Wireless Networks Cryptographic Protocols Wireless Security
Wireless Network (In)Security
G. Sivakumar
CSE Department, IIT Bombay
1 Wireless Networks
2 Cryptographic Protocols
  Some Puzzles
3 Wireless Security
G. Sivakumar CSE Department IIT Bombay [email protected]
Internet’s Growth and Charter
Information AnyTime, AnyWhere, AnyForm, AnyDevice, ...
WebTone like DialTone
Internet’s Dream
Why should a fridge be on Internet?
Will security considerations make this a nightmare?
802.11 Wireless LAN
802.11 Variants
  802.11b (2.4 GHz band, up to 11 Mbits/sec, up to 300 ft)
  802.11a (5 GHz band, up to 54 Mbits/sec, up to 80 ft)
  802.11g (2.4 GHz band, 20+ Mbits/sec, up to 300 ft)
802.11 Architectures
  Centralized Wireless LAN: BSS (Basic Service Set)
    AP (Access Point)
    Stations
  Ad hoc LAN: IBSS (Independent Basic Service Set)
Additional Working Groups
  802.11i (Security)
  802.11c (QOS: Quality of Service)
  802.11r (Fast Roaming)
  Management Frames Security Study Group
Wireless Threats
Classification by C. He and J. C. Mitchell, Stanford Univ.
1 Passive Eavesdropping
2 Message Injection
3 Message Deletion and Interception
4 Masquerading and Malicious AP
5 Session Hijacking
6 Man-in-the-Middle
7 Denial of Service
How to handle last threat? (Technology alone does not suffice!)
Wardriving
Airsnort
Security Requirements
Informal statements (formal is much harder)
Confidentiality: Protection from disclosure to unauthorized persons.
Integrity: Assurance that information has not been modified without authorization.
Authentication: Assurance of identity of originator of information.
Non-Repudiation: Originator cannot deny sending the message.
Availability: Protection against not being able to use the system or communicate when desired.
Anonymity/Pseudonymity: For applications like voting, instructor evaluation.
Traffic Analysis: An eavesdropper should not even know who is communicating with whom. Why?
Emerging Applications: Online Voting, Auctions
And all this with postcards (IP datagrams over wireless)!
Exchanging Secrets
Goal
A and B to agree on a secret number. But, C can listen to all their conversation.
Solution?
A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.
Mutual Authentication
Goal
A and B to verify that both know the same secret number. No third party (intruder or umpire!)
Solution?
A tells B: I’ll tell you first 2 digits, you tell me the last two...
Zero-Knowledge Proofs
Goal
A to prove to B that she knows how to solve the cube. Without actually revealing the solution!
Solution?
A tells B: Close your eyes, let me solve it...
Security Mechanisms
System Security: “Nothing bad happens to my computers and equipment”
  virus, trojan-horse, logic/time-bombs, ...
Network Security:
  Authentication Mechanisms: “you are who you say you are”
  Access Control (Firewalls, Proxies): “who can do what”
Data Security: “for your eyes only”
  Encryption, Digests, Signatures, ...
Cryptography and Data Security
sine qua non [without this nothing :-]
Historically who used first? (L & M)
Code Language in joint families!
One way Functions
Mathematical Equivalents
Factoring large numbers (product of 2 large primes)
Discrete Logarithms
One-way Functions
Computing $f(x) = y$ is easy.
E.g. $y = 4^x \bmod 13$ (If x is 3, y is ?)

n    | $4^n \bmod 13$ | $10^n \bmod 13$
1    | 4              | 10
2    | 3              | 9
3    | 12             | 12
4    | 9              | 3
5    | 10             | 4
6    | 1              | 1
7    | 4              | 10
...  | ...            | ...
Note: need not work with numbers bigger than 13 at all!
But given y = 11, finding suitable x is not easy!
Can do by brute-force (try all possibilities!)
No method that is much better is known yet!
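Added example (not from the original slides): the table above computed with Python's built-in three-argument pow, next to the brute-force search for x. The function names and the larger prime 1000003 are assumptions chosen for illustration; the code also reports when no exponent exists for a given base.

```python
def power_table(base, modulus, rows):
    """Forward direction: base^n mod modulus for n = 1..rows (fast)."""
    return [pow(base, n, modulus) for n in range(1, rows + 1)]


def reachable(base, modulus):
    """All values base^n mod modulus can take; a poor base covers only a subset."""
    return sorted(set(power_table(base, modulus, modulus - 1)))


def brute_force_log(base, y, modulus):
    """Inverse direction: try x = 1, 2, ... until base^x mod modulus == y.

    Returns (x, multiplications used); x is None if y is never produced.
    """
    value = 1
    for x in range(1, modulus):
        value = (value * base) % modulus   # never exceeds the modulus
        if value == y:
            return x, x
    return None, modulus - 1


if __name__ == "__main__":
    print(power_table(4, 13, 7))        # the 4^n column of the slide
    print(power_table(10, 13, 7))       # the 10^n column
    print(reachable(4, 13))             # 4 only reaches 6 of the 12 residues
    print(brute_force_log(4, 11, 13))   # no exponent exists for base 4
    print(brute_force_log(2, 11, 13))   # base 2 reaches every residue
    p = 1_000_003                       # constructed larger prime (assumption)
    y = pow(2, 777_777, p)              # one fast call to go forward
    print(brute_force_log(2, y, p))     # up to a million steps to go back
```

The forward call stays fast as the modulus grows, while the search loop grows with the modulus itself, which is the asymmetry the slide relies on.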
Network Security Mechanism Layers
Cryptographic Protocols underlie all security mechanisms. Real Challenge to design good ones for key establishment, mutual authentication etc.
Motivation for Session keys
Combine Symmetric (fast) and Asymmetric (very slow) Methods using session (ephemeral) keys for the following additional reasons.
  Limit available cipher text (under a fixed key) for cryptanalytic attack;
  Limit exposure with respect to both time period and quantity of data, in the event of (session) key compromise;
  Avoid long-term storage of a large number of distinct secret keys (in the case where one terminal communicates with a large number of others), by creating keys only when actually required;
  Create independence across communications sessions or applications. No replay attacks.
How to establish session keys over insecure medium where adversary is listening to everything?
Can be done even without any public key! Randomization to rescue (like in CSMA/CD of Ethernet).
Diffie-Hellman Key Establishment Protocol
Man-in-the-middle attack
Authentication was missing!
Can be solved if Kasparov and Anand know each other’s public key(Needham-Schroeder).
Yes, but different attack possible.
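The Diffie-Hellman exchange and the missing-authentication problem named on the slides above, as an added example that is not part of the original talk. The prime P, base G, the Party class, run_exchange and confirm are assumptions made for this sketch, and an HMAC under a long-term shared key stands in for the public-key authentication the slide refers to.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime, far too small for real use (assumed parameter)
G = 3            # assumed public base

class Party:
    def __init__(self):
        self._secret = secrets.randbelow(P - 3) + 2   # fresh random exponent
        self.public = pow(G, self._secret, P)         # sent in the clear

    def session_key(self, received_public):
        shared = pow(received_public, self._secret, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def confirm(auth_key, sent_public, received_public):
    """Tag over both public values as one side saw them. HMAC under a
    long-term shared key stands in for the signatures a PKI would give."""
    msg = sent_public.to_bytes(16, "big") + received_public.to_bytes(16, "big")
    return hmac.new(auth_key, msg, hashlib.sha256).digest()

def run_exchange(intercepted, auth_key=b"constructed long-term key"):
    anand, kasparov = Party(), Party()
    # Whose public value each side receives: the peer's, or a substitute.
    to_anand, to_kasparov = (Party(), Party()) if intercepted else (kasparov, anand)
    result = {
        "anand": anand.session_key(to_anand.public),
        "kasparov": kasparov.session_key(to_kasparov.public),
        "middle": set(),
    }
    if intercepted:   # the intermediary shares one key with each victim
        result["middle"] = {to_anand.session_key(anand.public),
                            to_kasparov.session_key(kasparov.public)}
    # Anand sends a tag over his view; Kasparov recomputes it from his own.
    tag = confirm(auth_key, anand.public, to_anand.public)
    expected = confirm(auth_key, to_kasparov.public, kasparov.public)
    result["authentic"] = hmac.compare_digest(tag, expected)
    return result

if __name__ == "__main__":
    for intercepted in (False, True):
        r = run_exchange(intercepted)
        print(intercepted, r["anand"] == r["kasparov"], r["authentic"])
```

Without the confirmation tag both sides complete the exchange and hold a working key either way; only the check over the exchanged public values tells the two runs apart.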
Needham-Schroeder Protocol
Attack by Lowe (1995)
Why Are Security Protocols Often Wrong?
They are trivial programs built from simple primitives, BUT, they are complicated by
  concurrency
  a hostile environment
    a bad user controls the network
    Concern: active attacks (masquerading, replay, man-in-middle, etc.)
  vague specifications
    we have to guess what is wanted
  Ill-defined concepts
Protocol flaws rather than cryptosystem weaknesses
Formal Methods needed!
WLAN Security Timeline
802.11i Evolution
Security Feature | Wired Equivalent Privacy (WEP) | WiFi Protected Access (WPA) | Robust Security Networks (RSN)
Encryption Algorithm | RC4 | RC4 | AES
Key Management | None | EAP-based | EAP-based
Cryptographic Keysize | 40-bit or 104-bit | 128-bit (64-bit for authentication) | 128-bit
Data/Header Integrity | CRC-32 / None | Michael Algorithm | CCM
Cryptographic Key life | 24-bit, wrap | 48-bit | 48-bit
Replay protection | None | Uses IV | Uses IV
WEP Overview
What’s so bad about WEP?
Not designed or reviewed by cryptographers
Poor choice of cipher
No replay protection
Integrity checking is not cryptographically secure
Shared one-key-per-network auth
No forward secrecy
No key distribution
Terrible exposure to known-plaintext attacks
Not “equivalent to wired privacy” at all!
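Why "Integrity checking is not cryptographically secure" holds for the CRC-32 entry in the 802.11i Evolution table, as an added example that is not part of the original slides: a frame changed in transit still passes a CRC-32 check under a stream cipher, while a keyed MAC rejects it. The HMAC-SHA256 construction is a generic stand-in chosen for this sketch, not the Michael or CCM algorithms named in the table; the keys, IV, payload and function names are constructed.

```python
import hmac
import zlib

IV, KEY, MAC_KEY = b"\x00\x00\x01", b"wepk5", b"separate-mac-key"  # constructed values

def rc4(key, n):
    """First n keystream bytes of RC4, the cipher WEP uses."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for _ in range(n):                            # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def icv(data):
    return zlib.crc32(data).to_bytes(4, "little")

def crc_seal(payload):
    """WEP-style frame: RC4(iv || key) over payload || CRC-32."""
    body = payload + icv(payload)
    return xor(body, rc4(IV + KEY, len(body)))

def crc_open(frame):
    body = xor(frame, rc4(IV + KEY, len(frame)))
    return body[:-4] if icv(body[:-4]) == body[-4:] else None

def altered_in_transit(frame, delta):
    """No key needed: CRC-32 is affine, so the ICV change is crc(delta) ^ crc(zeros)."""
    fix = xor(icv(delta), icv(bytes(len(delta))))
    return xor(frame, delta + fix)

def mac_seal(payload):
    """Contrast: same cipher, HMAC-SHA256 over iv || ciphertext."""
    ct = xor(payload, rc4(IV + KEY, len(payload)))
    return ct + hmac.new(MAC_KEY, IV + ct, "sha256").digest()

def mac_open(frame):
    ct, tag = frame[:-32], frame[-32:]
    good = hmac.new(MAC_KEY, IV + ct, "sha256").digest()
    return xor(ct, rc4(IV + KEY, len(ct))) if hmac.compare_digest(tag, good) else None

if __name__ == "__main__":
    print(crc_open(altered_in_transit(crc_seal(b"seq=0001"), bytes(7) + b"\x08")))
```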
Attacks against authentication: WEP
Original observations by Tim Newsham regarding weakness in passphrase to key generation for 40bit WEP
  Requires 24GB of packet dumps to crack
  Failure due to poor choice of key-generation algorithm
FMS (Fluhrer, Mantin, Shamir) attack on the KSA (Key Scheduling Algorithm) for the RC4 stream cipher.
  Statistical attack based on some packets leaking information about the key
  Requires about 6m packets
  Later refinement to 100-500k packets.
  Failure due to poor choice of KSA, poor understanding of the cryptography
Accelerated FMS
FMS WEP attack depends on having lots of packets with weak IVs
Why wait for them? Cause them to be created.
We can capture an encrypted packet, and replay it because WEP has no replay prevention.
  This is one of the critical design flaws in WEP
  Failure to learn lessons from other network crypto work
Capture a packet that elicits a response, e.g. an ARP request
  We can spot based on length and other metadata
Replay packet repeatedly, collecting responses...
...at 54mbps and beyond!
Totally feasible to crack a 128bit WEP network while you have coffee
Other Useless “defenses”
Closed/Hidden SSIDs
  Only hidden in beacons, not in probe responses, trivially detected
MAC Filtering
  Every single packet has a valid source MAC in it
  Trivially bypassed: ip link set wlan0 address 00:de:ad:be:ef:00
  Multiple stations with the same MAC works just fine
Manual WEP Key rotation
  “Change keys once a week!”
Any or all of the above: Still broken!
Attacks against the client: Rogue AP
An attacker pretends to be an AP the Station wants to talk to
  the “Man in the Middle”
Station hands over its auth credentials to the Rogue, who reuses them to auth to the real AP
  Can be done at L2, to 802.1X auth
  Or at public hot spots, to fool users with fake “captive portal” logins.
Insidious, defeats all auth methods, human or crypto, that don’t have strong mutual authentication (PKI!)
802.11i Overview