Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 /24 May 2006 - 1 Systems Architecture WPA / WPA 2(802.11i) Burghard Güther, Tim Hartmann 12.06.2007.

Published byEmil Robbins Modified over 7 years ago

Similar presentations

Presentation on theme: "1 /24 May 2006 - 1 Systems Architecture WPA / WPA 2(802.11i) Burghard Güther, Tim Hartmann 12.06.2007."— Presentation transcript:

1 1 /24 May 2006 - 1 Systems Architecture http://sar.informatik.hu-berlin.de WPA / WPA 2(802.11i) Burghard Güther, Tim Hartmann 12.06.2007

2 2 /24 May 2006 - 2 Systems Architecture http://sar.informatik.hu-berlin.de Introduction  WEP is not sufficient - Weak key management (use and distribution) - Weak cryptography (affecting integrity and confidentiality) - Weak authentication (if any)  Networks and Ressources are not adequately protected in WEP based Wireless LANs

3 3 /24 May 2006 - 3 Systems Architecture http://sar.informatik.hu-berlin.de Introduction  RSN – defined in 802.11i – adresses those problems - Including changes for all of the above mentioned weaknesses - Important change regards the encryption algorithm, rising the need for new hardware  For backward compatibility TKIP (Temporal Key Integrity Protocol) was specified and became the base for WPA - Difference to RSN is keeping RC4 as cipher, but with altered utilization  WPA2 is based almost completely on RSN

4 4 /24 May 2006 - 4 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Overview  New Authentication Method - using EAP (Extensible Authentication Protocol) and - Four-Way Handshake  New Key Management - a Key Hierarchy is defined - Dynamic and Pre-Shared Keys are supported

5 5 /24 May 2006 - 5 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Authentication  Goals:  STA identity is confirmed, so only approved STAs gain access - How exactly User identities are checked is due to the chosen Method - Those could be Passwords, Smartcards, Tokens, so the Method has great impact on overall security  AP identity is confirmed, so «rogue» APs are avoided - Common method are Certificates  Session Key is installed in AP and STA to prevent later impersonation - Unlike in wired LANs, there is no physical connection

6 6 /24 May 2006 - 6 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Authentication  Method (based on modified 802.1X): - Three entities are defined - Supplicant wants access to the network, here the STA - Authenticator controls access by port based access control, here the AP - Authentication Server handles authorization, can be located outside the AP on a different machine  Security Policy is negotiated during Association with a Wireless LAN - Contains EAP Method Selection

7 7 /24 May 2006 - 7 Systems Architecture http://sar.informatik.hu-berlin.de Steps 4. and 5. may be repeated according to EAP Method Similarities WPA / WPA2 - Authentication AS (Auth.server)AP (Authenticator)STA (Supplicant) 1. EAPOL-Start (opt.) 2. EAPOL Request 3. EAPOL Response 3. RADIUS Access Request 4. RADUIS Access Challenge 4. EAP Request 5. RADIUS Access Request 5. EAP Response 6. RADUIS Access Accept 6. EAP Success 7. EAPOL Logoff (opt.)

8 8 /24 May 2006 - 8 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Authentication  All Authentication Communication goes over the uncontrolled port of the AP  The AP only mediates EAP Messages without interpreting them  EAPOL (EAP over LAN) is used between AP and STA  EAP over RADIUS is commonly used between AP and AS - Not mandatory in 802.11i

9 9 /24 May 2006 - 9 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Authentication  On EAP Success Message the Four Way Handshake is initialized  Security of the Channel between AP and AS is not part of the Standard, but required for RSN to be secure  EAP Methods is not specified, but variants utilizing TLS are common - In that case, the TLS Handshake is encapsulated in EAP Messages  Mutual Authentication must be guaranteed by the EAP Methods selected

10 10 /24 May 2006 - 10 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Authentication  Port is still closed, until completion of Four Way Handshake  In this phase Keys are generated for the Communictaion between STA and AP, using a Master Key STAAP EAPOL Key (MIC, Seq Nr.) Computes PTK EAPOL Key (Random 2, MIC Computes PTK Verify MIC EAPOL Key (Random 1) Verify MIC EAPOL Key (Ack, MIC) Controlled Port is unblocked

11 11 /24 May 2006 - 11 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Key Management  Top Level is the Pairwise Master Key - Can be pre-installed or delivered through EAP Authentication - Master Key means, it is used to derive actual Session Keys  Second Level is the Pairwise Transient Key - Consist of four Keys - Data encryption Key and Data integrity Key (identical in RSN) - Key encryption Key and Key integrity Key (used in 4-Way Handshake) - Input is PMK, MAC Address and Random Number of both participants

12 12 /24 May 2006 - 12 Systems Architecture http://sar.informatik.hu-berlin.de Similarities WPA / WPA2 - Key Management  Another Level is the Group Transient Key - Consist of only two Keys - Group encryption Key and Group Integrity Key - Transmitted to STAs during Group Key Handshake, secured with Key encryption Key - GK Handshakes can occur any time (necessary)

