Final Exam

1
Final Exam

• Review assigned reading and experiences from
  homework projects
• Oral exam, approx 20 minutes?
• Tuesday at 530pm
• Wait on 2nd floor either in student lounge or
  near elevators
• Bring ID to get into lounge

2
802.11, WEP, 802.1xCase Study

• Lecture Notes for 91.561UMass Lowell Computer
  ScienceDavid Martin

3
Orientation

• Miraculously, free downloads available
• IEEE 802 Overview Architecture
• IEEE 802.1 Bridging Management
• IEEE 802.2 Logical Link Control
• IEEE 802.3 CSMA/CD Access Method
• IEEE 802.5 Token Ring Access Method
• IEEE 802.11 Wireless
• IEEE 802.12 Demand Priority Access
• IEEE 802.15 Wireless Personal Area Networks
• IEEE 802.16 Broadband Wireless Metropolitan
  Area Networks

4
Recommended Reference

• Real 802.11 Security Wi-Fi Protected Access and
  802.11i, Edney and Arbaugh, Addison-Wesley, 2003
• Available through Safari books,
  http//proquest.safaribooksonline.com/?uicodeumas
  slowell

5
Orientation

• IEEE 802.11
• Late 90s wireless networking
• 802.11 1999, base wireless spec
• WEP is defined here
• 802.11a 1999, 5 GHz, 1 and 2 Mb/s
• 802.11b 1999, 2.4 GHz, 5.5 and 11 Mb/s
• 802.11g 2003, 2.4 GHz, 54 Mb/s
• IEEE 802.1
• 802.1d bridging
• 802.1q virtual LANs
• 802.1x port-based access control
• Much of this presentation text is taken from
  these standards
• WiFi
• Industry association trying to achieve
  interoperability
• Trademark protection of WiFi logo

6
802.11 Wireless

• Individual cells are called basic service sets
  (BSS)
• BSS can be combined by distribution systems (DS)
  into extended service sets (ESS)
• Like how individual wired LANs can be combined
  into an extended LAN via bridging

7
Complete Picture
Source IEEE 802.11 standard
8
(No Transcript)
9
Connecting to 802.11 LAN

• Three types of transmissions
• Management
• Control (media sharing)
• Data
• Each wireless station has its own MAC address
• SSID a network's name (service set ID)
• Can be overlapping sensible for creating
  extended LAN
• APs run over (small) numeric channels that
  correspond to frequencies in the given range
• Probe request response
• For determining which APs are accessible
• Passive variant also possible
• Learn published SSIDs, associated parameters

10
802.11 Authentication

• If desired, an IEEE 802.11 network may be
  operated using Open System authentication. This
  may violate implicit assumptions made by higher
  network layers. In an Open System, any station
  may become authenticated.
• In other words, no authentication required
• IEEE 802.11 also supports Shared Key
  authentication. Use of this authentication
  mechanism requires implementation of the wired
  equivalent privacy (WEP) option. In a Shared Key
  authentication system, identity is demonstrated
  by knowledge of a shared, secret, WEP encryption
  key.

11
802.11 Association

• Association required in order to transmit through
  an AP to anywhere
• Once associated, the extended network can route
  transmissions to appropriate AP
• Authentication happens before association
• Management messages
• Association / reassociation request response

12
802.11 Transmission

• CSMA / CA
• Carrier sense multiple access / collision
  avoidance
• Transmissions are ACKed
• Otherwise you don't know if your frame was
  received there's no reliable collision detection
• Request to send / clear to send also possible but
  not required
• CTS presumably can be heard by each station able
  to cause a collision
• Extra messages are Control messages

13
802.11 Layering
14
MAC Frame Layout

• Note long frame body
• 4 Addresses depending on frame type, could
  include
• Service set ID
• Destination, Source ultimate
• Receiver, Transmitter current hop
• Frame control field

15
Message types
16
Message types
17
802.11 Privacy (Confidentiality)

• From IEEE 802.11 standard, Section 5.4.3.3
• In a wired LAN, only those stations physically
  connected to the wire may hear LAN traffic. Not
  so with a wireless shared medium.
• IEEE 802.11 specifies an optional privacy
  algorithm, WEP, that is designed to satisfy the
  goal of wired LAN equivalent privacy. The
  algorithm is not designed for ultimate security
  but rather to be at least as secure as a wire.
• IEEE 802.11 uses the WEP mechanism to perform the
  actual encryption of messages. Note that privacy
  may only be invoked for data frames and some
  Authentication Management frames.
• All stations initially start in the clear in
  order to set up the authentication and privacy
  services.
• The default privacy state for all IEEE 802.11
  STAs is in the clear. If the privacy service is
  not invoked, all messages shall be sent
  unencrypted.

