Advanced Security Issues in Wireless Networks



Similar documents
Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Wireless security. Any station within range of the RF receives data Two security mechanism

UNIK4250 Security in Distributed Systems University of Oslo Spring Part 7 Wireless Network Security

CS 356 Lecture 29 Wireless Security. Spring 2013

WEP Overview 1/2. and encryption mechanisms Now deprecated. Shared key Open key (the client will authenticate always) Shared key authentication

Chapter 6 CDMA/802.11i

Table of Contents. Cisco Wi Fi Protected Access 2 (WPA 2) Configuration Example

White paper. Testing for Wi-Fi Protected Access (WPA) in WLAN Access Points.

EVOLUTION OF WIRELESS LAN SECURITY ARCHITECTURE TO IEEE i (WPA2)

chap18.wireless Network Security

Symm ym e m t e r t ic i c cr c yptogr ypt aphy a Ex: RC4, AES 2

WLAN Authentication and Data Privacy

Wireless Security for Mobile Computers

Lecture 2 Secure Wireless LAN

WIRELESS NETWORK SECURITY

Wi-Fi Client Device Security & HIPAA Compliance

CS549: Cryptography and Network Security

CSC574: Computer and Network Security

Wireless Security. New Standards for Encryption and Authentication. Ann Geyer

CS 336/536 Computer Network Security. Summer Term Wi-Fi Protected Access (WPA) compiled by Anthony Barnard

The Importance of Wireless Security

Introduction to WiFi Security. Frank Sweetser WPI Network Operations and Security

How To Secure Your Network With 802.1X (Ipo) On A Pc Or Mac Or Macbook Or Ipo On A Microsoft Mac Or Ipow On A Network With A Password Protected By A Keyed Key (Ipow)

Huawei WLAN Authentication and Encryption

Vulnerabilities of Wireless Security protocols (WEP and WPA2)

Chapter 2 Wireless Networking Basics

Security in IEEE WLANs

WiFi Security Assessments

IEEE Wireless LAN Security Overview

9 Simple steps to secure your Wi-Fi Network.

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

WIRELESS SECURITY IN (WI-FI ) NETWORKS

Self Help Guide IMPORTANT! Securing Your Wireless Network. This Guide refers to the following Products: Please read the following carefully; Synopsis:

A Division of Cisco Systems, Inc. GHz g. Wireless-G. USB Network Adapter with RangeBooster. User Guide WIRELESS WUSB54GR. Model No.

Wireless LAN Security Mechanisms

WiFi Security: WEP, WPA, and WPA2

A DISCUSSION OF WIRELESS SECURITY TECHNOLOGIES

Wireless Networks. Welcome to Wireless

A COMPARITIVE ANALYSIS OF WIRELESS SECURITY PROTOCOLS (WEP and WPA2)

ALL Mbits Powerline WLAN N Access Point. User s Manual

COMPARISON OF WIRELESS SECURITY PROTOCOLS (WEP AND WPA2)

Wi-Fi Client Device Security and Compliance with PCI DSS

The next generation of knowledge and expertise Wireless Security Basics

Wireless Technology Seminar

Chapter 2 Configuring Your Wireless Network and Security Settings

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Wireless Networking Basics. NETGEAR, Inc Great America Parkway Santa Clara, CA USA

Certified Wireless Security Professional (CWSP) Course Overview

Wi-Fi Protected Access: Strong, standards-based, interoperable security for today s Wi-Fi networks Wi-Fi Alliance April 29, 2003

WLAN Access Security Technical White Paper. Issue 02. Date HUAWEI TECHNOLOGIES CO., LTD.

Question How do I access the router s web-based setup page? Answer

Wireless Local Area Network Security Obscurity Through Security

Setting up a WiFi Network (WLAN)

The following chart provides the breakdown of exam as to the weight of each section of the exam.

