CN8816: Network Security 1 Security in Wireless LAN 802.11i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

Slides:



Advertisements
Similar presentations
Chapter 07 Designing and Implementing Security for WLAN
Advertisements

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.
P Security Survey and Recommendations By: Ryon Coleman October 16, 2003.
IPsec Internet Headquarters Branch Office SA R1 R2
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID
Wired Equivalent Privacy (WEP)
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE Wireless Local Area Networks (WLAN’s).
15 November Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.
Solutions for WEP Bracha Hod June 1, i Task Group  Addresses WEP issues –No forgery protection –No protection against replays –Attack through.
WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.
1 IEEE i Overview v0.1 Summary by Uthman Baroudi Nancy Cam-Winget, Cisco Systems Tim Moore, Microsoft Dorothy Stanley, Agere Systems Jesse Walker,
WLAN security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
IWD2243 Wireless & Mobile Security Chapter 3 : Wireless LAN Security Prepared by : Zuraidy Adnan, FITM UNISEL1.
Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.
WLAN What is WLAN? Physical vs. Wireless LAN
Michal Rapco 05, 2005 Security issues in Wireless LANs.
Mobile and Wireless Communication Security By Jason Gratto.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
Comparative studies on authentication and key exchange methods for wireless LAN Authors: Jun Lei, Xiaoming Fu, Dieter Hogrefe and Jianrong Tan Src:
Wireless and Security CSCI 5857: Encoding and Encryption.
Investigators have published numerous reports of birds taking turns vocalizing; the bird spoken to gave its full attention to the speaker and never vocalized.
IEEE MEDIA INDEPENDENT HANDOVER DCN: srho
Chapter Network Security Architecture Security Basics Legacy security Robust Security Segmentation Infrastructure Security VPN.
Wireless Security Beyond WEP. Wireless Security Privacy Authorization (access control) Data Integrity (checksum, anti-tampering)
Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)
WEP Protocol Weaknesses and Vulnerabilities
WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
Security in Wireless Networks IEEE i Presented by Sean Goggin March 1, 2005.
WEP, WPA, and EAP Drew Kalina. Overview  Wired Equivalent Privacy (WEP)  Wi-Fi Protected Access (WPA)  Extensible Authentication Protocol (EAP)
Link-Layer Protection in i WLANs With Dummy Authentication Will Mooney, Robin Jha.
WLANs & Security Standards (802.11) b - up to 11 Mbps, several hundred feet g - up to 54 Mbps, backward compatible, same frequency a.
Doc.: IEEE /551r0 Submission September 2002 Moore, Roshan, Cam-WingetSlide 1 TGi Frame Exchanges Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget.
IEEE i Aniss Zakaria Survey Fall 2004 Friday, Dec 3, 2004
Lecture 24 Wireless Network Security
National Institute of Science & Technology WIRELESS LAN SECURITY Swagat Sourav [1] Wireless LAN Security Presented By SWAGAT SOURAV Roll # EE
Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.
Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.
Shambhu Upadhyaya Security – Key Hierarchy Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 11)
Csci388 Wireless and Mobile Security – Key Hierarchies for WPA and RSN
Doc.: IEEE /008r0 Submission January 2003 N. Cam-Winget, D. Smith, K. AmannSlide 1 Proposed new AKM for Fast Roaming Nancy Cam-Winget, Cisco Systems.
802.11b Security CSEP 590 TU Osama Mazahir. Introduction Packets are sent out into the air for anyone to receive Eavesdropping is a much larger concern.
Wireless Network Security CSIS 5857: Encoding and Encryption.
Doc.: IEEE /657r0 Submission August 2003 N. Cam-WingetSlide 1 TGi Draft 5.0 Comments Nancy Cam-Winget, Cisco Systems Inc.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
KAIS T Comparative studies on authentication and key exchange methods for wireless LAN Jun Lei, Xiaoming Fu, Dieter Hogrefe, Jianrong Tan Computers.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
EECS  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
Wireless Authentication Protocol Presented By: Tasmiah Tamzid Anannya Student Id:
1 /24 May Systems Architecture WPA / WPA 2(802.11i) Burghard Güther, Tim Hartmann
Robust Security Network (RSN) Service of IEEE
CSE 4905 WiFi Security II WPA2 (WiFi Protected Access 2)
Authentication and handoff protocols for wireless mesh networks
Wireless Protocols WEP, WPA & WPA2.
Lecture 29 Security in IEEE Dr. Ghalib A. Shah
WEP & WPA Mandy Kershishnik.
Wireless Network Security
Tim Moore Microsoft Pejman Roshan Nancy Cam-Winget Cisco Systems, Inc
Presentation transcript:

