Lecture 9: Wireless Security WEP/WPA. Course Admin

Transcription

1 Lecture 9: Wireless Security WEP/WPA CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena Adopted from previous lecture by Keith Ross, Amine Khalife and Tony Barnard Course Admin Mid-Term Exam Graded Solution provided To be distributed today HW2 Graded Solution provided To be distributed today 11/6/2013 Lecture 9 - Wireless Security 2 1

2 HW3 Course Admin Covers SSL/TLS (lecture 7) Due 11am on Nov 11 (Monday) Lab exercise involves capturing SSL/TLS packets using Wireshark Labs active this Friday 11/6/2013 Lecture 9 - Wireless Security 3 Travel Next Week I m traveling, presenting at a conference next week Bad news: Have to miss the lecture Good news: TA (Cooper) will present on my behalf Some interesting stuff on wireless security Important Your attendance is strongly encouraged 11/6/2013 Lecture 9 - Wireless Security 4 2

3 Outline WiFi Overview WiFi Security Threats WEP Wired Equivalence Privacy Including vulnerabilities WPA WiFi Protected Access 11/6/2013 Lecture 9 - Wireless Security 5 Security at different layers Application layer: PGP Transport layer: SSL Network layer: IPsec Link layer: WEP / i (WPA) WiFi Security Approach: HTTP/SMTP/IM TCP/UDP/ICMP IPsec WEP/WPA 6 3

4 Standards a 54 GHz Not interoperable with b Limited distance Cisco products: Aironet b 11 GHz Full speed up to 300 feet Coverage up to 1750 feet Cisco products: Aironet 340, 350, 1100, g 54 GHz Same range as b Backward-compatible with b Cisco products: Aironet 1100, Standards (Cont.) e QoS Dubbed Wireless MultiMedia (WMM) by Wi-Fi Alliance i Security Adds AES encryption Requires high cpu, new chips required TKIP is interim solution n (2009) up to 300Mbps 5Ghz and/or 2.4Ghz ~230ft range 8 4

5 Wireless Network Modes The wireless networks operate in two basic modes: 1. Infrastructure mode 2. Ad-hoc mode Infrastructure mode: each wireless client connects directly to a central device called Access Point (AP) no direct connection between wireless clients AP acts as a wireless hub that performs the connections and handles them between wireless clients 9 Wireless Network Modes (cont d) The hub handles: the clients authentication, Authorization link-level data security (access control and enabling data traffic encryption) Ad-hoc mode: Each wireless client connects directly with each other No central device managing the connections Rapid deployment of a temporal network where no infrastructures exist (advantage in case of disaster ) Each node must maintain its proper authentication list 10 5

6 LAN architecture BSS 1 AP Internet hub, switch or router AP wireless host communicates with base station base station = access point (AP) Basic Service Set (BSS) (aka cell ) in infrastructure mode contains: wireless hosts access point (AP): base station ad hoc mode: hosts only BSS 2 11 SSID Service Set Identification Identifies a particular wireless network A client must set the same SSID as the one in that particular AP Point to join the network Without SSID, the client won t be able to select and join a wireless network Hiding SSID is not a security measure because the wireless network in this case is not invisible It can be defeated by intruders by sniffing it from any probe signal containing it. 12 6

7 Beacon frames & association AP regularly sends beacon frame Includes SSID, beacon interval (often 0.1 sec) host: must associate with an AP scans channels, listening for beacon frames selects AP to associate with; initiates association protocol may perform authentication After association, host will typically run DHCP to get IP address in AP s subnet frame: addressing frame control duration address 1 address 2 address 3 seq control address 4 payload CRC Address 1: MAC address of wireless host or AP to receive this frame Address 2: MAC address of wireless host or AP transmitting this frame Address 3: MAC address of router interface to which AP is attached Address 4: used only in ad hoc mode 14 7

8 frame: addressing H1 R1 router Internet AP H1 MAC addr R1 MAC addr dest. address source address frame H1 MAC addr AP MAC addr R1 MAC addr address 1 address 2 address frame frame: addressing H1 R1 router Internet AP R1 MAC addr H1 MAC addr dest. address source address frame AP MAC addr H1 MAC addr R1 MAC addr address 1 address 2 address frame 16 8