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

WLAN - Good Security Principles. WLAN - Good Security Principles. Example of War Driving in Hong Kong* WLAN - Good Security Principles

Wireless Robust Security Networks: Keeping the Bad Guys Out with i (WPA2)

ClickShare Network Integration

How To Secure Wireless Networks

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Journal of Mobile, Embedded and Distributed Systems, vol. I, no. 1, 2009 ISSN

Vulnerabilities in WEP Christopher Hoffman Cryptography

Chapter 3 Safeguarding Your Network

Wireless Pre-Shared Key Cracking (WPA, WPA2)

WLAN Security. Giwhan Cho Distributed/Mobile Computing System Lab. Chonbuk National University

VIDEO Intypedia012en LESSON 12: WI FI NETWORKS SECURITY. AUTHOR: Raúl Siles. Founder and Security Analyst at Taddong

WIRELESS NETWORKING SECURITY

Network security, TKK, Nov

Authentication in WLAN

A Division of Cisco Systems, Inc. GHz g. Wireless-G. PCI Adapter with RangeBooster. User Guide WIRELESS WMP54GR. Model No.

Methodology: Security plan for wireless networks. By: Stephen Blair Mandeville A. Summary

CCMP known-plain-text attack

Configuring Wireless Security on ProSafe wireless routers (WEP/WPA/Access list)

Hole196 Vulnerability in WPA2

WiFi Security: Deploying WPA/WPA2/802.1X and EAP in the Enterprise

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015

A Division of Cisco Systems, Inc. GHz g. Wireless-G. PCI Adapter. User Guide WIRELESS WMP54G. Model No.

Chapter 2 Wireless Settings and Security

How To Secure A Wireless Network With A Wireless Device (Mb8000)

Optimizing Converged Cisco Networks (ONT)

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

STEP III: Enable the Wireless Network Card. STEP IV: Print out the Printer Settings pages to determine the IP Address

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Implementing Security for Wireless Networks

Recommended Wireless Local Area Network Architecture

A Division of Cisco Systems, Inc. Wireless A/G. USB Network Adapter. User Guide WIRELESS WUSB54AG. Model No.

Lecture 3. WPA and i

802.1X AUTHENTICATION IN ACKSYS BRIDGES AND ACCESS POINTS

Chapter 10: Designing and Implementing Security for Wireless LANs Overview

Transcription:

Advanced Security Issues in Wireless Networks Seminar aus Netzwerke und Sicherheit Security Considerations in Interconnected Networks Alexander Krenhuber Andreas Niederschick 9. Januar 2009 Advanced Security Issues in Wireless Networks 1

1 WEP 2 WPA 3 Hacking WPA 4 Enterprise Mode 5 Rogue Access Points 6 End Advanced Security Issues in Wireless Networks 2

Short Overview of WEP Wired Equivalent Privacy (WEP) Uses RC4 stream cypher Pseudo Random Number Generator (PRNG) gets Key and Initialisation Vector (IV) as input Key Scheduling Algorithm (KSA) generates a keystream Every station in the Basic Service Set knows the key New IV for every message An integrity check value is concatenated to every message The message is XORed with the Keystream (permuation of numbers 0-255) Advanced Security Issues in Wireless Networks 3

WEP Encryption Advanced Security Issues in Wireless Networks 4

Attacks on WEP Early attack from Fluhrer, Shamir, Mantin FSM-Attack Encryption methodology is commonly known The first few bytes of a packet are easy to predict (e.g. TCP-Header) IV is transmitted unencrypted and therefore known as well KSA can be simulated for these known bytes Advanced Security Issues in Wireless Networks 5

Attacks on WEP If a few conditions hold, the next byte can be guessed (probability: 5%) 4.000.000 to 6.000.000 needed packets to recover the key at a 50% chance. Better attacks use more condititions KoreK attack needs about 70.000 packets PTW attack needs about 35.000 to 40.000 packets Key can be recovered in less than 1 minute Advanced Security Issues in Wireless Networks 6

