WNP-MPR-Sec 1 Wireless Networks and Protocols MAP-TELE Jaime Dias, Manuel Ricardo Faculdade de Engenharia da Universidade do Porto
WNP-MPR-Sec 2 Topics Scheduled for Today … ♦ Authentication and access control » Security – basic concepts » WLAN » 3GPP networks: GSM, GPRS, UMTS
WNP-MPR-Sec 3 SECURITY - BASIC CONCEPTS
WNP-MPR-Sec 4 Symmetric Cryptography ♦ Ex: RC4, AES 4
WNP-MPR-Sec 5 Digest/Hash ♦ Input » variable length message ♦ Output » a fixed-length bit string (the hash) ♦ Used to guarantee message integrity and source identification ♦ Ex: MD5, SHA1 5
WNP-MPR-Sec 6 Public Key Cryptography – Confidenciality 6
WNP-MPR-Sec 7 Public Key Cryptography - Authentication (digital signature) 7
WNP-MPR-Sec 8 Public Key Distribution Problem Ataque MIM: (8) Kpriv Alice [Kpub Alice [“Logo pelas 19h”]]=“ Logo pelas 19h ” (3) “ Logo pelas 20h ” (1) Kpub Alice (2) Kpub Carol Alice Carol Bob (7) Kpub Alice [“Logo pelas 19h”] (4) Kpub Carol [“Logo pelas 20h”] (5) Kpriv Carol [Kpub Carol [“Logo pelas 20h”]]=“ Logo pelas 20h ” (6) “ Logo pelas 20h ” è “ Logo pelas 19h ” O que a Alice julga ter acontecido: (4) Kpriv Alice [Kpub Alice [“Logo pelas 19h”]]=“ Logo pelas 19h ” (2) “ Logo pelas 19h ” (1) Kpub Alice Alice Bob (3) Kpub Alice [“ Logo pelas 19h ”] 8
WNP-MPR-Sec 9 Certification Authority 9
WNP-MPR-Sec 10 SSL/TLS ♦ SSL (Secure Socket Layer) – Developed by Netscape ♦ TLS 1.x (Transport Layer Security) – IETF ♦ Transparent to application protocols ♦ Server/client can authenticate using certificates ♦ But, due to certificate costs » Servers è authenticated by certificates » Clients è authenticated at the application layer (e.g. passwords) 10
WNP-MPR-Sec 11 SSL/TLS – Typical Procedure Client: » connects to a TLS-enabled server requesting secure connection presents a list of supported CipherSuites (ciphers, hash functions) » Server: » picks the strongest CipherSuite; notifies the client about the decision Server: » sends back its identification as a Digital Certificate » Certificate: [server name, server's public encryption key , trusted certificate authority (CA)] Client: » Contacts CA and verifies if certificate is authentic Client: » encrypts a random number (RN) with the server's public key (PbK) » sends it to server Server » Decrypts RN using its private key (PvK) Client Server: generate key material for encryption/decryption Client: authenticates near the server
WNP-MPR-Sec 12 802.11 SECURITY
WNP-MPR-Sec 13 802.11 Security ♦ “Minimum” security WEP (Wired Equivalent Privacy) ♦ Station authentication » Open mode è no authentication » Shared Mode – AP sends challenge è station returns the challenge encrypted with the WEP key ♦ Confidentiality è frames are encrypted with RC4 ♦ Integrity è CRC32 13
WNP-MPR-Sec 14 WEP - Encryption IV WEP Key SDU ICV WEP PRNG (crc32) (RC4) XOR Header IV Cryptogram FCS Frame 802.11 Keystream 14
WNP-MPR-Sec 15 WEP - Decryption IV WEP Key SDU ICV WEP PRNG (RC4) XOR Check values ICV Header IV Cryptogram FCS Frame 802.11 Keystream 15
WNP-MPR-Sec 16 WEP Vulnerabilities ♦ Same IV and WEP key same keystream » IV too short (24 bits) » No mechanism for WEP key update ♦ Same keystream: » SDU2 ⊕ SDU1 = cryptogram1 ⊕ cryptogram2 » If SDU1 is known (ICMP, TCP ack, …) then » SDU2 = cryptogram1 ⊕ cryptogram2 ⊕ SDU1 16
WNP-MPR-Sec 17 WEP Vulnerabilities (2) » RC4 key = IV (3 bytes) + WEP key (5 or 13 bytes) ♦ Weak IVs help breaking the WEP key » Weak IVs: i:ff:X ♦ Ex: Weak IVs for WEP keys of 40 bits » 3:ff:X, 4:ff:X, 5:ff:X, 6:ff:X, 7:ff:X 17
WNP-MPR-Sec 18 WEP Vulnerabilities (3) ♦ Integrity Check Value based on CRC32 (linear) ♦ WEP does not authenticate nor check the integrity of the frame header » Station can change the MAC address ♦ AP is not authenticated » Rogue AP ♦ WEP does not control the frame sequence » Replay attacks ♦ Same key for every station » Traffic can be eavesdropped or even changed by any station knowing the WEP key 18
WNP-MPR-Sec 19 WEP Vulnerabilities (4) ♦ Manufacturers put additional barriers » Authentication by SSID – Station monitors the medium and wait for another station to associate to see the SSID » Access control by MAC address – Station sees the MAC address of allowed stations and clone their address 19
WNP-MPR-Sec 20 802.1X – Access Control Before the Traffic 802.1X authentication Other traffic ( blocked ) After the Traffic 802.1X authentication Other traffic ( unblocked )