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network (RSN) Temporal Key Integrity protocol (TKIP) Counter Mode with CBC-MAC (CCMP) Key Management and Establishment Authentication Protocols

Security in Wireless LAN (802.11i) CN8816: Network Security2 1.Open System Authentication Establishing the IEEE association with no authentication STA AP STA Probe Request Probe Response Open System Authentication Request (STA Identity) Open System Authentication Response Association Request Association Response

Security in Wireless LAN (802.11i) CN8816: Network Security3 2. Wired Equivalent Privacy (WEP) WEP uses shared key authentication STA AP STA Probe Request & Probe Response Shared Key Authentication (1) (STA Identity) Shared Key Authentication (2) Challenge Association Request & Response Encrypted(Shared Key Authentication (3) Challenge) Shared Key Authentication (4) (Success/Failure)

Security in Wireless LAN (802.11i) CN8816: Network Security4 2. Wired Equivalent Privacy (WEP) WEP Encryption uses RC4 stream cipher RC4 PRNG + Concatenation CRC-32 IV Cipher Text Concatenation IV WEP KEY Plaintext SeedKey Stream Integrity Check Value (ICV) Message

Security in Wireless LAN (802.11i) CN8816: Network Security5 2. Wired Equivalent Privacy (WEP) Several major problems in WEP security The IV used to produce the RC4 stream is only 24-bit long The short IV field means that the same RC4 stream will be used to encrypt different texts – IV collision Statistical attacks can be used to recover the plaintexts due to IV collision The CRC-32 checksum can be easily manipulated to produce a valid integrity check value (ICV) for a false message

Security in Wireless LAN (802.11i) CN8816: Network Security6 3. Robust Security Network (RSN) i defines a set of features to establish a RSN association (RSNA) between stations (STAs) Enhanced data encapsulation mechanism CCMP Optional: TKIP Key management and establishment Four-way handshake and group-key handshake Enhanced authentication mechanism for STAs Pre-shared key (PSK); IEEE 802.1x/EAP methods

Security in Wireless LAN (802.11i) CN8816: Network Security7 3. Robust Security Network (RSN) Operational phases StationAccess point Authentication Server Security Capabilities Discovery 802.1x authenticationRADIUS/EAP 802.1x Key Management RADIUS-based Key Distribution Data Protection

Security in Wireless LAN (802.11i) CN8816: Network Security8 3. Robust Security Network (RSN) Discovery message exchange Probe Request Probe Response + RSN IE Open System Auth Open System (success) Association Requst + RSN IE Association Response (success) Station Access point

Security in Wireless LAN (802.11i) CN8816: Network Security9 3. Robust Security Network (RSN) Authentication Mutual authentication The AS and station derive a Master Key (MK) A Pairwise Master Key (PMK) is derived from MK The AS distributed PMK to the AP In PSK authentication, the authentication phase is skipped PMK = PSK

3. Robust Security Network (RSN) Key management and establishment PMK is sent to AP by AS Key management is performed between AP and the peer – four-way handshake The four-way handshake can also be used for mutual authentication between AP and the peer in PSK mode A set of keys are derived from PMK to protect group key exchange and data Group key exchange allows AP to distribute group key (for multicast) to the peer Security in Wireless LAN (802.11i) CN8816: Network Security10

Security in Wireless LAN (802.11i) CN8816: Network Security11 4. Temporal Key Integrity Protocol (TKIP) Optional IEEE802.11i protocol for data confidentiality and integrity TKIP is designed explicitly for implementation on WEP legacy hardware TKIP three new features: A cryptographic message integrity code (MIC) A new IV sequencing discipline The transmitter increments the sequence number with each packet it sends A per-packet key mixing function

Security in Wireless LAN (802.11i) CN8816: Network Security12 4. Temporal Key Integrity Protocol (TKIP) TKIP frame processing Phase 1 Key mixing Phase 2 Key mixing MICHAEL Fragmentation (if required) WEP Processing Temporal key Transmitter address MIC key Source & destination addresses, priority, and payload TTAK Frame payload + MIC WEP IV WEP secret key Clear text frames Encrypted and authenticated frames for transmission TSC2-TSC5 TSC0-TSC1 TSC0-TSC5 TKIP sequence counter (TSC)

Security in Wireless LAN (802.11i) CN8816: Network Security13 4. Temporal Key Integrity Protocol (TKIP) Defeating weak key attacks: key mixing Transforms a temporal key and packet sequence number into a per packet key and IV The key mixing function operates in two phases Phase 1: Different keys used by different links Phase 1 needs to be recomputed only once every 2 16 frames Phase 2: Different WEP key and IV per packet Phases 1 and 2 can be pre-computed

Security in Wireless LAN (802.11i) CN8816: Network Security14 3. Temporal Key Integrity Protocol (TKIP) Defeating replays: IV sequence enforcement TKIP uses the IV field as a packet sequence number The transmitter increments the sequence number with each packet it send A packet will be discarded if it arrives out of order A packet is out-of-order if its IV is the same or smaller than a previous correctly received packet Defeating forgeries: New MIC (Michael) MIC key is 64-bits security level of 20 bits

Security in Wireless LAN (802.11i) CN8816: Network Security15 4. Temporal Key Integrity Protocol (TKIP) TKIP encapsulation MAC Header IV/Key ID Extended IV Data MIC WEP ICV FCS Encrypted TSC1WEP Seed TSC0 Rsvd Ext IV Key ID TSC2TSC3TSC4TSC5

Security in Wireless LAN (802.11i) CN8816: Network Security16 5. Counter Mode with CBC-MAC (CCMP) Both encryption and MIC use AES Uses counter Mode (CTR) to encrypt the payload and MIC Uses CBC-MAC to compute a MIC on the plaintext header and the payload Both encryption and authentication use the same key Header PayloadMIC Encryption Authenticated

Security in Wireless LAN (802.11i) CN8816: Network Security17 5. Counter Mode with CBC-MAC (CCMP) CCMP data processing MAC headerData Additional authentication data Create nonce CCMP header CCM encryption MAC header CCMP header DataMICFCS Packet # Temporal key Key Id Plaintext frame A2

Security in Wireless LAN (802.11i) CN8816: Network Security18 5. Counter Mode with CBC-MAC (CCMP) Each message block has the size of 16 octets For CTR encryption, A i has the following format (i is the value of the counter field): For the CBC-MAC authentication, B 0 has the following format (length := size of the payload): FlagsNonce Counter FlagsNonce length

Security in Wireless LAN (802.11i) CN8816: Network Security19 5. Counter Mode with CBC-MAC (CCMP) CCM encryption E +... B1B1 BkBk 0 + E B k BNBN 0 + E HeaderPayloadMIC + + EEE B0B0 S1S1 SMSM S0S0 A1A1 AMAM A0A0... Encrypted payload Encrypted MIC

Security in Wireless LAN (802.11i) CN8816: Network Security20 6. Key Management and Establishment 802.1x key management Use RADIUS to push PMK from AS to AP Use PMK and 4-way Handshake To derive, bind, and verify PTK Use Group Key Handshake to send GTK from AP to station

Security in Wireless LAN (802.11i) CN8816: Network Security21 6. Key Management and Establishment 4-Way Handshake EAPoL-Key( ANonce … ) PTK=EAPoL-PRF(PMK, ANonce | SNonce | AP MAC Addr | STA MAC Addr) EAPoL-Key(SNonce, MIC, STA RSN IE) Derive PTK EAPoL-Key(ANonce, MIC, AP RSN IE, encrypted(GTK)) EAPoL-Key(Unicast, MIC) Install TK

