Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.

Similar presentations


Presentation on theme: "Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering."— Presentation transcript:

1 Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering

2 802.11b overview Not originally designed for the business worldNot originally designed for the business world No load balancingNo load balancing SSID was intended to be used much like a strong password (long, non-meaningful strings, symbols)SSID was intended to be used much like a strong password (long, non-meaningful strings, symbols) Access Points (APs) broadcast ‘Beacon Frames’ periodically. SSID scans were not an intended feature of the standard.Access Points (APs) broadcast ‘Beacon Frames’ periodically. SSID scans were not an intended feature of the standard.

3 There are two types of security in 802.11b (1)An authentication standard for connecting to an access point (2)Wireless Encryption Protocol (WEP) which encrypts each wireless data frame

4 Access Point Authentication There are two choices: (1)Open Authentication (none) (2)Shared Key Authentication: a) user sends request to AP b) user receives ChallengeText c) user sends back {ChallengeText} WEP_Key The encryption method used is called RC4 RC4 is a symmetric stream cipher with an arbitrary key size. RC4 was created by Ron Rivest of RSA Security in 1987.

5 Shared Key Authentication is horrible A WEP key is just 40 bits and malicious party has access to RC4 (open standard), the ciphertext, and plaintext! Over all possible RC4 keys, the statistics for the first few bytes of output keystream are strongly non-random. Every source I read said that open authentication is far safer then Shared Key Authentication (SKA). Why is SKA dangerous to keep on?

6 Wireless Encryption Protocol (WEP) Every wireless frame is encrypted with a global 40-bit WEP key and a generated 24- bit number called an initialization vector (IV) It is completely insecure. You don’t need anything other then a regular wireless card to compromise everything.

7 Vulnerability 1 RC4 is a stream cipher –Produces a stream of keys that is XORed with the plain text –Susceptible to “key stream re-use” attacks Plaintext P Message M Checksum c(M) +  RC4(iv,k) Cipher text C =

8 A Property of Stream Ciphers Observe: C 1 = P 1  RC4(iv, k) C 2 = P 2  RC4(iv, k) Suppose we are given: Then: C 1  C 2 = P 1  RC4(iv, k)  P 2  RC4(iv, k) = P 1  P 2 XORing two cipher texts together gives the XOR of the two plain texts!! – –C1  C2 = P1  P2

9 Consequences of Observation Given P 1, C 1 and C 2, you can calculate P 2 In the real world, it is possible to recover P 1 and P 2 given C 1, C 2, and P 1  P 2 using –classical techniques (frequency analysis) –known formats (IP header) –secure and insecure broadcast packets Just observed that: C 1  C 2 = P 1  P 2

10 How to fix this problem? The vulnerability exists because the same key stream is used for both p 1 and p 2 –Simple fix: change the key stream! This is done by changing the initialization vector used for each packet –Augment the plain text portion of each packet with its initialization vector –WEP recommends that this be done In practice, this does NOT prevent key stream reuse attacks!!

11 IV was an idiotic fix to keep RC4 Easy to find re-used initialization vectors –Sent as plain text Management problems –WEP does not specify how it is chosen Most simply start at 0 upon boot, and increment by 1!!! WEP specifies that the initialization vector is only 24 bits –Essentially guarantees re-use WEP does not require changing the initialization vector. –Can stay the same!

12 Now decryption is easy Decryption dictionary: –Once the plain text is known from vulnerability 1, the key stream is also known RC4(iv,k) = C  P –An attacker can store this key stream in a table indexed by the initialization vector Assuming 1.5KB for each of the 2 24 initialization vectors, this table would only be 24GB –Once created, decryption is easy This attack is not affected by key size

13 Vulnerability 2 Key Management –WEP does not specify how the secret key is distributed –In practice, the key is manually entered For convenience, most sites use a single shared key –Increases the probability of initialization vector reuse Due to inconvenience, keys are rarely changed in practice

14 Vulnerability 3 WEP does not provide access control –Once a key stream is found, the attacker can inject any messages into the network Can calculate CRC-32 checksum Can encrypt message + checksum using the known key stream –This defeats the WEP authentication protocol Simple challenge-encrypt-reply-decrypt-compare protocol

15 Proposed Solutions Use 128-bit WEP Key – still suxors, who cares? IV is the source of attacks not WEP Rotational WEP Keys – Global Key and Rotating Session keys each encrypted with previous one. Helps but IV still weak link. MAC address filtering – management nightmare, MAC addresses can be sniffed out of frames

16 VPN Each client is configured with a VPN client and tunneled over the wireless network to a VPN concentrator on the wired network Malicious party just ignores the tunnel! Some clients have the option to battle with the Operating System and only allow traffic to go through the tunnel, but not common place

17 802.11X New authentication protocol (replaces Shared Key Authentication) Steps: (1) Client requests connection from AP (2) AP asks for “credentials” (3) AP sends credentials to a RADIUS Server RADIUS = Remote Authentication Dial-In User Service The secure protocol for supplying credentials must follow the 802.11X Extensible Authentication Protocol (EAP) standard

18 Some EAP implementations EAP-MD5 - one of the first implementations - passes a hash of a username/password pair to the RADIUS Server -Doesn’t prevent current WEP Attacks EAP-Cisco Wireless, or LEAP -A one-time WEP key is used to validate credentials -RADIUS has session timeout feature

19 The Future? IEEE is working on 802.11i, which will go beyond just ratifying authentication which is what 802.11X did - MAC addresses will be reworked - Temporal Key Integrity Protocol (TKIP). Generates new encryption keys for every 10 kilobytes of data transmitted. Still uses WEP and RC4.

20 References ars technica Wireless Security Black Paper 7/18/2002, http://arstechnica.com/articles/paedia/security.ars/ Intercepting Mobile Communications: The Insecurity of 802.11 Nikita Borisov, Ian Goldberg, David Wagner University of California, Berkeley MobiCom 2001, http://classes.cec.wustl.edu/~cs673/WEP.ppt Real Security for Wireless LANs By: Erlanger, Leon. PC Magazine 8/05/2003, Vol. 22 Issue 13, p72 Beefing Up 802.11b Security Yardena Arar, PCWorld.com 2/04/2002, http://www.pcworld.com/news/article/0,aid,82563,00.asp


Download ppt "Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering."

Similar presentations


Ads by Google