Xiuzhen Cheng cheng@gwu.edu

1
Xiuzhen Cheng
cheng_at_gwu.edu
Csci388 Wireless and Mobile Security Wireless
LAN Introduction, WEP
2
Outline

• Challenges in Wireless Communications
• Introduction to IEEE 802.11 Wireless LAN
• Break (5 minutes)
• Intercepting Mobile Communications The
  Insecurity of 802.11
• Wireless Securitys Future

3
Uniqueness of Wireless Communication

• Uniqueness of Wireless Communication
• Interference and Noise Full connectivity can not
  be assumed Battery usage Security
• Requirements of a wireless MAC standard
• Single MAC to support multiple PHY mediums
• Robust to interference
• Need to deal with the hidden/exposed terminal
  problem
• Need provision for time bounded services
• Support for power management to save battery
  power
• Ability to operate world wide ISM band

4
Problems of wireless networks

• Hidden Terminal
• Decrease throughput
• Increase delay
• Exposed Terminal
• Decrease channel utilization
• Limited energy
• Network partition
• Mobility
• Security

5
802.11 System Architecture

• Two basic system architectures
• Ad hoc
• Infrastructure based
• Access Point
• Stations select an AP and associate with it
• Support roaming
• Provide other functions
• time synchronization (beaconing) power
  management, PCF

6
802.11 Protocol Stack
7
802.11 MAC Layer

• Three basic access mechanisms
• CSMA/CA DCF(CSMA/CARTS/CTS) PCF
• DIFS lowest priority, asynchronous data
• PIFS media priority, time-bounded service
• SIFS highest priority, short control message
• Carrier sense at two levels
• Physical carrier sense done by physical layer
• Virtual carrier sense at MAC layer using Network
  Allocation Vector (NAV) set while
  RTS/CTS/Data/Ack are overheard solves problem of
  Hidden and Exposed terminal
• Reduces collision by deferring transmission if
  any of the carrier sense mechanisms sense the
  channel busy

8
DCF Basic Access

• Basic Access
• When a STA has data to send, it senses medium
• The STA may transmit a MAC Protocol Data Unit
  (MPDA) when medium idle time is greater or equal
  to DIFS
• If medium is busy, wait for a random backoff time
  

9
DCF

• Backoff Procedure
• Backoff procedure is invoked for a STA to
  transfer a frame but the medium is busy
• Set Backoff Timer to be random backoff time
• Backoff Timer start decreasing after an idle time
  of DIFS following the medium busyness
• Backoff Timer is suspended when medium is busy,
  and wont resume until the medium is idle for
  DIFS
• A frame may be transmitted immediately when
  Backoff Timer is 0

10
DCF

• Recovery procedures
• Collision may happen during contention
• When collision happens, retransmission with a new
  random selection of the backoff time, contention
  window is doubled.
• No special rights for retransmission

11
DCF

• Random backoff timerandom()xaSlotTime
• aSlotTime the value of the correspondingly named
  PHY characteristic (20?s for DSSS)
• Random() a random integer uniformly distributed
  over 0, CW
• CW (contention window)
• Increases exponentially after each retry fails
  (so does average backoff time. Why to do this?)
• Keep constant after reaching the maximum
• Reset after a successful transmission

12
DCF RTS/CTS Scheme

• RTS/CTS Scheme
• Four way handshake RTS-CTS-DATA-ACK
• NAV (Network Allocation Vector)
• An indicator, maintained at each STA, for the
  period that transmission will not be initiated
• Setting and resetting NAV according to Duration
  in MAC header when receiving a valid frame

13
DCF Fragmentation

• Control of the channel
• Once the STA has contented for the channel, it
  shall continue to send fragments until
• All fragments of a MSDU or MMPDU have been sent
• An ACK is not received
• STA is restricted from sending additional
  fragments by PHY layer
• Duration field
• RTS/CTS time till the end of ACK0
• Fragments/ACK time till the end of the ACK for
  the next fragment
• Last fragment/ACK length of ACK/0

14
PCF

• Only available for infrastructured architecture,
  why?
• PCF is on top of DCF
• Super frame contains a contention-free period and
  a contention period
• Procedure (assume the media is just free)
• Point coordinator (PC) polls s1 after PIFS s1
  replied with data
• PC continues to poll other stations
• After no reply from a station, PC waits for PIFS
  time, then continues to poll other stations
• After finishing, send CFE message. Then
  contention period starts.
• Question how time-bounded service is provided?

