Focus Assignment. Secure computer systems Fall WLAN Security

Transcription

1 Focus Assignment Secure computer systems Fall 2004 WLAN Security Anders Nistér Andreas Lundin Karl-Oskar Lundin Uppsala

2 Introduction Use of wireless networks has exploded in recent years, both in the home and business, with predictions of up to 80 million wireless local area networks in use by the year Wireless networks are inherently insecure, their traffic traveling across the airwaves letting anyone with a wireless receiver have access to data transmitted. Unfortunately most wireless networks (WLAN:s) are in use without any protection whatsoever, sending all data unencrypted. Talking about wireless computing quickly becomes a confusing exercise in acronyms. There are a plethora of standards with obscure names: , b, a, g, X, WEP, WPA, WPA2 and i. This paper will try to cover some of these and hopefully make clear some of the confusion. The prefix with accompanying letters (a, b, g, i, X) refer to actual standards concerned with different aspects of wireless LAN:s, including network speeds, frequency band allocation, service enhancements and extensions. Acronyms like WEP, WPA and WPA2 refer to actual implementations of security schemes for WLAN:s used in existing products, these are usually a mix of different standards put together. The players There are a number of standard bodies that cooperate when it comes to Wireless standards. The Institute of Electrical and Electronics Engineers (IEEE),the Wi-Fi Alliance (WFA) and the Internet Engineering Taskforce (IETF), and they all have slightly different areas of interest. The IEEE is the main body producing the actual standards and RFC:s, whilst the WFA:s main concern is certification of wireless products and enhancing interoperability between vendor products. The WFA has 200 member companies and have been certifying products since March The IETF is an open community working for the betterment of the internet in general. There are also alternative standards for WLAN:s, including HIPERLAN and HIPERLAN2 developed by the European Telecommunications Standards Institute (ETSI). HIPERLAN has better performance than , but has not been able to compete in actual market penetration, and is considered by some to be obsolete (this paper focuses on exclusively). Basic security in Some rudimentary protection and authentication is available for unencrypted wireless networks in the basic standard, but they provide no real security. These solutions include using MAC-address filtering, not broadcasting the network name (SSID), and adjusting the signal strength. MAC-address filtering provides a weak form of authentication by only allowing known MAC-addresses access to the network, however the MAC-addresses are sent as plaintext allowing any sniffer to easily pick up information about what addresses are valid, since spoofing MAC-addresses for your own network interface are trivial this form of authentication is easily broken. Every individual WLAN needs a unique network name to identify it, this is what is known as its server set id (SSID), these can be broadcast across the network, for easy identification. Optionally one could turn this feature off at the access point to try to keep the network name secret, not letting unauthorized users have access. However the SSID is sent in plaintext when clients associate with the network, making the SSID easily

3 sniffed, it is just a matter of time. Adjusting the coverage of the WLAN is an effective way of improving security, choosing not to broadcast network traffic to undesired locations. For this purpose there are a number of antennas one could choose, as well as using deflectors to focus or deflect signals. The most common setup on a network is usually the use of a dhcp server to dynamically allocate IP-addresses to clients as requested. This setup is probably not desirable for a smaller business or at home network, since the number of computers on such a network will probably be limited and easy to handle. A better choice would be to use pre-assigned static IP:s, whilst not stopping determined crackers from sniffing and assigning themselves a valid IP-address, combined with MAC-filtering and SSID secrecy it may deter more casual attacks and war driving. Wired Equivalent Privacy (WEP) The WEP algorithm was the first scheme proposed by the IEEE. It is based on an encryption algorithm concerned with data confidentiality over a wireless network, as well as rudimentary support for authentication and integrity checking. It relies on a preshared secret key that has to be shared between the wireless access point and the client/mobile station. WEP is built around the RC4 encryption algorithm, which is a stream cipher. A stream cipher expands a short secret key combined with a random initialization vector (IV) into a infinite pseudo-random key stream. Data from the sender is XOR:ed with the stream cipher to produce ciphertext that is sent over the network. The receiver then uses the same key to produce an identical stream cipher, XOR:ing the received ciphertext gets back the plaintext data. Due to poor implementation of the RC4 algorithm in WEP it provides very weak security. All stream ciphers are easily broken if the same key is used twice. The IV used in WEP is 24 bits and sent as plaintext. Such a short key length as 24 bits guarantees that we will reuse the same key within a short span of time. On a busy network a specific IV could be reused within just a few hours. Strangely the standard specifies that changing IV with each packet is optional. Many wireless cards also have a tendency to reset their IV to 0 and increment their IV by 1 for each IP packet. WEP also has support for authentication through either open system authentication or shared key authentication. Open system authentication, also the default authentication for the standard is essentially no authentication at all, anyone who requests authentication is authenticated. Shared key authentication works by a simple challenge response handshake to authenticate both access point and mobile unit, using the mutually shared secret. The initiator of authentication sends an authentication request, the receiver of this request then sends a plaintext randomly generated word. This word is then encrypted by the initiator and sent back to the receiver. The receiver then decrypts the message and checks that it is. If authentication succeeds, initiator and receiver switch roles and the procedure is repeated, thus achieving mutual authentication. Due to the unsafe nature of WEP discussed earlier an attacker can easily break shared key authentication by capturing the plaintext and encrypted random challenge and IV. This allows him to be able to calculate an authentication response without knowing the secret key. WEP supports integrity checking through as a CRC-32 checksum. A problem with this is that CRC-32 is linear, which means that it is possible to calculate the bit difference

