3. Outline
- Wireless Threat Models
  - Possible threats and their practicality in wireless networks
- IEEE 802.11i
  - Data Confidentiality & Integrity: CCMP
  - Mutual Authentication: RSNA Establishment Procedure
  - Availability: not an original design objective, problematic
- Attacks and Solutions
  - On Authentication: Security level rollback, reflection attack
  - On Availability: Michael countermeasure attack, RSN IE poisoning, 4-Way Handshake blocking
- Failure Recovery and improved 802.11i
- Conclusions

4. Wireless Threats
- Passive Eavesdropping/Traffic Analysis: easy, most wireless NICs have promiscuous mode
- Message Injection/Active Eavesdropping: easy, some techniques to generate any packet with a common NIC
- Message Deletion and Interception: possible, interfere with packet reception using directional antennas
- Masquerading and Malicious AP: easy, MAC address forgeable and software available (HostAP)
- Session Hijacking
- Man-in-the-Middle
- Denial-of-Service: cost related evaluation

Notes: In cryptography, a man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims. The MITM attack is particularly applicable to the original Diffie-Hellman key exchange protocol, when used without authentication.

Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. Session hijacking involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress.

HTTP is stateless, so application designers had to develop a way to track the state between multiple connections from the same user, instead of requesting the user to authenticate upon each click in a Web application. A session is a series of interactions between two communication end points that occurs during the span of a single connection. When a user logs into an application, a session is created on the server in order to maintain the state for other requests originating from the same user.

Applications use sessions to store parameters which are relevant to the user. The session is kept "alive" on the server as long as the user is logged on to the system. The session is destroyed when the user logs out from the system or after a predefined period of inactivity. When the session is destroyed, the user's data should also be deleted from the allocated memory space.

5. IEEE 802.11a/b/g
WEP
- Key (IV (24) + shared key (40 or 104))
- Encryption algorithm: RC4
- Data integrity: ICV (Integrity Check Value), which is a linear and un-keyed function of the message
- Open system (no authentication)
- Shared key authentication (challenge response handshake)
Weakness in WEP
- Key scheduling problem due to the short IV
- Weak one direction authentication
- No protection mechanism (such as timestamp, nonce) against replay attack

Notes: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack.

6. WPA: an interim solution
WPA (Wi-Fi Protected Access)
- Data integrity:
  - TKIP (Temporal Key Integrity Protocol) using key mixing function and IV space extension
  - A weak keyed MIC (Message Integrity Code) is introduced to improve the ICV
  - Monotonically increasing sequence number to prevent replay attacks
- Two more authentication schemes
  - PSK (Pre-Shared Key) to authenticate peers. Besides, based on PSK, a 128 bit encryption key and a 64 bit MIC key can be generated
  - IEEE 802.1X+EAP (Extensible Authentication Protocol) is stronger

7. Is WPA good enough?
- It seems that WPA patches every vulnerability in WEP.
- Weakness is predestined since WPA wants to re-use the legacy hardware:
  - TKIP's key mixing function is not as strong as expected.
  - Whole security is broken for the duration of a Temporal Key given two per-packet keys with the same IV32.
  - It is possible to find the MIC key given one per-packet key.
- 802.1X is still vulnerable to session hijacking and man-in-the-middle attack.
- Long term solution: IEEE 802.11i

8. IEEE 802.11i
- Ratified on June 24, 2004.
- Proposed to provide enhanced MAC layer security.
- Data confidentiality and integrity: encryption in Link Layer
  - WEP: Wired Equivalent Privacy
  - TKIP: Temporal Key Integrity Protocol
  - CCMP: Counter-mode/CBC-MAC Protocol
- Mutual authentication
  - RSNA: Robust Security Network Association
  - EAP-TLS/802.1X/RADIUS
  - Key management: 4-Way handshake, Group key handshake, etc.
- Availability
  - not an original design objective
  - Some real vulnerabilities exist

Notes: Why not PHY layer or IP and above layer? It is hard to do it in the PHY layer because it requires significant modifications of the current PHY. Proposed solutions include proper antenna selecting and positioning, and RF firewall architecture. Doing it at the IP layer and above makes the network more complicated. More importantly, it breaks the fact that 802.11 is for MAC and below layers. As a practical question, a station needs to gain partial access before any application layer authentication can be initiated.

9. RSNA Establishment Procedures
Through these handshakes, the supplicant and the authenticator mutually authenticate each other and establish a secure session for data transmissions.

10. 802.11i: Confidentiality & Integrity
- WEP, TKIP for backward compatibility (802.11a/b/g)
- CCMP: long-term solution
  - AES: 128-bit key, 128-bit block, Counter mode + CBC-MAC
  - 48-bit Packet Number for replay prevention
  - Use the same key for both Encryption and MIC
    - Counter and initialization vector do not overlap
    - better to use different keys for different purposes

Notes: Message Integrity Code or MIC is used to refer to a cryptographic checksum used in the handshaking process. This is equivalent to what is often referred to as a MAC or Message Authentication Code. The acronym MAC stands for Media Access Control in networking.

With a fresh key, 802.11i CCMP is believed secure for confidentiality and integrity!

11. 802.11i: Mutual Authentication
RSNA Establishment Procedures
- Network and Security Capability Discovery
- Open System Authentication and Association
- EAP/802.1X/RADIUS Authentication
- 4-Way Handshake
- Group Key Handshake
- Secure Data Communications
RSNA security analysis gives:
- can provide satisfactory authentication and key management
- could be problematic in Transient Security Networks (TSN)
- reflection attack could be possible if not implemented correctly

12. RSNA Conversations
[Figure: state of the Supplicant, the Authenticator and the Authentication Server (RADIUS) at each stage: initial state, Association, EAP/802.1X/RADIUS Authentication, MSK/PMK transfer, 4-Way Handshake, Group Key Handshake, Data Communication. Each party is labelled with its association state (UnAuth/UnAssoc or Auth/Assoc), its 802.1X port state (Blocked or UnBlocked) and the key it holds (No Key, MSK, PMK, PTK/GTK, New GTK).]

13. Outline
- Wireless Threat Models
- IEEE 802.11i
- Attacks and Solutions
  - On Authentication:
    1. Security level rollback
    2. Reflection attack
  - On Availability:
    3. Michael countermeasure attack
    4. RSN IE poisoning
    5. 4-Way Handshake blocking
- Failure Recovery and improved 802.11i
- Conclusions

15. Security Rollback: Solutions
Security Level Rollback Attack
- Similar to a general version-rollback attack
- Destroys the security since WEP is completely insecure
- Not a real vulnerability of the 802.11i standard, but an implementation problem of TSN
- A very possible mistake given the transparency requirement
Solutions
- Allow only RSNA connections: secure, but too strict for common network systems, where TSN is more convenient
- Adopt both: the supplicant manually chooses to deny or accept a connection, and the authenticator restricts pre-RSNA (WEP) connections to only insensitive data

17. Reflection Attack: Solutions
- Possible in ad hoc networks
  - Each participant plays the role of both authenticator and supplicant
- Violates the mutual authentication concept
- Less damage if strong confidentiality is adopted
  - Adversary fools the peers into sending packets
  - Cannot decrypt the packet and generate a response
Solutions:
- Restrict each participant to play only one role: ok for WLAN, but inappropriate for ad hoc networks
- Each participant plays both roles, but under different PMKs

18. 802.11i: Availability
- Not an original design objective
- Physical Layer DoS attack
  - Inevitable but expensive and detectable
- Network and upper Layer DoS attack
  - Depends on protocols, not our focus
- Link Layer DoS attack
  - Flooding attack: could be detected and located
  - Some known DoS attacks on 802.11 networks
  - DoS attack on Michael countermeasure in TKIP
  - RSN IE Poisoning/Spoofing
  - 4-Way Handshake Blocking

19. Known DoS attacks and Solutions
DoS attacks on plain 802.11 networks
- Forge unprotected management frames, like Deauthentication/Disassociation frames
- Exploit the virtual carrier sense mechanism by forging unprotected control frames, like RTS/CTS etc.
- 802.11i still has these problems; solutions could be
  - Authenticate management frames
  - Validate virtual carrier sense in control frames
DoS attacks on EAP messages
- Forge EAPOL-Start, EAPOL-Success, EAPOL-Logoff, EAPOL-Failure
  - 802.11i can eliminate these by simply ignoring them!
- Send more than 255 association requests to exhaust the EAP identifier space (8 bits)
  - Adopt a separate EAP identifier counter for each association

20. Michael Countermeasure
TKIP Michael algorithm and countermeasures
- Message Integrity Code (MIC), provides 20-bit security
  - one successful forgery / 2 min., need countermeasures
- Cease communication for 60 sec. if two Michael MIC failures are detected in one minute, re-key & deauthentication
  - Limit to one successful forgery / 6 months
- Check order: FCS < ICV < TSC < MIC
- Update TSC unless MIC is validated

[Figure: TKIP MPDU format: MAC | IV/KeyID | Ext. IV | Data/MSDU | MIC | ICV | FCS, with the labels "Encrypted" and "Contains TSC"]

21. Michael DoS and Solutions
DoS attack through MIC failures
- Intercept a packet with valid TSC (possible)
- Modify the packet and the corresponding values of FCS, ICV (easy)
- Send the modified packet twice in one minute (easy)
- MIC always invalid, TSC always valid
Solutions
- On MIC failure, cease communication only, no re-keying and deauthentication
- Update TSC before MIC is validated
  - What happens if the TSC is modified to an extremely large number?
  - Changing the TSC also changes the encryption key, giving wrong decryption
  - Some confidence in the TKIP key schedule algorithm
- Mitigation but not elimination

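The receive-path ordering on slides 20 and 21 can be modelled in a few lines. This is an added Python example, not code from the slides; it assumes the baseline receiver advances its TSC replay counter only after a valid MIC, and it uses boolean flags in place of the real FCS, ICV and Michael computations.

```python
from dataclasses import dataclass, field

@dataclass
class Frame:
    tsc: int              # TKIP sequence counter from IV/Ext. IV
    fcs_ok: bool = True   # booleans stand in for the real FCS/ICV/MIC checks
    icv_ok: bool = True
    mic_ok: bool = True

@dataclass
class TkipReceiver:
    tsc_before_mic: bool  # False: TSC advances only after a valid MIC; True: proposed fix
    last_tsc: int = -1
    mic_failures: list = field(default_factory=list)  # failure times in seconds
    blocked_until: float = 0.0

    def receive(self, frame, now):
        if now < self.blocked_until:
            return "blocked"
        if not frame.fcs_ok:                   # check order: FCS, ICV, TSC, MIC
            return "drop:fcs"
        if not frame.icv_ok:
            return "drop:icv"
        if frame.tsc <= self.last_tsc:
            return "drop:replay"
        if self.tsc_before_mic:
            self.last_tsc = frame.tsc          # fix: consume the TSC before the MIC check
        if not frame.mic_ok:
            self.mic_failures = [t for t in self.mic_failures if now - t < 60] + [now]
            if len(self.mic_failures) >= 2:    # two failures within one minute
                self.blocked_until = now + 60  # cease communication for 60 s
                self.mic_failures = []
                return "countermeasure"
            return "drop:mic"
        self.last_tsc = frame.tsc
        return "accept"

def replay_scenario(tsc_before_mic):
    rx = TkipReceiver(tsc_before_mic)
    # Constructed frame: valid TSC, altered body, FCS/ICV recomputed, so only the MIC fails
    altered = Frame(tsc=11, mic_ok=False)
    return [rx.receive(Frame(tsc=10), 0.0),
            rx.receive(altered, 5.0),
            rx.receive(altered, 10.0),         # same frame again within one minute
            rx.receive(Frame(tsc=12), 15.0)]
```

With `tsc_before_mic=True` the second copy of the altered frame is rejected by the replay check and never reaches the MIC failure counter, which is why the slide calls this mitigation rather than elimination: a fresh altered frame with a new valid TSC still counts as a failure.
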
23. RSN IE Poisoning: Solutions
- Easy to launch the attack
- Legitimate participants are unaware of it
  - They continue message exchanges and waste resources
  - The adversary has more time to repeat the attack
Solutions
- Authenticate management frames
  - Difficult to authenticate Beacon and Probe Response frames
- Confirm the RSN IE as soon as possible (EAP-TLS)
  - Necessary modifications to the standard
- Relax the condition of RSN IE confirmation
  - Ignore insignificant bits, only confirm the authentication suite
  - If the authentication suite is modified, probably an error at the beginning of associations

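The difference between bit-wise RSN IE confirmation and the relaxed rule on slide 23 is shown below. This is an added Python example, not code from the slides; the sample IEs are constructed, and the parser assumes an IE that carries every field up to the AKM suite list.

```python
import struct

OUI = bytes.fromhex("000fac")  # IEEE 802.11 suite selector OUI

def build_rsn_ie(akm_type, caps):
    # Constructed sample IE: version 1, CCMP group and pairwise cipher, one AKM suite
    body = struct.pack("<H", 1) + OUI + b"\x04"
    body += struct.pack("<H", 1) + OUI + b"\x04"
    body += struct.pack("<H", 1) + OUI + bytes([akm_type])
    body += struct.pack("<H", caps)
    return bytes([0x30, len(body)]) + body

def parse_rsn_ie(ie):
    if len(ie) < 2 or ie[0] != 0x30 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN IE")
    body, pos = ie[2:], 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN IE")
        pos += n
        return body[pos - n:pos]

    def suites():
        count = struct.unpack("<H", take(2))[0]
        return [take(4) for _ in range(count)]

    version = struct.unpack("<H", take(2))[0]
    group = take(4)
    pairwise, akm = suites(), suites()
    caps = struct.unpack("<H", take(2))[0] if pos < len(body) else 0
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akm, "caps": caps}

def strict_confirm(advertised, confirmed):
    return advertised == confirmed  # bit-wise comparison of the whole IE

def relaxed_confirm(advertised, confirmed):
    # Relaxed rule from the slide: only the authentication (AKM) suites must agree
    return parse_rsn_ie(advertised)["akm"] == parse_rsn_ie(confirmed)["akm"]

GENUINE = build_rsn_ie(akm_type=1, caps=0x0000)       # AKM 802.1X
CAPS_FLIPPED = build_rsn_ie(akm_type=1, caps=0x0001)  # one capability bit altered
AKM_CHANGED = build_rsn_ie(akm_type=2, caps=0x0000)   # authentication suite altered (PSK)
```
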
25. 4-Way Blocking: Solutions
- Random-Drop Queue: not so effective
- Authenticate Message 1
  - Make use of the shared PMK, but need to modify the packet format
- Re-use supplicant nonce
  - Supplicant re-uses SNonce, eliminates memory DoS
  - Performance degradation, more computations in the supplicant
- Combined solution:
  - Supplicant re-uses SNonce
  - Store one entry of received ANonce and derived PTK
  - If the ANonce in Message 3 matches the entry, use the PTK directly; otherwise derive the PTK from Message 3 and use it
  - Eliminates the attack, ensures performance in "friendly" scenarios, only minor modifications to the algorithm

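The combined solution on slide 25 can be sketched from the supplicant's side as follows. This is an added Python example, not code from the slides; the PTK derivation follows the 802.11i HMAC-SHA1 PRF, while the MIC helper, the MAC addresses, the random PMK and the message bodies are simplified, constructed stand-ins for real EAPOL-Key frames.

```python
import hashlib, hmac, os

def derive_ptk(pmk, aa, spa, anonce, snonce):
    # 802.11i PRF (HMAC-SHA1) over sorted addresses and nonces, 64-byte output
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(4))
    return b"".join(blocks)[:64]

def eapol_mic(ptk, payload):
    # Simplified stand-in for the EAPOL-Key MIC, keyed with the KCK (PTK[0:16])
    return hmac.new(ptk[:16], payload, hashlib.sha1).digest()[:16]

class Supplicant:
    def __init__(self, pmk, aa, spa):
        self.pmk, self.aa, self.spa = pmk, aa, spa
        self.snonce = os.urandom(32)  # re-used for every Message 1 of this handshake
        self.cache = None             # exactly one (ANonce, PTK) entry
        self.cache_hits = 0

    def on_message1(self, anonce):
        # Message 1 is unauthenticated: keep only the latest entry, constant memory
        ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)
        self.cache = (anonce, ptk)
        return self.snonce, eapol_mic(ptk, self.snonce)   # Message 2

    def on_message3(self, anonce, body, mic):
        if self.cache and self.cache[0] == anonce:
            ptk = self.cache[1]                           # "friendly" case
            self.cache_hits += 1
        else:                                             # entry was overwritten
            ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)
        if hmac.compare_digest(mic, eapol_mic(ptk, anonce + body)):
            return ptk                                    # install this PTK
        return None                                       # Message 3 fails the MIC

def handshake(forged_message1_count):
    # Constructed values: random PMK and made-up MAC addresses
    pmk = os.urandom(32)
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    sta = Supplicant(pmk, aa, spa)
    anonce = os.urandom(32)
    snonce, _ = sta.on_message1(anonce)                   # genuine Message 1
    for _ in range(forged_message1_count):                # unauthenticated Message 1 flood
        sta.on_message1(os.urandom(32))
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)     # authenticator side
    body = b"GTK-placeholder"
    ptk = sta.on_message3(anonce, body, eapol_mic(ap_ptk, anonce + body))
    return ptk == ap_ptk, sta.cache_hits
```

The handshake completes whether or not the cached entry survives; the flood only costs the supplicant one extra PTK derivation when Message 3 arrives.
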
26. Failure Recovery
- Important for large protocols like 802.11i
  - Does not affect protocol correctness, but efficiency
  - Does not eliminate DoS vulnerabilities, but makes DoS more difficult
- 802.11i adopts a simple scheme
  - Whenever there is a failure, restart from the beginning: inefficient!
- Tradeoffs
  - Defensive DoS attack vs Captured DoS attack
  - Assumptions on adversary's capability and network scenario
- A better failure recovery for 802.11i
  - If failure occurs before 802.1X finishes, restart everything
  - Otherwise restart components from the nearest point
  - channel scanning time >> protocol execution time

27. Improved 802.11i Architecture
- Stage 1: Network and Security Capability Discovery
- Stage 2: 802.1X Authentication (mutual authentication, shared secret, cipher suite)
- Stage 3: Secure Association (management frames protected)
- Stage 4: 4-Way Handshake (PMK confirmation, PTK derivation, and GTK distribution)
- Stage 5: Group Key Handshake
- Stage 6: Secure Data Communications

[Figure: failure transitions between the stages, labelled Michael MIC Failure or Other Security Failures, Group Key Handshake Timeout, 4-Way Handshake Timeout, Association Failure, 802.1X Failure]

28. Conclusions
- 802.11i provides
  - Satisfactory data confidentiality & integrity with CCMP
  - Satisfactory mutual authentication & key management
- Some implementation mistakes
  - Security Level Rollback Attack in TSN
  - Reflection Attack on the 4-Way Handshake
- Availability is a problem
  - Simple policies can make 802.11i robust to some known DoS
  - Possible attack on Michael Countermeasures in TKIP
  - RSN IE Poisoning/Spoofing
  - 4-Way Handshake Blocking
  - Inefficient failure recovery scheme
- Improved 802.11i

29. Highlight Our Findings

ATTACK: security rollback
SOLUTIONS: supplicant manually chooses security; authenticator restricts pre-RSNA to only insensitive data.

ATTACK: reflection attack
SOLUTIONS: each participant plays the role of either authenticator or supplicant; if both, use different PMKs.

ATTACK: attack on Michael countermeasures
SOLUTIONS: cease connections for a specific time instead of re-key and deauthentication; update TSC before MIC and after FCS, ICV are validated.

ATTACK: RSN IE poisoning
SOLUTIONS: authenticate Beacon and Probe Response frames; confirm RSN IE in an earlier stage; relax the condition of RSN IE confirmation.

ATTACK: 4-way handshake blocking
SOLUTIONS: adopt random-drop queue, not so effective; authenticate Message 1, packet format modified; re-use supplicant nonce, eliminate memory DoS.