Wireless Authentication and Encryption: A Primer

Transcription

1 Wireless Vulnerability Management Wireless Authentication and Encryption: A Primer Presented by: Hemant Chaskar, PhD Director of Technology AirTight Networks 2008 AirTight Networks, Inc. All Rights Reserved.

2 Wireless Authentication and Encryption WEP (Wired Equivalent Privacy) First Generation One way shared key authentication RC4 encryption This is broken, still popular in home market due to its simplicity Also popular in retail (handheld scanners are not upgradable) WPA (WiFi Protected Access) Second Generation 802.1x authentication TKIP encryption (variant of WEP, but stronger) i (WPA2/RSN) Third (Current) Generation 802.1x authentication AES CCMP encryption Page 2

3 Recall: Stages of Connection Establishment Client Access Point (AP) Client discovers AP, requests connection. 1. Discovery AP asks Client to proves its identity. 2. Authentication Client binds its identity to AP. 3. Association Start communication. 4. Encrypted Data Page 3

4 WEP Shared Key Authentication Key K (40 bit string) Authentication Request Key K (40 bit string) Compute response R2 = f (C, K) Is R1 = R2? Challenge text C (random string of 128 bytes) Response R1 Result (Accept/Reject) R1 = R2 = T + Keystream (K, IV) Compute response R1 = f (C, K) Note: This is one-way authentication. AP authenticates Client, but not vice versa. Page 4

5 WEP Encryption TRANSMITTER (Key K Initialization Vector IV) 40 bit 24 bit RECEIVER (Key K Initialization Vector IV) RC4 Key Stream Generator RC4 Key Stream Generator Hundreds of bits Keystream WIRELESS CHANNEL Keystream Packet P XOR IV Encrypted P XOR Packet P Called ``Stream cipher Key K is statically programmed in transmitter and receiver IV is changed per packet Page 5

6 Phases of Connection Establishment using WEP Step 4 WEP Encrypted Data Communication Step 3 Association Step 2 Open (No) Authentication WEP Shared Key Authentication Step 1 AP Discovery (SSID, signal strength) Page 6

7 Weaknesses of WEP IV Collision: Means two packets encrypted with same IV 24 bit IV can quickly wrap around under heavy traffic conditions Many cards/aps on reset start with IV = 0 and increment from there If mapping IV Keystream is known for one IV, another encrypted packet having same IV can be decoded Message modification (Borisov et. al. UC Berkeley) Bits in the packet can be flipped in transit without notice of receiver Lack of replay protection WEP (key) cracking Observing certain number of encrypted packets, key K itself can be cracked WEP came to be known as Worst Ever Privacy! Page 7

8 IV Collision: Creating IV Keystream Library WEP Shared Key Authentication itself can help! I see challenge C in plaintext and response R in ciphertext, where R = C + Keystream C + R = Keystream for IV seen in R By sending spoofed deauths, attacker can also increase the frequency at which authentications take place to build this library faster. Using this library attacker can connect to the network Successfully authenticate with the AP (only one data point needed for this) Send (small) packets through the AP Using this library attacker can read/inject in others traffic Can read (parts) of packets of other Clients Can inject (small) packets in other Client s connection Page 8

9 Message Modification and Replays in WEP Borisov, Goldberg and Wagner, 2000, UC Berkeley Attacker can capture packets on air and flip certain bits in it without violating the message checksum Used by some WEP key cracking attacks as helper Replay attacks Simply capture and replay, it will go through Or capture, modify and replay Page 9

10 WEP (key) Cracking: FMS Attack ``Weaknesses in the key scheduling algorithm of RC4, by S. Fluhrer, I. Martin, and A. Shamir, 2001 Key results from paper: Certain values of IVs are called ``Weak IVs If you can collect sufficient (60-100) packets encrypted with weak IVs, key K can be cracked The cracking complexity is linear in size of K (ideally for any good encryption method complexity should be exponential in key size) Freely available tool called aircrack implements FMS attack Passive mode Can take several days to collect packets Active mode Can do in few minutes Exploits lack of replay protection in WEP to expedite packet collection Page 10

11 WEP (key) Cracking: PTW Attack Does not even require weak IVs to be present Uses the fact that certain fields in the frames are well known (easily guessable) to perform key cracking Has passive and active modes PTW attack is implemented in freely available aircrack-ng tool Page 11

12 WEP (key) Cracking: Caffé Latte Attack Can recover WEP keys from connection profiles of laptops even when they are not connected to AP Exploits the fact that Window s laptops actively seek to connect to preferred networks Elicits WEP encrypted ARP responses from laptop to crack WEP key in few minutes Caffé Latte vulnerability was discovered in 2007 by AirTight Networks security research team Page 12

13 Evolution of aircrack-ng Implementation of caffé latte attack Implementation of chaff resistance Chaffing is aimed at confusing WEP cracking tools by injecting junk data in wireless traffic Several techniques have been discovered by security researchers to filter out chaff and then perform WEP cracking Several improvements for replays to expedite encrypted packets collection to crack the WEP key Page 13

14 WPA: Stop-Gap Fix to WEP Created by WiFi Alliance Note: IEEE standardizes WLAN protocols, WiFi Alliance ( promotes market adoption of WLAN Constraints: No change to XOR based hardware encryption engine Something that will work with firmware upgrade to installed base of WLAN equipment Page 14

