Wireless Security: Token, WEP, Cellular


(1)

Wireless Security: Token, WEP, Cellular

27 May 2015

Lecture 9

(2)

Topics for Today

• Security Tokens and Wireless

• Wired Equivalent Privacy (WEP)

• Cellular Network Security Intro

Sources:

• WEP:

– Nikita Borisov, Ian Goldberg, and David Wagner. Intercepting mobile communications: The Insecurity of 802.11. In Proceedings of the 7th Annual International Conference on Mobile Computing and Networking, MobiCom '01.

– Scott R. Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the key scheduling algorithm of RC4. In Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography, SAC '01.

– Karen Scarfone, Derrick Dicoi, Matthew Sexton, and Cyrus Tibbs. Guide to securing legacy IEEE 802.11 wireless networks. Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-48 Revision 1, National Institute of Standards and Technology, Gaithersburg, MD, July 2008.

(3)

Smart Cards

• About the same size as magnetic stripe cards

• Small microchip, memory

• Can run programs

– Java

– Encryption

– Decryption

• Most have contacts

– Some are contactless (RFID)

• Tamper resistant

• More secure than magnetic stripe cards

– They may contain secrets

– Encryption keys

• Commonly used for

– High security banks

(4)

Security Tokens

• Small devices that generate a sequence of random numbers from a secret seed.

• Synchronized with the remote location when the token is assigned to a user

• Often requires a pin or other password for local authentication since it can be stolen or lost!

(5)
(6)

PKES Details

1. Car sends “beacon” messages using low frequency signals (LF – short range)

– May be sent only when the handle opens

2. Key responds to challenge over high frequency (UHF – longer range)

3. Where is key?

– Outside doors? Car opens door

– Inside car? Car turns on ignition

(7)

Break Cryptography

• Intercept messages sent

• Figure out key/secret

• Physical key with RFID tag? Use fake key for entry

https://www.youtube.com/watch?v=eU79c7kA_eA

• Passive key? Just a radio

Signal Amplification

• Amplify the car’s beacon signal to excite the key

• Key responds over UHF (up to 100m)

• Details: http://eprint.iacr.org/2010/332.pdf

(8)

PKES Setup

(9)

E-Commerce Signatures

Digital signatures for verifying transactions

• Token replacement for smart card

• Token can perform encryption/digital signatures

• Can add biometric id

Software communicates with token via USB

Example: Algorithmic Research Minikey 5 (2005): AES, DES, SHA1, RSA (up to 2048 bits), ECB, CBC, OFB

• Encrypts and authenticates

https://www.arx.com/files/DOCUMENTS/Support/CryptoKit-Developers-Guide.pdf

(10)

Using Tokens

• Best used in combination with “Something you know”

– Shows intent and prevents passive attacks

• Token theft?

• Token misuse?

• Commonly found in “Two Factor Authentication” schemes

– Use of smartphones for “Something you have”: SMS, one time codes, location (?)

(11)

So Far

• Security Tokens and Wireless

• Wired Equivalent Privacy (WEP)

• Cellular Network Security Intro

(12)

802.11 LAN Architecture

Wireless host communicates with base station

– Base station = access point (AP)

Basic Service Set (BSS) (aka “cell”) in infrastructure mode contains:

– Wireless hosts

– Access point (AP): base station

Security Assumption:

– Shared key $k$ known to AP and nodes

– Support up to 4 keys per AP

[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

(13)

Security Goals of Wireless

• Confidentiality: Prevent data sent over network from being read by others

• Access Control: Ensure only packets sent by authorized nodes are sent by the AP

• Data Integrity: Prevent tampering with transmitted messages

[Figure: BSS 1 with APs connected through a hub, switch or router to the Internet]

(14)

WEP Encryption Functions

1. Checksum (CRC32):

– Message $M$

– CRC32 remainder $c(M)$

– Plaintext $P = \langle M, c(M) \rangle$

2. Encryption with RC4:

– Choose IV $v$

– Concatenate $v$ with shared secret key $k$

– Use RC4 to generate keystream $RC4(v, k)$

– Encrypt using XOR: $C = P \oplus RC4(v, k)$

3. Transmission:

(15)

WEP Decryption Functions

1. Receive $v, C$

2. Decryption with RC4:

– Separate $v$, $C$

– Concatenate $v$ with shared secret key $k$

– Use RC4 to generate keystream $RC4(v, k)$

– Decrypt using XOR: $C \oplus RC4(v, k) = P \oplus RC4(v, k) \oplus RC4(v, k) = P$

3. Check CRC:

– Extract $\langle M, c(M) \rangle$

(16)
(17)

WEP Authentication

Open System

• No authentication used

• Auth is a “no op”

1. Client requests authentication

2. AP says “OK”

3. Client connects to network

Shared Key

1. Client requests authentication

2. AP sends challenge

3. Client encrypts with shared key and returns

4. AP verifies response and ACKs

(18)

WEP Encryption Details

• Encryption uses RC4 stream cipher

– Invented by Ron Rivest (of RSA fame)

– Accepts multiple length keys

– Most commonly used stream cipher (SSL uses it)

– Has known biases and weaknesses, but not “broken”

• Encryption key length:

– Original version: 40b (due to US export restrictions)

– Newer versions: 104b or longer (232b) (after US relaxed restrictions in 1996 and 2000)

– Key commonly specified in hexadecimal characters

• Some routers use just ASCII characters

• Initialization Vector length: 24b (fixed in standard)

(19)

Key Strength

• 40b isn’t too big

– DES was 56b and still crackable in 24 hours

– Brute forcing the key isn’t too hard

• Solution: Bigger key

– 104b or 232b is big

• Problem: Key strength isn’t the only issue

Stream Cipher Use

Stream ciphers generate random bits and XOR over them

• Same bits on two messages is a bad idea

• $C_1 = P_1 \oplus RC4(v, k)$

• $C_2 = P_2 \oplus RC4(v, k)$

• $C_1 \oplus C_2 = P_1 \oplus RC4(v, k) \oplus P_2 \oplus RC4(v, k) = P_1 \oplus P_2$

• Knowing one plaintext (ex. IP header) lets you know the others

• The more $C_n$ you have, the easier it is

(20)

WEP IV Management

• WEP designers knew this, so each packet gets its own key ($k \| v$)

– With 24b IV, there are $2^{24} = 16{,}777{,}216$ different versions of the key

Problems:

• Some wireless cards reset IV to 0 when installed and just increment

– Old PCMCIA wireless cards would reset on insert

• When does IV wrap?

– AP with 1500B packets and 5Mbps bandwidth

– $\frac{5 \times 10^6\ b/s}{1500 \times 8\ b/p} = 416.6\ p/s$ and $\frac{16{,}777{,}216\ p}{416.6\ p/s} \approx 40{,}265\ s \approx 11.18\ hours$

• Birthday paradox: after $\approx \sqrt{16{,}777{,}216} = 4096$ packets, duplicates likely
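Added example (not from the original slides): the wrap time above applies to a sequential IV counter, while the birthday figure applies to randomly chosen IVs. This sketch computes both with the slide's numbers, assuming IVs drawn uniformly at random; the function names are illustrative.

```python
import math

IV_SPACE = 2 ** 24                  # 24-bit IV, fixed by the standard
PKT_RATE = 5e6 / (1500 * 8)         # slide's AP: 5 Mbps, 1500 B packets

def wrap_seconds(rate: float = PKT_RATE) -> float:
    """Time for a sequential IV counter to use every value once."""
    return IV_SPACE / rate

def collision_probability(n: int, space: int = IV_SPACE) -> float:
    """P(at least one repeated IV) after n packets with random IVs."""
    # Sum logs of the "no repeat yet" factors to avoid underflow.
    log_no_repeat = sum(math.log1p(-i / space) for i in range(n))
    return 1.0 - math.exp(log_no_repeat)

def packets_for(prob: float, space: int = IV_SPACE) -> int:
    """Smallest packet count whose collision probability reaches prob."""
    log_no_repeat, n = 0.0, 0
    while 1.0 - math.exp(log_no_repeat) < prob:
        log_no_repeat += math.log1p(-n / space)
        n += 1
    return n

if __name__ == "__main__":
    print(f"sequential wrap: {wrap_seconds() / 3600:.2f} h")
    print(f"P(repeat) after 4096 packets: {collision_probability(4096):.3f}")
    n50 = packets_for(0.5)
    print(f"50% repeat chance after {n50} packets = {n50 / PKT_RATE:.1f} s")
```

At the slide's packet rate, a random-IV sender reaches an even chance of keystream reuse within seconds, not hours.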

(21)

Duplicate Found– Now What?

• You have $P_1 \oplus P_2$

• Do you know one of them?

– Login structures (field names)

– IP headers or TCP headers predictable

– Send spam which you know

– Some APs send broadcasts both encrypted and un-encrypted, so send a broadcast to it and watch

• Eventually: Can build a decryption library for the AP

– Key doesn’t change often

(22)

Message Modification

CRC not designed for security

• $c(x \oplus y) = c(x) \oplus c(y)$

1. Grab a message $C = RC4(v, k) \oplus \langle M, c(M) \rangle$

2. Choose the changes $\Delta$ that you want to make in $M$

3. Calculate $c(\Delta)$

4. XOR both sides of $C$: $C' = C \oplus \langle \Delta, c(\Delta) \rangle$

5. Now $C'$ decrypts to $M' = M \oplus \Delta$

• Attacker doesn’t need to know $M$, but can choose the modification

Message Injection

• Attacker gets a known plaintext $P$ and ciphertext $C$ pair

– IV reuse perhaps

• Attacker can extract:

– $P \oplus C = P \oplus P \oplus RC4(v, k) = RC4(v, k)$

• Attacker can “encrypt” with $RC4(v, k)$ as desired

– IV reuse is allowed by spec
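Added example (not from the original slides): a toy WEP encapsulation that checks the claims on the Stream Cipher Use, Message Modification and Message Injection slides against the decryption procedure shown earlier. The key, IV and messages are constructed; because zlib's CRC-32 is affine rather than strictly linear, the ICV patch is $c(\Delta) \oplus c(0 \ldots 0)$.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):                       # key scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream output (PRGA)
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(m: bytes) -> bytes:                    # c(M): CRC32 of the message
    return zlib.crc32(m).to_bytes(4, "little")

def wep_encrypt(v: bytes, k: bytes, m: bytes) -> bytes:
    p = m + icv(m)                             # P = <M, c(M)>
    return xor(p, rc4(v + k, len(p)))          # C = P xor RC4(v, k)

def wep_decrypt(v: bytes, k: bytes, c: bytes):
    p = xor(c, rc4(v + k, len(c)))
    m, tag = p[:-4], p[-4:]
    return m if icv(m) == tag else None        # None: CRC check failed

def icv_delta(delta: bytes) -> bytes:
    # zlib's CRC-32 has init/final XOR, so add the CRC of an all-zero block
    return xor(icv(delta), icv(bytes(len(delta))))

K = bytes.fromhex("0102030405")                # constructed 40-bit key
V = bytes.fromhex("aabbcc")                    # constructed 24-bit IV
M1, M2 = b"seq=0001 state=ok", b"HELLO FROM NODE 2"   # constructed messages

def demo():
    c1, c2 = wep_encrypt(V, K, M1), wep_encrypt(V, K, M2)   # same IV twice
    reuse = xor(c1, c2)[:len(M1)] == xor(M1, M2)            # C1^C2 = P1^P2
    delta = xor(M1, b"seq=0009 state=ok")                   # chosen change
    patched = wep_decrypt(V, K, xor(c1, delta + icv_delta(delta)))
    naive = wep_decrypt(V, K, xor(c1, delta + bytes(4)))    # CRC not patched
    ks = xor(c1, M1 + icv(M1))                              # P ^ C = RC4(v, k)
    new = b"injected frame 17"
    injected = wep_decrypt(V, K, xor(new + icv(new), ks))
    return reuse, patched, naive, injected
```

`demo()` returns `(True, b"seq=0009 state=ok", None, b"injected frame 17")`: the receiver rejects only the change made without patching the CRC, which is why WPA2 and later replace the CRC with a keyed integrity check.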

(23)

Authentication Problems

• Attacker watches for shared key authentication

– Gets challenge

– Gets response

– Can calculate keystream

• Attacker can now respond to any challenge

(24)

Lazy Message Decryption

• Decryption too much work? Make the AP do it

1. Grab an encrypted WEP packet

2. Modify the “Destination” field in the IP header plus CRC

– IP checksum can be defeated

– Need to guess the destination IP address

– Compensate by changing other IP header fields to match checksum ones-complement math

– Choose a target IP which is the same as the destination IP with respect to ones-complement math

3. AP will decrypt and send packet to target

• Can also use TCP reaction attack

– Change one bit at a time and watch if recipient accepts it

– Checksum tells one bit of information per attempt

(25)

WEP Summary

• Designed with a weak key (40b), but is weak in almost every way

– Increasing key size doesn’t help

• Classic failure: Network standards people didn’t ask cryptography community for input

– Stream cipher misused

– IV misused

– CRC and checksum misused

(26)

So Far

• Security Tokens and Wireless

• Wired Equivalent Privacy (WEP)

• Cellular Network Security Intro

(27)

Cellular Network Architecture

• Cellular phone

– Mobile Station (MS)

– Mobile Equipment (ME)

– Terminal Equipment (TE)

• Subscriber Identity Module (SIM) Card

– USIM card for 3G

• Antenna

– Cell, Node B, Basic Service Set (BSS)

• Home Location: Who you pay your bill to

– Long term contract

– Shared secret

• Visitor Location: Where you are right now

– Roaming agreement with home

– Gives you service now

– You don’t trust them, but they want to bill you

(28)
(29)

GSM Lessons

Security lessons learned from GSM & 2.75G:

• Weak Cryptography

– Eavesdropping attacks

• One-way authentication

– Man in the Middle Attacks

– Attacker can trick the phone and network to stop encrypting or to use a weak cipher

• Denial of Service attacks

• Jamming

• Core (SS7) vulnerabilities

• Caller ID spoofing

• IMSI catchers

– Listen for International Mobile Subscriber Identity (IMSI) numbers which let you track phones (privacy)

(30)

Conclusion

• Security Tokens and Wireless

• Wired Equivalent Privacy (WEP)

• Cellular Network Security Intro
