Wireless LAN SecurityAgendaBrief BackgroundWireless network componentsSecurity Challenges and SolutionsMore on WEPWEP Encryption and IntegrityWEP AuthenticationWEP – The “flawed” SolutionWEP – The “flawed” Solution (contd.)Slide 11Design ConstraintsEnhancing WLAN Security with WPASecurity Mechanisms in WPA - TKIPMore on TKIP802.1X/EAP ArchitectureWPA Modes of Operation - Pre-shared key vs. EnterpriseWPA modes of operation – Enterprise ModeWEP vs. WPAComparing WPA and 802.11iConclusionReferencesWireless LAN SecurityPresented by:Pallavi PriyadarshiniStudent ID 003503527AgendaBrief background on Wireless LANBasic security mechanisms in 802.11WEP VulnerabilitiesEnhancing wireless security with WPAComparing WEP and WPAConclusionBrief BackgroundA local area network (LAN) with no wiresSeveral Wireless LAN (WLAN) standards802.11 - 1-2 Mbps speed, 2.4Ghz band802.11b (Wi-Fi) – 11 Mbps speed, 2.4Ghz band802.11a (Wi-Fi) - 54 Mbps speed, 5Ghz band802.11g (Wi-Fi) – 54 Mbps speed, 2.4Ghz bandWireless network componentsSecurity Challenges and SolutionsChallengesBeyond any physical boundariesEncryption, Authentication and IntegrityBasic Security Mechanisms in 802.11Service Set ID (SSID) – Acts like a shared secret, but sent in clear.MAC Address Lists – Modifiable and also sent in clear. The WEP AlgorithmMore on WEPStands for Wired Equivalent PrivacyDesigned to encrypt data over radio wavesProvides 3 critical pieces of securityConfidentiality (Encryption)AuthenticationIntegrityUses RC4 encryption algorithmSymmetric key stream cipher64-bit shared RC4 keys, 40-bit WEP key, 24-bit plaintext Initialization Vector (IV)WEP Encryption and IntegrityIVSecret KeySeed PRNGXORIVCiphertextPlaintextCRC-32AlgorithmIntegrity Check valuePlaintextKeySequenceMessagePRNG – RC4 Pseudorandom number generation algorithmData payloadWEP Authentication2 levels of authentication“Open” : No authentication“Shared secret” : Station AStation BNonce NE(N, KA-B)Request for shared key auth.Authentication responseWEP – The “flawed” SolutionWeakness in key managementSingle key for all access points and client radiosStatic unless manually changedAuthentication and encryption keys are the sameShared key authentication failureNo knowledge of secret to gain network accessWEPPR=C P (where C, P are passively recorded)AttackerAPAuthentication requestChallenge R WEPPR RSuccessWEP – The “flawed” Solution (contd.)Weakness in EncryptionShort 24-bit IV, reuse mandatoryWeak per-packet key derivation - exposes RC4 protocol to weak key attacks. Given c1 and c2 with same IV, c1 c2= p1p2 [p1 S p2 S], leading to statistical attacks to recover plaintextsShort 40-bit encryption schemeNo forgery protectionUsing CRC-32 checksum possible to recompute matching ICV for changed data bitsGiven C= RC4(IV, key) <M, ICV(M)>, can find C’ that decrypts to M’=M+Δ such that C’= RC4(IV, key) <M’, ICV(M’)>WEP – The “flawed” Solution (contd.)No protection against replaysOptional, mostly not turned on by usersDesign ConstraintsWEP patches will rely entirely on software upgradeAccess points have little spare CPU capacity for new functionsEncryption functions are hard-wired in the access pointsEnhancing WLAN Security with WPAWPA - Wireless Protected AccessStrong, standards based, interoperable security for Wi-Fi Addresses all known weaknesses of WEPSubset of forthcoming IEEE 802.11i standard Designed to run as a software upgrade on most Wi-Fi certified products.Security Mechanisms in WPA - TKIPUses TKIP (Temporal Key Integrity Protocol) Encryption.Suite of algorithms wrapping WEPAdds 4 new algorithms to WEP:1. New cryptographic message integrity code (MIC) called Michael - to defeat forgeries2. New IV sequencing discipline - to remove replay attacks3. A re-keying mechanism – to provide fresh encryption and integrity keysMore on TKIP4. A per-packet key mixing function •Phase 1 (Eliminates same key use by all links) - Combines MAC address and temporal key. Input to S-box to produce intermediate key•Phase 2 (De-correlates IVs and per-packet keys) - Packet sequence number encrypted under the intermediate key using a fiestel cipher to produce 128-bit per packet key.TKIP leverages 802.1X/EAP framework for key management802.1X/EAP ArchitectureSupplicant(wireless client)Authenticator(AP)AuthenticationServer (RADIUS)EAP-startEAP-identity requestEAP-identity responseEAP success/rejectEAP success/rejectWPA Modes of Operation - Pre-shared key vs. EnterprisePre-shared Key Mode for home/SOHO usersDoes not require authentication server“Shared Secret” or password entered manually in the AP and wireless client. WPA takes over automatically.Only the clients with matching passwords are allowed to join the network.The password automatically kicks off the TKIP encryption process.Enterprise Mode for corporate usersRequires an authentication server like RADIUSCentralized management of user credentialsWPA modes of operation – Enterprise ModeWired Network ServicesInternetAuthentication serverAccess PointWEP vs. WPAWEP WPAEncryption Flawed Fixes all WEP flaws40-bit keys 128-bit keysStatic-same keys used by everyone on networkDynamic session keys. Per-user, per-session, per-packet keysManual distributionAutomatic DistributionAuthenticationFlawed, uses WEP key itselfStrong user authentication using 802.1X and EAPComparing WPA and 802.11i802.11i802.1XKey managementCipher & Authentication negotiationTKIPAESWPAConclusionWPA is not an ideal security protocol design…However, it is a dramatic improvement in Wi-Fi security.Has not been broken (yet).Protects the original hardware investment.If hardware constraint removed, a more robust security solution possible.Such a solution is being developed based on a even stronger cryptographic cipher - Advanced Encryption Standard (AES).References[1] Bruce Potter & Bob Fleck, “802.11 Security”, O-Reilly, December 2002[2]James larocca & Ruth larocca, “802.11 Demystified”, McGraw-Hill Telecom, 2002[3]Whitepaper on Wireless LAN Security on
View Full Document