Wireless LAN Security

Transcription

1 Wireless LAN Security Jie Gao April 24, Security of Wireless Networks Wireless networks are very common, both for organizations and individuals. Many laptop computers have wireless cards pre-installed for the buyer. The ability to enter a network while mobile has great benefits. However, wireless networking has many security issues. Crackers have found wireless networks relatively easy to break into, and even use wireless technology to crack into non-wireless networks. The risks to users of wireless technology have increased exponentially as the service has become more popular. There were relatively few dangers when wireless technology was first introduced. Crackers had not yet had time to latch on to the new technology and wireless was not commonly found in the work place. Currently, however, there are a great number of security risks associated with wireless technology. Security threats are growing in the wireless arena. Crackers have learned that there is much vulnerability in the current wireless protocols, encryption methods, and in the carelessness and ignorance that exists at the user and corporate IT level. Cracking methods have become much more sophisticated and innovative with wireless. Cracking has become much easier and more accessible with easy-to-use Windows-based and Linux-based tools being made available on the web at no charge. Wireless being used to crack into non-wireless networks. Some organizations that have no wireless access points installed do not feel that they need to address wireless security concerns. This is a common deceptive inference. In-Stat MDR and META Group have estimated that 95% of all corporate laptop computers that were planned to be purchased in 2005 were equipped with wireless. Issues can arise in a supposedly non-wireless organization when a wireless laptop is plugged into the corporate network. A cracker could sit out in the parking lot and break in through the wireless card on a laptop and gain access to the wired network. If no security measures are implemented at these access points, it is no different from providing a patch cable out the back door for crackers to plug into whenever they wish. 1.1 Types of unauthorized access Accidental Association. Unauthorized access to company wireless and wired networks can come from a number of different methods and intents. One of these methods is referred to as accidental association. This is when a user turns on their computer and it latches on to a wireless access point from a neighboring companys overlapping network. The user may not even know that this has occurred. However, this is a security breach in that proprietary company information is exposed and now there could exist a link from one company to the other. This is especially true if the laptop is also hooked to a wired network. Department of Computer Science, Stony Brook University, Stony Brook, NY 11794, USA, jgao@cs.sunysb.edu. 1

2 Malicious Association. Malicious associations are when wireless devices can be actively made by crackers to connect to a company network through their cracking laptop instead of a company access point (AP). These types of laptops are known as soft APs and are created when a cracker runs some software that makes his/her wireless network card look like a legitimate access point. Once the cracker has gained access, he/she can steal passwords, launch attacks on the wired network, or plant trojans. Since wireless networks operate in the Layer-2 world, Layer-3 protections such as network authentication and virtual private networks (VPNs) offer no protection. Wireless 802.1x authentications do help with protection but are still vulnerable to cracking. The idea behind this type of attack may not be to break into a VPN or other security measures. Most likely the cracker is just trying to take over the client at the Layer-2 level. Ad-Hoc Networks. Ad-hoc networks can pose a security threat. Ad-hoc networks are defined as peer to peer networks between wireless computers that do not have an access point in between them. While these types of networks usually have little security, encryption methods can be used to provide security. Non-Traditional Networks. Non-traditional networks such as personal network Bluetooth devices are not safe from cracking and should be regarded as a security risk. Even bar code scanners, handheld PDAs, and wireless printers and copiers should be secured. These non-traditional networks can be easily overlooked by IT personnel that have narrowly focused on laptops and APs. Identity Theft (MAC Spoofing). Identity theft (or MAC spoofing) occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Most wireless systems allow some kind of MAC filtering to only allow authorized computers with specific MAC IDs to gain access and utilize the network. However, a number of programs exist that have network sniffing capabilities. Combine these programs with other software that allow a computer to pretend it has any MAC address that the cracker desires, and the cracker can easily get around that hurdle. Man-In-The-Middle Attacks. A man-in-the-middle attack is one of the more sophisticated attacks that have been cleverly thought up by crackers. This attack revolves around the attacker enticing computers to log into his/her computer which is set up as a soft AP (Access Point). Once this is done, the cracker connects to a real access point through another wireless card offering a steady flow of traffic through the transparent cracking computer to the real network. The cracker can then sniff the traffic for user names, passwords, credit card numbers...etc. One type of man-in-the-middle attack relies on security faults in challenge and handshake protocols. It is called a de-authentication attack. This attack forces AP-connected computers to drop their connections and reconnect with the crackers soft AP. Man-in-the-middle attacks are getting easier to pull off due to software such as LANjack and AirJack automating multiple steps of the process. What was once done by cutting edge crackers can now be done by script kiddies, less knowledgeable and skilled crackers sitting around public and private hotspots. Hotspots are particularly vulnerable to any attack since there is little to no security on these networks. Denial of Service. A Denial-of-Service attack (DoS) occurs when an attacker continually bombards a targeted AP (Access Point) or network with bogus requests, premature successful connection messages, failure messages, and/or other commands. These cause legitimate users to not be able to 2

