Network Security Lecture 03: WiFi Security PDF

Summary

This document, titled 'Network Security, Lecture 03: Wi-Fi Security', is a lecture presentation on Wi-Fi security for a computer science course. It covers various aspects of Wi-Fi infrastructure, security protocols, and vulnerabilities. The lecture notes are for the 2024 academic year.

Full Transcript

Network Security

Lecture 03: WiFi Security
Prof. Dr. Sahar M. Ghanem
Associate Professor
Computer & Systems Engineering Dept.
Faculty of Engineering, Alexandria University
Prerequisites
Medium Access Control (MAC) Address
Address Resolution Protocol (ARP)
RC4 stream cipher
AES

Network Security 2024, (c) Sahar M. Ghanem 2
Outline
WiFi Architecture
WiFi Frame
WiFi Security Services
WiFi Security Standards
WiFi Vulnerability
WPA2-PSK attack, 2017
WEP Attacks
aircrack-ng tool

Network Security 2024, (c) Sahar M. Ghanem 3
WiFi Standards
IEEE 802.11 wireless LAN standards is known as WiFi (Wireless
Fidelity) that defines
frame structure
medium access protocol
internetworking with wired Ethernet LANs

Network Security 2024, (c) Sahar M. Ghanem 4
Network Security 2024, (c) Sahar M. Ghanem 5
Network Security 2024, (c) Sahar M. Ghanem 6
WiFi Architecture (1/4)
The fundamental building block is the basic service set (BSS).
A BSS contains one or more wireless stations and a central base
station, known as an access point (AP).
As with Ethernet devices, each 802.11 wireless station has a 6-byte
MAC address that is stored in the firmware of the station’s adapter
(i.e. network interface card).
Each AP also has a MAC address for its wireless interface.
As with Ethernet, these MAC addresses are administered by IEEE and
are (in theory) globally unique.

Network Security 2024, (c) Sahar M. Ghanem 7
WiFi Architecture (2/4)
When a network administrator installs an AP, the administrator
assigns a one or two-word Service Set Identifier (SSID) to the access
point.
The administrator must also assign a channel number to the AP.
802.11 operates in the frequency range of 2.4 GHz to 2.4835 GHz.
Within this 85 MHz band, 11 partially overlapping channels are defined.
A WiFi jungle is any physical location where a wireless station
receives a sufficiently strong signal from two or more APs.

Network Security 2024, (c) Sahar M. Ghanem 8
WiFi Architecture (3/4)
Each of these APs is located in a different IP subnet and would have
been independently assigned a channel.
A wireless device needs to join exactly one of the subnets and needs
to associate with exactly one of the APs.
The wireless device creates a virtual wire between itself and the associated
AP.
An AP periodically send beacon frames, each of which includes the
AP’s SSID and MAC address.
A wireless device, knowing that APs are sending out beacon frames,
scans the 11 channels, seeking beacon frames from any APs
This type of scanning is known as passive scanning.

Network Security 2024, (c) Sahar M. Ghanem 9
WiFi Architecture (4/4)
A wireless device can also perform active scanning, by broadcasting a
probe frame that will be received by all APs within the wireless device’s
range and then the APs respond with a probe response frame.
Once associated with an AP, the device will want to join the subnet to
which the AP belongs by sending a DHCP discovery message.
The wireless device is required to authenticate itself to the AP either
based on a device’s MAC address or
employs username and password
The AP can communicate with an authentication server using a protocol
such as RADIUS or the recently standardized DIAMETER protocol.

Network Security 2024, (c) Sahar M. Ghanem 10
Network Security 2024, (c) Sahar M. Ghanem 11
Multiple Access Control (MAC) Protocol
Because multiple wireless devices, or the AP itself may want to
transmit data frames at the same time over the same channel, a
multiple access protocol is needed to coordinate the transmissions
There are three classes of multiple access protocols: channel
partitioning, random access, and taking turns.
The designers of 802.11 chose a random access protocol that is
referred to as carrier sense multiple access with collision avoidance
(CSMA/CA).

Network Security 2024, (c) Sahar M. Ghanem 12
Network Security 2024, (c) Sahar M. Ghanem 13
WiFi Frame
The payload, which typically consists of an IP datagram or an ARP
packet.
It has four address fields, each of which can hold a 6-byte MAC
address.
Three address fields are needed for moving the network-layer datagram from
a wireless station through an AP to a router interface.
The fourth address field is used in ad hoc mode.
The WEP field indicates whether encryption is being used or not.

