IT4833/6833 WiFi Security Building Blocks (I).

Data-oriented Wireless NWs & Security

Objectives
To understand data-oriented wireless and mobile networks and their security systems:
- Data-oriented wireless networks
  - Wireless LAN (WLAN, IEEE 802.11)
  - Worldwide Interoperability for Microwave Access (WiMAX, IEEE 802.16)
  - Bluetooth (IEEE 802.15)
- Security in WLAN
  - Wired Equivalent Privacy (WEP)
  - Wi-Fi Protected Access (WPA; WPA2 = IEEE 802.11i)
- Summary

Key Establishment in 802.11 (WEP)
- Relies on "pre-shared" keys between the mobile node or station (STA) and the access points (APs). So there is NO key establishment protocol at all.
- Problems:
  - Keys are configured manually -> open to human error, and users cannot be expected to choose a "strong" key.
  - 802.11 allows each STA (and AP) in a Basic Service Set (BSS) to be configured with 4 different keys -> at most 4 "user groups", i.e. slightly finer control over which STAs are accepted than a single network-wide key, but still no per-STA identification.
  - In practice the same key is used across all BSSs of the whole Extended Service Set (ESS) -> makes roaming easier and faster, but a single compromised STA exposes the entire ESS.

Anonymity in 802.11
- 802.11 networks are "IP"-based networks.
- For a given IP address it is very difficult to determine the identity of the subscriber, since IP addresses are dynamically assigned using protocols such as DHCP (Dynamic Host Configuration Protocol).
- NAT (Network Address Translation) creates two types of IP addresses (private and global): private IP address -> NAT -> globally valid IP address.
- NOTE: in traditional (cellular) wireless networks (TWNs), a call is routed using the IMSI/TMSI, which is directly associated with the subscriber.
- Caveat: the 802.11 MAC address is sent in the clear in every frame, so link-layer anonymity is weaker than the IP-layer picture suggests.

Open System Authentication
- The "default" authentication scheme.
- Allows any and all stations to join the network (no real authentication: the AP answers every request with "success").
- An AP can instead enforce the use of "Shared Key Authentication" (SKA).

Open System Authentication (figure)

Shared Key Authentication
- Based on a "challenge-response" mechanism: the AP sends a plaintext challenge, the STA returns it WEP-encrypted, and the AP checks that it decrypts correctly.
- Divides STAs into two groups:
  - group 1: access allowed (shares a secret key with the AP)
  - group 2: access not allowed

Pre-Shared Key (figure)

Problems with 802.11 Authentication
- Authentication with a shared key: no way for the AP to reliably determine the exact identity of a STA (it only checks membership of a "group" of STAs that know the key).
- One-way authentication: the STA cannot authenticate the network, so a rogue AP can see virtually everything the STA sends.
- Shared Key Authentication suffers from all the drawbacks WEP suffers from; worse, the plaintext challenge and the encrypted response are both on the air, which hands an eavesdropper a valid RC4 key stream for that IV and lets it pass the same challenge later.

Pseudo Authentication (SSID)
- Allows only stations that know the network's SSID to join the network.
- Poses minimal challenge: the SSID is transmitted in the clear in beacons, and even a "hidden" SSID appears unencrypted in probe and association frames.

MAC Address Filtering
- Allows only stations with certain MAC addresses to join the network.
- Not a very secure authentication scheme: most wireless cards let the user change their MAC address in software, and the permitted addresses are visible in the clear on the air, so an attacker only has to sniff a legitimate one and clone it.

WEP: Confidentiality in 802.11
- Step 1: Calculate the Integrity Check Value (ICV), 4 bytes. The ICV plays the role of a "Message Integrity Check", but is only a CRC-32 (see Data Integrity below).
- Step 2: Select a "master key": one of the "four pre-shared secret keys".
- Step 3: Obtain a "key seed": select a 24-bit IV and concatenate it with the master key (seed = IV || master key).
- Step 4: Generate the cipher-text: the key seed is fed to the RC4 key generator; the resulting key stream is XORed with (MPDU || ICV from step 1).
- Step 5: A 4-byte header is prepended to the encrypted data: the 3-byte IV value (in the clear) and 1 byte whose 2 low-order bits are the key-id (specifying which of the four pre-shared keys is the "master key"; the other 6 bits are padding).
- WEP packet: IV header (4 bytes) || RC4-encrypted (MPDU || ICV)
- MPDU: MAC Protocol Data Unit

Data Integrity in 802.11 (WEP)
- Goal: detect data modification.
- How: the receiver calculates the ICV (Integrity Check Value) over the received data and compares it with the ICV attached to the message.
- ICV = CRC-32 (Cyclic Redundancy Check, 32 bits).
- Not cryptographically computed -> weak: CRC-32 is linear, so an attacker who flips bits in the ciphertext can compute the matching correction to the (encrypted) ICV without knowing the key, and the forgery passes the check.
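The five encapsulation steps and the CRC-32 check above, carried out in code, followed by two consequences of the design: a bit-flip forgery that survives the ICV check, and the key-stream reuse problem discussed later under "Why should the same key not be used?" (two frames under the same IV and master key leak each other's plaintext). This is an added example written for this page, not code from the slides or from the 802.11 standard; the 40-bit key, the IV and the frame contents are constructed test data.

```python
import struct
import zlib

# Added example, not from the slides: WEP encapsulation (steps 1-5), the
# receiver's ICV check, and two consequences of the design. The key, IV and
# frame payloads used below are constructed test data.

def rc4(key: bytes, length: int) -> bytes:
    """RC4 key stream: key-scheduling algorithm, then `length` PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(mpdu: bytes) -> bytes:
    """Step 1: the 4-byte ICV is a plain CRC-32, little-endian on the wire."""
    return struct.pack("<I", zlib.crc32(mpdu) & 0xFFFFFFFF)


def wep_encapsulate(master_key: bytes, key_id: int, iv: bytes, mpdu: bytes) -> bytes:
    """Steps 2-5: seed = IV || master key, RC4 key stream XORed over MPDU || ICV,
    4-byte header (3-byte IV, 1 byte whose low 2 bits are the key id) prepended."""
    assert len(iv) == 3 and 0 <= key_id <= 3
    key_stream = rc4(iv + master_key, len(mpdu) + 4)
    return iv + bytes([key_id]) + xor(mpdu + icv(mpdu), key_stream)


def wep_decapsulate(keys: dict, frame: bytes):
    """Receiver side: pick the key by key id, regenerate the key stream from the
    clear-text IV, decrypt, and recompute the CRC-32. Returns (mpdu, icv_ok)."""
    iv, key_id, body = frame[:3], frame[3] & 0x03, frame[4:]
    plain = xor(body, rc4(iv + keys[key_id], len(body)))
    mpdu, received_icv = plain[:-4], plain[-4:]
    return mpdu, received_icv == icv(mpdu)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Consequence 1 (CRC-32 is linear): modify an intercepted frame WITHOUT the
    key. XOR `delta` into the encrypted payload and crc32(delta) ^ crc32(zeros)
    into the encrypted ICV; the receiver's CRC check still passes."""
    header, body = frame[:4], frame[4:]
    assert len(delta) == len(body) - 4
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))) & 0xFFFFFFFF
    return header + xor(body, delta + struct.pack("<I", icv_delta))


def recover_key_stream(frame: bytes, known_mpdu: bytes) -> bytes:
    """Consequence 2 (key stream reuse): one frame with known plaintext yields the
    RC4 key stream for its IV, because the ICV is computable from the plaintext."""
    return xor(frame[4:], known_mpdu + icv(known_mpdu))


def decrypt_with_key_stream(frame: bytes, key_stream: bytes) -> bytes:
    """Decrypt any other frame that was sent under the same IV and master key."""
    return xor(frame[4:], key_stream)[:-4]


if __name__ == "__main__":
    keys = {0: bytes.fromhex("0102030405")}      # constructed 40-bit WEP key, key id 0
    iv = bytes.fromhex("000001")
    m1 = b"GET /index.html HTTP/1.1"
    f1 = wep_encapsulate(keys[0], 0, iv, m1)
    print(wep_decapsulate(keys, f1))              # (b'GET /index.html HTTP/1.1', True)
    m2 = b"GET /admin.html HTTP/1.1"
    print(wep_decapsulate(keys, flip_bits(f1, xor(m1, m2))))  # (b'GET /admin.html HTTP/1.1', True)
    f3 = wep_encapsulate(keys[0], 0, iv, b"secret")           # same IV reused
    print(decrypt_with_key_stream(f3, recover_key_stream(f1, m1)))  # b'secret'
```

The forgery works because for equal-length inputs crc32(a ^ b) = crc32(a) ^ crc32(b) ^ crc32(0...0); the attacker never sees the ICV in the clear, but XORing that correction into the encrypted ICV produces exactly the CRC of the modified plaintext after decryption.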

Problems in WEP (1/2)
- Uses a "stream cipher in synchronous mode" (RC4) for encrypting data packets.
  - Requires that the "key generators" at the two communicating nodes MUST BE kept "synchronized". (Why? Losing a single bit of the data stream desynchronises everything that follows it.)
  - In a wireless environment, packet loss is widespread.
- WEP's approach: apply encryption/decryption on a per-packet basis [changing the problem from the "session" level to the "packet" level].
  - This requires a unique key for every packet.
  - WEP per-packet key = {IV || master key}, 64 bits: a simple concatenation of the IV (24 bits) and the master key (40 bits).
  - Master key: fixed (never changes), and every per-packet key contains it!
  - IV: sent in clear text.

Loopholes in 802.11 Security
- Does not provide any key establishment mechanism.
- WEP uses a synchronous stream cipher; synchronisation is difficult to maintain over an entire session, hence the per-packet keys.
- Per-packet key = (IV || pre-shared key): a weak way to form an RC4 key, since the first 3 key bytes are known to the attacker and the remaining bytes are identical in every packet.
- Limited key space.
- Changing the IV with each packet is optional, making key (stream) reuse highly probable.
- No support for the STA to authenticate the network.

WEP Confidentiality Issues
- First, the IV size of 24 bits was too short: the IV space is only 2^24 = 16,777,216 values.
- Second, WEP did not specify how to select an IV for each packet.
- Third, WEP did not even make it mandatory to vary the IV on a per-packet basis, which means WEP explicitly allowed reuse of per-packet keys.
- Fourth, there was no mechanism to ensure that the IV was unique per station, making a collision even more likely (two STAs sharing the key and starting from the same IV reuse key streams immediately).
- Finally, simply concatenating the IV with the pre-shared key to obtain a per-packet key is cryptographically insecure, making WEP vulnerable to key-recovery attacks.

Problems in WEP (2/2): IV reuse -> chance of a duplicate IV (figure)

WPA

WPA
- IEEE Task Group i: the 802.11i security standard.
  - Uses AES as the default cipher (WPA2).
  - Not backward compatible with WEP hardware.
- Wi-Fi Alliance (the major 802.11 vendors), aiming to ensure product interoperability, defined WPA:
  - To improve the security of 802.11 networks without requiring a hardware upgrade.
  - Temporal Key Integrity Protocol (TKIP), the cipher suite of WPA.
  - Includes the key management and the authentication architecture (802.1X) specified in 802.11i.
- WPA: TKIP (confidentiality), Michael (integrity)
- WPA2: AES-CCMP (confidentiality and integrity)

Temporal Key Integrity Protocol
- TKIP was designed to provide backward compatibility with WEP.
- It has to operate on WEP hardware, which is dedicated to the WEP implementation, since software implementations of WEP were too slow. To be precise, the WEP (RC4) encryption process is implemented in hardware.
- One of the most severe constraints for the TKIP designers was that the hardware engine could not be changed: TKIP therefore still feeds a 128-bit "WEP seed" (24-bit IV field + 104-bit key) into the RC4 engine.

Key Hierarchy in 802.11
- WEP: 2-tier key hierarchy (master key -> per-packet key).
- WPA: 3-tier key hierarchy (PMK -> PTK -> per-packet key).
- PMK (Pairwise Master Key), obtained in two ways:
  (1) using 802.1X (derived from the EAP authentication), usually for the "enterprise";
  (2) without 802.1X, via manual administration of a pre-shared key (PSK), usually for the "home".
- PTK (Pairwise Transient Keys): a set of "session keys" (4 of them: data encryption, data integrity, and two that protect the key handshake messages themselves), derived at the beginning of each new session (STA <-> AP) from the PMK plus nonces contributed by both sides.
Edward Jung

PMK -> PTK (figure)
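The PMK -> PTK step in code: the PMK as obtained the "home" way (PBKDF2 over passphrase and SSID; with 802.1X the PMK comes from the EAP method instead and everything afterwards is the same), then the 802.11i PRF that both the AP and the STA run over the PMK, the two MAC addresses and the two nonces of the 4-way handshake, and the split of the PTK into the handshake keys and the temporal key. This is an added example written for this page, not code from the slides; the MAC addresses, nonces and the EAPOL-Key message body in the demo are constructed test data.

```python
import hashlib
import hmac
import os

# Added example, not from the slides: PMK derivation for WPA/WPA2-Personal and
# the PTK derivation both sides perform during the 4-way handshake. Addresses,
# nonces and the EAPOL-Key body used in the demo are constructed test data.

def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """Way (2), pre-shared key: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID,
    4096 iterations, 256 bits). Way (1), 802.1X, delivers the PMK from the
    EAP method's master session key instead; the rest is identical."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(K, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               tkip: bool = False) -> dict:
    """PTK = PRF-X(PMK, "Pairwise key expansion",
                   min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    X = 512 for TKIP (the TK also carries the Michael keys), 384 for CCMP.
    KCK: MIC key for the handshake messages; KEK: wraps the group key;
    TK: temporal key handed to the data cipher. Sorting the inputs makes the
    result independent of which side computes it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512 if tkip else 384)
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def eapol_key_mic(kck: bytes, eapol_frame_with_zeroed_mic: bytes, wpa2: bool = True) -> bytes:
    """MIC over an EAPOL-Key message: HMAC-SHA1 truncated to 128 bits for WPA2
    (key descriptor version 2), HMAC-MD5 for WPA/TKIP (version 1)."""
    if wpa2:
        return hmac.new(kck, eapol_frame_with_zeroed_mic, hashlib.sha1).digest()[:16]
    return hmac.new(kck, eapol_frame_with_zeroed_mic, hashlib.md5).digest()


def four_way_handshake_demo(passphrase: str, ssid: bytes, aa: bytes, spa: bytes) -> bool:
    """Both sides hold the same PMK, exchange fresh nonces (message 1 carries
    ANonce, message 2 SNonce) and must arrive at the same PTK. The MIC on
    message 2, keyed with the KCK, is what proves to the AP that the STA knows
    the PMK, i.e. the passphrase, without ever sending it."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    anonce, snonce = os.urandom(32), os.urandom(32)      # fresh per session
    ap_keys = derive_ptk(pmk, aa, spa, anonce, snonce)   # AP computes after message 2
    sta_keys = derive_ptk(pmk, aa, spa, anonce, snonce)  # STA computes after message 1
    msg2_body = b"EAPOL-Key message 2 with the MIC field zeroed"  # constructed stand-in
    return (ap_keys == sta_keys and
            eapol_key_mic(ap_keys["KCK"], msg2_body) == eapol_key_mic(sta_keys["KCK"], msg2_body))


if __name__ == "__main__":
    aa = bytes.fromhex("020000000001")   # constructed AP address
    spa = bytes.fromhex("020000000002")  # constructed STA address
    print(pmk_from_passphrase("password", b"IEEE").hex())  # 802.11i Annex H test vector
    print(four_way_handshake_demo("password", b"IEEE", aa, spa))  # True
```

Note what the derivation does not give you: with a PSK the PMK is the same for every STA on the network and is a deterministic function of the passphrase, so the strength of the "home" variant is exactly the strength of that passphrase.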

PTK -> Per-Packet Key (TKIP key mixing)
- Goal: obtain the per-packet key.
- Key idea: key mixing in 2 separate phases.
  - Phase 1: the session data encryption key (TK) is "combined" with the high-order 32 bits of the 48-bit IV (TSC) and the transmitter's MAC address; the result (TTAK) is cached and reused for the next 2^16 packets.
  - Phase 2: the output of phase 1 is "combined" with the low-order 16 bits of the IV to generate the 104-bit per-packet key (plus the 24-bit IV field the WEP hardware expects, constructed so as to avoid the RC4 weak keys).
- Note: the key-mixing function makes it very hard for an eavesdropper to correlate the IV with the per-packet key used to encrypt the packet, and mixing in the MAC address gives different STAs different key streams even when they share the TK and IV.

PTK -> Per-Packet Key (figure)

WPA Confidentiality Improvements
- TKIP doubles the IV size from 24 bits to 48 bits, increasing the time to IV (key stream) collision from a few hours to at least a few hundred years, long after the session keys have been refreshed.
- Using the per-packet key mixing function (much more complicated) instead of simply concatenating the IV to the master key increases the effective IV size and removes the known-IV / constant-key structure that broke WEP, while still being compatible with existing WEP hardware.

Why should the same key (stream) not be used twice?
- If two packets P1 and P2 are encrypted with the same key stream K, then C1 XOR C2 = (P1 XOR K) XOR (P2 XOR K) = P1 XOR P2: the key stream cancels out.
- Combined with frequency analysis of P1 XOR P2, this is often enough to recover information about both plaintexts; and if P1 is known, P2 = (C1 XOR C2) XOR P1 can be calculated directly.
- WEP key space: 64-bit key, of which 40 bits are fixed and 24 bits are the IV -> only 2^24 distinct key streams.
- Time to exhaust the IV space with 1500-byte packets at 11 Mbps: (1500 * 8 bits * 2^24) / (11 * 10^6 bit/s) = 18,300 s = 5.08 h.

WPA Integrity
- Uses the Michael MIC: not computation intensive, so it can run on existing WEP hardware, which has very little computation power. However, it is not cryptographically strong (its design target is about 20 bits of security against forgery), which is why countermeasures are needed.
- Countermeasure: if a TKIP implementation detects two failed forgeries (MIC failures) within 60 seconds, the STA assumes it is under attack, deletes its keys, disassociates, waits for a minute and then re-associates, so an attacker gets at most two guesses per minute.
- The 48-bit IV also serves as the TKIP Sequence Counter (TSC): the receiver drops frames whose TSC is not greater than the last one accepted, which avoids the replay attack WEP was susceptible to.
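Michael and the two receive-side rules above in code: the MIC itself (shifts, XORs and 32-bit adds only, which is why WEP-era hardware can afford it), the TSC replay check, and the two-failures-in-60-seconds countermeasure trigger. This is an added example written for this page, not code from the slides or the standard; the MIC key, addresses and payloads in the demo are constructed test data, and the receiver is simplified (it keeps running after countermeasures fire instead of disassociating).

```python
import struct
import time

# Added example, not from the slides: the Michael MIC used by TKIP, the TSC
# replay check, and the MIC-failure countermeasure trigger. Keys, addresses
# and payloads below are constructed test data.

MASK = 0xFFFFFFFF

def _rol(x, n): return ((x << n) | (x >> (32 - n))) & MASK
def _ror(x, n): return ((x >> n) | (x << (32 - n))) & MASK
def _xswap(x): return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def _b(l, r):
    """Michael block function: rotates, byte swaps, XORs and adds only.
    Cheap enough for WEP-era CPUs, and the reason Michael is only ~20 bits strong."""
    r ^= _rol(l, 17); l = (l + r) & MASK
    r ^= _xswap(l);   l = (l + r) & MASK
    r ^= _rol(l, 3);  l = (l + r) & MASK
    r ^= _ror(l, 2);  l = (l + r) & MASK
    return l, r

def michael(key: bytes, msg: bytes) -> bytes:
    """64-bit Michael MIC. Pad with one 0x5a byte and 4..7 zero bytes to a
    multiple of 4, then absorb one 32-bit little-endian word per round."""
    l, r = struct.unpack("<II", key)
    padded = msg + b"\x5a" + bytes(7 - len(msg) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l, r = _b(l ^ word, r)
    return struct.pack("<II", l, r)

def tkip_mic(mic_key: bytes, da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """TKIP computes Michael over DA || SA || priority || 3 zero bytes || MSDU,
    so the addresses are protected too (WEP's CRC-32 covered the payload only)."""
    return michael(mic_key, da + sa + bytes([priority, 0, 0, 0]) + msdu)

class TkipReceiver:
    """Receive-side state: last accepted TSC and the timestamps of recent MIC failures."""
    COUNTERMEASURE_WINDOW = 60.0   # seconds: two MIC failures inside it trigger countermeasures

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_tsc = -1
        self.failures = []

    def receive(self, tsc: int, da: bytes, sa: bytes, priority: int, msdu: bytes,
                mic: bytes, now: float = None) -> str:
        now = time.time() if now is None else now
        if tsc <= self.last_tsc:              # the 48-bit IV doubles as sequence counter
            return "replay"
        if tkip_mic(self.mic_key, da, sa, priority, msdu) != mic:
            self.failures = [t for t in self.failures if now - t < self.COUNTERMEASURE_WINDOW] + [now]
            # second failure inside the window: delete keys, disassociate, wait 60 s
            return "countermeasures" if len(self.failures) >= 2 else "mic_failure"
        self.last_tsc = tsc
        return "ok"

if __name__ == "__main__":
    print(michael(bytes(8), b"").hex())        # 82925c1ca1d130b8 (802.11i Annex H vector)
    key = bytes.fromhex("0011223344556677")    # constructed Michael key
    da, sa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    rx = TkipReceiver(key)
    good = tkip_mic(key, da, sa, 0, b"hello")
    print(rx.receive(1, da, sa, 0, b"hello", good, now=0.0))   # ok
    print(rx.receive(1, da, sa, 0, b"hello", good, now=1.0))   # replay
    print(rx.receive(2, da, sa, 0, b"hellp", good, now=2.0))   # mic_failure
    print(rx.receive(3, da, sa, 0, b"hellq", good, now=3.0))   # countermeasures
```

The replay check runs before the MIC check on purpose: a replayed frame is dropped without costing the receiver a Michael computation, and without counting as a forgery attempt.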

TKIP Overall Picture (figure)

WPA vs. WEP (figure 1/2)

WPA vs. WEP (figure 2/2)

WPA2 (IEEE 802.11i)

Key Establishment & Authentication (WPA2)
- Key establishment and the key hierarchy architecture of WPA and WPA2 are almost identical (same 4-way handshake, same PMK -> PTK derivation).
- Difference: WPA2 (CCMP) uses a single temporal key for both encryption and integrity protection, whereas TKIP derives separate encryption and Michael keys.
- Authentication: identical to WPA, pre-shared key or 802.1X.

AES (figure)

Confidentiality (WPA2)
- AES in counter mode: Ci = Mi XOR EK(i)
- Security rests on the counter: as long as a counter value is never repeated under the same key, the scheme is secure (a repeated counter gives C1 XOR C2 = M1 XOR M2, the WEP problem again).
- Hence a fresh key for every session, and a 48-bit packet number that is never reset within a session.

Integrity (WPA2)
- AES CBC-MAC: the message blocks are chained through AES in CBC mode and the last block, truncated, is the MIC.
- AES-CCMP (Counter mode with CBC-MAC Protocol): one AES key, one nonce built from the packet number and the transmitter address, CBC-MAC computed over the header fields and the plaintext, then the MIC and the data are encrypted in counter mode.

Confidentiality + Integrity (figure)
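The two halves above put together the way CCMP does it: CBC-MAC over a nonce block, the header fields and the plaintext, then counter mode over the data and the MIC, with CCMP's 13-byte nonce (priority, transmitter address, 48-bit packet number), 8-byte MIC and 2-byte length field. This is an added example written for this page, not code from the slides or the standard. Its one assumption is the block function: to run with the standard library only, `stand_in_block_cipher` is HMAC-SHA256 truncated to 16 bytes, NOT AES; real CCMP uses AES-128 there, and since both counter mode and CBC-MAC only ever call the forward direction of the cipher, the construction is otherwise unchanged. The header bytes and payloads in the demo are constructed test data.

```python
import hashlib
import hmac
import struct

# Added example, not from the slides: the CCM construction behind CCMP with a
# pluggable 16-byte block function. stand_in_block_cipher is an assumption made
# so the example runs offline (NOT AES); CCMP uses AES-128 in its place.

BLOCK = 16

def stand_in_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one block (HMAC-SHA256 truncated, NOT AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ccmp_nonce(priority: int, a2: bytes, pn: int) -> bytes:
    """CCMP nonce = priority (1) || transmitter address A2 (6) || 48-bit PN (6).
    PN must never repeat under one temporal key; receivers also reject any PN
    that does not increase (replay protection)."""
    return bytes([priority]) + a2 + pn.to_bytes(6, "big")

def _ctr_block(nonce: bytes, i: int) -> bytes:
    """Counter block: flags 0x01 (2-byte counter), nonce, counter i."""
    return b"\x01" + nonce + struct.pack(">H", i)

def _cbc_mac(E, key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """CBC-MAC over B0 || length-prefixed AAD || plaintext, each zero-padded to
    16 bytes. B0 flags 0x59 = AAD present, 8-byte MIC, 2-byte length field."""
    b0 = b"\x59" + nonce + struct.pack(">H", len(plaintext))
    a = struct.pack(">H", len(aad)) + aad
    blocks = b0 + a + bytes(-len(a) % BLOCK) + plaintext + bytes(-len(plaintext) % BLOCK)
    x = bytes(BLOCK)
    for i in range(0, len(blocks), BLOCK):
        x = E(key, xor(x, blocks[i:i + BLOCK]))       # chain every block through the cipher
    return x[:8]

def _key_stream(E, key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter 0 is reserved for the MIC; data blocks use counters 1, 2, ..."""
    return b"".join(E(key, _ctr_block(nonce, i)) for i in range(1, (n + BLOCK - 1) // BLOCK + 1))

def ccm_encrypt(E, key: bytes, nonce: bytes, aad: bytes, plaintext: bytes):
    """Returns (ciphertext, encrypted 8-byte MIC). C_i = M_i XOR E_K(counter_i),
    MIC XOR E_K(counter_0): one key serves both confidentiality and integrity."""
    mic = _cbc_mac(E, key, nonce, aad, plaintext)
    ct = xor(plaintext, _key_stream(E, key, nonce, len(plaintext)))
    return ct, xor(mic, E(key, _ctr_block(nonce, 0)))

def ccm_decrypt(E, key: bytes, nonce: bytes, aad: bytes, ciphertext: bytes, mic: bytes):
    """Decrypt, recompute the CBC-MAC over the recovered plaintext and compare in
    constant time. Returns None if the data, the AAD or the nonce was tampered with."""
    pt = xor(ciphertext, _key_stream(E, key, nonce, len(ciphertext)))
    expected = xor(_cbc_mac(E, key, nonce, aad, pt), E(key, _ctr_block(nonce, 0)))
    return pt if hmac.compare_digest(expected, mic) else None

if __name__ == "__main__":
    E = stand_in_block_cipher
    tk = bytes(range(16))                               # constructed temporal key
    nonce = ccmp_nonce(0, bytes.fromhex("020000000001"), 1)
    aad = b"constructed stand-in for the masked 802.11 header"
    ct, mic = ccm_encrypt(E, tk, nonce, aad, b"payload longer than one block")
    print(ccm_decrypt(E, tk, nonce, aad, ct, mic))     # b'payload longer than one block'
    print(ccm_decrypt(E, tk, nonce, aad, bytes([ct[0] ^ 1]) + ct[1:], mic))  # None
```

Contrast with the WEP example: a single flipped ciphertext bit here changes the recovered plaintext, which changes the CBC-MAC, which no longer matches the MIC, and there is no linear relation the attacker can use to fix it up. The price is that the nonce, and therefore the packet number, must never repeat under one key, which is what the per-session key refresh and the monotonically increasing PN guarantee.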

WPA2 Overall Picture (figure)

WEP vs WPA vs WPA2 (figure 1/2)

WEP vs WPA vs WPA2 (figure 2/2)