Link layer security. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

Transcription

1 Link layer security CS642: Computer Security Professor Ristenpart h9p:// rist at cs dot wisc dot edu University of Wisconsin CS 642

2 GeFng started on network security Internet protocol stack Man- in- the- middle Address resolumon protocol and ARP spoofing Jamming and MITM prevenmon University of Wisconsin CS 642

3 Internet Alice ISP1 ISP2 backbone Bob Local area network (LAN) Ethernet Internet TCP/IP BGP (border gateway protocol) DNS (domain name system)

4 Internet threat models ISP1 ISP2 backbone (1) Malicious hosts

5 Internet threat models ISP1 ISP2 backbone (1) Malicious hosts (2) Subverted routers or links

6 Internet threat models ISP1 ISP2 backbone (1) Malicious hosts (2) Subverted routers or links (3) Malicious ISPs or backbone

7

8 Internet protocol stack ApplicaMon Transport Network Link HTTP, FTP, SMTP, SSH, etc. TCP, UDP IP, ICMP, IGMP 802x (802.11, Ethernet) ApplicaMon Transport Network Link Network Link ApplicaMon Transport Network Link

9 Internet protocol stack user data ApplicaMon TCP IP Appl user data Ethernet TCP Appl user data TCP segment IP TCP Appl user data IP datagram ENet IP TCP Appl user data ENet tlr Ethernet frame to 1500 bytes

10 Ethernet Carrier Sense, MulMple Access with Collision DetecMon (CSMA/CD) Take turns using broadcast channel (the wire) Detect collisions, jam, and random backoff Security issues?

11 Ethernet ENet IP datagram ENet tlr Ethernet frame desmnamon address source address type CRC Media access control (MAC) addresses 48 bits Type = what is data payload (0x0800 = IPv4, 0x0806 = ARP, 0x86DD = IPv6) 32 bit Cyclic Redundancy Check (CRC) checksum LLC frame format slightly different, but similar ideas

12 MAC addresses Two types: universally or locally administered 3 byte 2 control bits & OID 3 byte NIC idenmfier 2 LSBs of first byte are control bits: 1 st LSB: mulmcast/unicast 2 nd LSB: universal/local flag Hardware (ethernet card/wifi card) inimalized with MAC address But: Most ethernet cards allow one to change address

13 MAC spoofing Many LANs, WiFis use MAC- based access controls Courtesy of wikibooks h9p://en.wikibooks.org/wiki/changing_your_mac_address/mac_os_x

14 MAC spoofing Aaron Swartz, a fellow at Harvard University's Center for Ethics and an open source programmer involved with creamng the RSS 1.0 specificamon and more generally in the open culture movement, has been arrested and charged with wire fraud, computer fraud, unlawfully obtaining informamon from a protected computer, and recklessly damaging a protected computer aler he entered a computer lab at MIT in Cambridge, Massachuse9s and downloaded two- thirds of the material on JSTOR, an academic journal repository. h9p://en.wikinews.org/wiki/ Aaron_Swartz_arrested_and_charged_for_do wnloading_jstor_armcles Supposedly used MAC spoofing to get onto MIT network

15

16 Internet protocol stack user data ApplicaMon TCP IP Appl user data Ethernet TCP Appl user data TCP segment IP TCP Appl user data IP datagram ENet IP TCP Appl user data ENet tlr Ethernet frame to 1500 bytes

17 IPv4 ENet IP data ENet tlr Ethernet frame containing IP datagram 4- bit version 8- bit Mme to live (TTL) 4- bit len 16- bit idenmficamon 8- bit type of service 8- bit protocol 3- bit flags 32- bit source IP address 32- bit desmnamon IP address opmons (opmonal) 16- bit total length (in bytes) 13- bit fragmentamon offset 16- bit header checksum

18 Address resolumon protocol IP roumng: Figure out where to send an IP packet based on desmnamon address. Link layer and IP must cooperate to get things sent 32- bit IP address ARP RARP 48- bit MAC address ARP/RARP enables this cooperamon by mapping IPs to MACs

19 Address resolumon protocol enet dest enet src type hw type prot type hw size prot size op enet sender ip sender enet target frame type = 0x0806 (ARP) or 0x8035 (RARP) ip target pad enet dest is all 1 s, 0xFFFFFFFFFFFF for broadcast CRC hw type, prot(ocol) type specify what types of addresses we re looking up op specifies whether this is an ARP request, ARP reply, RARP request, RARP reply

20 ARP caches Hosts maintain cache of ARP data just a table mapping between IPs and MACs

21 ARP has no authenmcamon Easy to sniff packets on (non- switched) ethernet What else can we do? Easy Denial of Service (DoS): Send ARP reply associamng gateway with a non- used MAC address

22 ARP has no authenmcamon Easy to sniff packets on (non- switched) ethernet What else can we do? AcMve Man- in- the- Middle: ARP reply to MAC > MAC MAC1 ARP reply to MAC > MAC MAC MAC3 Now traffic routed through malicious box

23 ARP and switched networks Switches do not broadcast, but transfer traffic through appropriate ports. Maintain a table of port <- > MAC bindings Inhibits traffic sniffing ARP poisoning MitM inhibited (one MAC address per port) Some switches allow MAC flooding a9acks Flood ARP replies to switch Switch can t store all values, fails to broadcast