9 frame (more) frame: frame control duration address 1 address 2 address 3 seq control address 4 payload CRC Protocol To From More Power More Type Subtype Retry WEP Rsvd version AP AP frag mgt data frame control field expanded: Type/subtype distinguishes beacon, association, ACK, RTS, CTS, etc frames. To/From AP defines meaning of address fields allows for fragmentation at the link layer allows stations to enter sleep mode Seq number identifies retransmitted frames (eg, when ACK lost) WEP = 1 if encryption is used 17 Primary Threats Unauthorized access Learn SSID and join the network Sniffing/Eavesdropping Easy since wireless traffic is broadcast in nature Session Hijacking Similar to wired session hijacking Evil Twin Attack Attacker fools the user into connecting to its own AP (rather than the starbucks AP, e.g.) 18 9

10 Unauthorized Access So easy to find the ID for a hidden network because the beacon broadcasting cannot be turned off Simply use a utility to show all the current networks: inssider NetStumbler Kismet Lec 19 tur Unauthorized Access Defense: Access control list Access control list Simplest security measure Filtering out unknown users Requires a list of authorized clients MAC addresses to be loaded in the AP Won t protect each wireless client nor the traffic confidentiality and integrity ===>vulnerable Defeated by MAC spoofing: ifconfig eth0 hw ether 00:01:02:03:04:05 (Linux) SMAC - KLC Consulting (Windows) MAC Makeup - H&C Works (Windows) 20 10

11 Sniffing Requires wireless card that supports raw monitoring mode (rfmon) Grabs all frames including management frames Tools: Dump packets using Wireshark; 21 Firewalled Networks with Wi-Fi (1) Firewall blocks traceroutes, Traffic sent by wireless hosts/aps not blocked by firewall Leaking of internal information Trudy can traceroute and port scan through AP Establish connections Attempt to overtake 22 11

12 Firewalled Networks with Wi-Fi (2) Move AP outside of firewall? Trudy can no longer tracetroute internal network via AP But Trudy still gets everything sent/received by wireless hosts 23 Firewalled Networks with Wi-Fi (3) Crypto at link layer between wireless hosts and AP Trudy doesn t hear anything Trudy can not port scan Wireless hosts can access internal services 24 12

13 Sniffing Encrypted traffic Suppose: Traffic encrypted with symmetric crypto Attacker can sniff but can t break crypto What s the damage? SSID, Mac addresses Manufacturers of cards from MAC addrs Count # of devices Traffic analysis: Size of packets Timing of messages Determine apps being used But cannot see anything really useful Attacker needs the keys, or break crypto Very hard 25 WEP - Wired Equivalent Privacy The original native security mechanism for WLAN provide security through a network Used to protect wireless communication from eavesdropping (confidentiality) Prevent unauthorized access to a wireless network (access control) Prevent tampering with transmitted messages Provide users with the equivalent level of privacy inbuilt in wireless networks. 13

14 WEP Feature Goals: Authentication AP only allows authorized stations to associate Data integrity Data received is the data sent Confidentiality Symmetric encryption 27 WEP Design Goals Symmetric key crypto Confidentiality Station authorization Data integrity Self synchronizing: each packet separately encrypted Given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost Unlike Cipher Block Chaining (CBC) in block ciphers Efficient Can be implemented in hardware or software 28 14

15 WEP Keys 40 bits or 104 bits Key distribution not covered in standard Configure manually: At home Small organization with tens of users Nightmare in company >100 users 29 WEP Procedures 1. Appends a 32-bit CRC checksum to each outgoing frame (INTEGRITY) 2. Encrypts the frame using RC4 stream cipher = 40-bit (standard) or 104-bit (Enhanced) message keys + a 24-bit IV random initialization vector (CONFIDENTIALITY). 3. The Initialization Vector (IV) and default key on the station access point are used to create a key stream 4. The key stream is then used to convert the plain text message into the WEP encrypted frame. 15

