Wireless Security: Token, WEP, Cellular

Transcription

1 Wireless Security: Token, WEP, Cellular 27 May 2015 Lecture 9 Some slides adapted from Jean-Pierre Seifert (TU Berlin) 27 May 2015 SE 425: Communication and Information Security 1

2 Topics for Today Security Tokens and Wireless Wired Equivalent Privacy (WEP) Cellular Network Security Intro Sources: WEP: Nikita Borisov, Ian Goldberg, and David Wagner. Intercepting mobile communications: The Insecurity of In Proceedings of the 7th Annual International Conference on Mobile Computing and Networking, MobiCom '01. Scott R. Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the key scheduling algorithm of RC4. In Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography, SAC '01. Karen Scarfone, Derrick Dicoi, Matthew Sexton, and Cyrus Tibbs. Guide to securing legacy IEEE wireless networks. Recommendations of the National Institute of Standards and Technology NIST Special Publication Revision 1, National Institute of Standards and Technology, Gaithersburg, MD, July May 2015 SE 425: Communication and Information Security 2

3 Smart Cards About the same size as magnetic stripe cards Small microchip, memory Can run programs Java Encryption Decryption Most have contacts Some are contactless (RFID) Tamper resistant More secure than magnetic stripe cards They may contain secrets Encryption keys Commonly used for High security banks High security operations Payment (NDS pay tv) 20 May 2015 SE 425: Communication and Information Security 3

4 Security Tokens Small devices that generate a sequence of random numbers from a secret seed. Synchronized with the remote location when the token is assigned to a user Often requires a pin or other password for local authentication since it can be stolen or lost! 20 May 2015 SE 425: Communication and Information Security 4

5 Uses of Tokens: Keyless Entry Reference: Francillon, et al. Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars (NDSS 2011) 20 May 2015 SE 425: Communication and Information Security 5

6 PKES Details 1. Car sends beacon messages using low frequency signals (LF short range) May be sent only when the handle opens 2. Key responds to challenge over high frequency (UHF longer range) 3. Where is key? Outside doors? Car opens door Inside car? Car turns on ignition Reference: Francillon, et al. Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars (NDSS 2011) 20 May 2015 SE 425: Communication and Information Security 6

7 Hacking car tokens Break Cryptography Intercept messages sent Figure out key/secret Physical key with RFID tag? Use fake key for entry atch?v=eu79c7ka_ea Passive key? Just a radio Signal Amplification Amplify the car s beacon signal to excite the key Key responds over UHF (up to 100m) Details: pdf 20 May 2015 SE 425: Communication and Information Security 7

8 PKES Setup Reference: Francillon, et al. Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars (NDSS 2011) 20 May 2015 SE 425: Communication and Information Security 8

9 E-Commerce Signatures Digital signatures for verifying transactions Token replacement for smart card Token can perform encryption/digital signatures Can add biometric id Software communicates with token via USB Example: Algorithmic Research Minikey 5 (2005): AES, DES, SHA1, RSA (up to 2048 bits), ECB, CBC, OFB Encrypts and authenticates ryptokit-developers-guide.pdf 20 May 2015 SE 425: Communication and Information Security 9

10 Using Tokens Best used in combination with Something you know Shows intent and prevents passive attacks Token theft? Token misuse? Commonly found in Two Factor Authentication schemes Use of smartphones for Something you have : SMS, one time codes, location (?) 20 May 2015 SE 425: Communication and Information Security 10

11 So Far Security Tokens and Wireless Wired Equivalent Privacy (WEP) Cellular Network Security Intro 27 May 2015 SE 425: Communication and Information Security 11

12 LAN Architecture Internet Wireless host communicates with base station Base station = access point (AP) BSS 1 AP hub, switch or router Basic Service Set (BSS) (aka cell ) in infrastructure mode contains: Wireless hosts Access point (AP): base station AP Security Assumption: Shared key k known to AP and nodes Support up to 4 keys per AP BSS 2 27 May 2015 SE 425: Communication and Information Security 12

13 Security Goals of Wireless Internet Confidentiality: Prevent data sent over network from being read by others BSS 1 AP hub, switch or router AP Access Control: Ensure only packets sent by authorized nodes are sent by the AP BSS 2 Data Integrity: Prevent tampering with transmitted messages 27 May 2015 SE 425: Communication and Information Security 13

14 WEP Encryption Functions 1. Checksum (CRC32): Message M CRC32 remainder c(m) Plaintext P = M, c M 2. Encryption with RC4: Choose IV v Concatenate v with shared secret key k Use RC4 to generate keystream RC4 v, k Encrypt using XOR: C = P RC4(v, k) 3. Transmission: Send v, C over link 27 May 2015 SE 425: Communication and Information Security 14

15 WEP Decryption Functions 1. Receive v, C 2. Decryption with RC4: Separate v, C Concatenate v with shared secret key k Use RC4 to generate keystream RC4 v, k Decrypt using XOR: C RC4 v, k P RC4 v, k RC4 v, k = P 3. Check CRC: Extract M, c M Check that CRC32( M, c M = 0 27 May 2015 SE 425: Communication and Information Security 15

16 WEP Encryption Overview 27 May 2015 SE 425: Communication and Information Security 16

17 WEP Authentication Open System No authentication used Auth is a no op 1. Client requests authentication 2. AP says OK 3. Client connects to network Shared Key 1. Client requests authentication 2. AP sends challenge 3. Client encrypts with shared key and returns 4. AP verifies response and ACKs 27 May 2015 SE 425: Communication and Information Security 17

