Threat Model
Tim Moore, Microsoft
July 2002
Scope
- Looked at 802.11-1999 and then at RSN to fix the 1999 issues
- Not complete
- Focused on ESS
[Diagram: Station and AP, each with an 802.11 MAC and 802.1X key management above it]
Threats
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
Data message
- Spoofing, Information Disclosure, Tampering: WEP!
- Integrity and Privacy from RSN
- MAC address spoof detection requires Pairwise keys
- Unicast traffic bridged by a station will be decrypted with the Group key. Should this be allowed, given that it allows spoofing of MAC addresses?
TKIP/AES
- If the IV is repeated with a particular key then it is easy to recover the key
- 4-way handshake and 48-bit IV
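The slide's defence against IV reuse is a fresh key from the 4-way handshake plus a 48-bit counter that is never reused under one key. The following is an added example (not code from the original slides or from any 802.11 implementation) showing that counter discipline on both sides: the sender refuses to transmit once the counter under the current key would wrap, and the receiver drops any MPDU whose counter does not advance, which catches replays and IV reuse alike. The class names, the `key_id` generation counter and the simplified frame model are assumptions; TKIP's real per-MPDU key mixing and Michael MIC are not reproduced.

```python
"""Added example: 48-bit TSC/IV handling that never reuses a counter value
under one temporal key. Names and the frame model are hypothetical."""

TSC_BITS = 48
TSC_MAX = (1 << TSC_BITS) - 1  # largest value the 48-bit counter can hold


class KeyExhausted(Exception):
    """Raised when the counter under the current key would wrap (IV reuse)."""


class TkipSender:
    """Transmit side: one strictly increasing 48-bit TSC per temporal key."""

    def __init__(self):
        self.key_id = 0      # generation of the pairwise key (bumped on rekey)
        self.next_tsc = 0    # next counter value to place in the IV

    def next_iv(self):
        """Return (key_id, tsc) for the next MPDU, or raise if the key is spent."""
        if self.next_tsc > TSC_MAX:
            raise KeyExhausted("TSC would wrap; run a new 4-way handshake first")
        tsc = self.next_tsc
        self.next_tsc += 1
        return (self.key_id, tsc)

    def rekey(self):
        """A fresh 4-way handshake yields a new key, so the counter may restart."""
        self.key_id += 1
        self.next_tsc = 0


class TkipReceiver:
    """Receive side: drop any MPDU whose TSC is not greater than the last one
    accepted under the same key, which rejects both replays and IV reuse."""

    def __init__(self):
        self.last_tsc = {}   # key_id -> highest TSC accepted so far
        self.dropped = 0     # MIB-style count of replayed/out-of-order MPDUs

    def accept(self, key_id, tsc):
        last = self.last_tsc.get(key_id, -1)
        if tsc <= last:
            self.dropped += 1
            return False
        self.last_tsc[key_id] = tsc
        return True


if __name__ == "__main__":
    tx, rx = TkipSender(), TkipReceiver()
    first = tx.next_iv()
    print("accepted first:", rx.accept(*first))
    print("accepted replay:", rx.accept(*first))   # False: replay detected
```

The receiver keeps a per-key high-water mark rather than a bitmap, which is enough to show the principle; a real driver would also bind the counter to the sender's address and priority.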
Michael countermeasures make a DoS
- Snoop packet
- Destroy packet CRC
- Flip a bit
- Flip bits in ICV to correct
- Send packet
- RSN uses 1X to inform the AP in a secure way
- Rate limit keying to limit the effect on other stations until their keys are attacked
Ack message
- Need RA, More bit and Duration from the frame to be acked; if More is 0 then Duration is not needed
- Acks for data messages can cause data loss: destroy message and then send ack
- Timing makes it difficult to respond to a message with a valid ack, especially for More=1, but it could be done by random acks being sent for More=0
- Acks are generated very low in the stack, below encryption/integrity, so protecting them is hard
- Can detect acks received at the wrong time; should have a MIB to log this occurring
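The last bullet asks for detection rather than protection: an ack that arrives when the station has nothing outstanding, or arrives after the ack window has closed, is logged to a MIB counter. The block below is an added example (not from the original slides) of that detector running over a constructed event trace. The event format, the ack-window value and the counter name `dot11UnexpectedAckCount` are assumptions for illustration, not values from the standard.

```python
"""Added example: count acks that arrive when no frame awaits acknowledgement.
Event format, ACK window and MIB counter names are hypothetical."""

ACK_TIMEOUT_US = 50  # assumed ack window in microseconds (illustrative value)


class AckMonitor:
    """Tracks whether this station has a data frame awaiting an ack and
    classifies each incoming ack as expected or unexpected."""

    def __init__(self, own_addr):
        self.own_addr = own_addr
        self.pending_until = None   # latest time an ack may legitimately arrive
        self.mib = {"dot11UnexpectedAckCount": 0, "dot11AckedFrames": 0}

    def sent_data(self, t):
        """Record that a data frame needing an ack went out at time t."""
        self.pending_until = t + ACK_TIMEOUT_US

    def ack_received(self, t, ra):
        """Return True if the ack matched an outstanding frame, else log it."""
        if ra != self.own_addr:
            return False   # ack addressed to another station: not ours to judge
        if self.pending_until is not None and t <= self.pending_until:
            self.pending_until = None
            self.mib["dot11AckedFrames"] += 1
            return True
        self.mib["dot11UnexpectedAckCount"] += 1
        return False


def run_trace(own_addr, events):
    """Replay (time_us, kind, addr) events through the monitor; return the MIB."""
    mon = AckMonitor(own_addr)
    for t, kind, addr in events:
        if kind == "tx-data":
            mon.sent_data(t)
        elif kind == "ack":
            mon.ack_received(t, addr)
    return mon.mib


# Constructed trace: two legitimate acks, one with nothing outstanding,
# one arriving after the window, one addressed to a different station.
SAMPLE_TRACE = [
    (0, "tx-data", "aa:bb:cc:00:00:01"),
    (20, "ack", "aa:bb:cc:00:00:01"),
    (500, "ack", "aa:bb:cc:00:00:01"),      # nothing pending: unexpected
    (1000, "tx-data", "aa:bb:cc:00:00:01"),
    (1010, "ack", "aa:bb:cc:00:00:01"),
    (2000, "tx-data", "aa:bb:cc:00:00:01"),
    (2200, "ack", "aa:bb:cc:00:00:01"),     # after the window: unexpected
    (2300, "ack", "ff:ff:ff:00:00:09"),     # someone else's ack: ignored
]

if __name__ == "__main__":
    print(run_trace("aa:bb:cc:00:00:01", SAMPLE_TRACE))
```

Because acks carry only the receiver address, the transmitting station is the only party that knows whether an ack was due; that is why the monitor lives on the sender and keys purely on its own address and timing.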
(Re-)Association request
- Causes the station to join the DS: implementations send a level 2 message to set up bridges; pass data on/off the DS
- Changes capabilities to the AP: RSN IE; Listen interval (DoS causes the AP to lose data and disassociate the station)
- With RSN the station should not join the DS until the 4-way handshake completes: data isn't sent on/off the DS because keys are not configured, but the level 2 bridge message also needs to be held up
- Association allocates resources on the AP: APs need to limit the resources used and recover them if the 4-way handshake doesn't complete
Note
- Draft 2.2 pre-auth has a problem in that the 4-way handshake completes in pre-auth, so anyone sending an association opened the DS
- Fixed in 298r3
Authentication
- Open: no auth
- Shared: dictionary attack
- RSN: 802.11 auth is open (i.e. no security)
- Currently do Open to return the 802.11 state machine to the 1999 version, but should we remove state 2 in RSN?
(Re-)Association response
- Changes station state; stations check they are in the correct state
- Flood the AP with association requests for different MAC addresses: resource DoS
- If received when expected, the station goes to the correct state and the real response is ignored; if received after, it is ignored
- Limit resource usage; recover resources quickly if 802.1X key management doesn't complete
Probe request
- Wastes bandwidth
- Gets info from the AP
Beacon/Probe response
- Changes capabilities of the AP: Privacy bit; RSN information element
- A rogue AP with different capabilities but the same SSID
- Discloses information about ciphers etc. that helps an attacker
- Station selects the most secure capabilities of APs in range: DoS by a "more secure" AP
- RSN duplicates capabilities into the 4-way handshake, which is protected
- RSN requires the Privacy bit to be set
- DoS attack by modifying the 4-way handshake
- RSN requires a configuration option to disallow non-RSN associations
Disassociation/De-authentication
- Deletes/changes state on the AP; removes stations from the AP and the DS
- Nothing in RSN
- Options: sign Disassociation/De-authenticate messages; do not change 802.11 MAC state; re-authenticate 802.1X and let 1X delete MAC state
PS-Poll
- Used by a station to get the AP to send packets to the station
- Causes packets to be dropped at the AP: DoS
- Log packets sent on request of a PS-Poll that didn't get received
- Could be combined with ack spoofing to ack the data
RTS/CTS, Contention free/ack, ATIM
- RTS/CTS not looked at because the threshold is normally large
- Contention free/ack
- ATIM
Others
- Radio flood: can we detect this as radio noise and add MIB variables to log it?
- Interfere with packet CRC: detect packet errors, i.e. packets with bad CRCs, or in particular radio noise corrupting the CRC
802.1X
- Flood EAPOL-Start messages: DoS on the Authenticator
- Flood EAP Request/Identity: DoS on the Supplicant
- EAP_SUCCESS: Supplicant believes auth is complete; RSN uses the Secure bit for key management complete; RSN encrypts 1X with the Pairwise key
- EAP_FAILURE: DoS
- EAP_Logoff: encrypt 1X
- EAP Request/Identity contains identity information: change identity for DoS; read identity
- EAP scheme such as EAP_PEAP or EAP_TTLS: the outer identity only needs the NAI domain
- EAP_Start, Logoff and Notification can be tampered with: RSN encrypts 1X after the 4-way handshake; PEAP or TTLS will protect the inner EAP
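The three 802.1X slides above describe two supplicant-side rules: an unprotected EAP-Success does not mean the session is up (only the handshake's Secure bit does), and once the Pairwise key is installed any 802.1X frame that is not protected by it is ignored, which defuses spoofed EAP-Failure and similar frames. The block below is an added example (not from the original slides or from any 802.1X implementation) of a supplicant applying those rules to a constructed frame sequence. The frame dictionary layout, the `secure` and `encrypted` flags and the state names are assumptions.

```python
"""Added example: supplicant handling of 802.1X frames before and after the
4-way handshake. Frame layout and state names are hypothetical."""

AUTHENTICATING = "authenticating"
CONNECTED = "connected"
DISCONNECTED = "disconnected"


class Supplicant:
    """Minimal supplicant that trusts only the handshake's Secure bit for
    completion and ignores unprotected 802.1X once a PTK is installed."""

    def __init__(self):
        self.state = AUTHENTICATING
        self.ptk_installed = False
        self.dropped = []   # types of frames discarded for lacking protection

    def on_eapol(self, frame):
        """frame: {'type': str, 'encrypted': bool, optional 'secure': bool}.
        Returns the supplicant state after processing the frame."""
        ftype = frame["type"]
        if self.ptk_installed and not frame.get("encrypted", False):
            # After the handshake, RSN encrypts 1X with the Pairwise key;
            # anything arriving in the clear is spoofed or stale.
            self.dropped.append(ftype)
            return self.state
        if ftype == "EAP-Success":
            # Bare success means nothing; wait for key management to finish.
            return self.state
        if ftype == "EAPOL-Key" and frame.get("secure", False):
            # Secure bit set: key management complete, keys installed.
            self.ptk_installed = True
            self.state = CONNECTED
        elif ftype == "EAP-Failure":
            self.state = DISCONNECTED
            self.ptk_installed = False
        return self.state


def run_sequence(frames):
    """Feed frames to a fresh supplicant; return (final_state, dropped_types)."""
    sup = Supplicant()
    for f in frames:
        sup.on_eapol(f)
    return sup.state, sup.dropped


# Constructed sequence: an early unprotected EAP-Success (ignored), the
# handshake completing, then a cleartext EAP-Failure that must be dropped.
SAMPLE_FRAMES = [
    {"type": "EAP-Success", "encrypted": False},
    {"type": "EAPOL-Key", "encrypted": False, "secure": True},
    {"type": "EAP-Failure", "encrypted": False},
]

if __name__ == "__main__":
    print(run_sequence(SAMPLE_FRAMES))
```

Before the handshake the supplicant cannot tell a genuine EAP-Failure from a forged one, which matches the slide's residual "EAP_FAILURE: DoS"; the example only removes the post-handshake cases.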
PSK
- Bad pre-shared keys
4-way handshake
- Send message 1 with a wrong ANonce: implementations mustn't change the session until message 3
- Changing the destination MAC address: DoS
Issues
- Association: sign the association message; use the 4-way handshake as the point at which the network is secure (this is in draft 2.2)
- Disassociation/De-authenticate: sign disassociate; can't sign de-authenticate because there are cases when you can't
- Disassociation/De-authenticate forces 802.1X reauth: if the disassociate/de-authenticate is valid then 802.1X fails and removes state; if it is spoofed then 802.1X succeeds and state is not removed
- Note: could be used to force 802.1X reauths, using resources
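The association and disassociation slides together describe one AP-side policy: cap the resources held by stations whose 4-way handshake has not completed, reclaim them on a timer, and treat a disassociate/de-authenticate as a trigger for 802.1X re-authentication instead of deleting MAC state outright. The following is an added example (not code from the original slides or from any AP firmware) that implements that policy as a small state table and exercises it with a constructed flood. The class and state names, the limits and the `reauth` callback are assumptions.

```python
"""Added example: AP association table with a pending-handshake cap, timed
reclaim, and reauth-on-disassociate. Names and limits are hypothetical."""

PENDING = "pending"   # associated, keys not installed, not yet on the DS
SECURED = "secured"   # 4-way handshake done, station is on the DS


class AccessPoint:
    def __init__(self, max_pending=50, handshake_timeout=5.0):
        self.max_pending = max_pending
        self.handshake_timeout = handshake_timeout
        self.stations = {}   # mac -> {"state": ..., "deadline": ...}
        self.rejected = 0    # MIB-style count of associations refused

    def pending_count(self):
        return sum(1 for s in self.stations.values() if s["state"] == PENDING)

    def associate(self, mac, now):
        """Accept an association only while pending slots remain."""
        if mac in self.stations and self.stations[mac]["state"] == SECURED:
            return True   # reassociation of an already secured station
        if self.pending_count() >= self.max_pending:
            self.rejected += 1
            return False
        self.stations[mac] = {"state": PENDING,
                              "deadline": now + self.handshake_timeout}
        return True

    def handshake_complete(self, mac):
        """Called when message 4 verifies; only now is the DS opened."""
        st = self.stations.get(mac)
        if st is None or st["state"] != PENDING:
            return False
        st["state"] = SECURED
        st["deadline"] = None
        return True

    def reclaim(self, now):
        """Drop pending entries whose handshake did not finish in time."""
        expired = [m for m, s in self.stations.items()
                   if s["state"] == PENDING and s["deadline"] <= now]
        for m in expired:
            del self.stations[m]
        return len(expired)

    def disassociate(self, mac, reauth):
        """Keep MAC state and re-run 802.1X; reauth(mac) -> True if the
        station is still present and authenticates successfully."""
        st = self.stations.get(mac)
        if st is None:
            return "unknown"
        if reauth(mac):
            return "kept"       # station still there: message was spoofed
        del self.stations[mac]
        return "removed"        # station really gone: 802.1X failed


def flood(ap, count, now):
    """Constructed flood of associations from distinct MACs; returns accepted count."""
    accepted = 0
    for i in range(count):
        mac = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        if ap.associate(mac, now):
            accepted += 1
    return accepted


if __name__ == "__main__":
    ap = AccessPoint(max_pending=50, handshake_timeout=5.0)
    print("accepted during flood:", flood(ap, 1000, now=0.0))
    print("reclaimed after timeout:", ap.reclaim(now=6.0))
```

The `reauth` callback stands in for the real 802.1X exchange; the decisive property is that a forged disassociate costs the attacker only a reauth round, which is the resource-use note on the slide, rather than a dropped session.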