Security Past, Present, and Future Chris Shutters, CISSP February 2004
What We Will Cover Introduction - What is ? Relationship Between and Wi-Fi Original Security Goals Original Security Original Vulnerabilities Tools How to Secure Original Current Security WPA Protocol Stack Future Security Final Thoughts
Introduction - What is ? A set of standards for wireless networking – Addresses LANs where devices Communicate over ‘airwaves’ (radio or infrared) Are within (relatively) close proximity to each other Wireless devices may communicate – Directly with each other (independent or ad-hoc networks) – Via an Access Point (AP) (infrastructure mode) Data rates – b: up to 11 Mbps (2.4 GHz frequency range) – a: up to 54 Mbps (5 GHz frequency range) – g: up to 54 Mbps (2.4 GHz frequency range)
Relationship Between and Wi-Fi is a series of standards produced by the IEEE – Specify technical details such as: Radio frequencies Modulation methods Protocol messages Wi-Fi is an alliance of major manufacturers – Focus is on interoperability testing – Interoperability is defined by a set of “gold standard” products – Products are tested and certified as Wi-Fi compliant
Original Security Goals Authorization – Verify that all mobile stations are authorized to access the network Privacy – Implement security such that there is no privacy difference between wireless and wired LANs – Maintain data privacy from all unauthorized stations
Original Security Two authentication methods available – Open system authentication Station 1 sends Service Set ID (SSID) to station 2 Station 2 accepts or rejects station 1 based on knowledge of SSID APs can be configured to accept the broadcast SSID – Thus allowing anyone to access the AP – Shared key authentication Stations respond to an authentication challenge from an AP or other device – AP sends a challenge to be encrypted by the station – Station encrypts the challenge with shared key – AP decrypts challenge and grants or denies authentication based on decryption results
Original Security (cont.) Wired Equivalent Privacy (WEP) – Encryption algorithm: RC4 (symmetric stream cipher) Requires shared key for all communicating stations – Key length: either 40 or 104 bits (plus 24 bit initialization vector [IV]) – Each data frame is encrypted separately with a different IV – Key management: not addressed by WEP key details – RC4 encryption key is constructed by appending IV to shared key 2 24 possible encryption keys for each shared key
Original Security (cont.)
Data integrity is protected with a Message Integrity Code (MIC) – The 32-bit Cyclic Redundancy Check (CRC-32) algorithm was chosen to implement the MIC Bad choice, as CRC-32 was originally designed to detect random changes to data, not to protect against malicious tampering An attacker can reliably change both the data and the CRC-32 value such that the CRC-32 matches the altered data
Original Vulnerabilities Traffic sniffing – Easier to perform on wireless than on traditional wired LANs – SSID is always sniffable when stations associate to an AP – If WEP is not being used Plaintext data frames can be sniffed – If WEP is being used Ciphertext data frames can be sniffed Accumulation of ciphertext data leads to many interesting attacks – For APs connected to other LANs Broadcast traffic should be available Vulnerable to ARP spoofing
Original Vulnerabilities (cont.) Insertion – connecting an unauthorized station into a Wireless LAN – Easy if WEP not being used Try broadcast SSID Sniff SSID and use it to gain access Request DHCP address If no DHCP, try a x address – If WEP is being used Can still do many things… Authentication problems – Currently, authentication only performed by SSID or WEP key Both of these methods may be sniffed and duplicated
Original Vulnerabilities (cont.) WEP problems – Inappropriate choice of encryption algorithm With stream ciphers, it is unsafe to ever reuse a key – Key management problems Because this issue is not addressed by , the shared key is rarely if ever changed – Keyspace problems Reuse of IVs is inevitable – For randomly-selected IVs: due to Birthday Paradox, it is 99% likely that at least one IV will be reused every 12,500 frames On a moderately loaded AP, keyspace will be exhausted in a few hours Capture of large amounts of frames can lead to compromise of shared key
Original Vulnerabilities (cont.) – Known plaintext attacks If the plaintext and corresponding ciphertext of a message can be obtained, the RC4 keystream for that IV can be recovered – As discussed before, the shared key authentication method does this for us! – Note: No knowledge of the shared key is required, except the fact that it hasn’t changed Once at least one RC4 keystream has been recovered, one can – Authenticate to the network – Insert messages into the network
Original Vulnerabilities (cont.) Often, attacker can inject known plaintext – HTTP requests – PING packets Known plaintext in a packet allows immediate recovery of the keystream for that particular IV! A Decryption Dictionary can be assembled – Table indexed by IV that contains recovered keystreams Approximately 23 GB required for 24 bit IVs Dictionary is the same size for 40 and 104 bit encryption! – When a new packet that uses a known IV is captured, just look up the keystream and decrypt the data! – Many implementations reset IVs to zero when initialized, and sequentially increment IVs In this case the dictionary won’t have to be very big to be able to decrypt a significant percentage of traffic
Original Vulnerabilities (cont.) Misconfiguration – Default SSID not changed – Broadcast SSID not disabled – Default passwords not changed – WEP not enabled
Tools NetStumbler ( – Windows application that sniffs for presence of wireless traffic – When it detects traffic, it logs MAC address SSID Manufacturer Channel WEP enabled (yes or no) Signal strength Signal to noise ratio – If you have GPS data available, it will also log coordinates
Tools (cont.) AiroPeek NX ( – Commercial sniffer and analyzer – Performs full decode of all traffic as well as higher- level network protocols
Tools (cont.)
