wifi security
play

WiFi security Joeri de Ruiter Agenda WiFi security WPA(2) - PowerPoint PPT Presentation

Advanced Network Security WiFi security Joeri de Ruiter Agenda WiFi security WPA(2) Personal Enterprise WPA3 Key reinstallaton aaacas 2 WiFi IEEE 802.11 standard Some terminology: Staton (STA) is a


  1. Advanced Network Security WiFi security Joeri de Ruiter

  2. Agenda ● WiFi security ● WPA(2) Personal ● Enterprise ● ● WPA3 ● Key reinstallaton aaacas 2

  3. WiFi IEEE 802.11 standard ● Some terminology: ● Staton (STA) is a device sith WiFi capability ● Access Point (AP) is a staton that other statons can connect to to get access to a ● netsora, also referred to as authentcator Supplicant, used to indicate the client shen authentcatng ● SSID (Service Set Identfer) is the name of the netsora ● MIC: Message Integrity Checa ● Prevents confusion sith MAC (Media Access Control) addresses – 3

  4. WiFi security Open netsoras ● Wireless Equivalent Privacy (WEP) ● WiFi Protected Access (WPA) ● Personal ● Enterprise ● Hidden netsoras and MAC address shitelists ● Does not provide real security ● 4

  5. WiFi security 5

  6. Open netsora security No encrypton on the trafc ● Also used for public hotspots sith captve portal ● Possible for an aaacaer to eavesdrop on all netsora trafc ● Typically anyone can connect to the netsora ● Possible to flter based on MAC address, but can easily be spoofed ● Evil tsin aaacas: a malicious access point pretend to be a preferred netsora ● of the user User sill connect to the aaacaer’s netsora, putng the aaacaer in a man-in-the- ● middle positon KARMA: special case of the evil tsin aaaca ● Observe probe requests by clients and pretend to be that netsora ● 6

  7. WEP security ● Cryptographic algorithm based on RC4 used to protect data trafc ● Broaen since a long tme ● Easy to craca and about as good as an open netsora ● Stop using it! 7

  8. WPA(2) security Data confdentality algorithms ● Temporary Key Integrity Protocol (TKIP) ● Uses same hardsare as WEP – Also included in WPA2 for bacasards compatbility – Counter Mode sith CBC-MAC Protocol (CCMP) ● Based on AES – Authentcaton methods Encrypton Authentcaton ● Pre-shared aey (PSK) WPA Personal TKIP PSK ● IEEE 802.1x authentcaton WPA Enterprise TKIP 802.1x ● Uses Extensible Authentcaton Protocol (EAP) – WPA2 Personal CCMP PSK WPA2 Enterprise CCMP 802.1x 8

  9. TKIP security ● Deprecated in the IEEE 802.11 standard ● Based on the RC4 stream cipher Knosn to have biases that can be exploited to breaa it ● ● Possible to inject and decrypt pacaets 1 Only taaes about an hour to perform the aaaca ● Relies on the generaton of identcal pacaets ● 1 All Your Biases Belong To Us: Breaaing RC4 in WPA-TKIP and TLS by Mathy Vanhoef and Frana Piessens, Usenix Security 2015 9

  10. Key hierarchy Pairsise master aey (PMK): secret aey shared betseen the client and access ● point Pairsise transient aey (PTK): a concatenaton of the follosing session aeys ● Key Confrmaton Key (KCK): used for message authentcaton in 4-say handshaae – Key Encrypton Key (KEK): used for encrypton of aeys – Temporal Key (TK): aey used for confdentality and integrity of the data – Group master aey (GMK): optonal aey used to derive GTK ● Group temporal aey (GTK): aey shared betseen all connected clients and ● the access point – Used for broadcast and multcast trafc 10

  11. WiFi connecton phases ● Discovery Find nearby netsoras ● Probe request Netsoras announce capabilites ● Probe response(security parameters) ● Authentcaton Authentcaton request Typically “Open” Authentcaton response ● ● (Re)Associaton Associaton request(security parameters) Associaton response Agreement on security algorithms ● ● Optonal: 802.1x authentcaton 802.1x authentcaton 4-say handshaae ● Optonal: 4-say handshaae Data ● Data exchange 11

  12. 4-say handshaae Based on a shared secret PMK ● Can be the pre-shared aey or the output of the 802.1x authentcaton ● Mutual authentcaton of user and access point ● Verify shether both anos PMK ● Also used for negotaton of fresh aeys ● Negotaton of Pairsise Transient Key (PTK) ● If a MIC (Message Integrity Code) is included, it is computed using the Key ● Confrmaton Key (KCK) If a aey is included, it is encrypted using the Key Encrypton Key (KEK) ● 12

  13. 4-say handshaae (simplifed) Supplicant Authentcator ANonce Derive PTK SNonce, MIC Derive PTK ANonce, MIC, Enc KEK (GTK) MIC Install PTK and GTK Install PTK Encrypted data frames 13

  14. Key derivaton ANonce, MAC address A, SNonce, MAC address S KCK PTK PMK PRF KEK TK PRF (pseudo-random functon) is typically a SHA-based HMAC ● PTK is split into the KCK, the KEK and the TK ● 14

  15. WPA(2) Personal Uses pre-shared aey (PSK) for authentcaton ● Can be derived from an ASCII passsord using a aey derivaton functon ● (KDF): PSK = KDF(passsord, SSID) “Open” method used in the authentcaton phase ● Actual authentcaton taaes place in the 4-say handshaae ● PSK used directly as PMK in the 4-say handshaae ● 15

  16. WPA(2) Personal – Key derivaton ANonce, MAC address A, SSID SNonce, MAC address S KCK PTK PSK / PMK Passsord KDF PRF KEK TK 4-say handshaae Key derivaton for authentcaton based on passsord 16

  17. WPA(2) Personal - Aaacas Which informaton is available to a passive aaacaer that observes a ● successful connecton including the 4-say handshaae? SSID, MAC addresses, nonces ● Enough informaton to perform ofine brute-force aaacas ● For example, dictonary aaacas or rainbos table aaacas ● What is the problem sith rainbos tables? ● What can an aaacaer do once the PSK is anosn? ● Connect to the netsora ● Eavesdrop on other users ● If 4-say handshaae is observed, shich might be possible to force by sending a – deauthentcaton message to the client and access point Ofen WPA passsord is shared, for example, in cofee bars or restaurants... ● 17

  18. WPA(2) Enterprise ● Not alsays convenient (or secure) to share one aey/passsord sith all users ● Re-use existng credentals Usernames and passsords ● Certfcates ● ● Authentcaton using IEEE 802.1x ● For example, used in eduroam 18

  19. IEEE 802.1x ● Extensible Authentcaton Protocol (EAP) over LAN (EAPOL) ● Actual authentcaton done by authentcaton server Typically a RADIUS server (Remote Authentcaton Dial-In User ● Service) Anonymous identty used to select RADIUS server ● ● Common EAP methods used TLS ● PEAP ● TTLS ● ● Key provided by the authentcaton server to the client and access point 19

  20. EAP: TLS Mutual authentcaton betseen user and authentcaton server via TLS using ● certfcates Key management difcult ● All users need a public aey pair and corresponding certfcate ● Important to properly checa certfcates ● 20

  21. EAP: PEAP Protected Extensible Authentcaton Protocol (PEAP) ● Provides a protecton layer for legacy EAP methods (inner authentcaton ● method) In partcular MS-CHAPv2 ● TLS tunnel betseen user and authentcaton server ● Typically only server authentcaton ● MS-CHAPv2 can be used to authentcate using username/passsord ● combinaton Again, important to checa certfcate ● 21

  22. EAP: TTLS Tunnelled TLS (TTLS) ● Similar to PEAP: provide a TLS tunnel to use legacy authentcaton methods ● (inner authentcaton method) More fexible and alloss for more authentcaton methods ● Not only ones that have EAP support ● Once again, important to verify certfcates ● 22

  23. EAP-PEAP Authentcaton server Supplicant (RADIUS) Authentcator Anonymous identty (if confgured) 802.11 Associaton EAP: request identty EAP: identty RADIUS: Access request, identty EAP: Start EAP-PEAP RADIUS: Start EAP-PEAP Authentcaton and aey exchange inside TLS tunnel EAP: Success RADIUS: Access accepted, aey material 4-say handshaae 23

  24. eduroam Alloss users from one insttute to use the sireless netsora at another ● insttute Uses 801.2x authentcaton ● Explained in RFC 7593 ● Federated authentcaton: authentcaton delegated to home insttuton ● Routng based on domain (e.g. ru.nl in anonymous@ru.nl) ● EAP messages forsarded to home insttuton’s RADIUS server ● Similar system for governments: govroam ● 24

  25. eduroam hierarchy Confederaton top-level RADIUS Server (TLR) ● E.g. Europe or Asia and Pacifc region ● Federaton-Level RADIUS servers (FLRs) ● E.g. SURF for .nl ● Identty provider (IdP) ● E.g. Radboud University for ru.nl ● 25

  26. eduroam Source: haps:/ /sss.bsc.es/marenostrum/access-to-eduroam 26

  27. Issues sith PEAP and TTLS ● Who uses eduroam? ● Who confgured an anonymous identty? ● Who confgured a CA? ● Who confgured a hostname for the RADIUS server? 27

  28. Issues sith PEAP and TTLS If no anonymous identty is confgured, you are sending your real username in ● plaintext Most inner authentcaton methods are broaen ● MSCHAPv2 can easily be cracaed ● PAP (Passsord Authentcaton Protocol): plaintext username/passsord ● But this inner authentcaton is protected using a TLS tunnel, right? ● Hos do you checa the certfcate? ● 28

Recommend


More recommend