SlideShare une entreprise Scribd logo

802.11w Tutorial

AirTight Networks
AirTight Networks

The new 802.11 security protocol called 802.11w was recently ratified. Check this 802.11w-Tutorial to know how it works and what it means for your WLAN.

Technologie
1  sur  14
Télécharger pour lire hors ligne
Global Leader in Wireless Security Hooray, 802.11w Is Ratified... So, What Does it Mean for Your WLAN? A Brief Tutorial on IEEE 802.11w Gopinath K N and Hemant Chaskar AirTight Networks www.AirTightNetworks.com 2009 AirTight Networks, Inc. All Rights Reserved.
Background 802.11 WiFi going from “convenience” to “mission critical” Access However, ever since inception, Client Point (AP) WiFi has been vulnerable to Denial of Service (DoS) attacks of various types: X • RF Jamming • Virtual Jamming • Spoofed Disconnect • EAP Spoofing DoS Attacker • Connection Request Flooding • etc. Page 2 2009 AirTight Networks, Inc. All Rights Reserved.
802.11w: A step in the direction of DoS avoidance 802.11w gets rid of “Spoofed Disconnect” DoS attacks resulting from spoofing of • (i) Deauthentication (Deauth), (ii) Disassociation (Disassoc), (iii) Association (Assoc) Request in existing connection, or (iv) Authentication (Auth) Request in existing connection Certain “Action Management Frames” are also made anti-spoofing • Spectrum Management, QoS, BlockAck, Radio Measurement, Fast BSS Transition Page 3 2009 AirTight Networks, Inc. All Rights Reserved.
How does 802.11w avoid Spoofed Disconnect DoS 802.11w adds cryptographic protection to Deauth and Disassoc frames to make them anti-spoofing Mechanism called Security Association (SA) teardown protection is added to prevent spoofed Assoc Request or Auth Request from disconnecting the already connected Client Page 4 2009 AirTight Networks, Inc. All Rights Reserved.
Example: Deauth Attack • Deauthentication frame was meant to gracefully break the connection between AP and Client • Problem however is that it is in clear text, so it can be spoofed (in the absence of 802.11w) Page 5 2009 AirTight Networks, Inc. All Rights Reserved.
Example: Deauth attack averted with 802.11w Only legitimate Deauth is accepted MIC (Message Integrity Code) Spoofed Deauth is ignored added using shared key Legitimate Deauth Legacy Deauth MIC Secret key shared between AP and Client th eau ofed D MIC No MIC or Spo th D eau bad MIC ac y Leg Page 6 2009 AirTight Networks, Inc. All Rights Reserved.
Where does the shared secret key come from It is derived using EAPOL 4-way handshake between AP and Client This also means that 802.11w can only be used if you are using WPA or WPA2 Broadcast/multicast management frames are protected using a key called Integrity Group Temporal Key (IGTK) Unicast management frames are protected using WPA/WPA2 pair-wise encryption key (PTK) Page 7 2009 AirTight Networks, Inc. All Rights Reserved.
SA teardown protection Pre 802.11w, if AP receives Assoc or Auth Request from already associated Client, it terminates existing connection to start a new one • So existing connection can be broken with spoofed Auth Request or Assoc Request With SA teardown of 802.11w • After AP receives Assoc or Auth Request for associated Client, • Crypto protected probe is sent to Client • If crypto protected response is received, the Assoc or Auth Request is considered spoofed and rejected • Else, existing connection is terminated to start a new one Page 8 2009 AirTight Networks, Inc. All Rights Reserved.
How are Action Mgmt Frames made spoof resistant By adding authentication & encryption using IGTK • Spectrum Management • QoS • DLS • Block Ack • Radio measurement • Fast BSS Transition • HT • SA Query • Protected Dual of Public Action Page 9 2009 AirTight Networks, Inc. All Rights Reserved.
802.11w: A piece in WiFi security puzzle 802.11w averts Spoofed Disconnect DoS and makes Action Management Frames spoof-resistant Other DoS attacks (RF jamming, virtual jamming, EAP spoofing, connection request flooding etc.) are outside the scope of 802.11w WPA/WPA2 is still needed for client authentication and data encryption. Also WPA/WPA2 is needed for 802.11w to work Threats from unmanaged devices (rogue APs, mis-associations, ad hoc connections, honeypots (Evil Twin), AP/client MAC spoofing, cracking, infrastructure attacks (skyjacking) etc.) are outside the scope of 802.11w You should definitely enable 802.11w in your WLAN when it becomes available (shortly) in WLAN equipment, but one should not be complacent that it will solve all wireless security problems Page 10 2009 AirTight Networks, Inc. All Rights Reserved.
Questions/comments Please discuss@ http://blog.airtightnetworks.com/802-11w-tutorial/ Page 11 2009 AirTight Networks, Inc. All Rights Reserved.
Appendix 1: Broadcast Integrity Protocol (BIP) Provides authentication and replay protection for broadcast/multicast Management Frames Uses “Integrity Group Temporal Key” (IGTK), a new key derived & distributed via EAPOL 4-way handshake Transmitter appends each protected frame with a Management MIC Information Element (IE) Receiver validates the MIC before accepting the frame Page 12 2009 AirTight Networks, Inc. All Rights Reserved.
Appendix 2: Message Integrity Check (MIC) IE ID Length Key ID IPN MIC ID • Information Element number Key ID • Indicates the IGTK used for computing MIC IPN • Used for replay protection • Monotonically increasing non-negative number MIC • The keyed cryptographic hash derived over management frame body (Payload + MAC header) Page 13 2009 AirTight Networks, Inc. All Rights Reserved.
Appendix 3: 802.11w parameter negotiation Negotiated at the beginning of Association MFP Mandatory AES-128-CMAC MFPR = 1 MFPC = 0 Page 14 2009 AirTight Networks, Inc. All Rights Reserved.

Recommandé

Wi fi
Wi fiWi fi
Wi fi
Mayank Saxena
 
WiFi-integration into EPC
WiFi-integration into EPCWiFi-integration into EPC
WiFi-integration into EPC
Franz Edler
 
Basic command to configure mikrotik
Basic command to configure mikrotikBasic command to configure mikrotik
Basic command to configure mikrotik
Tola LENG
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
Nilesh Sapariya
 
nl80211 and libnl
nl80211 and libnlnl80211 and libnl
nl80211 and libnl
awkman
 
802.11ac
802.11ac802.11ac
802.11ac
yousef emami
 
Aruba 802.11ac networks: Validated Reference Designs
Aruba 802.11ac networks: Validated Reference DesignsAruba 802.11ac networks: Validated Reference Designs
Aruba 802.11ac networks: Validated Reference Designs
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
EMEA Airheads- Aruba Instant AP- VPN TroubleshootingEMEA Airheads- Aruba Instant AP- VPN Troubleshooting
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
Aruba, a Hewlett Packard Enterprise company
 

Recommandé

Wi fi
Wi fiWi fi
Wi fi
Mayank Saxena
 
WiFi-integration into EPC
WiFi-integration into EPCWiFi-integration into EPC
WiFi-integration into EPC
Franz Edler
 
Basic command to configure mikrotik
Basic command to configure mikrotikBasic command to configure mikrotik
Basic command to configure mikrotik
Tola LENG
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
Nilesh Sapariya
 
nl80211 and libnl
nl80211 and libnlnl80211 and libnl
nl80211 and libnl
awkman
 
802.11ac
802.11ac802.11ac
802.11ac
yousef emami
 
Aruba 802.11ac networks: Validated Reference Designs
Aruba 802.11ac networks: Validated Reference DesignsAruba 802.11ac networks: Validated Reference Designs
Aruba 802.11ac networks: Validated Reference Designs
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
EMEA Airheads- Aruba Instant AP- VPN TroubleshootingEMEA Airheads- Aruba Instant AP- VPN Troubleshooting
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
Aruba, a Hewlett Packard Enterprise company
 
Wifi tecnology
Wifi tecnology Wifi tecnology
Wifi tecnology
Tahseen Jawaid
 
Wi-Fi Direct
Wi-Fi DirectWi-Fi Direct
Wi-Fi Direct
shivam_kedia
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA Firewalls
Bryley Systems Inc.
 
