1 / 62

IEEE 802.11 (WiFi)

IEEE 802.11 (WiFi). Wired Equivalent Privacy (WEP). 1. IEEE 802.11 – Two modes. (Independent) Basic Service Set (IBSS) (ad-hoc network). Extended Service Set (ESS) (infrastructure network). See in lab #4. 2. Network Lab 1996. 3. 4. 8.1.1 Open System Authentication

toshi
Download Presentation

IEEE 802.11 (WiFi)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IEEE 802.11 (WiFi) Wired Equivalent Privacy (WEP) 1

  2. IEEE 802.11 – Two modes (Independent) Basic Service Set (IBSS) (ad-hoc network) Extended Service Set (ESS) (infrastructure network) See in lab #4 2

  3. Network Lab 1996 3

  4. 4

  5. 8.1.1 Open System Authentication ► “Essentially it is a null authentication algorithm.” ► this is the default ► simple handshake – just two messages ► station’s application for authentication is not required to be successful (AP may be too busy to accept another station) 5

  6. 8.1.2 Shared-Key Authentication “Shared Key authentication supports authentication of STAs as either a member of those who know a shared key or a member of those who do not.” “The required secret, shared, key is presumed to have been delivered to participating STAs via a secure channel that is independent of IEEE 802.11.” 6

  7. “During the Shared Key authentication exchange, both the challenge and the encrypted challenge are transmitted.” We had this demonstration in discussion of stream ciphers: Encryption with RC4 stream cipher plaintext 0 1 1 0 1 1 1 1 1 0 1 1 0 0 1 1 keystream 1 0 1 1 0 0 0 1 1 0 1 0 0 1 1 0 ciphertext 1 1 0 1 1 1 1 0 0 0 0 1 0 1 0 1 Detection of the keystream C XOR P = (K XOR P) XOR P = K plaintext 0 1 1 0 1 1 1 1 1 0 1 1 0 0 1 1 ciphertext 1 1 0 1 1 1 1 0 0 0 0 1 0 1 0 1 keystream 1 0 1 1 0 0 0 1 1 0 1 0 0 1 1 0 Will this be a problem in WEP? 7

  8. Shared Key Authentication involves exchange of four frames: Frame 1 – requester to responder: “I want to be a member of the ‘in’ group.” Frame 2 - responder to requester: Responder uses WEP to generate a 128-octet challenge text and transmits it to requester. Frame 3 – requester to responder: Requester copies the challenge text into the frame data area and transmits it using WEP (thereby encrypting the text). Frame 4 – responder to requester: Responder decrypts challenge and compares with original. Code for “OK” or “not OK” 8

  9. 8.2 The Wired Equivalent Privacy (WEP) Algorithm Objective is to protect users from “casual eavesdropping” “Data confidentiality depends on an external key management service to distribute data enciphering/deciphering keys.” 8.2.2 Properties of the WEP Algorithm ► It is reasonably strong ► It is self-synchronizing – will explain later ► It is efficient – may be implemented in either hardware or software ► It may be exportable ► It is optional 9

  10. Reminder from Chapter 2: Stream cipher operation Given the key, a key-stream is generated as long as the plaintext. 128 bits Length of Message Figure 2.8 Stream Cipher Diagram

  11. 8.2.3 WEP theory of operation “The WEP algorithm is a form of electronic code book [not in the same sense as we used ECB in Chapter 2] in which a block of plaintext is bitwise XORed with a pseudorandom key sequence of equal length. The key sequence is generated by the WEP algorithm.” 8.2.4 WEP Algorithm Specification WEP uses the RC4 PRNG 11

  12. Unlike the IV necessary with a block cipher using CBC, this IV would not have been required in this design using a stream cipher, but it was adopted to expand the secret key and avoid using the same key repeatedly (IV is a “salt”). “The secret key remains constant while the IV changes periodically. Each new IV results in a new seed and a new key sequence …The IV may be changed as frequently as each MPDU [frame] and, since it travels with the message, the receiver will always be able to decipher any message [self-synchronizing]” The PRNG seed is 64 bits = 24-bit IV || 40-bit Secret Key (later option: seed 128 bits = 24-bit IV || 104-bit secret key – became widely used). 12

  13. 13

  14. Figure 45 – WEP decipherment block diagram 14

  15. 8.2.5 WEP Frame Body Expansion Recall from CS 334/534: Wired Ethernet Frame Format CRC-32 Figure 6 - 802.11 frame format 15

  16. CRC-32 CRC-32 Figure 46 – Construction of expanded WEP frame body 16

  17. 17

  18. “The WEP mechanism is invisible to entities outside the 802.11 data path.” WEP applies only within a BSS End of excerpt from IEEE 802.11 1999 standard 18

