
Michal Rapco, May 05, 2005: Security issues in Wireless LANs


Slide 1: Security issues in Wireless LANs
Michal Rapco, michal.rapco@anect.com
May 05, 2005

Slide 2: Agenda
- Introduction
- IEEE 802.11 standard and its WEP method
- What makes wireless networks different
- Authentication of wireless network clients
- 802.1x and WEP – secure combination?
- On the way to stronger ciphering and data protection
- Key management
- Alternative ways for securing communication in wireless networks
- Identification of persisting weak points in wireless networks
- Questions

Slide 3: Introduction
Three phases in WLAN security:
- WLANs conforming to IEEE 802.11 security
- Proprietary and/or pre-standard IEEE 802.11i security mechanisms
- WLANs conforming to IEEE 802.11i security

Slide 4: IEEE 802.11 standard and its WEP method
Several security flaws:
- weak client authentication;
- absence of key management;
- serious flaws in WEP method ciphering;
- insufficient frame protection against modification;
- no protection against replay attacks.
SW tools exploiting the stated weaknesses are widely accessible.

Slide 5: What makes wireless networks different
The main difference: the transport medium (radio waves)
- no exact physical borders, so no well-defined security perimeter;
- the physical part of security can't be applied;
- the radio network coverage can be larger than expected (often determined by the technical equipment of a possible attacker).

Slide 6: Authentication of wireless network clients
- Adoption of the mechanism given by IEEE 802.1x and EAP (RFC 2284 and RFC 3748)
- The IEEE 802.1x "controlled" and "uncontrolled" port philosophy is suitable to control IEEE 802.11 client association
- Special consideration should be given to the use of tunneled EAP methods
- Requirements on the EAP method:
  - allows for mutual authentication;
  - contains a mechanism for cryptographic binding;
  - contains a specification of how to derive the necessary cryptographic material.
- Examples: EAP-TLS, PEAPv2, EAP-FAST
- Be aware that the initial message sequence is transmitted in the clear (user IDs)

Slide 7: 802.1x and WEP – secure combination?
Advantages of this combination:
- strong user authentication;
- automatic generation of the keys and their periodic change.
Still not addressing all of the security flaws of WEP ciphering.

Slide 8: On the way to stronger ciphering and data protection
There is a need to replace the WEP method and IEEE 802.11 frame protection with stronger mechanisms.
Replacement of WEP using the same HW platform:
- proprietary Cisco CKIP+CMIC;
- standard-based TKIP.
Replacement of WEP using a new HW platform:
- CCMP (CTR with CBC-MAC) with AES

Slide 9: On the way to stronger ciphering and data protection (cont.)
Cisco Key Integrity Protocol / Temporal Key Integrity Protocol: a different approach to data ciphering while still using the WEP/RC4 hardware.
Proprietary CKIP:
- construction of a per-MPDU unique WEP seed using a hash function in one stage;
- the 24-bit IV requires more frequent changes of the base WEP key;
- IV value used for anti-replay protection;
- MIC: 4-byte value calculated using a hash function;
- based on an early specification of TKIP.
Standard-based TKIP:
- more sophisticated construction of the per-MPDU unique WEP seed using a hash function in two stages;
- 48-bit TSC for anti-replay, which practically avoids the IV collision problem;
- MIC: 8-byte value calculated using an algorithm called Michael.
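The 8-byte TKIP MIC named above, implemented as an added example (not code from the presentation): the Michael function of IEEE 802.11i over a 64-bit key, including its padding rule, checked against the first two published Michael test vectors. The helper tkip_mic_input, which builds the DA||SA||priority||0^3||MSDU prefix TKIP authenticates, is a hypothetical name chosen here.

```python
import struct
from hmac import compare_digest

MASK32 = 0xFFFFFFFF

def rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def ror32(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32

def xswap(x):
    # swap the two bytes inside each 16-bit half
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def michael_block(l, r):
    """One Michael round (the 'b' function): only 32-bit adds, XORs and rotations,
    which is why it runs on WEP-era hardware and why it is not a strong MAC."""
    r ^= rol32(l, 17); l = (l + r) & MASK32
    r ^= xswap(l);     l = (l + r) & MASK32
    r ^= rol32(l, 3);  l = (l + r) & MASK32
    r ^= ror32(l, 2);  l = (l + r) & MASK32
    return l, r

def michael(key: bytes, msg: bytes) -> bytes:
    """64-bit Michael MIC of msg under a 64-bit key; key and output are little-endian."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    # padding: one 0x5a byte, then 4 to 7 zero bytes so the length is a multiple of 4
    padded = msg + b"\x5a" + b"\x00" * (4 + (3 - len(msg) % 4))
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)

def tkip_mic_input(da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """Data TKIP feeds to Michael: destination and source MAC, priority, 3 zero bytes, MSDU."""
    return da + sa + bytes([priority]) + b"\x00" * 3 + msdu

def michael_verify(key: bytes, msg: bytes, mic: bytes) -> bool:
    """Receiver-side check; a failure is what triggers the Michael countermeasures."""
    return compare_digest(michael(key, msg), mic)
```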

Slide 10: On the way to stronger ciphering and data protection (cont.)
CCMP – part of the IEEE 802.11i specification
- A completely new, different approach to data protection in WLANs
- Though it can be run in SW, new HW is recommended for performance reasons
- Encryption: CCM (RFC 3610) with the AES block cipher (128-bit block length / 128-bit encryption key)
- Data integrity: CBC-MAC (8-byte length)
- 48-bit PN field: anti-replay protection

Slide 11: Key management
Cryptographic key hierarchy, use and generation
- Prerequisite: use of a specific EAP method that ends with the derivation of the so-called AAA key
- The AAA key can be used:
  - directly as a WEP key (WEP/802.1x);
  - as an input for the generation of keys with different purposes in a complex key hierarchy: proprietary Cisco CCKM / IEEE 802.11i standard

Slide 12: Key management (cont.)
Differences between CCKM and IEEE 802.11i:
- Though similar, the systems are not compatible
- Different keys are used for unicast encryption and multicast/broadcast encryption, plus additional keys used for encryption key derivation/exchange
- 4-way handshake (exchange of EAPOL-Key messages) used to derive the unicast traffic encryption key
- 2-way handshake used to derive the multicast/broadcast traffic encryption key
- Additional keys derived in CCKM allow for Fast Secure Roaming of the wireless client
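As an added example not taken from the slides, a Python simulation of the IEEE 802.11i pairwise key hierarchy and 4-way handshake listed above: PRF-384 derives KCK, KEK and TK from the PMK (the AAA key of slide 11), the two MAC addresses and the two nonces, and the EAPOL-Key MICs show why a station that does not hold the PMK cannot complete the exchange. The PMK, addresses, nonces and the reduced message framing are constructed for the example; GTK delivery in message 3 is omitted.

```python
import hmac
import hashlib
import os

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    Returns (KCK, KEK, TK), 16 bytes each: the CCMP pairwise key hierarchy."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC for key descriptor version 2: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def four_way_handshake(ap_pmk: bytes, sta_pmk: bytes, aa: bytes, spa: bytes, rng=os.urandom):
    """Simulated messages 1-4 between AP (authenticator) and STA (supplicant).
    Returns (success, ap_tk, sta_tk); the TKs agree only when both sides hold the same PMK.
    Framing is reduced to a message number plus payload (constructed, not the real EAPOL layout)."""
    # Message 1, AP -> STA: ANonce in the clear; no MIC is possible yet because no PTK exists.
    anonce = rng(32)
    # STA: choose SNonce, derive its PTK, send message 2 = SNonce with a MIC under its KCK.
    snonce = rng(32)
    sta_kck, _, sta_tk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    msg2 = b"\x02" + snonce
    msg2_mic = eapol_mic(sta_kck, msg2)
    # AP: derive its PTK from the received SNonce; a matching MIC proves the STA holds the PMK.
    ap_kck, _, ap_tk = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(ap_kck, msg2), msg2_mic):
        return False, None, None
    # Message 3, AP -> STA: ANonce again plus an install flag; the AP's MIC proves it holds the PMK too.
    msg3 = b"\x03" + anonce + b"\x01"
    msg3_mic = eapol_mic(ap_kck, msg3)
    if not hmac.compare_digest(eapol_mic(sta_kck, msg3), msg3_mic):
        return False, None, None
    # Message 4, STA -> AP: MIC'd acknowledgement; after it both sides install TK for CCMP/TKIP.
    msg4 = b"\x04"
    if not hmac.compare_digest(eapol_mic(ap_kck, msg4), eapol_mic(sta_kck, msg4)):
        return False, None, None
    return True, ap_tk, sta_tk
```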

Slide 13: Alternative ways for securing communication in WLANs
- Use of IPSec VPN technology without deploying any wireless security
- Makes sense in 802.11 LANs without TKIP/IEEE 802.11i security
- The main difference: IPSec VPN deploys the strong cryptographic mechanisms on L3, whereas IEEE 802.11i deploys comparable mechanisms on L2
- Due to the lack of wireless security, additional issues need to be considered:
  - need to protect all hosts by a personal FW, antivirus programs and host IDS systems;
  - need to protect the network infrastructure (APs, DHCP servers etc.);
  - network design issues.
- IPSec VPN may be used as an additional security feature in TKIP-based networks (although no known attack against TKIP has been reported except TKIP-PSK)

Slide 14: Identification of persisting weak points in wireless networks
Still susceptible to various DoS attacks against:
- the transport medium (radio jamming);
- the 802.11 MAC layer (unprotected 802.11 management and control frames, frame collisions etc.);
- the starting phases of EAP authentication;
- the Michael countermeasure.
DoS attacks do not compromise data integrity or confidentiality in WLANs.

Slide 15: Questions?
Thank you for your attention!