3 get on the network and may even cause the network to crash. These attacks rely on the abuse of protocols such as the Extensible Authentication Protocol (EAP). Network Injection. The final attack to be covered is the network injection attack. A cracker can make use of access points that are exposed to non-filtered network traffic. Specifically broadcast network traffic such as Spanning Tree (802.1D), OSPF, RIP, HSRP, etc. The cracker injects bogus networking re-configuration commands that affect routers, switches, and intelligent hubs. A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices. In the rest of the note we will focus on two security protocols, the Wired Equivalent Privacy (WEP), which is known to be broken, and the improved version, Wi-Fi Protected Access (WPA). 2 Wired Equivalent Privacy (WEP) Wired Equivalent Privacy (WEP) is a scheme that is part of the IEEE wireless networking standard to secure IEEE wireless networks (also known as Wi-Fi networks). Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping. WEP was intended to provide comparable confidentiality to a traditional wired network (in particular it does not protect users of the network from each other), hence the name. Several serious weaknesses were identified by cryptanalysts any WEP key can be cracked with readily available software in one minute or less and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE i standard (also known as WPA2) in Despite the weaknesses, WEP provides a level of security that can deter casual snooping. WEP uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity. WEP uses a 40 bit key, which is concatenated to a 24-bit initialization vector (IV) to form the RC4 traffic key. A 128-bit WEP key and a 256-bit WEP system are available from some vendors. As with the above-mentioned system, 24 bits of that is for the I.V., leaving the rest bits for protection. A 256-bit WEP is typically entered as 58 Hexadecimal characters. (58 4 = 232 bits) + 24 I.V. bits = 256 bits of WEP protection. Key size is not the only major security limitation in WEP. Cracking a longer key requires interception of more packets, but there are active attacks that stimulate the necessary traffic. There are other weaknesses in WEP, including the possibility of IV collisions and altered packets, that are not helped at all by a longer key. 2.1 Vulnerabilities of WEP Stream ciphers, where plain text bits are combined with a cipher bit stream by an exclusive-or operation (xor), can be very secure if used properly. However they are vulnerable to attack if certain precautions are not followed: keys must never be used twice; valid encryption should never be relied on to indicate authenticity. Reused key attack. Stream ciphers are vulnerable to attack if the same key is used twice (depth of two) or more. Say we send messages A and B of the same length, both encrypted using same key, K. The stream cipher produces a string of bits C(K) the same length as the messages. The encrypted versions of the messages then are: E(A) = A C, 3

