Wireless Local Area. Network Security

Transcription

1 Wireless Local Area Network Security HONORS PROJECT CIS 345/ Section 131 Spring 2005 Mentor: Prof. C.S. Rani

2 The first part of this research paper will answer questions such as: what is wireless, how wireless works, and how does a basic WLAN (Wireless Local Area Network) look like. The second part will discuss in detail about the WLAN security. PART I Wireless In general the term wireless refers to any means of communication which occur without wires. The following terms (some of them referring also to technologies) are synonymous with the word wireless: PCS (Personal Communication Systems), WAP (Wireless Application Protocol), WTLS (Wireless Transport Layer Security, which is similar to SSL Secure Socket Layer for web traffic), WML (Wireless Markup Language, a lightweight markup language similar to HTML, but designed for small screens with low bandwidth use), b (IEEE standard), Wi-Fi (Wireless Fidelity), HomeRF (Home Radio Frequency), Bluetooth. ([1] p. 4) How wireless works In order to know how wireless works, we have to know how the data is represented and how the wireless signals are used to transmit data. The digital data for wireless communication is represented the same way as in a standard computer. Because computers and the data transmission equipment are made of 2

3 electrical devices, and the electricity has two states (0 OFF, 1 - ON), all these electrical devices use the binary number system (0, 1). 1 0 Any number can be represented in binary using the digits of 0 and 1. These digits are known as bits (BInary digits). A group of eight binary digits form a byte. Also, any character (letters, digits, punctuation) can be uniquely represented as a binary number, according to one coding scheme called ASCII (American Standard Code for Information Interchange). For example, upper case letter A has been assigned number 65 (which in binary is ), sign has been assigned number 63 (which in binary is ), the arithmetic number 6 has been assigned number 54 (which in binary is ), and so on. But how is this data sent? If we re using wires, we can transmit data using copper wires or fiber optic cable. Unlike wired connections, wireless data travels on waves. All forms of electromagnetic energy, from gamma rays to radio waves (Figure 1, [4]), travel through space at the speed of light and they don t require any special medium for movement. ([2] p. 31) 3

4 Figure 1 Electromagnetic spectrum There are two basic types of waves by which wireless signals are sent and received: infrared light and radio waves. The infrared wireless systems have several advantages. Infrared light never interferes with other communication signals nor is it affected by other signals. Also, the signals cannot be intercepted by outsiders because the infrared red light cannot penetrate walls. On the other hand it has serious limitations: lack of mobility (all the time the mobile devices have to be aligned), range of coverage (interference has to be avoided), and speed of transmission (the highest data rate is 4 Mbps). The radio waves provide the most common and effective means of wireless communications today. They overcome the distance limitations of infrared light. The data is transmitted as an analog or digital signal. 4

5 The analog signal (as shown in Figure 2) is a continuous signal with no breaks in it; that is no individual element of an analog signal can be uniquely identified from another element of the signal. ([2] p. 39) Figure 2 Analog signal The digital signal (Figure 3) is a discrete signal; that is, it has numerous starts and stops throughout the signal stream. Computers operate using digital signals, so any kind of data (images, video, audio) has to be converted to a digital format before storing it in the computer. Figure 3 Digital signal A basic Wireless Local Area Network (WLAN) Now that we know what wireless is and how it works, let s take a look at what a basic WLAN is composed of. A basic WLAN consists of two or more computers connected via a wireless link. 5

6 Figure 4 Link between two computers via electromagnetic spectra The link between two computers consists of a connection via electromagnetic spectra traveling over the air in which data is transmitted (see Figure 4, [6]). As shown in Figure 5 ([5]), the computers in a wireless network require NICs (Network Interface Cards) that establish the wireless connection (transmission and reception of information between networked computers). Figure 5 Wireless network 6

7 Also, in a wireless network an Access Point (AP) is needed. An AP is a centralized device that normally has no computer physically attached to it. The AP controls the traffic in the wireless medium: all traffic between the communicating computers must go through the access point. For a wireless network to be successful, it must be reliable, secure, fast and easy to deploy. But, the most important task is to secure the network, starting with individual stations, and continuing with access points and gateways. PART II Security is the most debated topic in wireless LAN community. Wireless LAN can expose secret corporate data and resources to hackers. To protect a wireless LAN from hackers and other adversaries, it should always be operated in encrypted and authenticated mode. ([3] p. 81) In order to discuss about encryption and authentication, we should explain first what standards and WEP (Wired Equivalent Privacy) are. In 1999 the IEEE (Institute of Electrical and Electronics Engineering) completed and approved the standard known as b, and WLANs were born. WLAN networks exist in either infrastructure or ad-hoc mode. Ad-hoc networks have multiple wireless clients talking to each other as peers to share data among themselves without the aid of a central Access Point (AP). An infrastructure WLAN consists of several clients talking to this central device called AP, which is usually connected to a wired network (such as 7

8 Internet, a corporate network, a home LAN). Because the most common implementation requiring security is infrastructure mode, this part will focus on securing stations and APs. WEP Interception of radio communications has been a problem for as long as radios have been used to transmit sensitive information. Since radio transmissions travel in unsecured areas, interception of these radio signals by an attacker is a real threat. In order to protect the data from eavesdroppers, various forms of encryptions have been used to scramble data (more or less successful). ([1] p. 13) The goal of WEP is to make WLAN communication as secure as wired LAN data transmission would be. WEP provides two critical pieces to the wireless security architecture: authentication and confidentiality. WEP uses a shared key mechanism with a symmetric cipher called RC4. The key that a client is using for authentication of the data stream must be the same key as that of the AP. The standard specifies a 40- bit key as shown in Figure 6 ([8]). However, most vendors have also implemented a 104- bit key for greater security. Authentication Authentication is the process that verifies that the user has permission to access the network. Authentication is critical with WLANs because of the open nature of a wireless network (anyone within the range of the network could attempt to break into the WLAN over radio waves). ([2] p. 251) 8

9 Figure standard with a 40-bit key When a station associates with an AP, the station must authenticate itself to the AP. When the association occurs, the station and AP exchange the type of authentication they will accept. If the authentication type is specified as open (see Figure 6), then there is actually no authentication. The AP and the station identify themselves to each other and the association is complete. On the other hand, the devices may also select the shared secret authentication mechanism. Station A will send a nonce (random number) to station B. Station B encrypts (encryption will be discussed later in this paper) the random number using WEP and sends the result to station A. Station A decrypts the packet and verifies the decrypted payload equals the nonce it sent to station B. If the numbers match, then station A will notify station B that the authentication was successful and the association is formed. 9

10 Each WLAN client can be given the Service Set Identifier (SSID) of the network. This value is transmitted to the access point when the client is negotiating with it for the permission to connect to the network. Only those clients that know the SSID are then authenticated as valid users and are allowed to connect to the network. SSIDs provide only a rudimentary level of security because they apply only to devices, not individual users, and because SSIDs themselves are not well secured. ([2] p. 251) A wireless client can be given the SSID in two different ways: first, the SSID can be manually entered into the wireless device (and then whoever has access to that device can see the SSID and distribute it); secondly (even less secure), is when APs freely advertise the SSID to any mobile device that comes into the range of the AP. The default setting on most APs is to freely broadcast SSIDs (for example, Linksys APs have the SSID set to linksys, Cisco APs have the SSID set to tsunami ). Encryption There are several problems with the WEP in its b form. The main problem with WEP is that the RC4 stream cipher used to encrypt data has been proved insecure. There are multiple attacks on the RC4 cipher because of its weak encryption mechanism. RC4 combines the 40-bit WEP key with a 24-bit random number known as Initialization Vector (IV) to encrypt data. The packet is sent over radio waves containing the IV followed by the encrypted data (see Figure 7, [10]). 10

11 Figure 7 Encrypted packet The first attack uses a simple numerical limitation of the IV to figure out the WEP key. Because the IV is only 24 bits long, there are 2 24 = 16,777,216 possible values for the IV. It may seem a large number of values, but on a heavily used network and with the new technology (faster computers) it takes only a couple of hours before the attacker figures out how to crack the code: the RC4 mechanism, eventually, is going to pick the same IVs over and over again; the attacker is listening to the encrypted traffic and picks up the repeating IVs out of the data stream, until enough data can be gathered in order to crack the WEP key. ([7]) The second attack, based on IV, centers around on what are known as Weak IVs. The encryption of a piece of data begins with RC4 choosing a random 24-bit number, and then combining that number with the WEP key to encrypt the data. Some numbers in the range of 0 to do not work well in the RC4 encryption mechanism. These Weak IVs together with the WEP key are passed into mathematical functions which can reveal part of the WEP key. By capturing massive number of packets, an attacker can pick out enough Weak IVs to reveal the WEP key and compromise the network security. ([7]) 11

12 Data encryption requires the use of mathematical keys to both encrypt and decrypt messages. These keys have a numerical value that is used by an algorithm to scramble information and make it readable only to those senders and receivers who have the corresponding decryption key. There are two types of keys. Public key cryptography uses matched public and private keys for encryption and decryption. One key is used to encrypt the message and a different key is used to decrypt it. The public key can be distributed without damaging the private key. Shared key cryptography uses the same key to encrypt and decrypt the message. The key must be kept secret in order to maintain the confidentiality of the data. The AP and each client can have up to four shared keys. Each key must be manually entered and must correspond to the same key position in each of other devices. In Figure 8 ([2] p. 253), the AP and Client 1 each have four keys defined. The AP can encrypt a message with Key A and send it to Client 1. Because Client 1 s key and AP s key matches, Client 1 can have access to the information (it can decipher the message). A message cannot be sent from AP to Client 2 because Client 2 is encrypted with Key D, which does not match AP s Key D. ([2] p. 252) Keeping the key secure does not make the encryption necessarily stronger; the length of the key contributes to a stronger encryption, because a longer key is more difficult to break (for example, keys that are 56-bit long can be broken in few hours using the today s powerful computers). 12