Network Security 2024, (c) Sahar M. Ghanem 14
WiFi Security Services
WiFi Security handles:
Mutual authentication. The network will typically want to first
authenticate the device (verify its identity and to check its access
privileges). Similarly, the mobile device will want to authenticate the
network to which it is attaching.
Encryption. Encrypting link-level frames carrying user-level data
exchanged between the mobile device and the access point (AP). The
mobile device and AP will need to derive the symmetric encryption
and decryption keys to be used.

Network Security 2024, (c) Sahar M. Ghanem 15
Network Security 2024, (c) Sahar M. Ghanem 16
WiFi Authentication (1/5)
For authentication, the AP serves as a pass-through device, relaying
authentication and key derivation messages between the mobile
device and the authentication server.
The process of mutual authentication and encryption-key derivation
has four distinct phases:
1. Discovery
2. Mutual authentication and shared symmetric key derivation
3. Shared symmetric session key distribution
4. Encrypted communication between mobile device and a remote host via the
AP

Network Security 2024, (c) Sahar M. Ghanem 17
WiFi Authentication (2/5)
Discovery:
The AP advertises its presence and the forms of authentication and
encryption that can be provided to the mobile device.
The mobile device then requests the specific forms of authentication
and encryption that it desires.

Network Security 2024, (c) Sahar M. Ghanem 18
WiFi Authentication (3/5)
Mutual authentication and shared symmetric key derivation:
Assuming that the authentication server and the mobile device
already have a shared common secret before starting mutual
authentication.
The device and the authentication server will use this shared secret
along with nonces and cryptographic hashing in authenticating each
other.
They will also derive the shared session key to be used by the mobile
device and the AP to encrypt frames transmitted over the 802.11
wireless link.
Network Security 2024, (c) Sahar M. Ghanem 19
WiFi Authentication (4/5)
Shared symmetric session key distribution:
Since the symmetric encryption key is derived at the mobile device
and the authentication server, a protocol will be needed for the
authentication server to inform the AP of the shared symmetric
session key.

Network Security 2024, (c) Sahar M. Ghanem 20
WiFi Authentication (5/5)
Encrypted communication between mobile device and a remote host via
the AP:
This communication happens with the link-layer frames sent between
the mobile device and the AP being encrypted using the shared
session key created and distributed.
AES symmetric key cryptography, is typically used in practice.

Network Security 2024, (c) Sahar M. Ghanem 21
WiFi Security Standards
The original 802.11security specification known collectively as Wired
Equivalent Privacy (WEP) contained a number of serious security flaws.
WiFi Protected Access (WPA1) was developed in 2003 to overcome WEP’s
security flaws.
WPA1 soon gave way to WPA2, which mandated the use of AES symmetric
key encryption.
At the heart of WPA is a four-way handshake protocol that performs both
mutual authentication and shared symmetric session-key derivation.
WPA3 was released in June 2018 as an update to WPA2.

Network Security 2024, (c) Sahar M. Ghanem 22
Network Security 2024, (c) Sahar M. Ghanem 23
Four-way handshake Protocol (1/2)
Mutual authentication and shared symmetric session-key derivation
are accomplished in the first two steps of the four-way handshake.
The other steps are used to derive a second key used for group
communication.
Both the mobile device (M) and the authentication server (AS) begin
knowing a shared secret key 𝑲𝑨𝑺−𝑴 (e.g., a password).
Them derive a shared symmetric session key, 𝑲𝑴−𝑨𝑷 , which will be
used to encrypt/decrypt frames.

Network Security 2024, (c) Sahar M. Ghanem 24
Four-way handshake Protocol (2/2)
First, the authentication server (AS) generates a nonce, 𝑵𝒐𝒏𝒄𝒆𝑨𝑺 ,
and sends it to the mobile device.
The mobile device, M, receives the nonce and generates its own
nonce, 𝑵𝒐𝒏𝒄𝒆𝑴.
Then generates the symmetric shared session key, 𝑲𝑴−𝑨𝑷 and sends ,
𝑵𝒐𝒏𝒄𝒆𝑴 , and a signed value that encodes 𝑵𝒐𝒏𝒄𝒆𝑨𝑺 and 𝑲𝑨𝑺−𝑴.
The session key, 𝑲𝑴−𝑨𝑷 , is generated by M and AS using 𝑵𝒐𝒏𝒄𝒆𝑨𝑺 ,
𝑵𝒐𝒏𝒄𝒆𝑴 , 𝑲𝑨𝑺−𝑴 , M MAC address, and AS MAC address.
The AS informs the AP of this key value.

