IT-Sicherheit: Sicherheitsprotokolle. Wireless Security. (unter Benutzung von Material von Brian Lee und Takehiro Takahashi)

Transcription

1 IT-Sicherheit: Sicherheitsprotokolle Wireless Security (unter Benutzung von Material von Brian Lee und Takehiro Takahashi)

2 ! 61 ints 5 2 Po ss e c Ac 3 Built in Security Features!!!!!! Service Set Identifier (SSID) Differentiates one access point from another SSID is cast in beacon frames every few seconds. Beacon frames are in plain text! First layer of security Stealth Mode probe request 4

3 Do s and Don'ts for SSID s! Default SSID s are well known (Linksys AP s default to linksys, CISCO defaults to tsunami, etc) so change them immediately! Do change the settings on your AP so that it does not broadcast the SSID in the beacon frame! Why? 5 Hiding the SSID! As stated earlier, the SSID is by default broadcast every few seconds.! Turning it off makes it harder to figure out a wireless connection is there! Reading raw packets will reveal the SSID since even when using WEP, the SSID is in plain text! Increases deployment difficulty! Windows tends to get confused 6

4 MAC address filtering! MAC address filtering works by only allowing specific hardware to connect to the AP! Management on large networks unfeasible! Using a packet sniffer, one can very easily find a valid MAC address and modify their OS to use it, even if the data is encrypted! May be good for small networks that need to protect against accidental misuse only 7 Associating with the AP! Access points have two ways of initiating communication with a client! Shared Key or Open Key authentication! Open key allows anyone to start a conversation with the AP! Shared Key is supposed to add an extra layer of security by requiring authentication info as soon as one associates 8

5 How Shared Key AuthN works! Client begins by sending an association request to the AP! AP responds with a challenge text (unencrypted)! Client, using the proper WEP key, encrypts text and sends it back to the AP! If properly encrypted, AP allows communication with the client 9 Is Open or Shared Key more secure?! Ironically enough, Open key is the answer in short! Using passive sniffing, one can gather 2 of the three variables needed in Shared Key authentication: challenge text and the encrypted challenge text! Can be prompted by disassociation attack 10

6 Wired Equivalent Protocol (WEP)! Primary built security for protocol! Intended to make wireless as secure as a wired network! Provides Confidentiality, Integrity, and Authentication! Uses 40 bit RC4 encryption! Unfortunately, since ratification of the standard, this use of RC4 has been proven insecure, leaving the protocol wide open for attack 11 WEP Encryption 12

7 Problems with WEP! 1 static key! No encryption is strong if one key is used forever! Key length is short (40bits)! Brute forcing is possible! Using CRC32 in ICV! Bit flipping attack: CRC(msg XOR delta) = CRC(M) XOR CRC(delta)! bits cannot set or cleared, but could be flipped! No specification on key distribution! Lacks scalability! No protection against replay attack! Improper use of RC4! Protocol doesn t actually specify IV use! 2 existing attacks 13 Numerical Limitation Attack! IVs are only 24bit, and thus there are only 16,777,216 possible IVs! A busy network will repeat IVs often! By listening to the encrypted traffic and picking out the duplicate IVs, it is possible to obtain the clear text 14

8 FMS Attack -- weak IV attack --! Some IVs do not work well with RC4! Using a formula, one can take these weak IV and infer parts of the WEP key! 5 % chance of guessing correctly! Once again, passively monitoring the network for a few hours can be enough time to gather enough weak IVs to figure out the WEP key! 4M ~ 6M packets to decrypt 40bit WEP key! The time needed to deploy the attack is linearly proportional to the key length! 104bit key is only 2.6 times more secure than 40bits key! [Fluhrer, Mantin, Shamir 2001] 15 Conclusion: WEP! Confidentiality! FMS attack! Integrity! Bit-flipping attack! Authentication! Not really! WEP is flawed, and there is no simple solution to fix it! Attacks against WEP are passive and extremely difficult to detect NO MORE WEP 16

