Wireless Network Security

2021-12-13

1. background

1.1. Categories of wireless networks

Wireless Personal Area Network (WPAN)
- Bluetooth
Wireless Local Area Network (WLAN)（Wi-Fi）
- IEEE 802.11a/b/g/n
Wireless Wide Area Network (WWAN)
- Mobile phone networks (5G/4G/3G/GPRS/CDMA)

1.2. IEEE802.11 (WLAN)

1.2.1. Infrastructure mode

服务集（Service set）
是无线局域网中的一个术语，用以描述802.11无线网络的构成单位（一组互相有联系的无线设备），使用服务集标识符（SSID）作为识别。可以分为独立基本服务集（IBSS）、基本服务集（BSS）和扩展服务集（ESS）三类
BSS (Basic Service Set or cell)
- an AP (Access Point（接入点）, or base station（基站）) + wireless stations.
ESS (Extended Service Set)
- two or more BSSes interconnected by a Distributed System (a cable, a wired network, or another WLAN).
All communications are via APs
SSID：Service Set Identifier
- 基本服务集标识符（BSSID），表示的是AP的数据链路层的MAC地址
- 扩展服务集定标识符（ESSID），一个最长32字节区分大小写的字符串,表示无线网络的名称

1.2.2. Ad hoc mode(对等拓扑模式)

也就是独立基本服务集（IBSS）

Used when no pre-defined infrastructure – stations/clients communicate directly without any AP

1.3. Security threats

WLANs use radio signal, making them more vulnerable to both passive and active attacks than their wired counterparts

Monitor or eavesdrop channels
Impersonate a legitimate AP
Man-in-the-middle
Denial of Service (DoS) attack

2. Original 802.11 Security

2.1. Wired Equivalent Privacy (WEP)

有线等效加密

The first WLAN security specification
又称无线加密协议（Wireless Encryption Protocol）
标准的64比特WEP使用40比特的钥匙接上24位的初向量（initialization vector，IV）成为RC4用的钥匙
2003年被淘汰
因为RC4是流加密的一种，同一个钥匙绝不能使用二次，所以使用（虽然是用明文发送的）IV的目的就是要避免重复；然而24位的IV并没有长到足以担保在忙碌的网络上不会重复，而且IV的使用方式也使其可能遭受到关连式钥匙攻击。

2.2. Station-to-AP Authentication

Open System Authentication (Using Service Set Identifier (SSID))

Each client can connect to AP by just supplying the correct SSID

PSK (pre-shared/WEP key) Authentication（预分享密钥认证）

Client requests association with AP (Association Request【**关联请求(帧)**】)
AP returns a Challenge, n, a random number, also called nonce.
Client encrypts n using the pre-set WEP key (WKey) and sends it back
AP compares decrypted challenge with transmitted one to accept/reject
Client is accepted if {n xor RC4(WKey)} xor RC4(WKey’)=n’; where WKey’ is AP’s copy of the WEP key; n’ is AP’s copy of the challenge
The authN is vulnerable to interception and replay attacks, provided WKey is reused
1. lack of key management

MAC Address Filtering

Each AP maintains a list of MAC addresses that are allowed to connect to it
MAC address authentication was not part of the 802.11 standard, but many vendors, e.g. Cisco, used it to augment the shared key authN.

2.3. Confidentiality and integrity

WEP also provides confidentiality and integrity protections of data
streams sent between a wireless station/client and AP.
- Confidentiality is provided by using RC4 based stream cipher (plaintext XORed with keystream from RC4)
- Integrity is provided by using Integrity Check Value (ICV) (CRC-32, which is a 32-bit Cyclic Redundancy Check value).
WEP Encryption
- C=M xor RC4(IV||WKey)，M=Plaintext||ICV
Decryption
- C xor RC4(IV||WKey) = M
- Verifying ICV
  - Compute fresh ICV’ based on M received and compare

Weaknesses

No key establishment/distribution mechanism
Use WKey (master and static key) directly
From security point of view, the use of master keys should be minimised, i.e. they should only be used to generate other temporary keys
Small key size
- WKey is a 40-bit or 104-bit value; easier to crack(破解) by brute force
Short IV
- Security of stream ciphers relies on never repeating keystream
- Input for generating keystream is (IV||WKey), where WKey is static and shared among stations and IV space is small
Vulnerable to passive attacks
- Attacker collects traffic on the channel, say C1 and C2.
- If these two messages are generated using the same key and same IV, then as C1=(M1xor RC4(IV||WKey)) and C2=(M2 xor RC4(IV|| WKey)), C1 xor C2 = (M1 xor M2).
- Whenever a byte in (M1xor M2) is zero, M1 and M2 have the same content/value.(i.e. white space)
Vulnerable to active attacks
- If attacker knows a plaintext and ciphertext pair, {C, M}
  - Keystream for IV values are known
  - Attacker can create correctly encrypted messages.
Weak ICV algorithm
- CRC-32 is linear in xor
- Integrity protection for source/destination addresses is not provided
No anti-replay protection
One-way authentication only

WEP has failed in three security goals – station authentication, data confidentiality and integrity

3. IEEE 802.11i standard (2004)

Authentication service

IEEE 802.11i utilizes IEEE 802.1X standard for its authentication and key establishment services
Confidentiality and integrity services
WPA
- TKIP
- Implemented a subset of IEEE 802.11i.
- Targeted on legacy (then) equipment, i.e. only requiring firmware/software update (no hardware update required).
WPA2
- Full implementation of IEEE 802.11i using CCMP.

