Transcript 6990sl3
Wireless Security
(Based on slides by Dr. Frank
Adelstein of ATC-NY/Odyssey
Research Associates)
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
1
Protect what?
• Integrity
– System: performs its intended function in an unimpaired manner, free
from deliberate or inadvertent unauthorized manipulation of the system.
– Data: Should be possible for receiver to verify that data has not been
modified; intruder should not be able to substitute fake data
• Confidentiality
– Only intended recipient(s) should be able to read data
• Non-repudiation
– Sender should not be able to falsely deny sending data.
• Availability (Denial of Service, Distributed DoS)
– A third party with no access should not be able to block legitimate parties
from using a resource.
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
2
Security: Before/During/After
•Prevention (before)
– Authentication, authorization, accounting
•Detection (during)
– Intrusion Detection
• Host/network
• Signature/behavior
•Reaction (after)
– Digital Forensics
• Evidence preservation
• Who? What? When? From where?
• Sources (files, logs, timestamp info, ISP records, …)
– Attack Assessment, Damage Assessment, Data Recovery
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
3
Before
• Prevention
– Authentication: “Are they who they claim to be?”
“The act of verifying a claimed identity, in the form of a pre-existing label from a
mutually known name space, as the originator of a message (message
authentication) or as the end-point of a channel (entity authentication).”
– Authorization: “Do they have permission to do it?”
“The act of determining if a particular right, such as access to some resource, can
be granted to the presenter of a particular credential.”
– Accounting: a log or history of what happened
“The collection of resource consumption data for the purposes of capacity and
trend analysis, cost allocation, auditing, and billing. Accounting management
requires that resource consumption be measured, rated, assigned, and
communicated between appropriate parties.”
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
4
Security Tradeoffs
Security vs.:
• Convenience
– long vs. short passwords
– Multi-factor authentication
– callback, smart cards, etc.
• Availability
–
–
–
–
locked out after 3 bad passwords
ATM eats bank card
Don’t allow remote access?
what happens when log files fill up?
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
5
Wireless Risks
• Wireless – all of the above concerns plus an
increased risk of eavesdropping (and transmitting).
– No need to tap or plug into the network. Only need to
be “nearby.”
– Depending on the wireless technology, nearby can be
line-of-sight, same room, outside a building, within a
few miles (e.g., Bluetooth sniper rifle)
• Greatly increases threats to: confidentiality,
integrity, non-repudiation
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
6
Risks (2)
These risks can allow adversaries to:
• Perform data snooping
– Medical data becoming more available
• Hijack sessions
• Commit Fraud and identity theft
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
7
Risks: Resource Depletion
• Hardware limitations, such as low network
bandwidth and limited battery power, also
increases denial-of-service risk:
– Resource depletion/exhaustion attacks
“want a business card?”
“want a business card?”
“want
“wanta abusiness
businesscard?”
card?”
“want
a
business
card?”
“want
a
business
card?”
“want
a
business
card?”
Original slides ©2003 Odyssey Research Associates, “want a business card?”
updated 2004 by Golden G. Richard III, Ph.D.
8
Protections
• Make it harder to intercept transmissions at
the intruder’s physical layer
– Use low power, limit reception/interception
range.
– Use a technique like frequency hopping
• But, generally want anyone to be able to join in and
use the network.
• Actually used to increase number of users, not for
protection.
