Wireless Security

1
Wireless Security
2
Wireless Security

• Wireless LAN protocols (IEEE 802.11)
• Wireless Application Protocol (WAP)
• Wireless site evaluation
• Wireless vulnerabilities
• Unauthorized base stations
• Sniffing
• Wireless security tools

3
Wired Equivalent Privacy (WEP)

• WEP aims to provide the same level of security as
  a wired system wide in the following areas
• Confidentiality
• Access control
• Integrity
• P plaintext, C cipher text, K encryption
  key, R received text
• R C xor K P xor K xor K P and so the
  plaintext can be recovered knowing the encrypted
  text and the keystream.

4
Wireless communication security

• 802.11b has certain security features available,
  but not a whole lot
• Service Set Identifier (SSID) are introduced to
  differentiate networks
• Access Point (AP) names are preset by equipment
  manufacturer. Linksys APs have the name
  linksys and Cisco APs have the name tsunami.
  Since these are well known, the user must reset
  the SSIDs just like a secure password
  (non-standard name with non-standard characters,
  non-guessable)
• APs broadcast SSIDs every few seconds in Beacon
  Frames form

5
Wireless communication security

• Two methods to establish connection with APs are
• Shared key authentication
• Open authentication
• In shared key authentication, client requests
  connection with AP. AP sends a challenge string
  in clear. Client encrypts using what is known as
  Wired Equivalent Privacy (WEP) method and sends
  the encrypted string back to the AP. AP knows
  what it is expecting as encrypted string. If the
  two match, then access to communicate is granted
  by the AP.

6
Wireless communication security

• Potential problem is that a hacker will get the
  original challenge string and the encrypted
  response from the client. Hacker can then try to
  break the encryption key. Once the key is
  broken, the WEP itself is compromised as all its
  communications can now be eavesdropped by the
  hacker.
• In spite of lack of security, the open connection
  is a preferred secure method for AP access. Use
  end-to-end encryption instead for security.

7
Wireless communication security

• WEP uses a 40-bit key and a separate 24-bit
  initialization vector (IV) with the 40-bit key.
  All 64 bits are used in the encryption. However,
  the IV is sent along with the encrypted text.
  The hacker will be able to see the encrypted text
  and the IV but not the original text.
• To break the WEP key one needs to try all
  combinations of the 40-bit key with the 24-bit
  IV. The 40-bit key gives nearly a billion
  combinations, and they are within reach of
  todays computing power to mount an exhaustive
  attack

8
Wireless communication security

• Lucent company has proposed a 128-bit key for
  WEP, known as WEP Plus
• The 128-key consists of a 104-bit encryption key
  and a 24-bit IV
• One solution proposed by the industry is to turn
  off the broadcast of SSID. This is being
  practiced now. Users type the SSID in when
  establishing contact with AP. Industry
  recommendation is not to change the SSID
  periodically.

9
Wireless communication security

• Another recommendation is to rotate the WEP key
  every few seconds. This was proposed by Cisco
  and is implemented by all vendors now. The idea
  is to use the previous WEP key and encrypt the
  new WEP key with it and transmit the new WEP key.
  The life of any WEP key is only a few seconds.
  Since the WEP key encryptions are sequential, any
  one who was not listening at the beginning of the
  session will not be able to break the WEP key
  easily.

10
Default WEP Keys

• The NetGear Access Point uses the following 4
  sequences as default keys
• 10 11 12 13 14
• 21 22 23 24 25
• 31 32 33 34 35
• 41 42 43 44 45
• It is recommended not to use the default WEP keys

11
Wired Equivalent Privacy (WEP)

• Suppose P1 and P2 are encrypted with the same
  keystream K
• Let C1 P1 xor K and C2 P2 xor K
• Then C1 xor C2 P1 xor K xor P2 xor K
• P1 xor P2
• 802.11 cards reset the IV counter to 0 for each
  new activation and increment by 1 for each packet
  transmission
• So initials values of IV become predictable, even
  if it is in encrypted format

12
WEP vulnerabilities

• Passive attack
• Attacker observes all wireless traffic until an
  Initial Vector (IV) collision occurs. By XORing
  two packets that use the same IV, the attacker
  obtains the XOR of the two plaintext messages.
  The resulting XOR can be used to infer data about
  the contents of the two messages

13
WEP vulnerabilities

• Active attack
• Attacker knows the plaintext of one encrypted
  message. Use this knowledge to construct the
  encrypted text and insert that instead
• WEP uses RC4 encryption. It is known that RC4(X)
  xor X xor Y RC4(Y) where X is known message and
  RC4(X) is its encrypted message using RC4

14
WEP vulnerabilities

• WEP uses CRC-32 for error check. However, CRC is
  designed to catch random errors and not malicious
  errors inserted by hackers. So, CRC-32 is not
  effective in WEP as a security mechanism

15
802.11 Standards

• IEEE 802.11 standard for Wireless LAN was
  released in 1990
• Standard calls for
• Infrared transmission
• Spread spectrum transmission
• Frequency hopping
• Direct sequence
• Data rate was set at 1 Mbps

16
802.11 Standards

• 802.11a was set for 5GHz band at 54 Mbps over a
  300 feet distance. Standard approved in 1999 but
  did not come to market first
• 802.11b was set for 2.4GHz band at 11 Mbps over a
  90 feet distance. Standard approved in 1999 and
  came to market first
• 802.11g was set for 2.54GHz band at 54 Mbps over
  a 150 feet distance. Standard approved in 2002
  and is currently in market

17
802.11 Standards

• 802.11h was a modification of 802.11g standard
  for compatibility with European WLANs (HiperLAN).
  This standard has not been approved yet.
• 802.11i has been proposed to fix the security
  flaws in existing 802.11 standards. This is
  still in draft form.
• 802.11j is currently being developed as a global
  standard in the 5GHz band for interoperability
  with 802.11a

18
Wireless Application Protocol (WAP)

• WAP is an open, global protocol designed to
  deliver information to portable devices such as
  cell phones and PDAs
• WAP Forum was formed by Motorola, Ericsson, and
  Nokia
• WAP 1.0 dealt with Wireless Application Protocol
  (WAP) which is HTML-lite
• WAP communications go through a WAP gateway to
  the internet and back

19
Wireless Application Protocol (WAP)

• WAP 2.0 was released in 2002
• WAP 2.0 uses Wireless TLS (upgraded SSL)
• WTLS is used for authentication
• Since devices move from one location to another,
  in WTLS a session exists over many connections.
  This way the security parameters are negotiated
  per session and held for the duration of the
  session.
• WTLS will be enhanced with the introduction of
  Smart Card security

20
Wireless Site Survey

• Needs assessment of network users
• Knowing the number of users on the WLAN
• Site blueprint
• Since radio waves do not penetrate all types of
  material, knowing the details of the structure is
  essential
• Certain building materials reflect signals
• Concrete, marble, brick, and water are difficult
  to work with while dealing with WLAN

21
Wireless Site Survey

• Site walk-through
• Helps identify other devices that operate in the
  same frequency band such as the ISM band
• Identify power outlets to place the wired portion
  of the wireless LAN
• Identify Access Point (AP) locations
• Verify that AP locations will be able to cover
  the entire site

22
Wireless Security Tools

• Blue Socket
• Provides a wireless gateway solution for security
  and QoS for 802.11b and Bluetooth
• EcuTel
• Provides VPN security
• Enables roaming from LAN to WLAN
• NetMotion Wireless
• Provides VPN security

23
Wireless Security Threats

• AirSnort recovers encryption keys by passively
  monitoring transmissions
• Works with 40 or 128 bit encryption keys
• WEPCrack cracks WEP encryption keys
• Network Stumbler provides scans of SSID, AP, and
  MAC addresses every second
• RealSecure
• BlackICE

24
References

• Wireless security http//www.arstechnica.com/paedi
  a/w/wireless/security-1.html
• Wireless security audit http//www.research.ibm.co
  m/gsal/wsa/
• Wireless LAN security http//www.iss.net/wireless/
  WLAN_FAQ.php

25
References

• WLAN security http//www.netmotionwireless.com/res
  ource/whitepapers/netmotion_security.asp
• AirSnort software http//freshmeat.net/projects/a
  irsnort/
• WEPCrack software http//sourceforge.net/projects
  /wepcrack
• Network Stumbler software http//www.netstumbler.
  com/

26
References

• WEP Security http//www.isaac.cs.berkeley.edu/isa
  ac/wep-faq.html
• WAP http//www.wapforum.org

27
Security Scenario to Solve

• WLAN design involves several security assessments
  and location of Access Points. Assume that you
  have an open office space with 8000 square feet
  which is partitioned with portable walls that are
  6 feet tall. Portable walls are metal frames
  with a fabric spread. Identify parameters that
  you need to work with designing APs and the data
  rates that can be supported by these APS.
  Identify the manufacturers of APs, cost, and the
  level of security each system provides. Identify
  at least three such systems for consideration.