Electronic Security - PowerPoint PPT Presentation

About This Presentation
Title:

Electronic Security

Description:

The examination of security systems which are implemented primarily by means of an electronic ... (credit for this image: Vitaly Shmatikov) RC4 keystream = IV ... – PowerPoint PPT presentation

Slides: 7
Provided by: Joh6228

Transcript and Presenter's Notes

Title: Electronic Security


1
Electronic Security
  • Inaugural meeting
  • (for Hasheem that means the first meeting)

2
What Is Electronic Security?
  • For our purposes
      • Security that does not involve the mechanical
        exploitation of vulnerabilities in physical locks
      • The examination of security systems which are
        implemented primarily by means of an electronic
      • Basically, anything interesting that involves
        both security and electronics (we are open to
        suggestions for future meetings!)

3
Quick and Dirty Network Security (NOT an
exhaustive list, just enough concept to move to
our main topic)
  • Privacy
      • Only trusted parties can participate in
        conversations (actively)
      • Anyone who tries to listen won't understand the
        conversation
  • Integrity
      • When person A sends message M to person B,
        person B can be certain that M did not change at
        all from the time A sent it to the time B
        received it

4
WEP (or when smart engineers make very, very bad
decisions)
  • Wired Equivalent Privacy
  • Outlined in the IEEE 802.11b standard
  • Uses RC4 stream cipher for privacy/encryption
      • Used badly/improperly
  • Uses CRC-32 checksum for integrity
      • Ultimately this provides ZERO integrity

5
RC4 is a Stream Cipher
[Diagram labels: Keystream ("To infinity and beyond!"), Plaintext, Ciphertext]
  • Claude E. Shannon proved that this encryption
    scheme provides PERFECT security if and only if:
      • There is no repeating pattern in the keystream
      • The keystream is as long as the plaintext
  • RC4 provides a PSEUDORANDOM keystream from a secret
    key + Initialization Vector (IV).
  • Not perfect, but pretty good ONLY if the IV
    NEVER repeats!

6
WEP Implementation (credit for this image: Vitaly
Shmatikov)
[Figure labels: RC4 keystream, IV, secret key, keystream, data layer frame]
IV is sent in the clear
CRC-32 is a linear translation through xor, so anyone
can re-compute
THE FREAKING IV IS SENT IN THE CLEAR; IT MAKES UP
24 BITS OF THE KEY NO MATTER HOW BIG THE KEY IS
Vulnerable to Fluhrer et al. attack on RC4.
John Gordon will now demonstrate.