530 likes | 618 Views
Wireless Security. (Based on slides by Dr. Frank Adelstein of ATC-NY/Odyssey Research Associates). Protect what?. Integrity System: performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
E N D
Wireless Security (Based on slides by Dr. Frank Adelstein of ATC-NY/Odyssey Research Associates) 1
Protect what? • Integrity • System: performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. • Data: Should be possible for receiver to verify that data has not been modified; intruder should not be able to substitute fake data • Confidentiality • Only intended recipient(s) should be able to read data • Non-repudiation • Sender should not be able to falsely deny sending data. • Availability (Denial of Service, Distributed DoS) • A third party with no access should not be able to block legitimate parties from using a resource. 2
Security: Before/During/After • Prevention (before) • Authentication, authorization, accounting • Detection (during) • Intrusion Detection • Host/network • Signature/behavior • Reaction (after) • Digital Forensics • Evidence preservation • Who? What? When? From where? • Sources (files, logs, timestamp info, ISP records, …) • Attack Assessment, Damage Assessment, Data Recovery 3
Before • Prevention • Authentication: “Are they who they claim to be?” “The act of verifying a claimed identity, in the form of a pre-existing label from a mutually known name space, as the originator of a message (message authentication) or as the end-point of a channel (entity authentication).” • Authorization: “Do they have permission to do it?” “The act of determining if a particular right, such as access to some resource, can be granted to the presenter of a particular credential.” • Accounting: a log or history of what happened “The collection of resource consumption data for the purposes of capacity and trend analysis, cost allocation, auditing, and billing. Accounting management requires that resource consumption be measured, rated, assigned, and communicated between appropriate parties.” 4
Security Tradeoffs Security vs.: • Convenience • long vs. short passwords • Multi-factor authentication • callback, smart cards, etc. • Availability • locked out after 3 bad passwords • ATM eats bank card • Don’t allow remote access? • what happens when log files fill up? 5
Wireless Risks • Wireless – all of the above concerns plus an increased risk of eavesdropping (and transmitting). • No need to tap or plug into the network. Only need to be “nearby.” • Depending on the wireless technology, nearby can be line-of-sight, same room, outside a building, within a few miles (e.g., Bluetooth sniper rifle) • Greatly increases threats to: confidentiality, integrity, non-repudiation 6
Risks (2) These risks can allow adversaries to: • Perform data snooping • Medical data becoming more available • Hijack sessions • Commit Fraud and identity theft 7
“want a business card?” “want a business card?” “want a business card?” “want a business card?” “want a business card?” “want a business card?” “want a business card?” “want a business card?” Risks: Resource Depletion • Hardware limitations, such as low network bandwidth and limited battery power, also increases denial-of-service risk: • Resource depletion/exhaustion attacks 8
Protections • Make it harder to intercept transmissions at the intruder’s physical layer • Use low power, limit reception/interception range. • Use a technique like frequency hopping • But, generally want anyone to be able to join in and use the network. • Actually used to increase number of users, not for protection. 9
Protections • Encryption: “they” can’t decode data, so they can’t use what they do steal • Digital signatures: prevent forging or modifying data 10
ABCDEFGHI ?T#!@=~cx Encryption P C • Symmetric key: C = Ek(P), P = Dk(C) encryptionfunction key • Public key: • C = Epub(P), • P = Dpriv(C), also • C’ = Epriv (P), • P = Dpub(C’) 11
