09 - Wireless
Wireless
Phillip Fitzpatrick
Secure Communications
WLAN
➢ Our focus will be on infrastructure mode, and on the access control options on
an access point
Controlling access to a WLAN
➢ Normally this SSID is broadcast by the access point allowing users to find and
connect to the access point
➢ An open WLAN does not restrict who may connect to an access point, but it is
not necessarily unprotected. Security mechanisms could be provided in other
protocol layers
Controlling access to a WLAN [1]
➢ This required the clients to know the SSID of the network in order to connect
to it
➢ The SSID is included (in plain text) in many of the signaling messages,
which could be intercepted by an attacker
Controlling access to a WLAN [2]
➢ However?
➢ An attacker sniffing the traffic could find a valid MAC address of another
user and spoof their own MAC address to match
Controlling access to a WLAN
➢ When the client's web browser starts, either the DNS or HTTP request is intercepted
➢ The user is redirected to an HTTPS session and asked for a username and
password
➢ The web server verifies the username and password using a RADIUS server
➢ The protection of subsequent traffic between client and the AP is a separate issue
Captive Portal Software
Captive Portal
➢ The login page that the user uses is sometimes called a captive portal
➢ Captive portals are used at most Wi-Fi hotspots, and they can be used to control
wired access (e.g. apartment houses, hotel rooms, business centres, "open"
Ethernet jacks) as well
Captive Portal Software
➢ Because of the broad support and the ubiquitous nature of the RADIUS
protocol it is often used by ISPs and enterprises to manage access to the
Internet or internal networks, wireless networks, and integrated e-mail
services
➢ So-called pre-shared secrets are installed manually in all devices that should
get access to the network
➢ To transmit a message, M
➢ The user calculates a checksum, H
➢ H = CRC-32(M)
➢ The user generates a 64-bit or 128-bit key stream K* using the stream
cipher RC4
➢ K* = IV || K
➢ The client uses the above algorithm to encrypt the challenge with the pre-
shared key, and the AP verifies the response
The Flaws with WEP
➢ The cryptographic mechanisms used in WEP suffer from two major design
flaws
➢ CRC-32 is a cyclic redundancy check, useful for detecting random errors but
no defence against targeted modifications
➢ An attacker who only has a WEP ciphertext, but neither K* nor plaintext M,
can modify the plaintext
The Flaws with WEP [1]
Example:
➢ As long as the secret key remains unchanged, the IV is the only variable
part of the key K*
➢ An attacker could observe traffic for a longer period until IVs repeat and
then try to reconstruct the key streams and build a table of IVs and
corresponding key streams
Secure Communications
WPA
WiFi Protected Access (WPA)
➢ WPA was designed as a quick preliminary solution that removed the major
flaws in WEP prior to a complete redesign of the WLAN security architecture
➢ Given the design constraints, the WPA security mechanisms are not as strong
as one might expect from a cryptographic perspective, but WPA is still a
definite improvement over WEP
How does WPA work?
➢ It uses the Temporal Key Integrity Protocol (TKIP) to create a key hierarchy
➢ Client and AP have a long-term Pairwise Master Key (PMK)
➢ For each connection new Pairwise Transient Keys (PTKs) are derived from
the master key
How does WPA work?
➢ When WPA is deployed with pre-shared master keys (WPA-PSK), the PMK is
computed with the key generation function PBKDF2
➢ PMK = PBKDF2(passphrase, SSID, SSID Length, 4096, 256)
➢ The inputs (Passphrase, SSID, Length) are hashed 4096 times and a 256-bit
key is returned
➢ The algorithm computing a PTK takes the PMK, the MAC address of both
devices, and nonces (sent in the clear) generated by both devices, as its
inputs
Attacking WPA