Short Overview of WPA Wi-Fi Protected Access (WPA) New Security Standard IEEE 802.11i was delayed Wi-Fi Alliance originally named WECA (Wireless Ethernet Compatibility Alliance) approved on 31. Oktober 2002 WPA as subset of IEEE 802.11i Certified April 2003 Goals of WPA: Downwards compatibility (RC4 stream cipher) Dynamic keys through Temporal Key Integrity Protocol (TKIP) Data integrity by using a Message Integrity Check (MIC) Authentication via Pre-Shared Keys (PSK) or Extensible Authentication Protocol (EAP) Advanced Security Issues in Wireless Networks 7

Key Types Pre-Shared Key (PSK): 8-63 printable ASCII Zeichen (95 verschiedene) Pairwise Master Key (PMK): PMK = PBKDF2(PSK, SSID, SSID_Len, 4096, 256) Pairwise Transient Key (PTK): PTK = sha1_prf(pmk, PKM_Len, Pairwise key expansion, data, sizeof(data)) Key Confirmation Key (KCK): bind PMK to AP and client Key Encryption Key (KEK): encryption of group keys Session Key: key that encrypts the actual data Michael Key: encryption of the Message Integrity Check (MIC) Advanced Security Issues in Wireless Networks 8

Authentication mechanism - PSK aus Verbesserte WLAN Sicherheit mit WPA, EAP und 802.11i von Maximilian Riegel Advanced Security Issues in Wireless Networks 9

Weakness 1 Generate PMK: PMK = PBKDF2(PSK, SSID, SSID_Len, 4096, 256) 2 Generate PTK: PTK = sha1_prf(pmk, PKM_Len, Pairwise key expansion, data, sizeof(data)) where data is composed of: LowerMac, HigherMac, LowerNonce, HigherNonce MAC of client and AP (packet 3) AP nonce (packet 3) Client nonce (packet 2) 3 Generate the MIC: TKIP: MIC = hmac_md5(key, 16, data); AES: MIC = hmac_sha1(key, 16, data); 4 Compare computed MIC with captured MIC from packet 4 Advanced Security Issues in Wireless Networks 10

Brute Force Generating the MIC value is an exhaustive computing process Brute force attack are realy time consuming Only a dictionary attack make sense Around 100 keys/s Rainbow Tables: First described in 1980 by Martin Hellman Use precalculated data stored in memory to reduce time consuming crypto process Once generated a lookup is very performant Already effective used against MD5, LM, NTLM Hashes But WPA uses the SSID as salt, therefor for every existing SSID a rainbow table must be generated Fortunately many equal SSIDs http://www.wigle.net/gps/gps/main/ssidstats Around 20.000 keys/s Advanced Security Issues in Wireless Networks 11

Distributed Cracking Published in October 2008 by Russian security company Elcomsoft Password cracking suite called Distributed Password Recovery - use the power of Cuda enabled NVIDIA GFX Cards - up to 10.000 computing nodes with 64 cores / 4 GPUs A month before a similar program was posted in the Nvidia Cuda forum Pyrit - http://code.google.com/p/pyrit/ Around 2000 lines of code Both programs offer similar performance GeForce 8800GTS up to 7500Keys/s GeForce GTX 280 up to 11500Keys/s Advanced Security Issues in Wireless Networks 12

Distributed Cracking Using one 8800GTS Numeric Alpha Alpha Numeric Alpha Numeric Printable days (10) (26) single (36) case (62) ASCII (96) 8 0.077 161 2176 168472 5566277 9 0.77 4189 2144989 - - Using 10.000 8800GTS Numeric Alpha Alpha Numeric Alpha Numeric Printable days (10) (26) single (36) case (62) ASCII (96) 8 0 0.02 0.2 17 556 9 0 0.42 7.8 1044 53436 10 0 11 282 64760 5129881 11 0.007 283 10156 4015166 - Very popular 16 numeric symbols computing time is around 2 years 14+ Alpha Numeric case sense symbols can be considered as safe for a while Advanced Security Issues in Wireless Networks 13

