Wireless Security

Original slides ©2003 Odyssey Research Associates, updated 2004 by Golden G. Richard III, Ph.D. 1

Wireless Security

(Based on slides by Dr. Frank Adelstein of ATC-NY/Odyssey

Research Associates)


Protect what?

• Integrity– System: performs its intended function in an unimpaired manner, free

from deliberate or inadvertent unauthorized manipulation of the system.

– Data: Should be possible for receiver to verify that data has not been modified; intruder should not be able to substitute fake data

• Confidentiality– Only intended recipient(s) should be able to read data

• Non-repudiation– Sender should not be able to falsely deny sending data.

• Availability (Denial of Service, Distributed DoS)– A third party with no access should not be able to block legitimate parties

from using a resource.


Security: Before/During/After

•Prevention (before)– Authentication, authorization, accounting

•Detection (during)– Intrusion Detection

• Host/network• Signature/behavior

•Reaction (after)– Digital Forensics

• Evidence preservation• Who? What? When? From where?• Sources (files, logs, timestamp info, ISP records, …)

– Attack Assessment, Damage Assessment, Data Recovery


Before

• Prevention– Authentication: “Are they who they claim to be?”

“The act of verifying a claimed identity, in the form of a pre-existing label from a mutually known name space, as the originator of a message (message authentication) or as the end-point of a channel (entity authentication).”

– Authorization: “Do they have permission to do it?”“The act of determining if a particular right, such as access to some resource, can be granted to the presenter of a particular credential.”

– Accounting: a log or history of what happened“The collection of resource consumption data for the purposes of capacity and trend analysis, cost allocation, auditing, and billing. Accounting management requires that resource consumption be measured, rated, assigned, and communicated between appropriate parties.”


Security Tradeoffs

Security vs.: • Convenience

– long vs. short passwords– Multi-factor authentication– callback, smart cards, etc.

• Availability – locked out after 3 bad passwords– ATM eats bank card – Don’t allow remote access?– what happens when log files fill up?


Wireless Risks

• Wireless – all of the above concerns plus an increased risk of eavesdropping (and transmitting). – No need to tap or plug into the network. Only need to be

“nearby.” – Depending on the wireless technology, nearby can be

line-of-sight, same room, outside a building, within a few miles (e.g., Bluetooth sniper rifle)

• Greatly increases threats to: confidentiality, integrity, non-repudiation


Risks (2)

These risks can allow adversaries to:

• Perform data snooping– Medical data becoming more available

• Hijack sessions

• Commit Fraud and identity theft


Risks: Resource Depletion

• Hardware limitations, such as low network bandwidth and limited battery power, also increases denial-of-service risk:– Resource depletion/exhaustion attacks

“want a business card?”

“want a business card?”“want a business card?”“want a business card?”“want a business card?”“want a business card?”“want a business card?”“want a business card?”


Protections

• Make it harder to intercept transmissions at the intruder’s physical layer– Use low power, limit reception/interception

range.– Use a technique like frequency hopping

• But, generally want anyone to be able to join in and use the network.

• Actually used to increase number of users, not for protection.


Protections

• Encryption: “they” can’t decode data, so they can’t use what they do steal

• Digital signatures: prevent forging or modifying data


Encryption

• Symmetric key: C = Ek(P),

P = Dk (C)

ABCDEFGHI

?T#!@=~cx

P

C

encryptionfunction

key

• Public key: C = Epub(P),

P = Dpriv(C), also

C’ = Epriv (P),

P = Dpub(C’)


Block vs. Stream Cipher

Plain text

streamkey

generator

cipher text

Pseudo-random stream

blockE(block)

key

block


Block vs. Stream Cipher

• Block: accumulates a group of plaintext and then operates on it at once (e.g., 64 bits at a time) and produce an encrypted block of equal size. e.g., DES, AES, RSA

• Stream: operate on plaintext a single bit/byte at a time. e.g., RC4, used in WEP


Simple examples

– XOR: Text Key* Result

• 1111 0000 XOR 1010 1010 = 0101 1010

• 0101 1010 XOR 1010 1010 = 1111 0000(* Note that this is really a single sample from a key-stream.)

– Rotation (trivial cipher):• ROT1: “HAL” “IBM”

• Caesar cipher (+3)

• USENIX ROT13: tr ‘[a-zA-z]’ ‘[n-za-m][N-ZA-M]’


Message Digests and Hashes

• Cryptographically secure one-way function, produces a short sequence of bytes (e.g., 128 or 160 bits) based on the input.

