CS 378 - Network Security and Privacy - USC UpstateFaculty

Document Sample
CS 378 - Network Security and Privacy - USC UpstateFaculty Powered By Docstoc
					Hacking Wireless Networks
  (Part II – WEP & WPA)

        SCSC 555

                            slide 1
802.11b Overview
Standard for wireless networks
  • Approved by IEEE in 1999
Two modes: infrastructure and ad hoc

  IBSS (ad hoc) mode           BSS (infrastructure) mode
                                                           slide 2
Access Point SSID
Service Set Identifier (SSID) differentiates one
 access point from another
  • By default, access point broadcasts its SSID in
    plaintext “beacon frames” every few seconds
Default SSIDs are easily guessable
  • Linksys defaults to “linksys”, Cisco to “tsunami”, etc.
  • This gives away the fact that access point is active
Access point settings can be changed to prevent
 it from announcing its presence in beacon frames
 and from using an easily guessable SSID
  • But then every user must know SSID in advance
                                                              slide 3
Wired Equivalent Privacy (WEP)
Special-purpose protocol for 802.11b
   • Intended to make wireless as secure as wired network
Goals: confidentiality, integrity, authentication
Assumes that a secret key is shared between
 access point and clients
Uses RC4 stream cipher seeded with 24-bit
 initialization vector and 40-bit key
   • Terrible design choice for wireless environment
   • RC4 is used properly in SSL

                                                        slide 4
 Shared-Key Authentication
Prior to communicating data, access point may require client to authenticate

        Access Point                                   Client
                         beacon                   unauthenticated &
                                         OR         unassociated
                        probe request

                                                    authenticated &

                           association              authenticated &
                           request                    associated
                          response            Passive eavesdropper recovers RC4(IV,K),
                                              can respond to any challenge from then
                                              on without knowing K
                                                                                    slide 5
How WEP Works

                                                                   IV | shared key used as RC4 seed
                                                                   • Must never be repeated (why?)
                                                                   • There is no key update protocol in 802.11b,
                                                                     so security relies on never repeating IV

                                   24 bits       40 bits

                                                                                IV sent in the clear
                                                                                Worse: 802.11b says that changing
CRC-32 checksum is linear in : if attacker flips some bit                      IV with each packet is optional!
in plaintext, there is a known, plaintext-independent set of CRC
bits that, if flipped, will produce the same checksum

                                              no integrity!                                                        slide 6
Why RC4 is a Bad Choice for WEP
Stream ciphers require synchronization of key
 streams on both ends of connection
  • This is not suitable when packet losses are common
WEP solution: a separate seed for each packet
  • Can decrypt a packet even if a previous packet was lost
But number of possible seeds is not large enough!
  • RC4 seed = 24-bit initialization vector + fixed key
  • Assuming 1500-byte packets at 11 Mbps,
    224 possible IVs will be exhausted in about 5 hours
Seed reuse is deadly for stream ciphers
                                                          slide 7
Recovering Keystream
Get access point to encrypt a known plaintext
  • Send spam, access point will encrypt and forward it
  • Get victim to send an email with known content
If attacker knows plaintext, it is easy to recover
 keystream from ciphertext
  • C  M = (MRC4(IV,key))  M = RC4(IV,key)
  • Not a problem if this keystream is not re-used
Even if attacker doesn’t know plaintext, he can
 exploit regularities (plaintexts are not random)
  • For example, IP packet structure is very regular
                                                          slide 8
Keystream Will Be Re-Used
In WEP, repeated IV means repeated keystream
Busy network will repeat IVs often
  • Many cards reset IV to 0 when re-booted, then
    increment by 1  expect re-use of low-value IVs
  • If IVs are chosen randomly, expect repetition in O(212)
    due to birthday paradox (similar to hash collisions)
Recover keystream for each IV, store in a table
  • (KnownM  RC4(IV,key))  KnownM = RC4(IV,key)
  • Even if don’t know M, can exploit regularities
Wait for IV to repeat, decrypt and enjoy plaintext
  • (M’  RC4(IV,key))  RC4(IV,key) = M’
                                                          slide 9
It Gets Worse
Misuse of RC4 in WEP is a design flaw with no fix
  • Longer keys do not help!
     – The problem is re-use of IVs, their size is fixed (24 bits)
  • Attacks are passive and very difficult to detect
Perfect target for Fluhrer et al. attack on RC4
  • Attack requires known IVs of a special form
  • WEP sends IVs in plaintext
  • Generating IVs as counters or random numbers will
    produce enough “special” IVs in a matter of hours
This results in key recovery (not just keystream)
  • Can decrypt even ciphertexts whose IV is unique
                                                                     slide 10
Do Not Do This
                                                                        [Brian Lee]

Ingredients: Laptop (with 802.11b card, GPS, Netstumbler, Airsnort,
                     Ethereal) and the car of your choice
 Drive around, use Netstumbler to map out active wireless
   networks and (using GPS) their access points
 If network is encrypted, park the car, start Airsnort, leave it be
   for a few hours
    • Airsnort will passively listen to encrypted network traffic and, after
      5-10 million packets, extract the encryption key
 Once the encryption key is compromised, connect to the network
  as if there is no encryption at all
 Alternative: use Ethereal (or packet sniffer of your choice) to
  listen to decrypted traffic and analyze
 Many networks are even less secure