24 DetecMon and prevenmon ARPWATCH logs ARP mapping changes s admin if something suspicious comes up Switched networks with real authenmcamon Check MACs against AAA system (authenmcamon, authorizamon, accounmng) such as RADIUS / Diameter

25 STA = stamon BSS = basic service set DS = distribumon service ESS = extended service set SSID (service set idenmfier) idenmfies the network h9p://technet.microsol.com/en- us/library/cc757419(ws.10).aspx

26 STA = stamon BSS = basic service set DS = distribumon service ESS = extended service set SSID (service set idenmfier) idenmfies the network Infrastructure mode (top) versus Ad- hoc (bo9om) h9p://technet.microsol.com/en- us/library/cc757419(ws.10).aspx

27 Images from h9p://technet.microsol.com/en- us/library/cc757419(ws.10).aspx

28 security issues AP Wired versus wireless

29 h9p://online.wsj.com/armcle/sb html?mod=googlenews_wsj InteresMng report on drone usage by US: h9p://livingunderdrones.org/

30 Parrot ARdrone

31 security issues AP Wired versus wireless Wireless can (try to) compensate via cryptography - WEP = epic failure - WPA = be9er, but not great - WPA2 = be9er yet, but not perfect We ll see more on this in crypto secmon Images from h9p://technet.microsol.com/en- us/library/cc757419(ws.10).aspx

32 aircrack- ng h9p:// ng.org/img/aircrack- ng_movie_1.png

33 security issues AP WPA- personal - Pre- shared key mode - User types in a password to gain access h9p://en.wikipedia.org/wiki/linksys_wrt54g_series

34 security issues AP WPA- personal - Pre- shared key mode - User types in a password to gain access WPA- enterprise - Extended AuthenMcaMon Protocol (EAP) - Centralized AuthenMcaMon, AuthorizaMon, and AccounMng (AAA) RADIUS (Remote AuthenMcaMon Dial In User Service) authenmcamon server Client- server protocol over UDP 1) AuthenMcate users/devices before granmng access to network 2) Authorize users/devices to access certain network services 3) Account for usage of services Many security issues idenmfied

35 evil twins AP Basic idea: - A9acker pretends to be an AP to intercept traffic or collect data associamon Evil twin Probe request SSID: linksys, BSSID: MAC1 Auth request MAC1 Auth response Associate request MAC1 Associate response

36 evil twins AP Basic idea: - A9acker pretends to be an AP to intercept traffic or collect data Two APs for same network Evil twin Choose one of MAC1, MAC2 Probe request SSID: linksys, BSSID: MAC1 SSID: linksys, BSSID: MAC2 Auth request MAC2 MAC1 MAC2

37 evil twins AP Basic idea: - A9acker pretends to be an AP to intercept traffic or collect data Basic a9ack: rogue AP Evil twin Choose one of MAC1, MAC2 Probe request SSID: linksys, BSSID: MAC1 SSID: linksys, BSSID: MAC2 Auth request MAC2 MAC1 MAC2

38 evil twins AP Basic idea: - A9acker pretends to be an AP to intercept traffic or collect data Evil twin: spoof MAC1 Evil twin Choose one of MAC1, MAC2 A9acker can send forged disassociate message to vicmm to get it to look for new connecmon VicMm might send out probe requests for parmcular SSIDs, giving a9acker info MAC1 Probe request SSID: linksys, BSSID: MAC1 MAC1 SSID: linksys, BSSID: MAC1 Auth request MAC2 Conceptually similar to ARP poisoning

39 Push- bu9on configuramon (PBC) AP Problems with WPA- personal: - Users are scared of passwords - Passwords usually weak - New devices lack keypads Push bu9on shared secret PBC probe PBC probe PBC probe PBC response Diffie- Hellman Key exchange Push bu9on shared secret

40 Push- bu9on configuramon (PBC) PBC probe PBC probe Push bu9on PBC response PBC response Push bu9on Diffie- Hellman Key exchange Diffie- Hellman Key exchange shared secret 1 shared secret 2 shared secret 1 shared secret 2 But this is on wireless, so all messages are seen by all parmes A9acker can jam messages, overpower legimmate messages

41 Can we prevent MitM? Gollakata et al., Secure In- Band Wireless Pairing, Security 2011 Basic observamons: - Assume all parmes in range of each other (all honest broadcasts seen) - Signals cannot be negated - Jamming can be made detectable

42 Can we prevent MitM? Gollakata et al., Secure In- Band Wireless Pairing, Security 2011 Tamper- evident Announcement: Figure 1: The format of a tamper-evident announcement (TEA). SynchronizaMon: long random data to make overpowering detectable Payload: key exchange data (public key, etc.) On- Off slots: Encode cryptographic hash of payload in a manipulamon- detectable way Intractable to find two payloads such that Hash(payload1) = Hash(payload2)

43 Can we prevent MitM? Gollakata et al., Secure In- Band Wireless Pairing, Security 2011 On- Off slots: Encode cryptographic hash of payload in a manipulamon- detectable way A9acker can only turn 0 s to 1 s b1 b2 h1 h2 h Receiver detects if channel in use, concludes a 1 Otherwise concludes a 0 Checks that # of 1 s = # of 0 s Checks hash of payload Encode in a way that balances number of 0 s and 1 s TransmiFng a 1: send packet with random data TransmiFng a 0: send nothing To change payload, a9acker must change hash value, but can t

44 Discussion What a9acks aren t prevented? PBC relies on what physical assumpmons? How easy are such jamming based a9acks?

45