Wireless Security
Download
Report
Transcript Wireless Security
COEN 350
Mobile Security
Wireless Security
Wireless offers additional challenges:
Physical media can easily be sniffed.
War Driving
Legal?
U.S. federal computer crime statute, Title 18 U.S.C. 1030,
Crime to knowingly access a computer used in interstate or
foreign communication "without authorization" and obtain
any information from the computer.
Crime to access a computer without authorization with
"intent to defraud" to obtain "anything of value."
But not if "the object of the fraud and the thing obtained
consists only of the use of the computer and the value of
such use is not more than $ 5,000 in any 1-year period."
Wireless Security
Wireless offers additional challenges:
Physical media can easily be sniffed.
Mobile computing needs to preserve
battery power.
Calculations cost more on a mobile platform.
Wireless Security
Knowing the Threat
Targets of opportunity
Goal is
Targeted attacks
Internet access.
Easy pickings.
Needs an asset valuable enough.
Internal attackers
Can open an unintentional security hole
IEEE 802.11
Wired Equivalent Privacy (WEP)
Protocol
Based on a shared secret k.
Distributed out of band.
Uses CRC for internal integrity protection.
Uses RC4 to encrypt network traffic.
WEP Protocol
WEP Protocol
Confidentiality
Original packet is first check-summed.
Checksum and data form the payload.
Transmitting device creates a 24-bit
random initialization vector IV.
IV and shared key are used to encrypt with
RC4
WEP Protocol
Authentication
Station associating with access point needs
to authenticate itself.
Both exchange the type of authentication
that is accepted.
Open: Just identification between station and
AP
Shared Secret: Participants send nonces to
each other, encrypt the nonce using WEP (and
the shared secret key), and verify the other’s
response.
WEP has no key management
Everyone allowed to have access to a
wireless network has the same key.
Anyone with the key can read ALL
traffic.
RC4
RC4 uses the key and the IV to produce
a stream of pseudo-random bytes.
Calculates cipher text from plaintext by
XORing the pseudo-random stream with
the plain-text.
RC4
Attacks on RC4
Dictionary Attack
Build database:
224 different IVs
Build a database of 224 streams of MTU bytes
(2,312 B) for each different IV.
Takes < 40 GB storage.
XOR two entries with the same IV.
Result are the two plaintexts XORed.
Natural language text has enough redundancy
to decrypt the XOR of two text streams.
Attacks on RC4
Dictionary Attack
Many packages can be completely or
partially guessed.
XORing guessed plaintext and captured
cipher gives pseudo-random byte stream
for a given IV.
Some implementations reset IVs poorly.
This simplifies dictionary attacks.
Attacks on RC4
Injection Attack
Attacker creates packets on the wireless
connection.
Attacker XORs plaintext and cipher.
Builds Pseudo-Random Stream database
indexed by IV.
RC4
Fluhrer, Mantin, Shamir Attack
First few bits of several thousand
messages reveals key.
Based on an analysis of the RC4 code.
Originally kept secret, but later leaked on the
internet.
RC4
Fluhrer, Mantin, Shamir Attack
Key Scheduling Algorithm
Sets up RC4 state array S
S is a permutation of 0, 1, … 255
Output generator uses S to create a
pseudo-random sequence.
First byte of output is given by
S[S[1]+S[S[1]]].
First byte depends on
{S[1], S[S[1], S[S[1]+S[S[1]]}
RC4
Fluhrer, Mantin, Shamir Attack
Key Scheduling Algorithm
First byte of plain text package is part of the SNAP header
0xAA for IP and ARP packages
0xFF or 0xE0 for IPX
Guessing the first byte is trivial
Some IVs are vulnerable: “resolved”
(KeyByte+3, 0xFF, *)
Plus some more
Easy to test whether an IV is vulnerable.
Search for vulnerable IVs.
They leak key bytes probabilistically.
Large number of packets does it.
RC4
Fluhrer, Mantin, Shamir Attack
Optimization needs about 5,000,000 to
1,000,000 packages.
Counter-measures:
Change key frequently.
Change IV counters to avoid bad IVs.
WEP Message Modification
WEP uses CRC code to ascertain integrity of
messages.
CRC code is linear:
CRC(x y) = CRC(x) CRC(y).
Attacker knows plaintext M and desired modification
for target plaintext M’ = M .
Attacker want to substitute X = P(M,CRC(M)) for
P(M’,CRC(M’)).
Attacker sends
X(,CRC())
= P(M,CRC(M)) (,CRC())
= P(M’,CRC(M’))
Wireless Insecurity Problems
WiFi card software allows users to
change the MAC address.
Wireless Security
Casual user, low yield traffic
WEP is good enough.
Enterprise, Commercial
Combine WEP with higher order security
SSH
VPN
IPSec
Protocol Layers
WEP
Privacy only.
Very elementary security.
WPA
Temporal Key Exchange Protocol
AES: Advanced Encryption Standard
802.11i
Military grade encryption, replaces DES
802.1X
Fixes WEP that scrambles keys between packages and adds a secure
message check.
General purpose and extensible framework for authentication users
and generating / distributing keys.
Simple Secure Network (SSN)
Recipe for authentication based on 802.1X