Security in Wireless LAN (802.11i) CN8816: Network Security22 6. Key Management and Establishment PTK := KCK | KEK | TK KCK used to authenticate Messages 2, 3, and 4 KEK unused by 4-way handshake – used for the encryption of group key TK installed after Message 4 – used for data encryption The discovery RSN IE exchange from alteration protected by the MIC in Messages 2 and 3 The MIC carried in the messages are also used for mutual authentication

Security in Wireless LAN (802.11i) CN8816: Network Security23 6. Key Management and Establishment Group Key Handshake Pick random GNonce Encrypt GTK with KEK EAPoL-Key(MIC, encrypted(GTK)) Decrypt GTK EAPoL-Key(MIC) Unblocked data traffic

Security in Wireless LAN (802.11i) CN8816: Network Security24 7. Authentication protocols Authentication overview 802.1x/EAP-Request Identity 802.1x/EAP-Response Identity (EAP type specific) RADIUS Access Request/Identity EAP type specific mutual authentication (e.g. EAP_TLS) Derive Pairwise Master key (PMK) RADIUS Accept (with PMK) 802.1x/EAP-Success

Security in Wireless LAN (802.11i) CN8816: Network Security25 7. Authentication Protocols Authentication components StationAccess point Authentication Server Authentication Method (e.g. EAP-TLS) 802.1x (EAPoL) EAP RADIUS UDP/IP

7. Authentication Protocols LEAP Simple – neither server certificate or peer certificates is required CHAP is used for mutual authentication The user’s password is the shared secret Session key is derived from the shared secret, the challenges and the challenge responses Susceptible to the dictionary attack Security in Wireless LAN (802.11i) CN8816: Network Security26

EAP authentication: general approach Used TLS to setup a secure tunnel Inner authentication method is used for further authentication 7. Authentication Protocols Security in Wireless LAN (802.11i) CN8816: Network Security27 IEEE 802.1x /EAP RADIUS /EAP TLS [Inner EAP Authentication] PMK = function of (nonces, {DH secret/session key}) master secret

7. Authentication Protocols EAP-TLS Both peer and AS authenticate each other using certificates in the TLS phase Inner authentication may be used for user authentication Security in Wireless LAN (802.11i) CN8816: Network Security28 IEEE 802.1x /EAP RADIUS /EAP TLS [user/pwd, MD5 challenge, TLS, …] master_secret master_secret = PRF(pre_master_secret, “ master secret”, nonces) PMK = PRF(master_secret, “client EAP encryption”, nonces)

7. Authentication Protocols PEAP At the TLS phase, server is authenticated based on the server’s certificate – no peer authentication Peer authentication is done at the inner authentication EAP-MS-CHAPV2 is the most popular inner authentication method – it provides mutual authentication plus key generation The PMK generated is based on both the TLS master_secret and the master_session_key (MSK) Security in Wireless LAN (802.11i) CN8816: Network Security29

7. Authentication Protocols EAP-FAST Two methods for setting up TLS tunnel Server certificate Protected Access Credential (PAC) PAC components: Shared secret – used to derive TLS master secret opaque element – presented by the peer to the AS Contains shared secret and peer identity Protected with cryptographic keys and algorithm other information – identity of the PAC issuer, secret lifetime … Security in Wireless LAN (802.11i) CN8816: Network Security30

7. Authentication Protocols TLS tunnel using PAC Security in Wireless LAN (802.11i) CN8816: Network Security31 IEEE 802.1x /EAP RADIUS /EAP [Inner Authentication] PAC-key PAC-opaque ClientHello, PAC-opaque DE(PAC-opaque) = (PAC-key, peer ID,...) ServerHello, ChangeCipherSuite, Finished ChangeCipherSuite, Finished master_secret master_secret = PRF(PAC-key, “PAC to master secret label hash”, nonces) PMK = function of (master_secret, MSK) MSk