Solutions for WEP Bracha Hod June 1, 2003 2 802.11i Task Group  Addresses WEP issues –No forgery protection –No protection against replays –Attack through.

Slides:

Advertisements

Similar presentations

CN8816: Network Security 1 Security in Wireless LAN i Open System Authentication Security Wired Equivalent Privacy (WEP) Robust Security Network.

Advertisements

WLAN SECURITY TEAM NAME : Crypto_5 TEAM MEMBERS: Rajini Ananthoj Srimani Reddy Gatla Ishleen Kour Pallavi Murudkar Deepagandhi Vadivelu.

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

Understanding and Achieving Next-Generation Wireless Security Motorola, Inc James Mateicka.

P Security Survey and Recommendations By: Ryon Coleman October 16, 2003.

IPsec Internet Headquarters Branch Office SA R1 R2

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.

Implementing Wireless LAN Security

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

OpenSig 2003: Panel Discussion on the Differences and Similarities of Wired vs. Wireless Security Russ Housley 9 October 2003.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID

MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID

Wired Equivalent Privacy (WEP)

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE

IEEE Wireless Local Area Networks (WLAN’s).

15 November Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.

WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.

WPA2 By Winway Pang. Overview  What is WPA2?  Wi-Fi Protected Access 2  Introduced September 2004  Two Versions  Enterprise – Server Authentication.

WLAN security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

IWD2243 Wireless & Mobile Security Chapter 3 : Wireless LAN Security Prepared by : Zuraidy Adnan, FITM UNISEL1.

1 Wireless LAN Security Kim W. Tracy NEIU, University Computing

Michal Rapco 05, 2005 Security issues in Wireless LANs.

Mobile and Wireless Communication Security By Jason Gratto.

Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),

Comparative studies on authentication and key exchange methods for wireless LAN Authors: Jun Lei, Xiaoming Fu, Dieter Hogrefe and Jianrong Tan Src:

Investigators have published numerous reports of birds taking turns vocalizing; the bird spoken to gave its full attention to the speaker and never vocalized.

Wireless Security Beyond WEP. Wireless Security Privacy Authorization (access control) Data Integrity (checksum, anti-tampering)

Done By : Ahmad Al-Asmar Wireless LAN Security Risks and Solutions.

IEEE i WPA2. IEEE i (WPA2) IEEE i, is an amendment to the standard specifying security mechanisms for wireless networks. The.

NSRI1 Security of Wireless LAN ’ Seongtaek Chee (NSRI)

WEP Protocol Weaknesses and Vulnerabilities

WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.

Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.

Shambhu Upadhyaya Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)

WEP Case Study Information Assurance Fall or Wi-Fi IEEE standard for wireless communication –Operates at the physical/data link layer –Operates.

WLANs & Security Standards (802.11) b - up to 11 Mbps, several hundred feet g - up to 54 Mbps, backward compatible, same frequency a.

IEEE i Aniss Zakaria Survey Fall 2004 Friday, Dec 3, 2004

Xiuzhen Cheng Xiuzhen Cheng Csci388 Wireless and Mobile Security – Temporal Key Integrity Protocol.

National Institute of Science & Technology WIRELESS LAN SECURITY Swagat Sourav [1] Wireless LAN Security Presented By SWAGAT SOURAV Roll # EE

Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.

Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.

Shambhu Upadhyaya Security – Key Hierarchy Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 11)

WLAN Security Condensed Version. First generation wireless security Many WLANs used the Service Set Identifier (SSID) as a basic form of security. Some.

Wireless security Wi–Fi (802.11) Security

Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.

802.11b Security CSEP 590 TU Osama Mazahir. Introduction Packets are sent out into the air for anyone to receive Eavesdropping is a much larger concern.

Wireless Network Security CSIS 5857: Encoding and Encryption.

EECS  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

Wireless Authentication Protocol Presented By: Tasmiah Tamzid Anannya Student Id:

History and Implementation of the IEEE 802 Security Architecture

1 /24 May Systems Architecture WPA / WPA 2(802.11i) Burghard Güther, Tim Hartmann

1. Introduction In this presentation, we will review ,802.1x and give their drawbacks, and then we will propose the use of a central manager to replace.

CSE 4905 WiFi Security II WPA2 (WiFi Protected Access 2)

History and Implementation of the IEEE 802 Security Architecture

Authentication and handoff protocols for wireless mesh networks

Wireless Protocols WEP, WPA & WPA2.

IEEE i Dohwan Kim.

CSE 4905 WiFi Security I WEP (Wired Equivalent Privacy)

IT4833/6833 WiFi Security Building Blocks (I).

Presentation transcript:

Solutions for WEP Bracha Hod June 1, 2003

i Task Group  Addresses WEP issues –No forgery protection –No protection against replays –Attack through weak keys –IV re-use  But has constraints –Needs a firmware patch: large market already –Access Points have cheap processor –Part is hardwired in the devices

3 Robust Secure Network  Interim solution –Use constrains –802.1x - authentication and key management –TKIP - data encapsulation  Longterm solution –Ignore constrains –802.1x - authentication and key management –AES - data encapsulation

802.1X

x Architecture  Allows choice of auth. methods using EAP –Chosen by peers at authentication time –Access point doesn’t care about EAP methods  Requires some authentication server –RADIUS is the de facto back-end protocol 802.1X (EAPoL) EAP-TLS EAP RADIUS UDP/IP

