WirelessSecurity-Evi

5/2/2017Definition: Wireless Security “Wireless network security primarily protects a wireless network fromunauthorized and malicious access attempts.Wireless Security Typically, wireless network security is delivered through wireless devices(usually a wireless router/switch)Survey by Evi Bernitsas18-750 Wireless which encrypts and secures all wireless communication by default.”Wired Equivalent Privacy(WEP) AlgorithmCommon Security TypesWired Equivalent Privacy (WEP) Security algorithm for IEE 802.11 Part of original 802.11 ratified in1997 to provide confidentiality,which the traditional wired networkdid not provide WEP uses 40 or 104 bit keys. WEP has now been replaced by WiFi Protected Access (WPA) Uses RC4 stream cypher (nowunsafe) uses 40-bit key (WEP-40) andis concatenated with a 24-bitinitialization vector (IV) to formthe RC4 key This key stream is then used toencrypt the plain text usingXOR This produces the cipher textwhich is then sent.Wi-Fi Protected Access (WPA) Developed because of weaknessesfound in WEP WPA also referred to as IEEE 802.11istandard (WPA2 released in 2004) Instead of 40 or 104 bit keys, usesTemporal Key Integrity Protocol (TKIP) TKIP dynamically generates new128-bit key for each packet

5/2/2017Wi-Fi Protected Access(WPA/WPA2) Algorithm WPA uses Temporal Key IntegrityProtocol (TKIP) uses a unique keyfor each packet that is dynamicallygenerated (128 bits)WPA2 encrypts the network with a256-bit key and uses the encryptionmethod called AES (AdvancedEncryption Standard)A few Security Issueswith WPA/WPA2 Weak Password WPA packet decryption: injection attacks No forward secrecy: once an adverse person discovers the pre-sharedkey, they can decrypt all encrypted Wi-Fi packets transmitted in the futureand even past Predictable Group Temporal Key (GTK): The random number generatoris not entirely randomIncludes message integrity checkto prevent altering and resending ofdata packets.Wireless Security Publication #1:Keystroke Recognition Using Wi-Fi SignalsWireless Security Publication #1:Keystroke Recognition Using Wi-Fi Signals Keystroke privacy is critical WiFi signals can be exploited to recognize keystrokes While typing a certain key, your hands and fingers move in a certainformation and direction, which generates a unique pattern in the timeseries of Channel State Information (CSI) values. This produces a CSI waveform This paper proposes a system to recognize keystrokes called WiKey. WiKey uses simply a router (sender) and a laptop (receiver) andachieves 97.5% detection rate for detecting keystroke, and 93.5%accuracy for continuously typed sentences.Kamran Ali, Alex X. Liu, Wei Wang, Muhammad ShahzadDept. of Computer Science and Engineering, Michigan State University, USAState Key Laboratory for Novel Software Technology, Nanjing University, China

5/2/2017Typical keystrokerecognition approaches Acoustic emission: differentkeys produce different typingsounds OR sounds from keysarrive at surroundingsmartphones at different times. Electromagnetic emission:electromagnetic emanationsfrom the circuit underneath aredifferent for each key. Computer Vision: recognizekeystrokes with a camera.Definition: Channel State Information (CSI)In wireless communications, channel state information (CSI) refers to knownchannel properties of a communication link. This information describes how asignal propagates from the transmitter to the receiver and represents thecombined effect of, for example, scattering, fading, and power decay with distance.WiKey SystemTechnicalChallenges WiFi signals can be exploited based on how keystrokes affect how the signalpropagates (affects the Channel State Information (CSI))1. Finding the beginning and theend points of individual keystrokes They call this the CSI-waveform2. Distinguishing features for eachof the 37 keys Because of high data rates, WiFi cards provide enough CSI values within the duration ofa keystroke to construct a high resolution CSI-waveform for each keystroke Typical features such as power,mean amplitude, rate of changeand signal energy cannot beused because these are almostidentical between keys. Discrete Wavelet Transform(DWT) is used to reduce thenumber of samples but stillpreserve the shape.Classification is done based onshape of the wave.

5/2/2017Steps to filtering CSI-WaveformKeystroke Waveforms1. Channel State Information: All Information about the channel state2. Noise Removal: Low Pass Filtering1. Frequencies due to hand movements are between 3Hz and 80Hz3. Noise Removal: PCA Based Filtering1. maximizes variance of data2. minimizes mean squared distance4. Keystroke Extraction5. Feature ExtractionConclusion:Keystroke Recognition Using Wi-Fi Signals WiKey achieves 97.5% detection rate for detectingkeystroke, and 93.5% accuracy for continuously typedsentences. This only works in a controlled environment.Wireless Security Publication #2:Acoustic Eavesdropping through WirelessVibrometryTeng Wei, Shu Wang, Anfu Zhou and Xinyu Zhang Future testing will be conducted in harsher wirelessenvironments.University of Wisconsin - Madison, Institute of Computing Technology, Chinese Academy of Sciences

