Friday, May 14, 2010

Unsecured Wifi and we----------Part-3

What is Secure in Wifi.

Dear Friends,
As I promised you earlier that my wifi series posting will be interesting to all you so my friend Sudipta of Future Netwings (www.futurenetwings.com) again has come to stretch his hand to make you understand why WPA-2 is secure and how much secure. So lets have a look:

WPA2 compliments TKIP and the improved data integrity control algorithm with more secured encryption mechanism called Advanced Encryption Standard (AES) - Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). In other words, this means an improved encryption algorithm. Experts say that AES-CCMP is robust enough to be used for government data security purposes.

WPA2 also has two flavours - WPA2-PSK and WPA2-802.1x Just like WPa-802.1x WPA2-802.1x would require integration of the Access Points with a Directory server using RADIUS.

Release time: July 2004
Encryption: TKIP
Authentication: PSK or 802.1x
Suitable for Corporate: For Corporate WPA2-802.1x needs to be implemented where the authentication database would reside on the Active Directory or any other LDAP directory. WPA2-PSK may also be used alternatively.
Suitable for Home/Small Business: WPA2-PSK is sufficient for home/SMB.
Cracking: Though there are rumours, it is safe to consider WPA2 as not crackable.


Therefore, for Home/SMBs the order of choice needs to be WPA2-PSK>WPA-PSK>WEP. In addition to this one should also do MAC- binding in the APs for the clients.

However the Corporates should implement 802.1x versions of WPA or WPA2. We have found EAP-TLS implementations with WPA2 and an in-house certificate server very strong in terms of security.

Pl keep in touch with my forthcoming interesing articles on wifi.

Thanking you

Urproblemmusolution Team

4 comments:

Sitanshu said...

Dear Sujit/Sudipto,

Thank you for a fantastic article on WLAN Security.

I thought that our readers deserve a bit more. There are many advanced users who would like to know more about TKIP, MIC, WPA, WPA2.

I'm therefore posting this article to explain to our valuable advanced readers the inner details of TKIP and MIC.

TEMPORAL KEY INTEGRITY PROTOCOL (For upgrading a WEP based Wi-Fi Network)

The (TKIP) Temporal key Integrity Protocol was an interim solution developed to fix the key reuse problem of WEP. By key reuse we mean that a single key was used to encrypt all packets in the transmission. Once you examined enough packets as mentioned in an earlier posting you could build the key using XOR operations (WEP Key Builder uses that concept)
TKIP later became part of the 802.11i and subsequently part of WPA and WPA2 standards. I have mentioned in a previous posting that both WPA and WPA2 are interim steps towards moving to 802.11i.

TKIP was included in the 802.11i standards for backwards compatibility. The 802.11i standard did not want to use a cipher based RC4, so they chose AES (Advanced Encryption Standard). TKIP was put into 802.11i for the sole reason of helping older devices transition to 802.11i. To do this, 802.11i needed to support a protocol that could easily upgrade WEP to something safe enough to include in 802.11i.. WEP as we all know was weak and flawed. Using TKIP protected against attacks and reduced the overall risk of operating a wireless network.
Today, Cisco differentiates its versions of TKIP and the standard one by calling it the Cisco Key Integrity Protocol (CKIP).
The TKIP encryption portion works in a two-phase process. The first phase generates a session key from a temporal key, TKIP sequence counter (TSC), and the transmitter’s MAC address. The temporal key is made up of a 128-bit value similar to the base WEP key value. The TKIP sequence counter (TSC) is made up of the source address (SA), destination address (DA), priority, and the payload or data. Once this phase is completed, a value called the TKIP-mixed transmit address and key (TTAK) is created. This value is used as a session-based WEP key in the second phase.
In the second phase, the TTAK and the IV are used to produce a key that encrypts the data. This is similar to how WEP is processed. In WEP the first 24 bits of the IV are added in front of the WEP key and then used to create an encryption key that is applied to the data. Then the IV is inserted into the packet header.
The basis of TKIP came from the WEP protocol. In the 802.11i standard, TKIP is referred to as a cipher suite enhancing the WEP protocol on pre- RSNA hardware. This is espoused because RC4 is still used as a cipher, although the technique in which it is used has improved greatly.

The article continues.....

Sitanshu said...

Dear All,

This is second part of the previous article I posted. Consider is the next page of the same article.

