CS 378 - Network Security and Privacy
Download
Report
Transcript CS 378 - Network Security and Privacy
Hacking Wireless Networks
(Part II – WEP & WPA)
SCSC 555
slide 1
802.11b Overview
Standard for wireless networks
• Approved by IEEE in 1999
Two modes: infrastructure and ad hoc
IBSS (ad hoc) mode
BSS (infrastructure) mode
slide 2
Access Point SSID
Service Set Identifier (SSID) differentiates one
access point from another
• By default, access point broadcasts its SSID in
plaintext “beacon frames” every few seconds
Default SSIDs are easily guessable
• Linksys defaults to “linksys”, Cisco to “tsunami”, etc.
• This gives away the fact that access point is active
Access point settings can be changed to prevent
it from announcing its presence in beacon frames
and from using an easily guessable SSID
• But then every user must know SSID in advance
slide 3
Wired Equivalent Privacy (WEP)
Special-purpose protocol for 802.11b
• Intended to make wireless as secure as wired network
Goals: confidentiality, integrity, authentication
Assumes that a secret key is shared between
access point and clients
Uses RC4 stream cipher seeded with 24-bit
initialization vector and 40-bit key
• Terrible design choice for wireless environment
• RC4 is used properly in SSL
slide 4
Shared-Key Authentication
Prior to communicating data, access point may require client to authenticate
Access Point
Client
beacon
probe request
unauthenticated &
unassociated
OR
authenticated &
unassociated
challenge
challengeRC4(IV,K)
association
request
association
response
authenticated &
associated
Passive eavesdropper recovers RC4(IV,K),
can respond to any challenge from then
on without knowing K
slide 5
How WEP Works
IV | shared key used as RC4 seed
• Must never be repeated (why?)
• There is no key update protocol in 802.11b,
so security relies on never repeating IV
24 bits
40 bits
IV sent in the clear
CRC-32 checksum is linear in : if attacker flips some bit
in plaintext, there is a known, plaintext-independent set of CRC
bits that, if flipped, will produce the same checksum
no integrity!
Worse: 802.11b says that changing
IV with each packet is optional!
slide 6
Why RC4 is a Bad Choice for WEP
Stream ciphers require synchronization of key
streams on both ends of connection
• This is not suitable when packet losses are common
WEP solution: a separate seed for each packet
• Can decrypt a packet even if a previous packet was lost
But number of possible seeds is not large enough!
• RC4 seed = 24-bit initialization vector + fixed key
• Assuming 1500-byte packets at 11 Mbps,
224 possible IVs will be exhausted in about 5 hours
Seed reuse is deadly for stream ciphers
slide 7
Recovering Keystream
Get access point to encrypt a known plaintext
• Send spam, access point will encrypt and forward it
• Get victim to send an email with known content
If attacker knows plaintext, it is easy to recover
keystream from ciphertext
• C M = (MRC4(IV,key)) M = RC4(IV,key)
• Not a problem if this keystream is not re-used
Even if attacker doesn’t know plaintext, he can
exploit regularities (plaintexts are not random)
• For example, IP packet structure is very regular
slide 8
Keystream Will Be Re-Used
In WEP, repeated IV means repeated keystream
Busy network will repeat IVs often
• Many cards reset IV to 0 when re-booted, then
increment by 1 expect re-use of low-value IVs
• If IVs are chosen randomly, expect repetition in O(212)
due to birthday paradox (similar to hash collisions)
Recover keystream for each IV, store in a table
• (KnownM RC4(IV,key)) KnownM = RC4(IV,key)
• Even if don’t know M, can exploit regularities
Wait for IV to repeat, decrypt and enjoy plaintext
• (M’ RC4(IV,key)) RC4(IV,key) = M’
slide 9
It Gets Worse
Misuse of RC4 in WEP is a design flaw with no fix
• Longer keys do not help!
– The problem is re-use of IVs, their size is fixed (24 bits)
• Attacks are passive and very difficult to detect
Perfect target for Fluhrer et al. attack on RC4
• Attack requires known IVs of a special form
• WEP sends IVs in plaintext
• Generating IVs as counters or random numbers will
produce enough “special” IVs in a matter of hours
This results in key recovery (not just keystream)
• Can decrypt even ciphertexts whose IV is unique
slide 10
Do Not Do This
[Brian Lee]
Ingredients: Laptop (with 802.11b card, GPS, Netstumbler, Airsnort,
Ethereal) and the car of your choice
Drive around, use Netstumbler to map out active wireless
networks and (using GPS) their access points
If network is encrypted, park the car, start Airsnort, leave it be
for a few hours
• Airsnort will passively listen to encrypted network traffic and, after
5-10 million packets, extract the encryption key
Once the encryption key is compromised, connect to the network
as if there is no encryption at all
Alternative: use Ethereal (or packet sniffer of your choice) to
listen to decrypted traffic and analyze
Many networks are even less secure
slide 11
Weak Countermeasures
Run VPN on top of wireless
• Treat wireless as you would an insecure wired network
• VPNs have their own security and performance issues
– Compromise of one client may compromise entire network
Hide SSID of your access point
• Still, raw packets will reveal SSID (it is not encrypted!)
