Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mario Čagalj University of Split 2013/2014. FELK 19: Security of Wireless Networks *

Published byAusten Phillips Modified over 8 years ago

Similar presentations

Presentation on theme: "Mario Čagalj University of Split 2013/2014. FELK 19: Security of Wireless Networks *"— Presentation transcript:

1 Mario Čagalj University of Split 2013/2014. FELK 19: Security of Wireless Networks *

2 WiFi (In)Security – 2 st part Assembled from different sources: Walker, Lehembre Buttyan,... Produced by Mario Čagalj

3 3 Introduction: IEEE 802.11i We have seen that WEP is critically flawed IEEE 802.11i defined to properly secure wireless LANs (2004) Specifies robust security mechanisms for WLANs Defines Transition Security Network (TSN) Called WiFi-Protected Access (WPA) by WiFi-Alliance Based on “new” TKIP (that uses “old” RC4 like WEP) Backward compatibility (with old RC4-only hardware) IEEE 802.1X authentication framework More importantly defines a Robust Security Network (RSN) Called WiFi-Protected Access 2 (WPA2) by WiFi-Alliance Based on AES and optionally TKIP Also uses IEEE 802.1X authentication framework

4 4 Tranzicija prema IEEE 802.11i IEEE 802.11b WEP WPA IEEE 802.11i (WPA2) Tajnost podataka (enkripcija) WEP (RC4)TKIP (RC4) AES, (opcija TKIP) Integritet podatakaWEP (RC4) + CRCTKIP-MIC AES-MAC (opcija TKIP-MIC) Autentikacija i kontrola pristupa Shared Key Authentication IEEE 802.1X/EAP (+ EAP-TLS, LEAP…) IEEE 802.1X/EAP (+ EAP-TLS, LEAP…) TKIP: Temporal Key Integrity Protocol AES: Advanced Encryption Standard MIC: Message Integrity Code MAC: Message Authentication Code EAP: Extensible Authentication Protocol TLS: Transport Layer Security LEAP: Light EAP (Cisco)

5 5 Značajke IEEE 802.11i standarda Novine u IEEE 802.11i u usporedbi sa WEP-om Autentifikacija i kontrola pristupa zasnovana na IEEE 802.1X modelu Fleksibilan autentifikacijski okvir EAP (Extensible Authentication Protocol) Mogu se koristiti “dokazani” protokoli (npr., TLS) Autentifikacijski proces rezultira sesijskim tajnim ključem Različite funkcije koriste različite ključeve koji se izvode iz sesijskog ključa Enkripcijska funkcija značajno poboljšana (AES, TKIP) Zaštita integriteta poruka značajno poboljšana AES-MAC i TKIP-MIC

6 6 Autentifikacijski model IEEE 802.1X u WiFi Port-based Network Access Control ● Mobilni klijent zahtijeva pristup uslugama (želi se spojiti na mrežu) ● AP kontrolira pristup uslugama (kontrolirani port) ● Autentifikacijski server (AS) Mobilni klijent i AS se me đ usobno autentificiraju AS informira AP da može otvoriti kontrolirani port mobilnom klijentu Mobilni klijent AP LAN (Internet) Autentifikacijski server Kontroliran port Slobodan (otvoren) port

7 7 Operacijske faze IEEE 802.11i Mobilni klijent (M) Pristupna točka (AP) Autentikacijski server (AS) Otkrivanje sigurnosnih funkcionalnosti Distribucija PMK ključa (npr. putem RADIUS-a) Zaštita podataka (TKIP, CCMP/AES) Rezultat: M i AS -generiraju Master Key (MK) -izvedu Pairwise MK (PMK) 802.1X autentifikacija Rezultat: M i AP -provjere PMK -izvedu Paiwise Transient Key (PTK) -PTK vezan uz ovaj M i ovu AP 802.1X key management CCMP = Counter-Mode / Cipher Block Chaining Message Authentication Code Protocol based on AES block cipher