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
9
Protections
• Encryption: “they” can’t decode data, so
they can’t use what they do steal
• Digital signatures: prevent forging or
modifying data
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
10
Encryption
P
C
ABC
DEF
GHI
encryption
function
key
• Symmetric key:
C = Ek(P),
P = Dk (C)
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
?T#
!@=
~cx
• Public key:
C = Epub(P),
P = Dpriv(C), also
C’ = Epriv (P),
P = Dpub(C’)
11
Block vs. Stream Cipher
key
E(block)
block
block
Plain text
cipher text
stream
key
generator
Pseudo-random
stream
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
12
Block vs. Stream Cipher
• Block: accumulates a group of plaintext and
then operates on it at once (e.g., 64 bits at a
time) and produce an encrypted block of
equal size. e.g., DES, AES, RSA
• Stream: operate on plaintext a single
bit/byte at a time. e.g., RC4, used in WEP
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
13
Simple examples
– XOR:
Text
Key*
Result
• 1111 0000 XOR 1010 1010 = 0101 1010
• 0101 1010 XOR 1010 1010 = 1111 0000
(* Note that this is really a single sample from a key-stream.)
– Rotation (trivial cipher):
• ROT1: “HAL” “IBM”
• Caesar cipher (+3)
• USENIX ROT13: tr ‘[a-zA-z]’ ‘[n-za-m][N-ZA-M]’
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
14
Message Digests and Hashes
P
H(P)
ABC
DEF
GHI
One-way
hash
MD
3C 00 3C FF 01
FE CB E6 A4 22
19 5D 8B EE …
• Cryptographically secure one-way function,
produces a short sequence of bytes (e.g., 128 or
160 bits) based on the input.
• e.g., MD4, MD5, SHA
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
15
Hash Space
...
1,000,201,548,007 1,000,201,548,008 1,000,201,548,009
ABC
DEF
GHI
We the
people
…
...
A Long Time ago
in a galaxy
far, far,
away
• Single bit change in source changes ~½ the bits in the hash.
• Small changes in the hash come from very different sources.
• Computationally unfeasible to find matching source from hash.
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
16
Message Authentication Code
key
(MAC)
P
ABC
DEF
GHI
H(P, key)
MAC
P + MAC
ABC
DEF
GHI
P! X. #/ [n +p
1c <M ex xq ^P
Rk os qp …
•H(P || key)
or
• Encrypted H(P)
• For authenticity without secrecy; attached to message
• MAC is a one-way hash function plus a secret key
– Encrypt the hash of the message with the key, or
– Hash the concatenation of the message and key
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
17
Costs of Protections
• Encryption overhead! (more tradeoffs)
–
–
–
–
–
Poor performance
CPU load
Power consumption
Reduced battery life
Increased data size increased transmission
time
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
18
Cost of Protections
• Public Key Infrastructure (PKI)
– Key management
• Key setup
• Key exchange
–
–
–
–
–
Certificates
Trusted 3rd party
Shared secrets (and risks) vs. public key
Individual vs. group keys (overhead)
Certificate revocation or expiration
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
19
IP Security (IPsec)
• IETF IPsec Working Group
– Provide authentication.
• Authentication Header (AH): RFC2402
– Protect the data payload
• Encapsulating Security Payload (ESP): RFC2406
– Key management
• Internet Security Association and Key Management
Protocol (ISAKMP): RFC2408
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
20
Misc. Attacks
Additional attack methods:
• Man-in-the-middle attacks (e.g., ARP cache
poisoning, bogus services)
–Use good authentication
• Replay attacks
– Use sequence numbers + one time data
• Traffic analysis
–Use encrypted communication
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
21
Misc. Security
Physical security
• “Stolen laptop” scenario
• Defenses:
–
–
–
–
CMOS password w/ hardware tamper protection
Password protected accounts on computer
Encrypted data
Biometrics for authentication
• None of these defenses result in return of the
laptop, unfortunately
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
22
Misc. Non-Technical Attacks
• “Social engineering” plus $$$ tend to be very
effective
– Look for resumes on the web, buy a drink, etc.
– See Kevin Mitnick’s book for lots more
• “Rubber-hose” cryptanalysis
"Believe me, Baldric, an eternity in the company of
Beelzebub and all his hellish minions will be as nothing
compared to five minutes alone with me...and this pencil.”
– Blackadder.
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
23
IEEE 802 Standards
• 802.11 – IEEE Standard, 1997.
• 802 LAN/MAN Standard
Committee
– 802.1d – MAC bridging
standard
– 802.1x – Port-based Network
Access Control
– 802.2 – Logical Link Control
– 802.3 – Ethernet
• 802.3z – 100BaseT Fast
Ethernet
– 802.5 – Token Ring
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
– 802.11 – Wireless LAN
•
•
•
•
•
•
•
•
•
•
•
802.11 – “basic” wireless
802.11a - 5GHz, 54Mb
802.11b – 2.4GHz, 11Mb
802.11e – QoS
802.11f – AP interop
802.11g – faster 802.11b,
starting at 20Mbps
802.11h – transmit power
control for 802.11a (Europe)
802.11i – better security
802.11j – Japanese 802.11
802.11n – 100+Mb
802.11p – automotive apps
– 802.15.1 Bluetooth
– 802.15.4 Low-rate (low power)
– 802.16 Wireless Metropolitan24
Area Network (WMAN)
WEP – Protection for 802.11b
• Wired Equivalent Privacy
– “No worse than what you get with wire-based systems”
• Criteria:
– “Reasonably strong”
– Self-synchronizing – stations often go in and out of
coverage
– Computationally efficient – in HW or SW since low
MIPS CPUs might be used
– Exportable –
– Optional – not required to used it
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
25
WEP – How It Works
• Secret key (40 bits or 104 bits)
• Initialization vector (24 bits, by IEEE std.)
– Total of 64 or 128 bits “of protection.”
• RC4-based pseudo random number
generator (PRNG)
• Integrity Check Value (ICV): CRC 32
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
26
WEP Data Frame
IV
(4 bytes)
Data (PDU)
( 1 byte)
ICV
(4 bytes)
1 byte
Init Vector
(3 bytes)
Pad
6 bits
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
Key ID
2 bits
Note: can use up to
4 different keys.
27
WEP Encryption
Initialization
Vector (IV)
Secret Key
Seed
Key
Sequence
WEP PRNG
IV
Ciphertext
Message
Plaintext
Integrity Algorithm
Integrity Check Value (ICV)
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
28
WEP Encryption Process
1. Compute ICV using CRC-32 over plaintext msg.
2. Concatenate ICV to plaintext message.
3. Choose random IV and concat it to secret key
and input it to RC4 to produce pseudo random
key sequence.
4. Encrypt plaintext + ICV by doing bitwise XOR
with key sequence to produce ciphertext.
5. Put IV in front of cipertext.
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
29
WEP Decryption
Secret Key
Key
Sequence
IV
Ciphertext
Plaintext
WEP PRNG
Seed
Message
Integrity Algorithm
ICV’
ICV’ - ICV
ICV
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
30
WEP Decryption Process
1. IV of message used to generate key sequence, k.
2. Ciphertext XOR k original plaintext + ICV.
3. Verify by computing integrity check on plaintext
(ICV’) and comparing to recovered ICV.
4. If ICV ICV’ then message is in error; send
error to MAC management and back to sending
station.
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
31
WEP Station Authentication
1.
2.
3.
4.
Wireless Station (WS) sends
Authentication Request to
Access Point (AP).
AP sends (random) challenge
text T.
WS sends challenge response
(encrypted T).
AP sends ACK/NACK.
WS
AP
Auth. Req.
Challenge Text
Challenge Response
Ack
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
32
WEP Weaknesses
• Forgery Attack
– Packet headers are unprotected, can fake src and dest addresses.
– AP will then decrypt data to send to other destinations.
– Can fake CRC-32 by flipping bits.
• Replay
– Can eavesdrop and record a session and play it back later.
• Collision (24 bit IV; how/when does it change?)
– Sequential: roll-over in < ½ day on a busy net
– Random: After 5000 packets, > 50% of reuse.
• Weak Key
– If ciphertext and plaintext are known, attacker can determine key.
