Critical Issues in Wireless Local Wide Area Security · Critical Issues in Wireless Local & Wide Area Security @ PISA Seminar Ray Hunt ... Bluetooth Wireless PAN (Personal Area Network)

1

Critical Issues inCritical Issues inWireless Local Wireless Local &&

Wide Area SecurityWide Area Security

@ PISA Seminar

Ray HuntAssociate Professor (Networks and Security)

University of Canterbury, New [email protected]

www.cosc.canterbury.ac.nz/~ray

2

Key Wireless LAN Technologies

IEEE802.11b (11 Mbps) 2.4 GHz (Wi-Fi) (US)IEEE802.11a (54 Mbps) 5 GHz (US)

HiperLAN/2 (54 Mbps) 5GHz (Europe)

IEEE802.11g (54 Mbps) 2.4 GHz

IEEE802.16 Broadband Wireless Access Standard (Wireless MANs)

Bluetooth Wireless PAN (Personal Area Network) 2.4 GHz (= IEEE802.15) www.bluetooth.com

HomeRF (1.6 Mbps) 2.4 GHz www.homerf.org

3

Wireless LAN- Good Security Principles

4

How Security Breaches Occur

War drivingPassing by in cars, pedestrians

Attack software available on Internet to assist

GPS can assist in locating networks

Access to an insecure WLAN network is potentially much easier than to a fixed network

Without authentication and encryption, WLANs are extremely vulnerable

Anybody with shareware tools, WLAN card, antenna and GPS is capable of “war driving”

5

WLAN - Good Security Principles

Problems with bad WLAN architectureLocated behind firewall in trusted network

No authentication

Must consider security options:Infrastructure design to enhance security?

Open access or MAC restricted?

Implement WEP or not?

Problem with rogue WLANCan give access to trusted network as connection/installation as easy as connecting to a hub and without knowledge of administrator

6


Wireless LAN - out of the boxEnable WEP (in spite of some issues)

Change default/identifiable SSID (Service Set Identifier) as network name not encrypted

Use products with dynamic key generation such as Lucent/Agere’s ORiNOCO AS-2000

Do not use MAC address Authentication - tools are readily available to sniff a MAC address

7


Consider network (and above) options:DHCP or static IP

AuthenticationRADIUS, DIAMETER, EAP, SRP, LEAP

IEEE 802.1x

IPSec

VPNs and Encrypted tunnels

SSL/TLS

PKI and IKE key management

Digital Certificates

etc

8

WLAN Security

WLANs suffer from security problems

WEP (Wired Equivalent Privacy) has been partial fix, viz

Limited number of community encryption keysWhen one key compromised, entire system must be manually re-configured

Authentication is one-way only

No per-message integrity checksCan lead to session hijacking

…………see diagram ……...

9

WLAN Security

10

WLAN SecurityAuthentication of user, not device necessary

Adoption of IEEE 802.1x and EAP (Extensible Authentication “Transport” Protocol) - discussed later

Generation of new encryption key per session

Mutual authentication eliminates rogue access points

….. see diagram …...

11

WLAN Security

12

WEP (Wired Equivalent Privacy)

13

WEP Security Features

RC4 encryption

Uses 40 or 128 bit shared key

Encrypts payload while frame is “in the air”

Wired LANNot encrypted by WEP

Wireless LANEncrypted by WEP

Traffic flow

14


WEP (Wired Equivalent Privacy)

WEP has two main design goals:Protection from eavesdropping

Prevent unauthorized access

IEEE 802.11 defines mechanism for encrypting frames using WEP as follows:

a) A key is shared between all members of BSS

b) The encryption algorithm for WEP is RC4, used to generate key stream, which is XORed against plaintext to produce ciphertext

