Embed Size (px)
Citation preview
Security of Wireless Protocols
Mati Vait
Univerity of Tartu
1 Introduction
Security in communication has been always a great concern. Different messagesare sent constantly over the network whether they are simple correspondencebetween ordinary people, enterprise data or government secrets which all needto be kept secret. Currently there are many protocols for wide range of wirelesscommunication e.g. GSM, EDGE, 3G, WiMax, WLAN . . .
This paper concentrates on the security of protocols in Wireless Local AreaNetworks (WLANs). Nowadays Wireless Protected Access (WPA) and it’s im-provement WPA2, which uses stronger primitives, are the most widespread so-lutions for wireless security. Wired Equivalent Privacy (WEP) is the predecessorof WPA and is considered to be deprecated however it still is in wide use.
The layout of this paper is following: section 2 contains preliminaries, it cov-ers briefly standards, WEP, sections 3 and 4 cover WPA and WPA2 respectivelyalong with their weaknesses and attacks. Section 5 lists attacks and vulnerabili-ties which are common for both WPA and WPA2.
2 Preliminaries
This sections gives background on history and standards behind WPA andWPA2. Different standards related to wireless communication and security arecovered. Wired Equivalent Privacy (WEP) is briefly described along with someof its vulnerabilities to the extent necessary for covering vulnerabilities of WPA.
2.1 Standards Overview
IEEE 802.11 [1] is a set of standards for wireless local area networks. It hasgone though several iterations since 1997, when it was first released. IEEE 802.11contains specifications for media access control and physical layer.
First official version of the IEEE 802.11 provided two modes of authentica-tion:
– Open System Authentication– Shared Key Authentication
In Open System Authentication mode no actual client authentication is per-formed, only two initial messages (request for authentication, response ”authen-ticated”) are exchanged before connection is established. Connections using thismode are not encrypted.
Shared System Authentication mode uses a set of pre-shared keys, mostcommoly still only one key, for authentication. During the authentication processthe knowledge of the common shared secret is proven only for the initiator. Inthis mode all communication after authentication is encrypted.
IEEE 802.11 specified Wired Protected Access (WEP) as the algorithm forproviding confidentiality in connections using Shared Key Authentication mode.
IEEE 802.11i is an amendment to the IEEE 802.11 standard. It was createdto provide better mechanisms for security in wireless networks after WEP hadbeen considered insecure.
IEEE 802.11i specifies Robust Security Network (RSN) as the replacementfor Shared Key Authentication and Open System Authentication. By definitionRSN consists of Robust Security Network Associations (RSNAs), which can beestablished only between devices supporting certain cryptographic primitivesused by WPA and WPA2.
RSN uses IEEE 802.1x port-based access control and Extensible AuthenticationProtocol (EAP) for secure and flexible authentication. Using 802.1x means thatauthentication can be done through various EAP-methods. However differentEAP methods will not be covered in this paper. For more on EAP methods see[15]. RSN consists of three parts:
– Station (STA). In this paper STA is a device which can connect to thewireless network.
– Access Point (AP). AP is STA which provides access to some network. Thereare situations, where two APs can be viewed as STA and AP in relation toeach other.
– Authentication Server (AS). AS is a server that manages authenticationinformation. AP can contain AS’s functionality. Connection between APand AS is always assumed to be secure. In reality this may not be so.
Two data confidentiality protocols are defined for RSNA: Transient Key In-tegrity Protocol (TKIP) and AES-based Counter CCM Protocol (CCMP).
TKIP was created to quickly improve security in wireless networks withoutneeding to replace the hardware. Only upgrade of the firmware or the driver wasneeded to enable it. That is the reason why TKIP reuses RC4 algorithm fromWEP. Michael Message Integrity Check (MIC) was added to improve messageintegrity.
RSNA specifies how secure connection is set up. This procedure consists offollowing phases:
1. Discovery and association2. Authentication3. Key generation and distribution
4. Secure data transfer.5. Connection termination.
During the first phase the AP broadcasts its IEEE 802.11i capabilities inBeacon frame or unassociated STA queries AP using Probe Request frame. AP’sreply contains information what kind of primitives are supported. As an alterna-tive, STA can monitor network for other STAs queries and use data from thoseresponses. STA associates with AP using ciphersuite chosen based on informa-tion from received frames.