AirSnort ( – Wireless LAN WEP key recovery program – Sniffs and stores traffic until key can be computed Typically requires capture of between five to ten million encrypted packets – Implements attack against RC4 Key Scheduling Algorithm Weakness ( This is commonly known as the FMS attack (for the initials of the discoverers of the attack) Looks for frames that were encrypted with “weak” RC4 keys (approximately 3,000 out of the 16+ million possible keys) Once approximately 2,000 “interesting” frames have been gathered, the key can be computed
Tools (cont.) Kismet ( – Linux program for sniffing wireless traffic – Will log the following information Networks found Captured packets in binary format (suitable for later replay and analysis) Cryptographically “weak” packets (like AirSnort) IP address blocks in use (via ARP and DHCP analysis) All Cisco products that announce themselves via Cisco Discovery Protocol (CDP)
How to Secure Original Place the WLAN in a DMZ and require VPN authentication for access to internal systems – Systems may still be individually attackable by rogue mobile stations Enable WEP Use 128 bit WEP encryption Change shared keys on a regular basis Change default SSID Don’t make SSID something obvious (company name, street address, etc) Disable acceptance of “broadcast SSID” Disable broadcasting of SSID Change default passwords on all equipment If possible, restrict access by MAC addresses Consider not using DHCP (statically assign addresses)
Current Security Wi-Fi Protected Access (WPA) is the current “state of the art” in security – Why? To specifically address WEP weaknesses in a timely manner Most existing equipment can implement WPA with a firmware update – First, use of the Temporal Key Integrity Protocol (TKIP) is specified CRC is replaced with a MIC called Michael – New algorithm – Compromise between security and ability to be implemented in current hardware – Can potentially be brute-forced However, countermeasures are implemented to detect and respond to brute-force attacks
Current Security (cont.) IV size increased from 24 to 48 bits – IVs mandated to be used in sequential order – IV rollover or reuse won’t happen for hundreds of years – IV is also used as a replay detector/preventer The secret key used to encrypt packets is changed for every packet, using Per-Packet Key Mixing – Static Master and Session keys exist, but they are not directly used to encrypt packets – Thus, the tactic of accumulating large amounts of ciphertext to attack a static secret key will no longer work Countermeasures – The countermeasure against a Michael brute-force attack is to halt all network traffic on the attacked device for one minute This limits attacker to one attempt per minute The network interruptions should (in theory) be noticed by network support personnel
Current Security (cont.) – Second, use of the Extensible Authentication Protocol (EAP) is specified This is a simple protocol, designed to transport arbitrary authentication information (originally designed for dialup) For communication between mobile station and AP, EAP over LAN (EAPOL) is used For communication between AP and authentication server, EAP over RADIUS is used – Third, use of the 802.1X protocol is specified 802.1X was designed to implement access control at the point where a user joins the network – Multiple lower-level protocols can implement 802.1X WPA specifies EAPOL as the 802.1X protocol used between mobile station and AP WPA specifies RADIUS as the 802.1X protocol used between AP and authentication server
Current Security (cont.) Please note that 802.1X has been shown to be vulnerable to man-in-the-middle and session hijacking attacks ( – Fourth, use of Transport Layer Security (TLS, the RFC standardized version of SSL) is specified TLS is transported over EAP It is utilized specifically for authentication This implies existence of a PKI infrastructure for managing keys and certificates – May be non-trivial to implement such an infrastructure – Fifth, specific methods of cryptographic key management are specified Each authenticated mobile station receives: – A pairwise key that is used to protect communications between it and the AP – A group key that is used to protect broadcast or multicast data
WPA Protocol Stack TLS over EAP (RFC2716) TLS (RFC2246) EAP (RFC2284) 802.1X EAPOL Security Communication Between Mobile Station and Access Point
WPA Protocol Stack (cont.) TLS over EAP (RFC2716) TLS (RFC2246) EAP (RFC2284) EAP over RADIUS (RFC2869) RADIUS (RFC2865) Security Communication Between Access Point and Authentication Server TCP/IP (or other)
Future Security The i standard is close to being finalized and published – WPA was designed to be upwardly compatible with i – i defines a Robust Security Network (RSN) RSN utilizes almost all of the protocols specified in WPA, but includes some additional changes/options First, use of the Advanced Encryption Standard (AES) is required, – This replaces RC4 – AES can not be implemented in the majority of existing hardware
Future Security (cont.) Second, the WPA MIC is replaced by Cipher Block Chaining – Message Authentication Code (CBC-MAC) – This is a new implementation of CBC-MAC using AES, but based upon previous implementations of CBC-MAC using other crypto algorithms Third, TKIP is replaced by Counter Mode – CBC-MAC Protocol, or CCMP (RFC 3610) – This is basically an implementation of a protocol similar to TKIP, only based on AES instead of RC4 – What RC4 is to TKIP, AES is to CCMP
Future Security (cont.) Fourth, multiple additional upper-layer authentication mechanisms (at the same layer as TLS) are specified – Kerberos V5 (RFC 1510) is a well-known, centralized authentication and authorization system – Protected EAP (PEAP) provides a way to do EAP negotiation while not exposing authentication tokens (e.g. passwords, password hashes, or identity credentials) to sniffing attacks Currently a draft internet standard ( pppext-eap-tls-eap-07.txt) – EAP-SIM is based on an authentication method used in cellular networks
Final Thoughts Original networks can be secured, but it is not easy WPA is a dramatic improvement over original security i will likely be even better, but implementation will almost assuredly require updated hardware Questions?