16 Encrypted WEP frame encrypted IV Key ID data ICV MAC payload RC4 keystream XORed with plaintext 32 16

17 WEP Components Initialization Vector IV Dynamic 24-bit value Chosen randomly by the transmitter wireless network interface 16.7 million possible IVs (2 24 ) Shared Secret Key 40 bits long (5 ASCII characters) 104 bits long (13 ASCII characters) 33 WEP Components (cont d) RC4 algorithm consists of 2 main parts: 1. The Key Scheduling Algorithm (KSA): involves creating a scrambled state array This state array will now be used as input in the second phase, called the PRGA phase. 2. The Pseudo Random Generation Algorithm(PRGA): The state array from the KSA process is used here to generate a final key stream. Each byte of the key stream generated is then Xor ed with the corresponding plain text byte to produce the desired cipher text

18 WEP Components (cont d) ICV (Integrity Check Value)= CRC32 (cyclic redundancy check) integrity check XOR operation denoted as plain-text keystream= cipher-text cipher-text keystream= plain-text plain-text cipher-text= keystream How WEP works IV original unencrypted packet checksum key RC4 IV encrypted packet 18

19 Encryption Process Decryption Process 38 19

20 8.2.5 WEP Frame Body Expansion Recall from CS 334/534: CRC-32 Figure frame format 39 CRC-32 CRC-32 Figure 46 Construction of expanded WEP frame body 40 20

21 End-point authentication w/ nonce Nonce: number (R) used only once in-a-lifetime How: to prove Alice live, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key I am Alice R K (R) A-B Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice! 41 WEP Authentication Not all APs do it, even if WEP is being used. AP indicates if authentication is necessary in beacon frame. Done before association. authentication request AP nonce (128 bytes) nonce encrypted shared key success if decrypted value equals nonce 42 21

22 WEP is flawed Confidentiality problems Authentication problems Integrity problems 43 A Risk of Keystream Reuse IV, IV, P RC4(K, IV) P RC4(K, IV) If IV s repeat, confidentiality is at risk If we send two ciphertexts (C, C ) using the same IV, then the xor of plaintexts leaks (P P = C C ), which might reveal both plaintexts Lesson: If RC4 isn t used carefully, it becomes insecure 44 22

23 Problems with WEP confidentiality (2) IV reuse With 17 million IVs and 500 full-length frames/sec, collisions start after 7 hours Worse when multiple hosts start with IV=0 IV reuse: Trudy guesses some of Alice s plaintext d 1 d 2 d 3 d 4 Trudy sniffs: c i = d i k i IV Trudy computes keystream k i IV =c i d i Trudy knows encrypting keystream k 1 IV k 2 IV k 3 IV Next time IV is used, Trudy can decrypt! Worse: Weak Key Attack Mathematical, complicated, For certain key values (weak keys), disproportionate number of bits in first few bytes of the keystream are determined by just a few key bits. As the IV cycles, wait for weak keys Exploit weak keys to crack the key Effort is only linear in key size! Cracker script tool available 45 Keystream Reuse WEP didn t use RC4 carefully The problem: IV s frequently repeat The IV is often a counter that starts at zero Hence, rebooting causes IV reuse Also, there are only 16 million possible IV s, so after intercepting enough packets, there are sure to be repeats Attackers can eavesdrop on traffic An eavesdropper can decrypt intercepted ciphertexts even without knowing the key 46 23

24 WEP authentication problems Attacker sniffs nonce, m, sent by AP Attacker sniffs response sent by station: IV in clear Encrypted nonce, c Attacker calculates keystream ks = m c, which is the keystream for the IV. Attacker then requests access to channel, receives nonce m Attacker forms response c = ks m and IV Server decrypts, matches m and declares attacker authenticated! 47 Problems with Message Integrity ICV (Integrity Check Value) supposed to provide data integrity ICV is a hash/crc calculation But a flawed one. Can predict which bits in ICV change if you change single bit in data. Suppose attacker knows that flipping bit 3244 of plaintext data causes bits 2,7,23 of plaintext ICV to flip Suppose attacker intercepts a frame: In intercepted encrypted frame, attacker flips bit 3244 in data payload and ICV bits 2,7,23 Will ICV match after decryption at the receiver? After decryption, cleartext bit 3244 is flipped (stream cipher) Also after decryption, cleartext bits 2,7, 23 also flipped. So cleartext ICV will match up with data! 48 24

