Wireless Security
description
Transcript of Wireless Security
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 1
Wireless Security
(Based on slides by Dr. Frank Adelstein of ATC-NY/Odyssey
Research Associates)
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 2
Protect what?
• Integrity– System: performs its intended function in an unimpaired manner, free
from deliberate or inadvertent unauthorized manipulation of the system.
– Data: Should be possible for receiver to verify that data has not been modified; intruder should not be able to substitute fake data
• Confidentiality– Only intended recipient(s) should be able to read data
• Non-repudiation– Sender should not be able to falsely deny sending data.
• Availability (Denial of Service, Distributed DoS)– A third party with no access should not be able to block legitimate parties
from using a resource.
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 3
Security: Before/During/After
•Prevention (before)– Authentication, authorization, accounting
•Detection (during)– Intrusion Detection
• Host/network• Signature/behavior
•Reaction (after)– Digital Forensics
• Evidence preservation• Who? What? When? From where?• Sources (files, logs, timestamp info, ISP records, …)
– Attack Assessment, Damage Assessment, Data Recovery
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 4
Before
• Prevention– Authentication: “Are they who they claim to be?”
“The act of verifying a claimed identity, in the form of a pre-existing label from a mutually known name space, as the originator of a message (message authentication) or as the end-point of a channel (entity authentication).”
– Authorization: “Do they have permission to do it?”“The act of determining if a particular right, such as access to some resource, can be granted to the presenter of a particular credential.”
– Accounting: a log or history of what happened“The collection of resource consumption data for the purposes of capacity and trend analysis, cost allocation, auditing, and billing. Accounting management requires that resource consumption be measured, rated, assigned, and communicated between appropriate parties.”
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 5
Security Tradeoffs
Security vs.: • Convenience
– long vs. short passwords– Multi-factor authentication– callback, smart cards, etc.
• Availability – locked out after 3 bad passwords– ATM eats bank card – Don’t allow remote access?– what happens when log files fill up?
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 6
Wireless Risks
• Wireless – all of the above concerns plus an increased risk of eavesdropping (and transmitting). – No need to tap or plug into the network. Only need to be
“nearby.” – Depending on the wireless technology, nearby can be
line-of-sight, same room, outside a building, within a few miles (e.g., Bluetooth sniper rifle)
• Greatly increases threats to: confidentiality, integrity, non-repudiation
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 7
Risks (2)
These risks can allow adversaries to:
• Perform data snooping– Medical data becoming more available
• Hijack sessions
• Commit Fraud and identity theft
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 8
Risks: Resource Depletion
• Hardware limitations, such as low network bandwidth and limited battery power, also increases denial-of-service risk:– Resource depletion/exhaustion attacks
“want a business card?”
“want a business card?”“want a business card?”“want a business card?”“want a business card?”“want a business card?”“want a business card?”“want a business card?”
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 9
Protections
• Make it harder to intercept transmissions at the intruder’s physical layer– Use low power, limit reception/interception
range.– Use a technique like frequency hopping
• But, generally want anyone to be able to join in and use the network.
• Actually used to increase number of users, not for protection.
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 10
Protections
• Encryption: “they” can’t decode data, so they can’t use what they do steal
• Digital signatures: prevent forging or modifying data
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 11
Encryption
• Symmetric key: C = Ek(P),
P = Dk (C)
ABCDEFGHI
?T#!@=~cx
P
C
encryptionfunction
key
• Public key: C = Epub(P),
P = Dpriv(C), also
C’ = Epriv (P),
P = Dpub(C’)
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 12
Block vs. Stream Cipher
Plain text
streamkey
generator
cipher text
Pseudo-random stream
blockE(block)
key
block
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 13
Block vs. Stream Cipher
• Block: accumulates a group of plaintext and then operates on it at once (e.g., 64 bits at a time) and produce an encrypted block of equal size. e.g., DES, AES, RSA
• Stream: operate on plaintext a single bit/byte at a time. e.g., RC4, used in WEP
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 14
Simple examples
– XOR: Text Key* Result
• 1111 0000 XOR 1010 1010 = 0101 1010
• 0101 1010 XOR 1010 1010 = 1111 0000(* Note that this is really a single sample from a key-stream.)
– Rotation (trivial cipher):• ROT1: “HAL” “IBM”
• Caesar cipher (+3)
• USENIX ROT13: tr ‘[a-zA-z]’ ‘[n-za-m][N-ZA-M]’
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 15
Message Digests and Hashes
• Cryptographically secure one-way function, produces a short sequence of bytes (e.g., 128 or 160 bits) based on the input.
