Download
coen 350 n.
Skip this Video
Loading SlideShow in 5 Seconds..
COEN 350 PowerPoint Presentation

COEN 350

149 Vues Download Presentation
Télécharger la présentation

COEN 350

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. COEN 350 Mobile Security

  2. Wireless Security • Wireless offers additional challenges: • Physical media can easily be sniffed. • War Driving • Legal? • U.S. federal computer crime statute, Title 18 U.S.C. 1030, • Crime to knowingly access a computer used in interstate or foreign communication "without authorization" and obtain any information from the computer. • Crime to access a computer without authorization with "intent to defraud" to obtain "anything of value." • But not if "the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $ 5,000 in any 1-year period."

  3. Wireless Security • Wireless offers additional challenges: • Physical media can easily be sniffed. • Mobile computing needs to preserve battery power. • Calculations cost more on a mobile platform. • Especially important for sensor networks

  4. Wireless Security:Attackers Perspective • Knowing the Threat • Targets of opportunity • Goal is • Internet access. • Easy pickings. • Targeted attacks • Targets assets valuable enough. • Internal attackers • Most Dangerous • Can open an unintentional security hole

  5. IEEE 802.11 • Wired Equivalent Privacy (WEP) Protocol • Based on a shared secret k. • Distributed out of band. • Uses CRC for internal integrity protection. • Uses RC4 to encrypt network traffic.

  6. WEP Protocol

  7. WEP Protocol • Confidentiality • Original packet is first check-summed. • Checksum and data form the payload. • Transmitting device creates a 24-bit random initialization vector IV. • IV and shared key are used to encrypt with RC4

  8. WEP Protocol • RC4 • Generates a pseudo-random stream of bytes (keystream) • Based on a secret internal state • Permutation S of all 256 possible bytes • Two index pointers • Plaintext is XORed with keystream

  9. WEP Protocol • RC4 • Key Scheduling Algorithm (KSA) • Initializes S based on a key for i from 0 to 255 S[i] := i j := 0 for i from 0 to 255 j := (j + S[i] + key[i mod keylength]) mod 256 swap(S[i],S[j])

  10. WEP Protocol • RC4 • Pseudo-Random Generation Algorithm (PRGA) • Generates pseudo-random byte stream i := 0 j := 0 while GeneratingOutput: i := (i + 1) mod 256 j := (j + S[i]) mod 256 swap(S[i],S[j]) output S[(S[i] + S[j]) mod 256]

  11. WEP Protocol • RC4 • Known weaknesses • Keystream slightly biased • Fluhrer & McGrew attack can distinguish keystream from random stream given a GB of input. • Fluhrer, Mantin, Shamir: statistics for output of the first few bytes of output keystream are non-random, leaking information about key.

  12. WEP Protocol • Authentication • Station associating with access point needs to authenticate itself. • Both exchange the type of authentication that is accepted. • Open: Just identification between station and AP • Shared Secret: Participants send nonces to each other, encrypt the nonce using WEP (and the shared secret key), and verify the other’s response.

  13. WEP has no key management • Everyone allowed to have access to a wireless network has the same key. • Anyone with the key can read ALL traffic.

  14. WEP: RC4 • RC4 uses the key and the IV to produce a stream of pseudo-random bytes. • Calculates cipher text from plaintext by XORing the pseudo-random stream with the plain-text.

  15. WEP: RC4

  16. WEP: Attacks on RC4 • Dictionary Attack • Build database: • 224 different IVs • Build a database of 224 streams of MTU bytes (2,312 B) for each different IV. • Takes < 40 GB storage. • XOR two entries with the same IV. • Result are the two plaintexts XORed. • Natural language text has enough redundancy to decrypt the XOR of two text streams.

  17. WEP: Attacks on RC4 • Dictionary Attack • Many packages can be completely or partially guessed. • XORing guessed plaintext and captured cipher gives pseudo-random byte stream for a given IV. • Some implementations reset IVs poorly. • This simplifies dictionary attacks.

  18. WEP: Attacks on RC4 • Injection Attack • Attacker creates packets on the wireless connection. • Attacker XORs plaintext and cipher. • Builds Pseudo-Random Stream database indexed by IV.

  19. RC4 Fluhrer, Mantin, Shamir Attack • First few bits of several thousand messages reveals key. • Based on an analysis of the RC4 code. • Originally kept secret, but later leaked on the internet.

  20. RC4 Fluhrer, Mantin, Shamir Attack • Key Scheduling Algorithm • Sets up RC4 state array S • S is a permutation of 0, 1, … 255 • Output generator uses S to create a pseudo-random sequence. • First byte of output is given by S[S[1]+S[S[1]]]. • First byte depends on • {S[1], S[S[1], S[S[1]+S[S[1]]}

  21. RC4 Fluhrer, Mantin, Shamir Attack • Key Scheduling Algorithm • First byte of plain text package is part of the SNAP header • 0xAA for IP and ARP packages • 0xFF or 0xE0 for IPX • Guessing the first byte is trivial • Some IVs are vulnerable: “resolved” • (KeyByte+3, 0xFF, *) • Plus some more • Easy to test whether an IV is vulnerable. • Search for vulnerable IVs. • They leak key bytes probabilistically. • Large number of packets does it.

  22. RC4 Fluhrer, Mantin, Shamir Attack • Optimization needs about 5,000,000 to 1,000,000 packages. • Counter-measures: • Change key frequently. • Change IV counters to avoid bad IVs.

  23. WEP Message Modification • WEP uses CRC code to ascertain integrity of messages. • CRC code is linear: • CRC(x  y) = CRC(x)  CRC(y). • Attacker knows plaintext M and desired modification  for target plaintext M’ = M  . • Attacker want to substitute X = P(M,CRC(M)) for P(M’,CRC(M’)). • Attacker sends X(,CRC()) = P(M,CRC(M)) (,CRC()) = P(M’,CRC(M’))

  24. Wireless Insecurity Problems • WiFi card software allows users to change the MAC address.

  25. Wireless Security • Casual user, low yield traffic • WEP is good enough. • Enterprise, Commercial • Combine WEP with higher order security • SSH • VPN • IPSec

  26. WPA • Created by WiFi Alliance • Certification started April 2003 • Uses 802.1X authentication server • Distributed different keys to each user. • Can also be used in “pre-shared key” (PSK) mode • Every user uses the same passphrase. • Called WPA Personal

  27. IEEE 802.1X • Standard for port-based authentication. • Uses a third-party authentication server such as Radius http://www.linux.com/howtos/8021X-HOWTO/index.shtml

  28. WPA • Protocol changes over WEP • CRC is replaced by “Michael” MIC. • MIC now includes a frame counter, preventing replay attacks. • Payload bit flipping is now impossible. • Data encryption still uses RC4, but now • Prevents key recovery attacks on WEP by using • 128b Key • 48b Initialization vector • Temporal Key Integrity Protocol (TKIP) changes key dynamically.

  29. TKIP • Temporal Key Integrity Protocol • Ensures that every data packet has its own encryption key.

  30. 802.11i • Uses AES instead of RC4. • Subset published as WPA2 • Uses 802.1X authentication

  31. Protocol Layers • WEP • Privacy only. • Very elementary security. • WPA • Temporal Key Exchange Protocol • Fixes WEP that scrambles keys between packages and adds a secure message check. • AES: Advanced Encryption Standard • 802.11i • Military grade encryption, replaces DES • 802.1X • General purpose and extensible framework for authentication users and generating / distributing keys. • Simple Secure Network (SSN) • Recipe for authentication based on 802.1X