IBM Research: Wireless Security Initiatives
Douglas Dykeman, Manager Computer Science
IBM Zurich Research Laboratory

IBM Research laboratories (map slide): TJ Watson (New York), Almaden, Zurich, Haifa, Tokyo
IBM Global Security Research
Research areas listed on the world-map slide (grouped by topic; the slide places them at the individual labs):
- Cryptographic foundations, multiparty protocols, Java cryptography, VLSI design for cryptography, high-performance crypto software
- Internet security, secure systems and software, secure government workstations, "ethical hacking", vulnerability analysis
- IDS sensors, IDS systems and alert correlation, anti-virus
- Trust management, privacy, privacy policies, XML security, digital watermarking
- Smartcard systems and applications, biometrics
Additional sites on the map: New Delhi, China
Mobile and Wireless: Security Problems
- Access to confidential information
- Transactions
- Security of wireless infrastructure
- Privacy
No system is 100% secure, but it should be secure against hackers with a PC attached to the Internet.
Three goals: protect the device, ensure privacy, protect the infrastructure.
Secure Client Systems
Authentication: PKI
- complicated
- expensive
- inflexible processes
- business model?
Secure Repository: Smart Cards and SIMs
- proprietary systems: cards and applications come from a single vendor
- expensive
Changes in Smart Card Industry
Proprietary systems (old stack): proprietary applications, proprietary driver, proprietary protocol & environment, proprietary management
Open systems (new stack): Java applications, JavaCard, OpenPlatform, PKCS#15 on the card, PKCS#11 driver on the host

Open Systems: JavaCard architecture (layered diagram, bottom to top)
- Smart Card Hardware
- Device drivers for communications and cryptography (RSA, DSA, ...) (ROM)
- Java Virtual Machine (ROM)
- JavaCard Class Library (JavaCard) (ROM)
- Secure Applet Install (OpenPlatform)
- Applets (ROM / EEPROM): eCheck Applet, Logon Applet, eCash Applet, Loyalty Applet, . . .
State of the Art
- JavaCard + OpenPlatform
- PKI, 1024-2048 bit crypto
- 16-32 Kbytes free EEPROM
- signing: 200-400 ms
- key generation: 6-9 s on card
- $3.50
PKI: Public or Closed User Groups
Card issuance (diagram: home banking client, certificate authority):
1. Generate keys on card
2. Certificate authority generates the user certificate from the card's public key
3. Install certificate on the card
4. Issue card
"Cost and Control"
Secure Home Banking Solution
Diagram: home banking client (with JavaCard) <-- Internet, SSL --> banking server
JavaCard provides: authentication, digital signature, data encryption
Internet/Mobile/In-Store Commerce
Diagram: consumer, online merchant, offline merchant system and clearing, connected over the Internet
Devices: PC, phone, banking and merchant terminals...
Applications: banking, payment, identification, tickets...
Secure Client Platform
- PKI
- Smart "cards"
- Taking off now! (Visa, Home Banking, US)
Watson Research: Side-Channel Cryptanalysis
Privacy technology & services
- Privacy Management Technology
- Privacy Security Technology
- Privacy-enabled Services & Applications
- Information Security and Audit
- Privacy Assessment
- Design for Privacy
Projects: idemix, myPrivacy, privacy-preserving data mining
WES Location-Based Services (WebSphere Everyplace Suite)
Components of the architecture diagram (the original numbers the message flow 1-8):
- Mobile Device
- Wireless Gateway (HTTP + MIN/MSISDN)
- WES Authentication Server (Tivoli Policy Director)
- WES Location Proxy, Location Processing
- Self-care Portal page App (WPS, WAS)
- Other diagram labels: LFE, SGSFL M, WLI, SGSFLocal.info, SII, RCI
Privacy-preserving data mining
Diagram: individual records (e.g. age 50, salary 40K; age 30, salary 70K; age 65, salary 20K; age 25, salary 60K) pass through a Randomizer before they reach the data mining algorithms; the miner reconstructs the distribution of salary and the distribution of age from the randomized values and builds its model from those.
- The primary task in data mining: development of models about aggregated data.
- Can we develop accurate models without access to precise information in individual data records?
- Approach: using randomization to protect privacy
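The reconstruction step the slide depends on, as an added example (not IBM's or the project's code): each user adds noise from a public distribution to a numeric attribute before it leaves the device, and the miner recovers the aggregate distribution with an iterative Bayesian update of the kind used by Agrawal and Srikant's randomization scheme. The bimodal "age" data, the noise radius and the bin layout are constructed for the example.

```python
"""Distribution reconstruction from randomized records.

Added example, not IBM code.  Client side: w_i = x_i + y_i with y_i drawn
from a public noise distribution, and only w_i is sent.  Miner side: recover
the histogram of x from the w_i by iterating a Bayesian update, starting from
a uniform guess.  All data are constructed.
"""
import random

NOISE_RADIUS = 10.0          # y ~ Uniform[-10, 10]; the distribution is public


def noise_density(y):
    """f_Y(y): density of the additive noise."""
    return 1.0 / (2 * NOISE_RADIUS) if -NOISE_RADIUS <= y <= NOISE_RADIUS else 0.0


def randomize(values, rng):
    """Client side: perturb each record independently."""
    return [x + rng.uniform(-NOISE_RADIUS, NOISE_RADIUS) for x in values]


def histogram(values, edges):
    """Fraction of values per bin; values outside the domain are clipped into the end bins."""
    lo, hi = edges[0], edges[-1]
    counts = [0] * (len(edges) - 1)
    for v in values:
        v = min(max(v, lo), hi - 1e-9)
        k = next(i for i in range(len(edges) - 1) if edges[i] <= v < edges[i + 1])
        counts[k] += 1
    return [c / len(values) for c in counts]


def reconstruct(perturbed, edges, iterations=60):
    """Miner side: f'(a) = 1/n * sum_i f_Y(w_i - a) f(a) / sum_z f_Y(w_i - z) f(z)."""
    mids = [(edges[i] + edges[i + 1]) / 2 for i in range(len(edges) - 1)]
    f = [1.0 / len(mids)] * len(mids)            # uniform prior over bins
    for _ in range(iterations):
        acc = [0.0] * len(mids)
        for w in perturbed:
            posterior = [noise_density(w - a) * fa for a, fa in zip(mids, f)]
            total = sum(posterior)
            if total == 0.0:                     # w cannot be explained by any bin centre
                continue
            for k, p in enumerate(posterior):
                acc[k] += p / total
        s = sum(acc)
        f = [v / s for v in acc]
    return f


def l1_distance(p, q):
    return sum(abs(a - b) for a, b in zip(p, q))


def run_demo(n_per_mode=500, seed=7):
    """Constructed bimodal ages (25-35 and 55-65). Returns (raw_error, rec_error, rec_hist)."""
    ages = [25 + 10 * i / n_per_mode for i in range(n_per_mode)] + \
           [55 + 10 * i / n_per_mode for i in range(n_per_mode)]
    edges = [20 + 5 * k for k in range(11)]      # 10 bins of width 5 over [20, 70)
    perturbed = randomize(ages, random.Random(seed))
    true_hist = histogram(ages, edges)
    raw_hist = histogram(perturbed, edges)       # naive: just bin the perturbed values
    rec_hist = reconstruct(perturbed, edges)
    return l1_distance(true_hist, raw_hist), l1_distance(true_hist, rec_hist), rec_hist


if __name__ == "__main__":
    raw, rec, hist = run_demo()
    print("L1 error of raw perturbed histogram:", round(raw, 3))
    print("L1 error after reconstruction:     ", round(rec, 3))
```

The miner never sees an individual's true age, only its noisy version, yet the reconstructed histogram recovers the two age bands that the naive histogram of perturbed values smears out. The noise width has to be chosen against the structure you want to recover: if the noise is as wide as the gap between the two modes, the perturbed distribution of a bimodal and of a uniform population coincide and nothing can bring the modes back.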
Intrusion Detection at Work
Tivoli Risk Manager (diagram): firewalls, host-based IDs, web IDs and network IDs send events to the correlation engine on the TEC server (TEC: Tivoli Enterprise Console); Risk Manager IDS rules correlate the events into the TEC event DB and the TEC consoles. Diagram labels on the sensor side: Standards, Filtering.
Why Secure Hardware?
- Often you must trust devices and systems that you cannot control
- Motivated adversaries may have direct access
- A user might be the adversary. . .
- A merchant might be the adversary. . .
- An employee might be the adversary
The Family of Hardware Security Modules
- Smart cards
- Portable tokens
- Mobile phones
- PCMCIA cards
- Standalone boxes
- PCI cards for servers
(Crypto Accelerators are a related family)

What do applications need from secure hardware?
- Acceleration of security operations (e.g. cryptography, random number generation)
- Physical protection of information assets: encryption keys; electronic valuables (e.g. e-cash, postage, coupons); software (e.g. meters, risk calculation)
IBM 4758 PCI Cryptographic Coprocessor
- Performs high speed cryptographic operations
- Provides secure key storage
- Detects physical attacks: probe, voltage, temperature, radiation
- Programmable!
- Field upgradeable
- FIPS 140-1 overall level 4 certified (hardware and microcode)
- Popular PCI bus interface for servers
- Device drivers for NT, Win2000, AIX, OS/400, z/OS, Linux, Solaris
Goals of IBM Research's Secure Embedded Operating System Project
- Develop a secure operating system for pervasive devices (smart card, GSM phone SIMs, USB tokens, etc)
- use hardware to enforce the security
- allow controlled sharing of data
- Common Criteria security evaluation by an independent third party at a very high assurance level
- Code written by companies who don't know or trust each other's programs (or programmers)
- Interpreted and native OS interface to applications inside
- Field loadable applications and applets
- Joint development with Philips Semiconductors
Side-Channel Cryptanalysis
Cryptanalysis using information leaked by a device during the computation of cryptographic primitives.
Several researchers have published attacks based on power or timing measurements.
In '99 the team at Watson produced countermeasures that were provably resistant to power analysis attacks.

SPA - Simple Power Analysis
- The code execution sequence is easily observable in the power trace
- If the code path is key dependent, the key can be read from a SINGLE power profile
- For example, conditional jumps are easy to detect
The DES key parity check below takes or skips the branch depending on each key bit, so the trace of one execution spells out the key (fragment from the slide; parity(bit, byte) is the per-bit test of key byte `byte`):

    des_check_parity:
        for (byte = 7; byte >= 0; byte--) {
            count = 0;
            for (bit = 7; bit >= 0; bit--) {
                if (parity(bit, byte))   /* taken or not taken: one key bit per branch */
                    count++;
            }
        }
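The same leak on a different primitive, as an added example that is not part of the original slides: a square-and-multiply exponentiation multiplies only after exponent bits that are 1, so a single trace of its operation sequence (modelled here as a list of "S"/"M" events, standing in for the power profile) reveals the whole exponent. The Montgomery ladder is shown beside it as the branch-free countermeasure. Base, modulus and exponents are constructed values.

```python
"""Simple Power Analysis (SPA) on a toy modular exponentiation.

Added example, not IBM Research code.  The 'power trace' is modelled as the
sequence of operations the device executes.  Square-and-multiply performs a
multiply only for exponent bits that are 1, so one trace gives the key; the
Montgomery ladder does the same operation pair for every bit, so its trace
carries nothing but the bit length.
"""


def square_and_multiply(base, exponent, modulus, trace):
    """Left-to-right binary exponentiation; appends 'S' (square) / 'M' (multiply) to trace."""
    result = 1
    for bit in bin(exponent)[2:]:            # most significant bit first
        result = (result * result) % modulus
        trace.append("S")
        if bit == "1":                       # key-dependent conditional: this is the leak
            result = (result * base) % modulus
            trace.append("M")
    return result


def montgomery_ladder(base, exponent, modulus, trace):
    """Same result; every bit costs exactly one multiply and one square, in that order."""
    r0, r1 = 1, base % modulus
    for bit in bin(exponent)[2:]:
        if bit == "0":
            r1 = (r0 * r1) % modulus
            r0 = (r0 * r0) % modulus
        else:
            r0 = (r0 * r1) % modulus
            r1 = (r1 * r1) % modulus
        trace.extend(["M", "S"])             # identical pattern whatever the bit is
    return r0


def recover_exponent(trace):
    """SPA: 'S' followed by 'M' is a 1 bit; 'S' followed by 'S' (or by the end) is a 0 bit."""
    bits = []
    i = 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("trace does not look like square-and-multiply")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


def spa_attack(base, secret_exponent, modulus):
    """The attacker observes one execution's trace and returns the recovered exponent."""
    trace = []
    square_and_multiply(base, secret_exponent, modulus, trace)
    return recover_exponent(trace)


def ladder_traces_are_key_independent(base, e1, e2, modulus):
    """True when two exponents of equal bit length produce identical ladder traces."""
    t1, t2 = [], []
    montgomery_ladder(base, e1, modulus, t1)
    montgomery_ladder(base, e2, modulus, t2)
    return t1 == t2


if __name__ == "__main__":
    secret = 0xDEADBEEF                      # constructed 32-bit "key"
    print(hex(spa_attack(3, secret, 65537)))  # the exponent, read from one trace
```

The ladder still reveals the bit length of the exponent through the trace length, which is why real implementations fix the loop count rather than iterating over `bin(exponent)`.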
802.11b Wireless LAN Security
802.11b defines two security features: WEP encryption and Shared Key authentication
Security issues: management, broken cryptography

802.11 Management Issue
- WEP and Shared Key are OPTIONAL
- Access points ship with both turned off
- Intranet exposed to "drive by" hacking
Question: what APs exist? Are they configured correctly?
802.11 Cryptographic Issues
WEP encryption broken:
- http://www.crypto.com/papers/others/rc4_ksaproc.ps (weakness in the RC4 key scheduling): recover WEP key in 5-6 million packets
- http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html: simple passive eavesdropping attacks, hard active attacks
- http://www.cs.umd.edu/~waa/attack/v3dcmnt.htm: added authentication attack, extended passive attacks
Fixing 802.11 Cryptography
- 802.1x provides a callout to application-provided per-session keying; can prevent recovering the key
- Cisco has LEAP: per-card, per-session keying "now"
- 802.11g (WEP2): firmware-only tweak to WEP (128 bit IV)
- 802.11i (AES/OCB): firmware/driver change on the client, hardware change on the AP; complete fix
- VPN: harder/more expensive, but available/strong
Wireless Auditor Project
Audit 802.11 Access Points for WEP configuration and firmware/driver revision
Platform: Thinkpad or iPAQ based; Cisco/Intersil PCMCIA card or IBM T23 embedded 802.11 card; Linux

Wireless Auditor Main Program (screenshot): each AP is shown with one status: "No policy violations seen", "Insufficient information", "Policy violation", "Out of range", "Old firmware", "Invalid AP"

Wireless Auditor Detail (screenshot): source MAC address, base station ID, "network" ID, AP name, and the verdict (policy violation / insufficient data) for each AP (June, IBM Hawthorne, 3rd floor)
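The classification the auditor's status column implies, as an added example (not the IBM Wireless Auditor code): sniffed AP records are checked against an inventory of approved base station IDs, a WEP requirement and a minimum firmware revision, and each AP gets one of the verdict strings from the screenshot. The scan records, the MAC addresses (locally administered, constructed) and the policy values are assumptions for the example.

```python
"""Access-point policy check in the spirit of the Wireless Auditor slides.

Added example, not IBM's auditor.  A ScanRecord holds what a passive
802.11 sniffer can report about one AP; audit() returns one verdict string.
All records, addresses and policy values below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Verdict strings as they appear in the auditor's status column
NO_VIOLATION = "No policy violations seen"
INSUFFICIENT = "Insufficient information"
VIOLATION = "Policy violation"
OLD_FIRMWARE = "Old firmware"
INVALID_AP = "Invalid AP"


@dataclass
class ScanRecord:
    source_mac: str
    bssid: str                    # base station ID
    network_id: str               # SSID
    ap_name: Optional[str]
    wep_enabled: Optional[bool]   # None: privacy bit not determinable from captured frames
    firmware: Optional[str]       # dotted revision string, None: not reported


@dataclass
class Policy:
    approved_bssids: frozenset    # inventory of APs that are allowed to exist
    min_firmware: str             # oldest acceptable revision
    require_wep: bool = True


def parse_version(v: str):
    """'11.01' -> (11, 1); tuples compare component-wise, so '10.20' < '11.01'."""
    return tuple(int(part) for part in v.split("."))


def audit(record: ScanRecord, policy: Policy) -> str:
    """One verdict per AP, most severe condition first."""
    if record.bssid.lower() not in policy.approved_bssids:
        return INVALID_AP                          # rogue or unknown base station
    if policy.require_wep and record.wep_enabled is False:
        return VIOLATION                           # WEP turned off on an approved AP
    if record.firmware is not None and \
            parse_version(record.firmware) < parse_version(policy.min_firmware):
        return OLD_FIRMWARE                        # known-weak revision still deployed
    if record.wep_enabled is None or record.firmware is None:
        return INSUFFICIENT                        # cannot decide either way yet
    return NO_VIOLATION


def audit_all(records, policy):
    return {r.bssid: audit(r, policy) for r in records}


# Constructed policy and scan, standing in for a walk past a few APs
POLICY = Policy(
    approved_bssids=frozenset({"02:00:00:00:00:01", "02:00:00:00:00:02",
                               "02:00:00:00:00:03", "02:00:00:00:00:04"}),
    min_firmware="11.01",
)

SCAN = [
    ScanRecord("02:00:00:00:00:01", "02:00:00:00:00:01", "lab-3f", "ap-3f-east", True, "11.05"),
    ScanRecord("02:00:00:00:00:02", "02:00:00:00:00:02", "lab-3f", "ap-3f-west", False, "11.05"),
    ScanRecord("02:00:00:00:00:03", "02:00:00:00:00:03", "lab-3f", "ap-3f-north", True, "10.20"),
    ScanRecord("02:00:00:00:00:99", "02:00:00:00:00:99", "linksys", None, None, None),
    ScanRecord("02:00:00:00:00:04", "02:00:00:00:00:04", "lab-3f", None, None, None),
]

if __name__ == "__main__":
    for bssid, verdict in audit_all(SCAN, POLICY).items():
        print(f"{bssid}  {verdict}")
```

Ordering matters: an unknown BSSID is reported as an invalid AP before any of its settings are examined, and an approved AP with WEP off is a policy violation even when its firmware is current. The firmware comparison assumes purely numeric dotted revisions; vendor strings with letters would need a vendor-specific parser.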
Back-up slides
WEP Encapsulation
WEP Encapsulation Summary:
- Encryption algorithm = RC4
- Per-packet encryption key = 24-bit IV concatenated to a pre-shared key
- WEP allows IV to be reused with any frame, at sender's choice
- Data integrity provided by CRC-32 of the plaintext data (the "ICV")
- Data and ICV are encrypted under the per-packet encryption key
Diagram: Encapsulate: [802.11 Hdr][Data] -> [802.11 Hdr][IV][Data][ICV], with Data and ICV encrypted; Decapsulate reverses it.
WEP encryption
The WEP encryption algorithm RC4 is used as a Vernam cipher, i.e. a pseudo one-time pad. For each packet:
- the pseudo-random number generator (RC4), seeded with the 24-bit plaintext IV and the encryption key K, produces a random byte b
- each plaintext data byte p is encrypted as ciphertext data byte c = p xor b
- decryption works the same way: p = c xor b
WEP encryption issues
- Only 2^24 unique pads per K
- Total codebook only 2^35 bytes
- Duplicate IV expected within about 2^12 packets (birthday paradox): frequent reuse of the "one time" pad!
- IV may be freely chosen
- xor of two packets encrypted under the same IV gives the xor of the plaintexts
- CRC is not cryptographically strong
- known plaintext gives the codebook (keystream) for that IV
WEP Authentication
Diagram: STA <-> AP, shared secret distributed out of band
1. AP -> STA: Challenge (nonce)
2. STA -> AP: Response (nonce RC4 encrypted under shared key)
3. AP: decrypted nonce OK?
802.11 Authentication Summary:
- Authentication key distributed out-of-band
- Access Point generates a "randomly generated" challenge
- Station encrypts challenge using pre-shared secret

WEP Authentication issues
- Sniffed successful authentication gives plaintext, ciphertext, IV, pad
- Given one IV and pad, attacker can authenticate and send (not receive) packets
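The encapsulation from the WEP slides and the three consequences listed under "WEP encryption issues" and "WEP Authentication issues", as one added example that is not part of the original deck: RC4 keyed with IV || K over data || ICV, then IV reuse exposing the xor of two plaintexts, CRC-32 linearity letting an attacker flip plaintext bits in a ciphertext without the key, and a single sniffed shared-key authentication yielding an IV/keystream pair that authenticates the attacker. The shared key, IVs, plaintexts and challenges are constructed; `zlib.crc32` is the standard-library CRC-32.

```python
"""WEP encapsulation, IV reuse, CRC-32 malleability and shared-key auth replay.

Added example, not from the original slides.  Frame body = IV || RC4_{IV||K}(data || ICV),
where ICV = CRC-32(data).  Keys, IVs and challenges are constructed.
"""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encapsulate(shared_key: bytes, iv: bytes, data: bytes) -> bytes:
    """The sender picks the 24-bit IV; the per-packet RC4 key is IV || shared key."""
    body = data + icv(data)
    return iv + xor(body, rc4(iv + shared_key, len(body)))


def wep_decapsulate(shared_key: bytes, frame: bytes):
    """Returns (data, integrity_ok)."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + shared_key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data, tag == icv(data)


# Issue 1: IV reuse. Same IV and key give the same pad, so c1 xor c2 = p1 xor p2.
def iv_reuse_leak(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    c1 = wep_encapsulate(shared_key, iv, p1)[3:]
    c2 = wep_encapsulate(shared_key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return xor(c1[:n], c2[:n]) == xor(p1[:n], p2[:n])


# Issue 2: CRC-32 is linear: crc(a xor d) = crc(a) xor crc(d) xor crc(0...0) for
# equal lengths, so the encrypted ICV can be fixed up while flipping data bits.
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    data_len = len(body) - 4
    delta = delta.ljust(data_len, b"\x00")            # bits to flip, zero elsewhere
    icv_delta = xor(icv(delta), icv(bytes(data_len)))
    return iv + xor(body[:data_len], delta) + xor(body[data_len:], icv_delta)


# Issue 3: shared-key authentication hands the eavesdropper an IV/keystream pair.
def sniff_keystream(challenge: bytes, response_frame: bytes):
    """Observed challenge (plaintext) and response (ciphertext): pad = plaintext xor ciphertext."""
    iv, body = response_frame[:3], response_frame[3:]
    return iv, xor(challenge + icv(challenge), body)


def forge_auth_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a fresh challenge by reusing the sniffed IV; WEP lets the sender choose it."""
    body = new_challenge + icv(new_challenge)
    return iv + xor(body, keystream[:len(body)])
```

The forged response works because the AP only checks that the decrypted challenge matches; it has no way to tell that the IV is a replay. The same recovered pad lets the attacker encapsulate arbitrary data frames of up to that length under that IV, which is the "send (not receive) packets" point on the slide.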