Table of Contents for I. What Everyone Should Know
Real 802.11 Security: Wi-Fi Protected Access and 802.11i
by William A. Arbaugh, Jon Edney
Copyright
Praise for Real 802.11 Security: Wi-Fi Protected Access and 802.11i
Preface
Why This Book Now?
To Wi-Fi or Not to Wi-Fi
The Cavalry Is Here
Audience
Organization
Disclaimer
Acknowledgments
I. What Everyone Should Know
1. Introduction
Setting the Scene
Roadmap to the Book
Notes on the Book
2. Security Principles
What Is Security?
Good Security Thinking
1. Don't Talk to Anyone You Don't Know
2. Accept Nothing Without a Guarantee
3. Treat Everyone as an Enemy until Proved Otherwise
4. Don't Trust Your Friends for Long
5. Use Well-Tried Solutions
6. Watch the Ground You Are Standing on for Cracks
Security Terms
Summary
3. Why Is Wi-Fi Vulnerable to Attack?
Changing the Security Model
What Are the Enemies Like?
Gaming Attackers
Profit or Revenge Attackers
Ego Attackers
Traditional Security Architecture
Option 1: Put Wireless LAN in the Untrusted Zone
Option 2: Make Wi-Fi LAN Trusted
Danger of Passive Monitoring
Summary
4. Different Types of Attack
Classification of Attacks
Attacks Without Keys
Snooping
Man-in-the-Middle Attack (Modification)
Attacks on the Keys
One-Time Passwords
Burying the Keys
Wireless Attacks
Attacking the Keys Through Brute Force
Dictionary Attacks
Algorithmic Attacks
Summary
II. The Design of Wi-Fi Security
5. IEEE 802.11 Protocol Primer
Layers
Wireless LAN Organization
Basics of Operation in Infrastructure Mode
Beacons
Probing
Connecting to an AP
Roaming
Sending Data
Protocol Details
General Frame Formats
MAC header
Management Frames
Timestamp
Beacon Interval
Capabilities Information
SSID
Supported Data Rates
Radio Parameters
Power Save Flags (TIM)
Others
Radio Bits
Summary
6. How IEEE 802.11 WEP Works and Why It Doesn't
Introduction
Authentication
Privacy
Use of RC4 Algorithm
Initialization Vector (IV)
WEP Keys
Default Keys
Key Mapping Keys
Mechanics of WEP
Fragmentation
Integrity Check Value (ICV)
Preparing the Frame for Transmission
RC4 Encryption Algorithm
Why WEP Is Not Secure
Authentication
Access Control
Replay Prevention
Message Modification Detection
Message Privacy
IV Reuse
RC4 Weak Keys
Direct Key Attacks
Summary
7. WPA, RSN, and IEEE 802.11i
Relationship Between Wi-Fi and IEEE 802.11
What Is IEEE 802.11i?
What Is WPA?
Differences Between RSN and WPA
Security Context
Keys
Security Layers
How the Layers Are Implemented
Relationship of the Standards
List of Standards
Pictorial Map
Summary
8. Access Control: IEEE 802.1X, EAP, and RADIUS
Importance of Access Control
Authentication for Dial-in Users
IEEE 802.1X
IEEE 802.1X in a Simple Switched Hub Environment
IEEE 802.1X in Wi-Fi LANs
EAP Principles
EAP Message Formats
EAPOL
EAPOL-Start
EAPOL-Key
EAPOL-Packet
EAPOL-Logoff
Messages Used in IEEE 802.1X
Authentication Sequence
Implementation Considerations
RADIUS—Remote Access Dial-In User Service
RADIUS Mechanics
Core Messages
Core Message Format and Attributes
Attributes
EAP over RADIUS
Use of RADIUS in WPA and RSN
Summary
9. Upper-Layer Authentication
Introduction
Who Decides Which Authentication Method to Use?
Use of Keys in Upper-Layer Authentication
Symmetric Keys
Asymmetric Keys
Certificates and Certification Authorities
A Detailed Look at Upper-Level Authentication Methods
Transport Layer Security (TLS)
Functions of TLS
Handshake Exchange
Client Hello (client → server)
Server Hello (server → client)
Server Certificate (server → client)
Client Certificate (client → server)
Client Key Exchange (client → server)
Client Certificate Verification
Change Connection State
Finished
Relationship of TLS Handshake and WPA/RSN
TLS over EAP
Summary of TLS
Kerberos
Using Tickets
Kerberos Tickets
Obtaining the Ticket-Granting Ticket
Service Tickets
Cross-Domain Access
How Tickets Work
Use of Kerberos in RSN
Cisco Light EAP (LEAP)
Protected EAP Protocol (PEAP)
Phase 1
Phase 2
Status of PEAP
Authentication in the Cellular Phone World: EAP-SIM
Overview of Authentication in a GSM Network
Linking GSM Security to Wi-Fi LAN Security
EAP-SIM
Status of GSM-SIM Authentication
Summary
10. WPA and RSN Key Hierarchy
Pairwise and Group Keys
Pairwise Key Hierarchy
Creating and Delivering the PMK
Computing the Temporal Keys
Exchanging and Verifying Key Information
Message (A): Authenticator → Supplicant
Message (B): Supplicant → Authenticator
Message (C): Authenticator → Supplicant
Message (D): Supplicant → Authenticator
Completing the Handshake
Group Key Hierarchy
Summary of the Key Establishment Process
Key Hierarchy Using AES–CCMP
Mixed Environments
Summary of Key Hierarchies
Details of Key Derivation for WPA
Four-Way Handshake
Message (A): Authenticator → Supplicant
Message (B): Supplicant → Authenticator
Message (C): Authenticator → Supplicant
Message (D): Supplicant → Authenticator
Group Key Handshake
Nonce Selection
Computing the Temporal Keys
Summary
11. TKIP
What Is TKIP and Why Was It Created?
