Presentation Jing Tan, Umass-Lowell Slide 1 Wireless and its Security Jing Tan Department of...

Presentation Jing Tan, Umass-Lowell Slide 1

Wireless and its Security

Jing Tan

Department of Computer Science

University of Massachusetts, Lowell

[email protected]

Presentation Jing Tan, Umass-LowellSlide 2

My message

It’s (Wireless Security) not too late, but it’s time to start.


History of Wireless

Wireless Technologies are relatively old.The development of wireless started about a century ago The wireless played an important role from world war II to aircraft business and NASA space exploration. But now the wireless technology has developed into one of today’s hottest topics because of its ability to bring the power of communications and the Internet into the hands of users worldwide.


The Growth of WLANs

Demand for wireless access to LANs is fueled by the growth of mobile device. There will be over a billion mobile devices by 2003, and the wireless LAN market is projected to grow to over US$20 billion by 2003.

Internet


The Technologies

The wireless technologies802.11 and 802.11b

Wireless Application Protocol (WAP)

Wired Equivalent Privacy (WEP)


What’s 802.11/802.11b?

802.11 and 802.11b standard In 1997 IEEE published the first world-recognized

standard for wireless, 802.11. About two years later, the IEEE published 802.11b, also know as 802.11 High Rate, which specifies the standards for building wireless system that operate with data speeds of up to 11Mbps.


Detail of 802.11/802.11b

Wireless Architecture Modes 802.11b physical layer 801.11 Media Access Control Layer (MAC)


Wireless Architecture Modes

Architecture Modes Infrastructure mode (802.11)

All stations in the system connect to an access point, not directly to one another.

BBS (Basic Service Set) and ESS (Extended Service Set)

Ad hoc mode (Bluetooth)The stations interconnect directly, without

communicating through an access point.


802.11b physical layer

802.11b physical layer One of the most valuable additions the 802.11b

standard provides is the standardization for the physical layer support of the two new speeds, 5.5Mpbs and 11Mbps.

To increase the data rate in 802.11b, advanced coding techniques are described


801.11 Media Access Control Layer (MAC)

801.11 Media Access Control Layer (MAC)

801.11 MAC is designed to support multiple users on a shared medium by having the sender detect and gather information about the medium before accessing it.

It is same as the 802.3 Ethernet wire connection. However the protocol employed [CSMA/CD] (carrier sense multiple access with collision detection) details collision handing and redirection.

In 801.11, collision detection is not possible because stations cannot listen and transmit at the same time; the radio transmission prevents the station from sending a collision. The protocol specified is slightly different from that in 802.3. It is termed [CSMA/CA] (carrier sense multiple access with collision avoidance) involves sending extra packets to confirm receipt to transmitted packets, called explicit packet acknowledgment (ACK).


Wired Equivalent Privacy

Wired Equivalent Privacy (WEP)The WEP protocol algorithm is designed on five premises:

Reasonably strong. Takes a reasonably long time to break the encryption.

Self-synchronizing. It’s not too much based on battery power. Exportable. Can be moved when necessary. Optional. Can be turned on and off when a user

needs.


Bluetooth

Bluetooth Unlink 802.11, Bluetooth is a technology

that operates in ad hoc network.


Wireless Application Protocol

Wireless Application Protocol (WAP)WAP is considered by some to be the standard in

wireless communications. Main members are Nokia, Ericsson, and Motorola, etc.

WAP has WTLS (Wireless Transport Layer Security) equivalent to Transport Layer Security (TLS) or Secure Socket Layer (SSL) provides authentication, privacy, and secure connections between applications. The problem with WTLS is that it does not provide end-to-end security and opens its holes.


WAP Overview

The subscriber push a key on her phone that has a URL (www.google.com) WAP gateway (AP). receives WTP/WTLS package and translated into HTTP/HTTPS to web server.

The web server passes the requested file with HTTP/SSL the returned data to the gateway.The Gateway performs translation into WML.The problem starts at this point. It does not provide end-to-end security and opens holes.

WTP

WTLS

WAP Gateway (AP)WAP Gateway (AP)

Internet

Web ServerWeb Server

HTTP/HTTPS

SSL


The Languages

The wireless languagesWAP BrowsersWireless Markup Language (WML)WMLScriptJava 2 Micro Edition (J2ME)C#XHTMLWireless Operating System


WAP Browsers

WAP BrowsersMore and more pages on the wireless web are being

written in WML to avoid having to translate to or from HTML. To view a WML page, a device must have a browsers are Netscape, IE and Openwave Mobile Browser.


