Security of Wireless Local Area Network (WLAN)

Transcription

1 Adrián Lachata, Štefan Pero Abstract. This paper deals with security of WLAN. This network uses standard IEEE We will explain cipher algorithm RC4 and communication between client and Access Point (AP) specially. We will describe WEP protocol and what is WPA. We will show which one is secure enough and which is easy to break. Keyword: Security of WLAN, RC4, WEP, WEP attacks, WPA, TKIP, 1 Introduction Wireless (WLAN) is very advanced today. You can wirelessly connect to the Internet almost everywhere, because it is very cheap and available for everyone. It used at home, in small office also in enterprises. And it brings hazards. For example security hazard. We must understand that, attacker doesn t need to be any IT expert to break into the most of currently used WLANs. Many people have skills and abilities to do it. So take a focus into safety of communication through air. 1.1 Plain communication As the name suggest, plain communication doesn t use any encryption whatsoever. It is similar just to plugging Ethernet cable into the hub. Most of today AP allow you to boost security a little by disabling SSID broadcast and using MAC filtering. It is effective against simple attacks, but every person with basic knowledge of network can get this very easy, as all packets in the air are plain and every one of them contains SSID of the WLAN and MAC and IP address user for communication. So it is very easy to set your client to emulate these and hence use desired WLAN. Plain communications is based just on the standard itself. This can be further extended by WEP, WPA, WPA2 and some other proprietary standards to secure WLAN a little more.

2 2 RC4 (Rivest Cipher 4) RC4 algorithm serves to encryption data that decryption takes for years within actual computing power. In cryptography, RC4 (or ARCFOUR) is the most widely-used software stream cipher. It was designed by Ron Rivest of RSA Security in RC4 was initially a trade secret, but in September 1994 a description of it was anonymously posted to the Cypherpunks mailing list. It was soon posted on many sites on the Internet. It has become part of some commonly used encryption protocols and standards, including WEP and WPA for wireless cards and SSL (Secure Sockets Layer). 2.1 Description RC4 generates a pseudorandom stream of bits (a keystream) which, for encryption, is combined with the plaintext using XOR. Decryption is performed the same way. To generate the keystream, the cipher makes use of a secret internal state which consists of two parts: 1. A permutation of all 256 possible bytes (denoted "S" below). 2. Two 8-bit index-pointers (denoted "i" and "j"). The permutation is initialized with a variable length key, typically between 40 and 256 bits, using the key-scheduling algorithm (KSA). Once this has been completed, the stream of bits is generated using the pseudo-random generation algorithm (PRGA) The key-scheduling algorithm (KSA) The key-scheduling algorithm is used to initialize the permutation in the array "S". "keylength" is defined as the number of bytes in the key and can be in the range 1 keylength 256, typically between 5 and 16, corresponding to a key length of bits. First, the array "S" is initialized to the identity permutation. S is then processed for 256 iterations in a similar way to the main PRGA algorithm, but also mixes in bytes of the key at the same time. for i from 0 to 255 S[i] := i endfor j := 0 for i from 0 to 255 j := (j + S[i] + key[i mod keylength]) mod 256 swap(s[i],s[j]) endfor The pseudo-random generation algorithm (PRGA) For as many iterations as are needed, the PRGA modifies the state and outputs a byte of the keystream. In each iteration, the PRGA increments i, adds the value of S pointed to by i to j, exchanges the values of S[i] and S[j], and then outputs the value of S at the location S[i] + S[j] (modulo 256). Each value of S is swapped at least once every 256 iterations. i := 0 j := 0 while GeneratingOutput: i := (i + 1) mod 256 j := (j + S[i]) mod 256 swap(s[i],s[j]) output S[(S[i] + S[j]) mod 256] endwhile 2