15
Other Considerations

• Syschronization
• Beacon signal
• Power-Control
• Sleep and awake states
• Wakeup periodically every TIM interval
• Roaming
• Association request and response

16
Break
17
The WEP Protocol

• Security goals of the WEP (Wired Equivalent
  Privacy) protocol
• Confidentiality Prevent an adversary from
  learning the contents of your wireless traffic.
• Access Control Prevent an adversary from using
  your wireless infrastructure.
• Data Integrity Prevent an adversary from
  modifying your data in transit.
• WEP Protocol was designed to protect the
  confidentiality of user data from eavesdropping
• Part of 802.11
• It has been integrated by manufacturers into
  their 802.11 hardware.
• Widespread in use.

18
The WEP Protocol (cont.)

• Sender and receiver share a secret key k.
• Two classes of WEP implementation
• classic WEP as documented in standard (40-bit
  key)
• extended version developed by some vendors
  (128-bit key)

19
The WEP Protocol (cont.)

• In order to transmit a message M
• P ltM, c(M)gt
• pick Initial Vector(IV) v and generate
  RC4(v,k)is a keystreamC P ? RC4(v,k)
• A -gt B v, (P ? RC4(v,k))
• Upon receiptgenerate RC4(v,k)P C ?
  RC4(v,k)
• P ? RC4(v,k) ? RC4(v,k)
• P check if cc(M)
• If so, accept the message M as being the one
  transmitted

20
WEP, Pictorially
21
An Example
22
Attack Practicality

• Access to the transmitted data.
• Need equipment capable of monitoring 2.4 GHz
  frequencies.
• Need to understand the physical layer of 802.11
  protocol.
• For active attacks, need equipment capable to
  transmit at the same frequencies.
• High cost, but not impractical
• corporate espionage can be a highly profitable
  business.
• Passive attacks possible with off-the-shelf
  equipment by modifying driver settings (Lucent
  PCMCIA Orinoco wireless card).

23
The Two-Time Pad Problem

• You must never encrypt two messages with the same
  keystream K.
• Suppose P1 and P2 are both encrypted with the
  same K.
• Then C1 P1 ? K, and C2 P2 ? K.
• But then C1 ? C2 P1 ? K ? P2 ? K P1 ? P2
• So the adversary learns the XOR of two
  plaintexts!
• Does he know (or can guess) parts of one
  plaintext?
• Usually, just knowing the XOR of two plaintexts
  is enough to recover them.

24
What Does WEP Do?

• The keystream for WEP is RC4(v,k).
• k is a fixed shared secret, that changes rarely,
  if ever (in many setups, every user shares the
  same k).
• If two packets ever get transmitted with the
  same value of v, you reuse the keystream.
• Since v gets transmitted in clear for each
  packet, the adversary can even easily tell when a
  value of v is reused (a "collision").
• How many possible values of v are there?
• v only occupies 24 bits of the header at most
  there are 224 (about 16 million of v).
• After 16 million packets, you have to repeat one!
• Birthday paradox for random 24-bit v
• Many 802.11 cards reset their IV counter to 0
  every time they were activated, and incremented
  by 1 for each packet transmitted.

25
What Does WEP Do? (cont.)

• This means that low IV values get reused at the
  beginning of every wireless session.
• Usually use the same secret k, and often many
  different people use the same k.
• So you can find collisions between packets sent
  by different people!
• This makes collisions much more common.

26
Decryption Dictionaries

• Adversary knows both the C and the P for some
  packets encrypted with a given IV v.
• Easy if he knows the P (pings, or spam email!).
• He can also do it passively by watching for
  collisions.
• RC4(k,v) P ? C
• Note no need to know the value of the shared
  secret k.
• Store keystream in a table, indexed by v.
• Next time a packet with an IV stored in the table
  passes by, look up the keystream, XOR it against
  the packet, and read the data!
• Table is at most 1500 224 bytes 24 GB
• If the cards that are being used have the
  IV-reset-to-0 property, then most IV's will be
  small, and the dictionary will be even smaller!

