無(wú)線網(wǎng)絡(luò)-第七講

1、無(wú)線網(wǎng)絡(luò)第七講 無(wú)線安全基礎(chǔ)安全連接剖析通信安全 通信安全的三個(gè)主要目的1.授權(quán)（Authentication）：我的確是我所有安全策略的基礎(chǔ)2.機(jī)密性（Confidentiality）: 我說(shuō)的話不想被別人聽(tīng)到3.完整性（Integrity）：我說(shuō)的話沒(méi)有被別人篡改認(rèn)證客戶端 區(qū)分三種用戶類型： 受信用戶：允許訪問(wèn)機(jī)密信息 訪客用戶：僅允許訪問(wèn)公開(kāi)資源 欺詐客戶：不允許建立關(guān)聯(lián)關(guān)系 無(wú)線網(wǎng)絡(luò)在與客戶端建立關(guān)聯(lián)之前需要對(duì)客戶端設(shè)備進(jìn)行認(rèn)證認(rèn)證無(wú)線AP 中間人攻擊 偽AP發(fā)送信標(biāo)、應(yīng)答探測(cè)請(qǐng)求并關(guān)聯(lián)客戶端：竊取信息 偽AP發(fā)送欺騙性的管理幀，解除與合法用戶的關(guān)聯(lián)：破壞網(wǎng)絡(luò)消息私密性 在發(fā)送每個(gè)無(wú)

2、線幀之前，對(duì)無(wú)線幀中的數(shù)據(jù)凈荷進(jìn)行加密，然后在接收端進(jìn)行解密。每個(gè)WLAN僅支持一種認(rèn)證和加密方法。AP為每個(gè)關(guān)聯(lián)客戶端安全地協(xié)商一個(gè)不同的加密密鑰。消息完整性 怎樣防止原始數(shù)據(jù)在途中被修改呢？ MIC（Message Integrity Check, 消息完整性檢查） 防范數(shù)據(jù)被篡改的安全工具入侵保護(hù) 無(wú)線攻擊不會(huì)停止，會(huì)從不同角度或不同載體來(lái)發(fā)送惡意攻擊操作。 欺詐設(shè)備 客戶端關(guān)聯(lián)問(wèn)題 被動(dòng)或主動(dòng)攻擊 wIPS（Wireless Intrusion Protection System, 無(wú)線入侵防御系統(tǒng)）無(wú)線客戶端認(rèn)證方法 開(kāi)放式認(rèn)證：任何客戶端都能通過(guò)認(rèn)證并訪問(wèn)網(wǎng)絡(luò) 用于提供無(wú)線熱點(diǎn)的公

3、共場(chǎng)合開(kāi)放系統(tǒng)認(rèn)證Open System共享密鑰認(rèn)證Shared KeyWEP WEP（Wireless Equivalent Privacy, 無(wú)線等效私密性） Goals of WEP: Privacy of frames Integrity of frames Uses a symmetric stream cipher(RC4)How Does WEP Work? 使用RC4密碼算法來(lái)保證每個(gè)無(wú)線數(shù)據(jù)幀的私密性。 RC4密碼（cipher）屬于對(duì)稱性流密碼（stream cipher）RC4密鑰流密碼 偽隨機(jī)數(shù)生成器（PseudoRandom Number Generator, PRN

4、G）是一組用來(lái)將密鑰展開(kāi)為密鑰流的規(guī)則。 雙方必須擁有相同的密鑰，并且使用相同的算法將密鑰展開(kāi)為偽隨機(jī)數(shù)序列。WEP的數(shù)據(jù)處理WEP的數(shù)據(jù)處理-Step 11. The 802.11 frame is queued for transmission. It consists of a frame header and the payload. WEP protects only the payload of the 802.11 MAC, and leaves the 802.11 frame header, as well as any lower-layer headers, intact

5、.802.2 Sub-Network Access Protocol (SNAP)WEP的數(shù)據(jù)處理WEP的數(shù)據(jù)處理-Step 22. An integrity check value (ICV) is calculated over the payload of the 802.11 MAC frame. It is calculated over the frame payload, so it starts at the first bit of the SNAP header, and goes upto the last data bit in the body. The 802.11

6、 frame check sequence has not yet been calculated, so it is not included in the ICV calculation. The ICV used by WEP is a Cyclic Redundancy Check (CRC), a point that will be expanded on later.ICV : Integrity Check Value, 完整性校驗(yàn)值，確保幀在傳輸過(guò)程中沒(méi)有被篡改。HeaderPayloadICVPayload802.11 FrameWEP Encryption ICV com

7、puted 32-bit CRC of payloadCRC32WEP的數(shù)據(jù)處理 ICV computed 32-bit CRC of payload One of four keys selected 40-bitsKeyKeynumberKey 1Key 2Key 3Key 4WEP Encryption404 x 40 ICV computed 32-bit CRC of payload One of four keys selected 40-bits IV selected 24-bits, prepended to keynumberIVWEP Encryptionkeynumbe

8、r248WEP的數(shù)據(jù)處理-Step 33. The frame encryption key, or WEP seed, is assembled. WEP keys come in two parts: the secret key, and the initialization vector (IV). Stream ciphers will produce the same key stream from the same key, so an initialization vector is used to produce different stream ciphers for ea

9、ch transmitted frame. To reduce the occurrence of encryption with the same key stream, thesending station prepends the IV to the secret key. 802.11 does not place any constraints on the algorithm used to choose IVs; some products assign IVs sequentially, while others use apseudorandom hashing algori

10、thm. IV selection has some security implications because poor IV selection can compromise keys.WEP的數(shù)據(jù)處理 ICV computed 32-bit CRC of payload One of four keys selected 40-bits IV selected 24-bits, prepended to keynumber IV+key used to encrypt payload+ICVIVKeyICVPayloadICVPayloadRC4WEP Encryption64WEP的數(shù)

11、據(jù)處理-Step 44. The frame encryption key is used as the RC4 key to encrypt the 802.11 MAC payload from step 1 and the ICV from step 2. The encryption process is often assisted with dedicated RC4 circuitry on the card.WEP的數(shù)據(jù)處理 ICV computed 32-bit CRC of payload One of four keys selected 40-bits IV selec

12、ted 24-bits, prepended to keynumber IV+key used to encrypt payload+ICV IV+keynumber prepended to encrypted payload+ICVICVPayloadIVkeynumberHeaderWEP EncryptionWEP FrameWEP的數(shù)據(jù)處理-Step 55. With the encrypted payload in hand, the station assembles the final frame for transmission. The 802.11 header is r

13、etained intact. Between the 802.11 MAC header and the encrypted payload, a WEP header is inserted. In addition to the IV, the WEP header includes a key number. WEP allows up to four keys to be defined, so the sender must identify which key is in use. Once the final header is assembled, the 802.11 FC

14、S value can be calculated over the entire MAC frame from the start of the header to the end of the (encrypted) ICV.WEP加密機(jī)制 24位初始向量（位初始向量（IV）和）和40位（或位（或104位）密鑰構(gòu)成位）密鑰構(gòu)成64位偽隨機(jī)數(shù)種子，產(chǎn)生數(shù)據(jù)長(zhǎng)位偽隨機(jī)數(shù)種子，產(chǎn)生數(shù)據(jù)長(zhǎng)度度4（單位字節(jié)）的一次性密鑰；（單位字節(jié)）的一次性密鑰； 數(shù)據(jù)的循環(huán)冗余檢驗(yàn)碼（數(shù)據(jù)的循環(huán)冗余檢驗(yàn)碼（4個(gè)字節(jié)）作為數(shù)據(jù)的完整性檢驗(yàn)值（個(gè)字節(jié)）作為數(shù)據(jù)的完整性檢驗(yàn)值（ICV）用于檢測(cè)數(shù)據(jù)）用于檢測(cè)數(shù)據(jù)的完整性

15、；的完整性； 一次性密鑰和數(shù)據(jù)及一次性密鑰和數(shù)據(jù)及ICV進(jìn)行異或運(yùn)算，其結(jié)果作為密文；進(jìn)行異或運(yùn)算，其結(jié)果作為密文； 為了在發(fā)送端和接收端同步偽隨機(jī)數(shù)種子，以明文方式傳輸為了在發(fā)送端和接收端同步偽隨機(jī)數(shù)種子，以明文方式傳輸IV，由于偽隨機(jī)數(shù)種子，由于偽隨機(jī)數(shù)種子由密鑰和由密鑰和IV組成，截獲組成，截獲IV并不能獲得偽隨機(jī)數(shù)種子。并不能獲得偽隨機(jī)數(shù)種子。WEP加密過(guò)程加密過(guò)程WEP的數(shù)據(jù)處理接收端1. 驗(yàn)證FCS2. 使用密鑰，加上IV，產(chǎn)生密鑰串；解密數(shù)據(jù)。3. 驗(yàn)證ICV4. 根據(jù)SNAP標(biāo)頭所記載的內(nèi)容，將封包數(shù)據(jù)交給適當(dāng)?shù)纳蠈訁f(xié)議。 Keynumber is used to select