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityHow Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
Ahmad Yar
 
Network Virtualization
Network Virtualization Network Virtualization
Network Virtualization
InterVision Systems
 
Wi Fi Security
Wi Fi SecurityWi Fi Security
Wi Fi Security
yousef emami
 
WiFi Technology
WiFi TechnologyWiFi Technology
WiFi Technology
HasanMaster
 
Advanced RF Design & Troubleshooting
Advanced RF Design & TroubleshootingAdvanced RF Design & Troubleshooting
Advanced RF Design & Troubleshooting
Aruba, a Hewlett Packard Enterprise company
 
802.11ac Migration - Airheads Local
802.11ac Migration - Airheads Local802.11ac Migration - Airheads Local
802.11ac Migration - Airheads Local
Aruba, a Hewlett Packard Enterprise company
 
Basic security & info
Basic security & infoBasic security & info
Basic security & info
Tola LENG
 
Wi-Fi 6.pptx
Wi-Fi 6.pptxWi-Fi 6.pptx
Wi-Fi 6.pptx
NicJones15
 
IEEE 802.11ax
IEEE 802.11axIEEE 802.11ax
IEEE 802.11ax
Alice Valentini
 
Wifi & 802.11 Standards
Wifi & 802.11 StandardsWifi & 802.11 Standards
Wifi & 802.11 Standards
Vipul Kumar Maurya
 
Huawei Router Basic Configuration Command
Huawei Router Basic Configuration CommandHuawei Router Basic Configuration Command
Huawei Router Basic Configuration Command
Huanetwork
 
Chapter 10 - DHCP
Chapter 10 - DHCPChapter 10 - DHCP
Chapter 10 - DHCP
Yaser Rahmati
 
Automating Network Infrastructure : Ansible
Automating Network Infrastructure : AnsibleAutomating Network Infrastructure : Ansible
Automating Network Infrastructure : Ansible
Bangladesh Network Operators Group
 
wi-fi technology
wi-fi technology wi-fi technology
wi-fi technology
sai kumar R
 
Aruba mobility access switch useful commands v2
Aruba mobility access switch useful commands v2Aruba mobility access switch useful commands v2
Aruba mobility access switch useful commands v2
Aruba, a Hewlett Packard Enterprise company
 
EMEA Airheads- Aruba Central with Instant AP
EMEA Airheads- Aruba Central with Instant APEMEA Airheads- Aruba Central with Instant AP
EMEA Airheads- Aruba Central with Instant AP
Aruba, a Hewlett Packard Enterprise company
 
Customer Presentation - Aruba Wi-Fi Overview (1).PPTX
Customer Presentation - Aruba Wi-Fi Overview (1).PPTXCustomer Presentation - Aruba Wi-Fi Overview (1).PPTX
Customer Presentation - Aruba Wi-Fi Overview (1).PPTX
ssuser5824cf
 
Dos on 802.11 and other security issues ( Case Study )
Dos on 802.11 and other security issues ( Case Study ) Dos on 802.11 and other security issues ( Case Study )
Dos on 802.11 and other security issues ( Case Study )
Shrobon Biswas
 
Proposta de avaliação de uma WLAN com padrão 802.11w sob ataques RF Jamming
Proposta de avaliação de uma WLAN com padrão 802.11w sob ataques RF Jamming Proposta de avaliação de uma WLAN com padrão 802.11w sob ataques RF Jamming
Proposta de avaliação de uma WLAN com padrão 802.11w sob ataques RF Jamming
Felipe Cesar Costa
 

Contenu connexe

Tendances

Basic security & info
Basic security & infoBasic security & info
Basic security & info
Tola LENG
 

Tendances (20)

Wifi tecnology
Wifi tecnology Wifi tecnology
Wifi tecnology
 
Wi-Fi Direct
Wi-Fi DirectWi-Fi Direct
Wi-Fi Direct
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA Firewalls
 
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityHow Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
 
Network Virtualization
Network Virtualization Network Virtualization
Network Virtualization
 
Wi Fi Security
Wi Fi SecurityWi Fi Security
Wi Fi Security
 
WiFi Technology
WiFi TechnologyWiFi Technology
WiFi Technology
 
Advanced RF Design & Troubleshooting
Advanced RF Design & TroubleshootingAdvanced RF Design & Troubleshooting
Advanced RF Design & Troubleshooting
 
802.11ac Migration - Airheads Local
802.11ac Migration - Airheads Local802.11ac Migration - Airheads Local
802.11ac Migration - Airheads Local
 
Basic security & info
Basic security & infoBasic security & info
Basic security & info
 
Wi-Fi 6.pptx
Wi-Fi 6.pptxWi-Fi 6.pptx
Wi-Fi 6.pptx
 
IEEE 802.11ax
IEEE 802.11axIEEE 802.11ax
IEEE 802.11ax
 
Wifi & 802.11 Standards
Wifi & 802.11 StandardsWifi & 802.11 Standards
Wifi & 802.11 Standards
 
Huawei Router Basic Configuration Command
Huawei Router Basic Configuration CommandHuawei Router Basic Configuration Command
Huawei Router Basic Configuration Command
 
Chapter 10 - DHCP
Chapter 10 - DHCPChapter 10 - DHCP
Chapter 10 - DHCP
 
Automating Network Infrastructure : Ansible
Automating Network Infrastructure : AnsibleAutomating Network Infrastructure : Ansible
Automating Network Infrastructure : Ansible
 
wi-fi technology
wi-fi technology wi-fi technology
wi-fi technology
 
Aruba mobility access switch useful commands v2
Aruba mobility access switch useful commands v2Aruba mobility access switch useful commands v2
Aruba mobility access switch useful commands v2
 
EMEA Airheads- Aruba Central with Instant AP
EMEA Airheads- Aruba Central with Instant APEMEA Airheads- Aruba Central with Instant AP
EMEA Airheads- Aruba Central with Instant AP
 
Customer Presentation - Aruba Wi-Fi Overview (1).PPTX
Customer Presentation - Aruba Wi-Fi Overview (1).PPTXCustomer Presentation - Aruba Wi-Fi Overview (1).PPTX
Customer Presentation - Aruba Wi-Fi Overview (1).PPTX
 

En vedette

When WLANs Launch Self DoS Attacks
When WLANs Launch Self DoS AttacksWhen WLANs Launch Self DoS Attacks
When WLANs Launch Self DoS Attacks
AirTight Networks
 
802.11-2012 Update
802.11-2012 Update802.11-2012 Update
802.11-2012 Update
Savvius, Inc
 

En vedette (8)

Dos on 802.11 and other security issues ( Case Study )
Dos on 802.11 and other security issues ( Case Study ) Dos on 802.11 and other security issues ( Case Study )
Dos on 802.11 and other security issues ( Case Study )
 
Proposta de avaliação de uma WLAN com padrão 802.11w sob ataques RF Jamming
Proposta de avaliação de uma WLAN com padrão 802.11w sob ataques RF Jamming Proposta de avaliação de uma WLAN com padrão 802.11w sob ataques RF Jamming
Proposta de avaliação de uma WLAN com padrão 802.11w sob ataques RF Jamming
 
When WLANs Launch Self DoS Attacks
When WLANs Launch Self DoS AttacksWhen WLANs Launch Self DoS Attacks
When WLANs Launch Self DoS Attacks
 
802.11-2012 Update
802.11-2012 Update802.11-2012 Update
802.11-2012 Update
 
802.11i
802.11i802.11i
802.11i
 
WLAN Attacks and Protection
WLAN Attacks and ProtectionWLAN Attacks and Protection
WLAN Attacks and Protection
 
Aruba OS 6.4 User Guide
Aruba OS 6.4 User GuideAruba OS 6.4 User Guide
Aruba OS 6.4 User Guide
 
Best Practices on Migrating to 802.11ac Wi-Fi
Best Practices on Migrating to 802.11ac Wi-FiBest Practices on Migrating to 802.11ac Wi-Fi
Best Practices on Migrating to 802.11ac Wi-Fi
 

Similaire à 802.11w Tutorial

IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
ijceronline
 
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Dr. Amarjeet Singh
 
Bloombase Spitfire Link Encryptor Server Brochure
Bloombase Spitfire Link Encryptor Server BrochureBloombase Spitfire Link Encryptor Server Brochure
Bloombase Spitfire Link Encryptor Server Brochure
Bloombase
 
Monetizing the Enterprise: Borderless Networks
Monetizing the Enterprise: Borderless NetworksMonetizing the Enterprise: Borderless Networks
Monetizing the Enterprise: Borderless Networks
Cisco Service Provider Mobility
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
Warren Bent
 
Wireless security
Wireless securityWireless security
Wireless security
paripec
 
Pangpse training q12011
Pangpse training q12011Pangpse training q12011
Pangpse training q12011
Joe Palo Alto
 

Similaire à 802.11w Tutorial (20)

Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 Issue
 
F5 Networks: architecture and risk management
F5 Networks: architecture and risk managementF5 Networks: architecture and risk management
F5 Networks: architecture and risk management
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
 
WPA/WPA2 TKIP Exploit
WPA/WPA2 TKIP ExploitWPA/WPA2 TKIP Exploit
WPA/WPA2 TKIP Exploit
 
