Computer security 2015 – Ýmir Vigfússon

Based on slides by Björn@Syndis, Roy Werber, Pascal Meunier@Purdue, and material from Computer Networking: A Top Down Approach Featuring the Internet, Jim Kurose, Keith Ross, Addison-Wesley

[Figure: data rate (Mbps; axis ticks .056, .384, 1, 4, 5-11, 54, 200) versus range (indoor 10-30m; outdoor 50-200m; mid-range outdoor 200m – 4 Km; long-range outdoor 5Km – 20 Km) for wireless link standards: 802.15; 802.11b; 802.11a,g; 802.11n; 802.11a,g point-to-point; 802.16 (WiMAX (4G?)); IS-95, CDMA, GSM; UMTS/WCDMA, CDMA2000; UMTS/WCDMA-HSPDA, CDMA2000-1xEVDO. Cellular generations are labelled 2G, 3G and 3G cellular enhanced.]

• How does wireless differ from wired settings?

Base stations relay traffic between wireless and wired networks

• Cell towers

• Access points

• ...

Infrastructure mode (network infrastructure) vs. ad-hoc

• Ad-hoc: no base stations

• Basic service set (BSS)

• A.k.a. "cell"

• Set of wireless hosts

• In infrastructure mode, also a base station

• In ad-hoc mode, hosts relay for each other

• Interesting research questions ...

[Figure: two basic service sets, BSS 1 and BSS 2, each with an access point (AP) attached to a hub, switch or router that connects to the Internet]

• Genesis of a wireless/WiFi network

Beacon: "JOIN ME!!!"

• I have powerful signal!

• I am called Secure! (SSID)

• My MAC address is 00:de:ad:be:ef:00 (BSSID)

• I encrypt ... or not

• ... and a WLAN is born

• Afterward, may authenticate, run DHCP, etc.

2.4 GHz – 2.485 GHz divided into 11 channels

• Each is a band. How would you share bandwidth?

Share band, Carrier Sense Multiple Access (CSMA)

• Instead of just dividing frequency or time slots among users, 802.11 uses Code Division Multiple Access (CDMA)

• Optional: CSMA/CA: Collision Avoidance

• Short Request-to-Send (RTS) messages to reserve channel

• Base station (access point) decides "Clear-to-Send" (CTS)

[Figure: timeline for hosts A and B and the access point, showing a reservation collision, then DATA (A) while the other host defers]

• Suppose you're in charge of designing the first wireless protocol for the masses, 802.11.

• How would you make it backward compatible?

[Figure: protocol stacks (Application, Transport, Network, Link) on two end hosts, connected through an intermediate node with Network and Link layers; peer layers speak the application protocol, TCP protocol, IP protocol and data link protocol]

• Strive to replace only the lowest layer: link layer

• In regular networks, this is usually Ethernet

[Figure: link layer frame laid out as ETH | IP | TCP | data | ETF, where ETH is the link (Ethernet) header, IP is the IP header and ETF is the link (Ethernet) trailer]

• Let's try to encapsulate it with the information that we need

• Who we are

• What access point we're talking to

• Encryption?

802.11 frame layout (field sizes in bytes):

frame control    2
duration         2           duration of reserved transmission time (RTS/CTS)
address 1        6
address 2        6
address 3        6
seq control      2           frame seq # (for reliable ARQ)
address 4        6
payload          0 - 2312
CRC              4

Sequence No.: needed for ARQ (ACK required) mode.

Address 1: MAC address of wireless host or AP to receive this frame

Address 2: MAC address of wireless host or AP transmitting this frame [Serves as Ethernet source address]

Address 3: MAC address of router interface to which AP is attached [Serves as Ethernet destination address]

Address 4: MAC address of wireless relay host (ad hoc networks only)

[Figure: host H1 reaches the Internet through the AP and router R1. In the 802.11 (WiFi) frame, address 1 = AP MAC addr (1st dest, AP), address 2 = H1 MAC addr (source), address 3 = R1 MAC addr (2nd dest, eth). In the 802.3 (Ethernet) frame, dest. address = R1 MAC addr and source address = H1 MAC addr.]

Frame control field (sizes in bits):

Protocol version    2
Type                2
Subtype             4
To AP               1
From AP             1
More frag           1
Retry               1
Power mgt           1
More data           1
WEP                 1
Rsvd                1

Type and Subtype: frame type (RTS, CTS, ACK, data)
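The field layout above, turned into a parser. This is an added example, not part of the original slides; the sample frame and the H1/R1 MAC addresses are constructed, and the flag names follow the slide's labels. In the 802.11 header, address 4 is only on the wire when both To AP and From AP are set, so the parser handles that case separately.

```python
import struct

# Flag order follows the slide's frame-control layout (bits 8..15).
FLAGS = ["to_ap", "from_ap", "more_frag", "retry",
         "power_mgt", "more_data", "wep", "rsvd"]
TYPES = {0: "management", 1: "control", 2: "data"}


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes) -> dict:
    """Split an 802.11 frame into the header fields listed on the slide."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte fixed header")
    fc, duration = struct.unpack_from("<HH", frame, 0)   # little-endian
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    hdr = {
        "version": fc & 0x3,                        # 2 bits
        "type": TYPES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,                 # 4 bits
        "duration": duration,
        "addr1": mac(frame[4:10]),                  # receiver
        "addr2": mac(frame[10:16]),                 # transmitter
        "addr3": mac(frame[16:22]),                 # router interface
        "seq": seq_ctl >> 4,                        # 12-bit sequence number
        "frag": seq_ctl & 0xF,                      # 4-bit fragment number
    }
    for bit, name in enumerate(FLAGS, start=8):
        hdr[name] = bool(fc & (1 << bit))
    body_at = 24
    if hdr["to_ap"] and hdr["from_ap"]:             # address 4 is present
        if len(frame) < 30:
            raise ValueError("truncated address 4")
        hdr["addr4"] = mac(frame[24:30])
        body_at = 30
    hdr["body"] = frame[body_at:]                   # payload (+ CRC if captured)
    return hdr


# Constructed sample: WEP-protected data frame from host H1 to the AP.
SAMPLE = bytes.fromhex(
    "0841" "2c00"            # frame control 0x4108, duration 44
    "00deadbeef00"           # address 1: AP (BSSID from the beacon slide)
    "020000000001"           # address 2: H1 (made-up MAC)
    "020000000002"           # address 3: R1 (made-up MAC)
    "3001"                   # seq control: sequence 19, fragment 0
    "aabbcc")                # stand-in for the encrypted payload
```

Calling `parse_80211_header(SAMPLE)` shows why the header is attractive to a monitor and to an attacker alike: every field, including all three addresses and the WEP flag, is readable without any key.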

• How would you attack this protocol?

• We can hinder communication (Denial-of-Service)

• We can hijack and modify connections

• We can pretend to be whoever we want (spoofing)

• ...

• Effectively no security measures are being taken

• What can we do to enhance security?

Authentication:

• How do we know a user is who they say they are?

▪ Username/Password? PIN? SmartCard? Two-factor?

▪ Usually a binary (yes/no) process

Authorization:

• How do we establish what an authorized user should and shouldn't be able to do?

▪ Administrator? Customer? On a free trial?

▪ Groups/Roles/Privileges/Permissions

Access control:

• How do we enforce that resources are only accessed by authorized users?

▪ Implemented through logic, permissions, access lists, etc.

• First, let's optionally authenticate users

• Second, let's at least try to encrypt every packet

• How do we do that?

• Unless we want an open network, we're going to have to share a key

• Later, we should have key management!

• How would you implement this?

• At the time WEP was defined, export restrictions limited cryptography, so 64-bit RC4 was used

• Extensions later for 128-bit WEP

• What about authentication with shared key?

• First idea:

• Client sends authentication request with key

• Access point responds with ACCEPT if key correct

• Second idea:

• Client sends num and hash(num | key)

• Access point also computes hash, ACCEPTS if it likes the outcome

• Third idea:

• Client sends intention to authenticate

• Access point sends back a random number (nonce) x

• Client computes hash(x | key), sends to access point

• Access point sends ACCEPT if matches local hash(x | key)

• This is used in WEP

• Called 4-step challenge-response handshake

• Avoids disclosing the (static) key

• Prevents replay attack ("pass-the-hash")
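The second and third ideas side by side, as an added example that is not part of the original slides. It follows the slide's hash(num | key) notation; SHA-256 as the hash, the class names and the sample key are assumptions of this example. It shows why the nonce has to come from the access point: a response that was valid once is accepted again under the second idea and rejected under the third.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-shared-key"      # sample value made up for this example


def proof(num: bytes, key: bytes) -> bytes:
    """hash(num | key) from the slide; SHA-256 is this example's choice."""
    return hashlib.sha256(num + key).digest()


class SecondIdeaAP:
    """The client chooses num; the AP only recomputes the hash."""

    def __init__(self, key: bytes):
        self.key = key

    def verify(self, num: bytes, response: bytes) -> bool:
        return hmac.compare_digest(response, proof(num, self.key))


class ThirdIdeaAP:
    """The AP chooses a fresh nonce x and accepts one response for it."""

    def __init__(self, key: bytes):
        self.key, self.pending = key, None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response: bytes) -> bool:
        x, self.pending = self.pending, None          # nonce is single-use
        return x is not None and hmac.compare_digest(response, proof(x, self.key))


def compare_ideas() -> dict:
    """Present a previously observed response to both designs a second time."""
    ap2, ap3 = SecondIdeaAP(KEY), ThirdIdeaAP(KEY)
    num = secrets.token_bytes(16)
    seen2 = (num, proof(num, KEY))                    # one legitimate login
    seen3 = proof(ap3.challenge(), KEY)
    out = {"idea2_first": ap2.verify(*seen2), "idea3_first": ap3.verify(seen3)}
    out["idea2_replay"] = ap2.verify(*seen2)          # same bytes, accepted again
    ap3.challenge()                                   # later session, new nonce
    out["idea3_replay"] = ap3.verify(seen3)           # old response, rejected
    return out
```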

Ideally, want to encrypt our communications ("plaintext") with a long, long string ("key").

[Figure: stream cipher built on a pseudo-random number generator: same input key, same output. Labels in the figure: "D E R P", "Key", "=", "E T J W P X O ..."]

Idea: Just use the WEP key as input to the PRNG then XOR with plaintext

• What's the problem?

Idea: Use num | WEP key as input instead, share num as part of packet

• This is used in the original WEP!

• num is called an "Initialization Vector" (IV)

• Basic idea behind WEP encryption

• RC4: Streaming cipher algorithm

Why Initialization Vector (IV)?

• Prevents reuse of keys

Also need a checksum (ICV) to avoid malicious bit flips

ICV = Integrity Check Value checksum, IV = Initialization vector

WEP encryption:

• ICV computed – 32-bit CRC of payload

• One of four keys selected – 40-bits

• IV selected – 24-bits, prepended to keynumber

• IV+key used to encrypt payload+ICV

• IV+keynumber prepended to encrypted payload+ICV

[Figure: an 802.11 frame (Header | Payload) becomes a WEP frame (Header | IV, 24 bits | keynumber, 8 bits | Payload | ICV, 32 bits). The keynumber selects one of 4 x 40-bit keys (Key 1 to Key 4); IV and key together form the 64-bit input to RC4, which encrypts Payload and ICV.]

WEP decryption:

• Keynumber is used to select key

• IV+key used to decrypt payload+ICV

• Done!

• IV (Initialization vector) is 24 bits long

• How many seeds for random number generators?

• Only 16 million different RC4 cipher streams per key

• If an IV is ever reused, XOR between packets equivalent to XOR of plaintext messages

C = cipher text, P = plain text:

$C_1 \oplus C_2 = (P_1 \oplus IV) \oplus (P_2 \oplus IV) = P_1 \oplus P_2$

• If you guess one plain text message, you obtain another
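The WEP encryption and decryption steps and the IV-reuse property above, as an added example that is not part of the original slides. The keys, IV and payloads are constructed; storing the keynumber as a plain byte value and the ICV byte order are simplifications of this example.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR of data with the generated stream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    return zlib.crc32(payload).to_bytes(4, "little")    # 32-bit CRC


def wep_encrypt(keys, keynumber: int, iv: bytes, payload: bytes) -> bytes:
    seed = iv + keys[keynumber]                         # 24 + 40 = 64 bits
    return iv + bytes([keynumber]) + rc4(seed, payload + icv(payload))


def wep_decrypt(keys, frame: bytes) -> bytes:
    iv, keynumber = frame[:3], frame[3]                 # both sent in clear
    plain = rc4(iv + keys[keynumber], frame[4:])
    payload, check = plain[:-4], plain[-4:]
    if icv(payload) != check:
        raise ValueError("ICV mismatch")
    return payload


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_demo():
    keys = [bytes([n]) * 5 for n in (0x11, 0x22, 0x33, 0x44)]  # constructed
    p1, p2 = b"constructed message one!", b"constructed message two?"
    iv = b"\x00\x00\x01"
    f1 = wep_encrypt(keys, 2, iv, p1)
    f2 = wep_encrypt(keys, 2, iv, p2)                   # same key, same IV
    c1_xor_c2 = xor(f1[4:], f2[4:])[:len(p1)]           # cipher stream cancels
    return c1_xor_c2 == xor(p1, p2), xor(c1_xor_c2, p1) == p2
```

Both values returned by `iv_reuse_demo()` are true: the XOR of the two ciphertexts equals the XOR of the plaintexts, and knowing the first plaintext yields the second without the key.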

• How long until we expect a reused IV?

• Remember class about DNS birthday attacks?

23 people in a room

How likely that two people share the same birthday?

For $m$ people and $n$ days, the probability is about $1 - e^{-m^2/(2n)}$

Roughly:

Answer: 50.7%!

• Here, n = 16M, so:

• 50% chance of collision after only 4,823 packets!

• 99% chance of collision after 12,430 packets

• If network is operating at 11Mbps, takes 3 seconds
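The birthday estimate above carried through for the 24-bit IV space, as an added example that is not part of the original slides. It inverts the slide's approximation to get the packet counts, compares it with the exact product formula, and checks it against a simulation; the simulation assumes each frame picks its IV uniformly at random.

```python
import math
import random
import statistics

IV_SPACE = 2 ** 24            # 24-bit IV, the slide's n = 16M


def approx_collision(m: int, n: int = IV_SPACE) -> float:
    """The slide's approximation: 1 - e^(-m^2 / 2n)."""
    return 1.0 - math.exp(-m * m / (2.0 * n))


def exact_collision(m: int, n: int = IV_SPACE) -> float:
    """Exact value 1 - prod_{k<m}(1 - k/n), summed in log space."""
    if m > n:
        return 1.0
    return 1.0 - math.exp(sum(math.log1p(-k / n) for k in range(m)))


def packets_for(p: float, n: int = IV_SPACE) -> float:
    """Invert the approximation: m = sqrt(2n * ln(1 / (1 - p)))."""
    return math.sqrt(2.0 * n * math.log(1.0 / (1.0 - p)))


def frames_until_repeat(rng: random.Random, n: int = IV_SPACE) -> int:
    """Draw uniform random IVs until one repeats; return the frame count."""
    seen = set()
    while True:
        iv = rng.randrange(n)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)


def simulated_median(trials: int = 201, seed: int = 2015) -> float:
    """Median frame count to the first repeated IV over many sessions."""
    rng = random.Random(seed)
    return statistics.median(frames_until_repeat(rng) for _ in range(trials))
```

`packets_for(0.5)` and `packets_for(0.99)` give about 4,823 and 12,430, matching the slide, and the simulated median lands near the 50% figure.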

• Start listening in on traffic, gradually obtaining all 16M IVs to be fully authenticated

• More worrying: Fluhrer, Martin, Shamir attack

• Passive attack against RC4 in WEP to recover RC4 key one letter at a time! Implemented in aircrack-ng

• Can inject data to network to speed up attack

• Online demo of a WEP crack using airsnort

• https://www.youtube.com/watch?v=_G4kOaJqMOE

• Remember: Do NOT use any hacking software without express permission from the owner of the network you are attacking.

• It was quickly realized that WEP offered lax security.

• WEP was decommissioned in 2004

• Teams from Wi-Fi Alliance set up to think of two solutions for Protected Access (WPA)

• Backward compatible: WPA-TKIP

• Stopgap solution for WEP that could be flashed as firmware on to existing infrastructure

• (i) Uses a key mixing function between IV and key

• (ii) Adds message integrity checks (MIC) instead of ICV of CRC32 (cryptographically insecure)

• Attack (2008): Inject 7 packets to a wireless client

• Forward thinking: WPA2

• Implemented more elaborate 4-way handshake and group key handshake

• Supports TKIP, CCMP, etc.

• WPA2 Personal: Pre-shared key between people

• WPA2 Enterprise: Connect to a RADIUS server

▪ Tedious to set up. Also means that if your WiFi credentials are compromised, your whole account will be too.

• 2012: Flaw in WPS – the device configuration tool for routers that uses a PIN for fast access.

▪ Even when disabled, obtains shared key in about 7 hours

• Key sharing still vulnerable to handshake capture

• WEP, WPA-TKIP, WPA2-PSK – PSK = Pre-Shared Key

• Cracking the hashes depends on password strength and can take a long time

• Rainbow tables accelerate the process (coWPAtty)

• http://www.renderlab.net/projects/WPA-tables/

• Does take long(er) to crack

• WPA2 Enterprise / WPA-802.1x

• Mostly used in corporate or larger wifi environments

• A RADIUS server acts as an authentication server

• Uses EAP or "Extensible Authentication Protocol" which handles the actual authentication

• Very few setups use EAP-TLS

▪ Considered most secure variant of EAP

• Most setups use EAP-PEAP or something less secure

[Figure: message sequence with the labels Deauth attack, Probe Requests, Probe Response (SSID: SuperSecure, ENC: WPA2-Enterprise), 4 way handshake authentication, User name, Password (MSCHAPv2)]

• Many devices send authenticating information without doing any verification of certificates.

• Some people even set up their devices in this way.

• Several phone manufacturers

• Even Linux distributions

• Need to be in range of the device to capture the encrypted password

• The default setting for most devices is, however, to ask the user to accept the modified certificate

• Built on

• Evil access point/hotspot idea

• The fact most devices connect to multiple networks

• The idea

• We know NICs continually scan and send probe requests

• What if we send broadcast requests for a million SSIDs?

• If a device has connected before, will I get a response?

• Widespread risk

• Applies to those that use traditional Wi-Fi networks

• Also applies to singular devices and non AP networks

[Figure: broadcast SSIDs (Hot Spot, Guests, Free WiFi, xfinitywifi, etc.; OPN, WEP, WPA-PSK) and an association request for SSID: gestir]

Confidentiality:

• Record authentication handshakes (WEP, WPA, WPA2)

• Record and log traffic remotely (leaks)

• Lure people to fake access points

Integrity:

• Record packets, then replay, modify and inject them

Availability:

• Easy to jam frequencies. Turn on the microwave oven...

Accountability:

• Attacker can remain fully anonymous

• Attacker can spoof and frame others
