Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mario Čagalj University of Split 2013/2014. FELK 19: Security of Wireless Networks *

Published byFabian Hind Modified over 9 years ago

Similar presentations

Presentation on theme: "Mario Čagalj University of Split 2013/2014. FELK 19: Security of Wireless Networks *"— Presentation transcript:

1 Mario Čagalj University of Split 2013/2014. FELK 19: Security of Wireless Networks *

2 WiFi (In)Security – 2 st part: Vulnerabilities of WPA and WPA2 Assembled from different sources: Walker, Lehembre Buttyan,... Produced by Mario Čagalj

3 3 Introduction: IEEE 802.11i We have seen that WEP is critically flawed IEEE 802.11i defined to properly secure wireless LANs (2004) Specifies robust security mechanisms for WLANs Defines Transition Security Network (TSN) Called WiFi-Protected Access (WPA) by WiFi-Alliance Based on “new” TKIP (that uses “old” RC4 like WEP) Backward compatibility (with old RC4-only hardware) IEEE 802.1X authentication framework More importantly defines a Robust Security Network (RSN) Called WiFi-Protected Access 2 (WPA2) by WiFi-Alliance Based on AES and optionally TKIP Also uses IEEE 802.1X authentication framework

4 4 Tranzicija prema IEEE 802.11i IEEE 802.11b WEP WPA IEEE 802.11i (WPA2) Tajnost podataka (enkripcija) WEP (RC4)TKIP (RC4) AES, (opcija TKIP) Integritet podatakaWEP (RC4) + CRCTKIP-MIC AES-MAC (opcija TKIP-MIC) Autentikacija i kontrola pristupa Shared Key Authentication IEEE 802.1X/EAP (+ EAP-TLS, LEAP…) IEEE 802.1X/EAP (+ EAP-TLS, LEAP…) TKIP: Temporal Key Integrity Protocol AES: Advanced Encryption Standard MIC: Message Integrity Code MAC: Message Authentication Code EAP: Extensible Authentication Protocol TLS: Transport Layer Security LEAP: Light EAP (Cisco)

5 5 Autentifikacijski model IEEE 802.1X u WiFi Port-based Network Access Control ● Mobilni klijent zahtijeva pristup uslugama (želi se spojiti na mrežu) ● AP kontrolira pristup uslugama (kontrolirani port) ● Autentifikacijski server (AS) Mobilni klijent i AS se me đ usobno autentificiraju AS informira AP da može otvoriti kontrolirani port mobilnom klijentu Mobilni klijent AP LAN (Internet) Autentifikacijski server Kontroliran port Slobodan (otvoren) port

6 Vulnerabilities of home networks Assembled from different sources: Walker, Lehembre Buttyan,...

7 7 Operacijske faze IEEE 802.11i: kućne i ad hoc mreže Autentifikacijski server nije prisutan Autentifikacija zasnovana na dijeljenom ključu (Pre-Shared Key, PSK) Mobilni klijent (M) Pristupna točka (AP) PSK (umjesto PMK) Otkrivanje sigurnosnih funkcionalnosti IEEE 802.1X key management (Provjera PSK/PTK– “4-way” handshake) Zaštita podataka (TKIP, CCMP/AES)

8 8 Key derivation and distribution PTK (Pairwise Transient Key) – unique for this M and this AP Guillaume Lehembre, hakin9 6/2005

9 9 IEEE 802.11i: Pre-Shared Key (PSK) No explicit authentication! The IEEE 802.1X authentication exchange absent Usually a single pre-shared key for entire network Password-to-Key Mapping Uses PKCS #5 v2.0 PBKDF2 to generate a 256-bit PSK from an ASCII password PMK=PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256) Salt = SSID, so PSK different for different SSIDs 4096 is the number of hashes used in this process

10 10 4-Way Handshake (over a radio channel) Guillaume Lehembre, hakin9 6/2005 PTK PTK = EAPoL-PRF(PSK, ANonce | SNonce | AP MAC Addr | M’s MAC Addr)

