Your Wireless Network Wears No Clothes

Well, the weekend is here, finally.

I thought I would post a long-reader for those computer science geeks who happen to be reading my journal. The following is a paper I co-wrote for my Applied Cryptography class on the weaknesses and vulnerabilities of wireless networks. For those who are interested, the paper also outlines ways to break each security scheme currently utilized by the 802.11b standard. Enjoy.

Abstract:

With the abundant growth of wireless hotspots in metro areas, many people now access the Internet through publicly available access points. Users are utilizing this provably insecure technology to browse their email, check their stocks, and exchange instant messages with their family and friends, as well as for many other tasks [7]. Unrealized by these unsuspecting users, all of the confidential information broadcast from their laptops and PDAs may be falling into the hands of a benign or malicious user. Moreover, these publicly available access points may depend on their guests paying for their time spent on the business’s wireless network to sustain the existence of the network. Users equipped with the right tools and knowledge of the infrastructure of such networks could very well find a way to circumvent authentication schemes to obtain free network access at the cost of the business.

1. Introduction

The most notoriously insecure of the newer technologies is the wireless network. Unlike local area networks (LANs), wireless networks are not bounded by physical constraints. This introduces a new problem, since the physical layout of the network no longer ensures its impenetrability. Because of this, special methods and mechanisms must be used to secure the network from the inside. Numerous solutions have been devised and specified; however, all of them have still fallen short of creating a long-term, secured wireless channel. This essay discusses the security features and failures of many of the more popular and widely implemented security models for wireless networks, while suggesting a more long-term solution for creating secured wireless channels.

It has become accepted in the field of computer science that 802.11-based wireless networks are as insecure as the greater Internet [5][6]. It has also been shown that the encryption algorithm used by WEP (the primary authentication mechanism for wireless networks) has not held up to its expectations of satisfying confidentiality, integrity and authenticity [1]. Network administrators may utilize several schemes for securing a wireless network. A short list consists of WEP, Access Control Lists (ACLs), 802.1x and static routing via Web-based username/password verification.

Few papers have been written on the security models of wireless networks and the difficulty of circumventing them. This essay will outline several security models, ranging from a control model with no security to a model that specifies an authentication system. Following the overview of security models will be a discussion of their exploits and vulnerabilities.

2. Security Models

Many candidate security models exist for wireless networks. Depending on the model, an attacker may have to spend a large amount of time before he can break it, if he can at all. Any security model makes tradeoffs between performance and actual security.

We will consider the following short list of security models that an administrator may decide to implement:
–No model (Open System)
–Access Point’s SSID Changed
–Access Control List (ACL)
–Vanilla WEP
–WEP with ACL
–WEP with VPN
–Cisco’s LEAP Technology
–802.1x

2.1 No Model

The simplest configuration for a wireless network is the “out-of-the-box” configuration. This is where the Access Point (AP) is removed from its box and inserted into the network with no extra configuration. This AP allows authentication via “Open System”. Open System authentication allows a node to join the network without providing any credentials such as a password (or WEP key). This network is trivially easy to access, and is surprisingly popular among wireless home users.

2.2 Access Point’s SSID Changed

When a network administrator adds a wireless segment to his network he will commonly change the SSID, or the name of the network. The security scheme in this case is no different from the No Model case, in that nodes connecting to this network use Open System authentication. Even if the SSID is not broadcast by the AP, it can still be sniffed by monitoring wireless packets sent through the air.

2.3 Access Control List (ACL)

An ACL is a step in the right direction for securing a wireless network, but it still does not provide unconditional security. With an ACL, the network admin manually enters on his Access Point a list of MAC addresses of the wireless network cards allowed to join the network. The ACL works as a filter, screening users who attempt to access the network. Even though authentication on this network is Open System, a user must have the MAC address of his wireless card on the list to authenticate to the network; if his MAC is not listed, the AP ignores his requests.
The authentication method when using an ACL is still Open System; however, an ACL adds either (or both) a “black list” of MAC addresses disallowed from accessing the medium, or a “white list” of MAC addresses allowed to access the medium.

2.4 Vanilla WEP

We refer to Vanilla WEP in this paper as “plain ol’ WEP” with no extra security mechanisms in place. In this model the network administrator configures a symmetric encryption key (or multiple keys) on his AP, and the same key (or keys) on each of his nodes. Every WEP packet is encrypted separately with an RC4 cipher stream generated from a per-packet key. That key is made up of a 24-bit initialization vector (IV) and either a 40-bit or 104-bit WEP key. When wireless nodes need to communicate with the AP, the nodes encrypt their data packets and forward them over the link. The same process is followed for AP-to-node communication. WEP authentication is generally referred to as “Shared Key” authentication.

2.5 WEP with ACL

As we have seen above, WEP is insecure on its own, as is an ACL. Although combining the two may be an option for a network administrator, we will reason why the combination is no more secure than either one alone.

Assuming a network administrator has implemented WEP and an ACL, to access the medium an unauthorized user will need to acquire two credentials: a valid MAC address and the WEP key.

2.6 WEP with VPN

A VPN is a way to provide remote access to an organization’s network via the Internet. VPNs send data over the public Internet through secure “tunnels.” For instance, a home user may wish to use certain software on his work computer. He would use a VPN client to “tunnel” his connection to his work’s network, appearing as if he were actually on a computer at work. In this situation the user’s computer encapsulates datagrams for his work’s network within the datagrams sent to his work’s VPN server.

An eavesdropper sitting between the user and his work’s VPN server would be capable of sniffing all of the traffic between both networks. Because this is a problem, the VPN session generally involves encryption of the encapsulated datagrams. When encryption is used in a VPN session, the eavesdropper sees datagrams destined for the user’s work with an encrypted payload.

When WEP is combined with a VPN, a user joining a wireless network must first use Shared Key authentication to authenticate to the network. Once the user is associated with the network he is essentially blocked until he logs into a VPN server for a VPN session. His connection to the wireless network would actually be a tunneled connection to a private, secured network. The authentication credentials in this situation are a WEP encryption key, and a VPN encryption key.

2.7 Cisco’s LEAP Technology

Cisco’s LEAP is a proprietary protocol that stands for Lightweight Extensible Authentication Protocol, or Lightweight EAP. LEAP is a method for mutual authentication, meaning that both the AP and node must be authenticated before access is granted to the node. LEAP uses a username/password verification method where a user sends an authentication message encoded with his username and password. By forcing both the AP and the node to be authenticated LEAP attempts to prevent rogue access points from joining the network.

LEAP also utilizes WEP for shared key encryption between the AP and node. Encryption with LEAP functions differently than standard WEP. As a measure of additional security, symmetric keys are often changed automatically by the system between each communication session. This technique is often referred to as “key-hopping”. Hopping from key to key helps to prevent attackers from performing the Fluhrer, Mantin and Shamir attack on WEP.

2.8 802.1x

802.1x is another example of an authentication protocol that uses EAP. It intends to provide strong authentication via port-based authentication, and privacy via WEP with automatic key updates. 802.1x utilizes a RADIUS server for authentication of joining nodes, called the authentication server, and another device called the authenticator, which controls incoming requests to the authentication server.

802.1x functions similarly to LEAP, since 802.1x is an EAP framework. The primary difference is that 802.1x is only a specification for the framework, whereas LEAP is an implementation of the framework.

3. Security Discussion

Depending on the constraints for a network, such as cost and security concerns, the administrator may choose to implement the most expensive scheme listed above and still have the worst results. We now consider the vulnerabilities of each of the above schemes.

3.1 No Scheme

This is the most vulnerable security model, since no measures have been taken to prevent unauthorized users from joining the network. An attacker may drive by the network and immediately gain access to the network medium. If there are other nodes on the wireless segment, or the attacker is capable of routing traffic to the wired segment, any machine on the network may be at risk if it is powered on. Although this scheme is the simplest to set up and the most cost-effective solution, it should not be utilized by administrators who have sensitive information on their networks. The results of such a breach of sensitive information to outside parties might cause a network administrator to lose his job.

3.2 Access Point’s SSID Changed

Changing the SSID does not secure the network, and since the authentication mode is the same as in the No Model case, Open System, an unauthorized user scanning for wireless networks may authenticate to this network without presenting any credentials. There may be a case where the SSID is not broadcast by the AP; in effect the AP is cloaked. This situation is easily circumvented by intercepting network traffic and reading a few packet headers to determine its destination.

3.3 Access Control List (ACL)

Although a seemingly secure solution, there is a weakness in this strategy that can be easily exploited. Depending on the operating system and network card being used, an attacker may be able to temporarily change his MAC address to be the same as one of those on the ACL. Although the attacker may not know which MACs are on the ACL, he may infer this information by watching data transmissions on the wireless segment. The attacker can determine a valid MAC address by sniffing for data transmitted over the link. Once the attacker has found the MAC address of a machine transmitting on the network, he makes the temporary change and negates the purpose of the ACL.

3.4 Vanilla WEP

WEP has a fatal vulnerability. Configurations using WEP use either a 40-bit or 128-bit encryption key, installed on the AP and nodes. WEP also uses a 24-bit Initialization Vector (IV), prepended to the encryption key, to encrypt datagrams. This IV is sent unencrypted in the network frame. Since an attacker can view the unencrypted data in an encrypted network frame body, he can gather packets with “weak” IVs. There are close to 17 million possible IV values to use with RC4, some of them better than others in terms of security. When one of the approximately 9,000 “weak” IVs is used to encrypt a packet, a snooping program (such as AirSnort) can recognize and collect it. These weak IVs give additional clues about the full encryption key, regardless of its bit length. Fluhrer, Mantin and Shamir developed a method to use these weak IVs to determine information about a single encrypted byte in frames encrypted with a weak IV, eventually giving the attacker enough information to obtain the key used on the network. A “sufficient” number of weakly encrypted packets must be acquired by the attacker to determine the key; however, on heavily trafficked networks it is possible to do this in hours or days. Since Vanilla WEP can be broken in such a short period of time, it is not considered the best candidate for heavily trafficked wireless networks.
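As an added illustration of the per-packet keying described in sections 2.4 and 3.4 (example code written for this post, not from the paper or any vendor), the block below implements RC4, builds the WEP per-packet key from a cleartext 24-bit IV and a 40-bit key, and computes how quickly the small IV space runs out; the key, IV and frame contents are constructed values. It also shows the general consequence of an IV repeating under the same key (keystream reuse), which the paper's weak-IV discussion does not spell out.

```python
import math
from typing import Optional
# Constructed example (not from the paper): WEP-style per-packet RC4 keying.
IV_SPACE = 2 ** 24  # a 24-bit IV gives 16,777,216 possible values

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the keystream generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key = 24-bit IV || 40- or 104-bit WEP key.
    The IV travels in the clear in front of the encrypted body."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)
    ks = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def wep_decrypt(frame: bytes, wep_key: bytes) -> bytes:
    """The receiver rebuilds the same per-packet key from the cleartext IV."""
    return wep_encrypt(frame[:3], wep_key, frame[3:])[3:]

def keystream_reuse(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """When two frames carry the same IV under the same key, XOR of their
    bodies equals XOR of their plaintexts: the keystream cancels out."""
    if frame1[:3] != frame2[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame1[3:], frame2[3:]))

def expected_frames_until_iv_repeat() -> float:
    """Birthday bound for random IVs: about sqrt(pi/2 * 2^24) frames."""
    return math.sqrt(math.pi / 2 * IV_SPACE)

def seconds_until_iv_wrap(frames_per_second: float) -> float:
    """Time for a sequential IV counter to exhaust all 2^24 values."""
    return IV_SPACE / frames_per_second

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit WEP key
    iv = bytes.fromhex("aabbcc")       # constructed 24-bit IV
    f1 = wep_encrypt(iv, key, b"GET /index.html")
    f2 = wep_encrypt(iv, key, b"GET /login.php ")
    print("IV in clear:", f1[:3].hex(), "| reuse leaks:", keystream_reuse(f1, f2).hex())
    print("random IV repeats after ~%.0f frames; counter wraps after %.1f h at 1000 fps"
          % (expected_frames_until_iv_repeat(), seconds_until_iv_wrap(1000) / 3600))
```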

3.5 WEP with ACL

Since encrypted 802.11 frames are transmitted with the necessary MAC addresses in the clear, the attacker will be able to acquire the first credential just by sniffing the network. Having the MAC address, we can easily bypass the ACL by using the method described in section 3.3.

We have discussed above why WEP is insecure alone. Thus without an encryption key the attacker will have to sniff enough encrypted data with weak IVs to acquire the encryption key. Since acquiring enough weakly encrypted packets is only a matter of time, it is only a matter of time until WEP is broken and the attacker has both the valid MAC address and the encryption key. Thus WEP with ACL is broken.

3.6 WEP with VPN

An attacker can bypass the WEP with VPN scheme. There are several methods, each varying with the network infrastructure. We will consider the following conditions: the AP is using WEP, and no connection from the wireless segment is routed unless the node is logged in to the VPN server.

The simplest solution for the attacker in this scenario is to first break WEP by the Fluhrer, Mantin, Shamir attack. Once WEP is broken the attacker can actually join the wireless network. The problem for the attacker at this point is that he needs to be logged into the VPN server to have his connection tunneled to the outside world. The attacker will want to decrypt all of the datagrams he has received prior to breaking WEP.

The advantage to decrypting the datagrams is that the attacker can use the encrypted VPN data from other users’ sessions to break the VPN key. There exist several flaws with most encryption algorithms used in VPNs, similar to those of WEP, since several popular VPN encryption schemes use the same encryption algorithm as WEP.

Since the attacker can break most VPN sessions once he has broken WEP, which he may be able to break in a matter of a day or two depending on the amount of network traffic, WEP with VPN is broken.

3.7 Cisco’s LEAP Technology

Several flaws have been found with Cisco’s LEAP in the past few months. Recently an attack tool called LEAPCrack was released to crack wireless networks running LEAP. This tool forces nodes on a LEAP network to de-authenticate. When a node attempts to re-authenticate, the attacker grabs the authentication message and runs a dictionary attack to determine the node’s authentication credentials. Once the credentials have been determined the attacker may join the network as that user. This is an innate flaw in LEAP and is impossible to repair for the current LEAP hardware. However, once the node has changed its authentication credentials, the node’s communication is once again secure until another attack happens.

Cisco has fixed the other flaw that was found with a firmware update to LEAP hardware. A trap door vulnerability existed in the firmware in the form of a hard-coded username/password that could be used to manage the AP. An attacker could potentially use this to modify the AP’s settings and compromise the entire network.

3.8 802.1x

802.1x implementations can have vulnerabilities similar to LEAP’s. In particular, 802.1x is vulnerable to “Session Hijacking” and “Man in the Middle” (MIM) authentication attacks.

Session Hijacking attacks involve an attacker spoofing an AP disassociate frame from the AP for some authenticated user. This message causes the targeted user to completely disassociate from the network. When the user disassociates, the attacker reconfigures his machine into the authenticated state and uses the now disassociated user’s MAC address to associate with the network.

MIM Authentication attacks involve the attacker forging a special EAP message called EAP-Success on behalf of the authenticator and forwarding this message to a user. No matter what state the user is currently in, he moves to the authenticated state and forwards all of his traffic to the attacker, which then in turn forwards all of this traffic to the real authenticator, completely subverting the authentication mechanisms of 802.1x.

What we see from all of these schemes is that none is completely secure. The schemes using Open System authentication are completely open; however, in the case of a public network an Open System authentication scheme may be desired when there is no need to limit access. When the networks are private, administrators need to be concerned with all three of the following topics: Authentication, Integrity and Privacy.

Authentication:

The process of authentication verifies who an actor, node or user is. If the user can be verified and is authorized to use a resource then the authentication sequence passes and the user is granted access.

Integrity:

The purpose of integrity is to verify that data transmitted is valid.

Privacy:

The purpose of privacy is to ensure transmitted data cannot be read by a casual watcher.

3.10 Summary:

Unfortunately, none of the above technologies perfectly protects all three topics. In the case of WEP, the authentication scheme can be broken in little time when the same key is used. LEAP can take more time to break than WEP, since determining the username/password can require a brute force attack if a dictionary attack does not work. 802.1x can fail in a similar fashion to LEAP. WEP with VPN can be very secure when the WEP key is changed often and the VPN encryption does not use a weak cipher. However, if both WEP and the VPN use RC4, both can be broken easily.
