CWSP-SOHO 802.11 Security

Tags

Here is my notes on Chapter 6 – SOHO 802.11 Security of CWSP Official Study Guide.

* WPA/WPA2-Personal is the most common security method used in SOHO environment.
* WPA2-Personal use CCMP/AES where as WPA-Personal use TKIP/RC4 dynamic encryption-key generation (both use PSK authentication method)
* WPA/WPA2-Personal allows end user to enter a simple ASCII string (passphrase) anywhere from 8-63 character in size.
* Different vendors use different names for PSK authentication
1. WPA/WPA2-Passphrase
2. WPA/WPA2-PSK
3. WPA/WPA2-Preshared Key
4. WPA/WPA2-Personal

* PSK use in RSN is 256bit (or 64 hex) in length.
* Below passphrase-PSK mapping formula is used to derive 256bit PSK from user entered passphrase. You can use this page to convert your paraphrase into 256bit PSK

 PSK=PBKDF2(PassPhrase, SSID, SSIDLength, 4096,256)

* Using above, a simple PassPhrase is combined with SSID & hash it for 4096 times to derive the 256 bit PSK.
* This 256-bit PSK is also used as pairwise master key (PMK), where PMK is the seeding material for 4-Way Handshake used to generate dynamic encryption keys.
* Every client station has the same PMK (as it derive from same PSK) which is a security risk.
* If someone capture 4-Way Handshake frames & having PMK, then it is very easy to derive PTK & then decrypt all unicast traffic.
* Also WPA/WPA2-Personal is vulnerable to offline brute-force dictionary attack.

Entropy
Entropy is a measure of uncertainty associated with a random variable. A passphrase typically has about 2.5 bits of security per character, so “n” octet password will have “2.5n+12” bit of security. It is recommended to have at least 20 character passphrase for SOHO wifi solution. For enterprise(if PSK need to use) recommend 64-hex character PSK by avoiding use of passphrase altogether.

Proprietary PSK
* Certain vendors have PSK solutions that each client will have its own unique PSK.
* Usually client MAC address will map to unique WPA/WPA2 passphrase.
* A database of client stations MAC or usernames must be created on AP or centralized management server.

WiFi Protected Setup (WPS)
* Developed by Wi-Fi Alliance & is not specified by IEEE.
* Defines a simplified and automatic WPA & WPA2 security configuration for home & small business users.

* WPS Architecture defines 3 primary & logical roles
1. AP – An infrastructure mode 802.11 wireless access point
2. Enrollee – A devices seeking to join the WLAN
3. Registrar – An entity with the authority to issue an revoke access credential. This role can be integrated to AP or function as a separate device, not residing on AP. Then it is considered as “External Registrar“.

* The result of adding an AP to a Registrar will include the additional information element(IE) to beacons, probe request & probe response frames. The IE advertise the WPS capability & it does not affect non-WPS client as they simply ignore this IE.

* There are few security options used by WPS, PIN & PBC are most common.
1. Personal Information Number (PIN)
2. Push-Button Configuration (PBC)
3. Near Field Communication (NFC) tokens
4. Universal Serial Bus (USB)

* WPS Registration Protocol accomplishes the following
1. helps to troubleshoot basic connectivity problems with the wireless channel
2. provides demonstrative identification of the Enrollee to the Registrar and the Registrar to Enrollee using out-of-band information.
3. establishes the roles of each device (AP, Registrar & Enrollee)
4. Securely conveys WLAN settings & other configurations from Registrar to Enrollee
5. establishes an Extended Master Session Key (EMSK) which can be used to secure additional application-specific configuration functions.

* Registration protocol can be run “in-band” or “out-of-band”
In-Band Configuration Mode
* a Diffie-Hellman key exchange is performed and authenticated using a shared secret called a device password.

Out-of-Band Configuration Modes
1. Unencrypted Settings
2. Encrypted Settings
3. NFC interface operating in peer-to-peer mode
This method has following characteristicx
1. resistance to man-in-the-middle attack
2. resistance to eavesdropping
3. channel data capacity
4. Physical proximity.

* Guidelines for Requirement for PIN values
1. Minimum recommended length of a numeric PIN is 8 digits
2. PIN values must be randomly generated.
3. If more than one PIN value is present in the system, they must be cryptographically separate from each other.

SOHO Security Best Practices
1. Default Settings: DO NOT use default SSID, admin credential, etc
2. SSID Name        : use random string with no meaning.
3. SSID Cloaking   : Hiding SSID (not a best practice for enterprise)
4. MAC Filters        : Restrict the network for the devices you know
5. WPA2-Personal :CCMP-AES with 20 character passphrase.

References
1. CWSP Official Study Guide – Chapter 6

1. How to decrypt WPA2-PSK using wireshark.

3 thoughts on “CWSP-SOHO 802.11 Security”

Hari Krishna Sahu said:

July 29, 2018 at 4:25 am

Can you please provide the details of sniffer packet exchange (M1 – M8) for WiFi Protected Setup (WPS).

- nayarasi said:
  
  July 30, 2018 at 3:54 pm
  
  Hi Hari,
  
  I do not have one with me. If I get any, I will share it with you here.
  
  Rasika
  
  - Hari Krishna Sahu said:
    
    July 30, 2018 at 5:45 pm
    
    OK thanks.