18 WEP Encryption Details Encryption uses RC4 stream cipher Invented by Ron Rivest (of RSA fame) Accepts multiple length keys Most commonly used stream cipher (SSL uses it) Has know biases and weaknesses, but not broken Encryption key length: Original version: 40b (due to US export restrictions) Newer versions: 104b or longer (232b) (after US lifted relaxed restrictions in 1996 and 2000) Key commonly specified in hexademical characters Some routers use just ASCII characters Initialization Vector length: 24b (fixed in standard) Should be chosen randomly, but standard doesn t specify how 27 May 2015 SE 425: Communication and Information Security 18

19 WEP Analysis Key Strength 40b isn t too big DES was 56b and still crackable in 24 hours Brute forcing the key isn t too hard Solution: Bigger key 104b or 232b is big Problem: Key strength isn t the only issue Stream Cipher Use Stream ciphers generate random bits and XOR over them Same bits on two messages is a bad idea C 1 = P 1 RC4 v, k C 2 = P 2 RC4(v, k) C 1 C 2 = P 1 RC4 v, k P 2 RC4 v, k = P 1 P 2 Knowing one plaintext (ex. IP header) lets you know the others The more C n you have, the easier it is 27 May 2015 SE 425: Communication and Information Security 19

20 WEP IV Management WEP designers knew this, so each packet gets its own key (k v) With 24b IV, each 2 24 = 16,777,216 different versions of the key Problems: Some wireless cards reset IV to 0 when installed and just increment Old PCMCIA wireless cards would reset on insert When does IV wrap? AP with 1500B packets and 5Mbps bandwidth 5 106b s b p = p s and 16,777,216 p p s 40,265s hours Birthday paradox: after 16,777,216 = 4096 duplicates likely IV is sent with message, so attacker can easily find duplicates 27 May 2015 SE 425: Communication and Information Security 20

21 Duplicate Found Now What? You have P 1 P 2 Do you know one of them? Login structures (field names) IP headers or TCP headers predictable Send spam which you know Some APs send broadcasts both encrypted and un-encrypted, so send a broadcast to it and watch Eventually: Can build a decryption library for the AP Key doesn t change often Just focus on first few thousand IV is space is an issue 27 May 2015 SE 425: Communication and Information Security 21

22 Authentication Problems Message Modification CRC not designed for security c x y = c x c(y) 1. Grab a message C = RC4 v, k M, c M 2. Make some changes Δ that you want to change in M 3. Calculate c(δ) 4. XOR both sides of C C = C Δ, c Δ 5. Now C decrypts to M = M Δ Attacker doesn t need to know M, but can choose the modification Message Injection Attacker gets a known plaintext P and ciphertext C pair IV reuse perhaps Attacker can extract: P C = P P RC4 v, k = RC4(v, k) Attacker can encrypt with RC4(v, k) as desired IV reuse is allowed by spec 27 May 2015 SE 425: Communication and Information Security 22

23 Authentication Problems Attacker watches for shared key authentication Gets challenge Gets response Can calculate keystream Attacker can now respond to any challenge 27 May 2015 SE 425: Communication and Information Security 23

24 Lazy Message Decryption Decryption too much work? Make the AP do it 1. Grab an encrypted WEP packet 2. Modify the Destination field in the IP header plus CRC IP checksum can be defeated Need to guess the destination IP address Compensate by changing other IP header fields to match checksum ones-complement math Choose a target IP which is the same as the destination IP with respect to ones-complement math 3. AP will decrypt and send packet to target Can also use TCP reaction attack Change one bit at a time and watch if recipient accepts it Checksum tells one bit of information per attempt 27 May 2015 SE 425: Communication and Information Security 24

25 WEP Summary Designed to be weak key (40b), but is weak in almost every way Increasing key size doesn t help Classic failure: Network standards people didn t ask cryptography community for input Stream cipher misused IV misused CRC and checksum misused Newer standards (WPA2) are better 27 May 2015 SE 425: Communication and Information Security 25

26 So Far Security Tokens and Wireless Wired Equivalent Privacy (WEP) Cellular Network Security Intro 27 May 2015 SE 425: Communication and Information Security 26

27 Cellular Network Architecture Cellular phone Mobile Station (MS) Mobile Equipment (ME) Terminal Equipment (TE) Subscriber Identity Module (SIM) Card USIM card for 3G Antenna Cell, Node B, Basic Service Set (BSS) Home Location: Who you pay your bill to Long term contract Shared secret Visitor Location: Where you are right now Roaming agreement with home Gives you service now You don t trust them, but they want to bill you Mobile Switching Center: Routes calls Serving GPRS Node: Packet Switching 27 May 2015 SE 425: Communication and Information Security 27

28 UMTS Architecture 27 May 2015 SE 425: Communication and Information Security 28

29 GSM Lessons Security lessons learned from GSM & 2.75G: Weak Cryptography Eavesdropping attacks One-way authentication Man in the Middle Attacks Attacker can trick the phone and network to stop encrypting or to use a weak cipher Denial of Service attacks Jamming Core (SS7) vulnerabilities Caller ID spoofing IMSI catchers Listen for International Mobile Subscriber Identity (IMSI) numbers which let you track phones (privacy) 27 May 2015 SE 425: Communication and Information Security 29

30 Conclusion Security Tokens and Wireless Wired Equivalent Privacy (WEP) Cellular Network Security Intro 27 May 2015 SE 425: Communication and Information Security 30