TKIP Message Integrity Check (MIC)

Similar to TKIP, the Message Integrity Check (MIC) had also many versions before 802.11i defined it as a single standard. Once this was done, MIC became known as Michael although the acronym MIC still remains. Today with 802.11i, ratified MIC is Michael and vice versa. The protocol itself was created to help fight against the many message modification attacks that were prevalent in the WEP protocol. The IEEE 802.11i standard describes the need for MIC in the following quote: “Flaws in the IEEE 802.11 WEP design cause it to fail to meet its goal of protecting data traffic content from casual eavesdroppers. Among the most significant WEP flaws is the lack of a mechanism to defeat message forgeries and other active attacks. To defend against active attacks, TKIP includes a MIC, named Michael.” The MIC was created as a more secure method of handling integrity checking compared to the IVC in WEP.
The MIC is a hash that is calculated on a per-packet basis. This means a single MIC hash could span multiple frames and handle fragmentation. The MIC is also on a per-sender, per-receiver basis. This means that any given conversation has a MIC flowing from sender A to receiver B and a separate MIC flowing from sender B to receiver A.
The MIC is based on seed value, destination MAC, source MAC, priority, and payload. Unlike IC, MIC uses a hashing algorithm to stamp the packet, giving an attacker a much smaller chance to modify a packet and have it still pass the MIC. The seed value is similar to the WEP protocol’s IV. TKIP and MIC use the same IV space, although they have added an additional four octets to it. This was done to make the threat of using the same IV twice in a short time period less likely.
The MIC is also encrypted inside the data portion, which means it is not obtainable through a hacker’s wireless sniffer. To add to this, the TKIP also left the WEP IVC process, which then adds a second, less secure method of integrity checking on the entire frame. To combat message modification attacks, the TKIP and MIC went a step further and introduced the TKIP countermeasures procedures. This is a mechanism designed to protect against modification attacks. It works by having an access point shut down its communications if two MIC failures occur in 60 seconds. In this event, the access point would shut down for 60 seconds. When it comes back up, it would require that all clients trying to reconnect change their keys and undergo a re-keying. Some vendors allow one to define these thresholds, although the MIC standard calls out these values.
To prevent noise from triggering a TKIP countermeasure procedure, the MIC validation process is performed after a number of other validations. The validations performed before the MIC countermeasure validation are the frame check sum (FCS), integrity check sum (ICV), and TKIP sequence counter (TSC). If noise was to interfere with the packet and modify it, one of these other checks would be able to find it first, thus preventing the frame from incrementing the MIC countermeasure counter.

Sitanshu said...

Dear Sujit,

There a technique for Securing your Wireless Networks called RF Shielding.

Indoor wireless LANs transmit radio frequency (RF) signals that often propagate outside the physically controlled area of a building (a security risk) that hackers can use to connect to your network, and RF signals originating from outside the facility penetrate the walls and interfere with the operation of the wireless LAN (resulting in performance reduction). As a result, the idea of applying a RF shield around the perimeter of the building is a worthy contemplation.

There is an area of Science called Bionics. Several technologies have been borrowed from Nature. Radar, Sonar and even Ultra Sound Imaging were discovered by watching the echolocation of Bats. The hull of a ship is shaped like the back of a Dolphin. Similarly non-stick paint was invented by studying the Lotus Flower Petals to which nothing sticks.

This same Lotus Effect has been further improved by companies in USA, Germany and France to create a type of Paint and Window Film Peels that you can use to Paint the Perimeter of your building or the Walls of the room where your AP (Access Point) is located. Similarly Paint Peels are available for the Windows in your room. This will weaken the RF signal to the point that it cannot used to Access your Wireless Network from outside.

Suppose your Wireless Network is working at Signal Strength of -50 Dbm. This Paint will attenuate your Signal by -80 Dbm. Now your RF Signal Strength is -130 Dbm. This
is well below receive sensitivity of 802.11/Wi-Fi client devices.

Combine this technique with Directional Antennae. This way the RF Signal moves only in a certain direction. So you now control where the Signal can move to. And finally do not broadcast your SSIDs (Service Set Ids).

This will make sure no one can detect you. You get “Security through Obscurity”

Regards,
Sitanshu Ray

Sitanshu said...

Dear Sujit,

Indoor wireless LANs transmit radio frequency (RF) signals that often propagate outside the physically controlled area of a building (a security risk) that hackers can use to connect to your network, and RF signals originating from outside the facility penetrate the walls and interfere with the operation of the wireless LAN (resulting in performance reduction). As a result, the idea of applying a RF shield around the perimeter of the building is a worthy contemplation.

There is an area of Science called Bionics. Several technologies have been borrowed from Nature. Radar, Sonar and even Ultra Sound Imaging were discovered by watching the echolocation of Bats. The hull of a ship is shaped like the back of a Dolphin. Similarly non-stick paint was invented by studying the Lotus Flower Petals to which nothing sticks.

This same Lotus Effect has been further improved by companies in USA, Germany and France to create a type of Paint and Window Film Peels that you can use to Paint the Perimeter of your building or the Walls of the room where your AP (Access Point) is located. Similarly Paint Peels are available for the Windows in your room. This will weaken the RF signal to the point that it cannot used to Access your Wireless Network from outside.

Suppose your Wireless Network is working at Signal Strength of -50 Dbm. This Paint will attenuate your Signal by -80 Dbm. Now your RF Signal Strength is -130 Dbm. This
is well below receive sensitivity of 802.11/Wi-Fi client devices.

Combine this technique with Directional Antennae. This way the RF Signal moves only in a certain direction. So you now control where the Signal can move to. And finally do not broadcast your SSIDs (Service Set Ids).

This will make sure no one can detect you. You get “Security through Obscurity”