Wireless Networking Security

“…those who would sacrifice freedom for security deserve neither…” Benjamin Franklin

Why go wireless

The popularity of wireless networks is clearly on the increase. But what are the hidden costs of going wireless? Are we giving up our security?

The main benefits of wireless networking are:

  • cost
  • convenience

The main drawbacks are:

  • speed
  • security

General Security Issues of Wireless Networks

Network security issues, whether wired or wireless, fall into three main categories: availability, confidentiality and integrity:

  • Confidentiality: is the information being sent across the network transmitted in such a way that only the intended recipient(s) can read it?
  • Integrity: is the information reaching the recipient intact?
  • Availability: is the network available to users whenever it is supposed to be?

Confidentiality

The main way to ensure that data is not disclosed to unauthorised users is by encrypting it during transit, and wireless networks are able to do this in just the same way as wired networks. However, encryption is meaningless without authentication, since an unauthorised user could authenticate themselves onto the network and then be given the key with which to decrypt the data.

The traditional model for authorisation is to have some form of centralised system which stores access control lists. This model is fine for use in networks which have a relatively static set of users, and so is suitable for Wi-Fi, but in other networks such as Bluetooth networks, which are much more ad-hoc in nature, this approach becomes impractical. In ad-hoc networks, not only does the dynamically changing set of users make updating access control lists infeasible in terms of cost, but there is also no guarantee that these devices would be able to access any central system. In these systems, a better approach is to form secure transient associations between devices, where the decision on who to trust is made either by each device, or by one master device which instructs the slave devices on how to behave.

There is a lot of interest in this model for applications such as controlling police weapons. In America, a large proportion of injuries to police officers come from stolen police guns. If each officer had a very short range ring (the master) associated with the gun (the slave) it would prevent anyone other than that officer from using the weapon.

Integrity

Because packets of data in wireless networks are sent through the air, they can be intercepted and modified quite easily by malicious users. This means that wireless networks are more vulnerable to attacks on the integrity of data. However, the current methods used by wired networks to ensure the integrity of packets, such as checksums, are perfectly adequate for ensuring the integrity of packets in wireless networks, and so no novel solutions have been adopted.

Availability

Wireless networks are particularly susceptible to DoS (Denial of Service) attacks. Unlike wired networks, which require the attacker to be physically connected to the network in some way before they can launch such an attack, with wireless networks an attacker only has to be within a certain range of the network (usually 100m) to be able to launch such an attack. These kinds of attacks are particularly difficult to stop since network providers want to allow legitimate users to initiate communications with the network, and cannot stop malicious users from exploiting this to cause a denial of service.

Another way in which malicious users can potentially restrict the availability of wireless networks is through radio jamming. This involves sending out a lot of noise on the same frequency as the network uses. However, there are techniques, such as frequency hopping, which can make this kind of attack more difficult. Also, this threat is less relevant in the non-military world since the 'jammer' could be reported to the police and arrested.

One kind of attack on the availability of wireless networks which has arisen in the last few years is battery exhaustion attacks. Because many wireless network devices are portable and therefore battery powered, malicious users can repeatedly send messages to the device. This prevents it from going into its sleep mode, and the battery runs down much faster.

Wi-Fi (Wireless Fidelity)

Standards

Like with most new geeky technologies there is currently a mish mash of standards.

802.11

  • original 1997 2.4GHz wireless Ethernet standard
  • data rate 1 or 2Mbps

802.11a

  • 5GHz frequency less susceptible to interference
  • not compatible with 802.11b
  • data rate of 54Mbps
  • uses OFDM (Orthogonal Frequency Division Multiplexing)
  • short range (60 feet)

802.11b

  • most widely used standard
  • up to 11Mbps
  • 2.4GHz frequency is subject to interference
  • uses direct sequence spread spectrum modulation
  • long range (300 feet)

802.11g

  • regarded by most as an extension to the life of 802.11b
  • uses the OFDM bit of 802.11a and 2.4GHz bit of 802.11b
  • same frequency as 802.11b and so backwards compatible
  • data rate of 54Mbps

802.11i (coming soon)

  • IEEE certified security specification
  • not a wireless protocol as such
  • offers improved security for data in transit
  • better control of who can use the network

802.11c/d/e/f/h/IR/j/k/m?

  • technical specifications of low level standards

Gi-Fi (maybe coming, but not soon)

  • theoretically 2Gbps can be achieved at frequencies of 56GHz [1]

Stream and Block Ciphering Overview

Block Ciphers

A block cipher is a symmetric cipher that operates on a fixed size block of bytes at a time. The stream of binary digits that make up a message are divided into blocks of a standard size (typically 64 or 128 bits long) and then the encryption algorithm is applied so that all the bits of each block are encrypted at the same time using the same key.

Example: Using blocks of 8-bits and a 10-bit key...

Following transmission the ciphertext is decrypted a block at a time at the receiver by applying the reverse transformation using the same, shared secret key.

Examples of block ciphers are DES, triple DES (3DES), AES and Blowfish.

Stream Ciphers

A stream cipher is a symmetric (secret key) cipher that operates on small units of data (as small as a single bit) at a time.

Sender and receiver both share the secret key.

To send a message the sender uses the key to produce an infinite pseudo-random keystream. The keystream is then logically combined with the plaintext, typically via an operation such as XOR to produce ciphertext.

At the other end of the network, the receiver uses the shared secret key to produce an identical keystream to the sender. This is then XOR-ed with the incoming ciphertext to reproduce the original plaintext.

Example of Stream Cipher: RC4

Regardless of the type of symmetric cipher being used, it is important to keep changing the key used for encryption. If an attacker can obtain two different cipher-texts encrypted using the same key, statistical analysis of the texts can be applied to break the encryption and determine the contents of the shared key.

Note: In reality an infinite keystream is obviously never produced. The keystream is simply as long as the message being sent.

Security flaws with first generation Wi-Fi

Before 802.11i, hardware manufacturers are/were free to provide whichever level of security they saw fit. The baseline security protocol for Wi-Fi is WEP (Wired Equivalent Privacy), which was first used in the early 802.11 wireless standard and also exists unchanged in 802.11b [2].

Run down of WEP

Optional encryption standard implemented in the MAC layer.

Encryption in WEP:

  • uses a secret key, k (40 or 128 bit).
  • k is shared between the access point and the mobile node.
  • does not specify how k is established – so this is done manually for the moment.
  • k is used to encrypt packets before transmission.
  • integrity check (CRC-32) is used to ensure that packets are not modified in transit.

To compute an encrypted frame:

  1. The plaintext frame data, M, is first concatenated with its ICV (integrity check value) or checksum, c(M), to produce M + c(M).
      • The ICV is used after decryption to check that the frame hasn’t been tampered with in transit.
      • If the receiver calculates an ICV that doesn’t match the one found in the frame, the receiving station can reject it or flag the user.
  2. An initialisation vector (IV) is joined to the secret key to create the packet key, (IV + k).
      • A random 24-bit IV lengthens the life of the secret key because it can be changed for each frame transmission.
      • The IV is included unencrypted in the frame so it can be used for decryption.
  3. The RC4 cipher is constructed using the packet key, RC4(IV + k).
  4. The cipher is XORed with the checksummed plaintext to get the ciphertext (encrypted data):

C = (M + c(M)) XOR RC4(IV + k)

Weaknesses

  1. IV – The small space of possible initialisation vectors means that a collision is inevitable.
  2. CRC and RC4 – The combination of CRC and RC4 means it is possible to change the message while flipping appropriate bits in the checksum to keep the packet valid.

Types of attack

  1. Passive attacks to decrypt traffic based on statistical analysis.
  2. Active attack to inject new traffic from unauthorised mobile stations, based on known plaintext.
  3. Active attack to decrypt traffic by tricking the access point.
  4. Dictionary building attack that, after a day’s worth of traffic, allows real time automated decryption of traffic.

Passive Attack

A passive eavesdropper intercepts all wireless traffic, until an IV collision occurs. By XORing two packets that use the same IV, the attacker obtains the XOR of the two plaintext messages. The resulting XOR can be used to infer data about the contents of the two messages. IP traffic is often very predictable and includes a lot of redundancy. This redundancy can be used to eliminate many possibilities for the contents of messages. Further educated guesses about the contents of one or both of the messages can be used to statistically reduce the space of possible messages, and in some cases it is possible to determine the exact contents [2].

An extension of this attack uses a host on the Internet to send known messages to a wireless network station. Because the attacker knows the contents of these messages he will easily be able to decrypt all packets that are sent using the same initialisation vector.
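
The four steps under “To compute an encrypted frame” and the IV-collision observation in the passive attack, as an added Python example (not code from the original page). It is a simplified sketch: the 802.11 header and key-ID byte are omitted, the little-endian ICV byte order is a choice made here, and the key, IV and messages are constructed sample values.

```python
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(k: bytes, iv: bytes, m: bytes) -> bytes:
    """C = (M + c(M)) XOR RC4(IV + k), sent as IV followed by C."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = m + struct.pack("<I", zlib.crc32(m))    # M + c(M)
    return iv + xor(body, rc4(iv + k, len(body)))


def wep_decrypt(k: bytes, frame: bytes) -> bytes:
    """Recover M; raise ValueError if the ICV does not match."""
    iv, c = frame[:3], frame[3:]                   # IV arrives unencrypted
    body = xor(c, rc4(iv + k, len(c)))
    m, icv = body[:-4], body[-4:]
    if struct.pack("<I", zlib.crc32(m)) != icv:
        raise ValueError("ICV mismatch: frame rejected")
    return m


def plaintext_xor_from_iv_reuse(f1: bytes, f2: bytes) -> bytes:
    """XOR of two frames under one IV: the keystream cancels out."""
    if f1[:3] != f2[:3]:
        raise ValueError("IVs differ, so the keystreams differ")
    return xor(f1[3:], f2[3:])


# Constructed sample values, not taken from a real capture.
K = bytes.fromhex("0102030405")                # 40-bit shared key k
IV = bytes.fromhex("a1b2c3")                   # 24-bit IV
M1, M2 = b"GET /index.html", b"GET /login.html"
```

Encrypting `M1` and `M2` with the same `IV` and passing both frames to `plaintext_xor_from_iv_reuse` returns M1 XOR M2 (followed by the XOR of the two ICVs) without the key being used at all.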

Active Attack to inject new traffic

If an attacker knows the exact plaintext for one encrypted message, this can be used to construct correct encrypted packets. This procedure involves calculating the checksum for a new message and performing bit flips on the original encrypted message to change the plaintext to the new message. The basic property is that RC4(X) XOR X XOR Y = RC4(Y). This new packet can now be sent to a mobile station or access point and will be accepted as a valid packet.

Active Attack to decrypt traffic

If the attacker is able to guess part of the header of a packet then he may be able to flip appropriate bits to change the destination IP address of the packet. The address could be changed to match the address of a machine somewhere on the Internet that the attacker controls. The attacker could then broadcast the modified packet from a rogue mobile station. As most wireless network installations have Internet connectivity the packet will be successfully decrypted by the access point and forwarded unencrypted to the attacker’s machine on the Internet!

Dictionary Building Attack

The small space of initialisation vectors allows an attacker to quite quickly build a table of key streams with an entry for each IV. Once a key stream is identified it can be used to decrypt all other packets that use the same IV. Remember that the IV is sent unencrypted in the packet header. Over time the attacker can build an exhaustive table of IVs and corresponding key streams. Once built the attacker can easily decrypt every packet sent over the wireless link, without actually ever knowing the secret key, by looking up the correct key stream in the table. As the initialisation vector in WEP is only a 24-bit field a busy access point will exhaust every possible IV in just 5 hours!

Wired Equivalent Privacy isn’t equivalent to the privacy over a wired connection.

Solutions to the shortcomings of original Wi-Fi security

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access (WPA) is a subset of the forthcoming IEEE 802.11i security standard (also known as WPA2) and is designed to overcome all of the weaknesses identified in WEP. WPA works with existing 802.11 based hardware using firmware upgrades and will offer full forward compatibility with the new standard following its eventual certification.

Features of WPA

  • Enhanced encryption scheme: Temporal Key Integrity Protocol (TKIP)
  • Message Integrity Checks (MIC)
  • Strong User Authentication using one of the standard Extensible Authentication Protocol (EAP) types available

Encryption

One of WEP’s chief weaknesses was that it used a small (40-bit) static key to initiate encryption. This key is entered manually on the AP (Access Point) and on all clients that communicate with it. It never changes unless it is manually re-entered on all devices.

A 24-bit initialization vector is then appended to this to produce a 64-bit key that is used for encryption. On busy networks, initialization vectors may need to be repeated within a matter of hours, meaning that encryption keys are often re-used.

  • TKIP replaces the single static key with keys that are dynamically generated each time a wireless client connects to the network.
  • Key size increased from 40 to 128 bits
  • Initialisation Vector increased from 24 to 48-bits
  • A unique encryption key is generated for every packet

After accepting a user’s credentials an authentication server produces a unique master key which is valid for the current computing session only.

“TKIP distributes this key to the client and the AP and sets up a key hierarchy and management system, using the pairwise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated during that user’s session” Wi-Fi Alliance white paper, 2003

Message Integrity Checks

Designed to prevent an attacker from capturing data packets, altering and then re-sending them.

  • The MIC provides a strong mathematical function that is calculated by both sender and receiver
  • The receiver compares its calculated value with the contents of the packet
  • If the calculated value does not match what is found inside the packet, the packet is assumed tampered with and discarded
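
Why the MIC has to be keyed, shown against WEP’s CRC-32 ICV (the CRC and RC4 weakness listed earlier). This is an added Python example, not code from the original page; HMAC-SHA256 truncated to 8 bytes is a stand-in keyed MIC chosen here, not the algorithm WPA uses, and the keystream and messages are constructed.

```python
import hashlib
import hmac
import os
import struct
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    """XOR b into the front of a; bytes of a beyond len(b) are unchanged."""
    return bytes(x ^ y for x, y in zip(a, b.ljust(len(a), b"\0")))


def crc_icv(m: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(m))          # WEP-style unkeyed ICV


def keyed_mic(mic_key: bytes, m: bytes) -> bytes:
    # Stand-in keyed MIC (assumption): HMAC-SHA256 truncated to 8 bytes.
    return hmac.new(mic_key, m, hashlib.sha256).digest()[:8]


def seal(keystream: bytes, m: bytes, tag: bytes) -> bytes:
    return xor(m + tag, keystream)                   # (M + tag) XOR keystream


def open_crc(keystream: bytes, c: bytes):
    body = xor(c, keystream)
    m, tag = body[:-4], body[-4:]
    return m if tag == crc_icv(m) else None          # None = packet discarded


def open_mic(keystream: bytes, mic_key: bytes, c: bytes):
    body = xor(c, keystream)
    m, tag = body[:-8], body[-8:]
    ok = hmac.compare_digest(tag, keyed_mic(mic_key, m))
    return m if ok else None


def linear_patch(delta: bytes) -> bytes:
    """Bytes that turn M into M^delta and keep a CRC-32 ICV valid.

    Needs no key: crc(M ^ d) = crc(M) ^ crc(d) ^ crc(00..0) for equal lengths.
    """
    return delta + xor(crc_icv(delta), crc_icv(bytes(len(delta))))


# Constructed sample data; the random keystream is never passed to
# linear_patch, which models a party that does not hold the key.
M = b"pay 0010 to bob"
WANT = b"pay 9910 to bob"
KS, MIC_KEY = os.urandom(32), os.urandom(16)
DELTA = xor(M, WANT)
```

`open_crc` accepts a ciphertext modified with `linear_patch(DELTA)` and returns the altered message, while `open_mic` returns `None` for the same modification because the tag cannot be recomputed without `MIC_KEY`.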

Authentication

Home Environments

Pre-Shared Key: This method for authentication uses a statically configured pass-phrase on both the client workstations and on the access point. This allows users of the network to be authenticated at the access point without the need for an authentication server, which is unlikely to be available in home or small office environments.

Enterprise Security

Access to the network is controlled by an authentication server. This holds user credentials (e.g. user names and passwords) and authenticates wireless users before they gain access to the network. One of the Extensible Authentication Protocol (EAP) types available is then used to carry out the authentication.

Extensible Authentication Protocol (EAP)

EAP is a general protocol for authentication of network users. It does not select a specific authentication mechanism upon establishing a link, preferring to wait until a separate authentication phase. “This allows the authenticator to request more information before determining the specific authentication mechanism.”

A number of mechanisms are supported under this scheme including digital certificates (already widely used in Internet security), unique usernames and passwords, smart cards, secure IDs, or any other identity credential that the IT administrator is comfortable deploying.

802.11i Security (WPA2)

Why bother?

While WPA offers significantly better security than WEP it can still be strengthened. It uses static keys for user authentication and the RC4 encryption algorithm is known to be vulnerable to some analytic attacks. In addition, one in every 256 keys generated using the RC4 algorithm is likely to be ‘weak’ – “one or more bytes of the generated ciphertext are strongly correlated with a few bytes of the key”.

802.11i Features

  • New method for encryption: Advanced Encryption Standard (AES)
  • Combines encryption with authentication using dynamic keys for both
  • Scheduled for certification September 2004

Bluetooth

Trivia: named after Danish king Harald "Bluetooth" (Blåtand) 950-986, who united Denmark

Bluetooth, like Wi-Fi, is a standard for wireless network communications. However, unlike Wi-Fi, which is designed to replace existing, high bandwidth, long range wired networks, Bluetooth is designed primarily for short range, low bandwidth 'Personal Area Networks'. The idea is to provide a common communication specification to allow completely dissimilar devices, such as PDAs, mobile phones, printers and even fridges to communicate with each other. Unlike Wi-Fi, Bluetooth has to be available to devices with low computational power.

Bluetooth devices are divided up into 3 power categories:

Category 1 devices have a range of between 0.1 and 1m. These devices might include mobile phone headsets, where the communicating devices are most likely to be in close proximity.

Category 2 devices have a range of between 1 and 10m. This is the most common power range for Bluetooth devices. It is most suitable for PANs since it provides sufficient range for most applications, but the range is limited enough to provide a certain level of security from potential listeners.

Category 3 devices have a range of up to 100m. This is equivalent to most current Wi-Fi networks, but given the low bandwidth of Bluetooth (1Mbps theoretical, ~700Kbps actual with Forward Error Correction) it is not a direct competitor.

Another difference to Wi-Fi is the ad-hoc nature of Bluetooth networks. Although Wi-Fi networks are designed with a certain amount of flexibility, they are generally fairly static. In contrast, Bluetooth devices (which are most often mobile) are designed to be able to move in and out of networks as the owner moves around. This difference means that the same security procedures that are used in Wi-Fi are not suited to Bluetooth, and new measures have been adopted.