wpa.pdf

(101 KB) Pobierz
Wireless Network Security: 802.11i
I assure on my honour that I have actively participated in these solutions, and that the
solutions were developed independently from other groups.
Group members:
Kevin Tercier, kevin.tercier@gmail.com
Henning HellKvist, henning@fri.nu
Qian Li , biz.tinalee@gmail.com
My name and personal number:
Qian Li
770903-5567
Henning Hellkvist
860822-1514
Kevin Tercier
880915-P312
2009-03-04
Introduction
Wireless security is the prevention of unauthorized access or damage to computers using wireless
networks [1]. 802.11, developed by a working group of IEEE, is an evolving family of
specifications for WLANs [2]. However, 802.11 doesn't provide enough security for most enterprise
WLANs. Several serious weaknesses were identified by cryptanalysts with the result that today a
Wired Equivalent Privacy (WEP) – the algorithm used to secure 802.11 WLANs – connection can
be cracked with readily available software within minutes. As a result, 802.11i, a new task force to
counteract the security problems with WEP, were created by IEEE [3]. Because it took too long for
the 802.11i standard to be ratified, the Wi-Fi Alliance took a bold step forward to expedite the
availability of effective standardized WLAN security by defining Wi-Fi Protected Access (WPA).
WPA is a snapshot of 802.11i standard. It was designed to run on existing hardware as a software
upgrade. So it is an intermediate solution to WEP security problems. WPA deploys Temporal Key
Integrity Protocol (TKIP) at its lower layer and 802.1x at its higher layer. After IEEE ratified the
802.11i standard in June 2004, Wi-Fi Alliance announced WPA2 specification, which implements
the full version of 802.11i standard. WPA2 uses 802.1x to authenticate users and AES-based CCMP
to encrypt messages. WPA2 is also called Robust Security Network (RSN).
802.11i
The 802.11i specification consists of three main pieces organized into two layers. This is shown in
Figure 1.
802.1x
RC4-based TKIP AES-based CCMP
Figure 1: 802.11i specification structure
956152045.005.png 956152045.006.png 956152045.007.png 956152045.008.png 956152045.001.png
 