8 8 Operacijske faze IEEE 802.11i: kućne i ad hoc mreže Autentifikacijski server nije prisutan Autentifikacija zasnovana na dijeljenom ključu (Pre-Shared Key, PSK) Mobilni klijent (M) Pristupna točka (AP) PSK (umjesto PMK) Otkrivanje sigurnosnih funkcionalnosti IEEE 802.1X key management (Provjera PSK/PTK– “4-way” handshake) Zaštita podataka (TKIP, CCMP/AES)

9 9 Operational phases in IEEE 802.11i 1.Agreeing on the security policy 2.IEEE 802.1X authentication (absent in home nets) 3.Key derivation and distribution 4.Protecting data confidentiality and integrity

10 10 Operational phases in IEEE 802.11i (1/4) 1.Agreeing on the security policy between M and AP Security policy advertied in RSN IE (RSN Information Element) E.g., use PSK (Pre-Shared Key) or 802.1X (auth prot.), TKIP or CCMP/AES, etc. Guillaume Lehembre, hakin9 6/2005

11 11 Operational phases in IEEE 802.11i 1.Agreeing on the security policy 2.IEEE 802.1X authentication (absent in home nets) 3.Key derivation and distribution 4.Protecting data confidentiality and integrity

12 12 Operational phases in IEEE 802.11i (2/4) 2.IEEE 802.1X authentication Based on EAP (Extensible Authentication Protocol) and the specific authentication method agreed earlier (in the 1 st phase) Guillaume Lehembre, hakin9 6/2005

13 13 IEEE 802.1X authentication (2 nd phase) EAP (Extensible Authentication Protocol) [RFC 3748] carrier protocol designed to transport the messages of “real” authentication protocols (e.g., TLS) very simple, four types of messages: EAP request – carries messages from AS to M EAP response – carries messages from M to the AS EAP success – signals successful authentication EAP failure – signals authentication failure authenticator (AP) doesn’t understand what is inside the EAP messages, it recognizes only EAP success and failure EAP is not an authentication method itself

14 14 IEEE 802.1X authentication (2 nd phase) EAP (Extensible Authentication Protocol) End-to-end transport between M and AS AP proxies EAP between 802.1X and backend protocol between AP and AS (e.g. RADIUS) EAP-TLS EAP EAPoL (802.1X) 802.11 EAP over RADIUS RADIUS TCP/IP 802.3 ili drugi Mobilni klijentPristupna točka Autentifikacijski server RADIUS: Remote Authentication Dial In User Service within the scope of IEEE 802.11i

15 15 IEEE 802.1X authentication (2 nd phase) EAPoL (EAP over LAN) [802.1X] used to encapsulate EAP messages into LAN protocols (e.g., Ethernet) EAPoL is used to carry EAP messages between the M and the AP RADIUS (Remote Access Dial-In User Service) [RFC 2865-2869, RFC 2548] used to carry EAP messages between the AP and the auth server RADIUS is mandated by WPA and optional for RSN (WPA2) EAP-TLS EAP EAPoL (802.1X) 802.11 EAP over RADIUS RADIUS TCP/IP 802.3 ili drugi Mobilni klijentPristupna točka Autentifikacijski server

16 16 IEEE 802.1X authentication (2 nd phase) EAP in action APM auth server EAP Request (Identity) EAP Response (Identity) EAP Request 1 EAP Response 1 EAP Success EAP Request n EAP Response n... embedded auth. protocol EAPOL-Start encapsulated in EAPOL encapsulated in RADIUS

17 17 IEEE 802.1X authentication (2 nd phase) Examples of embedded authentication protocols EAP-TLS (TLS over EAP) only the TLS Handshake Protocol is used server and client authentication via certificates, generation of master secret TLS master secret becomes the session key PEAP (Protected EAP) phase 1: TLS Handshake without client authentication (only server’s certificate) phase 2: client authentication protected by the secure channel from phase 1 we will use it in our labs with WinSrv2008 EAP-TTLS (used for securing FESB WiFi) similar to PEAP (mainly different inner/client authentication) we will use it in our demos EAP-SIM, EAP-MD5, EAP-PSK and many others

18 Tunneled TLS over Extensible Authentication Protocol (EAP-TTLS) Provides protection for initial authentication messages (plaintext passwords, e.g. PAP used by FESB) 18 Example: FESB WiFi (EAP-TTLS and PAP) Mobilni klijent (M) Pristupna točka (AP) Autentifikacijski server (AS) TTLS server Establishing an authentication TLS tunnel TLS protected authentication WLAN master session key Authentication Data traffic on secured link