15 Connection Establishment using WPA Step 5 Step 4.2 Step 4.1 Step 3 WEP Like Encrypted Data Communication Dynamic Encryption Key Generation 802.1x (EAP) Authentication Association Pre-shared Keys (PSK) Addition of TKIP Session specific 802.1x or PSK Step 2 Open (No) Authentication WEP Shared Key Authentication Step 1 AP Discovery (SSID, signal strength) Page 15

16 WPA: 802.1x Authentication Framework Wireless Clients, called ``Supplicants APs are gatekeepers, called ``Autheticators AP2 Secure communication channels AP3 AP1 Secure Enterprise LAN Database Other systems ``Authentication Server (RADIUS) AP4 Page 16

17 Wireless Link Wired LAN Open Authentication Association EAP Identity Request Open Controlled Port allowing only EAP messages to pass through. EAP Identity Response RELAY Generate Master Key Authentication Method Handshake Identity Proof and Master Key Generation Generate Master Key EAP Success Accept/Provide Master Key Generate Transient Keys Page 17 EAPOL 4-Way Handshake Encrypted Data Exchange EAPOL Logoff Generate Transient Keys Open Uncontrolled Port allowing data to pass through.

18 Advantages of 802.1x Freedom to choose authentication algorithm 802.1x is a bearer TLS, TTLS, LEAP, PEAP, GTC, MSCHAPv2, Kerberos, SIM, future algorithms can ride over 802.1x, only requirements being Support mutual authentication Support derivation of master keys Ease of management of credentials in central authentication server Ease of integration with other enterprise security systems (network authentication) Authentication credentials are different for each device Encryption keys are different for each session Page 18

19 PEAP Example PEAP is one popular authentication method that can be supported over 802.1x (EAP) bearer PEAP: Protected EAP Supported in Windows XP, Windows Vista, Linux PEAP operates in 2 phases Phase 1: Client authenticates the Authentication Server using TLS server certificate Builds encrypted tunnel between the Client and the Authentication Server Phase 2: Another authentication method can be executed within this tunnel Commonly used is MSCHAPv2 which is two-way challenge/response password based authentication method Page 19

20 Wireless Link Wired LAN Open Authentication, Association, EAP Identity Request EAP Identity Response Phase 1: Est. TLS tunnel, auth server RELAY TLS Client Hello (Rand1) TLS Server Hello (Rand2, server public certificate) TLS Client Key Exchange (Encryption key Encrypted with public certificate) EAP Identity Request Phase 2: MSCHAPv2 in TLS tunnel, auth Client EAP Identity Response Server Challenge Response to Server Challenge / Client Challenge Success / Response to Client Challenge. / Success EAP Success Accept/Provide Master Key EAPOL 4-Way Handshake Page 20

21 WPA: TKIP Encryption TKIP uses longer IV (48 bit) twice as much as WEP Avoids Weak IVs Prevents IV reuse for any given key IV always starts from 0 and counts upwards Master key generated afresh for each connection attempt unlike static WEP keys Transient keys generated from master key are used for encryption refreshed at regular intervals Builds in replay protection via windowing technique Page 21

22 TKIP Replay Protection IV in TKIP also serves as sequence counter (TSC) Basic idea: Reject packets with repeated TSC For every IV received: If current IV > largest received IV so far, accept If current IV < largest 15, reject (to allow burst ACK for 16 frames) If largest 15 current IV < largest, reject if repeated, accept if not repeated Note: Retransmissions use the same IV as in original packet Page 22

23 WPA2/802.11i: Current State of the Art Final word (as of now) on wireless authentication and encryption Continues to use 802.1x as in WPA PEAP is still popular method Uses encryption technique called AES (Advanced Encryption Standard), also called as CCMP This does require change to hardware encryption engine This is a block cipher (in contrast to WEP and TKIP which are stream ciphers) Page 23

24 Connection Establishment using WPA2/802.11i Step 5 Step 4.2 Step 4.1 Step 3 CCMP Encrypted Data Communication Dynamic Key Generation 802.1x (EAP) Authentication Association Pre-shared Keys (PSK) CCMP (Change in h/w encryption engine) Session specific 802.1x or PSK Step 2 Open (No) Authentication WEP Shared Key Authentication Step 1 AP Discovery (SSID, signal strength) Page 24

25 PSK (Pre-Shared Key) In addition to 802.1x (EAP), WPA and WPA2/802.11i support one more authentication method called PSK In PSK, Master keys are pre-configured in Client and AP Encryption keys are derived using EAPOL 4-way handshake Authentication Server is not needed This is supported for home and SMB markets Page 25

26 Pairwise and Group Cipher Suites Two encryption suites defined in WPA and i Pairwise Cipher Suite (PCS): Used to encrypt unicast communication over wireless link between AP and Client Group Cipher Suite (GCS): Used to encrypt broadcast and multicast communication within the AP s BSS PCS encryption key is derived from master key using EAPOL 4-way handshake Different encryption keys (& methods) for different Clients in a BSS GCS encryption key is delivered to Client by encrypting it with an encryption key derived from master key Same encryption key for all Clients in a BSS Page 26

27 Thank You Questions? Contact Hemant Chaskar, PhD: Page 27