Security of Wireless Local Area Networks
Lelia Barlow
June 2004

I. Introduction

Wireless Local Area Networks (WLANs) are growing in popularity. Both home users and corporations make use of wireless technology to network computers. However, security vulnerabilities of wireless networks may compromise information confidentiality, integrity and availability. Countermeasures that were developed to protect wired networks are ineffective against many attacks on WLANs. In fact, it can be difficult to even identify threats to a WLAN without some form of wireless intrusion detection. We will present some common attacks to WLANs and the associated exploit tools. We will also discuss wireless intrusion detection systems, including the capabilities of these systems and some currently available products.

II. Overview of 802.11

The 802.11 standard is a group of specifications for WLANs created by the Institute of Electrical and Electronics Engineers (IEEE). The first WLAN standard was adopted in 1997. The standards are still evolving, with new versions such as 802.11i under development. However, the focus for this discussion is the original 802.11 standard.

OSI Layer Definitions

The 802.11 Standard specifies the Media Access Control Layer (MAC) and Physical Layer (PHY) for a wireless LAN. The MAC layer is responsible for reliably delivering data from the physical layer to the upper layers of the OSI model. The MAC layer also provides a controlled method, CSMA/CA, for the upper layers to access the physical layer. CSMA/CA, or Carrier-Sense Multiple Access with Collision Avoidance, is similar to the collision detection access method used by 802.3 Ethernet LANs. The MAC layer also provides authentication and encryption services, including Wired Equivalent Privacy (WEP), which will be discussed in more detail later.

The physical layer is the interface between the MAC layer and the wireless media. The PHY layer provides a carrier sense indication to the MAC layer, verifying activity on the media. The PHY layer utilizes signal carrier and spread spectrum modulation to transmit frames over the wireless media. The 802.11 Standard defines both Frequency Hopping Spread Spectrum (FHSS) and Direct Sequence Spread Spectrum (DSSS), both of which support 1Mbps and 2Mbps data rates.

Modes of Operation

802.11 networks can operate in either ad-hoc mode or in infrastructure mode.

Ad-hoc mode, also known as Independent Basic Service Set (IBSS), allows wireless devices to communicate directly with each other. When wireless devices are within range of each other and need to communicate, and no pre-existing network infrastructure exists, they form an ad-hoc network “on the fly.” This ad-hoc network has no connection to “the outside world.”

[Figure: ad-hoc network. Device 1, Device 2 and Device 3 communicate directly with each other.]

[Figure: infrastructure network. Device 1, Device 2 and Device 3 communicate through an Access Point, which connects to a Wired LAN.]

Infrastructure mode, also known as Basic Service Set (BSS), only allows devices to communicate with a central access point. The access point functions as an Ethernet bridge between the wireless media and a wired network.

Wired Equivalent Privacy (WEP)

The designers of the original 802.11 standard saw a need to balance “reasonably strong” security with the need for an efficient and easy-to-implement technology, which could also be exported from the United States to other countries. WEP was developed to try to satisfy these requirements. Although WEP has many security weaknesses, it is still in use today.

There are two parts to WEP security described in the 802.11 standard. The first part is the authentication phase, and the second part is the encryption phase. In the authentication phase, the objective is for each device to prove its identity. In the encryption phase, the objective is to provide some amount of data confidentiality.

Authentication and Association

Wireless clients and access points must establish an association before they can communicate. For example, in infrastructure mode, a wireless device associates with an access point. At fixed intervals of time, the access point transmits a beacon management frame. A wireless device that wants to associate with an access point and become part of a BSS will listen for this beacon. Some wireless devices may also send a probe management frame to try to find an access point with a specific Service Set Identifier, or SSID. Once the wireless device has found an access point, it transitions to the Unauthenticated and Unassociated state.

Now the wireless device needs to authenticate with the access point. There are several types of authentication available: open system authentication, access control lists based on MAC addresses, and shared key authentication.

Open system authentication is the default for 802.11. It authenticates any wireless device that requests authentication. Even when WEP is enabled, the authentication management frames used by this type of authentication are sent as clear text. Clearly, the default setting for authentication does little to thwart attackers.

Using access control lists based on MAC addresses of wireless devices is a common, but flawed, method for authentication. Access points maintain a list of authorized MAC addresses, and restrict network access to wireless devices with a MAC address on that list. One problem is that maintaining a list of authorized MAC addresses takes time, and may be prone to errors. The bigger security problem is MAC address spoofing (discussed later). Worse, using this type of authentication provides a false sense of security that does not exist when open system authentication is used.

Shared key authentication uses a challenge-response mechanism and a shared secret key. The wireless device indicates to the access point that it would like to use this type of authentication. The access point sends a response: challenge text generated by the WEP pseudo-random number generator using a shared secret and a random initialization vector (IV). The wireless device encrypts this challenge text with WEP using the shared secret and a new IV that it selects. The access point receives the response from the wireless device, decrypts it, and verifies that the text matches its original text sent to the wireless device. If the text matches, the process repeats with the access point initiating the challenge. This last step was designed to provide mutual authentication.

This method of shared key authentication also has problems. First, the wireless device and the access point must share a secret key. The 802.11 standard purposefully did not specify a method of secret key distribution. While this is not unreasonable, since different methods may be more suitable for different types of devices (for example, a laptop computer versus a cellular telephone), it can make key management very difficult, particularly for large networks. Also, once a new wireless device has authenticated, there are no more secrets exchanged. Unfortunately, this means that there is no way to know whether subsequent messages come from the trusted device or from an imposter. Additionally, there are problems with the challenge/response protocol. For example, if an attacker observes the challenge/response exchange, the attacker is given a plaintext/ciphertext pair, from which the attacker could mount a known plaintext attack.

However, one benefit of requiring WEP authentication in a large network is for management reasons. If a user of the network entered the wrong WEP key value or failed to update the WEP key, the access point would reject the user and the user would be notified. However, without the authentication phase, the user's device would be accepted, but every frame sent to the access point would be rejected because the encryption failed. This type of failure could be difficult for the user to recognize, as distinct from interference on the wireless network or being out of range of the access point.

Once a wireless device has been successfully authenticated, the device transitions to the Authenticated and Unassociated state. To transition to the third and final state, Authenticated and Associated, the wireless device sends an association frame to the access point, and the access point responds with an association response frame. Now the wireless device can transmit data frames as a peer on the WLAN.

Encryption

Data frames on the WLAN are encrypted using the RC4 algorithm. The RC4 algorithm is a symmetric algorithm that is simple to implement. The RC4 algorithm expands a key of relatively short length into a pseudorandom key stream. The key stream is XORed with the data block to generate the ciphertext. Both the sender and receiver generate the same pseudorandom key stream, and so the receiver can recover the plaintext data block by XORing the ciphertext with the (synchronized) key stream.

Several attacks are possible because of this mode of operation. An attacker can change a bit in the ciphertext to change the corresponding bit in the plaintext. If two ciphertexts encrypted with the same key stream are intercepted, then the XOR of the two plaintexts can be obtained, which can enable statistical attacks to recover the plaintext. Thus, RC4 was not really designed to encrypt many small blocks of data, such as the packets exchanged over the wireless network. Because RC4 has a fixed key value, each time the same data block is encrypted following a key initialization, the corresponding ciphertext block will be the same. Particularly in the case of IP traffic on a network, where packets have a standardized format, this gives an attacker too much information.

In an attempt to solve this problem, WEP uses an initialization vector (IV). An IV is combined with the secret key to produce an encrypting key for each block of data. The IV is then transmitted in the open with the encrypted data, so that the receiving device can decrypt the block of data. However, because the IV is not a secret, it should never be used twice with a given secret key, in order to prevent the type of statistical attack described above. Unfortunately, the IV for WEP was chosen to be only 24 bits in length. This means there are only 2^24 possible values for the IV, which is less than 17 million values. A busy access point transmitting 1,500-byte packets at 11Mbps will exhaust the IV key space in

  ((1500 bytes) x (8 bits/byte) / (11 x 10^6 bits/second)) x 2^24 seconds.

This is about five hours. Because it would be very difficult for the secret keys for an entire large network to be changed every five hours or less, IV values are going to be reused.

In addition to data encryption, WEP uses a 4-byte integrity check value (ICV). The ICV is computed using a CRC-32 checksum, and is added to the data block before encryption. Because the CRC-32 checksum is a linear operation, it is possible to find the bit difference of two CRCs knowing the bit difference of the data used to compute them. This means that if you change one bit in the data, you can determine the bits in the checksum that must be changed to produce a correct checksum for the modified message.

The WEP data encryption and encapsulation procedure is described in the following figure (Source: PETR2003):

[Figure: WEP data encryption and encapsulation. The data block is passed through CRC-32 to produce the ICV; the IV and the Secret key feed the RC4 stream cipher; the transmitted frame consists of the 802.11 Header, the IV, and the Ciphertext of the data block and ICV.]

III. Common Attacks against Wireless LANs

802.11 wireless LANs have a variety of weaknesses that can be exploited by an attacker. Not only are wireless networks susceptible to attacks based on TCP/IP, but wireless networks are also susceptible to attacks based on the 802.11 protocol. Some of the common attacks are described here. (Some of the common attack tools will be described later.)

Information Gathering

Snooping information, such as corporate secrets, can give an adversary an advantage. Encryption can be used to make it more difficult for an attacker to access sensitive data. However, there is other information that may be useful to an attacker which is not protected by encryption.

WLAN Discovery

Frequently, the first step in an attack is to discover something about the system you wish to attack. For WLANs, it is useful to locate wireless access points, MAC addresses, SSIDs, operating channels used, and whether WEP is used. Scanning software such as NetStumbler can accomplish this task with ease.

Traffic Sniffing / Traffic Analysis

Although messages may be encrypted, external information is available. This information includes the frequency of messages, the timing of messages, the size of the packets, and which devices on the network are being used. From this information, an attacker could identify the network protocol in use, and the kind of activity that is occurring on the network. For example, an attacker could watch for DHCP discover messages, or determine that a user is browsing the web.

Masquerading

Here, an attacking device pretends to be a valid device. If the attacking device is successful in fooling the network into validating it, the attacker has all the access rights that the valid device established. This type of attack will be difficult to detect, unless the attacker behaves in ways that a valid user would not.

“Identity” Theft

Recall that it is easy to use scanning software to discover the SSIDs, MAC addresses, and other information about authorized devices on the WLAN. An attacker could then use this information to “impersonate” the authorized device and connect to the WLAN. Then the attacker could steal network bandwidth, corrupt or access files, or launch other types of attacks.

MAC Address Spoofing

As described above, it is common for wireless devices to authenticate to an access point using a MAC address. However, it is easy for an attacker to spoof a MAC address. Using software tools for WLAN discovery, an attacker can sniff MAC addresses on a WLAN. Once the attacker knows an authorized MAC address, the attacker can easily modify his MAC address to match, using a software tool such as SMAC. MAC address spoofing is the type of attack used by Joseph Duncan and Joshua Fanning in their successful attack on the Oregon State University wireless network in Spring of 2003, described in DUNC2003.

Malicious Associations

An attacker can use a tool such as HostAP to set up a rogue access point in the WLAN coverage area. This rogue access point can be used for “identity theft” attacks, such as stealing network bandwidth. It can be introduced by a user to create a backdoor into a wired LAN. It can also be used for a variety of other attacks, such as man-in-the-middle attacks, and Denial of
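The three WEP weaknesses from the Encryption section of Part II (keystream reuse under a repeated IV, the linearity of the CRC-32 ICV, and the 24-bit IV exhaustion estimate), as an added Python illustration that is not code from the paper. The key, IV and frame contents are constructed sample values, and the frame layout is simplified to IV followed by RC4(IV || key) XOR (data || ICV).

```python
# Added illustration of the WEP properties the paper describes (not the
# paper's code): RC4 keystream reuse under a repeated IV, the linearity of
# the CRC-32 ICV, and the IV exhaustion estimate. Keys, IVs and frame
# contents used with these functions are constructed sample values.
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encapsulate(secret: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP-style frame body: IV in the clear, then RC4(IV || secret) XOR (data || ICV)."""
    icv = zlib.crc32(data).to_bytes(4, "little")
    return iv + xor(data + icv, rc4_keystream(iv + secret, len(data) + 4))

def keystream_reuse_leak(secret: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same IV and key: XORing the two ciphertexts cancels
    the shared keystream and yields p1 XOR p2 without any knowledge of the key."""
    c1 = wep_encapsulate(secret, iv, p1)[len(iv):]
    c2 = wep_encapsulate(secret, iv, p2)[len(iv):]
    return xor(c1, c2)[:min(len(p1), len(p2))]

def crc32_is_linear(data: bytes, delta: bytes) -> bool:
    """CRC-32 is affine: crc(data ^ delta) == crc(data) ^ crc(delta) ^ crc(0...0),
    so the ICV change caused by flipping bits depends only on which bits flip."""
    zeros = bytes(len(data))
    return zlib.crc32(xor(data, delta)) == (
        zlib.crc32(data) ^ zlib.crc32(delta) ^ zlib.crc32(zeros))

def iv_exhaustion_seconds(packet_bytes: int = 1500, rate_bps: float = 11e6) -> float:
    """Seconds until a 24-bit IV space wraps at a steady stream of full-size packets."""
    return 2 ** 24 * (packet_bytes * 8) / rate_bps
```

With the paper's figures (1,500-byte packets at 11Mbps) `iv_exhaustion_seconds()` comes to a little over 18,000 seconds, the "about five hours" quoted above.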