15

WEP Security Featuresc) The decryption algorithm for WEP is RC4 which is XORed

against ciphertext to reproduce plaintext

d) WEP appends 24-bit IV to the shared key; WEP uses this combined key + IV to generate RC4 key schedule. WEP selects new IV for every packet

e) Encapsulation transports IV and ciphertext from sender (encryptor) to receiver (decryptor)

f) WEP uses a CRC for integrity check of the frame. The CRC is computed over data payload and appended to frame before encryption. WEP encrypts CRC with rest of data payload

g) Authentication - one way client MAC address only

16


WEP was never intended to be complete end-to-end solution

Business policy will dictate if additional security mechanisms required such as:

access control, end-to-end encryption, password protection, authentication, VPNs, firewalls, etc

WECA believe many reported attacks are difficult to carry out

IEEE 802.11 working on extensions to WEP (IEEE 802.11e). See reference to ESN

17

WEP Protocol Encryption

X-OR

Keystream = RC4(iv,k)

Plaintext Message CRC

Transmitted Data

Ciphertextiv

k = key iv = Initialisation VectorRC4 = Rivest Cipher 4 Stream Cipher

18

WEP Protocol Decryption

X-OR

Keystream = RC4(iv,k)

Transmitted Data

Ciphertextiv

Plaintext Message CRC

k = key iv = Initialisation VectorRC4 = Rivest Cipher 4 Stream Cipher

WEP Symmetric Key Operation

SecretSecretMessageMessageoveroverWirelessWirelessLANLAN


The same symmetric (RC4) key is used to encrypt The same symmetric (RC4) key is used to encrypt and decrypt the dataand decrypt the data

Symmetric

Symmetric

KeyKeySymmetric

Symmetric

KeyKey

WEP Integrity Check Using CRC-32

MessageMessage CRCCRC--3232

MessageMessagePolynomialPolynomial

CRCCRC--3232

MatchMatch

Integrity check used to ensure packets not modified during transIntegrity check used to ensure packets not modified during transitit

21

WEP Security Weaknesses

Number of flaws discovered in WEP:Passive attacks to decrypt traffic using statistical analysis

Active attacks - inject new traffic from unauthorized stations based upon known plaintext

Active attacks to decrypt traffic based upon tricking the AP (Access Point)

Dictionary-building attacks. After analysis of about a days traffic, real-time automated decryption of all traffic is possible

Need for user/node Authentication (EAP/802.1X)

22


These attacks possible with inexpensive off-the-shelf equipment (opinion)

These attacks apply to both 40-bit and 128-bit versions of WEP

These also apply to any version of the IEEE 802.11 standards (802.11b in particular) that use WEP

IEEE is proposing an upgrade to WEP (WEP2 + AES) to rectify problems

23


Both IC (Integrity Check) & IV (Initialisation Vector) implementations have weaknesses:

IC using CRC-32 designed for detecting line errors, not as security mechanism, therefore has vulnerabilities (not a digital signature)

Use of a 24-bit IV guarantees reuse within 5 hours or less (operating with 1500 byte packets at 11 Mbps). Hence attacker has multiple ciphertexts encrypted with same key. See wep-faq.html for further details.

24

WEP Security EnhancementsWEP standard does not discuss how shared keys are established

Most installations use single key shared between all mobile stations & access points

More sophisticated key management disciplines (PKI + IKE) can be used to improve attack defense. Few commercial systems implement such systems yet

ESN (Enhanced Security Network) + AES cipher being designed to rectify deficiencies

WEP Symmetric Key Operation



The same symmetric (RC4) key is used to encrypt The same symmetric (RC4) key is used to encrypt and decrypt the dataand decrypt the data

Symmetric

Symmetric

KeyKeySymmetric

Symmetric

KeyKey

Symmetric Key

The AdvantagesSecure

Widely Used

Encrypted text is compact

Fast

The DisadvantagesComplex Administration

Requires Secret Key Sharing

No non-repudiation

Subject to interception

Asymmetric (Public/Private) Key Operation



What is encrypted with one key,What is encrypted with one key,can only be decrypted with the other key.can only be decrypted with the other key.