  19. Recall from Chapter 2 - Manipulation of message: If a bit in the ciphertext is flipped, this produces an undetectable change in the decrypted message! 19

  20. Encryption with RC4 stream cipher plaintext 0 1 1 0 1 1 1 1 1 0 1 1 0 0 1 1 keystream 1 0 1 1 0 0 0 1 1 0 1 0 0 1 1 0 ciphertext 1 1 0 1 1 1 1 0 0 0 0 1 0 1 0 1 Detection of the keystream C XOR P = (K XOR P) XOR P = K plaintext 0 1 1 0 1 1 1 1 1 0 1 1 0 0 1 1 ciphertext 1 1 0 1 1 1 1 0 0 0 0 1 0 1 0 1 keystream 1 0 1 1 0 0 0 1 1 0 1 0 0 1 1 0 However, this is the keystream, not the key itself “Factoring out the Keystream” C1 XOR C2 = (P1 XOR K ) XOR (P2 XOR K) = P1 XOR P2 XOR K XOR K = P1 XOR P2 20

  21. Problems with WEP After standard was issued in 1999, there was a flurry of criticism in 2001. Borisov paper – July 2001 ► Possible Attacks in Principle 1. If an attacker flips a bit in the ciphertext, then on decryption the corresponding bit in the plaintext will be flipped. 2. XOR of two ciphertexts encrypted with same keystream yields the XOR of the two plaintexts (“factors out the keystream”) If both plaintext and ciphertext are known, XOR gives keystream. ► Claimed Defenses 1. To ensure that a packet has not been modified in transit, WEP includes an ICV within the encrypted packet 2. To avoid encrypting two plaintexts with the same keystream, an IV is used to produce a different RC4 key for each packet. 21

  22. ► Claimed Defenses (repeat) 1. To ensure that a packet has not been modified in transit, WEP uses an ICV within the encrypted packet. 2. To avoid encrypting two plaintexts with the same keystream, an IV is used to produce a different RC4 key for each packet. 22

  23. ► Claimed Defenses (repeat) 1. To ensure that a packet has not been modified in transit, WEP uses an ICV within the encrypted packet. 2. To avoid encrypting two plaintexts with the same keystream, an IV is used to produce a different RC4 key for each packet. ► Defense Failures 1. The ICV is implemented as a CRC-32 checksum; flipping bit n in the encrypted message results in a deterministic set of bits that must be flipped in the encrypted ICV to produce a correct checksum for the modified message. 2. IV is only 24 bits, sent “in the clear,” so in a busy network it will recycle fairly quickly (“IV collision”); usually all stations in the network use the same key, so it will not be hard to find two messages encrypted with the same keystream. Additionally, IV changes are not required by the 1999 standard 23

  24. A Note on the CRC-32 cyclic redundancy check (“checksum”) We first meet it in the wired Ethernet Frame Format: CRC-16 detects all random errors with an odd number of bits, all double errors, all burst errors with length 16 or less, 99.997% of 17-bit error bursts, and 99.998% of 18-bit and longer bursts. CRC-32 is extremely good at detecting random transmission errors, but useless against intentional changes made by Darth. 24

  25. ► Attacks in Practice Passive Attack to Decrypt Traffic Wait for an IV collision, then XOR ciphertexts to get XOR of plaintexts; XOR of plaintext and ciphertext gives keystream for that IV. Active Attack to Inject Traffic Knowing keystream from above, Darth can construct a correctly encrypted packet; Variant: Darth flips selected bits in the ciphertext and adjusts the ICV to make it correct for the altered message. 25

  26. Active Attack involving Internal and External Machines Darth! Since WEP is applied only on the wireless link, if attacker has access to an external host (anywhere in the Internet) and knows the IP address of a machine inside the BSS, he can send a message to that machine, viewing theencrypted version on the wireless link (this would be a “chosen plaintext attack”). Alternative: Copy encrypted packet on wireless link, guess destination IP address, change IP destination address to ownexternal machine, adjust ICV and send to AP; AP will decrypt message and forward plaintext to attacker’s machine. 26

  27. Table-Based Attack “The small space of possible IVs allows an attacker, over time, to build a decryption table. Once he learns the plaintext for some packet, he can compute the RC4 keystream generated by particular IV used in that packet …. Attacker can decrypt every packet that is sent over the wireless link until the secret key is changed.” ► Conclusion “Wired Equivalent Privacy (WEP) isn’t.” None of these attacks reveal the secret key 27

  28. Vulnerability of Challenge/Response, by Arbaugh et al (March, 2001) Genuine authentication: Frame 2 AP STA 128-octet challenge Frame 3 128-octet challenge || 4-octet ICV IV3 28