3.1. WPA (WiFi Protected Access)

TKIP

临时密钥完整性协议（Temporal Key Integrity Protocol）
用以在不需要升级硬件（Only require software and firmware upgrade.）的基础上替代有线等效加密（WEP）协议。由于WEP协议的薄弱造成了数据链路层安全被完全跳过，且由于已经应用的大量按照WEP要求制造的网络硬件急需更新更可靠的安全协议，在此背景下临时密钥完整性协议应运而生
2012年起已不再视为安全，且即将废弃

WPA

机密性：
- it still uses RC4, but with a base key size of 128-bits and IV of 48-bits (doubled the IV size used in WEP)
- it uses the base key, sender’s MAC address and IV (sequence number) to compute the per-packet key
完整性：
- it uses a more secure (non-linear) algorithm and a separate key (Michael key) for MIC (Message Integrity Code)
实现
- TKIP使用密钥混合功能。该功能混合了根密钥（Root Secret key）和初始化向量，而后再通过RC4初始化。在WEP中初始化向量基本上被直接连在根密钥上而后直接通过RC4，从而造成了RC4为基础的WEP可以被轻而易举的使用相关密钥攻击而破解

TKIP is a front-end wrapping up（包装） the WEP encryption function.

3.2. WPA2

CCMP

计数器模式密码块链消息完整码协议（Counter Cipher Mode with Block Chaining Message Authentication Code Protocol）
Use a single key to provide confidentiality and integrity.(用同一个密钥K)
Encryption
- Uses Advanced Encryption System (AES) with 128-bit key and 128-bit block size.
- Integrity check value is not encrypted
Confidentiality
- AES in Counter-Mode
Authentication/Integrity
- AES in CBC-Mode, i.e. CBC-MAC
Use 48-bits IV as a sequence number for anti-replay detection

WPA2

WAP2 does not have the restraint（限制） of having to support the already-deployed WEP hardware

4. IEEE 802.1X Authentication Standard

X要大写

defines port-based access control (“port” meaning a single point of attachment to the LAN infrastructure
Extensible Authentication Protocol (EAP) over LAN (EAPoL Protocol)
It makes use of a separate authentication server, e.g. RADIUS, to perform authentication

申请者STA（Supplicant）\验证者（Authenticator）(aka the wireless access point, router or switch)\证服务器（Authentication server）
- 等于说连ap要经过认证，然后IEEE 802.1X就是要额外考虑与认证服务器的传输安全

4.1. EAP

可扩展身份验证协议(Extensible Authentication Protocol)

interoperability(互通性)
- EAP means choices – supports the use of many authN methods.
- No guarantee that STA and AP will always support the same authenN method
types
- Lightweight EAP (LEAP)
- EAP-TLS
  Creates a TLS session within EAP, between the Supplicant and the Authentication Server, both entities need valid (x509) certificates, and support mutual authentication
  Drawbacks:
  - User’s identity is passed in cleartext and in the certificate
  - Needs client certificate in order to authenticate client
- EAP-TTLS
  - TTLS与TLS最大的区别是TTLS不需要客户端认证的协议
- Protected EAP (PEAP)
  (EAP-TTLS and PEAP) With this method, the main idea is to first establish an encrypted SSL/TLS tunnel using server-side PK certificates, and then user delivers the user’s identity to, and performs authentication with, the server inside the tunnel thus protecting against eavesdropping
- 总的说来就是在AP（也就是验证者）和认证服务器之间的信道是TSL加密的，而AP与用户之间的加密是WPA/WPA2负责的，不要搞混淆了

5. WAP Key Hierarchy

无线应用协议(Wireless Application Protocol)

MK (Master Key)
PMK (Pairwise Master Key) 成对主密钥
PTK (Pairwise Transient Key) 成对传输密码
- TKIP/CCMP
- EAPOL-Key Confirmation Key (EAP Over Lan-KCK)
- EAPOL-Key Encryption Key (KEK).
Group Temporal Key (GTK)
- to secure multicast/broadcast data traffic

6. 其他参考

实验:无线网络嗅探基础
Scapy扫描及隐藏SSID扫描
实验：WPA/WPA2 PSK破解
密码学备忘录-分组密码