Beruflich Dokumente
Kultur Dokumente
11 (Wi-Fi) Security
Bheemarjuna Reddy Tamma
IIT HYDERABAD
Adapted from William Stallings textbook on Wireless Security, Kurose and Ross
textbook on Computer Networking and other Internet sources
Wireless Security
Concerns for wireless security are similar to those
found in Wired networks
Security requirements are the same:
Confidentiality, Integrity, Availability, Authenticity,
Accountability
Most significant source of risk is the underlying wireless
medium which is broadcast in nature
Key factors contributing to higher security risks
Broadcast Channel
Mobility
Limited Resources
Accessibility
802.11 LAN (Wi-Fi) architecture
Wireless host communicates
with base station
Internet
base station = access point (AP)
Basic Service Set (BSS) (aka
“cell”)
hub, switch Building block of IEEE
or router
802.11 WLAN
In infrastructure mode, BSS
BSS 1 contains:
Wireless hosts
AP
BSS 2
How does a STA join an existing BSS in Wi-Fi?
host: must associate with an AP
1) scans channels, listening for beacon frames containing AP’s
name (SSID) and MAC address
2) selects AP to be associated with
3) performs authentication and then associates with BSS
4) will typically run DHCP client to get IP address in AP’s subnet
Scanning
Active scanning (Probe-REQ/Probe-Response)
Passive scanning (listen for period beacons from APs)
Authentication with AP
Authentication REQ/Authentication Response
Only link level encryption of data, not end-to-end
Association with AP
Association REQ/Association Response
STA capabilities, PCF requirements, Power-saving mode, etc
DHCP (@AP, WLAN controller, or stand-alone server) 4
DORA (discover, offer, request and ACK)
How does a STA join an existing BSS?
Supplicant Authenticator
Eavesdropping
Man-in-the-middle (MITM) attacks
Malicious association to rogue
networks
Denial of Service (DoS)
Eavesdropping
Easy to intercept traffic, almost impossible to detect
By default, everything is transmitted in clear text
Usernames, passwords, content ...
No security offered by the transmission medium
Different tools available on Internet
Wireshark/Kismet
With the right equipment, it’s possible to eavesdrop
from few kilometers away
Affects Confidentiality of data exchanged
Countermeasures
Encryption and signal-hiding techniques
Denial of Service (DoS)
Frequency jamming
Not very technical, but works very well
Spoofed deauthentication / disassociation messages
can target one specific user
Spoofed MAC control packets
Evil Twin: Rogue APs on legitimate WLAN system
Only client side authentication
Black hole evil twin
Battery exhaustion
Attacks on higher levels
SYN Flooding
Ping of death
...
Wireless MITM Attack
1. Attacker spoofes a
disassociate message from
the victim
2. The victim starts to look
for a new access point,
and the attacker
advertises his own AP on
a different channel, using
the real AP’s MAC
address
3. The attacker connects to
the real AP using victim’s
MAC address
Affects Integrity
Wi-Fi Security Solutions
Wired Equivalent Privacy (WEP)
Wireless Protected Access (WPA)
IEEE 802.11i (WPA2)
WPA3 (coming this year!)
Wired Equivalent Privacy (WEP)
Original security solution offered by IEEE 802.11 standard
Uses RC4 encryption with pre-shared keys (40-bit or 104-
bit) and 24-bit Initialization Vectors (IV)
40-bit: 10 Hex chars or 5 ASCII chars
104-bit: 26 Hex chars or 13 ASCII chars
Key Key
stream stream
http://www.dartmouth.edu/~madory/RC4/wepexp.txt
Credits: https://asecuritysite.com/encryption/rc4_wep
802.11 Security (WEP)
http://www.dartmouth.edu/~madory/RC4/wepexp.txt
https://asecuritysite.com/encryption/rc4_wep
WLAN security mechanisms
Wireless Protected Access 2 (WPA2)
WPA2 is the Wi-Fi alliance name for the 802.11i amendment to the
IEEE standard, which is now part of 802.11-2012
Robust security network (RSN) = name of WPA2 in the standard
Uses 802.1X for access control
Uses EAP for authentication and key exchange, e.g., EAP-TLS
Confidentiality and integrity protocol: AES-CCMP
Historical: WPA
Used in the transition period before the 11i standard was finalized
and before AES support in NIC hardware
TKIP encryption = RC4 with frequently changing keys and other
enhancements
Security of TKIP and WPA is now considered broken; always
disable them in your (old) AP!