Block vs. Stream Cipher key E(block) block block Plain text cipher text stream key Pseudo-random stream generator 12
Block vs. Stream Cipher • Block: accumulates a group of plaintext and then operates on it at once (e.g., 64 bits at a time) and produce an encrypted block of equal size. e.g., DES, AES, RSA • Stream: operate on plaintext a single bit/byte at a time. e.g., RC4, used in WEP 13
Simple examples • XOR: TextKey*Result • 1111 0000 XOR 1010 1010 = 0101 1010 • 0101 1010 XOR 1010 1010 = 1111 0000 (* Note that this is really a single sample from a key-stream.) • Rotation (trivial cipher): • ROT1: “HAL” “IBM” • Caesar cipher (+3) • USENIX ROT13: tr ‘[a-zA-z]’ ‘[n-za-m][N-ZA-M]’ 14
3C 00 3C FF 01 FE CB E6 A4 22 19 5D 8B EE … ABCDEFGHI Message Digests and Hashes P • Cryptographically secure one-way function, produces a short sequence of bytes (e.g., 128 or 160 bits) based on the input. • e.g., MD4, MD5, SHA H(P) MD One-way hash 15
A Long Time agoin a galaxyfar, far,away ABCDEFGHI We the people … Hash Space • Single bit change in source changes ~½ the bits in the hash. • Small changes in the hash come from very different sources. • Computationally unfeasible to find matching source from hash. . . . 1,000,201,548,007 1,000,201,548,008 1,000,201,548,009 . . . 16
ABCDEFGHI P! X. #/ [n +p 1c <M ex xq ^P Rk os qp … Message Authentication Code (MAC) P + MAC key • For authenticity without secrecy; attached to message • MAC is a one-way hash function plus a secret key • Encrypt the hash of the message with the key, or • Hash the concatenation of the message and key P ABC DEF GHI H(P, key) • H(P || key) • or • Encrypted H(P) MAC 17
Costs of Protections • Encryption overhead! (more tradeoffs) • Poor performance • CPU load • Power consumption • Reduced battery life • Increased data size increased transmission time 18
Cost of Protections • Public Key Infrastructure (PKI) • Key management • Key setup • Key exchange • Certificates • Trusted 3rd party • Shared secrets (and risks) vs. public key • Individual vs. group keys (overhead) • Certificate revocation or expiration 19
IP Security (IPsec) • IETF IPsec Working Group • Provide authentication. • Authentication Header (AH): RFC2402 • Protect the data payload • Encapsulating Security Payload (ESP): RFC2406 • Key management • Internet Security Association and Key Management Protocol (ISAKMP): RFC2408 20
Misc. Attacks Additional attack methods: • Man-in-the-middle attacks (e.g., ARP cache poisoning, bogus services) • Use good authentication • Replay attacks • Use sequence numbers + one time data • Traffic analysis • Use encrypted communication 21
Misc. Security Physical security • “Stolen laptop” scenario • Defenses: • CMOS password w/ hardware tamper protection • Password protected accounts on computer • Encrypted data • Biometrics for authentication • None of these defenses result in return of the laptop, unfortunately 22
Misc. Non-Technical Attacks • “Social engineering” plus $$$ tend to be very effective • Look for resumes on the web, buy a drink, etc. • See Kevin Mitnick’s book for lots more • “Rubber-hose” cryptanalysis • "Believe me, Baldric, an eternity in the company of Beelzebub and all his hellish minions will be as nothing compared to five minutes alone with me...and this pencil.” • – Blackadder. 23
IEEE 802 Standards • 802.11 – Wireless LAN • 802.11 – “basic” wireless • 802.11a - 5GHz, 54Mb • 802.11b – 2.4GHz, 11Mb • 802.11e – QoS • 802.11f – AP interop • 802.11g – faster 802.11b, starting at 20Mbps • 802.11h – transmit power control for 802.11a (Europe) • 802.11i – better security • 802.11j – Japanese 802.11 • 802.11n – 100+Mb • 802.11p – automotive apps • 802.15.1 Bluetooth • 802.15.4 Low-rate (low power) • 802.16 Wireless Metropolitan Area Network (WMAN) • 802.11 – IEEE Standard, 1997. • 802 LAN/MAN Standard Committee • 802.1d – MAC bridging standard • 802.1x – Port-based Network Access Control • 802.2 – Logical Link Control • 802.3 – Ethernet • 802.3z – 100BaseT Fast Ethernet • 802.5 – Token Ring 24