After the STA and AP have associated in the first phase, then STA andAS prove each other’s identity by using pre-shared keys or certificates(see [15]).In this stage AP forwards everything between STA and AS. After successfulauthentication the Authentication Server provides AP with keying material andno further communication between STA and AS is done.
In third phase the resulting keying material from the authentication is part ofthe input for the 4-Way Handshake which confirms correctness of Pairwise Mas-ter Keys (PMKs), checks liveness of the peers and generates Pairwise TransientKeys (PTKs) which are used for packet encryption.
Optional Group Key Handshake establishes Group Transient Key (GTK) forprotecting broadcast and multicast traffic. GTK is shared between AP and allassociated STA-s. Note that initial keying material generation is done betweenSTA and authentication server, all handshakes are run between STA and AP.
For secure data transfer in fourth phase PTKs and GTKs are used. At anypoint here either the AP or STA can re-initiate 4-way handshake to reset PTK orgroup key handshake to reset GTK. GTK must be reset when some authenticatedpeer leaves the network.
Fig. 1. Simplified 4-Way Handshake.
4-Way Handshake Figure 1 shows 4-way handshake which takes place afterauthentication. Preceeding and following elements have been omitted for the
sake of clarity. After successful authentication STA and AP have both receivedor generated their pairwise master keys which will not be directly used for en-cryption and decryption but will be used for deriving further keys.
4-Way Handshake starts when AP generates nonce ANonce and sends it tothe STA. After receiving ANonce, STA generates himself a nonce SNonce anduses both ANonce and SNonce to generate Pairwise Transient Key (PTK). STAsends SNonce and Message Integrity Check (MIC) to AP. MIC is calculated usingkey derived from PTK. AP checks received MIC and constructs his PTK. In thefollowing step AP generates a new Group Transient Key (GTK) or takes currentGTK, encrypts it and sends it to the STA. STA aknowledges and from here onAP and STA are connected until rekeying is done or dissasociation managementframes are sent. Note that either party can intitate rekeying and as a result new4-Way handshake is run.
IEEE 802.1x [11] is a framework for port-based access control and it encapsu-lates Extensible Authentication Protocol (EAP) packets during authentication.In IEEE 802.1x the client STA is called the supplicant and the AP, who is com-municating with AS, is called the authenticator. Between authenticator and ASeither RADIUS or DIAMETER protocols are used to forward EAP packets. Bothare intended to provide authentication, authorization and accounting frameworkfor network access control.
2.2 WEP
Wired Equivalent Privacy was created to provide Shared Key Authentication inIEEE 802.11 standard [2]. WEP was first broken by Fluhrer, Mantin and Shamir[6] in 2001. This part covers WEP only to the extent necessary for discussingvulnerabilities found in the WPA.
Architecture. WEP uses RC4 stream cipher for encryption and decryption.RC4 consists of Key Scheduling Algorithm (KSA) and Pseudo-Random Gener-ation Algorithm (PRGA). KSA is used with concatenated 24-bit InitializationVector (IV) and pre-shared key to initialize the state. PRGA uses that stateto generate the stream which will be used to XOR together with the plaintext.IEEE 802.11 does not specify the selection of IV. Each WEP packet containsCRC-32 Integrity Check Value (ICV) which is supposed to indicate communica-tion errors.
Encryption starts by initializing PRGA keystream with concatenated IV andpreshared key. ICV is calculated over the plaintext field and appended to theplaintext. The plaintext and ICV will be XOR-ed together with the keystreamfrom PRGA. IV will be sent as plaintext in front of the ciphertext.
Decryption starts by splitting IV and ciphertext. IV and preshared key areconcatenated and used to initialize KSA. Resulting keystream from PRGA isXOR-ed with cipertext to get the plaintext. ICV’ is extracted from the end ofthe plaintext and ICV” is calculated over the rest of the plaintext. Packet isaccepted iff ICV’ = ICV”.
Weaknesses and Attacks Over the years many weaknesses and attacks havebeen found for different parts of WEP.
ICV, which is included in ciphertext, do not actually provide informationwhether the packet has been tampered with or not. It indicates only transmissionerrors. Replaying packets is possible since WEP does not count packets.
One of the first results on RC4 was by A. Roos [9] who showed that thereexists a class of weak keys that determine a large number of bits in KSA-s output(first permutation).
KoreK’s chopchop attack [16, 17] is based on CRC-32 and repeatedly guess-ing the plaintext from the end of the packet byte-by-byte. Figuring out entireplaintext takes in average 128 and in worst case 256 tries per byte and can bedone at the network speed, since if the guessed byte is wrong then ICV failureis indicated and if correct, then timeout occurs.
Fixes for Vulnerabilities After WEP was proven insecure, different vendorstried to improve WEP on their own by increasing key length, changing keyscheduling and IV generation. However those solutions were not interoperablebetween equiptment made by different vendors. Still, as a result of this effort,many of those fixes made into WPA.
3 WPA
3.1 Architecture
TKIP was designed to use RC4 for encryption with stronger key-scheduling. MICwas included to provide better data integrity. Although TKIP reuses componentsfrom WEP, its inner workings are different. Differently from WEP, WPA usestwo different keys for encryption/decryption. Both keys, the MIC key and theencryption key, are derived from PTK. WPA uses 48-bit IV which is twice aslong as WEP used. IV is new for each packet, because it is used as a counter(TSC) and incremented IV = IV + 1 for each encryption.
Diagram 2 shows how encryption is done in WPA. WPA uses two differentkeys: the MIC key and the encryption key. Over the incoming MSDU (MACService Data Unit, the whole plaintext) is calculated one MIC value and thatis appended to the each fragment of the inital plaintext. Fragmentation is donein case when plaintext is too large for one packet. For each fragment an ICV(CRC32, remnant from WEP) is calculated and appended to the plaintext. Forinitializing RC4 keystream the encryption key is hashed with initialization vec-tor. Resulting keystream is XOR-ed together with plaintext fragments and IVis appended as plaintext.
WPA decryption goes exactly in the reverse order (see 3). Incoming fragmentsare assembled together and XOR-ed with the packet key derived from receivedIV and locally generated encryption key. ICV is extracted from each fragmentand ICV’ is calculated locally. Fragment is accepted only iff ICV = ICV’. Nextstep is to assemble all the plaintexts and extract MIC. Local MIC’ is calculated
Fig. 2. Packet encryption in WPA. [13]
and packet is accepted only iff MIC = MIC’. If MIC error is detected, then MICfailure report frame is sent. After two MIC errors in under 60 seconds will be a60 second delay and all of the PTKs and GTKs among every associated peersare renegotiated. If MIC error is not detected, then TCV value is updated to bethe largest of the received fragments IV.
3.2 Vulnerabilities and Attacks
Since WPA was designed to reuse components from WEP, some weak points stillremain.
Beck-Tews Attack [4] enables the attacker to decrypt traffic and send pack-ets with custom content to the supplicant. It depends on Quality of Service(QoS) features of WLAN. Multiple communication channels with different packetcounter values (TSCs) enable to lauch an attack that is similar to the chopchopattack on WEP and extract parts of the keystream. Differently from chopchopattack which is launched against the authenticator, Beck-Tews attack is tar-geted against the supplicant. However, Beck-Tews attack assumes that followingpreconditions are met:
– TKIP is used for communication– TKIP uses long rekeying interval - e.g. 3600 seconds– IPv4 protocol is used– range of addresses is known to the attacker– network supports IEEE 802.11e QoS features namely different channels for
data flows
Fig. 3. Packet decryption in WPA. [13]
– station is authenticated to network.
The original chopchop attack cannot be launched against TKIP becauseTKIP has countermeasures built in against it. TKIP uses IV as a counter andalso silently discards packet if the packet is received with an incorrect ICV. IfICV is correct but MIC check fails, then MIC failure report frame is sent toAP. When MIC verification fails twice in 60 seconds, then all connections areshut down and all keys (PTKs and GTKs) are renegotiated after 60 second pe-riod. This gives an opportunity for another DoS attack. When correct packet isreceived, then sequence counter (TSC) on according channel is updated. Whenreceived packed has lower value than current counter on the channel, then packetis discarded.
For launching attack, an attacker searches traffic for an encrypted ARP re-quest or response. From that packet attacker already knows most part of theARP plaintext, missing only 8 byte MIC, 4 byte ICV and the last byte of thesource and destination IP addresses assuming that the attacker knows the prefixfor the network.
The next step is to send custom packets on different QoS channel than theoriginal ARP packet was received because less used channels probably have lowerTSC values so packet sent there would be accepted or MIC check fail indicated.After sending a packet and receiving MIC failure report frame attacker has towait for 60 seconds until next packet could be sent. This trial-and-error proceduretakes in total 12-15 minutes to decrypt 12 unknown bytes of the ARP packet.After decrypting the packet the attacker knows MIC value and can calculate MICkey from the plaintext and the MIC value since the Michael MIC is invertible
[18]. Next step is to assemble falsifying packet by calculating the new MIC’and CRC-32 from the new plaintext and appending that to the plaintext. OldIV and keystream is used to encrypt that packet. Falsifying packet is sent onthe channel which has probably lower TSC value than the IV on the receivedpacket. Falsifying packet is accepted since IV and MIC values match with theones calculated from the plaintext and TSC’ on that channel is lower than theIV of the packet (since TSC is the value of the last IV sent on the channel).
For countermeasures authors Peck and Tews suggest to use shorter re-keyingtimes, disabling use of MIC failure report frame or using CCMP based WPA2instead.
Enhanced Message Falsification Attack on WPA by Toshihiro Ohigashiand Masakatu Morii [13] reduces running time of the attack from 12-15 minutesdown to about a minute on the best base. The authors apply Beck-Tews typeof an attack to the Man-In-The-Middle (MITM) attack so that would work forany WPA implementation regardless if it supports QoS features or not. MITMenables for the attacker to get larger TSC-s from the AP/STA than the STA/APknows by selectively relaying traffic. This way there is no need for multiplechannels provided by QoS and Beck-Tews attack can be launched on the samechannel.
The main complexity is in executing the MITM attack. However this couldbe achieved by the attacker impersonating as an AP selectively holding back orforwarding every message received.
Improvement in the running time can be achieved by making more assump-tions about plaintext contained in encrypted packet. However, this approach isprobabilistic, since, as authors point out in [13], that the probability of successis about 37%.
TKIP Michael Reset Attack is described by Beck in [5]. This attack is basedon Beck-Tews attack [4] and enables to continuously inject more and largerpackets. IEEE 802.11 allows to transmit packet in 16 frames so custom messagescan consist up to 16 frames and that is why up to 16 different keystream/IVpairs are needed.
Beck outlines two techniques for generating new keystreams which can beused to encrypt malicious packets which are concatenated with the original pack-ets. First method uses extracted keystreams from known plaintexts of encryptedpackets which are passively collected. In the paper Beck uses IPv4 and ARPpackets and Logical Link Control (LLC) prefix of the packets for getting initialparts of the keystream because both of them contain a lot of known values.From IP packets can be extracted up to 12 bytes. ARP packets provide evenmore keystream bytes. This method provides only limited number of keystreambytes and is timeconsuming due to the waiting delay of Beck-Tews attack. Forgedpackets can be up to 568 bytes [5] in length if ARP packets are used when notcounting space required for ICVs and MIC.
However a better solution exists. In the responses from Linux systems dif-ferent values in the TCP-RST packets and their IP headers can be guessed: ID,TTL, header length, flag=RST or deduced: sequence number, IP header check-sum, TCP packet checksum. This means that whole TCP-RST packet can beguessed under condition, that attacker knows an IP of some Linux system in thenetwork and 60 byte 1 keystream is generated. Another way to generate longerkeystreams is to use remote system send it the spoofed TCP-SYN. Final packetof the TCP handshake can be guessed by the attacker. This is the fastest wayto generate IV/keystream pairs with useful keystream lengths.
For creating packets with arbitrary length (up to 16 frames) magic wordshave to be calculated over the custom packet. Magic words are two 32bit wordsthat reset Michael MIC internal state into the value it had after the MichaelKey was set. When these magic words are placed between custom packet andthe original packet, then original keystream will still be valid since the internalstate of the MIC() will be reset after the custom packet and MIC value in theend will match the original one.
Just as in Beck-Tews attack, this new constructed packet has to be sent onchannel which has lower TSC than the current IV.
Fixes: Beck suggests in [5] to use CCMP based WPA2 instead. If that is notpossible then disabling QoS features and reducing re-keying time to somewherearound 120s can avoid this attack.
4 WPA2
4.1 Architecture
Fig. 4. Packet encryption in WPA2 [14]
1 LLC + IP + TCP + MIC + ICV = 8 + 20 + 20 + 8 + 4 = 60 bytes
Fig. 5. Packet decryption in WPA2 [14]
WPA2 uses CCMP for providing data encryption and integrity. CCMP con-sists of Advanced Ecryption Standard (AES), which is run in Counter (CTR)mode for data encryption and in Cipher-Block-Cipher (CBC) mode for produc-ing message authentication code (MIC). Encryption is shown in 4. AdditionalAuthentication Data (AAD) which is constructed from MAC header fields isused to provide integrity of the MAC header. A fresh nonce is constructed fromincremented packet number and MPDU’s A2 field, which contains destinationaddress, and the priority field (currently fixed as 0). Decryption is shown in 5and is done in exactly in the reverse order. Except in the end there is also replaycheck which uses Packet Number (PN).
4.2 Vulnerabilities and Attacks
Currently WPA2 does not have many known vulnerabilities for its cryptographicprimitives. AES and CCMP (and CCM) have been scrutinized over the years bymany researchers. In 2006 was published [14], which presented a theoretical TimeMemory Trade-off (TMTO) pre-computation attack on CTR mode of CCMPand concluded that CCMP does not use keys stong enough. Although multipleimprovements were suggested by the authors, none of them were accepted.
Complexity of the CCM can be considered somewhat vulnerability, since itsspecification is full of subleties as Rogaway and Wagner argue in [10].
A Critique of CCM consists of multiple parts. Authors Rogaway and Wagnerpoint out that CCM has efficiency, complexity, parametrization issues and otherhidden subleties, which all could be improved upon. One of the efficiency issuesis that CCM is not on-line which means that it can only process data of knownlength. This increases the requirements for resources. Also the additional data(header) cannot be preprocessed. Since that data is most likely to remain un-changed for some period of time, then this kind of reprocessing wastes resources.
In the authors opinion showing out the length-of-the-message-length is inappro-priate. Choice of lengths of the nonces is also done badly since minimum lengthof 56 bits is not acceptable for random nonce.
5 Vulnerabilities and Attacks in WPA and WPA2
Dictionary attack on weak PSK-s. In RSNA the master session keys (MSK)are generated directly from preshared keys or keying material from 802.1x/EAPauthentication. Using preshared keys requires users to use stronger secrets orotherwise the network is vulnerable to the dictionary attack. This attack is thestrongest type of attack currently on WPA/WPA2, because in the case of success,it will open network to the attacker. However mounting this attack against anysystem means doing exhaustive search that is too time-consuming.
Denial of Service attack in 4-way handshake. He and Mitchell analyzedin [7] 4-way handshake. They found that it was susceptible to DoS attack on thesupplicants side.
The idea of the attack was for the attacker to initiate a new 4-way handshakewith the supplicant in the middle of the ongoing 4-way handshake which causesthe supplicant to derive a new PTK’. Since PTK on the authenticator does notmatch PTK’ on the supplicant, the supplicant drops all the received packetsfrom the honest authenticator until a new handshake is initiated.
There exist some solutions for this type of an attack. He and Mitchell givethree possible fixes in [7], however, as they argued, none of them independentlycan provide full protection.
– Random-Drop Queue is a queue on the supplicant for storing different noncesand MIC-s received from the authenticator. An attacker can send differentfirst messages of the 4-way handshake, everything is stored in the queuewhere some entries are dropped randomly after some period of time. Whenthird message is received from authenticator, nonces and MIC are checkedagainst the queue. Blocking is possible in case when correct ANonce andMIC from authenticator gets dropped from the queue.
– Authenticate the first message of 4-way handshake. An existing commonsecret between the authenticator and supplicant would be used to add MICto message 1. That secret could be for an example cached PMK from earliertime which could be used with some predetermined nonces to derive PTK.However this type of fix is still vulnerable to replay attacks because of thePMK is retained for a long time. By default 3600 seconds.
– Reuse of SNonces on the supplicants side. This solution makes the suppli-cant stateless, only supplicants nonce is reused until the 4-way handshake iscomplete.
Hole-196 is a vulnerability found in the very IEEE 802.11i standard [1]. It gotits name by the page 196, on which it was found. On the page 196 the standardsays in short that pairwise key-hierarchy authenticates all the unicast trafficbut group key-hierarchy does not authenticate broadcast and multicast traffic.Standard [1] states that AP encrypts multicast traffic with GTK and all receivingSTA-s decrypt it with their copy of GTK. However it is not said explicitly thatany of the authenticated STA-s can not encrypt and send broadcast/multicastmessages pretending to be the AP.
Hole-196 could be exploited only in insider-attack in which the attacker is al-ready associated and authenticated to the network. That means that he has gotan instance of Group Temporal Key (GTK) which is shared by all the authenti-cated STA-s. In AirTight Networks’ [8] the main concern about Hole-196 is ARPspoofing, which can lead to ohter attacks e.g. MITM, DoS, which in best casecould result in bad connection or in worst case loss of important (and valuable)data. They provide multiple solutions: client isolation, turning off broadcast traf-fic, installing ARP poisoning detection software, but conclude that the standardis faulty on that part and vendors should stop using broadcast traffic alltogether.
6 Conclusion
This paper covered bigger security results on the security of WPA and WPA2.Common threats for both of the protocols can be avoided by using the samemethods: disabling QoS, using short rekeying periods and client isolation. As aconclusion WPA2 seems more secure at the moment since currently it has provento be stronger than its predecessors.
References
1. IEEE: IEEE Std 802.11-2007. New York, NY, USA, (2007)2. IEEE: IEEE Std 802.11-1997. New York, NY, USA, (1997)3. IEEE: IEEE Std 802.11i-2004. New York, NY, USA, (2004)4. Beck, M.,Tews, E.: Practical attacks against WEP and WPA. http://dl.
aircrack-ng.org/breakingwepandwpa.pdf (2008)5. Beck, M.: Enhanced TKIP Michael Attacks. (2010)6. Fluhrer, S., Mantin I., Shamir A.: Weaknesses in the Key Scheduling Algorithm of
RC4. Selected Areas in Cryptography, Volume 2259/2001, 1-24. (2001)7. Changhua He, Mitchell, J.C.: Analysis of the 802.11i 4-Way Handshake. (2004)8. AirTight Networks: WPA2 Hole196 Vulnerability. http://www.airtightnetworks.
com/wpa2-hole196
9. Roos, A.:A Class of Weak Keys in the RC4 Stream Cipher. PreliminaryDraft,Vironix Software Laboratories (1995)
10. Rogaway, P, Wagner, D.: A Critique of CCM. (2003)11. IETF: DIAMETER. Proposed Standard, http://tools.ietf.org/html/rfc3588.
(September 2003)12. IETF: RADIUS. Draft Standard, http://tools.ietf.org/html/rfc2865. (2000)13. Toshihiro Ohigashi, Masakatu Morii. A practical message falsification attack on
WPA. (2008)
14. M. Junaid, Mufti, M., Ilyas, M.U.: Vulnerabilities of IEEE 802.11i Wireless LANCCMP Protocol. (2006)
15. Dantu, R., Clothier, G., Atri, A.:EAP methods for wireless networks. ComputerStandards & Interfaces Volume 29, Issue 3, March 2007, Pages 289-301 (2006)
16. KoreK: Chopchop (experimental WEP attacks). http://www.netstumbler.org/
showthread.php?t=12489. (2004)17. Tews, E.: Attacks on the wep protocol. Cryptology ePrint Archive, Report
2007/471, 2007. http://eprint.iacr.org/. (2007)18. Wool, A.:A Note on the Fragility of the Michael Message Integrity Code.
IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, VOL. 3, NO. 5.(September 2004)