Have each access point maintain a list of network
cards addresses that are allowed to connect to it
• Infeasible for large networks
• Attacker can sniff a packet from a legitimate card, then
re-code (spoof) his card to use a legitimate address
slide 12
Fixing the Problem
Extensible Authentication Protocol (EAP)
• Developers can choose their own authentication method
– Cisco EAP-LEAP (passwords), Microsoft EAP-TLS (public-key
certificates), PEAP (passwords OR certificates), etc.
802.11i standard fixes 802.11b problems
• Patch: TKIP. Still RC4, but encrypts IVs and establishes
new shared keys for every 10 KBytes transmitted
– No keystream re-use, prevents exploitation of RC4 weaknesses
– Use same network card, only upgrade firmware
• Long-term: AES in CCMP mode, 128-bit keys, 48-bit IVs
– Block cipher (in special mode) instead of stream cipher
– Requires new network card hardware
slide 13
Hacking Wireless Networks
(Part III – WPA)
slide 14
What is WPA?
WPA (Wireless Protected Access) or WEP2
■ An interim solution to replace WEP.
■ Aimed to work well with hardware designed for WEP.
■ Still use RC4 for encryption.
■ Several new elements were introduced:
- TKIP (Temporal Key Integrity Protocol).
- MIC (message integrity code) for preventing forgery.
- IV=48 bits for preventing replay attack.
- A mixing function for generating per-frame key.
slide15
15
WPA Structure
802.11 Hdr
data
TKIP
||
WEP Key
K
MIC
MIC
Function
Per-Frame Key
Mixing
Function
802.11 Hdr
K’
IV
RC4
Encryption
Data
Integrity
Key
MIC
slide16
16
WPA Structure (in details)
slide 17
WPA - Modes of Operation
Enterprise Mode:
- Requires an authentication server – RADIUS
(Remote Authentication Dial In Service) for authentication and
key distribution
- RADIUS has centralized management of user credentials
Pre-shared key (PSK) Mode:
- Does not require authentication server
- A “shared secret” is used for authentication to access point
vulnerable to dictionary attacks
slide18
18
Enterprise Mode Diagram
slide19
19
PSK Mode Diagram
slide20
20
Issues of PSK Mode
Needed if no authentication server is in use
“shared secret” – revealed, network security is compromised
No standardized way of changing shared secret
It increases the attacker’s effort to do decryption of messages
The more complex the shared secret is, the better it is
as there are less chances of dictionary attacks
slide21
21
Summary: Security Mechanisms in WPA
slide22
22
802.1X Authentication prevents end users from
accessing Enterprise networks
slide23
23
TKIP – Temporal Key Integrity Protocol
TKIP is responsible for generating the encryption key, encrypting the
message and verifying its integrity
TKIP ensures:
- Encryption key changes with every packet
- Encryption key is unique for every client
- TKIP encryptions keys are 256 bit long
WEP Encryption key = shared secret + IV
TKIP packet comprises of:
- 128 bit temporal key (shared by both clients and AP)
- Client Device MAC address
- 48 bit IV (Packet sequence number) to prevent known plain text
attacks (WEP = 24 bit IV)
slide24
24
TKIP for Data Privacy
TKIP key mixing function + temporal key = per packet key
Temporal keys - 128 bit, change frequently, definite life
MAC Address + Temporal key + four most significant octets of the
packet sequence number are fed into the S-Box to generate
intermediate key
Results in a unique encryption key
Then, mix the intermediate key with two least significant octets of
packet sequence number = 128 bit per packet key
Each key encrypts only one packet of data and prevents weak key
attacks
slide25
25
Message Integrity Check (MIC)
Used to enforce data integrity
“Message Integrity Code” (MIC) = 64 bit message calc.
using Michael’s algorithm
MIC is inserted in the TKIP packet
The sender and the receiver each compute MIC and then
compare. MIC does not match = data is manipulated
Detects potential packet content altercation due to
transmission error or purposeful manipulation
Uses 64 bit key and partitions the data into 32 bit blocks
Various operations: shifts, XOR’s, additions
slide26
26
WPA2
A long term solution specified by IEEE 802.11i
Use AES (in a new mode called CCM) for encryption.
Counter Mode with CBC-MAC Protocol (CCMP)
encryption
CCMP = CTR + CBC + MAC
■ Several new elements were introduced:
- The base key K=128 bits.
- MIC is 64 bits for preventing forgery.
- IV=48 bits for preventing replay attack.
- Packet sequence number is used to generate IV.
Will require or replacement hardware (AP’s and NIC’s)
slide27
27
WPA2
IV
Key ID
Encrypted by AES
802.11 Hdr 802.11i Hdr
Data
MIC
FCS
Authenticated by MIC
slide28
28
Encryption Method Comparison Table
WEP
WPA
WPA2
Cipher
RC4
RC4
AES
Key Size
40 bits
128 bits encryption 64
bits authentication
128 bits
Key Life
24 bit IV
48 bit IV
48 bit IV
Packet Key
Concatenated
Mixing Function
Not needed
Data Integrity
CRC-32
Michael Algorithm
CCM
Header Integrity
None
Michael Algorithm
CCM
Replay Attack
None
IV Sequence
IV Sequence
Key Management
None
EAP Based
EAP Based
slide29
29
Conclusions
WEP is not secure anymore !
WPA solves almost all WEP weaknesses
WPA still considered secure and provides secure
authentication, encryption and access control
WPA is not yet broken…!
WPA2 is a stronger cipher than WPA and will provide robust
security for WLANs
slide30
30