Xiao Kan wireless network security (3)

Author: [I .T. S] LeiG

3.3 link layer security.
Link layer Security issues mainly fall into two aspects: 1) security issues of the standard; 2) security issues of some protocols that support link layer security.

For example, DoS attacks against the standard MAC (media access control). The problem with MAC is that all the routers that want to transmit data are listening to public channels. If the channel is idle, data transmission starts, if the router detects that data is being transmitted through the current channel, it will use some so-called avoidance algorithms (backoff, I don't know if this is true in China. Attackers can easily circumvent themselves for a short period of time and seize the channel, while other normal access requests may be rejected and continue to circumvent. Therefore, MAC generally tries its best to adopt a fair avoidance algorithm. For example, the router that accepts the information provides the avoidance time to the router that sends the information, rather than deciding the avoidance time by the router that sends the information. When an attacker uses a small amount of avoidance time, or the root node does not circumvent it, it keeps occupying the nest and does not allow other routers that want to send messages to use this channel, the router that receives information can detect changes in the current transmission mechanism and the predefined information transmission mechanism, so that the router that accepts the information can be provided to attackers for a long time (the time can be set, let him wait for a while, because it may not be an attacker, but the misoperation of some legitimate users or problems of the system itself ).

I believe you have read a lot of articles about the request to send/clear to send issue. When A ---> B sends the data (A sends the RTS, if B does nothing, it sends the CTS, and then waits for A to send the message), if A/B's neighbor monitors this process, you can send bits (bit: 0, 1 at the same time. Everyone knows it ...) As a result, the information being sent may go wrong and therefore may need to be resold. Because the amount of information sent is usually several hundred bits, or even more, the attacker only sends a bit that affects normal data, which is smaller than the amount of data re-transmitted. Therefore, it can effectively affect the power consumption of mobile wireless communication devices, without power, it cannot be used... You said charging... No, me!

The question is coming to the fore ..... Don't worry .....

WEP Security
WEP (Wired Equivalent Privacy) is a security protocol developed for the wireless LAN in. It is designed to prevent user data from being monitored. Most hardware manufacturers must have used this stuff in their 802.11 products, such as wireless router (some friends certainly know me better, I bought a smc two days ago, ). Therefore, it is critical to ensure the security of the Protocol itself. I will concentrate on talking about this... Please make appropriate preparations for warm-up ...)

1) WEP Protocol
Its core is to use the key k known to both parties for sending and receiving to ensure the confidentiality of the sent information.
#1. Calculate the information M to be sent, and calculate the verification and checksum --> C (M). Combine the information with the verification. We call it plaintext, which is expressed as <M, C (M)>. this step does not use any confidentiality mechanism, and our leading role k has not yet appeared.
#2 use the RC4 algorithm to encrypt P. The specific process is. We construct an initial vector v and combine the key k to use RC4 to generate a dense stream (which is actually a series of random bytes). We use RC4 (v, k) to represent the dense stream, then the P and the secret stream are different or
C = P ^ RC4 (v, k) (XOR or I use ^ to represent pulling)
#3 send the generated ciphertext (cipher text, C) together with the vector v.
========================
MESSAGE | CRC
========================
XOR
========================
Keystream = RC4 (v, k)
========================
-----------------
========================
V | Ciphertext
========================

When the receiver receives this frame (WEP standard frame), as long as k and v are re-used for decryption, it is OK. I call the new plaintext generated by Decryption P,
P = C ^ RC4 (v, k) = (P ^ RC4 (v, k) ^ RC4 (v, k)
The generated P is re-divided into M, C (M). If the checksum is C (M) = C (M), the information is OK and accepted.

The security of WEP lies in:
1) Prevent listening
2) access control: All packages that do not follow the wep Security Rules will be lost.
3) check and verify the information integrity (no package is transferred in the middle)

WEP generally uses a 40bit/104bit (that is, some 10/26 hex keys on the wireless router) key k, and 24bit is a fixed v, so it can be said that it is a 64bit/128bit key, however, we should be clear that 24bit is for v, and v is what I have already said.

Wep's weakness lies in that you can modify the package without cracking these keys. That is to say, the length of the key does not affect the attack !!!

2) Feasibility of attacks
It is more difficult to implement wireless attacks on the link layer than on the internet because of devices. For example, if you want to listen, you must first have a device that can listen to the 802.11 GHz frequency, and support the 802.11 Protocol (seems to require a lot of knives ...), If you want to modify the package, you need a device that can send a 2-4 GHz signal. Many of these items can be purchased from stores, such as laptops using wireless network cards and wireless router. Of course they can be used without being used. Currently, most wireless router use firmware and can be upgraded, you need to modify these firmware before they can be used for attack purposes. Of course, it is not that simple and takes some time. However, I believe someone is willing to do this, you can easily share ...........................

3) Risks of keystream in dense streams
C1 and C2 are two WEP-standard ciphertext values.
C1 = P1 ^ RC4 (v, k)
C2 = P2 ^ RC4 (v, k)
C1 ^ C2 = (P1 ^ RC4 (v, k) ^ (P2 ^ RC4 (v, k) = P1 ^ P2 ^ (RC4 (v, k) ^ RC4 (v, k) = P1 ^ P2 ^ 0 = P1 ^ P2
Do you see the name of the hall? Even if you do not know v, k, and two ciphertext encrypted with the same v and k, you can obtain P1 ^ P2 through the XOR. P1 is the sender's information. M is appended with M's test. P2. The test on M and M is not encrypted ....... There are many practical methods to identify the original plaintext of the two information by using the XOR value of the two information. I will not talk about it here. Or else I leave the question.

The possibility of this attack must meet the following two conditions:
1) v and k are repeatedly used multiple times. Otherwise, a single frame encrypted with v and k cannot be read.
2) some content of P1 or P2 can be found. Otherwise, it is difficult to identify the original plaintext of the two information by using the XOR value of the two information. Note that there are multiple possibilities, 1 ^ 0 = ^ 1 = 1. You know that the value of XOR is 1. Each bit has two possibilities. If you know part of the plain text, that is, you know part of the bits value, it is much easier.

#1 v repeatedly used
To prevent this attack, WEP recommends that the value of v (24 bits) for each frame be different, k (40 bits/104 bits) it can be the same for a certain number of frames (because of the large number of BITs, it is not easy to duplicate ). V appears in plain text (not encrypted) in the frame, so that when the receiver receives the information, it can be used together with the key k for decryption (anyone may obtain v, but k is generally kept confidential ). What I will introduce below is that these mechanisms are not very effective.

WEP standards recommend that each package have different values (note: this is not mandatory), but it does not explicitly indicate how to choose v, therefore, many current applications are very problematic when selecting v. For example, in the simplest example (the example copied from berkley, ), PCMCIA sets v to 0 every time it is re-initialized, each packet is transmitted, the value of v is increased by 1. Every time the PCMCIA card is inserted into the notebook, it needs to be initialized once (once the PCMCIA card is restarted ), therefore, the value of v is expected to appear frequently in the range of small numbers (k should be refreshed once in a certain period of time to ensure security ).
In addition, most applications use a random method to select v, so there will be repeated v for every thousands of packets, and thousands of packets is just a few minutes of transmission. 802.11 since each packet is not required to use a different v, many applications use the same v in different data packets.

#2 how to obtain plaintext P based on repeated values
As we have just said, we can find two or more encrypted ciphertext C1 and C2 through the repeated v. How can I read these encrypted packages?
As discussed above, if you know some content of P1 and P2, you can easily obtain other content. So how can we get the content of P1 and P2.
One way is to find sensitive words, such as login, password, and other data formats closely related to applications. These Metropolis are fixed,
Another method is to use spoofing. For example, an attacker sends useless information (SPAM email) to a wireless mobile router. When these router detect these messages, you can obtain part of the plain text format of these routers.
The more lovely way is that the attacker sends a broadcast packet (following the 802.11 Protocol). If some access points (access points) do not have access control (because they can be set or not set ), when these access points receive these broadcast packets, they will continue broadcasting in encrypted form. These attackers can intercept these broadcast packets and analyze the plaintext format of these access points...

#3 Dictionary Attacks
It seems that everyone is familiar with this, so I will drop my face and talk about it. As I said just now, the key k usually takes a long time to refresh (you think you cannot change your email password every day, not to mention 40 bits/104 bits), while v often changes, therefore, Dictionary attacks are concentrated on the v of 24bits. There is a total of two power-24 possibilities, which may be dozens of Gbits dictionaries. You can stand firm and don't be scared, this should be fine with the development of the current computer, as if everyone's memory is now starting to use GB as the unit, sweat. I want to change the machine at the end of the year, haha

4) key mechanism
In my first post, I mentioned several popular key mechanisms, which are mainly used in the transport layer to ensure end-to-end authentication, I will make a summary at the end of this post.
In section 802.11, we did not talk about how to allocate keys for key mechanisms. He uses a shared key array containing four different keys. Each Information Package specifies the index of the array of keys used by the package, each array uses a unique key for each wireless mobile router. In reality, most routers in the mobile network usually only use one key. Although to prevent key leakage, the network management can prevent users from knowing the key of the network, the key actually exists on every mobile router and is hidden by the network management. Therefore, it is possible to be discovered. The most dangerous situation is that, once a key is leaked, a new key must be refreshed, which requires all network users to reset their wireless drivers, this seems to take some time to implement.

I found that there are still a lot to say ..... Bite your teeth and continue writing ......

(5) Data Authentication
As mentioned above WEP is used to verify and to ensure data integrity, this verification and C (M) are used to CRC-32, Here attention shi is CRC-32 is not what encryption method, just submit and, it is only used to detect whether the information is wrong during the sending process, so that you can request to resend the information and so on... So how can we hijack the data packet to modify the information without allowing the receiver to discover the verification and error.

Same as above, come back
C = RC4 (v, k) ^ (M, C (M ))
The modified ciphertext is C = RC4 (v, k) ^ (M, C (M)