FELK 19: Security of Wireless Networks *

Post on 11-Feb-2016


Mario Čagalj

University of Split

2013/2014.

FELK 19: Security of Wireless Networks*

WiFi (In)Security – 2nd part: Vulnerabilities of WPA and WPA2

Assembled from different sources: Walker, Lehembre, Buttyan, ...

Produced by Mario Čagalj

Introduction: IEEE 802.11i

● We have seen that WEP is critically flawed
● IEEE 802.11i defined to properly secure wireless LANs (2004)
● Specifies robust security mechanisms for WLANs
● Defines Transition Security Network (TSN)
• Called WiFi-Protected Access (WPA) by WiFi-Alliance
• Based on “new” TKIP (that uses “old” RC4 like WEP)
• Backward compatibility (with old RC4-only hardware)
• IEEE 802.1X authentication framework
● More importantly defines a Robust Security Network (RSN)
• Called WiFi-Protected Access 2 (WPA2) by WiFi-Alliance
• Based on AES and optionally TKIP
• Also uses IEEE 802.1X authentication framework

Transition to IEEE 802.11i

                                   | IEEE 802.11b (WEP)        | WPA                                 | IEEE 802.11i (WPA2)
Data confidentiality (encryption)  | WEP (RC4)                 | TKIP (RC4)                          | AES (TKIP optional)
Data integrity                     | WEP (RC4) + CRC           | TKIP-MIC                            | AES-MAC (TKIP-MIC optional)
Authentication and access control  | Shared Key Authentication | IEEE 802.1X/EAP (+ EAP-TLS, LEAP…)  | IEEE 802.1X/EAP (+ EAP-TLS, LEAP…)

TKIP: Temporal Key Integrity Protocol
AES: Advanced Encryption Standard
MIC: Message Integrity Code
MAC: Message Authentication Code
EAP: Extensible Authentication Protocol
TLS: Transport Layer Security
LEAP: Light EAP (Cisco)

IEEE 802.1X authentication model in WiFi

Port-based Network Access Control
● The mobile client requests access to services (it wants to connect to the network)
● The AP controls access to services (controlled port)
● Authentication server (AS)
• The mobile client and the AS authenticate each other
• The AS informs the AP that it may open the controlled port for the mobile client

Figure labels: Mobile client; AP; LAN (Internet); Authentication server; Controlled port; Free (open) port

Vulnerabilities of home networks

Assembled from different sources: Walker, Lehembre, Buttyan, ...

Operational phases of IEEE 802.11i: home and ad hoc networks

● No authentication server is present
● Authentication is based on a shared key (Pre-Shared Key, PSK)

Figure labels: Mobile client (M); Access point (AP); PSK (instead of PMK); Security capabilities discovery; IEEE 802.1X key management (PSK/PTK verification – “4-way” handshake); Data protection (TKIP, CCMP/AES)

Key derivation and distribution

● PTK (Pairwise Transient Key) – unique for this M and this AP

Guillaume Lehembre, hakin9 6/2005

IEEE 802.11i: Pre-Shared Key (PSK)

● No explicit authentication!
• The IEEE 802.1X authentication exchange absent
• Usually a single pre-shared key for entire network
● Password-to-Key Mapping
• Uses PKCS #5 v2.0 PBKDF2 to generate a 256-bit PSK from an ASCII password
• PMK = PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256)
• Salt = SSID, so PSK different for different SSIDs
• 4096 is the number of hashes used in this process

4-Way Handshake (over a radio channel)

Guillaume Lehembre, hakin9 6/2005

PTK = EAPoL-PRF(PSK, ANonce | SNonce | AP MAC Addr | M’s MAC Addr)

Vulnerabilities of 4-way handshake (1/3)

● Affects both WPA and WPA2
● Password-to-Key Mapping
• Uses PKCS #5 v2.0 PBKDF2 to generate a 256-bit PSK from an ASCII password
• PMK = PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256)
• Salt = SSID, so PSK different for different SSIDs
• 4096 is the number of hashes used in this process
• Password length between 8 and 63 printable ASCII characters
● Vulnerability
• The PTK used in 4-way handshake derived from PSK and PSK = f(PWD)
• 4-way handshake protected with PTK
• 4-way handshake messages transmitted over a public radio channel

Vulnerabilities of 4-way handshake (2/3)

● The strength of PTK relies on the PSK
• which effectively means on the strength of the password PWD
● Offline brute-force and dictionary attacks possible
1. attacker captures (records) 4-way handshake (only first 2 messages; why?)
2. attacker performs brute-force or dictionary attacks (at home)
   1. guesses or reads from the dictionary the candidate PWDtest
   2. calculates
      PSKtest = PBKDF2 (PWDtest, SSID, SSIDlength, 4096, 256)
      PTKtest = EAPoL-PRF(PSKtest, ANonce | SNonce | AP MAC Addr | M’s MAC Addr)
      PTKtest gives KCKtest (used for message authentication in the 4-way handshake)
      MICtest = MAC(KCKtest, public info)
   3. if (MICtest == MICcaptured) output PWDtest as the password guess, else go to 1.

Vulnerabilities of 4-way handshake (3/3)

How to capture the 4-way handshake?
1. Enter the monitoring mode
2. Discover nearby networks and associated clients
   • MAC addresses, WPA or WPA2, SSID
3. Disassociate clients to force them to run the 4-way handshake again
   • Use fake disassociation control packets (not protected by IEEE 802.11i)
4. Record the new 4-way handshake
   • e.g., using Aireplay
5. Go home and launch a dictionary attack
   • Aircrack

Attack complexity

● Depends on the entropy of passwords
• Weak passwords easy to crack
• Strong passwords: e.g., a random passphrase of 13 characters (selected from the set of 95 permitted characters) gives 95^13 ≈ 2^85
● Slow hashing algorithm (PBKDF2 involves many iterations of HMAC-SHA1)
• PSK = PBKDF2 (Password, SSID, SSIDlength, 4096, 256)
• In practice PBKDF2 forces the attacker to iterate SHA1 16,000 times
• Increases the attacker’s cost (the time to test a single pwd)
• E.g., slowing down the attacker by a factor of 3650 implies that the effort of 1 day increases to 3650 days (10 years)
● Unfortunately, people do not select 13 random characters!

Speeding up the dictionary attack

Recall the dictionary attack
1. attacker captures (records) 4-way handshake
2. attacker performs dictionary attacks (at home)
   1. reads from the dictionary the candidate PWDtest
   2. calculates
      PSKtest = PBKDF2 (PWDtest, SSID, SSIDlength, 4096, 256)   ← this part is slow
      PTKtest = EAPoL-PRF(PSKtest, ANonce | SNonce | AP MAC Addr | M’s MAC Addr)
      PTKtest gives KCKtest (used for message authentication in the 4-way handshake)
      MICtest = MAC(KCKtest, public info)
   3. if (MICtest == MICcaptured) output PWDtest as the password guess, else go to 1.

Speeding up the dictionary attack

● Pre-compute the slow part (before attacking) and re-use against many networks
• PSKtest = PBKDF2 (PWDtest, SSID, SSIDlength, 4096, 256)
• Observe, nothing specific about the current session
● Where can the attacker re-use the pre-computed data?
• With networks sharing the same SSID
● How much data does the attacker have to store?
• It depends on the concrete attack implementation and targeted success probability
• E.g. 100,000,000 passwords of average length 10 chars (letters and numbers) → 2^32 B, i.e. about 4 GB

Securing against the dictionary attacks

To secure your network against these pre-computed dictionaries make sure that
● Your SSID is unique (does not appear in the existing tables)
● Your PWD is strong enough (sufficiently long and random :-)
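The password-to-key mapping and the two recommendations above, as an added example that is not part of the original slides: it derives the PSK as the slides describe, shows that the SSID salt changes the result, and checks a configuration against both recommendations. The list of common SSIDs, the 80-bit threshold, the guess rate and the sample values are assumptions made for illustration.

```python
import hashlib
import math

# Constructed sample of factory-default SSIDs (an assumption for this example);
# precomputed PSK tables are only reusable for the SSIDs they were built for.
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}

def derive_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def random_passphrase_bits(length, alphabet=95):
    """Search space, in bits, of a uniformly random passphrase."""
    return length * math.log2(alphabet)

def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def audit(ssid, passphrase):
    """Return findings for a home-network configuration; empty list = none."""
    findings = []
    derive_psk(passphrase, ssid)  # raises if the passphrase is not valid
    if ssid in COMMON_SSIDS:
        findings.append("SSID is a common default: precomputed tables may apply")
    # Upper bound only: it holds for random passphrases, not for words.
    if random_passphrase_bits(len(passphrase)) < 80:
        findings.append("passphrase shorter than 13 characters")
    if passphrase.isalpha() or passphrase.isdigit():
        findings.append("single character class: far below the upper bound")
    return findings

if __name__ == "__main__":
    print(derive_psk("password", "IEEE").hex())
    print(derive_psk("password", "IEEE2").hex())   # same password, other SSID
    print(round(random_passphrase_bits(13), 1))    # the slide's 95^13 case
    print(years_to_exhaust(random_passphrase_bits(13), 1e9))  # assumed rate
    print(audit("linksys", "sunshine"))
    print(audit("felk-lab-7f3a", "q7#Lm2!vZx0@Rt"))
```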

Vulnerabilities of enterprise networks

Assembled from different sources: Walker, Lehembre, Buttyan, ...

IEEE 802.1X authentication model in WiFi

Port-based Network Access Control
● The mobile client requests access to services (it wants to connect to the network)
● The AP controls access to services (controlled port)
● Authentication server (AS)
• The mobile client and the AS authenticate each other
• The AS informs the AP that it may open the controlled port for the mobile client

Figure labels: Mobile client; AP; LAN (Internet); Authentication server; Controlled port; Free (open) port

Operational phases of IEEE 802.11i

Parties: Mobile client (M), Access point (AP), Authentication server (AS)
● Security capabilities discovery
● 802.1X authentication
• Result: M and AS generate a Master Key (MK) and derive the Pairwise MK (PMK)
● Distribution of the PMK key (e.g., via RADIUS)
● 802.1X key management
• Result: M and AP verify the PMK and derive the Pairwise Transient Key (PTK); the PTK is bound to this M and this AP
● Data protection (TKIP, CCMP/AES)

CCMP = Counter-Mode / Cipher Block Chaining Message Authentication Code Protocol, based on the AES block cipher

Tunneled TLS over Extensible Authentication Protocol (EAP-TTLS)
● Provides protection for initial authentication messages (plaintext passwords, e.g. PAP used by FESB)

Example: FESB WiFi (EAP-TTLS and PAP)

Figure labels: Mobile client (M); Access point (AP); Authentication server (AS); TTLS server; Establishing an authentication TLS tunnel; TLS protected authentication; <--no trust--> <--trust--> <--trust-->; <-----------certificate---------->; WLAN master session key; Authentication; Data traffic on secured link

● Validation of the authentication server is based on certificate validation
• Trusted issuing authority, matching certificate owner’s Common Name (CN)
● Many PEAP (EAP-TTLS) deployments fail to deploy it properly
• Malicious authentication server gains access to inner authentication methods
• PEAP: MS-CHAPv2
• TTLS: MS-CHAPv2, CHAP, PAP, etc.

Example: FESB WiFi (EAP-TTLS and PAP)

Figure labels: Mobile client (M); Access point (AP), controlled by the attacker (Rogue AP); TTLS server; Establishing an authentication TLS tunnel with the rogue AuthSrv; TLS protected inner authentication; <--no trust--> <--trust--> <--trust-->; Record session

PEAP: Pwned Extensible Authentication Protocol by Joshua Wright and Brad Antoniewicz, ShmooCon 2008

How to properly set up PEAP-like authentication methods
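One way to check client profiles for the server-validation failure described in the FESB example, as an added example that is not part of the original slides. It assumes clients are configured through wpa_supplicant; the configuration text, host name and file path are constructed.

```python
import re

# Constructed wpa_supplicant.conf text: first profile weak, second corrected.
SAMPLE_CONF = '''
network={
    ssid="campus-a"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
}
network={
    ssid="campus-b"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=PAP"
}
'''

def parse_networks(conf):
    """Parse each network={...} block into a dict of key -> unquoted value."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        pairs = re.findall(r"^\s*(\w+)=(.*?)\s*$", body, re.M)
        nets.append({k: v.strip('"') for k, v in pairs})
    return nets

def audit_network(net):
    """Findings for one 802.1X profile; an empty list means none."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []
    findings = []
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    names = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")
    if not any(n in net for n in names):
        findings.append("no server-name check: any certificate from the CA passes")
    if "PAP" in net.get("phase2", "") and findings:
        findings.append("inner PAP exposes the password to an unverified server")
    return findings

def audit(conf):
    """Map each SSID in the configuration text to its list of findings."""
    return {n.get("ssid", "?"): audit_network(n) for n in parse_networks(conf)}

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, findings or "ok")
```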

Wi-Fi Protected Setup (WPS) Insecurities (home nets again)

● A standard that attempts to allow easy establishment of a secure wireless home network
● The standard allows four usage modes aimed at a home network user adding a new device to the network:
• PIN Method (e.g., enter the PIN on AP into the client)
• Push-Button-Method (a user simultaneously pushes a button on the AP and the client)
• Near-Field-Communication Method (bring the client close to the AP)
• USB Method
● In December 2011 researcher Stefan Viehböck reported a design and implementation flaw that makes brute-force attacks against PIN-based WPS feasible to perform on WPS-enabled Wi-Fi networks
• A successful attack on WPS allows unauthorized parties to gain access to the network
● The only effective workaround is to disable WPS
• Impossible on some APs