wireless network (in)securitysiva/talks/wsec.pdf · wireless networks cryptographic protocols...

Wireless Networks Cryptographic Protocols Wireless Security

Wireless Network (In)Security

G. Sivakumar

CSE DepartmentIIT Bombay

[email protected]

1 Wireless Networks

2 Cryptographic ProtocolsSome Puzzles

3 Wireless Security

G. Sivakumar CSE Department IIT Bombay [email protected]



Internet’s Growth and Charter

Information AnyTime, AnyWhere, AnyForm, AnyDevice, ...WebTone like DialTone




Internet’s Dream

Why should a fridge be on Internet?




Will security considerations make this a nightmare?




802.11 Wireless LAN

802.11 Variants

802.11b (2.4 GHz band, up to 11 Mbits/sec, up to 300ft)802.11a (5 GHz band, up to 54 Mbits/sec, up to 80 ft)802.11g (2.4 GHz band, 20+ Mbits/sec, up to 300 ft)

802.11 ArchitecturesCentralized Wireless LAN: BSS (Basic Service Set)

AP (Access Point)Stations

Ad hoc LAN: IBSS (Independent Basic Service Set)

Additional Working Groups

802.11i (Security)802.11c (QOS: Quality of Service)802.11r (Fast Roaming)Management Frames Security Study Group




Wireless Threats

Classification by C. He and J. C. Mitchell, Stanford Univ.

1 Passive Eavesdropping

2 Message Injection

3 Message Deletion and Interception

4 Masquerading and Malicious AP

5 Session Hijacking

6 Man-in-the-Middle

7 Denial of Service

How to handle last threat? (Technology alone does not suffice!)




Wardriving




Airsnort




Security Requirements

Informal statements (formal is much harder)

Confidentiality Protection from disclosure to unauthorized persons

Integrity Assurance that information has not been modifiedunauthorizedly.

Authentication Assurance of identity of originator of information.

Non-Repudiation Originator cannot deny sending the message.

Availability Not able to use system or communicate when desired.

Anonymity/Pseudonomity For applications like voting, instructorevaluation.

Traffic Analysis Should not even know who is communicating withwhom. Why?

Emerging Applications Online Voting, Auctions

And all this with postcards (IP datagrams overwireless)!



Wireless Networks Cryptographic Protocols Wireless Security Some Puzzles

Exchanging Secrets

Goal

A and B to agree on a secret number. But, C can listen to all theirconversation.

Solution?

A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.




Mutual Authentication

Goal

A and B to verify that both know the same secret number. Nothird party (intruder or umpire!)

Solution?

A tells B: I’ll tell you first 2 digits, you tell me the last two...




Zero-Knowledge Proofs

Goal

A to prove to B that she knows how to solve the cube. Withoutactually revealing the solution!

Solution?

A tells B: Close your eyes, let me solve it...




Security Mechanisms

System Security: “Nothing bad happens to my computersand equipment”virus, trojan-horse, logic/time-bombs, ...

Network Security:Authentication Mechanisms “you are who you say you are”Access Control Firewalls, Proxies “who can do what”

Data Security: “for your eyes only”

Encryption, Digests, Signatures, ...




Cryptography and Data Security

sine qua non [without this nothing :-]

Historically who used first? (L & M)

Code Language in joint families!




One way Functions

Mathematical Equivalents

Factoring large numbers (product of 2 large primes)

Discrete Logarithms




One-way Functions

Computing f(x) = y is easy.Eg. y = 4x mod 13 (If x is 3, y is —?)

n 4n mod 13 10n mod 131 4 102 3 93 12 124 9 35 10 46 1 17 4 10...

......

Note: need not work with numbers bigger than 13 at all!

But given y = 11, finding suitable x is not easy!

Can do by brute-force (try all possibilities!)

No method that is much better known yet!




Network Security Mechanism Layers

Cryptograhphic Protocols underly all security mechanisms. RealChallenge to design good ones for key establishment, mutualauthentication etc.




Motivation for Session keys

Combine Symmetric (fast) and Asymmetric (very slow) Methodsusing session (ephemeral) keys for the following additional reasons.

Limit available cipher text (under a fixed key) for cryptanalyticattack;

Limit exposure with respect to both time period and quantity ofdata, in the event of (session) key compromise;

Avoid long-term storage of a large number of distinct secret keys (inthe case where one terminal communicates with a large number ofothers), by creating keys only when actually required;

Create independence across communications sessions orapplications. No replay attacks.