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
 
Wi Fi
Wi FiWi Fi
Wi Fi
 
Protect your guest wifi - NOW
Protect your guest wifi - NOWProtect your guest wifi - NOW
Protect your guest wifi - NOW
 
Bapinger Network Security
Bapinger Network SecurityBapinger Network Security
Bapinger Network Security
 
Airheads vail 2011 pci 2.0 compliance
Airheads vail 2011 pci 2.0 complianceAirheads vail 2011 pci 2.0 compliance
Airheads vail 2011 pci 2.0 compliance
 
D2 d wifi
D2 d wifiD2 d wifi
D2 d wifi
 
Bloombase Spitfire Link Encryptor Server Brochure
Bloombase Spitfire Link Encryptor Server BrochureBloombase Spitfire Link Encryptor Server Brochure
Bloombase Spitfire Link Encryptor Server Brochure
 
Monetizing the Enterprise: Borderless Networks
Monetizing the Enterprise: Borderless NetworksMonetizing the Enterprise: Borderless Networks
Monetizing the Enterprise: Borderless Networks
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call Control
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and Solutions
 
Wireless security
Wireless securityWireless security
Wireless security
 
Pangpse training q12011
Pangpse training q12011Pangpse training q12011
Pangpse training q12011
 
Cat6500 Praesentation
Cat6500 PraesentationCat6500 Praesentation
Cat6500 Praesentation
 
Wireless Security
Wireless SecurityWireless Security
Wireless Security
 
IoT Security
IoT SecurityIoT Security
IoT Security
 

Plus de AirTight Networks

Wi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise ThyselfWi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise Thyself
AirTight Networks
 

Plus de AirTight Networks (20)

Is 11ac Right for Your Network?
Is 11ac Right for Your Network?Is 11ac Right for Your Network?
Is 11ac Right for Your Network?
 
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
 
Wi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise ThyselfWi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise Thyself
 
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
 
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
 
AirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSPAirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSP
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6
 
AirTight social wifi solution brief
AirTight social wifi solution briefAirTight social wifi solution brief
AirTight social wifi solution brief
 
Considerations for a secure enterprise wlan data connectors 2013
Considerations for a secure enterprise wlan data connectors 2013Considerations for a secure enterprise wlan data connectors 2013
Considerations for a secure enterprise wlan data connectors 2013
 
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
 
Survey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise SecuritySurvey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise Security
 
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
 
Non WiFi interference combat guide 1
Non WiFi interference combat guide 1Non WiFi interference combat guide 1
Non WiFi interference combat guide 1
 
WPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQsWPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQs
 
WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation StrategiesWPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
 
Conquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the EnterpriseConquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the Enterprise
 
Windows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the EnterpriseWindows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the Enterprise
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and Solutions
 
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresSkyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
 
Retail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—RecommendationsRetail Stores and Wireless Security—Recommendations
Retail Stores and Wireless Security—Recommendations
 

Dernier

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Dernier (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

802.11w Tutorial

  • 1. Global Leader in Wireless Security Hooray, 802.11w Is Ratified... So, What Does it Mean for Your WLAN? A Brief Tutorial on IEEE 802.11w Gopinath K N and Hemant Chaskar AirTight Networks www.AirTightNetworks.com 2009 AirTight Networks, Inc. All Rights Reserved.
  • 2. Background 802.11 WiFi going from “convenience” to “mission critical” Access However, ever since inception, Client Point (AP) WiFi has been vulnerable to Denial of Service (DoS) attacks of various types: X • RF Jamming • Virtual Jamming • Spoofed Disconnect • EAP Spoofing DoS Attacker • Connection Request Flooding • etc. Page 2 2009 AirTight Networks, Inc. All Rights Reserved.
  • 3. 802.11w: A step in the direction of DoS avoidance 802.11w gets rid of “Spoofed Disconnect” DoS attacks resulting from spoofing of • (i) Deauthentication (Deauth), (ii) Disassociation (Disassoc), (iii) Association (Assoc) Request in existing connection, or (iv) Authentication (Auth) Request in existing connection Certain “Action Management Frames” are also made anti-spoofing • Spectrum Management, QoS, BlockAck, Radio Measurement, Fast BSS Transition Page 3 2009 AirTight Networks, Inc. All Rights Reserved.
  • 4. How does 802.11w avoid Spoofed Disconnect DoS 802.11w adds cryptographic protection to Deauth and Disassoc frames to make them anti-spoofing Mechanism called Security Association (SA) teardown protection is added to prevent spoofed Assoc Request or Auth Request from disconnecting the already connected Client Page 4 2009 AirTight Networks, Inc. All Rights Reserved.
  • 5. Example: Deauth Attack • Deauthentication frame was meant to gracefully break the connection between AP and Client • Problem however is that it is in clear text, so it can be spoofed (in the absence of 802.11w) Page 5 2009 AirTight Networks, Inc. All Rights Reserved.
  • 6. Example: Deauth attack averted with 802.11w Only legitimate Deauth is accepted MIC (Message Integrity Code) Spoofed Deauth is ignored added using shared key Legitimate Deauth Legacy Deauth MIC Secret key shared between AP and Client th eau ofed D MIC No MIC or Spo th D eau bad MIC ac y Leg Page 6 2009 AirTight Networks, Inc. All Rights Reserved.
  • 7. Where does the shared secret key come from It is derived using EAPOL 4-way handshake between AP and Client This also means that 802.11w can only be used if you are using WPA or WPA2 Broadcast/multicast management frames are protected using a key called Integrity Group Temporal Key (IGTK) Unicast management frames are protected using WPA/WPA2 pair-wise encryption key (PTK) Page 7 2009 AirTight Networks, Inc. All Rights Reserved.
  • 8. SA teardown protection Pre 802.11w, if AP receives Assoc or Auth Request from already associated Client, it terminates existing connection to start a new one • So existing connection can be broken with spoofed Auth Request or Assoc Request With SA teardown of 802.11w • After AP receives Assoc or Auth Request for associated Client, • Crypto protected probe is sent to Client • If crypto protected response is received, the Assoc or Auth Request is considered spoofed and rejected • Else, existing connection is terminated to start a new one Page 8 2009 AirTight Networks, Inc. All Rights Reserved.
  • 9. How are Action Mgmt Frames made spoof resistant By adding authentication & encryption using IGTK • Spectrum Management • QoS • DLS • Block Ack • Radio measurement • Fast BSS Transition • HT • SA Query • Protected Dual of Public Action Page 9 2009 AirTight Networks, Inc. All Rights Reserved.
  • 10. 802.11w: A piece in WiFi security puzzle 802.11w averts Spoofed Disconnect DoS and makes Action Management Frames spoof-resistant Other DoS attacks (RF jamming, virtual jamming, EAP spoofing, connection request flooding etc.) are outside the scope of 802.11w WPA/WPA2 is still needed for client authentication and data encryption. Also WPA/WPA2 is needed for 802.11w to work Threats from unmanaged devices (rogue APs, mis-associations, ad hoc connections, honeypots (Evil Twin), AP/client MAC spoofing, cracking, infrastructure attacks (skyjacking) etc.) are outside the scope of 802.11w You should definitely enable 802.11w in your WLAN when it becomes available (shortly) in WLAN equipment, but one should not be complacent that it will solve all wireless security problems Page 10 2009 AirTight Networks, Inc. All Rights Reserved.
  • 11. Questions/comments Please discuss@ http://blog.airtightnetworks.com/802-11w-tutorial/ Page 11 2009 AirTight Networks, Inc. All Rights Reserved.
  • 12. Appendix 1: Broadcast Integrity Protocol (BIP) Provides authentication and replay protection for broadcast/multicast Management Frames Uses “Integrity Group Temporal Key” (IGTK), a new key derived & distributed via EAPOL 4-way handshake Transmitter appends each protected frame with a Management MIC Information Element (IE) Receiver validates the MIC before accepting the frame Page 12 2009 AirTight Networks, Inc. All Rights Reserved.
  • 13. Appendix 2: Message Integrity Check (MIC) IE ID Length Key ID IPN MIC ID • Information Element number Key ID • Indicates the IGTK used for computing MIC IPN • Used for replay protection • Monotonically increasing non-negative number MIC • The keyed cryptographic hash derived over management frame body (Payload + MAC header) Page 13 2009 AirTight Networks, Inc. All Rights Reserved.
  • 14. Appendix 3: 802.11w parameter negotiation Negotiated at the beginning of Association MFP Mandatory AES-128-CMAC MFPR = 1 MFPC = 0 Page 14 2009 AirTight Networks, Inc. All Rights Reserved.