CU-Boulder CSCI 6268 - Lecture #24


Foundations of Network and Computer Security
Announcements
Wireless Security
Wireless Security Challenges
IEEE 802.11b/a/g
Wireless Network Architecture
Slide 7
My Access Point
War Driving
More War Driving
Next Time You’re in LA
What’s the Big Deal?
MAC Filtering
Non-Signalling APs
Let’s Use Crypto!
WEP Protocol
Slide 17
WEP Decryption
Goals
WEP Keys
Slide 21
Entering WEP Keys
Goals Achieved: ;
IV repeats
What to do with repeated IVs?
Authentication
Altering WEP Ciphertext
Defeating the WEP Access Mechanism
Summary: WEP is no good

Foundations of Network and Computer Security
John Black
Lecture #24
Nov 29th 2005
CSCI 6268/TLEN 5831, Fall 2005

Announcements
Remainder of the semester:
• Project #2 is due today (please hand in)
• Quiz #3 is Thursday, 12/01
• Following Thursday, 12/08
  – Project #3 is due
  – Final Review
  – FCQs
• Final Exam on Monday after that
  – 12/12, 4:30pm, this room

Wireless Security
• Why is wireless security essentially different from wired security?
  – Almost impossible to achieve physical security on the network
  – You can no longer assume that restricting access to a building restricts access to a network
    • The “parking lot attack”

Wireless Security Challenges
• Further challenges:
  – Many wireless devices are resource-constrained
    • Laptops are pretty powerful these days but PDAs are not
    • Sensors are even more constrained
    • RFIDs are ridiculously constrained
  – Paradox: the more resource-constrained we get, the more ambitious our security goals tend to get

IEEE 802.11b/a/g
• A standard ratified by IEEE and the most widely-used in the world
  – Ok, PCS might be a close contender
  – Also called “Wi-Fi”
    • 802.11 products certified by WECA (Wireless Ethernet Compatibility Alliance)
  – Bluetooth is fairly commonplace but not really used for LANs
    • More for PANs (the size of a cubicle)
    • Connect PDA to Cell Phone to MP3, etc.

Wireless Network Architecture
• Ad Hoc
  – Several computers form a LAN
• Infrastructure
  – An access point (AP) acts as a gateway for wireless clients
  – This is the model we’re most used to
  – Available all through the EC, for example

My Access Point

War Driving
• The inherent physical insecurity of wireless networks has led to the “sport” of war-driving
  – Get in your car, drive around, look for open access points with your laptop
  – Name comes from the movie “War Games”
  – Some people get obsessed with this stuff
  – You can buy “war driving kits” online
    • Special antennas, GPS units to hook to your laptop, mapping software

More War Driving
• People use special antennas on their cars
  – It used to be Pringles cans, but we’ve moved up in the world
• People distribute AP maps
• War driving contest at BlackHat each year

Next Time You’re in LA

What’s the Big Deal?
• My home access point is wide-open
  – People could steal bandwidth
  – I’m not that worried about it
  – People could see what I’m doing
  – I’m not that worried about it
• There are ways to lock-down your access point
  – MAC filtering
  – Non-signalling APs and non-default SSIDs
  – Wired Equivalent Privacy (WEP)

MAC Filtering
• Allow only certain MACs to associate
  – Idea: you must get permission before joining the LAN
  – Pain: doesn’t scale well, but for home users not a big deal
  – Drawback: people can sniff traffic, figure out what MACs are being used on your AP, then spoof their MAC address to get on

Non-Signalling APs
• 802.11 APs typically send a “beacon” advertising their existence (and some other stuff)
  – Without this, you don’t know they’re there
  – Can be turned off
  – If SSID is default, war drivers might find you anyway
    • SSID is the “name” of the LAN
    • Defaults are “LinkSYS”, NETGEAR, D-Link, etc.
    • Savvy people change the SSID and turn off beacons
  – SSIDs can still be sniffed when the LAN is active however, so once again doesn’t help much

Let’s Use Crypto!
• WEP (Wired Equivalent Privacy)
  – A modern study in how not to do things
  – The good news: it provides a wonderful pedagogical example for us
• A familiar theme:
  – WEP was designed by non-cryptographers who knew the basics only
    • That’s enough to blow it

WEP Protocol
• One shared key k, per LAN
  – All clients and APs have a copy of k
  – We are therefore in the symmetric key setting
    • Very convenient: no public key complexities needed
    • Has drawbacks, as we’ll see later
  – In the symmetric key model, what do we do (minimally) for data security?
    • Authentication and Privacy!
    • (MAC and encrypt)

WEP Protocol
• For message M, P = (M, c(M))
  – c() is an unkeyed CRC (cyclic redundancy check)
• Compute C = P ⊕ RC4(v, k)
  – RC4 is a stream cipher
    • Think of a stream cipher as a “randomness stretcher”: give it n random bits and it produces (essentially) infinite pseudo-random bits
    • The input is variously called the “seed” or the “key”
    • Seems a lot like a pseudo-random number generator!
    • We will look at RC4 in more detail later
  – v is an IV
    • As usual, the IV should never be repeated over the life of the key
• Sender transmits (v, C)

WEP Decryption
• Receiver obtains (v’, C’) and knows k
  – Computes C’ ⊕ RC4(v’, k) = (P’ ⊕ RC4(v’, k)) ⊕ RC4(v’, k) = P’
  – Then checks integrity with P’ = (M’, c’) and asking whether c’ = c(M’)
    • If not, reject the frame as inauthentic
  – Looks familiar, but we should be suspicious: a keyless function is not a MAC!

Goals
• Security Goals of WEP:
  – Privacy
  – Integrity
    • What we also have called “authenticity”
    • It should be “hard” to tamper with ciphertexts without being detected
    • It should be “hard” to forge packets
  – Access Control
    • Discard all packets not properly encrypted with WEP (optional part of the 802.11 standard)
• WEP Document:
  – Security “relies on the difficulty of discovering the secret key through a brute-force attack”

WEP Keys
• 802.11 was drafted when 40 bits were all we could export
  – This restriction was lifted in 1998, but the standard was already in draft form
  – Some manufacturers extended the key to an optional 128-bit form
    • This is misleading: the 128 form uses a 104 bit key because the IV is 24 bits

WEP Keys
• Two forms: the 40 bit key: k (40 bits), IV (24 bits)
• The “128” bit key: k (104 bits), IV (24 bits)
Recall: IV is public, so shouldn’t count as “key”

Entering WEP Keys
Note: Four keys allowed to encourage key-rotation, but this has to all be synchronized among all users of the WLAN.

Goals Achieved: ;
• Let’s start with the Privacy goal
  – WEP is using an encryption pad; what is the cardinal rule
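
The encapsulation and decryption check from the "WEP Protocol" and "WEP Decryption" slides, as an added example that is not part of the original lecture. It assumes, as in deployed WEP, that RC4(v, k) means RC4 seeded with v followed by k and that c() is CRC-32; the key, IV and messages are constructed sample values. It also shows why the IV must never repeat: the same (v, k) yields the same pad.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key (the "seed")."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def c(m: bytes) -> bytes:
    """The unkeyed checksum c(M): CRC-32, computable by anyone without k."""
    return zlib.crc32(m).to_bytes(4, "little")

def wep_encrypt(k: bytes, v: bytes, m: bytes):
    p = m + c(m)                              # P = (M, c(M))
    return v, xor(p, rc4(v + k, len(p)))      # C = P xor RC4(v, k); send (v, C)

def wep_decrypt(k: bytes, v: bytes, ct: bytes) -> bytes:
    p = xor(ct, rc4(v + k, len(ct)))          # P' = C' xor RC4(v', k)
    m, icv = p[:-4], p[-4:]
    if icv != c(m):                           # is c' == c(M')?
        raise ValueError("integrity check failed: frame rejected")
    return m

# Constructed sample values (assumptions, not from the lecture)
K = bytes.fromhex("0102030405")               # 40-bit shared key k
V = bytes.fromhex("aabbcc")                   # 24-bit public IV v
M1, M2 = b"first  frame body", b"second frame body"

def iv_reuse_leak() -> bool:
    """Same (v, k) gives the same pad, so C1 xor C2 equals P1 xor P2 with no key involved."""
    _, c1 = wep_encrypt(K, V, M1)
    _, c2 = wep_encrypt(K, V, M2)
    return xor(c1, c2) == xor(M1 + c(M1), M2 + c(M2))
```

Note that `c()` takes no key argument: the only secret protecting the integrity value is the pad itself, which is why the slide warns that a keyless function is not a MAC.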