PISA Seminar. Ray Hunt. Associate Professor (Networks ... IEEE802.16
Broadband Wireless Access Standard (Wireless. MANs). ▫ Bluetooth Wireless
PAN (Personal Area Network) 2.4 GHz (= IEEE802.15) ..... and Reporting.
Services. User.
Critical Issues in
Wireless Local & Wide Area Security @ PISA Seminar
Ray Hunt Associate Professor (Networks and Security) University of Canterbury, New Zealand
[email protected] www.cosc.canterbury.ac.nz/~ray
1
Key Wireless LAN Technologies IEEE802.11b (11 Mbps) 2.4 GHz (Wi-Fi) (US) IEEE802.11a (54 Mbps) 5 GHz (US) HiperLAN/2 (54 Mbps) 5GHz (Europe) IEEE802.11g (54 Mbps) 2.4 GHz IEEE802.16 Broadband Wireless Access Standard (Wireless MANs) Bluetooth Wireless PAN (Personal Area Network) 2.4 GHz (= IEEE802.15) www.bluetooth.com HomeRF (1.6 Mbps) 2.4 GHz www.homerf.org 2
Wireless LAN - Good Security Principles
3
How Security Breaches Occur War driving Passing by in cars, pedestrians Attack software available on Internet to assist GPS can assist in locating networks Access to an insecure WLAN network is potentially much easier than to a fixed network
Without authentication and encryption, WLANs are extremely vulnerable Anybody with shareware tools, WLAN card, antenna and GPS is capable of “war driving” 4
WLAN - Good Security Principles Problems with bad WLAN architecture Located behind firewall in trusted network No authentication
Must consider security options: Infrastructure design to enhance security? Open access or MAC restricted? Implement WEP or not?
Problem with rogue WLAN Can give access to trusted network as connection/installation as easy as connecting to a hub and without knowledge of administrator 5
WLAN - Good Security Principles Wireless LAN - out of the box Enable WEP (in spite of some issues) Change default/identifiable SSID (Service Set Identifier) as network name not encrypted Use products with dynamic key generation such as Lucent/Agere’s ORiNOCO AS-2000 Do not use MAC address Authentication - tools are readily available to sniff a MAC address
6
WLAN - Good Security Principles Consider network (and above) options: DHCP or static IP Authentication RADIUS, DIAMETER, EAP, SRP, LEAP
IEEE 802.1x IPSec VPNs and Encrypted tunnels SSL/TLS PKI and IKE key management Digital Certificates etc 7
WLAN Security WLANs suffer from security problems WEP (Wired Equivalent Privacy) has been partial fix, viz Limited number of community encryption keys When one key compromised, entire system must be manually re-configured
Authentication is one-way only No per-message integrity checks Can lead to session hijacking …………see diagram ……... 8
WLAN Security
9
WLAN Security Authentication of user, not device necessary Adoption of IEEE 802.1x and EAP (Extensible Authentication “Transport” Protocol) - discussed later Generation of new encryption key per session Mutual authentication eliminates rogue access points ….. see diagram …...
10
WLAN Security
11
WEP (Wired Equivalent Privacy)
12
WEP Security Features RC4 encryption Uses 40 or 128 bit shared key Encrypts payload while frame is “in the air”
Wireless LAN Encrypted by WEP
Wired LAN Not encrypted by WEP Traffic flow 13
WEP Security Features WEP (Wired Equivalent Privacy) WEP has two main design goals: Protection from eavesdropping Prevent unauthorized access
IEEE 802.11 defines mechanism for encrypting frames using WEP as follows: a) A key is shared between all members of BSS b) The encryption algorithm for WEP is RC4, used to generate key stream, which is XORed against plaintext to produce ciphertext 14
WEP Security Features c) The decryption algorithm for WEP is RC4 which is XORed against ciphertext to reproduce plaintext d) WEP appends 24-bit IV to the shared key; WEP uses this combined key + IV to generate RC4 key schedule. WEP selects new IV for every packet e) Encapsulation transports IV and ciphertext from sender (encryptor) to receiver (decryptor) f) WEP uses a CRC for integrity check of the frame. The CRC is computed over data payload and appended to frame before encryption. WEP encrypts CRC with rest of data payload g) Authentication - one way client MAC address only 15
WEP Security Features WEP was never intended to be complete end-toend solution Business policy will dictate if additional security mechanisms required such as: access control, end-to-end encryption, password protection, authentication, VPNs, firewalls, etc
WECA believe many reported attacks are difficult to carry out IEEE 802.11 working on extensions to WEP (IEEE 802.11e). See reference to ESN 16
WEP Protocol Encryption Plaintext Message
CRC
X-OR Keystream = RC4(iv,k)
iv
Ciphertext
Transmitted Data k = key iv = Initialisation Vector RC4 = Rivest Cipher 4 Stream Cipher
17
WEP Protocol Decryption iv X-OR
Ciphertext Transmitted Data Keystream = RC4(iv,k)
Plaintext Message k = key iv = Initialisation Vector RC4 = Rivest Cipher 4 Stream Cipher
CRC
18
WEP Symmetric Key Operation Secret Message over Wireless LAN
tri c me Sym Ke y
tri c me Sym Ke y
Secret Message over Wireless LAN
The same symmetric (RC4) key is used to encrypt and decrypt the data
WEP Integrity Check Using CRC-32
Message
Message
CRC-32
Polynomial
Match
CRC-32
Integrity check used to ensure packets not modified during transit
WEP Security Weaknesses Number of flaws discovered in WEP: Passive attacks to decrypt traffic using statistical analysis Active attacks - inject new traffic from unauthorized stations based upon known plaintext Active attacks to decrypt traffic based upon tricking the AP (Access Point) Dictionary-building attacks. After analysis of about a days traffic, real-time automated decryption of all traffic is possible Need for user/node Authentication (EAP/802.1X)
21
WEP Security Weaknesses These attacks possible with inexpensive off-theshelf equipment (opinion) These attacks apply to both 40-bit and 128-bit versions of WEP These also apply to any version of the IEEE 802.11 standards (802.11b in particular) that use WEP IEEE is proposing an upgrade to WEP (WEP2 + AES) to rectify problems 22
WEP Security Weaknesses Both IC (Integrity Check) & IV (Initialisation Vector) implementations have weaknesses: IC using CRC-32 designed for detecting line errors, not as security mechanism, therefore has vulnerabilities (not a digital signature) Use of a 24-bit IV guarantees reuse within 5 hours or less (operating with 1500 byte packets at 11 Mbps). Hence attacker has multiple ciphertexts encrypted with same key. See wep-faq.html for further details. 23
WEP Security Enhancements WEP standard does not discuss how shared keys are established Most installations use single key shared between all mobile stations & access points More sophisticated key management disciplines (PKI + IKE) can be used to improve attack defense. Few commercial systems implement such systems yet ESN (Enhanced Security Network) + AES cipher being designed to rectify deficiencies 24
WEP Symmetric Key Operation Secret Message over Wireless LAN
tri c me Sym Ke y
tri c me Sym Ke y
Secret Message over Wireless LAN
The same symmetric (RC4) key is used to encrypt and decrypt the data
Symmetric Key The Advantages Secure Widely Used Encrypted text is compact Fast
The Disadvantages Complex Administration Requires Secret Key Sharing No non-repudiation Subject to interception
Asymmetric (Public/Private) Key Operation Recipient’s Public Key Secret Message over Wireless LAN
Recipient’s Private Key
lic Pubey K
ate Privey K
Secret Message over Wireless LAN
What is encrypted with one key, can only be decrypted with the other key. RSA is one example, Elliptic Curve is another.
Public/Private Key The Advantages
Secure No secret sharing No prior relationship Easier Administration Supports nonrepudiation
The Disadvantages Slower than symmetric key Encrypted text is larger than with symmetric version
The Combination Secret Message over Wireless LAN
dom Ran metric
Secret Messag d e e ypt r c Enover Wireles s LAN
Sym ey K
’s Bob lic Pub
To: Bob
Ke y
“Key Wrapping”
“Digital Envelope”
The Combination “Digital Envelope”
Secret Messag d e e ypt r c Enover Wireles s LAN
To: Bob
dom Ran etric
“Wrapped Key”
’s Bob ate v i Pr Ke y
m Sym ey K
Secret Message over Wireless LAN
The Combination You get the best of both worlds The benefits of Symmetric Key Speed Compact Encrypted Text
The benefits of Public Key Simpler Key Management Digital Signature Non-Repudiation
Digital Signatures Secret Message over Wireless LAN
Secret Message over Wireless LAN
Encrypted Digest
“Hash Function”
Digest
’s ner Sig ate Privey K
Encrypted Digest
Digital Signatures “Hash Function”
Secret Message over Wireless LAN
Encrypted Digest
Secret Message over Wireless LAN
Digest ‘
“match?”