– Certain RC4 weak keys reveal too many bits. Can then determine RC4
base key.
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
33
WEP Weakness
• Key Management
• 4 possible keys, externally populated
• 802.11 standard does not specify
distribution mechanism (backbone network)
• Can be unique key for each WS or single
key for entire network (commonly used)
• Single key increases chances of IV reuse
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
34
(Old) Recent Developments
As of August 2001:
• WEP 128 bit encryption broken in 15
minutes!
• Need to see ~6,000,000 encrypted messages
to break WEP (not a lot).
• Weakness had been known for a while, just
had not been exploited that quickly before.
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
35
Practical Results…
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
36
War Driving in New Orleans
(back in December 2001)
• Equipment
– Laptop, wireless card, software
– GPS, booster antenna (optional)
• Results
–
–
–
–
–
64 Wireless LAN’s
Only 8 had WEP Enabled (12%)
62 AP’s & 2 Peer to Peer Networks
25 Default (out of the box) Settings (39%)
29 Used The Company Name For ESSID (45%)
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
37
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
38
9 nets
XXX X
XX
X
X
5 nets
X
X
X
X X
X
X
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
X
X
X
X
X
39
X
X
X
X
XX
X
X
X
X
X
X
X
X
XX
XX
X
XX
X
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
X
X
X
40
Ways to Improve Security with WEP
• All encryption modes of operation should use (secure)
MAC, rather than CRC
• Use WEP(!)
• Put wireless network outside of firewall
• Use VPN to get inside
• Limit connections based on MAC address
– Easily defeated
• Better key management:
– Use individual keys
– Change them early and often
• Better: replace with something else
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
41
What’s next?
• WiFi Protected Access (WPA) available sooner
– Approximation of what will be in 802.11i
– Already cracked (11/2004)
• 802.11i
– Provides better security, key distribution, longer/better
initialization vectors, etc.
– Probably incompatible with most current hardware
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
42
802.11i
– Improved encryption Algorithms
• Temporal Key Integrity Protocol (TKIP) – for legacy hardware
– Generates per-packet keys
– 48 bit IV prevents replay attacks
• Counter mode CBC-MAC Protocol (CCMP) – for new
hardware
– Not for legacy hardware—insufficient CPU power to run AES
encryption
– 802.1x – port based network access control
• Authentication
• Encryption key distribution
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
43
802.1X
From
Meetinghouse
Data
Communications,
Original slides
©2003 Odyssey Research
Associates,
updated 2004 by Golden G. Richard III, Ph.D.
http://www.mtghouse.com/8021X.pdf
44
802.11i >> WEP
• Forgery
– Stronger Message Integrity Code
– Cryptographically secure hash
– Apply hash to packet payload plus src and dest addresses
• Replay
– 48 bit IV, strictly increasing sequence, cannot roll-over (must
rekey), receiver discards out-of-sequence packets
• Weak Keys of WEP
– Per-packet key computed using transmitter address, IV, base key
• Collision
– 48 bit IV, force a rekey after 215 packets
– Use 802.1X EAPOL (Extensible Authentication Protocol Over
LAN) to configure a new key for every association
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
45
802.11: DoS a Major Concern
• Denial of service attacks still a major
problem
• Physical-level DoS
• De-authentication attacks
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
46
e.g., De-authentication DoS
One possible solution for existing hardware:
Queue de-authenticate packets for a short
time (15s?). If additional data packets are
seen from the client, discard the deauthentication request.
From “12th USENIX Security Symposium USENIX
Association 15
802.11 Denial-of-Service Attacks:
RealOriginal
Vulnerabilities
and Practical
Solutions”,
&
slides ©2003
Odyssey
Research Ballardo
Associates,
th
Savage,
USENIX
Security
Symposium
(2003).
updated122004
by Golden
G. Richard
III, Ph.D.
47
Why?
