xiuzhen cheng cheng@gwu
DESCRIPTION
Xiuzhen Cheng [email protected]. Csci 388 Wireless and Mobile Security – Wireless LAN: Introduction, WEP. Outline. Challenges in Wireless Communications Introduction to IEEE 802.11 Wireless LAN Break (5 minutes) Intercepting Mobile Communications: The Insecurity of 802.11 - PowerPoint PPT PresentationTRANSCRIPT
Xiuzhen ChengXiuzhen Cheng [email protected]
CsciCsci388388 Wireless and Mobile SecurityWireless and Mobile Security – – Wireless LAN: Introduction, WEPWireless LAN: Introduction, WEP
Outline
Challenges in Wireless Communications
Introduction to IEEE 802.11 Wireless LAN
Break (5 minutes)
Intercepting Mobile Communications: The Insecurity of 802.11
Wireless Security’s Future
Uniqueness of Wireless Communication
Uniqueness of Wireless CommunicationInterference and Noise; Full connectivity can not be assumed; Battery usage; Security
Requirements of a wireless MAC standard:Single MAC to support multiple PHY mediums
Robust to interference
Need to deal with the hidden/exposed terminal problem
Need provision for time bounded services
Support for power management to save battery power
Ability to operate world wide: ISM band
Problems of wireless networks
Hidden TerminalDecrease throughput
Increase delay
Exposed TerminalDecrease channel utilization
Limited energyNetwork partition
Mobility
Security
A B
At B: Transmission from C collides with transmission from A
C
A CB
C unnecessarily defers its transmission to D
D
802.11 System Architecture
Two basic system architectures
Ad hocInfrastructure based
Access PointStations select an AP and “associate” with it Support roaming Provide other functions
time synchronization (beaconing); power management, PCF;
802.11 Protocol Stack
802.11 MAC Layer
Three basic access mechanismsCSMA/CA; DCF(CSMA/CA+RTS/CTS); PCFDIFS: lowest priority, asynchronous dataPIFS: media priority, time-bounded serviceSIFS: highest priority, short control message
Carrier sense at two levelsPhysical carrier sense: done by physical layerVirtual carrier sense at MAC layer using Network Allocation Vector (NAV) set while RTS/CTS/Data/Ack are overheard: solves problem of Hidden and Exposed terminalReduces collision by deferring transmission if any of the carrier sense mechanisms sense the channel busy
DCF Basic Access
Basic AccessWhen a STA has data to send, it senses mediumThe STA may transmit a MAC Protocol Data Unit (MPDA) when medium idle time is greater or equal to DIFSIf medium is busy, wait for a random backoff time
DCF
Backoff ProcedureBackoff procedure is invoked for a STA to transfer a frame but the medium is busySet Backoff Timer to be random backoff timeBackoff Timer start decreasing after an idle time of DIFS following the medium busyness Backoff Timer is suspended when medium is busy, and won’t resume until the medium is idle for DIFSA frame may be transmitted immediately when Backoff Timer is 0
DCF
Recovery proceduresCollision may happen during contention
When collision happens, retransmission with a new random selection of the backoff time, contention window is doubled.
No special rights for retransmission
DCF
Random backoff time=random()xaSlotTime
aSlotTime: the value of the correspondingly named PHY characteristic (20s for DSSS)Random(): a random integer uniformly distributed over [0, CW]
CW (contention window) Increases exponentially after each retry fails (so does average backoff time. Why to do this?)Keep constant after reaching the maximumReset after a successful transmission
DCF RTS/CTS SchemeRTS/CTS Scheme
Four way handshake: RTS-CTS-DATA-ACK
NAV (Network Allocation Vector)An indicator, maintained at each STA, for the period that transmission will not be initiated
Setting and resetting NAV according to “Duration” in MAC header when receiving a valid frame
DCF – Fragmentation
Control of the channel Once the STA has contented for the channel, it shall continue to send fragments until
All fragments of a MSDU or MMPDU have been sent
An ACK is not received
STA is restricted from sending additional fragments by PHY layer
Duration fieldRTS/CTS: time till the end of ACK0
Fragments/ACK: time till the end of the ACK for the next fragment
Last fragment/ACK: length of ACK/0
PCF
Only available for infrastructured architecture, why?PCF is on top of DCFSuper frame contains a contention-free period and a contention periodProcedure (assume the media is just free):
Point coordinator (PC) polls s1 after PIFS; s1 replied with dataPC continues to poll other stations After no reply from a station, PC waits for PIFS time, then continues to poll other stationsAfter finishing, send CFE message. Then contention period starts.
