Wireless Security
Guided By
Prof. Manik Lal Das Department of Information and Communication Technology
Dhirubhai Ambani Institute of Information and Communication Technology
Nov 2012
Prepared By : Harsh (200901193) Narendra Reddy (201111021) Swapnil Gupta (201111030) Arun Gupta (201111049) Payal Chaudhary Ravichndra Reddy (201111048) Anshul Agrawal (200901154)
Introduction
In wireless networks, by far the most commonly deployed networking technology is Wired
Equivalent Privacy (WEP). The security limitations and exploits for WEP are many and have
been well publicized. What is less well known are the exploits and security flaws of its more
secure successor, Wi-Fi Protected Access (WPA). This protocol and its potential for exploit are
covered in this document.
Wi-Fi Protected Access (WPA) Overview
Wi-Fi Protected Access (WPA) supports a strong encryption algorithm and user authentication.
The WPA standard employs Temporal Key Integrity Protocol (TKIP) with Rivest Cipher 4
(RC4) for encryption and Message Integrity Checking (MIC), using 128 bit keys that are
dynamically generated for encryption.
In an enterprise, keys are generated using the 802.1X authentication protocol with Extensible
Authentication Protocol (EAP). The 802.1X protocol is a network access control method used
on both wired and wireless networks. The 802.1X protocol’s use of EAP enables the support of
a variety of user credential types, including username/password, smart cards, secure IDs, or any
other type of user identification. Clients and Access Points (AP) authenticate against a
Remote Authentication Dial-In User Service (RADIUS) server, which validates client access to the
network and also enables connected clients to know they are talking to valid APs once they
are on the network.
In home and small office environments, “pre-shared keys” (PSK) are used as the basis of
packet encryption.
In the WPA standard, if enterprise security is employed, a user supplies credentials to the
RADIUS server which authenticates the user, or if enterprise security is NOT employed, supplies
a manually entered PSK on the client device and Access Point. Once a user is authenticated, a
unique master or “pair-wise” key is created for the session. TKIP distributes the key to the client
and Access Point (AP), using the pair-wise key to generate unique data encryption keys to
encrypt every data packet that is sent during the session. TKIP is initialized with a 48-bit
initialization vector (IV) to prevent keys from being reused with any frequency. A Message
Integrity Check (MIC) is appended to every sent packet, preventing a “man in the middle”
alteration of packets by requiring both the sender and receiver to compute and compare the MIC,
assuming an attack and discarding the packet if the MIC doesn’t match.
In summary, the improvements in WPA over WEP are: the increase in key length from 40-bits to
128-bits; the increased length of the initialization vector (IV) for RC4 encryption from 24-bit to
48-bit; the use of a newly generated secret key for the encryption of each packet; Message
Integrity Checking (MIC); never using Master Keys directly, but rather deriving keys from the
master; and built in key management.
The table below summarizes the key attributes of WEP & WPA.
                        WEP                 WPA
Key size                40 bit              128 bit
Key State               Static              Dynamic
Central Key Management  None                RADIUS
Authentication          WEP Key Challenge   802.1X authentication protocol with Extensible Authentication Protocol (EAP)
Encryption Scheme       RC4                 Temporal Key Integrity Protocol (TKIP) with RC4 for encryption
Wi-Fi Protected Access (WPA) Attacks
Pre-Shared Key (PSK) Attacks
A pre-shared key (PSK) is a 256 bit number or a pass phrase 8 to 63 bytes long. Each Access
Point (AP), when configured in PSK mode, has a single PSK which is used to generate session
keys for each user connecting to the AP.
The PSK attacks are more relevant to home or small business users than large enterprises as
larger organizations are more likely to set up RADIUS servers for authentication, rather than
using PSK.
Pre-Shared Key (PSK) Monitoring Attack
In the Pre-Shared Key (PSK) Monitoring attack, the attacker obtains the basic
information communicated between the client and Access Point (AP), and then generates the
Pairwise Transient Key (PTK) for a session, using the already known PSK.
The attacker does this by passively listening as another client on the network connects to the
Access Point (AP). All necessary information for generating the PTK is readily available: client
and AP MAC addresses; 2 nonces from the 4-way handshake; and the selected cipher suite.
Once the attacker has this set of information, he can generate the PTK, which is a Keyed Hash
Message Authentication Code (HMAC) computed using the PSK (already known by the attacker), the two
MAC addresses, and the two nonces from the first two packets of the 4-way handshake. At this
point, an attacker can decrypt any packets another user of the network may send.
Pre-Shared Key (PSK) Dictionary Attack
If the attacker does not know the Pre-Shared Key (PSK), they may perform the Pre-Shared Key
Dictionary attack to attempt to determine the key. For user-selected pass phrases (PSKs) of less
than 20 characters, this type of attack is expected to be successful.
In this attack, the pass phrase can be determined using a dictionary of common pass phrases and
then running them through a well-known algorithm for generating Pairwise Master Keys (PMKs).
This algorithm concatenates the pass phrase, the SSID, and the SSID length into a single string
which is hashed 4096 times, generating the PMK. Due to the number of potential pass phrases
and the algorithms that must be run, this attack must be performed offline. Once the
attacker has determined the PMK, he may use it to generate Pairwise Transient Keys (PTKs) for
individual sessions as described in the previous attack.
The solution for this attack is to use pass phrases of greater than 20 characters or to use a
relatively shorter, random, hexadecimal key.
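The following is an added example, not part of the original report, showing the pass-phrase-to-PMK step and the mitigation above from the defender's side. It uses PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, the function IEEE 802.11i specifies for this mapping; the function names, the review rules and the sample SSID and pass phrase are assumptions made for illustration.

```python
import hashlib
import math
import secrets

PMK_ITERATIONS = 4096  # iteration count given in the text
PMK_LEN = 32           # 256-bit PMK


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pass phrase to PMK: PBKDF2-HMAC-SHA1 salted with the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass phrase must be 8 to 63 characters")
    salt = ssid.encode()
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 octets")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt,
                               PMK_ITERATIONS, PMK_LEN)


def random_hex_psk() -> str:
    """A 256-bit PSK as 64 hex digits from the OS CSPRNG (the 'random hexadecimal key')."""
    return secrets.token_hex(PMK_LEN)


def max_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound only: reached when every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def review_passphrase(passphrase: str, ssid: str) -> list:
    """Hypothetical review rules; returns a list of findings (empty = none)."""
    findings = []
    if len(passphrase) <= 20:
        findings.append("20 characters or fewer: within reach of offline guessing")
    if passphrase.isdigit() or passphrase.isalpha():
        findings.append("single character class: small search space")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("contains the SSID, which is broadcast in the clear")
    return findings


if __name__ == "__main__":
    ssid = "HomeNet"            # constructed sample SSID
    candidate = "summer2012"    # constructed sample pass phrase
    print("findings:", review_passphrase(candidate, ssid))
    # The SSID is the salt: the same pass phrase gives a different PMK per network name.
    print(derive_pmk(candidate, ssid).hex())
    print(derive_pmk(candidate, ssid + "-5G").hex())
    # A random 64-digit hex key carries the full 256 bits.
    print(random_hex_psk(), max_entropy_bits(64, 16), "bits")
```

Because the SSID salts the derivation, a default or very common SSID lets work done against one network be reused against another with the same name, so a unique SSID complements a long pass phrase.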
Rivest Cipher 4 (RC4) Attack
Although no specific attacks on Rivest Cipher 4 (RC4) in Wi-Fi Protected Access (WPA) have
been published, RC4 has several deficiencies in its security as a cipher which were discovered in
its usage for the Wired Equivalent Privacy (WEP) protocol.
One attack identified by Fluhrer and McGrew can separate out the keystream from the cipher
when provided a gigabyte of data. Although this is substantial network traffic, a passive listener,
on a relatively idle wireless network, could collect this data over time, or could collect this data
much more rapidly on an active network.
Another attack identified by Fluhrer, Mantin and Shamir found that the first few bytes of an
output keystream have patterns which allow for the detection of information about the encryption
key.
WPA has helped mitigate this by using a 48-bit initialization vector (IV) for RC4 rather than the
24-bit IV used in WEP; dynamically generating a new key for each packet; and throwing away
the initial portion of the keystream before using it for combination with the plain text.
Wi-Fi Protected Access (WPA) Protocol Shutdown Attack
In Wi-Fi Protected Access (WPA)’s quest for improved security, it exposed itself to a Denial of
Service (DoS) vulnerability within its protocol. This vulnerability occurs because WPA will
shut down whenever it detects two attack packets (packet forgeries), that is, two packets with
invalid Message Integrity Checks (MICs), from a client to an Access Point (AP) within a 1 second
window. In the shutdown process, the AP will delete its keys and disconnect all clients,
wait a minute and then reconnect with the clients. This allows malicious clients to sit on the
network, forging packets to the AP and shutting down service for users of the AP. With high
frequencies of these forged packets, the AP can be made nearly perpetually unavailable and
thus unusable to clients.
The solution to this attack is to employ Access Control Lists (ACLs) for APs such that only valid
clients can access the AP's services.
References
1. Weakness in Passphrase Choice in WPA Interface; By Glenn Fleishman, Robert Moskowitz.
2. Passphrase Flaw Exposed in WPA Wireless Security, TechNewsWorld; By Jay Lyman;
11/06/03 3:12 PM PT.
3. Wi-Fi Encryption Fix Not Perfect; By Elisa Batista, 11.15.02.
4. Wi-Fi Security: Are We There Yet?; December 5, 2005 11:42AM.
WPA2 :
WPA2 has replaced WPA. WPA2, which requires testing and certification by the Wi-Fi Alliance,
implements the mandatory elements of IEEE 802.11i. In particular, it introduces CCMP, a new AES-
based encryption mode with strong security. IEEE 802.11i-2004 or 802.11i, implemented as WPA2,
is an amendment to the original IEEE 802.11. The draft standard was ratified on 24 June 2004. This
standard specifies security mechanisms for wireless networks. It replaced the short Authentication
and privacy clause of the original standard with a detailed Security clause. In the process
it deprecated the broken WEP.
The WPA2 includes several key features:
Encryption algorithms:
TKIP – in order to support legacy devices, IEEE 802.11i chooses TKIP as one of the encryption standards (similar to WPA).
CCMP – IEEE 802.11i also includes another encryption protocol known as AES-CCMP. AES stands for Advanced Encryption Standard, which is a strong encryption algorithm; AES-CCMP requires extra hardware to be used.
Message Integrity – A strong data integrity algorithm (Michael Message Integrity Check) is applied (similar to WPA).
Mutual Authentication – 802.11i uses 802.1x/EAP for user authentication (similar to WPA).
Other security features – secure Independent Basic Service Set (IBSS), secure fast handoff (a wireless device can move from one access point to a second access point without disrupting data transmission).
Roaming Support
The IEEE 802.11i defines two classes of security algorithms for IEEE 802.11 networks:
1) Algorithms for creating and using a Robust Security Network Association, called RSNA algorithms (TKIP, CCMP, RSNA establishment and termination procedures, including use of IEEE 802.1X authentication and Key management procedures).
2) Pre-RSNA algorithms (WEP authentication). A wireless station can simultaneously operate pre-RSNA and RSNA algorithms.
Implementation of TKIP is optional for an RSNA. The aim for TKIP was that the algorithm should
be compatible with devices that support only WEP; only a firmware upgrade is required to
support TKIP. RSNA devices should only use TKIP when communicating with devices that are
unable or are not configured to communicate using CCMP.
Authentication
Authentication in the WPA2 Personal mode, which does not require an authentication server, is
performed between the client and the AP generating a 256-bit PSK from a plain-text pass phrase
(from 8 to 63 characters). The PSK in conjunction with the Service Set Identifier and SSID length
form the mathematical basis for the PMK (Pair-wise Master Key) to be used later in key generation.
Authentication in the WPA2 Enterprise mode relies on the IEEE 802.1X authentication standard. The
major components are the supplicant (client) joining the network, the authenticator (the AP serves as
the authenticator) providing access control and the authentication server (RADIUS) making
authorization decisions. The authenticator (AP) divides each virtual port into two logical ports, one
for service and the other for authentication, making up the PAE (Port Access Entity). The
authentication PAE is always open to allow authentication frames through, while the service PAE is
only open upon successful authentication by the RADIUS server. The supplicant and the
authenticator communicate using Layer 2 EAPoL (EAP over LAN). The authenticator converts
EAPoL messages to RADIUS messages and then forwards them to the RADIUS server. The
authentication server (RADIUS), which must be compatible with the supplicant’s EAP types,
receives and processes the authentication request. Once the authentication process is complete the
supplicant and authenticator have a secret MK (Master Key), as shown in the following figure.
Figure 1. 802.1X authentication
Encryption using CCMP (CTR with CBC-MAC Protocol)
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
provides confidentiality, authentication, integrity, and replay protection. CCMP combines CTR for
confidentiality and CBC-MAC (Cipher Block Chaining Message Authentication Code used for
constructing a message authentication code from a block cipher) for authentication and integrity. All
AES processing used within CCMP uses a 128-bit key and a 128-bit block size.
CCMP requires a fresh temporal key for every session. CCMP also requires a unique nonce
value for each frame protected by a given temporal key. CCMP uses a 48-bit packet number (PN) for
this purpose. Reuse of a PN with the same temporal key violates the security of CCMP. CCMP
processing expands the original size of the MPDU (Medium access control Protocol Data Unit, the
unit of data exchanged between two peer MAC entities) by 16 octets: 8 octets for the CCMP header
field and 8 octets for the MIC field.
CCMP encrypts the payload of a plaintext MPDU and encapsulates the resulting cipher text,
which involves the following steps:
1) Increment the PN (which is 48 bits long) by a positive number for each MPDU. The PN shall never repeat for a series of encrypted MPDUs using the same temporal key.
2) Use the fields in the MPDU header to construct the additional authentication data (AAD) for CCM. The CCM algorithm provides integrity protection for the fields included in the AAD.
3) Construct the CCM Nonce block from the PN, A2, and the Priority field of the MPDU, where A2 is MPDU Address 2. The Priority field has a reserved value set to 0.
4) Place the new PN and the key identifier into the 8-octet CCMP header.
5) Use the temporal key, AAD, nonce, and MPDU data to form the cipher text and MIC. This step is known as CCM originator processing. The CCM originator processing provides authentication and integrity of the frame body and the AAD as well as confidentiality of the frame body. The output from the CCM originator processing consists of the encrypted data and 8 additional octets of encrypted MIC.
6) Form the encrypted MPDU by combining the original MPDU header, the CCMP header, the encrypted data and MIC.
The CCMP encryption process is illustrated in the following figure.
Figure 2. CCMP encryption process
CCMP decrypts the payload of a cipher text MPDU and decapsulates a plaintext MPDU using the
following steps:
I. The encrypted MPDU is parsed to construct the AAD and nonce values.
II. The AAD is formed from the MPDU header of the encrypted MPDU.
III. The nonce value is constructed from the A2, PN, and Priority Octet fields (reserved and set to 0).
IV. The MIC is extracted for use in the CCM integrity checking.
V. The CCM recipient processing uses the temporal key, AAD, nonce, MIC, and MPDU cipher text data to recover the MPDU plaintext data as well as to check the integrity of the AAD and MPDU plaintext data.
The decryption processing prevents replay of MPDUs by validating that the PN in the MPDU is greater than the replay counter maintained for the session. The CCMP decryption process is illustrated in the following figure.
Figure 2. CCMP decryption process
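The PN handling in the steps above, as an added example that is not part of the original report: it packs the PN and key identifier into the 8-octet CCMP header, builds the 13-octet CCM nonce from the Priority field, A2 and PN, and applies the receiver's replay check. The AES-CCM computation itself is not performed (the MIC result is passed in as a flag), and all class and function names are hypothetical.

```python
PN_MAX = (1 << 48) - 1
EXT_IV = 0x20  # ExtIV bit, always set in a CCMP header


class PacketNumberSource:
    """Originator side: a strictly increasing 48-bit PN per temporal key."""

    def __init__(self):
        self._pn = 0

    def next_pn(self) -> int:
        if self._pn >= PN_MAX:
            # PN space used up: a new temporal key is needed, never a wrap to 0.
            raise OverflowError("PN exhausted; rekey before sending")
        self._pn += 1
        return self._pn


def build_ccmp_header(pn: int, key_id: int) -> bytes:
    """8 octets: PN0 PN1 Rsvd (KeyID|ExtIV) PN2 PN3 PN4 PN5."""
    if not 0 <= pn <= PN_MAX or not 0 <= key_id <= 3:
        raise ValueError("PN must fit in 48 bits and key ID in 2 bits")
    p = pn.to_bytes(6, "little")  # p[0] is PN0 (least significant octet)
    return bytes([p[0], p[1], 0x00, EXT_IV | (key_id << 6), p[2], p[3], p[4], p[5]])


def parse_ccmp_header(hdr: bytes):
    """Return (pn, key_id) from an 8-octet CCMP header."""
    if len(hdr) != 8 or not hdr[3] & EXT_IV:
        raise ValueError("not a CCMP header")
    pn_octets = bytes([hdr[0], hdr[1], hdr[4], hdr[5], hdr[6], hdr[7]])
    return int.from_bytes(pn_octets, "little"), hdr[3] >> 6


def build_nonce(a2: bytes, pn: int, priority: int = 0) -> bytes:
    """13 octets: priority octet, A2, then the PN most significant octet first."""
    if len(a2) != 6:
        raise ValueError("A2 is a 6-octet MAC address")
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")


class ReplayGuard:
    """Recipient side: per-session replay counter."""

    def __init__(self):
        self.counter = 0

    def receive(self, hdr: bytes, mic_ok: bool) -> str:
        pn, _key_id = parse_ccmp_header(hdr)
        if not mic_ok:
            # A forged frame must not move the counter, or one bogus frame with
            # a huge PN would make every later genuine frame look like a replay.
            return "discard: MIC failure"
        if pn <= self.counter:
            return "discard: replay"
        self.counter = pn
        return "accept"


if __name__ == "__main__":
    a2 = bytes.fromhex("020000000001")  # constructed sample transmitter address
    src, guard = PacketNumberSource(), ReplayGuard()
    pn = src.next_pn()
    hdr = build_ccmp_header(pn, key_id=0)
    print(hdr.hex(), build_nonce(a2, pn).hex())
    print(guard.receive(hdr, mic_ok=True))   # accept
    print(guard.receive(hdr, mic_ok=True))   # discard: replay
```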
Benefits of WPA2
WPA2 (along with WPA) resolved vulnerabilities of WEP to “hacker attacks such as ‘man-in-the-
middle’, authentication forging, replay, key collision, weak keys, packet forging, and ‘brute–
force/dictionary’ attacks”[4]. By using government grade AES encryption and 802.1X/EAP
authentication WPA2 further enhances the improvements of WPA using TKIP encryption and
802.1X/EAP authentication over WEP’s imperfect encryption key implementation and its lack of
authentication. AES has no known attacks and the current analysis indicates that it takes 2^120
operations to break an AES key. In addition to the encryption benefits, WPA2 also adds two
enhancements to support fast roaming of wireless clients moving between wireless APs.
PMK caching support – allows for reconnections to APs to which the client has recently been connected without the need to re-authenticate.
Pre-authentication support – allows a client to pre-authenticate with an AP towards which it is moving while still maintaining a connection to the AP it’s moving away from.
PMK caching support and Pre-authentication support enable WPA2 to reduce the roaming time from
over a second to less than 1/10th of a second.
Attacks found on WPA2
Like all Wi-Fi security standards, WPA2 cannot withstand physical layer attacks such as RF jamming, data flooding, and access point failure. Unprotected management frames can also enable the following attacks:
They provide an attacker the means to discover the layout of the network and pinpoint the location of devices, therefore allowing for more successful DoS attacks against a network.
Deauthentication – After an IEEE 802.11 client has selected an AP for communication, it must first authenticate itself to the AP before any further communication, and to do this it has to send an authentication request. Unfortunately, this management frame is not authenticated using any algorithm. Consequently, the attacker can spoof this frame, pretending to be either the access point or the client. In response, the access point or client will exit the authenticated state and refuse all further frames until authentication is re-established. By repeating the attack persistently, the attacker can keep a client off the WLAN entirely.
Disassociation – A vulnerability very similar to forged deauthentication may be found in the association management frame, which is exchanged after authentication according to the state machine. Since a client may be authenticated with multiple APs at the same time, IEEE 802.11 provides a special association management frame to allow the client and AP to agree which AP is better for which client. IEEE 802.11 also provides a disassociation management frame similar to the deauthentication frame described earlier. The vulnerability in disassociation frames is the same as for deauthentication, because this management frame is also not protected in the WLAN.
Denial of Service (DoS) Attack – In this attack, the intruder sends a continual stream of different kinds of management frames to the WLAN. An attacker can spoof the MAC address of an AP or client and flood the WLAN with different kinds of forged deauthentication, disassociation, association, authentication or beacon management frames in both directions of the communication. In this case the WLAN is overloaded and becomes unusable even for legitimate users.
Wi-Fi Protected Setup (WPS):
Introduction:
“Wi-Fi Protected Setup™ is an optional certification program from the Wi-Fi Alliance
that is designed to ease the task of setting up and configuring security on wireless local area
networks. Introduced by the Wi-Fi Alliance in early 2007, the program provides an industry-
wide set of network setup solutions for homes and small office (SOHO) environments.
Wi-Fi Protected Setup enables typical users who possess little understanding of traditional Wi-Fi
configuration and security settings to automatically configure new wireless networks, add new
devices and enable security. More than 200 products have been Wi-Fi CERTIFIED™ for Wi-Fi
Protected Setup since the program was launched (sic!) in January 2007.”
The Wi-Fi Simple Configuration Specification (WSC) is the underlying technology for the Wi-Fi
Protected Setup certification.
Almost all major vendors (including Cisco/Linksys, Netgear, D-Link, Belkin, Buffalo, ZyXEL
and Technicolor) have WPS-certified devices; other vendors (e.g. TP-Link) ship devices with
WPS support which are not WPS-certified.
Terminology:
The enrollee is a new device that does not have the settings for the wireless network.
The registrar provides wireless settings to the enrollee.
The access point provides normal wireless network hosting and also proxies messages
between the enrollee and the registrar.
Methods of Connection:
Push Button Configuration Method.
PIN Based Method.
1. Push Button Configuration Method:
The user has to push a button, either an actual or virtual one, on both the Access Point
and the new wireless client device. PBC on the AP will only be active until authentication has
succeeded or until it times out after two minutes.
Fig(1): PBC Method
Security Considerations:
PBC protects against eavesdropping attacks and takes measures to prevent a device from
joining a network that was not selected by the device owner. The absence of
authentication, however, means that PBC does not protect against active attacks.
It is also possible for an active attacker to gain access to the end user’s WLAN. If, for
example, the end user presses the Registrar button first, the attacker has an opportunity to
connect to the AP before the intended Enrollee’s button is pressed.
2. PIN Method:
With the PIN method, a PIN is provided for each device that will join the network. A
fixed label or sticker may be placed on a device to identify the PIN for the user. The PIN
is used to ensure that the device that the user intends to add to the network is the one that
is added, preventing accidental or malicious attempts of others to add unintended devices
to the network.
After the PIN has been taken from the user, the following Registration protocol runs
between the Enrollee and the Registrar. There are two types of registration:
Enrollee registration to the AP/Registrar
Registrar registration to the AP.
In the flow below, the Enrollee (AP) registers with the External Registrar.
Fig(2): Registration process in WPS
Brute-Force Attack on PIN method:
If a fixed, label-based password is used, this protocol is vulnerable to a brute force or
dictionary attack on the password by an active attacker posing as an Enrollee. Susceptibility
to this attack will depend upon the length of the device password. To perform the attack, the
active attacker can induce the Registrar to perform the Diffie-Hellman exchange with it and
send R-Hash1 and ENC(R-S1) in M4. Given this reality, the attacker can discover PSK1 by
brute-force calculation if the first half of the device password is relatively short. By
running a second round of the protocol with the same password, the attacker can discover
the rest of the device password (provided that the password is relatively short).
Fig(3):Brute force attack for PIN method
Set-up Configuration Comparison:
Fig(4): Setup Comparison between different methods
Advantages of WPS:
WPS automatically configures the wireless network.
There is no need to know the SSID and passphrase to connect to the wireless network.
The key is randomly generated and less predictable minimizing the risk of network
intrusion.
Eliminates the need to enter complicated hexadecimal passphrase.
WPS introduces Extensible Authentication Protocol (EAP) in WPA2 encryption that
allows secure transmission of sensitive information.
Disadvantages of WPS:
Devices without WPS certification are not able to take advantage of the enhanced security
provided by WPS.
Non-WPS devices will require the user to enter the long hexadecimal passphrase
manually.
WPS does not support "Ad Hoc" connections that allow devices to communicate directly
with each other. All connections must go through the AP.
References:
[1] http://gpl.back2roots.org/source/puma5/netgear/CG32001TDNDS_GPL/ap/apps/wpa2/original/Wi-Fi%20Protected%20Setup%20Specification%201.0h.pdf
[2] http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
[3] http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
[4] http://ebookbrowse.com/wfa-wi-fi-protected-setup-faq-pdf-d24509285