• e.g., MD4, MD5, SHA

ABCDEFGHI

3C 00 3C FF 01 FE CB E6 A4 22 19 5D 8B EE …

One-way hash

H(P)

P

MD


Hash Space

• Single bit change in source changes ~½ the bits in the hash.• Small changes in the hash come from very different sources.• Computationally unfeasible to find matching source from hash.

ABCDEFGHI

We the

people …

A Long Time ago in a galaxy

far, far, away

1,000,201,548,007 1,000,201,548,008 1,000,201,548,009. . . . . .


Message Authentication Code (MAC)

• For authenticity without secrecy; attached to message• MAC is a one-way hash function plus a secret key

– Encrypt the hash of the message with the key, or– Hash the concatenation of the message and key

ABCDEFGHI

ABC DEF GHI

P

P + MAC

H(P, key)

P! X. #/ [n +p 1c <M ex xq ^P

Rk os qp …

•H(P || key)

or

• Encrypted H(P)

key

MAC


Costs of Protections

• Encryption overhead! (more tradeoffs)– Poor performance– CPU load– Power consumption– Reduced battery life– Increased data size increased transmission

time


Cost of Protections

• Public Key Infrastructure (PKI)– Key management

• Key setup

• Key exchange

– Certificates

– Trusted 3rd party

– Shared secrets (and risks) vs. public key

– Individual vs. group keys (overhead)

– Certificate revocation or expiration


IP Security (IPsec)

• IETF IPsec Working Group – Provide authentication.

• Authentication Header (AH): RFC2402

– Protect the data payload• Encapsulating Security Payload (ESP): RFC2406

– Key management • Internet Security Association and Key Management

Protocol (ISAKMP): RFC2408


Misc. Attacks

Additional attack methods:• Man-in-the-middle attacks (e.g., ARP cache

poisoning, bogus services)–Use good authentication

• Replay attacks– Use sequence numbers + one time data

• Traffic analysis–Use encrypted communication


Misc. Security

Physical security• “Stolen laptop” scenario• Defenses:

– CMOS password w/ hardware tamper protection– Password protected accounts on computer– Encrypted data– Biometrics for authentication

• None of these defenses result in return of the laptop, unfortunately


Misc. Non-Technical Attacks

• “Social engineering” plus $$$ tend to be very effective– Look for resumes on the web, buy a drink, etc.– See Kevin Mitnick’s book for lots more

• “Rubber-hose” cryptanalysis

"Believe me, Baldric, an eternity in the company of Beelzebub and all his hellish minions will be as nothingcompared to five minutes alone with me...and this pencil.”

– Blackadder.


IEEE 802 Standards

• 802.11 – IEEE Standard, 1997.• 802 LAN/MAN Standard

Committee– 802.1d – MAC bridging

standard– 802.1x – Port-based Network

Access Control– 802.2 – Logical Link Control– 802.3 – Ethernet

• 802.3z – 100BaseT Fast Ethernet

– 802.5 – Token Ring

– 802.11 – Wireless LAN• 802.11 – “basic” wireless• 802.11a - 5GHz, 54Mb• 802.11b – 2.4GHz, 11Mb• 802.11e – QoS• 802.11f – AP interop• 802.11g – faster 802.11b,

starting at 20Mbps• 802.11h – transmit power

control for 802.11a (Europe)• 802.11i – better security• 802.11j – Japanese 802.11• 802.11n – 100+Mb• 802.11p – automotive apps

– 802.15.1 Bluetooth– 802.15.4 Low-rate (low power)– 802.16 Wireless Metropolitan

Area Network (WMAN)


WEP – Protection for 802.11b

• Wired Equivalent Privacy– “No worse than what you get with wire-based systems”

• Criteria:– “Reasonably strong”– Self-synchronizing – stations often go in and out of

coverage– Computationally efficient – in HW or SW since low

MIPS CPUs might be used– Exportable –– Optional – not required to used it


WEP – How It Works

• Secret key (40 bits or 104 bits)

• Initialization vector (24 bits, by IEEE std.)– Total of 64 or 128 bits “of protection.”

• RC4-based pseudo random number generator (PRNG)

• Integrity Check Value (ICV): CRC 32


WEP Data Frame

IV(4 bytes)

Data (PDU)( 1 byte)

ICV(4 bytes)

Init Vector(3 bytes)

1 byte

Pad6 bits

Key ID2 bits

Note: can use up to 4 different keys.


