Discover the flaws of wireless security and why it is not sufficient to protect your network. Learn about the risks of RF leakage and attacks from afar, and why it is essential to care about wireless security. Get an overview of the history of WEP and its weaknesses, and explore future directions in wireless security.
Wireless Security: Why Swiss-Cheese Security Isn't Enough
David Wagner, University of California at Berkeley
Wireless Networking is Here
802.11 wireless networking is on the rise
• installed base: ~ 15 million users
• currently a $1 billion/year industry
(diagram label: Internet)
The Problem: Security
Wireless networking is just radio communications
• Hence anyone with a radio can eavesdrop, inject traffic
Overview of the Talk
In this talk:
• The history: WEP, and its (in)security
• Where we stand today
• Future directions
WEP
• The industry's solution: WEP (Wired Equivalent Privacy)
• Share a single cryptographic key among all devices
• Encrypt all packets sent over the air, using the shared key
• Use a checksum to prevent injection of spoofed packets
(diagram label: encrypted traffic)
Early History of WEP
1997: 802.11 WEP standard released
Mar 2000: Simon, Aboba, Moore: some weaknesses
Oct 2000: Walker: Unsafe at any key size
Jan 30, 2001: Borisov, Goldberg, Wagner: 7 serious attacks on WEP
Feb 5, 2001: NY Times, WSJ break the story
WEP - A Little More Detail
(diagram: the sender transmits IV, P ⊕ RC4(K, IV))
• WEP uses the RC4 stream cipher to encrypt a TCP/IP packet (P) by xor-ing it with keystream (RC4(K, IV))
A Property of RC4
• Keystream leaks, under known-plaintext attack
• Suppose we intercept a ciphertext C, and suppose we can guess the corresponding plaintext P
• Let Z = RC4(K, IV) be the RC4 keystream
• Since C = P ⊕ Z, we can derive the RC4 keystream Z by P ⊕ C = P ⊕ (P ⊕ Z) = Z
• This is not a problem ... unless keystream is reused!
A Risk of Keystream Reuse
(diagram: two packets sent under the same IV: IV, P ⊕ RC4(K, IV) and IV, P' ⊕ RC4(K, IV))
• If IV's repeat, confidentiality is at risk
• If we send two ciphertexts (C, C') using the same IV, then the xor of plaintexts leaks (P ⊕ P' = C ⊕ C'), which might reveal both plaintexts
Lesson: If RC4 isn't used carefully, it becomes insecure
Attack #1: Keystream Reuse
• WEP didn't use RC4 carefully
• The problem: IV's frequently repeat
• The IV is often a counter that starts at zero
• Hence, rebooting causes IV reuse
• Also, there are only 16 million possible IV's, so after intercepting enough packets, there are sure to be repeats
Attackers can eavesdrop on 802.11 traffic
• An eavesdropper can decrypt intercepted ciphertexts even without knowing the key
WEP -- Even More Detail
(diagram: the original unencrypted packet is extended with a checksum; the result is encrypted with RC4 under the key and IV; the IV itself is sent in the clear alongside the encrypted packet)
Attack #2: Spoofed Packets
• Attackers can inject forged 802.11 traffic
• Learn RC4(K, IV) using previous attack
• Since the checksum is unkeyed, you can then create valid ciphertexts that will be accepted by the receiver
Attackers can bypass 802.11 access control
• All computers attached to wireless net are exposed
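To make the properties on the last few slides concrete (keystream recovery from known plaintext, the P ⊕ P' leak when an IV repeats, and forgery against an unkeyed checksum once the keystream is known), here is an added Python model of WEP-style packet protection. It is example code written for this page, not code from the talk. It uses a minimal RC4, a 40-bit key, a 24-bit IV and packets that are all constructed sample values; the HMAC-SHA256 tag in the last function is an assumed contrast case (what a keyed integrity check would do), not something WEP had, and the birthday estimate assumes random IVs, whereas many WEP cards used a counter.

```python
"""
Added example (not from the talk): a toy model of WEP packet protection,
showing three facts stated on the slides:

  1. Known plaintext leaks the RC4 keystream:    P xor C = Z
  2. IV reuse leaks the XOR of two plaintexts:   C xor C' = P xor P'
  3. An unkeyed checksum (CRC-32) gives no integrity: anyone who knows Z
     can build a packet the receiver accepts; a keyed MAC rejects it.

All keys, IVs and packets below are constructed sample values.
"""
import hashlib
import hmac
import zlib
from math import exp
from typing import Optional


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings (shorter one wins)."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """WEP's per-packet RC4 key is IV || K; the IV travels in the clear."""
    return rc4(iv + key, length)


def icv(packet: bytes) -> bytes:
    """WEP's integrity check value: an unkeyed CRC-32 of the plaintext."""
    return zlib.crc32(packet).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, packet: bytes) -> bytes:
    """Append the CRC-32, then XOR (packet || CRC) with RC4(IV || K)."""
    body = packet + icv(packet)
    return xor(body, wep_keystream(key, iv, len(body)))


def wep_receive(key: bytes, iv: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Decrypt; accept only if the CRC-32 matches. Returns packet or None."""
    body = xor(ciphertext, wep_keystream(key, iv, len(ciphertext)))
    packet, tag = body[:-4], body[-4:]
    return packet if icv(packet) == tag else None


def recover_keystream(known_packet: bytes, ciphertext: bytes) -> bytes:
    """Slide 'A Property of RC4': P xor C = Z. Because the checksum is
    unkeyed, a known packet also means a known CRC, so the whole frame's
    keystream comes out, not just the packet part."""
    return xor(known_packet + icv(known_packet), ciphertext)


def iv_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two frames under one IV: C xor C' = P xor P' (keystream cancels)."""
    return xor(c1, c2)


def forge_with_known_keystream(keystream: bytes, packet: bytes) -> bytes:
    """Attack #2: with Z and an unkeyed checksum, no key is needed to
    produce a frame wep_receive() accepts."""
    body = packet + icv(packet)
    if len(keystream) < len(body):
        raise ValueError("not enough recovered keystream for this packet")
    return xor(body, keystream[: len(body)])


def keyed_tag(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Assumed fix for contrast: a keyed MAC over IV || ciphertext."""
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def mac_receive(key: bytes, mac_key: bytes, iv: bytes,
                ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    """Reject any frame whose keyed tag does not verify, then decrypt."""
    if not hmac.compare_digest(tag, keyed_tag(mac_key, iv, ciphertext)):
        return None
    return wep_receive(key, iv, ciphertext)


def iv_repeat_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: P(some IV repeats) among `packets` random IVs
    drawn from 2**iv_bits values (WEP: 24-bit IV, ~16 million values)."""
    n = 2 ** iv_bits
    return 1.0 - exp(-packets * (packets - 1) / (2.0 * n))
```

With a 24-bit IV space the birthday estimate passes 50% at roughly five thousand frames, which is why "after intercepting enough packets, there are sure to be repeats" holds even for implementations that pick IVs at random rather than counting from zero.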
Attack #3: Reaction Attacks
(diagram: attacker resends the intercepted frame as P ⊕ RC4(K) ⊕ 0x0101 and watches for a TCP ACK)
• TCP ACKnowledgement appears ⇔ TCP checksum on received (modified) packet is valid ⇔ P & 0x0101 has exactly 1 bit set
• Attacker can recover plaintext (P) without breaking RC4
Summary So Far
• None of WEP's goals are achieved
• Confidentiality, integrity, access control: all insecure
Subsequent Events
Jan 2001: Borisov, Goldberg, Wagner
Mar 2001: Arbaugh: Your 802.11 network has no clothes
May 2001: Arbaugh: more attacks …
Jun 2001: Newsham: dictionary attacks on WEP keys
Aug 2001: Fluhrer, Mantin, Shamir: efficient attack on way WEP uses RC4
Feb 2002: Arbaugh, Mishra: still more attacks
War Driving
To find wireless nets:
• Load laptop, 802.11 card, and GPS in car
• Drive
• While you drive: attack software listens and builds a map of all 802.11 networks found
Problems With 802.11 WEP
• WEP cannot be trusted for security
• Attackers can eavesdrop, spoof wireless traffic
• Also can break the key with a few minutes of traffic
• Attacks are serious in practice
• Attack tools are available for download on the Net
• And: WEP is often not used anyway
• High administrative costs (WEP punts on key mgmt)
• WEP is turned off by default
History Repeats Itself… wireless security: not just 802.11
(timeline from 1980 through 2003 and beyond, three columns)
cellphones: analog cellphones: AMPS (1980); analog cloning, scanners; fraud pervasive & costly; digital: TDMA, GSM; TDMA eavesdropping [Bar]; more TDMA flaws [WSK]; GSM cloneable [BGW]; GSM eavesdropping [BSW, BGW]; attacks pervasive; Future: 3rd gen.: 3GPP, …
wireless networks: 802.11, WEP (1999); WEP broken [BGW]; WEP badly broken [FMS]; WPA (2003); Future: 802.11i
sensor networks: Berkeley motes; TinyOS 1.0, TinySec (2002); Future: ???
Conclusions
• The bad news: 802.11 is insecure, both in theory & in practice
• 802.11 encryption is readily breakable, and 50-70% of networks never even turn on encryption
• Hackers are exploiting these weaknesses in the field
• The good news: Fixes (WPA, 802.11i) are on the way!