Vigil

SecurityLLC

OpenSig 2003:Panel Discussion on the

Differences and Similarities of Wired vs. Wireless Security

Russ Housley

9 October 2003

Vigil

SecurityLLC

Ethernet vs. 802.11 Wireless LAN

Do Ethernet and 802.11 WLANs offer the same services?

From a protocol stack perspective, Ethernet and WLANs are largely interchangeable. Both allow the application layer protocols to deliver the expected services.

From a security perspective, they are quite different.

Vigil

SecurityLLC

Wired Guest Network Example

CorporateNetwork

Guard

GuestNetwork

Internet

Vigil

SecurityLLC

With WLANs … (1 of 3)

Internet

Guard

Vigil

SecurityLLC

With WLANs … (2 of 3)

Internet

Guard

Vigil

SecurityLLC

With WLANs … (3 of 3)

Internet

Guard

Vigil

SecurityLLC

Security Services

Mechanisms for confidentiality, integrity, and authentication are essential for any WLAN to offer comparable security to an Ethernet.

Vigil

SecurityLLC

WLAN Frame Security All currently deployed IEEE 802.11 WLAN

devices have flawed security WEP data encryption easy to break IEEE 802.11 authentication easy to subvert

IEEE 802.11 security solution has two phases: Short-term security solution called TKIP

Accommodates existing hardware Firmware and driver upgrade

Long-term security solution called CCMP (uses AES) Targeted at new hardware designs

Vigil

SecurityLLC

WEP Description

802.11 Hdr Data

Append ICV = CRC32(Data)

Data802.11 Hdr ICV

Data802.11 Hdr IV ICV

Select and insert IV

Per-packet Key = IV || RC4 Base Key

RC4 Encrypt Data and ICV

0xAA 0xAA 0x00 0x00 0x00 0x00 0x80 0x00

Remove IV from packet

Per-packet Key = IV || RC4 Base Key

RC4 Decrypt Data and ICV

24 bits

Check ICV = CRC32(Data)

SNAP SAP

Vigil

SecurityLLC

RC4 is a Stream Cipher

RC4Pseudo-random

number generator

Plaintext data byte p

“key stream” byte b

Ciphertext data byte

c = p b

Decryption works the same way: p = c b

What happens when p1 and p2 are encrypted under the same “key stream” byte b?

c1 = p1 b and c2 = p2 b

Thus: c1 c2 = (p1 b) (p2 b) = p1 p2

Vigil

SecurityLLC

IV Collisions

WEP expands the RC4 Base Key into 224 per-packet keys Data can be recovered if IV is ever repeated with same per-packet key RC4 key must be changed at least every 224 packets, otherwise data is

exposed when the same IV is used for a second packet WEP does not provide a standard way to change keys!

Often all stations are using the same key Immediate IV collisions between stations that share the RC4 Base Key

Data802.11 Hdr IV ICV

24 bits Per-packet Key = IV || RC4 Base Key

Vigil

SecurityLLC

Weak Key Attacks

Data802.11 Hdr IV ICV

0xC0 0x15 0x7E 0xA5 0x3F 0x22 0xEA 0xA1

SNAP SAP provides known plaintext 0xAA 0xAA 0x00 0x00 0x00 0x00 0x80 0x00

First eight bytes of ciphertext

Per-packet key = IV || RC4 Base Key, so the first threebytes of the Per-packet Key are always exposed!

Some RC4 weak keys exist, where patterns in the first three bytes of the key causes a corresponding pattern in first few bytes of the key stream

The IV identifies the use of potential weak keys Known plaintext allows direct computation of start of the key stream,

exposing some of the secret RC4 Base Key value Iterate over a sequence of packets with different IVs until all the bits

in the RC4 base key are found

Vigil

SecurityLLC

Forgery AttacksSample Attack 1 – Attacker has accomplice on the wired network:

1. Recv-Addr, Src-Addr, Dest-Addr are unprotected

2. Record any packet, replace the Dest-Addr with accomplice’s address; resend it

3. AP will decrypt data and send it to the accomplice

Sample Attack 2 – Attacker alters recorded traffic:

Data802.11 Hdr IV ICV

Recv-Addr, Src-Addr, Dest-Addr 0 … … 01 New ICV

1. Create a blank message with same number of data bytes

2. Flip some bits and compute the ICV on the flipped bits

3. XOR resulting bit-flipped message + ICV into captured message

Vigil

SecurityLLC

Attacker

Replay Attacks

Authorized WEP communications

1. Record

2. Play back selections

Vigil

SecurityLLC

Must Address All Problems

Solutions must address all of the problems, otherwise new attack tools will be developed to exploit the remaining holes

Need to address all of the problems IV Collisions Weak Keys Message Forgery Replay

Vigil

SecurityLLC

IEEE 802.11 TGi Short-term IEEE 802.11 Task Group i (TGi) is defining the

Temporal Key Integrity Protocol (TKIP) TKIP accommodates existing hardware with

firmware and driver upgrade TKIP mandates 4 new algorithms

Message Integrity Check (MIC) called Michael New per-packet key construction, with a large IV IV Sequencing Key Distribution

Vigil

SecurityLLC

Defeating IV Collision Attacks

Expand IV space to 48-bits At IEEE 802.11a rates, it would take about 1090 years

to exhaust the IV space

Use IEEE 802.1X EAPOL Key message to establish a new key at start of every association