WEP Encryption

InitializationVector (IV)

Secret Key

Plaintext

Integrity Algorithm

Seed WEP PRNG

Key Sequence

Integrity Check Value (ICV)

IV

CiphertextMessage


WEP Encryption Process

1. Compute ICV using CRC-32 over plaintext msg.

2. Concatenate ICV to plaintext message.

3. Choose random IV and concat it to secret key and input it to RC4 to produce pseudo random key sequence.

4. Encrypt plaintext + ICV by doing bitwise XOR with key sequence to produce ciphertext.

5. Put IV in front of cipertext.


WEP Decryption

IV

Ciphertext

Secret Key

Message

WEP PRNG

Seed

Key Sequence

Integrity Algorithm

Plaintext

ICV’

ICV

ICV’ - ICV


WEP Decryption Process

1. IV of message used to generate key sequence, k.

2. Ciphertext XOR k original plaintext + ICV.

3. Verify by computing integrity check on plaintext (ICV’) and comparing to recovered ICV.

4. If ICV ICV’ then message is in error; send error to MAC management and back to sending station.


WEP Station Authentication

1. Wireless Station (WS) sends Authentication Request to Access Point (AP).

2. AP sends (random) challenge text T.

3. WS sends challenge response (encrypted T).

4. AP sends ACK/NACK.

WS APAuth. Req.

Challenge Text

Challenge Response

Ack


WEP Weaknesses

• Forgery Attack– Packet headers are unprotected, can fake src and dest addresses.– AP will then decrypt data to send to other destinations.– Can fake CRC-32 by flipping bits.

• Replay – Can eavesdrop and record a session and play it back later.

• Collision (24 bit IV; how/when does it change?)– Sequential: roll-over in < ½ day on a busy net– Random: After 5000 packets, > 50% of reuse.

• Weak Key– If ciphertext and plaintext are known, attacker can determine key.– Certain RC4 weak keys reveal too many bits. Can then determine RC4

base key.


WEP Weakness

• Key Management

• 4 possible keys, externally populated

• 802.11 standard does not specify distribution mechanism (backbone network)

• Can be unique key for each WS or single key for entire network (commonly used)

• Single key increases chances of IV reuse


(Old) Recent Developments

As of August 2001:

• WEP 128 bit encryption broken in 15 minutes!

• Need to see ~6,000,000 encrypted messages to break WEP (not a lot).

• Weakness had been known for a while, just had not been exploited that quickly before.


Practical Results…


War Driving in New Orleans (back in December 2001)

• Equipment– Laptop, wireless card, software

– GPS, booster antenna (optional)

• Results– 64 Wireless LAN’s

– Only 8 had WEP Enabled (12%)

– 62 AP’s & 2 Peer to Peer Networks

– 25 Default (out of the box) Settings (39%)

– 29 Used The Company Name For ESSID (45%)


X X

XX

XX

X

XXXXXXX X X

9 nets

X

5 nets

XXX


X

X

X

X

XX

XX

XX X XX

X

X

X

XX

X

X

X

X

X

X

X


Ways to Improve Security with WEP

• All encryption modes of operation should use (secure) MAC, rather than CRC

• Use WEP(!)• Put wireless network outside of firewall• Use VPN to get inside• Limit connections based on MAC address

– Easily defeated• Better key management:

– Use individual keys– Change them early and often

• Better: replace with something else


What’s next?

• WiFi Protected Access (WPA) available sooner– Approximation of what will be in 802.11i

– Already cracked (11/2004)

• 802.11i– Provides better security, key distribution, longer/better

initialization vectors, etc.

– Probably incompatible with most current hardware


802.11i

– Improved encryption Algorithms• Temporal Key Integrity Protocol (TKIP) – for legacy

hardware– Generates per-packet keys

– 48 bit IV prevents replay attacks

• Counter mode CBC-MAC Protocol (CCMP) – for new hardware

– Not for legacy hardware—insufficient CPU power to run AES encryption

– 802.1x – port based network access control• Authentication

• Encryption key distribution


802.1X

From Meetinghouse Data Communications, http://www.mtghouse.com/8021X.pdf


802.11i >> WEP

• Forgery– Stronger Message Integrity Code– Cryptographically secure hash– Apply hash to packet payload plus src and dest addresses

