Week11_1
advertisement
Wireless LAN Security Security Basics • Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA. Cryptographic hash functions • One-way: given x, very difficult to find a such that H(a) = x. • Collision resistance: very difficult to find two strings x1 and x2 such that H(x1) = H(x2). • Here, difficult means that computational infeasible. Block Cipher • Very widely used. • The sender is sending information to the receiver via an insecure channel, but wishes no one can know the information. • The sender and the receiver share a secret key. • The information is encrypted according to the secret key, and if other people does not have the key, they cannot decrypt the information. • C=Ekey (P), P=Dkey(C). • Typically, C and P are of the same size. In AES, 128 bits. • ``Cannot’’ means computational infeasible. Cipher Modes – ECB • ECB –Electronic Code Book Mode. Break the entire file into blocks, and encode every block individually. • Problems. You can replace a block if it is good for you. CBC – Cipher block chaining • Encryption: – C0 = E(P0 xor IV). – C1 = E(P1 xor C0), and so on. – IV is transmitted in plain text. • Decryption: – P0 = IV xor D(C0) – P1 = C0 xor D(C1), and so on. • So, same message won’t result in the same code. Stream Cipher Mode • • • • T0 = E(IV). T1 = E(T0), and so on. C = P xor T. Don’t use the same stream twice. Counter mode • Ti = E(IV+i). • Ci = Pi xor Ti. • The advantage is that you can randomly access any block. • Used by Skype. Often called ICM (Integer counter mode). • ECB also supports random access. Does it have the same problem as ECB? No, because the Ivs are different. Public key / Private Key • If A and B wants to use a block cipher, they must share the same secret key. • How can the key be established? Public Key / Private Key • Everyone has a public key and private key. • With B’s public key (pkB) A can encode data that only B can decode with his private key (skB) because other people does not have B’s private key. • D_skB[E_pkB(W)] = W • E_pkB[D_skB(W)] = W Public Key /Private key • So, A can choose a string W as the session key and send E_pkB(W) to B. B runs the decryption algorithm to get D_skB[E_pkB(W)] = W. The RSA algorithm • Most common, the RSA algorithm is used to get the public key/private key. 1. Choose two large primes, p and q. 2. Compute n=pq and z=(p-1)(q-1). 3. Choose a large number relatively prime to z and call it d. 4. Find e such that ed = 1 mod z. (such e must exist) • (e,n) is the public key for encoding and (d,n) is the private key for decoding. The RSA algorithm • • • • To encrypt a message M, C=M^e mod n. To decrypt from C, M = C^d mod n. D_skB[E_pkB(M)] = M E_pkB[D_skB(M)] = M. Why is RSA secure? • The problem is, given (d,n), can you figure out e? • It is difficult. • You can try to find p and q given n. If you indeed can, then you get z. Given z and d, you get e. • But it is difficult to factor large numbers. Wireless LAN Security • Compared to wired LAN, wireless LAN are more vulnerable because the frames are broadcast in the air, everyone can sniff it if they like, while wired LANs typically has a pretty good physical security. 802.11 Security • A node needs to associate with the AP. – The AP broadcast the beacon signal periodically, which contains the SSID (Service Set ID). – The node selects an AP, send a request (probe request management frame) to join. – The AP either just lets the node in without any authentication, or authenticate the node with some mechanisms. – Then the client is associated with the AP. Can start to send or receive data. 802.11 Security – WEP Overview • WEP: Wired Equivalent Privacy – Has flaws, but people still use it. – Provides some level of security, better than nothing. – Used to • Protect from eavesdropping • Prevent from unauthorized access • Prevent from tampering with transmitted message – Uses static 40 or 104 bit key for authentication and encryption. – Uses RC4 stream cipher. – Only exists between wireless stations WEP continued • The stations share a secret key. • Before the data transmission, a 24-bit random Initialization Vector (IV) is generated by the sender. • The IV and the secret key are combined to make the session key. So the session key is 64 or 128 bits. • The data is encrypted with the session key by the RC4 stream cipher. Then the encrypted data is sent to the receiver along with the plaintext IV. • The receiver can decrypt the data with the IV and the shared key. • Different IV are used for each transmission. WEP Vulnerabilities • WEP is vulnerable because the keys are static and the IVs are short. – With 24 bits, eventually, packets will share the same IV. 24 bits is about 16M. Remember that the IVs are sent in plaintext. With enough data packets encrypted by the same IV, the hackers can then recover the key stream, and maybe the secret key. – Does not specify how to establish the secret keys. So the same key exists for a long time. – Does not prevent replay attack. –… WEP vulnerabilities • WEP authenticates the node, but not the AP. • So, an attacker can pose as the AP! 802.11i • Goals: – The data should not be decrypted by unauthorized means. – All transmitted packets should be from the original sender – Authentication should be mutual Authentication Enhancements – 802.1X • Port-based authentication mechanism • Interplay by – Supplicant – Authenticator – Authentication Server (AS) • "Port-based network access control makes use of the physical access characteristics of IEEE 802 LAN infrastructures in order to provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases which the authentication and authorization fails. A port in this context is a single point of attachment to the LAN infrastructure." Authentication Enhancements – 802.1X • A wireless node (WN, the supplicant) asks for authentication. It needs to prove its credentials. The WN sends the request following EAPOL protocol. Before authentication, only EAP traffic is allowed. • The Authenticator then forwards the message to the Authentication Server using the RADIOUS format. • If the authentication passes, ports can be opened for the WN. http://www.docmirror.net/en/linux/howto/networking/8021X-HOWTO/intro.html Better Key Management • The AS sends the Master Key (MK) in the last authentication message if the authentication is successful. • Both the WN and the AS derives a key, called the Pairwise Master Key (PMK). • The PMK is moved from the AS to the Authenticator (the AP). • PMK is used between the WN and the AP to ``derive, bind, and verify” the Pairwise Transient Key (PTK). The PTK includes – Key Confirmation Key (KCK), used to prove the posession of the PMK and to bind the PMK to the AP – Key Encryption Key (KEK) : used to distributed the Group Transient Key (GTK) – Temporal Key 1 & 2 (TK1/TK2) :used for encryption TKIP CCMP Reading • http://www.sans.org/reading_room/whitepapers/wireless/the_evolution_of_wireless_security_in_802_11_networks_wep_ wpa_and_802_11_standards_1109?show=1109.php&cat=wireless • http://www.larsstrand.org/writings/pres/2005-linpro/Linpro-80211i.pdf • http://www.aspdac.com/aspdac2008/Archive_Folder/7B_Slides/7B-5.pdf • http://www.seas.gwu.edu/~cheng/388/LecNotes/TKIP.pdf • • • • http://madwifi-project.org/browser/madwifi/trunk/net80211/ieee80211_crypto_wep.c http://madwifi-project.org/browser/madwifi/trunk/net80211/ieee80211_crypto_tkip.c http://madwifi-project.org/browser/madwifi/trunk/net80211/ieee80211_crypto_ccmp.c http://www.docmirror.net/en/linux/howto/networking/8021X-HOWTO/intro.html • Check http://www.aircrack-ng.org/doku.php for attack tools.