3 2.2 Security The RC4 fall short as secure cipher according to cryptographers standard. It is not recommended for use in any new applications. The keystream generated by RC4 is slightly biased in favour of certain sequences of bytes. The best attack based on this bias is due to Fluhrer and McGrew, which will distinguish the keystream from a random permutation given a gigabyte of output. 3 WEP (Wired Equivalent Privacy) Safety of Standard called WEP protocol defines set of instructions and rules for data security transmitted by air. WEP was created to provide Confidentiality, Integrity, and Authentication of packets. Confidentiality is provided from the encryption of the frame body. Integrity is maintained through the Integrity Check Algorithm (CRC) and Authentication is provided by the use of shared key that is only known by authorized users on the network. 3.1 Authentication Authentication is any process by which you verify that someone is who they claim they are. This usually involves a username and a password, but can include any other method of demonstrating identity, such as a smart card, retina scan, voice recognition, or fingerprints. Authentication is equivalent to showing your drivers license at the ticket counter at the airport Open System authentication Open System authentication is the simplest kind of authentication. Any device can join the network, assuming that the device SSID matches the access point SSID. In effect, no authentication (in the true sense of the term) occurs Shared Key authentication Shared Key authentication uses the following way. First WLAN client sends authentication request to the AP. The AP sends back clear-text challenge. he client has to encrypt the challenge text using the configured WEP key and RC4 cipher and send it back in another authentication request. The Access Point decrypts the material, and compares it with the clear-text it had sent. Depending on the success of this comparison, the Access Point sends back a positive or negative response. After authentication client will be associated with AP and WEP can be use for encrypting. At the first glance, Shared Key authentication seems to be more safer. However both of them are very weak for invader. If you can only use the WEP, it would be better use Open System with MAC filtering, it is more easy for packets traffic. Because WEP doesn t save you against attacker. 3.2 WEP encryption IV(24bits) WEP password (40 or 104 bits) RC4 Keystream (XOR) Plain text Cipher text 3 Picture 1: Basic WEP encryption: RC4 Keystream XORed with plain text.

4 Keeping key as the one affected element would be too dangerous. Thus, it uses randomly generated 24 bites called initialization vector (IV). It is advisable to change the IV for every packet. So we need IV for encryption which is generated and appended to WEP password to form the key to form keystream value for the RC4. WEP password usually is the same for long time (month or more). The output of the RC4 stream cipher is a Pseudo Random Sequence of bits. Generic packet is sent through a Cyclic Redundancy Check (CRC) to ensure the integrity of the frame as it is send over the network. The CRC algorithm has the ability to identify single bit errors. This creates Integrity Check Value (ICV). The frame body and ICV are appended together and XOR d with the output of the RC4 cipher. Then the WEP frame is assembled WEP decryption When receiver receives the packet he uses IV and order WEP password on correct creating of keystream from packet. Next he XORes cipher text and keystream that gain plain text and ICV. Consecutively will check the data integrity by received ICV and CRC. 3.3 WEP weaknesses The integrity check field is implemented as CRC checksum, which is part of the encrypted payload of the packet. However, CRC is linear, which means that it is possible to compute bit difference of two CRCs based on the bit difference of the messages over which they are taken. Because flipping bits carries through after an RC4 decryption, this allows the attacker to flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid. The IV in WEP is a 24-bit field, which is sent in the plain text part of a message. Such a small space of initialization vectors guarantees the reuse of the same key stream. The busy AP will exhaust the space of IVs after about 5 hours. This allows an attacker to collect two cipher texts that are encrypted with the same key stream and perform statistical attacks to recover the plaintext. Worse, when the same key is used by all mobile stations, there are even more chances of IV collision. 3.4 Attacks Passive Attack to Decrypt Traffic The first attack follows directly from the above observation. A passive eavesdropper can intercept all wireless traffic, until an IV collision occurs. By XORing two packets that use the same IV, the attacker obtains the XOR of the two plaintext messages. The resulting XOR can be used to infer data about the contents of the two messages. When such statistical analysis is inconclusive based on only two messages, the attacker can look for more collisions of the same IV. With only a small factor in the amount of time necessary, it is possible to recover a modest number of messages encrypted with the same key stream, and the success rate of statistical analysis grows quickly. An extension to this attack uses a host somewhere on the Internet to send traffic from the outside to a host on the wireless network installation. The contents of such traffic will be known to the attacker, yielding known plaintext. When the attacker intercepts the encrypted version of his message sent over , he will be able to decrypt all packets that use the same initialization vector Active Attack to Inject Traffic The following attack is also a direct consequence of the problems described in the previous section. Suppose an attacker knows the exact plaintext for one encrypted message. He can use this knowledge to construct correct encrypted packets. The procedure involves constructing a new message, calculating the CRC-32, and performing bit flips on the original encrypted message to change the plaintext to the new message. The basic property is that RC4(X) xor X xor Y = RC4(Y). This packet can now be sent to the access point or mobile station, and it will be accepted as a valid packet. 4

5 3.4.3 Active Attack from Both Ends The previous attack can be extended further to decrypt arbitrary traffic. In this case, the attacker makes a guess about not the contents, but rather the headers of a packet. This information is usually quite easy to obtain or guess; in particular, all that is necessary to guess is the destination IP address. Armed with this knowledge, the attacker can flip appropriate bits to transform the destination IP address to send the packet to a machine he controls, somewhere in the Internet, and transmit it using a rogue mobile station Table-based Attack The small space of possible initialization vectors allows an attacker to build a decryption table. Once he learns the plaintext for some packet, he can compute the RC4 key stream generated by the IV used. This key stream can be used to decrypt all other packets that use the same IV. Over time, perhaps using the techniques above, the attacker can build up a table of IVs and corresponding key streams. This table requires a fairly small amount of storage (~15GB); once it is built, the attacker can decrypt every packet that is sent over the wireless link. 4 Wi-Fi Protected Access (WPA) Wi-Fi Protected Access Wi-Fi Protected Access (WPA and WPA2) is a class of systems to secure wireless (Wi-Fi) computer networks. It was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP). 4.1 Features of WPA Security The following sections describe the features of WPA security WPA Authentication With , 802.1X authentication is optional. With WPA, 802.1X authentication is required. Authentication with WPA is a combination of open system and 802.1X authentication, which uses two phases: The first phase uses open system authentication and indicates to the wireless client that it can send frames to the wireless AP. The second phase uses 802.1X to perform a user-level authentication. For environments without a RADIUS infrastructure, WPA supports the use of a preshared key. For environments with a RADIUS infrastructure, WPA supports EAP and RADIUS WPA Key Management With 802.1X, rekeying of unicast encryption keys is optional. Additionally, and 802.1X provide no mechanism to change the global encryption key that is used for multicast and broadcast traffic. With WPA, rekeying of both unicast and global encryption keys is required. The Temporal Key Integrity Protocol (TKIP) changes the unicast encryption key for every frame and each change is synchronized between the wireless client and the wireless AP. For the global encryption key, WPA includes a facility for the wireless AP to advertise changes to the connected wireless clients. 5

6 4.1.3 Temporal Key Integrity Protocol (TKIP) For , WEP encryption is optional. For WPA, encryption using TKIP is required. TKIP replaces WEP with a new encryption algorithm that is stronger than the WEP algorithm, yet can be performed using the calculation facilities present on existing wireless hardware. TKIP also provides for: The verification of the security configuration after the encryption keys are determined. The synchronized changing of the unicast encryption key for each frame. The determination of a unique starting unicast encryption key for each preshared key authentication Michael With and WEP, data integrity is provided by a 32-bit ICV that is appended to the payload and encrypted with WEP. Although the ICV is encrypted, it is possible through cryptanalysis to change bits in the encrypted payload and update the encrypted ICV without being detected by the receiver. With WPA, a method known as Michael specifies a new algorithm that calculates an 8-byte message integrity code (MIC) with the calculation facilities available on existing wireless hardware. The MIC is placed between the data portion of the frame and the 4-byte ICV. The MIC field is encrypted along with the frame data and the ICV. Michael also provides replay protection. A new frame counter in the frame is used to prevent replay attacks AES Support WPA defines the use of AES as an additional optional replacement for WEP encryption. Because adding AES support through a firmware update might not be possible for existing wireless equipment, support for AES on wireless network adapters and wireless APs is not required Supporting a mixture of WPA and WEP wireless clients To support the gradual transition of a WEP-based wireless network to WPA, it is possible for a wireless AP to support both WEP and WPA clients at the same time. During the association, the wireless AP determines which clients are using WEP and which are using WPA. The disadvantage to supporting a mixture of WEP and WPA clients is that the global encryption key is not dynamic. All other security enhancements for WPA clients are preserved. 4.2 Changes Required to Support WPA WPA requires software changes to: Wireless APs. Wireless network adapters. Wireless client software. 6

7 4.2.1 Changes to wireless APs Wireless APs must have their firmware updated to support the following: The new WPA information element To advertise their capability to perform WPA, wireless APs send the beacon frame with a new WPA information element that contains the wireless AP's security configuration (encryption algorithms, and so on). The WPA two-phase authentication: Open system followed by 802.1X (EAP with RADIUS or WPA preshared key) TKIP Michael AES (optional) To upgrade your wireless APs to support WPA, you can obtain a WPA firmware update from your wireless AP vendor and upload it to your wireless APs Changes to wireless network adapters Wireless network adapters must have their firmware updated to support the following: The new WPA information element Wireless clients must be able to process the WPA information element in beacon frames and respond with a specific security configuration. The WPA two-phase authentication: Open system followed by 802.1X (EAP or WPA preshared key) TKIP Michael AES (optional) To upgrade your wireless network adapters to support WPA, you must upload a WPA firmware update to your wireless network adapter. For Windows wireless clients, you must obtain an updated network adapter driver that supports WPA. For wireless network adapter drivers that are compatible with Windows XP with Service Pack 2 (SP2), Windows XP with Service Pack 1 (SP1), and Windows Server 2003, the updated network adapter driver must be able to pass the adapter's WPA capabilities and security configuration to Windows Wireless Auto Configuration. Microsoft has worked with many wireless vendors to embed the WPA firmware update within the wireless adapter driver. Because of this, updating your Windows wireless client consists of simply obtaining the new WPA-compatible driver and installing it. The firmware is automatically updated when the wireless network adapter driver is loaded into Windows. 7

8 4.2.3 Changes to wireless client software Wireless client software must be updated to allow for the configuration of WPA authentication (including preshared key) and the new WPA encryption algorithms (TKIP and AES). You must obtain and install a new WPA-compliant configuration tool from your wireless network adapter vendor for wireless clients running the following: Windows 2000 Windows XP with SP2, Windows XP with SP1, and Windows Server 2003, and using a wireless network adapter that does not support the Wireless Auto Configuration WPA support is provided with Windows XP SP2. For wireless clients running Windows XP with SP1 or Windows Server 2003, and using a wireless network adapter that supports the Wireless Auto Configuration, you must obtain and install the WPA Wireless Security Update in Windows XP a free download from Microsoft. The WPA Wireless Security Update updates the wireless network configuration dialog boxes to support new WPA options. 4.3 WPA Encryption and Decryption Process WPA needs the following values to encrypt and integrity-protect a wireless data frame: The IV, which starts at 0 and increments for each subsequent frame The data encryption key (for unicast traffic) or the group encryption key (for multicast or broadcast traffic) The destination address (DA) and source address (SA) of the wireless frame The value of a Priority field, which is set to 0 and reserved for future purposes The data integrity key (for unicast traffic) or the group integrity key (for multicast or broadcast traffic) The following figure shows the WPA encryption process for a unicast data frame. 1. The IV, the DA, and the data encryption key are input into a WPA key mixing function, which calculates the per-packet encryption key. 2. The DA, SA, Priority, the data (the unencrypted payload), and the data integrity key are input into the Michael data integrity algorithm to produce the MIC. 3. The ICV is calculated from the CRC-32 checksum. 4. The IV and per-packet encryption key are input into the RC4 PRNG function to produce a key stream that is the same size as the data, the MIC, and the ICV. 5. The key stream is exclusively ORed (XORed) with the combination of the data, the MIC, and the ICV to produce the encrypted portion of the payload. 6. The IV is added to the encrypted portion of the payload in the IV and Extended IV fields, and the result is encapsulated with the header and trailer. 8

9 4.3.3 The following figure shows the WPA decryption process for a unicast data frame. The IV value is extracted from the IV and Extended IV fields in the frame payload and input along with the DA and data encryption key into the key mixing function, producing the per-packet encryption key. 1. The IV and the per-packet encryption key are input into the RC4 PRNG function to produce a key stream that is the same size as the encrypted data, MIC, and ICV. 2. The key stream is XORed with the encrypted data, MIC, and ICV to produce the unencrypted data, MIC, and ICV. 3. The ICV is calculated and compared to the value of the unencrypted ICV. If the ICV values do not match, the data is silently discarded. 4. The DA, SA, data, and the data integrity key are input into the Michael integrity algorithm to produce the MIC. 5. The calculated value of the MIC is compared to the value of the unencrypted MIC. If the MIC values do not match, the data is silently discarded. If the MIC values match, the data is passed to the upper networking layers for processing. 9

10 Refernces: