Security in Wireless Networks: Review of Wireless Security - PowerPoint PPT Presentation


Slides: 88
Provided by: krunok



Title: Security in Wireless Networks: Review of Wireless Security

  • Kruno Kisicek, CISM
  • February 2007

  • Introduction - Wireless Landscape (Wireless
    technologies, Architectural Models, Components,
    Security Framework,..
  • Comprehensive Review of 802.11(i) Wireless LAN
  • Review of GSM/UMTS Wireless Security
  • Review of WiMAX Wireless Security
  • Summary

Background: Wireless Landscape
[Figure: High-Speed Connectivity, Hierarchy of Networks. Labels: Low Cost and Complexity; Personal Area Network; Fixed Broadband Wireless (e.g. 802.16); Cellular Mobile Networks (e.g. GPRS, 3G); High Cost and Complexity; Increasing Coverage Area]
Background Wireless Technologies
WAN (Wide Area Network)
MAN (Metropolitan Area Network)
LAN (Local Area Network)
PAN (Personal Area Network)
Comparing Technologies
Potential Services
IEEE 802.11 Standards - Wireless Fidelity
IEEE 802.11 Network Components
  • IEEE 802.11 has two fundamental architectural
    components, as follows:
  • Station (STA). A STA is a wireless endpoint
    device. Typical examples of STAs are laptop
    computers, personal digital assistants (PDA),
    mobile phones, and other consumer electronic
    devices with IEEE 802.11 capabilities.
  • Access Point (AP). An AP logically connects
    STAs with a distribution system (DS), which is
    typically an organization's wired infrastructure.
    APs can also logically connect wireless STAs with
    each other without accessing a distribution

IEEE 802.11 Architectural Models
Overview of IEEE 802.11 Security
  • The most common security objectives for WLANs are
    as follows:
  • Confidentiality: ensure that communication cannot
    be read by unauthorized parties
  • Integrity: detect any intentional or
    unintentional changes to data that occur in
  • Availability: ensure that devices and individuals
    can access a network and its resources whenever
  • Access Control: restrict the rights of devices or
    individuals to access a network or resources
    within a network.

Major Threats against LAN Security
Taxonomy for Pre-RSN and RSN Security
802.11 Station Authentication
1. Client broadcasts a probe request frame on every channel
2. Access points within range respond with a probe response frame
3. The client decides which access point (AP) is the best for access and sends an authentication request
4. The access point will send an authentication reply
5. Upon successful authentication, the client will send an association request frame to the access point
6. The access point will reply with an association response
7. The client is now able to pass traffic to the access point
Probe Request Frame
Access Control and Authentication
  • The original IEEE 802.11 specification defines
    two means to validate the identities of wireless
    devices attempting to gain access to a WLAN:
  • open system authentication and
  • shared key authentication.

Open system authentication
  • Open system authentication is effectively a null
    authentication mechanism that does not provide
    true identity verification. In practice, a STA is
    authenticated to an AP simply by providing the
    following information:
  • Service Set Identifier (SSID) for the AP. The
    SSID is a name assigned to a WLAN; it allows STAs
    to distinguish one WLAN from another. SSIDs are
    broadcast in plaintext in wireless
    communications, so an eavesdropper can easily
    learn the SSID for a WLAN.
  • Media Access Control (MAC) address for the STA.
    Many implementations of IEEE 802.11 allow
    administrators to specify a list of authorized
    MAC addresses; the AP will permit devices with
    those MAC addresses only to use the WLAN. This is
    known as MAC address filtering. Unfortunately,
    almost all WLAN adapters allow applications to
    set the MAC address, so it is relatively trivial
    to spoof a MAC address, meaning attackers can
    gain unauthorized access easily.

Open Authentication with Differing WEP Keys
Shared key authentication
  • As the name implies, shared key authentication is
    based on a secret cryptographic key known as a
    Wired Equivalent Privacy (WEP) key; this key is
    shared by legitimate STAs and APs.

Shared key authentication
  • Shared key authentication is still weak because:
  • The AP is not authenticated to the STA, so there is
    no assurance that the STA is communicating with a
    legitimate AP
  • Challenge-response process can be compromised by
    methods such as man-in-the-middle attacks and
    off-line brute force or dictionary attacks.
  • All devices on a WLAN use the same WEP key or the
    same small set of keys
  • Does not specify any support for key management.

  • The WEP protocol, part of the IEEE 802.11
    standard, uses the RC4 stream cipher algorithm to
    encrypt wireless communications, which protects
    their contents from disclosure to eavesdroppers.
  • The standard for WEP specifies support for a
    40-bit WEP key only; however, many vendors offer
    non-standard extensions to WEP that support key
    lengths of up to 104 bits.
  • WEP also uses a 24-bit value known as an
    initialization vector (IV) as a seed value for
    initializing the cryptographic key stream. For
    example, a 104-bit WEP key with a 24-bit IV
    becomes a 128-bit RC4 key.

WEP Encryption and Its Weaknesses
  • With ECB (Electronic Code Book) mode encryption,
    the same plain-text input always generates the
    same cipher-text output.
  • There are two encryption techniques to overcome
    this issue:
  • Initialization vectors
  • Feedback modes
  • An initialization vector (IV) is used to alter
    the key stream. The IV is a numeric value that is
    concatenated to the base key before the key
    stream is generated. Every time the IV changes,
    so does the key stream.
  • Feedback modes are generally used with block
    ciphers, and the most common feedback mode is
    known as cipher block chaining (CBC) mode.
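The per-frame keying described in the WEP slides above, as an added Python example that is not part of the original presentation: the RC4 key is the cleartext 24-bit IV concatenated with the shared WEP key, so two frames sent under the same IV are encrypted with the same key stream. The key, IV and payloads are constructed sample values, the function names are this example's own, and the frame layout is simplified (no 802.11 header or key-ID byte).

```python
import math
import zlib

IV_BITS = 24  # WEP initialization vector size; sent in cleartext with every frame


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: XOR data with the key stream derived from key."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:  # key stream generation, one byte per data byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encapsulate(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Build IV || RC4(IV || key, payload || ICV); the key-ID byte is omitted."""
    if len(iv) * 8 != IV_BITS:
        raise ValueError("IV must be 24 bits")
    if len(wep_key) not in (5, 13):
        raise ValueError("WEP key must be 40 or 104 bits")
    icv = zlib.crc32(payload).to_bytes(4, "little")  # WEP integrity check value
    return iv + rc4(iv + wep_key, payload + icv)


def wep_decapsulate(wep_key: bytes, frame: bytes) -> bytes:
    """Decrypt a frame built by wep_encapsulate and verify its ICV."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + wep_key, body)
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the length of the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def same_iv_leaks_plaintext_xor(wep_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """True when two frames under one IV satisfy C1 xor C2 == P1 xor P2."""
    c1 = wep_encapsulate(wep_key, iv, p1)[3:]
    c2 = wep_encapsulate(wep_key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


def frames_until_iv_repeat(probability: float = 0.5) -> int:
    """Birthday estimate: frames with random IVs before a repeat is this likely."""
    space = 2 ** IV_BITS
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405060708090a0b0c0d")  # constructed 104-bit key
    iv = bytes.fromhex("a1b2c3")                        # constructed IV
    frame = wep_encapsulate(key, iv, b"constructed payload one")
    print("IV visible on the wire:", frame[:3].hex())
    print("round trip:", wep_decapsulate(key, frame))
    print("same IV leaks P1 xor P2:", same_iv_leaks_plaintext_xor(
        key, iv, b"constructed payload one", b"another sample payload!"))
    print("frames for 50% chance of an IV repeat:", frames_until_iv_repeat())
```

The birthday estimate shows why a 24-bit IV cannot avoid reuse under a static key: with randomly chosen IVs a repeat becomes likely after a few thousand frames.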

WEP Privacy Using RC4 Algorithm
  • Most attacks against WEP encryption have been
    based on IV-related vulnerabilities. For example,
    the IV portion of the RC4 key is sent in
    cleartext, which allows an eavesdropper that
    monitors and analyzes a relatively small amount
    of network traffic to recover the key by taking
    advantage of the IV value knowledge, the
    relatively small 24-bit IV key space, and a
    weakness in the way WEP implements the RC4

Vulnerability of Shared Key Authentication
Initialization Vector Replay Attacks
  • A known plain-text message is sent to an
    observable wireless LAN client (an e-mail
  • The network attacker will sniff the wireless LAN
    looking for the predicted cipher text
  • The network attacker will find the known frame
    and derive the key stream
  • The network attacker can grow the key stream
    using the same IV/WEP key pair as the observed
  • This attack is based on the knowledge that
    the IV and base WEP key can be reused or replayed
    repeatedly to generate a key stream large enough
    to subvert the network.

Initialization Vector Replay Attacks
  • The network attacker can build a frame one byte
    larger than the known key stream size; an
    Internet Control Message Protocol (ICMP) echo
    frame is ideal because the access point solicits
    a response
  • The network attacker then augments the key stream
    by one byte
  • The additional byte is guessed because only 256
    values are possible
  • When the network attacker guesses the correct
    value, the expected response is received; in this
    example, the ICMP echo reply message
  • The process is repeated until the desired key
    stream length is obtained

Bit-Flipping Attack
Bit-Flipping Attack
CBC Mode Block Cipher
WEP Cracking Tools
  • Airsnort
  • WepAttack
  • WEPCrack
  • Weplab
  • Aircrack

Typical Security Incidents
  • Unauthorized association and snooping
  • Access Point Intrusion
  • Intrusion attempts (WLAN and Wired Network)
  • Loss of confidential data
  • Data Capture and Replay Attacks
  • Bandwidth Theft
  • Unauthorized Rogue Access Points
  • Wireless clients associate with wrong access
    point (Fake Access Points)

Step 1: Security Policy Review
  • Wireless LAN treated as external network
  • Approval for wireless infrastructure and clients
  • Security Architecture and Design Review
  • Access Point Configuration Standards
  • Authentication and Encryption Baseline
  • Logging, Monitoring, Intrusion Detection
  • Wireless Vulnerability Assessment

Step 2: Architecture Assessment
  • Security Architecture and Design
  • Network segmentation control (firewall)
  • Secure configuration of Access Points
  • VPN (IPsec or SSL)
  • Authentication of wireless clients
  • Encryption of wireless traffic
  • Logging, and monitoring wireless security logs

Step 3: Risk Assessment
  • Document Wireless Architecture,
    Components, Security Configuration
  • Threat Assessment
  • Vulnerability Assessment
  • Controls Assessment
  • Assess Risk
  • Control Recommendations

Vulnerability Assessment
  • Wireless Assessment Toolkit
  • Linux-based toolkits
  • Knoppix
  • Nmap and Nessus (testing from wired LAN)
  • Tools
  • Network Discovery
  • WEP/WPA Cracking Tools
  • Packet Capture Tools
  • Known exploit code

Network Discovery
  • Laptop / PDA
  • Wireless network card
  • Network Discovery Tools
  • Kismet
  • NetStumbler
  • Ministumbler
  • Antenna
  • GPS Unit

Rogue Access Point detection
  • Tools / Solutions
  • Airmagnet
  • Retina WiFi Scanner
  • Kismet
  • Pocketwarrior
  • WiFiFoFum

Step 4: AP Configuration Review
  • Access Point Configuration
  • telnet, http, snmp
  • default authentication
  • SSID Configuration
  • Authentication and Encryption Setup
  • Logging Enabled

Step 5: Authentication and Encryption
  • WPA
  • Subset of 802.11i
  • Confidentiality: TKIP
  • Authentication - Per-user or Pre-shared key
  • Integrity Mechanisms
  • 802.11i (WPA2)
  • Addresses the main problems of WEP and Shared-Key
  • Temporal Key Integrity Protocol (TKIP)
  • Message Integrity Control: Michael
  • AES Encryption: replacement for RC4
  • 802.1x
  • Framework to control port access between devices,
    AP, and servers
  • Not specific to 802.11 networks
  • Uses dynamic keys instead of the WEP
    authentication static key

Wi-Fi Alliance Certification Programs
  • The Wi-Fi Alliance began conducting
    interoperability testing in April 2000 and has
    since awarded its Wi-Fi CERTIFIED label to over
    2,500 WLAN products. Product categories include
    access points and a wide variety of clients.
  • Three basic types of certifications: radio
    standards, network security, and multimedia
    content support.
  • The Wi-Fi Alliance also manages a licensing
    program for Wi-Fi providers called Wi-Fi Zone.
    Organizations participating in the program agree
    to use Wi-Fi CERTIFIED™ products only and adhere
    to certain service standards.

Wi-Fi Alliance
  • The Wi-Fi Alliance introduced WPA in early 2003
    to address serious vulnerabilities inherent in
    WEP, which was the only available IEEE 802.11
    security protection at that time. WPA is
    essentially a subset of IEEE 802.11i that
    provides a solution to WEP's major problems. To
    accomplish this protection, WPA leverages the
    following core security features from IEEE
  • IEEE 802.1X and EAP authentication
  • Key generation and distribution based on the IEEE
    802.11i 4-Way Handshake
  • TKIP mechanisms including
  • Encapsulation and decapsulation
  • Replay protection
  • Michael MIC integrity protection.

Brief Overview of IEEE 802.11i Security
  • IEEE 802.11i references the Extensible
    Authentication Protocol (EAP) standard, which is
    a means for providing mutual authentication
    between STAs and the WLAN infrastructure, as well
    as performing automatic cryptographic key
  • IEEE 802.11i also uses some techniques derived
    from the Internet Protocol Security (IPsec)
    standard, such as generating cryptographic
    checksums through hash message authentication
    codes (HMAC).

802.1X Layers
EAP SIM: GSM SIM Authentication
802.1X Ports
  • 802.1X requires three entities:
  • The supplicant: resides on the wireless LAN
  • The authenticator: resides on the access point
  • The authentication server: resides on the RADIUS
  • IEEE 802.1X defines IEEE 802 encapsulation of EAP
  • EAP over LAN (EAPOL) messages

802.1X and EAP Message Flow
  • EAP supports a wide variety of authentication
    methods (rfc3748), also called EAP methods. These
    methods include authentication based on
    passwords, certificates, smart cards, and tokens.
  • EAP methods can also include combinations of
    authentication techniques, such as a certificate
    followed by a password, or the option of using
    either a smart card or a token.

EAP methods
  • The current WPA/WPA2 certified EAP methods are:
  • EAP-TLS (originally certified protocol)

Pairwise Key Hierarchy
Summary of Data Confidentiality and Integrity
The EAP Cisco Authentication Algorithm
  • Mutual Authentication
  • User-Based Authentication
  • Dynamic WEP Keys
  • Data Privacy with TKIP
  • A message integrity check (MIC) function on all
    WEP-encrypted data frames
  • Initialization vector/base key reuse: The MIC adds
    a sequence number field to the wireless frame.
    The access point will drop frames received out of
  • Frame tampering/bit flipping: The MIC feature adds
    a MIC field to the wireless frame. The MIC field
    provides a frame integrity check not vulnerable
    to the same mathematical shortcomings as the ICV.
  • Per-packet keying on all WEP-encrypted data

Per-packet keying
Cisco LEAP - password-based algorithm.
EAP-TLS Authentication Process
EAP Transport Layer Security
  • TLS comprises three protocols:
  • Handshake protocol: The handshake protocol
    negotiates the parameters for the SSL session.
    The SSL client and server negotiate the protocol
    version, encryption algorithms, authenticate each
    other, and derive encryption keys.
  • Record protocol: The record protocol facilitates
    encrypted exchanges between the SSL client and
    the server. The negotiated encryption scheme and
    encryption keys are used to provide a secure
    tunnel for application data between the SSL
  • Alert protocol: The alert protocol is the
    mechanism used to notify the SSL client or server
    of errors as well as session termination.

Protected EAP
  • Protected EAP (PEAP) is an EAP authentication type
    that is designed to allow hybrid authentication.
  • PEAP employs server-side PKI authentication. For
    client-side authentication, PEAP can use any
    other EAP authentication type.
  • Because PEAP establishes a secure tunnel via
    server-side authentication, non-mutually
    authenticating EAP types can be used for
    client-side authentication, such as EAP generic
    token card (GTC) for one-time passwords (OTP),
    and EAP MD5 for password based authentication.
  • PEAP is based on server-side EAP-TLS, and it
    addresses the manageability and scalability
    shortcomings of EAP-TLS.
  • Organizations can avoid the issues associated
    with installing digital certificates on every
    client machine as required by EAP-TLS and select
    the method of client authentication that best
    suits them.

Protected EAP
EAP SIM Architecture
  • EAP SIM authentication is based on the
    authentication and encryption algorithms stored
    on the Global System for Mobile
    Communications (GSM) SIM, which is a Smartcard
    designed according to the specific requirements
    detailed in the GSM standards.
  • GSM authentication is based on a
    challenge-response mechanism and employs a shared
    secret key, Ki, which is stored on the SIM and
    otherwise known only to the GSM operator's
    Authentication Center (AuC).
  • When a GSM SIM is given a 128-bit random
    number (RAND) as a challenge, it calculates a
    32-bit response (SRES) and a 64-bit encryption
    key (Kc) using an operator-specific confidential
    algorithm. In GSM systems, Kc is used to encrypt
    mobile phone conversations over the air

EAP SIM Authentication
UMTS system architecture (R99)

UMTS and GSM Security objectives
  • Problems with GSM Security
  • Weak authentication and encryption algorithms
    (COMP128 has a weakness allowing user
    impersonation; A5 can be broken to reveal the
    cipher key)
  • Short key length (32 bits)
  • No data integrity (allows certain denial of
    service attacks)
  • No network authentication (false base station
    attack possible)
  • Limited encryption scope (Encryption terminated
    at the base station, in clear on microwave
  • Insecure key transmission (Cipher keys and
    authentication parameters are transmitted in
    clear between and within networks)

3G Security Features
  • Mutual Authentication
  • The mobile user and the serving network
    authenticate each other
  • Data Integrity
  • Signaling messages between the mobile station and
    RNC protected by integrity code
  • Network to Network Security
  • Secure communication between serving networks.
    IPsec suggested
  • Wider Security Scope
  • Security is based within the RNC rather than the
    base station
  • Secure IMSI (International Mobile Subscriber
    Identity) Usage
  • The user is assigned a temporary IMSI by the
    serving network

3G Security Features
  • User Mobile Station Authentication
  • The user and the mobile station share a secret
    key, PIN
  • Secure Services
  • Protect against misuse of services provided by
    the home network and the serving network
  • Secure Applications
  • Provide security for applications resident on
    mobile station
  • Fraud Detection
  • Mechanisms for combating fraud in roaming
  • Flexibility
  • Security features can be extended and enhanced as
    required by new threats and services

3G Security Features
  • Visibility and Configurability
  • Users are notified whether security is on and
    what level of security is available
  • Multiple Cipher and Integrity Algorithms
  • The user and the network negotiate and agree on
    cipher and integrity algorithms. At least one
    encryption algorithm exported on world-wide
    basis (KASUMI)
  • Lawful Interception
  • Mechanisms to provide authorized agencies with
    certain information about subscribers
  • GSM Compatibility
  • GSM subscribers roaming in 3G network are
    supported by GSM security context (vulnerable to
    false base station)

Authentication and Key Agreement
  • Signaling and user data protected from
    eavesdropping. Secret key, block cipher algorithm
    (KASUMI) uses 128 bit cipher key.
  • At the mobile station and RNC (radio network

Integrity Check
  • Integrity and authentication of origin of
    signalling data provided. The integrity algorithm
    (KASUMI) uses 128 bit key and generates 64 bit
    message authentication code.
  • At the mobile station and RNC (radio network

WiMAX Overview
  • Complement the existing last mile wired networks
    (i.e. xDSL, cable modem)
  • Fast deployment, cost saving
  • High speed data, voice and video services
  • Fixed BWA, Mobile BWA

WiMAX Applications
Benefits of WiMAX
  • Speed
  • Faster than broadband service
  • Wireless
  • Not having to lay cables reduces cost
  • Easier to extend to suburban and rural areas
  • Broad coverage
  • Much wider coverage than WiFi hotspots

Security Issues
  • Provides subscribers with privacy across the
    fixed broadband wireless network
  • Protect against unauthorized access to the data
    transport services
  • Encrypt the associated service flows across the
  • Implemented by encrypting connections between SS
    and BS
  • Security mechanisms
  • Authentication
  • Access control
  • Message encryption
  • Message modification detection (Integrity)
  • Message replay protection
  • Key management
  • Key generation, key transport, key protection,
    Key derivation, Key usage

Security Association
  • Data SA
  • 16-bit SA identifier
  • Cipher to protect data DES-CBC
  • 2 TEK
  • TEK key identifier (2-bit)
  • TEK lifetime
  • 64-bit IV
  • Authorization SA
  • X.509 certificate → SS
  • 160-bit authorization key (AK)
  • 4-bit AK identification tag
  • Lifetime of AK
  • KEK for distribution of TEK
  • Truncate-128(SHA1((AK | 0^44) xor 53^64))
  • Downlink HMAC key
  • SHA1((AK | 0^44) xor 3A^64)
  • Uplink HMAC key
  • SHA1((AK | 0^44) xor 5C^64)
  • A list of authorized data SAs

IEEE 802.16 Security Process
SS → BS: Cert(Manufacturer(SS))
SS → BS: Cert(SS) | Capabilities | SAID
BS → SS: RSA-Encrypt(PubKey(SS), AK) | Lifetime | SeqNo | SAIDList
Key Derivation
  • KEK = Truncate-128(SHA1((AK | 0^44) xor 53^64))
  • Downlink HMAC key = SHA1((AK | 0^44) xor 3A^64)
  • Uplink HMAC key = SHA1((AK | 0^44) xor 5C^64)
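The key derivation on this slide, written out as an added Python example (not code from the presentation or from any 802.16 implementation): the 160-bit AK is padded with 44 zero bytes to one 64-byte block, XORed with a repeated mask byte (0x53, 0x3A or 0x5C), and hashed with SHA-1. Assumptions of this example: Truncate-128 keeps the leftmost 128 bits, and the key-request layout (1-byte SeqNo carrying the 4-bit AK tag, 2-byte big-endian SAID, 20-byte HMAC-SHA1) is a constructed encoding of the "SeqNo | SAID | HMAC" message, not the wire format.

```python
import hashlib
import hmac

AK_LEN = 20    # 160-bit authorization key (AK)
PAD_LEN = 44   # zero bytes appended so the AK fills one 64-byte block
TAG_LEN = 20   # HMAC-SHA1 output size


def _masked_sha1(ak: bytes, mask: int) -> bytes:
    """SHA1((AK | 0^44) xor mask^64), the common form of all three keys."""
    if len(ak) != AK_LEN:
        raise ValueError("AK must be 160 bits")
    block = ak + bytes(PAD_LEN)
    return hashlib.sha1(bytes(b ^ mask for b in block)).digest()


def derive_kek(ak: bytes) -> bytes:
    """KEK: leftmost 128 bits of the 0x53-masked hash (truncation side assumed)."""
    return _masked_sha1(ak, 0x53)[:16]


def derive_hmac_key_downlink(ak: bytes) -> bytes:
    """Key for HMACs on BS -> SS key-management messages."""
    return _masked_sha1(ak, 0x3A)


def derive_hmac_key_uplink(ak: bytes) -> bytes:
    """Key for HMACs on SS -> BS key-management messages."""
    return _masked_sha1(ak, 0x5C)


def build_key_request(ak: bytes, seq_no: int, said: int) -> bytes:
    """SS -> BS: SeqNo | SAID | HMAC, using this example's constructed encoding."""
    if not 0 <= seq_no < 16:
        raise ValueError("AK identification tag is 4 bits")
    body = bytes([seq_no]) + said.to_bytes(2, "big")  # 16-bit SA identifier
    tag = hmac.new(derive_hmac_key_uplink(ak), body, hashlib.sha1).digest()
    return body + tag


def verify_key_request(ak: bytes, message: bytes) -> bool:
    """BS side: recompute the uplink HMAC and compare in constant time."""
    if len(message) != 3 + TAG_LEN:
        return False
    body, tag = message[:3], message[3:]
    expected = hmac.new(derive_hmac_key_uplink(ak), body, hashlib.sha1).digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    ak = bytes(range(AK_LEN))  # constructed sample AK, not a real key
    print("KEK          :", derive_kek(ak).hex())
    print("downlink HMAC:", derive_hmac_key_downlink(ak).hex())
    print("uplink HMAC  :", derive_hmac_key_uplink(ak).hex())
    request = build_key_request(ak, seq_no=3, said=0x1234)
    print("request verifies:", verify_key_request(ak, request))
    altered = request[:2] + bytes([request[2] ^ 0x01]) + request[3:]
    print("altered SAID verifies:", verify_key_request(ak, altered))
```

All three keys are deterministic functions of the AK alone, so the HMAC authenticates a message but carries no freshness of its own.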

Data Key Exchange
Data Key Exchange
  • Traffic Encryption Key (TEK)
  • TEK is generated by BS randomly
  • TEK is encrypted with:
  • Triple-DES (use 128 bits KEK)
  • RSA (use SS's public key)
  • AES (use 128 bits KEK)
  • Key Exchange message is authenticated by
    HMAC-SHA1 (provides Message Integrity and AK

Data Encryption
Data Encryption
  • Encrypt only data message not management message
  • DES in CBC Mode
  • 56 bit DES key (TEK)
  • No Message Integrity Detection
  • No Replay Protection

Key Management
  • Message 1
  • BS → SS: SeqNo | SAID | HMAC(1)
  • Message 2
  • SS → BS: SeqNo | SAID | HMAC(2)
  • Message 3
  • M1 to rekey a data SA, or create a new SA
  • TEK encrypted with Triple-DES-ECB

IEEE 802.16 Security Flaws
  • Lack of Explicit Definitions
  • Authorization SA not explicitly defined
  • SA instances not distinguished: open to replay
  • Solution: need to add nonces from BS and SS to
    the authorization SA
  • Data SA treats 2-bit key as circular buffer
  • Attacker can interject reused TEKs
  • SAID 2 bits → at least 12 bits (AK lasts 70 days
    while TEK lasts for 30 minutes)
  • TEKs need expiration due to DES-CBC mode
  • Determine the period: 802.16 can safely produce
    2^32 64-bit blocks only.

IEEE 802.16 Security Flaws
  • Need for mutual authentication
  • Authentication is one way
  • BS authenticates SS
  • No way for SS to authenticate BS
  • Rogue BS → possible because all information's are
  • Possible enhancement: BS certificate
  • SS → BS: Cert(Manufacturer)
  • SS → BS: SS-Rand | Cert(SS) | Capabilities | SAID
  • BS → SS: BS-Rand | SS-Rand | E(Pub(SS), AK) |
    Lifetime | SeqNo | SAID | Cert(BS) | Sig(BS)

IEEE 802.16 Security Flaws
  • Authentication Key (AK) generation
  • BS generates AK
  • No contribution from SS
  • SS must trust BS for the generation of AK
  • AK = HMAC-SHA1(contribution from SS | contribution
    from BS)
  • AK = HMAC-SHA1(pre-AK, SS-Random | BS-Random |
    SS-MAC-Addr | BS-MAC-Addr | 160)

IEEE 802.16 Security Flaws
  • Key management
  • TEK sequence space (2-bit sequence)
  • Replay attack can force reuse of TEK/IV
  • Increase it to 12-bit
  • No specification on the generation of TEK and
    therefore TEKs are random
  • No TEK freshness assurance
  • Message 1
  • BS → SS: SS-Random | BS-Random | SeqNo12 | SAID
  • Message 2
  • SS → BS: SS-Random | BS-Random | SeqNo12 | SAID
  • Message 3
  • BS → SS: SS-Random | BS-Random | SeqNo12 | SAID |
    OldTEK | NewTEK | HMAC(3)
  • Do not transmit TEK; generate TEK
  • TEK = HMAC-SHA1(pre-TEK, SS-Random | BS-Random |
    SS-MAC-Addr | BS-MAC-Addr | SeqNo12 | 160)
  • SS-Random BS-Random is used as an instance

IEEE 802.16 Security Flaws
  • Alternative Cryptographic Suite
  • IEEE 802.16 used DES-CBC
  • DES uses 64 bit block size
  • According to studies, a CBC mode using a block
    cipher with n-bit block loses its security after
    operating on 2^(n/2) blocks with the same
    encryption key.
  • So IEEE 802.16 can safely produce 2^32 64-bit
  • Also, the IVs used in DES-CBC are predictable.
  • Use AES-CCM as encryption primitive
  • 128 bit key (TEK)
  • Replay Protection using Packet Number

IEEE 802.16 Security Flaws
  • Data protection errors
  • 56-bit DES does not offer strong data
  • Forgeries or replays (WEP-like vulnerability)
  • Writes are not prevented, read-protects only
  • even w/o encryption key
  • Uses a PREDICTABLE initialization vector (while
    DES-CBC requires a random IV)
  • IV is the xor of the IV in SA and the PHY
    synchronization field from the most recent GMH
  • Generates each per-frame IV randomly and inserts
    into the payload.
  • Though increases overhead, no other choice.

IEEE 802.16 Security Flaws
  • No data Authentication
  • Encryption only prevents reading, but anyone
    without the key can write (change the message).
  • Strong MAC needs to be included in the message

  • Wireless Security Reference Site
  • Wireless Security Policies
  • NIST Wireless Network Security (includes wireless
    security checklist)
  • Wireless Security Checklists