Wireless Security How does the wireless dimension change the security problem?
SYN
• SYN
• Wireless Dimension
• Weak assumptions & security
• How is wireless different?
• 802.11 Security
• Further Readings
• FIN
Wireless Security
Wireless Dimension
Access to Medium: Unlike the wired medium (cables), the wireless medium (air) is ubiquitous, hence access restrictions to the medium must be handled explicitly, whereas in wired environments they are implicit.
War Dialing: Attacker gains access to the wired medium by exhaustive dialing of phone numbers.
War Driving: Attacker gains access to the wireless medium by just driving by the network coverage area.
Expansion of Wireless Dimension
• Expansion of Wireless Dimension…
  • Wired networks – e.g. LAN, WAN, Internet
  • Wireless networks – e.g. 802.11 networks
  • Wireless environments or “Evernet”
• “Evernet” is the future wireless network with billions of “always on” electronic devices – from cell phones to refrigerators – communicating with each other. (Bluetooth)
• Security has to be built into the design, not built on top of it!
• Question: How does the wireless dimension change the security problem?
Assumptions & Security
• Security mechanisms make implicit and/or explicit assumptions
• Wired networks implicitly assume a certain level of authentication by having access to the medium (wire)
  • For instance, only students who have physical access to Poly’s lab can connect to the lab’s network
  • This is not true in a wireless environment!
• Wrong assumptions lead to weak security
How is wireless different?
• The Medium
  • Wireless medium has no explicit packet boundary
  • This property weakens privacy and authentication mechanisms adopted from the wired environment
• Portability
  • Wireless devices are smaller in size and portable
  • Data in those devices requires more protection than data on non-portable devices
  • Mechanisms to recover stolen or lost devices are important
  • Mechanisms for self-destruction of data are also important
How is wireless different?
• Mobility
  • Mobility brings even bigger challenges
  • Trust in infrastructure
    • Wired networks assume a certain level of trust in local infrastructure (we trust our routers)
    • In wireless networks this is a weak assumption
    • Would you put the same level of trust in an Access Point at JFK as you put in your home AP?
    • Security mechanisms should anticipate these variances in trust
    • Or, security mechanisms should be independent of location or infrastructure
  • Trust in location
    • Wired networks implicitly assume a network address is equivalent to physical location (128.238.x.x is Poly’s resources)
    • In wireless networks physical location is not tied to network address. Physical location may change transparently to end nodes.
How is wireless different?
• Mobility
  • Privacy of location
    • On a wired network, privacy of location is not a concern
    • In wireless networks, location privacy of the user is a serious issue because users can be tracked, their travel behaviors can be used for marketing purposes, etc.
    • A similar scenario exists on the Web: a user’s web surfing pattern can be tracked, and this raised several privacy issues in 1999 (DoubleClick’s cookie tracking)
How is wireless different?
• Processing power, memory & energy requirements
  • Handheld devices have stringent processing power, memory, and energy requirements
  • Current security solutions require expensive processing power & memory
  • Handheld devices mandate inexpensive substitutes for
    • Crypto algorithms (AES instead of 3-DES)
    • Authentication schemes
    • Better one-time password schemes with feasible remote key updates
Power consumption & crypto algorithms
[Figure not preserved; credited to Piyush Mishra et al.]
How is wireless different?
• Network Topologies
  • Wired networks usually rely on network topology to deploy security solutions
    • E.g.: a firewall is installed on a machine where all traffic is visible
  • Wireless networks (esp. ad-hoc) have dynamic topologies
  • Wireless networks may not have a single point of convergence (hidden host problem!)
  • Wireless networks put emphasis on host-based solutions, e.g. distributed firewalls
802.11 & Security
• A MAC, PHY layer specification
• Should serve mobile and portable devices
  • What is mobile?
  • What is portable?
• Should provide transparency of mobility
• Should appear as 802 LAN to LLC (“messy MAC”)
• Basic Service Set (BSS)
• Distribution System (DS)
• Station (STA)
• STA that is providing access to Distribution System Service (DSS) is an Access Point (AP)
• 802.11 supports Ad-hoc networking
• Provide link level security
[Figure: Components of 802.11. Labels: BSS (1), STA 1 (AP), DS, STA 2 (AP), BSS (2)]
Jargon
• Association
  • STAs need to associate themselves with an AP
• Reassociation
  • Done when STAs move between APs in an ESS
• Preauthentication
  • Done during Reassociation
  • Like the WTLS Abbreviated Handshake
• Deauthentication
  • Deauthenticate a STA before Disassociation
  • It’s a notice as opposed to a request
• Disassociation
  • Disassociate a STA from an AP
  • It’s a notice as opposed to a request
• Can Deauthentication, Disassociation notices be spoofed? (Possibility of DoS)
Wired Equivalent Privacy (WEP)
• Wired equivalent privacy?
  • Wireless medium has no packet boundaries
    • WEP controls access to the LAN via authentication
  • Wireless is an open medium
    • Provides link-level security equivalent to a closed medium
  • No end-to-end privacy
• Security Goals of WEP
  • Access Control
    • Provide access control to the underlying medium through authentication
  • Confidentiality
    • Provide confidentiality to data on the underlying medium through encryption
  • Data Integrity
    • Provide means to determine integrity of data between links
Wired Equivalent Privacy (WEP)
• An attack on WEP should compromise at least one of these properties
• Three levels of security
  • Open system – WEP is disabled in this mode. No security.
  • Shared Key Authentication – provides access control to the medium
  • Encryption – provides confidentiality to data on the network
• You can have confidentiality on an open system!
  • That is, you can encrypt all the traffic and not have access control to the medium!
  • Which also means a wily hacker can have all his traffic encrypted on our network so that no one can “see” what s/he is doing!
Properties of WEP
• It is reasonably strong
  • Withstands brute force attacks and cryptanalysis
• It is self-synchronizing
  • Uses a self-synchronizing stream cipher
• It is efficient
  • Hardware/software implementation
• It may be exportable
  • Rest of the world needs security too!
• It is optional
  • WEP layer should be independent of other layers
WEP Frame
• Key id is used to choose between four secret keys
• ICV is the integrity checksum (CRC-32)
• Pad is zero. Unused.
[Figure: WEP frame layout. Fields: IV (4) | PDU (>=1) | ICV (4); the IV field expands to IV (3) | pad (6) | Key id (2)]
WEP crypto function
• WEP uses RC4 PRNG
• CRC-32 for integrity algorithm
• IV is renewed for each packet (usu. iv++)
• actual key size = (vendor advertised size – 24)
[Figure: WEP encipherment block diagram. Labels: init. vector (IV, 24), secret key (40), seed (64), WEP PRNG, key sequence, plaintext, integrity algorithm, ICV, cipher text, message]
Attacks on WEP
• Stream ciphers and keystream reuse
  • Stream ciphers expand a secret key to a stream of pseudo-random numbers
  • Message is XORed (denoted by ‘+’ hereafter) with the random number stream to produce the cipher text
  • If two messages used the same secret key, the stream cipher is easily broken, so WEP uses an IV to extend the life of the secret key
  • But, reusing an IV is the same as reusing the secret key!
  • Given two cipher texts with the same IV, we can remove the effects of XORing with the RC4 stream! (for the same secret key)
    C1 = P1 + RC4(IV, key)
    C2 = P2 + RC4(IV, key)
    but… (C1 + C2) = (P1 + P2), and (P1 + P2) can be easily cryptanalyzed
Attacks on WEP
• Two assumptions for this attack
  • Availability of ciphertexts with the same IV
    • IV length is fixed at 24 bits (2^24 = 16,777,216)
    • Implementations make the reuse factor worse!
      • Every time a card is initialized, the IV is set to zero!
      • IV is usually reused after only 5,000 packets!
    • So, obtaining cipher text with the same IV is practical
  • Partial knowledge of plaintexts
    • Can use legitimate traffic to obtain known plaintexts, e.g. Login:, password: prompts in a telnet session
    • Bouncing Spam off a mail server through the wireless network
Dictionary Attack
• Assuming the secret key is rarely changed, this attack compromises WEP’s confidentiality goal…
• A dictionary of IVs (~2^24 entries) can be built
  • For each IV find the associated key stream
    C1 = P1 + RC4(IV, key), C2 = P2 + RC4(IV, key)
    If we know either P1 or P2 we can find RC4(IV, key)
  • Tabulate these two fields searchable by IV
• For each packet, scan the table to find the IV first and then XOR the message with the corresponding keystream in the dictionary to decrypt the message.
    Cn = Pn + RC4(IV, key)
    We know RC4(IV, key) from the dictionary and we know Cn, so we can find Pn!
• Size of the dictionary depends on the size of the IV, which is fixed by the standard at 24 bits!
• Increasing key size has no effect on this attack!
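The keystream cancellation and the IV-indexed table from the slides above on keystream reuse and the dictionary attack, as an added Python example that is not part of the original slides. It shows that a repeated IV exposes plaintext whatever the key length; the frame is simplified (no key-id byte), and the keys, IVs and traffic are constructed for illustration.

```python
import zlib

def rc4(seed: bytes, n: int) -> bytes:
    """n bytes of RC4 keystream for seed (key schedule, then output loop)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def body(msg: bytes) -> bytes:
    return msg + zlib.crc32(msg).to_bytes(4, "little")  # message || ICV

def wep_encrypt(iv: bytes, key: bytes, msg: bytes) -> bytes:
    """Simplified frame: IV || (msg || ICV) XOR RC4(IV || key); no key-id byte."""
    return iv + xor(body(msg), rc4(iv + key, len(msg) + 4))

def learn_keystream(table: dict, frame: bytes, known_plain: bytes) -> None:
    """Store the keystream for this frame's IV, given its known plaintext."""
    table[frame[:3]] = xor(frame[3:], body(known_plain))

def decrypt_with_table(table: dict, frame: bytes):
    """Decrypt using only the IV-indexed table; None if IV unseen or ICV fails."""
    ks = table.get(frame[:3])
    if ks is None:
        return None
    plain = xor(frame[3:], ks)
    return plain[:-4] if plain == body(plain[:-4]) else None

def demo(key: bytes):
    iv = bytes([0, 0, 1])                    # constructed IV, reused below
    p1, p2 = b"login: guest    ", b"password: hunter"  # constructed traffic
    f1, f2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    cancels = xor(f1[3:], f2[3:])[:len(p1)] == xor(p1, p2)  # C1+C2 == P1+P2
    table = {}
    learn_keystream(table, f1, p1)
    fresh = wep_encrypt(bytes([0, 0, 2]), key, p2)  # IV not in the table
    return cancels, decrypt_with_table(table, f2), decrypt_with_table(table, fresh)
```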
Attack on Access Control
• It is possible to get authenticated without knowing the secret key! (shown in red)
• We only need a plaintext, ciphertext pair of a legitimate authentication. (shown in black)
[Figure: shared-key authentication exchange, shown twice: client and server (normal session), and hacker and server (hacker using data obtained from previous session). Labels: Request.Authentication; Request received; 128 nonce; nonce+RC4(IV, key), IV; Decrypt the packet and verify nonce]
Further Readings
• 802.11 specification
• Overview of IEEE 802.11b Security, Sultan Weatherspoon
• Intercepting Mobile Communications: The Insecurity of 802.11, Nikita Borisov, Ian Goldberg et al.
• Coping with Risk: Moving to Wireless
• Using the Fluhrer, Mantin, and Shamir Attack to Break WEP, Adam Stubblefield, John Ioannidis, et al.
• http://www.practicallynetworked.com/tools/wireless_articles_security.htm
• http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html
FIN
Comments, Concerns, Questions?