Wireless Security
- IEEE ratified 802.11 in 1997.
- Also known as Wi-Fi.
- Wireless LAN at 1 Mbps & 2 Mbps.
- WECA (Wireless Ethernet Compatibility Alliance) promoted Interoperability.
- Now Wi-Fi Alliance
- 802.11 focuses on Layer 1 & Layer 2 of OSI model.
- Physical layer
- Data link layer
Two pieces of equipment defined:
- Wireless station
- A desktop or laptop PC or PDA with a wireless NIC.
- Access point
- A bridge between wireless and wired networks
- Composed of
- Radio
- Wired network interface (usually 802.3)
- Bridging software
- Aggregates access for multiple wireless stations to wired network.
Infrastructure mode:
- Basic Service Set (BSS)
- One access point
- Extended Service Set
- Two or more BSSs forming a single subnet.
- Most corporate LANs in this mode.
Ad-Hoc Mode:
- Also called peer-to-peer.
- Independent Basic Service Set
- Set of 802.11 wireless stations that communicate directly without an access point.
- Useful for quick & easy wireless networks.
802.11 Physical Layer
Originally three alternative physical layers:
- Two incompatible spread-spectrum radio in 2.4Ghz ISM band
- Frequency Hopping Spread Spectrum (FHSS)
- 75 channels
- Direct Sequence Spread Spectrum (DSSS)
- 14 channels (11 channels in US)
- One diffuse infrared layer
- 802.11 speed
- 1 Mbps or 2 Mbps.
- Layer 2 split into:
- Logical Link Control (LLC).
- Media Access Control (MAC).
- LLC - same 48-bit addresses as 802.3
- MAC - CSMA/CD not possible.
- Can’t listen for collision while transmitting.
- CSMA/CA – Collision Avoidance.
- Sender waits for clear air, waits random time, then sends data.
- Receiver sends explicit ACK when data arrives intact.
- Also handles interference.
- But adds overhead.
- To handle hidden nodes
- Sending station sends
- “Request to Send”
- Access point responds with
- “Clear to Send”
- All other stations hear this and delay any transmissions.
- Only used for larger pieces of data.
- When retransmission may waste significant time.
- 802.11b ratified in 1999 adding 5.5 Mbps and 11 Mbps.
- DSSS as physical layer.
- 11 channels (3 non-overlapping)
- Dynamic rate shifting.
- Transparent to higher layers
- Ideally 11 Mbps.
- Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
- Higher ranges.
- Interference.
- Shifts back up when possible.
- Maximum specified range 100 meters
- Average throughput of 4Mbps
- When 802.11 client enters range of one or more APs
- APs send beacons.
- AP beacon can include SSID.
- AP chosen on signal strength and observed error rates.
- After AP accepts client.
- Client tunes to AP channel.
- Periodically, all channels surveyed.
- To check for stronger or more reliable APs.
- If found, re-associates with new AP.
- Re-association with APs
- Moving out of range.
- High error rates.
- High network traffic.
- Allows load balancing.
- Each AP has a channel.
- 14 partially overlapping channels.
- Only three channels that have no overlap.
- Best for multi cell coverage.
- 802.11a ratified in 2001
- Supports up to 54Mbps in 5 Ghz range.
- Higher frequency limits the range
- Regulated frequency reduces interference from other devices
- 2 non-overlapping channels
- Usable range of 30 metres
- Average throughput of 30 Mbps
- Not backwards compatible
- 802.11g ratified in 2002
- Supports up to 54Mbps in 2.4Ghz range.
- Backwards compatible with 802.11b
- 3 non-overlapping channels
- Range similar to 802.11b
- Average throughput of 30 Mbps
- 802.11n due for November 2006
- Aiming for maximum 200Mbps with average 100Mbps
- Service Set Identifier (SSID)
- Station must specify SSID to Access Point when requesting association.
- Multiple APs with same SSID form Extended Service Set.
- APs can broadcast their SSID.
- Some clients allow * as SSID.
- Associates with strongest AP regardless of SSID.
- Access points have Access Control Lists (ACL)
- ACL is list of allowed MAC addresses.
- E.g. Allow access to:
- 00:01:42:0E:12:1F
- 00:01:42:F1:72:AE
- 00:01:42:4F:E2:0
- But MAC addresses are sniffable and spoofable.
- AP Beacons without SSID
- Essid_jack
- sends deauthenticate frames to client
- SSID then displayed when client sends reauthenticate frames
- Essid_jack
Three basic security services defined by IEEE for the WLAN environment:
- Authentication
- provide a security service to verify the identity of communicating client stations
- Integrity
- to ensure that messages are not modified in transit between the wireless clients and the access point in an active attack
- Confidentiality
- to provide “privacy achieved by a wired network”
802.11b Security Services
Two security services provided:
- Authentication
- Shared Key Authentication
- Encryption
- Wired Equivalence Privacy
- Shared key between
- Stations.
- An Access Point.
- Extended Service Set
- All Access Points will have same shared key.
- No key management
- Shared key entered manually into
- Stations
- Access points
- Key management nightmare in large wireless LANs
- Ron’s Code number 4
- Symmetric key encryption
- RSA Security Inc.
- Designed in 1987.
- Trade secret until leak in 1994.
- RC4 can use key sizes from 1 bit to 2048 bits.
- RC4 generates a stream of pseudo random bits
- XORed with plaintext to create ciphertext.
WEP – Sending
- Compute Integrity Check Vector (ICV).
- Provides integrity
- 32 bit Cyclic Redundancy Check.
