Вы находитесь на странице: 1из 41

CWNA Guide to Wireless

LANs, Second Edition

Chapter Eight
Wireless LAN Security and Vulnerabilities
Objectives

• Define information security


• Explain the basic security protections for IEEE
802.11 WLANs
• List the vulnerabilities of the IEEE 802.11 standard
• Describe the types of wireless attacks that can be
launched against a wireless network

CWNA Guide to Wireless LANs, Second Edition 2


Security Principles: What is
Information Security?
• Information security: Task of guarding digital
information
– Ensures protective measures properly implemented
– Protects confidentiality, integrity, and availability
(CIA) on the devices that store, manipulate, and
transmit the information through products, people,
and procedures

CWNA Guide to Wireless LANs, Second Edition 3


Security Principles: What is
Information Security? (continued)

Figure 8-1: Information security components


CWNA Guide to Wireless LANs, Second Edition 4
Security Principles: Challenges of
Securing Information
• Trends influencing increasing difficultly in
information security:
– Speed of attacks
– Sophistication of attacks
– Faster detection of weaknesses
• Day zero attacks
– Distributed attacks
• The “many against one” approach
• Impossible to stop attack by trying to identify and
block source

CWNA Guide to Wireless LANs, Second Edition 5


Security Principles: Categories of
Attackers
• Six categories of attackers:
– Hackers
• Not malicious; expose security flaws
– Crackers
– Script kiddies
– Spies
– Employees
– Cyberterrorists

CWNA Guide to Wireless LANs, Second Edition 6


Security Principles: Categories of
Attackers (continued)

Table 8-1: Attacker profiles

CWNA Guide to Wireless LANs, Second Edition 7


Security Principles: Security
Organizations
• Many security organizations exist to provide
security information, assistance, and training
– Computer Emergency Response Team Coordination
Center (CERT/CC)
– Forum of Incident Response and Security Teams
(FIRST)
– InfraGard
– Information Systems Security Association (ISSA)
– National Security Institute (NSI)
– SysAdmin, Audit, Network, Security (SANS) Institute

CWNA Guide to Wireless LANs, Second Edition 8


Basic IEEE 802.11 Security
Protections
• Data transmitted by a WLAN could be intercepted
and viewed by an attacker
– Important that basic wireless security protections be
built into WLANs
• Three categories of WLAN protections:
– Access control
– Wired equivalent privacy (WEP)
– Authentication
• Some protections specified by IEEE, while others
left to vendors
CWNA Guide to Wireless LANs, Second Edition 9
Access Control
• Intended to guard availability of information
• Wireless access control: Limit user’s admission to
AP
– Filtering
• Media Access Control (MAC) address filtering:
Based on a node’s unique MAC address

Figure 8-2: MAC address


CWNA Guide to Wireless LANs, Second Edition 10
Access Control (continued)

Figure 8-4: MAC address filtering


CWNA Guide to Wireless LANs, Second Edition 11
Access Control (continued)

• MAC address filtering considered to be a basic


means of controlling access
– Requires pre-approved authentication
– Difficult to provide temporary access for “guest”
devices

CWNA Guide to Wireless LANs, Second Edition 12


Wired Equivalent Privacy (WEP)

• Guard the confidentiality of information


– Ensure only authorized parties can view it
• Used in IEEE 802.11 to encrypt wireless
transmissions
– “Scrambling”

CWNA Guide to Wireless LANs, Second Edition 13


WEP: Cryptography

• Cryptography: Science of transforming


information so that it is secure while being
transmitted or stored
– scrambles” data
• Encryption: Transforming plaintext to ciphertext
• Decryption: Transforming ciphertext to plaintext
• Cipher: An encryption algorithm
– Given a key that is used to encrypt and decrypt
messages
– Weak keys: Keys that are easily discovered
CWNA Guide to Wireless LANs, Second Edition 14
WEP: Cryptography (continued)

Figure 8-5: Cryptography


CWNA Guide to Wireless LANs, Second Edition 15
WEP: Implementation
• IEEE 802.11 cryptography objectives:
– Efficient
– Exportable
– Optional
– Reasonably strong
– Self-synchronizing
• WEP relies on secret key “shared” between a
wireless device and the AP
– Same key installed on device and AP
– Private key cryptography or symmetric
encryption
CWNA Guide to Wireless LANs, Second Edition 16
WEP: Implementation (continued)

Figure 8-6: Symmetric encryption


CWNA Guide to Wireless LANs, Second Edition 17
WEP: Implementation (continued)
• WEP shared secret keys must be at least 40 bits
– Most vendors use 104 bits
• Options for creating WEP keys:
– 40-bit WEP shared secret key (5 ASCII characters or
10 hexadecimal characters)
– 104-bit WEP shared secret key (13 ASCII characters
or 16 hexadecimal characters)
– Passphrase (16 ASCII characters)
• APs and wireless devices can store up to four
shared secret keys
– Default key used for all encryption

CWNA Guide to Wireless LANs, Second Edition 18


WEP: Implementation (continued)

Figure 8-8: Default WEP keys


CWNA Guide to Wireless LANs, Second Edition 19
WEP: Implementation (continued)

Figure 8-9: WEP encryption process

CWNA Guide to Wireless LANs, Second Edition 20


WEP: Implementation (continued)

• When encrypted frame arrives at destination:


– Receiving device separates IV from ciphertext
– Combines IV with appropriate secret key
• Create a keystream
– Keystream used to extract text and ICV
– Text run through CRC
• Ensure ICVs match and nothing lost in transmission
• Generating keystream using the PRNG is based on
the RC4 cipher algorithm
– Stream Cipher

