Upload
buithu
View
241
Download
5
Embed Size (px)
Citation preview
Wireless Vulnerability Management
©2008 AirTight Networks, Inc. All Rights Reserved.
Wireless Authentication and Encryption:A Primer
Presented by: Hemant Chaskar, PhD
Director of TechnologyAirTight Networks
Page 2 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
Wireless Authentication and Encryption
WEP (Wired Equivalent Privacy) – First Generation
• One way shared key authentication
• RC4 encryption
• This is broken, still popular in home market due to its simplicity
• Also popular in retail (handheld scanners are not upgradable)
WPA (WiFi Protected Access) – Second Generation
• 802.1x authentication
• TKIP encryption (variant of WEP, but stronger)
802.11i (WPA2/RSN) – Third (Current) Generation
• 802.1x authentication
• AES CCMP encryption
Page 3 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
Recall: Stages of Connection Establishment
1. DiscoveryClient discovers AP, requests connection.
AP asks Client to proves its identity. 2. Authentication
3. AssociationClient binds its identity
to AP.
Access Point (AP)Client
4. Encrypted DataStart communication.
Page 4 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
WEP Shared Key Authentication
Key K(40 bit string)
Key K(40 bit string)
Challenge text C (random string of 128 bytes)
Response R1Compute response R1 = f (C, K)
Compute response R2 = f (C, K)
Is R1 = R2? Result (Accept/Reject)
Authentication Request
R1 = R2 = T + Keystream (K, IV)
Note: This is one-way authentication. AP authenticates Client, but not vice versa.
Page 5 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
WEP Encryption
RC4 Key Stream Generator
(Key K | Initialization Vector IV)
XORPacket P Encrypted PIV
RC4 Key Stream Generator
XOR
(Key K | Initialization Vector IV)
Packet P
TRANSMITTER RECEIVER
WIRELESS CHANNEL
• Key K is statically programmed in transmitter and receiver
• IV is changed per packet
40 bit 24 bit
Hundreds of bits
Keystream Keystream
Called ``Stream cipher’’
Page 6 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
Phases of Connection Establishment using WEP
AP Discovery (SSID, signal strength)
Association
WEP Shared Key Authentication
Open (No) Authentication
WEP Encrypted Data Communication
Step 1
Step 2
Step 3
Step 4
Page 7 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
Weaknesses of WEP
IV Collision:
• Means two packets encrypted with same IV
– 24 bit IV can quickly wrap around under heavy traffic conditions
– Many cards/APs on reset start with IV = 0 and increment from there
• If mapping IV Keystream is known for one IV, another encrypted packet having same IV can be decoded
Message modification (Borisov et. al. UC Berkeley)
• Bits in the packet can be flipped in transit without notice of receiver
Lack of replay protection
WEP (key) cracking
• Observing certain number of encrypted packets, key K itself can be cracked
• WEP came to be known as Worst Ever Privacy!
Page 8 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
IV Collision: Creating IV Keystream Library
WEP Shared Key Authentication itself can help!• I see challenge C in plaintext and response R in ciphertext, where R =
C + Keystream • C + R = Keystream for IV seen in R• By sending spoofed deauths, attacker can also increase the frequency
at which authentications take place to build this library faster.
Using this library attacker can connect to the network
• Successfully authenticate with the AP (only one data point needed for this)
• Send (small) packets through the AP
Using this library attacker can read/inject in others’ traffic
• Can read (parts) of packets of other Clients• Can inject (small) packets in other Client’s connection
Page 9 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
Message Modification and Replays in WEP
Borisov, Goldberg and Wagner, 2000, UC Berkeley
• Attacker can capture packets on air and flip certain bits in it without violating the message checksum
• Used by some WEP key cracking attacks as helper
Replay attacks
• Simply capture and replay, it will go through
• Or capture, modify and replay
Page 10 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
WEP (key) Cracking: FMS Attack
``Weaknesses in the key scheduling algorithm of RC4” , by S. Fluhrer, I. Martin, and A. Shamir, 2001
Key results from paper:• Certain values of IVs are called ``Weak IVs’’• If you can collect sufficient (60-100) packets encrypted with weak IVs, key K
can be cracked• The cracking complexity is linear in size of K (ideally for any good encryption
method complexity should be exponential in key size)Freely available tool called “aircrack” implements FMS attack• Passive mode
– Can take several days to collect packets• Active mode
– Can do in few minutes– Exploits lack of replay protection in WEP to expedite packet collection
Page 11 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
WEP (key) Cracking: PTW Attack
Does not even require weak IVs to be present
Uses the fact that certain fields in the frames are well known (easily guessable) to perform key cracking
Has passive and active modes
PTW attack is implemented in freely available “aircrack-ng” tool
Page 12 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
WEP (key) Cracking: Caffé Latte Attack
Can recover WEP keys from connection profiles of laptops even when they are not connected to AP
Exploits the fact that Window’s laptops actively seek to connect to preferred networks
Elicits WEP encrypted ARP responses from laptop to crack WEP key in few minutes
Caffé Latte vulnerability was discovered in 2007 by AirTight Networks’ security research team
Page 13 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
Evolution of “aircrack-ng”
Implementation of caffé latte attack
Implementation of “chaff” resistance
• Chaffing is aimed at confusing WEP cracking tools by injecting junk data in wireless traffic
• Several techniques have been discovered by security researchers to filter out chaff and then perform WEP cracking
Several improvements for replays to expedite encrypted packets collection to crack the WEP key
Page 14 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
WPA: Stop-Gap Fix to WEP
Created by WiFi Alliance
• Note: IEEE standardizes WLAN protocols, WiFi Alliance (www.wifialliance.org) promotes market adoption of WLAN
Constraints:
• No change to XOR based hardware encryption engine
• Something that will work with firmware upgrade to installed base of WLAN equipment
Page 15 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
Connection Establishment using WPA
AP Discovery (SSID, signal strength)
Association
WEP Shared Key Authentication
Open (No) Authentication
WEP Like Encrypted Data Communication
802.1x (EAP) Authentication
802.1x or PSK
Dynamic Encryption Key Generation
Pre-shared Keys (PSK)
Addition of TKIP
Step 1
Step 2
Step 3
Step 4.1
Step 5
Step 4.2 Session specific
Page 16 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
WPA: 802.1x Authentication Framework
Secure Enterprise LAN
``Authentication Server’’ (RADIUS)
AP1
AP2
AP3
AP4
Secure communication channels
APs are gatekeepers, called ``Autheticators’’
Database
Other systems
Wireless Clients, called ``Supplicants’’
Page 17 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
Open Authentication
Association
EAP Identity Request
Open Controlled Port allowing only EAP messages to pass through.
EAP Success
Encrypted Data Exchange
EAPOL Logoff
EAP Identity Response RELAY
Authentication Method Handshake Identity Proof and Master Key Generation
Generate Master Key
Generate Master Key
Accept/Provide Master Key
Generate Transient Keys
EAPOL 4-Way HandshakeGenerate Transient Keys
Open Uncontrolled Port allowing data to pass through.
Wireless Link Wired LAN
Page 18 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
Advantages of 802.1x
Freedom to choose authentication algorithm
• 802.1x is a bearer
• TLS, TTLS, LEAP, PEAP, GTC, MSCHAPv2, Kerberos, SIM, future algorithms can ride over 802.1x, only requirements being
– Support mutual authentication
– Support derivation of master keys
Ease of management of credentials in central authentication server
Ease of integration with other enterprise security systems (network authentication)
Authentication credentials are different for each device
Encryption keys are different for each session
Page 19 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
PEAP Example
PEAP is one popular authentication method that can be supported over 802.1x (EAP) bearer
• PEAP: Protected EAP
• Supported in Windows XP, Windows Vista, Linux
• PEAP operates in 2 phases
Phase 1:
• Client authenticates the Authentication Server using TLS server certificate
• Builds encrypted tunnel between the Client and the Authentication Server
Phase 2:
• Another authentication method can be executed within this tunnel
• Commonly used is MSCHAPv2 which is two-way challenge/response password based authentication method
Page 20 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
EAP Identity Request
Server Challenge
Response to Server Challenge / Client Challenge
Phas
e 2:
M
SCH
APv
2 in
TLS
tu
nnel
, aut
h C
lient
Success / Response to Client Challenge
. / Success
EAP Identity Response (userid@realm)
Open Authentication, Association, EAP Identity Request
Wireless Link Wired LAN
TLS Client Key Exchange (Encryption key Encrypted with public certificate)
EAP Identity Response (anonymous@realm)
RELAYTLS Client Hello (Rand1)
TLS Server Hello (Rand2, server public certificate)
Phas
e 1:
Est
. TL
S tu
nnel
, au
th s
erve
r
EAP Success Accept/Provide Master Key
EAPOL 4-Way Handshake
Page 21 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
WPA: TKIP Encryption
TKIP uses longer IV (48 bit) – twice as much as WEP
Avoids Weak IVs
Prevents IV reuse for any given key
• IV always starts from 0 and counts upwards
Master key generated afresh for each connection attempt – unlike static WEP keys
• Transient keys generated from master key are used for encryption – refreshed at regular intervals
Builds in replay protection via windowing technique
Page 22 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
TKIP Replay Protection
IV in TKIP also serves as sequence counter (TSC)
Basic idea: Reject packets with repeated TSC
For every IV received:
• If current IV > largest received IV so far, accept
• If current IV < largest – 15, reject (to allow burst ACK for 16 frames)
• If largest – 15 current IV < largest, reject if repeated, accept if not repeated
– Note: Retransmissions use the same IV as in original packet
Page 23 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
WPA2/802.11i: Current State of the Art
Final word (as of now) on wireless authentication and encryption
Continues to use 802.1x as in WPA
• PEAP is still popular method
Uses encryption technique called AES (Advanced Encryption Standard), also called as CCMP
• This does require change to hardware encryption engine
• This is a block cipher (in contrast to WEP and TKIP which are stream ciphers)
Page 24 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
Connection Establishment using WPA2/802.11i
AP Discovery (SSID, signal strength)
Association
WEP Shared Key Authentication
Open (No) Authentication
CCMP Encrypted Data Communication
802.1x (EAP) Authentication
802.1x or PSK
Dynamic Key Generation
Pre-shared Keys (PSK)
CCMP (Change in h/w encryption engine)
Step 1
Step 2
Step 3
Step 4.1
Step 5
Step 4.2 Session specific
Page 25 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
PSK (Pre-Shared Key)
In addition to 802.1x (EAP), WPA and WPA2/802.11i support one more authentication method called PSK
In PSK,
• Master keys are pre-configured in Client and AP
• Encryption keys are derived using EAPOL 4-way handshake
• Authentication Server is not needed
• This is supported for home and SMB markets
Page 26 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
Pairwise and Group Cipher Suites
Two encryption suites defined in WPA and 802.11i
• Pairwise Cipher Suite (PCS): Used to encrypt unicast communication over
wireless link between AP and Client
• Group Cipher Suite (GCS): Used to encrypt broadcast and multicast communication within the AP’s BSS
PCS encryption key is derived from master key using EAPOL 4-way handshake
• Different encryption keys (& methods) for different Clients in a BSS
GCS encryption key is delivered to Client by encrypting it with an encryption key derived from master key
• Same encryption key for all Clients in a BSS
Page 27 Wireless Vulnerability Management ©2008 AirTight Networks, Inc. All Rights Reserved.
Thank You
Questions? Contact Hemant Chaskar, PhD: