사업명: 국가비밀문서 유통관리 기반구조...
TRANSCRIPT
NSRI
2
Agenda
• WLAN 개요
• WLAN 보안 취약점
– WEP
– 802.1x
– Summary
• WLAN 보안 Solutions
– TKIP
– Inner VPN
– Vendor
– Summary
NSRI
3
WLAN 개요
NSRI
4
Wireless LAN(1)
• IEEE 802.11 – 802.11, 802.11b, 802.11a, 802.11g
– IR(Infrared)
– SS(Spread Spectrum) • FHSS(Frequency Hopping SS)
• DSSS(Direct Sequence SS)
• OFDM(Orthogonal Frequency Modulation)
• WATM-WG(ATM Forum)
• SUPERLAN(WIN Forum)
• ETSI – HIPERLAN1
– HIPERLAN2
• Bluetooth
• MMAC-PC(Multimedia Mobile Access Communication)
• Home RF
NSRI
5
Wireless LANs(2)
Characteristics 802.11 802.11b 802.11a(g) HIPERLAN1/2
Modulation FHSS/DSSS(IR) DSSS OFDM OFDM
Carrier Freq. 2.4GHz 2.4GHz 5GHz(2.4) 5GHz
Max. Physical Rate 2Mbps 11Mbps 54Mbps(22) 54Mbps
Max. Data Rate(Layer 3) 1.2Mbps 5Mbps 32Mbps 32Mbps
MAC/Media Sharing CSMA/CA CSMA/CA CSMA/CA Central Resource Control/TDMA/TDD
Connectivity Connectionless Connectionless Connectionless Connection Oriented
Authentication No No No NAI/IEEE Addr./X.59
Encryption 40bit RC4 40bit RC4 40bit RC4 DES/T-DES
Fixed Network Support Ethernet Ethernet Ethernet Ethernet, IP, ATM, UMTS, PPP
Radio Link Quality Control No No No Link Adatation
NSRI
6
Wireless Network Architecture
Distribution System
AP (a)
Station (a1)
Server
Station (a2)
AP (b)
Station (b1)
Station (b2)
Ad-hoc
Station (ah1)
Station (ah2)
NSRI
7
Ad-Hoc Network
• No structure to the network
• No fixed points
• Communicate to every nodes
• Packet transmission order
Mobile Station
Mobile Station
Mobile Station
Mobile Station
Ad-HOC Network
NSRI
8
Ad-hoc Network(Bluetooth)
적용 방식
P2P Connection Multipoint Connection Personal Connected Bubble
활용 시기
2001 ~ 2003 ~ 2005 ~
상용 시스템
NSRI
9
Ad-hoc Network(HIPERLAN)
F F F
NF
NF NF
NF F : Forwarder NF : Non-Forwarder
NSRI
10
Infrastructure Network
• Fixed network access point
• Similar to cellular networks
NSRI
11
WLAN 보안 취약점
WEP
NSRI
12
무선 LAN 보안 기술
• 무선 LAN 위협
– 데이터 측면
• 서비스 이용자 : 같은 Hot Spot 지역에 위치한 다른 사용자들에게 자
신의 검색중의 정보 그대로 유출
– 네트워크 측면
• 동일 Hot Spot 지역에서 동일 AP를 통해 동시에 인터넷 접속 타인의
컴퓨터 환경 검색 가능
• 무선 LAN의 보안
– 데이터 보안 측면
• 스니퍼등을 통해서 무선랜 데이터 내용 자체를 몰래보는 행위를 방어
– 네트워크 보안 측면
• 승인된 사용자에게만 네트워크 접속을 허용
NSRI
13
무선 LAN 보안 기술
• 무선 LAN 국제 표준 IEEE 802.11 토대
• 무선 LAN에서의 AP와 단말간의 인증 및 암호화
• 무선 LAN의 MAC 계층에서 구현
• 상위계층에서의 보안은 응용에 따라 별도 구성
NSRI
14
무선 LAN 보안 기술
• 무선랜에서의 인증 방법
– SSID(Service Set ID)를 이용한 인증방법
– Open System 인증 방법
– Shared WEP Key 인증 방법
– EAP(Extensible Authentication Protocol) 인증 방법 (IEEE 802.1x)
– VPN (Virtual Private Network) 인증방법
• 무선랜에서의 암호 기법
– WEP : RC4 사용, 40비트
– WEP 2 : RC4 사용, 128비트
– TKIP : AES 128bit 블럭암호
NSRI
15
무선 LAN 인증 기법(#1)
• SSID를 이용한 인증
– 가장 간단한 방법(단순한 Text 형태로 전송)
– 인증방법이라기 보다는 네트워크 선택방법
SSIDa SSIDb
SSIDa
NSRI
16
무선 LAN 인증 기법(#2)
• Open System 인증 방법
– 무선랜 카드가 소유한 48비트 MAC 주소 이용
– 특정 MAC 주소 소유자만 접속 가능
– AP가 MAC 주소 리스트 보유
– 이동성이 없음
Authentication Request(Sqe #1)
Authentication Result(Sqe #1)
NSRI
17
무선 LAN 인증기법(#3)
• Shared WEP Key 공유 키 인증
– 공통적으로 가지고 있는 WEP 키 사용
– Challenge를 암호화한 결과값이 평문으로 전송
– Replay Attack에 대응방안 없음
Authentication Request(Sqe #1)
Authentication challenge(Sqe #2)
Authentication Response(Sqe #3)
Authentication Result (Sqe #4)
NSRI
18
WEP(Wired Equivalent Privacy)
• WEP의 개요
– 유선망과 동일한 수준의 비밀성을 제공하기 위한 Link Layer의
보안프로토콜
– IEEE 802.11에서 제안
– Prevent link-layer eavesdropping
– As secondary role WEP controls network access
– Uses RC4 stream cipher of RSA Data Security for encryption
– Key must shared by both the AP and stations
– Several vendors use 104bits keys
– Only a few have implemented WEP in H/W
– The MAC address are sent in the clear
– Key distribution/negotiation is not mentioned in the standard
NSRI
19
WEP(암복호화 과정)
Conc
Conc
Integrity Algorithm
PRNG Xor
WEP PRNG
Integrity Algorithm
ICV'=ICV
Mux
Xor
IV IV
k C
IV
k
C
P
P
WEP
ICV'
IV=24 bit, k=40 bit
IV(Initial Vector), ICV(Integrity Check Value)
NSRI
20
WEP(프레임 구조)
IV Plain Text ICV
RC4 encrypted
Message(Plain Text)
CRC
Keystream=RC4(iv,k)
XOR
ICV(Integrity Check Value)
NSRI
21
WEP Keys(802.11)
Header:Key3 EKey3(Data) Trailer
Header:Key1 EKey1(Data) Trailer
Key1:4329…
Key2:5346…
Key3:1064…
Key4:4590…
Key1:4329…
Key2:5346…
Key3:1064…
Key4:4590…
IV Message ICV
0~2304Byte 4Byte
IV Pad Key ID
24Bit 6Bit 2Bit
NSRI
22
WEP의 취약점(요약)
• The 802.11 standard does not specify how distribution of keys is to be accomplished.
• In practice, most installations use a single key
• Message Authentication : CRC-32 checksum
• www.isaac.cs.berkeley.edu/isaac/wep-faq.html (UC Berkeley) – Stateless Protocol : Key Stream Reuse
– Linear Checksum : integrity check
– IV reuse : IV space – 224 possibilities, Collision every 4s
– Encryption Oracle : Attack from Both Ends
– WEP Key Stored on the NIC
• WEP should not be counted on to provide strong link-level security end-to-end encryption Needed
NSRI
23
WEP의 취약점(IV Reused, Collision)
• 키수열 생성시 k, IV를 사용
• 키 수열 = RC4(k,IV)
• 암호문( C) = 키수열 xor 평문(P)
• 동일한 키 수열 사용 가능
• IV 선택에 대한 방법이 제시되어 있지 않음
– 일부 경우 IV는 초기화때마다 0으로 setting되며 매 패킷마다 1씩 증가
– 예) 11Mbps, 패킷당 1,500바이트 전송 경우 :
Collision : 1,500 * 8/( 11*10^6) * 2^24 = 18,000초 = 5시간
NSRI
24
WEP의 취약점(Linear Checsum)
• 메세지 변조 가능
– 무결성을 위하여 32비트 CRC checksum 기법 사용
– CRC는 Random 에러 검증용이며, 선형(linear) • 공격자는 A B로 송신하는 암호문 C와 IV값 획득
A (B) : (IV,C)
C = RC4(IV,k) (M||c(M))
• M’ = M 에 상응하는 C’ 생성(은 공격자에 의해 선정)
• 암호문( C ) 대신에 변조된 암호문(C’)을 B에게 전송
• B가 올바른 checksum을 가지고 변조된 평문(M’)을 수신하게 만듬
(A) B : (IV, C’)
• C’ = C (,c())라 하면, CRC는 선형이므로
C’ = C (,c( )) = RC4(IV,k) (M,c(M)) (,c( ))
= RC4(IV,k) ( M , c(M) c() )
= RC4(IV,k) ( M’, c(M ))
= RC4(IV,k) ( M’, c(M’))
NSRI
25
WEP의 취약점(Replay)
• Once sniffed, a WEP encrypted frame can be replayed again and again by an attacker
• This replayed frame will be decrypted and processed by STA & AP as the original one
• Specifically dangerous for stateless potocols(UDP:NFS,NTP….)
• Not only the original frame can be replayed, but it can be modified as well
NSRI
26
Leaking the WEP key
NSRI
27
IP Sec vs. 802.11
NSRI
28
WLAN 보안 취약점
802.1x
NSRI
29
IEEE 802.1x(1)
• Introduction
– Provide a means of authenticating and authorizing devices attached to a LAN port
– Provides an architectural framework on top of which one can use various authentication methods
• Purpose
– Specifies a protocol between devices desiring access to the bridged LAN and devices providing access to the bridged LAN.
– Specifies the requirements for a protocol between the Authenticator and an Authentication server (e.g. RADIUS).
– Specifies different levels of access control and the behavior of the port providing access to the bridged LAN.
– Specifies management operations via SNMP.
NSRI
30
802.1x(2)
• What 802.1X is not
– Purely a wireless standard – it applies to all IEEE 802 technologies (e.g. Ethernet First Mile applications)
– PPP over Ethernet (PPPOE) – only supports EAP authentication methods (no PAP or CHAP), packets are not encapsulated
– A cipher – not a substitute for WEP, RC4, DES, 3DES, AES, etc.
• But 802.1X can be used to derive keys for any cipher
– A single authentication method
• But 802.1X can support many authentication methods without changes to the AP or NIC firmware
NSRI
31
Definitions
• Authenticator
– The entity that requires the entity on the other end of the link to be authenticated.
• Supplicant
– The entity being authenticated by the Authenticator and desiring access to the services of the Authenticator.
• Port Access Entity (PAE)
– The Protocol entity associated with a port.May support functionality of Authenticator , Supplicant or both
• Authentication Server
– An entity providing authentication service to the Authenticator.Maybe co-located with Authenticator, but most likely an external server.
