Threat Model
Tim Moore, Microsoft
July 2002

- Focused on ESS
- Looked at 802.11-1999 and then at RSN to fix the 1999 issues
- Not complete

[Diagram: Station, AP, 802.11 MAC, 802.1X key management]

Threats
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege

Data message
- Threats: Spoofing, Information Disclosure, Tampering (WEP!)
- Integrity and privacy from RSN
- MAC address spoof detection requires pairwise keys
- Station bridging unicast traffic will be decrypted as a group key; should this be allowed, as it allows spoofing of MAC addresses?

TKIP/AES
- If the IV is repeated with a particular key then it is easy to recover the key
- RSN: 4-way handshake and 48-bit IV

Michael countermeasures make a DoS
- Snoop packet
- Destroy packet CRC
- Flip a bit
- Flip bits in ICV to correct
- Send packet
- RSN uses 802.1X to inform the AP in a secure way
- Rate limit keying to limit the effect on other stations until their keys are attacked

Ack message
- Need RA, More bit and Duration from the frame to be acked; if More is 0 then Duration is not needed
- Acks for data messages can cause data loss: destroy the message and then send the ack
- Timing is difficult: responding to a message with a valid ack, especially for More=1, but could be done by random acks being sent for More=0
- Acks are generated very low in the stack, below encryption/integrity, so protecting them is hard
- Can detect acks received at the wrong time; should have a MIB to log this occurring
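As an added illustration of the last two bullets (not code from the slides), a station-side monitor that flags acks arriving when nothing is outstanding or outside the expected SIFS window and counts them in a MIB-style table; the timing constants, counter names and the frame trace are constructed for the demonstration:

```python
from dataclasses import dataclass, field
from typing import Optional
SIFS_US = 10        # assumed SIFS for this demonstration (microseconds)
ACK_WINDOW_US = 50  # assumed: a genuine ack arrives within SIFS plus ack airtime

@dataclass
class Event:
    t_us: int   # timestamp in microseconds
    kind: str   # "tx" = we sent a frame that needs an ack, "ack" = ack received
    ra: str     # receiver address carried in the frame
@dataclass
class AckMonitor:
    own_addr: str
    pending: Optional[Event] = None   # our frame currently awaiting its ack
    mib: dict = field(default_factory=lambda: {"unexpectedAckCount": 0, "lateAckCount": 0})
    log: list = field(default_factory=list)

    def observe(self, ev):
        if ev.kind == "tx":
            self.pending = ev
            return
        if ev.ra != self.own_addr:
            return                      # ack addressed to another station
        if self.pending is None:
            self._flag("unexpectedAckCount", ev, "no frame outstanding")
            return
        delta = ev.t_us - self.pending.t_us
        if delta < SIFS_US or delta > ACK_WINDOW_US:
            self._flag("lateAckCount", ev, f"outside ack window ({delta} us)")
        self.pending = None             # one ack per transmitted frame

    def _flag(self, counter, ev, why):
        self.mib[counter] += 1          # the MIB counter the slide asks for (constructed name)
        self.log.append(f"t={ev.t_us}us ack ra={ev.ra}: {why}")
def run_trace(events, own="02:00:00:00:00:01"):
    mon = AckMonitor(own)
    for ev in sorted(events, key=lambda e: e.t_us):
        mon.observe(ev)
    return mon

# Constructed trace: normal exchange; ack with nothing outstanding; ack far too
# late for the frame it answers; normal exchange; duplicate ack.
TRACE = [
    Event(0, "tx", "02:00:00:00:00:aa"), Event(30, "ack", "02:00:00:00:00:01"),
    Event(500, "ack", "02:00:00:00:00:01"),
    Event(1000, "tx", "02:00:00:00:00:aa"), Event(1100, "ack", "02:00:00:00:00:01"),
    Event(2000, "tx", "02:00:00:00:00:aa"), Event(2025, "ack", "02:00:00:00:00:01"),
    Event(2200, "ack", "02:00:00:00:00:01"),
]
```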

(Re-)Association request
- Causes the station to join the DS: implementations send a level 2 message to set up bridges; pass data on/off the DS
- Changes capabilities at the AP: RSN IE; Listen interval (DoS: causes the AP to lose data and disassociate the station)
- With RSN the station should not join the DS until the 4-way handshake completes: data isn't sent on/off the DS because keys are not configured, but the level 2 bridge message also needs to be held up
- Association allocates resources on the AP: APs need to limit the resources used and recover them if the 4-way handshake doesn't complete

Note
- Draft 2.2 pre-auth has a problem: the 4-way handshake completes in pre-auth, so anyone sending an association opened the DS
- Fixed in 298r3

Authentication
- Open: no auth
- Shared: dictionary attack
- RSN: 802.11 auth is open (i.e. no security)
- Currently do open to return the 802.11 state machine to the 1999 version, but should we remove state 2 in RSN?

(Re-)Association response
- Changes station state
- Stations check they are in the correct state
- Flood the AP with association requests for different MAC addresses: resource DoS
- If received when expected, the station goes to the correct state and the real response is ignored; if received afterwards it is ignored
- Limit resource usage; recover resources quickly if 802.1X key management doesn't complete
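An added example (not from the slides) of the AP-side behaviour described on this and the (Re-)Association request slide: association entries are capped, the DS bridge message and data forwarding are held until the 4-way handshake completes, and unkeyed entries are reclaimed after a deadline; the cap, deadline and station names are constructed assumptions:

```python
MAX_ASSOC = 3              # assumed cap on association slots for this demonstration
HANDSHAKE_DEADLINE = 5.0   # assumed seconds allowed for the 4-way handshake to finish
class Assoc:
    def __init__(self, mac, now):
        self.mac, self.since, self.keyed = mac, now, False  # keyed: handshake done

class AccessPoint:
    def __init__(self):
        self.table = {}        # MAC -> Assoc; every entry ties up AP resources
        self.bridge_msgs = []  # level 2 bridge-setup messages sent into the DS
        self.rejected = 0

    def associate(self, mac, now):
        self.reap(now)         # first recover slots whose handshake never finished
        if mac not in self.table and len(self.table) >= MAX_ASSOC:
            self.rejected += 1
            return False       # flood of fresh MACs: refuse rather than exhaust the AP
        self.table[mac] = Assoc(mac, now)   # accept, but do NOT touch the DS yet
        return True

    def handshake_complete(self, mac):
        a = self.table.get(mac)
        if a is None:
            return False
        a.keyed = True
        self.bridge_msgs.append(mac)   # only now is the station joined to the DS
        return True

    def forward_to_ds(self, mac, frame):
        a = self.table.get(mac)
        return bool(a and a.keyed)     # no keys configured: nothing goes on/off the DS

    def reap(self, now):
        stale = [m for m, a in self.table.items()
                 if not a.keyed and now - a.since > HANDSHAKE_DEADLINE]
        for m in stale:
            del self.table[m]
        return len(stale)

def scenario():
    """Constructed run: one honest station, then associations that never key up."""
    ap = AccessPoint()
    ap.associate("sta-good", 0.0); ap.handshake_complete("sta-good")
    for i, mac in enumerate(["flood-1", "flood-2", "flood-3", "flood-4"]):
        ap.associate(mac, 1.0 + i)          # flood-3 and flood-4 are refused
    refused_early = ap.rejected
    late = ap.associate("flood-5", 10.0)    # stale entries reaped first, so accepted
    return (refused_early, late, ap.forward_to_ds("sta-good", b""),
            ap.forward_to_ds("flood-5", b""), ap.bridge_msgs)
```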

Probe request
- Wastes bandwidth
- Gets info from AP

Beacon/Probe response
- Change capabilities of the AP: Privacy bit, RSN information element
- A rogue AP with different capabilities but the same SSID
- Discloses information about ciphers etc. that helps an attacker
- Station selects the most secure capabilities of the APs in range: DoS by a "more secure" AP
- RSN duplicates the capabilities into the 4-way handshake, which is protected
- RSN requires the Privacy bit to be set
- DoS attack by modifying the 4-way handshake
- RSN requires a configuration option to disallow non-RSN associations
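Added example, not from the slides: a decoder for the RSN information element and the station-side check that the copy of the IE delivered inside the protected 4-way handshake is identical to the one the beacon or probe response advertised; the two IEs below are constructed, with a rogue beacon offering a weaker cipher than the real AP:

```python
OUI = b"\x00\x0f\xac"
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM = {1: "802.1X", 2: "PSK"}

def parse_rsn_ie(ie):
    """Decode element ID 48: version, group cipher, pairwise ciphers, AKMs, caps."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN IE")
    body, pos = ie[2:], 0

    def u16():
        nonlocal pos
        if pos + 2 > len(body):
            raise ValueError("truncated RSN IE")
        v = int.from_bytes(body[pos:pos + 2], "little")
        pos += 2
        return v

    def suites(count):
        nonlocal pos
        out = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(count)]
        pos += 4 * count
        if any(len(s) != 4 for s in out):
            raise ValueError("truncated suite list")
        return out

    info = {"version": u16(), "group": body[pos:pos + 4]}
    pos += 4
    info["pairwise"] = suites(u16())
    info["akm"] = suites(u16())
    info["caps"] = u16() if pos + 2 <= len(body) else 0
    return info

def describe(info):
    name = lambda s, table: table.get(s[3], "?") if s[:3] == OUI else "vendor"
    return "pairwise=%s akm=%s" % (",".join(name(s, CIPHER) for s in info["pairwise"]),
                                   ",".join(name(s, AKM) for s in info["akm"]))

def handshake_matches_beacon(beacon_ie, msg3_ie):
    """Station-side check: the RSN IE delivered under the handshake MIC must be
    bit-for-bit the one the beacon/probe response advertised, otherwise abort."""
    parse_rsn_ie(beacon_ie); parse_rsn_ie(msg3_ie)   # both must be well formed
    return beacon_ie == msg3_ie

# Constructed IEs: the real AP offers CCMP with 802.1X; a rogue beacon carrying
# the same SSID advertises TKIP only.
AP_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")
ROGUE_IE = bytes.fromhex("3014 0100 000fac02 0100 000fac02 0100 000fac01 0000")
```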

Disassociation/De-authentication
- Deletes/changes state on the AP: removes stations from the AP and DS
- Nothing in RSN
- Options: sign Disassociation/De-authenticate messages; do not change 802.11 MAC state; re-authenticate 802.1X and let 802.1X delete the MAC state

PS-Poll
- Used by a station to get the AP to send packets to the station
- Causes packets to be dropped at the AP: DoS
- Log packets sent on request of a PS-Poll that didn't get received
- Could be joined with ack spoofing to ack the data

RTS/CTS, Contention free/ack, ATIM
- RTS/CTS: not looked at because normally the threshold is large
- Contention free/ack
- ATIM

Others
- Radio flood: can we detect this as radio noise and add MIB variables to log it?
- Interfere with packet CRC: detect packet errors, i.e. packets with bad CRCs, in particular radio noise corrupting the CRC

802.1X
- Flood EAPOL-Start messages: DoS on the authenticator
- Flood EAP Request/Identity: DoS on the supplicant
- EAP_SUCCESS: supplicant believes auth is complete; RSN uses the Secure bit for key management complete; RSN encrypts 802.1X with the pairwise key
- EAP_FAILURE: DoS

EAP_Logoff
- Encrypt 802.1X
EAP Request/Identity contains identity information
- Change identity for DoS
- Read identity: use an EAP scheme such as EAP_PEAP or EAP_TTLS; the outer identity only needs the NAI domain

EAP_Start, logoff and Notification can be tampered with
- RSN encrypts 802.1X after the 4-way handshake
- PEAP or TTLS will protect the inner EAP

PSK
- Bad pre-shared keys

4-way handshake
- Send message 1 with wrong ANonce: the implementation mustn't change the session until message 3
- Changing the destination MAC address: DoS
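Added example (not code from the slides) of a supplicant that keeps the session unchanged on message 1: each message 1 only yields a candidate PTK keyed by its ANonce, and the installed key changes only when a message 3 with a valid MIC arrives; the key derivation is a plain HMAC stand-in for the 802.11i PRF, and the PMK, nonces and MAX_TENTATIVE bound are constructed assumptions:

```python
import hashlib, hmac, os

MAX_TENTATIVE = 4   # assumed bound on candidate PTKs held while waiting for message 3

def derive_ptk(pmk, anonce, snonce):
    # Stand-in for the 802.11i PRF (assumption): one HMAC; first 16 bytes act as KCK
    return hmac.new(pmk, b"PTK" + anonce + snonce, hashlib.sha256).digest()

def key_mic(kck, body):
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]

class Supplicant:
    def __init__(self, pmk):
        self.pmk, self.snonce = pmk, os.urandom(32)
        self.installed = None   # PTK protecting data; must not change before message 3
        self.tentative = {}     # ANonce -> candidate PTK, one per message 1 seen

    def on_message1(self, anonce):
        if len(self.tentative) >= MAX_TENTATIVE:   # bound memory a message 1 flood uses
            del self.tentative[next(iter(self.tentative))]   # evict the oldest
        self.tentative[anonce] = derive_ptk(self.pmk, anonce, self.snonce)
        return self.snonce      # message 2 carries SNonce; the session is untouched

    def on_message3(self, anonce, body, mic):
        ptk = self.tentative.get(anonce)
        if ptk is None or not hmac.compare_digest(key_mic(ptk[:16], body), mic):
            return False        # unknown ANonce or bad MIC: not the real authenticator
        self.installed = ptk    # only a MIC-valid message 3 changes the session key
        self.tentative.clear()
        return True

class Authenticator:
    def __init__(self, pmk):
        self.pmk, self.anonce = pmk, os.urandom(32)

    def message3(self, snonce, body):
        ptk = derive_ptk(self.pmk, self.anonce, snonce)
        return self.anonce, body, key_mic(ptk[:16], body)

def run_handshake(pmk=b"constructed-pmk", forged_message1s=2):
    """Real exchange with forged message 1s (wrong ANonce) injected in between."""
    sup, ap = Supplicant(pmk), Authenticator(pmk)
    snonce = sup.on_message1(ap.anonce)
    installed_before = sup.installed    # still None: message 1 changed nothing
    for _ in range(forged_message1s):
        sup.on_message1(os.urandom(32))
    ok = sup.on_message3(*ap.message3(snonce, b"ap-rsn-ie+gtk"))
    return ok, installed_before is None, sup.installed == derive_ptk(pmk, ap.anonce, snonce)
```

Because the oldest candidate is evicted at MAX_TENTATIVE entries, a long enough run of forged message 1s can still push out the real candidate; that costs availability of this handshake, never the installed key.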

Issues
- Association: sign the association message; use the 4-way handshake as "network secure" (this is in draft 2.2)
- Disassociation/De-authenticate: sign disassociate; can't sign de-authenticate because there are cases when you can't
- Disassociation/De-authenticate force 802.1X reauth: if a valid disassociate/de-authenticate then 802.1X fails and removes state; if a spoofed disassociate/de-authenticate then 802.1X succeeds and state is not removed. Note: could be used to force 802.1X reauths, using resources
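Added example (not from the slides) of the third option here and on the Disassociation/De-authentication slide: on a disassociate or de-authenticate frame the AP keeps its MAC state and forces an 802.1X re-authentication, removing the station only if that fails; the reauth callback, station names and the per-station budget that bounds the resource cost noted above are constructed assumptions:

```python
from collections import defaultdict

REAUTH_BUDGET = 3   # assumed cap on forced 802.1X reauths per station (per window)

class StationTable:
    """AP-side state; `reauth(mac)` is a callable standing in for a real 802.1X
    re-authentication and returns True when the station proves it holds the keys."""
    def __init__(self, reauth):
        self.reauth = reauth
        self.stations = set()           # associated MACs: 802.11 MAC state on the AP
        self.forced = defaultdict(int)  # forced reauths per station, i.e. resources spent
        self.spoofed, self.removed = [], []

    def associate(self, mac):
        self.stations.add(mac)

    def on_disassoc(self, mac):
        """Disassociation/De-authenticate received: do not trust the frame by itself."""
        if mac not in self.stations:
            return "unknown"
        self.forced[mac] += 1
        if self.forced[mac] > REAUTH_BUDGET:
            return "rate-limited"      # too many forced reauths: keep state, spend nothing
        if self.reauth(mac):           # 802.1X succeeds: the real station is still here
            self.spoofed.append(mac)
            return "spoofed"           # so the frame was forged; MAC state is kept
        self.stations.discard(mac)     # 802.1X fails: the station really left
        self.removed.append(mac)
        return "removed"
```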