27
Message Authentication in WEP

• An 802.11 receiver will accept a packet if, after
  decryption, it contains a correct checksum of the
  plaintext.
• The checksum algorithm used is CRC-32.
• CRC's are used to detect random errors they are
  useless against malicious errors.
• There is already a CRC at a lower layer of the
  protocol to detect random bit errors in
  transmission.
• CRC-32 Has the following properties
• It is independent of the shared secret and the
  IV.
• It is linear c(M ? D) c(M) ? c(D)
• We can make a controlled modification and get
  unnoticed.

28
Message Modification

• Assume a message M was transmitted, and the
  ciphertext was C and the IV was v (i.e. C and v
  are known to the adversary).
• C RC4(v,k) ? ltM,c(M)gt
• A -gt B ltv,Cgt
• Possible to find C such that it decrypts to M
  and M M ? D D arbitrarily chosen by the
  attacker
• Adversary -gt B ltv,Cgt
• C C ? ltD,c(D)gt RC4(v,k) ? ltM,c(M)gt ?
  ltD,c(D)gt RC4(v,k) ? ltM ? D, c(M) ? c(D)gt
  RC4(v,k) ? ltM, c(M ? D)gt RC4(v,k) ?
  ltM, c(M)gt
• Receiver checks that c c(M)
• Accept message M as the one
  transmitted.

29
Message Injection

• The adversary just needs to know a single
  plaintext, and its corresponding encrypted
  packet.
• A -gt B ltv,Cgt
• P ? C P ? RC4(v,k) ? P RC4(v,k)
• Construct M and P ltM,c(M)gt
• C RC4(v,k) ? P
• A -gt B ltv,Cgt

30
Authentication Protocol

• Goal the base station verifies that a client
  joining the network really knows the shared
  secret key k.
• The base station sends a challenge string to the
  clientB-gtA M
• The client sends encrypted challengeA -gt B v,
  ltM,c(M)gt ? RC4(v,k)
• The base station checks if the challenge is
  correctly encrypted, and if so, accepts the
  client.
• Adversary sees a challenge/response pair for a
  given key k he can extract v and RC4(v,k).
• Adversary can execute authentication protocol
  himself!

31
Authentication Protocol (cont.)

• Adversary connects to the network himself
• The base station sends a challenge string M' to
  the adversary.
• The adversary replies with v, ltM',c(M')gt ?
  RC4(v,k)
• This is the correct response, so the base station
  accepts the adversary.
• Success even though he never did learn the value
  of k.

32
Message Decryption

• Useful symmetry property the operation of
  encryption is the same as the operation of
  decryption with the same key.
• An adversary can decrypt packets with the help of
  the base station! Ways to do it
• Double-encryption
• IP Redirection
• Reaction attacks

33
Double Encryption

• Join the network.
• Use a second Internet connection to send the
  packet to his computer over the wireless network.
• The base station will encrypt this packet a
  second time C (P ? RC4(v,k)) ? RC4(v,k) P
• Timing important to get the same IV, but not so
  difficult because the base station uses
  sequential IVs.

34
IP Redirection

• Join the network (authentication spoofing)
• Take the packet to be decrypted, modify the IP
  address as being his.
• Transmit the modified packet to the base station
  for decryption.
• Base station will send the plaintext on its merry
  way, straight to the adversary's machine.

35
IP Redirection (cont.)

• The only headache find the original destination
  IP address.
• Not difficult all the incoming traffic has a
  destination IP address on the wireless subnet,
  easy to determine.
• Fix the IP checksum.

36
IP Redirection (cont.)

• Suppose original IP address DH, DL
• Modified IP address DH, DL
• newCRC oldCRC DH DL- DH - DL
• Trick we only know to do XOR!
• Ways to go around this
• IP CRC is known do arithmetic
• IP CRC not known get lucky
• arrange that newCRC oldCRC change other
  fields.

37
Reaction Attacks

• Drawback the packet to be decrypted needs to
  be a TCP packet.
• Useful property a TCP packet with TCP checksum
  invalid is silently dropped.
• Otherwise, get back an ACK packet (easy to
  identify by its size).
• Monitor the reaction of a recipient of a TCP
  packet and use that to infer info about the
  unknown plaintext.
• Intercept ltv,Cgt
• Flip a few bits in C, recompute checksum, wait
  (patiently) to see if an ACK is sent back.