  29. Vulnerability of Challenge/Response, by Arbaugh et al (March, 2001) Genuine authentication: Frame 2 AP STA 128-octet challenge ICV Frame 3 128-octet challenge || 4-octet ICV IV3 Darth has observed both 128-octet challenge (so can compute the ICV) and the 132-octet response, so by XORing the strings computes the 132-octet keystream for IV3. Darth applies for authentication. He will receive a different 128-octet challenge. He transmits it using IV3 and the above 132-octet keystream. He is authenticated. Shared-key authentication less secure than Open Key! 29

  30. Brief [Non-Rigorous] Description of Fluhrer Attack (August, 2001) 3-octet IV || 5-octet secret key is used to seed RC4. Introduce variable keybyte = 1..5 for the 5 octets of the secret key. Fluhrer, Mantin and Shamir showed that certain IVs are “weak.” The form of the weak IVs is (keybyte + 3, 0xFF, N) where N = anything. For these weak IVs, the first byte of the keystream depends only on three internal 1-octet variables in RC4. If we know the first octet of the keystream, we have a good chance of guessing the corresponding byte of the secret key. The key, not just the keystream 30

  31. But how can we know the first byte of the keystream? Recall 802.11 Frame Format: When an IP datagram is encapsulated in an 802.11 frame, this is the format: For IP traffic, the contents of the first 6 octets after the 802.11 headers and the IV are fixed – first octet is 0xAA So we know both the plaintext and ciphertext byte and can XOR. To guess first octet of secret key, look for IVs of form 00000100 11111111 xxxxxxxx 31

  32. Paper by Stubblefield, Ioannidis, and Rubin (August, 2001) They demonstrated the theoretical Fluhrer attack in practice. “ … protocol designers without a strong grounding in cryptography and security may not be aware of the correct way to implement them, and that is exactly what happened in the case of WEP.” RSA Security, Inc. now recommends that the first 256 bytes of RC4 output be discarded. Stubblefield recommendations: (1) assume WEP provides no security! (2) Use IPSec or SSH (3) Treat all 802.11 systems as external; place all APs outside firewall Download “cracking” packages, such as Airsnort, quickly became available. 32

  33. Slides will follow the handout “Wi-Fi Protected Access (WPA)” This is a composite of Stallings’ Section 6.2 and two other books. 33

  34. What can be done to repair WEP? By the end of 2001 it was clear that WEP was “broken,” and had to be replaced by a more secure algorithm. Problem: Millions of pieces of WEP-oriented equipment, particularly Access Points had been deployed (“legacy equipment”). A replacement algorithm had to run on this equipment. Three major constraints on a replacement algorithm ► software/firmware upgrades only – no chip replacement ► only a few spare cycles available in usual AP microprocessor ► WEP encryption algorithm (RC4) is “wired in” by special-purpose hardware WEP Replacement is “Wi-Fi Protected Access” (WPA) 34

  35. Figure 45 – WEP decipherment block diagram In the AP these are done in a hardware “encryption engine,” not in software 35

  36. WPA and WPA2 WPA, introduced in April, 2003 was based on draft 3 of IEEE 802i It was an interim “fix” designed to rescue “legacy” equipment and therefore subject to the severe constraints listed earlier. In July, 2004 IEEE approved the final 802.11i specification as the Robust Security Network and the WiFi alliance adopted this as WPA2. WPA2 provided all of the mechanisms available in WPA, plus: Strong encryption (AES) and authentication support for infrastructure and ad-hoc networks (WPA is limited to infrastructure networks) RSN/WPA2 involves an Authentication Server with protocol IEEE 801X and uses AES/CBC for encryption. This will probably be appropriate in and Enterprise (large company) situation. We shall content ourselves with studying WPA in Small Office/Home Office (SOHO) Mode. 36

  37. IEEE 802i Phases of Operation – preview (Stallings page 184-6) 802.11i security is provided only over the wireless link within a BSS, not externally. Phase 1 - Discovery Phase 2 - Authentication Phase 3 - Key Generation and Distribution to STA and AP Phase 4 - Actual User Data Transfer Phase 5 - Connection Termination when Transfer Complete 37

  38. Phase 1 – Discovery The purpose of this phase is for STA and AP to establish (unsecure) contact and negotiate a set of security algorithms to be used in subsequent phases. STA and AP need to decide on: ► The methods to be used in phase 3 to perform mutual authentication of STA and AP and generate/distribute keys. ► Confidentiality and integrity algorithms to protect user data in phase 4 38