19 19 IEEE 802.1X authentication summary At the end of authentication: The AS and M have established a session The AS and M possess a mutually authenticated Master Key (derived from the concrete EAP method) Master Key represents decision to grant access based on authentication M and AS have derived PMK (Pairwise Master Key) PMK is an authorization token to enforce access control decision at AP AS has distributed PMK to an AP (hopefully, to the M’s AP)

20 20 Operational phases in IEEE 802.11i 1.Agreeing on the security policy 2.IEEE 802.1X authentication (absent in home nets) 3.Key derivation and distribution 4.Protecting data confidentiality and integrity

21 21 Operational phases in IEEE 802.11i (3/4) 3.Key derivation and distribution At this stage M and AP both hold PMK (Pairwise Master Key) They use it to derive a fresh PTK (Pairwise Transient Key) and GTK (Group Transient Key) Guillaume Lehembre, hakin9 6/2005

22 22 Key derivation and distribution (3 rd phase) PTK (Pairwise Transient Key) – unique for this M and this AP Guillaume Lehembre, hakin9 6/2005

23 23 Key derivation and distribution (3 rd phase) GTK (Group Transient Key) – for multicast, the same for all M’s Guillaume Lehembre, hakin9 6/2005

24 24 Key derivation and distribution (3 rd phase) 4-Way Handshake (radio channel) Guillaume Lehembre, hakin9 6/2005 PTK PTK = EAPoL-PRF(PMK, ANonce | SNonce | AP MAC Addr | M’s MAC Addr)

25 25 Key derivation and distribution (3 rd phase) Key Management Summary 4-Way Handshake Establishes a fresh pairwise key bound to M and AP for this session Proves liveness of peers Demonstrates there is no man-in-the-middle between PTK holders if there was no man-in-the-middle between PMK holders Synchronizes pairwise key use Provisions fresh group key GTK to all mobile stations (for multicast traffic)

26 26 Example: the 3 phases with PEAP + MS-CHAPv2

27 27 Operational phases in IEEE 802.11i 1.Agreeing on the security policy 2.IEEE 802.1X authentication (absent in home nets) 3.Key derivation and distribution 4.Protecting data confidentiality and integrity

28 28 Operational phases in IEEE 802.11i (4/4) 4.Protecting data confidentiality and integrity IEEE 802.11i defines 3 protocols to protect data TKIP (Temporal Key Integrity Protocol) for legacy (old RC4 devices) WPA CCMP (Counter Mode with CBC-MAC Protocol) uses AES manadatory in WPA2 WRAP (Wireless Robust Authenticated Protocol) uses AES and patent-protected authenticated-encryption method OCB optional in WPA2 Three protocols instead of one due to politics

29 29 Protecting data confidentiality and integrity (4 th phase) Data Transfer Requirements Never send or receive unprotected packets Message origin authenticity —prevent forgeries Sequence packets —detect replays Avoid rekeying —48 bit packet sequence number Protect source and destination addresses Use one strong cryptographic primitive for both confidentiality and integrity

30 30 Zaštita podataka TKIP-om TKIP - Temporal Key Integrity Protocol Radi sa starim hardverom (koji podržava RC4) Rješava sve sigurnosne probleme sa WEP protokolom, npr. Povećava inicijalizacijski vektor (ext v) na 48 bitova (WEP - 24 bita), da bi se izbjeglo ponavljanje istog init. vektora Novi mehanizam za zaštitu integriteta – Michael (Message Integrity Code) Inicijalizacijski vektor kao brojač služi za zaštitu od “replay” napada 802.11 hdrPodaciCRC  WEP-RC4(k,v) 802.11 hdrCRCvPodaci 802.11 hdr  TKIP-RC4(PTK,ext v) 802.11 hdrext v Podaci MICCRC WEP TKIP Podaci MICCRC

