Wireless LANs and Privacy. Ido Dubrawsky Network Security Engineer Cisco Secure Consulting Services Cisco Systems, Inc. And

Transcription

1 Wireless LANs and Privacy Ido Dubrawsky Network Security Engineer Cisco Secure Consulting Services Cisco Systems, Inc. And Lance Hayden Business Development Manager Cisco Secure Consulting Services Cisco Systems, Inc. Abstract Wireless networks are a relatively new technology in the LAN market. Defined in the IEEE b standard, wireless LANs present a challenge to enterprise networks because of the poorly designed security set forth in the b standard. In the past year and a half several groups have identified significant weaknesses in the b security model. From replay attack susceptibility to outright access the Wired Equivalent Privacy (WEP) defined in b creates significant problems for wireless LANs. With the weak encryption and security defined in the IEEE standard, wireless LANs, when improperly deployed or administered, can provide a significant risk to those economic sectors which are particularly sensitive to privacy information leaking out of the network. These sectors include health-care, government, and banking in particular. Another area of concern stems from the fact that wireless networks are not governed by the same physical constraints as wired networks and the status of private information leaked into a public area has yet to be determined. Background Wireless LANs are defined by the 1997 IEEE b standard. This standard provides for an 11Mbps network in the unregulated 2.4GHz frequency ISM band (Industrial, Scientific, and Medical) band. Wireless networks provide customers the ability to network users without the network cabling. This allows users to roam about a building while remaining constantly connected to the network a significant convenience. Service providers have begun implementation of wireless networks in public places such as airports, hotel chains, and even the ubiquitous Starbucks coffee house. Similar to their wired counterparts, wireless networks use a collision avoidance technique to prevent two wireless devices to transmit at the same time. In order to provide a measure of security and privacy in wireless networks the IEEE b specification provides for an encryption scheme to prevent casual eavesdropping. This specification is termed the Wired Equivalent Privacy (WEP) and utilizes the RC4 encryption algorithm.

2 Growing Privacy Concerns The concept of privacy is an issue that is growing in the network and security fields, and represents an evolution of traditional data protection into a more contextual framework. Personal Information (PI) regarding individuals and groups predates electronic information systems, but with the advent of networking technologies, PI has come to be more widespread and more accessible for a variety of purposes. The Personal Information Record (PIR) represents the sum total of PI available for any particular individual or group, whether that information exists on an individual server, a corporate database, or locally within a personal computer, personal digital assistant, or cell phone. Protecting PI and individual PIR information from abuse and exploitation has become the focus of government and industry action. Several pieces of legislation, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the European Union Privacy Directive have sought to put controls around the collection, transmission, and dissemination of defined PI and PIR elements. In addition to formal legislation and regulation, industry best practices to prevent identity theft and unauthorized disclosure of PI have been developed and explored as a way to boost consumer confidence and create market differentiators in e-commerce transactions. The nature of wireless networking holds the potential of opening traditional closed network infrastructures for purposes of convenience and availability. However, in opening such network access, maintaining the privacy of information stored and transmitted over these networks represents a strong challenge to vendors, implementers, and governmental oversight agencies. Privacy today represents a fundamental due diligence issue for organizations. Existing legislation, regulation, and industry best practices do not recommend specific technologies at a granular level, nor are any particular technologies identified as being unsuitable for the protection of PI or PIR data within a networked infrastructure. However, it becomes incumbent upon the organization to identify, implement, and document their reasonable efforts to secure and protect all information entrusted to their care, including PI. WEP Overview A plaintext message is input into the WEP process and has a CRC-32 Integrity Check Value (ICV) over the message. This value is then concatenated to the end of the plaintext message. A 40-bit secret key, distributed through an out-of-band method, along with a 24-bit Initialization Vector (IV) is used as input to the Key Scheduling Algorithm of the RC4 algorithm. The output from the KSA is then input in to the Pseudo Random Number Generator (PRNG) of RC4 and a keystream is then output. This keystream is XOR ed with the plaintext message/icv combination to derive the ciphertext message. This message is then prepended with the IV used to derive the keystream and encapsulated within a data frame and transmitted. By prepending the IV to the ciphertext