9 Virtual Private Networking (VPN)! Deploying a secure VPN over a wireless network can greatly increase the security of your data! Idea behind this is to treat the wireless network the same as an insecure wired network (the Internet)! Docking network goes nowhere but to the VPN gateways 17 Perceived problems of VPN approach! Deployment Overhead! Performance does not scale with number of APs deployed! PC crypto speeds around 500 Mbit/s, highly parallelizable! Susceptible to denial of service (DOS) attacks! E.g., against DHCP/DNS in the docking network! PCs are vulnerable in the docking network! Susceptible to any attack against the specific VPN! Will be repaired quickly (VPNs do interface to the Internet!), if any! (PPTP with MSCHAPv2 is quite weak against dictionary attacks, though) 18

10 Back to L2 (network boundary) solutions! 802.1x! per-user authentication! Key distribution mechanism! WPA! Subset of i! 2 forms! 802.1x with EAP + TKIP (including MIC)! Pre-shared Key + TKIP (including MIC)! i RSN (Robust Security Network)! 802.1x with EAP + AES + CCM X authentication! 802.1X is a port-based, layer 2 (MAC address layer) authentication framework on IEEE 802 networks.! Not limited or specific to networks! Uses EAP for implementation! 802.1X is not an alternative to WEP, it works along with the protocol to manage authentication for WLAN clients! It also generates the short-term ( temporal ) keys for encryption and data protection 20

11 How authentication takes place! A client requests access to the AP! The AP asks for a set of credentials! The client sends the credentials to the AP which forwards them to authenticating server! The exact method for supplying credentials is not defined in 802.1X itself! Uses EAP over LAN (EAPOL) x authentication 22

12 Extensible Authentication Protocol (EAP)! 802.1X utilizes EAP for its authentication framework! flexible: one time passwords, certificates, smartcards, own eap protocol, etc! zero per packet overhead! cost efficient! 802.1X integrates well with other open standards such as RADIUS! RADIUS is the de-facto standard backend protocol for Network Access Server authentication 23 more benefits of choosing 802.1X! Software upgrade! Access points only need a firmware upgrade to enable 802.1X! On the client side, 802.1X can be enabled with an OS upgrade (or just an updated driver for the NIC)! Depending on the EAP you choose, you can have a very secure authentication scheme!! Proprietary versions of dynamic key management available 24

13 EAP-MD5! EAP-MD5 is a simple EAP protocol similar to CHAP! Uses an MD5 hash of a username, a server challenge and password that is sent to the RADIUS server! Vulnerable to dictionary attacks! Authenticates only one way! Man in the middle attack! No key generation 25 LEAP (Cisco Wireless)! Like MD5, it uses a Login/Password scheme that it sends to the RADIUS server! Each user gets a dynamically generated one time key upon login! Authenticates client to AP and vice versa! Can be used along with RADIUS session time out feature, to dynamically generate keys at set intervals! Only guaranteed to work with Cisco wireless clients! Broken ASLEAP by Joshua Wright! Dictionary attacks too easy 26

14 EAP-TLS! Instead of a username/password scheme, EAP-TLS uses certificate based authentication! Has dynamic one time key generation! Two way authentication! Uses TLS (Transport Layer Security) to pass the PKI (Public Key Infrastructure) information to RADIUS server! Compatible with many OS s! Harder to implement and deploy because keys/certificates for clients need to be generated 27 EAP-TTLS (Bob Funk) PEAP by Microsoft and Cisco! Very similar to EAP-TLS except that the client does not have to authenticate itself with the server using a certificate! In phase 1, a bogus identity can be used by the client (must be good enough to find the authentication server, though); only the server authenticates in this phase! In phase 2, the TLS protected channel can be used for a simple login/password based scheme (e.g., using MSCHAPv2)! Much easier to setup, does not necessarily require a PKI! PEAPv0 currently works natively with Windows XP SP1, but other platforms are starting to support it; EAP-TTLS is supported by much open source software 28

15 EAP Types MD5 Open / Proprietary Open Mutual Auth NO AuthN Client User/pass AuthN Server None Username in clear txt Yes TLS Open YES Certificate Certificate Yes TTLS Open YES User/pass Certificate No PEAP Open YES User/pass Certificate No LEAP Proprietary YES User/pass None Yes 29 WPA (Wi-Fi Protected Access)! Subset of i! Confidentiality! Fix flawed encryption mechanism! TKIP: Per-packet dynamic key mechanism! Authentication! 2 forms: Per-user based and Pre-shared key! Integrity! Upgradeability! Software / Firmware Upgrade 30

