Date post: | 13-Dec-2015 |
Upload: | merryl-cleopatra-lester |
11/28/2001 Wireless Security 2
Overview
  Introduction
  Data Encryption
  Private Key Cryptography
  Public Key Cryptography
  Digital Signatures
  Cryptographic Hash Functions
  Wireless Security Issues
  WEP Security Issues

Network Security – Issues
  Confidentiality – Can you keep a secret?
  Integrity – Did you get the message I sent?
  Availability – Are you there when needed?
  Identification – Who are you?
  Authentication – Can you prove who you are?
  Access Control – What are you allowed to do?
  Non-repudiability – Yes you did!
  Audit Trails – What have you been up to?
  Privacy – Can you treat me like a human?

Network Security - Why is it difficult?
  Complexity.
  Resource sharing.
  Unknown Perimeter.
  Many points of attack.
  Anonymity.
  Unknown Paths.

Security Mechanisms
Three basic building blocks are used:
  Encryption is used to provide confidentiality, can provide authentication and integrity protection
  Digital signatures are used to provide authentication, integrity protection, and non-repudiation
  Checksums/hash algorithms are used to provide integrity protection, can provide authentication
One or more security mechanisms are combined to provide a security service

Services, Mechanisms, Algorithms
  A typical security protocol provides one or more services
  Services are built from mechanisms
  Mechanisms are implemented using algorithms

Data Encryption
  Encryption is the process of encoding a message such that its meaning is not obvious.
  Decryption is the reverse process, i.e., transforming an encrypted message to its original form.
  We denote plaintext by P and ciphertext by C.
  C = E(P), P = D(C) and P = D(E(P)), where E() is the encryption function (algorithm) and D() the decryption function.
[Figure: Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext]

Kerckhoffs’s Principle
  How do you prevent an eavesdropper from computing P, given C?
  Keep the encryption algorithm E() secret. BAD IDEA!!
  Choose E() (and corresponding D()) from a large collection, based on a secret key. GOOD IDEA!! Kerckhoffs’s principle.
  C = E(K, P) and P = D(K, C)
[Figure: Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext, with the Secret Key as input to Encryption and Decryption]

Symmetric and Asymmetric Cryptosystems
  Just by changing the key we have different encryptions of one plaintext.
  If the encryption key and the decryption key are the same then we have a symmetric encryption scheme (also private key, one-key).
  If the encryption key and the decryption key are different then we have an asymmetric encryption scheme (also public key, two-key).
  A cryptosystem is then a five-tuple consisting of
    1) The set of all plaintexts
    2) The set of all ciphertexts
    3) The set of all keys
    4) A family of encryption functions
    5) A family of decryption functions.

Example – Caesar Cipher
  Let messages be all lower case from a through z (no spaces or punctuation).
    itsnotthathardtoread
  Represent letters by numbers from 0 to 25.
  Encryption function
    Ci = E(Pi) = Pi + K
  where K is the secret key and addition is done modulo 26.
  Decryption is
    Pi = D(Ci) = Ci - K
  UNIX ROT13 uses K as 13.

Cryptanalysis
A cryptosystem has to be secure against the following kinds of attacks:
  Ciphertext only attack.
  Known plaintext attack.
  Chosen plaintext attack.
  Adaptive chosen plaintext attack.
  Chosen ciphertext attack.
  Chosen key attack.
Of course there is one attack against which no cryptosystem can offer protection – rubber hose attack.

Brute Force Attacks.
  If the key space is finite, given a ciphertext a cryptanalyst can try and check all possible keys.
  For the above to be infeasible, the key space should be large!! How large? How about $2^{56}$?
  Large enough to make it impractical for an adversary. But what is impractical today may not be so tomorrow.
  In practice, for a “good” cryptosystem, the only possible attack should be the brute force attack, which should be impractical into the foreseeable future, as long as the message may have value.

DES – Data Encryption Standard
  Private key.
  Encrypts by a series of substitutions and transpositions.
  Worldwide standard for more than 20 years.
  Has a history of controversy.
  Designed by IBM (Lucifer) with later help (interference?) from NSA.
  No longer considered secure for highly sensitive applications.
  Replacement standard (AES - Rijndael) has been selected.

Computation of F:
  Expansion function E: maps bit string of length 32 to bit string of length 48. Permutes bits in a fixed way and duplicates certain bits.
  Key schedule: each round uses a 48 bit key obtained by performing permutations, shifts, and discarding bits from the original 56 bit key. Fixed algorithm for each round.
  Resulting 48 bit string broken into 8 6-bit strings.

S-boxes: S1
  14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
   0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
   4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
  15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
$S_j(b_1 b_2 b_3 b_4 b_5 b_6)$ is the table entry from
  row: $b_1 b_2$
  column: $b_3 b_4 b_5 b_6$
$S(011001) = \text{table}[1,9] = 6_d = 0110$

Double DES
  Double DES is almost as easy to break as single DES (Needs more memory though)!

Triple DES
  Triple DES (2 keys) requires $2^{112}$ search. Is reasonably secure.
  3 keys requires $2^{168}$.

Other Private Key Cryptosystems
  IDEA
  Twofish
  Blowfish
  RC4, RC5, RC6
  Rijndael (AES Winner)
  Serpent
  MARS
  Feal

Private key cryptography revisited.
  Key distribution and management is a serious problem!
  N users – $O(N^2)$ keys!

Public key cryptography
  The key management problem is not really that simple, as we will see later!!! (trust).

A Simple Example
  Anyone can map from plaintext to ciphertext.
  Decryption easy only with inverted phone book.

  Plaintext | Phone book entry | Ciphertext | Plaintext
  P         | Peggy            | 7123456    | P
  O         | Olivia           | 6752345    | O
  K         | Kathy            | 2563859    | K
  E         | Erica            | 6723952    | E
  M         | Mary             | 9753658    | M
  O         | Olga             | 7490469    | O
  N         | Nancy            | 7036027    | N

  Public Key: Phone Book. Private Key: Inverted Phone Book.

One-way functions and trapdoors.
  A function f() is said to be one-way if given x it is “easy” to compute $y = f(x)$, but given y it is “hard” to compute $x = f^{-1}(y)$.
  A trap-door one-way function $f_K()$ is such that
    to compute $y = f_K(x)$ is easy if K and x are known.
    $x = f_K^{-1}(y)$ is easy if K and y are known.
    $x = f_K^{-1}(y)$ is hard if y is known but K is unknown.
  Given a trap-door one-way function one can design a public key cryptosystem.

Encryption and 1-way trap doors
  Two keys:
    public encryption key e
    private decryption key d
  encryption easy when e is known
  decryption hard when d is not known
  d provides “trap door”: decryption easy when d is known
  We’ll study the RSA public key encryption scheme.

RSA overview - setup
  Alice wants people to be able to send her encrypted messages.
  She chooses two (large) prime numbers, p and q, and computes $n = pq$ and $\varphi(n) = (p-1)(q-1)$. [“large” = 100 digits +]
  She chooses a number e such that e is relatively prime to $\varphi(n)$ and computes d, the inverse of e in $Z_{\varphi(n)}$.
  She publicizes the pair (e,n) as her public key.
  She keeps d secret and destroys p, q, and $\varphi(n)$.
  Plaintext and ciphertext messages are elements of $Z_n$ and e is the encryption key.

RSA overview - encryption
  Bob wants to send a message x (an element of $Z_n$) to Alice.
  He looks up her encryption key, (e,n), in a directory.
  The encrypted message is $y = E(x) = x^e \bmod n$.
  Bob sends y to Alice.

RSA overview - decryption
  To decrypt the message $y = E(x) = x^e \bmod n$ she’s received from Bob, Alice computes $D(y) = y^d \bmod n$.
  Claim: D(y) = x

Tiny RSA example.
  Let p = 7, q = 11. Then n = 77 and $\varphi(n) = 60$.
  Choose e = 13. Then $d = 13^{-1} \bmod 60 = 37$.
  Let message = 2.
  $E(2) = 2^{13} \bmod 77 = 30$.
  $D(30) = 30^{37} \bmod 77 = 2$.
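
The RSA setup, encryption and decryption steps from the slides above, run on the tiny parameters (an added example, not part of the original slides; the function names are chosen here). It also factors n by trial division, which is why the slides ask for primes of 100 digits or more.

```python
from math import gcd, isqrt

def rsa_setup(p: int, q: int, e: int):
    """Alice's setup: return (n, d) for primes p, q and public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return n, pow(e, -1, phi)          # d = e^-1 mod phi(n), Python 3.8+

def encrypt(x: int, e: int, n: int) -> int:
    return pow(x, e, n)                # y = x^e mod n

def decrypt(y: int, d: int, n: int) -> int:
    return pow(y, d, n)                # x = y^d mod n

def claim_holds(n: int, e: int, d: int) -> bool:
    """Check the claim D(E(x)) = x for every element x of Z_n."""
    return all(decrypt(encrypt(x, e, n), d, n) == x for x in range(n))

def recover_d_by_factoring(n: int, e: int) -> int:
    """Trial division finds p for a tiny n; anyone holding (e, n) can then
    recompute phi(n) and d. Infeasible only when p and q are large."""
    p = next(k for k in range(2, isqrt(n) + 1) if n % k == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    n, d = rsa_setup(7, 11, 13)        # the slide's values
    y = encrypt(2, 13, n)
    print(n, d, y, decrypt(y, d, n))
    print(claim_holds(n, 13, d), recover_d_by_factoring(n, 13))
```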

Authentication and Authorization
  Authentication is a service that
    allows receivers of a message to identify its origin.
    makes it difficult for third parties to masquerade as someone else.
    e.g., your driver’s license and photo authenticates your image to a name, address, and birth date.
  Authorization is a service that
    allows only entities that have been authenticated and who appear on an access list to utilize a service.
    e.g., your date of birth on your driver’s license authorizes you to drink as someone who is over 21.

Authentication
  Authentication codes provide assurance that the message has not been tampered with and has indeed originated from a specific source.
  Independent of encryption. In fact, encryption may even be undesirable.
[Figure: Alice (Transmitter), Oscar, Bob (Receiver); signals X, Y, Y’, X’; Authentication Key, Verification Key, "Authentic?"]

Substitution and Impersonation
  Two types of attacks on authentication schemes:
    Substitution attack
    Impersonation attack
[Figure: three messages: "Hello Bob, I love you - Alice", "Hello Bob, I hate you - Alice", "Hello Bob, I love you - Olivia"]

Digital Signatures
  Desirable properties of handwritten signatures:
    Signed document is authentic.
    Signature is unforgeable.
    Signature is not reusable.
    Signed document is unalterable.
    Signature cannot be repudiated.
    (Above not strictly true but mostly so)
  Same properties and more can be achieved by digital signatures.
  Digital Signatures use public key cryptography.

RSA based signature
  Alice signs message by encrypting with private key.
  Bob decrypts message with Alice’s public key.
  If meaningful message then it must have been encrypted with Alice’s private key!
[Figure: Message "Hello, I love you" -> Alice signs (Encrypt With Private key) -> Signed message "HjkhrkHj837**ji8hj]" -> Bob verifies (Decrypt With Public key) -> Message "Hello, I love you"]

Signing With Message Digests
  A fixed length “fingerprint” of a message.
  Instead of signing message, sign the message digest.
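
Signing the digest rather than the message, as an added example that is not part of the original slides: the key is a constructed demo key built from two well-known Mersenne primes, SHA-256 stands in for the unnamed digest, and reducing the digest mod n is a simplification made here in place of a real padding scheme. The messages are the ones from the substitution-attack slide.

```python
import hashlib

# Constructed demo key: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # Alice's private exponent

def digest(msg: bytes) -> int:
    """Fixed-length fingerprint of a message of any length, as an element of Z_n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes) -> int:
    """Alice 'encrypts' the digest with her private key."""
    return pow(digest(msg), D, N)

def verify(msg: bytes, sig: int) -> bool:
    """Bob 'decrypts' with Alice's public key (E, N) and compares digests."""
    return pow(sig, E, N) == digest(msg)

ORIGINAL = b"Hello Bob, I love you - Alice"
SUBSTITUTED = b"Hello Bob, I hate you - Alice"

if __name__ == "__main__":
    sig = sign(ORIGINAL)
    print(verify(ORIGINAL, sig))        # signature matches the signed message
    print(verify(SUBSTITUTED, sig))     # substituted text no longer verifies
    print(sign(b"x" * 1_000_000) < N)   # signature size is independent of message size
```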

Cryptographic Hash Functions
  Requirements of cryptographic hash functions:
    Can be applied to data of any length.
    Output is fixed length.
    Relatively easy to compute h(x), given x.
    Infeasible to get x, given h(x).
    Given x, infeasible to find y such that h(x) = h(y). Weak collision property.
    Infeasible to find any pair x and y such that h(x) = h(y). Strong collision property.

Wireless Dimension
  Access to Medium: Unlike wired medium (cables), wireless medium (air) is ubiquitous, hence access restrictions to the medium must be handled explicitly, whereas in wired environments it is implicit.
  War Dialing: Attacker gains access to wired medium by exhaustive dialing of phone numbers.
  War Driving: Attacker gains access to wireless medium by just driving by the network coverage area.

How is wireless different?
  The Medium
    Wireless medium has no explicit packet boundary
    This property weakens privacy and authentication mechanisms adopted from wired environment
  Portability
    Wireless devices are smaller in size and portable
    Data in those devices require more protection than data on non-portable devices
    Mechanisms to recover stolen or lost devices are important
    Mechanisms for self-destruction of data are also important

How is wireless different?
  Mobility
    Mobility brings even bigger challenges
    Trust in infrastructure
      Wired networks assume certain level of trust in local infrastructure (we trust our routers)
      In wireless networks this is a weak assumption
        Would you put same level of trust on an Access Point in JFK as you put on your home AP?
      Security mechanisms should anticipate these variances in trust
      Or, security mechanisms should be independent of location or infrastructure
    Trust in location
      Wired networks implicitly assume network address is equivalent to physical location (128.238.x.x is Poly’s resources)
      In wireless networks physical location is not tied to network address. Physical location may change transparent to end nodes.

How is wireless different?
  Mobility
    Privacy of location
      On wired network privacy of location is not a concern
      In wireless networks location privacy of the user is a serious issue because users can be tracked, their travel behaviors can be used for marketing purposes etc.
      Similar scenario exists on the Web: A user’s web surfing pattern can be tracked and this raised several privacy issues in 1999 (Double Click’s Cookie Tracking)

How is wireless different?
  Processing power, memory & energy requirements
    Handheld devices have stringent processing power, memory, and energy requirements
    Current security solutions require expensive processing power & memory
    Handheld devices mandate inexpensive substitutes for
      Crypto algorithms (AES instead of 3-DES)
      Authentication schemes
    Better one-time password schemes with feasible remote key updates

How is wireless different?
  Network Topologies
    Wired networks usually rely on network topology to deploy security solutions
      E.g.: firewall is installed on a machine where all traffic is visible
    Wireless networks (esp. ad-hoc) have dynamic topologies
    Wireless networks may not have single point of convergence (hidden host problem!)
    Wireless networks put emphasis on host based solutions, e.g.: distributed firewalls

802.11 & Security
  A MAC, PHY layer specification
  Should serve mobile and portable devices
    What is mobile?
    What is portable?
  Should provide transparency of mobility
  Should appear as 802 LAN to LLC (“messy MAC”)
  Basic Service Set (BSS)
  Distribution System (DS)
  Station (STA)
  STA that is providing access to Distribution System Service (DSS) is an Access Point (AP)
  802.11 supports Ad-hoc networking
  Provide link level security
[Figure: Components of 802.11: BSS (1) with STA 1 (AP), BSS (2) with STA 2 (AP), DS]

Wired Equivalent Privacy (WEP)
  Wired equivalence privacy?
    Wireless medium has no packet boundaries
      WEP controls access to LAN via authentication
    Wireless is an open medium
      Provides link-level security equivalent to a closed medium
      No end-to-end privacy
  Security Goals of WEP
    Access Control
      Provide access control to the underlying medium through authentication
    Confidentiality
      Provide confidentiality to data on the underlying medium through encryption
    Data Integrity
      Provide means to determine integrity of data between links

Wired Equivalent Privacy (WEP)
  An attack on WEP should compromise at least one of these properties
  Three levels of security
    Open system – WEP is disabled in this mode. No security.
    Shared Key Authentication – provides access control to medium
    Encryption – provides confidentiality to data on network
  You can have confidentiality on an open system!
    That is, you can encrypt all the traffic and not have access control to the medium!
    Which also means, a wily hacker can have all his traffic encrypted on our network so that no one “sees” what s/he is doing!

Properties of WEP
  It is reasonably strong
    Withstands brute force attacks and cryptanalysis
  It is self-synchronizing
    Uses self-synchronizing stream cipher
  It is efficient
    Hardware/software implementation
  It may be exportable
    Rest of the world needs security too!
  It is optional
    WEP layer should be independent of other layers

WEP Frame
  Key id is used to choose between four secret keys
  ICV is integrity check sum (CRC-32)
  Pad is zero. Unused.
[Figure: frame layout: IV (4) | PDU (>=1) | ICV (4); the IV field is IV (3) | pad (6) | Key id (2)]
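
WEP crypto function
  WEP uses RC4 PRNG
  CRC-32 for integrity algorithm
  IV is renewed for each packet (usu. iv++)
  actual key size = (vendor advertised size – 24)
[Figure: init. vector (24) and secret key (40) form the seed (64) of the WEP PRNG, which outputs the key sequence; the plaintext passes through the integrity algorithm to give the ICV; plaintext and ICV are combined (+) with the key sequence to give the cipher text; the message carries the IV and the cipher text]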

Attacks on WEP
  Stream ciphers and keystream reuse
    Stream ciphers expand a secret key to a stream of pseudo random numbers
    Message is XORed (denoted by ‘+’ hereafter) with the random number stream to produce the cipher text
    Suppose two messages used the same secret key; then the stream cipher is easily broken, so WEP uses an IV to extend the life of the secret key
    But, reusing the IV is the same as reusing the secret key!
    Given two cipher texts with the same IV, we can remove the effects of XORing with the RC4 stream! (for the same secret key)
      C1 = P1 + RC4(IV, key)
      C2 = P2 + RC4(IV, key)
      but… (C1+C2) = (P1+P2), and (P1+P2) can be easily cryptanalyzed

Attacks on WEP
  Two assumptions for this attack
    Availability of ciphertexts with same IV
      IV length is fixed 24 bits ($2^{24}$ = 16,777,216)
      Implementations make the reuse factor worse!
      Every time a card is initialized IV is set to zero!
      IV is usually reused after only 5,000 packets!
      So, obtaining cipher text with same IV is practical
    Partial knowledge of plaintexts
      Can use legitimate traffic to obtain known plaintexts, e.g.: Login:, password: prompts in a telnet session
      Bouncing Spam off a mail server through wireless network

Dictionary Attack
  Assuming secret key is rarely changed, this attack compromises WEP’s confidentiality goal…
  A dictionary of IVs (~$2^{24}$ entries) can be built
    For each IV find the associated key stream: Ci = Pi + RC4(IVi, key)
    Tabulate these two fields searchable by IV
    For each packet, scan the table to find the IV first and then XOR the message with corresponding keystream in the dictionary to decrypt the message.
    Cn = Pn + RC4(IV, key): we know RC4(IV, key) from the dictionary, we know Cn, so we can find Pn!
  Size of the dictionary depends on size of the IV, which is fixed by the standard at 24 bits!
  Increasing key size has no effect on this attack!

Attack on Access Control
  It is possible to get authenticated without knowing the secret key! (shown in red)
  We only need a plaintext, ciphertext pair of a legitimate authentication. (shown in black)
[Figure: two exchanges with the server.
  Normal Session (client and server):
    Request.Authentication
    128 nonce
    nonce+RC4(IV, key), IV
    Request received; nonce+RC4(IV, key); Decrypt the packet and verify nonce
  Hacker Using Data Obtained From Previous Session (hacker and server):
    Request.Authentication
    128 nonce
    nonce+RC4(IV, key), IV
    Request received; nonce+RC4(IV, key); Decrypt the packet and verify nonce]
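
Why the three WEP weaknesses on the preceding slides (keystream reuse, the per-IV dictionary, and shared-key authentication) all come down to a known key sequence, shown on constructed data. This is an added example, not part of the original slides; the key, IV and messages are made up, the function names are chosen here, and the seed order IV || key with a little-endian CRC-32 ICV is this model's assumption.

```python
import zlib

def rc4(seed: bytes, n: int) -> bytes:
    """First n bytes of the RC4 key sequence for this seed."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                            # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))     # truncates to the shorter input

def with_icv(msg: bytes) -> bytes:
    return msg + zlib.crc32(msg).to_bytes(4, "little")   # CRC-32 integrity check

def wep_encrypt(iv: bytes, key: bytes, msg: bytes) -> bytes:
    """(message || ICV) + RC4(IV || secret key); the IV itself travels in clear."""
    body = with_icv(msg)
    return xor(body, rc4(iv + key, len(body)))

def wep_decrypt(iv: bytes, key: bytes, ct: bytes) -> bytes:
    body = xor(ct, rc4(iv + key, len(ct)))
    if with_icv(body[:-4]) != body:
        raise ValueError("ICV mismatch")
    return body[:-4]

def keystream_from_known(ct: bytes, known_msg: bytes) -> bytes:
    """C + P = RC4(IV, key): one known plaintext exposes the key sequence."""
    return xor(ct, with_icv(known_msg))

def open_with_keystream(ct: bytes, ks: bytes) -> bytes:
    """Read a packet using the dictionary entry for its IV; the key is never used."""
    body = xor(ct, ks)
    if len(ks) < len(ct) or with_icv(body[:-4]) != body:
        raise ValueError("dictionary entry too short or wrong IV")
    return body[:-4]

def auth_response_from_keystream(ks: bytes, challenge: bytes) -> bytes:
    """Shared-key authentication answered from a recorded exchange, not the key."""
    return xor(with_icv(challenge), ks)

# Constructed sample data (not captured traffic)
KEY = bytes.fromhex("0102030405")                 # 40-bit secret key
IV = bytes.fromhex("00002a")                      # 24-bit IV, reused for both packets
P1 = b"login: guest\r\npassword: ********\r\n"    # predictable plaintext
P2 = b"transfer 500 to acct 7731"
C1, C2 = wep_encrypt(IV, KEY, P1), wep_encrypt(IV, KEY, P2)
DICTIONARY = {IV: keystream_from_known(C1, P1)}   # IV -> key sequence

if __name__ == "__main__":
    print(xor(C1, C2) == xor(with_icv(P1), with_icv(P2)))   # key sequence cancels
    print(open_with_keystream(C2, DICTIONARY[IV]))
```

None of the recovery functions takes the key as an argument, so a longer secret key changes nothing; only a non-repeating IV or a different cipher construction removes the problem.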