4 E(B) = B C, where XOR is performed bit by bit. Say an adversary has intercepted E(A) and E(B). He can easily compute: E(A) E(B). However xor is commutative and has the property that X X = 0 (self-inverse) so: E(A) E(B) = (A C) (B C) = A B C C = A B. In other words, if anyone intercepts two messages encrypted with the same key, they can recover A B, which is a form of running key cipher. Even if neither message is known, as long as both messages are in a natural language, such a cipher can often be broken by paper-and-pencil methods. John Tiltman accomplished this with the Lorenz cipher (TUNNY) in World War II. With an average personal computer, such ciphers can usually be broken in a matter of minutes. If one message is known, the solution is trivial. Another situation where recovery is trivial is if traffic-flow security measures have each stations sending a continuous stream of cipher bits, with null characters (e.g. LTRS in Baudot) being sent when there is no real traffic. This is common in military communications. In that case, and if the transmission channel is not fully loaded, there is a good likelihood that one of the cipher text streams will be just nulls. The NSA goes to great lengths to prevent keys being used twice. 1960sera encryption systems often included a punch card reader for loading keys. The mechanism would automatically cut the card in half when the card was removed, preventing its reuse. One way to avoid this problem is to use an initialization vector (IV), sent in the clear, that is combined with a secret master key to create a one-time key for the stream cipher. This is done in several common systems that use the popular stream cipher RC4, including Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Ciphersaber. One of the many problems with WEP was that its IV was too short, 24 bits. This meant that there was a high likelihood that the same IV would be used twice if more than a few thousand packets were sent with the same master key (birthday paradox), subjecting the packets with duplicated IV to the key reuse attack. This problem was fixed in WPA by changing the master key frequently. Substitution attack. Suppose an adversary knows the exact content of all or part of one of our messages. As a part of a man in the middle attack, he can alter the content of the message without knowing the key, K. Say, for example, he knows a portion of the message contains the ASCII string $ He can change that to $ by xor ing that portion of the cipher text with the string: $ xor $ To see how this works, consider that the cipher text we send is just C(K) $ What he is creating is: C(K) $ $ $ = C(K) $ , which is what our cipher text would have been if $9500 were the correct amount. See also: malleability (cryptography). Substitution attacks are prevented by including message authentication code to increase the likelihood that tampering will be detected. 3 Wi-Fi Protected Access (WPA) Wi-Fi Protected Access (WPA and WPA2) is a class of systems to secure wireless (Wi-Fi) computer networks. It was created in response to several serious weaknesses researchers had found in the 4

5 previous system, Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE i standard, and was intended as an intermediate measure to take the place of WEP while i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first generation wireless access points. WPA2 implements the full standard, but will not work with some older network cards. Both provide good security, with two significant issues: Data is encrypted using the RC4 stream cipher, with a 128-bit key and a 48-bit initialization vector (IV). One major improvement in WPA over WEP is the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined with the much larger IV, this defeats the well-known key recovery attacks on WEP. 3.1 Temporal key integrity protocol (TKIP) Temporal Key Integrity Protocol (TKIP), as defined by the IEEE i specification, addresses the encryption part of the wireless security equation. (A different part of i addresses the per-message integrity problem) TKIP was designed with a very difficult constraint in place: it had to operate on existing hardware, and therefore it could not require computationally advanced encryption. TKIP is a wrapper that goes around the existing WEP encryption. TKIP comprises the same encryption engine and RC4 algorithm defined for WEP. However, the key used for encryption in TKIP is 128 bits long. This solves the first problem of WEP: a too-short key length. An important part of TKIP is that it changes the key used for each packet. This is the Temporal part of the picture. The key is created by mixing together a combination of things, including a base key (called a Pairwise Transient Key in TKIP parlance), the MAC address of the transmitting station, and the serial number for the packet. The mixing operation is designed to put a minimum demand on the stations and access points, yet have enough cryptographic strength so that it cannot easily be broken. Each packet transmitted using TKIP has a unique 48-bit serial number that is incremented every time a new packet is transmitted and used both as the Initialization Vector and part of the key. Putting a sequence number into the key ensures that the key is different for every packet. This solves another problem of WEP, called collision attacks, which can occur when the same key is used for two different packets. With different keys, there are no collisions. Having the serial number of the packet also be the initialization vector helps to reduce yet another WEP problem, called replay attacks. Because a 48-bit sequence number will take thousands of years to repeat itself, no one can replay old packets from a wireless connection they will be detected as out of order because the sequence numbers won t be right. The last, and most important, piece that is mixed into the TKIP key is the base key. Without a way to generate unique base keys, TKIP would solve many of WEP s problems, but not its worst one: the constant reuse of a well-known key by everyone on the wireless LAN. To deal with this, TKIP generates the base key that is mixed into the per-packet key. Each time a wireless station associates to an access point, a new base key is created. This base key is built by hashing together a special session secret with some random numbers (called nonces) generated by the access point and the station as well as the MAC address of the access point and the station. With 802.1X authentication, the session secret is unique and transmitted securely to the station by the authentication server; when using TKIP with pre-shared keys, the session secret is the same for everyone and never changes hence the vulnerability of using TKIP with pre-shared keys. 5