• e.g., MD4, MD5, SHA
ABCDEFGHI
3C 00 3C FF 01 FE CB E6 A4 22 19 5D 8B EE …
One-way hash
H(P)
P
MD
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 16
Hash Space
• Single bit change in source changes ~½ the bits in the hash.• Small changes in the hash come from very different sources.• Computationally unfeasible to find matching source from hash.
ABCDEFGHI
We the
people …
A Long Time ago in a galaxy
far, far, away
1,000,201,548,007 1,000,201,548,008 1,000,201,548,009. . . . . .
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 17
Message Authentication Code (MAC)
• For authenticity without secrecy; attached to message• MAC is a one-way hash function plus a secret key
– Encrypt the hash of the message with the key, or– Hash the concatenation of the message and key
ABCDEFGHI
ABC DEF GHI
P
P + MAC
H(P, key)
P! X. #/ [n +p 1c <M ex xq ^P
Rk os qp …
•H(P || key)
or
• Encrypted H(P)
key
MAC
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 18
Costs of Protections
• Encryption overhead! (more tradeoffs)– Poor performance– CPU load– Power consumption– Reduced battery life– Increased data size increased transmission
time
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 19
Cost of Protections
• Public Key Infrastructure (PKI)– Key management
• Key setup
• Key exchange
– Certificates
– Trusted 3rd party
– Shared secrets (and risks) vs. public key
– Individual vs. group keys (overhead)
– Certificate revocation or expiration
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 20
IP Security (IPsec)
• IETF IPsec Working Group – Provide authentication.
• Authentication Header (AH): RFC2402
– Protect the data payload• Encapsulating Security Payload (ESP): RFC2406
– Key management • Internet Security Association and Key Management
Protocol (ISAKMP): RFC2408
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 21
Misc. Attacks
Additional attack methods:• Man-in-the-middle attacks (e.g., ARP cache
poisoning, bogus services)–Use good authentication
• Replay attacks– Use sequence numbers + one time data
• Traffic analysis–Use encrypted communication
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 22
Misc. Security
Physical security• “Stolen laptop” scenario• Defenses:
– CMOS password w/ hardware tamper protection– Password protected accounts on computer– Encrypted data– Biometrics for authentication
• None of these defenses result in return of the laptop, unfortunately
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 23
Misc. Non-Technical Attacks
• “Social engineering” plus $$$ tend to be very effective– Look for resumes on the web, buy a drink, etc.– See Kevin Mitnick’s book for lots more
• “Rubber-hose” cryptanalysis
"Believe me, Baldric, an eternity in the company of Beelzebub and all his hellish minions will be as nothingcompared to five minutes alone with me...and this pencil.”
– Blackadder.
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 24
IEEE 802 Standards
• 802.11 – IEEE Standard, 1997.• 802 LAN/MAN Standard
Committee– 802.1d – MAC bridging
standard– 802.1x – Port-based Network
Access Control– 802.2 – Logical Link Control– 802.3 – Ethernet
• 802.3z – 100BaseT Fast Ethernet
– 802.5 – Token Ring
– 802.11 – Wireless LAN• 802.11 – “basic” wireless• 802.11a - 5GHz, 54Mb• 802.11b – 2.4GHz, 11Mb• 802.11e – QoS• 802.11f – AP interop• 802.11g – faster 802.11b,
starting at 20Mbps• 802.11h – transmit power
control for 802.11a (Europe)• 802.11i – better security• 802.11j – Japanese 802.11• 802.11n – 100+Mb• 802.11p – automotive apps
– 802.15.1 Bluetooth– 802.15.4 Low-rate (low power)– 802.16 Wireless Metropolitan
Area Network (WMAN)
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 25
WEP – Protection for 802.11b
• Wired Equivalent Privacy– “No worse than what you get with wire-based systems”
• Criteria:– “Reasonably strong”– Self-synchronizing – stations often go in and out of
coverage– Computationally efficient – in HW or SW since low
MIPS CPUs might be used– Exportable –– Optional – not required to used it
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 26
WEP – How It Works
• Secret key (40 bits or 104 bits)
• Initialization vector (24 bits, by IEEE std.)– Total of 64 or 128 bits “of protection.”
• RC4-based pseudo random number generator (PRNG)
• Integrity Check Value (ICV): CRC 32
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 27
WEP Data Frame
IV(4 bytes)
Data (PDU)( 1 byte)
ICV(4 bytes)
Init Vector(3 bytes)
1 byte
Pad6 bits
Key ID2 bits
Note: can use up to 4 different keys.
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 28
WEP Encryption
InitializationVector (IV)
Secret Key
Plaintext
Integrity Algorithm
Seed WEP PRNG
Key Sequence
Integrity Check Value (ICV)
IV
CiphertextMessage
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 29
WEP Encryption Process
1. Compute ICV using CRC-32 over plaintext msg.
2. Concatenate ICV to plaintext message.
3. Choose random IV and concat it to secret key and input it to RC4 to produce pseudo random key sequence.
4. Encrypt plaintext + ICV by doing bitwise XOR with key sequence to produce ciphertext.
5. Put IV in front of cipertext.
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 30
WEP Decryption
IV
Ciphertext
Secret Key
Message
WEP PRNG
Seed
Key Sequence
Integrity Algorithm
Plaintext
ICV’
ICV
ICV’ - ICV
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 31
WEP Decryption Process
1. IV of message used to generate key sequence, k.
2. Ciphertext XOR k original plaintext + ICV.
3. Verify by computing integrity check on plaintext (ICV’) and comparing to recovered ICV.
4. If ICV ICV’ then message is in error; send error to MAC management and back to sending station.
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 32
WEP Station Authentication
1. Wireless Station (WS) sends Authentication Request to Access Point (AP).
2. AP sends (random) challenge text T.
3. WS sends challenge response (encrypted T).
4. AP sends ACK/NACK.
WS APAuth. Req.
Challenge Text
Challenge Response
Ack
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 33
WEP Weaknesses
• Forgery Attack– Packet headers are unprotected, can fake src and dest addresses.– AP will then decrypt data to send to other destinations.– Can fake CRC-32 by flipping bits.
• Replay – Can eavesdrop and record a session and play it back later.
• Collision (24 bit IV; how/when does it change?)– Sequential: roll-over in < ½ day on a busy net– Random: After 5000 packets, > 50% of reuse.
• Weak Key– If ciphertext and plaintext are known, attacker can determine key.– Certain RC4 weak keys reveal too many bits. Can then determine RC4
base key.
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 34
WEP Weakness
• Key Management
• 4 possible keys, externally populated
• 802.11 standard does not specify distribution mechanism (backbone network)
• Can be unique key for each WS or single key for entire network (commonly used)
• Single key increases chances of IV reuse
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 35
(Old) Recent Developments
As of August 2001:
• WEP 128 bit encryption broken in 15 minutes!
• Need to see ~6,000,000 encrypted messages to break WEP (not a lot).
• Weakness had been known for a while, just had not been exploited that quickly before.
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 36
Practical Results…
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 37
War Driving in New Orleans (back in December 2001)
• Equipment– Laptop, wireless card, software
– GPS, booster antenna (optional)
• Results– 64 Wireless LAN’s
– Only 8 had WEP Enabled (12%)
– 62 AP’s & 2 Peer to Peer Networks
– 25 Default (out of the box) Settings (39%)
– 29 Used The Company Name For ESSID (45%)
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 38
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 39
X X
XX
XX
X
XXXXXXX X X
9 nets
X
5 nets
XXX
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 40
X
X
X
X
XX
XX
XX X XX
X
X
X
XX
X
X
X
X
X
X
X
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 41
Ways to Improve Security with WEP
• All encryption modes of operation should use (secure) MAC, rather than CRC
• Use WEP(!)• Put wireless network outside of firewall• Use VPN to get inside• Limit connections based on MAC address
– Easily defeated• Better key management:
– Use individual keys– Change them early and often
• Better: replace with something else
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 42
What’s next?
• WiFi Protected Access (WPA) available sooner– Approximation of what will be in 802.11i
– Already cracked (11/2004)
• 802.11i– Provides better security, key distribution, longer/better
initialization vectors, etc.