4 between CRC:s based on the differences between the messages from which they are calculated. This means that an attacker could modify data sent over WEP, and then calculate the changes needed in the CRC checksum to make the resulting data seem like it is valid. Wi-Fi Protected Access (WPA) Once it became clear that WEP was fatally flawed, the Wi-Fi alliance proposed a temporary solution in WPA as quick fix before the advent of WPA2 (802.11i). It is designed to be both forward and backwards compatible with other products. Usually an upgrade from WEP to WPA requires only a software or firmware upgrade, some manufacturers and vendors have chosen not to make it available on their devices, making the availability of WPA limited. Improvements over WEP include extended initialization vectors (48 bits), encryption key regeneration and redistribution including unique keys for each client avoiding the same key staying in use for weeks or months, message integrity check as well as improved possibilities for authentication using external solutions. VPN/IPSec Due to the poor security provided by WEP, and to a certain extent the interim WPA standard, many people choose to view WLAN standards very warily. This has lead to the recommendation of using IPSec and VPN tunnels over wireless LAN:s. VPN over IPSec provides a number of improvements over WEP/WPA, namely that it uses stronger encryption like AES and 3DES. A VPN tunnel is created by using the Internet Key Exchange (IKE) protocol. IKE is flexible and allows or use of either a preshared secret key or certificates. IKE also creates a public and private key pair to generate a symmetric encryption key. Keys are regenerated at intervals to renew the tunnels encryption. Breaking a VPN tunnel by listening in and man-in-the-middle attacks are much harder than for WEP since IPSec uses much longer keys than WEP, they have an approximate repeat rate of about 20 years. Other alternatives for VPN tunnels include SSL/TLS and ssh but these are more limited solution. A problem with current IPSec based VPN:s are that they are all proprietary and have poor interoperability, there is a IETF standard for VPN, but vendors have not implemented it. Conclusion The earlier stages of development in WLAN security studied by us, have shown similarities with the earlier stages in development in the internet in general, in that security issues seem to have been a very minor concern or afterthought. The early standards disregarded security or left it as an exercise to the people implementing actual products. With the advent of newer standards in 2004 (WPA2 a.k.a i), hopefully WLAN security will be improved.

5 References: Computer Security. Dieter Gollmann. John Wiley & Sons. Security of the WEP algorithm Nikita Borisov, Ian Goldberg and David Wagner. January Wireless security beyond WEP and WPA. Eric Peeters. May Wikipedia entry on Wikipedia entry on WPA Wikipedia entry on WEP Wikipedia entry on RC4 algorithm Minimizing WLAN security threat. Jim Geier. September Wireless LAN Security: A short History. Matthew Gast. April Security Beyond WEP. Jim Geier. June Evolution of WLAN security. Jim Burns, John Hill. April