200 likes | 304 Views
Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering. 802.11b overview. Not originally designed for the business world No load balancing
E N D
Wireless SecurityBy Robert Peterson M.S. C.E.Cryptographic ProtocolsUniversity of FloridaCollege of Information Sciences & Engineering
802.11b overview • Not originally designed for the business world • No load balancing • SSID was intended to be used much like a strong password (long, non-meaningful strings, symbols) • Access Points (APs) broadcast ‘Beacon Frames’ periodically. SSID scans were not an intended feature of the standard.
There are two types of security in 802.11b • An authentication standard for connecting to an access point • Wireless Encryption Protocol (WEP) which encrypts each wireless data frame
Access Point Authentication There are two choices: • Open Authentication (none) • Shared Key Authentication: a) user sends request to AP b) user receives ChallengeText c) user sends back {ChallengeText}WEP_Key The encryption method used is called RC4 RC4 is a symmetric stream cipher with an arbitrary key size. RC4 was created by Ron Rivest of RSA Security in 1987.
Shared Key Authentication is horrible • A WEP key is just 40 bits and malicious party has access to RC4 (open standard), the ciphertext, and plaintext! • Over all possible RC4 keys, the statistics for the first few bytes of output keystream are strongly non-random. • Every source I read said that open authentication is far safer then Shared Key Authentication (SKA). Why is SKA dangerous to keep on?
Wireless Encryption Protocol (WEP) • Every wireless frame is encrypted with a global 40-bit WEP key and a generated 24-bit number called an initialization vector (IV) • It is completely insecure. You don’t need anything other then a regular wireless card to compromise everything.
Plaintext P = RC4(iv,k) + Cipher text C Checksum c(M) Message M Vulnerability 1 • RC4 is a stream cipher • Produces a stream of keys that is XORed with the plain text • Susceptible to “key stream re-use” attacks
A Property of Stream Ciphers • Observe: Suppose we are given: C1 = P1 RC4(iv, k) C2 = P2 RC4(iv, k) Then: C1C2 = P1 RC4(iv, k) P2 RC4(iv, k) = P1 P2 • XORing two cipher texts together gives the XOR of the two plain texts!! • C1C2 = P1 P2
Consequences of Observation • Given P1, C1 and C2, you can calculate P2 • In the real world, it is possible to recover P1 and P2 given C1, C2, and P1 P2 using • classical techniques (frequency analysis) • known formats (IP header) • secure and insecure broadcast packets Just observed that: C1C2 = P1 P2
How to fix this problem? • The vulnerability exists because the same key stream is used for both p1 and p2 • Simple fix: change the key stream! • This is done by changing the initialization vector used for each packet • Augment the plain text portion of each packet with its initialization vector • WEP recommends that this be done • In practice, this does NOT prevent key stream reuse attacks!!
IV was an idiotic fix to keep RC4 • Easy to find re-used initialization vectors • Sent as plain text • Management problems • WEP does not specify how it is chosen • Most simply start at 0 upon boot, and increment by 1!!! • WEP specifies that the initialization vector is only 24 bits • Essentially guarantees re-use • WEP does not require changing the initialization vector. • Can stay the same!
Now decryption is easy • Decryption dictionary: • Once the plain text is known from vulnerability 1, the key stream is also known • RC4(iv,k) = C P • An attacker can store this key stream in a table indexed by the initialization vector • Assuming 1.5KB for each of the 224 initialization vectors, this table would only be 24GB • Once created, decryption is easy • This attack is not affected by key size
Vulnerability 2 • Key Management • WEP does not specify how the secret key is distributed • In practice, the key is manually entered • For convenience, most sites use a single shared key • Increases the probability of initialization vector reuse • Due to inconvenience, keys are rarely changed in practice
Vulnerability 3 • WEP does not provide access control • Once a key stream is found, the attacker can inject any messages into the network • Can calculate CRC-32 checksum • Can encrypt message + checksum using the known key stream • This defeats the WEP authentication protocol • Simple challenge-encrypt-reply-decrypt-compare protocol
Proposed Solutions • Use 128-bit WEP Key – still suxors, who cares? IV is the source of attacks not WEP • Rotational WEP Keys – Global Key and Rotating Session keys each encrypted with previous one. Helps but IV still weak link. • MAC address filtering – management nightmare, MAC addresses can be sniffed out of frames
VPN • Each client is configured with a VPN client and tunneled over the wireless network to a VPN concentrator on the wired network • Malicious party just ignores the tunnel! • Some clients have the option to battle with the Operating System and only allow traffic to go through the tunnel, but not common place
802.11X • New authentication protocol (replaces Shared Key Authentication) • Steps: (1) Client requests connection from AP (2) AP asks for “credentials” (3) AP sends credentials to a RADIUS Server RADIUS = Remote Authentication Dial-In User Service The secure protocol for supplying credentials must follow the 802.11X Extensible Authentication Protocol (EAP) standard
Some EAP implementations • EAP-MD5 - one of the first implementations - passes a hash of a username/password pair to the RADIUS Server - Doesn’t prevent current WEP Attacks • EAP-Cisco Wireless, or LEAP - A one-time WEP key is used to validate credentials - RADIUS has session timeout feature
The Future? IEEE is working on 802.11i, which will go beyond just ratifying authentication which is what 802.11X did - MAC addresses will be reworked - Temporal Key Integrity Protocol (TKIP). Generates new encryption keys for every 10 kilobytes of data transmitted. Still uses WEP and RC4.
References ars technica Wireless Security Black Paper 7/18/2002, http://arstechnica.com/articles/paedia/security.ars/ Intercepting Mobile Communications:The Insecurity of 802.11 Nikita Borisov, Ian Goldberg, David Wagner University of California, Berkeley MobiCom 2001, http://classes.cec.wustl.edu/~cs673/WEP.ppt Real Security for Wireless LANs By: Erlanger, Leon. PC Magazine 8/05/2003, Vol. 22 Issue 13, p72 Beefing Up 802.11b Security Yardena Arar, PCWorld.com 2/04/2002, http://www.pcworld.com/news/article/0,aid,82563,00.asp