Advanced Network Security (2019-2020) WiFi security Harald Vranken 1
Agenda • Introduction to WiFi • Open WiFi networks • Home WiFi network • IEEE 802.11 – WEP – WPA/WPA2/WPA3 Personal/Enterprise – Eduroam – Attacks 2
Introduction to WiFi • IEEE 802.11 standard – Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications – Original version 1997; latest version 2016 (~3500 pages!) • Numerous amendments, eg. 802.11i Medium Access Control (MAC) Security Enhancements • Security certification programs by WiFi Alliance, eg. WPA2 and WPA3 – ensure that Wi-Fi products from multiple manufacturers work well together • Some terminology: – Station (STA): device with WiFi capability – Access Point (AP): station that other stations can connect to to get access to a network (also referred to as authenticator) – Supplicant: indicates client when authenticating – SSID (Service Set Identifier): name of the network – MIC (Message Integrity Check): is Message Authentication Code (MAC); to prevent confusion with Medium Access Control (MAC) 3
WiFi security Security of public WiFi hotspots across the world (2016) • Open access • Protected access – Wireless Equivalent Privacy (WEP) – WiFi Protected Access (WPA/WPA2/WPA3) Source: https://securelist.com/research-on-unsecured-wi-fi-networks-across-the-world/76733/ 4
Open networks • Public hotspots for free WiFi – May provide captive portal – May use pre-shared key (PSK) o PSK is announced publically (on paper/wall/…) o PSK is used in "4-way handshake" to derive encryption keys for bulk wireless data • No encryption of traffic – Attacker can eavesdrop on all network traffic – Also in case of PSK, because o PSK is known by everyone o Attacker can eavesdrop on 4-way handshake and derive encryption keys o In case attacker missed 4-way handshake, a forged "deauthenticate" can be issued that will cause client and AP to redo 4-way handshake 5
Open networks • New in WPA3 (2018): Opportunistic Wireless Encryption (OWE) – Specified in RFC 8110 – Intended to make eavesdropping a bit harder in public networks (open or with PSK) – Client and AP perform Diffie-Hellman key exchange to obtain shared key (instead of PSK) – Provides data encryption (but no authentication) 6
Open networks • Broken access control measures – Hidden network (security by obscurity; access requires knowing SSID) o Access point continuously sends beacon packets; may hide by not including SSID o Easy to eavesdrop on clients that have SSID (not only when client actually connects to network; client also constantly sends connection requests to ‘saved networks’ in order to improve connectivity) – Filter based on whitelist of MAC addresses o Client can easily spoof its MAC address 7
Open networks • Evil twin attack – Malicious access point pretends to be a preferred network of user – When user connects, attacker can sniff all traffic and act as man-in-the-middle • KARMA: special case of evil twin attack – Vulnerable client devices broadcast ‘preferred network list’ (PNL) containing SSIDs of access points to which client has previously connected – Malicious access point receives PNL and takes an SSID from PNL Dai Zovi, D. A., & Macaulay, S. A. (2005). Attacking Automatic Wireless Network Selection Proceedings from the 6th Annual IEEE SMC Information Assurance Workshop, p. 365–372 • OWE offers no protection against evil twin attack 8
Wireless home network • WPS (Wi-Fi Protected Setup) – security specification certified by WiFi Alliance to create a secure wireless home network • Connect wireless device to AP by entering PIN on device – easily retrieved by brute-force attack due to vulnerabilities in WPS protocol • In case attacker has physical access to AP – PIN is written on AP – Connect wireless device to AP by pushing (virtual) button on device and AP 9
IEEE 802.11-1999 • WEP (Wired Equivalent Privacy) Authentication Data encryption • 4-step challenge–response handshake – Rivest Cipher 4 (RC4) stream cipher between client and access point – preshared WEP key • preshared WEP key 10
WEP security • Secret keys can be cracked in a few minutes using a basic laptop computer • Security is easy to crack and about as good as an open network • Stop using it! A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP) by A. Stubblefield, J. Ioannidis, and A. D. Rubin ACM Trans. Inf. Syst. Security, vol. 7, no. 2, pp. 319–332, May 2004 Breaking 104 bit WEP in less than 60 seconds by E. Tews, R.-P. Weinmann, and A. Pyshkin Information Security Applications, Lecture Notes in Computer Science, vol. 4867, pp. 188–202, 2007 11