• Firmware in 802.11 cards is supposed to
prevent illegal 802.11 frames from being
generated…but
From “12th USENIX Security Symposium USENIX
Association 15
802.11 Denial-of-Service Attacks:
RealOriginal
Vulnerabilities
and Practical
Solutions”,
&
slides ©2003
Odyssey
Research Ballardo
Associates,
th
Savage,
USENIX
Security
Symposium
(2003).
updated122004
by Golden
G. Richard
III, Ph.D.
48
802.11
• Jim Geier, “Spread Spectrum: Frequency Hopping vs. Direct Sequence,”
http://www.wireless-nets.com/whitepaper_spread.htm.
• 3com, “What’s New in Wireless LANs: The IEEE 802.11b Standard,”
http://www.3com.com/technology/tech_net/white_papers/503072a.html.
• Sultan Weatherspoon, “Overview of IEEE 802.11b Security,” Intel
Technology Journal, 2nd Quarter 2000,
http://developer.intel.com/technology/itj/q22000/pdf/art_5.pdf.
• Jim Lansford, Adrian Stephens, and Ron Nevo, “Wi-Fi (802.11b) and
Bluetooth: Enabling Coexistence,” IEEE Network, Sept/Oct 2001.
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
49
WEP
•
•
•
•
•
R.L. Rivest, “The RC4 Encryption Algorithm,” RSA Data Security, Inc. March
12, 1992 (proprietary).
RFC2401, Stephen Kent and Randall Atkinson, “Security Architecture for the
Internet Protocol,” Internet Engineering Task Force, Nov. 1998,
http://www.ietf.org/rfc/rfc2401.txt.
Nikita Borisov, Ian Goldberg, and David Wagner, “Intercepting Mobile
Communications: The Insecurity of 802.11 (-Draft-),” Mac Crypto Workshop,
Jan. 2001, http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf.
Scott Fluhrer, Itsik Mantin, and Adi Shamir, “Weaknesses in the Key
Scheduling Algorithm of RC4,” Proceedings of Selected Areas in
Cryptography (SAC), Toronto, August 2001,
http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps.
Adam Stubblefield, John Ioannidis, and Aviel D. Rubin, “Using the Fluhrer,
Mantin, and Shamir Attack to Break WEP,” AT&T Labs Technical Report TD4ZCPZZ, August 2001, http://www.cs.rice.edu/~astubble/wep/.
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
50
WEP
• Nicki Hayes, “Wired Equivalent Privacy (WEP) – Gone in 15
Minutes!”
http://www.wirelessdevnet.com/channels/wireless/features/newsbyte31
.html.
• “WEP Security Goes ‘Poof’,” Information Security, 4(9), September
2001, p 30.
• Craig Ellison, “Wireless LANs at Risk”, PC Magazine, April 9, 2002,
pp. 66 – 68.
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
51
Recent Additions
• Fun stuff: Neal Stephenson,
Cryptonomicon, Perennial, 1999.
• “Evolving to Seamless All-IP
Wireless/Mobile Networks,” Special Issue
of IEEE Communications Magazine, Dec.
2001, 39(12).
• AirSnort: http://airsnort.sorceforge.net.
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
52
802.11i and 802.1x
• Jesse Walker, “802.11 Security Considerations and
Solutions,” Intel Developer Forum, Spring 2002.
• Merwyn Andrade, “Securing the WLAN with 802.11i,” …
• Dennis Eaton, “Diving into the 802.11i Spec: A Tutorial,”
CommsDesign, Nov 22, 2002,
http://www.commsdesign.com/printableArticle?doc_id=O
EG20021126S0003
• “Wireless Netowkr Security Bulletin V.2.1,” White Paper,
Proxim Corp, CP6-0103, 2003.
• “IEEE Standard for Local and metropolitan area networks
– Port Based Network Access Control,” IEEE Std 802.1X2001.
Original slides ©2003 Odyssey Research Associates,
updated 2004 by Golden G. Richard III, Ph.D.
53