31 31 TKIP dizajn Pairwise Transient Key (PTK) je dug 512 bitova Enkripcijski ključ = PTK bitovi 256-383 (128 bitova) Autentifikacijski ključ = PTK bitovi 384-511 (128 bitova) Message Integrity Code (8 bytes) Zaštita od “replay” napada Za svaki paket inicijalizacijski vektor se inkrementira ( + 1 ) Odbacuje se paket koji je primljen izvan sekvence (…, n, n+1, n, …) Miješanje enkripcijskog ključa – rješavanje “slabih” RC4 ključeva Autentifikacijski ključ Michael algoritam MAC Adresa Izvora MAC Adresa Odredišta PodaciMIC

32 32 Protecting data with CCMP Based on AES in CCM mode Counter Mode Encryption with CBC-MAC (Whiting, Ferguson and Housley) Counter Mode Encryption: Decription: CBC-MAC E E PiPi CiCi K + (n) counter + i (n) E E CiCi PiPi K + counter + i (n) E E m1m1 K + E E m2m2 K + E E m3m3 K + E E mNmN MAC = C N K + IV C N-1 …

33 33 CCM Mode Overview Use CBC-MAC to compute a MIC (Message Integrity Code) on the plaintext header, length of the plaintext header, and the payload Use CTR mode to encrypt the payload Counter values 1, 2, 3, … Use CTR mode to encrypt the MIC Counter value 0

34 34 Protecting data with CCMP

35 35 Protecting data with CCMP CCM provides authenticity and privacy A CBC-MAC of the plaintext is appended to the plaintext to form an encoded plaintext The encoded plaintext is encrypted in CTR mode CCM is packet oriented CCM can leave any number of initial blocks of the plaintext unencrypted CCM has a high security level It is provably secure

36 36 IEEE 802.11i: Pre-Shared Key (PSK) Autentifikacijski server nije prisutan (npr. kućne i ad hoc mreže) Autentifikacija zasnovana na dijeljenom ključu (Pre-Shared Key, PSK) Mobilni klijent (M) Pristupna točka (AP) PSK (umjesto PMK) Otkrivanje sigurnosnih funkcionalnosti IEEE 802.1X key management (Provjera PSK/PTK– “4-way” handshake) Zaštita podataka (TKIP, CCMP/AES)

37 37 IEEE 802.11i: Pre-Shared Key (PSK) No explicit authentication! The IEEE 802.1X authentication exchange absent Can have a single pre-shared key for entire network (insecure)… …or one per STA pair (secure) Password-to-Key Mapping Uses PKCS #5 v2.0 PBKDF2 to generate a 256-bit PSK from an ASCII password PMK=PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256) Salt = SSID, so PSK different for different SSIDs 4096 is the number of hashes used in this process

38 38 Next time Vulnerabilities of WPA, WPA2, IEEE 802.1X

Download ppt "Mario Čagalj University of Split 2013/2014. FELK 19: Security of Wireless Networks *"

Similar presentations

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Chapter 07 Designing and Implementing Security for WLAN

Chapter 07 Designing and Implementing Security for WLAN
CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.
Mario Čagalj University of Split 2013/2014. FELK 19: Security of Wireless Networks *

Mario Čagalj University of Split 2013/2014. FELK 19: Security of Wireless Networks *
WLAN SECURITY TEAM NAME : Crypto_5 TEAM MEMBERS: Rajini Ananthoj Srimani Reddy Gatla Ishleen Kour Pallavi Murudkar Deepagandhi Vadivelu.

WLAN SECURITY TEAM NAME : Crypto_5 TEAM MEMBERS: Rajini Ananthoj Srimani Reddy Gatla Ishleen Kour Pallavi Murudkar Deepagandhi Vadivelu.
IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.

Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.
P1451.5 Security Survey and Recommendations By: Ryon Coleman October 16, 2003.

P Security Survey and Recommendations By: Ryon Coleman October 16, 2003.
IPsec Internet Headquarters Branch Office SA R1 R2

IPsec Internet Headquarters Branch Office SA R1 R2
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – 802.11b  Security Mechanisms in 802.11b  Security Problems in 802.11b  Solutions for 802.11b.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
Implementing Wireless LAN Security

Implementing Wireless LAN Security
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.

MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID 003503527.

W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE

Similar presentations

Ads by Google