18
Desired Properties of WEP

• It is reasonably strong
• The security afforded by the algorithm relies on
  the difficulty of discovering the secret key
  through a brute-force attack. This in turn is
  related to the length of the secret key and the
  frequency of changing keys. WEP allows for the
  changing of the key and frequent changing of the
  IV.
• It is self-synchronizing
• WEP is self-synchronizing for each message. This
  property is critical for a data-link level
  encryption algorithm, where best effort
  delivery is assumed and packet loss rates may be
  high.
• It is efficient
• The WEP algorithm is efficient and may be
  implemented in either hardware or software.
• It may be exportable
• ... However, due to the legal and political
  climate toward cryptography at the time of
  publication, no guarantee can be made that any
  specific IEEE 802.11 implementations that use WEP
  will be exportable from the USA.
• It is optional
• The implementation and use of WEP is an IEEE
  802.11 option.

19
WEP Design

• About 4 pages of 802.11 specification
• Encryption via stream cipher
• PRNG is RC4
• Integrity algorithm is CRC-32

20
WEP Design
Note the encypherment process has expanded the
original Frame Body by 8 octets, 4 for the IV
field and 4 for the ICV. The ICV is calculated
on the data field only.
21
RC4 Reminder

• From Fluhrer et al paper

22
IV in Stream Cipher

• Normally don't think of initialization vectors in
  stream ciphers they just take a key and generate
  a byte at a time
• Also true in this case IV is completely
  specified outside of RC4
• Used to ensure that retransmission of same
  plaintext will look different
• ( IV WEP key ) is used as RC4 key

23
WEP as Foundation for

• Authentication
• Initial assurance of identity
• Binding authentication to session
• Mutual authentication
• Subkey generation
• Integrity protection
• Message modification detection
• Replay detection
• Confidentiality
• Message privacy
• Key privacy

24
Authentication

• "Open" authentication takes one round trip to
  negotiate and doesn't do much
• Otherwise, "Shared key" authentication between
  Client and Access Point
• C AP "Want shared authentication"
• AP C 128-byte challenge
• challenge must not be static
• C AP WEP( challenge ) using shared key
• AP C approve/deny

25
Analysis

• Nothing from authentication procedure persists
  into subsequent transmissions
• No ongoing session authentication
• No subkey generation
• No (mutual) authentication of AP to client
• Note that client chooses IV when transmitting
  response
• Attacker Eve eavesdrops on one challenge/response
• Plaintext, ciphertext, and IV are known can
  recover keystream used in that transmission with
  XOR
• Then to authenticate herself, she reuses the IV
  and recovered keystream to encrypt an arbitrary
  challenge

26
WEP as Foundation for

• Authentication
• Initial assurance of identity
• Binding authentication to session
• Mutual authentication
• Subkey generation
• Integrity protection
• Message modification detection
• Replay detection
• Confidentiality
• Message privacy
• Key privacy

27
Integrity Protection

• After authentication phase, using WEP to protect
  the data
• Integrity protection value is CRC-32, not a hash
  function
• WEP uses a stream cipher
• So, flip bit n of ciphertext and adjust plaintext
  CRC to compensate
• Not very good protection at all
• Replay detection
• None!

28
WEP as Foundation for

• Authentication
• Initial assurance of identity
• Binding authentication to session
• Mutual authentication
• Subkey generation
• Integrity protection
• Message modification detection
• Replay detection
• Confidentiality
• Message privacy
• Key privacy

29
Confidentiality Message Privacy

• Constant WEP key constant IV same keystream
  each time
• If Eve knows IV plaintext ciphertext then she
  knows the keystream for that IV
• Or if she knows IV ciphertext1 ciphertext2
  difference
• Generally, WEP keys are long-term
• Hard to change, that's why you configure 4 of
  them
• So IV shouldn't be constant
• 802.11 standard doesn't require change, but
  (most) everyone does change it per frame

30
So change the IV

• IV is 24 bits max 16,777,216 values
• Choose randomly?
• Birthday paradox expect reuse after 212 4096
  transmissions
• So increment instead
• 11 Mb/s, you can get about 500 full frames / s
• After about 9 hours your IVs will wrap around at
  this rate
• 1500 bytes per IV can write them all down in 23
  Gb
• Note that since most stations use same key, you
  don't have to attack any particular transmitter
• All in all, very leaky, even when you never learn
  the key
• Borisov, Goldberg, Wagner give more specific
  attacks in "Intercepting Mobile Communications
  Insecurity of 802.11", Mobicom 2001

31
Attacking the Key

• Fluhrer, Mantin, Shamir 2001 "Weaknesses in the
  Key Scheduling Algorithm of RC4", Eighth Annual
  Workshop on Selected Areas in Cryptography
• "IV Weakness" When part of the RC4 key is known,
  the unknown part can sometimes be derived from
  the keystream
• Easiest when known part precedes unknown part
• ( IV WEP key ) RC4 key

32
Attacking the Key

• Time to recover bytes of the key is linear in
  length of key, not exponential
• Stubblefield, Ioannidis, Rubin implemented attack
  and described in "Using the Fluhrer, Mantin,
  Shamir Attack to break WEP", Symposium on Network
  and Distributed System Security 2002.
• They could recover the key after about 5,000,000
  packets
• Various recommendations
• don't use WEP
• to resist IV attack, make RC4 key be a "secure
  hash" of IV using secret key rather than just (
  IV secret key )
• throw away first 256 bytes of keystream to resist
  another attack
• wepcrack, aircrack, airsnort, weplab

33
WEP as Foundation for

• Authentication
• Initial assurance of identity
• Binding authentication to session
• Mutual authentication
• Subkey generation
• Integrity protection
• Message modification detection
• Replay detection
• Confidentiality
• Message privacy
• Key privacy

34
Wired Equivalent Properties?

• Authentication
• With wired LAN, typically just whether you can
  find a plug or not, and VLAN considerations
• Integrity protection
• CRC-32 fairly common similar attacks possible
• Confidentiality
• bridging minimizes number of hosts that see
  transmissions, but optional of course
• So in this sense, WEP is not so far off from its
  namesake
• Thing is, far better security properties than
  this are reasonably attainable, at similar cost

35
Improvements Future

• TKIP Temporal Key Integrity Protocol
• Designed to allow many older WEP devices to be
  upgraded to a secure protocol. Includes
• Integrity check "Michael" mandatory
  countermeasures
• Avoiding weak IVs
• Anti-replay
• Avoiding IV reuse
• Automatic per-packet key update to avoid FMS
  attack
• "TKIP is a masterpiece of retro-engineering and
  provides real security in a way that WEP never
  could. All the major weaknesses of WEP have been
  addressed... "
• wrote Edney and Arbaugh

36
Dynamic WEP

• "The key is provided for me automatically"
  (checkbox in Windows)
• Simple patch to change keys over time to avoid
  FMS attacks
• Forces clients to reauthenticate after a timeout
  (e.g. 60 minutes)
• A faint shadow of TKIP/WPA

37
Improvements Future

• 802.11i a workable spec for wireless security
• RSN Robust Security Network
• Main mode is AES-CCMP Counter ModeCBC MAC
  Protocol
• Designed cleanly for new hardware
• 802.11i finalized in June 2004
• TKIP is a mode under RSN
• WiFi alliance
• Industry group didn't want to wait
• Tore out TKIP and 802.1x EAP, naming it
• WPA WiFi Protected Access

38
802.1x

• "Port-based Network Access Control"
• Not specifically wireless predates that
• Looking for better mechanism than MAC filtering

39
802.1x Central Idea

• Supplicant wants to use a LAN port (PAE)
• Uses 802.1x Extensible Authentication Protocol
  (EAP)
• Authentication server uses Remote Access Dial-in
  User Service (RADIUS)

40
802.1x

• Recall 802.11 authentication precedes association
• Supplicant will engage in EAP session with access
  point before associating
• EAP Extensible Authentication Protocol
• Supports TLS, PEAP, SecureID, RSA, MS-CHAPv2,etc.
• Problem physical port swapping assumed to be
  unlikely, but wireless hijacking is comparatively
  easy
• Microsoft invented MS-MPPE-Recv-Key attribute in
  order to deliver session key for their
  Point-to-Point Encryption protocol (their own VPN
  technology)
• Adopted in WPA I don't know about 802.11i
• EAP is not done confidentially
• User identification sent in clear
• Server responses can be spoofed!

41
EAP options

• EAPTLS widely supported on wireless clients and
  RADIUS servers
• uses public key certificates to authenticate both
  the wireless clients and the RADIUS servers by
  establishing an encrypted TLS session between the
  two.
• PEAP "Protected" EAP
• Phase 1 client performs simple EAP but may use
  anonymous identifier
• Establishes session key for encryption
  integrity
• Phase 2 client performs normal EAP within
  established tunnel, now sending its real
  authenticator

42
EAP options

• TTLS two stages, similar to PEAP
• uses a TLS session to protect tunneled client
  authentication
• can also use nonEAP authentication protocols
  such as CHAP, MSCHAP, etc.
• LEAP "Lightweight", proprietary Cisco protocol

43
UML Implementation

• Intended to support Windows, Mac, Linux
• 802.1x PEAP with MS-CHAPv2
• MS-CHAPv2 RFC 2759
• straightforward challenge-response proving
  knowledge of username password
• appears to require WPA TKIP now, though was
  using dynamic WEP previously