Security of 802.11 - PowerPoint PPT Presentation

About This Presentation
Title:

Security of 802.11

Description:

Example of Multi-Cell Wireless LAN. COMP4690, HKBU. 5. IEEE 802.11 ... BSS generally corresponds to a 'cell' DS can be a switch, wired network, or ... cell phones ... – PowerPoint PPT presentation

Number of Views:12
Avg rating:3.0/5.0
Slides: 27
Provided by: compHk
Category:

less

Transcript and Presenter's Notes

Title: Security of 802.11


1
COMP4690 Advanced Topic
  • Security of 802.11

2
Outline
  • Introduction of 802.11
  • Introduction of WEP
  • Security of WEP
  • References

3
Example of Single-Cell Wireless LAN
4
Example of Multi-Cell Wireless LAN
5
IEEE 802.11 infrastructure mode
  • Smallest building block is Basic Service Set
    (BSS)
  • A number of stations executing the same MAC
    protocol
  • Compete for access to same shared wireless medium
  • A BSS may be isolated, or may connect to a
    Backbone Distribution System (DS) through an
    Access Point (AP)
  • AP functions as bridge
  • MAC protocol may be distributed or controlled by
    a central coordination function in AP
  • BSS generally corresponds to a cell
  • DS can be a switch, wired network, or wireless
    network

6
IEEE 802.11 infrastructure mode
hub, switch or router
BSS 1
BSS 2
7
IEEE 802.11 Protocol Architecture
8
Some history
  • Cordless phones
  • Analog cell phones
  • Anybody with a scanner that operated at the right
    frequency could easily listen to calls not
    intended for them.
  • 802.11 tried to avoid, but the same cycle still
    played out
  • Wireless access points must announce themselves
    to the world by broadcasting 802.11 beacon
    frames.
  • Wandering users with an 802.11 receiver can find
    out about wireless networks in the area simply by
    putting up an antenna.
  • War driving driving around looking for access
    points
  • http//www.securityfocus.com/news/192
  • One quick solution MAC-address filtering
  • But malicious attackers can alter addresses (with
    sufficient operating system privileges).

9
Security of 802.11
  • Existing security consists of two subsystems
  • A data encapsulation technique called Wired
    Equivalent Privacy (WEP)
  • An authentication algorithm called Shared Key
    Authentication
  • Defined in Section 8 Authentication and privacy
    in the IEEE Std 802.11 (in 1997).

10
WEP
  • Wired Equivalent Privacy
  • To protect authorized users of a wireless LAN
    from casual eavesdropping
  • To create the privacy achieved by a wired network
    (using a switch)
  • Because of the U.S. export regulations, WEP
    secret keys were limited to 40 bits.
  • The rules were relaxed later.
  • WEP has been an option feature.
  • But WEP itself was a flawed anchor point for
    security.
  • Even with 128-bit version, WEP is still not
    secure!

11
WEP
  • WEP relied on a secret key (40-bit) shared
    between the two peers (usually a mobile station
    and an access point).
  • Before transmission of a frame
  • Checksumming compute an integrity checksum on
    the message using CRC-32 algorithm, then
    concatenate the two into plaintext P
  • Encryption encrypt the plaintext P using RC4.
    This requires an initialization vector (IV). IV
    has only 24 bits. It is inserted into the frame
    in plaintext (so that the peer can decrypt the
    ciphertext).

12
WEP Encapsulation
  • WEP Encapsulation Summary
  • Encryption Algorithm RC4
  • Per-packet encryption key 24-bit IV
    concatenated to a pre-shared key
  • WEP allows IV to be reused with any frame
  • Data integrity provided by CRC-32 of the
    plaintext data (the ICV)
  • Data and ICV are encrypted under the per-packet
    encryption key

13
WEP Encryption
IV 24-bit, how often to change IV values? Secret
Key 40-bit, be distributed by an external key
management service Seed 64-bit PRNG
Pseudo-Random Number Generator, using RC4
algorithm from RSA Data Security, Inc. ICV
32-bit, using CRC-32
14
WEP Encryption
  • Message M
  • Initialization vector (IV) v
  • Integrity checksum (ICV) c(M)
  • After concatenation P M c(M)
  • Key sequence RC4(v, k)
  • Ciphertext C P?RC4(v, k)

15
WEP Decryption
16
WEP Decryption
  • The receiver gets v from the received frame.
  • The receiver calculates the key sequence using
    RC4(v, k).
  • The receiver decrypts the ciphertext using
  • P C?RC4(v, k)
  • P is divided into two parts M' and c' where c'
    contains the last 32 bits of P. If c(M') c',
    the receiver will think that M' is the message.

