Upload
phungtu
View
216
Download
0
Embed Size (px)
Citation preview
1
Critical Issues inCritical Issues inWireless Local Wireless Local &&
Wide Area SecurityWide Area Security
@ PISA Seminar
Ray HuntAssociate Professor (Networks and Security)
University of Canterbury, New [email protected]
www.cosc.canterbury.ac.nz/~ray
2
Key Wireless LAN Technologies
IEEE802.11b (11 Mbps) 2.4 GHz (Wi-Fi) (US)IEEE802.11a (54 Mbps) 5 GHz (US)
HiperLAN/2 (54 Mbps) 5GHz (Europe)
IEEE802.11g (54 Mbps) 2.4 GHz
IEEE802.16 Broadband Wireless Access Standard (Wireless MANs)
Bluetooth Wireless PAN (Personal Area Network) 2.4 GHz (= IEEE802.15) www.bluetooth.com
HomeRF (1.6 Mbps) 2.4 GHz www.homerf.org
3
Wireless LAN- Good Security Principles
4
How Security Breaches Occur
War drivingPassing by in cars, pedestrians
Attack software available on Internet to assist
GPS can assist in locating networks
Access to an insecure WLAN network is potentially much easier than to a fixed network
Without authentication and encryption, WLANs are extremely vulnerable
Anybody with shareware tools, WLAN card, antenna and GPS is capable of “war driving”
5
WLAN - Good Security Principles
Problems with bad WLAN architectureLocated behind firewall in trusted network
No authentication
Must consider security options:Infrastructure design to enhance security?
Open access or MAC restricted?
Implement WEP or not?
Problem with rogue WLANCan give access to trusted network as connection/installation as easy as connecting to a hub and without knowledge of administrator
6
WLAN - Good Security Principles
Wireless LAN - out of the boxEnable WEP (in spite of some issues)
Change default/identifiable SSID (Service Set Identifier) as network name not encrypted
Use products with dynamic key generation such as Lucent/Agere’s ORiNOCO AS-2000
Do not use MAC address Authentication - tools are readily available to sniff a MAC address
7
WLAN - Good Security Principles
Consider network (and above) options:DHCP or static IP
AuthenticationRADIUS, DIAMETER, EAP, SRP, LEAP
IEEE 802.1x
IPSec
VPNs and Encrypted tunnels
SSL/TLS
PKI and IKE key management
Digital Certificates
etc
8
WLAN Security
WLANs suffer from security problems
WEP (Wired Equivalent Privacy) has been partial fix, viz
Limited number of community encryption keysWhen one key compromised, entire system must be manually re-configured
Authentication is one-way only
No per-message integrity checksCan lead to session hijacking
…………see diagram ……...
9
WLAN Security
10
WLAN SecurityAuthentication of user, not device necessary
Adoption of IEEE 802.1x and EAP (Extensible Authentication “Transport” Protocol) - discussed later
Generation of new encryption key per session
Mutual authentication eliminates rogue access points
….. see diagram …...
13
WEP Security Features
RC4 encryption
Uses 40 or 128 bit shared key
Encrypts payload while frame is “in the air”
Wired LANNot encrypted by WEP
Wireless LANEncrypted by WEP
Traffic flow
14
WEP Security Features
WEP (Wired Equivalent Privacy)
WEP has two main design goals:Protection from eavesdropping
Prevent unauthorized access
IEEE 802.11 defines mechanism for encrypting frames using WEP as follows:
a) A key is shared between all members of BSS
b) The encryption algorithm for WEP is RC4, used to generate key stream, which is XORed against plaintext to produce ciphertext
15
WEP Security Featuresc) The decryption algorithm for WEP is RC4 which is XORed
against ciphertext to reproduce plaintext
d) WEP appends 24-bit IV to the shared key; WEP uses this combined key + IV to generate RC4 key schedule. WEP selects new IV for every packet
e) Encapsulation transports IV and ciphertext from sender (encryptor) to receiver (decryptor)
f) WEP uses a CRC for integrity check of the frame. The CRC is computed over data payload and appended to frame before encryption. WEP encrypts CRC with rest of data payload
g) Authentication - one way client MAC address only
16
WEP Security Features
WEP was never intended to be complete end-to-end solution
Business policy will dictate if additional security mechanisms required such as:
access control, end-to-end encryption, password protection, authentication, VPNs, firewalls, etc
WECA believe many reported attacks are difficult to carry out
IEEE 802.11 working on extensions to WEP (IEEE 802.11e). See reference to ESN
17
WEP Protocol Encryption
X-OR
Keystream = RC4(iv,k)
Plaintext Message CRC
Transmitted Data
Ciphertextiv
k = key iv = Initialisation VectorRC4 = Rivest Cipher 4 Stream Cipher
18
WEP Protocol Decryption
X-OR
Keystream = RC4(iv,k)
Transmitted Data
Ciphertextiv
Plaintext Message CRC
k = key iv = Initialisation VectorRC4 = Rivest Cipher 4 Stream Cipher
WEP Symmetric Key Operation
SecretSecretMessageMessageoveroverWirelessWirelessLANLAN
SecretSecretMessageMessageoveroverWirelessWirelessLANLAN
The same symmetric (RC4) key is used to encrypt The same symmetric (RC4) key is used to encrypt and decrypt the dataand decrypt the data
Symmetric
Symmetric
KeyKeySymmetric
Symmetric
KeyKey
WEP Integrity Check Using CRC-32
MessageMessage CRCCRC--3232
MessageMessagePolynomialPolynomial
CRCCRC--3232
MatchMatch
Integrity check used to ensure packets not modified during transIntegrity check used to ensure packets not modified during transitit
21
WEP Security Weaknesses
Number of flaws discovered in WEP:Passive attacks to decrypt traffic using statistical analysis
Active attacks - inject new traffic from unauthorized stations based upon known plaintext
Active attacks to decrypt traffic based upon tricking the AP (Access Point)
Dictionary-building attacks. After analysis of about a days traffic, real-time automated decryption of all traffic is possible
Need for user/node Authentication (EAP/802.1X)
22
WEP Security Weaknesses
These attacks possible with inexpensive off-the-shelf equipment (opinion)
These attacks apply to both 40-bit and 128-bit versions of WEP
These also apply to any version of the IEEE 802.11 standards (802.11b in particular) that use WEP
IEEE is proposing an upgrade to WEP (WEP2 + AES) to rectify problems
23
WEP Security Weaknesses
Both IC (Integrity Check) & IV (Initialisation Vector) implementations have weaknesses:
IC using CRC-32 designed for detecting line errors, not as security mechanism, therefore has vulnerabilities (not a digital signature)
Use of a 24-bit IV guarantees reuse within 5 hours or less (operating with 1500 byte packets at 11 Mbps). Hence attacker has multiple ciphertexts encrypted with same key. See wep-faq.html for further details.
24
WEP Security EnhancementsWEP standard does not discuss how shared keys are established
Most installations use single key shared between all mobile stations & access points
More sophisticated key management disciplines (PKI + IKE) can be used to improve attack defense. Few commercial systems implement such systems yet
ESN (Enhanced Security Network) + AES cipher being designed to rectify deficiencies
WEP Symmetric Key Operation
SecretSecretMessageMessageoveroverWirelessWirelessLANLAN
SecretSecretMessageMessageoveroverWirelessWirelessLANLAN
The same symmetric (RC4) key is used to encrypt The same symmetric (RC4) key is used to encrypt and decrypt the dataand decrypt the data
Symmetric
Symmetric
KeyKeySymmetric
Symmetric
KeyKey
Symmetric Key
The AdvantagesSecure
Widely Used
Encrypted text is compact
Fast
The DisadvantagesComplex Administration
Requires Secret Key Sharing
No non-repudiation
Subject to interception
Asymmetric (Public/Private) Key Operation
SecretSecretMessageMessageoveroverWirelessWirelessLANLAN
SecretSecretMessageMessageoveroverWirelessWirelessLANLAN
What is encrypted with one key,What is encrypted with one key,can only be decrypted with the other key.can only be decrypted with the other key.
RSA is one example, Elliptic Curve is another.RSA is one example, Elliptic Curve is another.
PublicPublic
KeyKey
Recipient’sRecipient’sPublicPublic
KeyKey
Recipient’sRecipient’sPrivatePrivate
KeyKey
PrivatePrivate
KeyKey
Public/Private Key
The AdvantagesSecure
No secret sharing
No prior relationship
Easier Administration
Supports non-repudiation
The DisadvantagesSlower than symmetric key
Encrypted text is larger than with symmetric version
The Combination
SecretSecretMessageMessageoveroverWirelessWirelessLANLAN
RandomRandom
Symmetric
Symmetric
KeyKey
Bob’sBob’s
PublicPublic
KeyKey
SecretSecretMessagMessageeoveroverWirelesWirelesssLANLAN
Encrypted
Encrypted
To:To:BobBob
““Digital Envelope”Digital Envelope”““Key Wrapping”Key Wrapping”
The Combination
Random
Random
SymmetricSymmetric
KeyKey
SecretSecretMessagMessageeoveroverWirelesWirelesssLANLAN
Encrypted
Encrypted
““Wrapped Key”Wrapped Key”
To:To:BobBob
““Digital Envelope”Digital Envelope”
SecretSecretMessageMessageoveroverWirelessWirelessLANLAN
Bob’sBob’s
PrivatePrivate
KeyKey
The Combination
You get the best of both worldsThe benefits of Symmetric Key
Speed
Compact Encrypted Text
The benefits of Public KeySimpler Key Management
Digital Signature
Non-Repudiation
Digital Signatures
SecretSecretMessageMessageoveroverWirelessWirelessLANLAN
““Hash Function”Hash Function”
DigestDigest DigestDigestEncryptedEncrypted
SecretSecretMessageMessageoveroverWirelessWirelessLANLAN
DigestDigestEncryptedEncrypted
Signer’s
Signer’s
PrivatePrivate
KeyKey
Digital Signatures““Hash Function”Hash Function”
Digest ‘Digest ‘
SecretSecretMessageMessageoveroverWirelessWirelessLANLAN
DigestDigestEncryptedEncrypted
SecretSecretMessageMessageoveroverWirelessWirelessLANLAN
DigestDigestEncryptedEncrypted DigestDigest
““match?”match?”
Signer’s
Signer’s
PublicPublic
KeyKey
How can you be sure that you get a real (and valid) public key?
X.509 Digital CertificateX.509 Digital Certificate
“I officially authorize the association“I officially authorize the association
between this particular User, and between this particular User, and
this particular Public Key”this particular Public Key”
X.509 Digital Certificates
SecretSecretMessageMessageoveroverWirelessWirelessLANLAN
DigestDigestEncryptedEncrypted
Name, Address,Name, Address,OrganisationOrganisation
Owner’sOwner’sPublic KeyPublic Key
CertificateCertificateValidity DatesValidity Dates
Certifying Authority’sCertifying Authority’sDigital SignatureDigital Signature
CertificateCertificate
All you need is the CA’s public key to verify theAll you need is the CA’s public key to verify thecertificate and extract the owner’s public keycertificate and extract the owner’s public key
36
Is WEP2 going to fix the problems?
WEP2 (= may be called TKIP) features:Increases size of IV space to 128 bitsKey may be changed periodically via IEEE 802.1x re-authentication to avoid stalenessNo keyed MIC (Message Integrity Check), i.e. no digital signature using keysNo authentication for reassociate, disassociateNo IV replay protectionUse of Kerberos for authentication within IEEE 802.1x
Analysis shows that although security has been improved, there are additional solutions
37
Wireless Vulnerabilities Addressed by Various Security Mechanisms
Attack WEPv1 WEPv2 + Kerberos-5 AES+Kerberos-5 AES + SRPUnintentional IV reuse X X XIntentional IV reuse X XRealtime decryption X X XKnown plaintext X XPartial known plaintext X XAuthentication forging X XDenial of ServiceDictionary attack X
• WEPv1• WEPv2• Kerberos-5• AES - Advanced Encryption Standard (Rijndael)• SRP - Secure Remote Password
38
WEP,VPNs, IDS, SniffersWEP and VPN can work together:
Carefully configured firewalls and tunnelsIPSec, IKE, Digital Certificates
Intrusion Detection and Monitoring Systems:Server - IIS, Real Secure IDS, Dragon, AirIDSAccess Point - SNMP traps, system logging
Wireless Network Sniffers:Sniffer (Sniffer Technologies - www.nai.com)NetStumbler - discover WLAN cards, APs, peer-to-peer infrastructure, etcAirSnort and WEPCrack - use captured traffic to recover crypto keys
39
EAP (Extensible Authentication Protocol)
40
WLAN Security with EAP
Extensible Authentication Protocol checklist:Does it provide for secure exchange of user information during authentication?
Does it permit mutual authentication of the client and network thus preventing intrusion?
Does it require dynamic encryption keys for user and session?
Does it support generation of new keys at set intervals?
Is it easy to implement and manage, e.g. EAP-TLS requires client-side certificates?
41
EAP (Extensible Authentication Protocol) – RFC 2284
Many basic protocols such as PAP, CHAP and WEP offer very limited securityEAP provides extensions to allow arbitrary authentication mechanisms to validate the connection (e.g. PPP, IEEE 802.11b, etc)EAP links to 3rd party “plug-in” authentication modules:
Token cards, Kerberos, PKI, S/Key ...SRP, LEAP, TLS ...
42
EAP (Extensible Authentication Protocol) – RFC 2284 contd ...
EAP is available with Windows 2000 & XP
Common EAP authentication types include:1. EAP-SRP (Secure Remote Password) – offers a
cryptographically strong “user” authentication mechanism suitable for negotiating secure connections and performing secure key exchange using a user-supplied password
2. MD5 (Message Digest 5) - Wireless CHAP
43
EAP (Extensible Authentication Protocol) – RFC 2284 contd ...3. LEAP (Lightweight EAP) – CISCO vendor-specific
authentication that provides mutual authentication and
dynamic WEP key generation
4. EAP-TLS (Transport Layer Security) offers full
authentication consistent with PKI public/private keys,
PKI and digital certificates.
RFC 2716 PPP EAP TLS Authentication Protocol
5. TTLS (Tunnelled Transport Layer Security) - requires
server, but not client certificate
44
WLAN Security with EAP
45
WLAN Security with EAP
Client ServerAccessPoint
1. Request ConnectionIEEE 802.1x [EAPoL]
2. Request IdentityIEEE 802.1x [EAPoL]
3. Client IdentityIEEE 802.1x [EAPoL]
4. Access Request [RADIUS]
5. Challenge + EAP Type [RADIUS]
6. Forwards challenge + EAP Type [EAPoL]
7. Negotiation [EAPoL]
8. Response Forwarded [RADIUS]
9. RADIUS Server Accepts [RADIUS]
10. Secure ConnectionEstablished
IEEE 802.11b Ethernet
46
AAA (Authentication, Authourisation, Accounting)
47
Authentication PrinciplesAAA - Authentication, Authourisation, Accounting
RADIUS - Remote Authentication Dial-in User Service
RADIUS - originally developed to manage dial-in access to Internet. Now being used to manage access control for other systems including Wireless LANs (Diameter)
Mobile users require access to resources over both fixed and mobile networks (must be transparent to user)
48
Authentication Principles
Access control authorizes who is allowed to enter network and which services can/cannot be accessed
Managing a single database of users that contains authentication (user name and credentials), as well as access policy and provisioning information, is an effective way to achieve authentication
49
AAA - Authentication Principles
Authentication – Validating a User’s IdentityAuthentication protocols operate between user and AAA server:
PAP, CHAP, RADIUS, DIAMETER, IEEE 802.1x, EAP
Network Access Server (NAS) acts as relay device
50
AAA - Authourisation Principles
Authourisation – What is user allowed to do?Controls access to network services & applications
Access policy can be applied on a per user, group, global, or location basis
Attributes from an access request can be checked for existence or for specific values
Other attributes, egg time-of-day or number of active sessions with same username can also be checked
Outcome of policy decisions can be sent back to access device as Access Reply attributes
51
AAA - Accounting Principles
Accounting – Collecting Usage DataData for each session is collected by access device and transmitted to AAA server
Usage data may include:User Identities
Session Duration
Number of Packets, and Number of Bytes Transmitted
Accounting data may be used for:Billing
Capacity Planning
Trend Analysis
Security Analysis
Auditing
52
AAA Server Architecture
Central AAA Server
RADIUSProtocolServices
Analyzingand Reporting
Services
UserDirectoryServices
Billing &InvoicingServices
Policy-BasedManagementServices
UserDeveloped
Plug-in
53
AAA can offer Distributed Security
54
Example of Authentication using RrK and TKIP
Rapid reKeying (RrK) WEP: IEEE Draft Proposal, August 2001. Change WEP keys more rapidly that effective key discover attacks can be mounted
Support existing hardware and firmware implementations but needscapable software
802.1x client (XP) and 802.1x enabled servers
Use IEEE 802.1X protocol, with EAP-TLS and distribute keys securely at authentication or re-association
Enable periodic re-keying option of IEEE 802.1X
Settable from 1-15 minutes - or activity based
Source: Entrasys, May 2002
55
Example of Authentication using RrK and TKIP
TKIP (Temporal Key Integrity Protocol) [=WEP2]Can use 802.1x or a shared resource for key generation
Pro: 802.1x is not required
Con: Still needs new software on client and access servers
RrK and TKIP will probably both be offered as software only solutions late in 2002
802.1x EAP login RadiusAuthentication
RADIUS ServerProfile creation and distribution
Directory to Role
MatchingRole decoded and Priorities Applied802.1x EAP- RrK
LDAP/Directory
Access Point
SNMPv3
56
IEEE 802.1x
57
IEEE 802.1x Authentication
Synopsis:Defines generic framework for port-based MAC authentication (not user) and key distribution
Authenticates before giving access to network
Requires PKI certificate on each client
Requires central RADIUS server running EAP
EAP acts an “authenticator” (egg Ethernet switch or wireless AP) and authenticates a supplicant (Ethernet or Wireless NIC) by consulting an authentication server such as RADIUS or Kerberos
58
IEEE 802.1x Authentication
Synopsis contd:IEEE 802.1x - implemented with different EAP types
1. EAP-MD5 for Ethernet LANs (= CHAP)
2. EAP-TLS for IEEE 802.11b WLANs but supplicant and authenticator must be able to handle digital certificates - hence PKI/CA infrastructure required
3. EAP-SRP weaker (password) authentication
IEEE 802.1x provides “carrier” for secure delivery of session keys between supplicant and authenticator (this was omitted by WEP)
59
IEEE 802.1x Authentication
Products:Operating System:
Only Windows XP (and XP Pro) so far
Wireless card and AP vendors:Cisco, Agere/Lucent, Enterasys
EAP Authentication ServerIAS (Microsoft’s RADIUS in W2000), Steel-Belted RADIUS, Interlink,Cisco/LEAP
Cost:Deployment requires support on all APs and clients
More likely to be a corporate solution
60
Recent Developments in WEP
WEP2 (TKIP) in process of approval by IEEE128 bit encryption key
128 bit initialization vector (iv)
Backward compatibility with WEP
ESN (Enhanced Security Network) in process of being standardized. Includes:
WEP, WEP2 and a new encapsulation protocol using AES (128 bit) encryption with OCB mode
Dynamic association of key values
Uses Kerberos authentication mechanism
61
Recent Developments in WEP
ESN (Enhanced Security Network) development contd…..
Fast handover between APs without necessity to reauthenticate. Security profiles are forwarded between APs by IAPP (Inter-Access Point Protocol) = Equivalency Privacy
62
Security: The Layered Onion
VPN – Secure Access
Radius Authentication
40/128 bit WEP Encryption
802.11i AES
EthernetData
802.1x/EAP
Virtual Private Networks
RrK/TKIP
Access Control