RSA is one example, Elliptic Curve is another.RSA is one example, Elliptic Curve is another.

PublicPublic

KeyKey

Recipient’sRecipient’sPublicPublic

KeyKey

Recipient’sRecipient’sPrivatePrivate

KeyKey

PrivatePrivate

KeyKey

Public/Private Key

The AdvantagesSecure

No secret sharing

No prior relationship

Easier Administration

Supports non-repudiation

The DisadvantagesSlower than symmetric key

Encrypted text is larger than with symmetric version

The Combination


RandomRandom

Symmetric

Symmetric

KeyKey

Bob’sBob’s

PublicPublic

KeyKey

SecretSecretMessagMessageeoveroverWirelesWirelesssLANLAN

Encrypted

Encrypted

To:To:BobBob

““Digital Envelope”Digital Envelope”““Key Wrapping”Key Wrapping”

The Combination

Random

Random

SymmetricSymmetric

KeyKey

SecretSecretMessagMessageeoveroverWirelesWirelesssLANLAN

Encrypted

Encrypted

““Wrapped Key”Wrapped Key”

To:To:BobBob

““Digital Envelope”Digital Envelope”


Bob’sBob’s

PrivatePrivate

KeyKey

The Combination

You get the best of both worldsThe benefits of Symmetric Key

Speed

Compact Encrypted Text

The benefits of Public KeySimpler Key Management

Digital Signature

Non-Repudiation

Digital Signatures


““Hash Function”Hash Function”

DigestDigest DigestDigestEncryptedEncrypted


DigestDigestEncryptedEncrypted

Signer’s

Signer’s

PrivatePrivate

KeyKey

Digital Signatures““Hash Function”Hash Function”

Digest ‘Digest ‘




DigestDigestEncryptedEncrypted DigestDigest

““match?”match?”

Signer’s

Signer’s

PublicPublic

KeyKey

How can you be sure that you get a real (and valid) public key?

X.509 Digital CertificateX.509 Digital Certificate

“I officially authorize the association“I officially authorize the association

between this particular User, and between this particular User, and

this particular Public Key”this particular Public Key”

X.509 Digital Certificates



Name, Address,Name, Address,OrganisationOrganisation

Owner’sOwner’sPublic KeyPublic Key

CertificateCertificateValidity DatesValidity Dates

Certifying Authority’sCertifying Authority’sDigital SignatureDigital Signature

CertificateCertificate

All you need is the CA’s public key to verify theAll you need is the CA’s public key to verify thecertificate and extract the owner’s public keycertificate and extract the owner’s public key

36

Is WEP2 going to fix the problems?

WEP2 (= may be called TKIP) features:Increases size of IV space to 128 bitsKey may be changed periodically via IEEE 802.1x re-authentication to avoid stalenessNo keyed MIC (Message Integrity Check), i.e. no digital signature using keysNo authentication for reassociate, disassociateNo IV replay protectionUse of Kerberos for authentication within IEEE 802.1x

Analysis shows that although security has been improved, there are additional solutions

37

Wireless Vulnerabilities Addressed by Various Security Mechanisms

Attack WEPv1 WEPv2 + Kerberos-5 AES+Kerberos-5 AES + SRPUnintentional IV reuse X X XIntentional IV reuse X XRealtime decryption X X XKnown plaintext X XPartial known plaintext X XAuthentication forging X XDenial of ServiceDictionary attack X

• WEPv1• WEPv2• Kerberos-5• AES - Advanced Encryption Standard (Rijndael)• SRP - Secure Remote Password

38

WEP,VPNs, IDS, SniffersWEP and VPN can work together:

Carefully configured firewalls and tunnelsIPSec, IKE, Digital Certificates

Intrusion Detection and Monitoring Systems:Server - IIS, Real Secure IDS, Dragon, AirIDSAccess Point - SNMP traps, system logging

Wireless Network Sniffers:Sniffer (Sniffer Technologies - www.nai.com)NetStumbler - discover WLAN cards, APs, peer-to-peer infrastructure, etcAirSnort and WEPCrack - use captured traffic to recover crypto keys

39

EAP (Extensible Authentication Protocol)

40

WLAN Security with EAP

Extensible Authentication Protocol checklist:Does it provide for secure exchange of user information during authentication?

