CS 336/536 Computer Network Security. Summer Term Wi-Fi Protected Access (WPA) compiled by Anthony Barnard

Transcription

1 CS 336/536 Computer Network Security Summer Term 2010 Wi-Fi Protected Access (WPA) compiled by Anthony Barnard

2 2 Wi-Fi Protected Access (WPA) These notes, intended to follow the previous handout IEEE Wired Equivalent Privacy (WEP), are a composite of section 6.2 of Network Security Essentials by William Stallings, 4 th edition, and some material from Real Security by Edney and Harbaugh and from Wireless Networks by Matthew Gast. Stallings begins section 6.2 by stating the reasons why wireless LANs are more vulnerable to attackers that are wired LANs. Radio waves do not usually respect walls, so passive eavesdropping by an external attacker (even listening while outside the building in the parking lot) is an obvious threat; more active threats have also been extensively described in the previous handout. The original (1999) IEEE specification, included in the previous handout, described the security system called Wired Equivalent Privacy (WEP) that you will see in lab session #4. However, as we have seen, WEP was soon shown to be very vulnerable. Unfortunately, by the time that the vulnerability was detected, large numbers of WiFi LANs had been implemented by people who believed that their networks were protected by WEP. Some form of rescue had to be undertaken. IEEE established Task Group i that included acknowledged security experts, such as Ron Rivest, who had been absent from the group that developed the 1999 standard. The limitations on the rescue were that legacy equipment, particularly the Access Points, had to be retained. This imposed three constraints on the rescue: software/firmware upgrades only - no chip replacement a typical AP of the time had only a few spare cycles available the RC4 encryption/decryption algorithm was embedded in a special purpose chip, so could not be changed. These constraints presented a formidable challenge to upgrading the security of wireless LANs. However, Task Group i quickly came up with WiFi Protected Access (WPA) as an interim measure towards the ultimate IEEE i, known as the Robust Security Network (RSN). WPA is available only for infrastructure networks. This was followed in 2004 by finalization of the RSN standard, which became known as WPA2, available in both infrastructure and ad-hoc networks. The full standard is complex, involving an authentication server (AS) implementing IEEE 801X and therefore appropriate only to an Enterprise environment (corporate, with significant security requirements). In a lesscritical situation, usually referred to as Small Office/Home Office (SOHO) mode, WPA is probably adequate and we shall therefore content ourselves with studying this.

3 Wi-Fi Protected Access (WPA) 3 [contact with Stallings section 6.2 will be shown thus: {Stallings page xxx} ] IEEE i Services {Stallings page 183} Authentication - mutual, of STA and AP Access control to admit only properly authenticated clients Privacy (confidentiality) and integrity of data messages IEEE i Phases of Operation {Stallings page 184} This security applies only to traffic within a BSS, that is, between a STA and its AP; it does not extend outside the BSS. There are five phases in i: Phase 1 - discovery STA finds AP and associates (covered in CS x34). STA and AP agree on algorithms and methods to be used. Phase 2 - Authentication STA and AP prove their identities to each other. In enterprise mode the Authentication Server is intimately involved here, but in SOHO mode it is effectively by-passed and we will not consider AS further. Phase 3 - Key generation and distribution. Phase 4 - Actual user data transfer. Phase 5 - Connection termination when transfer complete. Now let s look in more detail at the five phases.

4 4 Wi-Fi Protected Access (WPA) Phase 1 -Discovery Phase {Stallings page 186} The purpose of this phase is for STA and AP to establish (unsecure) contact and negotiate a set of security algorithms to be used in subsequent phases. STA and AP need to decide on: The authentication method to be used in phase 3 to perform mutual authentication of STA and AP and generate/distribute keys. We shall omit IEEE801X and use the simplest method, pre-shared key (PSK) in which the 256-bit key is provided to STA and AP in advance by some secure external method, usually manual. Confidentiality and integrity algorithms to protect user data in phase 4 We shall focus on using TKIP for this purpose. As covered in CS 334/534 and the previous handout, the discovery phase uses three exchanges: Probe request/response (or observation of a beacon frame) APs advertize their capabilities (WEP, WPA, etc.) in Information Elements in their beacon frames and in their probe responses. Authentication request/response (Open System, for backward compatibility) Association request/response - agreement on methods to be used, The STA s request, chosen from the menu offered by the AP, is contained in an information element in the STA s association request. Discovery Phase is shown in the upper half of figure 6.6:

