Wireless Authentication and Encryption: A Primer Vulnerability Management ... Wireless Authentication and Encryption: A Primer ... on wireless authentication and encryption

Wireless Vulnerability Management

©2008 AirTight Networks, Inc. All Rights Reserved.

Wireless Authentication and Encryption:A Primer

Presented by: Hemant Chaskar, PhD

Director of TechnologyAirTight Networks

Page 2 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.

Wireless Authentication and Encryption

WEP (Wired Equivalent Privacy) – First Generation

• One way shared key authentication

• RC4 encryption

• This is broken, still popular in home market due to its simplicity

• Also popular in retail (handheld scanners are not upgradable)

WPA (WiFi Protected Access) – Second Generation

• 802.1x authentication

• TKIP encryption (variant of WEP, but stronger)

802.11i (WPA2/RSN) – Third (Current) Generation

• 802.1x authentication

• AES CCMP encryption


Recall: Stages of Connection Establishment

1. DiscoveryClient discovers AP, requests connection.

AP asks Client to proves its identity. 2. Authentication

3. AssociationClient binds its identity

to AP.

Access Point (AP)Client

4. Encrypted DataStart communication.


WEP Shared Key Authentication

Key K(40 bit string)

Key K(40 bit string)

Challenge text C (random string of 128 bytes)

Response R1Compute response R1 = f (C, K)

Compute response R2 = f (C, K)

Is R1 = R2? Result (Accept/Reject)

Authentication Request

R1 = R2 = T + Keystream (K, IV)

Note: This is one-way authentication. AP authenticates Client, but not vice versa.


WEP Encryption

RC4 Key Stream Generator

(Key K | Initialization Vector IV)

XORPacket P Encrypted PIV

RC4 Key Stream Generator

XOR

(Key K | Initialization Vector IV)

Packet P

TRANSMITTER RECEIVER

WIRELESS CHANNEL

• Key K is statically programmed in transmitter and receiver

• IV is changed per packet

40 bit 24 bit

Hundreds of bits

Keystream Keystream

Called ``Stream cipher’’


Phases of Connection Establishment using WEP

AP Discovery (SSID, signal strength)

Association


Open (No) Authentication

WEP Encrypted Data Communication

Step 1

Step 2

Step 3

Step 4


Weaknesses of WEP

IV Collision:

• Means two packets encrypted with same IV

– 24 bit IV can quickly wrap around under heavy traffic conditions

– Many cards/APs on reset start with IV = 0 and increment from there

• If mapping IV Keystream is known for one IV, another encrypted packet having same IV can be decoded

Message modification (Borisov et. al. UC Berkeley)

• Bits in the packet can be flipped in transit without notice of receiver

Lack of replay protection

WEP (key) cracking

• Observing certain number of encrypted packets, key K itself can be cracked

• WEP came to be known as Worst Ever Privacy!


IV Collision: Creating IV Keystream Library

WEP Shared Key Authentication itself can help!• I see challenge C in plaintext and response R in ciphertext, where R =

C + Keystream • C + R = Keystream for IV seen in R• By sending spoofed deauths, attacker can also increase the frequency

at which authentications take place to build this library faster.

Using this library attacker can connect to the network

• Successfully authenticate with the AP (only one data point needed for this)

• Send (small) packets through the AP

Using this library attacker can read/inject in others’ traffic

• Can read (parts) of packets of other Clients• Can inject (small) packets in other Client’s connection


Message Modification and Replays in WEP

Borisov, Goldberg and Wagner, 2000, UC Berkeley

• Attacker can capture packets on air and flip certain bits in it without violating the message checksum

• Used by some WEP key cracking attacks as helper

Replay attacks

• Simply capture and replay, it will go through

• Or capture, modify and replay


WEP (key) Cracking: FMS Attack

``Weaknesses in the key scheduling algorithm of RC4” , by S. Fluhrer, I. Martin, and A. Shamir, 2001

Key results from paper:• Certain values of IVs are called ``Weak IVs’’• If you can collect sufficient (60-100) packets encrypted with weak IVs, key K

can be cracked• The cracking complexity is linear in size of K (ideally for any good encryption

method complexity should be exponential in key size)Freely available tool called “aircrack” implements FMS attack• Passive mode

– Can take several days to collect packets• Active mode

– Can do in few minutes– Exploits lack of replay protection in WEP to expedite packet collection


WEP (key) Cracking: PTW Attack

Does not even require weak IVs to be present

Uses the fact that certain fields in the frames are well known (easily guessable) to perform key cracking

Has passive and active modes

PTW attack is implemented in freely available “aircrack-ng” tool


WEP (key) Cracking: Caffé Latte Attack

Can recover WEP keys from connection profiles of laptops even when they are not connected to AP

Exploits the fact that Window’s laptops actively seek to connect to preferred networks

Elicits WEP encrypted ARP responses from laptop to crack WEP key in few minutes

Caffé Latte vulnerability was discovered in 2007 by AirTight Networks’ security research team

http://www.airtightnetworks.com/home/resources/knowledge-center/caffe-latte.html


Evolution of “aircrack-ng”

Implementation of caffé latte attack

Implementation of “chaff” resistance

• Chaffing is aimed at confusing WEP cracking tools by injecting junk data in wireless traffic

• Several techniques have been discovered by security researchers to filter out chaff and then perform WEP cracking

Several improvements for replays to expedite encrypted packets collection to crack the WEP key


WPA: Stop-Gap Fix to WEP

Created by WiFi Alliance

• Note: IEEE standardizes WLAN protocols, WiFi Alliance (www.wifialliance.org) promotes market adoption of WLAN

Constraints:

• No change to XOR based hardware encryption engine

• Something that will work with firmware upgrade to installed base of WLAN equipment


Connection Establishment using WPA


Association



WEP Like Encrypted Data Communication

802.1x (EAP) Authentication

802.1x or PSK

Dynamic Encryption Key Generation

Pre-shared Keys (PSK)

Addition of TKIP

Step 1

Step 2

Step 3

Step 4.1

Step 5

Step 4.2 Session specific


WPA: 802.1x Authentication Framework

Secure Enterprise LAN

``Authentication Server’’ (RADIUS)

AP1

AP2

AP3

AP4

Secure communication channels

APs are gatekeepers, called ``Autheticators’’

Database

Other systems

Wireless Clients, called ``Supplicants’’


Open Authentication

Association

EAP Identity Request

Open Controlled Port allowing only EAP messages to pass through.

EAP Success

Encrypted Data Exchange

EAPOL Logoff

EAP Identity Response RELAY

Authentication Method Handshake Identity Proof and Master Key Generation

Generate Master Key

Generate Master Key

Accept/Provide Master Key

Generate Transient Keys

EAPOL 4-Way HandshakeGenerate Transient Keys

Open Uncontrolled Port allowing data to pass through.

Wireless Link Wired LAN


Advantages of 802.1x

Freedom to choose authentication algorithm

• 802.1x is a bearer

• TLS, TTLS, LEAP, PEAP, GTC, MSCHAPv2, Kerberos, SIM, future algorithms can ride over 802.1x, only requirements being

– Support mutual authentication

– Support derivation of master keys

Ease of management of credentials in central authentication server

Ease of integration with other enterprise security systems (network authentication)

Authentication credentials are different for each device

Encryption keys are different for each session


PEAP Example

PEAP is one popular authentication method that can be supported over 802.1x (EAP) bearer

• PEAP: Protected EAP

• Supported in Windows XP, Windows Vista, Linux

• PEAP operates in 2 phases

Phase 1:

• Client authenticates the Authentication Server using TLS server certificate

• Builds encrypted tunnel between the Client and the Authentication Server

Phase 2:

• Another authentication method can be executed within this tunnel

• Commonly used is MSCHAPv2 which is two-way challenge/response password based authentication method


EAP Identity Request

Server Challenge

Response to Server Challenge / Client Challenge

Phas

e 2:

M

SCH

APv

2 in

TLS

tu

nnel

, aut

h C

lient

Success / Response to Client Challenge

. / Success

EAP Identity Response (userid@realm)

Open Authentication, Association, EAP Identity Request

Wireless Link Wired LAN

TLS Client Key Exchange (Encryption key Encrypted with public certificate)

EAP Identity Response (anonymous@realm)

RELAYTLS Client Hello (Rand1)

TLS Server Hello (Rand2, server public certificate)

Phas

e 1:

Est

. TL

S tu

nnel

, au

th s

erve

r

EAP Success Accept/Provide Master Key

EAPOL 4-Way Handshake


WPA: TKIP Encryption

TKIP uses longer IV (48 bit) – twice as much as WEP

Avoids Weak IVs

Prevents IV reuse for any given key

• IV always starts from 0 and counts upwards

Master key generated afresh for each connection attempt – unlike static WEP keys

• Transient keys generated from master key are used for encryption – refreshed at regular intervals

Builds in replay protection via windowing technique


TKIP Replay Protection

IV in TKIP also serves as sequence counter (TSC)

Basic idea: Reject packets with repeated TSC

For every IV received:

• If current IV > largest received IV so far, accept

• If current IV < largest – 15, reject (to allow burst ACK for 16 frames)

• If largest – 15 current IV < largest, reject if repeated, accept if not repeated

– Note: Retransmissions use the same IV as in original packet


WPA2/802.11i: Current State of the Art

Final word (as of now) on wireless authentication and encryption

Continues to use 802.1x as in WPA

• PEAP is still popular method

Uses encryption technique called AES (Advanced Encryption Standard), also called as CCMP

• This does require change to hardware encryption engine

• This is a block cipher (in contrast to WEP and TKIP which are stream ciphers)


Connection Establishment using WPA2/802.11i


Association



CCMP Encrypted Data Communication

802.1x (EAP) Authentication

802.1x or PSK

Dynamic Key Generation

Pre-shared Keys (PSK)

CCMP (Change in h/w encryption engine)

Step 1

Step 2

Step 3

Step 4.1

Step 5

Step 4.2 Session specific


PSK (Pre-Shared Key)

In addition to 802.1x (EAP), WPA and WPA2/802.11i support one more authentication method called PSK

In PSK,

• Master keys are pre-configured in Client and AP

• Encryption keys are derived using EAPOL 4-way handshake

• Authentication Server is not needed

• This is supported for home and SMB markets


Pairwise and Group Cipher Suites

Two encryption suites defined in WPA and 802.11i

• Pairwise Cipher Suite (PCS): Used to encrypt unicast communication over

wireless link between AP and Client

• Group Cipher Suite (GCS): Used to encrypt broadcast and multicast communication within the AP’s BSS

PCS encryption key is derived from master key using EAPOL 4-way handshake

• Different encryption keys (& methods) for different Clients in a BSS

GCS encryption key is delivered to Client by encrypting it with an encryption key derived from master key

• Same encryption key for all Clients in a BSS


Thank You

Questions? Contact Hemant Chaskar, PhD:

• [email protected]

mailto:[email protected]

Documents

Wireless Authentication and Encryption: A Primer Vulnerability Management ... Wireless Authentication and Encryption: A Primer ... on wireless authentication and encryption