Critical Issues in Wireless Local & Wide Area Security

Transcription

1 Critical Issues in Wireless Local & Wide Area PISA Seminar Ray Hunt Associate Professor (Networks and Security) University of Canterbury, New Zealand ray@cosc.canterbury.ac.nz 1 Key Wireless LAN Technologies IEEE802.11b (11 Mbps) 2.4 GHz (Wi-Fi) (US) IEEE802.11a (54 Mbps) 5 GHz (US) HiperLAN/2 (54 Mbps) 5GHz (Europe) IEEE802.11g (54 Mbps) 2.4 GHz IEEE Broadband Wireless Access Standard (Wireless MANs) Bluetooth Wireless PAN (Personal Area Network) 2.4 GHz (= IEEE802.15) HomeRF (1.6 Mbps) 2.4 GHz 2

2 Wireless LAN - Good Security Principles 3 How Security Breaches Occur War driving Passing by in cars, pedestrians Attack software available on Internet to assist GPS can assist in locating networks Access to an insecure WLAN network is potentially much easier than to a fixed network Without authentication and encryption, WLANs are extremely vulnerable Anybody with shareware tools, WLAN card, antenna and GPS is capable of war driving 4

3 WLAN - Good Security Principles Problems with bad WLAN architecture Located behind firewall in trusted network No authentication Must consider security options: Infrastructure design to enhance security? Open access or MAC restricted? Implement WEP or not? Problem with rogue WLAN Can give access to trusted network as connection/installation as easy as connecting to a hub and without knowledge of administrator 5 WLAN - Good Security Principles Wireless LAN - out of the box Enable WEP (in spite of some issues) Change default/identifiable SSID (Service Set Identifier) as network name not encrypted Use products with dynamic key generation such as Lucent/Agere s ORiNOCO AS-2000 Do not use MAC address Authentication - tools are readily available to sniff a MAC address 6

4 WLAN - Good Security Principles Consider network (and above) options: DHCP or static IP Authentication RADIUS, DIAMETER, EAP, SRP, LEAP IEEE 802.1x IPSec VPNs and Encrypted tunnels SSL/TLS PKI and IKE key management Digital Certificates etc 7 WLAN Security WLANs suffer from security problems WEP (Wired Equivalent Privacy) has been partial fix, viz Limited number of community encryption keys When one key compromised, entire system must be manually re-configured Authentication is one-way only No per-message integrity checks Can lead to session hijacking see diagram... 8

5 WLAN Security 9 WLAN Security Authentication of user, not device necessary Adoption of IEEE 802.1x and EAP (Extensible Authentication Transport Protocol) - discussed later Generation of new encryption key per session Mutual authentication eliminates rogue access points.. see diagram... 10

6 WLAN Security 11 WEP (Wired Equivalent Privacy) 12

7 WEP Security Features RC4 encryption Uses 40 or 128 bit shared key Encrypts payload while frame is in the air Wireless LAN Encrypted by WEP Wired LAN Not encrypted by WEP Traffic flow 13 WEP Security Features WEP (Wired Equivalent Privacy) WEP has two main design goals: Protection from eavesdropping Prevent unauthorized access IEEE defines mechanism for encrypting frames using WEP as follows: a) A key is shared between all members of BSS b) The encryption algorithm for WEP is RC4, used to generate key stream, which is XORed against plaintext to produce ciphertext 14

8 WEP Security Features c) The decryption algorithm for WEP is RC4 which is XORed against ciphertext to reproduce plaintext d) WEP appends 24-bit IV to the shared key; WEP uses this combined key + IV to generate RC4 key schedule. WEP selects new IV for every packet e) Encapsulation transports IV and ciphertext from sender (encryptor) to receiver (decryptor) f) WEP uses a CRC for integrity check of the frame. The CRC is computed over data payload and appended to frame before encryption. WEP encrypts CRC with rest of data payload g) Authentication - one way client MAC address only 15 WEP Security Features WEP was never intended to be complete end-toend solution Business policy will dictate if additional security mechanisms required such as: access control, end-to-end encryption, password protection, authentication, VPNs, firewalls, etc WECA believe many reported attacks are difficult to carry out IEEE working on extensions to WEP (IEEE e). See reference to ESN 16

9 WEP Protocol Encryption Plaintext Message CRC X-OR Keystream = RC4(iv,k) iv Ciphertext Transmitted Data k = key iv = Initialisation Vector RC4 = Rivest Cipher 4 Stream Cipher 17 WEP Protocol Decryption X-OR iv Ciphertext Transmitted Data Keystream = RC4(iv,k) Plaintext Message CRC k = key iv = Initialisation Vector RC4 = Rivest Cipher 4 Stream Cipher 18

10 WEP Symmetric Key Operation Secret Message over Wireless LAN Symmetric Key Symmetric Key Secret Message over Wireless LAN The same symmetric (RC4) key is used to encrypt and decrypt the data WEP Integrity Check Using CRC-32 Message CRC-32 Match Message Polynomial CRC-32 Integrity check used to ensure packets not modified during transit

11 WEP Security Weaknesses Number of flaws discovered in WEP: Passive attacks to decrypt traffic using statistical analysis Active attacks - inject new traffic from unauthorized stations based upon known plaintext Active attacks to decrypt traffic based upon tricking the AP (Access Point) Dictionary-building attacks. After analysis of about a days traffic, real-time automated decryption of all traffic is possible Need for user/node Authentication (EAP/802.1X) 21 WEP Security Weaknesses These attacks possible with inexpensive off-theshelf equipment (opinion) These attacks apply to both 40-bit and 128-bit versions of WEP These also apply to any version of the IEEE standards (802.11b in particular) that use WEP IEEE is proposing an upgrade to WEP (WEP2 + AES) to rectify problems 22

12 WEP Security Weaknesses Both IC (Integrity Check) & IV (Initialisation Vector) implementations have weaknesses: IC using CRC-32 designed for detecting line errors, not as security mechanism, therefore has vulnerabilities (not a digital signature) Use of a 24-bit IV guarantees reuse within 5 hours or less (operating with 1500 byte packets at 11 Mbps). Hence attacker has multiple ciphertexts encrypted with same key. See wep-faq.html for further details. 23 WEP Security Enhancements WEP standard does not discuss how shared keys are established Most installations use single key shared between all mobile stations & access points More sophisticated key management disciplines (PKI + IKE) can be used to improve attack defense. Few commercial systems implement such systems yet ESN (Enhanced Security Network) + AES cipher being designed to rectify deficiencies 24

13 WEP Symmetric Key Operation Secret Message over Wireless LAN Symmetric Key Symmetric Key Secret Message over Wireless LAN The same symmetric (RC4) key is used to encrypt and decrypt the data Symmetric Key The Advantages Secure Widely Used Encrypted text is compact Fast The Disadvantages Complex Administration Requires Secret Key Sharing No non-repudiation Subject to interception

14 Asymmetric (Public/Private) Key Operation Recipient s Public Key Recipient s Private Key Secret Message over Wireless LAN Public Key Private Key Secret Message over Wireless LAN What is encrypted with one key, can only be decrypted with the other key. RSA is one example, Elliptic Curve is another. Public/Private Key The Advantages Secure No secret sharing No prior relationship Easier Administration Supports nonrepudiation The Disadvantages Slower than symmetric key Encrypted text is larger than with symmetric version

15 The Combination Secret Message over Wireless LAN Random Symmetric Key Secret Messag e over Wireles s LAN Encrypted Bob s Public Key To: Bob Key Wrapping Digital Envelope The Combination Digital Envelope To: Bob Secret Messag e over Wireles s LAN Encrypted Wrapped Key Bob s Private Key Random Symmetric Key Secret Message over Wireless LAN

16 The Combination You get the best of both worlds The benefits of Symmetric Key Speed Compact Encrypted Text The benefits of Public Key Simpler Key Management Digital Signature Non-Repudiation Digital Signatures Secret Message over Wireless LAN Secret Message over Wireless LAN Encrypted Digest Hash Function Digest Signer s Private Key Encrypted Digest

17 Digital Signatures Hash Function Secret Message over Wireless LAN Encrypted Digest Secret Message over Wireless LAN Encrypted Digest Signer s Public Key Digest match? Digest How can you be sure that you get a real (and valid) public key? X.509 Digital Certificate I officially authorize the association between this particular User, and this particular Public Key