16 WPA Steps! Confirmation of association capability! 802.1x authentication and PMK creation! 4way handshake and PTK installation! Group key (GTK) installation! Encryption using TKIP x Authentication + PMK Pairwise master key:! Authentication process uses secure channel! PMK generation can be piggy-backed on that! PMK is a seed for temporal WEP key generation in the next phase! PMK is generated based on the user authentication result 32

17 802.1x Authentication + PMK 33 4 Way Handshake and PTK! Do not directly use PMK for crypto! Generate pairwise transient key PTK (512 bits) from PMK and nonces! splits in 4 ways, 128 bits each:! Data encryption, data integrity, EAPOL-Key encryption, EAPOL-Key integrity! Part of PTK is used to generate the encryption key (WEP equivalent) in the next phase 34

18 Situation after EAP success! Supplicant (station) and authentication server are happy about each other, share PMK! Authentication server sends authenticator (AP) the PMK! Now, supplicant and authenticator have to prove to each other they do know the PMK! This handshake also generates the PTK: Anonce (authenticator nonce) and Snonce (supplicant nonce) add freshness to the PTK 35 4 Way Handshake and PTK 36

19 4 Way Handshake and PTK 37 Group Key! Problem: Broadcasts (AP to Stations) cannot use pairwise keys! Broadcast packets from Stations are actually unicast to APs first -- can use PTK for this leg! Separate group transient key (GTK)! Sent after pairwise secure connection is established! Needs to be re-keyed after each disassociation!! WEP Key-ID field recycled to allow seamless transition 38

20 TKIP (Temporal Key Integrity Protocol)! Problem: old hardware may not be powerful enough for AES-CCMP; need to continue using RC4 TKIP:! Expands IV space (24 " 48bits)! IV sequence is specified! TSC (TKIP sequence counter) protects against replay! Per-packet Mixing Function creates the 40-bit (104-bit) part! Allows working with legacy hardware expecting structure! Mix in MAC address to minimize IV reuse between systems! MIC: Michael! Very cheap integrity checker for MAC addresses and data 39 The MIC tradeoff! Most good message integrity checks are too expensive! Michael is fast and cheap! But only limited resilience! Adds to WEP ICV (CRC), which is still applied at MPDU level! Michael is done at the MSDU level! Attacks would require millions of packets! Countermeasures (60-second blackout) once an attack is detected! Creates age-old DoS problem! There are easier ways to do wireless DoS, though 40

21 WPA-PSK! For home / SOHO use! Removes 802.1X authentication! Pre-shared Key ( PSK ) is computed from pass phrase via password-based key derivation function PBKDF2 (RFC2898)! Use this as the PMK! WPA-PSK = Pre-shared Key + TKIP! Weak against passive dictionary attack! Choose long, complex PSKs! Still much better than WEP i! The long-awaited security standard for wireless, ratified in June 2004! Better encryption: AES-CCMP! Key-caching! Pre-authentication! Hardware manufactured before 2002 is likely to be unsupported: too weak 42

22 Key-Caching! Skips re-entering of the user credential by storing the host information on the network Pre-authentication! Allows client to become authenticated with an AP before moving to it! Useful in encrypted VoIP over Wi-Fi " Fast Roaming 43 Things to keep in mind while deploying WLAN! Hide SSID! Do NOT use WEP! Use WPA with 802.1x if possible! Or at least use WPA with a very complex pre-shared key! Or use VPNs 44

23 Take-away messages! If you compromise on security, your security will be compromised! Do get a security review early in the process! Distributing security critical functions into zillions of nonupgradeable hardware devices will create a problem! With sufficient thrust, pigs fly just fine! However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead. [RFC 1925: Fundamental truths of networking, 1 April 1996] 45 Nächste Termine Mo, Uhr: Übung Do, Uhr: Sicherheitsmanagement Übungsblatt 10 bald auf Stud.IP, s.: 46