5 Wi-Fi Protected Access (WPA) 5 Phase 2 - Authentication Phase {Stallings page 188} Since we re studying SOHO mode, not enterprise mode {Omit Stallings pages }, this phase is trivial. STA and AP are pre-loaded with the 256-bit pre-shared Key (PSK). In this case the phase 2 exchange shown in the lower half of fig 6.6 is bypassed. The lower half of Stallings page 188, all of page 189, and the top half of page 190 can be omitted, since they delve into the full-blown IEEE 802.1X enterprise-mode authentication The PSK can be supplied either as the actual 256 bits or as a passphrase (such as barnardjonesskjellum as used in ciswifi) that is expanded to the required length by a standard algorithm. In principle the PSK can be different for each STA-AP pair, but in practice most vendors use the same PSK for all STA. The idea is that the STA and AP are mutually authenticated if they can demonstrate to each other in the following phase that they each know the PSK. Phase 3 - Key Generation and Distribution Phase {Stallings pages } The top of the key hierarchy is the Pairwise Master Key (PMK). In Enterprise mode the PMK is obtained during an exchange with the Authentication Server, but in SOHO mode the PMK is derived directly from the PSK, which had previously been shared between STA and AP. Key generation must be completed before we can move on to phase 4 and transmit user data.

6 6 Wi-Fi Protected Access (WPA) As illustrated in the following figure, in SOHO mode the PSK immediately becomes the pairwise master key (PMK), that is, both AP and STA automatically have a copy of their shared PMK (page 192). However, since this will usually be the same for all stations, pairwise is a misnomer As we shall see, the operational keys are derived from this common source plus other input to make them unique to each STA-AP pair. Figure 6.8: The PMK will not be used directly in any cryptographic operation, but will be used to generate the set of operational keys, known as the pairwise transient key (PTK). This consists of two keys to be used between STA and AP in this phase (phase 3) and a two-component (integrity and encryption) key for the next phase (phase 4).

7 Wi-Fi Protected Access (WPA) 7 The three parts to the PTK are: {Stallings page 193} EAP over LAN (EAPOL) Key Confirmation Key (EAPOL-KCK) EAP is the Extensible Authentication Protocol here used over a LAN, hence EAPOL. The confirmation key is what we ve called the message integrity key. It is used to protect the integrity of the messages in phase 3 (below) EAPOL Key Encryption Key (EAPOL-KEK) This will be used to protect the confidentiality of the keys during the phase 3 exchanges. Temporal Keys (TK) The word temporal is used because the keys have a limited (temporary) lifetime, being regenerated every time the STA associates with the AP. The two halves of this will be used to protect integrity and confidentiality of the subsequent user traffic (phase 4). We shall omit group keys (two sections on page 193 and the lower part of fig 6.9)

8 8 Wi-Fi Protected Access (WPA) Computing the Pairwise Transient Key This section outlines the computation of the 512-bit PTK from the 256-bit PMK. The first objective is to make the PTK different for each station/ap pair, and this is accomplished by mixing in the MAC addresses of the two participants. These are readily available from the frame headers. The PTK is re-computed every time a station authenticates with an AP. The second objective is to avoid re-using an old PTK, and since neither the PMK nor the MAC addresses will change, there must be some further dynamic input to the PTK. Four-Way Handshake This further dynamic input is generated during the four-way handshake, which will now be described {Stallings page 193} The four-way handshake is described on Stallings page 193 and shown in the upper part of figure 6.9, which is the continuation of figure 6.6. In our case (SOHO) we enter the 4-way handshake with the STA having already sent (in phase 1, association request) a request to the AP (referred to in the standard as the authenticator (A), asking for activation of WPA/TKIP. Figure 6.9 (upper): Before the four-way handshake begins the STA, referred to as the supplicant (S), has randomly chosen a nonce (Nonce1).

9 Wi-Fi Protected Access (WPA) 9 Message 1: A to S: a nonce chosen by the authenticator (Nonce2) The supplicant S chooses a nonce (Nonce1) and receipt of Nonce2 gives S the last piece of information it needs to compute the 512-bit PTK, as shown in this figure: Computation of PTK from PMK The Pseudo-Random Generator (PRG) is based on HMAC-SHA-1; look back at Thomas figure 4-37 (SSL) to get the flavor of repeated hashing until you have enough keying material. Note on terminology: some authors (including Stallings) use Temporal Key to refer to the entire 256 bits, others use the term to apply only to the 128 bits used in phase 4 to protect data confidentiality. Message 2: S to A: Nonce1, together with a message integrity code (MIC) Nonce1 gives the authenticator the last piece of information it needs to compute the PTK, so key exchange is complete. This enables the authenticator to check the validity of the MIC. If correct, this proves that that the supplicant possesses the PMK and thereby authenticates the supplicant. As you see, in the four-way handshake each side has chosen a nonce, and both nonces have been mixed into the computation of the PTK. Message 3: A to S: message A able to turn on encryption. This message includes the MIC, so S can check that A knows PMK) Message 4: S to A: message S about to turn on encryption. After sending message 4, S activates encryption; on receipt of frame 4, A activates encryption. Key generation and activation is complete.

