IBM Research Wireless Security Initiatives Douglas Dykeman Manager Computer Science IBM Zurich Research Laboratory

Page 1

IBM Research Wireless Security Initiatives

Douglas Dykeman, Manager Computer Science

IBM Zurich Research Laboratory

Page 2

IBM Global Security Research

Labs: New York, TJ Watson, Almaden, Zurich, Haifa, Tokyo, New Delhi, China

Topic groups as they appear on the slide:

  • Cryptographic Foundations; Secure government workstations
  • Trust Management; Privacy Policies
  • Digital Watermarking; XML Security; VLSI Design for Cryptography
  • Cryptographic Foundations; Multiparty Protocols; Privacy; IDS systems and alert correlation; Java Cryptography; Smartcard systems and applications
  • Cryptographic Foundations; Internet Security; Secure Systems and Software; "Ethical Hacking"; IDS sensors and vulnerability analysis; AntiVirus; Biometrics
  • High-performance crypto software

Page 3

Mobile and Wireless: Security Problems

  • Access to confidential information
  • Transactions
  • Security of wireless infrastructure
  • Privacy

No system is 100% secure, but they should be secure against hackers with a PC attached to the Internet.

  • Protect the device
  • Ensure privacy
  • Protect the infrastructure

Page 4

Secure Client Systems

  • Authentication: PKI
    • complicated
    • expensive
    • inflexible processes
    • business model?
  • Secure Repository: Smart Cards and SIMs
    • proprietary systems
    • cards and applications come from a single vendor
    • expensive

Page 5

Changes in Smart Card Industry

Diagram labels:

  • Proprietary: proprietary applications; proprietary protocol & environment; proprietary mgmt; proprietary driver
  • Open Systems: Java Applications; JavaCard; OpenPlatform; PKCS#15; PKCS#11 driver

Page 6

JavaCard

Layer diagram, with the storage noted for each layer:

  • Applets: eCheck Applet, Logon Applet, eCash Applet, Loyalty Applet, . . . (ROM / EEPROM)
  • Secure Applet Install (OpenPlatform); JavaCard Class Library (JavaCard) (ROM)
  • Java Virtual Machine (ROM)
  • Device Drivers for Communications, Cryptography (RSA, DSA, ...) (ROM)
  • Smart Card Hardware (Hardware)

Page 7

State of the Art

  • JavaCard + OpenPlatform
  • PKI
  • 1024-2048 bit crypto
  • 16-32 Kbytes free EEPROM
  • signing: 200-400 ms
  • key generation: 6-9 s on card
  • $3.50

Page 8

PKI Public or Closed User Groups

Diagram labels: Home banking client; certificate authority; public key; certificate

  1. Generate keys on card
  2. Generate user certificate
  3. Install certificate
  4. Issue card

"Cost and Control"

Page 9

Secure Home Banking Solution

Diagram labels:

  • Home banking client
  • Banking server
  • Internet
  • SSL
  • JavaCard
  • Authentication
  • Digital Signature
  • Data Encryption

Page 10

Internet/Mobile/In-Store Commerce

Diagram labels: Consumer; Online Merchant; Clearing; Offline Merchant System; Internet

  • Devices: PC, phone, banking and merchant terminals...
  • Applications: banking, payment, identification, tickets...

Page 11

Secure Client Platform

  • PKI
  • Smart "cards"
  • Taking off now! (Visa, Home Banking, US)

Watson Research: Side-Channel Cryptanalysis

Page 12

Privacy technology & services

  • Privacy Management Technology
  • Privacy Security Technology
  • Privacy-enabled Svcs & Apps
  • Information Security and Audit
  • Privacy Assessment
  • Design for Privacy
  • idemix
  • myPrivacy
  • Privacy-preserving data mining
  • WES Location-Based Services

Page 13

WebSphere Everyplace Suite Location Based Services

[Architecture diagram with flow steps numbered 1 to 8. Component and link labels: Mobile Device; Wireless Gateway; WES Authentication Server; WES Location Proxy; Tivoli Policy Director; Self-care Portal page App; WPS; WAS; LFE; Location Processing; HTTP; MIN/MSISDN; HTTP+MIN/MSISDN; SGSFL M; WLI; SGSFLocal.info; SII; RCI]

Page 14

Privacy-preserving data mining

  • The primary task in data mining: development of models about aggregated data.
  • Can we develop accurate models without access to precise information in individual data records?
  • Approach: Using randomization to protect privacy

[Diagram: records (50 | 40K | ..., 30 | 70K | ..., ...) pass through Randomizers, giving (65 | 20K | ..., 25 | 60K | ..., ...); Reconstruct Distribution of Age and Reconstruct Distribution of Salary feed the Data Mining Algorithms, which produce the Model.]

Page 15

Intrusion Detection at Work

Diagram labels:

  • Sensors: Firewalls; Host-based IDs; Web IDs; Network IDs
  • Filtering
  • Standards
  • Tivoli Risk Manager Correlation Engine
  • Risk Mgr IDS Rules
  • TEC Server
  • TEC Event DB
  • TEC Console (two shown)

TEC: Tivoli Enterprise Console

Page 16

Why Secure Hardware?

  • Often you must trust devices and systems that you cannot control
  • Motivated adversaries may have direct access
    • A user might be the adversary. . .
    • A merchant might be the adversary. . .
    • An employee might be the adversary

Page 17

The Family of Hardware Security Modules

  • Smart cards
  • Portable tokens
  • Mobile phones
  • PCMCIA cards
  • Standalone boxes
  • PCI cards for servers

(Crypto Accelerators are a related family)

Page 18

What do applications need from secure hardware?

  • Acceleration of security operations (e.g. cryptography, random number generation)
  • Physical protection of information assets
    • encryption keys
    • electronic valuables (e.g. e-cash, postage, coupons)
    • software (e.g. meters, risk calculation)

Page 19

IBM 4758 PCI Cryptographic Coprocessor

  • Performs high speed cryptographic operations
  • Provides secure key storage
  • Detects physical attacks: probe, voltage, temperature, radiation
  • Programmable!
  • Field upgradeable
  • FIPS 140-1 overall level 4 certified (hardware and microcode)
  • Popular PCI bus interface for servers
  • Device drivers for NT, Win2000, AIX, OS/400, z/OS, Linux, Solaris

Page 20

Goals of IBM Research's Secure Embedded Operating System Project

  • Develop a secure operating system for pervasive devices (smart card, GSM phone SIMs, USB tokens, etc.)
    • use hardware to enforce the security
    • allow controlled sharing of data
  • Common Criteria security evaluation by an independent third party at a very high assurance level
  • Code written by companies who don't know or trust each other's programs (or programmers)
  • Interpreted and native OS interface to applications inside
  • Field loadable applications and applets
  • Joint development with Philips Semiconductors

Page 21

Side-Channel Cryptanalysis

This is cryptanalysis using information leaked by a device during the computation of cryptographic primitives.

Several researchers have published attacks based upon power or timing.

In ’99 the team at Watson produced countermeasures that were provably resistant to power analysis attacks.

Page 22

SPA - Simple Power Analysis

  • Code execution sequence is easily observable
  • If code is key dependent, then key can be read from a SINGLE power profile
  • For example, conditional jumps are easy to detect

    des_check_parity:
        for (byte = 7; byte >= 0; byte--) {
            count = 0;
            for (bit = 7; bit >= 0; bit--) {
                if (parity(bit, byte))    /* conditional jump depends on a key bit */
                    count++;
            }
        }
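
An added example, not from the original slides: the slide's key-dependent loop written out as a DES key parity check, next to a branch-free version whose instruction sequence does not depend on the key. The function names, the `taken` counter and the sample key are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Leaky form (same structure as the slide): the increment runs once per set
 * key bit, so the instruction sequence depends on the key. *taken models what
 * a single power profile exposes: how often the conditional path was run. */
int parity_ok_branching(const uint8_t key[8], unsigned *taken) {
    int ok = 1;
    *taken = 0;
    for (int byte = 7; byte >= 0; byte--) {
        int count = 0;
        for (int bit = 7; bit >= 0; bit--) {
            if ((key[byte] >> bit) & 1) {   /* key-dependent jump */
                count++;
                (*taken)++;
            }
        }
        if ((count & 1) == 0)
            ok = 0;                         /* DES key bytes carry odd parity */
    }
    return ok;
}

/* Hardened form: fixed instruction sequence, no key-dependent jumps. */
int parity_ok_branch_free(const uint8_t key[8]) {
    uint8_t bad = 0;
    for (int byte = 0; byte < 8; byte++) {
        uint8_t v = key[byte];
        v ^= (uint8_t)(v >> 4);
        v ^= (uint8_t)(v >> 2);
        v ^= (uint8_t)(v >> 1);             /* bit 0 = XOR of all eight bits */
        bad |= (uint8_t)((v & 1) ^ 1);      /* set when a byte has even parity */
    }
    return bad ^ 1;
}

int main(void) {
    /* constructed sample key with odd parity in every byte */
    const uint8_t key[8] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF};
    unsigned taken;
    int a = parity_ok_branching(key, &taken);
    printf("branching=%d taken=%u branch_free=%d\n", a, taken, parity_ok_branch_free(key));
    return 0;
}
```

A fixed instruction sequence removes the execution-path signal this slide describes; it does not by itself address data-dependent power consumption, and the compiled output should be inspected for branches the compiler reintroduced.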

Page 23

802.11b Wireless LAN Security

  • 802.11b defines two security features
    • WEP encryption
    • Shared Key authentication
  • Security Issues
    • Management
    • Broken Cryptography

Page 24

802.11 Management Issue

  • WEP and Shared Key are OPTIONAL
  • Access points ship with both turned off
  • Intranet exposed to “drive by” hacking
  • Question:
    • What APs exist?
    • Are they configured correctly?

Page 25

802.11 Cryptographic Issues

  • http://www.crypto.com/papers/others/rc4_ksaproc.ps
    • Recover WEP key in 5 - 6 million packets
  • http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
    • WEP encryption broken
    • simple passive eavesdropping attacks
    • hard active attacks
  • http://www.cs.umd.edu/~waa/attack/v3dcmnt.htm
    • added authentication attack, extended passive attacks

Page 26

Fixing 802.11 Cryptography

  • 802.1x provides
    • callout to application-provided per-session keying
    • can prevent recovering key
  • Cisco has LEAP per-card, per-session keying "now"
  • 802.11g (WEP2)
    • firmware only tweak to WEP (128 bit IV)
  • 802.11i (AES/OCB)
    • firmware/driver change on client
    • hardware change on AP
    • complete fix
  • VPN - harder/more expensive, but available/strong

Page 27

Wireless Auditor Project

  • Audit 802.11 Access Points for
    • WEP configuration
    • Firmware/driver revision
  • Thinkpad, or IPAQ based
  • Cisco/Intersil PCMCIA card
  • IBM T23 Embedded 802.11 card
  • Linux

Page 28

Wireless Auditor Main Program

Screenshot legend:

  • No policy violations seen
  • Insufficient information
  • Policy violation
  • Out of range
  • Old firmware
  • Invalid AP

Page 29

Wireless Auditor Detail

Screenshot labels:

  • Source MAC address
  • Base station ID
  • “Network” ID
  • AP name
  • Policy violation
  • Insufficient data

(June, IBM Hawthorne, 3rd floor)

Page 30

Back-up slides

Page 31

WEP Encapsulation

WEP Encapsulation Summary:

  • Encryption Algorithm = RC4
  • Per-packet encryption key = 24-bit IV concatenated to a pre-shared key
  • WEP allows IV to be reused with any frame, at sender’s choice
  • Data integrity provided by CRC-32 of the plaintext data (the “ICV”)
  • Data and ICV are encrypted under the per-packet encryption key

[Diagram: Encapsulate turns "802.11 Hdr | Data" into "802.11 Hdr | IV | Data | ICV"; Decapsulate reverses it.]

Page 32

WEP encryption

The WEP encryption algorithm RC4 is a Vernam Cipher (One Time Pad). For each packet:

  • Encryption Key K and Plaintext IV (24b) feed the pseudo-random number generator (RC4)
  • The generator outputs Random byte b
  • Plaintext data byte p ⊕ Random byte b = Ciphertext data byte c

Decryption works the same way: p = c ⊕ b

Page 33

WEP encryption issues

  • Only 2^24 unique pads per K
  • Total codebook only 2^35 bytes
  • Duplicate IV in 2^12 packets (birthday paradox): frequent reuse of “one time” pad!
  • IV may be freely chosen
  • xor of two packets gives xor of plaintext
  • CRC is not cryptographically strong
  • known plaintext gives codebook
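
An added C example, not part of the original slides: the WEP encapsulation summarized on pages 31 and 32 (RC4 keyed with IV || key over data || CRC-32 ICV), used to show why a repeated IV defeats the "one time" pad. Function names are hypothetical, and the key, IVs and payloads are constructed sample values.

```c
#include <stdint.h>
#include <string.h>
/* RC4: key schedule, then XOR the keystream (the "pad") over buf in place. */
static void rc4_xor(const uint8_t *key, size_t klen, uint8_t *buf, size_t n) {
    uint8_t S[256], t;
    unsigned i, j = 0;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % klen]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (size_t k = 0; k < n; k++) {
        i = (i + 1) & 0xff; j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        buf[k] ^= S[(S[i] + S[j]) & 0xff];
    }
}

/* CRC-32 (reflected, polynomial 0xEDB88320): the WEP ICV. */
static uint32_t crc32_ieee(const uint8_t *p, size_t n) {
    uint32_t c = 0xffffffffu;
    for (size_t k = 0; k < n; k++) {
        c ^= p[k];
        for (int b = 0; b < 8; b++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Encrypted frame body: RC4(IV || key) over data || ICV. out holds n + 4 bytes. */
void wep_encap(const uint8_t iv[3], const uint8_t *key, size_t klen,
               const uint8_t *data, size_t n, uint8_t *out) {
    uint8_t seed[3 + 13];                       /* klen is 5 or 13 in WEP */
    uint32_t icv = crc32_ieee(data, n);
    memcpy(seed, iv, 3); memcpy(seed + 3, key, klen);
    memcpy(out, data, n);
    for (int b = 0; b < 4; b++) out[n + b] = (uint8_t)(icv >> (8 * b));
    rc4_xor(seed, 3 + klen, out, n + 4);
}

/* Two frames under one key; returns 1 when C1 xor C2 equals P1 xor P2. */
int xor_leaks(const uint8_t iv1[3], const uint8_t iv2[3]) {
    static const uint8_t key[5] = {0x01, 0x02, 0x03, 0x04, 0x05}; /* constructed */
    static const uint8_t p1[8] = "PAYROLL", p2[8] = "INVOICE";    /* constructed */
    uint8_t c1[12], c2[12], diff = 0;
    wep_encap(iv1, key, 5, p1, 8, c1);
    wep_encap(iv2, key, 5, p2, 8, c2);
    for (int k = 0; k < 8; k++) diff |= (uint8_t)(c1[k] ^ c2[k] ^ p1[k] ^ p2[k]);
    return diff == 0;
}
```

With the same IV the pad cancels and `xor_leaks` returns 1; with distinct IVs it returns 0, which is why the 24-bit IV space and sender-chosen IVs listed above matter.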

Page 34

WEP Authentication

[Diagram: STA and AP, with the shared secret distributed out of band. AP to STA: Challenge (Nonce). STA to AP: Response (Nonce RC4 encrypted under shared key). AP: Decrypted nonce OK?]

802.11 Authentication Summary:

  • Authentication key distributed out-of-band
  • Access Point generates a “randomly generated” challenge
  • Station encrypts challenge using pre-shared secret

Page 35

WEP Authentication issues

  • Sniffed successful authentication gives plaintext, ciphertext, IV, pad
  • Given one (IV, pad) pair, an attacker can
    • authenticate
    • send (not receive) packets