13 Client 1 Encrypted with Key - A Key - A Sus9an Key B Bri7n Key C 1Greg6 Key - D 2Be5n Decrypts message with Key - A Access Point Client 2 Encrypted with Key - D Key - A Sus9an Key B 3Dea4n Key C Ch8ck Key - D 7Jo4e Key - A Key B Key C Key - D Sus9an Rog6r [Blank] 7Pav97 Cannot decrypt message with Key - D Figure 8 Shared key cryptography Because of the limitations of IEEE WLAN security, enhanced security measures are needed in order to make the WLAN more secure. The next section will explore the types of attacks against WLAN and what can be done to prevent them. WLAN Attacks ([2] p. 254): Hardware theft a wireless device may contain information to assist someone in breaking into the network (for example, SSID and WEP keys can be discovered and the attacker can gain access to the network); Access point impersonation clients authenticate to APs, but APs don t authenticate to clients. An AP can be set up and force clients to authenticate with it; Passive monitoring data transmission can be monitored to acquire information such as the addresses of APs and wireless clients, time of association 13

14 and disassociation with the network, etc. Over time a profile can be built based on statistical analysis that may provide assistance to unauthorized users trying to break into the network. In other cases it is possible to determine the contents of transmission itself; Denial of service (DoS) because the messages to associate or disassociate from the WLAN are not encrypted, these can be intercepted and data collected from them. An unauthorized user can use this information to flood the network with transmissions and deny others access to the AP; In order to increase the security of IEEE 802 WLANs, IEEE is working on what is called IEEE 802.1x. This allows WLANs to centralize the authentication of wireless clients. The 802.1x uses a protocol known as Extensible Authentication Protocol (EAP). EAP allows a client to negotiate authentication protocols with a separate authentication server. The 802.1x also makes use of Remote Authentication Dial-In User Service (RADIUS). The 802.1x suggests that the authentication should be made as follows (as shown in Figure 9, [2] p. 255): A user on a wireless device connects to the AP and enters a username and password; The AP requests authentication of that user by sending the information to a RADIUS server on the wired network; The RADIUS server reviews the request and can accept, reject, or further challenge the request. If it accepts the request, the RADIUS server sends the security 14

15 keys and other data for the wireless client to the AP so that it can establish a secure connection with the client; 3 Access point Accepts and provides keys 1 Username + Password 2 Requests authentication Wireless Client RADIUS Server Figure 9 Authentication made with the use of RADIUS In order to make the network even more secure, an AP should have a list of approved users, which is a list of each user s MAC (Media Access Control) address. The MAC is a unique 48-bit number burned into the NIC (Network Interface Card) when this is manufactured. This list of approved MAC addresses can be entered into the access control list and the access is granted only to those users for which the AP finds a matching MAC address (Figure 10, [2] p. 256). 15

16 CAN JOIN Access Point Client 1 MAC REJECTED Client 2 MAC Access Control List Figure 10 authentication made using MAC addresses If WLAN data requires a higher level of security, the experts suggest the following solutions ([2] p. 256): Use a Virtual Private Network (VPN). A VPN is secure, encrypted connection between two points. Reduce the amount of transmission power used in WLAN. This will decrease the distance that the radio waves can travel, thus limiting the range in which hackers can pick up the signals. Customize the WLAN security settings, never leave them set on default options. Use a 128-bit WEP key, which is much harder to break than 40-bit keys; 16

17 In order to protect your network (or your company s) against malicious attackers, it s better to know what the frequency of the attacks is and when do these attacks occur. Figure 11 ([14]) and Figure 12 ([14]) show that the most attacks occur at the begging of the weekend (Friday evening) when most of the companies end their activities and the working personnel is minimum. Figure 11 Attack counts in a 24-hour period Figure 12 Attack counts during a 7-day period Further I will present some of the most popular encryption algorithms and a short description of each one ([11]): RSA: Implementation of the RSA algorithm was made possible by three mathematicians, Ron Rivest, Adi Shamir and Len Adleman in 1977, right after the idea 17