25 Attacks on WEP WEP encrypted networks can be cracked in 10 minutes Goal is to collect enough IVs to be able to crack the key IV = Initialization Vector, plaintext appended to the key to avoid Repetition Injecting packets generates IVs Attacks on WEP Backtrack 5 (Released 1 st March 2012) Tutorial is available All required tools on a Linux bootable CD + laptop + wireless card 25

26 WEP cracking example 51 Summary of WEP flaws One common shared key If any device is stolen or compromised, must change shared key in all devices No key distribution mechanism Infeasible for large organization: approach doesn t scale Crypto is flawed Early 2001: Integrity and authentication attacks published August 2001 (weak-key attack): can deduce RC4 key after observing several million packets AirSnort application allows casual user to decrypt WEP traffic Crypto problems 24 bit IV to short Same key for encryption and message integrity ICV flawed, does not prevent adversarial modification of intercepted packets not a MAC Cryptanalytic attack allows eavesdroppers to learn key after observing several millions of packets 52 26

27 IEEE i Much stronger encryption TKIP (temporal key integrity protocol) stopgap But use RC4 for compatibility with existing WEP hardware Can also support standard crypto algo (CBC AED, CBC MAC, etc.) Extensible set of authentication mechanisms Employs 802.1X authentication Key distribution mechanism Typically public key cryptography RADIUS authentication server distributes different keys to each user also there s a less secure pre-shared key mode WPA: Wi-Fi Protected Access Pre-standard subset of i 53 IEEE 802i Phases of Operation preview i security is provided only over the wireless link within a BSS, not externally. Phase 1 - Discovery Phase 2 - Authentication Phase 3 - Key Generation and Distribution to STA and AP Phase 4 - Actual User Data Transfer Phase 5 - Connection Termination when Transfer Complete 11/6/2013 Lecture 9 - Wireless Security 54 27

28 Phase 1 Discovery The purpose of this phase is for STA and AP to establish (unsecure) contact and negotiate a set of security algorithms to be used in subsequent phases. STA and AP need to decide on: The methods to be used in phase 3 to perform mutual authentication of STA and AP and generate/distribute keys. Confidentiality and integrity algorithms to protect user data in phase 4 11/6/2013 Lecture 9 - Wireless Security 55 The discovery phase uses three message exchanges (CS334/534): Probe request/response (or observation of a beacon frame) APs advertize their capabilities (WEP, WPA, etc.) in Information Elements in their beacon frames and in their probe responses. Authentication request/response WEP Open System Authentication, for backward compatibility (provides no security) Association request/response STA chooses methods to be used from AP s menu (we will study the case that the station chooses WPA/TKIP) STA uses an Information Element in Association Request to inform AP 11/6/2013 Lecture 9 - Wireless Security 56 28

29 Phase 1 This is not Phase 2/3 Authentication! Figure 6.6 (upper) Phase 1 Discovery 57 Phase 2 - Authentication SOHO Mode A pre-shared key (PSK), is provided in advance to the station and AP by a method external to i In this case the lower half of figure 6.6 is bypassed (and was not shown in the previous slide). There are two methods for providing the PSK: the exact 256-bit number can be provided and used as PMK a passphrase can be adopted, keyed in by user and expanded to 256 bits by the system. In WPA SOHO mode STA and AP delay authenticating each other until phase 3, when they demonstrate that each knows information derived from the PSK. 11/6/2013 Lecture 9 - Wireless Security 58 29

30 Phase 3 Key Generation and Distribution In SOHO mode the PSK has already been shared, so no more distribution is needed and key generation can proceed. Next step in SOHO: The PSK is adopted to derive Pairwise Master Key (PMK) Figure 6.8 (upper) 59 The Pairwise Master Key is not used directly in any security operation. Instead, it will be used to derive a set of keys, the Pairwise Transient Key, to protect the link between AP and station. Protection is needed during two phases: in phase 3 - the handshake between station an AP (protocol called EAPOL ) in phase 4 - Passing user data during actual use of the link 11/6/2013 Lecture 9 - Wireless Security 60 30

