the authentication decision
  • EAP is a transport for authentication, not authentication itself
  • EAP allows arbitrary authentication methods

SUMMARY

• WAP is used on small, handheld devices like cell phones for out-of-the-office connectivity
• Designers created WTLS (Wireless Transport Layer Security) as a method to ensure privacy of the data because it was being broadcast
• 802.11 does not allow physical control of the transport mechanism
• Transmission of all network data wirelessly transmits frames to all wireless machines, not just a single client
• Poor authentication. The SSID is broadcast to anyone listening
• Flawed implementation of the RC4 encryption algorithm makes even encrypted traffic subject to interception and decryption
• WEP is used to encrypt wireless communications in an 802.11 environment and S/MIME for email