opensig 2003: panel discussion on the differences and similarities of wired vs. wireless security...
Post on 19-Dec-2015
Vigil Security, LLC
OpenSig 2003: Panel Discussion on the Differences and Similarities of Wired vs. Wireless Security
Russ Housley
9 October 2003
Ethernet vs. 802.11 Wireless LAN
Do Ethernet and 802.11 WLANs offer the same services?
From a protocol stack perspective, Ethernet and WLANs are largely interchangeable. Both allow the application layer protocols to deliver the expected services.
From a security perspective, they are quite different.

Wired Guest Network Example
[Diagram: Corporate Network, Guard, Guest Network, Internet]

With WLANs … (1 of 3)
[Diagram: Internet, Guard]

With WLANs … (2 of 3)
[Diagram: Internet, Guard]

With WLANs … (3 of 3)
[Diagram: Internet, Guard]

Security Services
Mechanisms for confidentiality, integrity, and authentication are essential for any WLAN to offer comparable security to an Ethernet.

WLAN Frame Security
- All currently deployed IEEE 802.11 WLAN devices have flawed security
  - WEP data encryption easy to break
  - IEEE 802.11 authentication easy to subvert
- IEEE 802.11 security solution has two phases:
  - Short-term security solution called TKIP
    - Accommodates existing hardware
    - Firmware and driver upgrade
  - Long-term security solution called CCMP (uses AES)
    - Targeted at new hardware designs

WEP Description
Sender:
1. Start with: 802.11 Hdr | Data
2. Append ICV = CRC32(Data): 802.11 Hdr | Data | ICV
3. Select and insert IV (24 bits): 802.11 Hdr | IV | Data | ICV
4. Per-packet Key = IV || RC4 Base Key
5. RC4 Encrypt Data and ICV
Receiver:
1. Remove IV from packet
2. Per-packet Key = IV || RC4 Base Key
3. RC4 Decrypt Data and ICV
4. Check ICV = CRC32(Data)
SNAP SAP: 0xAA 0xAA 0x00 0x00 0x00 0x00 0x80 0x00

RC4 is a Stream Cipher
[Diagram: the RC4 pseudo-random number generator outputs “key stream” byte b, which is combined with plaintext data byte p to give the ciphertext data byte]
c = p ⊕ b
Decryption works the same way: p = c ⊕ b
What happens when p1 and p2 are encrypted under the same “key stream” byte b?
c1 = p1 ⊕ b and c2 = p2 ⊕ b
Thus: c1 ⊕ c2 = (p1 ⊕ b) ⊕ (p2 ⊕ b) = p1 ⊕ p2

IV Collisions
- WEP expands the RC4 Base Key into 2^24 per-packet keys
  - Data can be recovered if IV is ever repeated with same per-packet key
  - RC4 key must be changed at least every 2^24 packets, otherwise data is exposed when the same IV is used for a second packet
- WEP does not provide a standard way to change keys!
- Often all stations are using the same key
  - Immediate IV collisions between stations that share the RC4 Base Key
Frame: 802.11 Hdr | IV (24 bits) | Data | ICV
Per-packet Key = IV || RC4 Base Key
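
The WEP encapsulation and the key stream reuse described on the two slides above, as an added example that is not part of the original slides. The base key, IVs and payloads are constructed sample values, the key-ID octet that follows the IV in a real frame is omitted, and `reused_ivs` is a hypothetical helper for spotting repeated IVs in a list of captured frames.

```python
import struct
import zlib
from collections import defaultdict

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR data with the generated key stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encapsulate(base_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Return IV || RC4(IV || base key, Data || ICV) with ICV = CRC32(Data)."""
    icv = struct.pack("<I", zlib.crc32(data))
    return iv + rc4(iv + base_key, data + icv)

def wep_decapsulate(base_key: bytes, frame: bytes) -> bytes:
    """Remove the IV, decrypt Data and ICV, then check ICV = CRC32(Data)."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + base_key, body)
    data, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(data)) != icv:
        raise ValueError("ICV check failed")
    return data

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def reused_ivs(frames):
    """Map each IV seen more than once to the indexes of the frames using it."""
    seen = defaultdict(list)
    for n, frame in enumerate(frames):
        seen[frame[:3]].append(n)
    return {iv: idx for iv, idx in seen.items() if len(idx) > 1}

# Constructed sample: two stations sharing one base key pick the same IV.
BASE_KEY = bytes.fromhex("0102030405")        # constructed 40-bit base key
SNAP = bytes.fromhex("aaaa000000008000")      # header bytes as listed on the slide
P1, P2 = SNAP + b"station A data", SNAP + b"station B data"
F1 = wep_encapsulate(BASE_KEY, b"\x00\x00\x01", P1)
F2 = wep_encapsulate(BASE_KEY, b"\x00\x00\x01", P2)   # IV collision with F1
F3 = wep_encapsulate(BASE_KEY, b"\x00\x00\x02", P1)   # fresh IV
```

XORing the encrypted bodies of `F1` and `F2` gives exactly `P1 ⊕ P2`: the key stream cancels without the key ever being used.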

Weak Key Attacks
Frame: 802.11 Hdr | IV | Data | ICV
First eight bytes of ciphertext: 0xC0 0x15 0x7E 0xA5 0x3F 0x22 0xEA 0xA1
SNAP SAP provides known plaintext: 0xAA 0xAA 0x00 0x00 0x00 0x00 0x80 0x00
- Per-packet key = IV || RC4 Base Key, so the first three bytes of the Per-packet Key are always exposed!
- Some RC4 weak keys exist, where patterns in the first three bytes of the key cause a corresponding pattern in the first few bytes of the key stream
- The IV identifies the use of potential weak keys
- Known plaintext allows direct computation of start of the key stream, exposing some of the secret RC4 Base Key value
- Iterate over a sequence of packets with different IVs until all the bits in the RC4 base key are found

Forgery Attacks
Sample Attack 1 – Attacker has accomplice on the wired network:
1. Recv-Addr, Src-Addr, Dest-Addr are unprotected
2. Record any packet, replace the Dest-Addr with accomplice’s address; resend it
3. AP will decrypt data and send it to the accomplice
Sample Attack 2 – Attacker alters recorded traffic:
[Diagram: captured frame 802.11 Hdr (Recv-Addr, Src-Addr, Dest-Addr) | IV | Data | ICV, with mask 0 … … 01 | New ICV]
1. Create a blank message with same number of data bytes
2. Flip some bits and compute the ICV on the flipped bits
3. XOR resulting bit-flipped message + ICV into captured message

Replay Attacks
[Diagram: Attacker and authorized WEP communications]
1. Record
2. Play back selections

Must Address All Problems
Solutions must address all of the problems, otherwise new attack tools will be developed to exploit the remaining holes
Need to address all of the problems
- IV Collisions
- Weak Keys
- Message Forgery
- Replay

IEEE 802.11 TGi Short-term
- IEEE 802.11 Task Group i (TGi) is defining the Temporal Key Integrity Protocol (TKIP)
- TKIP accommodates existing hardware with firmware and driver upgrade
- TKIP mandates 4 new algorithms
  - Message Integrity Check (MIC) called Michael
  - New per-packet key construction, with a large IV
  - IV Sequencing
  - Key Distribution

Defeating IV Collision Attacks
- Expand IV space to 48 bits
  - At IEEE 802.11a rates, it would take about 1090 years to exhaust the IV space
- Use IEEE 802.1X EAPOL Key message to establish a new key at start of every association
[Diagram: IV | New Key | MIC]

Defeating Weak Key Attacks
[Diagram labels: Base Key, TA, IV, Phase 1, Phase 2, Per-Packet Key]
- Compute Per-packet Key from:
  - 128-bit Base Key
  - 48-bit Transmitter Address (TA)
  - 48-bit IV
- Structure permits:
  - Efficient on deployed hardware
  - Supports caching and precomputation
- Avoids the weak keys exploited by AirSnort and other hacker tools

Defeat Forgeries
MIC = Michael( Key, Src-Addr || Dest-Addr || Data )
ICV = CRC( Data || MIC )
Frame: 802.11 Hdr | IV | Data | MIC | ICV
- Compute MIC using Michael (a new algorithm)
  - Designed for deployed hardware by Niels Ferguson
  - 3-4 cycles/byte on ARM7 (2.7 – 3.6 MHz)
  - 5-6 cycles/byte on i486 (4.5 – 5.4 MHz)
  - Provides about 30 bits of security – best possible in time budget
- The most critical step – it takes away active attacks

Defeating Replays
Frame: 802.11 Hdr | IV | Data | MIC | ICV
IV ← IV + 1
- Use the IV as a sequence number
- IV management rules:
  - Reinitialize IV to 0 when the base key is established
  - IV is a strictly increasing counter
  - Data traffic halts if IV value reaches maximum value
  - Receiver discards any packets associated with the same key when the IV value is less than a previously received packet

TKIP Summary
- “Fixes” all known WEP vulnerabilities
- Designed and scrutinized by well-known cryptographers
- Pragmatic sacrifice of bullet-proof security to minimize performance degradation on existing hardware
- TKIP provides only minimal security on deployed equipment and degrades performance

IEEE 802.11 TGi Long-term
- IEEE 802.11 Task Group i (TGi) is defining the AES-based long-term solution
- A more robust security solution is not hard to design (there are many places to borrow from); however, it does require:
  - New hardware
  - Protocol changes

Updated Protocol Requirements
- Message integrity — prevent forgeries
- Packet sequencing — detect replays
- Avoid rekeying — 48 bit packet sequence number
- Eliminate per-packet key
- Protect source and destination addresses
- Interoperate with proposed quality of service (QoS) enhancements (IEEE 802.11 TGe)
- Desirable to use one strong cryptographic primitive for both confidentiality and integrity

Mechanisms
- 48-bit IV used for replay detection
  - First four bits of IV indicate QoS traffic class
  - Remaining 44 bits used as counter
  - Decryption/integrity check fail if traffic class bits are altered
  - Sender uses single counter space, but receiver needs one for each traffic class
- AES with CCM or OCB authenticated encryption
  - CCM is mandatory, and OCB is optional
  - Header authentication
  - Payload authentication and confidentiality
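
The IV sequencing rules from the Defeating Replays slide combined with the traffic-class layout above, as an added example that is not part of the original slides. The class names, the traffic class numbers 6 and 1, and the `per_class` switch are assumptions made for illustration; treating an IV equal to one already accepted as a replay is this example's reading of "strictly increasing".

```python
CTR_BITS = 44                      # low 44 bits of the 48-bit IV are the counter
CTR_MAX = (1 << CTR_BITS) - 1

class Sender:
    """Single counter space shared by all traffic classes."""
    def __init__(self):
        self.counter = 0           # reinitialized to 0 when the key is established

    def next_iv(self, traffic_class: int) -> int:
        if not 0 <= traffic_class < 16:
            raise ValueError("traffic class must fit in four bits")
        if self.counter >= CTR_MAX:
            raise RuntimeError("counter exhausted: halt traffic until rekey")
        self.counter += 1
        return (traffic_class << CTR_BITS) | self.counter

class Receiver:
    """Tracks the highest counter accepted so far, one per traffic class."""
    def __init__(self, per_class: bool = True):
        self.per_class = per_class
        self.highest = {}

    def rekey(self):
        self.highest.clear()       # a new key restarts the sequence

    def accept(self, iv: int) -> bool:
        traffic_class, counter = iv >> CTR_BITS, iv & CTR_MAX
        slot = traffic_class if self.per_class else 0
        if counter <= self.highest.get(slot, 0):
            return False           # replayed or stale: discard
        self.highest[slot] = counter
        return True

def deliver(receiver, ivs):
    return [receiver.accept(iv) for iv in ivs]

def sample_ivs():
    """Constructed sample: QoS reorders frames, then one frame is replayed."""
    tx = Sender()
    voice1 = tx.next_iv(6)         # counter 1
    bulk = tx.next_iv(1)           # counter 2
    voice2 = tx.next_iv(6)         # counter 3
    # Class 6 overtakes class 1 in transit; the last entry replays voice1.
    return [voice1, voice2, bulk, voice1]
```

With one counter per class the reordered class 1 frame is accepted and only the replay is dropped; with a single receive counter the legitimate class 1 frame is discarded as well.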

Counter Mode with CBC-MAC
- Authenticated Encryption composed of Counter (CTR) mode and CBC-MAC using a single key
  - Assumes 128 bit block cipher – IEEE 802.11i uses AES
- Designed for IEEE 802.11i
  - By D. Whiting, N. Ferguson, and R. Housley
  - Intended for packet environment
  - No attempt to accommodate streams
- RFC 3610 and NIST SP 800-38C define CCM
- Expansion results from:
  - Nonce value used in the CTR blocks
  - Message Integrity Check (MIC) value

CCM Mode Overview
- Use CBC-MAC to compute a MIC on the plaintext header, length of the plaintext header, and the payload
- Use CTR mode to encrypt the payload
  - Counter values 1, 2, 3, …
- Use CTR mode to encrypt the MIC
  - Counter value 0
[Diagram: Header | Payload | MIC, with spans labelled Authenticated and Encrypted]

[Diagram: CCM computation over Header | Payload | MIC. Labels: blocks B0, B1 … Bk, Bk+1 … Br with zero padding; blocks A0, A1 … Am; block cipher E; outputs S0, S1 … Sm]

CCM Security Proof
- Jakob Jonsson did a security proof of CCM
  - Published last August at SAC ’02
- The proof shows that CCM provides a level of confidentiality and authenticity that is comparable to other proposed authenticated encryption modes, such as OCB mode.

CCM Patent Status
- The authors have explicitly released any intellectual property rights to CCM to the public domain
- The authors are not aware of any patent or patent application anywhere in the world that covers CCM mode
- The authors believe that CCM is a simple combination of well-established techniques; it is obvious to a person of ordinary skill in the arts

Long-term Solution Summary
- Builds on the lessons learned from IEEE 802.10 and IPsec ESP protocol designs
- Relies on proper use of strong cryptographic primitives
- Strong security against all known attacks
- Requires new hardware
New hardware, proper protocol design, AES … Success

Short-term vs. Long-term

                  | WEP (RC4)       | TKIP (RC4) | CCMP (AES)
Key Size          | 40 or 104 bits  | 128 bits   | 128 bits
Key Life          | 24-bit IV, wrap | 48-bit IV  | 48-bit IV
Packet Key        | Concat.         | TKIP KDF   | Not Needed
Integrity: Data   | CRC-32          | Michael    | CCM or OCB
Integrity: Header | None            | Michael    | CCM or OCB
Replay            | None            | Use IV     | Use IV
Key Mgmt.         | None            | EAP-based  | EAP-based

WLAN Frame Security Conclusion
- Any solution that does not address all the problems is a failure
- TKIP provides only minimal security, but much more than WEP
  - Meets deployed equipment constraints (most devices)
  - Degrades performance
- Long-term solution … Success
  - New hardware
  - Proper protocol design
  - AES