Final Exam - PowerPoint PPT Presentation

1 / 43
About This Presentation
Title:

Final Exam

Description:

Final Exam. Review assigned reading and experiences from homework & projects ... Miraculously, free downloads available. IEEE 802 : Overview & Architecture ... – PowerPoint PPT presentation

Number of Views:73
Avg rating:3.0/5.0
Slides: 44
Provided by: csU72
Category:
Tags: downloads | exam | final | free

less

Transcript and Presenter's Notes

Title: Final Exam


1
Final Exam
  • Review assigned reading and experiences from
    homework projects
  • Oral exam, approx 20 minutes?
  • Tuesday at 530pm
  • Wait on 2nd floor either in student lounge or
    near elevators
  • Bring ID to get into lounge

2
802.11, WEP, 802.1xCase Study
  • Lecture Notes for 91.561UMass Lowell Computer
    ScienceDavid Martin

3
Orientation
  • Miraculously, free downloads available
  • IEEE 802 Overview Architecture
  • IEEE 802.1 Bridging Management
  • IEEE 802.2 Logical Link Control
  • IEEE 802.3 CSMA/CD Access Method
  • IEEE 802.5 Token Ring Access Method
  • IEEE 802.11 Wireless
  • IEEE 802.12 Demand Priority Access
  • IEEE 802.15 Wireless Personal Area Networks
  • IEEE 802.16 Broadband Wireless Metropolitan
    Area Networks

4
Recommended Reference
  • Real 802.11 Security Wi-Fi Protected Access and
    802.11i, Edney and Arbaugh, Addison-Wesley, 2003
  • Available through Safari books,
    http//proquest.safaribooksonline.com/?uicodeumas
    slowell

5
Orientation
  • IEEE 802.11
  • Late 90s wireless networking
  • 802.11 1999, base wireless spec
  • WEP is defined here
  • 802.11a 1999, 5 GHz, 1 and 2 Mb/s
  • 802.11b 1999, 2.4 GHz, 5.5 and 11 Mb/s
  • 802.11g 2003, 2.4 GHz, 54 Mb/s
  • IEEE 802.1
  • 802.1d bridging
  • 802.1q virtual LANs
  • 802.1x port-based access control
  • Much of this presentation text is taken from
    these standards
  • WiFi
  • Industry association trying to achieve
    interoperability
  • Trademark protection of WiFi logo

6
802.11 Wireless
  • Individual cells are called basic service sets
    (BSS)
  • BSS can be combined by distribution systems (DS)
    into extended service sets (ESS)
  • Like how individual wired LANs can be combined
    into an extended LAN via bridging

7
Complete Picture
Source IEEE 802.11 standard
8
(No Transcript)
9
Connecting to 802.11 LAN
  • Three types of transmissions
  • Management
  • Control (media sharing)
  • Data
  • Each wireless station has its own MAC address
  • SSID a network's name (service set ID)
  • Can be overlapping sensible for creating
    extended LAN
  • APs run over (small) numeric channels that
    correspond to frequencies in the given range
  • Probe request response
  • For determining which APs are accessible
  • Passive variant also possible
  • Learn published SSIDs, associated parameters

10
802.11 Authentication
  • If desired, an IEEE 802.11 network may be
    operated using Open System authentication. This
    may violate implicit assumptions made by higher
    network layers. In an Open System, any station
    may become authenticated.
  • In other words, no authentication required
  • IEEE 802.11 also supports Shared Key
    authentication. Use of this authentication
    mechanism requires implementation of the wired
    equivalent privacy (WEP) option. In a Shared Key
    authentication system, identity is demonstrated
    by knowledge of a shared, secret, WEP encryption
    key.

11
802.11 Association
  • Association required in order to transmit through
    an AP to anywhere
  • Once associated, the extended network can route
    transmissions to appropriate AP
  • Authentication happens before association
  • Management messages
  • Association / reassociation request response

12
802.11 Transmission
  • CSMA / CA
  • Carrier sense multiple access / collision
    avoidance
  • Transmissions are ACKed
  • Otherwise you don't know if your frame was
    received there's no reliable collision detection
  • Request to send / clear to send also possible but
    not required
  • CTS presumably can be heard by each station able
    to cause a collision
  • Extra messages are Control messages

13
802.11 Layering
14
MAC Frame Layout
  • Note long frame body
  • 4 Addresses depending on frame type, could
    include
  • Service set ID
  • Destination, Source ultimate
  • Receiver, Transmitter current hop
  • Frame control field

15
Message types
16
Message types
17
802.11 Privacy (Confidentiality)
  • From IEEE 802.11 standard, Section 5.4.3.3
  • In a wired LAN, only those stations physically
    connected to the wire may hear LAN traffic. Not
    so with a wireless shared medium.
  • IEEE 802.11 specifies an optional privacy
    algorithm, WEP, that is designed to satisfy the
    goal of wired LAN equivalent privacy. The
    algorithm is not designed for ultimate security
    but rather to be at least as secure as a wire.
  • IEEE 802.11 uses the WEP mechanism to perform the
    actual encryption of messages. Note that privacy
    may only be invoked for data frames and some
    Authentication Management frames.
  • All stations initially start in the clear in
    order to set up the authentication and privacy
    services.
  • The default privacy state for all IEEE 802.11
    STAs is in the clear. If the privacy service is
    not invoked, all messages shall be sent
    unencrypted.

