Wireless Robust Security Networks: Keeping the Bad Guys Out with 802.11i (WPA2)

Wireless Robust Security Networks: Keeping the Bad Guys Out with 802.11i (WPA2) SUNY Technology Conference June 21, 2011 Bill Kramp FLCC Network Administrator Copyright 2011 William D. Kramp All Rights Reserved

What is a robust security network (RSN)? What is involved in deploying WPA2? What are the support issues with WPA2? Wireless Security Questions

Enforce authorized access to network Protect against downgrade attacks Data protection Confidentiality Data integrity Data origin authentication Replay protection Hardjono & Dondeti (2005) RSN (802.11i) Security Goals

Basic Wireless Terms Description of EAP and EAP-Methods 802.1x 802.11 Phases Deploying WPA2 Support issues Best practices for deployment Agenda

WEP - Wired Encryption Protocol WPA - WiFi Protected Access WPA2 - WiFi Protected Access 2 TKIP - Temporal Key Integrity Protocol AES - Advanced Encryption Standard CCMP - Counter Mode with Cipher Block Chaining MAC Protocol EAP EAPOL EAP-Methods Terms

Remote Authentication Dial In User Service Developed for MODEM pools back in the day. RADIUS

Extensible Authentication Protocol (EAP) A Point to Point Protocol (PPP) RFC 2284 added authentication to PPP EAP

Must be supported by Radius server 40+ methods available TLS MS-CHAPv2 PEAP LEAP FAST SIM 802.11i requires mutual authentication EAP-Methods

Developed by IEEE EAP over LAN (EAPOL) Allowed EAP and Radius to be used Point-to-Point communication only Encapsulates EAP packets for 802.1 802.1x protocol

Blocks all inbound and outbound traffic until after authentication is passed Exceptions to rule: Outbound to wireless device: Wake-on-LAN magic packets Inbound from wireless device: EAPOL packet type 4 SNMP notification (Encapsulated ASF Alert) Uses IEEE 802.1D to accomplish this Network aspects of 802.1x

RSN Phases

Robust Security Network (802.11i) Phases: 1. Discovery 2. Authentication 3. Key Generation and Distribution 4. Protected Data Transfer 5. Connection Termination Authentication and Association

AP Beacons AP Probe Responses Beacon and Probe Responses provide: Cipher suites: WEP TKIP CCMP (AES) Authentication mechanisms: 802.1x Phase 1 - Discovery

STA (laptop) and AS (Authentication Server) prove identities using EAP. AP blocks network traffic (802.1x) AP forwards traffic between STA and AS Master Session Key (MSK) established MSK key used to generate subsequent keys Phase 2: Authentication

Cryptographic keys generated Keys placed on STA and AP Frames exchanged only between AP and STA Phase 3: Key Generation and Distribution

Frames with encapsulated traffic between STA and AP Only frame traffic encrypted Traffic forwarded between AP and wired network Wired traffic not encrypted Phase 4: Protected Data Transfer

Secure connection torn down 802.1x port blocking enabled Phase 5: Connection Termination

RSN Phases of Operation

Easiest: itouch, ipad, iphone Moderate effort: Microsoft, especially Vista A lot of people don t update OS Most difficult: Apple Laptops Impossible: Windows 95 laptops Difficulty Deploying WPA2 Enterprise by Platform/OS

Deploying WPA2 With Machine Authentication

Wireless device must have been joined to the Windows domain over physical network first. Keys for Radius certificates installed on wireless devices. Configuring WPA2 Step 1

SSID has been added. Select Connect automatically when network is in range. Click the Security tab Configuring WPA2 Step 2

Set security type to WPA2-Enterprise Set encryption type to AES Select network authentication based on your authentication server Click Settings button Remember my credentials is dependent on policies. Configuring WPA2 Step 3

Select Validate server certificate Connect to these servers should be checked, and the radius servers listed. Select only the Trusted Root Cert Authorities needed. Select Do not prompt user to authorize new servers. Select inner Auth Method Click Configure button Configuring WPA2 Step 4

Select to use the Windows domain credentials. Click OK Then click OK for the Protected EAP Properties window. Configuring WPA2 Step 5

Click the Advanced settings button Configuring WPA2 Step 6

Select Specify authentication mode Select proper mode Click OK buttons Configuring WPA2 Step 7

Device should first join to the domain with Machine credentials, then use the Windows domain credentials to authenticate. WPA2 Machine Authentication

Possible causes: No DHCP address: Out of leases DHCP forwarding failure User exceeded failed logins attempts Radius Failure: Server spacing out Bad radius shared key AD problem Machine Auth password expired Curse of Domain Not Found With WPA2 Machine Authentication

Update Operating System Latest wireless drivers: Windows, Linux, OS X Use Windows to manage wireless adapter Place wireless network at top of stack Use good passwords Notify users about change in advance Make people available to help convert Best Practices Deploying WPA2 Enterprise

Vulnerability found on the last line of page 196 for the IEEE 802.11 (2007) Standard AES not compromised Wireless device has to be authenticated Uses shared Group Temporal Key (GTK) GTK intended for use by AP only ARP spoofing for MITM could occur WPA2 Hole 196 Vulnerability

Removing IT Staff cred s from user laptops 1. Click Start, and then click Run. 2. In the Open box, type regedit, and then click OK. 3. Locate and then click the following registry key: HKEY_CURRENT_USER\Software\Mi crosoft\eapol\usereapinfo 4. On the Edit menu, click Delete. Clearing Cached Credentials

Beaver, K., Davis, P.T., (2005). Hacking Wireless Networks for Dummies. Wiley Publishing, Inc.: Hoboken, NJ. Hardjono, T., Dondeti, L.R. (2005). Security in Wireless LANs and MANs. Artech House, Inc: Norwood, MA. Resources