38
Reaction Attacks (cont.)

• A clever choice of what bits to flip ensures TCP
  checksum remains undisturbed exactly when Pi ?
  Pi16 1 holds.
• Each time we check the reaction of the recipient
  to a modified packet, we learn one more bit of
  the plaintext.
• TCP CRC 1s complement addition of the 16-bit
  words of message M.
• 1s complement addition modulo 216 -1
• C C ? D, D bit positions to flip.
• We choose D pick i arbitrarily, set positions i
  and i16 of D to 1 and the rest to 0.
• Convenient property P ? D P mod 216-1 holds
  when Pi ? Pi16 1

39
Countermeasures

• Just don't assume it's secure.
• Treat your wireless network as a public network.
• Put the wireless network outside your firewall.
• Use another authentication protocol for packets
  coming from the wireless network to internal
  intranet (e.g. VPN, IPSec, ssh).
• Long IV's which never repeat for the lifetime of
  the shared secret (and are never duplicated
  across machines sharing the same secret).
• Replace the shared key more often.
• Use a strong Message Authentication Code (instead
  of the CRC) which depends on the key and IV.

40
Conclusions

• Attacks on the Wired Equivalent Privacy protocol
  which defeat each of the security goals of
• Confidentiality We can read WEP-protected
  traffic.
• Access Control We can inject traffic on
  WEP-protected networks.
• Data Integrity We can modify WEP-protected
  traffic in transit.

41
Wireless Securitys Future

• IEEE 802.11i
• Phased deployment process due to the large number
  of 802.11 users
• Three major parts of 802.11i
• Temporal Key Integrity protocol (TKIP), enhancing
  and replacing WEP
• Counter mode CBC-MAC for link-layer data
  confidentiality and integrity
• 802.1x for access control

42
Temporal Key Integrity Protocol

• Immediate replacement of WEP
• Uses 48-vit vectors
• Uses 128-bit encryption key
• Uses per-packet keying
• A shared base key, a clients MAC address, and a
  packets sequence number create a unique key for
  each packet
• Avoid data-harvesting problem
• Periodically rotates the broadcast key
• Avoid data-harvesting problem
• Uses a message integrity code (MIC)
• A cryptographically protected one-way hash
• Immediate packet tampering detection
• TKIP is a part of WPA by the WiFi Alliance

43
Counter Mode with CBC-MAC

• Design goals confidentiality, integrity and
  authentication
• 128-bit AES
• 48-bit IV
• 128-bit cipher block chaining with MAC
• A required component of any 802.11i implementation

44
802.1x

• A port-based authentication protocol
• Before a successful 802.1x authentication, a
  wireless client is only allowed access to the
  authentication server. All other traffics are
  blocked at the AP
• After a successful 802.1x authentication, the
  client is granted access to the network
• UMD researchers found that 802.1x suffers from
  two attacks session hijacking and
  man-in-the-middle

45
Readings and Homeworks

• Readings for the lecture in Sep 9. Submit your
  reading report for the papers on DOMINO and DoS
  Attack
• C.D.J. Welch and M.S. D. Lathrop, A survey of
  802.11a wireless security threats and security
  mechanisms, 2003.
• M. Raya, J. P. Hubaux,, and I. Aad DOMINO A
  System to Detect Greedy Behavior in IEEE 802.11
  Hotspots, Proceedings of the Second International
  Conference on Mobile Systems, Applications, and
  Services, Boston, June 2004
• J. Bellardo and S. Savage, 802.11
  Denial-of-Service Attacks Real Vulnerabilities
  and Practical Solutions, Proceedings of USENIX
  Security Symposium, August 2003.
• 2 SepReadings for the lecture in Sep 2
• M.J. Hanson and D. McNamee, Efficient Reading of
  Papers in Science and Technology.
• N. Borisov, I. Goldberg, and D. Wagner,
  Intercepting Mobile Communications The
  Insecurity of 802.11, MobiCom 2001, pp. 180-188.
• B. Potter, Wireless Security's Future, IEEE
  Security and Privacy Magazine 01(4), pp. 68-72,
  July-Aug. 2003.

46
Questions?