
Wireless LAN Setup and Security Loopholes

RADIUS Overview

Remote authentication dial-in user service (RADIUS) is a widely deployed protocol enabling centralized authentication, authorization, and accounting for network access. RADIUS was originally developed for dial-up remote access, but it is now supported by virtual private network (VPN) servers, wireless access points, authenticating Ethernet switches, digital subscriber line (DSL) access, and other network access types. A RADIUS client (here, the access point) sends the user credentials and connection parameters in the form of a UDP (user datagram protocol) message to the RADIUS server. The RADIUS server authenticates and authorizes the RADIUS client request, and sends back a RADIUS message response. To provide security for RADIUS messages, the RADIUS client and the RADIUS server are configured with a common shared secret. The shared secret is used to secure the traffic back and forth from the RADIUS server, and is commonly entered as a text string on both the RADIUS client and server (Microsoft, 2000).

Simple 802.1x Authentication with RADIUS Server

The following steps show the necessary interactions that happen during authentication (Gast, 2002).

1. The Authenticator (Access Point) sends an EAP-Request/Identity packet to the Supplicant (Client) as soon as it detects that the link is active.
2. The Supplicant (Client) sends an EAP-Response/Identity packet, with its identity in it, to the Authenticator (Access Point). The Authenticator then repackages this packet in the RADIUS protocol and passes it to the Authentication (RADIUS) Server.
3. The Authentication (RADIUS) Server sends back a challenge to the Authenticator (Access Point), such as with a token password system. The Authenticator unpacks this from RADIUS, repacks it into EAPOL (EAP over LAN), and sends it to the Supplicant (Client).
4. The Supplicant (Client) responds to the challenge via the Authenticator (Access Point), which passes the response on to the Authentication (RADIUS) Server.
5. If the Supplicant (Client) provides proper credentials, the Authentication (RADIUS) Server responds with a success message that is then passed on to the Supplicant. The Authenticator (Access Point) now allows access to the LAN, based on the attributes that came back from the Authentication Server.

Figure 3 shows the details in a pictorial way, where client, AP, and RADIUS server interact.

Figure 3. Step-by-step extensible authentication protocol (EAP) sequences that include the client or user computer, the Access Point, as well as the RADIUS server

There are several EAP authentication types, including EAP-MD5, EAP-TLS, EAP-TTLS, LEAP, and PEAP with MS-CHAPv2. The PEAP authentication process consists of two main phases.

Step 1: Server authentication and the creation of a TLS (transport layer security) encryption channel happen in this step. The server identifies itself to a client by providing certificate information to the client. After the client verifies the identity of the server, a master secret is generated. The session keys that are derived from the master secret are then used to create a TLS encryption channel that encrypts all subsequent communication between the server and the wireless client.

Step 2: EAP conversation and user and client computer authentication happen in this step. A complete EAP conversation between the client and the server is encapsulated within the TLS encryption channel. With PEAP, you can use any one of several EAP authentication methods, such as passwords, smart cards, and certificates, to authenticate the user and client computer.

PEAP-Microsoft challenge handshake authentication protocol version 2 (MS-CHAP v2) is a mutual authentication method that supports password-based user or computer authentication.
During the PEAP with MS-CHAPv2 authentication process, both the server and client must prove that they have knowledge of the user's password in order for authentication to succeed. With PEAP-MS-CHAPv2, after successful authentication, users can change their passwords, and they are notified when their passwords expire.

Implementing EAP Authentication with RADIUS Server

This section shows the implementation of 802.1x port-based authentication of PEAP (protected extensible authentication protocol) with MS-CHAPv2 (Microsoft challenge handshake authentication protocol version 2) by setting up RADIUS servers on Windows 2000 server and Linux Red Hat 9, as shown in Figure 4. As discussed in the authentication part, the purpose of this implementation is to allow authorized users to log in to the WLAN. Authorized users are those users who have to register their usernames and passwords with the RADIUS server before they are allowed to access the WLAN.

Figure 4. Wireless network implementation. The WLAN is connected to the LAN, where a RADIUS server is used for authentication purposes

Figure 5. AP association table shows that the clients are EAP authenticated

The RADIUS server can be configured, as briefly explained next, on Windows 2000 server with a service pack by configuring the IAS (Internet authentication server). In the IAS authentication service, there is a need to register the RADIUS client. Typically, that would be an access point, and its name and IP address with the shared secret are entered into IAS. A remote access policy needs to be configured to give proper access rights. EAP authentication needs to be selected as PEAP (protected EAP). Certificate services need to be configured and certification authority details need to be entered to create the certificate that has to be used with IAS. The user account that uses the wireless network needs to be given remote access rights in the Active Directory user management.
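The shared secret that IAS stores for each registered RADIUS client is what protects steps 2 and 3 of the 802.1x exchange on the wire. The following is an added example, not code from the chapter or from any RADIUS product: it builds the Access-Request in which the AP relays the supplicant's EAP-Response/Identity, protected by the RFC 3579 Message-Authenticator (HMAC-MD5 keyed with the shared secret), then the server's Access-Challenge with its RFC 2865 Response Authenticator, and shows that verification fails under a wrong secret. The secret, the identity "guest" and all packet values are constructed sample data.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80   # attribute types, RFC 2869

def attr(kind, value):
    return struct.pack("BB", kind, len(value) + 2) + value  # Type, Length, Value

def header(code, pkt_id, attrs):
    return struct.pack("!BBH", code, pkt_id, 20 + len(attrs))

def access_request_with_eap(pkt_id, eap_payload, secret):
    """Step 2: the AP wraps the supplicant's EAP packet in RADIUS. RFC 3579 requires
    a Message-Authenticator (HMAC-MD5 keyed with the shared secret) next to
    EAP-Message; it is computed over the packet with its own value zeroed."""
    attrs = attr(EAP_MESSAGE, eap_payload) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = header(ACCESS_REQUEST, pkt_id, attrs) + os.urandom(16) + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt, secret):
    off = 20                                   # walk the attribute list
    while off < len(pkt):
        kind, length = pkt[off], pkt[off + 1]
        if kind == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, pkt[off + 2:off + 18])
        off += length
    return False  # EAP-Message without Message-Authenticator must be discarded

def response_authenticator(code, pkt_id, attrs, request_auth, secret):
    """RFC 2865: MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    return hashlib.md5(header(code, pkt_id, attrs) + request_auth + attrs + secret).digest()

def access_challenge(request, secret, eap_payload):
    """Step 3: the server's reply; the AP can trust it only because the Response
    Authenticator is keyed with the shared secret (Message-Authenticator omitted)."""
    attrs = attr(EAP_MESSAGE, eap_payload)
    auth = response_authenticator(ACCESS_CHALLENGE, request[1], attrs, request[4:20], secret)
    return header(ACCESS_CHALLENGE, request[1], attrs) + auth + attrs

def verify_response(request, response, secret):
    want = response_authenticator(response[0], response[1], response[20:], request[4:20], secret)
    return hmac.compare_digest(want, response[4:20])

def demo(secret=b"constructed-shared-secret"):
    identity = struct.pack("!BBH", 2, 1, 10) + b"\x01guest"   # EAP-Response/Identity "guest"
    req = access_request_with_eap(1, identity, secret)
    peap_start = b"\x01\x02\x00\x06\x19\x20"   # EAP-Request, Type 25 (PEAP), Start flag
    chal = access_challenge(req, secret, peap_start)
    return (verify_message_authenticator(req, secret), verify_response(req, chal, secret),
            verify_response(req, chal, b"wrong-secret"))   # → (True, True, False)
```

A mistyped secret on either the AP or the IAS side therefore shows up as every Access-Challenge failing verification, not as a password error for the user.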
On the access point, there is a need to do the authenticator configuration by adding the IP address of the RADIUS server and the shared secret details. On the client's side, a Windows XP workstation has to be configured with a wireless card to negotiate with the AP that is doing RADIUS authentication through the IAS server. The association table on the CISCO AP in Figure 5 shows the details after the client's EAP authentication with the RADIUS server. Note the words 'EAP Assoc' under the State column.

An example setup used by the authors can be explained as follows. The user guest, who had an account in the RADIUS/Windows 2000 server, risecure.isecures.com (with IP address 172.20.121.15), had connected from a client, PC.isecures.com (with IP address 172.20.121.60), through a CISCO Aironet 350 access point (with IP address 172.20.121.57). The event viewer output (only selected lines are shown; numeric field values did not survive extraction) after successful EAP authentication was as follows:

IAS event viewer output on Windows 2000 Server:

    Event Type: Information
    Event Source: IAS
    Computer: RISECURES
    Description: User ISECURES\guest was granted access.
    Fully-Qualified-User-Name = isecures.com/Users/Guest
    NAS-IP-Address = ...
    NAS-Identifier = AP...
    Client-Friendly-Name = isecureslab
    Client-IP-Address = ...
    Policy-Name = Allow access if dial-in entry enabled
    Authentication-Type = EAP
    EAP-Type = Protected EAP (PEAP)

To implement the RADIUS configuration on the Linux platform, a GNU GPL-licensed RADIUS software known as FreeRADIUS can be downloaded and configured as the RADIUS server. The details can be found at the Web site http://www.freeradius.org. The details of the authentication messages (only selected lines are shown; numeric field values did not survive extraction) when FreeRADIUS is run in debug mode (i.e., radiusd -X) in Linux after successful EAP authentication can be as shown.
FreeRADIUS authentication output on Red Hat Linux:

    rad_recv: Access-Request packet from host ..., id=..., length=...
            User-Name = "guest"
            Cisco-AVPair = "ssid=isecureslab"
            NAS-IP-Address = ...
            Called-Station-Id = "...XX"
            Calling-Station-Id = "...cfd...XX"
            NAS-Identifier = "AP...XX"
            ...
      rlm_eap: EAP/peap
      rlm_eap: processing type peap
      rlm_eap_peap: Authenticate
      rlm_eap_tls: processing TLS
      rlm_eap_peap: EAPTLS_OK
      rlm_eap_peap: Session established.
      rlm_eap_peap: Received EAP-TLV response.
      rlm_eap_peap: Tunneled data is valid.
      rlm_eap_peap: Success
    Login OK: [guest] (from client isecureslab port ... cli ...cfdbc...)

The authors had used FreeRADIUS 1.0.0 to set up the RADIUS server. The source was compiled and an executable was created. Some configuration files were edited, like radiusd.conf, eap.conf and clients.conf, to allow user permission with password to configure PEAP-MSCHAPv2 functions.

THE WEP CRACKING PROCEDURE

Problems with WEP

Generally, attacks on WEP were based on the design of the system, which many people thought was sound. However, a paper written by Fluhrer, Mantin, and Shamir (2001) dispelled that notion. The authors found a flaw in the "key scheduling algorithm" of RC4 that made certain RC4 keys fundamentally weak, and they designed an attack that would allow a passive listener to recover the secret WEP key simply by collecting a sufficient number of frames encrypted with weak keys. Though they did not implement the attack, others did. The first public description came from an AT&T Labs technical report (Stubblefield, Ioannidis, & Rubin, 2001).

Aircrack is a WEP key cracker that the authors had used. It implements the so-called Fluhrer-Mantin-Shamir (FMS) attack, along with some new attacks by KoreK. When enough encrypted packets have been gathered, Aircrack can almost instantly recover the WEP key. Every WEP encrypted packet has an associated 3-byte (24 bits) initialization vector. Some IVs leak information about a certain byte of the key and, thus, statistically, the correct key emerges when a sufficient number of IVs have been collected.
To recover a WEP key, it really depends on the way the IVs are distributed. Most of the time, one million unique IVs (thus about 2 million packets) are enough.

Practical Cracking

Both the 64-bit and 128-bit WEP key cracking were tested and analyzed by the authors. The cracking was done using an ACER laptop client station with appropriate software.

Table 2. Hardware and software used for WEP cracking

    Equipment/Item                 Specification
    Laptop                         Acer Laptop with Mobile Centrino Intel processor, 256 MB RAM and 20 GB HDD with Windows XP
    Network Detection Software     NetStumbler 0.4.0
    Packets Capturing Software     Link Ferret 3.10 (also used as analyzer)
    Wireless Network Adapters      Onboard wireless network adapter and CISCO Aironet 350 series PCMCIA
    WEP Cracking Software          Aircrack 2.1

Huge files from