Wireless Markup Language

Wireless Markup Language (WML) Although WML is similar to HTML and XML, programming in it requires the use of different

tags and structures. Because an entire screen size web page, it must be broken into smaller subparts. The

following is an example of a simple Hello World page in WML.<?xml version=”1.0”?><!DOCTYPE wml PUBLIC “-//WAPFORUM//DTD WML 1.1//EN”http://www.wapforum.org/DTD/wml_1.1.xml><!-Hello World in WML --><wml>

<card id=”Card1” title=”WML example”> <p> Hello World</p></card>

</wml>


WMLScript

WMLScript WMLScript is based on JavaScript. WMLScript gives WML added

functionality just as JavaScript adds to Java. . Check the validity of user input . Provides access to the device’s facilities. . Generates message and dialogs locally Etc. Current WMALScript application are predominantly benign, there are

many risks. For example, the cell phone has been setup that makes a call is to display the phone number before the call is made. If the WAP browser being used does not prompt the user before placing the call, the call is automatically activated. In Japan, a prank was played on phone users who pressed a number in response to a voice mail message that automatically dialed the Japanese police emergency number without the callers’ knowledge. Japan uses imode technology, which is different from WAP, but represents an initial exploitation of a native capability.


Java 2 Micro Edition (J2ME)

Java 2 Micro Edition (J2ME)Sun’s Java 2 Programming Language consists of three

versions:. J2SE Java 2 Enterprise Edition

. J2EE Java 2 Standard Edition

. J2ME Java 2 Micro Edition

Java 2 Micro Edition selectively rewrites and removes integral components of the core runtime environment to make it easily portable to smaller devices.


C#

C#C# .NET and Visual Basic .NET are two main

programming languages used for developing software for .NET platform, including .NET Compact Framework for wireless devices. .NET platform is a direct competition for Java platforms like J2EE and J2ME.


The New Wireless Language: XHTML

XHTML Designers often write HTML code in a sloppy fashion. Web browsers

are supposed to be very forgiving when rendering a page. In other words, they still try to display the page even if some tags are nested incorrectly or missing. This has led the browser developers to add extra code to the browser engine so that the pages still come out looking as they are supposed to look. However, all this code makes the browser a pretty big application, often between 15-18+ megs.

Now this might be fine for your PC with all the hard drive space you may have. However, small devices such as PDAs, cell phones, automobiles, refrigerators, etc., cannot hold such a big browser. Therefore, in order to be able to surf the web (and see your web site) with one of these devices, we need a small browser. In order to make the browser smaller the code must be less. That's where XHTML comes in.


Wireless Operating System

Wireless Operating systemNokia Symbian OSCompaq Palm OSMicrosoft Windwos CE, Pocket PC and

Smartphone OSNTTDoCoMo I-mode OS


ISO and WAP network model

Functionality 802.11b Internet WAP

L7: Application HTML

JavaScript

Wireless Application Env. (WAE)

WML, WMLScript

L6: Presentation

L5: Session HTTP Wireless Session Protocol (WSP)

Transaction HTTP Wireless Transaction Protocol (WSP)

Security TLS-SSL Wireless Transport Layer Security

L4: Transport TCP/UDP Wireless Datagram Protocol (WDP)

L3: Network IP Bearers: SMS, GSM, CDPD, etc

L2: Data Link

L1: Physical WEP


The Problem: Security!

Wireless networking is just radio communications It transmitted data by broadcast over the air using

waves, so everyone in the area served by the data transmitter. Hence anyone with a radio can eavesdrop, inject traffic

Internet


The Setting

An example of a 802.11 and 802.11b wireless network(current installed base in the millions of users)

Internet


WEP

The industry’s solution: WEP (Wired Equivalent Privacy) Share a single cryptographic key among all devices Encrypt all packets sent over the air, using the shared key Use a checksum to prevent injection of spoofed packets

(encrypted traffic)


WEP vulnerabilities

The industry’s solution: WEP (Wired Equivalent Privacy) vulnerabilities have been identified. (2000/10) Jesse R. Walker, Intel Corporation was one of the first

people to identify several of the problems in WEP.

( 2001/03) University of Maryland found several problem with the access control and authentication mechanisms used in the 802.11 standard.

(2001/01) University of California at Berkely independently released a paper describing the problems with WEP


How WEP Works

IV

RC4key

IV encrypted packet

original unencrypted packet checksum


WEP Encapsulation

WEP Encapsulation Summary: Encryption Algorithm = RC4 Per-packet encryption key = 24-bit IV concatenated to a pre-shared key WEP allows IV to be reused with any frame Data integrity provided by CRC-32 of the plaintext data (the “ICV”) Data and ICV are encrypted under the per-packet encryption key

802.11 Hdr Data

802.11 Hdr DataIV ICV

Encapsulate Decapsulate


How to Read WEP Encrypted Traffic (1)

By the Birthday Paradox, probability Pn two packets will share same IV after n packets is P2 = 1/224 after two frames and Pn = Pn–1 + (n–1)(1–Pn–1)/ 224 for n > 2.

