無線網(wǎng)絡(luò)-第七講

1、無線網(wǎng)絡(luò)第七講 無線安全基礎(chǔ)安全連接剖析通信安全 通信安全的三個主要目的1.授權(quán)（Authentication）：我的確是我所有安全策略的基礎(chǔ)2.機密性（Confidentiality）: 我說的話不想被別人聽到3.完整性（Integrity）：我說的話沒有被別人篡改認證客戶端 區(qū)分三種用戶類型： 受信用戶：允許訪問機密信息 訪客用戶：僅允許訪問公開資源 欺詐客戶：不允許建立關(guān)聯(lián)關(guān)系 無線網(wǎng)絡(luò)在與客戶端建立關(guān)聯(lián)之前需要對客戶端設(shè)備進行認證認證無線AP 中間人攻擊 偽AP發(fā)送信標、應(yīng)答探測請求并關(guān)聯(lián)客戶端：竊取信息 偽AP發(fā)送欺騙性的管理幀，解除與合法用戶的關(guān)聯(lián)：破壞網(wǎng)絡(luò)消息私密性 在發(fā)送每個無

2、線幀之前，對無線幀中的數(shù)據(jù)凈荷進行加密，然后在接收端進行解密。每個WLAN僅支持一種認證和加密方法。AP為每個關(guān)聯(lián)客戶端安全地協(xié)商一個不同的加密密鑰。消息完整性 怎樣防止原始數(shù)據(jù)在途中被修改呢？ MIC（Message Integrity Check, 消息完整性檢查） 防范數(shù)據(jù)被篡改的安全工具入侵保護 無線攻擊不會停止，會從不同角度或不同載體來發(fā)送惡意攻擊操作。 欺詐設(shè)備 客戶端關(guān)聯(lián)問題 被動或主動攻擊 wIPS（Wireless Intrusion Protection System, 無線入侵防御系統(tǒng)）無線客戶端認證方法 開放式認證：任何客戶端都能通過認證并訪問網(wǎng)絡(luò) 用于提供無線熱點的公

3、共場合開放系統(tǒng)認證Open System共享密鑰認證Shared KeyWEP WEP（Wireless Equivalent Privacy, 無線等效私密性） Goals of WEP: Privacy of frames Integrity of frames Uses a symmetric stream cipher(RC4)How Does WEP Work? 使用RC4密碼算法來保證每個無線數(shù)據(jù)幀的私密性。 RC4密碼（cipher）屬于對稱性流密碼（stream cipher）RC4密鑰流密碼 偽隨機數(shù)生成器（PseudoRandom Number Generator, PRN

4、G）是一組用來將密鑰展開為密鑰流的規(guī)則。 雙方必須擁有相同的密鑰，并且使用相同的算法將密鑰展開為偽隨機數(shù)序列。WEP的數(shù)據(jù)處理WEP的數(shù)據(jù)處理-Step 11. The 802.11 frame is queued for transmission. It consists of a frame header and the payload. WEP protects only the payload of the 802.11 MAC, and leaves the 802.11 frame header, as well as any lower-layer headers, intact

5、.802.2 Sub-Network Access Protocol (SNAP)WEP的數(shù)據(jù)處理WEP的數(shù)據(jù)處理-Step 22. An integrity check value (ICV) is calculated over the payload of the 802.11 MAC frame. It is calculated over the frame payload, so it starts at the first bit of the SNAP header, and goes upto the last data bit in the body. The 802.11

6、 frame check sequence has not yet been calculated, so it is not included in the ICV calculation. The ICV used by WEP is a Cyclic Redundancy Check (CRC), a point that will be expanded on later.ICV : Integrity Check Value, 完整性校驗值，確保幀在傳輸過程中沒有被篡改。HeaderPayloadICVPayload802.11 FrameWEP Encryption ICV com

7、puted 32-bit CRC of payloadCRC32WEP的數(shù)據(jù)處理 ICV computed 32-bit CRC of payload One of four keys selected 40-bitsKeyKeynumberKey 1Key 2Key 3Key 4WEP Encryption404 x 40 ICV computed 32-bit CRC of payload One of four keys selected 40-bits IV selected 24-bits, prepended to keynumberIVWEP Encryptionkeynumbe

