CS 356 Lecture 29 Wireless Security. Spring 2013




Review
- Chapter 1: Basic Concepts and Terminology
- Chapter 2: Basic Cryptographic Tools
- Chapter 3: User Authentication
- Chapter 4: Access Control Lists
- Chapter 5: Database Security (skipped)
- Chapter 6: Malicious Software
- Networking Basics (not in book)
- Chapter 7: Denial of Service
- Chapter 8: Intrusion Detection
- Chapter 9: Firewalls and Intrusion Prevention
- Chapter 10: Buffer Overflow
- Chapter 11: Software Security
- Chapter 12: OS Security
- Chapter 22: Internet Security Protocols
- Chapter 23: Internet Authentication Applications
- Chapter 24: Wireless Security

Chapter 24 Wireless Network Security

Wireless Security Overview
- concerns for wireless security are similar to those found in a wired environment
- security requirements are the same: confidentiality, integrity, availability, authenticity, accountability
- most significant source of risk is the underlying communications medium

Wireless Networking Components
Figure 24.1 Wireless Networking Components (elements shown: endpoint, access point)

Wireless Network Threats
- accidental association
- malicious association
- ad hoc networks
- nontraditional networks
- identity theft (MAC spoofing)
- man-in-the-middle attacks
- denial of service (DoS)
- network injection

Securing Wireless Transmissions
- principal threats are eavesdropping, altering or inserting messages, and disruption
- countermeasures for eavesdropping:
  - signal-hiding techniques
  - encryption
- the use of encryption and authentication protocols is the standard method of countering attempts to alter or insert transmissions

Securing Wireless Networks
- the main threat involving wireless access points is unauthorized access to the network
- principal approach for preventing such access is the IEEE 802.1X standard for port-based network access control
  - the standard provides an authentication mechanism for devices wishing to attach to a LAN or wireless network
- use of 802.1X can prevent rogue access points and other unauthorized devices from becoming insecure backdoors

Wireless Network Security Techniques
- use encryption
- allow only specific computers to access your wireless network
- use anti-virus and anti-spyware software and a firewall
- change your router's pre-set password for administration
- turn off identifier broadcasting
- change the identifier on your router from the default

IEEE 802.11 Terminology

Wireless Fidelity (Wi-Fi) Alliance
- 802.11b
  - first 802.11 standard to gain broad industry acceptance
- Wireless Ethernet Compatibility Alliance (WECA)
  - industry consortium formed in 1999 to address the concern of products from different vendors successfully interoperating
  - later renamed the Wi-Fi Alliance
- term used for certified 802.11b products is Wi-Fi
  - has been extended to 802.11g products
- Wi-Fi Protected Access (WPA)
  - Wi-Fi Alliance certification procedures for IEEE 802.11 security standards
  - WPA2 incorporates all of the features of the IEEE 802.11i WLAN security specification

IEEE 802 Protocol Architecture
Figure 24.2 IEEE 802.11 Protocol Stack
- Logical Link Control
  - general IEEE 802 functions: flow control, error control
- Medium Access Control
  - general IEEE 802 functions: assemble data into frame, addressing, error detection, medium access
  - specific IEEE 802.11 functions: reliable data delivery, wireless access control protocols
- Physical
  - general IEEE 802 functions: encoding/decoding of signals, bit transmission/reception, transmission medium
  - specific IEEE 802.11 functions: frequency band definition, wireless signal encoding

General IEEE 802 MPDU Format
Figure 24.3 General IEEE 802 MPDU Format
- MAC header: MAC Control | Destination MAC Address | Source MAC Address
- MAC Service Data Unit (MSDU)
- MAC trailer: CRC

IEEE 802.11 Extended Service Set
Figure 24.4 IEEE 802.11 Extended Service Set (elements shown: a distribution system, two basic service sets (BSS) with access points AP 1 and AP 2, and stations STA 1 to STA 4 and STA 6 to STA 8)

IEEE 802.11 Services

Distribution of Messages Within a DS
- the two services involved with the distribution of messages within a DS are:
  - distribution
  - integration
- distribution: the primary service used by stations to exchange MPDUs when the MPDUs must traverse the DS to get from a station in one BSS to a station in another BSS
- integration: service enables transfer of data between a station on an IEEE 802.11 LAN and a station on an integrated IEEE 802.x LAN

Association-Related Services
- transition types, based on mobility:
  - no transition: a station of this type is either stationary or moves only within the direct communication range of the communicating stations of a single BSS
  - BSS transition: station movement from one BSS to another BSS within the same ESS; delivery of data to the station requires that the addressing capability be able to recognize the new location of the station
  - ESS transition: station movement from a BSS in one ESS to a BSS within another ESS; maintenance of upper-layer connections supported by 802.11 cannot be guaranteed

Services
- association: establishes an initial association between a station and an AP
- reassociation: enables an established association to be transferred from one AP to another, allowing a mobile station to move from one BSS to another
- disassociation: a notification from either a station or an AP that an existing association is terminated

Wireless LAN Security
- Wired Equivalent Privacy (WEP) algorithm
  - 802.11 privacy
- Wi-Fi Protected Access (WPA)
  - set of security mechanisms that eliminates most 802.11 security issues and was based on the current state of the 802.11i standard
- Robust Security Network (RSN)
  - final form of the 802.11i standard
- Wi-Fi Alliance certifies vendors in compliance with the full 802.11i specification under the WPA2 program

Elements of IEEE 802.11i
Figure 24.5 Elements of IEEE 802.11i

(a) Services and Protocols, Robust Security Network (RSN)
- Access Control: IEEE 802.1 Port-based Access Control
- Authentication and Key Generation: Extensible Authentication Protocol (EAP)
- Confidentiality, Data Origin Authentication and Integrity and Replay Protection: TKIP, CCMP

(b) Cryptographic Algorithms, Robust Security Network (RSN)
- Confidentiality: TKIP (RC4), CCM (AES-CTR), NIST Key Wrap
- Integrity and Data Origin Authentication: HMAC-SHA-1, HMAC-MD5, TKIP (Michael MIC), CCM (AES-CBC-MAC)
- Key Generation: HMAC-SHA-1, RFC 1750

Abbreviations
- CBC-MAC = Cipher Block Chaining Message Authentication Code (MAC)
- CCM = Counter Mode with Cipher Block Chaining Message Authentication Code
- CCMP = Counter Mode with Cipher Block Chaining MAC Protocol
- TKIP = Temporal Key Integrity Protocol

IEEE 802.11i Phases of Operation
Figure 24.6 IEEE 802.11i Phases of Operation (parties shown: STA, AP, AS, End Station)
- Phase 1 - Discovery
- Phase 2 - Authentication
- Phase 3 - Key Management
- Phase 4 - Protected Data Transfer
- Phase 5 - Connection Termination

IEEE 802.11i Phases of Operation
Figure 24.7 IEEE 802.11i Phases of Operation: Capability Discovery, Authentication, and Association (parties shown: STA, AP, AS)
- Probe request: Station sends a request to join network
- Probe response: AP sends possible security parameter (security capabilities set per the security policy)
- Open system authentication request: Station sends a request to perform null authentication
- Open system authentication response: AP performs null authentication
- Association request: Station sends a request to associate with AP with security parameters
- Association response: AP sends the associated security parameters
- Station sets selected security parameters
- 802.1X controlled port blocked
- 802.1x EAP request
- 802.1x EAP response
- Access request (EAP request)
- Extensible Authentication Protocol Exchange
- Accept/EAP-success key material
- 802.1x EAP success
- 802.1X controlled port blocked

802.1X Access Control
Figure 24.8 802.1X Access Control (elements shown: station, access point with an uncontrolled port and controlled ports, authentication server; paths to other wireless stations on this BSS and to the DS)

MPDU Exchange
- authentication phase consists of three phases:
  - connect to AS: the STA sends a request to its AP that it has an association with for connection to the AS; the AP acknowledges this request and sends an access request to the AS
  - EAP exchange: authenticates the STA and AS to each other
  - secure key delivery: once authentication is established, the AS generates a master session key and sends it to the STA

IEEE 802.11i Key Hierarchies
Figure 24.9 IEEE 802.11i Key Hierarchies

(a) Pairwise key hierarchy
- PSK, pre-shared key: 256 bits; user-defined cryptoid; out-of-band path
- AAAK or MSK, AAA key: EAP authentication; EAP method path
- PMK, pairwise master key: 256 bits; following EAP authentication or PSK
- PTK, pairwise transient key: 384 bits (CCMP), 512 bits (TKIP); during 4-way handshake
- These keys are components of the PTK:
  - KCK, EAPOL key confirmation key: 128 bits
  - KEK, EAPOL key encryption key: 128 bits
  - TK, temporal key: 128 bits (CCMP), 256 bits (TKIP)
- Legend: no modification; possible truncation; PRF (pseudo-random function) using HMAC-SHA-1

(b) Group key hierarchy
- GMK, group master key (generated by AS): 256 bits; changes periodically or if compromised
- GTK, group temporal key: 40 bits, 104 bits (WEP), 128 bits (CCMP), 256 bits (TKIP); changes based on policy (disassociation, deauthentication)

IEEE 802.11i Keys for Data Confidentiality and Integrity Protocols

IEEE 802.11i Phases of Operation
Figure 24.10 IEEE 802.11i Phases of Operation: Four-Way Handshake and Group Key Handshake (parties shown: STA, AP)

Four-way handshake
- AP's 802.1X controlled port blocked
- Message 1, EAPOL-key (Anonce, Unicast): Message 1 delivers a nonce to the STA so that it can generate the PTK.
- Message 2, EAPOL-key (Snonce, Unicast, MIC): Message 2 delivers another nonce to the AP so that it can also generate the PTK. It demonstrates to the AP that the STA is alive, ensures that the PTK is fresh (new) and that there is no man-in-the-middle.
- Message 3, EAPOL-key (Install PTK, Unicast, MIC): Message 3 demonstrates to the STA that the authenticator is alive, ensures that the PTK is fresh (new) and that there is no man-in-the-middle.
- Message 4, EAPOL-key (Unicast, MIC): Message 4 serves as an acknowledgement to Message 3. It serves no cryptographic function. This message also ensures the reliable start of the group key handshake.
- AP's 802.1X controlled port unblocked for unicast traffic

Group key handshake
- Message 1, EAPOL-key (GTK, MIC): Message 1 delivers a new GTK to the STA. The GTK is encrypted before it is sent and the entire message is integrity protected. The STA decrypts the GTK and installs it for use.
- Message 2, EAPOL-key (MIC): Message 2 is delivered to the AP. This frame serves only as an acknowledgment to the AP. The AP installs the GTK.

Temporal Key Integrity Protocol (TKIP)
- designed to require only software changes to devices that are implemented with the older wireless LAN security approach called WEP
- provides two services:
  - message integrity: adds a message integrity code to the 802.11 MAC frame after the data field
  - data confidentiality: provided by encrypting the MPDU

Pseudorandom Function
Figure 24.11 IEEE 802.11i Pseudorandom Function
- inputs: K, A, 0, B, i
- R = HMAC-SHA-1(K, A || 0 || B || i)
- i is incremented (+ 1) for each further block
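An added example, not part of the lecture slides: the pseudorandom function of Figure 24.11 used to expand a PMK into the PTK of Figure 24.9, with both sides of the four-way handshake checking each other's MIC. The label "Pairwise key expansion" and the min/max ordering of addresses and nonces come from IEEE 802.11i rather than from the slides; the MAC addresses, PMK values and the simplified frame bytes that stand in for real EAPOL-Key frames are constructed.

```python
import hashlib
import hmac
import os

def prf(key, label, data, nbits):
    """Slide formula: R = HMAC-SHA-1(K, A || 0 || B || i) for i = 0, 1, 2, ..."""
    out, i = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]  # "possible truncation" in the key hierarchy legend

def derive_ptk(pmk, aa, spa, anonce, snonce, nbits=384):
    """PMK -> PTK (384 bits for CCMP), split into KCK, KEK and TK."""
    # Label and min/max ordering are taken from IEEE 802.11i, not from the slides.
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", b, nbits)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

def mic(kck, frame):
    """HMAC-SHA-1 truncated to 128 bits, keyed with the KCK."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def four_way_handshake(sta_pmk, ap_pmk):
    """Simulate messages 1-3; return (ap_ok, sta_ok, sta_keys, ap_keys)."""
    aa = bytes.fromhex("02aabbccdd01")   # constructed AP MAC address
    spa = bytes.fromhex("02aabbccdd02")  # constructed STA MAC address
    anonce = os.urandom(32)              # Message 1: AP -> STA (ANonce)
    snonce = os.urandom(32)
    sta = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    msg2 = b"msg2|" + snonce             # simplified stand-in for the EAPOL-Key frame
    msg2_mic = mic(sta["KCK"], msg2)     # Message 2: STA -> AP (SNonce, MIC)
    ap = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    ap_ok = hmac.compare_digest(mic(ap["KCK"], msg2), msg2_mic)
    # A real AP stops here when ap_ok is False; the simulation continues
    # only so that both checks are visible in the result.
    msg3 = b"msg3|install PTK|" + anonce
    msg3_mic = mic(ap["KCK"], msg3)      # Message 3: AP -> STA (Install PTK, MIC)
    sta_ok = hmac.compare_digest(mic(sta["KCK"], msg3), msg3_mic)
    return ap_ok, sta_ok, sta, ap

if __name__ == "__main__":
    pmk = bytes(range(32))                          # constructed 256-bit PMK
    print(four_way_handshake(pmk, pmk)[:2])         # matching PMKs
    print(four_way_handshake(pmk, bytes(32))[:2])   # mismatched PMKs
```

Neither side ever transmits the PMK: each proves possession of it only through a MIC keyed with the derived KCK, which is why a mismatched PMK shows up as a failed MIC check on Message 2.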

Summary
- wireless security overview
- wireless network threats
- wireless security measure
- IEEE 802.11 wireless LAN overview
- Wi-Fi alliance
- IEEE 802 protocol architecture
- IEEE 802.11 network components and architectural model
- IEEE 802.11 services
- IEEE 802.11i
- IEEE 802.11i Services
- IEEE 802.11i Phases of Operation
- Discovery Phase
- Authentication Phase
- Key Management Phase
- Protected Data Transfer Phase
- the IEEE 802.11i Pseudorandom Function