CSC 607 Meeting 8 Charts


Slide 1: Security in Computing – CSC 607 / Wireless Security – WCM 605
Meeting 8
Tuesday 26 Jan, 2010

Slide 2: "Week 4" Schedule
Sat 1/23
• Voice Oriented Wireless Networks II
• Data Oriented Wireless Networks
• Security in Traditional Wireless Networks
• Security in Wireless LANs – I
Tue 1/26
• Security in Wireless LANs – II
• Breaking WEP Project Presentations
• Privacy Issues
• Review for Final Exam
Thu 1/28
• Legal and Ethical Issues
• Breaking WEP Project Presentations
• Final Exam
Week 4 Reading
• Pfleeger & Pfleeger, 4th Edition, Chapters 10 and 11
• Chandra, Chapters 6 & 7

Slide 3: Synchronous Stream Cipher (from Chapter 1)
(Figure: a key generator at each end produces the same keystream k_i; the sender computes C_i = P_i ⊕ k_i and the receiver recovers P_i = C_i ⊕ k_i.)
• Sender and receiver must be perfectly synchronized
• Security is completely compromised if the key is compromised
WEP uses RC4 as a stream cipher in synchronous mode
• Loss of one bit of ciphertext desynchronizes the keystream and causes loss of all following data
• Loss of data bits is common in wireless communications
• Therefore, use of a synchronous stream cipher is a fundamental problem for WEP
• RC4 is not the problem; synchronous mode is the problem

Slide 4: Scary WEP Weaknesses I
RC4 operates very successfully in SSL sessions at the application layer
• Sits on TCP
• TCP is reliable; TCP does not lose any data
• Perfect synchronization is guaranteed by the TCP layer
WEP designers attempted to address the data-loss problem by working at the packet level instead of the session level
• Unique key for EVERY packet
• Key does not depend on previous packet(s)

Slide 5: Scary WEP Weaknesses II
24-bit IV is too short
• 24 bits gives 2^24 = 16.7 million possibilities
• Assume 1500-byte packets at 11 Mb/s: all IVs are used up in (1500 × 8 × 2^24) / (11 × 10^6) s ≈ 18,300 s ≈ 5 hours
• SSL would need 2^24 ≈ 10^7 sessions to use up the same key space, which would typically take several years
The problem is clearly with the way RC4 is being used, not with RC4
• Forced repetition of IVs violates an RC4 cardinal rule: never repeat keys
• IV selection is not specified in the standard
• Changing the IV with each packet is optional!!!
The key is too easy to discover
• The per-packet key is generated by concatenating the IV with the master (shared secret) key, giving a different RC4 key for each packet
• The IV is transmitted in the clear (prepended to the ciphertext)
• This gives an eavesdropper the first three bytes of every per-packet key

Slide 6: WEP Vulnerability to FMS Attack
These weaknesses make WEP vulnerable to a Fluhrer–Mantin–Shamir (FMS) attack
• Exploits the fact that WEP generates very weak RC4 keys
• The FMS vulnerability is an RC4 weakness (a bias in the key-scheduling algorithm when a prefix of the key is known)
• The way per-packet keys are generated makes the FMS attack much more effective in 802.11 networks
An attacker can collect many 802.11 packets encrypted with weak keys
• The limited key space combined with the plaintext availability of the IV makes the FMS attack a very real threat
Additional problem: the first 8 bytes of every packet are a well-known Sub-Network Access Protocol (SNAP) header
• XORing the first 2 bytes of the encrypted payload with the (well-known) first 2 bytes of the SNAP header yields the first 2 bytes of the generated keystream
• With FMS, if the first two bytes of enough keystreams are known, the RC4 key can be recovered
WEP is an ideal candidate for the FMS attack

Slide 7: Key Stream Attack
Based on keystream reuse
• If two ciphertexts are known (e.g., captured from sniffer data) and one plaintext is known, then the second plaintext can be derived
Math:
• Since C1 = P1 ⊕ RC4(key)
• and C2 = P2 ⊕ RC4(key)
• then C1 ⊕ C2 = P1 ⊕ P2
• If either plaintext can be discovered, the other can then be computed easily, e.g. P2 = [P1 ⊕ P2] ⊕ P1
Statistical analysis (the birthday bound on a 2^24-value IV space: about √(2 · 2^24 · ln(1/(1−p))) packets for a collision probability p) shows:
• 50% chance of key reuse after 4,823 packets
• 99% chance of key reuse after 12,430 packets

Slide 8: Example
Plaintext P1   10011001      Plaintext P2   11100101
Keystream      10101010      Keystream      10101010
Ciphertext C1  00110011      Ciphertext C2  01001111

C1 ⊕ C2 = 00110011 ⊕ 01001111 = 01111100 = P1 ⊕ P2
[P1 ⊕ P2] ⊕ P1 = 01111100 ⊕ 10011001 = 11100101 = P2
Also, if the attacker can get hold of a <P1, C1> pair:
• P1 ⊕ C1 = K (the keystream)
• K can then be used to decrypt C2 to get P2

Slide 9: WEP Integrity Problem
WEP uses an Integrity Check (IC) field
• Intended to protect against modification of packets in transit
The integrity check field is a CRC-32 checksum
• Part of the encrypted payload of the packet
Drawback: CRC-32 is linear
• The ICV is NOT cryptographically protected: it is encrypted, but stream-cipher encryption is itself a linear (XOR) operation
• An attacker can modify the ICV to force the receiver to accept the packet
Bit flips carry straight through the RC4 XOR
• The attacker can flip arbitrary bits in an encrypted message
• The attacker can then adjust the checksum correctly
• The resulting message appears valid
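The keystream-reuse recovery of slides 7–8 and the ICV bit-flip forgery of slide 9, run end to end against a toy WEP implementation. This is an added Go example written for this page, not code from the slides or from any 802.11 implementation. The shared key, IV and payloads are constructed; the 802.11 MAC header and the key-ID byte are omitted because the ICV covers neither; and the CRC delta includes the CRC of an all-zero string, because the IEEE CRC-32 (with its initial and final XOR) is affine rather than strictly linear, so CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y) ⊕ CRC(0…0).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// rc4Keystream runs the RC4 KSA and PRGA to produce n keystream bytes. WEP
// feeds IV||K in as the key, so the first three key bytes are public.
func rc4Keystream(key []byte, n int) []byte {
	var s [256]byte
	for i := range s {
		s[i] = byte(i)
	}
	j := 0
	for i := 0; i < 256; i++ {
		j = (j + int(s[i]) + int(key[i%len(key)])) & 0xff
		s[i], s[j] = s[j], s[i]
	}
	out := make([]byte, n)
	i, j := 0, 0
	for k := range out {
		i = (i + 1) & 0xff
		j = (j + int(s[i])) & 0xff
		s[i], s[j] = s[j], s[i]
		out[k] = s[(int(s[i])+int(s[j]))&0xff]
	}
	return out
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// wepEncap builds the encrypted part of a WEP frame: the 3-byte IV in the clear,
// then RC4_{IV||key}(payload || ICV) with the ICV the little-endian CRC-32 of the
// payload. The key-ID byte and 802.11 MAC header are omitted; the ICV covers neither.
func wepEncap(iv, key, payload []byte) []byte {
	icv := make([]byte, 4)
	binary.LittleEndian.PutUint32(icv, crc32.ChecksumIEEE(payload))
	body := append(append([]byte{}, payload...), icv...)
	ks := rc4Keystream(append(append([]byte{}, iv...), key...), len(body))
	return append(append([]byte{}, iv...), xorBytes(body, ks)...)
}

// wepDecap is the receiver: rebuild the keystream from the public IV and the
// shared key, decrypt, and accept the payload only if the ICV matches.
func wepDecap(frame, key []byte) ([]byte, error) {
	iv, ct := frame[:3], frame[3:]
	ks := rc4Keystream(append(append([]byte{}, iv...), key...), len(ct))
	body := xorBytes(ct, ks)
	payload, icv := body[:len(body)-4], body[len(body)-4:]
	if binary.LittleEndian.Uint32(icv) != crc32.ChecksumIEEE(payload) {
		return nil, errors.New("ICV mismatch: frame rejected")
	}
	return payload, nil
}

// recoverByReuse is the keystream-reuse attack of slide 7: frames that share an
// IV share a keystream, so C1 xor C2 = P1 xor P2 and a known P1 yields P2.
func recoverByReuse(frame1, frame2, p1 []byte) []byte {
	c1, c2 := frame1[3:3+len(p1)], frame2[3:3+len(p1)]
	return xorBytes(xorBytes(c1, c2), p1)
}

// forgeFlip is the bit-flipping attack of slide 9: without key or plaintext,
// XOR the ciphertext with Y (turning X into X^Y) and the encrypted ICV with the
// matching CRC delta. The IEEE CRC-32 (initial/final XOR 0xFFFFFFFF) is affine,
// CRC(X^Y) = CRC(X) ^ CRC(Y) ^ CRC(0...0), so the all-zero term is included.
func forgeFlip(frame, y []byte) []byte {
	n := len(y)
	d := make([]byte, 4)
	binary.LittleEndian.PutUint32(d, crc32.ChecksumIEEE(y)^crc32.ChecksumIEEE(make([]byte, n)))
	out := append([]byte{}, frame...)
	copy(out[3:], xorBytes(out[3:3+n], y))
	copy(out[3+n:], xorBytes(out[3+n:3+n+4], d))
	return out
}

func main() {
	key := []byte("WEP104bitKey!") // constructed 104-bit shared key
	iv := []byte{0x12, 0x34, 0x56} // one IV reused for two frames
	p1 := []byte("Pay Bob $100 from A")
	p2 := []byte("Pay Eve $500 from A")
	f1, f2 := wepEncap(iv, key, p1), wepEncap(iv, key, p2)
	fmt.Printf("recovered P2 from IV reuse: %q\n", recoverByReuse(f1, f2, p1))
	y := make([]byte, len(p1)) // turn "Bob" into "Eve" inside f1 without the key
	copy(y[4:], xorBytes([]byte("Bob"), []byte("Eve")))
	got, err := wepDecap(forgeFlip(f1, y), key)
	fmt.Printf("forged frame accepted: %v, payload %q\n", err == nil, got)
}
```

Running `main` shows the receiver accepting the forged "Pay Eve $100 from A" with a valid ICV, while the same receiver rejects a frame whose payload bit was flipped without the matching ICV correction; the only thing the attacker needed was the linearity of CRC-32 and of the XOR encryption.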
Slide 10: Integrity Attack Details
(Frame layout: 802.11 MAC Header | IV + Key ID (4 bytes) | Payload | ICV)
Math
• X = payload of the packet over which CRC-32 is computed
• ICV = CRC(X)
• Fact: CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y) for the raw CRC; for the IEEE CRC-32 with its initial and final XOR the relation is affine, CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y) ⊕ CRC(0…0), which the attacker corrects for trivially
The attack: the intruder wants to change X to Z
• The intruder captures the encrypted packet from the air interface
• The intruder calculates Y = X ⊕ Z (note Z = X ⊕ Y); reaching a specific Z requires knowing X, but chosen bits of an unknown X can be flipped the same way
• The intruder XORs the captured payload with Y and the captured ICV with CRC(Y)
• The packet changes from {X, CRC(X)} to {X ⊕ Y, CRC(X) ⊕ CRC(Y)} = {X ⊕ Y, CRC(X ⊕ Y)}
• The intruder retransmits the modified packet
The receiver has no way of knowing that the packet has been modified
• Encrypting the ICV with RC4 adds no cryptographic protection: the encryption is a plain XOR
• Bit flips carry through the RC4 process linearly

Slide 11: Redirection Attack
(Figure: Alice, a wireless STA, talks to the AP over the WEP-protected link; Bob and Charlie sit behind the AP on wired links that are not protected. The AP decrypts packets and forwards them in the clear.)
• Eve captures packets from Alice
• Modifies the MAC header so that the destination is Charlie
• Resends them
• The AP decrypts and forwards them to Charlie
Eve uses the infrastructure to decrypt packets
• Bob or Charlie could also be on wireless links not using any encryption
• Extremely simple, and very attractive to an attacker
Fundamental issue: the ICV is not calculated over the MAC header, so the MAC header is not protected
Lesson: confidentiality without integrity leaves the system open to redirection attacks

Slide 12: Replay Attack
(Figure: A, a wireless STA, sends to bank B over the WEP-protected link; B is behind the AP on an unprotected wired link.)
A sends a message to B: "Pay E $500 from A"
• E captures the packets from A
• Waits a few days
• Resends them with no change
• B pays E again from A's account
Prevent replays with timestamps/sequence numbers
• Not part of WEP
• The MAC header is not protected

Slide 13: Summary of WEP Weaknesses
1. No mechanism for key establishment over an insecure medium
   a) Key sharing among STAs within and across BSAs
   b) Exposes the base (master) key to FMS and similar attacks
2. 24-bit IV: very limited key space
   a) Makes key reuse highly likely
3. Uses a synchronous cipher over a medium that is difficult to keep in synch
   a) The per-packet RC4 key is produced by concatenating the IV to the master key
4. Master key is manually configured
5. WEP spec makes changing the IV with each packet optional
6. The checksum used (CRC-32) is linear
7. The ICV does not protect the integrity of the 802.11 header
   a) Opens the door to redirection attacks
8. No protection against replay attacks
9. No support for the STA to authenticate the network
Principal deficiency: using RC4 in an unsuitable mode

Slide 14: WPA
WPA (Wi-Fi Protected Access), based on the draft IEEE 802.11i standard, was announced October 31, 2002
User authentication
• 802.1X + Extensible Authentication Protocol (EAP)
Encryption
• Temporal Key Integrity Protocol (TKIP)
• 802.1X for dynamic key distribution
• Message Integrity Code (MIC): the Michael algorithm
WPA = 802.1X + EAP + TKIP + MIC

Slide 15: The Two-Step Evolution Picture: WEP → WPA → WPA2
IEEE 802.11i – Robust Security Network (RSN) – designed to fix WEP's problems
• Only RSN-compatible devices can join an RSN; no 802.11i non-compliant devices
• Transition from 802.11 to RSN may require multiple steps
• RSN and WEP can co-exist in transitional networks
WPA2 uses the Advanced Encryption Standard (AES)
• Not backward compatible with existing WEP hardware
The Wi-Fi Alliance introduced the Temporal Key Integrity Protocol (TKIP) to provide backward compatibility
• Better known as Wi-Fi Protected Access (WPA)
• WPA is a pre-standard subset of 802.11i
• 802.11i has come to be known as WPA2
• WPA2 uses AES for confidentiality and integrity
• WPA uses TKIP for confidentiality and MICHAEL for integrity

Slide 16: Constraint on WEP to WPA
The WEP process is implemented in HARDWARE in existing APs and WLAN NIC cards
• A WLAN NIC consists of a small microprocessor, firmware, memory, and a special-purpose hardware engine
• WEP is implemented in hardware because software implementations of WEP are too slow
• Hardware inputs: IV, base (master) key, plaintext data
• Hardware output: ciphertext
The hardware engine cannot be changed when implementing TKIP

Slide 17: Closing the WEP Key Establishment Loophole
The IEEE 802.11i task group recognized two distinct environments
• Specifies use of IEEE 802.1X for master key establishment and authentication for the enterprise
• Allows manual configuration of the master key for homes
Significant reduction in exposure of the master key
• Much more difficult for an attacker to discover
• WPA adds an additional layer to the key hierarchy
  - WEP has a master key and a per-packet key
  - WPA has multiple tiers: Pairwise Master Key (PMK); Pairwise Transient Key (PTK); per-packet key generated by using the PTK with a mixing function
WPA avoids exposing the PMK in each packet by introducing the PTK concept

Slide 18: WEP / WPA Key Hierarchy
WEP
• Master key (pre-shared / manually configured), 40 bits / 104 bits
• Prepended with the IV → per-packet encryption key
WPA (used with 802.1X)
• Master secret (used by the authentication process: certificate, password, …)
• PMK (256 bits): by-product of 802.1X-based authentication (user password)
WPA (used without 802.1X)
• PMK can be specified by the network administrator
Both WPA variants
• PRF-512(PMK, "Pairwise key expansion", MAC1 || MAC2 || Nonce1 || Nonce2) → Pairwise Transient Keys:
  - Data encryption key (128 bits)
  - Data MIC key (128 bits)
  - EAPoL encryption key (128 bits)
  - EAPoL MIC key (128 bits)
• Phase-1 and Phase-2 key mixing → per-packet encryption key

Slide 19: Pairwise Transient Keys
Basically session keys
• Session = association between STA and AP
• Each time the STA associates with the AP a new session starts
Four keys, each 128 bits long
• Encryption key for data
• Integrity key for data
• Encryption key for EAPoL data
• Integrity key for EAPoL data
Keys are valid only for a limited time
• Called Temporal Keys
Keys are derived from the Pairwise Master Key using a pseudo-random function (PRF)
• Based on the HMAC-SHA algorithm
• PTK = PRF-512(PMK, "Pairwise key expansion", AP_MAC || STA_MAC || ANonce || SNonce)
  (802.11i orders the two MAC addresses and the two nonces as min || max, so that both ends compute identical PRF input)

Slide 20: PTK Computation
Five inputs
• PMK
• Both MAC addresses (STA and AP)
• One nonce from each endpoint
  - Ensures that the session is bound to the two endpoints
  - Increases the effective key space
• Nonces are generated in parallel by the endpoints
  - Nonce for AP = PRF-256(Random Number, "Init Counter", AP_MAC || Time)
  - Nonce for STA = PRF-256(Random Number, "Init Counter", STA_MAC || Time)
• STA and AP derive the same PTK from the PMK simultaneously, following the exchange of nonces and MAC addresses
• PTKs are shared between a specific AP and a specific STA
• PTKs protect both data and EAPoL messages between them

Slide 21: TKIP
Replaces WEP with a new encryption algorithm
• TKIP, like WEP, uses a key scheme based on RC4
TKIP provides:
• Per-packet key mixing
• A message integrity check
• A re-keying mechanism
TKIP ensures that every data packet is sent with its own unique encryption key
TKIP can be implemented in firmware

Slide 22: TKIP Derivation of Per-Packet Keys (Per-Packet Key Mixing)
(Figure: Phase-1 key mixing takes the PTK data encryption key, the transmitter's own MAC address and the high 32 bits of the TSC*/IV; Phase-2 key mixing takes the Phase-1 output, the PTK data encryption key and the low 16 bits of the TSC*/IV, and emits the 24-bit WEP "IV" TSC_lo16_hi8 || dummy byte || TSC_lo16_lo8 together with a 104-bit per-packet key.)
• Assumes a 48-bit IV input; the 104-bit per-packet key is compatible with existing WEP hardware
• Phase 1 is computationally intensive (hash generation), which is why the computation is split into Phase 1 and Phase 2
• Phase 1 computation is only required when a high-order IV bit changes: once every 65,536 packets
• The key mixing function makes it very hard for an eavesdropper to correlate the IV and the per-packet key used to encrypt the packet
* TSC = TKIP Sequence Counter

Slide 23: Recall: 802.1X/EAP Port Model
(Figure: Supplicant —EAPoL— Authenticator (uncontrolled port, controlled port, port authorization) —EAP— Authentication Server; the controlled port leads to the authorized LAN resources over switched or shared Ethernet.)
• The controlled port is open only when the device connected to the authenticator has been authorized by 802.1X
• The uncontrolled port provides a path ONLY for Extensible Authentication Protocol over LAN (EAPoL) traffic
• May be limited by MAC filtering: only STAs with a "registered" MAC address are accepted (can be used to deter DoS attacks)
EAPoL can be easily adapted to the 802.11 environment
• STA = Supplicant
• AP = Authenticator: a layer-2 switch with both wired and wireless interfaces

Slide 24: Recall: EAPoL
Message exchange between Supplicant (STA), Authenticator (AP) and Authentication Server (RADIUS):
  STA → AP: EAPOL-Start
  AP → STA: EAP-Request/Identity
  STA → AP: EAP-Response/Identity      AP → RADIUS: RADIUS-Access-Request
  AP → STA: EAP-Request/OTP            RADIUS → AP: RADIUS-Access-Challenge
  STA → AP: EAP-Response/OTP           AP → RADIUS: RADIUS-Access-Request
  AP → STA: EAP-Success                RADIUS → AP: RADIUS-Access-Accept   → Port Authorized
  STA → AP: EAPoL-Logoff                                                    → Port Unauthorized
• The 802.1X authentication process is between the STA and the RADIUS server
• The master key is established between the STA and the authentication server
• Confidentiality and integrity in 802.11 are between the AP and the STA
• Session (PTK) and per-packet keys are needed at the STA and the AP
• The STA has the PMK and can derive the PTK; the AP does not have the PMK
• A secure mechanism is needed to get the PMK from the authentication server to the AP
• The RADIUS protocol enables secure key distribution from the authentication server to the AP

Slide 25: Recall How EAP is Used With TLS
1. EAP-Request: ID
2. EAP-Response: ID
3. EAP-Request: TLS_Start
4. EAP-Response: TLS_Client_Hello
5. EAP-Request: TLS_Server_Hello, TLS_Server_Cert, TLS_Server_Hello_Done
6. EAP-Response: TLS_Client_Key_Exchange, TLS_Client_Change_CS, TLS_Client_Finished
7. EAP-Request: TLS_Server_Change_CS, TLS_Server_Finished
8. EAP-Response: Null Data
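The PTK derivation of slides 18–20, together with the requirement on slide 24 that the STA and the AP end up with the same PTK even though only the STA took part in computing the PMK, as an added Go example (written for this page, not code from the slides or from any 802.11 implementation). The PRF follows the 802.11i definition, HMAC-SHA1 over label || 0x00 || data || counter, truncated to n bits. The PMK, MAC addresses, random seeds and time value are constructed; the min || max ordering of the two MACs and the two nonces is what makes both sides' PRF input identical regardless of which side runs the derivation.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// prf is the 802.11i pseudo-random function: PRF-n(K, A, B) concatenates
// HMAC-SHA1(K, A || 0x00 || B || i) for i = 0, 1, ... and keeps the first
// n bits. PRF-512 yields the four 128-bit TKIP keys, PRF-384 the CCMP PTK.
func prf(key []byte, label string, data []byte, nBits int) []byte {
	var out []byte
	for i := 0; len(out)*8 < nBits; i++ {
		mac := hmac.New(sha1.New, key)
		mac.Write([]byte(label))
		mac.Write([]byte{0x00})
		mac.Write(data)
		mac.Write([]byte{byte(i)})
		out = mac.Sum(out)
	}
	return out[:nBits/8]
}

// minMax orders two byte strings so that both ends of the association feed
// identical input to the PRF whichever side runs the derivation.
func minMax(a, b []byte) ([]byte, []byte) {
	if bytes.Compare(a, b) <= 0 {
		return a, b
	}
	return b, a
}

// genNonce follows slide 20: Nonce = PRF-256(Random, "Init Counter", MAC||Time).
func genNonce(random, mac []byte, timeNs uint64) []byte {
	t := make([]byte, 8)
	binary.BigEndian.PutUint64(t, timeNs)
	return prf(random, "Init Counter", append(append([]byte{}, mac...), t...), 256)
}

// derivePTK is PTK = PRF-n(PMK, "Pairwise key expansion",
// min(MAC)||max(MAC)||min(Nonce)||max(Nonce)); n is 512 for TKIP, 384 for CCMP.
func derivePTK(pmk, apMAC, staMAC, aNonce, sNonce []byte, nBits int) []byte {
	lo, hi := minMax(apMAC, staMAC)
	nlo, nhi := minMax(aNonce, sNonce)
	var data []byte
	for _, part := range [][]byte{lo, hi, nlo, nhi} {
		data = append(data, part...)
	}
	return prf(pmk, "Pairwise key expansion", data, nBits)
}

// TemporalKeys are the pieces of the PTK in the order 802.11i assigns them.
type TemporalKeys struct {
	KCK, KEK []byte // EAPoL MIC key and EAPoL encryption key, 128 bits each
	TK       []byte // data key(s): 128 bits for CCMP, 256 bits for TKIP
}

func splitPTK(ptk []byte) TemporalKeys {
	return TemporalKeys{KCK: ptk[:16], KEK: ptk[16:32], TK: ptk[32:]}
}

func main() {
	// Constructed values; a real PMK is the by-product of 802.1X/EAP or a PSK.
	pmk := bytes.Repeat([]byte{0x5a}, 32)
	apMAC, _ := hex.DecodeString("00a0c9000001")
	staMAC, _ := hex.DecodeString("001cbf000002")
	aNonce := genNonce(bytes.Repeat([]byte{0x01}, 32), apMAC, 1264550400000000000)
	sNonce := genNonce(bytes.Repeat([]byte{0x02}, 32), staMAC, 1264550400000000001)

	// Each side derives independently, with the arguments as it sees them.
	atAP := derivePTK(pmk, apMAC, staMAC, aNonce, sNonce, 384)
	atSTA := derivePTK(pmk, staMAC, apMAC, sNonce, aNonce, 384)
	fmt.Println("STA and AP agree on the PTK:", bytes.Equal(atAP, atSTA))
	k := splitPTK(atAP)
	fmt.Printf("KCK %x\nKEK %x\nTK  %x\n", k.KCK, k.KEK, k.TK)
}
```

Because the PTK depends on both nonces, an attacker who records one association gains nothing for the next one even though the PMK is unchanged; and because it depends on both MAC addresses, a PTK derived for one STA/AP pair cannot be replayed against another.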
(A) 802.1X does not specify the authentication protocol to be used
(B) The network administrator must choose one; TLS is commonly used

Slide 26: TLS with EAPoL in WLAN
Message exchange between Supplicant (STA), AP and RADIUS server in the enterprise network:
  STA → AP: EAPOL-Start                                 (start EAP authentication)
  AP → STA: EAP-Request/Identity                        (ask client for identity)
  STA → AP: EAP-Response/Identity (UserID)
  AP → RADIUS: RADIUS-Access-Request                    (access request with UserID)
  STA ↔ RADIUS: server-side TLS, client-side TLS        (perform the sequence defined by EAP-TLS)
  Key: the client derives the session key
  RADIUS → AP: RADIUS-Access-Accept                     (pass the session key to the AP)
  AP → STA: EAP-Success
  AP → STA: EAPoL-Key (Multicast), EAPoL-Key (Session Parameters)   (deliver the broadcast key, encrypted with the session key, and the session parameters)

Slide 27: EAP-TLS WLAN Alternatives
Analysis of EAP-TLS has shown no significant weaknesses
• Attractive option for 802.1X
One deployment issue
• EAP-TLS relies on the use of certificates for mutual authentication (network and client)
• The requirement for every client to have a certificate leads to widespread deployment of PKI, which is not always cost-effective
Alternatives: EAP-TTLS (tunnelled TLS) and PEAP
• Both use certificates to authenticate the network to the client
• Clients can use password schemes to authenticate themselves to the network
• Two phases
  - Phase 1: authenticate the network to the client using a certificate; establish a tunnel
  - Phase 2: carry out password authentication over the secure tunnel

Slide 28: TKIP vs. WEP Confidentiality
Inappropriate use of a stream cipher is the fundamental WEP weakness
• WEP solution = per-packet key
  - Per-packet key generated by prepending a 24-bit IV to the fixed pre-shared key
  - Only 16,777,216 values before the IV duplicates
  - No specification of how to select the per-packet IV
  - Not mandatory to vary the IV per packet
  - No mechanism to guarantee a unique IV per STA
  - Makes IV collisions (same IV in different packets) very likely
• Concatenating the IV with the pre-shared key to obtain the per-packet key is cryptographically insecure, making WEP vulnerable to the FMS attack
TKIP modifications
• Size of the IV doubled from 24 to 48 bits
  - Increases the key collision time from hours to "a few hundred years"
  - The actual increase is to 56 bits, but the first 8 bits are reserved for discarding weak (yet to be discovered) keys
• WEP hardware was built for a 24-bit IV + 40/104-bit pre-shared key
  - Generates a 64/128-bit per-packet key
  - The hardware cannot be upgraded to deal with a 48-bit IV and generate an 88/156-bit per-packet key
• Solution: the per-packet key mixing function increases the effective IV size but retains compatibility with existing hardware

Slide 29: TKIP vs. WEP Integrity
WEP's use of the linear CRC-32 for its integrity check is not cryptographically secure
• Used because it is not computationally intensive
TKIP aims
• An integrity protocol that is cryptographically secure
• An integrity protocol that is NOT computationally intensive (WEP hardware is weak on processing power)
TKIP approach
• Avoid a MIC that has lots of multiplication operations
• Use MICHAEL: uses "shift" and "add" instead of "multiply"; implementable on existing WEP hardware

Slide 30: MICHAEL
Michael is a compromise
• Improves on the CRC-32 used in WEP
• Not as cryptographically strong as a MIC built on a cryptographic hash (e.g., HMAC with MD5 or SHA-1)
Two countermeasures are added to handle situations in which MICHAEL might be compromised
• Disconnect in case of two failed forgeries within one minute (802.11i uses a 60-second window)
  - Failed forgery = calculated MIC ≠ attached MIC
  - Actions: delete keys; disassociate; wait one minute, then re-associate
• Use the IV as a sequence counter
  - Each STA must start with IV = 0 for each new key
  - Increment by 1 for each new packet transmitted during the session
  - Eliminates the possibility of replay attacks

Slide 31: TKIP (WPA) Complete Picture
(Figure, transmit side: the MSDU and the PTK data MIC key go into MICHAEL, whose MIC is appended to the MSDU; the result is fragmented into MPDUs. For each MPDU a CRC-32 ICV is appended and the WEP block encrypts MPDU || ICV with RC4 under the 104-bit per-packet key produced by Phase-1/Phase-2 key mixing from the PTK data encryption key, the own MAC address and the TSC*/IV (high 32 bits into Phase 1, low 16 bits into Phase 2); the 24-bit WEP IV sent on the air is TSC_lo16_hi8 || dummy byte (to avoid weak keys) || TSC_lo16_lo8; the output is the encrypted MPDU.)
MSDU = MAC Service Data Unit
MPDU = MAC Protocol Data Unit
* TSC = TKIP Sequence Counter

Slide 32: WEP Problems Fixed by WPA
WEP: Pre-shared (out-of-band) key establishment, usually manual, with key sharing within the BSS (sometimes the ESS)
  → WPA: 802.1X key establishment for enterprise deployments
WEP: Exposes the master key to FMS and similar attacks (static master key + small IV + method of per-packet key generation); generates the per-packet key by concatenating the IV directly to the master key
  → WPA: Solves the problem with Pairwise Transient Keys (PTK) and a per-packet key mixing function; significantly reduces exposure of the master key
WEP: Extremely limited key space; key reuse is highly probable; changing the IV per packet is optional
  → WPA: Increases the IV to 56 bits (8 bits reserved to discard weak keys); a new PTK per session expands the effective key space; specifies that transmitter and receiver set IV = 0 initially for each new PTK set and increment by one for each packet, which eliminates key reuse
WEP: Uses a synchronous stream cipher unsuitable for wireless
  → WPA: Same (the WEP method is still supported)

Slide 33: WEP Problems Fixed by WPA (cont.)
WEP: Linear algorithm (CRC-32) for message integrity: weak integrity protection
  → WPA: Specifies a non-linear algorithm (MICHAEL) for message integrity, with specified countermeasures for special cases
WEP: The ICV does not protect the integrity of the 802.11 header: susceptible to redirection attacks
  → WPA: The MIC computation includes the MAC source and destination addresses: protects against redirection attacks
WEP: No protection against replay attacks
  → WPA: Use of the IV as a sequence number provides replay protection
WEP: No support for the STA to authenticate the network
  → WPA: Use of 802.1X in enterprise deployments allows the STA to authenticate the network

Slide 34: Robust Security Network (RSN) (WPA2) (802.11i)
Primary aims of WPA
• Improve the security of existing 802.11 networks
• Deployable with a simple software upgrade; no need for a hardware upgrade
• "Stepping-stone" to the final (802.11i) solution
  - Pre-standard subset of 802.11i
  - Almost completely adopted several 802.11i specifications: key establishment, key hierarchy, authentication
WPA vs. WPA2
• Identical authentication mechanism
• WPA2 uses the same key for encryption and integrity protection: one less key needed by WPA2
• WPA2 replaces the WEP/WPA stream cipher (RC4) with an AES-based block cipher algorithm
Replacement of RC4 with an AES-based block cipher is the major enhancement

Slide 35: Stream Ciphers vs. Block Ciphers
Stream ciphers convert one symbol of plaintext into one symbol of ciphertext
Block ciphers convert groups (or blocks) of plaintext symbols into groups (or blocks) of ciphertext

                Stream Encryption                                   Block Encryption
Advantages      Faster: no delay to combine characters into         High diffusion: one ciphertext block may depend on
                blocks                                              several plaintext characters
                Low error propagation: an error affects one         Immune to insertion of symbols: impossible to insert
                cipher character                                    a single symbol into a ciphertext block
Disadvantages   Low diffusion: each symbol is separately            Slower: a whole block of plaintext must be read
                enciphered                                          before encryption can start
                Susceptible to malicious insertions and             Error propagation: an error affects the transformation
                modifications                                       of all other characters in the same block

Slide 36: Recall OFB: Output Feedback Mode
(Figure: S_0 = E_k(IV); S_n = E_k(S_{n−1}); C_n = P_n ⊕ S_n, or P_n = C_n ⊕ S_n; P_i and C_i are 64-bit blocks.)
Encryption of the chain of S_n can be done "off line" (no message needed)
Biggest advantages:
• Fast to compute
• The keystream can be precomputed
• Errors in ciphertext cause limited errors in plaintext
Biggest disadvantages:
• Not self-synchronizing
• Susceptible to known-plaintext attacks
Variations of OFB are the closest to the mechanisms used for wireless security

Slide 37: WPA2 Uses AES in Counter Mode
(Figure: for each 128-bit block M_n, C_n = M_n ⊕ E_K(δ_n); E = AES; δ = counter, δ_n = δ_{n−1} + ε; ε may be 1, but may be some other value; most implementations specify δ_1 = Nonce.)
• The nonce changes with each successive message
• Keystream = 128-bit blocks
• The security of the system lies in the counter: the system is secure so long as the counter is never repeated
• WPA2 uses a fresh counter for each new session
• Combines the security of a block cipher with the ease of use of a stream cipher

Slide 38: Main Features of AES in Counter Mode
Allows a block cipher to be operated as a stream cipher
Makes the generated keystream independent of the message
• Allows the keystream to be generated before the message arrives
Blocks can be computed in parallel if hardware is available
• No interdependency between the encryption of blocks
Each device needs only to implement the AES encryption mechanism
• Decryption is an identical process to encryption
The length of the encrypted text can exactly equal the length of the plaintext
• Counter mode does NOT require that the message be broken up into an exact number of blocks
• AES/Counter Mode only provides confidentiality
• AES/Counter Mode does NOT provide integrity

Slide 39: AES-CCMP: WPA2 Cipher Block Chaining (CBC)-MAC
(Figure: h_1 = E_K(M_1 ⊕ IV), h_i = E_K(M_i ⊕ h_{i−1}) over the 128-bit blocks M_1 … M_n, with a 128-bit IV and an optional trailing block; h_n = MAC; E_K = AES encryption with key K.)
• Any change to the protected data changes the output of the last block (the residue), i.e. the MAC
• The 802.11i task group combined the Counter mode of operation with the CBC-MAC integrity protocol to create CCMP (Counter-mode CBC-MAC Protocol)
• The process is integrated with the cipher block chaining operation
• Allows use of the same key for encryption and integrity

Slide 40: WPA2 Complete Picture
(Figure, transmit side: the MSDU is fragmented into MPDUs. For each MPDU: update the packet number (PN); add the CCMP header (PN, key ID) behind the MAC header; from priority, source address and PN form the 104-bit nonce, which with the data length gives the 128-bit IV for the CBC-MAC and, with a block counter, the counter for AES counter mode; AES CBC-MAC under the PTK data key over the MAC header fields and the 128-bit data blocks produces the MIC; AES counter mode then encrypts the data blocks and the MIC. Only the "red" part, data and MIC, is encrypted; the MAC header and CCMP header are sent in the clear.)

Slide 41: WPA2 Observations
The same key is used for encryption and integrity
• One less key than in WPA
• Adds some "cost" in terms of the amount of computation required
• The MIC computation cannot be done in parallel: CBC-MAC needs the output of the previous block to compute the MAC for the current block, so per-packet processing loses the parallelism of pure counter mode
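Slides 37–41 describe CCMP as counter-mode encryption plus a CBC-MAC under a single key, with a nonce built from priority, source address and packet number. The following is an added Go example written for this page (not the slides' code, and not a conforming 802.11 implementation) that assembles exactly that from the standard library's AES block cipher. The B0 block with flag byte 0x59, the length-prefixed AAD, the counter blocks and the MIC masked by counter block 0 follow the CCM construction that CCMP uses; the key, source MAC, AAD bytes, payload and packet numbers are constructed, and the AAD is a stand-in for the masked 802.11 header.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const micLen = 8 // CCMP: 8-byte MIC, 2-byte length field (L = 2), 13-byte nonce

// ccmpNonce is the 13-byte nonce of the integrity slide: priority || A2 (source MAC) || PN.
func ccmpNonce(priority byte, a2 []byte, pn uint64) []byte {
	var pnb [8]byte
	binary.BigEndian.PutUint64(pnb[:], pn)
	n := append([]byte{priority}, a2...)
	return append(n, pnb[2:]...) // six-byte packet number, most significant first
}

func xorInto(dst, src []byte) {
	for i := range src {
		dst[i] ^= src[i]
	}
}

func pad16(b []byte) []byte { return append(b, make([]byte, (16-len(b)%16)%16)...) }

// cbcMAC chains AES over B0 || encoded(AAD) || plaintext and returns the MIC.
// B0 = 0x59 || nonce || len(pt) (flags: Adata, 8-byte MIC, L = 2); the AAD gets
// a 2-byte length prefix; AAD and plaintext are zero-padded to whole blocks.
func cbcMAC(blk cipher.Block, nonce, aad, pt []byte) []byte {
	b0 := append(append([]byte{0x59}, nonce...), byte(len(pt)>>8), byte(len(pt)))
	a := append([]byte{byte(len(aad) >> 8), byte(len(aad))}, aad...)
	data := append(append(b0, pad16(a)...), pad16(append([]byte{}, pt...))...)
	x := make([]byte, 16)
	for i := 0; i < len(data); i += 16 {
		xorInto(x, data[i:i+16])
		blk.Encrypt(x, x)
	}
	return x[:micLen]
}

// ctrCrypt XORs data with E_K(A_i), A_i = 0x01 || nonce || i for i >= 1, and
// also returns E_K(A_0), which masks the MIC. The same call decrypts.
func ctrCrypt(blk cipher.Block, nonce, data []byte) (out, s0 []byte) {
	a := append(append([]byte{0x01}, nonce...), 0, 0) // flags byte: only L' = 1
	s0 = make([]byte, 16)
	blk.Encrypt(s0, a)
	out = make([]byte, (len(data)+15)/16*16) // whole blocks, trimmed below
	copy(out, data)
	ks := make([]byte, 16)
	for i := 0; i < len(out); i += 16 {
		binary.BigEndian.PutUint16(a[14:], uint16(i/16+1))
		blk.Encrypt(ks, a)
		xorInto(out[i:i+16], ks)
	}
	return out[:len(data)], s0
}

// ccmpSeal returns ciphertext || masked MIC, both under the one data key (TK).
func ccmpSeal(blk cipher.Block, nonce, aad, pt []byte) []byte {
	mic := cbcMAC(blk, nonce, aad, pt)
	ct, s0 := ctrCrypt(blk, nonce, pt)
	xorInto(mic, s0[:micLen])
	return append(ct, mic...)
}

// ccmpOpen decrypts and drops the frame unless the recomputed MIC matches.
func ccmpOpen(blk cipher.Block, nonce, aad, frame []byte) ([]byte, error) {
	if len(frame) < micLen {
		return nil, errors.New("frame too short")
	}
	ct, mic := frame[:len(frame)-micLen], frame[len(frame)-micLen:]
	pt, s0 := ctrCrypt(blk, nonce, ct)
	want := cbcMAC(blk, nonce, aad, pt)
	xorInto(want, s0[:micLen])
	if subtle.ConstantTimeCompare(want, mic) != 1 {
		return nil, errors.New("MIC check failed: frame dropped")
	}
	return pt, nil
}

// acceptFrame adds the replay rule: the PN from the CCMP header must strictly
// increase per sender, and is advanced only after a good MIC.
func acceptFrame(blk cipher.Block, a2 []byte, lastPN *uint64, pn uint64, aad, frame []byte) ([]byte, error) {
	if pn <= *lastPN {
		return nil, errors.New("replayed or out-of-order PN")
	}
	pt, err := ccmpOpen(blk, ccmpNonce(0, a2, pn), aad, frame)
	if err == nil {
		*lastPN = pn
	}
	return pt, err
}

func main() {
	blk, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed 128-bit TK
	a2, aad := []byte{0, 0x1c, 0xbf, 0, 0, 2}, []byte("masked 802.11 header") // constructed
	var last uint64
	f := ccmpSeal(blk, ccmpNonce(0, a2, 1), aad, []byte("Pay Bob $100 from A"))
	pt, err := acceptFrame(blk, a2, &last, 1, aad, f)
	fmt.Printf("PN 1: %q err=%v\n", pt, err)
	_, err = acceptFrame(blk, a2, &last, 1, aad, f) // the same frame again
	fmt.Println("replay:", err)
	f[4] ^= 0x80 // one flipped bit is caught by the MIC, unlike WEP's ICV
	_, err = ccmpOpen(blk, ccmpNonce(0, a2, 1), aad, f)
	fmt.Println("tampered:", err)
}
```

Two properties from the slides fall out directly: the ciphertext is exactly the plaintext length plus the 8-byte MIC (counter mode needs no padding, only the CBC-MAC does), and because the AAD and the PN are bound into the MIC, both the redirection attack (changing header addresses) and the replay attack of the WEP slides are rejected without any extra key.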
• The PTK in WPA2 is 384 bits long
  - The most significant (high-order) 256 bits form the EAPoL MIC key and the EAPoL encryption key
  - The least significant 128 bits form the data key, used for both encryption and integrity
An 8-byte CCMP header is added to the 802.11 packet before transmission
• 6 bytes carry the per-packet sequence number (packet number, PN)
  - Incremented for each packet processed
  - Needed by the receiver for both decryption and the integrity check; the receiver needs to know the packet number before it can do anything
• One byte is reserved for future use
• One byte carries the key ID
• Not encrypted

Slide 42: WPA2 Integrity Details
WPA2 integrity protection begins with generation of a 128-bit Initialization Vector for the CBC-MAC
The IV is the concatenation of:
• Fixed value flag: 01011001
• Priority field (reserved for future use)
• Source MAC address
• Packet Number (6 bytes)
• Data length of the plaintext (16 bits)
Note: the priority, source MAC address and packet number combine to provide the 104-bit nonce input to the encryption process
The CBC-MAC computation is done over the 802.11 header + MPDU
• Extends integrity protection to include the source and destination MAC addresses + QoS traffic class + data length
• Provides protection against replay attacks
• The computation requires an exact number of blocks, so it may require padding of the plaintext data for purposes of the MIC computation

Slide 43: WPA2 Encryption Details
Only the MIC part of the packet and the data part are encrypted
• The 802.11 header and the CCMP header are NOT encrypted
The key and the "counter" are the inputs to the AES counter mode encryption process
• The "counter" is almost identical to the integrity IV: replace the last 16 bits of the IV (data length) with a 16-bit counter
• The last 16 bits start with one and count up to 2^16 (65,536) blocks
• Allows MPDUs up to 2^16 × 128 bits = 2^23 bits

Slide 44: WPA / WPA2 Comparison
WPA: 802.1X key establishment for enterprise deployments → WPA2: Same as WPA
WPA: Solves the problem with Pairwise Transient Keys (PTK) generated by a mixing function; significantly reduces exposure of the master key → WPA2: Same as WPA
WPA: Increases the IV to 56 bits (8 bits reserved to discard weak keys); a new PTK per session expands the effective key space → WPA2: Same as WPA
WPA: Specifies that transmitter and receiver set IV = 0 initially for each new PTK set; incrementing by one for each packet eliminates key reuse → WPA2: Same as WPA
WPA: Same as WEP for the cipher (the WEP stream-cipher method is still supported) → WPA2: Replaces the stream cipher (RC4) with a strong block cipher (AES)

Slide 45: WPA / WPA2 Comparison (cont.)
WPA: Specifies a non-linear algorithm (MICHAEL) for message integrity, with specified countermeasures for special cases → WPA2: Provides stronger integrity protection using AES-CCMP
WPA: The MIC computation includes the MAC source and destination addresses; protects against redirection attacks → WPA2: Same as WPA
WPA: Use of the IV as a sequence number provides replay protection → WPA2: Same as WPA
WPA: Use of 802.1X in enterprise deployments allows the STA to authenticate the network → WPA2: Same as WPA

Slide 46: Privacy
Section 9.6 of the 3rd Edition of the textbook; Chapter 10 of the 4th Edition
1/26/2010

Slide 47: Recent Privacy News
"Another 3.9 million people learned yesterday that electronic records holding their Social Security numbers and other private financial data had been lost, this time by a unit of Citigroup, the latest incident in a swelling epidemic of such security breaches … 'We have no reason to believe that this information has been used inappropriately and we have not received any reports of unauthorized activity regarding your credit or loan,' the company said … The loss of the tapes pushes to more than six million the number of U.S. consumers whose personal data have been lost or stolen in just the past six months, the Washington Post notes, with the spate of breaches including federal agencies, universities, banks and other financial institutions, data brokers and data-storage companies."
Extracted from "Another Massive Breach of Private Record Protection", Joseph Schuman, The Wall Street Journal, June 7, 2005

Slide 48: Definition of Privacy
"Privacy is the right to control who knows certain aspects about you, your communications and your activities"
Pfleeger and Pfleeger, "Security in Computing", 4th Ed., p. 604
• You decide what you want to share
• Nobody else but you should decide
• In practice you have considerable influence, but you do not have complete control
• Once shared, you lose some control over further sharing

Slide 49: Privacy
Identity theft is a major driving force for privacy laws
Threats to privacy
• The Internet
• Bribery
• Aggregation and data mining
• Poor system security (people, technical vulnerabilities)
• Governments
Companies are free to collect data on individuals that governments are prohibited from collecting
What is the right balance between the needs of society for governmental protection and individual privacy rights?
49 Sensitivity of Private Data Some private data is more sensitive than others • • • • • Legal matters, criminal records Health information Preferences (religious, sexual, …) Financial information … Sensitivity may depend on context • Who you are Fame may cost you a lot of privacy • Who you are with Sensitive individual information may need to be protected by companies/groups • (not just by other individuals) 1/26/2010 1/26/2010 Privacy is an aspect of confidentiality 50 Summary of Key Points Privacy is about controlled disclosure After disclosure, the subject relinquishes much control Subject decides what is sensitive • Why subject considers something sensitive is not to be questioned Privacy is not limited to individuals • Groups/Organizations/Countries have private information 1/26/2010 1/26/2010 Privacy has a cost 51 Controls to Protect Privacy Facts: • Huge volumes of data are being collected legally • The potential to correlate and mine this data is enormous Limited only by capacities of computers Technical Controls: • • • • • • • Authentication Encryption Anonymity Pseudonymity EU Data Protection Act Gramm­Leach­Bliley Act (1999) Health Insurance Portability and Accountability Act (HIPAA) (1996) Legal Controls Conflicting needs in computer voting illustrates complexity of the problem •Privacy of vote is essential 1/26/2010 1/26/2010 •Validation of accuracy of collection and reporting is also essential 52 Dimensions of Computer-Related Dimensions Information Privacy Information 1/26/2010 1/26/2010 What info can be collected How the info can be used How long the info can be kept To whom can info be disclosed Info must be protected against unauthorized disclosure All modes of access must be controlled Logs of accesses must be maintained Less restrictive disclosure policies can never be applied after­the­fact. Who OWNS your private information? 
53 Fair Information Policies (1973) I (1973) Fair Collection limitation • Data must be obtained lawfully and fairly Quality • Data should be relevant, accurate, complete, and up­to­date Purpose Specification • Purpose for which the data is to be used must be specified • Data should be destroyed when it is no longer necessary to serve that purpose Use Limitation • Use for any purpose not specified should only be with consent of subject or by authority of law 1/26/2010 1/26/2010 •These policies describe rights of individuals •The policies are not about the responsibilities of collectors 54 Fair Information Policies (1973) II (1973) Fair Security Safeguards • Adequate procedures to guard against loss, corruption, destruction or misuse of data should be established Openness • Info about the collection, storage and use of personal data should be readily available Individual Participation • Subject should have a right to access and challenge data about him/her Accountability • There should be a data controller accountable for ensuring all of the above are observed 1/26/2010 1/26/2010 •These policies describe rights of individuals •The policies are not about the responsibilities of collectors 55 Four Ways to Protect Stored Four Private Information (1975) (1975) Reduce exposure • • • Limit amount of data maintained Only ask for what is necessary Use random samples when possible Reduce data sensitivity • Mask or add subtle errors Anonymize data • Remove or modify identifying data items 1/26/2010 1/26/2010 Encrypt the data Collections of private data are attractive targets for attack 56 US Privacy Laws Much of the Fair Information Policies incorporated into 1974 Privacy Act • Applies only to data collected by US government • Applies to all private data held anywhere in the government Some subsequent laws • • • • 1/26/2010 1/26/2010 Health Insurance Portability and Accountability Act (HIPAA) Gramm­Leach­Bliley Act (GLBA) Children’s Online Privacy Protection Act (COPPA) 
• Student records under Federal Educational Rights and Privacy Act
• There are inconsistencies across these laws
• Companies are free to collect data that the government can’t!!!

57 Impact of HIPAA
Improved statements concerning data transfer
Consumers still had little control of disclosure/dissemination
Privacy policy statements became harder to understand – more complex
Policies varied, even within the same industry
• Harder for consumers to compare
Statements often covered ONLY a single web page
Overlapping laws have different protection and handling requirements

58 FTC Privacy Requirements for US Government Web Sites
Notice
• Collectors must disclose info practices in advance
Choice
• Consumers must have choice over whether and how their info can be used
Access
• Consumers must have access to their data and ability to contest incorrect data
Security
• Data collectors must take reasonable steps to ensure accuracy of info collected
• Data collectors must secure against unauthorized use
Enforcement
• A reliable mechanism must exist to impose sanctions for noncompliance by government agencies
Applies ONLY to US government web sites

59 E-Government Act (2002)
Requires that federal agencies post privacy policies on web sites.
Policies must disclose:
• What info is to be collected
• Why (the reason for collection)
• Intended use
• Entities with which info will be shared
• Notice/opportunities for consent
• How info will be secured
• Rights of individuals
  - Under Privacy Act
  - Under other relevant privacy laws
Applies ONLY to US government web sites

60 Controls on Commercial Web Sites
There is no counterpart to the e-Government Act
What control exists derives from Federal Trade Commission (FTC) limitations on deceptive practices
• FTC can sue for false advertising
• FTC will sue if a company gives false statements about privacy protection
• Sometimes leads company to make NO statement about privacy
If they make no statement, the FTC can’t sue

61 European Privacy Directive 95/46/EC (1995)
Adopted in 1995
Considerably more restrictive than US laws
Adds 3 principles to Fair Information Policies (See charts 12 & 13 above)
• More restrictions on “sensitive data”
  - Examples of sensitive data include data on racial/ethnic origin, political opinions, religious beliefs, philosophical or ethical persuasion, health, sexual life
• Authorized users are specifically forbidden to transfer data to 3rd parties without explicit permission of data subject
• Entities holding personal data are not only accountable; they are subject to independent oversight
Sharing with companies or countries with weaker laws is forbidden

62 Some Ways to Preserve Privacy
Anonymity
• Desire for anonymity may be perfectly legitimate
• Can cause procedural problems
  - How do you remain anonymous when you pay for something?
Multiple identities
• We all have them
  - Examples: drivers license number, credit card number, …
• Key issue is linkages
  - Your name is often the link
  - Your address can be the link, but may not be reliable
  - Linking records can violate privacy
Pseudonymity
• Classic example: Swiss bank account
  - Number only (+password to access)
• Email aliases
• Chat room aliases

63 Government and Privacy
Governments gather and store data on individuals
Governments facilitate and regulate commerce
Government is:
• An enabler or regulator of privacy
• A user of private data
Government use of private data must be controlled

64 Government and Authentication
Complex role
Government agencies use identifiers
Authentication documents often come from governments
• Example: passport, drivers licenses
Governments regulate businesses that use ID and authentication keys
Governments may get data from others based on keys
• Example: use of credit records to screen airline passenger lists
• Potential exists for governments to:
  - Misuse private data
  - Violate privacy rights
• What is the right balance between needs of society for governmental protection and rights of the individual?
65 Some Risks*
Data errors
• From transcription to bad analysis
Inaccurate linking
• Correct data items incorrectly linked on presumed common element
Form/Content differences
Purposely wrong data
• Source intentionally provides misleading data
Mission Creep
• Data collected for one purpose used for a broader, other purpose
Poorly Protected Data
* Technology and Privacy Advisory Committee Report, 2004

66 Steps to Protect Against Privacy Loss*
Collect as little data as possible
Replace IDs with untraceable codes
• Ensure against revelation of sensitive data via linkages to other databases
Maintain audit trail of access
• Who and when
Protect sensitive data and control access
Train people in what to protect and how
Ensure data quality
• Intended use, age, how stored, usefulness
Validate new proposals for usage
Leave data with the original owner
• Protects against misuse
Establish and enforce clear policy for data privacy
• Do not encourage violation
* Technology and Privacy Advisory Committee Report, 2004

67 Identity Theft
Identity Theft is a major driving force for privacy laws
• >250,000 complaints to FTC in 2005
Having relatively few keys facilitates identity theft
• Example: mother’s maiden name
• Chain reaction may result from getting that first key
Usually detected within one to two months
• By that time the thief has moved on to a new victim

68 Authentication and Identification
Authentication ≠ Identification
• Authentication is subject to false accept (false positive) and false reject (false negative)
• Multiple users may choose the same password, but the ID/Password pair should be unique
• There are some strong biometric authentication methods for identification
Relatively Easy Question: Do these data match the given identity?
• This is authentication
Very Hard Question: Which identity matches these authentication data?
• This is identification
• Subject may not even be in the database

69 Kinds of Authentication
Authenticate an individual (unique person)
• Example: Physical access to a room
Authenticate an identity
• Example: validating that a user has presented a valid ID/password pair
  - ID = wildone, Password = danceinendzone
  - Anybody could be using this identifier
Authenticate an attribute
• Attribute to be verified: age ≥ 21?
Privacy issues arise when we confuse these different kinds of authentication and what they mean
• Example: use of Social Security Number for identifier, authenticator, and/or database key
  - This was never the intent of the SSN
  - When a data value serves multiple uses, a person gaining access to it for one purpose can then use it for another
Relating an identity to a person can be tricky

70 Linking Attributes for Identification
We all use many identities
• Credit card
• Drivers license
• Hotel room key
• Employee Number
• …
From a privacy perspective there may (or may not) be a way to LINK these identities
Stunning Analysis – 87% of the population of the USA can be identified by linking only three attributes*
• 5-digit zip code
• Gender
• Date of birth
To preserve privacy we usually try to minimize linkages
• One mechanism is to make records anonymous
• But, removing identifying info may make the record useless
* Sweeney, L.
“Information Explosion.” Confidentiality, Disclosure and Data Access, Urban Institute, 2001

71 Data Mining and Privacy
Facts:
• Huge volumes of data are being collected legally
• The potential to correlate and mine this data is enormous
  - Limited only by capacities of computers to search out linkages
Technical Control: Preserve privacy by controlling linkages
• Data perturbation
  - Field swapping
  - Value swapping
  - Add small positive or negative values to certain fields
Data mining can derive results without sacrificing privacy, but an effort is required
Privacy will not exist automatically

72 ...
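The linkage problem behind the Sweeney figure (zip code, gender and date of birth joined against a public list that carries names) and the controls the slides list against it (replace IDs with untraceable codes, remove or generalize identifying items, perturb fields by swapping and adding small errors), worked through as an added example. This code is written for this page and is not from the lecture, Pfleeger & Pfleeger, or Sweeney's paper; the two tables, the names, the key, and the helper names (`link`, `pseudonymize`, `generalize`, `perturb`, `protect`, `min_group_size`) are all constructed for the demonstration.

```python
import hmac
import hashlib
import random
from collections import Counter, defaultdict

# Constructed sample data: a "de-identified" research extract that dropped
# names but kept the three quasi-identifiers, and a public list (think voter
# roll) that carries names alongside the same three fields.
RESEARCH = [
    {"id": "P001", "zip": "92101", "gender": "F", "dob": "1970-03-14", "diagnosis": "asthma", "visits": 4},
    {"id": "P002", "zip": "92101", "gender": "M", "dob": "1982-11-02", "diagnosis": "flu", "visits": 1},
    {"id": "P003", "zip": "92103", "gender": "F", "dob": "1970-09-21", "diagnosis": "diabetes", "visits": 7},
    {"id": "P004", "zip": "92103", "gender": "M", "dob": "1982-04-18", "diagnosis": "flu", "visits": 2},
]
PUBLIC = [
    {"name": "Alice Example", "zip": "92101", "gender": "F", "dob": "1970-03-14"},
    {"name": "Bob Example", "zip": "92101", "gender": "M", "dob": "1982-11-02"},
    {"name": "Carol Example", "zip": "92103", "gender": "F", "dob": "1970-09-21"},
    {"name": "Dan Example", "zip": "92103", "gender": "M", "dob": "1982-04-18"},
    {"name": "Erin Example", "zip": "92103", "gender": "M", "dob": "1982-07-07"},
]
QUASI = ("zip", "gender", "dob")  # the three attributes from slide 70


def quasi_key(rec):
    return tuple(rec[f] for f in QUASI)


def link(research, public):
    """Join the two tables on the quasi-identifiers.
    Returns research id -> list of candidate names; a list of length 1
    means the supposedly anonymous record has been tied to one person."""
    index = defaultdict(list)
    for p in public:
        index[quasi_key(p)].append(p["name"])
    return {r["id"]: index.get(quasi_key(r), []) for r in research}


def reidentified(research, public):
    """IDs of research records that link to exactly one name."""
    return sorted(rid for rid, names in link(research, public).items() if len(names) == 1)


# --- Protections, in the order the slides list them ---

def pseudonymize(rec, key: bytes):
    """Slide 66: replace the ID with an untraceable code. A keyed HMAC rather
    than a plain hash, so the code cannot be checked against a guessed ID
    by anyone who does not hold the key."""
    out = dict(rec)
    out["id"] = hmac.new(key, rec["id"].encode(), hashlib.sha256).hexdigest()[:16]
    return out


def generalize(rec):
    """Slides 55/70: weaken identifying fields instead of dropping them.
    5-digit zip -> 3-digit prefix, full date of birth -> birth year."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3] + "**"
    out["dob"] = rec["dob"][:4]
    return out


def perturb(records, rng):
    """Slide 71: data perturbation. Add +/-1 noise to a numeric field and
    swap one field's value between two records. Aggregates stay close to
    the truth; no individual row can be trusted as exact."""
    out = [dict(r) for r in records]
    for r in out:
        r["visits"] = max(0, r["visits"] + rng.choice((-1, 0, 1)))
    i, j = rng.sample(range(len(out)), 2)
    out[i]["diagnosis"], out[j]["diagnosis"] = out[j]["diagnosis"], out[i]["diagnosis"]
    return out


def protect(research, key, seed=7):
    """Apply all three controls; seeded so the result is reproducible."""
    rng = random.Random(seed)
    return perturb([generalize(pseudonymize(r, key)) for r in research], rng)


def min_group_size(records):
    """The k of k-anonymity: smallest number of records sharing one
    quasi-identifier combination. k == 1 means some record is unique."""
    return min(Counter(quasi_key(r) for r in records).values())


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print("re-identified before:", reidentified(RESEARCH, PUBLIC))
    safe = protect(RESEARCH, key)
    # The linker can generalize the public list the same way; it still fails.
    print("re-identified after: ", reidentified(safe, [generalize(p) for p in PUBLIC]))
    print("k before / after:", min_group_size(RESEARCH), min_group_size(safe))
```

Every research record links to exactly one name before protection, and none does afterwards, because each generalized zip/gender/year combination now covers at least two people in both tables. The trade-off the slides warn about is visible too: the generalized and perturbed rows are less useful for any analysis that needed exact ages, 5-digit zips or per-row counts.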

This note was uploaded on 08/29/2011 for the course CSC 607 taught by Professor Dr.pradipp.dey during the Spring '11 term at National.
