How Things Goes Wrong: Misuse of Cryptography in Secure System Design

Similar documents
Wireless security (WEP) b Overview

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

Security in IEEE WLANs

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Chapter 6 CDMA/802.11i

Wireless security. Any station within range of the RF receives data Two security mechanism

Symm ym e m t e r t ic i c cr c yptogr ypt aphy a Ex: RC4, AES 2

Client Server Registration Protocol

Overview of Symmetric Encryption

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Chapter 10. Network Security

Wireless Networks. Welcome to Wireless

Your Wireless Network has No Clothes

WEP Overview 1/2. and encryption mechanisms Now deprecated. Shared key Open key (the client will authenticate always) Shared key authentication

Wireless Security. Jason Bonde ABSTRACT. 2. BACKGROUND In this section we will define the key concepts used later in the paper.

Asymetrical keys. Alices computer generates a key pair. A public key: XYZ (Used to encrypt) A secret key: ABC98765 (Used to decrypt)

Netzwerksicherheit: Anwendungen

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015

Introduction to WiFi Security. Frank Sweetser WPI Network Operations and Security

Key Management (Distribution and Certification) (1)

How To Secure Your Network With 802.1X (Ipo) On A Pc Or Mac Or Macbook Or Ipo On A Microsoft Mac Or Ipow On A Network With A Password Protected By A Keyed Key (Ipow)

Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2002): 15 Wireless LAN Security 1 Dr.-Ing G.

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

The next generation of knowledge and expertise Wireless Security Basics

CSC574: Computer and Network Security

Wireless Security: Token, WEP, Cellular

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Agenda. Wireless LAN Security. TCP/IP Protocol Suite (Internet Model) Security for TCP/IP. Agenda. Car Security Story

Chapter 7 Transport-Level Security

Network Security: Cryptography CS/SS G513 S.K. Sahay

Chapter 8. Cryptography Symmetric-Key Algorithms. Digital Signatures Management of Public Keys Communication Security Authentication Protocols

The Misuse of RC4 in Microsoft Word and Excel

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Tutorial 3. June 8, 2015

TLS and SRTP for Skype Connect. Technical Datasheet

Secured Communications using Linphone & Flexisip

Protocol Rollback and Network Security

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Journal of Mobile, Embedded and Distributed Systems, vol. I, no. 1, 2009 ISSN

Chapter 7: Network security

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks

CS 758: Cryptography / Network Security

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

SIP Security. ENUM-Tag am 28. September in Frankfurt. Prof. Dr. Andreas Steffen. Agenda.

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Distributed Systems Security

Network Security Part II: Standards

Wireless Security. New Standards for Encryption and Authentication. Ann Geyer

CSE/EE 461 Lecture 23

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2

Chapter 17. Transport-Level Security

What is network security?

Midterm 2 exam solutions. Please do not read or discuss these solutions in the exam room while others are still taking the exam.

Security vulnerabilities in the Internet and possible solutions

Wireless Local Area. Network Security

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

White paper. Testing for Wi-Fi Protected Access (WPA) in WLAN Access Points.

Overview. SSL Cryptography Overview CHAPTER 1

Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2003): 15 Wireless LAN Security 1. Dr.-Ing G.

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Topics in Network Security

EVOLUTION OF WIRELESS LAN SECURITY ARCHITECTURE TO IEEE i (WPA2)

WLAN and IEEE Security

Transport Level Security

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

Wireless LAN Security Mechanisms

Chapter 8 Network Security. Slides adapted from the book and Tomas Olovsson

CRYPTOGRAPHY IN NETWORK SECURITY

Network Security. HIT Shimrit Tzur-David

Network Access Security. Lesson 10

All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices

Wireless LANs and Privacy. Ido Dubrawsky Network Security Engineer Cisco Secure Consulting Services Cisco Systems, Inc. And

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

First Semester Examinations 2011/12 INTERNET PRINCIPLES

Chapter 8. Network Security

CS549: Cryptography and Network Security

EXAM questions for the course TTM Information Security May Part 1

TECHNICAL CHALLENGES OF VoIP BYPASS

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

VIDEO Intypedia012en LESSON 12: WI FI NETWORKS SECURITY. AUTHOR: Raúl Siles. Founder and Security Analyst at Taddong

