Advanced Network Security WiFi security Harald Vranken 1
Agenda • WiFi security • WEP • WPA(2) • WPA3 2
WiFi • IEEE 802.11 standard – Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications – original version 1997; latest version 2016 – ~3500 pages! • Some terminology: – Station (STA) is a device with WiFi capability – Access Point (AP) is a station that other stations can connect to to get access to a network, also referred to as authenticator – Supplicant, used to indicate the client when authenticating – SSID (Service Set Identifier) is the name of the network – MIC: Message Integrity Check (is in fact Message Authentication Code (MAC), but prevents confusion with MAC addresses) 3
WiFi security • Open networks • Security – Wireless Equivalent Privacy (WEP, 1999) – WiFi Protected Access (WPA, 2003) • Hidden networks and MAC address whitelists – Does not provide real security • WPA certification by the WiFi Alliance 4
WiFi security • Security of public WiFi hotspots across the world (2016) Source: https://securelist.com/research-on-unsecured-wi-fi-networks-across-the-world/76733/ 5
Open network security • No encryption of traffic – Also used for public hotspots with captive portal – Attacker can eavesdrop on all network traffic • Typically anyone can connect to the network – Possible to filter based on MAC address, but can easily be spoofed 6
Open network security • Evil twin attack – Malicious access point pretends to be a preferred network of user – When user connects, attacker can sniff all traffic and act as man-in-the-middle • KARMA: special case of evil twin attack – Vulnerable client devices broadcast ‘preferred network list’ (PNL), containing SSIDs of access points to which client has previously connected – Malicious access point receives PNL and takes an SSID from PNL Dai Zovi, D. A., & Macaulay, S. A. (2005). Attacking Automatic Wireless Network Selection Proceedings from the 6th Annual IEEE SMC Information Assurance Workshop, p. 365–372 7
WEP security Authentication Data encryption • 4-step challenge–response handshake – Rivest Cipher 4 (RC4) stream cipher between client and access point – preshared WEP key • preshared WEP key 8
WEP security • Secret keys can be cracked in a few minutes using a basic laptop computer • Security is easy to crack and about as good as an open network • Stop using it! A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP) by A. Stubbleleld, J. Ioannidis, and A. D. Rubin ACM Trans. Inf. Syst. Security, vol. 7, no. 2, pp. 319–332, May 2004 Breaking 104 bit WEP in less than 60 seconds by E. Tews, R.-P. Weinmann, and A. Pyshkin Information Security Applications, Lecture Notes in Computer Science, vol. 4867, pp. 188–202, 2007 9
WPA(2) security: authentication • WPA(2) personal Authentication – Personal network WPA Personal PSK – Pre-shared key (PSK) WPA Enterprise 802.1x WPA2 Personal PSK • WPA(2) Enterprise WPA2 Enterprise 802.1x – Enterprise network – Authentication server – IEEE 802.1x authentication using Extensible Authentication Protocol (EAP) 10
WPA(2) security: data confidentiality Confidentiality WPA Personal TKIP • Temporary Key Integrity Protocol (TKIP) WPA Enterprise TKIP – As WEP, based on RC4 stream cipher WPA2 Personal CCMP – Also included in WPA2 for backwards compatibility WPA2 Enterprise CCMP – Deprecated in IEEE 802.11 standard – Known to have biases that can be exploited to break it – Possible to inject and decrypt packets – Attack only takes about an hour, relies on generation of identical packets All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS by Mathy Vanhoef and Frank Piessens, Usenix Security 2015 • Counter Mode Cipher-Block Chaining Message Authentication Code Protocol (CCMP) – Most widely-used – Based on AES CCMP/ GCMP • Galois/Counter Mode Protocol (GCMP) encryption – Being rolled out (WiGig) Construct CCMP/GCMP header 11
WPA(2) Authentication Confidentiality WPA Personal PSK TKIP WPA Enterprise 802.1x TKIP WPA2 Personal PSK CCMP WPA2 Enterprise 802.1x CCMP 12
WiFi connection phases • Discovery Probe request – Find nearby networks Probe response (security parameters) – Networks announce capabilities Authentication request • Authentication Authentication response – Typically ‘Open’ (designed for WEP) Association request(security parameters) • (Re)Association Association response – Cipher suites 802.1x authentication – Agreement on security algorithms 4-way handshake • Optional: 802.1x authentication Data • Optional: 4-way handshake – Mutual authentication • Data exchange 13