WEP – Protection for 802.11b • Wired Equivalent Privacy • “No worse than what you get with wire-based systems” • Criteria: • “Reasonably strong” • Self-synchronizing – stations often go in and out of coverage • Computationally efficient – in HW or SW since low MIPS CPUs might be used • Exportable – • Optional – not required to used it 25
WEP – How It Works • Secret key (40 bits or 104 bits) • Initialization vector (24 bits, by IEEE std.) • Total of 64 or 128 bits “of protection.” • RC4-based pseudo random number generator (PRNG) • Integrity Check Value (ICV): CRC 32 26
WEP Data Frame IV(4 bytes) Data (PDU)( 1 byte) ICV(4 bytes) 1 byte Init Vector(3 bytes) Note: can use up to 4 different keys. Pad6 bits Key ID2 bits 27
WEP Encryption IV InitializationVector (IV) Key Sequence Seed Message WEP PRNG Secret Key Ciphertext Plaintext Integrity Algorithm Integrity Check Value (ICV) 28
WEP Encryption Process • Compute ICV using CRC-32 over plaintext msg. • Concatenate ICV to plaintext message. • Choose random IV and concat it to secret key and input it to RC4 to produce pseudo random key sequence. • Encrypt plaintext + ICV by doing bitwise XOR with key sequence to produce ciphertext. • Put IV in front of cipertext. 29
WEP Decryption Secret Key Key Sequence Plaintext WEP PRNG IV Seed Ciphertext Message ICV’ ICV’ - ICV Integrity Algorithm ICV 30
WEP Decryption Process • IV of message used to generate key sequence, k. • Ciphertext XOR k original plaintext + ICV. • Verify by computing integrity check on plaintext (ICV’) and comparing to recovered ICV. • If ICV ICV’ then message is in error; send error to MAC management and back to sending station. 31
WEP Station Authentication WS AP • Wireless Station (WS) sends Authentication Request to Access Point (AP). • AP sends (random) challenge text T. • WS sends challenge response (encrypted T). • AP sends ACK/NACK. Auth. Req. Challenge Text Challenge Response Ack 32
WEP Weaknesses • Forgery Attack • Packet headers are unprotected, can fake src and dest addresses. • AP will then decrypt data to send to other destinations. • Can fake CRC-32 by flipping bits. • Replay • Can eavesdrop and record a session and play it back later. • Collision (24 bit IV; how/when does it change?) • Sequential: roll-over in < ½ day on a busy net • Random: After 5000 packets, > 50% of reuse. • Weak Key • If ciphertext and plaintext are known, attacker can determine key. • Certain RC4 weak keys reveal too many bits. Can then determine RC4 base key. 33
WEP Weakness • Key Management • 4 possible keys, externally populated • 802.11 standard does not specify distribution mechanism (backbone network) • Can be unique key for each WS or single key for entire network (commonly used) • Single key increases chances of IV reuse 34
(Old) Recent Developments As of August 2001: • WEP 128 bit encryption broken in 15 minutes! • Need to see ~6,000,000 encrypted messages to break WEP (not a lot). • Weakness had been known for a while, just had not been exploited that quickly before. 35
War Driving in New Orleans (back in December 2001) • Equipment • Laptop, wireless card, software • GPS, booster antenna (optional) • Results • 64 Wireless LAN’s • Only 8 had WEP Enabled (12%) • 62 AP’s & 2 Peer to Peer Networks • 25 Default (out of the box) Settings (39%) • 29 Used The Company Name For ESSID (45%) 37
9 nets X X X X X X X X X X X X X X X X X X X X 5 nets 39
X X X X X X X X X X X X X X X X X X X X X X X X X 40