31 In both phases separate keys are needed for integrity and encryption, so the total number of keys needed is four: EAPOL-key Confirmation key (KCK) (Integrity) EAPOL-key Encryption key (KEK) Data Integrity Key (part of Temporal Key) Data Encryption Key (part of Temporal Key) PSK 11/6/2013 Figure 6.8 (middle) 61 Computation of the PTK from the PMK The PTK is re-computed every time a station associates with an AP. We want the PTK to be different for each STA-AP pair and different each time a STA associates with an AP (so as not to re-use old keys) Four-way handshake: TKIP/WPA uses a four-way handshake during establishment of the association relationship between an AP and a station 11/6/2013 Lecture 9 - Wireless Security 62 31

32 We can force the PTK to be different for each STA-AP pair by mixing their MAC addresses into the computation of the PTK. But since these do not change between associations, there must also be some dynamic input to the PTK - nonces. Recall that in the discovery phase the STA sent its association request to the AP, including the selection of WPA/TKIP for security. For later use, we can think of the STA randomly generating a nonce (Nonce1) at that point, but not transmitting it. 11/6/2013 Lecture 9 - Wireless Security 63 Four-Way Handshake Frame 1: AP to STA: a nonce chosen by the AP (Nonce2) Nonce2 gives the STA the last piece of information it needs to compute the 512-bit PTK: SHA hash Computation of PTK from PMK 11/6/2013 Lecture 9 - Wireless Security 64 32

33 Four-Way Handshake - continued Frame 2: STA to AP: Nonce1, together with a message integrity code (MIC) (standard HMAC-SHA, since done only during handshake) Nonce1 gives the AP the last piece of information it needs to compute the PTK, so key exchange is complete. This enables the AP to check the validity of the MIC. If correct, this proves that that the STA possesses the PMK and authenticates the STA. Each side has chosen a nonce, and both nonces have been mixed into the computation of the PTK, so PTK is unique to each AP-STA pair and to each association session. 11/6/2013 Lecture 9 - Wireless Security 65 Four-Way Handshake - continued Frame 3: AP to STA: message AP able to turn on encryption (includes MIC, so STA can check that AP knows PMK) Frame 4: STA to AP: message STA about to turn on encryption After sending frame 4, STA activates encryption; on receipt of frame 4, AP activates encryption. At this point Phase 3 is complete we have authenticated the STA and the AP, using the EAPOL keys, and have generated the 256-bit Temporal Key for use in phase 4. We can proceed to phase 4 secure transmission of user data. TKIP stands for Temporal Key Integrity Protocol ( temporal = temporary - only for this association session) 11/6/2013 Lecture 9 - Wireless Security 66 33

34 TKIP: Changes from WEP Message integrity scheme that works IV length increased Rules for how the IV values are selected Use IV as a replay counter Generates different message integrity key and encryption key from master key Hierarchy of keys derived from master key Secret part of encryption key changed in every packet. Much more complicated than WEP! 67 TKIP: Message integrity Uses message authentication code (MAC); called a MIC in parlance Different key from encryption key Source and destination MAC addresses appended to data before hashing Before hashing, key is combined with data with exclusive ors (not just a concatenation) Computationally efficient 68 34

35 TKIP: IV Selection and Use IV is 56 bits 10,000 short packets/sec WEP IV: recycle in less than 30 min TKIP IV: 900 years Must still avoid two devices separately using same key IV acts as a sequence counter Starts at 0, increments by 1 But two stations starting up use different keys: MAC address is incorporated in key security summary SSID and access control lists provide minimal security no encryption/authentication WEP provides encryption, but is easily broken Emerging protocol: i Back-end authentication server Public-key cryptography for authentication and master key distribution TKIP: Strong symmetric crypto techniques Support for strong crypto 70 35

36 Further Reading Real Security by Jon Edney and William Arbaugh Stallings chapter 7 Intercepting Mobile Communications: The Insecurity of Borisov et al.,