TKIP Overview
Message Integrity
IV Selection and Use
IV Length
IV as a Sequence Counter—the TSC
Countering the FMS Attack
Per-Packet Key Mixing
TKIP Implementation Details
Message Integrity—Michael
Countermeasures
MIC Failure at Mobile Device
MIC Failure at Access Point
Computation of the MIC
Per-Packet Key Mixing
Substitution Table or S-Box
Phase 1 Computation
Phase 2 Computation
Summary
12. AES–CCMP
Introduction
Why AES?
AES Overview
Modes of Operation
Electronic Code Book (ECB)
Counter Mode
Counter Mode + CBC MAC : CCM
Offset Codebook Mode (OCB)
How CCMP Is Used in RSN
Steps in Encrypting a Transmission
CCMP Header
Overview of Implementation
Steps in Encrypting an MPDU
Computing the MIC
Encrypting the MPDU
Decrypting MPDUs
Summary
13. Wi-Fi LAN Coordination: ESS and IBSS
Network Coordination
ESS Versus IBSS
Joining an ESS Network
WPA/RSN Information Element
Validating the Information Elements
Preauthentication Using IEEE 802.1X
IBSS Ad-Hoc Networks
Summary
III. Wi-Fi Security in the Real World
14. Public Wireless Hotspots
Development of Hotspots
Public Wireless Access Defined
Barriers to Growth
Fax Machine Problem
Multiparty Barrier
Model 1: Wireless Internet Service Provider
Model 2: Brand-Based Service Provider
Model 3: Cellular Operator Extension Service
Security Issues in Public Hotspots
How Hotspots Are Organized
Subscribers
Access Points
Hotspot Controllers
Authentication Server
Different Types of Hotspots
Airports
Hotels
Coffee Shops
Homes
How to Protect Yourself When Using a Hotspot
Personal Firewall Software
Virtual Private Network (VPN)
VPN Details
Summary
15. Known Attacks: Technical Review
Review of Basic Security Mechanisms
Confidentiality
Cryptography
Asymmetric Encryption
Symmetric Encryption
Key Management
Access Control
Integrity
Source Integrity
Data Integrity
Message Authentication Codes
Digital Signatures
Review of Previous IEEE 802.11 Security Mechanisms
Confidentiality
RC4 and WEP
Initialization Vector
Integrity Check Value
WEP Datagram Format
Key Management
Access Control
Integrity and Authentication
Open System Authentication
Shared-Key Authentication
Attacks Against the Previous IEEE 802.11 Security Mechanisms
Confidentiality
RC4 Problems
Mantin and Shamir Bias Flaw
Fluhrer, Mantin, and Shamir Key Schedule Attack
Other WEP Problems
IV Space
Replay Attacks
WEP Message Modification
An Active Implementation of Fluhrer, Mantin, and Shamir
An Inductive Chosen Plaintext Attack
Base Phase
Inductive Phase
MTU Recovery
Building the Dictionary
Cost of the Attack
Effects of Filtering IVs
Access Control
Problems with MAC-Based Access Control Lists
Problems with Proprietary Closed Network Access Control
Authentication
Shared-Key Authentication
Man-in-the-Middle Attacks
Management Frames
ARP Spoofing
Problems Created by Man-in-the-Middle Attacks
802.1x and EAP
PEAP
Denial-of-Service Attacks
Layer 2 Denial-of-Service Attacks Against All Wi-Fi-Based Standards
WPA Cryptographic Denial-of-Service Attack
Summary
16. Actual Attack Tools
Attacker Goals
Process
Reconnaissance
NetStumbler
Kismet
Example Scenarios
Planning
WideOpen
LockedUp
Collection
Analysis
Recovery of WEP Key
Passive Identification of Network Parameters
Execution
Other Tools of Interest
Airsnort
Airjack
DoS Attack
ESSID Determination
Man-in-the-Middle Attack
Summary
17. Open Source Implementation Example
General Architecture Design Guidelines
Protecting a Deployed Network
Isolate and Canalize
Upgrade Equipment's Firmware to WPA
What to Do If You Can't Do Anything
Planning to Deploy a WPA Network
Deploying the Infrastructure
Add a RADIUS Server for IEEE 802.1X Support
Use a Public Key Infrastructure for Client Certificates
Install Client IEEE 802.1X Supplicant Software
Practical Example Based on Open Source Projects
Server Infrastructure
OpenSSL Instead of a PKI
Downloading OpenSSL
Compiling OpenSSL
Configuring OpenSSL
Making the Public Key Certificates
Creating the Certificate Authority
Creating a Server Certificate
Creating a Client Certificate
RADIUS Software
Downloading FreeRADIUS
Compiling FreeRADIUS
Configuring FreeRADIUS
clients.conf
radiusd.conf
users
Testing FreeRADIUS
Building an Open Source Access Point
AP Hardware
AP Software
OpenBSD
Linux
Making It All Work
Configuring Cisco Access Points to Use 802.1X
Setting the RADIUS Server Properties
Client Software
Windows XP
Installing Public Key Certificates
Wireless Device Configuration
Summary
Acknowledgments
References and More Information
Appendixes
A. Overview of the AES Block Cipher
Finite Field Arithmetic
Addition
Subtraction
Multiplication
Division
Galois Field GF()
Conclusion
Steps in the AES Encryption Process
Round Keys
Computing the Rounds
SubBytes
ShiftRows
MixColumns
XorRoundKey
Decryption
Summary of AES
B. Example Message Modification
Example Message Modification
C. Verifying the Integrity of Downloaded Files
Checking the MD5 Digest
Checking the GPG Signature
Acronyms
References