Network Security 2024, (c) Sahar M. Ghanem 25
WiFi Vulnerability

Network Security 2024, (c) Sahar M. Ghanem 26
WiFi Encryption
WiFi communications are encrypted with WEP (Wired Equivalent
Privacy), WPA (WiFi Protected Access), or WPA2 protocol.
RC4 is used for packet-based data encryption in both WEP and WPA.
WPA2, on the other hand, uses the AES block cipher.
WEP would be considered to be a highly unsafe protocol for use
today in practically any context.

Network Security 2024, (c) Sahar M. Ghanem 27
WiFi Authentication (1/2)
Authentication to be carried out with a Pre-Shared Key (PSK).
A PSK is 10 manually specified hex digits for the case of WEP.
For WPA and WPA2, PSK is derived with a key derivation function
from a shared secret passphrase/password.
The passphrase would become the shared secret amongst the
allowed users of the WiFi router.
WPA2-PSK is also referred to as WPA2-Personal for SOHO (small office
and home) applications.

Network Security 2024, (c) Sahar M. Ghanem 28
WiFi Authentication (2/2)
WPA2 can also be used in a more secure enterprise mode, in which
case it is referred to as WPA2-Enterprise.
Client authentication in WPA2-Enterprise is carried out on a per user
basis and also allows for 2-factor authentication and authentication
with certificates.
The authentication services in WPA2-Enterprise involves three
agents: a client/supplicant, an authenticator/AP, and an
authentication server for verifying the login credentials.

Network Security 2024, (c) Sahar M. Ghanem 29
KRACK attack, 2017
A serious vulnerability in the WPA2-PSK protocol is discovered that
known as KRACK: Key Reinstallation AttaCK.
The cause of the vulnerability was NOT a bug in an implementation
of the protocol, but in the WiFi standard itself.
This vulnerability is in the 4-way handshake that is used to establish
a randomly generated key for AES based encryption.
The attack allows the platform to be tricked into (re)installing an all-
zero encryption key.

Network Security 2024, (c) Sahar M. Ghanem 30
RC4 in WEP (1/3)
It is educational to see how RC4 was used in WEP and why that led to
the demise of WEP.
The WEP protocol requires each packet to be encrypted separately
with its own RC4 key.
If the same keystream is used for two different plaintext byte
streams, an XOR of the corresponding ciphertext streams becomes
independent of the keystream and that can create a backdoor to
extracting the plaintext stream from the ciphertext stream.

Network Security 2024, (c) Sahar M. Ghanem 31
RC4 in WEP (2/3)
The RC4 key for each packet is a simple concatenation of a 24-bit
Initialization Vector (IV) and the root key (AP’s security code).
While the root key remains fixed over all the packets, the value of IV
is incremented from one packet to the next.
The official WEP standard only calls for 40-bits for the root key (10
hex characters) and there is also support for 104-bit root key.
The RC4 key for a packet is then used to encrypt the data followed by
its ICV value.

Network Security 2024, (c) Sahar M. Ghanem 32
RC4 in WEP (3/3)
The problem is that the root key remains fixed for long periods of
time (in home use, people almost never change their root keys) and
the IV has only 24 bits in it.
This implies that distinct keystreams can be generated for only 2^24
(around 16 millions) different packets.
This implies that the same keystream will be used for different
packets in a long session.
Since the IV is sent in plaintext, anyone with a packet sniffer can
directly see the first three bytes (IV) of the RC4 key used for a packet.

Network Security 2024, (c) Sahar M. Ghanem 33
WPA
WPA provides enhanced security because it uses a 48-bit Initialization
Vector.
WPA is merely a just slightly-more-secure wrapper around WEP and
suffers from the basic RC4-based weaknesses as WEP.
WPA2 does NOT use RC4 instead it uses AES in the Counter mode
(CTR).

Network Security 2024, (c) Sahar M. Ghanem 34
WEP Attacks

Network Security 2024, (c) Sahar M. Ghanem 35
FMS Attack, 2001
FMS attack, named after Fluhrer, Mantin, and Shamir in their
publication “Weaknesses in Key Scheduling Algorithm of RC4”.
The attack describes how to guess the key bytes when the 3-byte
Initialization Vector satisfies certain properties but the attack require
a large amount of data (4 million packets).
In 2004, this attack was made stronger where the key bytes could be
guessed with about 500,000 packets (KoreK attack).

Network Security 2024, (c) Sahar M. Ghanem 36
Klein Attack, 2008 (1/3)
Klein Attack for figuring out the WEP root key.
This attack is based on combinatorial analysis of the pseudorandom
sequence produced by the RC4 algorithm.
It was shown that strong correlations exist in the byte sequence
produced by the pseudorandom byte generation algorithm.
The attack proposed by Klein is a plaintext-ciphertext attack.

Network Security 2024, (c) Sahar M. Ghanem 37
Network Security 2024, (c) Sahar M. Ghanem 38
Klein Attack, 2008 (2/3)
An easy way to collect the needed plaintext-ciphertext pairs is for the
attacker’s wireless interface to send a large number of repeated ARP
(Address Resolution Protocol) requests to the wireless AP being
attacked and collect the response packets to be harvested.
The attacker can make good guesses for the fields that come before
the “Data” field even it is encrypted.
These plaintext bytes can be XOR’ed with the ciphertext bytes to
recover several initial bytes of the pseudorandom sequence that was
generated by the RC4 algorithm.

Network Security 2024, (c) Sahar M. Ghanem 39
Klein Attack, 2008 (3/3)
For WEP, the first three bytes of the key used for each packet are the
three bytes of the Initialization Vector that is transmitted in plaintext.
To apply the Klein attack to WEP, you start with knowing the first
three bytes of the key and then using Klein’s recursive reasoning to
figure out the bytes of the root key.

Network Security 2024, (c) Sahar M. Ghanem 40
PTW Attack, 2007
The publication “Breaking 104 Bit WEP in Less Than 60 Seconds” by
Tews, Weinmann, and Pyshkin.
This attack removed an important shortcoming of the Klein attack’s
need to calculate the key bytes recursively.
The key bytes are calculated independently.
Although it is incredibly fast and requires not much data, the main
limitation of PTW is that it can only crack 40 and 104 bit keys.

Network Security 2024, (c) Sahar M. Ghanem 41
aircrack-ng tool
aircrack-ng is a tool for recovering the WEP encryption key in under a
minute.
The tool gets a wireless interface to establish fake associations and
fake authentications with the attacked access point.
Then, the wireless interface mounts a replay attack on the attacked
access point for the purpose of acquiring a large number of ARP
packets with different initialization vectors.

Network Security 2024, (c) Sahar M. Ghanem 42
Before the Attack
Identify the AP MAC address and the channel it is using (iwlist command).
Create a Monitor Mode of the wireless interface that is usually operates in
the Managed Mode. This mode allows to capture packets going to and
coming off an AP without having to associate with it (airmon-ng
command).
Supply the wireless interface created in the Monitor Mode with a MAC
address that’s distinct and different from that of the Managed Mode
wireless interface (macchanger command).
A script (StartMonitorModeInterface.sh) is provided in which are packaged
the various steps.

Network Security 2024, (c) Sahar M. Ghanem 43
The Attack Steps
Step 1: As root, execute the shell script
StartMonitorModeInterface.sh

Step 2: In a separate window, execute the following command as root to inject and
replay the ARP packets

aireplay-ng -2 -p 6000 -c FF:FF:FF:FF:FF:FF -b xx:xx:xx:xx:xx:xx -h 00:11:22:33:44:55 mon0

Step 3: Both windows will show a continuously changing readout. After capturing a large
enough collection of packets (say, around 100,000 packets) kill both of those jobs and
execute as root

aircrack-ng -b xx:xx:xx:xx:xx:xx mydumpfile-01.cap

Network Security 2024, (c) Sahar M. Ghanem 44
Assignment 3
How to set a WiFi authentication server (RADIUS or DIAMETER)?
Wireshark ARP lab
aircrack-ng assignment

Network Security 2024, (c) Sahar M. Ghanem 45