18 of public key system was proposed. To honor them, the method was referred as the RSA scheme: Rivest, Shamir, Adleman. The system uses a public and a private key, and it starts with two large prime numbers which then are multiplied together. RSA is the most popular method for public key encryption and digital signatures. DES/3DES: The Data Encryption Standard (DES) was developed by U.S. government in 1977 as an official standard for the Automatic Teller Machine (ATM) PIN. It is also used in UNIX password encryption. DES is a block cipher with 64-bit block size that uses 56-bit keys. Considering the new technology, the specialists considered that DES is no longer secure and it was developed a new method, called Triple DES (3DES), which encrypts data three times, reaching e key size of bits. IDEA: International Data Encryption Algorithm (IDEA) was developed in Switzerland by Dr. X. Lai and Prof. J. Massey in early 90s to replace the DES standard. It uses a 128- bit key and is very difficult to break because of the length of the key. It s a fast algorithm and it was implemented in hardware chipsets, which made it even faster. BLOWFISH: Blowfish is a symmetric block cipher (just like DES or IDEA) and it takes a variable-length key between 32 and 448 bits. It was designed by Bruce Schneier in

19 as an alternative to existing algorithms. It has been proved as a strong encryption algorithm, after being analyzed considerably. SEAL: Software-Optimized Encryption Algorithm (SEAL) was designed in 1993 by Rogaway and Coppersmith. It is a stream-cipher, which means the data to be encrypted is continuously encrypted. Stream-ciphers are much faster than block-ciphers, but have a longer initialization phase, during which a large set of tables is created using the Secure Hash Algorithm. It uses 160-bit key and is considered very safe. RC4: RC4 is invented by Ron Rivest, one of the co-inventors of RSA scheme. It uses a key size up to 2048 bits (256 bytes). It creates a stream of random bytes and then XORs those bytes with the text ( XOR is a logical operation, and has its value set to TRUE when both operands are different: e.g. 0 XOR 0 = 0, 0 XOR 1 = 1, 1 XOR 0 = 1, and 1 XOR 1 = 0). It is useful for situations when a new key is needed for each message. After knowing the basics of these algorithms, I will describe in detail one of them and that is the RSA algorithm. The RSA algorithm consists in three parts: the key generation, encryption, and decryption ([12]). RSA Key Generation: We select two prime numbers and do their product. Let p=5 and q=7. 19

20 The product is n = p*q = 5*7 =35. We choose f(n) = (p-1)*(q-1) = 4*6 = 24. We select an integer e arbitrary such that e is less than (p-1)*(q-1) and relatively prime to it. Let e=5. We solve the congruence ed 1 (mod ((p-1)*(q-1))) (or the inverse of e % f(n)=1). That is, e*d % 24 = 1. 5d 24 q 1 5d 24q 1 24q 1 d 5 The numbers d and q have to be integers (24q+1) has to be divisible by 5 for q = 1 we have a solution which is an integer number: d 24q Now that we have e and d we are going to form the public and private keys: the public key is the pair (e,n) = (5,35), and the private key is the pair (d,n) = (5,35). RSA Encryption: First we need the public key of the person to whom we want to send the message: (e,n) = (5,35). Next we need the message (for simplicity we used only one letter; in real world applications letters are always encrypted in blocks), so we pick letter C to cipher. Before encrypting the letter we have to encode it as a number. For the purpose of this 20

21 example we will just pick the letter s index from the alphabet. Let m represent this number: m = 3. To encrypt we use the formula m = m e mod n, where m represents the encrypted value (or the encrypted message): m = m e mod n = 3 5 mod 35 = 33. The value of m is sent to the receiver. RSA Decryption First we need the private key of the person who received the encrypted message: (d,n) = (5,65). Next we need the encrypted message: m =33. To decrypt this message we use the formula m = m d mod n = 33 5 mod 35 = 3. m encoded as a letter represents the third letter of the alphabet, C, which means the message was decrypted successfully; Overall, the above algorithms and the detailed description of the RSA mechanism point out one important thing: the longer the key s length, the stronger the encryption is; as the key length increases the number of combinations that must be tried to break an encrypted message increases exponentially. For example, to crack a 40-bit key by an individual with minimal budget and a regular computer it takes one week, while cracking 56-bit key wouldn t be possible in a lifetime. Using hardware specifically designed for encryption/decryption (such as Field Programmable Gate Arrays FPGA), an individual could break a 40-bit encryption in 5 hours, while trying to break a 56-bit encryption with 21

22 the same equipment will take 38 years. Recent studies show that the key length should be at least 90 bits in order to ensure security for the next 20 years ([13]). 22

23 References: [1] Security, Potter, Bruce and Fleck, Bob, O Reilly & Associates, Sebastopol, CA, 2002 [2] Guide to Wireless Communication, Ciampa, Mark, Thomson Learning, Boston, MA, 2002 [3] Building Secure Wireless Networks with , Khan, Jahanzeb & Khwaja, Anis, Wiley Publishing, Inc, 2003 [4] [5] [6] [7] [8] [9] papers/paranoia_files/image010.jpg [10] [11] [12] [13] [14] 23