Ways to Improve Security with WEP • All encryption modes of operation should use (secure) MAC, rather than CRC • Use WEP(!) • Put wireless network outside of firewall • Use VPN to get inside • Limit connections based on MAC address • Easily defeated • Better key management: • Use individual keys • Change them early and often • Better: replace with something else 41
What’s next? • WiFi Protected Access (WPA) available sooner • Approximation of what will be in 802.11i • Already cracked (11/2004) • 802.11i • Provides better security, key distribution, longer/better initialization vectors, etc. • Probably incompatible with most current hardware 42
802.11i • Improved encryption Algorithms • Temporal Key Integrity Protocol (TKIP) – for legacy hardware • Generates per-packet keys • 48 bit IV prevents replay attacks • Counter mode CBC-MAC Protocol (CCMP) – for new hardware • Not for legacy hardware—insufficient CPU power to run AES encryption • 802.1x – port based network access control • Authentication • Encryption key distribution 43
802.1X From Meetinghouse Data Communications, http://www.mtghouse.com/8021X.pdf 44
802.11i >> WEP • Forgery • Stronger Message Integrity Code • Cryptographically secure hash • Apply hash to packet payload plus src and dest addresses • Replay • 48 bit IV, strictly increasing sequence, cannot roll-over (must rekey), receiver discards out-of-sequence packets • Weak Keys of WEP • Per-packet key computed using transmitter address, IV, base key • Collision • 48 bit IV, force a rekey after 215 packets • Use 802.1X EAPOL (Extensible Authentication Protocol Over LAN) to configure a new key for every association 45
802.11: DoS a Major Concern • Denial of service attacks still a major problem • Physical-level DoS • De-authentication attacks 46
e.g., De-authentication DoS One possible solution for existing hardware: Queue de-authenticate packets for a short time (15s?). If additional data packets are seen from the client, discard the de-authentication request. From “12th USENIX Security Symposium USENIX Association 15 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions”, Ballardo & Savage, 12th USENIX Security Symposium (2003). 47
Why? • Firmware in 802.11 cards is supposed to prevent illegal 802.11 frames from being generated…but From “12th USENIX Security Symposium USENIX Association 15 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions”, Ballardo & Savage, 12th USENIX Security Symposium (2003). 48
802.11 • Jim Geier, “Spread Spectrum: Frequency Hopping vs. Direct Sequence,” http://www.wireless-nets.com/whitepaper_spread.htm. • 3com, “What’s New in Wireless LANs: The IEEE 802.11b Standard,” http://www.3com.com/technology/tech_net/white_papers/503072a.html. • Sultan Weatherspoon, “Overview of IEEE 802.11b Security,” Intel Technology Journal, 2nd Quarter 2000, http://developer.intel.com/technology/itj/q22000/pdf/art_5.pdf. • Jim Lansford, Adrian Stephens, and Ron Nevo, “Wi-Fi (802.11b) and Bluetooth: Enabling Coexistence,” IEEE Network, Sept/Oct 2001. 49
WEP • R.L. Rivest, “The RC4 Encryption Algorithm,” RSA Data Security, Inc. March 12, 1992 (proprietary). • RFC2401, Stephen Kent and Randall Atkinson, “Security Architecture for the Internet Protocol,” Internet Engineering Task Force, Nov. 1998, http://www.ietf.org/rfc/rfc2401.txt. • Nikita Borisov, Ian Goldberg, and David Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11 (-Draft-),” Mac Crypto Workshop, Jan. 2001, http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf. • Scott Fluhrer, Itsik Mantin, and Adi Shamir, “Weaknesses in the Key Scheduling Algorithm of RC4,” Proceedings of Selected Areas in Cryptography (SAC), Toronto, August 2001, http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps. • Adam Stubblefield, John Ioannidis, and Aviel D. Rubin, “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP,” AT&T Labs Technical Report TD-4ZCPZZ, August 2001, http://www.cs.rice.edu/~astubble/wep/. 50