Computer Security CS 426 Lecture 21

1
Computer Security CS 426Lecture 21

• Examples of Using Cryptography Incorrectly

2
Related Readings

• Analysis of an electronic voting system
• Kohno, Stubblefield, Rubin, Wallach, 2004
• Intercepting Mobile Communications The
  Insecurity of 802.11
• Borisov, Goldberg, Wagner, 2001
• The Final Nail in WEPs Coffin
• Bittau, Handley, Lackey, 2006

3
Example voting machine

• Standard hardware
• Commercial OS
• Many run WinCE
• Programmable
• Specify election
• Smartcard authentication
• Invalidate card when done
• Data output
• Network, or
• Place disk in another computer

4
Basic security analysis

• What is voting system supposed to do?
• Correctly count votes
• One person, one vote
• Voter privacy
• Prohibit vote selling
• Allow recount, provide confidence in results
• Who might attack system?
• Voter wants to vote twice
• Election worker
• Programmer working for voting machine company

5
Diebold Case Study
T. Kohno, A. Stubblefield, A. Rubin, D. Wallach

• Proprietary system
• Certification mandated by election laws
• Without public review Security through obscurity
• Diebold system leaked
• AccuVote-TS DRE system, Oct 2000 - April 2002
• Available on open ftp server
• Identified by activist Bev Harris
• Some zip files, cvs repository
• DMCA concern over zip encryption
• Available on New Zealand site

6
Some problems

• Encrypted votes and audit logs
• define DESKEY ((des_key)"F2654hD4")
• No authentication of smartcard to voting terminal
• Insufficient code review

7
Sample comment in code

• // LCG - Linear Conguential Generator
• // used to generate ballot serial numbers
• // A psuedo-random-sequence generator
• // (per Applied Cryptography,
• // by Bruce Schneier, Wiley, 1996)

Unfortunately, linear congruential generators
cannot be used for cryptography Page
369 Applied Cryptography, by Bruce Schneier
- BallotResults.cpp Diebold Election Systems
8
Other problems

• Smartcards use no cryptography
• Votes kept in sequential order
• Several glaring errors in cryptography
• Inadequate security engineering practices
• Default Security PINs of 1111 on administrator
  cards
• Windows Operating System
• tens of millions of lines of code
• new critical security bugs announced frequently

9
802.11 Security

• Used between a Wireless Access Point and Wireless
  Ethernet Cards
• Existing security consists of two subsystems
• A data encapsulation technique called Wired
  Equivalent Privacy (WEP)
• An authentication algorithm called Shared Key
  Authentication
• Goals
• Create the privacy achieved by a wired network
• Simulate physical access control by denying
  access to unauthenticated stations

10
WEP Encapsulation

• WEP Encapsulation Summary
• A master key shared between the end points
• Encryption Algorithm RC4
• Per-packet encryption key 24-bit IV
  concatenated to a master key
• WEP allows IV to be reused with any frame
• Data integrity provided by CRC-32 of the
  plaintext data (the ICV)
• Data and ICV are encrypted under the per-packet
  encryption key

11
What Went Wrong in WEP?

• The space of IV is too small IV is sent in
  clear.
• With two messages encrypted using the same IV,
  one can recover the key stream.
• The attack is made much easier by chosen
  plaintext attacks, which can be carried out in
  the environment where WEP is used.

12
Ways to Accelerate the Attack

• Send spam into the network no pattern
  recognition required!
• Get the victim to send e-mail to you
• The AP creates the plaintext for you!
• Decrypt packets from one Station to another via
  an Access Point
• If you know the plaintext on one leg of the
  journey, you can recover the key stream
  immediately on the other
• Etc., etc., etc.

13
Fragmentation Attacks

• Knowing several bytes of plaintexts in the
  beginning of a message enables one to extract the
  beginning of key streams
• Using fragmentation, one can send messages using
  a short key stream
• By crafting messages sent to a particular IP
  address, one can have the WAP decrypt to get the
  plaintext and long key stream
• Attack can be carried out after receiving one
  packet

14
Coming Attractions

• November 9
• Introduction to network security