11 11 Vulnerabilities of 4-way handshake (1/3) Affects both WPA and WPA2 Password-to-Key Mapping Uses PKCS #5 v2.0 PBKDF2 to generate a 256-bit PSK from an ASCII password PMK=PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256) Salt = SSID, so PSK different for different SSIDs 4096 is the number of hashes used in this process Password length between 8 and 63 printable ASCII characters Vulnerability The PTK used in 4-way handshake derived from PSK and PSK=f(PWD) 4-way handshake protected with PTK 4-way handshake messages transmited over a public radio channel

12 12 Vulnerabilities of 4-way handshake (2/3) The strenght of PTK relies on the PSK which effectively means on the strength of the password PWD Offline brute-force and dictionary attacks possible 1. attacker captures (records) 4-way handshake (only first 2 messages; why?) 2. attacker performs brute-force or dictionary attacks (at home) 1. guesses or reads from the dictionary the candidate PWD test 2. calculates PSK test = PBKDF2 (PWD test, SSID, SSIDlength, 4096, 256) PTK test = EAPoL-PRF(PSK test, ANonce | SNonce | AP MAC Addr | M’s MAC Addr) PTK test gives KCK test (used for message authentication in 4-way hand) MIC test = MAC(KCK test, public info) 3. if (MIC test ==MIC captured ) output PWD test as the password guess else go to 1.

13 13 Vulnerabilities of 4-way handshake (3/3) How to capture the 4-way handshake? 1. Enter the monitoring mode 2. Discover nearby networks and associated clients MAC addresses, WPA or WPA2, SSID 3. Disassociate clients to force them to run again 4-way handshake Use fake disassociation control packets (not protected by IEEE 802.11i) 4. Record the new 4-way handshake e.g., using Aireplay 5. Go home and launch a dictionary attack Aircrack

14 14 Attack complexity Depends on the entropy of passwords Weak passwords easy to crack Strong passwords E.g., a random passphrase of 13 characters (selected from the set of 95 permitted characters) gives 95 13 ≈ 2 85 Slow hashing algorithm (PBKDF2 involves many iteration of HMAC-SHA1) PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256) In practice PBKDF2 forces the attacker to iterate SHA1 16.000 times Increases the attacer’s cost (the time to test a single pwd) E.g., by slowing down the attacker by the factor of 3650 implies that the effort of 1 day increases to 3650 days (10 years) Unfortunatelly, people do not select 13 random characters!

15 15 Speeding up the dictionary attack Recall the dictionary attack 1. attacker captures (records) 4-way handshake 2. attacker performs dictionary attacks (at home) 1. reads from the dictionary the candidate PWD test 2. calculates PSK test = PBKDF2 (PWD test, SSID, SSIDlength, 4096, 256) PTK test = EAPoL-PRF(PSK test, ANonce | SNonce | AP MAC Addr | M’s MAC Addr) PTK test gives KCK test (used for message authentication in 4-way hand) MIC test = MAC(KCK test, public info) 3. if (MIC test ==MIC captured ) output PWD test as the password guess else go to 1. This part is slow

16 16 Speeding up the dictionary attack Pre-compute the slow part (before attacking) and re-use against many networks PSK test = PBKDF2 (PWD test, SSID, SSIDlength, 4096, 256) Observe, nothing specific about the current session Where can the attacker re-use the pre-computed data? With networks sharing the same SSID How much data the attacker has to store? It depends on the concrete attack implementation and targeted success probability E.g. 100.000.000 passwords of average length 10 chars (letters and numbers) -> 2 32 B i.e. about 4GB

17 17 Securing against the dictionary attacks To secure your network against these pre-computed dictionaries make sure that Your SSID is unique (does not appear in the existing tables) Your PWD is strong enough (sufficiently long and random :-)

18 Vulnerabilities of enterprise networks Assembled from different sources: Walker, Lehembre Buttyan,...

19 19 Autentifikacijski model IEEE 802.1X u WiFi Port-based Network Access Control ● Mobilni klijent zahtijeva pristup uslugama (želi se spojiti na mrežu) ● AP kontrolira pristup uslugama (kontrolirani port) ● Autentifikacijski server (AS) Mobilni klijent i AS se me đ usobno autentificiraju AS informira AP da može otvoriti kontrolirani port mobilnom klijentu Mobilni klijent AP LAN (Internet) Autentifikacijski server Kontroliran port Slobodan (otvoren) port

20 20 Operacijske faze IEEE 802.11i Mobilni klijent (M) Pristupna točka (AP) Autentikacijski server (AS) Otkrivanje sigurnosnih funkcionalnosti Distribucija PMK ključa (npr. putem RADIUS-a) Zaštita podataka (TKIP, CCMP/AES) Rezultat: M i AS -generiraju Master Key (MK) -izvedu Pairwise MK (PMK) 802.1X autentifikacija Rezultat: M i AP -provjere PMK -izvedu Paiwise Transient Key (PTK) -PTK vezan uz ovaj M i ovu AP 802.1X key management CCMP = Counter-Mode / Cipher Block Chaining Message Authentication Code Protocol based on AES block cipher

21 Tunneled TLS over Extensible Authentication Protocol (EAP-TTLS) Provides protection for initial authentication messages (plaintext passwords, e.g. PAP used by FESB) 21 Example: FESB WiFi (EAP-TTLS and PAP) Mobilni klijent (M) Pristupna točka (AP) Autentifikacijski server (AS) TTLS server Establishing an authentication TLS tunnel TLS protected authentication WLAN master session key Authentication Data traffic on secured link

22 Validation of the authentication server based on certificate validation Trusted issuing authority, matching certificate owner’s Common Name (CN) Many PEAP (EAP-TTLS) deployments fail to properly deploy Malicious authentication server gains access to inner authentication methods PEAP: MS-CHAPv2 TTLS: MS-CHAPv2, CHAP, PAP, etc. 22 Example: FESB WiFi (EAP-TTLS and PAP) Mobilni klijent (M) Pristupna točka (AP)TTLS server Establishing an authentication TLS tunnel with the rogue AuthSrv TLS protected inner authentication Record session controlled by the attacker (Rogue AP)

23 PEAP: Pwned Extensible Authentication Protocol by Joshua Wright and Brad Antoniewicz, ShmooCon 2008 23 How to set properly setup PEAP-like authentication methods

24 A standard that attempts to allow easy establishment of a secure wireless home network The standard allows four usage modes aimed at a home network user adding a new device to the network: PIN Method (e.g., enter the PIN on AP into the client) Push-Button-Method (a user simultaneously pushes a button on the AP and the client) Near-Field-Communication Method (bring the client close to the AP) USB Method In December 2011 researcher Stefan Viehböck reported a design and implementation flaw that makes brute-force attacks against PIN-based WPS feasible to perform on WPS-enabled Wi-Fi networks A successful attack on WPS allows unauthorized parties to gain access to the network The only effective workaround is to disable WPS Impossible on some APs 24 Wi-Fi Protected Setup (WPS) Insecurities (home nets again)

Download ppt "Mario Čagalj University of Split 2013/2014. FELK 19: Security of Wireless Networks *"

Similar presentations

CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.

Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – 802.11b  Security Mechanisms in 802.11b  Security Problems in 802.11b  Solutions for 802.11b.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
Security in IEEE 802.11 wireless networks Piotr Polak University Politehnica of Bucharest, December 2008.

Security in IEEE wireless networks Piotr Polak University Politehnica of Bucharest, December 2008.
Implementing Wireless LAN Security

Implementing Wireless LAN Security
Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.

MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.

WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

Similar presentations

Ads by Google