Re-evaluating the WPA2 Security Protocol

Network Security (WPA-PSK): Just How Safe is Your Information over Wi-Fi?

Statement of Problem

How resistant is the Wi-Fi Protected Access 2, Preshared Key (WPA2-PSK) security mechanism against common network attacks?

Materials and Methods

A server, a client, and an attacking machine were used to perform this experiment. Software such as PineAP, Wireshark, Airbase, Aircrack-ng, Pyrit, and the command line was also used to launch the attacks. Several dictionaries containing passphrases were used to crack the network passphrase.

Procedure for attack:

Snooping:
1) Run Wireshark to collect network packets.

MAC Spoofing:
1) Change the MAC address on the attacking machine.
2) Collect network packets with Wireshark.

De-Authentication:
1) Create a data file to capture the handshake.
2) De-authenticate the client; the handshake is captured.
3) Import the dictionary file into the system.
4) Use Pyrit to crack the passphrase from the 4-way handshake.

Rogue Access Point (offline attack):
1) Create a rogue access point.
2) Create a file to capture the handshake.
3) Repeat steps 3 and 4 of De-Authentication.

Results

De-Authentication attacks yielded a 100% success rate in obtaining the network passphrase. The Rogue Access Point attack yielded an 80% success rate in obtaining the network passphrase. MAC Spoofing did not yield any information. Snooping yielded previously unknown client information 100% of the time.

Discussion

Although WPA2-PSK has been considered the most secure mechanism available for protecting information on networks for nearly a decade, my data shows that this is no longer the case. At the conclusion of this study, it can be reasonably determined that WPA2-PSK is no longer safe for protecting sensitive information on a network. Through a series of experimental attacks, both the passphrase and client information that can lead to another, more direct attack were obtained in a majority of the trials.
Simply put, a security mechanism cannot be considered secure if certain attacks are able to bypass it on a majority of trials. The rogue access point has not been widely studied for penetration of WPA2 networks. However, my experiment resulted in an 80% success rate, which suggests that the rogue access point attack is also effective in defeating the WPA2 security protocol.

Introduction

WPA2-PSK is currently the most advanced network security protocol available to encrypt and prevent unauthorized access to information on a small to moderate network. WPA2-PSK uses a hierarchy of encryption keys derived from a network passphrase, together with a series of authentication steps, to secure information. Its encryption is based on the Advanced Encryption Standard (AES), which is extremely strong. However, certain minute flaws in the authentication sequence may allow the network to be compromised. In this experiment, a series of attacks will target the flaws within WPA2-PSK's authentication sequence. The amount of supposedly encrypted information gained will then be recorded. My hypothesis is that WPA2-PSK will be effective against traffic snooping, MAC spoofing, and Evil Twin access points, but may be ineffective against a client de-authentication attack. The independent variable is the type of network attack; the dependent variable is the amount of information gained.

Figure 4: Average Time for Each Attack
Figure 5: Success Rate of Obtaining Network Passphrase

Future Implications

It has been widely accepted in the IT community that once a network passphrase is gained, several additional pieces of information can also be exploited. The network passphrase can be imported into a network traffic analyzer to decrypt the encrypted client-to-station information exchange. It would be of interest to see what information can be obtained using this method. Due to the nature of the attack, no real solutions are obvious.
The best way to prevent such an attack is to create a secure passphrase and enable MAC filtering, as these make the network a less viable target. However, I believe that in the long term a network manager can be created to detect de-authentication frames and alter network settings to prevent information from being exploited. The handshake can also be altered so that crucial information is not released to the attacker. I plan to study these mechanisms and test the effectiveness of my proposed solutions in the future.

Figure 2: Snooping Attack Results: client information shown.

Figure 1: Key Hierarchy for WPA2-PSK Encryption (Unicast Traffic)
- Pairwise Master Key (256 bits): derived in Phase 1 from the Preshared Key (which includes the network passphrase, SSID, n iterations, and key length).
- Pairwise Transient Key (384 bits): the Pairwise Master Key combined with randomly generated values produces a set of keys called the Pairwise Transient Key.
- EAPOL MIC key (128 bits): used to preserve integrity during the initial handshake.
- EAPOL Encr key (128 bits): used to prevent unauthorized modification of user data.
- Data Encr/MIC key (128 bits): used for encrypting user data.

Figure 6: Diagram of WPA2 Authentication Phase, between Station (STA) and Access Point (AP)
Phase 1:
- Probe Request / Probe Response
- Open Authentication Request / Open Authentication Response
- Association Request / Association Response
Phase 2 (4-way handshake):
- Message 1: EAPOL-Key(ANonce)
- Message 2: EAPOL-Key(SNonce, MIC)
- Message 4: EAPOL-Key(Ready, MIC)

Figure 3: De-Authentication Results: passphrase shown.
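The key hierarchy of Figure 1 and the nonce exchange of Figure 6, worked through in code as an added example that is not part of the poster or of the tools it names: the PMK derived from passphrase and SSID, the PRF-384 expansion into the EAPOL MIC key (KCK), EAPOL Encr key (KEK) and Data Encr/MIC key (TK), and the EAPOL-Key MIC that Message 2 carries and the AP recomputes. The MAC addresses, nonces, SSID and passphrases are constructed sample values; every input except the passphrase is public, which is why passphrase strength is the whole defence of WPA2-PSK.

```python
import hashlib
import hmac

MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of Key Descriptor fields preceding the 16-byte Key MIC

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Phase 1 (Figure 1): 256-bit PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Only the passphrase is secret; the SSID, iteration count and key length are fixed and public."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-384: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..2, truncated to 48 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(3))
    return b"".join(blocks)[:48]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Phase 2 (Figure 6): PTK from the PMK, both MAC addresses and the two random nonces of
    Messages 1 and 2, split into the three 128-bit keys of Figure 1."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_384(pmk, b"Pairwise key expansion", data)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}  # EAPOL MIC, EAPOL Encr, Data Encr/MIC

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC for AES-CCMP (descriptor version 2): HMAC-SHA1 over the whole frame with the
    MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def mic_is_valid(kck: bytes, frame: bytes) -> bool:
    """What the AP does on receiving Message 2: recompute the MIC and compare in constant time."""
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])

# Constructed sample values (not taken from any real capture).
AA = bytes.fromhex("001122334455")           # AP / authenticator address
SPA = bytes.fromhex("66778899aabb")          # station / supplicant address
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))

def build_message2(passphrase: str, ssid: str) -> bytes:
    """Constructed Message 2 skeleton: EAPOL header, RSN Key Descriptor carrying SNonce, valid MIC."""
    kck = derive_ptk(derive_pmk(passphrase, ssid), AA, SPA, ANONCE, SNONCE)["KCK"]
    frame = bytearray(99)                    # 4-byte EAPOL header + 95-byte Key Descriptor, no key data
    frame[0:4] = b"\x02\x03\x00\x5f"         # EAPOL version 2, type 3 (EAPOL-Key), body length 95
    frame[4] = 2                             # descriptor type 2 = RSN
    frame[17:49] = SNONCE                    # Key Nonce field
    frame[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(kck, bytes(frame))
    return bytes(frame)
```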
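One shape the de-authentication-detecting network manager proposed above could take, written here as an added example rather than anything from the poster: an edge-triggered sliding-window counter over already-parsed 802.11 management frame records. The frame records and addresses are constructed samples; the subtype values 12 (Deauthentication), 10 (Disassociation) and 8 (Beacon) are the 802.11 management frame subtypes, and frames are assumed to arrive in timestamp order.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional

DEAUTH, DISASSOC = 12, 10              # management frame subtypes that tear down a client's session
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    ts: float      # capture timestamp in seconds
    subtype: int   # 802.11 management frame subtype
    src: str       # transmitter address (the AP's BSSID on a legitimate deauth, or a spoof of it)
    dst: str       # receiver address: one client, or broadcast to disconnect every client at once

class DeauthDetector:
    """Edge-triggered sliding window: one alert per (src, dst) pair when `threshold` deauth or
    disassoc frames fall within `window_s` seconds, re-armed only after the burst subsides."""
    def __init__(self, window_s: float = 10.0, threshold: int = 5):
        self.window_s, self.threshold = window_s, threshold
        self.recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
        self.alerted = set()               # pairs already reported for the burst in progress

    def observe(self, f: Frame) -> Optional[str]:
        if f.subtype not in (DEAUTH, DISASSOC):
            return None                    # beacons, data frames, etc. never count
        key = (f.src, f.dst)
        q = self.recent[key]
        q.append(f.ts)
        while f.ts - q[0] > self.window_s:  # expire timestamps that fell out of the window
            q.popleft()
        if len(q) < self.threshold:
            self.alerted.discard(key)      # burst is over: a later burst will be reported again
            return None
        if key in self.alerted:
            return None
        self.alerted.add(key)
        scope = "all clients (broadcast)" if f.dst == BROADCAST else f"client {f.dst}"
        return f"{f.ts:.1f}s: {len(q)} deauth/disassoc frames from {f.src} to {scope} within {self.window_s:.0f}s"

def scan(frames: List[Frame], **kw) -> List[str]:
    """Run the detector over a parsed capture and return the alerts in order."""
    det = DeauthDetector(**kw)
    return [a for a in (det.observe(f) for f in frames) if a]

# Constructed sample capture: two ordinary, widely spaced deauths, a beacon, then 8 deauths in 0.7 s.
AP, VICTIM = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"
SAMPLE = [Frame(0.0, DEAUTH, AP, VICTIM), Frame(45.0, DEAUTH, AP, "de:ad:be:ef:00:02"),
          Frame(90.0, 8, AP, BROADCAST)]
SAMPLE += [Frame(120.0 + 0.1 * i, DEAUTH, AP, VICTIM) for i in range(8)]
```

Running `scan(SAMPLE)` reports the burst once, at the fifth frame, and stays silent for the isolated deauths that normal roaming produces.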