Transcript Slides

Computer security 2015 – Ýmir Vigfússon
Based on slides by Björn@Syndis, Roy Werber, Pascal Meunier@Purdue,
material from Computer Networking: A Top Down Approach Featuring the Internet,
Jim Kurose, Keith Ross, Addison-Wesley
[Figure: data rate (Mbps) versus range for wireless link standards. Rate axis ticks: 200, 54, 5-11, 4, 1, .384, .056. Standards plotted: 802.11n; 802.11a,g; 802.11b; 802.11a,g point-to-point; 802.16 (WiMAX (4G?)); enhanced 3G cellular (UMTS/WCDMA-HSPDA, CDMA2000-1xEVDO); 802.15; 3G (UMTS/WCDMA, CDMA2000); 2G (IS-95, CDMA, GSM). Range axis: NFR, indoor 10-30m, outdoor 50-200m, mid-range outdoor 200m – 4 Km, long-range outdoor 5Km – 20 Km.]

How does wireless differ from wired settings?

Base stations relay traffic between wireless and
wired networks
 Cell towers
 Access points
 ...

Infrastructure mode vs. ad-hoc
 Ad-hoc: no base stations

Basic service set (BSS)
 A.k.a. "cell"
 Set of wireless hosts
 In infrastructure mode, also base station

In ad-hoc mode, hosts relay for each other
 Interesting research questions ...
[Figure: two BSSs (BSS 1, BSS 2), each with its own AP, joined through a hub, switch or router (the network infrastructure) to the Internet]

Genesis of a wireless/WiFi network
JOIN ME Beacon!!!
I have powerful signal!
I am called Secure! (SSID)
My MAC address is
00:de:ad:be:ef:00 (BSSID)
I encrypt .. or not

Genesis of a wireless/WiFi network

... and a WLAN is born

Afterward, may authenticate, run DHCP, etc.

2.4 GHz – 2.485 GHz divided into 11 channels
 Each is a band. How would you share bandwidth?

Share band, Carrier Sense Multiple Access (CSMA)
 Instead of just dividing frequency or time slots among
users, 802.11 uses Code Division Multiple Access (CDMA)

Optional: CSMA-CA: Collision Avoidance
 Short Req-to-Send (RTS) messages to reserve channel
 Base station (access point) decides "Clear-to-Send" (CTS)
[Figure: RTS/CTS exchange over time between hosts A and B and the access point; labels: reservation collision, DATA (A), defer]

Suppose you're in charge of designing the first
wireless protocol for the masses, 802.11.
 How would you make it backward compatible?
[Figure: protocol stack of two end hosts and an intermediate node: application protocol between Application layers, TCP protocol between Transport layers, IP protocol at the Network layer, and Link / Data Link / Network Access at the bottom]

Strive to replace only the lowest layer: link layer
 In regular networks, this is usually Ethernet
[Figure: link layer frame: Link (Ethernet) Header (ETH) | IP Header | TCP | data | Link (Ethernet) Trailer]
Let's try to encapsulate it with the information
that we need
 Who we are
 What access point we're talking to
 Encryption?

802.11 frame layout (field sizes in bytes):

  2        2         6         6         6         2         6         0 - 2312   4
  frame    duration  address   address   address   seq       address   payload    CRC
  control            1         2         3         control   4

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
[Serves as Ethernet source address]
Address 3: MAC address of router interface to which AP is attached
[Serves as Ethernet destination address]
Address 4: MAC address of wireless relay host (ad hoc networks only)
Sequence No.: needed for ARQ (ACK required) mode (frame seq # for reliable ARQ)
Duration: duration of reserved transmission time (RTS/CTS)

Example: host H1 sends through the AP to router R1, which connects to the Internet
  802.3 (Ethernet) frame:  dest. address = R1 MAC addr | source address = H1 MAC addr
  802.11 (WiFi) frame:     address 1 = AP MAC addr (1st dest, the AP) |
                           address 2 = H1 MAC addr (source) |
                           address 3 = R1 MAC addr (2nd dest, Ethernet)

Frame control field (field sizes in bits):

  2          2      4         1    1     1     1      1      1     1    1
  Protocol   Type   Subtype   To   From  More  Retry  Power  More  WEP  Rsvd
  version                     AP   AP    frag         mgt    data

Type and subtype give the frame type (RTS, CTS, ACK, data)

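The frame layout above, as an added example that is not from the slides: a builder and parser for the 802.11 data frame header that names the three addresses by role from the To AP / From AP bits, using constructed MAC addresses for H1, the AP and R1 (the AP address reuses the BSSID from the beacon slide).

```python
import struct

# Constructed sample MAC addresses for the slides' H1 -> AP -> R1 example
# (not real devices; the AP address reuses the BSSID shown on the beacon slide).
H1_MAC = "00:11:22:33:44:55"
AP_MAC = "00:de:ad:be:ef:00"
R1_MAC = "00:66:77:88:99:aa"
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_data_frame(to_ap, from_ap, addr1, addr2, addr3, seq, payload, wep=False, addr4=None):
    """Build an 802.11 data frame: frame control, duration, three (or four)
    addresses, sequence control, payload. The 4-byte CRC is left off."""
    fc0 = 2 << 2                                    # protocol version 0, type 2 (data), subtype 0
    fc1 = to_ap | (from_ap << 1) | (int(wep) << 6)  # To AP (bit 0), From AP (bit 1), WEP (bit 6)
    duration = 0                                    # no RTS/CTS reservation in this example
    hdr = struct.pack("<BBH", fc0, fc1, duration)
    hdr += mac_to_bytes(addr1) + mac_to_bytes(addr2) + mac_to_bytes(addr3)
    hdr += struct.pack("<H", (seq & 0xFFF) << 4)    # 12-bit sequence number, 4-bit fragment number
    if to_ap and from_ap:                           # address 4 exists only in the relay case
        hdr += mac_to_bytes(addr4)
    return hdr + payload

def parse_frame(frame):
    """Decode the header and name the addresses by role, following the
    To AP / From AP bits of the frame control field."""
    fc0, fc1 = frame[0], frame[1]
    to_ap, from_ap = fc1 & 1, (fc1 >> 1) & 1
    a1, a2, a3 = (bytes_to_mac(frame[o:o + 6]) for o in (4, 10, 16))
    info = {"type": FRAME_TYPES.get((fc0 >> 2) & 3, "reserved"), "subtype": fc0 >> 4,
            "retry": bool((fc1 >> 3) & 1), "wep": bool((fc1 >> 6) & 1),
            "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
            "receiver": a1, "transmitter": a2}
    hdr_len = 24
    if to_ap and from_ap:        # wireless relay: addresses 3 and 4 are the real endpoints
        info["destination"], info["source"], hdr_len = a3, bytes_to_mac(frame[24:30]), 30
    elif to_ap:                  # host -> AP: address 3 is the wired (Ethernet) destination
        info["destination"], info["source"] = a3, a2
    elif from_ap:                # AP -> host: address 3 is the original (Ethernet) source
        info["destination"], info["source"] = a1, a3
    else:                        # same BSS / ad hoc: address 3 is the BSSID
        info["destination"], info["source"], info["bssid"] = a1, a2, a3
    info["payload"] = frame[hdr_len:]
    return info
```
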
How would you attack this protocol?
 We can hinder communication (Denial-of-Service)
 We can hijack and modify connections
 We can pretend to be whoever we want (spoofing)
 ...

Effectively no security measures are being taken

What can we do to enhance security?

Authentication:
 How do we know a user is who they say they are?
▪ Username/Password? PIN? SmartCard? Two-factor?
▪ Usually a binary (yes/no) process

Authorization:
 How do we establish what an authorized user should and
shouldn’t be able to do?
▪ Administrator? Customer? On a free trial?
▪ Groups/Roles/Privileges/Permissions

Access control:
 How do we enforce that resources are only accessed by
authorized users?
▪ Implemented through logic, permissions, access lists, etc.

First, let's optionally authenticate users

Second, let's at least try to encrypt every packet
 How do we do that?

Unless we want an open network, we're going to
have to share a key
 Later, we should have key management!
 How would you implement this?

At the time WEP was defined, export restrictions
limited cryptography, so 64-bit RC4 was used
 Extensions later for 128-bit WEP

What about authentication with shared key?

First idea:
 Client sends authentication request with key
 Access point responds with ACCEPT if key correct

Second idea:
 Client sends num and hash(num | key)
 Access point also computes hash, ACCEPTS if
it likes the outcome

Third idea:
 Client sends intention to authenticate
 Access point sends back a random number (nonce) x
 Client computes hash(x | key), sends to access point
 Access point sends ACCEPT if matches local hash(x | key)

This is used in WEP

Called 4-step challenge-response handshake
 Avoids disclosing the (static) key
 Prevents replay attack (“pass-the-hash“)

Same input key = same output
Ideally, want to encrypt our communications
("plaintext") with a long, long string ("key").
 How would you store the key? Need it to be generated
[Figure: stream cipher: the key seeds a pseudo-random number generator; its output keystream Z is XORed letter by letter with the plaintext to produce the ciphertext]

Idea: Just use the WEP key as input to the PRNG
then XOR with plaintext
 What’s the problem?

Idea: Use num | WEP key as input instead, share
num as part of packet
 This is used in the original WEP!
 num is called an “Initialization Vector” (IV)

Basic idea behind WEP encryption
 RC4: Streaming cipher algorithm

Why Initialization Vector (IV)?
 Prevents reuse of keys

Also need a checksum (ICV) to avoid malicious bit
flips
 ICV = Integrity Check Value checksum
[Figure: 802.11 Frame: Header | Payload | ICV | CRC, with ICV = 32-bit CRC of the payload]

WEP encryption, step by step:
 ICV computed – 32-bit CRC of payload
 One of four keys selected – 40-bits (4 x 40-bit keys, Key 1 .. Key 4, chosen by keynumber)
 IV selected – 24-bits, prepended to keynumber (8 bits)
 IV+key (64 bits) used to encrypt payload+ICV with RC4
 IV+keynumber prepended to encrypted payload+ICV

WEP Frame: Header | IV | keynumber | Payload | ICV

WEP decryption:
 Keynumber is used to select key
 IV+key used to decrypt payload+ICV
 Done!

IV (Initialization vector) is 24 bits long
 How many seeds for random number generators?
 Only 16 million different RC4 cipher streams per key

If an IV is ever reused, XOR between packets
equivalent to XOR of plaintext messages
 C = cipher text, P = plain text, and IV here stands for the RC4 keystream generated from that IV and the key:
 C1 ⊕ C2 = (P1 ⊕ IV) ⊕ (P2 ⊕ IV) = P1 ⊕ P2
 If you guess one plain text message, you obtain another
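The WEP encapsulation from the preceding slides and the IV-reuse observation above, as one added example that is not from the slides: RC4, the CRC-32 ICV, the IV || key seeding, and a check that two frames under the same IV leak P1 ⊕ P2. The key number is carried as a full byte, following the slides' layout, and all keys and payloads are constructed sample values.

```python
import zlib

def rc4_keystream(key, length):
    """RC4: key scheduling (KSA) followed by `length` bytes of keystream (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key, iv, keynumber, payload):
    """WEP encapsulation as on the slides: ICV = CRC-32 of the payload,
    IV || 40-bit key seeds RC4, IV and key number are sent in the clear."""
    assert len(key) == 5 and len(iv) == 3 and 0 <= keynumber < 4
    icv = zlib.crc32(payload).to_bytes(4, "little")
    keystream = rc4_keystream(iv + key, len(payload) + 4)
    return iv + bytes([keynumber]) + xor_bytes(payload + icv, keystream)

def wep_decrypt(keys, frame):
    """Select the key by key number, re-derive the keystream, verify the ICV."""
    iv, keynumber, body = frame[:3], frame[3], frame[4:]
    plain = xor_bytes(body, rc4_keystream(iv + keys[keynumber], len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch: frame modified or wrong key")
    return payload

def iv_reuse_leak(frame1, frame2):
    """Two frames under the same IV and key share one keystream, so
    C1 xor C2 = P1 xor P2 without any knowledge of the key."""
    assert frame1[:4] == frame2[:4], "different IV or key: no shared keystream"
    return xor_bytes(frame1[4:], frame2[4:])
```
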

How long until we expect a reused IV?
 Remember class about DNS birthday attacks?


23 people in a room
How likely that two people
share the same birthday?
For $m$ people and $n$ days, the probability is roughly
$1 - e^{-m^2 / (2n)}$
Answer: 50.7%!

Here, n = 16M, so:
 50% chance of collision after only 4,823 packets!
 99% chance of collision 12,430 packets
 If network is operating at 11Mbps, takes 3 seconds
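The birthday estimate applied to the 24-bit IV space, as an added example that is not from the slides: it inverts the approximation $1 - e^{-m^2/(2n)}$ to get the packet counts quoted above and compares it with the exact product formula.

```python
import math

IV_SPACE = 2 ** 24   # 24-bit IV: about 16M distinct RC4 keystreams per key

def collision_probability_approx(m, n=IV_SPACE):
    """The slides' birthday approximation: P(some IV repeats among m) ~ 1 - e^(-m^2 / 2n)."""
    return 1.0 - math.exp(-(m * m) / (2.0 * n))

def collision_probability_exact(m, n=IV_SPACE):
    """Exact value for comparison: 1 - prod_{i<m} (n - i) / n, summed in log space."""
    log_no_repeat = sum(math.log((n - i) / n) for i in range(m))
    return 1.0 - math.exp(log_no_repeat)

def packets_until(p, n=IV_SPACE):
    """Invert the approximation: smallest m with 1 - e^(-m^2 / 2n) >= p,
    i.e. m = ceil(sqrt(2 n ln(1 / (1 - p))))."""
    return math.ceil(math.sqrt(2.0 * n * math.log(1.0 / (1.0 - p))))
```

With the ceiling the 99% figure comes out within one packet of the slide's 12,430.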

Start listening in on traffic, gradually obtaining all
16M IVs to be fully authenticated

More worrying: Fluhrer, Martin, Shamir attack
 Passive attack against RC4 in WEP to recover RC4 key
one letter at a time! Implemented in aircrack-ng
 Can inject data to network to speed up attack

Online demo of a WEP crack using airsnort

https://www.youtube.com/watch?v=_G4kOaJqMOE

Remember: Do NOT use any hacking software
without express permission from the owner of the
network you are attacking.

It was quickly realized that WEP offered lax security.
 WEP was decommissioned in 2004

Teams from Wi-Fi Alliance set-up to think of two
solutions for Protected Access (WPA)

Backward compatible: WPA-TKIP
 Stopgap solution for WEP that could be flashed as firmware on
to existing infrastructure
 (i) Uses a key mixing function between IV and key
 (ii) Adds message integrity checks (MIC) instead of ICV of
CRC32 (cryptographically insecure)
 Attack (2008): Inject 7 packets to a wireless client

Forward thinking: WPA2
 Implemented more elaborate 4-way handshake and
group key handshake
 Supports TKIP, CCMP, etc.
 WPA2 Personal: Pre-shared key between people
 WPA2 Enterprise: Connect to a RADIUS server
▪ Tedious to set up. Also means that if your WiFi credentials are
compromised, your whole account will be too.
 2012: Flaw in WPS – the device configuration tool for
routers that uses a PIN for fast access.
▪ Even when disabled, obtains shared key in about 7 hours

Key sharing still vulnerable to handshake capture
 WEP, WPA-TKIP, WPA2-PSK – PSK = Pre-Shared Key
 Cracking the hashes depends on password strength and
can take a long time
 Rainbow tables accelerate the process (coWPAtty)
 http://www.renderlab.net/projects/WPA-tables/

Does take long(er) to crack

WPA2 Enterprise / WPA-802.1x
 Mostly used in corporate or larger wifi environments
 A Radius server acts as an authentication server
 Uses EAP or “Extensible Authentication Protocol”
which handles the actual authentication
 Very few setups use EAP-TLS
▪ Considered most secure variant of EAP
 Most setups use EAP-PEAP or something less secure
[Figure: WPA2-Enterprise authentication exchange between a client and an access point: Probe Requests; Probe Response (SSID: SuperSecure, ENC: WPA2-Enterprise); Deauth attack; 4 way handshake / authentication carrying the user name and the password (MSCHAPv2)]

Many devices send authenticating information
without doing any verification of certificates.

Some people even setup their devices in this way.
 Several phone manufacturers
 Even Linux distributions

Need to be in range of the device to capture the
encrypted password

The default setting for most devices is, however,
to ask the user to accept the modified certificate

Built on
 Evil access point/hotspot idea
 The fact most devices connect to multiple networks

The idea
 We know NICs continually scan and send probe requests
 What if we send broadcast requests for a million SSIDs?
 If a device has connected before, will I get a response?

Widespread risk
 Applies to those that use traditional Wi-Fi networks
 Also applies to singular devices and non AP networks
[Figure: broadcast SSIDs (Hot Spot, Guests, Free WiFi, xfinitywifi, etc. ...) offered as OPN, WEP and WPAPSK networks, and the resulting association request for SSID: gestir]

Confidentiality:
 Record authentication handshakes (WEP, WPA, WPA2)
 Record and log traffic remotely (leaks)
 Lure people to fake access points

Integrity:
 Record packets, then replay, modify and inject them

Availability:
 Easy to jam frequencies. Turn on the microwave oven...

Accountability:
 Attacker can remain fully anonymous
 Attacker can spoof and frame others