Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Transcription

1 Security (WEP, WPA\WPA2) 19/05/2009 Giulio Rossetti Unipi

2 Security Standard: WEP Wired Equivalent Privacy The packets are encrypted, before sent, with a Secret Key (40\128-bits lenghts) and the receiver can use the checksum to verify the integrity of the data. Pourpose: 1) reduce the possibility of eavesdropping 2) prevent unauthorized access to a wireless network (not covered in the standard)

3 WEP: Algorithm Keystream : Inizializzation Vector (IV - 24bit) combined with Secret Key (40\128bit) and processed by a PRNG IV: have the pourpose to make the keystream change during the transmission PRNG: Pseudo Random Number Generator (RC4 - encryption flows) Data Keystream Streamchiper Keystream Data XOR = XOR =

4 WEP Weaknesses 32-bits CRC is linear Every change of a single bit compute a linear change on the CRC. Keystream operate on individual bits of the packet, so, a change on a bit is reflected in a change of deterministic precise bit on the CRC. IV is only 24-bits Reuse of the same keystream is guaranteed. Example: An AP that sends 1500byte packets at 11Mbps exhaust IV's space in:.. and if is not enough *8/(11*106)*224 about s = 5 hours The standard does not require different IV for each packet!

5 WEP: Passive Attacks Initializzation Vector Collision A passive eavesdropper can intercept all wireless traffic, until an IV collision occurs. By XORing two packets that use the same IV, the attacker obtains the XOR of the two plaintext messages. The resulting XOR can be used to infer data about the contents of the two messages. The data collected can be used for statistical analysis. When the same key is used by all mobile stations there are even more chances of IV collision. Some common wireless card resets the IV to 0 each time a card is initialized, and increments the IV by 1 with each packet. This means that two cards inserted at roughly the same time will provide an abundance of IV collisions for an attacker.

6 WEP: Active Attacks Packet Injection: If an attacker knows the exact plaintext for one encrypted message he can use this knowledge to construct correct encrypted packets. This packet can be sent to the access point or mobile station, and it will be accepted as a valid packet. Not all the plaintext is required to be known, at least knowing the heading of a packet is sufficient to do a redirect to an host outside the wlan (in the internet) controlled by the attacker. The AP decrypt the packet and the receiver can obtain the plaintext. Decryption Table: The small space of possible initialization vectors allows an attacker to build a decryption table. Once he learns the plaintext for some packet, he can compute the RC4 key stream generated by the IV used. This key stream can be used to decrypt all other packets that use the same IV.

7 WEP: Conclusion The WEP protocol is vulnerable to attacks. The problem does not lie with the RC4 algorithm used by WEP but the way in which the encryption keys are managed and generated to be used as RC4 algorithm input. Due to the weaknesses found in WEP, new alternatives such as WPA (based on RC4 and TKIP) and WPA-2 (based on AES/CCMP) have emerged to reduce the lack-of security stigma of wireless networks.

8 WPA WPA: Wi-Fi Protected Access WPA implements the majority of the IEEE i standard, and was intended as an intermediate measure to take the place of WEP while i was prepared. With WPA were introduced: - Temporal Key Integrity Protocol (TKIP) - Pre-shared key mode (PSK, also known as Personal mode) - Extensible Authentication Protocol (EAP) Cryptographic algorithm used: - RC4 (the same as WEP).

9 PSK - EAP Pre-shared key In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. Such systems almost always use symmetric key cryptographic algorithms. Extensible Authentication Protocol EAP is an authentication framework, not a specific authentication mechanism, that provides some common functions and a negotiation of the desired authentication mechanism. EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages.

10 WPA\WPA2: TKIP Temporal Key Integrity Protocol TKIP basically works by generating a sequence of WEP keys based on a master key, and re-keying periodically before enough volume of info could be captured to allow recovery of the WEP key. TKIP changes the Key every packets, which is quick enough to combat statistical methods to analyze the cipher. TKIP also adds into the picture the Message Integrity Code (MIC) the transmission s CRC, and ICV (Integrity Check Value) is checked: if the packet was tampered WPA will stop using the current keys and re-keys.

11 802.11i - WPA2 Draft standard was ratified on 24 June 2004 and supersedes WEP which was shown to have severe security weaknesses. WPA implemented a subset of i. The Wi-Fi Alliance refers to their approved, interoperable implementation of the full i as WPA2, also called RSN (Robust Security Network) i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher. The i architecture contains the following components: 802.1X for authentication (entailing the use of EAP and an authentication server), RSN for keeping track of associations, AES-based CCMP to provide confidentiality, integrity and origin authentication.

12 802.1X 802.1X 802.1X is an IEEE Standard for Network Access Control that provides port-based authentication, which involves communications between a supplicant, authenticator, and authentication server. The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and an authentication server is generally a RADIUS database.

13 Breaking WPA\WPA2 Dictionary Weakness with WPA exists when the home version is used, which utilizes a shared pass phrase. If the user chooses a pass phrase that might be found in the dictionary and/or uses a pass phrase that is less then 21 characters, WPA can be cracked using a brute force dictionary attack. The solution is very simple: enter keys that are at least 80-bits long and random (10 hex bytes or 20 characters) although 96 to 128-bits is much better.

14 WPA\WPA2: Conclusion WPA and WPA-2 have two modes of operation in terms of authentication: Pre-shared key (PSK) IEEE 802.1x The PSK operation mode is aimed for small office/home office wireless networks which do not have authentication servers. The IEEE 802.1x operation mode (also known as WPA Enterprise mode) is aimed at Corporations having existing authentication server infrastructure, such a RADIUS servers; as could be expected, this mode of operation is harder to configure.