WLAN and IEEE 802.11 Security


Agenda

- Intro to WLAN
- Security mechanisms in IEEE 802.11
- Attacks on 802.11
- Summary

Wireless LAN Technologies

- WLAN technologies are becoming increasingly popular, and promise to be the platform for many future applications:
  - Home Entertainment Networking
- Example WLAN/WPAN technologies:
  - IEEE 802.11
  - Bluetooth

[Chart: WLAN end-user forecast (millions)]

IEEE 802.11 Wireless Networks

- Speeds of up to 54 Mb/s
- Operating range: 10-100 m indoors, 300 m outdoors
- Power output limited to 1 Watt in the U.S.
- Physical layers: Frequency Hopping (FHSS), Direct Sequence and Infrared (IrDA); networks using different physical layers are NOT compatible with each other
- Uses the unlicensed 2.4/5 GHz bands (2.402-2.480 GHz, 5 GHz)
- Provides wireless Ethernet for wired networks

WLAN Components

More about WLAN

Modes of Operation

- Ad Hoc mode (Independent Basic Service Set - IBSS)
- Infrastructure mode (Basic Service Set - BSS)

Ad-Hoc mode

[Figure: ad-hoc network of Client A, Client B and Client C]

Laptop users wishing to share files could set up an ad-hoc network using 802.11-compatible NICs and share files without the need for external media.

Infrastructure mode

In this mode the clients communicate via a central station called the Access Point (AP), which acts as an Ethernet bridge and forwards the communication onto the appropriate network, either the wired or the wireless network.

[Figure: Client A and Client B communicating through an access point]

WLAN Security – Problem!!

There is no physical link between the nodes of a wireless network; the nodes transmit over the air, and hence anyone within radio range can eavesdrop on the communication. So conventional security measures that apply to a wired network do not work in this case.

[Figure: internal network protected behind a wireless access point, valid-user access only]

Wireless Security of 802.11

The IEEE 802.11 specification identified several services to provide a secure operating environment. The security services are provided largely by the Wired Equivalent Privacy (WEP) protocol to protect link-level data during wireless transmission between clients and access points. WEP does not provide end-to-end security, but only for the wireless portion of the connection.

Basic security services defined by IEEE

The three basic security services defined by IEEE for the WLAN environment are as follows:

Authentication

A primary goal of WEP was to provide a security service to verify the identity of communicating client stations. This provides access control to the network by denying access to client stations that cannot authenticate properly. This service addresses the question, “Are only authorized persons allowed to gain access to my network?”

Confidentiality

Confidentiality, or privacy, was a second goal of WEP. It was developed to provide “privacy achieved by a wired network.” The intent was to prevent information compromise from casual eavesdropping (passive attack). This service, in general, addresses the question, “Are only authorized persons allowed to view my data?”

Integrity

Another goal of WEP was a security service developed to ensure that messages are not modified in transit between the wireless clients and the access point in an active attack. This service addresses the question, “Is the data coming into or exiting the network trustworthy, or has it been tampered with?”

Authentication

The IEEE 802.11 specification defines two means to “validate” wireless users attempting to gain access to a wired network: open-system authentication and shared-key authentication. One means, shared-key authentication, is based on cryptography, and the other is not. The open-system authentication technique is not truly authentication; the access point accepts the mobile station without verifying the identity of the station. It should be noted also that the authentication is only one-way: only the mobile station is authenticated. The mobile station must trust that it is communicating with a real AP.

Privacy

The 802.11 standard supports privacy (confidentiality) through the use of cryptographic techniques for the wireless interface. The WEP cryptographic technique for confidentiality uses the RC4 symmetric-key stream cipher algorithm to generate a pseudo-random data sequence.

Integrity

The IEEE 802.11 specification also outlines a means to provide data integrity for messages transmitted between wireless clients and access points. This security service was designed to reject any messages that had been changed by an active adversary “in the middle.” This technique uses a simple encrypted Cyclic Redundancy Check (CRC) approach.

IEEE 802.11 Basic Security Mechanisms

- Service Set Identifier (SSID)
- MAC address filtering
- Wired Equivalent Privacy (WEP) protocol

802.11 products are shipped by the vendors with all security mechanisms disabled!!

Security Threats

Network security attacks are typically divided into passive and active attacks. These two broad classes are then subdivided into other types of attacks.

Passive Attack

An attack in which an unauthorized party gains access to an asset and does not modify its content (i.e., eavesdropping). Passive attacks can be either eavesdropping or traffic analysis (sometimes called traffic flow analysis). These two passive attacks are described below.

Eavesdropping

The attacker monitors transmissions for message content. An example of this attack is a person listening in to the transmissions on a LAN between two workstations or tuning in to transmissions between a wireless handset and a base station.

Traffic analysis

The attacker, in a more subtle way, gains intelligence by monitoring the transmissions for patterns of communication. A considerable amount of information is contained in the flow of messages between communicating parties.

Active Attack

An attack whereby an unauthorized party makes modifications to a message, data stream, or file. It is possible to detect this type of attack but it may not be preventable. Active attacks may take the form of one of four types (or a combination thereof): masquerading, replay, message modification, and denial-of-service (DoS).

Masquerading

The attacker impersonates an authorized user and thereby gains certain unauthorized privileges.

Replay

The attacker monitors transmissions (passive attack) and retransmits messages as the legitimate user.

Message modification

The attacker alters a legitimate message by deleting, adding to, changing, or reordering it.

Denial-of-service

The attacker prevents or prohibits the normal use or management of communications facilities.

Technical Countermeasures

Technical countermeasures involve the use of hardware and software solutions to help secure the wireless environment.

- Software countermeasures include proper AP configurations (i.e., the operational and security settings on an AP), software patches and upgrades, authentication, intrusion detection systems (IDS), and encryption.
- Hardware solutions include smart cards, VPNs, public key infrastructure (PKI), and biometrics. It should be noted that hardware solutions, which generally have software components, are listed simply as hardware solutions.

Service Set Identifier (SSID) and its limits!

- Limits access by identifying the service area covered by the access points. The AP periodically broadcasts the SSID in a beacon.
- An end station listens to these broadcasts and chooses an AP to associate with based upon its SSID.
- Use of the SSID is a weak form of security, as beacon management frames on an 802.11 WLAN are always sent in the clear.
- A hacker can use analysis tools (e.g. AirMagnet, Netstumbler, AiroPeek) to identify the SSID.
- Some vendors use default SSIDs which are pretty well known (e.g. Cisco uses "tsunami").

MAC Address Filtering

The system administrator can specify a list of MAC addresses that are allowed to communicate through an access point.

Advantage:

- Provides slightly stronger security than the SSID

Disadvantages:

- Increases administrative overhead
- Reduces scalability
- Determined hackers can still break it

Wired Equivalent Privacy (WEP)

- Designed to provide confidentiality to a wireless network similar to that of standard LANs.
- WEP is essentially the RC4 symmetric-key cryptographic algorithm (same key for encrypting and decrypting).
- The transmitting station concatenates the 40-bit key with a 24-bit Initialization Vector (IV) to seed RC4, which produces a pseudorandom key stream.
- The plaintext is XORed with the pseudorandom key stream to produce the ciphertext.
- The ciphertext is concatenated with the IV and transmitted over the wireless medium.
- The receiving station reads the IV, concatenates it with the secret key, and produces a local copy of the pseudorandom key stream.
- The received ciphertext is XORed with the generated key stream to get back the plaintext.

WEP has its cost!

WEP – vulnerability to attack

- WEP has been broken! Walker (Oct 2000), Borisov et al. (Jan 2001), Fluhrer, Mantin and Shamir (Aug 2001).
- Unsafe at any key size: testing reveals WEP encapsulation remains insecure whether its key length is 1 bit or 1000 bits or any other size.
- More about this at: http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/0362.zip

WEP Overview

WEP relies on a shared key K between the communicating parties.

1. Checksum: for a message M, we calculate c(M). The plaintext is $P = \{M, c(M)\}$.

2. Encryption: the plaintext is encrypted using RC4. RC4 requires an initialization vector (IV) v and the key K. Its output is a stream of bits called the keystream. Encryption is XOR with P:

   $C = P \oplus \mathrm{RC4}(v, K)$

3. Transmission: the IV and the ciphertext C are transmitted.

[Figure: message and CRC, XORed with keystream RC4(v,K), giving the ciphertext, transmitted together with v]

WEP Security Goals

- WEP had three main security goals:
  - Confidentiality: prevent eavesdropping
  - Access control: prevent inappropriate use of the 802.11 network, e.g. by dropping packets that are not authorized
  - Data integrity: ensure that messages are not altered or tampered with in transit
- The basic WEP standard uses a 40-bit key (with a 24-bit IV)
- Additionally, many implementations allow for a 104-bit key (with a 24-bit IV)
- None of the three goals is provided by WEP, due to serious security design flaws and the fact that it is easy to eavesdrop on a WLAN

WEP (Vernam) Key Stream Reuse

- Vernam-style stream ciphers are susceptible to attacks when the same IV and key are reused:

  $C_1 = P_1 \oplus \mathrm{RC4}(v, K)$
  $C_2 = P_2 \oplus \mathrm{RC4}(v, K)$
  $C_1 \oplus C_2 = P_1 \oplus \mathrm{RC4}(v, K) \oplus P_2 \oplus \mathrm{RC4}(v, K) = P_1 \oplus P_2$

- Particularly weak to a known-plaintext attack: if $P_1$ is known, then $P_2$ is easy to find (as is the keystream $\mathrm{RC4}(v, K)$).
  - This might occur when contextual information gives $P_1$ (e.g. application-level or network-level information reveals it)
- Even so, there are techniques to recover $P_1$ and $P_2$ when just $P_1 \oplus P_2$ is known (frequency analysis, crib dragging)
  - Example: look for two texts that XOR to the same value

WEP’s Proposed Fix

- WEP’s engineers were aware (it seems??) of this weakness and required a per-packet IV strategy to vary key stream generation.
- Problems:
  - Keys, K, typically stay fixed, so eventual reuse of the IV means eventual repetition of the keystream!!
  - IVs are transmitted in the clear, so it is trivial to detect IV reuse
  - Many cards set the IV to 0 at startup and increment it sequentially from there
  - Even so, the IV is only 24 bits!
- Calculation: suppose you send 1500-byte packets at 5 Mbps; then the $2^{24}$ possible IVs will be used up in 11.2 hours! Even worse: we should expect to see at least one collision after 5000 packets are sent!

Thus, we will see the same IV again… and again…
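The two figures quoted on this slide (IV exhaustion time for sequential IVs and the birthday bound for random IVs), as an added example that is not from the slides; the packet size and link rate default to the slide's numbers and are parameters so other rates can be checked.

```python
import math

IV_SPACE = 2 ** 24  # a 24-bit IV gives 16,777,216 distinct keystreams per key K

def hours_to_exhaust_ivs(packet_bytes: int = 1500, rate_bps: float = 5e6) -> float:
    """Sequential IVs: one IV per frame, so exhaustion takes 2^24 / (frames/s).
    Defaults are the slide's 1500-byte packets at 5 Mbps (about 11.2 hours)."""
    frames_per_second = rate_bps / (packet_bytes * 8)
    return IV_SPACE / frames_per_second / 3600

def collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Random IVs: birthday bound P(some IV repeats) ~ 1 - exp(-n(n-1) / 2N).
    Random selection does not escape the problem, it only changes when it hits."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))

def frames_for_even_odds(space: int = IV_SPACE) -> int:
    """Smallest n at which a repeat is more likely than not: solve n(n-1) = 2N ln 2,
    which for N = 2^24 is under 5000 frames, matching the slide's claim."""
    return math.ceil((1 + math.sqrt(1 + 8 * space * math.log(2))) / 2)
```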

WEP Decryption Dictionaries

- Once a plaintext is known for an IV collision, the adversary can obtain the key stream for that specific IV!
- The adversary can gather the keystream for each IV collision he observes
  - As he does so, it becomes progressively easier to decrypt future messages (and he will get improved context information!)
  - The adversary can build a dictionary of (IV, keystream) pairs
- This dictionary attack is effective regardless of key size, as it only depends on the IV size!

WEP Weakness in Message Authentication

- The checksum used by WEP is CRC-32, which is not a cryptographic checksum (MAC)
  - The purpose of the checksum is to see if noise modified the message, not to prevent “malicious” and intelligent modifications
- Property of CRC: the checksum is a linear function of the message, $c(x \oplus y) = c(x) \oplus c(y)$
- This property allows one to make controlled modifications to a ciphertext without disrupting the checksum:
  - Suppose the ciphertext C is $C = \mathrm{RC4}(v, K) \oplus \{M, c(M)\}$
  - We can make a new ciphertext $C'$ that corresponds to an $M'$ of our choosing
  - Then we can spoof the source by sending $A \rightarrow B: \{v, C'\}$

WEP: Spoofing the Source

- Our goal: produce an $M' = M \oplus d$ and a corresponding checksum that will pass the checksum test. (Hence, we will need to make a plaintext $P' = \{M', c(M')\}$ and a corresponding ciphertext $C'$.)
- Start by choosing our own $d$ value, and calculate its checksum. Observe:

$$
\begin{aligned}
C' &= C \oplus \{d, c(d)\} \\
   &= \mathrm{RC4}(v, K) \oplus \{M, c(M)\} \oplus \{d, c(d)\} \\
   &= \mathrm{RC4}(v, K) \oplus \{M \oplus d,\; c(M) \oplus c(d)\} \\
   &= \mathrm{RC4}(v, K) \oplus \{M',\; c(M \oplus d)\} \\
   &= \mathrm{RC4}(v, K) \oplus \{M',\; c(M')\}
\end{aligned}
$$

- Thus, we have produced a new plaintext of our choosing and made a corresponding ciphertext $C'$.
- This does not require knowledge of M; in fact, we can choose $d$ to flip bits!

WEP Message Injection (No Access Control!)

- Property: the WEP checksum is an unkeyed function of the message.
- If an attacker can obtain an entire plaintext corresponding to a frame, he will then be able to inject arbitrary traffic into the network (for the same IV):
  1. Get $\mathrm{RC4}(v, K)$
  2. For any message $M'$, form $C' = \mathrm{RC4}(v, K) \oplus \{M', c(M')\}$
- Why did this work? $c(M)$ only depended on M and not on any key!!!

(Note: an adversary can easily masquerade as an AP since there are no mechanisms to prevent IV reuse at the AP level!)
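The WEP model used in the slides above (v || K fed to RC4, CRC-32 as the checksum, keystream cancellation under a repeated IV, and the CRC linearity argument behind controlled modification), as an added toy simulation; this is not code from the slides or from any 802.11 implementation. Key, IV, messages and the keyed-MAC alternative are constructed assumptions; frames are byte strings and nothing goes over the air.

```python
import hashlib, hmac, struct, zlib

def rc4(seed: bytes, n: int) -> bytes:
    """RC4 keystream of n bytes (KSA, then PRGA). WEP seeds it with v || K."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def crc(m: bytes) -> bytes:
    """c(M): standard CRC-32 (with init value and final XOR), as the 802.11 ICV."""
    return struct.pack("<I", zlib.crc32(m))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encap(key: bytes, iv: bytes, m: bytes) -> bytes:
    """P = {M, c(M)}; C = P xor RC4(v, K); the frame carries v in the clear."""
    p = m + crc(m)
    return iv + xor(p, rc4(iv + key, len(p)))

def wep_decap(key: bytes, frame: bytes):
    """Returns (M, icv_ok). Matching the CRC is WEP's only integrity check."""
    iv, c = frame[:3], frame[3:]
    p = xor(c, rc4(iv + key, len(c)))
    return p[:-4], p[-4:] == crc(p[:-4])

def keystream_reuse(frame1: bytes, frame2: bytes) -> bytes:
    """Same v and K: C1 xor C2 = P1 xor P2, the keystream cancels out."""
    return xor(frame1[3:], frame2[3:])

def crc_affine(x: bytes, y: bytes) -> bool:
    """The slide writes c(x^y) = c(x)^c(y). CRC-32's init/final XOR make the
    real identity affine: c(x^y) = c(x)^c(y)^c(0...0), same consequence."""
    zeros = bytes(len(x))
    return crc(xor(x, y)) == xor(xor(crc(x), crc(y)), crc(zeros))

def xor_into_frame(frame: bytes, d: bytes) -> bytes:
    """The slide's C' = C xor {d, c(d)}, with the c(0...0) term from the
    affine identity folded in. Needs neither K nor M; the ICV still matches."""
    delta = d + xor(crc(d), crc(bytes(len(d))))
    return frame[:3] + xor(frame[3:], delta)

def keyed_tag(mac_key: bytes, frame: bytes) -> bytes:
    """What WEP lacked: a keyed MAC over v || C, so the XOR above is detected."""
    return hmac.new(mac_key, frame, hashlib.sha256).digest()
```

The decapsulated frame after `xor_into_frame` still passes the CRC check while `keyed_tag` over the original and modified frames differ, which is the whole difference between a checksum and a MAC.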

Other Security Problems of 802.11

- Easy access
- "Rogue" access points
- Unauthorized use of service
- Traffic analysis and eavesdropping
- Higher-level attacks

Drive By Hacking (War Driving)

[Figure: PalmPilot and mobile phone less than 1500 ft from the access point]

If the distance from the access point to the street outside is 1500 feet or less, then an intruder could also get access while sitting outside.

WarWalking

WarChalking

If you suddenly see these marks in front of your house, it means a "warrior" has just passed by. If you happen to meet the person, don't forget to rap them on the head for dirtying your house!

War-driving expeditions

In one 30-minute journey using the Pringles can antenna, witnessed by BBC News Online, the security company I-SEC managed to find and gain information about almost 60 wireless networks.

War Chalking

Practice of marking a series of symbols on sidewalks and walls to indicate nearby wireless access. That way, other computer users can pop open their laptops and connect to the Internet wirelessly.

What are the major security risks to 802.11b?

- Insertion attacks (intrusions!)
- Interception and monitoring of wireless traffic
- Misconfiguration
- Jamming
- Client-to-client attacks (intrusions also!)

Packet Sniffing

Jamming (Denial of Service)

- Broadcast radio signals at the same frequency as the wireless Ethernet transmitters (2.4 GHz)
- To jam, you just need to broadcast a radio signal at the same frequency but at a higher power
- Waveform generators
- Microwave

Replay Attack

[Figure: Alice and Bob exchange authorized WEP communications; Eve eavesdrops, records, and plays back selections]

Measures to strengthen WLAN security

Recommendations

- Wireless LAN related configuration:
  - Enable WEP, use a 128-bit key*
  - Disable SSID broadcasts
  - Change the default access point name
  - Choose a complex admin password
- Use the encryption technologies
- Apply filtering: use the MAC (hardware) address to restrict access
- The use of 802.1x
- Enable the firewall function

Other proposed countermeasures

- Adopt a personal identification system for physical access control.
- Disable file and directory sharing on PCs.
- Ensure that sensitive files are password protected and encrypted.
- Turn off all unnecessary services on the AP.
- If practical, power off the AP(s) when not in use.
- If the AP supports logging, turn it on and review the logs regularly.
- Secure the AP configuration as follows:
  - Choose a robust password to ensure a higher level of security.
  - Use 128-bit encryption.
  - Create MAC ACLs and enable checking in APs.
  - Change the SSID from the default setting and suppress its broadcast.
  - Change WEP keys from the default settings.
  - Disable remote SNMP.
- Conduct a site survey and strategically place wireless APs.
- Deploy a VPN overlay (gateway and client) with an integral firewall.
- Establish comprehensive security policies regarding the use of wireless devices.
- Deploy personal firewalls and antivirus software on the wireless clients.
- Investigate 802.11 products with the best long-term wireless security strategy and longevity in the marketplace.
- Select products with SNMPv3 (or other encrypted management capabilities) on the APs and the integrated firewall-VPN device.

Wireless Network tools

MAC spoofing:

- http://aspoof.sourceforge.net/
- http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp
- http://www.klcconsulting.net/smac/

WEP cracking tools:

- http://www.backtrack-linux.org/
- http://www.remote-exploit.org/articles/backtrack/index.html
- http://wepattack.sourceforge.net/
- http://wepcrack.sourceforge.net/

Wireless analysers:

- http://www.kismetwireless.net/
- http://www.netstumbler.com/

Wireless Network Security

Major Papers on 802.11 Security

- Intercepting Mobile Communications: The Insecurity of 802.11 (Borisov, Goldberg, and Wagner, 2001)
- Your 802.11 Wireless Network Has No Clothes (Arbaugh, Shankar, and Wan, 2001)
- Weaknesses in the Key Scheduling Algorithm of RC4 (Fluhrer, Mantin, and Shamir, 2001)
- The IEEE 802.11b Security Problem, Part 1 (Joseph Williams, 2001, IEEE)
- An IEEE 802.11 Wireless LAN Security White Paper (Jason S. King, 2001)