Presentation is loading. Please wait.

Presentation is loading. Please wait.

Solutions for WEP Bracha Hod June 1, 2003 2 802.11i Task Group  Addresses WEP issues –No forgery protection –No protection against replays –Attack through.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Solutions for WEP Bracha Hod June 1, 2003 2 802.11i Task Group  Addresses WEP issues –No forgery protection –No protection against replays –Attack through."— Presentation transcript:

1

2 Solutions for WEP Bracha Hod June 1, 2003

3 2 802.11i Task Group  Addresses WEP issues –No forgery protection –No protection against replays –Attack through weak keys –IV re-use  But has constraints –Needs a firmware patch: large market already –Access Points have cheap processor –Part is hardwired in the devices

4 3 Robust Secure Network  Interim solution –Use constrains –802.1x - authentication and key management –TKIP - data encapsulation  Longterm solution –Ignore constrains –802.1x - authentication and key management –AES - data encapsulation

5 802.1X

6 5 802.1x Architecture  Allows choice of auth. methods using EAP –Chosen by peers at authentication time –Access point doesn’t care about EAP methods  Requires some authentication server –RADIUS is the de facto back-end protocol 802.1X (EAPoL) 802.11 EAP-TLS EAP RADIUS UDP/IP

7 6 802.1X Terminology  Port-based access control mechanism –Ports for passing data without authentication –Parts for passing data only after authentication Supplicant Authentication Server Authenticator Controlled port Uncontrolled port

8 7 802.1x Model Supplicant Authentication Server Authenticator Authentication traffic Normal Data Port Status: EAP Identity Request Associate EAP Auth Response EAP Auth Request EAP Identity Response Radius802.1x EAP-Success

9 8 802.1x Advantages  Standards-based  Flexible authentication  Scalable to large enterprise networks  Centrally managed  Roaming can be made as transparent as possible  Keys are dynamically generated and propagated

10 9 802.1x Flaws  Possible attacks –Man-in-the-middle –Session hijacking –Denial-of-service attacks  Solutions –Strong mutual authentication by protocols like EAP-TLS, EAP-TTLS and EAP-PEAP which provide strong master-key in the end –The area of coverage of an access point is small enough that an attacker would have a substantial risk of discovery

11 TKIP

12 11 Temporal Key Integrity Protocol  Designed as a wrapper around WEP –Can be implemented in software –Reuses existing WEP hardware –Runs WEP as a sub-component  Components –Cryptographic message integrity code –Packet sequencing –Per-packet key mixing –Re-keying mechanism

13 12 MIC  Sender and receiver share 64-bit secret key  MIC = h (src MAC|dst MAC|frame body)K  If receivers computation matches the MIC sent, then message presumed authentic  If 2 forgeries in a second, then assume under attack (delete keys, disassociate, and reassociate) 8 byte MIC SADAPayload Michael Authentication Key

14 13 Packet Sequencing  Reuse 16-bits of WEP IV packet field for sequence number  Initialize seq# to 0 on new encryption key  Increment seq# by 1 on each packet  Discard any packet out of sequence Access Point Wireless Station HdrPacket n HdrPacket n + 1 HdrPacket n

15 14 Key Mixing  Phase 1: –Key_mix1(128-bit temporal key, 48-bit MAC) –128-bit result –Ensure unique key if clients share same temporal key  Phase 2: –Key_mix2(phase1 result,seq#) –The result is 128-bit per-packet key –Incrementing seq# ensure unique key for each packet  Keystream = RC4(128-bit per-packet key)

16 15 Key Mixing  The keys are 128-bit  The transmitter address is 48-bit  The sequence number is 16-bit Transmitter Address: 00-A0-C9-BA-4D-5F Temporal key Phase 1 Mixer Intermediate key Per-packet key Phase 2 Mixer Packet Sequence #

17 16 Rekeying  Key hierarchy –Master key Established via 802.1x or manually Used to securely communicate key encryption keys –Key encryption keys (2) Secure messages containing keying material for deriving temporal keys Key 1: encryption data 128-bit Key 2: data integrity 64-bit –Temporal keys (2) Key 1: encrypting data 128-bit Key 2: data integrity 64-bit

18 17 Putting The Pieces Together

19 18 Summery  Advantages –Fixes several issues in WEP –Companies having existing WEP-based equipment can upgrade to TKIP through relatively simple firmware patches  Disadvantages –Relies on the original 802.11 security specifications –Not ideal solution  “We should all realize that TKIP is really a kludge. We are trying to make the best of a difficult situation, but TKIP should be phased out as soon as possible…”