14
802.11i RSN security services
Access control: enforces the use of the
authentication function, routes the messages
properly, and facilitates key exchange
It can work with a variety of authentication protocols
Authentication: between a user and an
Authentication Server that provides mutual
authentication and generates temporary keys to be
used between the client and the AP over the wireless
link
Privacy with message integrity: MAC-level data
are encrypted along with a message integrity code
that ensures that the data has not been altered
Elements
of
IEEE 802.11i
Authentication and Key Management
Architecture
Out of scope of
802.11i standard
EAP-TLS
EAP
802.11 UDP/IP
17
802.1X stack and specifications
TLS (RFC5246)
EAP-TLS (RFC5216)
Server
Authentication
STA
EAPOL
RADIUS (RFC2865)
(IEEE 802.1X)
TCP/IP
18
RSN key hierarchy
*********** 802.1X
Two alternative ways to
Passphrase authentication
obtain keys:
!
802.1X authentication=
WPA2-EAP =
Pre-Shared Key PSK = Master Session Key
PBKDF2(Passphrase) MSK WPA2-Enterprise
Preshared key (PSK)
authentication = WPA2-
Pairwise Master Key PMK = PSK =
PSK or MSK WPA2-Personal
Home/small business
No AS in network
Pairwise Temporal Key PTK = No mutual auth
PRF(PMK,BSSID,MACaddrSTA,NAP,NSTA)
split
Key Confirmation Key KCK Key Encryption Key KEK Temporal Key TK
(for encrypting the (key material
group i.e. broadcast key) for session keys)
19
IEEE 802.1X
• IEEE Std 802.1X-2004
• Port based network access control mechanism offering authentication
services for 802 LAN attachments
• Originally intended for enabling and disabling physical ports on switches and
modem banks
• Also used in Ethernet switches and Wi-Fi APs
• Uses Extensible Authentication Protocol (EAP) to support many
authentication methods; usually EAP-TLS
• Encapsulation of Extensible Authentication Protocol (EAP) messages is
defined in 802.1X and known as EAP over 802 LANs (EAPOL)
• EAPOL operates at the network layer
• Defines two logical port entities at switch/AP
• Controlled port: To allow/prevent network traffic from/to the controlled port
• Uncontrolled port: To send/receive EAPOL frames
802.1X Access Control in 802.11i
(authenticator)
(Supplicant)
802.11i/802.1X architecture
Wired LAN
or Internet !
Supplicant Authenticator Authentication Server
(STA) (AP) (RADIUS Server)
• Supplicant wants to access the wired network via the AP, so it sends
Authentication credentials to Authentication Server (AS) with EAP
• AS authenticates the supplicant and ”tells” the AP whether access to
controlled ports should be allowed or not
• So, AP is simply a pass-through device during authentication process
• Authenticator (AP) then enables network access for the supplicant
after successful authentication
• E.g., IITH Wi-Fi and Eduroam services 23
EAP Encapsulation over EAPOL/Radius
Security capabilities
discovery
802.1X authentication
25
IEEE 802.11i Phases of Operation
IEEE
802.11i
Phases
of
Operation
Phases of
Operation
IEEE 802.11i
Key Hierarchies
Purpose of each phase (1/2)
Discovery
Determine promising parties with whom to communicate
AP advertises network security capabilities to STAs
802.1X authentication
Centralize network admission policy decisions at the AS
STA determines whether it does indeed want to
communicate
Mutually authenticate STA and AS/AP
Generate Master Key as a side effect of authentication
Use master key to generate session keys = authorization
token
30
Purpose of each phase (2/2)
RADIUS-based key distribution
Remote access dial-in user service (RADIUS), not part
of 11i, but is the de facto back-end protocol (RFC 2138)
Encapsulates EAP messages as a RADIUS attribute
RADIUS has its own security protocol based on shared
keys between the endpoints (AP and server)!