Question: how time-bounded service is provided?
Other Considerations
SyschronizationBeacon signal
Power-ControlSleep and awake states
Wakeup periodically every TIM interval
RoamingAssociation request and response
Break
The WEP Protocol
Security goals of the WEP (Wired Equivalent Privacy) protocol:
Confidentiality: Prevent an adversary from learning the contents of your wireless traffic.Access Control: Prevent an adversary from using your wireless infrastructure.Data Integrity: Prevent an adversary from modifying your data in transit.
WEP Protocol was designed to protect the confidentiality of user data from eavesdroppingPart of 802.11It has been integrated by manufacturers into their 802.11 hardware.Widespread in use.
The WEP Protocol (cont.)
Sender and receiver share a secret key k.
Two classes of WEP implementation:
classic WEP as documented in standard (40-bit key)extended version developed by some vendors (128-bit key)
The WEP Protocol (cont.)
In order to transmit a message M:P = <M, c(M)>pick Initial Vector(IV) v and generate RC4(v,k)—is a
keystream
C = P RC4(v,k)
A -> B: v, (P RC4(v,k))
Upon receipt:generate RC4(v,k)P’ = C RC4(v,k)
= P RC4(v,k) RC4(v,k)= P
check if c=c(M) If so, accept the message M as being the one transmitted
WEP, Pictorially
An Example
P
C
P
sender
receiver
Attack Practicality
Access to the transmitted data.Need equipment capable of monitoring 2.4 GHz frequencies.Need to understand the physical layer of 802.11 protocol.For active attacks, need equipment capable to transmit at the same frequencies.High cost, but not impractical:
“corporate espionage can be a highly profitable business.”
Passive attacks possible with off-the-shelf equipment by modifying driver settings (Lucent PCMCIA Orinoco wireless card).
The “Two-Time Pad” Problem
You must never encrypt two messages with the same keystream K.Suppose P1 and P2 are both encrypted with the same K. Then C1 = P1 K, and C2 = P2 K.But then C1 C2 = P1 K P2 K = P1 P2So the adversary learns the XOR of two plaintexts!Does he know (or can guess) parts of one plaintext?Usually, just knowing the XOR of two plaintexts is enough to recover them.
What Does WEP Do?
The keystream for WEP is RC4(v,k).k is a fixed shared secret, that changes rarely, if ever (in many setups, every user shares the same k).
· If two packets ever get transmitted with the same value of v, you reuse the keystream.Since v gets transmitted in clear for each packet, the adversary can even easily tell when a value of v is reused (a "collision").How many possible values of v are there?
v only occupies 24 bits of the header = at most there are 2^24 (about 16 million of v).After 16 million packets, you have to repeat one!Birthday paradox for random 24-bit vMany 802.11 cards reset their IV counter to 0 every time they were activated, and incremented by 1 for each packet transmitted.
What Does WEP Do? (cont.)
This means that low IV values get reused at the beginning of every wireless session.
Usually use the same secret k, and often many different people use the same k.
So you can find collisions between packets sent by different people!
This makes collisions much more common.
Decryption Dictionaries
Adversary knows both the C and the P for some packets encrypted with a given IV v.Easy if he knows the P (pings, or spam email!).He can also do it passively by watching for collisions.RC4(k,v) = P CNote: no need to know the value of the shared secret k.