16、 keyWEP DecryptionKeyKeynumberKey 1Key 2Key 3Key 4404 x 40WEP DecryptionIVKeyICVPayloadICVPayloadRC464 Keynumber is used to select key ICV+key used to decrypt payload+ICVWEP DecryptionCRCICVPayloadHeaderPayloadICV Keynumber is used to select key ICV+key used to decrypt payload+ICV ICV recomputed and

17、 compared against original32 用發(fā)送端以明文傳輸?shù)挠冒l(fā)送端以明文傳輸?shù)腎V和接收端保留的密鑰構(gòu)成偽隨機(jī)數(shù)種子，產(chǎn)生一和接收端保留的密鑰構(gòu)成偽隨機(jī)數(shù)種子，產(chǎn)生一次性密鑰，如果接收端保留的密鑰和發(fā)送端相同，則接收端產(chǎn)生和發(fā)送端次性密鑰，如果接收端保留的密鑰和發(fā)送端相同，則接收端產(chǎn)生和發(fā)送端相同的一次性密鑰；相同的一次性密鑰； 用和密文相同長(zhǎng)度的一次性密鑰異或密文，得到數(shù)據(jù)和用和密文相同長(zhǎng)度的一次性密鑰異或密文，得到數(shù)據(jù)和4字節(jié)的字節(jié)的ICV； 根據(jù)數(shù)據(jù)計(jì)算出循環(huán)冗余檢驗(yàn)碼，并與根據(jù)數(shù)據(jù)計(jì)算出循環(huán)冗余檢驗(yàn)碼，并與ICV比較，如果相同，表明數(shù)據(jù)傳輸比較，如果相同，表明數(shù)據(jù)傳

18、輸過(guò)程未被篡改。過(guò)程未被篡改。WEP解密過(guò)程WEP解密過(guò)程解密過(guò)程128-bit Variant Purpose increase the encryption key size Non-standard, but in wide use IV and ICV set as before 104-bit key selected IV+key concatenated to form 128-bit RC4 keyIVKeyICVPayloadICVPayloadRC424104128-bitsWEP Keying Keys are manually distributed Keys are

19、statically configured Implications: often infrequently changed and easy to remember! Four 40-bit keys (or one 104-bit key) Key values can be directly set as hex data Key generators provided for convenience ASCII string is converted into keying material Non-standard but in wide use Different key gene

20、rators for 64- and 128-bitThe major flaw A Stream-Cipher should never use the same key twiceThe Stream-Cipher-Breakdown E(A) = A xor C C is the keyE(B) = B xor C Compute E(A) xor E(B) xor is commutative, hence: E(A) xor E(B) = A xor C xor B xor C= A xor B xor C xor C= A xor BThe major flaw A Stream-

21、Cipher should never use the same key twice. .or else we know A xor B, which is relatively easy to break if both messages are in a natural language. or if we know one of the messages.The WEP-repetition For a 24 bit Initialization Vector, there is a 50% chance of repetition after 5000 packets.WEP Inse

22、curitiesWhy is IV reused?1) IV only 24-bits in WEP, IV must repeat after 224 or 16.7M packets -practical? -IV sent in clear with ciphertext, easy collision detection - Initial Vector (IV) problem yes, since WEP key rarely changes yes, usually less than 16 million packets (some keys filtered) yes, im

23、plementations make it worse IV reset, multi-user shared keyJ. Wang. Computer Network Security Theory and Practice. Springer 2008Data Integrity Check Goal: to ensure that packets are not modified or injected by non-legitimate STAs WEP uses the CRC-32 value of M as its ICV CRC-32 is common network tec

24、hnique to detect transmission errors Simple Algorithm for CRC is and bit shifting Can be easily implemented on a chip To get a k-bit CRC value: M: an n-bit binary string P: a binary polynomial of degree k, yielding a (k+1)-bit binary string Divide M0k by P to obtain a k-bit remainder CRCk(M) If M|CR

25、Ck(M) is not divisible by P, it implies that M has been modifiedWEP Insecurities- Checksum (ICV) CRC-32 is NOT a hash function! Still can be malicious Already a CRC in network stack to detect errorsLinear Properties: CRC-32(P C) = CRC-32(P) CRC-32(C)- Bit flipping46ICV Prevents Forgery? Uses CRC-32

26、checksum CRC-32 is linear: CRC(A B) = CRC(A) CRC(B) RC4 is transparent to XOR C = RC4 ( M,CRC(M) ) C = C X,CRC(X) = M,CRC(M) S X,CRC(X) = RC4 (M X, CRC( M X)J. Wang. Computer Network Security Theory and Practice. Springer 2008Message Tampering:Alice sends to Bob: C = (M| CRC32(M) RC4(V|K)Malice intercep