CSE 4905 WiFi Security II WPA2 (WiFi Protected Access 2)

Example 802.11 networks UConn-Secure My home network WPA2-enterprise Encryption: AES Authentication: EAP-PEAP (on a Windows laptop) My home network WPA2-personal Authentication: network security key

WPA and WPA2
- WPA
  - designed to work w/ legacy 802.11 hardware (that supports RC4)
  - uses Temporal Key Integrity Protocol (TKIP)
- WPA2
  - uses AES-CCMP (for confidentiality and integrity)
  - currently considered secure (if implemented correctly)
  - implements the mandatory elements of 802.11i
- 802.11i, also called Robust Security Network (RSN)

802.11i: improved security
- Overcome weaknesses in WEP
- Authentication and key management
  - uses authentication server separate from access point
- Stronger encryption mechanisms
  - Temporal Key Integrity Protocol (TKIP)
  - AES-CCMP

802.11i: five phases
1. Discovery
2. Authentication
3. Key management
4. Protected data transfer
5. Connection termination

802.11i: five phases of operation
(STA: client station; AP: access point; AS: authentication server, on the wired network)
1. Discovery of security capabilities
2. STA and AS mutually authenticate, together generate Master Key (MK). AP serves as “pass through”
3. STA derives Pairwise Master Key (PMK); AS derives same PMK, sends to AP. STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity
4. Protected data transfer
5. Connection termination

802.11i discovery & authentication

802.1X Access Control

IEEE 802.11i makes use of another standard that was designed to provide access control functions for LANs. The standard is IEEE 802.1X, Port-Based Network Access Control. The authentication protocol that is used, the Extensible Authentication Protocol (EAP), is defined in the IEEE 802.1X standard. IEEE 802.1X uses the terms supplicant, authenticator, and authentication server. In the context of an 802.11 WLAN, the first two terms correspond to the wireless station and the AP. The AS is typically a separate device on the wired side of the network (i.e., accessible over the DS) but could also reside directly on the authenticator.

Until the AS authenticates a supplicant (using an authentication protocol), the authenticator only passes control and authentication messages between the supplicant and the AS; the 802.1X control channel is unblocked, but the 802.11 data channel is blocked. Once a supplicant is authenticated and keys are provided, the authenticator can forward data from the supplicant, subject to predefined access control limitations for the supplicant to the network. Under these circumstances, the data channel is unblocked.

As indicated in Figure 24.8, 802.1X uses the concepts of controlled and uncontrolled ports. Ports are logical entities defined within the authenticator and refer to physical network connections. For a WLAN, the authenticator (the AP) may have only two physical ports: one connecting to the DS and one for wireless communication within its BSS. Each logical port is mapped to one of these two physical ports. An uncontrolled port allows the exchange of PDUs between the supplicant and the other AS, regardless of the authentication state of the supplicant. A controlled port allows the exchange of PDUs between a supplicant and other systems on the LAN only if the current state of the supplicant authorizes such an exchange.

The 802.1X framework, with an upper-layer authentication protocol, fits nicely with a BSS architecture that includes a number of wireless stations and an AP. However, for an IBSS, there is no AP. For an IBSS, 802.11i provides a more complex solution that, in essence, involves pairwise authentication between stations on the IBSS.

EAP: extensible authentication protocol
- EAP: end-end client (mobile) to authentication server protocol
- EAP sent over separate “links”
  - mobile-to-AP (EAP over LAN)
  - AP to authentication server (RADIUS over UDP)
- EAP not defined in 802.11i
[Figure: protocol stack. EAP TLS over EAP, carried by EAP over LAN (EAPoL) on IEEE 802.11 between mobile and AP, and by RADIUS over UDP/IP on the wired network]

EAP methods for WLAN: goals
- Strong cryptographic protection of user credentials
- Mutual authentication
  - Instead of one-way in WEP
  - Client device also needs to authenticate AP
- Key derivation
  - Allow dynamic keys to be derived later on

EAP methods
- Cryptographic methods are recommended
  - EAP-TLS
    - Based on TLS
    - Require certificates on both client devices and AS
  - EAP-TTLS and EAP-PEAP
    - Outer authentication: authenticate AS to client
      - Certificate based, only require certificates on APs
    - Inner authentication: authenticate client to AS
      - use existing authentication method over TLS tunnel
- Non-cryptographic methods
  - Not suitable for WLAN
  - Generic token card, EAP-MSCHAP, …

EAP-TLS
- EAP-TLS is not part of 802.11i; neither is any other specific authentication method
- But EAP-TLS is the de facto 802.11i authentication method
  - Can meet all 802.11i requirements
  - Other widely deployed methods do not
- EAP-TLS = TLS Handshake over EAP
  - EAP-TLS defined by RFC 2716
  - TLS defined by RFC 2246
  - Always requires provisioning AS certificate on the STA
  - Mutual authentication requires provisioning STA certificates

Discussion
- What authentication method is used between AP & AS?
  - RADIUS based? Rely on a certificate on the AP?
- How is the PMK communicated from AS to AP?
  - TLS based?

802.11i key generation & distribution
- After authentication phase, AP and client have pairwise master key (PMK)
- Use 4-way handshake to
  - confirm existence of the PMK
  - confirm liveness of the peers
  - generate a fresh pairwise transient key (PTK) for each subsequent session
  - …

The 4-way handshake
- A: access point, S: STA (client device, supplicant)
- AA (SPA): MAC address of AP (STA)
- ANonce (SNonce): nonce from AP (STA)
- sn: sequence number, MIC: message integrity code
- PTK: generated using PMK, AA, SPA, ANonce, SNonce

The 4-way handshake (cont’d)
1. AP sends STA a nonce (prevent replay attacks)
2. STA sends AP a message including: supplicant nonce, security parameter from the initial association; whole message protected by MIC. AP extracts SNonce, derives PTK
   - PTK are now in place on both sides. Need to confirm the key.
3. AP sends STA a message to confirm PTK
4. STA confirms PTK
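
The handshake above, as an added Python example that is not part of the original slides: it derives the PTK with the 802.11i PRF (HMAC-SHA1) and uses the MIC for key confirmation. The message byte strings are simplified stand-ins for EAPOL-Key frames, and the PMK, addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK from PMK, AA, SPA, ANonce, SNonce; 48 bytes split as KCK | KEK | TK (CCMP)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

def mic(kck, msg):
    """Message integrity code: HMAC-SHA1 keyed with the KCK, truncated to 128 bits."""
    return hmac.new(kck, msg, hashlib.sha1).digest()[:16]

def four_way(pmk_ap, pmk_sta, aa, spa, anonce, snonce):
    """Simplified messages 1-4 (not real EAPOL-Key frames). Returns (ok, TK_ap, TK_sta)."""
    # Msg 1, AP -> STA: ANonce, no MIC. The STA can now derive the PTK.
    sta = derive_ptk(pmk_sta, aa, spa, anonce, snonce)
    # Msg 2, STA -> AP: SNonce, protected by a MIC under the STA's KCK.
    m2 = b"msg2|sn=1|" + snonce
    m2_mic = mic(sta["KCK"], m2)
    # AP extracts SNonce, derives its PTK and checks the MIC: a match shows the
    # STA holds the same PMK and answered this ANonce (liveness).
    ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic(ap["KCK"], m2), m2_mic):
        return False, None, None
    # Msg 3, AP -> STA: MIC under the AP's KCK shows the AP knows the PMK too.
    m3 = b"msg3|sn=2|" + anonce
    if not hmac.compare_digest(mic(sta["KCK"], m3), mic(ap["KCK"], m3)):
        return False, None, None
    # Msg 4, STA -> AP: confirmation; both sides install TK for data transfer.
    m4 = b"msg4|sn=2"
    if not hmac.compare_digest(mic(ap["KCK"], m4), mic(sta["KCK"], m4)):
        return False, None, None
    return True, ap["TK"], sta["TK"]

# Constructed sample values (not from the slides).
PMK = bytes(range(32))
AA, SPA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest()

if __name__ == "__main__":
    print(four_way(PMK, PMK, AA, SPA, ANONCE, SNONCE)[0])           # matching PMK
    print(four_way(PMK, bytes(32), AA, SPA, ANONCE, SNONCE)[0])     # mismatched PMK
```

A new ANonce or SNonce changes every byte of the PTK, which is what gives each session a fresh temporal key from the same PMK.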

Data transfer
- Two protocols to protect data transfer
  - TKIP – for legacy devices only
  - CCMP – better security for new devices
- Two protocols instead of one due to politics

Data transfer requirements
- Never send or receive unprotected packets
- Message origin authenticity — prevent forgeries
- Sequence packets — detect replays
- Avoid rekeying — 48 bit packet sequence number
- Protect source and destination addresses
- Use strong cryptographic primitives for both confidentiality and integrity
- Interoperate with proposed quality of service (QoS) enhancements (IEEE 802.11 TGe)

TKIP overview
- Designed as a wrapper around WEP
  - Can be implemented in software
  - Reuses existing WEP hardware
  - Runs WEP as a sub-component
- Design of TKIP a challenging task
- Meets criteria for a good standard: everyone unhappy with it

TKIP design challenges
- Mask WEP’s weaknesses…
  - Prevent data forgery
  - Prevent replay attacks
  - Prevent encryption misuse
  - Prevent keystream reuse
- … On existing AP hardware
  - 33 or 25 MHz ARM7 or i486 already running at 90% CPU utilization before TKIP
  - Utilize existing WEP off-load hardware
  - Software/firmware upgrade only
  - Don’t unduly degrade performance

TKIP differences from WEP
- Key hierarchy and automatic key management
- Per-frame keying
  - derive a unique RC4 key for each frame from master key
- Sequence number (mitigate replay attacks)
- New message integrity check (MIC)
  - Cryptographic hash algorithm: Michael
  - Countermeasures on MIC failures

TKIP IV and key mixing
- IV: 48 bits
  - Reset to zero, increment by one for each frame
  - Unique IV during lifetime of a key
  - Also serves as sequence number
- Key mixing: unique keystream for each frame
  - Include sender MAC address, temporal key, IV (sequence number)
  - Two STAs that use the same IV will have different keystream

TKIP sequence number & replay protection
- Protect against replay
  - reset packet sequence # to 0 on rekey
  - increment sequence # by 1 on each packet
  - drop any packet received out of sequence
[Figure: frames between Access Point and Wireless Station: Hdr Packet n, Hdr Packet n + 1, Hdr Packet n]

TKIP data processing
- Encryption & integrity protection in same process
- Data transmission
- TKIP frame similar to WEP frame
- Reception

Discussion: TKIP vulnerabilities
- IV predictable, still in plaintext, problems?
  - IV is supposed to be distinct (in this context, so that the keystream for each frame for each STA is distinct); it does not need to be predictable
- …

Counter Mode-CBC MAC Protocol (CCMP)
- Long-term solution
- Based on AES block cipher instead of RC4
  - AES with 128-bit key and 128-bit blocks (or longer, 192, 256)
- Data confidentiality
  - Encryption: counter mode of block cipher with AES
- Message integrity
  - Cipher-block-chaining message authentication mode (CBC-MAC)

CCMP is intended for newer IEEE 802.11 devices that are equipped with the hardware to support this scheme. As with TKIP, CCMP provides two services:
• Message integrity: CCMP uses the cipher-block-chaining message authentication code (CBC-MAC), described in Chapter 12.
• Data confidentiality: CCMP uses the CTR block cipher mode of operation with AES for encryption. CTR is described in Chapter 20.
The same 128-bit AES key is used for both integrity and confidentiality. The scheme uses a 48-bit packet number to construct a nonce to prevent replay attacks.

CCMP data processing
- 48-bit packet number
  - Similar to sequence number in TKIP
- Additional authentication data
  - Protect frame header
- CCMP nonce
  - Constructed using packet number & sender addr.
- CCMP header
- Data & MIC encrypted
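
How the 48-bit packet number travels in the CCMP header, feeds the nonce and drives replay detection, as an added Python example that is not part of the original slides. The `ReplayFilter` class, the sample addresses and the frame sequence are constructed for illustration; the AES-CCM encryption itself is left out.

```python
def ccmp_header(pn, key_id=0):
    """8-byte CCMP header: PN0 PN1 rsvd flags PN2 PN3 PN4 PN5 (ExtIV bit = 0x20)."""
    p = pn.to_bytes(6, "little")          # p[0] = PN0, the least significant byte
    return bytes([p[0], p[1], 0, 0x20 | (key_id << 6), p[2], p[3], p[4], p[5]])

def parse_pn(hdr):
    """Recover the 48-bit packet number from a CCMP header."""
    if len(hdr) != 8 or not hdr[3] & 0x20:
        raise ValueError("not a CCMP header")
    return int.from_bytes(hdr[0:2] + hdr[4:8], "little")

def ccmp_nonce(sender, pn, priority=0):
    """13-byte CCM nonce: priority || sender address || PN (most significant byte first)."""
    return bytes([priority & 0x0F]) + sender + pn.to_bytes(6, "big")

class ReplayFilter:
    """Receiver state (hypothetical helper): highest PN accepted so far, per sender."""
    def __init__(self):
        self.last = {}

    def accept(self, sender, hdr):
        pn = parse_pn(hdr)
        # Assumption of this sketch: the counter starts at 0 when the key is
        # installed, so the first acceptable PN is 1.
        if pn <= self.last.get(sender, 0):
            return False                  # replayed or out of sequence: drop
        # A real receiver advances the counter only after the MIC verifies.
        self.last[sender] = pn
        return True

def classify(frames):
    """Run (sender, header) pairs through one filter; return accept/drop verdicts."""
    rf = ReplayFilter()
    return [rf.accept(sender, hdr) for sender, hdr in frames]

# Constructed sample traffic: STA_A resends PN 2 and sends a stale PN 3 after PN 5.
STA_A, STA_B = bytes.fromhex("020000000002"), bytes.fromhex("020000000003")
FRAMES = [(STA_A, ccmp_header(1)), (STA_A, ccmp_header(2)), (STA_B, ccmp_header(1)),
          (STA_A, ccmp_header(2)), (STA_A, ccmp_header(5)), (STA_A, ccmp_header(3))]

if __name__ == "__main__":
    print(classify(FRAMES))
```

Because the sender address is part of the nonce, two stations using the same packet number under a shared key still produce different nonces.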

CCMP frame
[Figure: frame layout Header | Payload | MIC, with “Authenticated” and “Encrypted” span labels]
- Use CBC-MAC to compute a MIC on the plaintext header, length of the plaintext header, and the payload
- Use CTR mode to encrypt the payload
  - Counter values 1, 2, 3, …
- Use CTR mode to encrypt the MIC
  - Counter value 0

Comparison

              WEP               TKIP                               CCMP
Cipher        RC4               RC4                                AES
Key Size      40 or 104 bits    128 bits encryption, 64 bit auth   128 bits
Key Life      24-bit IV, wrap   48-bit IV                          48-bit IV
Packet Key    Concat.           Mixing Fnc                         Not Needed
Integrity
  Data        CRC-32            Michael                            CCM
  Header      None              Michael                            CCM
Replay        None              Use IV                             Use IV
Key Mgmt.     None              EAP-based                          EAP-based

Summary: Securing 802.11 WLAN
- WEP: completely broken
- Current standard: WPA2/802.11i
  - Considered secure
  - Authentication & key management
  - CCMP
- TKIP: intermediate solution
  - Backwards compatible with WEP

Remaining challenges
- Rogue APs
- Evil twin attacks
- Jamming attacks
- …