Advanced Encryption and Other Security Techniques


Lecture 12: Security in Wireless Computing
Wayne Patterson
SYCS 654
Spring 2006
802.11
• Wireless technology LAN 802.11
• 802.11b
• 11 Mbits bandwidth
• 2.4 GHz frequency
• 802.11a
• More advanced
Access Point
• Access point (AP) or base station
• Wireless server that connects clients to the internal network
• Base stations < $300
• 802.11 networks in
• Airports
• Hotels
• Starbucks
Antennas
• Antennas
• Can build cheaply
• Pringles cans
Security Risks
• Major security risks
• Insertion attacks
• Interception and monitoring wireless traffic
• Misconfiguration
• Jamming
• Client to client attacks
War-X
• War-dialing
• War-walking
• War-driving
• War-flying
• War-chalking
SSID and WEP
• Base station server set id (SSID)
• WEP
• Encryption standard for 802.11
• Only encrypts the data packets, not the 802.11 management packets
• The SSID is not encrypted if WEP is turned on
• SSID goes over the air in cleartext
WEP Configuration
• WEP can be configured in 3 modes
• No encryption
• 40 bit encryption
• 128 bit encryption
• Most public access points do not enable WEP
SNMP
• Many base stations have SNMP (Simple Network Management Protocol) agents running
• If the community word is not properly configured, an intruder can read and potentially write sensitive information and data on the base station
• By default, all base stations are read accessible by using the community word “public.”
Security of the WEP algorithm
• This work was performed jointly by Nikita Borisov, Ian Goldberg, and David Wagner
• Passive attacks to decrypt traffic based on statistical analysis.
• Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
• Active attacks to decrypt traffic, based on tricking the access point.
• Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.
WEP Setup
• WEP relies on a secret key that is shared between a mobile station (e.g. a laptop with a wireless ethernet card) and an access point (i.e. a base station).
• The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit.
RC4
• WEP uses the RC4 encryption algorithm, which is known as a stream cipher.
• A stream cipher operates by expanding a short key into an infinite pseudo-random key stream.
• The sender XORs the key stream with the plaintext to produce ciphertext.
• The receiver has a copy of the same key, and uses it to generate an identical key stream.
• XORing the key stream with the ciphertext yields the original plaintext.
Crypto Weaknesses
• This mode of operation makes stream ciphers vulnerable to several attacks. If an attacker flips a bit in the ciphertext, then upon decryption, the corresponding bit in the plaintext will be flipped.
• Also, if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts. Knowledge of this XOR can enable statistical attacks to recover the plaintexts.
Crypto Weaknesses (more)
• The statistical attacks become increasingly practical as more ciphertexts that use the same key stream are known.
• Once one of the plaintexts becomes known, it is trivial to recover all of the others.
Conclusions
• Wired Equivalent Privacy (WEP) isn't. The protocol's problems are a result of misunderstanding of some cryptographic primitives and therefore combining them in insecure ways. These attacks point to the importance of inviting public review from people with expertise in cryptographic protocol design; had this been done, the problems stated here would have surely been avoided.
Bluetooth Security White Paper
• http://grouper.ieee.org/groups/1451/5/Comparison%20of%20PHY/Bluetooth_24Security_Paper.pdf
Bluetooth Security White Paper
• The Bluetooth wireless technology provides short range, wireless connectivity between common devices.
• Different applications can be built based on these spontaneous, ad-hoc networks.
• The security requirements for Bluetooth applications will vary based on the sensitivity of the information involved, the market, and the needs of the user.
• There are some applications that do not require any security and others which require extremely high levels of security.
• Risk analysis and trade studies need to be conducted prior to implementing new applications using Bluetooth wireless technology.
General Recommendations
• There are some well known security shortcomings in the current Bluetooth security concept briefly discussed below.
• Based on these shortcomings we make the following general recommendations:
• 1. Avoid the use of unit keys. Use combination keys instead.
• 2. Perform the bonding in an environment that is as secure as possible against eavesdroppers, and use long random Bluetooth passkeys.
Unit keys
• The authentication and encryption mechanisms based on unit keys are the same as those based on combination keys.
• However, a unit that uses a unit key is only able to use one key for all its secure connections. Hence, it has to share this key with all other units that it trusts.
• Consequently all trusted devices are able to eavesdrop on any traffic based on this key.
• A trusted unit that has been modified or tampered with could also be able to impersonate the unit distributing the unit key.
• Thus, when using a unit key there is no protection against attacks from trusted devices.
• The Bluetooth combination keys would be much more appropriate to use for almost any Bluetooth unit and therefore we do not recommend the use of unit keys.
Short passkey values
• During the pairing procedure both units calculate an initialisation key.
• The only secret input to the key calculation is the passkey (PIN).
• In the next step the combination or unit key is calculated.
• This calculation is protected using the initialisation key.
• Directly after the exchange of the link key, the authentication procedure is performed.
• The authentication uses the newly derived link key.
• All key derivation algorithms are symmetric algorithms that can be implemented in hardware or in software.
• The computational complexity of the algorithms is not large.
• Assume that an intruder records all communication during the key exchange and the first authentication between two units.
• He can then calculate, for each possible passkey value, the corresponding initialisation key.
• Furthermore, for each initialisation value, he can calculate the corresponding link key.
• Finally, for each link key value he can then check the response value for the observed challenge (or he can issue a challenge himself towards the victim device).
• If he finds a match, he has obtained the correct link key. Since all calculation steps have low complexity, unless the passkey space is large, the intruder can easily compute the correct link key.
Recommendations (cont)
• As an alternative, the attacker can obtain the passkey and link key by initiating a key exchange with a victim device and performing the same steps as described above.
• For the attack described above to succeed, the intruder must be present at the pairing occasion and record all communication.
• Hence, we do not recommend pairing at public places and strongly encourage the use of long passkey numbers.
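Added example (not part of the original slides or the white paper): a Python model of the pairing flow described above, showing why the passkey length is the only thing standing between a recorded pairing and the link key. HMAC-SHA256 is a stand-in for the Bluetooth key-derivation functions, and all field names and values are constructed assumptions.

```python
import hashlib
import hmac
from itertools import product


def prf(key: bytes, msg: bytes) -> bytes:
    # Stand-in for the Bluetooth key-derivation functions (assumption).
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pair(passkey: str, transcript: dict) -> bytes:
    """Derive the link key from the passkey and the values sent over the air."""
    k_init = prf(passkey.encode(), transcript["in_rand"])   # initialisation key
    rand_a = xor(transcript["masked_a"], k_init)            # unmask contributions
    rand_b = xor(transcript["masked_b"], k_init)
    return xor(prf(rand_a, b"A"), prf(rand_b, b"B"))        # combination key


def response(link_key: bytes, challenge: bytes) -> bytes:
    return prf(link_key, challenge)


def make_transcript(passkey: str) -> dict:
    """Constructed pairing run: everything in the dict is visible to a listener."""
    in_rand = bytes(range(16))
    k_init = prf(passkey.encode(), in_rand)
    t = {"in_rand": in_rand,
         "masked_a": xor(bytes([0xA5] * 16), k_init),
         "masked_b": xor(bytes([0x3C] * 16), k_init),
         "challenge": bytes([0x77] * 16)}
    t["response"] = response(pair(passkey, t), t["challenge"])
    return t


def search(transcript: dict, digits: int):
    """Try every passkey of the given length; return (passkey, guesses made)."""
    for n, cand in enumerate(product("0123456789", repeat=digits), start=1):
        pin = "".join(cand)
        guess = response(pair(pin, transcript), transcript["challenge"])
        if hmac.compare_digest(guess, transcript["response"]):
            return pin, n
    return None, 10 ** digits
```

Each additional passkey digit multiplies the work in search() by ten, while the cost of one guess stays constant; that is the reasoning behind the recommendation for long random passkeys.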