18
Desired Properties of WEP
  • It is reasonably strong
  • The security afforded by the algorithm relies on
    the difficulty of discovering the secret key
    through a brute-force attack. This in turn is
    related to the length of the secret key and the
    frequency of changing keys. WEP allows for the
    changing of the key and frequent changing of the
    IV.
  • It is self-synchronizing
  • WEP is self-synchronizing for each message. This
    property is critical for a data-link level
    encryption algorithm, where best effort
    delivery is assumed and packet loss rates may be
    high.
  • It is efficient
  • The WEP algorithm is efficient and may be
    implemented in either hardware or software.
  • It may be exportable
  • ... However, due to the legal and political
    climate toward cryptography at the time of
    publication, no guarantee can be made that any
    specific IEEE 802.11 implementations that use WEP
    will be exportable from the USA.
  • It is optional
  • The implementation and use of WEP is an IEEE
    802.11 option.

19
WEP Design
  • About 4 pages of 802.11 specification
  • Encryption via stream cipher
  • PRNG is RC4
  • Integrity algorithm is CRC-32

20
WEP Design
Note the encypherment process has expanded the
original Frame Body by 8 octets, 4 for the IV
field and 4 for the ICV. The ICV is calculated
on the data field only.
21
RC4 Reminder
  • From Fluhrer et al paper

22
IV in Stream Cipher
  • Normally don't think of initialization vectors in
    stream ciphers they just take a key and generate
    a byte at a time
  • Also true in this case IV is completely
    specified outside of RC4
  • Used to ensure that retransmission of same
    plaintext will look different
  • ( IV WEP key ) is used as RC4 key

23
WEP as Foundation for
  • Authentication
  • Initial assurance of identity
  • Binding authentication to session
  • Mutual authentication
  • Subkey generation
  • Integrity protection
  • Message modification detection
  • Replay detection
  • Confidentiality
  • Message privacy
  • Key privacy

24
Authentication
  • "Open" authentication takes one round trip to
    negotiate and doesn't do much
  • Otherwise, "Shared key" authentication between
    Client and Access Point
  • C AP "Want shared authentication"
  • AP C 128-byte challenge
  • challenge must not be static
  • C AP WEP( challenge ) using shared key
  • AP C approve/deny

25
Analysis
  • Nothing from authentication procedure persists
    into subsequent transmissions
  • No ongoing session authentication
  • No subkey generation
  • No (mutual) authentication of AP to client
  • Note that client chooses IV when transmitting
    response
  • Attacker Eve eavesdrops on one challenge/response
  • Plaintext, ciphertext, and IV are known can
    recover keystream used in that transmission with
    XOR
  • Then to authenticate herself, she reuses the IV
    and recovered keystream to encrypt an arbitrary
    challenge

26
WEP as Foundation for
  • Authentication
  • Initial assurance of identity
  • Binding authentication to session
  • Mutual authentication
  • Subkey generation
  • Integrity protection
  • Message modification detection
  • Replay detection
  • Confidentiality
  • Message privacy
  • Key privacy

27
Integrity Protection
  • After authentication phase, using WEP to protect
    the data
  • Integrity protection value is CRC-32, not a hash
    function
  • WEP uses a stream cipher
  • So, flip bit n of ciphertext and adjust plaintext
    CRC to compensate
  • Not very good protection at all
  • Replay detection
  • None!

28
WEP as Foundation for
  • Authentication
  • Initial assurance of identity
  • Binding authentication to session
  • Mutual authentication
  • Subkey generation
  • Integrity protection
  • Message modification detection
  • Replay detection
  • Confidentiality
  • Message privacy
  • Key privacy

29
Confidentiality Message Privacy
  • Constant WEP key constant IV same keystream
    each time
  • If Eve knows IV plaintext ciphertext then she
    knows the keystream for that IV
  • Or if she knows IV ciphertext1 ciphertext2
    difference
  • Generally, WEP keys are long-term
  • Hard to change, that's why you configure 4 of
    them
  • So IV shouldn't be constant
  • 802.11 standard doesn't require change, but
    (most) everyone does change it per frame

30
So change the IV
  • IV is 24 bits max 16,777,216 values
  • Choose randomly?
  • Birthday paradox expect reuse after 212 4096
    transmissions
  • So increment instead
  • 11 Mb/s, you can get about 500 full frames / s
  • After about 9 hours your IVs will wrap around at
    this rate
  • 1500 bytes per IV can write them all down in 23
    Gb
  • Note that since most stations use same key, you
    don't have to attack any particular transmitter
  • All in all, very leaky, even when you never learn
    the key
  • Borisov, Goldberg, Wagner give more specific
    attacks in "Intercepting Mobile Communications
    Insecurity of 802.11", Mobicom 2001

