Week 14, Comp [34]49, Dec 4

    Newsham
    demo wpa-supplicant
    802.1X, etc

===========================================================================

Notes on java input
    project 3: java input done for you in readvalues(String filename)
    project 2: I added readstrings(String filename) to tester.java

===========================================================================

md5demo

As we change one bit, look at how completely the md5 digest changes

course web page, files
    http://www.cs.luc.edu/pld/courses/449/fall08/md5demo.java
    http://www.cs.luc.edu/pld/courses/449/fall08/md5demo.out

===========================================================================

Newsham: 21-bit problem

Typically, in Pre-Shared Key (PSK) mode, a key is manually typed into each AP and STAtion.
Newsham showed that very often the real entropy, or degree of randomness,
is much smaller than you would hope for.

Key-generation algorithm in hardware throws entropy away!

Newsham obviously did some work to figure out how the values were being generated.

Linear congruential PRNG:
    X(n+1) = (a*X(n) + c) mod m
Typically m = 2^32 (or 2^16).

From three successive values, X2, X1, and X0 (and m), we can figure out a and c.
(At least if X1-X0 is relatively prime to m; that is, is odd if m is a power of 2)

    X2 = aX1 + c  mod m
    X1 = aX0 + c  mod m
    X2-X1 = a(X1-X0)  mod m

Now do mod-m division of both sides by (X1-X0)
(this is where we need this relatively prime to m):

    a = (X2-X1)*inverse(X1-X0)  mod m

Once a is known, c follows from the second equation: c = X1 - aX0  mod m

Moral: LCGs are TRIVIAL to "break".

Who are you trying to fool: the universe, or your enemies?

Einstein: God is subtle, but he is not malicious

===========================================================================

WPA-1

WPA: Two modes: PSK (Pre-shared Key, or "personal"),
and authentication-server ("enterprise") mode

First pass: WPA-1, or TKIP
    128-bit key

1. The base_key is rebuilt each time the STA associates to an AP,
   using the secret key only for this purpose.

2. packet key: hash of (base_key, MAC_addr, serial # of packet)
   Part of the header includes a 48-bit packet serial number, incremented
   for each packet (this is the new IV). This ensures no packet_key reuse.
   If we reauthenticate (including having been deauthenticated by force),
   we generate a new base_key, so we can start IVs at 0 again safely.

3. Michael (MIC)
   64-bit checksum that is NOT XOR-linear; that is,
       MIC(m1 xor m2) != MIC(m1) xor MIC(m2)
   in fact, no plausible replacement for the RHS xor is known.
   MIC is actually key-based; you can't compute the correct MIC value
   unless you know the key.
   The MIC key is generated along with all the other keys.

4. Packets must be in sequence
   (stations keep seq counter, TSC; incremented on each packet;
   packets containing TSC field < counter are rejected)

5. 60-second rule
   MIC failure: good ICV, bad MIC
       1 failure: send "MIC failure report frame"
       2 in 60 seconds: shut down for 60 seconds and then renegotiate all keys

Chop-chop attack of Tews & Beck: very slow
    7 probes every 60 seconds (1 for each QoS level)

===========================================================================

802.1X: "port-based authentication"

EAP/RADIUS server acts as "authenticator"
    EAP: Extensible Authentication Protocol
    RADIUS: Remote Authentication Dial In User Service

3 pieces:
    Client/Supplicant
    Authenticator (AP)
    Authentication Server AS (eg RADIUS)

Supplicant: provides credentials to AP (eg Loyola UVID, Password)
AP *forwards* to the AS
AS may issue challenge, which the AP forwards to the client
Client replies to AP, which forwards to AS
AS says yes/no

Until AS says yes, AP "blocks the port" to which the client is connected.
Typically this means blocking that MAC address from any further communication.

Wired networks: the "port" may be a physical switch port.
Wireless networks: the "port" may be your MAC address

Before you authenticate, at Loyola you get a "fake" dhcp reply,
so you can use web-based authentication.
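
Going back to the Newsham section above: the recovery of a and c from three successive LCG outputs, written out as an added example (it is not code from the course page). The generator constants, the seed and the function names are constructed for illustration and are not taken from any device.

```python
from math import gcd

def recover_lcg(x0, x1, x2, m):
    """Recover (a, c) of X(n+1) = (a*X(n) + c) mod m from three successive outputs."""
    d = (x1 - x0) % m
    if gcd(d, m) != 1:
        # X1-X0 has no inverse mod m, so the mod-m division step is not defined
        raise ValueError("X1-X0 is not relatively prime to m")
    a = ((x2 - x1) * pow(d, -1, m)) % m   # a = (X2-X1)*inverse(X1-X0) mod m
    c = (x1 - a * x0) % m                 # from X1 = a*X0 + c mod m
    return a, c

def lcg_stream(x, a, c, m, n):
    """Return the next n outputs of the generator starting from state x."""
    out = []
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out

def recover_from_outputs(outputs, m):
    """Try each window of three outputs until one has an invertible difference."""
    for i in range(len(outputs) - 2):
        try:
            return recover_lcg(outputs[i], outputs[i + 1], outputs[i + 2], m)
        except ValueError:
            continue
    raise ValueError("no window with X1-X0 relatively prime to m")

# Constructed sample generator (assumed parameters, not taken from any device)
M, A, C, SEED = 2**32, 214013, 2531011, 2008

def demo():
    observed = lcg_stream(SEED, A, C, M, 3)          # three observed outputs
    a, c = recover_from_outputs(observed, M)
    predicted = lcg_stream(observed[-1], a, c, M, 5)  # what comes next
    actual = lcg_stream(SEED, A, C, M, 8)[3:]
    return (a, c), predicted == actual

if __name__ == "__main__":
    print(demo())
```

Because every later output follows from a, c and one observed value, key material has to come from a cryptographic generator (in Python, the secrets module) rather than from an LCG.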

EAP: Extensible Authentication Protocol: a generic mechanism for
supporting authentication & challenges.
    * doesn't necessarily use IP
    * has own mechanisms for duplicate-elimination, retransmission, etc

EAP-MD5: uses pre-shared key PSK
    AS sends a challenge message CM
    Client replies with MD5(IDENT^PSK^CM), where ^ is concatenation and
    IDENT is a 1-byte identifier that changes with each CM sent.

"In RADIUS/EAP, RADIUS is used to shuttle RADIUS-encapsulated EAP Packets
between the NAS and an authentication server."   - rfc 3579

===========================================================================

WPA-2: 128-bit AES (Advanced Encryption System), CCMP
    CCMP = Counter mode with CBC-MAC Protocol
    CBC-MAC = Cipher Block Chaining Message Authentication Code

How wpa_supplicant works

/etc/wpa_supplicant/wpa.conf:

network={
    ssid="AGDhomenetwork"
    key_mgmt=WPA-PSK
    psk="here_is_the_passwd"
}

Then start wpa_supplicant. Note that it's *intended* to run in the background.
Note also that it interacts with the driver, and sometimes needs to be told
what the driver is.

See Wikipedia 802.11i for diagrams of key sharing
    http://en.wikipedia.org/wiki/802.11i

EAP exchange provides Pairwise Master Key PMK; lasts whole session.

Both sides now create Pairwise Transient Key:
    Hash of PMK, ANonce, SNonce, MAC addrs of AP & STA

Also generate Group Temporal Key for mcast/bcast traffic.

4-way handshake

       STA                           AP
        |                             |
        | <-------- ANonce ---------- |
    construct                         |
       PTK                            |
        |                             |
        | ----- SNonce + MIC -------> |
        |                         construct
        |                            PTK
        |                             |
        |                             |

PTK is 64 bytes. It's divided up as follows:
    16 bytes  EAPOL-Key: for sending other keys
    16 bytes  EAPOL confirmation key (used in MIC)
    16 bytes  Temporal Key: used as session key for unicast packets
     8 bytes  Michael MIC Transmit key
     8 bytes  MIC Receive key

Actual encryption: AES/CCMP

===========================================================================

Wi-fi
    why two antennas? to avoid fast fading.
    Typically, one antenna won't be faded.

===========================================================================

WiMAX & "Wireless local loop"

WLL is a notion from the voice world.

up to 75 Mbps broadband; up to 50 km range, BUT NOT BOTH SIMULTANEOUSLY!
10 Mbit at 10 km?

In general, wimax is "slower than wi-fi", but also more mobile.

10-66 GHz (30mm-5mm) originally (802.16); now down to 2.5 GHz (802.16a)

uses licensed spectrum

fixed endpoints (originally, at least), which means they can use directional antennas
Mobile wimax stations now exist, using omnidirectional antennae

uses SCHEDULING ALGORITHM, not contention access.
STAs are then given a time slot during which they can transmit.
time-slots are variable-sized.

Addressing is based on a 16-bit "connection id", generated at the time
the station connects to the AP.

Fig 11.17

Fresnel Zone: radius around the line-of-sight path that must be unobstructed.
Fig 11.9
Particularly by the ground. Also by trees.

    R = sqrt(lambda*S*D/(S+D))

                            |
                            |R
                            |
    A-----------S-----------|-----------D-----------B

Example: S=D=10km, freq=2.4 GHz (lambda=12 cm). Then R=17.7 m.
If freq=28 GHz, this drops to 3.1 m

Most attenuation is caused by things within 0.6 R of the LOS path

=========

Humidity, oxygen: see Fig 11.10
Rain
Vegetation: mostly scattering
Multipath is a problem

===========================================================================

Satellite

GEOs, MEOs, and LEOs

Most satellite dishes point at a GEO (Geosynchronous Orbit), 35,863 km above the earth

Typical transmitter: 1 watt, parabolic dish with area 0.7 sq meters

RTT: 250 ms
RTT if both legs must go up and down to the satellite: 500 ms
Typical measured RTT: 700-1000 ms

Ku band: 12.5 - 18 GHz (HughesNet)
Ka band: 26-40 GHz (wildblue)

Also mobile satellite service: satphones

same issues with atmosphere and rain as with wimax, only more so

In rainy areas, the lower-frequency L (1-2 GHz) and C (4-8 GHz) bands are popular.

FDMA or TDMA may be used for downlink.
TDMA: each earth station is assigned a time slot, for uplink.
Note that earth stations **cannot hear each other's transmissions**

===========================================================================

Bluetooth

core applications:
    modems
    LAN /IP
    file transfer (eg between phone and pc)
    cordless-phone headset
    peripherals

A "piconet" is one master and 1-7 slave nodes.
Overlapping piconets may form a scatternet; a node in two piconets
might be master in one and slave in the other.

slaves send only to the master

Typical power: 100 mW down to 1 mW

basic data rate: 1 Mbps

Uses ISM band; divides it into 80 channels of 1 MHz each

Uses Frequency Hopping. Stallings defines the notion of an "FH Channel"
to represent the frequency hopping used.

Hop rate is 1600 hops/sec, for 625 microsec / hop.
These are called SLOTS (different from wi-fi slot)
A slot holds ~625 bits, or ~75 bytes

Packet lengths 1 slot, 3 slots, or 5 slots
In multislot packets, we do NOT hop during the transmission.
We skip over the missed hop values.

Basic two-way Time Division Duplex
with more devices, this becomes TDMA
This is important for one-chip applications; using FDMA on one chip
usually leads to some CROSSTALK: transmitter interfering with receiver,
even if they're on different frequencies nominally.

With 80 channels, two nearby piconets are likely to choose the same
hop frequency 1 time in 80, or ~1.25% of the time. This is easily handled
by losing those slots, and recovering them with FEC (error-correcting codes).

synchronous connection: pairs of slots at regularly scheduled intervals;
used for, say, voice or other realtime data

asynchronous: slaves can reply only if the previous packet was addressed to them.
Thus, the master may need to implement POLLING.

max rate 721 kbps master => slave, and 57 kbps slave => master
These numbers refer to the # of slots the sender gets.

Optionally, each device may be configured with a "shared secret" passkey.
Then the devices may automatically connect, may authenticate,
and may *encrypt* the traffic.

"touch-to-pair" creates a secure pairing simply by bringing the
two devices really close.

"bluejacking": sending bluetooth messages. This is just plain possible,
if you are in range. (Not all bluetooth devices *accept* messages, but phones do.)

Traditionally, user intervention is necessary to accept connections,
but sometimes not.
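
Returning to the WPA-2 4-way handshake earlier in these notes: an added example (not code from the course page or from wpa_supplicant) of both sides building the same PTK and the AP checking the MIC on message 2. It assumes PSK mode with the ssid and psk from the wpa.conf above, where the PMK is PBKDF2 of the passphrase; the MAC addresses, nonces, frame bytes and function names are constructed.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase, ssid):
    # WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    # 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    # Sorting the MACs and nonces makes both sides hash identical input
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)

def split_ptk(ptk):
    # Byte order per 802.11i: confirmation key (KCK) first, then encryption key (KEK)
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC_TX": ptk[48:56], "MIC_RX": ptk[56:64]}

def message2_mic(kck, frame):
    # MIC over the EAPOL-Key frame: HMAC-SHA1 truncated to 16 bytes (AES/CCMP case)
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def ap_accepts(ap_passphrase, sta_passphrase, ssid="AGDhomenetwork"):
    # Constructed sample values; real nonces are random, real frames are EAPOL-Key
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    frame = b"constructed EAPOL-Key message 2 carrying SNonce"
    # STA side: has received ANonce, builds its PTK and MICs message 2
    sta_keys = split_ptk(derive_ptk(pmk_from_passphrase(sta_passphrase, ssid),
                                    ap_mac, sta_mac, anonce, snonce))
    mic = message2_mic(sta_keys["KCK"], frame)
    # AP side: now has SNonce, builds its own PTK and checks the MIC
    ap_keys = split_ptk(derive_ptk(pmk_from_passphrase(ap_passphrase, ssid),
                                   ap_mac, sta_mac, anonce, snonce))
    return hmac.compare_digest(mic, message2_mic(ap_keys["KCK"], frame))

if __name__ == "__main__":
    print(ap_accepts("here_is_the_passwd", "here_is_the_passwd"))
    print(ap_accepts("here_is_the_passwd", "some_other_passwd"))
```

The PMK itself never crosses the air: the AP learns that the STA holds it only because the MIC verifies under a KCK derived from it.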