- Appended to message to create plaintext.
- Plaintext encrypted via RC4
- Plaintext encrypted via RC4
- Provides confidentiality.
- Plaintext XORed with long key stream of pseudo random bits.
- Key stream is function of
- 40-bit secret key
- 24 bit initialisation vector
- Ciphertext is transmitted.
- Ciphertext is received.
- Ciphertext decrypted via RC4
- Ciphertext XORed with long key stream of pseudo random bits.
- Key stream is function of
- 40-bit secret key
- 24 bit initialisation vector (IV)
- Check ICV
- Separate ICV from message.
- Compute ICV for message
- Compare with received ICV
WEP Encryption
Shared Key Authentication
- When station requests association with Access Point
- AP sends random number to station
- Station encrypts random number
- Uses RC4, 40 bit shared secret key & 24 bit IV
- Encrypted random number sent to AP
- AP decrypts received message
- Uses RC4, 40 bit shared secret key & 24 bit IV
- AP compares decrypted random number to transmitted random number
- Shared secret key required for:
- Associating with an access point.
- Sending data.
- Receiving data.
- Messages are encrypted.
- Confidentiality.
- Messages have checksum.
- Integrity.
- But management traffic still broadcast in clear containing SSID.
- V must be different for every message transmitted.
- 802.11 standard doesn’t specify how IV is calculated.
- Wireless cards use several methods
- Some use a simple ascending counter for each message.
- Some switch between alternate ascending and descending counters.
- Some use a pseudo random IV generator.
- If 24 bit IV is an ascending counter,
- If Access Point transmits at 11 Mbps,
- All IVs are exhausted in roughly 5 hours.
- Passive attack:
- Attacker collects all traffic
- Attacker could collect two messages:
- Encrypted with same key and same IV
- Statistical attacks to reveal plaintext
- Plaintext XOR Ciphertext = Keystream
- If attacker knows plaintext and ciphertext pair
- Keystream is known.
- Attacker can create correctly encrypted messages.
- Access Point is deceived into accepting messages.
- Bitflipping
- Flip a bit in ciphertext
- Bit difference in CRC-32 can be computed
- Capture ciphertext.
- IV is included in message.
- Search all 240 possible secret keys.
- 1,099,511,627,776 keys
- ~170 days on a modern laptop
- Find which key decrypts ciphertext to plaintext.
- First tool to demonstrate attack using IV weakness.
- Open source, Anton Rager.
- Three components
- Weaker IV generator.
- Search sniffer output for weaker IVs & record 1st byte.
- Cracker to combine weaker IVs and selected 1st bytes.
- Cumbersome.
- Automated tool
- Cypher42, Minnesota, USA.
- Does it all!
- Sniffs
- Searches for weaker IVs
- Records encrypted data
- Until key is derived.
- 100 Mb to 1 Gb of transmitted data.
3 to 4 hours on a very busy WLAN.
- FMS described a simple method to find weak IVs
- Many manufacturers avoid those IVs after 2002
- Therefore Airsnort and others may not work on recent hardware
- However David Hulton aka h1kari
- Properly implemented FMS attack which shows many more weak IVs
- Identified IVs that leak into second byte of key stream.
- Second byte of SNAP header is also 0xAA
- So attack still works on recent hardware
- And is faster on older hardware
- Dwepcrack, weplab, aircrack
- Security Policy & Architecture Design
- Treat as untrusted LAN
- Discover unauthorised use
- Access point audits
- Station protection
- Access point location
- Antenna design
- Define use of wireless network
- What is allowed
- What is not allowed
- Holistic architecture and implementation
- Consider all threats.
- Design entire architecture
- Search for unauthorised access points, ad-hoc networks or clients.
- Port scanning
- For unknown SNMP agents.
- For unknown web or telnet interfaces.
- Warwalking!
- Sniff 802.11 packets
- Identify IP addresses
- Detect signal strength
- But may sniff your neighbours
- Wireless Intrusion Detection
- AirMagnet, AirDefense, Trapeze, Aruba,…
- Review security of access points.
- Are passwords and community strings secure?
- Use Firewalls & router ACLs
- Limit use of access point administration interfaces.
- Standard access point config:
- SSID
- WEP keys
- Community string & password policy
- Wi-Fi Protected Access
- Works with 802.11b, a and g
- “Fixes” WEP’s problems
- Existing hardware can be used
- 802.1x user-level authentication
- TKIP
- RC4 session-based dynamic encryption keys
- Per-packet key derivation
- Unicast and broadcast key management
- New 48 bit IV with new sequencing method
- Michael 8 byte message integrity code (MIC)
- Optional AES support to replace RC4
- 802.1x is a general purpose network access control mechanism
- WPA has two modes
- Pre-shared mode, uses pre-shared keys
- Enterprise mode, uses Extensible Authentication Protocol (EAP) with a RADIUS server making the authentication decision
- EAP is a transport for authentication, not authentication itself
- EAP allows arbitrary authentication methods
- WAP is used on small, handheld devices like cell phones for out-of-the-office connectivity
- Designers created WTLS (Wireless Transport Layer Security) as a method to ensure privacy of the data because it was being broadcast
- 802.11 does not allow physical control of the transport mechanism
- Transmission of all network data wirelessly transmits frames to all wireless machines, not just a single client
- Poor authentication. The SSID is broadcast to anyone listening
- Flawed implementation of the RC4 encryption algorithm makes even encrypted traffic subject to interception and decryption
- WEP is used to encrypt wireless communications in an 802.11 environment and S/MIME for email