Keys • PMK (Pairwise Master Key): secret key shared between client and access point • PTK (Pairwise Transient Key): concatenation of the following session keys – KCK (Key Confirmation Key): used for message authentication in 4-way handshake – KEK (Key Encryption Key): used for encryption of keys – TK (Temporal Key): key used for confidentiality and integrity of the data • GMK (Group Master Key): optional key used to derive GTK • GTK (Group Temporal Key): key shared between all connected clients and access point, used for broadcast and multicast traffic 14
WPA(2) Personal Probe request Probe response (security parameters) • Uses pre-shared key (PSK) for authentication Authentication request • Can be derived from an ASCII password Authentication response using a key derivation function (KDF) Association request(security parameters) – PSK = KDF(password, SSID) Association response 802.1x authentication ANonce, MAC address A, SSID 4-way handshake SNonce, MAC address S KCK Data PSK/PMK PTK KEK Password KDF PRF TK 4-way handshake • ‘Open’ method used in authentication phase • Actual authentication takes place in the 4-way handshake • PSK used directly as PMK in the 4-way handshake 15
ANonce, MAC address A, WPA(2) Personal: Attacks SSID SNonce, MAC address S KCK PSK/PMK PTK KEK Password KDF PRF • Passive attacker can TK 1. obtain SSID, MAC addresses, nonces 4-way handshake 2. perform offline brute-force attack on password (eg. dictionary attack or rainbow table attack) 3. obtain PSK • Often WPA(2) password is shared, eg. in coffee bars or restaurants... • What can an attacker do once the PSK is known? – Connect to the network – Eavesdrop on other users, if 4-way handshake is observed (can be enforced by sending a deauthentication message to the client and access point) 16
WPA(2) Enterprise • Not always convenient (or secure) to share one key/password with all users • Re-use existing credentials – Usernames and passwords – Certificates • Authentication using IEEE 802.1x – Eg. used in eduroam 17
IEEE 802.1x • Extensible Authentication Protocol (EAP) over LAN (EAPOL) • Actual authentication done by authentication server – Typically a RADIUS server (Remote Authentication Dial-In User Service) • PMK provided by authentication server to client and access point • Common EAP (inner authentication) methods used EAPOL/RADIUS – TLS (Transport Layer Security) EAP – PEAP (Protected Extensible Authentication Protocol) – TTLS (Tunnelled TLS) TLS Authentication server Supplicant (client) Authenticator (AP) EAP inner (Identity provider) authentication method EAPOL RADIUS 18
EAP-TLS (Transport Layer Security) • Mutual authentication between client and authentication server via TLS using certificates • Key management difficult – All users need a public key pair and corresponding certificate • Important to properly check certificates Authentication server Supplicant (client) Authenticator (AP) (Identity provider) EAPOL RADIUS 19
EAP-PEAP (Protected Extensible Authentication Protocol) Anonymous identity (if configured) 802.11 Association EAP request: Identity EAP response: Identity RADIUS Access request: identity EAP Start: EAP-PEAP RADIUS Start: EAP-PEAP Authentication and key exchange inside TLS tunnel EAP Success RADIUS Access accepted: key material 4-way handshake 20
EAP-PEAP (Protected Extensible Authentication Protocol) • TLS tunnel between client and authentication server – Typically only server authentication • Provides a protection layer for legacy EAP methods (inner authentication method) – In particular MS-CHAPv2 (Microsoft Challenge-Handshake Authentication Protocol v2) (mutual authentication using username/password combination) • Again, important to check certificate 21
EAP-TTLS (Tunnelled TLS) • Similar to PEAP – provide a TLS tunnel to use legacy authentication methods (inner authentication method) • More flexible and allows for more authentication methods – Not only ones that have EAP support – Eg. PAP (Password Authentication Protocol) and MS-CHAPv2 • Once again, important to verify certificates 22
eduroam • Enables users to roam between participating institutes – RFC 7593 ‘The eduroam Architecture for Network Roaming’ • Authentication – 801.2x authentication – Users authenticate with the login data of their home institutes – Federated authentication: authentication delegated to home institute – Routing based on domain (eg. ru.nl in anonymous@ru.nl) • EAP messages forwarded to home institution’s RADIUS server • Similar system for governments: govroam 23
Recommend
More recommend