How to establish session keys over insecure medium where adversary islistening to everything?

Can be done even without any public key! Randomization to rescue (like

in CSMA/CD of Ethernet).G. Sivakumar CSE Department IIT Bombay [email protected]



Diffie-Hellman Key Establishment Protocol




Man-in-the-middle attack

Authentication was missing!

Can be solved if Kasparov and Anand know each other’s public key(Needham-Schroeder).

Yes, but different attack possible.




Needham-Schroeder Protocol




Attack by Lowe (1995)




Why Are Security Protocols Often Wrong?

They are trivial programs built from simple primitives, BUT, theyare complicated by

concurrency

a hostile environment

a bad user controls the networkConcern: active attacks masquerading, replay, man-in-middle,etc.

vague specifications

we have to guess what is wanted

Ill-defined concepts

Protocol flaws rather than cryptosystem weaknessesFormal Methods needed!




WLAN Security Timeline




802.11i Evolution

Wired Equivalent WiFi Protected Robust SecurityPrivacy (WEP) Access Networks

Security Feature (WPA) (RSN)Encryption Algorithm RC4 RC4 AESKey Management None EAP-based EAP-basedCryptographic Keysize 40-bit or 104-bit 128-bit (64-bit for 128-bit

authentication)Data/Header Integrity CRC-32 / None Michael Algorithm CCMCryptographic Key life 24-bit, wrap 48-bit 48-bitReplay protection None Uses IV Uses IV




WEP Overview




What’s so bad about WEP?

Not designed or reviewed by crypographers

Poor choice of cipher

No replay protection

Integrity checking is not cryptographically secure

Shared one-key-per-network auth

No forward secrecy

No key distribution

Terrible exposure to known-plaintext attacks

Not “equivilent to wired privacy” at all!




Attacks against authentication: WEP

Original observations by Tim Newsham regarding weakness inpassphrase to key generation for 40bit WEP

Requires 24GB of packet dumps to crackFailure due to poor choice of key-generation algorithm

FMS (Fluhrer, Mantin, Shamir) attack on the KSA (KeyScheduling Algorithm) for the RC4 stream cipher.

Statistical attack based on some packets leaking informationabout the keyRequires about 6m packetsLater refinement to 100-500k packets.Failure due to poor choice of KSA, poor understanding of thecryptography




Accelerated FMS

FMS WEP attack depends on having lots of packets withweak IVs

Why wait for them? Cause them to be created.

We can capture an encrypted packet, and replay it becauseWEP has no replay prevention.

This is one of the critical design flaws in WEPFailure to learn lessons from other network crypto work

Capture a packet that elicits a response, e.g. an ARP request,We can spot based on length and other metadata

Replay packet repeatedly, collecting responses...

...at 54mbps and beyond!

Totally feasible to crack a 128bit WEP network while youhave coffee




Other Useless “defenses”

Closed/Hidden SSIDs

Only hidden in beacons, not in probe responses, triviallydetected

MAC Filtering

Every single packet has a valid source MAC in itTrivially bypassed: ip link set wlan0 address 00:de:ad:be:ef:00Multiple stations with the same MAC works just fine

Manual WEP Key rotation

“Change keys once a week!”

Any or all of the above– Still broken!




Attacks against the client: Rogue AP

An attacker pretends to be an AP the Station wants to talk to

the “Man in the Middle”

Station hands over it’s auth credentials to the Rogue, whoreuses them to auth to the real AP

Can be done at L2, to 802.1X auth

Or at public hot spots to fool user fake “captive portal” logins.

Insidious, defeats all auth methods, human or crypto, thatdon’t have strong mutual authentication (PKI!)




802.11i Overview




References

802.11 Security Articleshttp://www.wardrive.net/security/links

802.11 Security Newshttp://www.wifinetnews.com/archives/cat security.html

State-of-the-Art WEP crackinghttp://securityfocus.com/infocus/1814http://securityfocus.com/infocus/1824http://securityfocus.com/infocus/1877

Hacking Techniques in Wireless Networkshttp://www.cs.wright.edu/ pmateti/InternetSecurity/Lectures/WirelessHacks/

Wireless LAN security guidehttp://www.lanarchitect.net/Articles/Wireless/SecurityRating/

Wikipediahttp://en.wikipedia.org/wiki/Wi-Fi Protected Access



wireless network (in)securitysiva/talks/wsec.pdf · wireless networks cryptographic protocols...

Documents