IV New Key MIC

Vigil

SecurityLLC

Defeating Weak Key Attacks

BaseKey

TA IV

Phase 1

Phase 2

Per-Packet Key

Compute Per-packet Key from: 128-bit Base Key 48-bit Transmitter Address (TA) 48-bit IV

Structure permits: Efficient on deployed hardware Supports caching and precomputation

Avoids the weak keys exploited by AirSnort and other hacker tools

Vigil

SecurityLLC

Defeat Forgeries

MIC Michael ( Key, Src-Addr || Dest-Addr || Data )

ICV CRC ( Data || MIC )

Data ICVMIC

DataIV802.11 Hdr

IV802.11 Hdr

Compute MIC using Michael (a new algorithm) Designed for deployed hardware by Niels Ferguson

3-4 cycles/byte on ARM7 (2.7 – 3.6 MHz) 5-6 cycles/byte on i486 (4.5 – 5.4 MHz)

Provides about 30 bits of security – best possible in time budget

The most critical step – it takes away active attacks

Vigil

SecurityLLC

Defeating Replays

IV Data MIC ICV802.11 Hdr

IV IV + 1

Use the IV as a sequence number IV management rules:

Reinitialize IV to 0 when the base key is established IV is a strictly increasing counter Data traffic halts if IV value reaches maximum value Receiver discards any packets associated with the same key when

the IV value is less than a previously received packet

Vigil

SecurityLLC

TKIP Summary “Fixes” all known WEP vulnerabilities Designed and scrutinized by well-known

cryptographers Pragmatic sacrifice of bullet-proof security to

minimize performance degradation on existing hardware

TKIP provides only minimal security on deployed equipment and degrades performance

Vigil

SecurityLLC

IEEE 802.11 TGi Long-term

IEEE 802.11 Task Group i (TGi) is defining the AES-based long-term solution

A more robust security solution is not hard to design (there are many places to borrow from); however, it does require: New hardware Protocol changes

Vigil

SecurityLLC

Updated Protocol Requirements Message integrity — prevent forgeries Packet sequencing — detect replays Avoid rekeying — 48 bit packet sequence number Eliminate per-packet key Protect source and destination addresses Interoperate with proposed quality of service

(QoS) enhancements (IEEE 802.11 TGe) Desirable to use one strong cryptographic

primitive for both confidentiality and integrity

Vigil

SecurityLLC

Mechanisms 48-bit IV used for replay detection

First four bits of IV indicate QoS traffic class Remaining 44 bits used as counter Decryption/integrity check fail if traffic class bits are

altered Sender uses single counter space, but receiver needs

one for each traffic class AES with CCM or OCB authenticated encryption

CCM is mandatory, and OCB is optional Header authentication Payload authentication and confidentiality

Vigil

SecurityLLC

Counter Mode with CBC-MAC

Authenticated Encryption composed of Counter (CTR) mode and CBC-MAC using a single key Assumes 128 bit block cipher – IEEE 802.11i uses AES

Designed for IEEE 802.11i By D. Whiting, N. Ferguson, and R. Housley Intended for packet environment No attempt to accommodate streams

RFC 3610 and NIST SP 800-38C define CCM Expansion results from:

Nonce value used in the CTR blocks Message Integrity Check (MIC) value

Vigil

SecurityLLC

CCM Mode Overview

Use CBC-MAC to compute a MIC on the plaintext header, length of the plaintext header, and the payload

Use CTR mode to encrypt the payload Counter values 1, 2, 3, …

Use CTR mode to encrypt the MIC Counter value 0

Header Payload MIC

Authenticated

Encrypted

Vigil

SecurityLLC

SmSm

Br

E ...

B1 Bk

Header Payload MIC

A1 AmE E A0 E

... 0

padding

0

padding

Bk+1...

... E

Sm...S1 S0

B0

E

...

Vigil

SecurityLLC

CCM Security Proof

Jakob Jonsson did a security proof of CCM Published last August at SAC ’02

The proof shows that CCM provides a level of confidentiality and authenticity that is comparable to other proposed authenticated encryption modes, such as OCB mode.

Vigil

SecurityLLC

CCM Patent Status

The authors have explicitly released any intellectual property rights to CCM to the public domain

The authors are not aware of any patent or patent application anywhere in the world that covers CCM mode

The authors believe that CCM is a simple combination of well-established techniques;it is obvious to a person of ordinary skill in the arts

Vigil

SecurityLLC

Long-term Solution Summary

Builds on the lessons learned from IEEE 802.10 and IPsec ESP protocol designs Relies on proper use of strong cryptographic primitives

Strong security against all known attacks Requires new hardware

New hardware, proper protocol design, AES … Success

Vigil

SecurityLLC

Short-term vs. Long-term WEP (RC4) TKIP (RC4) CCMP (AES)

Key Size 40 or 104 bits 128 bits 128 bits

Key Life 24-bit IV, wrap 48-bit IV 48-bit IV

Packet Key Concat. TKIP KDF Not Needed

IntegrityData CRC-32 Michael CCM or OCBHeader None Michael CCM or OCB

Replay None Use IV Use IV

Key Mgmt. None EAP-based EAP-based

Vigil

SecurityLLC

WLAN Frame Security Conclusion

Any solution that does not address all the problems is a failure

TKIP provides only minimal security, but much more than WEP Meets deployed equipment constraints (most devices) Degrades performance

Long-term solution … Success New hardware Proper protocol design AES

Vigil

SecurityLLC

For More Information

Russ Housley

Vigil Security, LLC

housley@vigilsec.com