5/2/2017Wireless Security Publication #2:Acoustic Eavesdropping through Wireless Vibrometry Acoustic eavesdropping is used to decode a lot of subtle acoustic sounds likekeystrokes and printers, but is only useful if the microphone is in closeproximity. Loudspeakers refer to anything from large entertainment systems to your PC orsmartphone loudspeakers Loudspeakers cause acoustic vibration This paper is based on decoding noises emitted by loudspeakers from adistance The vulnerability lies in the translation between acoustic vibration and radiosignal fluctuation. Contaminated radio waves can be captured by a receiver and decoded to findthe original sound coming from the loudspeakersEmissive VibrometryReflectiveVibrometry Adversary: pair of radiotransmitter and receiver Transmitter continuously sendsradio signals as receiver decodesthe sound vibration from thesignals disturbed by theloudspeaker vibrationBasic Audio-radio Transformation(ART) Algorithm Adversary: radio receiver Audio vibrations modulate theradio signal magnitude/phase Target loudspeaker is locatednear a WiFi radio on the sameplatform (smartphone) Harnesses the received signalstrength (RSS) and phaseinformation to “demodulate”acoustic signals from the targetloudspeaker. Loudspeaker’s motion causes tinyvariation in the WiFi radio’soutgoing signals, which is thenheard and recovered by thereceiver Isolates irrelevant radio signalcomponents extrapolates the audio signals projects them onto the timedomain (which is audible tohumans)

5/2/2017Demodulating Transformed Audio Get one audio sample from everym radio samples For each radio sample, wesegment it into S segmentscontaining m samples. FFT - time-frequency domaintranslation to get this closer tohuman hearing Bandpass filter to keep onlyfrequencies between 20 Hz and1500 Hz (range of human voice)Conclusion:Experimental Validation of Accuracy vs. MicrophoneWireless Security Publication #3:SafeSlinger: Easy-to-Use and Secure Public-Key ExchangeWireless Security Publication #3:SafeSlinger: Easy-to-Use and Secure Public-KeyExchangeMichael Farb - CyLab / CMUYue-Hsun Lin - CyLab / CMUTiffany Hyun-Jin Kim - CyLab / CMUJonathan McCune - Google Inc.Adrian Perrig- ETH Zürich, CyLab / CMU Security on the internet is entirely a leap of faith for users without moreadvanced knowledge SafeSlinger is a system currently on Android and iOS apps It allows users to exchange public keys between each other to supportsecure messaging and file exchange Also provides an API for importing applications’ public keys into the user’scontact information SafeSlinger proposes “secure introductions” to help ensure thatmessages sent between two people with the same public key are safe fromattackers https://www.youtube.com/watch?v IFXL8fUqNKY

5/2/2017 Comparable Security ProtocolsGoals of SafeSlingerSSL/TLS (Secure Socket Layer / Transport Layer Security) Scalable: can be done in groups Easy to use: usability of interface Portability: support heterogeneous platforms to enableinteractions among smartphones of different manufacturers andOS (operating systems) Authenticity: each user should be able to obtain correct contactinformation from other users Secrecy: contact information is only available to other groupmembers after the completion of a physical exchange toauthenticate Uses generated unique keys and TLS handshake protocol, and uses amessage authentication code (MAC) to prevent altered data. Drawbacks: Many known attacks including timing attacks on padding andRC4 (keystream) attacks. Security):PGP (Pretty Good Privacy) Encrypts data using random key, encrypts key using public key fromreceiver. Receiver decrypts random key using private key and uses that todecrypt the data. Drawbacks: Key maintenance is difficult administratively Organizations cannot secure large files this way No email receipt confirmation Cannot scan incoming PGP email with anti-virusPGPMulti-Value Commitments Cryptographic commitment protocol isused to lock an entity to the value Vwithout letting them know what V is Ex. C H(V,R) C is the commitment value, H is thecryptographic hash function that is oneway, collision free and has pseudorandom output if R is a random andunpredictable one-time use input V cannot be inferred from C Multi-Value: C H( H(V1) H(V2) ) ( concatenated with)Possible Attacks on SafeSlinger Malicious Bystander: someone who overhears thenon-digital agreement and can attack the protocol bycontrolling the local wireless communication performingMan-in-the-Middle attack Malicious Group Member: A member whoimpersonates someone else by injecting incorrectinformation for another user. Information Leakage after protocol abort: Adversarymay be able to cause a protocol abort and triggerleakage.

5/2/2017Secure Information Exchange SequenceWorks Cited1. Ali, Kamran, Alex Xiao Liu, Wei Wang, and Muhammad Shahzad. "Keystroke Recognition UsingWiFi Signals." Proceedings of the 21st Annual International Conference on Mobile Computing andNetworking - MobiCom '15 (2015): n. pag. Web.2. Wei, Teng, Shu Wang, Anfu Zhou, and Xinyu Zhang. "Acoustic Eavesdropping through WirelessVibrometry." Proceedings of the 21st Annual International Conference on Mobile Computing andNetworking - MobiCom '15 (2015): n. pag. Web.3. Farb, Michael, Yue-Hsun Lin, Tiffany Hyun-Jin Kim, Jonathan Mccune, and Adrian Perrig."SafeSlinger." Proceedings of the 19th annual international conference on Mobile computing &networking - MobiCom '13 (2013): n. pag. Web.4. "What is Wireless Network Security? - Definition from Techopedia." Techopedia.com. N.p., n.d.Web.5. "Limitations of Securing Email With PGP." CitizenTekk. N.p., 28 Sept. 2016. Web.6. https://www.cs.cmu.edu/ bapoczos/other presentations/PCA 24 10 2009.pdf7. "Wireless security." Wikipedia. Wikimedia Foundation, 27 Apr. 2017. Web.

encrypt the plain text using XOR This produces the cipher text which is then sent. 5/2/2017 . WPA2 encrypts the network with a 256-bit key and uses the encryption method called AES (Advanced Encryption Sta