WiFi Security Lecture 7 ssid
ssid
w bandwidth Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
1
Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
2
Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
Six Reasons to Hack WiFi • it is fun • it gives anonymous access and an attacker is difficult to trace • illicit wifi access as a way to preserve privacy • technical reasons making it an attractive target • opportunistic cracking - why not to read my neighbour’s emails • rogue AP as an out-of-band network backdoor Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
3
Security mechanisms of WLAN • SSID – name of local network managed by an access point, all computers must know this name – reauthenticate and reassociate frames contain SSID
• MAC filtering – sniff the network and as soon as a client quits, use its MAC and IP address – you can also kick the user out – send a deassociate packet with AP’s forged address
• WEP – traffic encryption on link level Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
How WEP works • WEP – Wired Equivalent Privacy • based on RC4 stream cipher – no encryption, 40-bit key, 128-bit key
• stream cipher => data are xored with pseudorandom stream • key must be predistributed and it is hard to change it – do you remember the problems? • we need IV Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
4
How WEP works II • if a bit of ciphertext is flipped => the same bit is flipped in plaintext – integrity check – CRC-32 (linear function, easy to compute/recompute) we know bits in CRC to be flipped if bit n of a msg is flipped
• reusing the same pseudorandom stream – IV is used - 24bit – sent in plaintext, with max packet size is 1500B at 11Mbps => 5 hours to exhaust IV space – but e.g. Lucent card resets IV to 0 after each card reset Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
Attacks on WEP • passive attack – as described on the previous slide
• active attack to inject traffic – attacker flips appropriate bits to change meaning of messages/data
• active attack from both ends – attackers guess packet headers – response is sent to a different machine unencrypted
• table-based attack – around 15 GB table needed to decrypt any packet Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
5
FMS attack • 2001 Scott Fluhrer, Itsik Mantin, Adi Shamir – some IVs set up RC4 cipher a way revealing key information in output bytes – first byte in the stream is generated using a byte from the secret key – invariance weakness allows use the output bytes to determine the most probably key bytes – the first output bytes are predictable: contain SNAP header – correct in 5-13% cases – we need 6-8 million packets, i.e. 2 hours
• improved FMS attack – just half a million packets needed – practical experience says that in some cases just 1/3 of the packets was needed to crack the key – even 128b Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
802.1x authentication • Cisco’s EAP-LEAP algorithm for authentication – similar problems to those of MS-CHAPv2 – AP sends a random 8 bit challenge – client uses MD4 to create 3 DES keys from her password – each key used to encrypt challenge – do you remember five nulls from MS-CHAP?
• man-in-the-middle attack still possible – even with RADIUS server Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
6
Attack Tools • encryption cracking tools – WEP crackers, traffic injection tools
• 802.11 frame-generating tools – to cause DoS attacks
• encrypted traffic injection tools – duplicating/replaying of recorded traffic
• access points management tools – mining information from access points Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
List of tools • WEP crackers – wepcrack, dweputils, wep_tools, wepattack, • traffic injection – reinj • 802.1x cracking – asleap-imp, leap, leapcrack • frame generating – airjack, file2air, libwlan, fakeAP, void11, wnet • encrypted traffic injection – wepwedgie • access point management – ap-utils Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
7
Attack planning • network footprinting – use google ☺, social engineering, collect all information you can get about the network • site survey considerations – antenna positions, warchalking, outdoor access points • attack timing • stealth network discovery • attacking selecting nodes Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
Security measures • authentication – RADIUS (rfc2138, 2139), LDAP, NoCat • wireless VPN – IPSec, PPTP, GRE, L2TP, alternative protocols: cIPe, OpenVPN, Vtun • wireless IDS systems – – – – – –
RF/physical layer events mngmt/control frame events 802.1x/EAP frame events WEP related connectivity, traffic flow other events
Kryptografie a informační zabezpečenost, © Daniel Cvrček, 2005
8