• Replay– 48 bit IV, strictly increasing sequence, cannot roll-over (must

rekey), receiver discards out-of-sequence packets• Weak Keys of WEP

– Per-packet key computed using transmitter address, IV, base key• Collision

– 48 bit IV, force a rekey after 215 packets– Use 802.1X EAPOL (Extensible Authentication Protocol Over

LAN) to configure a new key for every association


802.11: DoS a Major Concern

• Denial of service attacks still a major problem

• Physical-level DoS

• De-authentication attacks


e.g., De-authentication DoS

From “12th USENIX Security Symposium USENIX Association 15

802.11 Denial-of-Service Attacks:Real Vulnerabilities and Practical Solutions”, Ballardo &

Savage, 12th USENIX Security Symposium (2003).

One possible solution for existing hardware:Queue de-authenticate packets for a short time (15s?). If additional data packets are

seen from the client, discard the de-authentication request.


Why?• Firmware in 802.11 cards is supposed to

prevent illegal 802.11 frames from being generated…but

From “12th USENIX Security Symposium USENIX Association 15

802.11 Denial-of-Service Attacks:Real Vulnerabilities and Practical Solutions”, Ballardo &

Savage, 12th USENIX Security Symposium (2003).


802.11

• Jim Geier, “Spread Spectrum: Frequency Hopping vs. Direct Sequence,” http://www.wireless-nets.com/whitepaper_spread.htm.

• 3com, “What’s New in Wireless LANs: The IEEE 802.11b Standard,” http://www.3com.com/technology/tech_net/white_papers/503072a.html.

• Sultan Weatherspoon, “Overview of IEEE 802.11b Security,” Intel Technology Journal, 2nd Quarter 2000, http://developer.intel.com/technology/itj/q22000/pdf/art_5.pdf.

• Jim Lansford, Adrian Stephens, and Ron Nevo, “Wi-Fi (802.11b) and Bluetooth: Enabling Coexistence,” IEEE Network, Sept/Oct 2001.


WEP

• R.L. Rivest, “The RC4 Encryption Algorithm,” RSA Data Security, Inc. March 12, 1992 (proprietary).

• RFC2401, Stephen Kent and Randall Atkinson, “Security Architecture for the Internet Protocol,” Internet Engineering Task Force, Nov. 1998, http://www.ietf.org/rfc/rfc2401.txt.

• Nikita Borisov, Ian Goldberg, and David Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11 (-Draft-),” Mac Crypto Workshop, Jan. 2001, http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf.

• Scott Fluhrer, Itsik Mantin, and Adi Shamir, “Weaknesses in the Key Scheduling Algorithm of RC4,” Proceedings of Selected Areas in Cryptography (SAC), Toronto, August 2001, http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps.

• Adam Stubblefield, John Ioannidis, and Aviel D. Rubin, “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP,” AT&T Labs Technical Report TD-4ZCPZZ, August 2001, http://www.cs.rice.edu/~astubble/wep/.


WEP

• Nicki Hayes, “Wired Equivalent Privacy (WEP) – Gone in 15 Minutes!” http://www.wirelessdevnet.com/channels/wireless/features/newsbyte31.html.

• “WEP Security Goes ‘Poof’,” Information Security, 4(9), September 2001, p 30.

• Craig Ellison, “Wireless LANs at Risk”, PC Magazine, April 9, 2002, pp. 66 – 68.


Recent Additions

• Fun stuff: Neal Stephenson, Cryptonomicon, Perennial, 1999.

• “Evolving to Seamless All-IP Wireless/Mobile Networks,” Special Issue of IEEE Communications Magazine, Dec. 2001, 39(12).

• AirSnort: http://airsnort.sorceforge.net.


802.11i and 802.1x

• Jesse Walker, “802.11 Security Considerations and Solutions,” Intel Developer Forum, Spring 2002.

• Merwyn Andrade, “Securing the WLAN with 802.11i,” …• Dennis Eaton, “Diving into the 802.11i Spec: A Tutorial,”

CommsDesign, Nov 22, 2002, http://www.commsdesign.com/printableArticle?doc_id=OEG20021126S0003

• “Wireless Netowkr Security Bulletin V.2.1,” White Paper, Proxim Corp, CP6-0103, 2003.

• “IEEE Standard for Local and metropolitan area networks – Port Based Network Access Control,” IEEE Std 802.1X-2001.

Wireless Security

Documents

Transcript of Wireless Security