AS moves (not copies) session key (PMK) to STA’s AP
802.1X/EAP-Request Identity
802.1X/EAP-Response
Identity (EAP type specific)
RADIUS Access
Request/Identity
Derive Pairwise Master Key (PMK) Derive Pairwise Master Key (PMK)
802.1X/EAP-SUCCESS
802.1X RADIUS 32
33
Example –EAP-TLS (1/2)
STA
AP
AP-RADIUS Key AS
802.1X/EAP-Request Identity
RADIUS Access
802.1X/EAP-Request(TLS) Challenge/EAP-Request
35
Example – EAP-TLS (2/2) AS
STA AP
AP-RADIUS Key
RADIUS Accept/EAP-
802.1X/EAP-Success Success, PMK
36
Full WPA2 Authentication (EAP-TLS) & Key Exchange
!
Authentication-Response
Association-Request
EAP-TLS
Association-Response inside EAPOL EAP-TLS
inside RADIUS
EAP Request / Identity
EAP Response / Identity RADIUS-Access-Request
EAP-TLS Request (start) RADIUS-Access-Challenge
EAP-TLS Response ClientHello RADIUS-Access-Request
ServerHello, Certificate,
EAP-TLS Request ServerKeyExchange,
CertificateRequest, ServerHelloDone
RADIUS-Access-Challenge
Certificate, ClientKeyExchange,
EAP-TLS-Response CertificateVerify,
ChangeCipherSpec, Finished
RADIUS-Access-Request
EAP-TLS Request ChangeCipherSpec,
Finished RADIUS-Access-Challenge
EAP-TLS-Response (empty) RADIUS-Access-Request
EAP Success RADIUS-Access-Accept
EAPOL-Key (4-way handshake)
Key material from
EAPOL-Key (4-way handshake) TLS sent to AP
EAPOL-Key (4-way handshake)
EAPOL-Key (4-way handshake)
Authentication Summary
At the end of authentication
The AS and STA have established a session
The AS and STA possess a mutually
authenticated Master Key
Master Key represents decision to grant access based
on authentication
STA and AS have derived PMK
PMK is an authorization token to enforce access control
decision
AS has distributed PMK to an AP (hopefully, to the
STA’s AP!)
For data tx in 802.11i (WPA2)
WPA2-TKIP vs WPA2-AES encryption protocols
TKIP (Temporal Key Integrity Protocol) from WPA
AES (Advanced Encryption Standard) for WPA2
WPA2-Enterprise (uses 802.1X) vs WPA2-Personal (uses PSK)38
Both reply on AES-CCMP to encrypt data over the air
How does a STA join an existing BSS?
DHCP: DORA
39
IITH Wi-Fi
Cisco Aironet 3700 Series Access Points
• Dual-band 2.4 and 5 GHz with 802.11ac Wave 1 (draft std) support
• Servers 11a/b/g/n/ac STAs /w integrated radios
• Supports 20-, 40- and 80 MHz channels
• Max Tx Power of 23 dBm (200 mW)
• 4*4 MIMO with 3 spatial streams
• A-MSDU and A-MPDU aggregation, WMM (11e)
• 802.11 Dynamic Frequency Selection (DFS)
• PHY data rates up to 1.3 Gbps (80 MHz on 5 GHz)
• Data Sheet
Cisco 5508 WLAN Controller
• CAPWAP Architecture where APs are kept in light-weight (split-MAC) mode
• CAPWAP: Control and Provisioning of Wireless Access Points, IETF std
• Timing-dependent operations are generally managed locally on CAPWAP AP,
while more complex, less time-dependent operations are managed on the WLC
• Beacons, control and data frames, encryption by CAPWAP AP, rest by WLC
• Central configuration, management of APs & two-way (UDP) tunneling of traffic
b/w Controller and APs
• Load-balancing, interference management (DFS), Uninterrupted network access
when roaming, QoS, power control, etc
• Supports up to 500 APs and 7000 STAs
40
Data Sheet
IITH Wi-Fi
PEAP-Microsoft Challenge
Authentication Protocol
Version 2 (PEAP-
MSCHAPv2): TLS tunnel
43
https://mrncciew.com/2014/08/25/cwsp-eap-peap/
Hacking Wi-Fi Networks
Tools of the trade
Wireshark/TCPDUMP
Kismet
WEPCrack/AirSnort
AirCrack NG
CoWPAtty
NetStumbler
WiFuzz
Pyrit, Fern
Cain & Able
AirXploit
etc 44
Kismet
Kismet is a passive scanner for Linux
The software is advertised as being more than just a
wireless network detector.
