CS 336/536 Computer Network Security. Summer Term 2010. Wi-Fi Protected Access (WPA) compiled by Anthony Barnard




Wi-Fi Protected Access (WPA)

These notes, intended to follow the previous handout IEEE 802.11 Wired Equivalent Privacy (WEP), are a composite of section 6.2 of Network Security Essentials by William Stallings, 4th edition, and some material from Real 802.11 Security by Edney and Arbaugh and from 802.11 Wireless Networks by Matthew Gast.

Stallings begins section 6.2 by stating the reasons why wireless LANs are more vulnerable to attackers than are wired LANs. Radio waves do not usually respect walls, so passive eavesdropping by an external attacker (even listening while outside the building in the parking lot) is an obvious threat; more active threats have also been extensively described in the previous handout.

The original (1999) IEEE 802.11 specification, included in the previous handout, described the security system called Wired Equivalent Privacy (WEP) that you will see in lab session #4. However, as we have seen, WEP was soon shown to be very vulnerable. Unfortunately, by the time that the vulnerability was detected, large numbers of WiFi LANs had been implemented by people who believed that their networks were protected by WEP. Some form of rescue had to be undertaken.

IEEE established Task Group i that included acknowledged security experts, such as Ron Rivest, who had been absent from the group that developed the 1999 standard. The limitation on the rescue was that legacy equipment, particularly the Access Points, had to be retained. This imposed three constraints on the rescue:

- software/firmware upgrades only - no chip replacement
- a typical AP of the time had only a few spare cycles available
- the RC4 encryption/decryption algorithm was embedded in a special purpose chip, so could not be changed.

These constraints presented a formidable challenge to upgrading the security of wireless LANs.

However, Task Group i quickly came up with WiFi Protected Access (WPA) as an interim measure towards the ultimate IEEE 802.11i, known as the Robust Security Network (RSN). WPA is available only for infrastructure networks. This was followed in 2004 by finalization of the RSN standard, which became known as WPA2, available in both infrastructure and ad-hoc networks.

The full standard is complex, involving an authentication server (AS) implementing IEEE 802.1X and therefore appropriate only to an Enterprise environment (corporate, with significant security requirements). In a less critical situation, usually referred to as Small Office/Home Office (SOHO) mode, WPA is probably adequate and we shall therefore content ourselves with studying this.

[contact with Stallings section 6.2 will be shown thus: {Stallings page xxx} ]

IEEE 802.11i Services {Stallings page 183}

- Authentication - mutual, of STA and AP
- Access control to admit only properly authenticated clients
- Privacy (confidentiality) and integrity of data messages

IEEE 802.11i Phases of Operation {Stallings page 184}

This security applies only to traffic within a BSS, that is, between a STA and its AP; it does not extend outside the BSS. There are five phases in 802.11i:

Phase 1 - Discovery. STA finds AP and associates (covered in CS x34). STA and AP agree on algorithms and methods to be used.

Phase 2 - Authentication. STA and AP prove their identities to each other. In enterprise mode the Authentication Server is intimately involved here, but in SOHO mode it is effectively by-passed and we will not consider AS further.

Phase 3 - Key generation and distribution.

Phase 4 - Actual user data transfer.

Phase 5 - Connection termination when transfer complete.

Now let's look in more detail at the five phases.

Phase 1 - Discovery Phase {Stallings page 186}

The purpose of this phase is for STA and AP to establish (unsecure) contact and negotiate a set of security algorithms to be used in subsequent phases. STA and AP need to decide on:

- The authentication method to be used in phase 3 to perform mutual authentication of STA and AP and generate/distribute keys. We shall omit IEEE 802.1X and use the simplest method, pre-shared key (PSK), in which the 256-bit key is provided to STA and AP in advance by some secure external method, usually manual.
- Confidentiality and integrity algorithms to protect user data in phase 4. We shall focus on using TKIP for this purpose.

As covered in CS 334/534 and the previous handout, the discovery phase uses three exchanges:

- Probe request/response (or observation of a beacon frame). APs advertise their capabilities (WEP, WPA, etc.) in Information Elements in their beacon frames and in their probe responses.
- Authentication request/response (Open System, for backward compatibility).
- Association request/response - agreement on methods to be used. The STA's request, chosen from the menu offered by the AP, is contained in an information element in the STA's association request.

Discovery Phase is shown in the upper half of figure 6.6:

[Figure 6.6]

Phase 2 - Authentication Phase {Stallings page 188}

Since we're studying SOHO mode, not enterprise mode {Omit Stallings pages 188-190}, this phase is trivial. STA and AP are pre-loaded with the 256-bit pre-shared key (PSK). In this case the phase 2 exchange shown in the lower half of fig 6.6 is bypassed. The lower half of Stallings page 188, all of page 189, and the top half of page 190 can be omitted, since they delve into the full-blown IEEE 802.1X enterprise-mode authentication.

The PSK can be supplied either as the actual 256 bits or as a passphrase (such as barnardjonesskjellum as used in ciswifi) that is expanded to the required length by a standard algorithm. In principle the PSK can be different for each STA-AP pair, but in practice most vendors use the same PSK for all STA.

The idea is that the STA and AP are mutually authenticated if they can demonstrate to each other in the following phase that they each know the PSK.

Phase 3 - Key Generation and Distribution Phase {Stallings pages 190-194}

The top of the key hierarchy is the Pairwise Master Key (PMK). In Enterprise mode the PMK is obtained during an exchange with the Authentication Server, but in SOHO mode the PMK is derived directly from the PSK, which had previously been shared between STA and AP.

Key generation must be completed before we can move on to phase 4 and transmit user data.

As illustrated in the following figure, in SOHO mode the PSK immediately becomes the pairwise master key (PMK), that is, both AP and STA automatically have a copy of their shared PMK (page 192). However, since this will usually be the same for all stations, "pairwise" is a misnomer. As we shall see, the operational keys are derived from this common source plus other input to make them unique to each STA-AP pair.

[Figure 6.8]

The PMK will not be used directly in any cryptographic operation, but will be used to generate the set of operational keys, known as the pairwise transient key (PTK). This consists of two keys to be used between STA and AP in this phase (phase 3) and a two-component (integrity and encryption) key for the next phase (phase 4).

The three parts to the PTK are: {Stallings page 193}

- EAP over LAN (EAPOL) Key Confirmation Key (EAPOL-KCK). EAP is the Extensible Authentication Protocol, here used over a LAN, hence EAPOL. The confirmation key is what we've called the message integrity key. It is used to protect the integrity of the messages in phase 3 (below).
- EAPOL Key Encryption Key (EAPOL-KEK). This will be used to protect the confidentiality of the keys during the phase 3 exchanges.
- Temporal Keys (TK). The word "temporal" is used because the keys have a limited (temporary) lifetime, being regenerated every time the STA associates with the AP. The two halves of this will be used to protect integrity and confidentiality of the subsequent user traffic (phase 4).

We shall omit group keys (two sections on page 193 and the lower part of fig 6.9).

Computing the Pairwise Transient Key

This section outlines the computation of the 512-bit PTK from the 256-bit PMK.

The first objective is to make the PTK different for each station/AP pair, and this is accomplished by mixing in the MAC addresses of the two participants. These are readily available from the 802.11 frame headers.

The PTK is re-computed every time a station authenticates with an AP. The second objective is to avoid re-using an old PTK, and since neither the PMK nor the MAC addresses will change, there must be some further dynamic input to the PTK.

Four-Way Handshake

This further dynamic input is generated during the four-way handshake, which will now be described. The four-way handshake is described on Stallings page 193 and shown in the upper part of figure 6.9, which is the continuation of figure 6.6.

In our case (SOHO) we enter the 4-way handshake with the STA having already sent (in phase 1, association request) a request to the AP (referred to in the standard as the authenticator (A)), asking for activation of WPA/TKIP.

[Figure 6.9 (upper)]

Before the four-way handshake begins the STA, referred to as the supplicant (S), has randomly chosen a nonce (Nonce1).

Message 1: A to S: a nonce chosen by the authenticator (Nonce2).

The supplicant S chooses a nonce (Nonce1) and receipt of Nonce2 gives S the last piece of information it needs to compute the 512-bit PTK, as shown in this figure:

[Figure: Computation of PTK from PMK]

The Pseudo-Random Generator (PRG) is based on HMAC-SHA-1; look back at Thomas figure 4-37 (SSL) to get the flavor of repeated hashing until you have enough keying material.

Note on terminology: some authors (including Stallings) use Temporal Key to refer to the entire 256 bits, others use the term to apply only to the 128 bits used in phase 4 to protect data confidentiality.

Message 2: S to A: Nonce1, together with a message integrity code (MIC).

Nonce1 gives the authenticator the last piece of information it needs to compute the PTK, so key exchange is complete. This enables the authenticator to check the validity of the MIC. If correct, this proves that the supplicant possesses the PMK and thereby authenticates the supplicant.

As you see, in the four-way handshake each side has chosen a nonce, and both nonces have been mixed into the computation of the PTK.

Message 3: A to S: message "A able to turn on encryption". This message includes the MIC, so S can check that A knows the PMK.

Message 4: S to A: message "S about to turn on encryption".

After sending message 4, S activates encryption; on receipt of frame 4, A activates encryption. Key generation and activation is complete.
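
The key hierarchy described in phases 2 and 3 (passphrase to PSK/PMK, PMK plus MAC addresses and nonces to PTK, MIC check in message 2) can be traced in code. This is an added example, not code from the handout or from Stallings; it uses the 802.11i derivation (PBKDF2-HMAC-SHA1 salted with the SSID, then the HMAC-SHA-1 PRF), and the MAC addresses, nonces and message body are constructed sample values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """SOHO mode: expand the passphrase to the 256-bit PSK, which becomes the PMK.
    802.11i uses PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: repeated HMAC-SHA-1 over a one-byte counter until
    enough keying material has been produced."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               nonce2_ap: bytes, nonce1_sta: bytes) -> dict:
    """512-bit PTK. Addresses and nonces are sorted so that both ends feed
    the PRF the same input. Only the PMK is secret; the other four inputs
    are carried in the handshake frames."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(nonce2_ap, nonce1_sta) + max(nonce2_ap, nonce1_sta))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

def handshake_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over a handshake message; WPA/TKIP key descriptors use HMAC-MD5."""
    return hmac.new(kck, frame, hashlib.md5).digest()

# Constructed sample values (not from the handout). Real nonces are random.
SSID = "IEEE"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
NONCE2_AP = bytes(range(32))        # chosen by the authenticator
NONCE1_STA = bytes(range(32, 64))   # chosen by the supplicant
MSG2 = b"constructed stand-in for the message 2 body"

def authenticator_accepts(ap_passphrase: str, sta_passphrase: str) -> bool:
    """Message 2 check: each side derives the PTK from its own copy of the
    PSK, and the authenticator verifies the supplicant's MIC."""
    sta_ptk = derive_ptk(pmk_from_passphrase(sta_passphrase, SSID),
                         AP_MAC, STA_MAC, NONCE2_AP, NONCE1_STA)
    mic = handshake_mic(sta_ptk["KCK"], MSG2)
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_passphrase, SSID),
                        AP_MAC, STA_MAC, NONCE2_AP, NONCE1_STA)
    return hmac.compare_digest(mic, handshake_mic(ap_ptk["KCK"], MSG2))

if __name__ == "__main__":
    print("matching passphrases:", authenticator_accepts("password", "password"))
    print("mismatched passphrases:", authenticator_accepts("password", "passw0rd"))
```
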

Phase 4 - Protected Data Transfer Phase {Stallings pages 194-195}

We have chosen to study the Temporal Key Integrity Protocol (TKIP), which was designed to require only software/firmware changes to devices designed to run the original security protocol WEP {Omit CCMP - Stallings page 195}.

Relative to 802.11/WEP, TKIP's new features are:

Message integrity

The usual Ethernet CRC having been shown to be inadequate to defeat forgeries, it was necessary for TKIP to introduce a cryptographic message integrity code (MIC) (Stallings chapter 3), to replace the inner CRC after the data field in the 802.11 MAC frame. Since APs of the early 2000s were not sufficiently powerful to run HMAC, a new, simpler, algorithm called Michael was invented. The input to Michael is a 64-bit slice of the Temporal Key (a different slice in the two directions), plus the STA and AP MAC addresses, plus (of course) the data to be protected.

Data Confidentiality

The data in the frame, plus the MIC, are encrypted with RC4 using half (128 bits) of the Temporal Key, truncated to 104 bits.

Additional protection is provided by:

- A new IV sequencing discipline, to remove replay attacks from the attacker's arsenal; the IV is expanded to 48 bits and is incremented monotonically (recall that in WEP there was no official requirement to increment the IV, so attackers could simply replay a previous frame).
- A per-packet key mixing function. The first design goal is to produce the final data-encryption key (the input seed to the RC4 PRG) that is different for the two directions of transmission (to and from the AP). The second design goal is to prevent generation of the weak keys identified by Fluhrer (see previous handout) and also produce an RC4 seed that is different for each successive packet. This key mixing process is shown in the figure opposite.

Phase 1 combines the 802 MAC address of the packet transmitter (AP or STA), the high-order 32 bits of the expanded IV, and the temporal key (TK for encryption, from phase 3) by XORing each of their bytes to index into a substitution table ("S-box"), to produce an 80-bit intermediate key. Since both the 64-bit temporal key and the transmitter MAC address are different in the two directions, the intermediate keys are very unpredictable, satisfying the first design goal. The Phase 1 intermediate key needs to be re-computed only when the low-order 16 bits of the IV wrap around, or when the temporal key is updated, so most implementations cache the Phase 1 result as a performance optimization.

Phase 2 copies the low-order 16 bits of the IV into the high-order 24 bits of the RC4 seed, the 8 most significant bits of the counter into both the first and second bytes of the field, and the least significant counter bits to the third byte of the field. Phase 2 then masks off the most significant bit of the second byte to prevent the key concatenation from producing one of the known RC4 weak keys (Fluhrer attack, which required the second byte of the WEP IV to be 0xFF). The 16 low-order IV bits are also input, along with the intermediate key, into phase 2 key mixing, which produces the 104 bits needed to complete the 128-bit RC4 seed.

An important point is that an encryption engine (the chip that implements RC4) that ran WEP does not need to be changed in any way to run WPA, since it still gets 128 bits as its input key. This satisfies the goal of preserving legacy equipment.
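
The IV sequencing discipline and the first three bytes of the RC4 seed can be checked directly. This is an added example, not code from the handout; the Receiver class and its phase1_runs counter are hypothetical stand-ins (the S-box mixing itself is not reproduced), and the `| 0x20` step comes from the 802.11i standard rather than from the text above.

```python
def split_iv(iv48: int) -> tuple:
    """Split the 48-bit expanded IV into (high-order 32 bits, low-order 16 bits)."""
    if not 0 <= iv48 < 1 << 48:
        raise ValueError("the expanded IV is 48 bits")
    return iv48 >> 16, iv48 & 0xFFFF

def rc4_seed_prefix(iv48: int) -> bytes:
    """First three bytes (24 bits) of the 128-bit RC4 seed, built from the
    low-order 16 bits of the IV as phase 2 does."""
    _, low16 = split_iv(iv48)
    hi, lo = low16 >> 8, low16 & 0xFF
    # Second byte repeats the high byte with its top bit masked off; the
    # standard also forces bit 5 on before masking.
    return bytes([hi, (hi | 0x20) & 0x7F, lo])

def hits_weak_form(prefix: bytes) -> bool:
    """Weak-IV form named in the text: second byte equal to 0xFF."""
    return prefix[1] == 0xFF

def weak_prefix_count() -> int:
    """Count seed prefixes of the weak form over every 16-bit counter value."""
    return sum(hits_weak_form(rc4_seed_prefix(iv)) for iv in range(1 << 16))

class Receiver:
    """Hypothetical receiver: rejects any frame whose IV does not increase,
    and notes when the cached phase 1 result would have to be recomputed."""

    def __init__(self):
        self.last_iv = -1
        self.cached_high32 = None
        self.phase1_runs = 0   # stand-in for the real S-box mixing

    def accept(self, iv48: int) -> bool:
        high32, _ = split_iv(iv48)
        if iv48 <= self.last_iv:
            return False                # replayed or stale frame
        if high32 != self.cached_high32:
            self.cached_high32 = high32  # low 16 bits wrapped (or first frame)
            self.phase1_runs += 1
        self.last_iv = iv48
        return True

def demo():
    """Constructed IV sequence: two frames, a replay, then a 16-bit wrap."""
    rx = Receiver()
    verdicts = [rx.accept(iv) for iv in (0xFFFE, 0xFFFF, 0xFFFE, 0x10000, 0x10001)]
    return verdicts, rx.phase1_runs

if __name__ == "__main__":
    print("weak prefixes:", weak_prefix_count())
    print("verdicts, phase 1 runs:", demo())
```
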

You can see that WPA has introduced substantial additional sophistication to WEP. The WPA operational keys are forced to be:

- different for each STA-AP pair (by mixing in the two MAC addresses),
- different each time a particular STA associates with a particular AP (by choosing the two different random nonces),
- different for each direction of travel (to or from the AP), and
- different for each packet in a flow (by mixing in the monotonically-increasing IV).

The hackers will have a much harder time than with WEP!

However:

Weakness in Passphrase Choice in WPA Interface
By Robert Moskowitz (Paper dated November 04, 2003)

The Known-PSK attack by Stations within the ESS

The normal practice is to have a single PSK/PMK for all stations and APs within an ESS. Therefore, to generate the PTK used by any station/AP pair, a station within the ESS that wishes to spy on its brothers needs to learn only the two MAC addresses and nonces. All of this is available in the initial exchange of messages (the 4-Way Handshake). Any device can passively listen for these frames for a STA-AP pair and then generate the PTK for that pair. Thus even though each unicast station/AP pairing in the ESS has unique keys (PTK) there is nothing private about these keys to any other device in the ESS, since they all have the same PMK.