1 / 32

802.11 Wireless Security

802.11 Wireless Security. Presentation by Paul Petty and Sooner Brooks-Heath. Wireless Networks? Beer….huh?. Presentation Outline. 802.11 Protocol Overview 802.11 (in)Security Wireless LAN Attacks Software Demonstration. 802.11 Protocol Overview. IEEE Wireless LAN Standard

dwight
Download Presentation

802.11 Wireless Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 802.11 Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath

  2. Wireless Networks?Beer….huh?

  3. Presentation Outline • 802.11 Protocol Overview • 802.11 (in)Security • Wireless LAN Attacks • Software Demonstration

  4. 802.11 Protocol Overview • IEEE Wireless LAN Standard • Operates on ISO Model within the Data Link and Physical Layers • Two Primary Operating Modes • Infrastructure Mode • Ad-Hoc Mode • SSID assigned to Access Points

  5. Security Methods • Two Main Security Objectives of 802.11 • User Authentication • Protocol Specified • Other • Data Integrity and Privacy • WEP • Third Party

  6. Security Methods - Authentication • 802.11 Specifies Two Modes for Authentication • OSA (Opens Systems Authentication) • Shared Key Authentication • Other Authentication Methods (Currently Used) • MAC Address Table

  7. Open System Authentication Node Access Point

  8. Open System Authentication Node Access Point Beacon

  9. Open System Authentication Node Access Point Beacon Authentication Req SSID Matches

  10. Open System Authentication Node Access Point Beacon Authentication Req SSID Matches Access Point Accepts Node Authentication Resp

  11. Open System Authentication Node Access Point Beacon Authentication Req SSID Matches Access Point Accepts Node Authentication Resp Node is Associated

  12. Shared Key Authentication Node Access Point

  13. Shared Key Authentication Node Access Point Authentication Req

  14. Shared Key Authentication Node Access Point Authentication Req Challenge Text

  15. Shared Key Authentication Node Access Point Authentication Req Challenge Text WEP Encryption of Challenge Text

  16. Shared Key Authentication Node Access Point Authentication Req Challenge Text WEP Encryption of Challenge Text Encrypted Challenge Text

  17. Shared Key Authentication Node Access Point Authentication Req Challenge Text WEP Encryption of Challenge Text WEP Decryption of Encrypted Challenge Text Encrypted Challenge Text

  18. Shared Key Authentication Node Access Point Authentication Req Challenge Text WEP Encryption of Challenge Text WEP Decryption of Encrypted Challenge Text Encrypted Challenge Text Authentication Decision

  19. Shared Key Authentication Node Access Point Authentication Req Challenge Text WEP Encryption of Challenge Text WEP Decryption of Encrypted Challenge Text Encrypted Challenge Text Authentication Decision Node Approval based on Decision

  20. MAC Address Authentication • Access Points Programmed With List of MAC Addresses • Only Valid Node MAC Addresses Authorized • Practical in Smaller Wireless LANs • Not Outlined in 802.11 Protocol – Hardware Specific

  21. Data Integrity and Privacy • Due to the vulnerability of the wireless medium, the 802.11 protocol has specified a method of protecting the integrity and privacy of data transmitted over wireless LANs. • Wired Equivalent Privacy (WEP)

  22. WEP – Wired Equivalent Privacy • WEP is the security protocol for wireless LANs operating under the 802.11 standard. • WEP is designed to provide the security of a wired LAN through encryption via the RC4 algorithm. • Primary function is to safeguard against eavesdropping.

  23. RC4 • Stream Cipher or Symmetric Encryption Algorithm • Developed by Ron Rivest at RSA Securities in 1987 • Source Code Cracked and Leaked in 1994 • Often Used in Software Applications due to its Speed • Original WEP Schemes Specified 40 bit keys • New Hardware Specifies 104 bit keys

  24. Initialization: For i = 0 .. N - 1 S[i] = i j = 0 Scrambling: For i = 0 .. N - 1 j = j + S[i] + K[i mod l] Swap(S[i], S[j]) RC4 Algorithms KSA PRGA Initialization: i = 0 j = 0 Generation Loop: i = i + 1 j = j + S[i] Swap(S[i], S[j]) Output z = S[S[i] + S[j]]

  25. RC4 Implemented in WEP

  26. ICV Encrypted under Key + IV using the RC4 Stream Cipher Hdr + Prbl IV Data Encrypted WEP Packet Header and Preamble Information 24 bit Initialization Vector

  27. Example of RC4 Encoding Two (00000010 in binary) is our encrypting variable (key). It is XORed with some plain text to produce cipher text. For this example we will use the plain text message “HI”                      H                          I            0 1 0 0 1 0 0 0     0 1 0 0 1 0 0 1 XOR   0 0 0 0 0 0 1 0     0 0 0 0 0 0 1 0             0 1 0 0 1 0 1 0     0 1 0 0 1 0 1 1 Encrypted Message Once the receiving node gets the message, it must XOR the encrypted message with the same key to decrypt it. 0 1 0 0 1 0 1 0      0 1 0 0 1 0 1 1 Encrypted Message XOR   0 0 0 0 0 0 1 0     0 0 0 0 0 0 1 0           0 1 0 0 1 0 0 0      0 1 0 0 1 0 0 1                   H                         I

  28. Problems with WEP • No Defined Key Management Protocol • Manual Key Configuration Required • Initialization Vector (IV) is too Small • Inappropriate Integrity Check Value Algorithm • Weak Use of RC4 • Easily Forged Authentication Messages

  29. Attack Types Against Wireless LANs • Passive • Packet Listening and Decryption • Active • Table Building • Man-in-the-Middle Attacks • Bit Flipping

  30. Demonstration AirMagnet Wireless LAN Discovery Suite • Application for Laptop PCs and PDAs • Wireless LAN Analyzer • Real Time Packet Capture and Decode • AP SSID Discovery • Mismatch Tools

  31. Conclusion • Wireless LANs under 802.11 are NOT fully secured • Possible Attack Prevention Techniques • VPNs • Dynamic Key Rescheduling • 802.1X – User Authentication • More research needs to be done on wireless LAN security techniques and their implementation.

  32. Questions ? - References Listed on Project Website -

More Related