Kismet is also a sniffer and an intrusion detection system
Wireshark- and Tcpdump-compatible data logging
Compatible with AirSnort and AirCrack
Network IP range detection
Detection of hidden network SSIDs
Graphical mapping of networks
Manufacturer and model identification of APs and clients
Detection of known default AP configurations
Kismet can be used to conduct wardriving, but it can also
be used to detect rogue APs on a company’s network
Other tools
AirSnort was the first widely used WEP-cracking
program and woke up nonbelievers who thought
WEP was enough protection for Wi-Fi!
AirCrack-NG is the tool most hackers use to access
WEP/WPA2-PSK WLANs
airmon-ng
airodump-ng
aireplay-ng
aircrack-ng
WPA2-PSK Offline Dictionary Attack
Access Point
PTK=PRF{PMK,AA||SA||Anonce||Snonce}
{SPA, SNonce, n, msg2, MICPTK(SNonce, n, msg2)}
Install PTK,
Last Seen = n+1 {SPA, n+1, msg4, MICPTK(n+1, msg4)}
Install PTK,
The MIC is calculated using HMAC_MD5, which takes Counter = n+2
its input from the KCK Key within the PTK.
KRACK: Key Reinstallation Attacks
on WPA2
Discovered by Mathy Vanhoef, KU Leuven in 2017
Kind of weakness/ambiguity in .11i std, so affects vary
across OS implementations
So, any device with Wi-Fi radio is most likely affected
Linux and Android 6.0 or higher are highly vulnerable
All data from victim can be decrypted
Main attack is against the 4-way handshake of the
WPA2 protocol
Both WPA2-Personal and WPA2-Enterprise
It does not recover passphrase of Wi-Fi network
Also do not recover (any parts of) the fresh encryption key that is
negotiated during the 4-way handshake.
KRACK: WPA2 Attacks (Videos)
KRACK
https://www.youtube.com/watch?v=Oh4WURZoR98
https://blog.mojonetworks.com/wpa2-vulnerability
YouTube Playlist on WPA2 Attacks
https://www.youtube.com/watch?v=fOgJswt7nAc
WPA3: OWE
OWE: Opportunistic Wireless Encryption for
Open SSIDs
IETF RFC 8110
Encryption w/o authentication like HTTPS browsing
Meant for open/public APs
Diffie Hellman key exchange, does n’t require any certs
OWE handshake using Re(association) REQ/RES negotiates a
new PMK b/w STA and AP
Not a replacement for any of existing auth methods
Does not offer AUTH (both client-side and AP-side)
Sol for client-side AUTH: Captive portal
No sol for server-side AUTH
• Honeypots and Evil Twins can still be setup
WPA3: Dragonfly
Dragonfly: Offline Dictionary Attack
Resistance for PSK Passwords
Even when users choose weak passwords
IRTF RFC 7664 and Section 12.4 (SAE) of IEEE 802.11 Std
• Simultaneous Authentication of Equals (SAE)
It uses Diffie Hellman key exchange to facilitate both
the encryption key generation and mutual AUTH
SAE handshake to derive a fresh PMK at STA and AP after
mutual AUTH
PMK is used to get PTK by doing 4-way handshake as usual
Forward secrecy: Even if passphrase is leaked at a
later point in time, it still cannot be used to decrypt
the eavesdropped packets from the past
Counter Measures for Wireless Attacks
Many countermeasure, such as using certificates on all
wireless devices, are time consuming and costly
Be sure wireless users are authenticated before being
able to access any network resources
Deploy honeypots which are hosts or networks available
to the public that entice hackers to attack them instead of
a company’s real network
To make it more difficult for wardrivers to discover your
WLAN, you can use Black Alchemy Fake AP (available
free at ww.blackalchemy.to/project/fakeap/).
As its name implies, creates fake APs, which keeps war-drivers
so busy trying to connect to nonexistent wireless networks that
they don’t have time to discover your legitimate AP.
Wireless Security Techniques
allow only specific
Use 802.1x based
computers to
Auth & Protected
access your
Mgmt Frames
wireless network
change the
turn off identifier
identifier on your
broadcasting, apply
router from the
patches ASAP
default
References
Keys
for Data
Confidentialit
y and
Integrity
Protocols
Temporal Key Integrity Protocol
(TKIP)
• designed to require only software changes to devices that are
implemented with the older wireless LAN security approach called
WEP
• provides two
services:
message data
integrity confidentiality
Message Data
integrity confidentiality