
 jbibe Premium,MVM join:2001-02-22
4 edits | reply to Jason Cohen Re: Questions about WPA2 and WPA
said by Jason Cohen:
1) Is WPA/WPA2-Enterprise inherently more secure than WPA/WPA2-PSK?

In most cases the answer is yes, the Enterprise mode is more secure than the PSK mode. Most access points use a single PSK when operating in the WPA-PSK or WPA2-PSK modes. Although the specification (802.11i) allows the use of multiple PSKs, most access points do not provide this feature. This means that in cases where PSK is in use there is a single PMK, since the PMK=PSK.
In the Enterprise mode, every station has a different PMK. During authentication, the RADIUS server produces a new Master Key (MK). The RADIUS server transfers the MK to the station. The RADIUS server and station then derive the PMK. Beyond producing a new PMK during the initial connection, many access points require re-authentication at regular intervals, perhaps every 30 minutes. Each re-authentication produces a new PMK.

2) Is WPA2-PSK vulnerable to offline dictionary/brute-force attack like WPA-PSK or does AES-CCMP remedy the offline attack issue?

Yes. There is no difference.

3) Does the fact that WPA/WPA2-PSK fails to allow a client to authenticate the server allow for an attack which attempts to trick the user's client into automatically authenticating with his rogue AP, thus giving up your secret passphrase?
I'm assuming here that the passphrase is sent to authenticate, rather than the hash of the passphrase, which would then be used to compare against the hash stored in the AP. If this is the case, then the best the attacker could do is mount an offline attack on your password hash, which he could pretty much do anyways.

Neither the passphrase nor its hash (the PSK) is sent. Each side verifies that the other side has the PMK during the 4-way handshake,

 Jason Cohen
join:2004-11-06 Waltham, MA
1 edit | If that's the case, I think I will set up FreeRadius with EAP-TLS on my Debian server using the instructions you provide here: »FreeRADIUS/WinXP Authentication Setup
EAP-TLS is the most secure EAP mode, correct? I would think it is as it uses server and client certificates, nullifying the problem of weak passwords, and allowing bidirectional authentication.

 jbibe Premium,MVM join:2001-02-22
| Be careful with my original writeup. FreeRADIUS has been modified so that some of the information is outdated. For example, a portion of the radiusd.conf file has been extracted and placed in the eap.conf file.
For more information about building a FreeRADIUS server look at the following document which provides information about building a server for PEAP authentication:
»www.tldp.org/HOWTO/html_single/8021X-HOWTO/
Most of the recent Linux releases include a prepackaged FreeRADIUS server that can be installed with little or no trouble. The major tasks are configuring the server, and producing and installing the required certificates.
Other members here use a FreeRADIUS server for authentication. If you get stuck, ask your question here or on the freeradius.org mail list.
I use WPA2 with a FreeRADIUS server. The server is normally configured for TLS.

 Jason Cohen
join:2004-11-06 Waltham, MA
| reply to jbibe
said by jbibe:
said by Jason Cohen: 1) Is WPA/WPA2-Enterprise inherently more secure than WPA/WPA2-PSK?
In most cases the answer is yes, the Enterprise mode is more secure than the PSK mode. Most access points use a single PSK when operating in the WPA-PSK or WPA2-PSK modes. Although the specification (802.11i) allows the use of multiple PSKs, most access points do not provide this feature. This means that in cases where PSK is in use there is a single PMK, since the PMK=PSK. In the Enterprise mode, every station has a different PMK. During authentication, the RADIUS server produces a new Master Key (MK). The RADIUS server transfers the MK to the station. The RADIUS server and station then derive the PMK. Beyond producing a new PMK during the initial connection, many access points require re-authentication at regular intervals, perhaps every 30 minutes. Each re-authentication produces a new PMK.

What security risk is entailed by having a single PMK? I would think that the biggest risk of PSK mode is that any client on the wireless network can decrypt the traffic from any other client.

 Jason Cohen
join:2004-11-06 Waltham, MA
| reply to jbibe
said by jbibe:
said by Jason Cohen: 1) Is WPA/WPA2-Enterprise inherently more secure than WPA/WPA2-PSK?
In most cases the answer is yes, the Enterprise mode is more secure than the PSK mode. Most access points use a single PSK when operating in the WPA-PSK or WPA2-PSK modes. Although the specification (802.11i) allows the use of multiple PSKs, most access points do not provide this feature. This means that in cases where PSK is in use there is a single PMK, since the PMK=PSK. In the Enterprise mode, every station has a different PMK. During authentication, the RADIUS server produces a new Master Key (MK). The RADIUS server transfers the MK to the station. The RADIUS server and station then derive the PMK. Beyond producing a new PMK during the initial connection, many access points require re-authentication at regular intervals, perhaps every 30 minutes. Each re-authentication produces a new PMK.

So, let me see if I understand you correctly. Since WPA/WPA2 PSK mode uses the PSK as the PMK, and all clients share the same PSK, it should be fairly trivial to capture and decrypt traffic from other clients on the network. If you capture the EAPOL packets from the client's initial four-way handshake, then you have the SNonce, ANonce, STA and AP MACs as well as the PMK. Now, you just need to concatenate this information and put it through the HMAC-SHA1 one way hash function which gives you the Pairwise Transient Key (PTK) used by that client, and from that the TK (Temporal Key) used for data encryption/integrity can be derived. You now can decrypt any captured data packets sent by the client.
Also, as you noted since the PMK never changes, it's more open to attack whereas with 802.1x every client station has its own PMK, and a new PMK is created upon each authentication with the RADIUS server. Because each client has a unique PMK, no client can discover the PMK or PTK used by any other client. This seems to be a significant advantage over PSK mode in a business environment where you don't necessarily want clients to be able to snoop on each other's communications, whereas in a home environment, it probably doesn't matter.
I have a question about your statement that "many access points require re-authentication at regular intervals, perhaps every 30 minutes. Each re-authentication produces a new PMK."
At least on the consumer level routers I've seen that support 802.1x authentication, the only option similar to what you are mentioning is "Key Renewal Timeout" period which is set to 1800 or 3600 seconds. However, I believe this just does a new four-way handshake, which would create a new PTK, and therefore a fresh TK to encrypt client traffic, but not a new PMK. I have my WHR-G54S set to timeout every 1800 seconds, but I only see successful logins in my freeradius log when I disconnect from the network and reconnect. Does DD-WRT simply not provide this feature to force re-authentication with the RADIUS server? I also thought this was a setting that you would create on the RADIUS server itself, rather than on the AP.

 jbibe Premium,MVM join:2001-02-22
| The "Key Renewal Timeout" refers to the Group Transient Key, not the Pairwise Transient Key. Based on my limited tests with Linksys consumer grade devices, the Pairwise Transient Key is not changed. Some, but not all, ZyXEL consumer grade access points include two timeout periods, the Group Key Renewal Timeout and the Re-Authentication Timeout. Since you don't see a re-authentication in your logs, your access point does not include a re-authentication timeout control.
FreeRADIUS does not include any timers. The access point controls all of the timeout periods.

 Jason Cohen
join:2004-11-06 Waltham, MA
1 edit | jbibe,
Thanks for the response. I also am wondering about the DH parameters that are created in the Freeradius setup. The howto I followed on Paranoid Penguin [»www.linuxjournal.com/article/8151] said to use the command "openssl dhparam -check -text -5 512 -out dh" which creates a DH parameter file with a 512 bit prime. You recommended that one use, "openssl gendh >> dh" which also creates a 512 bit prime. Isn't this insecure, as the current recommended minimum for DH/DSS public keys is 1024 bits. 512 bit keys have already been broken, and 768 bit keys are also considered insecure. Incidentally, the default setting in Freeradius is "dh_key_length = 512" so in addition to creating a DH parameter file with a larger prime, you also need to manually set the DH key length in eap.conf.
Also, when I used Ethereal to capture the EAP-TLS authentication, I saw that the server cipher suite for TLS was set to "TLS_RSA_WITH_RC4_128_MD5". This is the default setting that Freeradius uses when no cipher suite is manually selected. I'm confused because this ciphersuite does not include support for DH, and Freeradius by default uses the "rsa_key_exchange = no" setting. So, if DH isn't being used, and RSA isn't being used, how is the Master Key created? It seems like DH is necessary because if "dh_file = ..." is commented out, freeradius fails to start. What is DH being used for in the TLS exchange, and is a large DH key necessary or beneficial?

 Jason Cohen
join:2004-11-06 Waltham, MA
| I read the NIST "Guide to IEEE 802.11i: Robust Security Networks" yesterday [»csrc.nist.gov/publications/draft···p800-97]. I have read on various sites as well on this forum that both WPA and WPA2 use unique encryption keys for each frame. However, the NIST document states that "CCM uses a new Temporal Key every session with every new STA-AP association. Unlike TKIP, the use of AES at the core of CCM obviates the need to have per-packet keys. As a result, the two-phase key mixing functions of TKIP encapsulation are not present in the CCMP encapsulation." Thus, the encryption key used in WPA2 remains the same until you re-authenticate with the RADIUS server which generates a fresh PMK whereas in TKIP "A two-phase cryptographic key-mixing process occurs to produce a new key for every frame that is transmitted. The process takes a session Temporal Key along with the dynamically changing TSC to create a dynamic WEP key."
So, is there any safe limit to the amount of data or the number of packets that is safe to encrypt with the same Temporal Key? I routinely stream TV shows from my MythTV server over the wireless network. The recordings are appx. 7 mbit/sec (as they're MPEG-2). This leads to massive amounts of data being transferred in the same session. So, for example, yesterday after watching two shows, Windows said that I had received 2 million packets, and sent 4 million- in a period of 2 hours. The total amount of data transferred was around 6 GB. Is this safe? I would think that as a single AES encryption key can be used to encrypt HDs with hundreds of GBs of data, this shouldn't be an issue, but I wanted to verify that it is in fact a safe practice.

 jbibe Premium,MVM join:2001-02-22
| reply to Jason Cohen
said by Jason Cohen:
I also am wondering about the DH parameters that are created in the Freeradius setup. The howto I followed on Paranoid Penguin [» www.linuxjournal.com/article/8151] said to use the command "openssl dhparam -check -text -5 512 -out dh" which creates a DH parameter file with a 512 bit prime. You recommended that one use, "openssl gendh >> dh" which also creates a 512 bit prime.

I use "openssl dhparam -check -text -5 512 -out dh" for the generation of the DH parameters. OpenSSL has obsoleted "openssl gendh >> dh".

Isn't this insecure, as the current recommended minimum for DH/DSS public keys is 1024 bits. 512 bit keys have already been broken, and 768 bit keys are also considered insecure. Incidentally, the default setting in Freeradius is "dh_key_length = 512" so in addition to creating a DH parameter file with a larger prime, you also need to manually set the DH key length in eap.conf.

I don't remember the dh_key_length setting. It may be one of the changes in the recent releases. I should download and review the latest server information.

Also, when I used Ethereal to capture the EAP-TLS authentication, I saw that the server cipher suite for TLS was set to "TLS_RSA_WITH_RC4_128_MD5". This is the default setting that Freeradius uses when no cipher suite is manually selected. I'm confused because this ciphersuite does not include support for DH, and Freeradius by default uses the "rsa_key_exchange = no" setting. So, if DH isn't being used, and RSA isn't being used, how is the Master Key created? It seems like DH is necessary because if "dh_file = ..." is commented out, freeradius fails to start. What is DH being used for in the TLS exchange, and is a large DH key necessary or beneficial?

I looked at the packet exchange during an authentication about three years ago. If my memory is correct, the choice is negotiated during the exchange. I don't remember the exact sequence. I seem to remember the same choice was always used.
I don't remember the ability to select the cipher suite in FreeRADIUS. It may be one of the new features. The default cipher suite may be similar to MD5 authentication. MD5 is the default authentication method, even though the FreeRADIUS notes recommend against using MD5.
For my purposes, a large DH key is probably not necessary, but I am only protecting my home network. I never send anything important over the wireless network, and I only use the wireless network to beta test new wireless cards, access points and gateways. If I had more important wireless information to protect, I would probably increase the size of the key. At least, I would experiment with changing the key.

 jbibe Premium,MVM join:2001-02-22
3 edits | reply to Jason Cohen
said by Jason Cohen:
So, is there any safe limit to the amount of data or the number of packets that is safe to encrypt with the same Temporal Key? I routinely stream TV shows from my MythTV server over the wireless network. The recordings are appx. 7 mbit/sec (as they're MPEG-2). This leads to massive amounts of data being transferred in the same session. So, for example, yesterday after watching two shows, Windows said that I had received 2 million packets, and sent 4 million- in a period of 2 hours. The total amount of data transferred was around 6 GB. Is this safe? I would think that as a single AES encryption key can be used to encrypt HDs with hundreds of GBs of data, this shouldn't be an issue, but I wanted to verify that it is in fact a safe practice.

CCM requires a new key for every session. It also requires a unique nonce value for each frame protected by the key. CCMP uses a unique 48-bit packet number for each frame.
Your downloads are not significant, even if your computer remains connected for extended periods of time. I recommend that you turn your computer off on a regular basis, but leaving it on for one day should not cause any security concerns.

 Jason Cohen
join:2004-11-06 Waltham, MA
1 edit | reply to jbibe
You have to manually set "dh_key_length" in eap.conf as it's not in the file by default. I only learned of its existence by running FreeRadius in debug mode with the -X flag. It shows every option set by Freeradius, including many default options which aren't shown in the configuration files.
I still don't think DH is even being used. The default cipher suite used by the server is TLS_RSA_WITH_RC4_MD5. Openssl provides this information about this ciphersuite: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5. So RSA is used for key exchange and authentication, and 128 bit RC4 is used for encryption while MD5 is used for integrity.
You also can manually set this setting in eap.conf with the cipher_list setting which is included in the configuration file. Using a setting of 'HIGH' will use RSA for Kx/Auth, 3DES for encryption, and SHA1 for integrity. I also was able to use RC4-SHA which is the same as RC4-MD5 but uses SHA1 for integrity.

 jbibe Premium,MVM join:2001-02-22
| I seem to remember that Windows XP had a cipher list, and that one was always selected during the exchange. I don't remember the details anymore.

 Jason Cohen
join:2004-11-06 Waltham, MA
| reply to jbibe
I looked at the packet exchange during an authentication about three years ago. If my memory is correct, the choice is negotiated during the exchange. I don't remember the exact sequence. I seem to remember the same choice was always used.

The client sends its cipher suite which includes 11 choices. The server then sends its supported list which is usually just RC4-MD5. If the server offers more than one choice, the highest one on the client's list is used. RC4-MD5 is the first client choice, and RC4-SHA is the second.
Unfortunately, the Windows wireless supplicant can't do AES. This is what MS says about the matter:
"In addition to the Data Encryption Standard (DES) and Triple-DES (3DES), Windows Server "Longhorn" and Windows Vista support the following additional algorithms for encrypting data:
Advanced Encryption Standard (AES) with cipher block chaining (CBC) and a 128-bit key size (AES 128)
AES with CBC and a 192-bit key size (AES 192)
AES with CBC and a 256-bit key size (AES 256)
These new encryption algorithms cannot be used for a security association with a computer running Windows Server 2003, Windows XP, or Windows 2000."
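The PSK key hierarchy discussed earlier in this thread (PMK = PSK, PTK derived from the PMK, both MAC addresses and both nonces) is sketched below as an added example; it is not code from any poster or from FreeRADIUS. Function names, the passphrase, SSID, MAC addresses and nonces are constructed, and the Enterprise-mode PMK is modelled as an unrelated 256-bit value. It shows why a shared PSK gives stations no isolation from each other, and that a new four-way handshake changes the TK without changing the PMK.

```python
import hashlib
import hmac

def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    # PSK mode: PMK = PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)
    out = b""
    for counter in range((nbytes + 19) // 20):
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    # PTK input: min/max of the two MACs, then min/max of the two nonces
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)  # 384 bits for CCMP
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

# Constructed sample values (not from a real capture)
AP = bytes.fromhex("020000000001")
STA_A = bytes.fromhex("0200000000aa")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()

def demo() -> dict:
    shared_pmk = psk_to_pmk("constructed example passphrase", "ExampleSSID")
    sta_a = derive_ptk(shared_pmk, AP, STA_A, ANONCE, SNONCE)
    # PSK mode: every station holds the same PMK, and the MACs and nonces
    # are visible in the handshake, so a peer computes station A's TK too.
    psk_peer = derive_ptk(shared_pmk, AP, STA_A, ANONCE, SNONCE)
    # Enterprise mode (modelled): the peer's PMK came from its own
    # authentication, so the same public inputs give an unrelated TK.
    peer_pmk = hashlib.sha256(b"constructed per-station PMK").digest()
    eap_peer = derive_ptk(peer_pmk, AP, STA_A, ANONCE, SNONCE)
    # New four-way handshake with the same PMK: fresh nonce, fresh PTK.
    new_anonce = hashlib.sha256(b"constructed new anonce").digest()
    rekeyed = derive_ptk(shared_pmk, AP, STA_A, new_anonce, SNONCE)
    return {
        "psk_peer_has_same_tk": psk_peer["TK"] == sta_a["TK"],
        "eap_peer_has_same_tk": eap_peer["TK"] == sta_a["TK"],
        "rehandshake_changes_tk": rekeyed["TK"] != sta_a["TK"],
    }

if __name__ == "__main__":
    print(demo())
```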