Recommended
More Related Content
What's hot
What's hot (8)
Viewers also liked
Viewers also liked (10)
Similar to Wireless Security
Similar to Wireless Security (20)
Recently uploaded
Recently uploaded (20)
Wireless Security
- 1. Wireless security The Competa Plane <XlexiT> ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 1
- 2. Wireless security See if it Flies .... <XlexiT> ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 2
- 3. Wireless security Me • Rudi van Drunen • Senior Consultant & CTO Competa IT • Design, Deliver and Maintain Complex IT Infrastructure • CTO XlexiT Technology B.V. <XlexiT> • Wireless / Embedded / Networking • Tech Guru Wireless Leiden • Largest wireless community network in NL ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 3
- 4. Wireless security This Talk • Attacks • What to do about it, Applied to wireless • RF level • Protocol level • Encryption <XlexiT> • Authentication • Application level ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 4
- 5. Wireless security Hierarchy Attacks Passive Active <XlexiT> Eavesdropping Denial Replay of Service Traffic analysis Masquerade Message Modification ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 5
- 6. Wireless security Passive • Eavesdropping • Need signal • Decrypt if needed <XlexiT> • Traffic Analysis • Get data from signal and traffic ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 6
- 7. Wireless security Active (1) • Denial of Service • Radio Level (microwave method) • <XlexiT> Flooding AP with packets • Disconnect messages ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 7
- 8. Wireless security Active (2) • Replay • Listen to the traffic, get SSID, MAC • replay and associate, masquerade <XlexiT> • Message modification • Rogue Accesspoint ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 8
- 9. Wireless security 802.11 alphabet soup • 802.11a 5 GHz WLAN • 802.11b 2.4 GHz WLAN • 802.11c Bridging between APs • 802.11d Global frequency harmonization • 802.11e MAC level enhancements for QoS • <XlexiT> 802.11f Inter Access Point Protocol for Roaming • 802.11g High Rate 2.4 GHz WLAN • 802.11h ETSI requirements of Dynamic Frequency Selection and Transmitter Power Control • 802.11i Security Enhancements • 802.11n Super Fast WLAN (mimo) ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 9
- 10. Wireless security Wireless • RF Level ... • <XlexiT> cf. ethernet level..... ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 10
- 11. Wireless security leaky building ... <XlexiT> ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 11
- 12. Wireless security Antennae <XlexiT> Omnidirectional Directional ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 12
- 13. Wireless security Shaping coverage <XlexiT> ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 13
- 14. Wireless security Site Survey <XlexiT> - Outside-in - Use Antennas (remember:Leaky building) - Check RF interference ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 14
- 15. Wireless security Protocol Level • Encryption • WEP, WPA, WPA2 • Key management • Authorization - Authentication <XlexiT> • 802.1x, RADIUS • EAP Methods • Cooking it up: WPA2 with EAP-TLS ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 15
- 16. Wireless security WEP <XlexiT> ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 16
- 17. Wireless security Next please ... • 802.11i • WPA • Transient Security Network (TSN) • TSN = TKIP + WPA(1) + Radius <XlexiT> • Temporal keys, Message Integrity Check • WPA2 • Robust Security Network (RSN) • RSN = CCMP + WPA(2) + Radius ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 17
- 18. Wireless security WPA • 802.11i framework • Try to fix the flaws introduced in WEP • TKIP, MIC, tsc • Keep backwards compatible <XlexiT> • (HW level (should be firmware update)) • Add authentication layer (802.1x) ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 18
- 19. Wireless security WPA <XlexiT> ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 19
- 20. Wireless security WPA2 <XlexiT> ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 20
- 21. Wireless security Key managment • Pairwise Keys • Between EACH client and AP different pair • Computed / Distributed @association time • Unicast <XlexiT> • Group Keys • Same key between AP and every client • Broadcast (and multicast) ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 21
- 22. Wireless security Key Hierachy • Pairwise master key (PMK) • From Auth server (or pre-shared) • Generated during authentication (tls/ssl) • WPA: Radius server sends PMK to AP • From PMK AP derives Temporal keys <XlexiT> • Pairwise Transient Keys • Data Encryption ,Integrity keys ; EAPOL keys • These keys are used in encryption engines ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 22
- 23. Wireless security Authentication • 802.1x • Not part of 802.11 suite <XlexiT> • Can also be used on wired networks. ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 23
- 24. Wireless security Authentication: Radius • Component in 802.1x • Other Applications in Wireless • MAC Address authentication <XlexiT> • NOT SECURE ! • Captive Portal • nocat, m0n0wall (www.m0n0.ch/wall) ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 24
- 25. Wireless security 802.1x + RADIUS <XlexiT> ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 25
- 26. Wireless security Cooking it up • EAP-TLS enterprise in time • Authentication mechanism • Key distribution mechanism • Other fun things wpa <XlexiT> • WPA @home ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 26
- 27. Wireless security EAP-TLS <XlexiT> ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 27
- 28. Wireless security EAP-TLS <XlexiT> ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 28
- 29. Wireless security Fun things WPA • Key caching • Returning authenticated client • send (PM)Key name in associate request • AP start 4-way handshake <XlexiT> • AP verifies PMKey • Pre-authentication • Makes Roaming seamless and faster ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 29
- 30. Wireless security WPA@home • No Radius server • Primary Master Key as Shared Secret • Key generation from password (rfc 2898) • good passwords: https://www.grc.com/passwords <XlexiT> • AP and Client have same PMK • 4 way handshake between AP - Client • Client / AP derive temporal keys for encryption ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 30
- 31. Wireless security WPA-PSK Overview <XlexiT> ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 31
- 32. Wireless security Application Level • VPN (ipsec, OpenVPN) • Some Setup required • SSL connections • <XlexiT> You thought everything did ssl, right ?! • Captive portals • Hotspot model ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 32
- 33. Wireless security Questions ?! <XlexiT> R.van.Drunen@competa.com ver. 1.3 © 2008 R.van.Drunen@competa.com Slide 33