What are some basic facts of IEEE 802.11?
- Developed in 1997
- Speed up to 1,3 Gbit/s
- 2.4 and 5 GHz
- 3 modes: infrastructure, ad-hoc and mesh
What are some basic facts on WEP?
- Wired Equivalent Privacy (WEP)
- Optional Access Control
- Confidentiality: Encryption on MAC layer
- Integrity protection between mobile device and access point
- All security mechanisms totally broken and serious design flaws
What are the design flaws of WEP?
- Same key for all mobile devices in the network
- Same key for integrity protection, encryption and authentication
- No protection against replay attacks
How is user authentication done in WEP?
Optional:
Shared Key Authentication:
- AP generates 128 bit RAND
- Mobile device chooses initialization vector IV
- Computes stream cipher RC4( IV k) and performs xor with RAND
- Sends IV, Encrypted RAND back
How can the user authentication be attacked in WEP?
- Capture one handshake:
- Attacker knows RAND and response and can extract the keystream for the given IV
- Attacker uses the same IV for authentication and XORs with the new RAND
How is encryption and integrity protection done in WEP?
Shared secret k: 40-104 bit
IV: 24 bit
Key K = RC4( IV || k)
Integrity protection:
- Calculate CRC on Message and append
Encryption:
- XOR Message and CRC with K
- IV attached
Why is the integrity protection broken in WEP?
- Uses CRC-32, which is linear in respect to xor:
- Attacker can XOR message M:
M xor D || ICV(M) xor ICV(D) - CRC-32 is correct and receiver cannot detect modification
What is a known plaintext attack against WEP encryption?
- Retrieve Keystream from Message: M xor RC4(IV,k) xor M = RC4(K)
- Wait for IV to repeat and decrypt message
What is the problem with RC4 usage in WEP?
- IV are to small
- Reuse happens very often
- Shared secret k can be recovered using Fluhrer at. al. attack
What is specified in 802.11i?
WLAN security
pre-RSNA:
- WEP
RSNA:
- New AKA
- TKIP (WPA)
- CCMP (WPA2)
What is RSNA in the context of WLAN?
- Robust Security Network Association
- Standard included in 802.11i
- Include WPA and WPA2
- Defines common authentication and access control
- Pre-shared key or EAP authentication
What is difference between WPA and WPA2?
WPA = Wifi-Protected Access
WPA:
- TKIP: Still uses RC4 with wrapper
- Network cards could get patched from WEP
WPA2:
- CCMP: AES based encryption
What is access control realized in 802.11i?
- Port based access control
- Supplicant requests access to services
- If supplicant is not yet authenticated, authenticator blocks all traffic not directed to authentication server
Small networks:
- PSK: pre-shared key
- Authentication using 4-way handshake
- MD and AP agree on PMK (Pairwise Master Key)
Enterprise networks:
- MD and authentication server share credentials
- Authenticate each other and generate PMK
- Auth. server sends PMK to AP
- AP and MD do 4-way handshake
How is the PMK generated in small networks vs. in enterprise networks in 802.11i?
Pairwise Master Key (PMK)
Small networks: PMK = PSK
Enterprise: Generated by authentication server with the help of EAP
What is the result of the 4-way handshake in 802.11i?
The Pairwise Transient Key (PTK) is generated and exchanged
What keys are generated from PTK in 802.11i?
- Key Confirmation Key (KCK)
- Key Encryption Key (KEK)
- Transient Key (TK)
What is the 4-way handshake in 802.11i?
- AP and MD have PMK (Ether PSK or via EAP)
1. AP sends ANonce - MD calculates PTK = HMAC_PMK( ANonce, SNonce, Sup. MAC, AP MAC)
2. MD sends SNonce, MDs IE and Message Integrity Code (MIC) based on KCK - AP calculates PTK
3. AP sends ANonce, APs IE and MIC
4. MD acknowledges with MIC
What is EAP?
Extensible Authentication Protocol (EAP):
- Framework for authentication
- Can run directly on data link layer
- 4 message types: Request, Response, Success, Failure
- After initial identification, MD and auth. server exchange messages
- Different authentication methods possible
What are some EAP methods?
EAP-AKA: Based on USIM
EAP-TLS: Based on private/public key
EAP-TTLS: Based on username/ password
EAP-GPSK: Based on pre-shared key
What is TKIP in WLAN?
- Wrapper around WEP (Firmware update)
- RC4 based
- IV 48 bit
- Upper 32 bit used for per-packet key
- Lower 16 bit + dummy byte used for RC4
- 20 bit MIC using Michael algorithm
- Still keystream recovery possible
What is CCMP in WLAN?
Counter Mode CBC MAC Protocol (CCMP):
- Integrity: CBC MAC
- Encryption: Counter Mode 128-bit AES
How is the security algorithm negotiated in 802.11i?
- Negotiation over:
Pre-RSNA/ RNSA, TKIP/ CCMP, EAP/ PSK, which EAP method? - AP and MD exchange capabilities in RSNA IE’s
- AP send capabilities on Probe response
- MD sends IE in association request
- Repeated on 4-way handshake
How is mobility handled in 802.11i?
- New authentication with each AP
- Pre-authentication: MD initiates pre-authentication with new AP via old AP
- Use cached PMK: Check if key-id already exists
What are known attacks against WPA/WPA2?
- Bidding down to WEP: Pretend network only supports pre-RSNA in IE
- Reflection attack: If MD is supplicant and authenticator, replay messages
- RSN IE poisoning: Modify one AP IE, so later in the handshake it is rejected
- PSK Cracking: Capture handshake, use dictionary attack to crack PSK, by calculating KCK from PSK and verify with MIC on messages
- Key re-installation attack: Repeat second handshake message to reset CTR counter to 0
- User tracking with MAC address
- Evil twin attack
-
Chapter 1- Introduction3
-
Chapter 2 - GSM19
-
Chapter 3 - UMTS18
-
Chapter 4 - LTE16
-
Chapter 5 - 5G9
-
Chapter 6 - WLAN29
-
Chapter 7 - EAP7
-
Chapter 8 - Bluetooth22
-
Chapter 9 - Example for an Algebraic Attack on a Symmetric Stream Cipher2
-
Chapter 10 - CBC Mode padding oracle4
-
Chapter 11 - Bleichenbacher and Return of the Bleichenbacher Oracle Threat1
-
Chapter 12 - Practical Problems with DH3
-
Chapter 13 - Routing Security3