20 AES

21 20 Requirements  Use encryption properly –In particular The protocol must never reuse nonces or IVs or other information used to randomize the encryption function  Defend against forgeries and replays –In particular, a design must never reuse keys  Protect the source and destination addresses from modification  Minimize the cost: –Minimize the number of cryptographic primitives used –Minimize the software expenses  Use the best practice cryptographic primitives

22 21 AES-based Encapsulations  Replaces RC4 with AES for encryption and integrity  Requires coprocessor, therefore new hardware deployment  AES –Symmetric key block cipher –Require sequence counter, 128-bit key  Two cryptographic modes: –AES-CCM (CCMP): Counter Mode with CBC-MAC –AES-OCB (WRAP): Offset Codebook

23 22 Counter Mode & CBC-MAC EKEK ctr 1 c1c1 m1m1 EKEK ctr 2 c2c2 m2m2 EKEK ctr 3 c3c3 m3m3 EKEK ctr n-1 c n-1 m n-1 EKEK ctr n cncn mnmn EKEK EKEK EKEK m n-1 EKEK mnmn cmcm IV c 0 =IV c j =E K (m j  c j-1 ) MAC=c m c j =E K (ctr j )  m j m1m1 m2m2

24 23 AES-CCM  Use CBC-MAC to compute a MIC on the MPDU + header fields  CTR mode to encrypt the payload and the MIC  The counter for encryption and the IV for MIC are made by concatenation of the sequence counter and header fields HeaderPayload Encrypted MIC Authenticated 010000111010101 48-bit sequence counter AES key Seq CTR

25 24 OCB … Full tag   offset EKEK checksum   offset EKEK m1m1 c1c1 offset   L(0)   offset EKEK m2m2 c2c2 offset   L(1) EKEK mnmn cncn    L(-1) Pad Len(m n ) offset   L (ntz(n))   ossfet EKEK Nonce Offset   L  L L = E K (0)

26 25 AES-OCB  OCB provides both data privacy and data authenticity by a single AES-key and 28-bit sequence counter  The nonce of OCB is made by concatenation of the sequence counter and header fields HeaderPayload Encrypted MIC Authenticated 010000111010101 28-bit sequence counter AES key Seq CTR

27 26 CCM vs. OCB  Security –OCB mode appears to be superior for data authentication  Performance –In hardware there are no difference –In software, AES-OCB enjoy about 2:1 performance advantage over AES-CCM  Patent situation –OCB has patent, while CCM doesn’t

28 27 Today & The Future  2000 – WEP –Better than no security  2001-2002 - 802.1x–WEP –Fixes authentication issues for legacy equipment  2002-2003 - 802.11i–TKIP –Fixes known encryption issues for legacy equipment  2003-2004 - 802.11i-AES –Next generation security for future products

29 Thank You!

Download ppt "Solutions for WEP Bracha Hod June 1, 2003 2 802.11i Task Group  Addresses WEP issues –No forgery protection –No protection against replays –Attack through."

Similar presentations

CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
WLAN SECURITY TEAM NAME : Crypto_5 TEAM MEMBERS: Rajini Ananthoj Srimani Reddy Gatla Ishleen Kour Pallavi Murudkar Deepagandhi Vadivelu.

WLAN SECURITY TEAM NAME : Crypto_5 TEAM MEMBERS: Rajini Ananthoj Srimani Reddy Gatla Ishleen Kour Pallavi Murudkar Deepagandhi Vadivelu.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.

Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.
P1451.5 Security Survey and Recommendations By: Ryon Coleman October 16, 2003.

P Security Survey and Recommendations By: Ryon Coleman October 16, 2003.
IPsec Internet Headquarters Branch Office SA R1 R2

IPsec Internet Headquarters Branch Office SA R1 R2
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – 802.11b  Security Mechanisms in 802.11b  Security Problems in 802.11b  Solutions for 802.11b.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
Implementing Wireless LAN Security

Implementing Wireless LAN Security
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
OpenSig 2003: Panel Discussion on the Differences and Similarities of Wired vs. Wireless Security Russ Housley 9 October 2003.

OpenSig 2003: Panel Discussion on the Differences and Similarities of Wired vs. Wireless Security Russ Housley 9 October 2003.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.

MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID 003503527.

W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Similar presentations

Ads by Google