NSRI
32
802.1X Topologies
Authenticator/EtherNAS (e.g. Access Point or
Bridge)
Supplicant
Enterprise or ISP Network
Semi-Public Network / Enterprise Edge
AuthenticationServer
RADIUS
PAE
PAE
EtherCPE
Supplicant Non-802.1X
NSRI
33
EAP
• The Extensible Authentication Protocol (RFC 2284) – General protocol supporting multiple authentication methods – Provides a flexible link layer security framework – Simple encapsulation protocol – Few link layer assumptions
• Can run over any link layer (PPP, 802, etc.) • Does not assume physically secure link
– Methods provide security services
• Assumes no re-ordering • Can run over lossy or lossless media
– Retransmission responsibility of authenticator (not needed for 802.1X or 802.11)
• EAP methods based on IETF standards – Transport Level Security (TLS) (supported in Windows 2000) – Secure Remote Password (SRP) – GSS_API (including Kerberos)
NSRI
34
Ethernet Client
Switch
Radius Server
IEEE 802.1X Conversation
EAPOL-Start
EAP-Response/Identity
Radius-Access-Challenge
EAP-Response (credentials)
Access blocked
Port connect
Radius-Access-Accept
EAP-Request/Identity
EAP-Request
Access allowed
EAP-Success
Radius-Access-Request
Radius-Access-Request
RADIUS EAPOL
NSRI
35
Ethernet
Access Point
Radius Server
802.1X On 802.11
EAPOW-Start
EAP-Response/Identity
EAP Request (TLS Start)
EAP-Response(TLSClient_hello)
Access blocked
Association
EAP Success(TLS Session Key)
EAP-Request/Identity
EAP-Request(TLS Start)
EAP Response/Identity
EAP Response(TLS Client _Hello)
RADIUS
EAPOW
Station
Wireless
802.11 802.11 Associate-Request
EAP-Success (TLS Session Key)
Network AccessEnabled EAPOW-Key (WEP)
802.11 Associate-Response
WEP set in PC Card via NDIS OIDs
NSRI
36
802.1X authentication in 802.11
• IEEE 802.1X authentication occurs after 802.11 association or reassociation
– Association/Reassociation serves as “port up” within 802.1X state machine
– Prior to authentication, access point filters all non-802.1X traffic from client
– If 802.1X authentication succeeds, access point removes the filter
• 802.1X messages sent to destination MAC address
– Client, Access Point MAC addresses known after 802.11 association
• No need to use 802.1X multicast MAC address in EAP-Start, EAP-Request/Identity messages
– Prior to 802.1X authentication, access point only accepts packets with source = Client and Ethertype = EAPOL
NSRI
37
Advantages of IEEE 802.1X
• Open standards based
– Leverages existing standards: EAP (RFC 2284), RADIUS (RFC 2865, 2866, 2867, 2868, 2869)
– Enables interoperable user identification, centralized authentication, key management
– Enables automated provisioning of LAN connectivity
• User-based identification
– Identification based on Network Access Identifier (RFC 2486) enables support for roaming access in public spaces (RFC 2607).
– Enables a new class of wireless Internet Access
• Dynamic key management
– Improved security for wireless (802.11) installations
NSRI
38
Vulnerabilities of 802.1x
• Absence of Mutual Authentication
– Perform only a one-way authentication
– Expose the supplicant to potential Man–in-Middle attack
• The Man-IN-Middle setup for the attack
Typically 802.3
Supplicant
AP Authentication
server
802.11
802.11
NSRI
39
Vulnerability of 802.1x
• EAP Success Message MIM Attack
– Unconditional transfer to the Authenticated state irrespective of the current state,
– Cause the interface to provide network connectivity
– Adversary can get all network traffic from the supplicant
NSRI
40
Vulnerability of 802.1x
• Session Hijacking
EAP Request
EAP Response
EAP Success
Access Point Legitimate Supplicant
Supplicant Authenticated
802.11 MAC Disassociate Adversary spoofs