10 10 Wi-Fi Protected Access (WPA) Phase 4 - Protected Data Transfer Phase {Stallings pages } We have chosen to study the Temporal Key Integrity Protocol (TKIP), which was designed to require only software/firmware changes to devices designed to run the original security protocol WEP {Omit CCMP - Stallings page 195}. Relative to /WEP, TKIP s new features are: Message integrity The usual Ethernet CRC having been shown to be inadequate to defeat forgeries, it was necessary for TKIP to introduce a cryptographic message integrity code (MIC) (Stallings chapter 3), to replace the inner CRC after the data field in the MAC frame. Since APs of the early 2000s were not sufficiently powerful to run HMAC, a new, simpler, algorithm called Michael was invented. The input to Michael is a 64-bit slice of the Temporal Key (a different slice in the two directions), plus the STA and AP MAC addresses, plus (of course) the data to be protected. Data Confidentiality The data in the frame, plus the MIC, are encrypted with RC4 using half (128 bits) of the Temporal Key, truncated to 104 bits. Additional protection is provided by: A new IV sequencing discipline, to remove replay attacks from the attacker s arsenal; the IV is expanded to 48 bits and is incremented monotonically (recall that in WEP there was no official requirement to increment the IV, so attackers could simply replay a previous frame). A per-packet key mixing function. The first design goal is to produce the final data-encryption key (the input seed to the RC4 PRG), that is different for the two directions of transmission (to and from the AP). The second design goal is to prevent generation of the weak keys identified by Fluhrer (see previous handout) and also produce an RC4 seed that is different for each successive packet. This key mixing process is shown in the figure opposite.

11 Wi-Fi Protected Access (WPA) 11 Phase 1 combines the 802 MAC address of the packet transmitter (AP or STA), the high-order 32 bits of the expanded IV, and the temporal key (TK for encryption, from phase 3) by XORing each of their bytes to index into a substitution table ( S-box ), to produce an 80-bit intermediate key. Since both the 64-bit temporal key and the transmitter MAC address are different in the two directions the intermediate keys are very unpredictable satisfying the first design goal. The Phase 1 intermediate key needs to be re-computed only when the low-order 16 bits of the IV wrap around, or when the temporal key is updated, so most implementations cache the Phase 1 result as a performance optimization. Phase 2 copies the low-order 16 bits of the IV into the high-order 24 bits of the RC4 seed, the 8 most significant bits of the counter into both the first and second bytes of the field, and the least significant counter bits to the third byte of the field. Phase 2 then masks off the most significant bit of the second byte to prevent the key concatenation from producing one of the known RC4 weak keys (Fluhrer attack, which required the second byte of the WEP IV to be 0xFF). The 16 low-order IV bits are also input, along with the intermediate key, into phase 2 key mixing, which produces the 104 bits needed to complete the 128-bit RC4 seed. An important point is that an encryption engine (the chip that increments RC4) that ran WEP does not need to be changed in any way to run WPA, since it still gets 128 bits as its input key. This satisfies the goal of preserving legacy equipment.

12 12 Wi-Fi Protected Access (WPA) You can see that WPA has introduced substantial additional sophistication to WEP. The WPA operational keys are forced to be different for each STA-AP pair (by mixing in the two MAC addresses), different each time a particular STA associates with a particular AP (by choosing the two different random nonces), different for each direction of travel (to or from the AP) and different for each packet in a flow (by mixing in the monotonically-increasing IV). The hackers will have a much harder time than with WEP! However: Weakness in Passphrase Choice in WPA Interface By Robert Moskowitz (Paper dated November 04, 2003) The Known-PSK attack by Stations within the ESS The normal practice is to have a single PSK/PMK for all stations and APs within an ESS. Therefore, to generate the PTK used by any station/ap pair, a station within the ESS that wishes to spy on its brothers needs to learn only the two MAC addresses and nonces. All of this is available in the initial exchange of messages (the 4-Way Handshake). Any device can passively listen for these frames for a STA-AP pair and then generate the PTK for that pair. Thus even though each unicast station/ap pairing in the ESS has unique keys (PTK) there is nothing private about these keys to any other device in the ESS, since they all have the same PMK. \cs\cs437\lecture\lecture_u10\handouts\guide to WPA.doc