50% chance of a collision exists already after only 4823 packets!!! Pattern recognition can disentangle the XOR’d recovered plaintext. Recovered ICV can tell you when you’ve disentangled plaintext correctly. After only a few hours of observation, you can recover all 224 key streams.

802.11 Hdr DataIV ICV

24 luxurious bits Encrypted under Key +IV using a Vernam Cipher


How to Read WEP Encrypted Traffic (2)

Ways to accelerate the process: Send spam into the network: no pattern recognition

required! Get the victim to send e-mail to you

The AP creates the plaintext for you! Decrypt packets from one Station to another via an Access

Point If you know the plaintext on one leg of the journey, you

can recover the key stream immediately on the other Etc., etc., etc.


A Property of RC4

Keystream leaks, under known-plaintext attack Suppose we intercept a ciphertext C, and suppose we can

guess the corresponding plaintext P Let Z = RC4(key, IV) be the RC4 keystream Since C = P Z, we can derive the RC4 keystream Z byP C = P (P Z) = (P P) Z = 0 Z = Z

This is not a problem ... unless keystream is reused!


A Risk With RC4

If any IV ever repeats, confidentiality is at risk Suppose P, P’ are two plaintexts encrypted with same IV Let Z = RC4(key, IV); then the two ciphertexts areC = P Z and C’ = P’ Z

Note that C C’ = P P’,hence the xor of both plaintexts is revealed

If there is redundancy, this may reveal both plaintexts Or, if we can guess one plaintext, the other is leaked

So: If RC4 isn’t used carefully, it becomes insecure


Attack #1: Keystream Reuse

WEP didn’t use RC4 carefully The problem: IV’s frequently repeat

The IV is often a counter that starts at zero Hence, rebooting causes IV reuse Also, there are only 16 million possible IV’s, so after

intercepting enough packets, there are sure to be repeats

Implications: can eavesdrop on 802.11 traffic An eavesdropper can decrypt intercepted ciphertexts

even without knowing the key


Attack #2: Spoofed Packets

Attackers can inject forged traffic onto 802.11 nets Suppose attackers know the value Z = RC4(key, IV) for

some IV e.g., by using the previous attack

This is all attackers need to know to encrypt using this IV Since the checksum is unkeyed, attackers can create valid

ciphertexts that will be accepted by the receiver

Implication: can bypass access control Can attack any computer attached to the wireless net


Summary So Far

None of WEP’s goals are achieved Confidentiality, integrity, access control all broken


Evaluation of WEP

WEP cannot be trusted for security Attackers can eavesdrop, spoof wireless traffic Can often break the key with a few minutes of traffic

Attacks are very serious in practice Attack tools are available for download on the Net Hackers sitting in a van in your parking lot may be able

to watch all your wireless data, despite the encryption


War Driving

To find wireless nets: Load laptop, 802.11

card, and GPS in car Drive

While you drive: Attack software listens

and builds map of all 802.11 networks found


Driving from LA to San Diego


Conclusions

Wireless networks: insecure in theory & in practice 50-70% of networks never even turn on encryption, and

the remaining are vulnerable to attacks shown here Hackers are exploiting these weaknesses in the field,

from distances of a mile or more

Lesson: Open design is important These problems were all avoidable

In security-critical contexts, be wary of wireless!


An example of solutions

In late 2001, RSA release a solution to the weakness present in WEP, the Fast Packet Keying solution, which uses a technique that rapidly generates a unique key for each wireless data packet. The IEEE committee approved this fix in early 2002. Although it quells the war-driving experiments of many, it does not solve the wireless LAN security problems indefinitely.


References

[1] “Wireless Security” by David Wagner, University of California, Berkeley. http://www.cuss.berkeley.edu/~daw

[2] Wireless Security and Privacy by Tara M. Swaminatha and Charles R. Elden ISBN 0-201-76034-7 Publisher Addison-Wesley.

[3] “Overview of 802,11 Security” Jesse Walker, Intel Corp.[4] “An Inductive Chosen Plaintext Attack Against

WEP/WEP2” by Bill A. Arbaugh. http://www.cs.umd.edu/~waa

[5] “Wireless LAN Security” by Cisco Systems.

Presentation Jing Tan, Umass-Lowell Slide 1 Wireless and its Security Jing Tan Department of...

Documents

Transcript of Presentation Jing Tan, Umass-Lowell Slide 1 Wireless and its Security Jing Tan Department of...