IEEE 802.11-2016 • Establishment Probe request – Discovery: find nearby networks by Probe response (security parameters) monitoring beacons or active probing Authentication request – Authentication: typically ‘Open’ Authentication response (included for WEP) Association request(security parameters) – Association: agreement on cipher suites Association response and security algorithms 802.1x EAP authentication • Optional: 802.1x EAP authentication 4-way handshake – Mutual authentication using EAP Data (Extensible Authentication Protocol) – Generation of PMK (shared secret key) • Optional: 4-way handshake – Confirmation that PMK is known – Exchange of session keys • Data exchange 12
WPA (WiFi Protected Access) Certified by WiFi Alliance • WPA (2003): based on subset of IEEE 802.11i draft • WPA2 (2004): based on IEEE 802.11i std. – Uses AES instead of RC4 and provides stronger authentication • WPA3 (WiFi Alliance, 2018): – Prevents eavesdropping and forging of unicast management action frames; prevents forging of multicast management action frames – Stronger cryptography (192-bit mode) o Authenticated encryption: 256-bit Galois/Counter Mode Protocol (GCMP-256) o Key derivation and confirmation: HMAC-SHA384 o Key establishment and authentication: Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve 13
WPA security: data confidentiality Confidentiality Personal/Enterprise WPA TKIP • TKIP (Temporary Key Integrity Protocol) WPA2 CCMP – As WEP, based on RC4 stream cipher WPA3 GCMP – Also included in WPA2 for backwards compatibility – Deprecated in IEEE 802.11-2016 standard – Known to have biases that can be exploited to break it – Possible to inject and decrypt packets – Attack only takes about an hour, relies on generation of identical packets All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS by Mathy Vanhoef and Frank Piessens, Usenix Security 2015 • CCMP (Counter Mode – Cipher Block Chaining Message Authentication Code Protocol) – Most widely-used – Based on AES CCMP/ GCMP • GCMP (Galois/Counter Mode Protocol) encryption – Being rolled out (WiGig) Construct CCMP/GCMP header 14
Authentication Personal Enterprise WPA security: authentication WPA PSK 802.1x • WPA personal WPA2 PSK 802.1x – Personal network WPA3 SAE 802.1x – WPA/WPA2: Pre-shared key (PSK) – WPA3: Simultaneous Authentication of Equals (SAE) • WPA Enterprise – Enterprise network – IEEE 802.1x authentication using Extensible Authentication Protocol (EAP) and Authentication server 15
‘Open’ method in authentication phase PSK (WPA/WPA2 Personal) • Authentication takes place in 4-way handshake • Uses pre-shared key (PSK) for authentication • PSK used directly as PMK in 4-way handshake Probe request Supplicant/station Authenticator/AP Probe response (security parameters) Authentication request ANonce Authentication response Association request(security parameters) Derive PTK SNonce, MIC Association response 802.1x EAP authentication Derive PTK ANonce, MIC, Enc KEK (GTK) 4-way handshake MIC Data Install PTK Install PTK Encrypted data frames 16
Supplicant/station Authenticator/AP Keys and 4-way handshake • Before starting 4-way handshake, client and ANonce access point share secret key PMK (Pairwise Master Key) Derive PTK • During 4-way handshake, client and access point SNonce, MIC derive a fresh session key PTK (Pairwise Transient Key) Derive PTK – Derived from PMK, ANonce, SNonce, ANonce, MIC, Enc KEK (GTK) and MAC addresses of client and access point MIC – Split into Install PTK Install PTK o KCK (Key Confirmation Key): for generating MIC Encrypted data frames o KEK (Key Encryption Key): for encryption of keys o TK (Temporal Key): for data confidentiality and integrity • Also group keys – GMK (Group Master Key) – GTK (Group Temporal Key): shared between all connected clients and access point, used for broadcast and multicast traffic 17
PSK attack • PMK is derived from an ASCII password using a key derivation function (KDF): PMK = KDF(password, SSID) • Passive attacker can 1. obtain SSID, MAC addresses, nonces, MIC (HMAC using KCK) 2. perform offline brute-force attack on password (eg. dictionary attack or rainbow table attack) 3. obtain PMK and PTK • Often password is shared, eg. in coffee bars or restaurants... • What can an attacker do once the PSK is known? – Connect to the network ANonce, SNonce, SSID MAC addresses – Eavesdrop on other users KCK PSK/PMK PTK KEK Password KDF PRF TK 4-way handshake 18
Recommend
More recommend