17
Properties of Vernam Ciphers
The WEP encryption algorithm RC4 is a Vernam
Cipher
Decryption works the same way p c ? b
18
Properties of Vernam Ciphers
Thought experiment 1 what happens when p1 and p2
are encrypted under the same random byte b?
Then
c1 ? c2 (p1 ? b) ? (p2 ? b) p1 ? p2
Conclusion it is a very bad idea to encrypt any
two messages using the same key sequence. The
ciphertexts can be sniffered easily. So once p1
is know, you can know p2, and vice versa.
19
Keystream Reuse
  • Keystream (or key sequence) RC(v, k)
  • Usually k is fixed.
  • How about v?
  • Its better to have different values of v for
    different packets per-packet IV.
  • However, IV collision is difficult to avoid
  • For some implementations, IV is reset to 0 when
    initialized, and incremented by one for each
    packet.
  • IV has only 24 bits, too short!!!

20
How to Read WEP Encrypted Traffic (1)
24 bits
  • If IV is randomly chosen, by Birthday Paradox,
    probability Pn that two packets will share same
    IV after n packets is P2 1/224 after two frames
    and Pn Pn1 (n1)(1Pn1)/ 224 for n gt 2.
  • 50 chance of a collision exists already after
    only 4823 packets!!!
  • Once two encrypted packets that use the same IV
    are discovered, various methods of attack can be
    applied to recover the plaintext. If the
    plaintext of one of the messages is knows, it is
    easy to derive the contents of the other one and
    also other messages that have been encrypted
    using the same IV can be directly decrypted.

21
How to Read WEP Encrypted Traffic (2)
  • Ways to accelerate the process
  • Send spam into the network no pattern
    recognition required!
  • Get the victim to send e-mail to you
  • The AP creates the plaintext for you!
  • Decrypt packets from one Station to another via
    an Access Point
  • If you know the plaintext on one leg of the
    journey, you can recover the key stream
    immediately on the other
  • Etc., etc., etc.

22
Data Integrity
  • CRC checksum is insufficient to ensure data
    integrity.
  • It is designed to detect random errors, not to
    stop malicious attackers!
  • It is easy for attackers to modify the message
    and to inject messages without detection!
  • Mainly because CRC is a linear function of the
    message c(x?y) c(x) ? c(y)

23
Message Modification
  • Assume C is the ciphertext of message M
  • C RC4(v, k) ? (Mc(M))
  • For an attacker, he can easily capture C and v.
    But he doesnt know k.
  • The main purpose of the attacker is to replay a
    different message C' to the receiver without
    being detected. In another word, the receiver
    will get a wrong message M'.

24
Message Modification
  • Given any E, the attacker can calculate its
    checksum c(E). Then the attacker generates C' as
  • C' C ? (Ec(E))
  • Once C' is received by the receiver, it will
    decrypt as follows
  • Therefore the receiver gets a wrong message M'
    M?E.

25
Final answer?
  • WPA Wi-Fi Protected Access
  • Intended as an intermediate measure to take the
    place of WEP while 802.11i was prepared
  • 802.11i
  • Ratified in June 2004. Supported by Intel, IBM,
    etc.
  • AES-CCMP (Counter-Mode/CBC-MAC Protocol)
  • WRAP (Wireless Robust Authenticated Protocol)
  • 802.1x
  • WPA2
  • WPA2 is the certified form of 802.11i tested by
    the Wi-Fi Alliance.
  • WPA2 implements the mandatory elements of 802.11i
    .

26
References
  • ISO/IEEE Std 802.11, Section 8, MAC and PHY
    Specifications -- Authentication and Privacy,
    1999 Edition.
  • Nikita Borisov, et al, Intercepting Mobile
    Communications the Insecurity of 802.11, 2001.
  • W. A. Arbaugh, et al, Your 802.11 Wireless
    Network has No Clothes, 2001.
  • Matthew Gast, Wireless LAN Security a Short
    History, 2002.
Write a Comment
User Comments (0)
About PowerShow.com