18 X.509 Digital Certificates Secret Message over Wireless LAN Encrypted Digest Certificate Name, Address, Organisation Owner s Public Key Certificate Validity Dates Certifying Authority s Digital Signature All you need is the CA s public key to verify the certificate and extract the owner s public key Is WEP2 going to fix the problems? WEP2 (= may be called TKIP) features: Increases size of IV space to 128 bits Key may be changed periodically via IEEE 802.1x reauthentication to avoid staleness No keyed MIC (Message Integrity Check), i.e. no digital signature using keys No authentication for reassociate, disassociate No IV replay protection Use of Kerberos for authentication within IEEE 802.1x Analysis shows that although security has been improved, there are additional solutions 36

19 Wireless Vulnerabilities Addressed by Various Security Mechanisms WEPv1 WEPv2 Kerberos-5 AES - Advanced Encryption Standard (Rijndael) SRP - Secure Remote Password Attack WEPv1 WEPv2 + Kerberos-5 AES+Kerberos-5 AES + SRP Unintentional IV reuse X X X Intentional IV reuse X X Realtime decryption X X X Known plaintext X X Partial known plaintext X X Authentication forging X X Denial of Service Dictionary attack X 37 WEP,VPNs, IDS, Sniffers WEP and VPN can work together: Carefully configured firewalls and tunnels IPSec, IKE, Digital Certificates Intrusion Detection and Monitoring Systems: Server - IIS, Real Secure IDS, Dragon, AirIDS Access Point - SNMP traps, system logging Wireless Network Sniffers: Sniffer (Sniffer Technologies - NetStumbler - discover WLAN cards, APs, peer-to-peer infrastructure, etc AirSnort and WEPCrack - use captured traffic to recover crypto keys 38

20 EAP (Extensible Authentication Protocol) 39 WLAN Security with EAP Extensible Authentication Protocol checklist: Does it provide for secure exchange of user information during authentication? Does it permit mutual authentication of the client and network thus preventing intrusion? Does it require dynamic encryption keys for user and session? Does it support generation of new keys at set intervals? Is it easy to implement and manage, e.g. EAP-TLS requires client-side certificates? 40

21 EAP (Extensible Authentication Protocol) RFC 2284 Many basic protocols such as PAP, CHAP and WEP offer very limited security EAP provides extensions to allow arbitrary authentication mechanisms to validate the connection (e.g. PPP, IEEE b, etc) EAP links to 3rd party plug-in authentication modules: Token cards, Kerberos, PKI, S/Key... SRP, LEAP, TLS EAP (Extensible Authentication Protocol) RFC 2284 contd... EAP is available with Windows 2000 & XP Common EAP authentication types include: 1. EAP-SRP (Secure Remote Password) offers a cryptographically strong user authentication mechanism suitable for negotiating secure connections and performing secure key exchange using a usersupplied password 2. MD5 (Message Digest 5) - Wireless CHAP 42

22 EAP (Extensible Authentication Protocol) RFC 2284 contd LEAP (Lightweight EAP) CISCO vendor-specific authentication that provides mutual authentication and dynamic WEP key generation 4. EAP-TLS (Transport Layer Security) offers full authentication consistent with PKI public/private keys, PKI and digital certificates. RFC 2716 PPP EAP TLS Authentication Protocol 5. TTLS (Tunnelled Transport Layer Security) - requires server, but not client certificate 43 WLAN Security with EAP 44

23 WLAN Security with EAP 7. Negotiation [EAPoL] 10. Secure Connection Established 6. Forwards challenge + EAP Type [EAPoL] 9. RADIUS Server Accepts [RADIUS] 3. Client Identity IEEE 802.1x [EAPoL] 2. Request Identity IEEE 802.1x [EAPoL] 1. Request Connection IEEE 802.1x [EAPoL] 8. Response Forwarded [RADIUS] 5. Challenge + EAP Type [RADIUS] 4. Access Request [RADIUS] Client IEEE b Access Point Ethernet Server 45 AAA (Authentication, Authourisation, Accounting) 46

24 Authentication Principles AAA - Authentication, Authourisation, Accounting RADIUS - Remote Authentication Dial-in User Service RADIUS - originally developed to manage dial-in access to Internet. Now being used to manage access control for other systems including Wireless LANs ( Diameter) Mobile users require access to resources over both fixed and mobile networks (must be transparent to user) 47 Authentication Principles Access control authorizes who is allowed to enter network and which services can/cannot be accessed Managing a single database of users that contains authentication (user name and credentials), as well as access policy and provisioning information, is an effective way to achieve authentication 48

25 AAA - Authentication Principles Authentication Validating a User s Identity Authentication protocols operate between user and AAA server: PAP, CHAP, RADIUS, DIAMETER, IEEE 802.1x, EAP Network Access Server (NAS) acts as relay device 49 AAA - Authourisation Principles Authourisation What is user allowed to do? Controls access to network services & applications Access policy can be applied on a per user, group, global, or location basis Attributes from an access request can be checked for existence or for specific values Other attributes, egg time-of-day or number of active sessions with same username can also be checked Outcome of policy decisions can be sent back to access device as Access Reply attributes 50

26 AAA - Accounting Principles Accounting Collecting Usage Data Data for each session is collected by access device and transmitted to AAA server Usage data may include: User Identities Session Duration Number of Packets, and Number of Bytes Transmitted Accounting data may be used for: Billing Capacity Planning Trend Analysis Security Analysis Auditing 51 AAA Server Architecture Billing & Invoicing Services User Developed Plug-in User Directory Services Central AAA Server RADIUS Protocol Services Policy-Based Management Services Analyzing and Reporting Services 52

27 AAA can offer Distributed Security 53 Example of Authentication using RrK and TKIP Rapid rekeying (RrK) WEP: IEEE Draft Proposal, August Change WEP keys more rapidly that effective key discover attacks can be mounted Support existing hardware and firmware implementations but needs capable software 802.1x client (XP) and 802.1x enabled servers Use IEEE 802.1X protocol, with EAP-TLS and distribute keys securely at authentication or re-association Enable periodic re-keying option of IEEE 802.1X Settable from 1-15 minutes - or activity based Source: Entrasys, May

28 Example of Authentication using RrK and TKIP 802.1x EAP- RrK Access Point Role decoded and Priorities Applied Directory to Role Matching 802.1x EAP login SNMPv3 Radius Authentication LDAP/Directory Profile creation and distribution RADIUS Server TKIP (Temporal Key Integrity Protocol) [=WEP2] Can use 802.1x or a shared resource for key generation Pro: 802.1x is not required Con: Still needs new software on client and access servers RrK and TKIP will probably both be offered as software only solutions late in IEEE 802.1x 56

29 Synopsis: IEEE 802.1x Authentication Defines generic framework for port-based MAC authentication (not user) and key distribution Authenticates before giving access to network Requires PKI certificate on each client Requires central RADIUS server running EAP EAP acts an authenticator (egg Ethernet switch or wireless AP) and authenticates a supplicant (Ethernet or Wireless NIC) by consulting an authentication server such as RADIUS or Kerberos 57 IEEE 802.1x Authentication Synopsis contd: IEEE 802.1x - implemented with different EAP types 1. EAP-MD5 for Ethernet LANs (= CHAP) 2. EAP-TLS for IEEE b WLANs but supplicant and authenticator must be able to handle digital certificates - hence PKI/CA infrastructure required 3. EAP-SRP weaker (password) authentication IEEE 802.1x provides carrier for secure delivery of session keys between supplicant and authenticator (this was omitted by WEP) 58

30 IEEE 802.1x Authentication Products: Operating System: Only Windows XP (and XP Pro) so far Wireless card and AP vendors: Cisco, Agere/Lucent, Enterasys EAP Authentication Server Cost: IAS (Microsoft s RADIUS in W2000), Steel-Belted RADIUS, Interlink, Cisco/LEAP Deployment requires support on all APs and clients More likely to be a corporate solution 59 Recent Developments in WEP WEP2 (TKIP) in process of approval by IEEE 128 bit encryption key 128 bit initialization vector (iv) Backward compatibility with WEP ESN (Enhanced Security Network) in process of being standardized. Includes: WEP, WEP2 and a new encapsulation protocol using AES (128 bit) encryption with OCB mode Dynamic association of key values Uses Kerberos authentication mechanism 60

31 Recent Developments in WEP ESN (Enhanced Security Network) development contd.. Fast handover between APs without necessity to reauthenticate. Security profiles are forwarded between APs by IAPP (Inter-Access Point Protocol) = Equivalency Privacy 61 Security: The Layered Onion 802.1x/EAP Radius Authentication 40/128 bit WEP Encryption VPN Secure Access Virtual Private Networks Ethernet Data i AES RrK/TKIP Access Control 62