1
Wireless Security Update
Mark Ciampa, Western Kentucky University
2
Oxymoron
Government organization
Same difference
Pretty ugly
Working vacation
Tax return
3
Oxymoron
Jumbo shrimp
Adult male
Act naturally
Microsoft Works
Wireless security
4
Wireless Advantages
Mobility
Increased productivity
Easier installation
Less expensive installation
5
Wireless Disadvantages
Radio signal interference
Health risks
Security
6
Wireless Security Vulnerabilities
Unauthorized users access the wireless network
Attackers view transmitted data
Employees install rogue access points
Weaknesses in original IEEE 802.11 wireless security and new WPA
7
Wireless Attack Tools
NetStumbler – Discover wireless network
Airopeek & Airmagnet – Packet sniffers
Kismet & Airsnort – Break security
8
Wireless Security Attitudes
“It doesn’t matter if someone uses my wireless LAN”
“You can’t make a wireless LAN secure”
“I don’t know what to do”
9
Does Wireless Security Matter?
Get into any folder set with file sharing enabled
See wireless transmissions
Access to network behind firewall can inject malware
Download harmful content linked to unsuspecting owner
10
Does Wireless Security Matter?
Legal implications
Security begins at home
11
Can Make Wireless Secure
Significant improvement in wireless security
New IEEE wireless standard ratified
Common non-technical wireless security language now used
Vendors making wireless security easier
12
Wireless Security Update
Wireless security that doesn’t work and why
Wireless security that does work
How to secure a home WLAN
Contents of wireless curriculum
How to secure an enterprise WLAN
13
Wireless Security Update
WLAN Defenses That Do Not Work
14
Common WLAN Defenses
Encrypt transmissions (WEP)
Hide my network (Disable SSID beaconing)
Restrict who can join my network (MAC address filtering)
Use advanced security (WPA)*
15
WLAN Defenses That Don’t Work
Encrypt transmissions (WEP)
Hide my network (Disable SSID beaconing)
Restrict who can join my network (MAC address filtering)
Use advanced security (WPA)*
16
WEP
Wired Equivalent Privacy (WEP) intended to guard confidentiality of data through cryptography
WEP relies on a secret key that is “shared” between device and access point (AP)
Using same (shared) secret key to both encrypt and decrypt is private key cryptography or symmetric encryption
17
WEP Objectives
Efficient - Algorithm must be proficient enough to be implemented in either hardware or software
Exportable - Must meet the guidelines set by the U.S. Department of Commerce so wireless devices using WEP can be exported overseas
Optional - The implementation of WEP in wireless LANs is an optional feature
18
WEP Objectives
Reasonably strong - Security of the algorithm lies in the difficulty of determining the secret keys through attacks, which is related to the length of the secret key and the frequency of changing keys. WEP was to be “reasonably” strong in resisting attacks.
Self-synchronizing - Each packet must be separately encrypted (prevents a single lost packet from making subsequent packets indecipherable)
19
WEP Keys
WEP keys must be a minimum of 64 bits in length
Most vendors add an option to use a larger 128-bit WEP key for added security (a longer key is more difficult to break)
20
WEP Key Creation
64-bit WEP key created by entering 5 ASCII characters (5y7js) or 10 hexadecimal characters (456789ABCD)
128-bit WEP key created by entering 13 ASCII characters (98jui2wss35u4) or 26 hexadecimal characters (3344556677889900AABBCCDDEE)
Passphrase created by entering 16 ASCII characters (marchspringbreak)
21
How WEP Works
1. Information has a cyclic redundancy check (CRC) checksum value calculated (WEP calls this the integrity check value (ICV)) and appended to the end of the text
2. WEP default shared secret key combined with initialization vector (IV), a 24-bit value that changes each time a packet is encrypted
22
How WEP Works
23
How WEP Works
3. Default shared secret key and IV are then entered into an RC4 pseudo-random number generator (PRNG) that creates a random number (output is keystream)
4. Text + ICV and keystream combined through exclusive OR (XOR) to create ciphertext
5. IV pre-pended to ciphertext
24
How WEP Works
25
WEP Won’t Work
WEP creates a detectable pattern for attackers (weak keys)
Attacker who captures packets for a length of time can see the duplication and use it to crack the code
Weakness is with initialization vector (IV), 24-bit value that changes each time a packet is encrypted
26
WEP Won’t Work
IV is 24-bit number = 16,777,216 possible values
“Expanded” WEP does not increase IV
AP transmitting at only 11 Mbps can send and receive 700 packets each second
Since a different IV is used for each packet, IVs start repeating in less than 7 hours
There are ways to reduce the time needed to minutes
Some WLANs always start with the same IV after the system is restarted and then follow the same sequence of incrementing IVs
27
WEP Won’t Work
RC4 uses a pseudo-random number generator (PRNG) to create keystream
PRNG does not create a true random number but what appears to be a (pseudo) random number
First 256 bytes of the RC4 cipher can be determined by bytes in the key itself
RC4 cipher is not considered the most effective cipher for the task
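The five WEP steps from slides 21 and 23 and the IV-repeat problem from slides 26 and 27, as an added example that is not part of the original deck: a minimal Python model of WEP framing (CRC-32 ICV, RC4 keyed with IV || shared key, XOR, cleartext IV in front) with the receiver-side ICV check. The shared key is the slides' sample hex key; the payloads are constructed.

```python
import struct
import zlib

# Added example, not from the slides: a minimal model of the WEP steps listed
# above, so the per-packet construction and the IV-reuse weakness can be seen.
IV_SPACE = 1 << 24            # 16,777,216 possible 24-bit IVs
SAMPLE_KEY = bytes.fromhex("456789ABCD")   # the slides' 10-hex-digit "64-bit" key (40 secret bits)

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 PRNG: key-scheduling (KSA) then the output loop (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Steps 1-5 from the slides."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)      # 1. CRC-32 ICV appended
    per_packet_key = iv + shared_key                                 # 2. IV combined with key
    keystream = rc4_keystream(per_packet_key, len(plaintext) + 4)    # 3. RC4 PRNG -> keystream
    ciphertext = xor(plaintext + icv, keystream)                     # 4. XOR
    return iv + ciphertext                                           # 5. IV pre-pended in clear

def wep_decrypt(shared_key: bytes, frame: bytes):
    """Receiver side: rebuild keystream from the cleartext IV, strip and check the ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + shared_key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(plaintext) & 0xFFFFFFFF):
        return None                                    # ICV mismatch: frame rejected
    return plaintext

def keystream_reuse_leak(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under one IV share a keystream, so c1 XOR c2 == p1 XOR p2:
    the 'duplication' the slides warn about is visible without the key."""
    c1 = wep_encrypt(shared_key, iv, p1)[3:]
    c2 = wep_encrypt(shared_key, iv, p2)[3:]
    return xor(c1, c2)[:min(len(p1), len(p2))]

def hours_until_iv_repeat(packets_per_second: int) -> float:
    """Upper bound before a busy AP must reuse an IV; collisions occur far sooner."""
    return IV_SPACE / packets_per_second / 3600
```

Note that nothing in the receiver check depends on the key being secret from the ICV's point of view: the CRC only detects accidental corruption, which is why the slides later replace it with a MIC.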
28
WLAN Defenses That Don’t Work
Encrypt transmissions (WEP)
Hide my network (Disable SSID beaconing)
Restrict who can join my network (MAC address filtering)
Use advanced security (WPA)*
29
SSID Beaconing
Service Set Identifier (SSID) is “beaconed” from AP
Provides information to wireless devices wanting to join network
Beaconing SSID is default mode
Some users disable SSID beaconing so network does not appear on Windows list of available wireless networks
30
Disable SSID Beaconing
31
Disable SSID Beaconing Won’t Work
SSID is initially transmitted in cleartext when device is negotiating with AP
Attacker only has to watch for any authorized device to negotiate
If attacker cannot capture initial negotiation process, one can be forced to occur
32
Force Renegotiation
33
Disable SSID Beaconing Won’t Work
If SSID is suppressed from beacon frames, it is still transmitted in other management frames sent by the AP
Windows can’t see it
Netstumbler can see it
Many users do not change default SSID and these are well known; an attacker can try default SSIDs until a connection is accepted
34
Disable SSID Beaconing Won’t Work
Steps to manually enter SSID on wireless device that does not receive beaconed SSID are inconvenient
Turning off SSID beaconing prevents wireless devices from freely roaming from one wireless network to another
Many access points prohibit or discourage turning off SSID beaconing
35
Discourage Turning Off SSID Beaconing
36
Disable SSID Beaconing Won’t Work
Not uncommon to detect multiple wireless signals at home or work
May receive a signal with broadcast SSID and a signal where broadcast SSID is turned off
If using Windows XP the device will always connect to the access point that is broadcasting its SSID
37
WLAN Defenses That Don’t Work
Encrypt transmissions (WEP)
Hide my network (Disable SSID beaconing)
Restrict who can join my network (MAC address filtering)
Use advanced security (WPA)*
38
MAC Address Filtering
Access control - Intended to limit a user’s admission to the AP (only those authorized able to become part of wireless LAN)
Most common type of access control is Media Access Control (MAC) address filtering (not part of IEEE standard)
MAC address is unique 48-bit number “burned” into the network interface card adapter when manufactured
39
MAC Address
40
MAC Address
41
MAC Address Filtering
Access to the wireless network can be restricted by entering the MAC address of approved or denied devices
Once the MAC addresses are entered, only specific devices can be authenticated based on MAC address
42
MAC Address Filtering
43
MAC Filtering
44
MAC Address Filtering Won’t Work
MAC addresses initially exchanged in cleartext between device and access point
MAC address can be “spoofed”
Some wireless NICs allow for a substitute MAC address to be used
Programs available that allow users to spoof MAC address
45
MAC Address Filtering Won’t Work
46
WLAN Defenses That Don’t Work
Encrypt transmissions (WEP)
Hide my network (Disable SSID beaconing)
Restrict who can join my network (MAC address filtering)
Use advanced security (WPA)*
47
WPA Won’t Work*
Wi-Fi Protected Access (WPA)
Intended to provide enhanced security using older wireless equipment
Must enter same passphrase on access point and wireless device
Passphrases less than 20 characters subject to offline dictionary attacks
48
Wireless Security Update
Wireless Security Solutions
49
802.11i
By IEEE organization
Designed specifically to address WLAN vulnerabilities
Ratified June 2004
50
Common Security Models
By Wi-Fi organization
Personal Security Model
WPA – Personal
WPA2 – Personal
Enterprise Security Model
WPA – Enterprise
WPA2 – Enterprise
51
Wireless Security Update
Personal Security Model - WPA
52
Personal Security Model
Designed for single users or small office home office (SOHO) settings of < 10 devices where an authentication server is unavailable
Personal security model has 2 options
WPA – Legacy hardware
WPA2 – Newer hardware
53
Wi-Fi Protected Access (WPA)
Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA) in October 2003
Subset of 802.11i
Addresses encryption & authentication
Designed to enhance security on older WLAN devices
54
Temporal Key Integrity Protocol (TKIP)
WPA replaces WEP with new encryption, Temporal Key Integrity Protocol (TKIP)
TKIP uses 128-bit per-packet key (dynamically generates a new key for each packet and prevents collisions)
TKIP distributes key to client and AP, setting up automated key hierarchy and management system
TKIP dynamically generates unique keys to encrypt every data packet
55
TKIP Encryption
TKIP is a strong substitution for WEP encryption
Instead of replacing the WEP engine, TKIP is designed to fit into the existing WEP procedure with a minimal amount of change
Device starts with 2 keys, a 128-bit encryption key (temporal key) and a 64-bit MIC key
56
TKIP Encryption
1. Temporal key XORed with sender’s MAC address to create an intermediate Value 1
2. Value 1 then mixed with a sequence number to produce Value 2 (the per-packet key) and then entered into the PRNG, just as with normal WEP
3. Sender’s MAC address and receiver’s MAC address are run through a MIC function that creates text with the MIC appended; this value is then XORed with the keystream to create ciphertext
57
TKIP Encryption
58
TKIP Key Mixing
WEP constructs a per-packet RC4 key by concatenating a key and packet IV
TKIP per-packet key construction (TKIP key mixing) substitutes temporary (temporal) key for WEP base key and constructs a per-packet key that changes with each packet
Temporal keys have fixed lifetime and are replaced frequently
59
IV Sequencing
TKIP reuses the WEP IV field as a sequence number for each packet
Both the transmitter and receiver initialize the packet sequence space to zero whenever new TKIP keys are set, and the transmitter increments the sequence number with each packet it sends
Length of the sequence number (IV) has been doubled, from 24 bits to 48 bits.
60
Message Integrity Check (MIC)
WPA replaces Cyclic Redundancy Check (CRC) with Message Integrity Check (MIC), designed to prevent an attacker from altering packets
Attacker can modify a packet and the CRC, making it appear that the packet contents were the original
Receiver and transmitter each compute and then compare the MIC
If they do not match, the data is assumed to have been tampered with and the packet is dropped
Optional countermeasure: all clients are de-authenticated and new associations are prevented for one minute if a MIC error occurs
61
Pre-Shared Key (PSK) Authentication
WPA authentication can be accomplished by either authentication server or pre-shared key (PSK)
Passphrase (the PSK) is manually entered to generate encryption key on AP and devices in advance
PSK not used for encryption but instead serves as the starting point (seed) for generating the encryption keys
Disadvantage of key management: key must be created and entered in any device (“shared”) prior to (“pre”) communicating
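How the PSK acts as a seed rather than as the encryption key, as an added example that is not part of the original deck (it also serves the 20-character passphrase rule on slide 47 and the home-WLAN steps): the passphrase-to-PMK and PMK-to-PTK derivations are the ones IEEE 802.11i specifies, which the slides do not spell out; the passphrase, SSID, MAC addresses and nonces are constructed samples.

```python
import hashlib
import hmac
import os

# Added example (not from the slides): how a WPA/WPA2-Personal passphrase becomes
# the pairwise master key (PMK) that seeds, but never directly serves as, the
# per-session data key. Both derivations follow IEEE 802.11i; all inputs below
# (passphrase, SSID, MAC addresses, nonces) are constructed sample values.

MIN_PASSPHRASE_LEN = 20   # the deck's recommended minimum for a WPA passphrase

def passphrase_to_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) blocks."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise transient key from the 4-way handshake inputs (AP and station MACs,
    both nonces), split into KCK (handshake MIC key), KEK (key-wrap key) and TK (data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)    # PRF-384 for CCMP (AES)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def passphrase_policy_ok(passphrase: str) -> bool:
    """The deck's rule for home WLANs: 20 or more printable ASCII characters."""
    return (len(passphrase) >= MIN_PASSPHRASE_LEN
            and passphrase.isascii() and passphrase.isprintable())

def session_keys_differ(passphrase: str, ssid: str, aa: bytes, spa: bytes) -> bool:
    """Same PMK, fresh nonces: the TK changes on every association even though
    the passphrase (and so the PMK) stays the same."""
    pmk = passphrase_to_pmk(passphrase, ssid)
    tk1 = derive_ptk(pmk, aa, spa, os.urandom(32), os.urandom(32))["TK"]
    tk2 = derive_ptk(pmk, aa, spa, os.urandom(32), os.urandom(32))["TK"]
    return tk1 != tk2
```

Because the SSID is the PBKDF2 salt, the same passphrase yields a different PMK on every network, which is one more reason the deck's "unidentifiable SSID" advice is worth following.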
62
Wi-Fi Protected Access (WPA)
Designed to enhance security on older WLAN devices
Should only be used if devices cannot support WPA2
63
Personal Security Model
64
Wireless Security Update
Personal Security Model – WPA2
65
Wi-Fi Protected Access 2 (WPA2)
Wi-Fi Alliance introduced Wi-Fi Protected Access 2 (WPA2) in September 2004
WPA2 based on the final IEEE 802.11i
WPA2 uses AES for data encryption and supports authentication server or PSK technology
WPA2 allows both AES and TKIP clients to operate in the same WLAN; IEEE 802.11i only recognizes AES
66
AES
AES algorithm processes blocks of 128 bits, yet the length of the cipher keys and number of rounds can vary, depending upon the level of security that is required
Available key lengths are 128, 192 and 256 bits, and the corresponding numbers of rounds are 10, 12, and 14
Only the 128-bit key and 128-bit block are mandatory for WPA2
It is recommended that AES encryption and decryption be performed in hardware because of the computationally intensive nature of AES
67
AES Security
68
Personal Security Model
69
Wireless Security Update
How To Make a Home Wireless LAN Secure
70
Steps to Protect a Personal Wireless LAN
Install Microsoft Hot Fix (KB893357)
Turn on WPA2
On older equipment use WPA
MUST use 20+ character WPA passphrase
Turn on wireless VLAN
If you want to deter “casual” users:
Use MAC address filtering
Use unidentifiable SSID
Turn off SSID beaconing
71
Set WPA2 on AP
72
Set WPA2 on AP
73
Set WPA2 on Device
74
Show WPA2
75
Turn on VLAN
76
Secure Easy Setup
Collaboration between Linksys and Broadcom
Activate WPA security “at the push of a button”
Automatically configures custom SSID and enables WPA dynamic key encryption settings
No need to manually enter a passphrase or key
Two step process:
Push the SES button on access point
Click the START SES button on client
To add more wireless devices to network, simply push the button on the router again to repeat the process
77
Secure Easy Setup
78
Wireless Security Update
Contents of Wireless Curriculum
79
Wireless Curriculum
CompTIA dropped proposed Wireless+ certification
Most popular wireless certifications from CWNA (Planet3):
Wireless#
Certified Wireless Network Administrator
Certified Network Security Professional
80
Course Technology Wireless Textbooks
Guide to Wireless Communications 2ed (Wireless#) – May 2006
CWNA Guide to Wireless LANs 2ed (CWNA) – August 2005
CWSP Guide to Wireless Security 1st (CWSP) – August 2006
81
Wireless Security Update
Enterprise Security Model – WPA & WPA2
82
Enterprise Security Model
Designed for medium to large-size organizations such as businesses, government agencies, and universities with an authentication server
The personal security model has 2 options: WPA & WPA2 (older equipment may be forced to implement WPA, while newer equipment can support WPA2)
83
802.1x
IEEE 802.11i authentication and key management uses IEEE 802.1x (originally developed for wired networks)
802.1x is port security (a device requesting access to the network is prevented from receiving any traffic until its identity can be verified)
802.1x blocks all traffic on port-by-port basis until the client is authenticated using credentials stored on authentication server
84
802.1x Authentication
The supplicant is device which requires secure network access and sends request to an authenticator that serves as an intermediary device (authenticator can be an access point on a wireless network or a switch on a wired network)
The authenticator sends request from supplicant to authentication server, which accepts/rejects the supplicant’s request and sends that information back to the authenticator, which in turn grants or denies access to the supplicant
Strength of the 802.1x protocol is that supplicant never has direct communication with authentication server
85
802.1x
1. Device requests from AP permission to join WLAN
2. AP asks device to verify its identity
3. Device sends identity information to AP, which passes encrypted information to authentication server
4. Authentication server verifies/rejects client’s identity and returns information to AP
5. Approved client now joins the network
86
802.1x
87
802.1x Supplicant
Supplicant, required on the wireless device, is software that is installed on the client to implement the IEEE 802.1x protocol framework
Supplicant software may be included in client operating system, integrated into device drivers, or installed as third-party “standalone” software
Some vendors of wireless NICs supply supplicant with their cards
88
Authentication Server
Authentication server stores the list of the names and credentials of authorized users
Wireless user credentials may also be stored in an external database, such as Structured Query Language (SQL), Lightweight Directory Access Protocol (LDAP), or Microsoft Active Directory
Typically a Remote Authentication Dial-In User Service (RADIUS) server is used
89
RADIUS
Request is first sent to authenticator, which relays the information (username, password, type of connection) to RADIUS server
Server first determines if AP itself is permitted to send requests
RADIUS server attempts to find the user’s name in its database
Then applies the password to decide whether access should be granted to this user
90
Encryption
Once authenticated by IEEE 802.1x, the same protocol next provides the wireless device a unique encryption key called the MK
From this single key all the necessary encryption keys for encrypted communication can then be created
Keys can also be changed during a session
91
Encryption
Eliminates difficulties and potential dangers associated with PSK
Each user has a unique key
Keys remain strong and require no management
Adding additional APs only requires that the newly installed APs connect to the existing authentication server
92
Extensible Authentication Protocol (EAP)
EAP-Transport Layer Security (EAP-TLS) - Requires the use of certificates to validate a supplicant; supported by Microsoft and included in Microsoft Windows XP and Windows Server 2003
Lightweight EAP (LEAP) - Proprietary standard supported by Cisco; LEAP provides authentication based on the Windows username and password logon (certificates are not required)
EAP-Tunneled TLS (EAP-TTLS) - Supports advanced authentication methods such as using tokens
Protected EAP (PEAP) - Uses certificates similar to Secure Sockets Layer (SSL) with Web browsers; supplicant presents a certificate to the authentication server (via the authenticator) but does not require a certificate from the server in return
Flexible Authentication via Secure Tunneling (FAST) - Most recent variation; can set up a tunnel without checking digital certificates and also supports tokens
93
Enterprise Security Model