Key Exporting Brute force can be really time consuming Why not export the PSK from a connected client Easy target and much less effort to hack - Buffer Overflows - Spyware - Trojan - Rainbow tables :) Key is stored in known places: Vista: C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces XP: HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces 2000: HKLM\SYSTEM\CurContSet\Control\Class\Adapter_ID_Number Linux: in some wpa_supplicant config file Advanced Security Issues in Wireless Networks 14

WPA Enterprise All WPA features but... Central Authentication management EAP General protocol for host or user identification Only defines message formats In 802.1X the encapsulation is called EAPOL, EAP over LANs Different types: EAP-TLS EAP-TTLS/MSCHAPv2 PEAP... Authentication Authenticator: by Certificate Supplicant: by Certificate (EAP-TLS) by Username and Password (EAP-TTLS, PEAP) Advanced Security Issues in Wireless Networks 15

Authentication mechanism - Enterprise aus Verbesserte WLAN Sicherheit mit WPA, EAP und 802.11i von Maximilian Riegel Advanced Security Issues in Wireless Networks 16

Other Attacks Man in the Middle chopchop on WPA TKIP Denial of Service Domain Login Cracking 802.1X EAP Replay 802.1X RADIUS Replay 802.1X LEAP Cracking Advanced Security Issues in Wireless Networks 17

Rogue Access Points Hardware is getting cheaper APs are easy to operate Therefore the chance of illegal access to wireless networks increases Rogue Access Points (RAPs) have to be kept in mind Advanced Security Issues in Wireless Networks 18

Categories of RAP Open APs Officially used APs which are poorly configured and therefore might be exploited by attackers Backdoor APs Installed by an employee or an attacker Can be very harmfull because backdoor APs are connected to the wired network of an organisation Advanced Security Issues in Wireless Networks 19

Categories of RAP Fake APs Installed by an attacker Can be used to retrieve data like passwords or set up a man-in-the-middle attack Can be located inside or outside an organisation Fake APs often use the same security configurations like official APs to complicate detection Advanced Security Issues in Wireless Networks 20

Detecting RAP Staff equiped with an antenna and software like Netstumbler walks through an organisation Takes much time and RAPs can be deactivated while the scanning takes place Placing sensors in the organisations area Can be administered from a central point Both methods need hardware to listen on different frequencies due to the possible usage of different standards Advanced Security Issues in Wireless Networks 21

Detecting RAP Querie Routers and Switches for allowed MAC-adresses Only known computers are allowed to communicate MAC-adresses can be spoofed easily Differences of temporal traffic characteristics Assumption: wired and wireless communication has divergent spreading of packets Therefore wireless APs can be detected in wired networks Advanced Security Issues in Wireless Networks 22

Performance Influence How do secure methods influence data transmission performance? Test setup: - Lenovo T61 as Client - Linksys WRT54GS running OpenWRT as AP - Intel 4965AGN, Nec Aterm WL54AG, Netgear WG511 - Distance: 5 meters including one brick wall - Performance measured using iperf with 100MBit/s Ethernet client Intel 4965AGN Nec WL54AG Netgear WG511 Open 27206 21004 21213 WEP 128Bit 25093 20617 20178 WPA TKIP 22975 18209 19532 WPA AES 26886 20442 21293 WPA2 AES 26623 na na Advanced Security Issues in Wireless Networks 23

Tips Do use WPA/ WPA2 AES If possible do use Enterprise Mode If PSK is your choice do use random 63 character passwords Passwords should not be derived from a known word Sentences might seem safe because of their length, but are likely to be weak Secure your clients and APs Advanced Security Issues in Wireless Networks 24

Q & A Advanced Security Issues in Wireless Networks 25

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information