APs MAC address
Network Traffic
Adversary
NSRI
41
Proposed Solutions
• Per-packet authenticity and integrity
– Session hijack attack
• Lack of authenticity in management frame
– Add of integrity of data frame
• When Confidentiality is used
• Authenticity and Integrity of EAPOL messages
– Mim attack : The lack of authenticity of 802.1x messages
NSRI
42
Vendors Supporting 802.1X
• Microsoft, AirWave, Compaq, Dell, IBM, Intel, HP, Symbol, Toshiba, Telson, Wayport – http://www.microsoft.com/presspass/press/2001/Mar01/03-
26XPWirelessPR.asp • 3Com
– http://emea.3com.com/news/news01/mar26.html • Agere
– http://www.networkmagazine.com/article/COM20010629S0009 – http://www.lucent.com/micro/NEWS/PRESS2001/080801a.html
• Enterasys – http://www.dialelectronics.com.au/articles/c4/0c0023c4.asp – http://www.computingsa.co.za/2001/03/26/News/new07.htm
• Intersil – http://www.intersil.com/pressroom/20010403_802_1xWindows_XPFINA
L_English.asp • Cisco
– Catalyst switches • http://www.redcorp.com/products/09084608.asp
– 802.11 access points • http://www.security-informer.com/english/crd_security_495312.html • http://cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1281_pp.pdf
NSRI
43
Cisco Mutual Authendication
NSRI
44
WLAN 보안 취약점
Summary
NSRI
45
Summary
• 802.11 Security doesn’t meet any of its security objectives today • 802..11 Tge is working to replace
– Authentication scheme using 802.1x and kerberos – Encryption scheme using AES in OCB mode
• Some Hints – Always possible to setup IPsec/VPN – 128비트 블록암호를 사용 – 기밀성과 무결성을 동시에 해결 가능한 방법 – IV 재 사용 금지 : 메시지 키 개념 도입 – CRC checksum 메시지 인증을 위한 MAC 추가(블록암호) – 인증 프로토콜 재 설계 (replay attack 강한 프로토콜) – 비밀키 기반 인증 방식인 Kerberos 방식등 – 키 설정 방법 및 IV 발생방법등에 대한 구체적 방법
• 단기미봉책 – 키관리방안, IPSec, Firewall 등
• 업체의 제품 – 신뢰성 검증 미흡 – 대부분 단기 미봉책
• 좀더 심도있는 보안 연구 필요
NSRI
46
Sniffing 802.11
NSRI
47
WLAN 보안 Solution
TKIP
NSRI
48
Encryption Process
MIC Key TKIP sequence counter(s)
SA + DA +
Plaintext MSDU
Data
Ciphertext
MPDU(s)
WEP
Encapsulation
MIC
TTAK Key
Plaintext
MSDU +
MIC Fragment(s)
Phase 2
key mixing
Plaintext
MPDU(s)
WEP seed(s)
(represented as
WEP IV + RC4
key)
Phase 1
key mixing TA
Temporal
Key
NSRI
49
Decryption Process
MIC Key
WEP IV
Plaintext
MSDU
Ciphertext
MPDU
WEP
Decapsulation
Michael
TTAK Key
SA + DA +
Plaintext
MSDU
Reassemble
Key mixing
Plaintext
MPDU
WEP Seed
Phase 1
key mixing
TA
Temporal
Key
TKIP sequence counter
Unmix IV
In-sequence
MPDU
Out-of-sequence
MPDU
MIC
MIC
MIC =
MIC?
MPDU with failed
WEP ICV
MSDU with failed
TKIP MIC
Countermeasures
NSRI
50
WLAN 보안 Solution
VPN
NSRI
51
Inner VPN 개념
각종 서버
XecureVPN
Gateway
XecureVPN
AP
이동 단말기
(1) AP내부에 VPN 구현
(2) VPN Gateway활용
유선구간
무선구간
NSRI
52
Inner VPN
NSRI
53
WLAN 보안 Solution
Vendor
NSRI
54
Cisco’s Solution
• Mutual authentication – By Lightweight & Efficient Application Protocol-LEAP – Between a wireless client and a backend RADIUS
• Secure Key Derivation – Mutual challenge and one-way hashes
• Dynamic WEP keys – Dynamic per-user, per-session WEP key – Unique session key per users
• Reauthentication Policies – RADIUS server ACS2000 – Reauthentication more open – Get new session keys
• IV Changes – A per-packet basis
• Use other security solutions – VPN, Firewall
NSRI
55
3COM’s Solutions
• Layer 3 VPN solutions
– RADIUS-based authentication & authorization
– 128bits Dynamic session Key
• WEP에 근간을 둔 보안이 아니라 클라이언트와 라우터간의
VPN을 수행함으로써 WLAN의 보안을 처리
NSRI
56
NoWiresNeeded’s Solution
• AirLockTM Security Software
• Automated key exchange
• Encryption : RC4 and 128bit key
• Key agreement : Diffie-Hellman key agreement
• Authentication : public key mechanism, using 1024bit keys
• Also, supports IEEE standard WEP 40
NSRI
57
감사합니다.