VoIP Security. Seminar: Cryptography and Security Michael Muncan

Vesselin Tzvetkov, Holger Zuleger {vesselin.tzvetkov, Arcor AG&Co KG, Alfred-Herrhausen-Allee 1, Eschborn, Germany

Computer Networks. Secure Systems

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Security in Wireless and Mobile Networks

Hash Functions. Integrity checks

Bit Chat: A Peer-to-Peer Instant Messenger

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Secure Text in SIP Based VoIP

Web Security Considerations

Transcription:

CS 380S How Things Goes Wrong: Misuse of Cryptography in Secure System Design Vitaly Shmatikov slide 1

One-Time Pad ----- ----- ----- = 10111101 = 00110010 10001111 10111101 00110010 = Key is a random bit sequence as long as the plaintext Encrypt by bitwise XOR of plaintext and key: ciphertext = plaintext key Decrypt by bitwise XOR of ciphertext and key: ciphertext key = (plaintext key) key = plaintext (key key) = plaintext Cipher achieves perfect secrecy if and only if there are as many possible keys as possible plaintexts, and every key is equally likely (Claude Shannon) slide 2

Problems with One-Time Pad Key must be as long as plaintext Impractical in most realistic scenarios Still used for diplomatic and intelligence traffic Does not guarantee integrity One-time pad only guarantees confidentiality Attacker cannot recover plaintext, but can easily change it to something else Insecure if keys are reused Attacker can obtain XOR of plaintexts slide 3

Stream Ciphers With one-time pad, Ciphertext(Key,Message)=Message Key Key must be a random bit sequence as long as message Idea: replace random with pseudo-random Encrypt with pseudo-random number generator (PRNG) PRNG takes a short, truly random secret seed and expands it into a long random-looking sequence E.g., 128-bit seed into a 10 6 -bit pseudo-random sequence No efficient algorithm can tell this sequence from truly random Ciphertext(Key,Msg)=IV, Msg PRNG(IV,Key) Message processed bit by bit, not in blocks slide 4

Properties of Stream Ciphers Usually very fast (faster than block ciphers) Used where speed is important: WiFi, DVD Unlike one-time pad, stream ciphers do not provide perfect secrecy Only as secure as the underlying PRNG If used properly, can be as secure as block ciphers PRNG is, by definition, unpredictable Given the stream of PRNG output (but not the seed!), it s hard to predict what the next bit will be If PRNG(unknown random seed)=b 1 b i, then b i+1 is 0 with probability ½, 1 with probability ½ slide 5

Stream Cipher Terminology Seed of pseudo-random generator often consists of initialization vector (IV) and key IV is usually sent with the ciphertext The key is a secret known only to the sender and the recipient, not sent with the ciphertext The pseudo-random bit stream produced by PRNG(IV,key) is referred to as keystream PRNG must be cryptographically secure Encrypt message by XORing with keystream ciphertext = message keystream slide 6

How Random is Random? slide 7

Cryptographically Secure PRNG Next-bit test Given N bits of the pseudo-random sequence, predict (N+1) st bit Probability of correct prediction should be very close to 1/2 for any efficient adversarial algorithm PRNG state compromise Even if attacker learns complete or partial state of the PRNG, he should not be able to reproduce the previously generated sequence or future sequence, if there ll be future random input(s) Common PRNGs are not cryptographically secure slide 8

Weaknesses of Stream Ciphers No integrity Associativity & commutativity: (X Y) Z=(X Z) Y (M 1 PRNG(seed)) M 2 = (M 1 M 2 ) PRNG(seed) Known-plaintext attack is very dangerous if keystream is ever repeated Self-cancellation property of XOR: X X=0 (M 1 PRNG(seed)) (M 2 PRNG(seed)) = M 1 M 2 If attacker knows M 1, then easily recovers M 2 Most plaintexts contain enough redundancy that knowledge of M 1 or M 2 is not even necessary to recover both from M 1 M 2 slide 9

Linear Feedback Shift Register (LFSR) Example: b 0 4-bit LFSR b 1 b 2 b 3 add to pseudo-random sequence Key is used as the seed For example, if the seed is 1001, the generated sequence is 1001101011110001001 Repeats after 15 bits (2 4-1) slide 10

Content Scrambling System (CSS) DVD encryption scheme from Matsushita and Toshiba Each player has its own PLAYER KEY (409 player manufacturers, each has its player key) Each DVD is encrypted with a disk-specific 40-bit DISK KEY This helps attacker verify his guess of disk key KEY DATA BLOCK contains disk key encrypted with 409 different player keys: Encrypt DiskKey (DiskKey) Encrypt PlayerKey1 (DiskKey) Encrypt PlayerKey409 (DiskKey) What happens if even a single player key is compromised? slide 11

Attack on CSS Decryption Scheme [Frank Stevenson] 2 key bytes disk key 1 seeded in one of the bits 3 key bytes LFSR-17 Some bytes of section header 1 seeded in one of the bits LFSR-25 invert carry + mod 256 Decrypted title key Encrypt DiskKey (DiskKey) stored on disk Encrypted title key Table-based mangling With known ciphertext and plaintext, guess the byte output by XOR; repeat 5 times to recover 5 output bytes this takes O(2 8 ) Guess 2 bytes of the key contained in LFSR-17 this takes O(2 16 ) Clock out 3 bytes out of LFSR-17, use them to determine the corresponding output bytes of LFSR-25 (this reveals all of LFSR-25 except the highest bit) Clock back 3 bytes, try both possibilities this takes O(2) Verify the key This attack takes O(2 25 ) slide 12

DeCSS In CSS, disk key is encrypted under hundreds of different player keys including Xing, a software DVD player Reverse engineering object code of Xing revealed its decryption key Recall that every CSS disk contains the master disk key encrypted under Xing s key One bad player entire system is broken! Easy-to-use DeCSS software slide 13

DeCSS Aftermath DVD CCA sued Jon Lech Johansen, one of DeCSS authors (eventually dropped) Publishing DeCSS code violates copyright Underground distribution as haikus and T-shirts Court to address DeCSS T-Shirt: When can a T-shirt become a trade secret? When it tells you how to copy a DVD. - From Wired News slide 14

RC4 Designed by Ron Rivest for RSA in 1987 Simple, fast, widely used SSL/TLS for Web security, WEP for wireless Byte array S[256] contains a permutation of numbers from 0 to 255 i = j := 0 loop i := (i+1) mod 256 j := (j+s[i]) mod 256 swap(s[i],s[j]) output (S[i]+S[j]) mod 256 end loop slide 15

RC4 Initialization Divide key K into L bytes for i = 0 to 255 do S[i] := i j := 0 for i = 0 to 255 do j := (j+s[i]+k[i mod L]) mod 256 swap(s[i],s[j]) Key can be any length up to 2048 bits Generate initial permutation from key K To use RC4, usually prepend initialization vector (IV) to the key IV can be random or a counter RC4 is not random enough! 1 st byte of generated sequence depends only on 3 cells of state array S. This can be used to extract the key. To use RC4 securely, RSA suggests discarding first 256 bytes Fluhrer-Mantin- Shamir attack slide 16

802.11b Overview Standard for wireless networks (IEEE 1999) Two modes: infrastructure and ad hoc IBSS (ad hoc) mode BSS (infrastructure) mode slide 17

Access Point SSID Service Set Identifier (SSID) is the name of the access point By default, access point broadcasts its SSID in plaintext beacon frames every few seconds Default SSIDs are easily guessable Linksys defaults to linksys, Cisco to tsunami, etc. This gives away the fact that access point is active Access point settings can be changed to prevent it from announcing its presence in beacon frames and from using an easily guessable SSID But then every user must know SSID in advance slide 18

WEP: Wired Equivalent Privacy Special-purpose protocol for 802.11b Intended to make wireless as secure as wired network Goals: confidentiality, integrity, authentication Assumes that a secret key is shared between access point and client Uses RC4 stream cipher seeded with 24-bit initialization vector and 40-bit key Terrible design choice for wireless environment slide 19

Shared-Key Authentication Prior to communicating data, access point may require client to authenticate Access Point beacon probe request OR Client unauthenticated & unassociated challenge IV, challenge RC4(IV,K) association request association response authenticated & unassociated authenticated & associated Passive eavesdropper recovers RC4(IV,K), can respond to any subsequent challenge without knowing K slide 20

How WEP Works (IV, shared key) used as RC4 seed Must never be repeated (why?) There is no key update protocol, so security relies on never repeating IV 24 bits 40 bits CRC-32 checksum is linear in : if attacker flips some plaintext bits, he knows which bits of CRC to flip to produce the same checksum IV sent in the clear Worse: changing IV with each packet is optional! no integrity! slide 21

RC4 Is a Bad Choice for Wireless Stream ciphers require synchronization of key streams on both ends of connection This is not suitable when packet losses are common WEP solution: a separate seed for each packet Can decrypt a packet even if a previous packet was lost But number of possible seeds is not large enough! RC4 seed = 24-bit initialization vector + fixed key Assuming 1500-byte packets at 11 Mbps, 2 24 possible IVs will be exhausted in about 5 hours Seed reuse is deadly for stream ciphers slide 22

Recovering Keystream Get access point to encrypt a known plaintext Send spam, access point will encrypt and forward it Get victim to send an email with known content If attacker knows plaintext, it is easy to recover keystream from ciphertext C M= (M RC4(IV,key)) M= RC4(IV,key) Not a problem if this keystream is not re-used Even if attacker doesn t know plaintext, he can exploit regularities (plaintexts are not random) For example, IP packet structure is very regular slide 23

Keystream Will Be Re-Used In WEP, repeated IV means repeated keystream Busy network will repeat IVs often Many cards reset IV to 0 when re-booted, then increment by 1 expect re-use of low-value IVs If IVs are chosen randomly, expect repetition in O(2 12 ) due to birthday paradox Recover keystream for each IV, store in a table (KnownM RC4(IV,key)) KnownM = RC4(IV,key) Wait for IV to repeat, decrypt and enjoy plaintext (M RC4(IV,key)) RC4(IV,key) = M slide 24

It Gets Worse Misuse of RC4 in WEP is a design flaw with no fix Longer keys do not help! The problem is re-use of IVs, their size is fixed (24 bits) Attacks are passive and very difficult to detect Perfect target for Fluhrer et al. attack on RC4 Attack requires known IVs of a special form WEP sends IVs in plaintext Generating IVs as counters or random numbers will produce enough special IVs in a matter of hours This results in key recovery (not just keystream) Can decrypt even ciphertexts whose IV is unique slide 25

Weak Countermeasures Run VPN on top of wireless Treat wireless as you would an insecure wired network VPNs have their own security and performance issues Compromise of one client may compromise entire network Hide SSID of your access point Still, raw packets will reveal SSID (it is not encrypted!) Have each access point maintain a list of network cards addresses that are allowed to connect to it Infeasible for large networks Attacker can sniff a packet from a legitimate card, then re-code (spoof) his card to use a legitimate address slide 26

Fixing the Problem Extensible Authentication Protocol (EAP) Developers can choose their own authentication method Passwords (Cisco EAP-LEAP), public-key certificates (Microsoft EAP-TLS), passwords OR certificates (PEAP), etc. 802.11i standard fixes 802.11b problems Patch: TKIP. Still RC4, but encrypts IVs and establishes new shared keys for every 10 KBytes transmitted No keystream re-use, prevents exploitation of RC4 weaknesses Use same network card, only upgrade firmware Long-term: AES in CCMP mode, 128-bit keys, 48-bit IVs Block cipher (in special mode) instead of stream cipher Requires new network card hardware slide 27

VoIP Voice Over Internet Protocol Voice communications over packet data networks Analogdigital converter Data compression Bob s voice terminal (telephone or computer) Alice s voice terminal RTP packet INTERNET UDP packet slide 28

VoIP Protocol Stack Audio Application RTP SRTP ZRTP Key Exchange (SDES, MIKEY) Session Description (SDP) Signaling Layer (SIP) UDP TCP IP Link and Physical Layer slide 29

SIP Session Initiation Protocol (SIP) is an application-layer protocol for creating, modifying and terminating VoIP sessions SIP network elements End Points/User Agents (UAs), Proxy/Redirect Server, Location Server, Registrar Modeled on HTTP, uses URI similar to email addresses sip: alice@domain.com slide 30

SIP Call Flow Illustration Resolve Location BYE INVITE Alice s Address BYE INVITE 180 Ringing 100 Trying 200 OK 100 Trying 200 OK 180 Ringing BYE INVITE 200 OK 180 Ringing ACK Bob Bob calls Alice RTP Voice Alice Hello. Hi. Bye. Alice answers the phone slide 31

What Does VoIP Security Mean? Confidentiality: Voice datagrams under encryption are indistinguishable from random Message authentication: If Alice receives a msg from Bob, then indeed it was sent by Bob Data integrity: Any modification of data in transit is detected by recipients Replay protection: Any attempt to replay data from an old session is detected by participants slide 32

SIP Security Mechanisms (1) HTTP digest authentication One-way authentication, replay prevention Network/transport layer IPsec TLS Hop-by-hop security for UDP, TCP, SCTP Need to manage keys, IPsec profiles Must be implemented by all proxies Hop-by-hop security (i.e., all proxies must be trusted) Can not be applied to UDP-based SIP (only TCP or other reliable transport protocol) slide 33

SIP Security Mechanisms (2) S/MIME Encrypted email, basically Use for public key distribution, authentication, integrity, and confidentiality of SIP signaling data Protect SIP header fields through tunneling entire SIP message as an S/MIME body End-to-end (as opposed to hop-by-hop) security SIP Authenticated Identity Body Basically same as S/MIME tunneling, but instead of tunneling the entire message, only a specific subset of headers are signed slide 34

Attacks on SIP SIP is very vulnerable to denial of service Reflection: send a large number of spoofed requests to SIP proxies using victim s IP address Session termination using unauthenticated BYE requests Registration requests may not be properly authenticated - register/deregister any user Flood location server with false bindings Impersonate proxy server slide 35

VoIP Key Establishment Use a special-purpose key exchange protocol MIKEY, ZRTP, several others OR Initiator sends key as part of Session Description Protocol (session setup) How is the key protected? This is the responsibility of signaling protocol (SIP) slide 36

SDP and SDES VoIP session parameters are described by Session Description Protocol (SDP) This includes key establishment (SDES) SDES: key is directly embedded in the payload of a SIP message Effectively, relies on SIP to transmit key securely This key will be used by Secure Real-Time Transport Protocol (SRTP) to protect actual media stream (voice datagrams) slide 37

SRTP Encryption XOR Pseudo-random key stream Data Encrypted data This may repeat Sender id Encryption key In counter mode (as if it were a stream cipher) This may repeat Sequence number This must be unique! slide 38

Security of SRTP Encryption Security of stream ciphers relies critically upon keystream never repeating If keystream repeats, attacker can replay datagrams from an old session and they will decrypt correctly SRTP encryption keys are computed deterministically from key material provided by the key establishment protocol Key material must never repeat The property must be guaranteed by the key establishment protocol! slide 39

SDES (with S/MIME) + SRTP When SDES is used for key establishment, uniqueness of master key is SIP s responsibility SIP may protect keys using S/MIME (basically, keys are sent inside encrypted email) Not supported by most existing VoIP installations, but can be used if end-to-end security is essential S/MIME does not guarantee freshness No replay prevention mechanisms Mismatch between SRTP requirements and SIP Result: SRTP encryption re-uses keystream Attack similar in spirit to attack on 802.11b slide 40

Lessons Protocol interaction matters! It s important to analyze the entire protocol stack, not just protocols in isolation Mismatch between inter-layer assumptions and guarantees leads to attacks SIP is similar to HTTP, but end-to-end protection requires S/MIME, not TLS SRTP expects that the key is fresh each time, but there is no replay protection in S/MIME slide 41

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information