  39. The discovery phase uses three message exchanges (CS334/534): ► Probe request/response (or observation of a beacon frame) APs advertize their capabilities (WEP, WPA, etc.) in Information Elements in their beacon frames and in their probe responses. ► Authentication request/response WEP Open System Authentication, for backward compatibility (provides no security) ► Association request/response STA chooses methods to be used from AP’s menu (we will study the case that the station chooses WPA/TKIP) STA uses an Information Element in Association Request to inform AP 39

  40. Phase 1 This is not Phase 2/3 Authentication! Figure 6.6 (upper) Phase 1 Discovery 40

  41. Phase 2 - Authentication SOHO Mode A pre-shared key (PSK), is provided in advance to the station and AP by a method external to 802.11i In this case the lower half of figure 6.6 is bypassed (and was not shown in the previous slide). There are two methods for providing the PSK: ► the exact 256-bit number can be provided and used as PMK ► a passphrase can be adopted, keyed in by user and expanded to 256 bits by the system. In WPA SOHO mode STA and AP delay authenticating each other until phase 3, when they demonstrate that each knows information derived from the PSK. 41

  42. Phase 3 – Key Generation and Distribution In SOHO mode the PSK has already been shared, so no more distribution is needed and key generation can proceed. Next step in SOHO: The PSK is adopted as the Pairwise Master Key (PMK) (misnomer!) 42 Figure 6.8 (upper)

  43. The Pairwise Master Key is not used directly in any security operation. Instead, it will be used to derive a set of keys, the Pairwise Transient Key, to protect the link between AP and station. Protection is needed during two phases: ► in phase 3 - the handshake between station an AP (protocol called “EAPOL”) ► in phase 4 - Passing user data during actual use of the link 43

  44. In both phases separate keys are needed for integrity and encryption, so the total number of keys needed is four: ► EAPOL-key Confirmation key (KCK) (Integrity) ► EAPOL-key Encryption key (KEK) ► Data Integrity Key (part of Temporal Key) ► Data Encryption Key (part of Temporal Key) PSK 44 Figure 6.8 (middle)

  45. Computation of the PTK from the PMK The PTK is re-computed every time a station associates with an AP. We want the PTK to be different for each STA-AP pair and different each time a STA associates with an AP (so as not to re-use old keys) Four-way handshake: TKIP/WPA uses a four-way handshake during establishment of the association relationship between an AP and a station STA AP Preview 45

  46. We can force the PTK to be different for each STA-AP pair by mixing their MAC addresses into the computation of the PTK. But since these do not change between associations, there must also be some dynamic input to the PTK - nonces. The standard refers to the Supplicant S (the STA seeking authentication) and the Authenticator A (the AP granting authentication). Recall that in the discovery phase the STA sent its association request to the AP, including the selection of WPA/TKIP for security. For later use, we can think of the STA randomly generating a nonce (Nonce1) at that point, but not transmitting it. 46

  47. Four-Way Handshake Frame 1:AP to STA:a nonce chosen by the AP (Nonce2) Nonce2 gives the STA the last piece of information it needs to compute the 512-bit PTK: Computation of PTK from PMK 47

  48. Four-Way Handshake - continued Frame 2: STA to AP: Nonce1, together with a message integrity code (MIC) Nonce1 gives the AP the last piece of information it needs to compute the PTK, so key exchange is complete. This enables the AP to check the validity of the MIC. If correct, this proves that that the STA possesses the PMK and authenticates the STA. Each side has chosen a nonce, and both nonces have been mixed into the computation of the PTK, so PTK is unique to each AP-STA pair and to each association session . 48

  49. Four-Way Handshake - continued Frame 3: AP to STA: message “AP able to turn on encryption” (includes MIC, so STA can check that AP knows PMK) Frame 4: STA to AP: message “STA about to turn on encryption” After sending frame 4, STA activates encryption; on receipt of frame 4, AP activates encryption. At this point Phase 3 is complete – we have authenticated the STA and the AP, using the EAPOL keys, and have generated the 256-bit Temporal Key for use in phase 4. We can proceed to phase 4 – secure transmission of user data. TKIP stands for Temporal Key Integrity Protocol (“temporal” = “temporary” - only for this association session) 49

  50. Phase 4 – Protected Data Transfer WPA/TKIP adds new capabilities to WEP: ■ A cryptographic message integrity code, or MIC, called Michael, to replace CRC-32 and defeat forgeries Designed by Niels Ferguson - will be executed in software; ■ A new IV sequencing discipline, to remove replay attacks from the attacker’s arsenal; the IV is expanded to 48 bits; ■ A per-packet key mixing function, to de-correlate the public IVs from Fluhrer’s “weak keys” and provide different encryption keys for each direction of transfer (to/from AP), and each successive packet. (Recall that we’ve already generated different keys for each STA-AP pair and each association session) 50

More Related