Store keystream in a table, indexed by v.Next time a packet with an IV stored in the table passes by, look up the keystream, XOR it against the packet, and read the data!Table is at most 1500 * 2^24 bytes = 24 GBIf the cards that are being used have the IV-reset-to-0 property, then most IV's will be small, and the dictionary will be even smaller!
Message Authentication in WEP
An 802.11 receiver will accept a packet if, after decryption, it contains a correct checksum of the plaintext.
The checksum algorithm used is CRC-32.
CRC's are used to detect random errors; they are useless against malicious errors.
There is already a CRC at a lower layer of the protocol to detect random bit errors in transmission.
CRC-32 Has the following properties:It is independent of the shared secret and the IV.It is linear: c(M D) = c(M) c(D)We can make a controlled modification and get unnoticed.
Message Modification
Assume a message M was transmitted, and the ciphertext was C and the IV was v (i.e. C and v are known to the adversary).
C = RC4(v,k) <M,c(M)>A -> B: <v,C>Possible to find C’ such that it decrypts to M’ and M’ = M D D = arbitrarily chosen by the attackerAdversary -> B: <v,C’>C’= C <D,c(D)> = RC4(v,k) <M,c(M)> <D,c(D)> = RC4(v,k) <M D, c(M) c(D)> = RC4(v,k) <M’, c(M D)> = RC4(v,k) <M’, c(M’)>Receiver checks that c’ = c(M’) Accept message M’ as the one transmitted.
Message Injection
The adversary just needs to know a single plaintext, and its corresponding encrypted packet.
A -> B: <v,C>P C = P RC4(v,k) P = RC4(v,k)Construct M’ and P’ = <M’,c(M’)>C’ = RC4(v,k) P’“A” -> B: <v,C’>
Authentication Protocol
Goal: the base station verifies that a client joining the network really knows the shared secret key k. The base station sends a challenge string to the clientB->A: MThe client sends encrypted challenge:A -> B: v, <M,c(M)> RC4(v,k) The base station checks if the challenge is correctly encrypted, and if so, accepts the client. Adversary sees a challenge/response pair for a given key k; he can extract v and RC4(v,k).Adversary can execute authentication protocol himself!
Authentication Protocol (cont.)
Adversary connects to the network himself:The base station sends a challenge string M' to the adversary.The adversary replies with
v, <M',c(M')> RC4(v,k)This is the correct response, so the base station accepts the adversary.Success even though he never did learn the value of k.
Message Decryption
Useful symmetry property: the operation of encryption is the same as the operation of decryption with the same key. An adversary can decrypt packets with the help of the base station! Ways to do it:
Double-encryptionIP RedirectionReaction attacks
Double Encryption
Join the network.Use a second Internet connection to send the packet to his computer over the wireless network.The base station will encrypt this packet a second time:
C’ = (P RC4(v,k)) RC4(v,k) = PTiming important to get the same IV, but not so difficult because the base station uses sequential IV’s.
IP Redirection
Join the network (authentication spoofing)Take the packet to be decrypted, modify the IP address as being his.Transmit the modified packet to the base station for decryption.Base station will send the plaintext on its merry way, straight to the adversary's machine.
IP Redirection (cont.)
The only headache: find the original destination IP address.Not difficult: all the incoming traffic has a destination IP address on the wireless subnet, easy to determine.Fix the IP checksum.
IP Redirection (cont.)
Suppose original IP address = DH, DLModified IP address = DH’, DL’newCRC = oldCRC + DH’+ DL’- DH - DLTrick: we only know to do XOR!Ways to go around this:
IP CRC is known: do arithmeticIP CRC not known: get luckyarrange that newCRC = oldCRC: change other fields.
Reaction Attacks
“Drawback”: the packet to be decrypted needs to be a TCP packet.Useful property: a TCP packet with TCP checksum invalid is silently dropped. Otherwise, get back an ACK packet (easy to identify by its size).Monitor the reaction of a recipient of a TCP packet and use that to infer info about the unknown plaintext.Intercept <v,C>Flip a few bits in C, recompute checksum, wait (patiently) to see if an ACK is sent back.
Reaction Attacks (cont.)
A clever choice of what bits to flip ensures TCP checksum remains undisturbed exactly when
Pi Pi+16 = 1 holds.Each time we check the reaction of the recipient to a modified packet, we learn one more bit of the plaintext.
TCP CRC = 1’s complement addition of the 16-bit words of message M.1’s complement addition ~ modulo 2^16 -1C’ = C D, D = bit positions to flip.We choose D: pick i arbitrarily, set positions i and i+16 of D to 1 and the rest to 0.Convenient property: P D = P mod 2^16-1 holds when Pi Pi+16 = 1
Countermeasures
Just don't assume it's secure.Treat your wireless network as a public network.Put the wireless network outside your firewall.Use another authentication protocol for packets coming from the wireless network to internal intranet (e.g. VPN, IPSec, ssh).
Long IV's which never repeat for the lifetime of the shared secret (and are never duplicated across machines sharing the same secret).Replace the shared key more often. Use a strong Message Authentication Code (instead of the CRC) which depends on the key and IV.
Conclusions
Attacks on the Wired Equivalent Privacy protocol which defeat each of the security goals of:
Confidentiality: We can read WEP-protected traffic.Access Control: We can inject traffic on WEP-protected networks.Data Integrity: We can modify WEP-protected traffic in transit.
Wireless Security’s Future
IEEE 802.11iPhased deployment process due to the large number of 802.11 users
Three major parts of 802.11i:Temporal Key Integrity protocol (TKIP), enhancing and replacing WEP
Counter mode CBC-MAC for link-layer data confidentiality and integrity
802.1x for access control
Temporal Key Integrity Protocol
Immediate replacement of WEPUses 48-vit vectorsUses 128-bit encryption keyUses per-packet keying
A shared base key, a client’s MAC address, and a packet’s sequence number create a unique key for each packetAvoid data-harvesting problem
Periodically rotates the broadcast keyAvoid data-harvesting problem
Uses a message integrity code (MIC)A cryptographically protected one-way hashImmediate packet tampering detection
TKIP is a part of WPA by the WiFi Alliance
Counter Mode with CBC-MAC
Design goals: confidentiality, integrity and authentication
128-bit AES
48-bit IV
128-bit cipher block chaining with MAC
A required component of any 802.11i implementation
802.1x
A port-based authentication protocol
Before a successful 802.1x authentication, a wireless client is only allowed access to the authentication server. All other traffics are blocked at the AP
After a successful 802.1x authentication, the client is granted access to the network
UMD researchers found that 802.1x suffers from two attacks: session hijacking and man-in-the-middle
Readings and Homeworks
Readings for the lecture in Sep 9. Submit your reading report for the papers on DOMINO and DoS Attack:
C.D.J. Welch and M.S. D. Lathrop, A survey of 802.11a wireless security threats and security mechanisms, 2003. M. Raya, J. P. Hubaux,, and I. Aad DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots, Proceedings of the Second International Conference on Mobile Systems, Applications, and Services, Boston, June 2004 J. Bellardo and S. Savage, 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions, Proceedings of USENIX Security Symposium, August 2003.
2 SepReadings for the lecture in Sep 2: M.J. Hanson and D. McNamee, Efficient Reading of Papers in Science and Technology. N. Borisov, I. Goldberg, and D. Wagner, Intercepting Mobile Communications: The Insecurity of 802.11, MobiCom 2001, pp. 180-188. B. Potter, Wireless Security's Future, IEEE Security and Privacy Magazine 01(4), pp. 68-72, July-Aug. 2003.
Questions?