Week11_1

Wireless LAN Security
Security Basics
• Three basic tools
– Hash function. SHA-1, SHA-2, MD5…
– Block Cipher. AES, RC4,…
– Public key / Private key. RSA.
Cryptographic hash functions
• One-way: given x, it is very difficult to find a such that H(a) = x.
• Collision resistance: it is very difficult to find two strings x1 and x2 such that H(x1) = H(x2).
• Here, difficult means computationally infeasible.
Block Cipher
• Very widely used.
• The sender is sending information to the receiver via an insecure channel, but wants no one else to learn the information.
• The sender and the receiver share a secret key.
• The information is encrypted according to the secret key, and people who do not have the key cannot decrypt the information.
• C = E_key(P), P = D_key(C).
• Typically, C and P are of the same size. In AES, 128 bits.
• "Cannot" means computationally infeasible.
Cipher Modes – ECB
• ECB – Electronic Code Book Mode. Break the entire file into blocks, and encode every block individually.
• Problem: because every block is encoded independently, someone can replace a block with another one when that is to their advantage.
CBC – Cipher block chaining
• Encryption:
– C0 = E(P0 xor IV).
– C1 = E(P1 xor C0), and so on.
– IV is transmitted in plain text.
• Decryption:
– P0 = IV xor D(C0)
– P1 = C0 xor D(C1), and so on.
• So, the same message won't result in the same code.
Stream Cipher Mode
• T0 = E(IV).
• T1 = E(T0), and so on.
• C = P xor T.
• Don't use the same stream twice.
Counter mode
• Ti = E(IV+i).
• Ci = Pi xor Ti.
• The advantage is that you can randomly access any block.
• Used by Skype. Often called ICM (Integer counter mode).
• ECB also supports random access. Does counter mode have the same problem as ECB? No, because the IVs are different.
Public key / Private Key
• If A and B want to use a block cipher, they must share the same secret key.
• How can the key be established?
Public Key / Private Key
• Everyone has a public key and private key.
• With B's public key (pkB), A can encode data that only B can decode with his private key (skB), because other people do not have B's private key.
• D_skB[E_pkB(W)] = W
• E_pkB[D_skB(W)] = W
Public Key / Private Key
• So, A can choose a string W as the session key
and send E_pkB(W) to B. B runs the
decryption algorithm to get D_skB[E_pkB(W)]
= W.
The RSA algorithm
• Most commonly, the RSA algorithm is used to get the public key/private key.
1. Choose two large primes, p and q.
2. Compute n = pq and z = (p-1)(q-1).
3. Choose a large number relatively prime to z and call it d.
4. Find e such that ed = 1 mod z. (Such an e must exist.)
• (e,n) is the public key for encoding and (d,n) is the private key for decoding.
The RSA algorithm
• To encrypt a message M, C = M^e mod n.
• To decrypt from C, M = C^d mod n.
• D_skB[E_pkB(M)] = M
• E_pkB[D_skB(M)] = M.
Why is RSA secure?
• The problem is, given (d,n), can you figure out
e?
• It is difficult.
• You can try to find p and q given n. If you
indeed can, then you get z. Given z and d, you
get e.
• But it is difficult to factor large numbers.
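The key generation steps, the session-key exchange and the factoring argument from the slides above, carried through with toy numbers (an added example, not part of the original slides). The primes 61 and 53, the exponent d = 2753 and the session key W = 65 are constructed values, and the function names are hypothetical.

```python
from math import gcd

def rsa_keys(p, q, d):
    """Slide steps 1-4: n = pq, z = (p-1)(q-1), d coprime to z, ed = 1 mod z."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)          # modular inverse; exists because gcd(d, z) == 1
    return (e, n), (d, n)      # (public key, private key)

def encrypt(pub, m):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)        # C = M^e mod n

def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)        # M = C^d mod n

def recover_other_exponent(known_exp, n):
    """Factor n by trial division, rebuild z, invert the known exponent.
    This only finishes because n is tiny; it is infeasible for large n."""
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    z = (p - 1) * (n // p - 1)
    return pow(known_exp, -1, z)

# Constructed toy parameters (far too small for real use).
PUB_B, PRIV_B = rsa_keys(p=61, q=53, d=2753)
W = 65                          # session key chosen by A
C = encrypt(PUB_B, W)           # what A sends to B over the insecure channel
W_AT_B = decrypt(PRIV_B, C)     # B recovers W with the private key
```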
Wireless LAN Security
• Compared to wired LANs, wireless LANs are more vulnerable because the frames are broadcast in the air and anyone can sniff them if they like, while wired LANs typically have pretty good physical security.
802.11 Security
• A node needs to associate with the AP.
– The AP broadcasts the beacon signal periodically, which contains the SSID (Service Set ID).
– The node selects an AP and sends a request (probe request management frame) to join.
– The AP either just lets the node in without any authentication, or authenticates the node with some mechanism.
– Then the client is associated with the AP and can start to send or receive data.
802.11 Security – WEP Overview
• WEP: Wired Equivalent Privacy
– Has flaws, but people still use it.
– Provides some level of security, better than nothing.
– Used to
• Protect from eavesdropping
• Prevent unauthorized access
• Prevent tampering with transmitted messages
– Uses a static 40- or 104-bit key for authentication and encryption.
– Uses the RC4 stream cipher.
– Only exists between wireless stations.
WEP continued
• The stations share a secret key.
• Before the data transmission, a 24-bit random
Initialization Vector (IV) is generated by the sender.
• The IV and the secret key are combined to make the
session key. So the session key is 64 or 128 bits.
• The data is encrypted with the session key by the RC4
stream cipher. Then the encrypted data is sent to the
receiver along with the plaintext IV.
• The receiver can decrypt the data with the IV and the
shared key.
• A different IV is used for each transmission.
WEP Vulnerabilities
• WEP is vulnerable because the keys are static and
the IVs are short.
– With 24 bits, packets will eventually share the same IV. 24 bits is about 16M values. Remember that the IVs are sent in plaintext. With enough data packets encrypted with the same IV, the hackers can then recover the key stream, and maybe the secret key.
– WEP does not specify how to establish the secret keys, so the same key exists for a long time.
– WEP does not prevent replay attacks.
–…
WEP vulnerabilities
• WEP authenticates the node, but not the AP.
• So, an attacker can pose as the AP!
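Why "don't use the same stream twice" and the short WEP IV matter, as an added example that is not part of the original slides. It models WEP encryption as RC4 seeded with the IV followed by the shared key and leaves out the integrity check value; the key, IVs and payloads are constructed, and reused_ivs is a hypothetical helper for spotting repeated IVs in a capture.

```python
import math
from collections import Counter

def rc4_keystream(key, n):
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv, key, data):
    # Session key = 24-bit IV || shared key; the IV is sent in the clear
    # in front of the ciphertext (simplified: no ICV).
    return iv + xor(data, rc4_keystream(iv + key, len(data)))

def wep_decrypt(key, frame):
    iv, body = frame[:3], frame[3:]
    return xor(body, rc4_keystream(iv + key, len(body)))

def reused_ivs(frames):
    """Return the IVs that appear on more than one captured frame."""
    counts = Counter(f[:3] for f in frames)
    return sorted(iv for iv, c in counts.items() if c > 1)

def frames_until_collision(p=0.5, iv_bits=24):
    """Birthday bound: random IVs needed before a repeat has probability p."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p))))

KEY = bytes.fromhex("0102030405")             # constructed 40-bit shared key
P1, P2 = b"GET /index.html ", b"user=bob;pin=42 "   # constructed payloads
F1 = wep_encrypt(b"\x00\x00\x01", KEY, P1)
F2 = wep_encrypt(b"\x00\x00\x02", KEY, P2)
F3 = wep_encrypt(b"\x00\x00\x01", KEY, P2)    # IV repeats: same keystream as F1
```

With a repeated IV the keystream cancels, so the XOR of the two ciphertext bodies equals the XOR of the two plaintexts; with randomly chosen IVs a repeat becomes likely after only a few thousand frames.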
802.11i
• Goals:
– The data should not be decrypted by
unauthorized means.
– All transmitted packets should be from the
original sender
– Authentication should be mutual
Authentication Enhancements – 802.1X
• Port-based authentication mechanism
• Interplay between
– Supplicant
– Authenticator
– Authentication Server (AS)
• "Port-based network access control makes use of the
physical access characteristics of IEEE 802 LAN
infrastructures in order to provide a means
of authenticating and authorizing devices attached to a
LAN port that has point-to-point connection
characteristics, and of preventing access to that port in
cases which the authentication and authorization fails. A
port in this context is a single point of attachment to the
LAN infrastructure."
Authentication Enhancements – 802.1X
• A wireless node (WN, the supplicant) asks for authentication. It needs to prove its credentials. The WN sends the request using the EAPOL protocol. Before authentication, only EAP traffic is allowed.
• The Authenticator then forwards the message to the Authentication Server using the RADIUS format.
• If the authentication passes, ports can be opened for the WN.
http://www.docmirror.net/en/linux/howto/networking/8021X-HOWTO/intro.html
Better Key Management
• The AS sends the Master Key (MK) in the last authentication message if the authentication is successful.
• Both the WN and the AS derive a key, called the Pairwise Master Key (PMK).
• The PMK is moved from the AS to the Authenticator (the AP).
• The PMK is used between the WN and the AP to "derive, bind, and verify" the Pairwise Transient Key (PTK). The PTK includes
– Key Confirmation Key (KCK): used to prove the possession of the PMK and to bind the PMK to the AP
– Key Encryption Key (KEK): used to distribute the Group Transient Key (GTK)
– Temporal Key 1 & 2 (TK1/TK2): used for encryption
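How a PMK expands into the PTK parts listed above, as an added example that is not part of the original slides. The inputs (both MAC addresses, a nonce from each side, the label "Pairwise key expansion" and the HMAC-SHA1 based PRF) follow 802.11i rather than the slide text; the PMK, MACs, nonces and handshake message are constructed, and the MIC is computed over an arbitrary message instead of a real EAPOL-Key frame.

```python
import hashlib
import hmac

def prf(key, label, data, nbytes):
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk, own_mac, peer_mac, own_nonce, peer_nonce):
    # Sorting MACs and nonces makes both ends build the same input string.
    data = (min(own_mac, peer_mac) + max(own_mac, peer_mac) +
            min(own_nonce, peer_nonce) + max(own_nonce, peer_nonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)   # 512-bit PTK
    names = ("KCK", "KEK", "TK1", "TK2")                  # four 128-bit parts
    return {n: ptk[i * 16:(i + 1) * 16] for i, n in enumerate(names)}

def handshake_mic(kck, message):
    # The KCK keys a MIC; a valid MIC shows the sender holds the PMK.
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]

def verify_mic(kck, message, mic):
    return hmac.compare_digest(handshake_mic(kck, message), mic)

# Constructed values for the wireless node (WN) and the AP.
PMK = hashlib.sha256(b"constructed PMK").digest()
AP_MAC, WN_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"constructed AP nonce").digest()
SNONCE = hashlib.sha256(b"constructed WN nonce").digest()
MSG = b"constructed handshake message"

WN_KEYS = derive_ptk(PMK, WN_MAC, AP_MAC, SNONCE, ANONCE)
AP_KEYS = derive_ptk(PMK, AP_MAC, WN_MAC, ANONCE, SNONCE)
MIC = handshake_mic(WN_KEYS["KCK"], MSG)      # sent by the WN
AP_ACCEPTS = verify_mic(AP_KEYS["KCK"], MSG, MIC)
```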
TKIP
CCMP
Reading
• http://www.sans.org/reading_room/whitepapers/wireless/the_evolution_of_wireless_security_in_802_11_networks_wep_wpa_and_802_11_standards_1109?show=1109.php&cat=wireless
• http://www.larsstrand.org/writings/pres/2005-linpro/Linpro-80211i.pdf
• http://www.aspdac.com/aspdac2008/Archive_Folder/7B_Slides/7B-5.pdf
• http://www.seas.gwu.edu/~cheng/388/LecNotes/TKIP.pdf
• http://madwifi-project.org/browser/madwifi/trunk/net80211/ieee80211_crypto_wep.c
• http://madwifi-project.org/browser/madwifi/trunk/net80211/ieee80211_crypto_tkip.c
• http://madwifi-project.org/browser/madwifi/trunk/net80211/ieee80211_crypto_ccmp.c
• http://www.docmirror.net/en/linux/howto/networking/8021X-HOWTO/intro.html
• Check http://www.aircrack-ng.org/doku.php for attack tools.