802.1x: What it is, How it's broken, and How to fix it
Bruce Potter, The Shmoo Group
Why Wireless?
- No cable plant
  – Lower cost (initially… TCO may be higher)
  – Rapid deployment
- Enhanced mobility
- Ad hoc relationships
- Many different requirements
Why Not Wireless
- No physical security
- Low throughput
- Unregulated, noisy bands
802.11, b, etc.
- IEEE standard, based on well-known Ethernet standards
- 802.11: FHSS or DSSS, WEP, 2.4 GHz, Infrastructure (BSS) or Ad-Hoc (IBSS)
  – Limited to 2 Mb/s due to FCC limits on dwell times per frequency hop
- 802.11b: DSSS only, WEP, 2.4 GHz, Infrastructure or Ad-Hoc
  – Up to 11 Mb/s
  – Also known as Wi-Fi
- 802.11a and g
An Association
- Associations are a basic part of 802.11
- Client requests authentication
- AP responds with auth type (Open/WEP)
- Authentication is performed
- If successful, then association is requested and granted
- SSID is sent in the clear, so not advertising the SSID is NOT a valid security mechanism
General Principles
- Deal with the basics
  – Integrity: protecting your packets from modification by other parties
  – Confidentiality: keeping eavesdroppers within range from gaining useful information
  – Keeping unauthorized users off the network
    – Free Internet!
    – Risks to both internal and external network
  – Availability: low-level DoS is hard to prevent
- Like any other environment, there are no silver bullets
WEP in a Nutshell
- 40 bits of security == 64 bits of marketing spam
- 104 bits of security == 128 bits of marketing spam
Thoughts on WEP
- Key management beyond a handful of people is impossible
  – Too much trust
  – Difficult administration
  – Key lifetime can get very short in an enterprise
- No authentication for management frames
- No per-packet auth
- False advertising!!!
What is Lacking?
- Scalability
  – Many clients
  – Large networks
- Protection for all parties
- Eliminate invalid trust assumptions
802.1x
- Port-based authentication for all IEEE 802 networks (layer 2 authentication)
- Originally for campus networks
- Extended for wireless
- Allows for unified AAA services
- Provides means for key transport
EAP
- Extensible Authentication Protocol
- Originally designed for PPP
  – Shoehorned into 802.1x
- Switch/access point is a pass-through for EAP traffic
- New authentication mechanisms do not require infrastructure upgrades
- LEAP – Cisco's Lightweight EAP
  – Password based and (relatively) widely available
- De facto mechanism between AS and AServ is RADIUS
EAP Methods
- EAP-TLS: uses certs! If implemented properly, solves many problems
- TTLS – Tunneled TLS. Allows encapsulation of other auth mechanisms
  – Machine auth'd by TLS, person by the tunneled protocol
- PEAP – IETF draft
  – Like TTLS but with another EAP method encapsulated
- TLS/TTLS and others require certs
  – We all have a PKI set up, right? And use it properly and regularly?
What's Right
- Protection of the infrastructure
- Authentication mechanism can
  – change as needed
  – address flaws in existing wireless security
- Lightweight
  – No encapsulation, no per-packet overhead… simply periodic authentication transactions
What's Right
- In a controlled environment, risks can be mitigated by higher-level protocols
  – VPN/SSL/SSH
- NOTE: exchange of WEP key material is not part of the 802.1x specification
  – Remember: designed for wired campus networks
What's Right
- Association happens BEFORE the 802.1x transaction
  – Good: if the 802.1x session is protected by a default WEP key, then the attacker must first compromise the WEP key to make use of 802.1x vulns
  – Bad: key management, anyone? Just how does the default key get there?
What's Wrong
- First open source supplicant
- First holes in 802.1x
- One-way authentication
  – Less of a concern in a LAN environment
- Traffic interception
- Session hijacking
What's Wrong – Technical
- One-way authentication
  – Gateway authenticates the client
  – Client has no explicit means to authenticate the gateway
  – Rogue gateways put the client at risk
- Remember – the loudest access point wins
- Still no authentication of management frames (assoc/disassoc/beacons/etc…)
What's Wrong – Technical
- MITM
  – Send "Authentication Successful" to client
  – Client associates with malicious AP
- Hijacking
  – Send disassociation message to client… AP is in the dark
  – Change MAC to the client's and have a live connection
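Because the AP never sees the forged disassociation, the slide's hijack has to be spotted from a monitor-mode listener. The following is an added example, not from the deck: it runs two defender-side heuristics (a sequence-number jump on a disassoc/deauth that claims to come from the AP, and client traffic that continues after the client was told to leave) over a constructed frame log with made-up MAC addresses.

```python
"""Added example: monitor-side detection of the disassociation-based hijack.
All frame records are constructed sample data; MAC addresses are made up."""

BSSID = "00:0a:aa:aa:aa:01"            # constructed AP address
CLIENT = "00:0b:bb:bb:bb:02"           # constructed client address

# (time, frame subtype, source, destination, 802.11 sequence number)
FRAMES = [
    (1.0, "beacon",   BSSID,  "ff:ff:ff:ff:ff:ff", 100),
    (1.1, "data",     CLIENT, BSSID,               7),
    (1.2, "data",     BSSID,  CLIENT,              101),
    (1.3, "disassoc", BSSID,  CLIENT,              3000),  # forged: counter jumps
    (1.4, "data",     CLIENT, BSSID,               8),     # traffic continues
    (1.5, "data",     BSSID,  CLIENT,              102),   # AP is in the dark
]

def detect_hijack(frames, bssid, window=64):
    """Return alerts as (kind, time, station) tuples.

    'forged_disassoc': a disassoc/deauth with the AP's source address whose
    sequence number is far from the AP's last genuine one. A second radio
    spoofing the AP's MAC keeps its own counter, so the jump is visible
    even though the frame itself carries no authentication.

    'traffic_after_disassoc': the client MAC keeps sending data to the AP
    after being told to leave. A real disassociation would have silenced
    it; continued traffic means the AP never processed it, and whoever is
    using that MAC now may not be the original client.
    """
    alerts, last_seq, kicked = [], None, set()
    for t, subtype, src, dst, seq in frames:
        if src == bssid and subtype in ("disassoc", "deauth"):
            distance = (seq - last_seq) % 4096 if last_seq is not None else 0
            if min(distance, 4096 - distance) > window:
                alerts.append(("forged_disassoc", t, dst))
            else:
                last_seq = seq          # looks genuine: advance the counter
            kicked.add(dst)
        elif src == bssid:
            last_seq = seq              # AP's own frames track its counter
        elif src in kicked and subtype == "data" and dst == bssid:
            alerts.append(("traffic_after_disassoc", t, src))
            kicked.discard(src)         # one alert per disassociation event
    return alerts

if __name__ == "__main__":
    for alert in detect_hijack(FRAMES, BSSID):
        print(alert)
```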
What's Wrong – Technical
- RADIUS uses a shared secret with the authenticator
  – Same issue as WEP, but on a more reasonable scale
- Authentication after association presents roaming problems
  – Authentication takes a non-trivial amount of time… can disrupt data in transit
- Failure of RADIUS server == failure of network
  – Many AP implementations don't allow multiple RADIUS servers
  – Most RADIUS server failover is non-transparent
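What the shared secret on this slide actually protects: the authenticator (AP) validates a RADIUS reply by recomputing the Response Authenticator of RFC 2865 section 3, MD5(Code | ID | Length | RequestAuth | Attributes | Secret), which is the only binding between request and reply. This is an added example, not code from the deck; the secret, request authenticator and attribute values are constructed.

```python
"""Added example: RADIUS Response Authenticator check as an AP performs it.
The exchange below is constructed sample data."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
HEADER_LEN = 20                          # code, id, length, 16-byte authenticator

def attribute(type_code: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (includes the 2-byte header), Value."""
    return struct.pack("!BB", type_code, len(value) + 2) + value

def response_authenticator(code, ident, request_auth, attrs, secret):
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: a reply whose authenticator covers the request it answers."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """AP side: accept the reply only if the recomputed authenticator matches.
    Anyone without the per-AP secret cannot produce or alter a valid reply;
    anyone with it can, which is why the slide compares it to a WEP key."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])

# Constructed exchange: the AP's Access-Request carried this authenticator.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"
ACCEPT = build_response(ACCESS_ACCEPT, 0x2A, REQUEST_AUTH,
                        attribute(27, struct.pack("!I", 3600)),   # Session-Timeout
                        SECRET)

def demo():
    """Genuine reply verifies; a flipped attribute bit or a wrong secret does not."""
    tampered = ACCEPT[:-1] + bytes([ACCEPT[-1] ^ 0x01])
    return (verify_response(ACCEPT, REQUEST_AUTH, SECRET),
            verify_response(tampered, REQUEST_AUTH, SECRET),
            verify_response(ACCEPT, REQUEST_AUTH, b"wrong-secret"))

if __name__ == "__main__":
    print(demo())
```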
What's Wrong – touchy feely
- They forgot about the client (trust assumptions)
  – Everyone is at risk
  – Everyone is a threat
  – Lack of physical security requires an encrypted channel to secure 802.1x
- Wired port is not the same as wireless port
- Protocol designed to not require hardware replacement
  – Leads to a less than stellar solution, esp. WRT authentication of management frames
What's Wrong – touchy feely
- Extensibility leads to complexity
  – Complexity leads to mistakes in implementation
  – Read the MS guide on creating EAP methods as an example
- Multivendor support is difficult
- Using a shoehorn to force protocols to work together leads to problems
Why Did it Go Wrong?
- 802.1x – designed for campus networks
- EAP – designed for PPP
- NEITHER designed with the wireless threat model in mind
- Lesson: don't apply old protocols to new problems without understanding the risk
Where Are We Today?
- Several 802.1x implementations available
  – Windows XP (not PocketPC 2002)
  – Open1x.org
- EAP implementations
  – Windows IAS
  – FreeRADIUS – MD5 and TLS
  – Cisco
  – Other RADIUS servers
Where Are We Today?
- 802.1x capable access points
  – Cisco
  – Lucent RG1000/RG1100 can be hacked with AP500 firmware to become 1x capable
- Some drawbacks
  – OS authenticator from open1x.org
  – Others
What's Next
- Integration of existing solutions to raise the bar
- Limited 802.1x implementations
- 802.11i (Task Group I – Security)
  – On track… the right track
  – Mutual auth, per-packet auth
  – 802.1x a part of 802.11i
What's Next
- WEP has the right idea
- End-to-end solutions à la SSL, SSH, IPsec
  – Not likely
Temporal Key Integrity Protocol
- Fast packet keying
- Packet MAC
- Dynamic rekeying
- Key distribution via 802.1x
- 3Q product deployment
- Still RC4 based to be backward compatible
- AES with 802.1x keying in the distant future