Encrypted Digest
’s ner Sig lic Pub Ke y
Digest
How can you be sure that you get a real (and valid) public key? X.509 Digital Certificate n “I officially authorize the associatio between this particular User, and this particular Public Key”
X.509 Digital Certificates Secret Message over Wireless LAN
Encrypted Digest Certificate
Name, Address, Organisation Owner’s Public Key Certificate Validity Dates Certifying Authority’s Digital Signature
All you need is the CA’s public key to verify the certificate and extract the owner’s public key
Is WEP2 going to fix the problems? WEP2 (= may be called TKIP) features: Increases size of IV space to 128 bits Key may be changed periodically via IEEE 802.1x reauthentication to avoid staleness No keyed MIC (Message Integrity Check), i.e. no digital signature using keys No authentication for reassociate, disassociate No IV replay protection Use of Kerberos for authentication within IEEE 802.1x
Analysis shows that although security has been improved, there are additional solutions 36
Wireless Vulnerabilities Addressed by Various Security Mechanisms • WEPv1
• WEPv2 • Kerberos-5 • AES - Advanced Encryption Standard (Rijndael) • SRP - Secure Remote Password Attack Unintentional IV reuse Intentional IV reuse Realtime decryption Known plaintext Partial known plaintext Authentication forging Denial of Service Dictionary attack
WEPv1
WEPv2 + Kerberos-5 X X
AES+Kerberos-5 X X X X X X
AES + SRP X X X X X X X 37
WEP,VPNs, IDS, Sniffers WEP and VPN can work together: Carefully configured firewalls and tunnels IPSec, IKE, Digital Certificates
Intrusion Detection and Monitoring Systems: Server - IIS, Real Secure IDS, Dragon, AirIDS Access Point - SNMP traps, system logging
Wireless Network Sniffers: Sniffer (Sniffer Technologies - www.nai.com) NetStumbler - discover WLAN cards, APs, peer-to-peer infrastructure, etc AirSnort and WEPCrack - use captured traffic to recover crypto keys 38
EAP (Extensible Authentication Protocol)
39
WLAN Security with EAP Extensible Authentication Protocol checklist: Does it provide for secure exchange of user information during authentication? Does it permit mutual authentication of the client and network thus preventing intrusion? Does it require dynamic encryption keys for user and session? Does it support generation of new keys at set intervals? Is it easy to implement and manage, e.g. EAP-TLS requires client-side certificates? 40
EAP (Extensible Authentication Protocol) – RFC 2284 Many basic protocols such as PAP, CHAP and WEP offer very limited security EAP provides extensions to allow arbitrary authentication mechanisms to validate the connection (e.g. PPP, IEEE 802.11b, etc) EAP links to 3rd party “plug-in” authentication modules: Token cards, Kerberos, PKI, S/Key ... SRP, LEAP, TLS ... 41
EAP (Extensible Authentication Protocol) – RFC 2284 contd ... EAP is available with Windows 2000 & XP Common EAP authentication types include: 1. EAP-SRP (Secure Remote Password) – offers a cryptographically strong “user” authentication mechanism suitable for negotiating secure connections and performing secure key exchange using a usersupplied password 2. MD5 (Message Digest 5) - Wireless CHAP 42
EAP (Extensible Authentication Protocol) – RFC 2284 contd ... 3. LEAP (Lightweight EAP) – CISCO vendor-specific authentication that provides mutual authentication and dynamic WEP key generation 4. EAP-TLS (Transport Layer Security) offers full authentication consistent with PKI public/private keys, PKI and digital certificates. RFC 2716 PPP EAP TLS Authentication Protocol 5. TTLS (Tunnelled Transport Layer Security) - requires server, but not client certificate 43
WLAN Security with EAP
44
WLAN Security with EAP 10. Secure Connection Established
7. Negotiation [EAPoL] 6. Forwards challenge + EAP Type [EAPoL]
9. RADIUS Server Accepts [RADIUS]
3. Client Identity IEEE 802.1x [EAPoL]
8. Response Forwarded [RADIUS]
2. Request Identity IEEE 802.1x [EAPoL]
5. Challenge + EAP Type [RADIUS]
1. Request Connection IEEE 802.1x [EAPoL]
4. Access Request [RADIUS]
IEEE 802.11b Client
Access Point
Ethernet
45
Server
AAA (Authentication, Authourisation, Accounting)
46
Authentication Principles AAA - Authentication, Authourisation, Accounting RADIUS - Remote Authentication Dial-in User Service RADIUS - originally developed to manage dial-in access to Internet. Now being used to manage access control for other systems including Wireless LANs (Æ Diameter) Mobile users require access to resources over both fixed and mobile networks (must be transparent to user)
47
Authentication Principles Access control authorizes who is allowed to enter network and which services can/cannot be accessed Managing a single database of users that contains authentication (user name and credentials), as well as access policy and provisioning information, is an effective way to achieve authentication
48
AAA - Authentication Principles Authentication – Validating a User’s Identity Authentication protocols operate between user and AAA server: PAP, CHAP, RADIUS, DIAMETER, IEEE 802.1x, EAP
Network Access Server (NAS) acts as relay device
49
AAA - Authourisation Principles Authourisation – What is user allowed to do? Controls access to network services & applications Access policy can be applied on a per user, group, global, or location basis Attributes from an access request can be checked for existence or for specific values Other attributes, egg time-of-day or number of active sessions with same username can also be checked Outcome of policy decisions can be sent back to access device as Access Reply attributes 50
AAA - Accounting Principles Accounting – Collecting Usage Data Data for each session is collected by access device and transmitted to AAA server Usage data may include: User Identities Session Duration Number of Packets, and Number of Bytes Transmitted
Accounting data may be used for: Billing Capacity Planning Trend Analysis Security Analysis Auditing 51
AAA Server Architecture Billing & Invoicing Services
User Developed Plug-in
User Directory Services
Central AAA Server
RADIUS Protocol Services
Policy-Based Management Services
Analyzing and Reporting Services 52
AAA can offer Distributed Security
53
Example of Authentication using RrK and TKIP Rapid reKeying (RrK) WEP: IEEE Draft Proposal, August 2001. Change WEP keys more rapidly that effective key discover attacks can be mounted Support existing hardware and firmware implementations but needs capable software 802.1x client (XP) and 802.1x enabled servers Use IEEE 802.1X protocol, with EAP-TLS and distribute keys securely at authentication or re-association Enable periodic re-keying option of IEEE 802.1X Settable from 1-15 minutes - or activity based
Source: Entrasys, May 2002
54
Example of Authentication using RrK and TKIP Role decoded and Priorities Applied
802.1x EAP- RrK
Directory to Role Matching
Access Point 802.1x EAP login
SNMPv3
Radius Authentication LDAP/Directory
Profile creation and distribution
RADIUS Server
TKIP (Temporal Key Integrity Protocol) [=WEP2] Can use 802.1x or a shared resource for key generation Pro: 802.1x is not required Con: Still needs new software on client and access servers RrK and TKIP will probably both be offered as software only solutions late in 2002 55
IEEE 802.1x
56
IEEE 802.1x Authentication Synopsis: Defines generic framework for port-based MAC authentication (not user) and key distribution Authenticates before giving access to network Requires PKI certificate on each client Requires central RADIUS server running EAP EAP acts an “authenticator” (egg Ethernet switch or wireless AP) and authenticates a supplicant (Ethernet or Wireless NIC) by consulting an authentication server such as RADIUS or Kerberos 57
IEEE 802.1x Authentication Synopsis contd: IEEE 802.1x - implemented with different EAP types 1. EAP-MD5 for Ethernet LANs (= CHAP) 2. EAP-TLS for IEEE 802.11b WLANs but supplicant and authenticator must be able to handle digital certificates - hence PKI/CA infrastructure required 3. EAP-SRP weaker (password) authentication
IEEE 802.1x provides “carrier” for secure delivery of session keys between supplicant and authenticator (this was omitted by WEP)
58
IEEE 802.1x Authentication Products: Operating System: Only Windows XP (and XP Pro) so far
Wireless card and AP vendors: Cisco, Agere/Lucent, Enterasys
EAP Authentication Server IAS (Microsoft’s RADIUS in W2000), Steel-Belted RADIUS, Interlink, Cisco/LEAP
Cost: Deployment requires support on all APs and clients More likely to be a corporate solution 59
Recent Developments in WEP WEP2 (TKIP) in process of approval by IEEE 128 bit encryption key 128 bit initialization vector (iv) Backward compatibility with WEP
ESN (Enhanced Security Network) in process of being standardized. Includes: WEP, WEP2 and a new encapsulation protocol using AES (128 bit) encryption with OCB mode Dynamic association of key values Uses Kerberos authentication mechanism 60
Recent Developments in WEP ESN (Enhanced Security Network) development contd….. Fast handover between APs without necessity to reauthenticate. Security profiles are forwarded between APs by IAPP (Inter-Access Point Protocol) = Equivalency Privacy
61
Security: The Layered Onion 802.1x/EAP Radius Authentication 40/128 bit WEP Encryption VPN – Secure Access Virtual Private Networks
Ethernet Data
802.11i AES RrK/TKIP Access Control 62