WNP-MPR-Sec 21 EAP – Extensible Authentication Protocol Token AKA/ TLS Methods SIM Card » Encapsulates authentication » Runs over any link layer EAP but thought for PPP » Messages PPP 802.3 802.11 Links Requests , Responses bytes 1 1 2 1 variable Code | Identifier | Length | Type | Type-Data EAP Identity Request EAP Identity Response EAP Auth Request STA EAP Auth Response Authenticator EAP-Success
WNP-MPR-Sec 22 802.1X with Radius 22
WNP-MPR-Sec 23 Dynamic WEP ♦ Uses 802.1X ♦ User authentication » Support of multiple authentication methods » Centralized database with users’ credentials, independent of APs ♦ Enables also AP authentication ♦ Authenticaton keys ≠ encryption keys ♦ Periodic update of WEP keys 23
WNP-MPR-Sec 24 Dynamic WEP (2) 1. Authentication through an 802.1X EAP method 2. Generation of MPPE key 2. Generation of MPPE key (Microsoft Point-to-Point Encryption) 6. Station decrypts the WEP 4. Generation of WEP key key with the MPPE key 5. AP encrypts the WEP key with the MPPE key and sends it over EAPOL-KEY 3. MPPE key encrypted with RADIUS key 7. Station applies the WEP 8. AP applies the WEP key key 9. 802.11 data frames are unblocked and encrypted with WEP 24
WNP-MPR-Sec 25 802.11i ♦ WEP failure IEEE 802.11i ♦ Authentication/Access Control » Pre-shared key (PSK) » With Authentication Server , using 802.1X ♦ Key Management » Temporary Keys » Authentication keys ≠ Encryption keys ♦ Data encryption » CCMP (Counter mode Cipher block Chaining MAC protocol) – Based on the AES cipher algorithm » TKIP (Temporal Key Integrity Protocol) – Based on the RC4 cipher algorithm (same as WEP) ♦ Infraestructured and ad-hoc modes 25
WNP-MPR-Sec 26 Wi-Fi Protected Access ♦ WPA » Based on Draft 3.0 of 802.11i (2002) » Short term solution for legacy equipments » No support for CCMP nor ad-hoc mode » TKIP reuses the WEP HW (RC4 cipher algorithm) – Firmware upgrade ♦ WPA2 » Supports 802.11i » Long term solution 26
WNP-MPR-Sec 27 Authentication methods (802.1X) ♦ Requires Authentication Server ♦ Most popular Wi-Fi authentication methods » EAP-TLS » EAP-TTLS » PEAP 27
WNP-MPR-Sec 28 EAP-TLS ♦ Uses TLS to authenticate both server and user through certificates ♦ Mandatory in WPA ♦ Cons: » Certificates are expensive » User identity goes in clear in the user’s certificate TLS (authentication of server and user) EAP RADIUS 802.1X (EAPoL) UDP/IP 802.11 ST AP AS 28
WNP-MPR-Sec 29 Tunneled authentication ♦ Two phase authentication » TLS tunnel authenticates the Authentication Server » User is autenticated over the TLS tunel – Support of weaker methods for user’s authentication – Certificates are optional – User’s identity goes encrypted ♦ EAP-TTLS, PEAP 29
WNP-MPR-Sec 30 EAP-TTLS MS-CHAP ♦ EAP- Tunneled TLS PAP, CHAP, EAP, … (User authentication) TLS (Server authentication) EAP RADIUS 802.1X (EAPoL) UDP/IP 802.11 ST AP AS 30
WNP-MPR-Sec 31 PEAP ♦ Protected Extensible Authentication Protocol ♦ v0 Microsoft, v1 Cisco ♦ PEAPv0/EAP-MSCHAPv2 – the most popular MSCHAPv2, TLS, … (user authentication) EAP TLS (server authentication) EAP RADIUS 802.1X (EAPoL) UDP/IP ST 802.11 AP AS 31
WNP-MPR-Sec 32 Key Management ♦ Master Key (MK) generated by Authentication Server ♦ Pairwise Master Key (PMK) generated from MK ♦ PMK sent to the AP through the AAA protocol (RADIUS) ♦ Generation of the Pairwise Transient Key (PTK) through the 4-way handshake ♦ Group key handshake (GTK) Group key handshake generated by the AP and sent though the Group key 32 handshake
WNP-MPR-Sec 33 Key Management (2) Encrypted with PTK PTK = Hash(PMK, Anonce, Snonce, MACaddr STA , MACaddr AP ) 33
WNP-MPR-Sec 34 TKIP Key Encryption generation » Diminui correlação entre a keystream e a chave de cifragem 34
WNP-MPR-Sec 35 Data frames – WEP, TKIP, and CCMP Encrypted Authenticated 802.11 Header ICV IV / KeyID Data 4 octets 4octets >=0 octets Encrypted Authenticated Authenticated 802.11 Header IV / KeyID Extented IV ICV Data MIC 4octets 4 octets 4 octets >=0 octets 8 octets Encrypted Authenticated Authenticated IV / KeyID Extented IV MIC 802.11 Header Data 4octets 4 octets 8 octets >=0 octets 35
WNP-MPR-Sec 36 Integridade das mensagens ♦ ICV = CRC32 not really a signature ♦ MIC signature/hash 36
WNP-MPR-Sec 37 GSM
Recommend
More recommend
