Wireless Network Security


1 Wireless Network Security
From: CISSP wireless security section; TWCERT/CC, Wireless Security White Paper
Presented by Allen CB Kuo, 2018/11/24
Optimization LAB, Department of Information Management, NTU

2 Outline
Wireless Network; Wireless LAN Security; WEP; Wireless Vulnerabilities; 802.1x Authentication; IEEE 802.11i; WPA & WPA2; Related News

3 Wireless Network
- WLAN
- WPAN
- WWAN

4 Wireless Network (cont’d)
Notes: Basic characteristics of WLAN.

5
IEEE    | Speed       | Band    | Tech           | Others
802.11  | 1 or 2 Mbps | 2.4 GHz | FHSS, DSSS, IR | Use WEP
802.11a | 54 Mbps     | 5 GHz   | FDM            | Only 6, 12, 24 Mbps support is mandatory
802.11b | 11 Mbps     |         | DSSS           | Wi-Fi
802.11g | 20~54 Mbps  |         |                | Compatible with 802.11b
Notes: Introduction to the 802.11x family.

6 Communication Mode
- Ad Hoc Mode (peer-to-peer)
- Infrastructure Mode (Access Point)
Notes: Ad hoc: stations inside the network communicate with each other directly; to communicate with the outside, one member must act as a gateway and provide routing. Infrastructure: the network is accessed through an AP.

7 Outline
Wireless Network; Wireless LAN Security; WEP; Wireless Vulnerabilities; 802.1x Authentication; IEEE 802.11i; WPA & WPA2; Related News

8 Wireless LAN Security
- Authentication
  - Open System Authentication
  - Closed System Authentication
  - Shared-key Authentication
- Confidentiality
  - WEP (Wired Equivalent Privacy)
- Integrity
  - CRC checksum

9 Wireless Network Authentication

10 Wireless Network Authentication (cont’d)
- SSID (Service Set ID)
  - An identification value programmed in the access point or group of access points to identify the local wireless subnet
  - Configure to broadcast or not
  - Do not use default SSID
Notes: When the AP is set to broadcast its SSID, any client can access the AP. Turning off the broadcast SSID feature is closed system authentication. Using the factory default value makes the SSID easy for others to guess.

11 Wireless Network Authentication (cont’d)
Open System Authentication
Notes: The beacon contains the SSID.

12 Wireless Network Authentication (cont’d)
Detect Wireless Network
Notes: Windows cannot tell identical SSIDs apart and shows only the one with the stronger signal. Other vendors' network-card management software is more capable.

13 Wireless Network Authentication (cont’d)

14 Wireless Network Authentication (cont’d)
Closed System Authentication
- Broadcast SSID set to be disabled
Notes: Sniffing can be used to detect a closed system network. The Probe Request contains the SSID; the AP allows the connection only after confirming that it is correct.

15 Wireless Network Authentication (cont’d)
Notes: Turning off broadcast SSID.

16 Wireless Network Authentication (cont’d)
Add SSID
Notes: The client must enter the SSID before it can connect.

17 Wireless Network Authentication (cont’d)

18 Wireless Network Authentication (cont’d)
Shared-key Authentication
- WEP Key
Notes: WEP is used to achieve authentication. A user must hold the same WEP key as the AP to pass identity authentication.

19 Wireless Network Authentication (cont’d)
WEP 128bit Key Setting
Notes: Configure the WEP 128-bit key: set a hexadecimal key; set a phrase.

20 Outline
Wireless Network; Wireless LAN Security; WEP; Wireless Vulnerabilities; 802.1x Authentication; IEEE 802.11i; WPA & WPA2; Related News

21 Wireless Security Systems
Timeline figure (labels: WEP, 802.1x, 802.11i, WPA, WPA2; years: 1999, 2001, 2003, 2004, 2005)
Notes: Approximate dates at which each standard was proposed. IEEE 802.11i was proposed early but only matured in 2004.

22 Wireless Network Confidentiality
WEP
- A symmetric cryptography system
- Implemented in the MAC Layer
- Key
  - 40 bits or 104 bits secret key
  - 24 bits initial vector (IV)
- Stream cipher
  - RC4 algorithm
  - XOR to encrypt and decrypt
- Optional
Notes: The IV can be regarded as a random number.

23 Wireless Network Confidentiality (cont’d)
WEP Encryption Process
Notes: WEP's encryption flow: IV + WEP shared key => RC4 => key stream.

24 Wireless Network Authentication (cont’d)
WEP Encryption
Notes: Using WEP on the client side.

25 Wireless Network Integrity
WEP Integrity
Notes: Uses a CRC checksum.

26 Outline
Wireless Network; Wireless LAN Security; WEP; Wireless Vulnerabilities; 802.1x Authentication; IEEE 802.11i; WPA & WPA2; Related News

27 Wireless Network Vulnerabilities

28 Wireless Network Vulnerabilities (cont’d)
- War driving
- Sniffing
- WEP Attack
Notes: Steps of a wireless network intrusion => war driving, sniffing, WEP attack (from Hacker Exposed). DoS, session hijacking, and other attacks will be presented by Derek; only attacks related to the characteristics of wireless networks are covered here.

29 Wireless Network Vulnerabilities (cont’d)
- War driving (War walking)
  - A laptop + wireless adapter card + tool
  - Travel via car or bus, go around sniffing for WLANs
  - Build up network names, signal strength, location, and IP
- War chalking
  - Mark the location of the vulnerable wireless network with chalk
Notes: Introduction to war driving.

30 Wireless Network Vulnerabilities (cont’d)
NetStumbler
Notes: The first step of a wireless network intrusion: gathering information.

31 Wireless Network Vulnerabilities (cont’d)
WLAN Distribution in San Francisco
Notes: Combining NetStumbler with GPS.

32 Wireless Network Vulnerabilities (cont’d)
War chalking

33 Wireless Network Vulnerabilities (cont’d)
Sniffing
- Packet analysis
- Traffic analysis
- Detail information
- AP setting
- Detect Closed Network
Notes: Sniffing tools are used to analyze packets further.

34 Wireless Network Vulnerabilities (cont’d)
Airopeek
Notes: Detailed packet information.

35 Wireless Network Vulnerabilities (cont’d)
Airopeek
Notes: Relationship graph of wireless network nodes. For APs configured with a MAC ACL (access control list), a station can still connect just by using software to change its own MAC address.

36 Wireless Network Vulnerabilities (cont’d)
Air-Jack
Notes: The SSID is obtained from Probe Request packets or from Probe Response packets. Some APs turn broadcast off; their connections are interrupted first, and the packet information is captured when the clients reconnect. Tools: air-Jack, airopeek. Besides intercepting information, MITM and DoS are also possible.

37 Wireless Network Vulnerabilities (cont’d)
WEP Attack
- Brute Force
- Key stream repetition
  - 24 bits IV is not long enough
- Dictionary Attack
  - IV is known
  - Map IV and key stream
- Optional
  - Many installations never even activate it
- Lack of a key management protocol
Notes: Describes WEP's weaknesses.

38 Wireless Network Vulnerabilities (cont’d)
WEP Encryption Process
Notes: Once enough information has been obtained, WEP's encryption flow can be broken easily.

39 Wireless Network Vulnerabilities (cont’d)
Shared Key Authentication
- Observe plain text challenge
- Observe cipher text response
- XOR plain text with cipher text to get key stream
- XOR IP packet with key stream re-using IV
- Repeated IV
Notes: Key point: the repeated-IV weakness is what gets exploited. Plaintext XOR key stream XOR plaintext = ciphertext XOR plaintext.

40 Wireless Network Vulnerabilities (cont’d)
AirSnort
Notes: An attack tool that targets WEP. It collects IVs, builds a dictionary, and cracks the WEP key.

41 Outline
Wireless Network; Wireless LAN Security; WEP; Wireless Vulnerabilities; 802.1x Authentication; IEEE 802.11i; WPA & WPA2; Related News

42 802.1x Authentication
- An authentication standard for wired and wireless LANs
- Identify users before allowing access to the network
- Per-user dynamic encryption keys
- Port-based network access control
Notes: Introduction to 802.1x.

43 802.1x Authentication (cont’d)
- EAP (Extensible Authentication Protocol)
  - An authentication protocol that supports multiple methods
- RADIUS (Remote Authentication Dial In User Service)
  - RADIUS protocol
  - RADIUS server
Notes: EAP is an authentication framework frequently used in wireless networks and point-to-point connections. RADIUS server => authentication server. To connect to an ISP from home, the user first connects to the RADIUS server over the RADIUS protocol to authenticate.

44 802.1x Authentication (cont’d)
Notes: Diagram of an enterprise deployment. Before authentication succeeds, only EAPOL traffic is allowed; normal connectivity is available only after authentication succeeds.

45 802.1x Authentication (cont’d)
Notes: A brief description of the authentication process.

46 802.1x Authentication (cont’d)
Flaws
- One way Authentication
  - Client has no explicit means to authenticate the gateway or AP
- Speed issue
- Rogue AP puts client at risk
Notes: One-way authentication cannot prevent rogue APs. The complex process slows down network access. Connecting to a rogue AP creates a data-leak problem.

47 VPN on Wireless Network
Notes: The effect is the same as on a wired network: a hacker cannot arbitrarily access the internal corporate network through the wireless network.

48 Wireless Security Scope
Notes: Introduces the concepts and scope proposed by 802.11i. TKIP => derived from WEP, still uses RC4. MIC => MAC, hash function.

49 Outline
Wireless Network; Wireless LAN Security; WEP; Wireless Vulnerabilities; 802.1x Authentication; IEEE 802.11i; WPA & WPA2; Related News

50 IEEE 802.11i
- AES block cipher
- 802.1x authentication
- RSN (Robust Security Network)
  - Dynamically negotiate the authentication and encryption algorithms between wireless clients
  - Ex: AES+802.1x
- Four-way handshake authentication
  - AP needs to authenticate itself to client (STA)
Notes: RSN introduces the idea of combinations of authentication and encryption algorithms, so that the standard is not locked into one.

51 IEEE 802.11i (cont’d)
- Four-way handshake
- Pairwise Transient Key
  - Attributes: PMK, AP nonce, STA nonce, MAC address
  - F: hash function
- Figure labels: Number used once (nonce), Message Integrity Code (MIC), Group Temporal Key (GTK)
Notes: PMK (Pairwise Master Key) => equivalent to a shared secret key. Part of the PTK is fed into a hash function to produce the MIC.

52 IEEE 802.11i (cont’d)
PTK (Pairwise Transient Key)
- KCK: The key used to compute the MIC for EAPOL-Key packets.
- KEK: The key used to encrypt the EAPOL-Key packet and GTK.
- TK: The key used to encrypt the actual wireless traffic.
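The PTK derivation and split from the two slides above, as an added example that is not part of the original deck. It assumes the 802.11i HMAC-SHA1 PRF with a 48-byte CCMP PTK and a passphrase-derived PMK (personal mode); function names, MAC addresses, nonces and the frame bytes are constructed for illustration.

```python
import hashlib, hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Personal mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """F(PMK, AP nonce, STA nonce, MAC addresses) -> KCK, KEK, TK (16 bytes each)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over an EAPOL-Key frame (MIC field zeroed): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def handshake_demo() -> dict:
    pmk = pmk_from_passphrase("password", "IEEE")
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
    anonce = hashlib.sha256(b"constructed ANonce").digest()  # stands in for a random nonce
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    ap = derive_ptk(pmk, aa, spa, anonce, snonce)    # computed by the AP
    sta = derive_ptk(pmk, aa, spa, anonce, snonce)   # computed by the STA
    msg = b"constructed EAPOL-Key message with zeroed MIC field"
    mic = eapol_key_mic(sta["KCK"], msg)
    other = derive_ptk(pmk_from_passphrase("different", "IEEE"), aa, spa, anonce, snonce)
    return {
        "keys_agree": ap == sta,
        "mic_verifies": hmac.compare_digest(mic, eapol_key_mic(ap["KCK"], msg)),
        "other_pmk_rejected": not hmac.compare_digest(mic, eapol_key_mic(other["KCK"], msg)),
    }
```

Because the MIC is keyed with the KCK, each side proves knowledge of the PMK without sending it, which is how the AP authenticates itself to the STA in the four-way handshake.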

53 IEEE 802.11i (cont’d)
Group Key Handshake
The GTK used in the network may need to be updated due to the expiry of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP.
Figure (nodes: STA, AP, STA):
1. Leaving node
2. New GTK (encrypted by PTK)
3. Acknowledge the GTK

54 Outline
Wireless Network; Wireless LAN Security; WEP; Wireless Vulnerabilities; 802.1x Authentication; IEEE 802.11i; WPA & WPA2; Related News

55 WPA (Wi-Fi Protected Access)
- Use with an 802.1X authentication server
- RC4 stream cipher
  - 128bit key and 48bit (IV)
- Temporal Key Integrity Protocol (TKIP)
  - Dynamically changes keys
- Michael algorithm is used for integrity
- Frame counter
  - Prevents replay attacks
- AP sold before 2003 generally needed to be replaced
Notes: When WPA was proposed, 802.11i was not yet fully mature. WPA is an implementation of 802.11i. Enterprise mode: each shared key is dynamic. Personal mode: everyone uses the same PSK.

56 Wireless Network Authentication (cont’d)
WPA 256bit Key Setting
Notes: Using WPA on the AP side.

57 WPA (cont’d)
Notes: Using WPA on the client side.

58 WPA (cont’d)
Notes: Implements the concepts of 802.11i.

59 WPA (cont’d)
Notes: A WPA-related crack tool.

60 WPA2
- WPA2 is the certified form of IEEE 802.11i tested by the Wi-Fi Alliance
- Michael algorithm => CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
- RC4 is replaced by AES
- Official support for WPA2 in Microsoft Windows XP was rolled out on the 1st of May 2005
Notes: A more mature implementation of 802.11i.

61 WPA2 (cont’d)
- Pre-authentication
  - Allows a client to pre-authenticate with the access point toward which it is moving

62 WPA2 (cont’d)

63 WPA2 (cont’d)
Notes: A possible architecture diagram.

64 Outline
Wireless Network; Wireless LAN Security; WEP; Wireless Vulnerabilities; 802.1x Authentication; IEEE 802.11i; WPA & WPA2; Related News

65 Related News
26/01/2005

66 Related News (cont’d)
26/01/2005

67 Related News (cont’d)

68 Q & A

69 Thanks for listening

