Transcript Lecture

FELK 19: Security of Wireless Networks*
Mario Čagalj
University of Split
2013/2014.
WiFi (In)Security – 1st part
Assembled from different sources: Čapkun, Hubaux,
Buttyan,...
Produced by Mario Čagalj
Introduction
 Classical wired networks: UTP cable
 WLAN: radio link
Wireless vs. classical nets
simplicity
mobility
speed
security
classical
wireless
+
+
+
+
-
 Novel security model
[Figure: radio signal, closed environment, attacker]
Why security is more of a concern in
wireless?
• no inherent physical protection
– physical connections between devices are replaced by logical associations
– sending and receiving messages do not need physical access to the network infrastructure (cables, hubs, routers, etc.)
• broadcast communications
– wireless usually means radio, which (generally) has a broadcast nature
– transmissions can be overheard by anyone in range
– anyone can generate transmissions,
• which will be received by other devices in range
• which will interfere with other nearby transmissions and may prevent their correct reception (jamming)
 eavesdropping is easy
 injecting bogus messages into the network is easy
 replaying previously recorded messages is easy
 illegitimate access to the network and its services is easy
 denial of service is easily achieved by jamming
Infrastructure vs. ad hoc networks
[Figure: infrastructure network (several APs attached to a wired network; AP: Access Point) next to an ad hoc network]
IEEE 802.11 - Architecture of an
infrastructure network
 Station (STA)
 terminal with access mechanisms to the wireless medium and radio contact to the access point
 Basic Service Set (BSS)
 group of stations using the same radio frequency
 Access Point
 station integrated into the wireless LAN and the distribution system
 Portal
 bridge to other (wired) networks
 Distribution System
 interconnection network to form one logical network (ESS: Extended Service Set) based on several BSS
 one ESS has one SSID (Service Set Identifier)
[Figure: two 802.11 LANs (BSS1 with STA1; BSS2 with STA2 and STA3), each with an Access Point on the Distribution System, together forming the ESS; a Portal connects to an 802.x LAN]
IEEE 802.11 standard
 Defined for Wireless LANs (WLANs)
 IEEE 802.11 layers
 physical layer
 data link layer (Media Access Control - MAC, security)
[Figure: protocol stacks of the mobile station (Application, TCP, IP, 802.11 MAC, 802.11 PHY), the access point (802.11 MAC/PHY on one side, 802.3 MAC/PHY on the other) and the terminal on Ethernet (Application, TCP, IP, 802.3 MAC, 802.3 PHY)]
802.11 - Layers and functions
 PLCP (Physical Layer Convergence Protocol)
 clear channel assessment signal (carrier sense)
 PMD (Physical Medium Dependent)
 modulation, coding
 PHY Management
 channel selection, MIB
 Station Management
 coordination of all management functions
 MAC
 access mechanisms, fragmentation, encryption
 MAC Management
 synchronization, roaming, MIB (management information base), power management
[Figure: layer stack: IP over MAC over PHY (PLCP, PMD), with MAC Management, PHY Management and Station Management alongside]
IEEE 802.11b/g: physical layer
 2.4 GHz (2.4–2.4835 GHz) 14 channels
 Central frequencies shifted by 5 MHz
 13 in EU, 11 in USA
 Based on spread spectrum (SS) modulation
 Frequency Hopping (FHSS)
 Direct Sequence (DSSS)
 Maximal data rate depends on the coding and modulation schemes selected (1, 2, 5.5, 11, + up to 54Mbps)
 802.11b at 11Mbps
 Complementary Code Keying (CCK)
 Differential Quadrature Phase Shift Keying (DQPSK)
 802.11g at 54Mbps
 Orthogonal Frequency Division Multiplexing (OFDM)
 Borrowed from 802.11a
Channel allocation (2-2.4835 GHz)
[Figure: channels 1 to 13]
IEEE 802.11a - more robust
 Uses robust Orthogonal Frequency Division Multiplexing (OFDM)
 Uses 5GHz ISM band (as opposed to 2.4GHz)
 Two non-continuous areas 5.15GHz - 5.35GHz and 5.725GHz - 5.825GHz
 A total of 12 (overlapping) channels spaced 20MHz (cover 300MHz)
Access point – station communication
 AP and station use one channel (e.g. ch 2)
 Only one station communicates with AP at a given time (regulated by 802.11 MAC protocol)
 Received signal is filtered (e.g., fc ± 22MHz for 802.11b/g) to reduce neighboring channels interference
 Nevertheless, substantial interference remains
 from neighboring channels (channels are only 5 MHz apart)
 background noise and interference (e.g., microwave oven)
 Spread spectrum techniques (DSSS) help to some extent in reducing the effect of interference (narrowband)
Direct Sequence Spread Spectrum (DSSS)
[Figure: spreading modulator → DSSS signal (RF link) → spreading demodulator; a spreading code feeds each side]
Jamming IEEE 802.11b/g
• Spreading techniques in 802.11
– spreading codes are publicly known
– e.g. Barker sequence for 802.11b at
1Mbps and 2Mbps = “1 0 1 1 0 1 1 1 0 0 0”
– spreading codes are the same for all channels
• Spreading codes in 802.11 are not used for confidentiality
• Jamming:
– jammer knows the codes and therefore can jam any channel by
transmitting symbols using the same codes ...
– even if the attacker uses adjacent channels the throughput will be
affected (there are only 3 non-overlapping channels)
– there is no solution for this DoS attack on 802.11
Security problems at the physical layer
 Denial-of-Service (DoS) attacks by jamming the radio signal (radio jamming)
 The signal spreading code is public (available to the attacker)
 The attacker jams the radio channel by transmitting legitimate signals using the same spreading code
 To amplify the jamming effect, the attacker uses directional antennas (or a microwave oven :-)
[Figure: closed room, attacker]
● IEEE 802.11 provides no protection against active signal jamming (radio jamming)
– DoS through radio jamming is often (wrongly) neglected
IEEE 802.11b: Media Access Control (MAC)
 MAC allows multiple users to transmit on the same channel (e.g. to connect to the same access point)
 Ensures a “fair” distribution of the available channel capacity
 Distributed Coordination Function (DCF): the basic protocol for access to the radio channel
 DCF is based on the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) paradigm
 Before transmitting a packet on the channel, a mobile computer listens to check whether the channel is already “busy” (e.g., used by another computer)
 Collisions between the packets of two or more computers are avoided by a randomized “back-off” mechanism
[Figure: Computer A, Computer B, AP]
802.11 - MAC layer principles (1/2)
 Traffic services
 Asynchronous Data Service (mandatory)
 exchange of data packets based on “best-effort”
 support of broadcast and multicast
 Time-Bounded Service (optional)
 implemented using PCF (Point Coordination Function)
 Access methods (called DFWMAC: Distributed Foundation Wireless MAC)
 DCF CSMA/CA (mandatory)
 collision avoidance via randomized „back-off“ mechanism
 minimum distance between consecutive packets
 ACK packet for acknowledgements (not for broadcasts)
 DCF with RTS/CTS (optional)
 avoids hidden terminal problem
 PCF (optional)
 access point polls terminals according to a list
 DCF: Distributed Coordination Function
 PCF: Point Coordination Function
802.11 - MAC layer principles (2/2)
 Priorities
 defined through different inter frame spaces
 no guaranteed, hard priorities
 SIFS (Short Inter Frame Spacing)
 highest priority, for ACK, CTS, polling response
 PIFS (PCF IFS)
 medium priority, for time-bounded service using PCF
 DIFS (DCF, Distributed Coordination Function IFS)
 lowest priority, for asynchronous data service
[Timing diagram: after “medium busy”, the waits SIFS, PIFS and DIFS precede contention (in time slots) and the next frame; direct access if medium is free ≥ DIFS]
Note: IFS durations are specific to each PHY
802.11 - CSMA/CA principles
[Timing diagram: medium busy, DIFS, contention window (randomized back-off mechanism, in time slots), next frame; direct access if medium has been free for at least DIFS]
 station ready to send starts sensing the medium (Carrier Sense based on
CCA, Clear Channel Assessment)
 if the medium is free for the duration of an Inter-Frame Space (IFS), the
station can start sending (IFS depends on service type)
 if the medium is busy, the station has to wait for a free IFS, then the station
must additionally wait a random back-off time (collision avoidance,
multiple of slot-time)
 if another station occupies the medium during the back-off time of the
station, the back-off timer stops (to increase fairness)
IEEE 802.11b: Media Access Control (MAC)
[Timing diagram over time for Computer A, Computer B and the access point: DIFS, Backoff, Data, SIFS, ACK, NAV; annotations: “A freezes its counter and defers transmission”, “B defers transmission”]
 Notation:
 DIFS: Distributed Inter-Frame Spacing
 SIFS: Short Inter-Frame Spacing
 Backoff: a random number from the set {1,2,…, CW}, expressed in short time intervals (time slots)
 CW: maximum Backoff duration
 NAV: Network Allocation Vector
802.11 – CSMA/CA broadcast
[Timing diagram: station1 to station5 contending after DIFS. Legend: busy = medium not idle (frame, ack etc.); boe = elapsed backoff time; bor = residual backoff time; a marker shows packet arrival at MAC. Here St4 and St5 happen to have the same back-off time (detection by upper layer)]
The size of the contention window can be adapted
(if more collisions, then increase the size)
Note: broadcast is not acknowledged
802.11 - CSMA/CA unicast
 Sending unicast packets
 station has to wait for DIFS before sending data
 receiver acknowledges at once (after waiting for SIFS) if the packet was
received correctly (CRC)
 automatic retransmission of data packets in case of transmission errors
[Timing diagram: sender waits DIFS and sends data; receiver waits SIFS and sends ACK; other stations wait (waiting time), then DIFS and the contention window before the next data]
The ACK is sent right at the end of SIFS (no contention)
Hidden terminal problem
 A is hidden from C
[Figure: stations A, B, C, D]
Receiver informs interferers before
transmission – MACA protocol
 Sender B asks receiver C whether C is able to receive a transmission: Request to Send (RTS)
 Receiver C agrees, sends out a Clear to Send (CTS)
 Potential interferers overhear either RTS or CTS and know about impending transmission and for how long it will last
 Store this information in a Network Allocation Vector
 B sends, C acks
MACA protocol is in IEEE 802.11!
[Figure: stations A, B, C, D with the messages RTS, CTS, Data and Ack; NAV indicates busy medium at the overhearing stations]
802.11 – DCF with RTS/CTS
 Sending unicast packets
 station can send RTS with reservation parameter after waiting for DIFS (reservation
determines amount of time the data packet needs the medium)
 acknowledgement via CTS after SIFS by receiver (if ready to receive)
 sender can now send data at once, acknowledgement via ACK
 other stations store medium reservations distributed via RTS and CTS
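[Timing diagram: sender waits DIFS and sends RTS; receiver answers with CTS after SIFS; sender sends data after SIFS; receiver sends ACK after SIFS; other stations defer access for NAV (RTS) and NAV (CTS), then DIFS and the contention window before the next data]
NAV: Network Allocation Vector
RTS/CTS can be present for some packets and not for others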
802.11 – Point Coordination Function
(1/2)
[Timing diagram (t0, t1): medium busy, PIFS, then within the SuperFrame the point coordinator sends D1 and D2 and the wireless stations answer with U1 and U2, separated by SIFS; the stations' NAV spans the contention free period]
• Purpose: provide a time-bounded service
• Not usable for ad hoc networks
• Di represents the polling of station i
• Ui represents transmission of data from station i
802.11 – Point Coordination Function
(2/2)
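[Timing diagram, continued (t2, t3, t4): the point coordinator sends D3, then after PIFS D4; the wireless station answers D4 with U4 after SIFS; CFend closes the contention free period covered by the stations' NAV, and the contention period follows]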
In this example, station 3 has no data to send
Security problems at the MAC layer: ‘virtual’ carrier sense attack
[Timing diagram over time for Computer A, Computer B and the access point: DIFS, Backoff, Data, SIFS, ACK, NAV; annotation, shown twice: “B defers transmission”]
 Notation:
 DIFS: Distributed Inter-Frame Spacing
 SIFS: Short Inter-Frame Spacing
 Backoff: a random number from the set {1,2,…, CW}
 CW: maximum Backoff duration
 NAV: Network Allocation Vector
Security problems at the MAC layer: ‘real’ carrier sense attack
 Exploits the need of a wireless station to receive the “clear channel assessment (CCA)” before accessing the channel
 affects IEEE 802.11b/g networks only
 CCA – how to sense a channel clear
 energy level is above a threshold
 can detect a 802.11 signal/symbol
 use both
 if signal present/energy above the predefined threshold detect
channel busy and wait
Security problems at the MAC layer: backoff manipulation
[Timing diagram over time for Computer A, Computer B and the access point: DIFS, Backoff, Data, SIFS, ACK, NAV; annotation, shown twice: “B freezes its counter and defers transmission”]
 Notation:
 DIFS: Distributed Inter-Frame Spacing
 SIFS: Short Inter-Frame Spacing
 Backoff: a random number from the set {1,2,…, CW}
 CW: maximum Backoff duration
 NAV: Network Allocation Vector
Security problems at the MAC layer
 Example: manipulation of Backoff values
 Simple to implement (one line of code on wireless adapters that use Atheros radio chips, e.g. Proxim Orinoco)
 IEEE 802.11e with QoS (Quality of Service) support allows manipulation of Backoff, DIFS and SIFS!
[Figure: Computer A, Computer B and the AP with UDP traffic; plot of the communication speed [Mbps] of Computer A and Computer B against the CW (Backoff) of Computer A]
Security problems at the MAC layer: summary
 By manipulating the parameters of the channel access protocol (CSMA/CA) it is possible, in a simple way, to completely “occupy” the radio channel
 A malicious attacker can easily carry out a DoS attack
 Selfish users can obtain a larger share of the available capacity
 IEEE 802.11 provides no protection against such manipulation
 There are solutions that can detect some categories of manipulation, but…
 An open question remains: what should be done once such manipulation has been detected?
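A small slotted simulation of the back-off manipulation summarized above, together with a monitor-side check on the mean observed back-off. It is an added example, not part of the lecture and not the DOMINO algorithm; the model (saturated stations, fixed CW, no CW doubling), all names and the 0.5 threshold are assumptions.

```python
import random

def simulate(cw, rounds=20000, seed=1):
    """Saturated stations contend with DCF-style back-off.
    cw maps station -> contention window. Each station draws its back-off
    uniformly from {1..CW}; the smallest counter transmits, the others keep
    (freeze) their residual counter. Equal counters collide and redraw.
    Returns (wins, drawn): successful frames and the back-off values drawn."""
    rng = random.Random(seed)
    counter = {s: rng.randint(1, w) for s, w in cw.items()}
    drawn = {s: [counter[s]] for s in cw}
    wins = {s: 0 for s in cw}
    for _ in range(rounds):
        low = min(counter.values())
        ready = [s for s in cw if counter[s] == low]
        for s in cw:
            counter[s] -= low              # idle slots elapse for everyone
        if len(ready) == 1:
            wins[ready[0]] += 1            # exactly one sender: success
        for s in ready:                    # sender(s) draw a fresh back-off
            counter[s] = rng.randint(1, cw[s])
            drawn[s].append(counter[s])
    return wins, drawn

def shares(wins):
    """Fraction of successful transmissions obtained by each station."""
    total = sum(wins.values())
    return {s: w / total for s, w in wins.items()}

def flag_short_backoff(drawn, nominal_cw, ratio=0.5):
    """Flag stations whose mean back-off is below ratio * the nominal mean
    (nominal_cw + 1) / 2. The threshold is an assumption of this example."""
    expected = (nominal_cw + 1) / 2
    return sorted(s for s, d in drawn.items()
                  if sum(d) / len(d) < ratio * expected)

if __name__ == "__main__":
    wins, drawn = simulate({"A": 2, "B": 32})   # A shrinks its CW, B is compliant
    print(shares(wins), flag_short_backoff(drawn, nominal_cw=32))
```

The check only identifies the station; it does not answer the open question of what to do after detection.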
Selfish behavior in hotspots
 DOMINO
 http://lcawww.epfl.ch/Domino/Edomino.htm
Performance Anomaly of 802.11b
WiFi Access and Confidentiality
Introduction to WiFi
[Figure: the STA scans on each channel and the AP sends beacons; association request (STA to AP) and association response (AP to STA) follow, after which the STA is “connected”]
beacon
- MAC header
- timestamp (for synchronization)
- beacon interval
- capability info
- SSID (network name)
- supported data rates
- radio parameters
- power save flags
Access mechanisms
Open network (no protection)
• assumption: there are no unauthorized users in the range of the network
• problems: range is hard to determine (unpredictable propagation of the
signals, directional antennas, ...)
Closed network
• using SSIDs for authentication (Service Set Identifier)
• MAC filtering
• shared keys
• authentication servers
MAC filtering
• MAC address filtering
– only devices with certain MAC addresses are allowed
to associate
– needs pre-registration of all devices at the AP
• MAC can be sniffed and forged
– sent in clear text in each packet (can be sniffed)
– can be forged
Overcoming MAC filtering in 3 steps
1. Put your card in promiscuous mode (accepts all packets).
2. Sniff the traffic and find out which MAC addresses are accepted by the AP (Ethereal).
3. Change your MAC address (need a card that can do that).
SSID-based access control
• SSID = Service Set IDentifier (network name)
• a 32-character unique identifier
• found in the header of packets
• acts as a password when a mobile device tries to connect
to the WLAN
• SSID differentiates one WLAN from another
• all devices attempting to connect to a specific WLAN must
use the same SSID
SSID-based access control
• SSIDs can be sniffed (e.g. using Wireshark)
– advertised by the APs
– contained in SSID response frames
• Overcoming SSID-based access control
– Sniff SSID (either sent by the clients or advertised by
the AP)
– Set your SSID to the same value ...
• MAC/SSID access control: not a bad protection from
unskilled neighbors (much better than no
authentication/protection)
Disassociation Attacks
State 1: Unauthenticated, Unassociated
State 2: Authenticated, Unassociated
State 3: Authenticated, Associated
Transitions: State 1 → State 2 on authentication OK; State 2 → State 3 on association or reassociation OK; State 3 → State 2 on disassociation; State 2 or State 3 → State 1 on deauthentication
 Generate fake disassociation frames with the victim’s MAC address as the
destination and the real AP MAC as the source
 Send this repeatedly
 aircrack-ng
 Works even with the latest IEEE 802.11i standard! Why?
IEEE 802.11b: security goals
 In addition to the functions of the physical and MAC layers, the IEEE 802.11 standard defines and implements a set of security mechanisms with the goal of
 Ensuring data privacy (equivalent to wired networks)
 Simulating physical access control against unauthorized computers
[Figure: attacker]
● (Initial, IEEE 802.11b) security mechanisms
– Data protection algorithm: Wired Equivalent Privacy (WEP)
– User authentication protocol: Shared Key Authentication
● Unfortunately, a catastrophic design!!!
– Solution in IEEE 802.11i
Wired Equivalent Privacy (WEP)
 The WEP algorithm: a stream cipher based on the RC4 encryption algorithm (Ron Rivest, RSA)
 Data confidentiality, data integrity, access control
[Figure: WEP frame processing with initialization vector v and secret key k.
Sender: 802.11 hdr | Data → add CRC = CRC32(Data) → (Data | CRC) ⊕ RC4(k,v) → 802.11 hdr | v | encrypted (Data | CRC).
Receiver: encrypted (Data | CRC) ⊕ RC4(k,v) → Data | CRC → check CRC = CRC32(Data) → 802.11 hdr | Data.]
CRC: Cyclic Redundancy Check
Stream Cipher RC4 Operation
 RC4 is a stream cipher
 given a short input key, it produces a pseudorandom sequence (key stream)
 the key stream is always the same for the same key
 The output of the key stream is XORed with the plaintext to obtain a
ciphertext
[Figure: v and key → RC4 → key stream; key stream ⊕ plaintext = ciphertext]
WEP does not ensure data confidentiality
C1 = P1 ⊕ RC4(k,v)
C2 = P2 ⊕ RC4(k,v)
C1 ⊕ C2 = (P1 ⊕ RC4(k,v)) ⊕ (P2 ⊕ RC4(k,v)) = P1 ⊕ P2
 The initialization vector (v) changes for every transmitted packet
 But v is only 24 bits “long” (IEEE 802.11 standard)
 If v is generated at random, two packets will have the same value after only 5000 packets (“birthday paradox”)
 If v is simply incremented starting from 0, two computers that transmit constantly will generate packets with the same value of v
 The attacker stores 2^24 pairs (vi, RC4(k,vi)), roughly 24 GB
 When the attacker “sees” an encrypted packet Ci, it looks in memory (the value vi is not encrypted) and finds the matching pair (vi, RC4(k,vi))
 Pi = Ci ⊕ RC4(k,vi)
 RC4 “weak” keys (the Airsnort program finds the key in a couple of hours)
WEP does not ensure data integrity
 To verify the integrity and authenticity of a message, WEP uses an encrypted CRC (checksum), or Integrity Check Value (ICV)
[Frame: 802.11 hdr | v | Data | CRC]
 CRC is a linear function: CRC(P1 ⊕ P2) = CRC(P1) ⊕ CRC(P2)
 The attacker:
 Holds C = RC4(k,v) ⊕ P, CRC(P) (knows neither P nor k)
 Wants to generate a message P’ = P  , which the AP will accept as authentic
 Generates:
C’ = C  , CRC()
= RC4(k,v)  P, CRC(P)  , CRC()
= RC4(k,v)  P  , CRC(P)  CRC()
= RC4(k,v)  P’, CRC(P  )
= RC4(k,v)  P’, CRC(P’)
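WEP does not ensure access control
[Figure: shared-key authentication between two parties that each hold the secret key k, and an attacker who does not know the key]
Observed legitimate exchange:
 Request
 Challenge RN
 RC4(k,v) ⊕ RN, CRC(RN)
 Success
From it the attacker computes RC4(k,v) = (RC4(k,v) ⊕ RN, CRC(RN)) ⊕ RN, CRC(RN)
Attacker's exchange:
 Request
 Challenge RN’
 RC4(k,v) ⊕ RN’, CRC(RN’)
 Success
RN: Random Number
 A catastrophic design!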
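The three WEP failures from the last three slides (key stream reuse, the malleable encrypted CRC, and the shared-key authentication bypass) in one runnable sketch. This is an added example, not code from the lecture; the function names and the constructed key, IV and payloads are assumptions, and `delta` is this example's name for the change applied to the plaintext.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 key stream for `key`."""
    s, j, out = list(range(256)), 0, bytearray()
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for _ in range(n):                            # key stream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(k: bytes, v: bytes, data: bytes) -> bytes:
    body = data + crc(data)                       # Data, CRC(Data)
    return xor(body, rc4(v + k, len(body)))       # WEP keys RC4 with v || k

def wep_decrypt(k: bytes, v: bytes, ct: bytes):
    body = xor(ct, rc4(v + k, len(ct)))
    data, tag = body[:-4], body[-4:]
    return data if crc(data) == tag else None     # None: CRC check failed

def reused_keystream_leak(c1: bytes, c2: bytes) -> bytes:
    """Two packets under the same (k, v): C1 xor C2 = P1 xor P2."""
    return xor(c1, c2)

def flip_bits(ct: bytes, delta: bytes) -> bytes:
    """Turn an encryption of P into one of P xor delta without knowing k.
    CRC-32 as implemented is affine (initial/final inversion), so the patch
    for the encrypted CRC is CRC(delta) xor CRC(00..0), not CRC(delta) alone."""
    patch = xor(crc(delta), crc(bytes(len(delta))))
    return xor(ct, delta + patch)

def forge_response(rn: bytes, seen_response: bytes, rn_new: bytes) -> bytes:
    """Recover RC4(k,v) from one overheard challenge/response pair and use
    it to answer a fresh challenge RN'."""
    keystream = xor(seen_response, rn + crc(rn))
    return xor(rn_new + crc(rn_new), keystream)

if __name__ == "__main__":
    k, v = b"\x01\x02\x03\x04\x05", b"\xaa\xbb\xcc"   # constructed key and IV
    ct = wep_encrypt(k, v, b"PAY 0010 TO BOB")        # constructed payload
    delta = xor(b"PAY 0010 TO BOB", b"PAY 9999 TO BOB")
    print(wep_decrypt(k, v, flip_bits(ct, delta)))       # passes the CRC check
    print(wep_decrypt(k, v, xor(ct, delta + bytes(4))))  # unpatched CRC fails
```

None of the three functions after `wep_decrypt` takes k as input, which is why a keyed MIC/MAC and per-packet keys were introduced in WPA and IEEE 802.11i.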
A new security architecture is needed
 WPA (WiFi Protected Access)
 Transitional solution, compatible with existing hardware
 IEEE 802.11i standard (or WPA2)
 Long-term solution, but requires a hardware change

                                    IEEE 802.11b (WEP)          WPA                                  IEEE 802.11i (WPA2)
Data confidentiality (encryption)   WEP (RC4)                   TKIP (RC4)                           AES (option: TKIP)
Data integrity                      WEP (RC4) + CRC             TKIP-MIC                             AES-MAC (option: TKIP-MIC)
Authentication and access control   Shared Key Authentication   IEEE 802.1X/EAP (+ EAP-TLS, LEAP…)   IEEE 802.1X/EAP (+ EAP-TLS, LEAP…)

TKIP: Temporal Key Integrity Protocol
AES: Advanced Encryption Standard
MIC: Message Integrity Code
MAC: Message Authentication Code
EAP: Extensible Authentication Protocol
TLS: Transport Layer Security
LEAP: Light EAP (Cisco)