8、r248WEP的數(shù)據(jù)處理-Step 33. The frame encryption key, or WEP seed, is assembled. WEP keys come in two parts: the secret key, and the initialization vector (IV). Stream ciphers will produce the same key stream from the same key, so an initialization vector is used to produce different stream ciphers for ea

9、ch transmitted frame. To reduce the occurrence of encryption with the same key stream, thesending station prepends the IV to the secret key. 802.11 does not place any constraints on the algorithm used to choose IVs; some products assign IVs sequentially, while others use apseudorandom hashing algori

10、thm. IV selection has some security implications because poor IV selection can compromise keys.WEP的數(shù)據(jù)處理 ICV computed 32-bit CRC of payload One of four keys selected 40-bits IV selected 24-bits, prepended to keynumber IV+key used to encrypt payload+ICVIVKeyICVPayloadICVPayloadRC4WEP Encryption64WEP的數(shù)

11、據(jù)處理-Step 44. The frame encryption key is used as the RC4 key to encrypt the 802.11 MAC payload from step 1 and the ICV from step 2. The encryption process is often assisted with dedicated RC4 circuitry on the card.WEP的數(shù)據(jù)處理 ICV computed 32-bit CRC of payload One of four keys selected 40-bits IV selec

12、ted 24-bits, prepended to keynumber IV+key used to encrypt payload+ICV IV+keynumber prepended to encrypted payload+ICVICVPayloadIVkeynumberHeaderWEP EncryptionWEP FrameWEP的數(shù)據(jù)處理-Step 55. With the encrypted payload in hand, the station assembles the final frame for transmission. The 802.11 header is r

13、etained intact. Between the 802.11 MAC header and the encrypted payload, a WEP header is inserted. In addition to the IV, the WEP header includes a key number. WEP allows up to four keys to be defined, so the sender must identify which key is in use. Once the final header is assembled, the 802.11 FC

14、S value can be calculated over the entire MAC frame from the start of the header to the end of the (encrypted) ICV.WEP加密機制 24位初始向量（位初始向量（IV）和）和40位（或位（或104位）密鑰構(gòu)成位）密鑰構(gòu)成64位偽隨機數(shù)種子，產(chǎn)生數(shù)據(jù)長位偽隨機數(shù)種子，產(chǎn)生數(shù)據(jù)長度度4（單位字節(jié)）的一次性密鑰；（單位字節(jié)）的一次性密鑰； 數(shù)據(jù)的循環(huán)冗余檢驗碼（數(shù)據(jù)的循環(huán)冗余檢驗碼（4個字節(jié)）作為數(shù)據(jù)的完整性檢驗值（個字節(jié)）作為數(shù)據(jù)的完整性檢驗值（ICV）用于檢測數(shù)據(jù)）用于檢測數(shù)據(jù)的完整性

15、；的完整性； 一次性密鑰和數(shù)據(jù)及一次性密鑰和數(shù)據(jù)及ICV進行異或運算，其結(jié)果作為密文；進行異或運算，其結(jié)果作為密文； 為了在發(fā)送端和接收端同步偽隨機數(shù)種子，以明文方式傳輸為了在發(fā)送端和接收端同步偽隨機數(shù)種子，以明文方式傳輸IV，由于偽隨機數(shù)種子，由于偽隨機數(shù)種子由密鑰和由密鑰和IV組成，截獲組成，截獲IV并不能獲得偽隨機數(shù)種子。并不能獲得偽隨機數(shù)種子。WEP加密過程加密過程WEP的數(shù)據(jù)處理接收端1. 驗證FCS2. 使用密鑰，加上IV，產(chǎn)生密鑰串；解密數(shù)據(jù)。3. 驗證ICV4. 根據(jù)SNAP標頭所記載的內(nèi)容，將封包數(shù)據(jù)交給適當?shù)纳蠈訁f(xié)議。 Keynumber is used to select

16、 keyWEP DecryptionKeyKeynumberKey 1Key 2Key 3Key 4404 x 40WEP DecryptionIVKeyICVPayloadICVPayloadRC464 Keynumber is used to select key ICV+key used to decrypt payload+ICVWEP DecryptionCRCICVPayloadHeaderPayloadICV Keynumber is used to select key ICV+key used to decrypt payload+ICV ICV recomputed and