Does it permit mutual authentication of the client and network thus preventing intrusion?

Does it require dynamic encryption keys for user and session?

Does it support generation of new keys at set intervals?

Is it easy to implement and manage, e.g. EAP-TLS requires client-side certificates?

41

EAP (Extensible Authentication Protocol) – RFC 2284

Many basic protocols such as PAP, CHAP and WEP offer very limited securityEAP provides extensions to allow arbitrary authentication mechanisms to validate the connection (e.g. PPP, IEEE 802.11b, etc)EAP links to 3rd party “plug-in” authentication modules:

Token cards, Kerberos, PKI, S/Key ...SRP, LEAP, TLS ...

42

EAP (Extensible Authentication Protocol) – RFC 2284 contd ...

EAP is available with Windows 2000 & XP

Common EAP authentication types include:1. EAP-SRP (Secure Remote Password) – offers a

cryptographically strong “user” authentication mechanism suitable for negotiating secure connections and performing secure key exchange using a user-supplied password

2. MD5 (Message Digest 5) - Wireless CHAP

43

EAP (Extensible Authentication Protocol) – RFC 2284 contd ...3. LEAP (Lightweight EAP) – CISCO vendor-specific

authentication that provides mutual authentication and

dynamic WEP key generation

4. EAP-TLS (Transport Layer Security) offers full

authentication consistent with PKI public/private keys,

PKI and digital certificates.

RFC 2716 PPP EAP TLS Authentication Protocol

5. TTLS (Tunnelled Transport Layer Security) - requires

server, but not client certificate

44


45


Client ServerAccessPoint

1. Request ConnectionIEEE 802.1x [EAPoL]

2. Request IdentityIEEE 802.1x [EAPoL]

3. Client IdentityIEEE 802.1x [EAPoL]

4. Access Request [RADIUS]

5. Challenge + EAP Type [RADIUS]

6. Forwards challenge + EAP Type [EAPoL]

7. Negotiation [EAPoL]

8. Response Forwarded [RADIUS]

9. RADIUS Server Accepts [RADIUS]

10. Secure ConnectionEstablished

IEEE 802.11b Ethernet

46

AAA (Authentication, Authourisation, Accounting)

47

Authentication PrinciplesAAA - Authentication, Authourisation, Accounting

RADIUS - Remote Authentication Dial-in User Service

RADIUS - originally developed to manage dial-in access to Internet. Now being used to manage access control for other systems including Wireless LANs (Diameter)

Mobile users require access to resources over both fixed and mobile networks (must be transparent to user)

48

Authentication Principles

Access control authorizes who is allowed to enter network and which services can/cannot be accessed

Managing a single database of users that contains authentication (user name and credentials), as well as access policy and provisioning information, is an effective way to achieve authentication

49

AAA - Authentication Principles

Authentication – Validating a User’s IdentityAuthentication protocols operate between user and AAA server:

PAP, CHAP, RADIUS, DIAMETER, IEEE 802.1x, EAP

Network Access Server (NAS) acts as relay device

50

AAA - Authourisation Principles

Authourisation – What is user allowed to do?Controls access to network services & applications

Access policy can be applied on a per user, group, global, or location basis

Attributes from an access request can be checked for existence or for specific values

Other attributes, egg time-of-day or number of active sessions with same username can also be checked

Outcome of policy decisions can be sent back to access device as Access Reply attributes

51

AAA - Accounting Principles

Accounting – Collecting Usage DataData for each session is collected by access device and transmitted to AAA server

Usage data may include:User Identities

Session Duration

Number of Packets, and Number of Bytes Transmitted

Accounting data may be used for:Billing

Capacity Planning

Trend Analysis

Security Analysis

Auditing

52

AAA Server Architecture

Central AAA Server

RADIUSProtocolServices

Analyzingand Reporting

Services

UserDirectoryServices

Billing &InvoicingServices

Policy-BasedManagementServices

UserDeveloped

Plug-in

53

AAA can offer Distributed Security

54

Example of Authentication using RrK and TKIP

Rapid reKeying (RrK) WEP: IEEE Draft Proposal, August 2001. Change WEP keys more rapidly that effective key discover attacks can be mounted

Support existing hardware and firmware implementations but needscapable software

802.1x client (XP) and 802.1x enabled servers

Use IEEE 802.1X protocol, with EAP-TLS and distribute keys securely at authentication or re-association

Enable periodic re-keying option of IEEE 802.1X

Settable from 1-15 minutes - or activity based

Source: Entrasys, May 2002

55

Example of Authentication using RrK and TKIP

TKIP (Temporal Key Integrity Protocol) [=WEP2]Can use 802.1x or a shared resource for key generation

Pro: 802.1x is not required

Con: Still needs new software on client and access servers

RrK and TKIP will probably both be offered as software only solutions late in 2002

802.1x EAP login RadiusAuthentication

RADIUS ServerProfile creation and distribution

Directory to Role

MatchingRole decoded and Priorities Applied802.1x EAP- RrK

LDAP/Directory

Access Point

SNMPv3

56

IEEE 802.1x

57

IEEE 802.1x Authentication

Synopsis:Defines generic framework for port-based MAC authentication (not user) and key distribution

Authenticates before giving access to network

Requires PKI certificate on each client

Requires central RADIUS server running EAP

EAP acts an “authenticator” (egg Ethernet switch or wireless AP) and authenticates a supplicant (Ethernet or Wireless NIC) by consulting an authentication server such as RADIUS or Kerberos

58


Synopsis contd:IEEE 802.1x - implemented with different EAP types

1. EAP-MD5 for Ethernet LANs (= CHAP)

2. EAP-TLS for IEEE 802.11b WLANs but supplicant and authenticator must be able to handle digital certificates - hence PKI/CA infrastructure required

3. EAP-SRP weaker (password) authentication

IEEE 802.1x provides “carrier” for secure delivery of session keys between supplicant and authenticator (this was omitted by WEP)

59


Products:Operating System:

Only Windows XP (and XP Pro) so far

Wireless card and AP vendors:Cisco, Agere/Lucent, Enterasys

EAP Authentication ServerIAS (Microsoft’s RADIUS in W2000), Steel-Belted RADIUS, Interlink,Cisco/LEAP

Cost:Deployment requires support on all APs and clients

More likely to be a corporate solution

60

Recent Developments in WEP

WEP2 (TKIP) in process of approval by IEEE128 bit encryption key

128 bit initialization vector (iv)

Backward compatibility with WEP

ESN (Enhanced Security Network) in process of being standardized. Includes:

WEP, WEP2 and a new encapsulation protocol using AES (128 bit) encryption with OCB mode

Dynamic association of key values

Uses Kerberos authentication mechanism

61

Recent Developments in WEP

ESN (Enhanced Security Network) development contd…..

Fast handover between APs without necessity to reauthenticate. Security profiles are forwarded between APs by IAPP (Inter-Access Point Protocol) = Equivalency Privacy

62

Security: The Layered Onion

VPN – Secure Access

Radius Authentication

40/128 bit WEP Encryption

802.11i AES

EthernetData

802.1x/EAP

Virtual Private Networks

RrK/TKIP

Access Control

Documents

Critical Issues in Wireless Local Wide Area Security · Critical Issues in Wireless Local & Wide Area Security @ PISA Seminar Ray Hunt ... Bluetooth Wireless PAN (Personal Area Network)