Wireless Security
Chi-Shu Ho, Raymond Chi
CS265 Cryptography and Computer Security
SJSU
November 18, 2003

Wireless Networks

According to PC Magazine, 14 million American households equipped with PC-based data networks by end of 2003
40% are wireless networks
Growing in popularity due to
  – Convenience compared to traditional wired networks
  – Price cuts of wireless networking components, full setup for under $200
Commercial establishments offering wireless access as a way to attract customers.
They are everywhere! Parents have filed lawsuits against some (elementary) schools for putting up wireless access points!

Standards

IEEE formed 802 working group in 1980s
  – Researchers, academics, and industrial professionals working toward the development of an industry standard
Adopted 802 standard as the ground level networking standard in 1990.
  – 802.3 for Ethernet networking
  – 802.11 for wireless networking in 1997
Incremental enhancements of 802.11
  – 802.11a, 802.11b, 802.11g

802.11 Basics

Operating Frequency
  US: 2.4000-2.4835GHz
  Europe: 2.4000-2.4845GHz
  Japan: 2.471-2.497GHz
  France: 2.4465-2.4835GHz
  Spain: 2.445-2.475GHz
Transfer Rate: 1.2mbps
Mechanism:
  Direct Sequence Spread Spectrum (DSSS)
    http://www.pcwebopedia.com/TERM/D/DSSS.html
  Frequency Hopped Spread Spectrum (FHSS)
    http://www.pcwebopedia.com/TERM/F/FHSS.html

The Big Three

802.11b
  – A Great Leap Forward
    • First major revision of 802.11, approved in 1999
  – Frequency: 2.4GHz
  – Transfer Rate (theoretical): 1, 2, 5.5, 11Mbps
  – Transfer Rate (throughput): 4Mbps (average)
  – Mechanism: Direct Sequence Spread Spectrum (DSSS)
  – Channels Available: 11 (3 non-overlapping)
  – Maximum Range: 175ft (average)
  – Pros: Cost, Range
  – Cons: 2.4GHz is unlicensed, overcrowded, microwave oven, cordless phone, Bluetooth device…

The Big Three

802.11a
  – Faster and Faster
    • Approved and ratified by IEEE in 2001
  – Frequency: 5.8GHz
  – Transfer Rate (theoretical): up to 54Mbps
  – Transfer Rate (throughput): 20-30Mbps (average)
  – Mechanism: Orthogonal Frequency Division Multiplexing (OFDM)
  – Channels Available: 12 (all non-overlapping)
  – Maximum Range: 80ft (average)
  – Pros: increased data rate, less interference
  – Cons: short range, lack of backward compatibility with 802.11b

The Big Three

802.11g
  – New Guy on the Block
  – Frequency: 2.4GHz
  – Transfer Rate (theoretical): up to 54Mbps
  – Transfer Rate (throughput): 20-30Mbps (average)
  – Mechanism: Complementary Code Keying (CCK), backward compatible with DSSS
  – Channels Available: 3 (1, 6, 11)
  – Maximum Range: 175ft (average)
  – Pros: compatible with 802.11b, speed
  – Cons: relatively new

802.11 Security Mechanism

Authentication
  – Between stations and access points (AP)
Data Encryption
  – Wired Equivalent Privacy (WEP)

802.11 Authentication

Ad-Hoc Mode
  – Direct station to station connection
Infrastructure Mode
  – Connection through Access Point (AP)
  – Process of finding an access point and establishing a connection has the following 3 states
    • 1: Unauthenticated and unassociated
    • 2: Authenticated and unassociated
    • 3: Authenticated and associated

State 1

Unauthenticated and unassociated
A wireless station is in this state when it is searching for an access point.
Finds AP by
  – Listening for AP’s beacon management frame
  – Knowing AP’s Service Set Identifier (SSID)
    • Sending out probe request to locate desired access point

State 2

Authenticated and unassociated
After station finds AP, a series of messages is exchanged to authenticate each other’s identity
Open System Authentication
  – Station sends message, AP determines whether to grant access or not
Shared Key Authentication
  – Uses WEP to determine if a station has access authentication
  – AP and station share a secret key
  – AP sends a 128bit generated challenge text
  – Station encrypts and sends data back to AP
  – Grant access if AP can decrypt it using the shared key

State 3

Authenticated and associated
After both parties have been authenticated, the station is in state 2.
It then sends an association request, and AP accepts the request.
Useful for roaming

Wired Equivalent Privacy

Encryption standard defined by the IEEE 802.11 Standard
Uses a shared secret key for both encryption and decryption
Distribution of shared secret key to stations is not standardized.
Based on RC4 stream cipher
Has built-in defense against known attacks
Initialization Vector (24-bit) concatenated with 40-bit shared secret key to produce different RC4 key for each packet
Integrity Check (IC) field to protect content

WEP Encryption

[Figure: WEP Frame, with fields 802.11 Header, IV, Data, IC]
WEP only protects DATA, not physical layer transmissions

Good Guy vs Bad Guy

How to make your wireless network secure?

SSID
  – Configure AP not to broadcast SSID, station has to know SSID in advance to connect.

SSID Weakness!

SSID is sent across the wireless network in plaintext!
  – Not difficult to configure off-the-shelf equipment to sniff for wireless traffic
Imposter access point can easily be set up
  – How do you know you’ve connected to the right AP?

SSID Map

Network Stumbler

How to make your wireless network secure?

Access Control Lists
  – Based on MAC address
  – Configure AP to only allow connection from ‘trusted’ stations with the right MAC address
  – Most vendors support this, although not in the standard

MAC Weakness

MAC addresses can be sniffed by an attacker because they are again sent in the clear!
MAC addresses can be easily changed via software (no guarantee of uniqueness!)

How to make your wireless network secure?

Use WEP encryption/decryption as authentication mechanism
Use WEP to encrypt data transmitted to guard against eavesdropping

WEP Weakness

WAP’s security mechanism not implemented correctly!!!
IC field is to protect data integrity, but CRC-32 is linear (flipping a bit in the message causes a set number of bits to flip in the IC)!
IV is 24-bit, too short! Easily capture ciphertext with the same IV. Same IV => same encryption key => attacker can obtain multiple key/ciphertext pairs for statistical analysis.
Secret Key is too
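
The IC and IV weaknesses listed under "WEP Weakness", worked through on a toy WEP encapsulation. This is an added example, not part of the original slides; the key, IV and plaintexts are constructed, and the little-endian byte order of the IC is an assumption of the example.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given per-packet key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ic(data: bytes) -> bytes:
    """Integrity Check field: CRC-32 of the plaintext (byte order assumed)."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(iv: bytes, key: bytes, data: bytes) -> bytes:
    body = data + ic(data)
    return xor(body, rc4(iv + key, len(body)))  # RC4 key = IV || shared key

def wep_decrypt(iv: bytes, key: bytes, ct: bytes):
    body = xor(ct, rc4(iv + key, len(ct)))
    data, check = body[:-4], body[-4:]
    return data, check == ic(data)              # (plaintext, IC valid?)

def modify_without_key(ct: bytes, delta: bytes) -> bytes:
    """XOR delta into the hidden plaintext and fix up the IC, using no key.
    CRC-32 is affine: crc(m ^ d) = crc(m) ^ crc(d) ^ crc(00..0)."""
    patch = xor(ic(delta), ic(bytes(len(delta))))
    return xor(ct, delta + patch)

KEY = bytes.fromhex("0102030405")    # constructed 40-bit shared secret
IV = bytes.fromhex("aabbcc")         # constructed 24-bit IV, reused below
P1 = b"unit=7;level=10"              # constructed plaintexts, same length
P2 = b"unit=3;level=42"

if __name__ == "__main__":
    c1, c2 = wep_encrypt(IV, KEY, P1), wep_encrypt(IV, KEY, P2)
    print("same IV: c1^c2 == p1^p2:", xor(c1[:15], c2[:15]) == xor(P1, P2))
    forged = modify_without_key(c1, xor(P1, b"unit=7;level=90"))
    print("modified frame decrypts to:", wep_decrypt(IV, KEY, forged))
```

Both results follow from the design rather than from a weak key: a keyed message authentication code in place of CRC-32, and a per-packet key that never repeats, are what the later WPA and 802.11i work replaces them with.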