CWNA Guide to Wireless LANs, Second Edition 21


WEP: Implementation (continued)

Figure 8-10: Stream cipher

CWNA Guide to Wireless LANs, Second Edition 22


Authentication

• IEEE 802.11 authentication: Process in which AP


accepts or rejects a wireless device
• Open system authentication:
– Wireless device sends association request frame to
AP
• Carries info about supported data rates and service
set identifier (SSID)
– AP compares received SSID with the network SSID
• If they match, wireless device authenticated

CWNA Guide to Wireless LANs, Second Edition 23


Authentication (continued)

• Shared key authentication: Uses WEP keys


– AP sends the wireless device the challenge text
– Wireless device encrypts challenge text with its WEP
key and returns it to the AP
– AP decrypts returned result and compares to original
challenge text
• If they match, device accepted into network

CWNA Guide to Wireless LANs, Second Edition 24


Vulnerabilities of IEEE 802.11 Security

• IEEE 802.11 standard’s security mechanisms for


wireless networks have fallen short of their goal
• Vulnerabilities exist in:
– Authentication
– Address filtering
– WEP

CWNA Guide to Wireless LANs, Second Edition 25


Open System Authentication
Vulnerabilities
• Inherently weak
– Based only on match of SSIDs
– SSID beaconed from AP during passive scanning
• Easy to discover
• Vulnerabilities:
– Beaconing SSID is default mode in all APs
– Not all APs allow beaconing to be turned off
• Or manufacturer recommends against it
– SSID initially transmitted in plaintext (unencrypted)

CWNA Guide to Wireless LANs, Second Edition 26


Open System Authentication
Vulnerabilities (continued)
• Vulnerabilities (continued):
– If an attacker cannot capture an initial negotiation
process, can force one to occur
– SSID can be retrieved from an authenticated device
– Many users do not change default SSID
• Several wireless tools freely available that allow
users with no advanced knowledge of wireless
networks to capture SSIDs

CWNA Guide to Wireless LANs, Second Edition 27


Open System Authentication
Vulnerabilities (continued)

Figure 8-12: Forcing the renegotiation process

CWNA Guide to Wireless LANs, Second Edition 28


Shared Secret Key Authentication
Vulnerabilities
• Attackers can view key on an approved wireless
device (i.e., steal it), and then use on own wireless
devices
• Brute force attack: Attacker attempts to create
every possible key combination until correct key
found
• Dictionary attack: Takes each word from a
dictionary and encodes it in same way as
passphrase
– Compare encoded dictionary words against
encrypted frame

CWNA Guide to Wireless LANs, Second Edition 29


Shared Secret Key Authentication
Vulnerabilities (continued)
• AP sends challenge text in plaintext
– Attacker can capture challenge text and device’s
response (encrypted text and IV)
• Mathematically derive keystream

CWNA Guide to Wireless LANs, Second Edition 30


Shared Secret Key Authentication
Vulnerabilities (continued)

Table 8-2: Authentication attacks


CWNA Guide to Wireless LANs, Second Edition 31
Address Filtering Vulnerabilities

Table 8-3: MAC address attacks

CWNA Guide to Wireless LANs, Second Edition 32


WEP Vulnerabilities

• Uses 40 or 104 bit keys


– Shorter keys easier to crack
• WEP implementation violates cardinal rule of
cryptography
– Creates detectable pattern for attackers
– APs end up repeating IVs
• Collision: Two packets derived from same IV
– Attacker can use info from collisions to initiate a
keystream attack

CWNA Guide to Wireless LANs, Second Edition 33


WEP Vulnerabilities (continued)

Figure 8-13: XOR operations


CWNA Guide to Wireless LANs, Second Edition 34
WEP Vulnerabilities (continued)

Figure 8-14: Capturing packets

CWNA Guide to Wireless LANs, Second Edition 35


WEP Vulnerabilities (continued)

• PRNG does not create true random number


– Pseudorandom
– First 256 bytes of the RC4 cipher can be determined
by bytes in the key itself

Table 8-4: WEP attacks


CWNA Guide to Wireless LANs, Second Edition 36
Other Wireless Attacks: Man-in-the-
Middle Attack
• Makes it seem that two computers are
communicating with each other
– Actually sending and receiving data with computer
between them
– Active or passive

Figure 8-15: Intercepting transmissions


CWNA Guide to Wireless LANs, Second Edition 37
Other Wireless Attacks: Man-in-the-
Middle Attack (continued)

Figure 8-16: Wireless man-in-the-middle attack


CWNA Guide to Wireless LANs, Second Edition 38
Other Wireless Attacks: Denial of
Service (DoS) Attack
• Standard DoS attack attempts to make a server or
other network device unavailable by flooding it with
requests
– Attacking computers programmed to request, but not
respond
• Wireless DoS attacks are different:
– Jamming: Prevents wireless devices from
transmitting
– Forcing a device to continually dissociate and re-
associate with AP

CWNA Guide to Wireless LANs, Second Edition 39


Summary

• Information security protects the confidentiality,


integrity, and availability of information on the
devices that store, manipulate, and transmit the
information through products, people, and
procedures
• Significant challenges in keeping wireless networks
and devices secure
• Six categories of attackers: Hackers, crackers,
script kiddies, computer spies, employees, and
cyberterrorists

CWNA Guide to Wireless LANs, Second Edition 40


Summary (continued)

• Three categories of default wireless protection:


access control, wired equivalent privacy (WEP),
and authentication
• Significant security vulnerabilities exist in the IEEE
802.11 security mechanisms
• Man-in-the-middle attacks and denial of service
attacks (DoS) can be used to attack wireless
networks

CWNA Guide to Wireless LANs, Second Edition 41

Вам также может понравиться