13 13 /24 May 2006 - 13 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - Overview  TKIP with RC4 Cipher - Integrity protection by Michael MIC (Message Integrity Code) - Replay protection by enforcing sequenced Initialization Vectors - Confidentiality by different use of RC4 - Countermeasures when detecting attacks  RSN with AES-CCMP - Advanced Encryption Standard - Counter Mode Encryption (CTR) - Cipher Block Chaining Message Authentication Code (CBC-MAC) - Used for integrity, authentication and confidentiality - Replay protection by using sequence numbers during MAC computation

14 14 /24 May 2006 - 14 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - TKIP  Michael Integrity Protection - Solution without the need for hardware upgrades - Integrity protection by encryption with MIC key - MIC computed over user data, source and destination adresses and priority bits  Monotonically increasing TKIP Seqence Counter (TSC) (=IV) - IV length increased from 24bit to 48bit  Cryptographic key-mixing process for new key for every frame: create dynamic WEP key from TK and TSC - Avoid weak keys by TKIP Mix - User frame, 64bit-MIC, transmitter adress encrypted with per-frame key

15 15 /24 May 2006 - 15 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - TKIP  Different Key for every Message with 48 bit IV Image taken from SeCoWiNetV1.4.pdf [2]

16 16 /24 May 2006 - 16 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - TKIP  Combined with countermeasures, executed after a failure of the Integrity Check: - Logging Security Event - Second failure within 60s disables reception for another 60s, even not allowing new Associations with TKIP - Changing PTK and GTK through reinvoking authentication with 4-Way Handshake

17 17 /24 May 2006 - 17 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP  AES is a block cipher  Insertion on block ciphers  Criteria: - Completeness, every bit of output block depends on each bit of input block and each bit of the key - Avalanche effect, change of 1 bit in input block leads to changing of each output bit with probability ½ (same for key) - Statistical independence, between output and input block  AES uses a number of simple operations two produce a complex output - This includes bit substitutions with lookup tables, permutations and «adding» the key which includes modulo operations - Sequence of those simple operations is repeated multiple times - Each sequence updates an internal state

18 18 /24 May 2006 - 18 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP  AES Operational Modes (1) - Cipher Block Chaining (CBC) - Every Plaintext Block is XORed to the preceding Ciphertext Block before encryption, uses an IV for the 1st Block - Thus two identical Plaintext Blocks will generate different Ciphertext - Each Cipher Block is dependent on all preceding Plaintext Blocks - CBC can be used as MAC (CBC-MAC) Image taken from http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation [4]

19 19 /24 May 2006 - 19 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP  AES Operational Modes (2) - Counter Mode (CTR) - Converts a Block Cipher into a Stream Cipher - Generates Keystream Blocks by encrypting values of an internal state and a nonce - Internal state is a Counter, that is incremented in each iteration Image taken from http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation [4]

20 20 /24 May 2006 - 20 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP CCM - Combines CBC-MAC (integrity and authentication) and CTR (confidentiality) – both encryption and MIC as result - Takes as input 128 bit TK, 48 bit Packet Number and some Data from the frame header - PN is used as counter (to prevent replay attacks) and with header information as nonce - Header forms additional input for CCM called AAD - => Nonce, AAD and plaintext data + key as input for CCM - Ensures confidentiality of data and integrity of data and header - Combines both to encrypt and produce a MIC simultaneously => same key for encryption and integrity protection - AES obviates the need for per-packet key - CCM header consist of identifier for TK and PN

21 21 /24 May 2006 - 21 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP  AES CCMP Image taken from SP800-97.pdf [3]

22 22 /24 May 2006 - 22 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP  Characteristics:

23 23 /24 May 2006 - 23 Systems Architecture http://sar.informatik.hu-berlin.de Differences WPA / WPA2 - AES CCMP  Security Vulnerability: « Replay detection », « impersonation detection » and «weak keys » are most important for attacks against WEP.

24 24 /24 May 2006 - 24 Systems Architecture http://sar.informatik.hu-berlin.de References [1] Breaking 104 bit WEP in less than 60 seconds (2007), Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin [2] Security and Cooperation in Wireless Networks, Thwarting Malicious and Selfish Behavior in the Age of Ubiquitous Computing, by Levente Buttyan (BME) and Jean-Pierre Hubaux (EPFL) [3] NIST Special Publication 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, Sheila Frankel, Bernard Eydt, Les Owens, Karen Scarfone [4] http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation, Wikipedia, 11. Juni 2007

Download ppt "1 /24 May 2006 - 1 Systems Architecture WPA / WPA 2(802.11i) Burghard Güther, Tim Hartmann 12.06.2007."

Similar presentations

Chapter 07 Designing and Implementing Security for WLAN

Chapter 07 Designing and Implementing Security for WLAN
CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.

Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.
P1451.5 Security Survey and Recommendations By: Ryon Coleman October 16, 2003.

P Security Survey and Recommendations By: Ryon Coleman October 16, 2003.
IPsec Internet Headquarters Branch Office SA R1 R2

IPsec Internet Headquarters Branch Office SA R1 R2
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID 003503527.

W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.

WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.
Solutions for WEP Bracha Hod June 1, 2003 2 802.11i Task Group  Addresses WEP issues –No forgery protection –No protection against replays –Attack through.

Solutions for WEP Bracha Hod June 1, i Task Group  Addresses WEP issues –No forgery protection –No protection against replays –Attack through.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
WLAN security S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.

WLAN security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.

Similar presentations

Ads by Google