3 message WEP is self-synchronizing. The recipient station (whether it is a wireless client or an access point) takes the IV from the data frame, appends the shared secret key to the IV and uses it as input into the RC4 Key Scheduling Algorithm (KSA). The output of the KSA is then input into the PRNG to recreate the keystream used to encrypt the message. This keystream is then XOR ed with the ciphertext message to recover the plaintext message/icv combination. At this point a new CRC-32 ICV is calculated over the plaintext message alone and compared to the ICV sent. If the two match then the data has been successfully decrypted and the packet is forwarded on to the final terminus. Figure 1-3 show the WEP encryption process, decryption process, and packet format respectively. Initialization Vector (IV) Secret Key Seed PRNG Key Sequence IV Ciphertext Plaintext Integrity Algorithm (CRC-32) Plaintext/ICV Figure 1 WEP Encryption Process (source: 1997 IEEE b standard) Plaintext/ICV Initialization Vector (IV) Seed PRNG Key Sequence Plaintext Secret Key IV Ciphertext ICV Integrity Algorithm (CRC-32) Plaintext Figure 2 WEP Decryption Process

4 Figure 3 WEP Data Format WEP Shortcomings In 2000 and 2001 several research groups began publishing work detailing significant problems with the WEP specification as defined in the b standard. Among one of the first things noted by various groups was that the original specification of a 64-bit encryption key (40-bits for the shared secret, 24-bits for the IV) was insufficient. The standard was amended in 2000 to allow the use of 128-bit keys (104-bits reserved for the shared secret, 24-bits for the IV). One of the first researchers to publish his work was Jesse Walker of Intel. In his October 2000 paper submitted to the IEEE he noted that WEP was flawed regardless of the key size used. He pointed out that even with the larger keys proposed in the amendment to b an attacker would still be able to gain access to a network by extracting out the keystream used to encrypt traffic and use that keystream to encrypt his own traffic which would be accepted by the network.[walk00] In January of 2001 the Internet Security, Applications, Authentication, and Cryptography (ISAAC) group of the Computer Science department at the University of California at Berkeley released their findings detailing several problems with WEP s design as well as possible attacks that could be used against a wireless network. They noted that an attacker could also gain significant information about the wireless network through various attacks including one in which the attacker builds a dictionary of IV-RC4 keystream combinations and then uses IV-keystream combinations to decrypt data in real-time. However, perhaps the greatest problems with WEP originated with the work of Scott Fluhrer of Cisco Systems, Inc., Adi Shamir and Itsik Mantin of the Weizmann Institute in Israel. Their work uncovered two problems with the RC4 encryption algorithm: the first problem with RC4 was the discovery of large classes of weak keys in where a small part of the secret key determines a large number of bits in the Key Scheduling Algorithm output. The Key Scheduling Algorithm (KSA) of RC4 is responsible for taking as input the IV-secret key combination and outputting a seed to be used by the Pseudo Random Number Generator (PRNG) for generating the keystream to be used. The second

5 Ω Sun E N TE R PR IS E S D Su n weakness discovered is related to the first and also involves the KSA. Here Fluhrer, Mantin, and Shamir discovered that when the same secret key is used with numerous different exposed values, an attacker can re-derive the secret part by analyzing the initial word of the keystreams.[fms01] They noted that the concatenation of a secret key with an exposed part as input to the KSA is a common mode of operation of RC4 and is precisely how WEP uses RC4. Using this work another group consisting of John Ioannidis and Avi Rubin of AT&T Research Labs and Adam Stubblefield of Rice University developed a tool to implement just such an attack. At the time of the publication of their work they noted that the same type tool had been independently produced and released as AirSnort. Given these problems vendors began to look for some way to some way to fix WEP in the short term until the IEEE Task Group i (TGi) could provide a long-term, permanent solution. Many vendors settled on incorporating the Extensible Authentication Protocol (EAP) from the IEEE 802.lx standard. Using EAP, vendors could eliminate static secret keys and require that user authentication and not knowledge of a static key would drive access to the wireless LAN. Cisco Systems, Inc. incorporated EAP into their solution, but with a slight twist and called it LEAP (Lightweight Extensible Authentication Protocol). Using EAP/LEAP, a wireless user must first authenticate to a RADIUS server over an uncontrolled connection. This connection only allows authentication to occur, all other traffic is blocked. Once the user is authenticated the user is provided a dynamic WEP key and communication with the network then continues over a controlled connection. EAP/LEAP authentication is shown in Figure 4. Access Point supplicant EAPoL Start EAPoL EAP-Request/Identity Ethernet Access Blocked RADIUS-Access-Request RADIUS server RADIUS EAP-Response/Identity RADIUS-Access-Challenge EAP-Request EAP-Response (credentials) RADIUS-Access-Request EAP-Success RADIUS-Access-Accept Access Allowed Figure 4: EAP over LAN (EAPoL) Authentication Process

6 While the technical challenges of WEP are one problem with Wireless LANs other problems stem from the deployment of the wireless access points. As mentioned earlier, WLANs do not obey many of the same physical restrictions as their wired counterparts. Wireless networks can easily go well beyond the physical parameters of the buildings they are located in and because of that they provide many different enterprise customers with significant challenges. Because wireless traffic is predominantly limited by line-ofsight issues attackers need not be physically within the building much less near the target network in order to monitor traffic in the network. This poses significant problems to industries such as health-care and banking are looking for ways to deploy lower cost networks like wireless networks in their facilities. Privacy Threats Vulnerabilities and attacks such as those outlined above can represent a fundamental threat of disclosure for protected PI within a network. A privacy breach is defined as a disclosure of defined PI in violation of established restrictions on such disclosure. These restrictions may include governmental restrictions based upon legislation and regulation, self-imposed restrictions based upon an organization s established privacy and security policies, and de facto restrictions resulting from market perception of privacy and reasonable expectations of due diligence on the part of an organization entrusted with PI. To cite a specific example, proposed security regulations developed by the US Department of Health and Human Services under HIPAA require that any PI defined by HIPAA be encrypted for transmission across public or private networks. In the case of a health care organization implementing a wireless network infrastructure, care must be given to ensure that any personally identifiable health information accessible over the wireless network be protected with appropriate cryptographic controls. Similarly, the proposed regulations stipulate that authentication, access control, and logging mechanisms be in place around healthcare PI as well. The threat of interception or eavesdropping on a wireless implementation, or the use of a wireless network to compromise and gain access to other physical networks within an organization add a new dimension to securing these infrastructures. The repercussions of a privacy breach can quickly outpace repercussions for a security incident, and in fact a security incident in which PI is compromised can escalate into a privacy breach should that information be disclosed in violation of established restrictions. Regulatory penalties, as well as the very real threat of litigation on behalf of victims of privacy disclosures, can add a highly undesirable force multiplier effect should a system be compromised. Privacy Recommendations for Wireless Deployments Building privacy into a wireless deployment does not significantly differ from incorporating privacy into traditional network environments. Organizations with privacy

7 restrictions in place (governmental, self-imposed, or de facto) should review their privacy posture in relation to these restrictions and their business and risk models. Every networking technology carries with it security risks, and the contextual extension of these risks can develop into privacy vulnerabilities. However, a robust underlying security architecture is necessary for the real-world implementation of higher level privacy infrastructures. Wireless deployments should be incorporated into these security architectures and subject to the same controls and protections. Where specific regulations are involved, such as HIPAA, the organization should take care to ensure that all necessary or required controls exist to protect access to and dissemination of PI over the wireless network. In order to meet the necessary privacy requirements set out by governmental regulations or industry standards enterprises wishing to implement wireless technologies should ensure end-to-end encryption of traffic. Given the fact that the IEEE b implementation of privacy through WEP is insufficient the question remains as to how to address this deficiency. VPN solutions come to the forefront of potential solutions fairly quickly. By utilizing a VPN in all end-to-end communications between stations on the wireless network enterprises can, in fact, deploy wireless networks within their organizations. The implementation should meet the following three requirements: No communication between stations on a wireless network that does not traverse the VPN tunnel All devices on the wireless network should be hardened to prevent an attacker from breaking in to the device Strong authentication for all wireless clients using one-time passwords, token cards, or a public-key infrastructure By encrypting traffic within IPSec VPN tunnels, an attacker can compromise the WEP encryption and still not gain any benefit or cause any compromise of PI or any PIRs. Similarly, if the wireless clients are hardened against an attack the likelihood of a successful compromise of a host and subsequent compromise of any PI decreases. Wireless technologies can face inherent technical vulnerabilities when improperly deployed or administered. However, these technologies do not represent a specific threat to privacy any more than other technologies, and have not as yet been specifically addressed in existing legislation and regulation. Privacy represents a higher level, information flow discipline that extends to roles, definitions, collection, and disclosure of specifically defined, often industry specific, personal information. Wireless networks will simply serve as another avenue of access to this information. Understanding information flow across these infrastructures, combined with established restrictions on PI access, transmission, and dissemination, should drive any potential deployments of these new technologies.

8 [FLUH01] Scott Fluhrer, Itsik Mantin, and Adi Shamir, Weaknesses in the Key Scheduling Algorithm of RC4, Eighth Annual Workshop on Selected Areas in Cryptography, August [WALK00] Jesse Walker, Unsafe at any key size; An analysis of the WEP encapsulation, IEEE Document: /362, October 2000.