31
Attacking the Key
  • Fluhrer, Mantin, Shamir 2001 "Weaknesses in the
    Key Scheduling Algorithm of RC4", Eighth Annual
    Workshop on Selected Areas in Cryptography
  • "IV Weakness" When part of the RC4 key is known,
    the unknown part can sometimes be derived from
    the keystream
  • Easiest when known part precedes unknown part
  • ( IV WEP key ) RC4 key

32
Attacking the Key
  • Time to recover bytes of the key is linear in
    length of key, not exponential
  • Stubblefield, Ioannidis, Rubin implemented attack
    and described in "Using the Fluhrer, Mantin,
    Shamir Attack to break WEP", Symposium on Network
    and Distributed System Security 2002.
  • They could recover the key after about 5,000,000
    packets
  • Various recommendations
  • don't use WEP
  • to resist IV attack, make RC4 key be a "secure
    hash" of IV using secret key rather than just (
    IV secret key )
  • throw away first 256 bytes of keystream to resist
    another attack
  • wepcrack, aircrack, airsnort, weplab

33
WEP as Foundation for
  • Authentication
  • Initial assurance of identity
  • Binding authentication to session
  • Mutual authentication
  • Subkey generation
  • Integrity protection
  • Message modification detection
  • Replay detection
  • Confidentiality
  • Message privacy
  • Key privacy

34
Wired Equivalent Properties?
  • Authentication
  • With wired LAN, typically just whether you can
    find a plug or not, and VLAN considerations
  • Integrity protection
  • CRC-32 fairly common similar attacks possible
  • Confidentiality
  • bridging minimizes number of hosts that see
    transmissions, but optional of course
  • So in this sense, WEP is not so far off from its
    namesake
  • Thing is, far better security properties than
    this are reasonably attainable, at similar cost

35
Improvements Future
  • TKIP Temporal Key Integrity Protocol
  • Designed to allow many older WEP devices to be
    upgraded to a secure protocol. Includes
  • Integrity check "Michael" mandatory
    countermeasures
  • Avoiding weak IVs
  • Anti-replay
  • Avoiding IV reuse
  • Automatic per-packet key update to avoid FMS
    attack
  • "TKIP is a masterpiece of retro-engineering and
    provides real security in a way that WEP never
    could. All the major weaknesses of WEP have been
    addressed... "
  • wrote Edney and Arbaugh

36
Dynamic WEP
  • "The key is provided for me automatically"
    (checkbox in Windows)
  • Simple patch to change keys over time to avoid
    FMS attacks
  • Forces clients to reauthenticate after a timeout
    (e.g. 60 minutes)
  • A faint shadow of TKIP/WPA

37
Improvements Future
  • 802.11i a workable spec for wireless security
  • RSN Robust Security Network
  • Main mode is AES-CCMP Counter ModeCBC MAC
    Protocol
  • Designed cleanly for new hardware
  • 802.11i finalized in June 2004
  • TKIP is a mode under RSN
  • WiFi alliance
  • Industry group didn't want to wait
  • Tore out TKIP and 802.1x EAP, naming it
  • WPA WiFi Protected Access

38
802.1x
  • "Port-based Network Access Control"
  • Not specifically wireless predates that
  • Looking for better mechanism than MAC filtering

39
802.1x Central Idea
  • Supplicant wants to use a LAN port (PAE)
  • Uses 802.1x Extensible Authentication Protocol
    (EAP)
  • Authentication server uses Remote Access Dial-in
    User Service (RADIUS)

40
802.1x
  • Recall 802.11 authentication precedes association
  • Supplicant will engage in EAP session with access
    point before associating
  • EAP Extensible Authentication Protocol
  • Supports TLS, PEAP, SecureID, RSA, MS-CHAPv2,etc.
  • Problem physical port swapping assumed to be
    unlikely, but wireless hijacking is comparatively
    easy
  • Microsoft invented MS-MPPE-Recv-Key attribute in
    order to deliver session key for their
    Point-to-Point Encryption protocol (their own VPN
    technology)
  • Adopted in WPA I don't know about 802.11i
  • EAP is not done confidentially
  • User identification sent in clear
  • Server responses can be spoofed!

41
EAP options
  • EAPTLS widely supported on wireless clients and
    RADIUS servers
  • uses public key certificates to authenticate both
    the wireless clients and the RADIUS servers by
    establishing an encrypted TLS session between the
    two.
  • PEAP "Protected" EAP
  • Phase 1 client performs simple EAP but may use
    anonymous identifier
  • Establishes session key for encryption
    integrity
  • Phase 2 client performs normal EAP within
    established tunnel, now sending its real
    authenticator

42
EAP options
  • TTLS two stages, similar to PEAP
  • uses a TLS session to protect tunneled client
    authentication
  • can also use nonEAP authentication protocols
    such as CHAP, MSCHAP, etc.
  • LEAP "Lightweight", proprietary Cisco protocol

43
UML Implementation
  • Intended to support Windows, Mac, Linux
  • 802.1x PEAP with MS-CHAPv2
  • MS-CHAPv2 RFC 2759
  • straightforward challenge-response proving
    knowledge of username password
  • appears to require WPA TKIP now, though was
    using dynamic WEP previously
Write a Comment
User Comments (0)
About PowerShow.com