The 802.11 Protocol Stack Part of the 802.11 protocol stack.
COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic.
-
date post
19-Dec-2015 -
Category
Documents
-
view
225 -
download
1
Transcript of COMP4690, HKBU1 Security of 802.11 COMP4690: Advanced Topic.
COMP4690, HKBU 1
Security of 802.11
COMP4690: Advanced Topic
COMP4690, HKBU 2
Outline
Introduction of 802.11 Introduction of WEP Security of WEP References
COMP4690, HKBU 3
Example of Single-Cell Wireless LAN
COMP4690, HKBU 4
Example of Multi-Cell Wireless LAN
COMP4690, HKBU 5
IEEE 802.11 – infrastructure mode Smallest building block is Basic Service Set (BSS)
A number of stations executing the same MAC protocol Compete for access to same shared wireless medium
A BSS may be isolated, or may connect to a Backbone Distribution System (DS) through an Access Point (AP) AP functions as bridge
MAC protocol may be distributed or controlled by a central coordination function in AP
BSS generally corresponds to a “cell” DS can be a switch, wired network, or wireless
network
COMP4690, HKBU 6
IEEE 802.11 – infrastructure mode
BSS 1
BSS 2
Internet
hub, switchor routerAP
AP
COMP4690, HKBU 7
IEEE 802.11 Protocol Architecture
COMP4690, HKBU 8
Some history Cordless phones Analog cell phones Anybody with a scanner that operated at the right frequency
could easily listen to calls not intended for them. 802.11 tried to avoid, but the same cycle still played out… Wireless access points must announce themselves to the world:
by broadcasting 802.11 beacon frames. Wandering users with an 802.11 receiver can find out about
wireless networks in the area simply by putting up an antenna. War driving: driving around looking for access points
http://www.securityfocus.com/news/192 One quick solution: MAC-address filtering
But malicious attackers can alter addresses (with sufficient operating system privileges).
COMP4690, HKBU 9
Security of 802.11
Existing security consists of two subsystems A data encapsulation technique called Wired Equivalent Privacy (WEP)
An authentication algorithm called Shared Key Authentication
Defined in Section 8 “Authentication and privacy” in the IEEE Std 802.11 (in 1997).
COMP4690, HKBU 10
WEP Wired Equivalent Privacy
To protect authorized users of a wireless LAN from casual eavesdropping
To create the privacy achieved by a wired network (using a switch)
Because of the U.S. export regulations, WEP secret keys were limited to 40 bits. The rules were relaxed later.
WEP has been an option feature. But WEP itself was a flawed anchor point for
security. Even with “128-bit” version, WEP is still not secure!
COMP4690, HKBU 11
WEP
WEP relied on a secret key (40-bit) shared between the two peers (usually a mobile station and an access point).
Before transmission of a frame: Checksumming: compute an integrity checksum on the
message using CRC-32 algorithm, then concatenate the two into plaintext P
Encryption: encrypt the plaintext P using RC4. This requires an initialization vector (IV). IV has only 24 bits. It is inserted into the frame in plaintext (so that the peer can decrypt the ciphertext).
COMP4690, HKBU 12
WEP Encapsulation
802.11 Hdr Data
WEP Encapsulation Summary:
• Encryption Algorithm = RC4
• Per-packet encryption key = 24-bit IV concatenated to a pre-shared key
• WEP allows IV to be reused with any frame
• Data integrity provided by CRC-32 of the plaintext data (the “ICV”)
• Data and ICV are encrypted under the per-packet encryption key
802.11 Hdr DataIV ICV
Encapsulate Decapsulate
COMP4690, HKBU 13
WEP Encryption
IV: 24-bit, how often to change IV values?
Secret Key: 40-bit, be distributed by an external key management service
Seed: 64-bit
PRNG: Pseudo-Random Number Generator, using RC4 algorithm from RSA Data Security, Inc.
ICV: 32-bit, using CRC-32
COMP4690, HKBU 14
WEP Encryption
Message: M Initialization vector (IV): v Integrity checksum (ICV): c(M) After concatenation: P = M || c(M) Key sequence: RC4(v, k) Ciphertext: C = PRC4(v, k)
COMP4690, HKBU 15
WEP Decryption
COMP4690, HKBU 16
WEP Decryption
The receiver gets v from the received frame. The receiver calculates the key sequence using
RC4(v, k). The receiver decrypts the ciphertext using
P = CRC4(v, k) P is divided into two parts: M' and c' where c'
contains the last 32 bits of P. If c(M') = c', the receiver will think that M' is the message.
