Computer security 2015 – Ýmir Vigfússon Based on slides by Roy Werber, Pascal material from Computer Networking: A Top Down


Based on slides by Roy Werber, Pascal material from Computer Networking: A Top Down Approach Featuring the Internet, Jim Kurose, Keith Ross, Addison-Wesley

[Figure: wireless link characteristics, data rate (Mbps) against range. Ranges: indoor 10-30 m; outdoor; mid-range outdoor 200 m - 4 km; long-range outdoor 5 km - 20 km. Technologies: IS-95, CDMA, GSM (2G); UMTS/WCDMA, CDMA2000 (3G); UMTS/WCDMA-HSDPA, CDMA2000-1xEVDO (3G cellular enhanced); WiMAX (4G?); 802.11b; 802.11a,g; 802.11a,g point-to-point; 802.11n; data NFR]

How does wireless differ from wired settings?
- Base stations relay traffic between wireless and wired networks: cell towers, access points, ...
- Infrastructure mode vs. ad-hoc: in ad-hoc mode there are no base stations and no network infrastructure
- Basic service set (BSS), a.k.a. cell: the set of wireless hosts; in infrastructure mode, also the base station; in ad-hoc mode, hosts relay for each other
- Interesting research questions...
- [Figure: BSS 1 and BSS 2, each with an AP, joined by a hub, switch or router to the Internet]

Genesis of a wireless/WiFi network
- Beacon: "JOIN ME! I have a powerful signal! I am called Secure! (SSID) My MAC address is 00:de:ad:be:ef:00 (BSSID) I encrypt... or not"
- ... and a WLAN is born
- Afterward, may authenticate, run DHCP, etc.

How would you share bandwidth?
- The 2.4 GHz band is divided into 11 channels. Each channel is a band.
- Share the band: Carrier Sense Multiple Access (CSMA)
- Instead of just dividing frequency or time slots among users, use Code Division Multiple Access (CDMA)
- Optional: CSMA-CA, Collision Avoidance: short Request-to-Send (RTS) messages reserve the channel; the base station (access point) decides and answers Clear-to-Send (CTS)
- [Figure: RTS/CTS timeline with access point, A and B: RTS(A) and RTS(B) collide; A sends RTS(A) again; access point sends CTS(A) (reservation); DATA(A); ACK(A); B defers]

Suppose you're in charge of designing the first wireless protocol for the masses. How would you make it backward compatible?
[Figure: protocol stack on two end hosts, Application / Transport / Network / Link, with the application protocol, TCP protocol, IP protocol and data link spanning them through an IP network-access node in the middle]
- Strive to replace only the lowest layer: the link layer
- In regular networks, this is usually Ethernet
- Let's try to encapsulate it with the information that we need: who we are, what access point we're talking to, encryption?
- [Figure: Ethernet frame: link (Ethernet) header | IP header | TCP header | data | link (Ethernet) trailer]

802.11 frame: frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload | CRC
- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame [serves as Ethernet source address]
- Address 3: MAC address of router interface to which AP is attached [serves as Ethernet destination address]
- Address 4: MAC address of wireless relay host (ad hoc networks only)
- Sequence no.: needed for ARQ (ACK required) mode

Example: H1 sends to router R1 through the AP
- 802.11 (WiFi) frame: address 1 = AP MAC addr (1st dest, AP); address 2 = H1 MAC addr (source); address 3 = R1 MAC addr (2nd dest, eth)
- Ethernet frame from AP to R1: dest. address = R1 MAC addr; source address = H1 MAC addr

Frame control field: protocol version | type | subtype | To AP | From AP | More frag | Retry | Power mgt | More data | WEP | Rsvd
- duration: duration of reserved transmission time (RTS/CTS)
- seq control: frame seq # (for reliable ARQ)
- frame type: RTS, CTS, ACK, data

How would you attack this protocol?
- We can hinder communication (Denial-of-Service)
- We can hijack and modify connections
- We can pretend to be whoever we want (spoofing)
- ...
- Effectively no security measures are being taken

What can we do to enhance security?
- Authentication: how do we know a user is who they say they are? Username/password? PIN? SmartCard? Two-factor? Usually a binary (yes/no) process
- Authorization: how do we establish what an authorized user should and shouldn't be able to do? Administrator? Customer? On a free trial?
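The address-field semantics above are the part of the 802.11 header that a defender most often has to decode by hand when reading a capture. The following is an added example, not code from the slides or from any project they cite: a small Python builder and parser for the three-address data-frame header (frame control bits, duration, addresses 1-3, sequence control, optional address 4). The MAC addresses for H1 and R1 are constructed; the BSSID is the one from the beacon example. QoS data subtypes carry extra header fields that this sample does not parse.

```python
import struct

# Constructed sample addresses. The BSSID is the one from the beacon example on
# the slides; H1 and R1 are made-up, locally administered addresses.
AP_MAC = "00:de:ad:be:ef:00"
H1_MAC = "02:00:00:00:00:01"
R1_MAC = "02:00:00:00:00:02"

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_host_to_ap_frame(src, dst, bssid, seq_num, payload, protected=False):
    """Build a minimal 802.11 data frame (FCS omitted) as a wireless host sends it
    towards its AP: To DS = 1, From DS = 0, so address 1 = AP, address 2 = source,
    address 3 = final (Ethernet) destination."""
    fc0 = 2 << 2                               # protocol version 0, type 2 (data), subtype 0
    fc1 = 0x01 | (0x40 if protected else 0)    # bit 0 = To DS, bit 6 = Protected (the "WEP" bit)
    duration = 0
    seq_ctrl = (seq_num << 4) & 0xFFFF         # fragment number in the low 4 bits, sequence above
    header = struct.pack("<BBH", fc0, fc1, duration)
    header += mac_to_bytes(bssid) + mac_to_bytes(src) + mac_to_bytes(dst)
    header += struct.pack("<H", seq_ctrl)
    return header + payload


def parse_80211_header(frame):
    """Decode frame control, duration, addresses and sequence control of an 802.11 frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte three-address header")
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    hdr = {
        "version": fc0 & 0x03,
        "type": FRAME_TYPES[(fc0 >> 2) & 0x03],
        "subtype": (fc0 >> 4) & 0x0F,
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "more_frag": bool(fc1 & 0x04),
        "retry": bool(fc1 & 0x08),
        "power_mgmt": bool(fc1 & 0x10),
        "more_data": bool(fc1 & 0x20),
        "protected": bool(fc1 & 0x40),
        "duration": duration,
    }
    addr1, addr2, addr3 = (bytes_to_mac(frame[o:o + 6]) for o in (4, 10, 16))
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    hdr["frag_num"] = seq_ctrl & 0x0F
    hdr["seq_num"] = seq_ctrl >> 4
    offset = 24
    # What each address field means depends on the To DS / From DS bits.
    if hdr["to_ds"] and hdr["from_ds"]:        # relay between two APs / wireless bridge
        if len(frame) < 30:
            raise ValueError("four-address frame needs a 30-byte header")
        addr4 = bytes_to_mac(frame[24:30])
        offset = 30
        hdr.update(receiver=addr1, transmitter=addr2, destination=addr3, source=addr4)
    elif hdr["to_ds"]:                          # host -> AP (the H1 -> AP -> R1 case on the slides)
        hdr.update(bssid=addr1, source=addr2, destination=addr3)
    elif hdr["from_ds"]:                        # AP -> host
        hdr.update(destination=addr1, bssid=addr2, source=addr3)
    else:                                       # ad hoc or management frame
        hdr.update(destination=addr1, source=addr2, bssid=addr3)
    hdr["payload"] = frame[offset:]
    return hdr


def is_cleartext_data(hdr):
    """True for a data frame whose Protected bit is clear: its payload crossed the air unencrypted."""
    return hdr["type"] == "data" and not hdr["protected"]


if __name__ == "__main__":
    frame = build_host_to_ap_frame(H1_MAC, R1_MAC, AP_MAC, seq_num=7, payload=b"GET / HTTP/1.0\r\n")
    decoded = parse_80211_header(frame)
    for key in ("type", "to_ds", "from_ds", "bssid", "source", "destination", "seq_num", "protected"):
        print(f"{key:12} {decoded[key]}")
    print("cleartext data frame:", is_cleartext_data(decoded))
```

A capture tool that walks frames this way can count cleartext data frames per BSSID, which is the quickest way to confirm whether an access point is really encrypting ("I encrypt... or not" in the beacon example).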
- Groups/Roles/Privileges/Permissions
- Access control: how do we enforce that resources are only accessed by authorized users? Implemented through logic, permissions, access lists, etc.

First, let's optionally authenticate users. Second, let's at least try to encrypt every packet.
- How do we do that? Unless we want an open network, we're going to have to share a key
- Later, we should have key management!
- How would you implement this?
- At the time WEP was defined, export restrictions limited cryptography, so 64-bit RC4 was used. Extensions later for 128-bit WEP

What about authentication with a shared key?
- First idea: client sends authentication request with key; access point responds with ACCEPT if key correct
- Second idea: client sends num and hash(num | key); access point also computes hash, ACCEPTs if it likes the outcome
- Third idea: client sends intention to authenticate; access point sends back a random number (nonce) x; client computes hash(x | key) and sends it to the access point; access point sends ACCEPT if it matches local hash(x | key)
- This is used in WEP. Called the 4-step challenge-response handshake. Avoids disclosing the (static) key. Prevents replay attack (pass-the-hash)

Ideally, want to encrypt our communications (plaintext) with a long, long string (key). How would you store the key? Need it to be generated.
- [Figure: stream cipher as a pseudo-random number generator: key DERP -> keystream ETJWPXO..., key BLEH -> keystream ZZARQKB...; same input key = same output]
- Idea: just use the WEP key as input to the PRNG, then XOR with plaintext. What's the problem?
- Idea: use num | WEP key as input instead, share num as part of packet. This is used in the original WEP! num is called an Initialization Vector (IV)

Basic idea behind WEP encryption
- RC4: streaming cipher algorithm
- Why Initialization Vector (IV)?
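To make the difference between the three authentication ideas concrete, here is an added Python example (not from the slides, and not the real WEP shared-key algorithm, which encrypts the challenge with RC4 rather than hashing it): an access point that issues a fresh nonce per attempt and accepts only hash(x | key) for that nonce, next to the slide's second idea where the client chooses num. The shared key and client identifiers are constructed.

```python
import hashlib
import hmac
import os

# Constructed demo key; a real WEP key is only 40 or 104 bits.
SHARED_KEY = b"constructed-demo-shared-key"


def response_for(nonce, key):
    """Client side of step 3: hash(x | key) as the slide describes it.
    (In a new design HMAC would be the standard choice; a plain hash follows the slide.)"""
    return hashlib.sha256(nonce + key).digest()


class AccessPoint:
    def __init__(self, key):
        self.key = key
        self.pending = {}   # client id -> nonce issued; one outstanding challenge per client

    def start_auth(self, client_id):
        """Step 2: answer an 'intention to authenticate' with a fresh random nonce x."""
        nonce = os.urandom(16)
        self.pending[client_id] = nonce
        return nonce

    def finish_auth(self, client_id, response):
        """Step 4: ACCEPT only if the response equals hash(x | key) for the nonce we issued."""
        nonce = self.pending.pop(client_id, None)
        if nonce is None:
            return False      # no live challenge: an unsolicited or replayed response
        expected = response_for(nonce, self.key)
        return hmac.compare_digest(expected, response)


def authenticate(ap, client_id, client_key):
    """Run the four steps; return (accepted, nonce, response) so the exchange can be inspected."""
    nonce = ap.start_auth(client_id)               # steps 1-2
    response = response_for(nonce, client_key)     # step 3
    return ap.finish_auth(client_id, response), nonce, response   # step 4


def replay_is_rejected(ap, client_id, client_key):
    """A recorded (nonce, response) pair is useless later: the AP issues a new nonce each time."""
    ok, _nonce, captured = authenticate(ap, client_id, client_key)
    if not ok:
        raise RuntimeError("legitimate authentication should succeed")
    ap.start_auth(client_id)                       # new attempt, different nonce
    return not ap.finish_auth(client_id, captured)


def accept_client_chosen(num, digest, key):
    """The slide's second idea: the client picks num itself. A recorded (num, digest) pair
    verifies again and again, because nothing ties it to a challenge the AP chose."""
    return hmac.compare_digest(hashlib.sha256(num + key).digest(), digest)


if __name__ == "__main__":
    ap = AccessPoint(SHARED_KEY)
    print("correct key accepted:", authenticate(ap, "h1", SHARED_KEY)[0])
    print("wrong key accepted:  ", authenticate(ap, "h1", b"wrong-key")[0])
    print("replay rejected:     ", replay_is_rejected(ap, "h1", SHARED_KEY))
    num = b"client-picked-num"
    digest = hashlib.sha256(num + SHARED_KEY).digest()
    print("client-chosen num replays:", accept_client_chosen(num, digest, SHARED_KEY))
```

The state kept in `pending` is what turns a hash into a challenge-response: a response is only meaningful against the one nonce the access point itself generated, and it is consumed on first use.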
- Prevents reuse of keys
- Also need a checksum (ICV) to avoid malicious bit flips

WEP frame, built up step by step:
- Frame: header | payload. ICV computed as 32-bit CRC of payload (CRC-32). ICV = Integrity Check Value, a checksum
- One of four keys selected (40 bits): keynumber selects key 1, key 2, key 3 or key x
- IV selected (24 bits), prepended to keynumber: IV (24) | keynumber (8). IV = Initialization vector
- IV + key (64 bits) used as the RC4 seed to encrypt payload + ICV
- IV + keynumber prepended to encrypted payload + ICV. WEP frame: header | IV | keynumber | {payload | ICV} encrypted
- Decryption: keynumber is used to select key; IV + key used to decrypt payload + ICV. Done!

IV (Initialization vector) is 24 bits long. How many seeds for random number generators?
- Only 16 million different RC4 cipher streams per key
- If an IV is ever reused, XOR between packets is equivalent to XOR of plaintext messages. C = cipher text, P = plain text:
  C1 ⊕ C2 = (P1 ⊕ RC4(IV | key)) ⊕ (P2 ⊕ RC4(IV | key)) = P1 ⊕ P2
- If you guess one plain text message, you obtain another
- How long until we expect a reused IV? Remember class about DNS birthday attacks? 23 people in a room: how likely that two people share the same birthday? Roughly: Answer: 50.7%!
- Here, n = 16M, so: 50% chance of collision after only 4,823 packets! 99% chance of collision after 12,430 packets. If the network is operating at 11 Mbps, this takes 3 seconds
- Start listening in on traffic, gradually obtaining all 16M IVs to be fully authenticated
- More worrying: Fluhrer, Mantin, Shamir attack. Passive attack against RC4 in WEP to recover the RC4 key one letter at a time!
- Implemented in aircrack-ng. Can inject data into the network to speed up the attack
- Online demo of a WEP crack using airsnort: https://www.youtube.com/watch?v=_G4kOaJqMOE
- Remember: Do NOT use any hacking software without express permission from the owner of the network you are attacking.

It was quickly realized that WEP offered lax security. WEP was decommissioned in 2004.
- Teams from the Wi-Fi Alliance were set up to think of two solutions for Protected Access (WPA)
- Backward compatible: WPA-TKIP. Stopgap solution for WEP that could be flashed as firmware onto existing infrastructure. (i) Uses a key mixing function between IV and key. (ii) Adds message integrity checks (MIC) instead of the CRC32 ICV (cryptographically insecure). Attack (2008): inject 7 packets to a wireless client
- Forward thinking: WPA2. Implemented a more elaborate 4-way handshake and group key handshake. Supports TKIP, CCMP, etc.
- WPA2 Personal: pre-shared key between people
- WPA2 Enterprise: connect to a RADIUS server. Tedious to set up. Also means that if your WiFi credentials are compromised, your whole account will be too.
- 2012: flaw in WPS, the device configuration tool for routers that uses a PIN for fast access.
- Even when disabled, obtains the shared key in about 7 hours
- Key sharing still vulnerable to handshake capture: WEP, WPA-TKIP, WPA2-PSK (PSK = Pre-Shared Key). Cracking the hashes depends on password strength and can take a long time. Rainbow tables accelerate the process (coWPAtty). Does take long(er) to crack

WPA2 Enterprise / WPA-802.1x
- Mostly used in corporate or larger wifi environments
- A RADIUS server acts as an authentication server
- Uses EAP, the Extensible Authentication Protocol, which handles the actual authentication
- Very few setups use EAP-TLS, considered the most secure variant of EAP. Most setups use EAP-PEAP or something less secure
- [Figure: "SuperSecure" WPA2-Enterprise network; deauth attack; probe requests; probe response SSID: SuperSecure, ENC: WPA2-Enterprise; 4-way handshake; authentication with user name and password (MSCHAPv2)]
- Many devices send authenticating information without doing any verification of certificates. Some people even set up their devices in this way: several phone manufacturers, even Linux distributions
- Need to be in range of the device to capture the encrypted password
- The default setting for most devices is, however, to ask the user to accept the modified certificate

Built on the evil access point/hotspot idea, and the fact that most devices connect to multiple networks
- The idea: we know NICs continually scan and send probe requests. What if we send broadcast requests for a million SSIDs? If a device has connected before, will I get a response?
- Widespread risk: applies to those that use traditional Wi-Fi networks; also applies to singular devices and non-AP networks
- [Figure: broadcast SSIDs: Hot Spot, Guests, Free WiFi, xfinitywifi, etc. (OPN, WEP, WPA-PSK); association request SSID: gestir]

- Confidentiality: record authentication handshakes (WEP, WPA, WPA2); record and log traffic remotely (leaks); lure people to fake access points
- Integrity: record packets, then replay, modify and inject them
- Availability: easy to jam frequencies. Turn on the microwave oven...
- Accountability: attacker can remain fully anonymous; attacker can spoof and frame others
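The WPA2-Enterprise weakness described above (clients that hand their MSCHAPv2 credentials to any server answering for the SSID) is a client-configuration problem, so the fix lives in the supplicant. The following wpa_supplicant network blocks are an added example, not configuration from the slides or from any vendor: the first is the weak shape with no certificate check, the second pins the issuing CA and the RADIUS server's name. The SSID is the slide's "SuperSecure"; identity, password, CA path and server name are placeholders.

```conf
# Weak: no CA certificate is configured, so wpa_supplicant has nothing to verify the
# RADIUS server's certificate against. The MSCHAPv2 exchange (user name plus a
# password-derived response) then runs inside a TLS tunnel to whichever server answers.
network={
    ssid="SuperSecure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Hardened: pin the CA that issued the RADIUS server's certificate and require the
# server's name to match, so a server presenting any other certificate is rejected
# before the inner authentication starts. anonymous_identity keeps the real user
# name out of the cleartext outer EAP identity.
network={
    ssid="SuperSecure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/placeholder-radius-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
```

The same two settings, the trusted CA and the expected server name, are what the "accept the modified certificate" prompt on phones and desktops is standing in for; provisioning them removes the prompt and, with it, the chance that a user accepts the wrong certificate.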