X Terminology  Port-based access control mechanism –Ports for passing data without authentication –Parts for passing data only after authentication Supplicant Authentication Server Authenticator Controlled port Uncontrolled port

x Model Supplicant Authentication Server Authenticator Authentication traffic Normal Data Port Status: EAP Identity Request Associate EAP Auth Response EAP Auth Request EAP Identity Response Radius802.1x EAP-Success

x Advantages  Standards-based  Flexible authentication  Scalable to large enterprise networks  Centrally managed  Roaming can be made as transparent as possible  Keys are dynamically generated and propagated

x Flaws  Possible attacks –Man-in-the-middle –Session hijacking –Denial-of-service attacks  Solutions –Strong mutual authentication by protocols like EAP-TLS, EAP-TTLS and EAP-PEAP which provide strong master-key in the end –The area of coverage of an access point is small enough that an attacker would have a substantial risk of discovery

TKIP

11 Temporal Key Integrity Protocol  Designed as a wrapper around WEP –Can be implemented in software –Reuses existing WEP hardware –Runs WEP as a sub-component  Components –Cryptographic message integrity code –Packet sequencing –Per-packet key mixing –Re-keying mechanism

12 MIC  Sender and receiver share 64-bit secret key  MIC = h (src MAC|dst MAC|frame body)K  If receivers computation matches the MIC sent, then message presumed authentic  If 2 forgeries in a second, then assume under attack (delete keys, disassociate, and reassociate) 8 byte MIC SADAPayload Michael Authentication Key

13 Packet Sequencing  Reuse 16-bits of WEP IV packet field for sequence number  Initialize seq# to 0 on new encryption key  Increment seq# by 1 on each packet  Discard any packet out of sequence Access Point Wireless Station HdrPacket n HdrPacket n + 1 HdrPacket n

14 Key Mixing  Phase 1: –Key_mix1(128-bit temporal key, 48-bit MAC) –128-bit result –Ensure unique key if clients share same temporal key  Phase 2: –Key_mix2(phase1 result,seq#) –The result is 128-bit per-packet key –Incrementing seq# ensure unique key for each packet  Keystream = RC4(128-bit per-packet key)

15 Key Mixing  The keys are 128-bit  The transmitter address is 48-bit  The sequence number is 16-bit Transmitter Address: 00-A0-C9-BA-4D-5F Temporal key Phase 1 Mixer Intermediate key Per-packet key Phase 2 Mixer Packet Sequence #

16 Rekeying  Key hierarchy –Master key Established via 802.1x or manually Used to securely communicate key encryption keys –Key encryption keys (2) Secure messages containing keying material for deriving temporal keys Key 1: encryption data 128-bit Key 2: data integrity 64-bit –Temporal keys (2) Key 1: encrypting data 128-bit Key 2: data integrity 64-bit

17 Putting The Pieces Together

18 Summery  Advantages –Fixes several issues in WEP –Companies having existing WEP-based equipment can upgrade to TKIP through relatively simple firmware patches  Disadvantages –Relies on the original security specifications –Not ideal solution  “We should all realize that TKIP is really a kludge. We are trying to make the best of a difficult situation, but TKIP should be phased out as soon as possible…”

AES

20 Requirements  Use encryption properly –In particular The protocol must never reuse nonces or IVs or other information used to randomize the encryption function  Defend against forgeries and replays –In particular, a design must never reuse keys  Protect the source and destination addresses from modification  Minimize the cost: –Minimize the number of cryptographic primitives used –Minimize the software expenses  Use the best practice cryptographic primitives

21 AES-based Encapsulations  Replaces RC4 with AES for encryption and integrity  Requires coprocessor, therefore new hardware deployment  AES –Symmetric key block cipher –Require sequence counter, 128-bit key  Two cryptographic modes: –AES-CCM (CCMP): Counter Mode with CBC-MAC –AES-OCB (WRAP): Offset Codebook

22 Counter Mode & CBC-MAC EKEK ctr 1 c1c1 m1m1 EKEK ctr 2 c2c2 m2m2 EKEK ctr 3 c3c3 m3m3 EKEK ctr n-1 c n-1 m n-1 EKEK ctr n cncn mnmn EKEK EKEK EKEK m n-1 EKEK mnmn cmcm IV c 0 =IV c j =E K (m j  c j-1 ) MAC=c m c j =E K (ctr j )  m j m1m1 m2m2

23 AES-CCM  Use CBC-MAC to compute a MIC on the MPDU + header fields  CTR mode to encrypt the payload and the MIC  The counter for encryption and the IV for MIC are made by concatenation of the sequence counter and header fields HeaderPayload Encrypted MIC Authenticated bit sequence counter AES key Seq CTR

24 OCB … Full tag   offset EKEK checksum   offset EKEK m1m1 c1c1 offset   L(0)   offset EKEK m2m2 c2c2 offset   L(1) EKEK mnmn cncn    L(-1) Pad Len(m n ) offset   L (ntz(n))   ossfet EKEK Nonce Offset   L  L L = E K (0)

25 AES-OCB  OCB provides both data privacy and data authenticity by a single AES-key and 28-bit sequence counter  The nonce of OCB is made by concatenation of the sequence counter and header fields HeaderPayload Encrypted MIC Authenticated bit sequence counter AES key Seq CTR

26 CCM vs. OCB  Security –OCB mode appears to be superior for data authentication  Performance –In hardware there are no difference –In software, AES-OCB enjoy about 2:1 performance advantage over AES-CCM  Patent situation –OCB has patent, while CCM doesn’t

27 Today & The Future  2000 – WEP –Better than no security  x–WEP –Fixes authentication issues for legacy equipment  i–TKIP –Fixes known encryption issues for legacy equipment  i-AES –Next generation security for future products

Thank You!