COMP4690, HKBU 17
Properties of Vernam Ciphers
The WEP encryption algorithm RC4 is a Vernam Cipher:
Pseudo-random number
generator
Encryption Key K
Plaintext data byte p
Random byte b
Ciphertext data byte p
Decryption works the same way: p = c b
COMP4690, HKBU 18
Properties of Vernam Ciphers
Thought experiment 1: what happens when p1 and p2 are encrypted under the same “random” byte b?
c1 = p1 b c2 = p2 b
Then:
Conclusion: it is a very bad idea to encrypt any two messages using the same key sequence.
The ciphertexts can be sniffered easily. So once p1 is know, you can know p2, and vice versa.
c1 c2 = (p1 b) (p2 b) = p1 p2
COMP4690, HKBU 19
Keystream Reuse
Keystream (or key sequence): RC(v, k) Usually k is fixed. How about v?
It’s better to have different values of v for different packets: per-packet IV.
However, “IV collision” is difficult to avoid: For some implementations, IV is reset to 0 when
initialized, and incremented by one for each packet. IV has only 24 bits, too short!!!
COMP4690, HKBU 20
How to Read WEP Encrypted Traffic (1)
•If IV is randomly chosen, by Birthday Paradox, probability Pn that two packets will share same IV after n packets is P2 = 1/224 after two frames and Pn = Pn–1 + (n–1)(1–Pn–1)/ 224 for n > 2.
• 50% chance of a collision exists already after only 4823 packets!!!
•Once two encrypted packets that use the same IV are discovered, various methods of attack can be applied to recover the plaintext. If the plaintext of one of the messages is knows, it is easy to derive the contents of the other one; and also other messages that have been encrypted using the same IV can be directly decrypted.
802.11 Hdr DataIV ICV
24 bits Encrypted under Key +IV using RC4
COMP4690, HKBU 21
How to Read WEP Encrypted Traffic (2)
Ways to accelerate the process: Send spam into the network: no pattern
recognition required! Get the victim to send e-mail to you
The AP creates the plaintext for you! Decrypt packets from one Station to another
via an Access PointIf you know the plaintext on one leg of the
journey, you can recover the key stream immediately on the other
Etc., etc., etc.
COMP4690, HKBU 22
Data Integrity
CRC checksum is insufficient to ensure data integrity. It is designed to detect random errors, not to stop
malicious attackers! It is easy for attackers to modify the message
and to inject messages without detection! Mainly because CRC is a linear function of the
message: c(xy) = c(x) c(y)
COMP4690, HKBU 23
Message Modification
Assume C is the ciphertext of message M C = RC4(v, k) (M||c(M))
For an attacker, he can easily capture C and v. But he doesn’t know k.
The main purpose of the attacker is to replay a different message C' to the receiver without being detected. In another word, the receiver will get a wrong message M'.
COMP4690, HKBU 24
Message Modification
Given any E, the attacker can calculate its checksum c(E). Then the attacker generates C' as: C' = C (E||c(E))
Once C' is received by the receiver, it will decrypt as follows:
Therefore the receiver gets a wrong message M' = ME.
4( , )
( || ( )) 4( , )
4( , ) ( || ( )) ( || ( )) 4( , )
( || ( )) ( || ( ))
( ) || ( )
|| ( )
C RC v k
C E c E RC v k
RC v k M c M E c E RC v k
M c M E c E
M E c M E
M c M
COMP4690, HKBU 25
Final answer?
WPA: Wi-Fi Protected Access Intended as an intermediate measure to take the place of WEP
while 802.11i was prepared 802.11i
Ratified in June 2004. Supported by Intel, IBM, etc. AES-CCMP (Counter-Mode/CBC-MAC Protocol) WRAP (Wireless Robust Authenticated Protocol) 802.1x
WPA2 WPA2 is the certified form of 802.11i tested by the Wi-Fi Alliance. WPA2 implements the mandatory elements of 802.11i .
COMP4690, HKBU 26
References
ISO/IEEE Std 802.11, Section 8, “MAC and PHY Specifications -- Authentication and Privacy”, 1999 Edition.
Nikita Borisov, et al, “Intercepting Mobile Communications: the Insecurity of 802.11”, 2001.
W. A. Arbaugh, et al, “Your 802.11 Wireless Network has No Clothes”, 2001.
Matthew Gast, “Wireless LAN Security: a Short History”, 2002.