                                                                                slide 11
Weak Countermeasures
Run VPN on top of wireless
  • Treat wireless as you would an insecure wired network
  • VPNs have their own security and performance issues
     – Compromise of one client may compromise entire network
Hide SSID of your access point
  • Still, raw packets will reveal SSID (it is not encrypted!)
Have each access point maintain a list of network
 cards addresses that are allowed to connect to it
  • Infeasible for large networks
  • Attacker can sniff a packet from a legitimate card, then
    re-code (spoof) his card to use a legitimate address
                                                                slide 12
Fixing the Problem
Extensible Authentication Protocol (EAP)
  • Developers can choose their own authentication method
     – Cisco EAP-LEAP (passwords), Microsoft EAP-TLS (public-key
       certificates), PEAP (passwords OR certificates), etc.
802.11i standard fixes 802.11b problems
  • Patch: TKIP. Still RC4, but encrypts IVs and establishes
    new shared keys for every 10 KBytes transmitted
     – No keystream re-use, prevents exploitation of RC4 weaknesses
     – Use same network card, only upgrade firmware
  • Long-term: AES in CCMP mode, 128-bit keys, 48-bit IVs
     – Block cipher (in special mode) instead of stream cipher
     – Requires new network card hardware
                                                                   slide 13
Hacking Wireless Networks
      (Part III – WPA)

                            slide 14
What is WPA?
 WPA (Wireless Protected Access) or WEP2
 ■ An interim solution to replace WEP.
 ■ Aimed to work well with hardware designed for WEP.
 ■ Still use RC4 for encryption.
 ■ Several new elements were introduced:
   - TKIP (Temporal Key Integrity Protocol).
   - MIC (message integrity code) for preventing forgery.
   - IV=48 bits for preventing replay attack.
   - A mixing function for generating per-frame key.

WPA Structure

                   802.11 Hdr        data
                                            ||     MIC     MIC
     WEP Key         Per-Frame Key

               Mixing                   RC4
 K             Function        K’     Encryption          Integrity

          802.11 Hdr      IV            Data        MIC

WPA Structure (in details)

                             slide 17
  WPA - Modes of Operation
 Enterprise Mode:

  - Requires an authentication server – RADIUS
  (Remote Authentication Dial In Service) for authentication and
  key distribution
  - RADIUS has centralized management of user credentials

 Pre-shared key (PSK) Mode:

  - Does not require authentication server
  - A “shared secret” is used for authentication to access point
    vulnerable to dictionary attacks

Enterprise Mode Diagram

PSK Mode Diagram

   Issues of PSK Mode
 Needed if no authentication server is in use

 “shared secret” – revealed, network security is compromised

 No standardized way of changing shared secret

 It increases the attacker’s effort to do decryption of messages

 The more complex the shared secret is, the better it is
 as there are less chances of dictionary attacks

Summary: Security Mechanisms in WPA

802.1X Authentication prevents end users from
accessing Enterprise networks

      TKIP – Temporal Key Integrity Protocol
 TKIP is responsible for generating the encryption key, encrypting the
message and verifying its integrity

 TKIP ensures:
  - Encryption key changes with every packet
  - Encryption key is unique for every client
  - TKIP encryptions keys are 256 bit long

 WEP Encryption key = shared secret + IV

 TKIP packet comprises of:
   - 128 bit temporal key (shared by both clients and AP)
   - Client Device MAC address
   - 48 bit IV (Packet sequence number) to prevent known plain text
attacks (WEP = 24 bit IV)

    TKIP for Data Privacy
 TKIP key mixing function + temporal key = per packet key
 Temporal keys - 128 bit, change frequently, definite life
 MAC Address + Temporal key + four most significant octets of the
packet sequence number are fed into the S-Box to generate
intermediate key
 Results in a unique encryption key
 Then, mix the intermediate key with two least significant octets of
packet sequence number = 128 bit per packet key
 Each key encrypts only one packet of data and prevents weak key

    Message Integrity Check (MIC)
   Used to enforce data integrity
 “Message Integrity Code” (MIC) = 64 bit message calc.
      using Michael’s algorithm
 MIC is inserted in the TKIP packet
 The sender and the receiver each compute MIC and then
      compare. MIC does not match = data is manipulated
 Detects potential packet content altercation due to
      transmission error or purposeful manipulation
 Uses 64 bit key and partitions the data into 32 bit blocks
 Various operations: shifts, XOR’s, additions

 A long term solution specified by IEEE 802.11i
Use AES (in a new mode called CCM) for encryption.
     Counter Mode with CBC-MAC Protocol (CCMP)
        CCMP = CTR + CBC + MAC
■ Several new elements were introduced:
  - The base key K=128 bits.
  - MIC is 64 bits for preventing forgery.
  - IV=48 bits for preventing replay attack.
  - Packet sequence number is used to generate IV.
Will require or replacement hardware (AP’s and NIC’s)


             IV   Key ID

                              Encrypted by AES

  802.11 Hdr 802.11i Hdr         Data            MIC   FCS

       Authenticated by MIC

          Encryption Method Comparison Table

                      WEP                 WPA                WPA2

    Cipher             RC4                RC4                 AES

                                  128 bits encryption 64
   Key Size           40 bits                                128 bits
                                    bits authentication

   Key Life          24 bit IV          48 bit IV           48 bit IV

  Packet Key       Concatenated      Mixing Function       Not needed
 Data Integrity      CRC-32         Michael Algorithm         CCM
Header Integrity      None          Michael Algorithm         CCM
 Replay Attack        None            IV Sequence          IV Sequence
Key Management        None             EAP Based           EAP Based

 WEP is not secure anymore !

 WPA solves almost all WEP weaknesses

 WPA still considered secure and provides secure
authentication, encryption and access control

 WPA is not yet broken…!

 WPA2 is a stronger cipher than WPA and will provide robust
security for WLANs


Shared By: