
WK02: Stream Ciphers and WLAN Security – Securing Fixed and Wireless Networks, COMP4337/9337
Professor Sanjay K. Jha
School of Computer Science and Engineering, UNSW

Today’s Agenda
• Stream Ciphers
• How to design a flawed Security Protocol:
– WEP Case Study
• Fixing a flawed Protocol: WPA, WPA2
WK 02-WLAN

Two types of symmetric ciphers
• Block ciphers (last week – recap)
– Break the plaintext message into equal-size blocks
– Encrypt each block as a unit
– Used in many Internet protocols: PGP (secure email), SSL (secure TCP), IPsec (secure network/transport layer)
• Stream ciphers (today)
– Encrypt one bit (or byte) at a time
– Used in secure WLAN

Stream Ciphers
• Process the message bit by bit (as a stream), using a keystream generator
– Ideal for real-time communication
– A keystream must not be reused; otherwise the encrypted messages can be recovered
• Combine each byte of keystream with a byte of plaintext to get ciphertext:
– m(i) = ith unit of message
– ks(i) = ith unit of keystream
– c(i) = ith unit of ciphertext
– c(i) = ks(i) ⊕ m(i) (⊕ = exclusive or)
– m(i) = ks(i) ⊕ c(i)

Rivest Cipher 4 (RC4)
• Rivest Cipher 4: designed by Ron Rivest
– A proprietary cipher owned by RSA.com
– No longer a trade secret
– Ideal for software implementation, as it requires only byte manipulations
• Variable key size (40 to 256 bits), byte-oriented stream cipher
• Widely used
– SSL, wireless WEP and WPA, Cellular Digital Packet Data, OpenBSD pseudo-random number generator

Wired Equivalent Privacy (WEP)
• Goal: provide security equivalent to a wired network – the problem starts with this thinking!
• Symmetric key crypto
– confidentiality
– end host authorization
– data integrity
• Efficient
– implementable in hardware or software

Stream cipher and packet independence
• Design goal: each packet separately encrypted
• If for frame n+1 we use the keystream from where we left off for frame n, then each frame is not separately encrypted
– need to know where we left off for packet n (e.g. the cipher block chaining approach)
• WEP approach: initialize the keystream generator with the key + a new IV for each packet:
Key + IV(packet) → keystream generator → keystream(packet)

WEP Pre-shared Key
• Enter a key (password) on the access point and then enter the same key on all devices
– This is the pre-shared key, AKA WEP Key (Shared Secret).
• Not possible to authenticate individuals
– hard to distinguish who is using the service – needs extra work.
• A key compromise for one user means that every device needs a new key
– Must be distributed to all users securely

WEP encryption (1)
• sender calculates an Integrity Check Value (ICV) over the data
– four bytes for data integrity: uses CRC-32
• each side has a 104-bit shared key (earlier only 40-bit)
• sender creates a 24-bit initialization vector (IV) and appends it to the key: gives a 128-bit key
• sender also appends a keyID (in an 8-bit field)
• the 128-bit key is input into a pseudo random number generator (PRNG), e.g. RC4, to get the keystream
• data in frame + ICV is encrypted with RC4:
– bytes of keystream are XORed with bytes of data & ICV
– IV & keyID are appended to the encrypted data to create the payload

WEP encryption (2)
Figure 7.8-new1: 802.11 WEP protocol (diagram). A new IV is chosen for each frame. KS (the 104-bit secret symmetric key) and the per-frame IV are fed into the key sequence generator, which outputs the keystream k1IV k2IV k3IV … kNIV kN+1IV … kN+4IV. The plaintext frame data d1 d2 d3 … dN plus CRC1 … CRC4 is XORed with that keystream to give c1 c2 c3 … cN cN+1 … cN+4. The transmitted frame consists of the 802.11 header, the IV (in plaintext) and the WEP-encrypted data plus ICV.

WEP decryption
• receiver extracts the IV (received in plaintext)
• inputs the IV and the shared secret key into the pseudo random generator, gets the keystream
• XORs the keystream with the encrypted data to decrypt data + ICV
• verifies the integrity of the data with the ICV
– note: the message integrity approach used here is CRC-32, which is different from a MAC (message authentication code) and from signatures (using PKI).

End-point authentication w/ nonce
Nonce: a number (R) used only once in a lifetime.
How to prove Alice is “live”: Bob sends Alice a nonce, R. Alice must return R, encrypted with the shared secret key.
Alice → Bob: “I am Alice”
Bob → Alice: R
Alice → Bob: R encrypted with the shared key
Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice!
Nonce: a handy tool for secure protocol design

WEP authentication
Host → AP: authentication request
AP → Host: nonce (128 bytes)
Host → AP: nonce encrypted with the shared key
AP: success if the decrypted value equals the nonce
• not all APs do it, even if WEP is being used
• the AP indicates if authentication is necessary in the beacon frame
• done before association

Breaking 802.11 WEP encryption
Security hole:
• 24-bit IV, one IV per frame -> IVs eventually reused; the ~16 million IVs are exhausted in about 2 hours at high speed
• IV transmitted in plaintext -> IV reuse is detected
Attack:
– Trudy causes Alice to encrypt known plaintext d1 d2 d3 d4 …
– Trudy sees: ci = di XOR kiIV
– Trudy knows ci and di, so can compute kiIV = di XOR ci
– Trudy now knows the encrypting key sequence k1IV k2IV k3IV …
– Next time the IV is used, Trudy can decrypt!
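The stream-cipher model, the RC4 generator, the WEP encryption and decryption steps and the IV-reuse hole above, carried through in one added Python example (this is not the lecture's code or any vendor's WEP implementation). The RC4 key-scheduling and output loops are the published algorithm; the frame layout IV || keyID || RC4(IV || key) XOR (data || ICV), the little-endian ICV, and the 104-bit key and 3-byte IV values are constructed for the example.

```python
"""Added example: RC4 keystream (KSA + PRGA), a toy WEP frame with a CRC-32
ICV, and why a reused 24-bit IV plus one known plaintext recovers the
keystream k_i^IV for every other frame sent under that IV."""
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """c(i) = ks(i) XOR m(i); the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 over the data (little-endian here)."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(shared_key: bytes, iv: bytes, data: bytes, key_id: int = 0) -> bytes:
    """Toy frame layout (assumption): IV(3) || keyID(1) || RC4(IV||key) XOR (data || ICV)."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)   # 40- or 104-bit key
    ks = rc4_keystream(iv + shared_key, len(data) + 4)   # 24-bit IV + key = 128-bit RC4 seed
    return iv + bytes([key_id]) + xor(data + icv(data), ks)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Receiver side: read the plaintext IV, regenerate the keystream, check the ICV."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4_keystream(iv + shared_key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    if icv(data) != tag:
        raise ValueError("ICV mismatch")
    return data


def keystream_from_known_plaintext(frame: bytes, known_data: bytes) -> bytes:
    """c_i = d_i XOR k_i^IV, so whoever knows d_i learns k_i^IV = d_i XOR c_i."""
    return xor(frame[4:], known_data + icv(known_data))


def iv_reuse_demo():
    """Two frames under one IV share a keystream; the second one falls without the key."""
    key = b"\x01" * 13                                   # constructed 104-bit pre-shared key
    iv = b"\x00\x00\x01"                                 # one of only 2^24 possible values
    known = b"known plaintext, e.g. an ARP request"
    f1 = wep_encrypt(key, iv, known)
    f2 = wep_encrypt(key, iv, b"a later secret frame")  # IV reused
    reuse_visible = f1[:3] == f2[:3]                     # detectable: the IV is sent in the clear
    ks = keystream_from_known_plaintext(f1, known)
    recovered = xor(f2[4:], ks)[:-4]                     # strip the four ICV bytes
    return reuse_visible, recovered


if __name__ == "__main__":
    print(iv_reuse_demo())
```

`rc4_keystream` can be checked against the standard RC4 test vector (key "Key" gives the keystream EB 9F 77 81 …). The `iv_reuse_demo` result is the whole point of the slide: the defender's only fix is to make sure a (key, IV) pair is never used twice, which a 24-bit counter cannot guarantee on a busy network.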

Problem with Linear Checksum
• Encrypted CRC-32 used as the Integrity Check Value (ICV)
– Fine for random errors, but not malicious ones
– Bits can be changed in the packet without decrypting
• An attacker can change the encrypted content (substitute it with gibberish), compute a CRC over the substituted text and produce an 802.11 frame that will be accepted by the receiver.

Wi-Fi Protected Access (WPA)
• Two versions WPA and WPA2
– WPA temporary solution to fix WEP while WPA2 developed
• WPA compatible with existing hardware that supported WEP
• WPA uses Temporal Key Integrity Protocol (TKIP)
– Used RC4 for compatibility
– Every packet encrypted with unique encryption key

802.11i: WPA
• To provide stronger authentication than in WEP:
– Special purpose Message Integrity Code (MIC) as opposed to the WEP CRC
• To prevent Fluhrer, Mantin and Shamir (FMS) style attacks:
– a new per-frame key is constructed using a cryptographic hash
• Temporal Key Integrity Protocol (TKIP) uses a cryptographic mixing function to combine a temporal key, the TA (transmitter MAC address), and the sequence counter into the WEP seed (128 bits)
– Pre Shared Key (PSK), AKA WPA-Personal, is similar to the WEP key
o However, it is not used for encryption
o Instead, the PSK serves as the seed for hashing the per-frame key

FMS Attack
• Fluhrer, Mantin and Shamir (FMS) attack
– For a 50% success rate, capture around 5 million packets on average
– Due to an inherent weakness in RC4, the output of encrypting with the first few bytes of the key is not random
– Certain key values generate a predictable pattern of encrypted data
o The associated packets have IVs that are “weak”
– Initially determine the first bytes of the key through the IVs, and then get the rest through statistical analysis
– Encrypted ARP packets can be captured and replayed to get encrypted ARP responses
o more in lab

802.11i: WPA Contd.
Per-frame key derivation (diagram): PSK → hash → temporal key (with a nonce); the temporal key, the sequence counter (IV) and the TA (transmitter MAC address) go through hash/mixing to produce the per-frame encryption key and the per-frame integrity key.
– TKIP changes the per packet key completely after every single packet
§ One key for encryption (128 bits)
§ One key for integrity (64 bits)
– The WEP IV is extended to 48 bits, and used as a packet sequence counter
o A per packet sequence counter is used to prevent replay attacks
o If a packet is received out of order, it is dropped by the receiving station
802.11 frame with WPA (diagram): the frame carries the ciphertext followed by the MIC, ICV and FCS fields.
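The two TKIP ideas on this slide, a per-frame key mixed from the temporal key, the TA and a 48-bit sequence counter, and a receiver that drops any frame whose counter does not strictly increase, as an added Python illustration. This is not the 802.11i TKIP key-mixing algorithm (which is a two-phase function of its own, not SHA-256) and not any vendor's code; the SHA-256 stand-in, the `Transmitter`/`Receiver` classes and the constructed temporal key and MAC address are assumptions made for the example.

```python
"""Added example: per-frame seed from (temporal key, TA, 48-bit counter) and
the strictly-increasing counter check that gives TKIP its replay protection."""
import hashlib
from typing import Optional, Tuple

SEQ_BITS = 48
SEQ_MAX = (1 << SEQ_BITS) - 1


def per_frame_seed(temporal_key: bytes, ta: bytes, seq: int) -> bytes:
    """Stand-in for TKIP's mixing function (assumption: SHA-256, not real TKIP),
    truncated to the 128-bit WEP seed the legacy RC4 hardware expects."""
    if not 0 <= seq <= SEQ_MAX:
        raise ValueError("48-bit sequence counter exhausted: rekey, never wrap")
    return hashlib.sha256(temporal_key + ta + seq.to_bytes(6, "big")).digest()[:16]


class Transmitter:
    def __init__(self, temporal_key: bytes, ta: bytes):
        self.tk, self.ta, self.seq = temporal_key, ta, -1

    def next_seed(self) -> Tuple[int, bytes]:
        """Every frame gets a fresh counter value, hence a fresh seed."""
        self.seq += 1
        return self.seq, per_frame_seed(self.tk, self.ta, self.seq)


class Receiver:
    def __init__(self, temporal_key: bytes, ta: bytes):
        self.tk, self.ta, self.last_seq = temporal_key, ta, -1

    def accept(self, seq: int) -> Optional[bytes]:
        """Replay protection: counter must be strictly increasing, else drop."""
        if seq <= self.last_seq:
            return None                      # replayed or out-of-order frame
        self.last_seq = seq
        return per_frame_seed(self.tk, self.ta, seq)


def demo() -> Tuple[bool, bool, bool]:
    tk = b"\x22" * 16                        # constructed 128-bit temporal key
    ta = bytes.fromhex("001122334455")       # constructed transmitter MAC address
    tx, rx = Transmitter(tk, ta), Receiver(tk, ta)
    s0, k0 = tx.next_seed()
    s1, k1 = tx.next_seed()
    unique_keys = k0 != k1                   # unlike WEP, no two frames share a seed
    in_order_ok = rx.accept(s0) == k0 and rx.accept(s1) == k1
    replay_dropped = rx.accept(s0) is None   # old counter value presented again
    return unique_keys, in_order_ok, replay_dropped


if __name__ == "__main__":
    print(demo())
```

Contrast this with the WEP example earlier in the notes: there, two frames with the same 24-bit IV produce the same keystream; here the counter never repeats under one temporal key, and the `ValueError` at `SEQ_MAX` is the "> 100 years" point from the recap slide turned into code, since the right response to counter exhaustion is a rekey rather than a wrap-around.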

Recap: WEP vs WPA security
• WPA was a temporary solution to fix WEP while WPA2 was developed
• WEP IV extended to a 48-bit IV
o Reuse > 100 years for replay of the same IV
• RC4 key = Function(WPA Key || IV)
o Every packet encrypted with a unique encryption key
• IV used as a packet sequence space to prevent replay attacks
WEP (diagram): IV: 24 bits; key: 40/104/232 bits; keystream_i XOR plaintext d_i → ciphertext c_i
WPA (diagram): IV: 48 bits; temporal key; hash/mixing → keystream_i XOR d_i → c_i

802.11i: WPA2
• WPA2 (2004)
– Existing hardware (30 million instructions/sec, RC4 off-load hardware) doesn’t do AES or CCMP
– AES-CCMP: 128-bit AES
o CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
– Improved 4-way handshake and temporary key generation
• We may cover some details of WPA2, but for now: if you have WPA2, this is the safest option to use.
• WPA-Enterprise network security (802.1X) in later weeks

WPA PSK Weakness – no exam
• WPA, using the Temporal Key Integrity Protocol, has been cracked
– More in lab
• Roth demonstrated at a 2011 conference that WPA PSKs can be cracked quickly and easily using Amazon’s Elastic Compute Cloud (EC2) service
– He cracked his neighbor’s WPA password in 20 minutes using a dictionary attack and a list of 70 million words
– The attack only required one instance of Roth’s self-made Cloud Cracking Suite (CCS) tool running in the cloud
– It reached about 50,000 PSKs/s
• EC2 uses 400 cloud CPUs to launch a dictionary attack on a WPA key for $17
– http://www.wpacracker.com/
– The attack is based on a list containing 135 million entries, which can be extended to include optional extras such as a German dictionary or an extended English language word list (284 million entries)

Hotspot Security
• For most hotspots: unfortunately almost none!
• If you do not have to configure any security parameters besides typing in a username and password on a web page, expect the following:
– The hotspot operator checks your authenticity at logon time (often protected with SSL to protect against eavesdropping on your password)
– Only authenticated clients will receive service, as packet filtering is deployed to only allow access to the logon page until successful authentication
– Once logon authentication has been checked: no further security measures
– No protection for your user data:
• Everything can be intercepted and manipulated
– However, you can deploy your own measures, e.g. VPN or SSL, but configuration is often tedious or not even supported by the communication partner, and performance is affected because of the additional (per-packet) overhead
o Plus: your session can be stolen by using your MAC & IP addresses!

Acknowledgements
• Acknowledgement: foils are adapted mainly from Introduction to Computer Networks and Cybersecurity by Wu and Irwin, CRC Press (Chapter 21)
• Some foils are also from Günter Schäfer, Security in Fixed and Wireless Networks, Wiley (new edition available in German only, English in 2015)
• A few foils are from (ETH)
• Refer to Cybok Network Security KA Section:7 for brief summary

Message Forgery (Self-Read)
• CRC-32 is linear, which means that it is possible to compute the bit difference of two CRCs based on the bit difference of the messages over which they are taken.
• Flipping bit n in the message results in a deterministic set of bits in the CRC that must be flipped to produce a correct checksum on the modified message.
• Because flipping bits carries through after an RC4 decryption, this allows the attacker to flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid.
• Implications:
– “Integrity check” does not prevent packet modification
– Can maliciously flip bits in packets
o Modify active streams!
o Bypass access control
– Partial knowledge of the packet is sufficient
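The linearity argument above (and the "Problem with Linear Checksum" slide earlier) in working form, as an added Python example that is not part of the lecture material: `crc_is_linear` checks the identity crc(m ⊕ d) = crc(m) ⊕ crc(d) ⊕ crc(0…0), `flip_bits` uses it to adjust an encrypted ICV without knowing the key or the plaintext, and the same modification against a keyed MAC (HMAC-SHA256, an assumed replacement for illustration, not the TKIP MIC) is rejected. The keystream, MAC key and the "transfer 100 to alice" message are constructed for the example.

```python
"""Added example: CRC-32 is affine over GF(2), so a ciphertext-only attacker
can flip chosen bits and fix up the encrypted ICV; a keyed MAC catches it."""
import hashlib
import hmac
import os
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def crc_is_linear(m: bytes, d: bytes) -> bool:
    """crc(m XOR d) == crc(m) XOR crc(d) XOR crc(0^n). The all-zero term is the
    constant that CRC-32's init/final XOR contribute for every n-byte input."""
    lhs = zlib.crc32(xor(m, d))
    rhs = zlib.crc32(m) ^ zlib.crc32(d) ^ zlib.crc32(bytes(len(m)))
    return lhs == rhs


def crc_frame(ks: bytes, m: bytes) -> bytes:
    """WEP-style integrity: keystream XOR (data || CRC-32 ICV)."""
    return xor(m + crc32_le(m), ks)


def check_crc_frame(ks: bytes, c: bytes):
    """Receiver: decrypt, then accept only if the ICV matches the data."""
    p = xor(c, ks)
    m, tag = p[:-4], p[-4:]
    return m if crc32_le(m) == tag else None


def flip_bits(ciphertext: bytes, delta: bytes) -> bytes:
    """XOR delta into the encrypted data and the matching CRC difference into
    the encrypted ICV; needs neither the keystream nor the plaintext."""
    assert len(delta) == len(ciphertext) - 4
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(ciphertext, delta + icv_delta.to_bytes(4, "little"))


def mac_frame(ks: bytes, mac_key: bytes, m: bytes) -> bytes:
    """Keyed alternative (assumption: HMAC-SHA256 truncated to 8 bytes)."""
    tag = hmac.new(mac_key, m, hashlib.sha256).digest()[:8]
    return xor(m + tag, ks)


def check_mac_frame(ks: bytes, mac_key: bytes, c: bytes):
    p = xor(c, ks)
    m, tag = p[:-8], p[-8:]
    expect = hmac.new(mac_key, m, hashlib.sha256).digest()[:8]
    return m if hmac.compare_digest(expect, tag) else None


def forgery_demo():
    ks, mac_key = os.urandom(64), os.urandom(32)          # constructed secrets
    m = b"transfer 100 to alice"
    delta = bytearray(len(m))
    delta[9] = ord("1") ^ ord("9")                        # turns "100" into "900"
    delta = bytes(delta)
    via_crc = check_crc_frame(ks, flip_bits(crc_frame(ks, m), delta))
    via_mac = check_mac_frame(ks, mac_key, xor(mac_frame(ks, mac_key, m), delta + bytes(8)))
    return via_crc, via_mac                               # (modified message accepted, None)


if __name__ == "__main__":
    print(forgery_demo())
```

The decisive difference is that `flip_bits` never evaluates anything secret: the correction term depends only on `delta` and the message length, which is exactly what "partial knowledge of the packet is sufficient" means. With the MAC the attacker would have to produce a new tag under `mac_key`, so the same bit flip is dropped.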