– Probably incompatible with most current hardware
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 43
802.11i
– Improved encryption Algorithms• Temporal Key Integrity Protocol (TKIP) – for legacy
hardware– Generates per-packet keys
– 48 bit IV prevents replay attacks
• Counter mode CBC-MAC Protocol (CCMP) – for new hardware
– Not for legacy hardware—insufficient CPU power to run AES encryption
– 802.1x – port based network access control• Authentication
• Encryption key distribution
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 44
802.1X
From Meetinghouse Data Communications, http://www.mtghouse.com/8021X.pdf
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 45
802.11i >> WEP
• Forgery– Stronger Message Integrity Code– Cryptographically secure hash– Apply hash to packet payload plus src and dest addresses
• Replay– 48 bit IV, strictly increasing sequence, cannot roll-over (must
rekey), receiver discards out-of-sequence packets• Weak Keys of WEP
– Per-packet key computed using transmitter address, IV, base key• Collision
– 48 bit IV, force a rekey after 215 packets– Use 802.1X EAPOL (Extensible Authentication Protocol Over
LAN) to configure a new key for every association
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 46
802.11: DoS a Major Concern
• Denial of service attacks still a major problem
• Physical-level DoS
• De-authentication attacks
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 47
e.g., De-authentication DoS
From “12th USENIX Security Symposium USENIX Association 15
802.11 Denial-of-Service Attacks:Real Vulnerabilities and Practical Solutions”, Ballardo &
Savage, 12th USENIX Security Symposium (2003).
One possible solution for existing hardware:Queue de-authenticate packets for a short time (15s?). If additional data packets are
seen from the client, discard the de-authentication request.
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 48
Why?• Firmware in 802.11 cards is supposed to
prevent illegal 802.11 frames from being generated…but
From “12th USENIX Security Symposium USENIX Association 15
802.11 Denial-of-Service Attacks:Real Vulnerabilities and Practical Solutions”, Ballardo &
Savage, 12th USENIX Security Symposium (2003).
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 49
802.11
• Jim Geier, “Spread Spectrum: Frequency Hopping vs. Direct Sequence,” http://www.wireless-nets.com/whitepaper_spread.htm.
• 3com, “What’s New in Wireless LANs: The IEEE 802.11b Standard,” http://www.3com.com/technology/tech_net/white_papers/503072a.html.
• Sultan Weatherspoon, “Overview of IEEE 802.11b Security,” Intel Technology Journal, 2nd Quarter 2000, http://developer.intel.com/technology/itj/q22000/pdf/art_5.pdf.
• Jim Lansford, Adrian Stephens, and Ron Nevo, “Wi-Fi (802.11b) and Bluetooth: Enabling Coexistence,” IEEE Network, Sept/Oct 2001.
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 50
WEP
• R.L. Rivest, “The RC4 Encryption Algorithm,” RSA Data Security, Inc. March 12, 1992 (proprietary).
• RFC2401, Stephen Kent and Randall Atkinson, “Security Architecture for the Internet Protocol,” Internet Engineering Task Force, Nov. 1998, http://www.ietf.org/rfc/rfc2401.txt.
• Nikita Borisov, Ian Goldberg, and David Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11 (-Draft-),” Mac Crypto Workshop, Jan. 2001, http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf.
• Scott Fluhrer, Itsik Mantin, and Adi Shamir, “Weaknesses in the Key Scheduling Algorithm of RC4,” Proceedings of Selected Areas in Cryptography (SAC), Toronto, August 2001, http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps.
• Adam Stubblefield, John Ioannidis, and Aviel D. Rubin, “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP,” AT&T Labs Technical Report TD-4ZCPZZ, August 2001, http://www.cs.rice.edu/~astubble/wep/.
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 51
WEP
• Nicki Hayes, “Wired Equivalent Privacy (WEP) – Gone in 15 Minutes!” http://www.wirelessdevnet.com/channels/wireless/features/newsbyte31.html.
• “WEP Security Goes ‘Poof’,” Information Security, 4(9), September 2001, p 30.
• Craig Ellison, “Wireless LANs at Risk”, PC Magazine, April 9, 2002, pp. 66 – 68.
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 52
Recent Additions
• Fun stuff: Neal Stephenson, Cryptonomicon, Perennial, 1999.
• “Evolving to Seamless All-IP Wireless/Mobile Networks,” Special Issue of IEEE Communications Magazine, Dec. 2001, 39(12).
• AirSnort: http://airsnort.sorceforge.net.
Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 53
802.11i and 802.1x
• Jesse Walker, “802.11 Security Considerations and Solutions,” Intel Developer Forum, Spring 2002.
• Merwyn Andrade, “Securing the WLAN with 802.11i,” …• Dennis Eaton, “Diving into the 802.11i Spec: A Tutorial,”
CommsDesign, Nov 22, 2002, http://www.commsdesign.com/printableArticle?doc_id=OEG20021126S0003
• “Wireless Netowkr Security Bulletin V.2.1,” White Paper, Proxim Corp, CP6-0103, 2003.
• “IEEE Standard for Local and metropolitan area networks – Port Based Network Access Control,” IEEE Std 802.1X-2001.