Presentation Jing Tan, Umass-Lowell Slide 1
Wireless and its Security
Jing Tan
Department of Computer Science
University of Massachusetts, Lowell
My message
It’s (Wireless Security) not too late, but it’s time to start.
History of Wireless
Wireless technologies are relatively old. The development of wireless started about a century ago. Wireless played an important role from World War II to the aircraft business and NASA space exploration. But wireless technology has now developed into one of today's hottest topics because of its ability to bring the power of communications and the Internet into the hands of users worldwide.
The Growth of WLANs
Demand for wireless access to LANs is fueled by the growth of mobile devices. There will be over a billion mobile devices by 2003, and the wireless LAN market is projected to grow to over US$20 billion by 2003.
The Technologies
The wireless technologies:
- 802.11 and 802.11b
- Wireless Application Protocol (WAP)
- Wired Equivalent Privacy (WEP)
What's 802.11/802.11b?
The 802.11 and 802.11b standards
In 1997 the IEEE published the first world-recognized standard for wireless, 802.11. About two years later, the IEEE published 802.11b, also known as 802.11 High Rate, which specifies the standards for building wireless systems that operate with data speeds of up to 11 Mbps.
Detail of 802.11/802.11b
- Wireless Architecture Modes
- 802.11b physical layer
- 802.11 Media Access Control Layer (MAC)
Wireless Architecture Modes
Architecture modes:
- Infrastructure mode (802.11)
  - All stations in the system connect to an access point, not directly to one another.
  - BSS (Basic Service Set) and ESS (Extended Service Set)
- Ad hoc mode (Bluetooth)
  - The stations interconnect directly, without communicating through an access point.
802.11b physical layer
One of the most valuable additions the 802.11b standard provides is the standardization of physical layer support for the two new speeds, 5.5 Mbps and 11 Mbps.
To increase the data rate in 802.11b, advanced coding techniques are described.
802.11 Media Access Control Layer (MAC)
The 802.11 MAC is designed to support multiple users on a shared medium by having the sender detect and gather information about the medium before accessing it.
It is the same as the 802.3 Ethernet wired connection. However, the protocol employed there, CSMA/CD (carrier sense multiple access with collision detection), details collision handling and redirection.
In 802.11, collision detection is not possible because stations cannot listen and transmit at the same time; the radio transmission prevents the station from sensing a collision. The protocol specified is therefore slightly different from that in 802.3. It is termed CSMA/CA (carrier sense multiple access with collision avoidance) and involves sending extra packets to confirm receipt of transmitted packets, called explicit packet acknowledgment (ACK).
Wired Equivalent Privacy
The WEP protocol algorithm is designed on five premises:
- Reasonably strong. Takes a reasonably long time to break the encryption.
- Self-synchronizing. It's not too much based on battery power.
- Exportable. Can be moved when necessary.
- Optional. Can be turned on and off when a user needs.
Bluetooth
Unlike 802.11, Bluetooth is a technology that operates as an ad hoc network.
Wireless Application Protocol
Wireless Application Protocol (WAP)
WAP is considered by some to be the standard in wireless communications. Main members are Nokia, Ericsson, and Motorola, etc.
WAP has WTLS (Wireless Transport Layer Security), the equivalent of Transport Layer Security (TLS) or Secure Socket Layer (SSL), which provides authentication, privacy, and secure connections between applications. The problem with WTLS is that it does not provide end-to-end security and opens holes.
WAP Overview
The subscriber pushes a key on her phone that has a URL (www.google.com). The WAP gateway (AP) receives the WTP/WTLS package and translates it into HTTP/HTTPS for the web server.
The web server passes the requested file, the returned data, to the gateway with HTTP/SSL. The gateway performs translation into WML. The problem starts at this point: it does not provide end-to-end security and opens holes.
[Figure labels: WTP/WTLS, WAP Gateway (AP), Internet, Web Server, HTTP/HTTPS, SSL]
The Languages
The wireless languages:
- WAP Browsers
- Wireless Markup Language (WML)
- WMLScript
- Java 2 Micro Edition (J2ME)
- C#
- XHTML
- Wireless Operating System
WAP Browsers
More and more pages on the wireless web are being written in WML to avoid having to translate to or from HTML. To view a WML page, a device must have a WAP browser. Browsers are Netscape, IE and Openwave Mobile Browser.
Wireless Markup Language
Wireless Markup Language (WML)
Although WML is similar to HTML and XML, programming in it requires the use of different tags and structures. Because an entire screen-size web page does not fit on the device, it must be broken into smaller subparts. The following is an example of a simple Hello World page in WML.

<?xml version="1.0"?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN"
  "http://www.wapforum.org/DTD/wml_1.1.xml">
<!-- Hello World in WML -->
<wml>
  <card id="Card1" title="WML example">
    <p>Hello World</p>
  </card>
</wml>
WMLScript
WMLScript is based on JavaScript. WMLScript gives WML added functionality just as JavaScript adds to Java:
- Checks the validity of user input
- Provides access to the device's facilities
- Generates messages and dialogs locally
- Etc.
Current WMLScript applications are predominantly benign, but there are many risks. For example, a cell phone that has been set up to make a call is to display the phone number before the call is made. If the WAP browser being used does not prompt the user before placing the call, the call is automatically activated. In Japan, a prank was played on phone users: pressing a number in response to a voice mail message automatically dialed the Japanese police emergency number without the callers' knowledge. Japan uses i-mode technology, which is different from WAP, but this represents an initial exploitation of a native capability.
Java 2 Micro Edition (J2ME)
Sun's Java 2 Programming Language consists of three versions:
- J2SE: Java 2 Standard Edition
- J2EE: Java 2 Enterprise Edition
- J2ME: Java 2 Micro Edition
Java 2 Micro Edition selectively rewrites and removes integral components of the core runtime environment to make it easily portable to smaller devices.
C#
C# .NET and Visual Basic .NET are the two main programming languages used for developing software for the .NET platform, including the .NET Compact Framework for wireless devices. The .NET platform is in direct competition with Java platforms like J2EE and J2ME.
The New Wireless Language: XHTML
Designers often write HTML code in a sloppy fashion. Web browsers are supposed to be very forgiving when rendering a page. In other words, they still try to display the page even if some tags are nested incorrectly or missing. This has led the browser developers to add extra code to the browser engine so that the pages still come out looking as they are supposed to look. However, all this code makes the browser a pretty big application, often between 15-18+ megs.
Now this might be fine for your PC with all the hard drive space you may have. However, small devices such as PDAs, cell phones, automobiles, refrigerators, etc., cannot hold such a big browser. Therefore, in order to be able to surf the web (and see your web site) with one of these devices, we need a small browser. In order to make the browser smaller the code must be less. That's where XHTML comes in.
Wireless Operating System
Wireless operating systems:
- Nokia Symbian OS
- Compaq Palm OS
- Microsoft Windows CE, Pocket PC and Smartphone OS
- NTT DoCoMo I-mode OS
ISO and WAP network model
Functionality | 802.11b | Internet | WAP
L7: Application | | HTML, JavaScript | Wireless Application Env. (WAE): WML, WMLScript
L6: Presentation | | |
L5: Session | | HTTP | Wireless Session Protocol (WSP)
Transaction | | HTTP | Wireless Transaction Protocol (WTP)
Security | | TLS-SSL | Wireless Transport Layer Security
L4: Transport | | TCP/UDP | Wireless Datagram Protocol (WDP)
L3: Network | | IP | Bearers: SMS, GSM, CDPD, etc
L2: Data Link | | |
L1: Physical | WEP | |
The Problem: Security!
Wireless networking is just radio communications.
- It transmits data by broadcast over the air using radio waves, so the data reaches everyone in the area served by the transmitter.
- Hence anyone with a radio can eavesdrop, inject traffic
The Setting
An example of an 802.11 and 802.11b wireless network (current installed base in the millions of users)
WEP
The industry's solution: WEP (Wired Equivalent Privacy)
- Share a single cryptographic key among all devices
- Encrypt all packets sent over the air, using the shared key
- Use a checksum to prevent injection of spoofed packets
[Figure label: encrypted traffic]
WEP vulnerabilities
Vulnerabilities have been identified in the industry's solution, WEP (Wired Equivalent Privacy):
- (2000/10) Jesse R. Walker, Intel Corporation, was one of the first people to identify several of the problems in WEP.
- (2001/03) University of Maryland found several problems with the access control and authentication mechanisms used in the 802.11 standard.
- (2001/01) University of California at Berkeley independently released a paper describing the problems with WEP.
How WEP Works
[Figure labels: IV, key, RC4, original unencrypted packet, checksum, IV, encrypted packet]
WEP Encapsulation
WEP Encapsulation Summary:
- Encryption algorithm = RC4
- Per-packet encryption key = 24-bit IV concatenated to a pre-shared key
- WEP allows IV to be reused with any frame
- Data integrity provided by CRC-32 of the plaintext data (the "ICV")
- Data and ICV are encrypted under the per-packet encryption key
[Figure: Encapsulate turns "802.11 Hdr | Data" into "802.11 Hdr | IV | Data | ICV"; Decapsulate reverses it]
How to Read WEP Encrypted Traffic (1)
By the Birthday Paradox, the probability $P_n$ that two packets will share the same IV after n packets is $P_2 = 1/2^{24}$ after two frames and $P_n = P_{n-1} + (n-1)(1 - P_{n-1})/2^{24}$ for n > 2.
- 50% chance of a collision exists already after only 4823 packets!!!
- Pattern recognition can disentangle the XOR'd recovered plaintext.
- Recovered ICV can tell you when you've disentangled plaintext correctly.
- After only a few hours of observation, you can recover all $2^{24}$ key streams.
[Figure: frame layout "802.11 Hdr | IV | Data | ICV"; the IV is "24 luxurious bits"; Data and ICV are encrypted under Key + IV using a Vernam cipher]
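The recurrence above can be iterated directly to check the 4823-packet figure and the "few hours" estimate. This is an added example, not part of the original presentation; the function names, the 1500-byte frame size and the assumption of a link saturated at 11 Mbps are choices made here.

```python
def frames_for_collision(target: float = 0.5, iv_bits: int = 24) -> int:
    """Smallest n with P_n >= target, using the slide's recurrence
    P_2 = 1/2^bits, P_n = P_{n-1} + (n-1)(1 - P_{n-1}) / 2^bits."""
    space = 2 ** iv_bits
    p, n = 0.0, 1                 # a single frame cannot collide with anything
    while p < target:
        n += 1
        p += (n - 1) * (1.0 - p) / space
    return n


def collision_probability(n: int, iv_bits: int = 24) -> float:
    """P_n for randomly chosen IVs, from the same recurrence."""
    space = 2 ** iv_bits
    p = 0.0
    for k in range(2, n + 1):
        p += (k - 1) * (1.0 - p) / space
    return p


def hours_to_cycle_iv_space(rate_bps: float = 11e6, frame_bytes: int = 1500,
                            iv_bits: int = 24) -> float:
    """Hours for one sender to use every IV value once.
    Assumed here: the link runs at its nominal rate with fixed-size frames."""
    frames_per_second = rate_bps / (frame_bytes * 8)
    return (2 ** iv_bits) / frames_per_second / 3600


if __name__ == "__main__":
    print("frames for a 50% IV collision:", frames_for_collision(0.5))
    print("P after 10000 frames: %.3f" % collision_probability(10000))
    print("hours to cycle all IVs at 11 Mbps: %.1f" % hours_to_cycle_iv_space())
```

Passing a larger `iv_bits` shows how quickly the collision threshold moves as the IV field grows, which is the design lever a replacement protocol has.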
How to Read WEP Encrypted Traffic (2)
Ways to accelerate the process:
- Send spam into the network: no pattern recognition required!
- Get the victim to send e-mail to you
  - The AP creates the plaintext for you!
- Decrypt packets from one Station to another via an Access Point
  - If you know the plaintext on one leg of the journey, you can recover the key stream immediately on the other
- Etc., etc., etc.
A Property of RC4
Keystream leaks, under known-plaintext attack
- Suppose we intercept a ciphertext C, and suppose we can guess the corresponding plaintext P
- Let Z = RC4(key, IV) be the RC4 keystream
- Since $C = P \oplus Z$, we can derive the RC4 keystream Z by
  $P \oplus C = P \oplus (P \oplus Z) = (P \oplus P) \oplus Z = 0 \oplus Z = Z$
This is not a problem ... unless keystream is reused!
A Risk With RC4
If any IV ever repeats, confidentiality is at risk
- Suppose P, P' are two plaintexts encrypted with the same IV
- Let Z = RC4(key, IV); then the two ciphertexts are $C = P \oplus Z$ and $C' = P' \oplus Z$
- Note that $C \oplus C' = P \oplus P'$, hence the xor of both plaintexts is revealed
- If there is redundancy, this may reveal both plaintexts
- Or, if we can guess one plaintext, the other is leaked
So: If RC4 isn't used carefully, it becomes insecure
Attack #1: Keystream Reuse
WEP didn't use RC4 carefully
The problem: IVs frequently repeat
- The IV is often a counter that starts at zero
- Hence, rebooting causes IV reuse
- Also, there are only 16 million possible IVs, so after intercepting enough packets, there are sure to be repeats
Implications: can eavesdrop on 802.11 traffic
- An eavesdropper can decrypt intercepted ciphertexts even without knowing the key
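The identities $C \oplus C' = P \oplus P'$ and $Z = P \oplus C$ from the preceding slides can be reproduced on a toy WEP encapsulation (RC4 keyed with IV || pre-shared key, CRC-32 ICV appended). This is an added example, not code from the presentation; the key, IV and plaintexts are constructed sample values, and the 3-byte IV prefix is a simplified frame layout.

```python
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (key schedule, then output)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input

def wep_encapsulate(iv: bytes, shared_key: bytes, data: bytes) -> bytes:
    """IV in the clear, then RC4(IV || key) XOR (data || CRC-32 ICV)."""
    body = data + struct.pack("<I", zlib.crc32(data))
    return iv + xor(body, rc4(iv + shared_key, len(body)))

def wep_decapsulate(shared_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + shared_key, len(body)))
    data, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(data)) != icv:
        raise ValueError("ICV mismatch")
    return data

# Constructed sample values, not taken from any real network.
KEY = bytes.fromhex("0102030405")        # 40-bit pre-shared key
IV = bytes.fromhex("000001")             # the same 24-bit IV used for both frames
P1 = b"GET /index.html HTTP/1.0"         # plaintext an observer can guess
P2 = b"user=alice;pin=4821 ...."         # unknown plaintext of equal length

def reuse_demo():
    """Return (C xor C' equals P xor P', P2 recovered without KEY)."""
    c1 = wep_encapsulate(IV, KEY, P1)[3:]
    c2 = wep_encapsulate(IV, KEY, P2)[3:]
    leaked = xor(c1, c2)[:len(P1)] == xor(P1, P2)
    z = xor(P1, c1)                      # Z = P xor C, derived from a known plaintext
    return leaked, xor(z, c2)
```

`reuse_demo()` never touches `KEY` after encapsulation, which is why a repeated IV under a shared key defeats confidentiality regardless of key length.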
Attack #2: Spoofed Packets
Attackers can inject forged traffic onto 802.11 nets
- Suppose attackers know the value Z = RC4(key, IV) for some IV
  - e.g., by using the previous attack
- This is all attackers need to know to encrypt using this IV
- Since the checksum is unkeyed, attackers can create valid ciphertexts that will be accepted by the receiver
Implication: can bypass access control
- Can attack any computer attached to the wireless net
Summary So Far
None of WEP's goals are achieved
- Confidentiality, integrity, access control all broken
Evaluation of WEP
WEP cannot be trusted for security
- Attackers can eavesdrop, spoof wireless traffic
- Can often break the key with a few minutes of traffic
Attacks are very serious in practice
- Attack tools are available for download on the Net
- Hackers sitting in a van in your parking lot may be able to watch all your wireless data, despite the encryption
War Driving
To find wireless nets:
- Load laptop, 802.11 card, and GPS in car
- Drive
While you drive:
- Attack software listens and builds map of all 802.11 networks found
Driving from LA to San Diego
Conclusions
Wireless networks: insecure in theory & in practice
- 50-70% of networks never even turn on encryption, and the remaining are vulnerable to attacks shown here
- Hackers are exploiting these weaknesses in the field, from distances of a mile or more
Lesson: Open design is important
- These problems were all avoidable
In security-critical contexts, be wary of wireless!
An example of solutions
In late 2001, RSA released a solution to the weakness present in WEP, the Fast Packet Keying solution, which uses a technique that rapidly generates a unique key for each wireless data packet. The IEEE committee approved this fix in early 2002. Although it quells the war-driving experiments of many, it does not solve the wireless LAN security problems indefinitely.
References
[1] "Wireless Security" by David Wagner, University of California, Berkeley. http://www.cuss.berkeley.edu/~daw
[2] Wireless Security and Privacy by Tara M. Swaminatha and Charles R. Elden. ISBN 0-201-76034-7. Publisher: Addison-Wesley.
[3] "Overview of 802.11 Security" by Jesse Walker, Intel Corp.
[4] "An Inductive Chosen Plaintext Attack Against WEP/WEP2" by Bill A. Arbaugh. http://www.cs.umd.edu/~waa
[5] "Wireless LAN Security" by Cisco Systems.