On the lower level are improved encryption algorithms. They are Temporal Key Integrity Protocol
(TKIP) and CBC-MAC protocol (CCMP). TKIP targets at legacy equipment. To be backward
compatible with WEP, TKIP uses RC4 stream cipher, which is also used in WEP. CCMP is based on
Advanced Encryption Standard (AES), which is one of the most popular algorithm used in
symmetric key cryptography. Both TKIP and CCMP provide enhanced data integrity over WEP.
On the higher level is 802.1x, which is a standard for port based access control. 802.1x provides a
framework for robust user authentication and encryption key distribution. Both features are
originally missing from the 802.11 standard.
802.1x – Enterprise WLAN
There are three main entities in an enterprise WLAN. They are an Authenticator or Access Point
(AP) in 802.11, the supplicant or the client device in 802.11, and an Authentication Server (AS).
The Authenticator is the port that enforces the authentication and routes the traffic to appropriate
entities on the network. The supplicant is the port accessing the network. And the Authentication
Server performs actual authentication. An AS can be in the AP or connected to a wired network.
RADIUS server is a typical AS used today. See Figure 2 for a better understanding of these entities.
Figure 2
Before a supplicant is authorized, it is only allowed to communicate with the AS, after it is
authorized, the supplicant can access other resources on the network. The authentication process is a
mutual one. Both of the client and the network have be prove their identities.
There are two kinds of keys in a 802.1x enabled network. One is the session key, or pairwise key,
the other is the group key, or groupwise key. One group key is shared by all of the clients connected
to the same AP. It is used for mult-cast traffic. A session key is only shared between a client and its
AP.
802.1x provides the following improvements over WEP:
1. A centralized security model.
2. The primary encryption keys are unique to each station
3. The AS dynamically generate the encryption keys
4. It provides support for upper layer authentication
TKIP
TKIP consists of the following elements:
1. MIC – Message Integrity Code. It takes as input both source and destination MAC
addresses, and the plaintext data
2. Countermeasures to bound the probability of successful forgery.
956152045.002.png
3. A 48-bit IV and an IV sequence counter
4. Per-packet key mixing of the IV
Figure 3 shows the structure of a TKIP encrypted MPDU.
Figure 3
The encapsulation process of TKIP is shown in Figure 4.
Figure 4
CCMP
CCM is a generic authenticate-and-encrypt block cipher mode.
This encryption protocol needs two parameters:
*M: the size needed to receive the authentication field, the choice of this length involves a trade-off
between message expansion and the probability that an attacker can undetectably modify a
message.
*L: the length of the message.
CCMP builds, around AES algorithm, a 128-bit key and a 128-bit block. CCM provides other
parameters (K, M and L) that must have the values: K=16, M=8 and L=2. CCM requires refreshing
the temporal key (TK) every session. CCM also requires a unique nonce value for each frame
protected by a given TK, and CCMP uses a 48-bit packet number (PN) for this purpose. Using again
the same PN with the same TK cancels all security guarantees.
Authentication steps:
1. Encrypt the first 128-bit data block by using AES with an authentication key
2. Do a XOR between the result and the next 128-bit block
3. Encrypt again the result with the same key
4. Do a XOR between the result and the next 128-bit block
Repeat the last two until there will be no more block. At the end the final result is a 128-bit block,
and we keep only the 64 bits which have the highest weight to have finally the MIC (message
integrity code). The MIC is using as an authentication code.
956152045.003.png 956152045.004.png
Encryption steps:
The header of the CCMP packet has already the initial value of the counter.
1. Encrypt the initial value of the counter by using AES and an encryption key
2. Do a XOR between the encrypted counter and the next 128-bit block, we have the first
encrypted block.
3. Increase the counter and encrypt it again with the same key
4. Do a XOR between the encrypted counter and the next 128-bit block, we have an other
encrypted block
Repeat the last two until there will be no more block.
Attacking WPA
As of today, there are two know attacks possible on the WPA protocol , the modified chopchop
attack and the bruteforce attack.
The modified chopchop attack
this attack is a rather recent discovery. In November 2008, two german researchers discovered a
way to make a previously known “chopchop” attack work on WPA networks. The chopchop attack
was one way to crack the WEP protocol, and was built on testing weather or not the server would
accept a package or not, and thereby testing your way to a full package bit by bit. In the WPA
version of the attack, only ARP packages can be be used, and as a result we will not get the key to
the network, but may send a limited amount of packages, no more than 7 of them.
There are also several restrictions for when this attack works, but almost every real WPA network in
the real world meets these restrictions. These restrictions are:
IPv4 protocol is used, and the greater part of the address is known by the attacker
a quality of service feature is enabled, providing several (8) channels to communicate on.
Now, the concept of the attack. The attacker has to wait until a arp packet is sent on the network
from a real client. An arp packet is easy to identify because of the characteristically short length. In
this packet, most of the data is known to the attacker, only a few bits of information should be
unknown. The attacker can now test what these last bit of plaintext were by sending the server a lot
of test packages, sooner or later we’ll guess the right combination and the server will accept, each
time we fail the server will provide a 60 sec stop on all communications. These tests have to be
made on another channel, one with less traffic, than the channel on which we originally intercepted
the message. This is because a sequence counter will discard any packets with lower sequence
number than the one the server is expecting, and because the real client will chat along with the
server in the original channel, the number in the packet we intercepted will be outdated quickly.
Once all of this is done, the attacker knows enough information to reverse engineer the message
integrity code used by the client, and after that information is obtained, he may send a packet of his
own to the server, one packet on each channel with a counter set to something lower than the
counter we know, and that is usually 7 channels.
This attack is a bit messy and does not reveal the shared key to gain access to the network, but if the
attacker can send a few packets of data to the server, thaose packets could be used to cause more
damage by for example attempting to reroute the flow of information. This attack is not possible in
WPA2, because it exploits a vulnerability in TKIP that is not present in WPA2.
http://dl.aircrack-ng.org/breakingwepandwpa.pdf
The brute force attack.
The brute force Attack is a constant threat to everything security related, even to WPA. Normally,
hacking a WPA network by brute force is a slow process taking a very long time. However, because
we’re all humans and we tend to make stupid choices about or passwords there is a way to speed up
this process.
In WPA, the passphrase is hashed many times over, 4096 times in fact, and as an added bonus, the
network name is a part of this passphrase. All that hashing makes it a slow process to try and guess
passwords, it also makes it impossible to reuse your guesses should you later try to hack into
another WPA network with another name.
However, there is a way, that although it takes a lot of time and effort, makes it possible to
precompute keys for WPA networks. We will go into detail of such a method and then see if the
result is any useful. We will follow the method used by a group called Church of Wifi in the text
below. [4]
In order to exploit the human error of choosing bad passphrases, such as words, we need a list of
words to use. Once we get our hands on such a wordlist we need to sort out the words that aren’t
allowed as WPA passphrases, and that’s words with fewer than 8 or more then 63 characters. But
just this list is not enough to start precomputing our hashed passphrases, because as stated above,
we also the network name that we’re trying to breach. To this there is no real solution, because there
is a huge amount of possible network names possible, but just like with passwords, we humans tend
to pick the same network names over and over again, so some names are more common than others.
There are lists on the internet showing the most common names, so using one of these lists is a
good idea in order to get going. The Church of Wifi did this with a 1 million word wordlist for the
1000 most common network names.
With this all of this precomputed information we have drastically increased the speed of wich we
can hack a network flawed by humans. If the network has one of these common names and the
password is in the wordlist, it will be found in a matter of minutes. If its not, all that work is of no
use and the only way is too use brute force with all possible passphrases, and that does indeed take
a lot of time.
But even in the later case there is a chance the passphrase can be broken in reasonable time. Using a
distributed system, a Russian security company recently decreased the time needed to brute force a
passphrase to days from years, and with computational power always increasing this will drop even
lower with time [5]. So in the end of the day, not even WPA is totally secure, and additional layers
of encryption are needed is you want to obtain security that cant be broken (as of today).
References
[1] http://en.wikipedia.org/wiki/Wireless_security
[2] http://searchmobilecomputing.techtarget.com/sDefinition/0,,sid40_gci341007,00.html
[3] http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
[4] http://www.renderlab.net/projects/WPA-tables/
[5] http://www.prweb.com/releases/wi-fi/cracking/prweb1405954.htm
http://www.commsdesign.com/printableArticle/?articleID=16506047

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika:

Zgłoś jeśli naruszono regulamin