17、 compared against original32 用發(fā)送端以明文傳輸?shù)挠冒l(fā)送端以明文傳輸?shù)腎V和接收端保留的密鑰構(gòu)成偽隨機數(shù)種子，產(chǎn)生一和接收端保留的密鑰構(gòu)成偽隨機數(shù)種子，產(chǎn)生一次性密鑰，如果接收端保留的密鑰和發(fā)送端相同，則接收端產(chǎn)生和發(fā)送端次性密鑰，如果接收端保留的密鑰和發(fā)送端相同，則接收端產(chǎn)生和發(fā)送端相同的一次性密鑰；相同的一次性密鑰； 用和密文相同長度的一次性密鑰異或密文，得到數(shù)據(jù)和用和密文相同長度的一次性密鑰異或密文，得到數(shù)據(jù)和4字節(jié)的字節(jié)的ICV； 根據(jù)數(shù)據(jù)計算出循環(huán)冗余檢驗碼，并與根據(jù)數(shù)據(jù)計算出循環(huán)冗余檢驗碼，并與ICV比較，如果相同，表明數(shù)據(jù)傳輸比較，如果相同，表明數(shù)據(jù)傳

18、輸過程未被篡改。過程未被篡改。WEP解密過程WEP解密過程解密過程128-bit Variant Purpose increase the encryption key size Non-standard, but in wide use IV and ICV set as before 104-bit key selected IV+key concatenated to form 128-bit RC4 keyIVKeyICVPayloadICVPayloadRC424104128-bitsWEP Keying Keys are manually distributed Keys are

19、statically configured Implications: often infrequently changed and easy to remember! Four 40-bit keys (or one 104-bit key) Key values can be directly set as hex data Key generators provided for convenience ASCII string is converted into keying material Non-standard but in wide use Different key gene

20、rators for 64- and 128-bitThe major flaw A Stream-Cipher should never use the same key twiceThe Stream-Cipher-Breakdown E(A) = A xor C C is the keyE(B) = B xor C Compute E(A) xor E(B) xor is commutative, hence: E(A) xor E(B) = A xor C xor B xor C= A xor B xor C xor C= A xor BThe major flaw A Stream-

21、Cipher should never use the same key twice. .or else we know A xor B, which is relatively easy to break if both messages are in a natural language. or if we know one of the messages.The WEP-repetition For a 24 bit Initialization Vector, there is a 50% chance of repetition after 5000 packets.WEP Inse

22、curitiesWhy is IV reused?1) IV only 24-bits in WEP, IV must repeat after 224 or 16.7M packets -practical? -IV sent in clear with ciphertext, easy collision detection - Initial Vector (IV) problem yes, since WEP key rarely changes yes, usually less than 16 million packets (some keys filtered) yes, im

23、plementations make it worse IV reset, multi-user shared keyJ. Wang. Computer Network Security Theory and Practice. Springer 2008Data Integrity Check Goal: to ensure that packets are not modified or injected by non-legitimate STAs WEP uses the CRC-32 value of M as its ICV CRC-32 is common network tec

24、hnique to detect transmission errors Simple Algorithm for CRC is and bit shifting Can be easily implemented on a chip To get a k-bit CRC value: M: an n-bit binary string P: a binary polynomial of degree k, yielding a (k+1)-bit binary string Divide M0k by P to obtain a k-bit remainder CRCk(M) If M|CR

25、Ck(M) is not divisible by P, it implies that M has been modifiedWEP Insecurities- Checksum (ICV) CRC-32 is NOT a hash function! Still can be malicious Already a CRC in network stack to detect errorsLinear Properties: CRC-32(P C) = CRC-32(P) CRC-32(C)- Bit flipping46ICV Prevents Forgery? Uses CRC-32

26、checksum CRC-32 is linear: CRC(A B) = CRC(A) CRC(B) RC4 is transparent to XOR C = RC4 ( M,CRC(M) ) C = C X,CRC(X) = M,CRC(M) S X,CRC(X) = RC4 (M X, CRC( M X)J. Wang. Computer Network Security Theory and Practice. Springer 2008Message Tampering:Alice sends to Bob: C = (M| CRC32(M) RC4(V|K)Malice intercep