- WPA: Communicate securely in a wireless local network
- DHCP: Get configurations when first connecting to a network
DHCP
- Layer: 2-3 (see below)
- Purpose: Get configurations when first connecting to a network
- Vulnerability: On-path attackers can see requests and send spoofed malicious responses
- Defense: Accept as a fact of life and rely on higher layers
Initial network configuration, used when first connecting to a network.
Steps of the DHCP handshake
- Client Discover: The client broadcasts a request for a configuration
- DHCP Offer: Any DHCP server can respond with a configuration offer
- Usually only one DHCP server responds
- The offer includes an IP address for the client, the DNS server’s IP address, and the (gateway) router’s IP address
- The offer also has an expiration time (how long the user can use this configuration)
- Client Request: The client broadcasts which configuration it has chosen
- If multiple DHCP servers made offers, the ones that were not chosen discard their offer
- The chosen DHCP server gives the offer to the client
- DHCP Acknowledgement: The chosen server confirms that its configuration has been given to the client
There is an animated diagram of this on the slides.
DHCP attacks
Again there is no way to verify the response: the client simply accepts the first response it receives (a race condition), and anyone on the same LAN can answer. So a MITM attack is possible.
ARP vs. DHCP attacks
Both: a race condition, within the same LAN.
Defense
Also hard to defend against; we need a higher layer to provide the defense.
Wireless Local Network
Wi-Fi
Layer 2 protocol
Parts of a Wi-Fi network
- Access point: A machine that will help you connect to the network
- SSID (service set identifier): The name of the Wi-Fi network
- Password: Optionally, a password to secure Wi-Fi communications
WPA2
Wi-Fi Protected Access 2 (WPA2): A protocol for securing Wi-Fi network communications with cryptography
Design goals
- Everyone with the Wi-Fi password can join the network
- Messages sent over the network are encrypted with keys
- An attacker who does not know the Wi-Fi password cannot learn the keys
WPA handshake
Ugh, this part is a bit messy...
- Both sides derive secret keys for communication
- Wi-Fi password → PSK
- PSK + nonces + MAC addresses → PTK
- The PTK is used to encrypt and authenticate all future communication
- Note: The PTK is different for every user, because of the nonces
- The access point encrypts and sends the GTK to the client
- The GTK is used for messages broadcast to the entire network
- Everyone on the network uses the same GTK
- The optimized version of the handshake decreases the number of messages sent back and forth
Optimized version
Attacks
Rogue AP: a fake AP that supplies the ANonce and carries out a MITM attack
Brute force: guess the password by brute force, because the nonces and MAC addresses are all public and known
No forward secrecy: once the PSK is known, all past traffic can be read
WPA encryption
The core problem is that every client derives its PTK from the same PSK. In a home Wi-Fi network, for example, everyone has the same password.
In some public networks, a randomly generated key is used instead of the PSK.
Attacks on WPA Enterprise
Encryption can defend against the 3 attacks above, but ARP and DHCP at the layers above remain vulnerable.
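As an added example (not code from the course or these notes), the key derivation sketched in the handshake section written out in Python: the Wi-Fi password becomes the PSK via PBKDF2-HMAC-SHA1 salted with the SSID (the standard WPA2-Personal derivation), and the PSK, nonces and MAC addresses go through the 802.11i PRF to produce the PTK. The SSID, password, MAC addresses and nonces are constructed sample values; the demo shows that two clients get different PTKs because of their nonces, and that anyone holding the shared PSK who observed the handshake derives the same TK, which is the missing forward secrecy the notes point out.

```python
import hashlib
import hmac

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Wi-Fi password -> PSK. WPA2-Personal uses PBKDF2-HMAC-SHA1 with the
    SSID as salt, 4096 iterations and a 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbytes."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(psk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PSK + nonces + MAC addresses -> PTK (384 bits for CCMP), split into
    KCK (handshake MIC key), KEK (wraps the GTK) and TK (data encryption key).
    min/max ordering makes the result independent of which side is listed first."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(psk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def demo() -> dict:
    # Constructed sample values: one AP, two clients, and the nonces that are
    # sent in the clear during the handshake (so a passive listener has them).
    password, ssid = "correct horse battery", "HomeNet"
    ap = bytes.fromhex("001122334455")
    c1, c2 = bytes.fromhex("66778899aabb"), bytes.fromhex("ccddeeff0011")
    anonce1, snonce1 = bytes(range(32)), bytes(range(32, 64))
    anonce2, snonce2 = bytes(range(64, 96)), bytes(range(96, 128))
    psk = derive_psk(password, ssid)
    ptk1 = derive_ptk(psk, ap, c1, anonce1, snonce1)
    ptk2 = derive_ptk(psk, ap, c2, anonce2, snonce2)
    # Everyone on a home network knows the password, so anyone who recorded
    # client 1's handshake recomputes exactly the same TK: no forward secrecy.
    observer = derive_ptk(derive_psk(password, ssid), ap, c1, anonce1, snonce1)
    return {
        "ptk_differs_between_clients": ptk1["TK"] != ptk2["TK"],
        "observer_recovers_tk": observer["TK"] == ptk1["TK"],
    }
```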
BGP
Border Gateway Protocol
Review the IP protocol and subnets.
[I really can't follow the video, sob; read the textbook instead]
Autonomous System
- Once your system sends the packet to the gateway, the packet has to be routed through the Internet
- The Internet is a network of networks, comprised of many autonomous systems (AS)
- Each AS handles its own internal routing
- Each AS is uniquely identified by its autonomous system number (ASN)
- Each AS is comprised of one or more LANs
- The AS can forward packets to other connected ASes
- The protocol for communicating between different Autonomous Systems is Border Gateway Protocol (BGP)
- Each router announces what networks it can provide and the path onward from the router
- The most precise route with the shortest path and no loops is the preferred route
IP and BGP attacks
- Each AS implicitly trusts the surrounding ASes and accepts advertised routes
- IP spoofing: Malicious clients can send IP packets with **source IP** values set to a spoofed value
- Edge ASes should block packets with source IPs set to the wrong value, but some don’t
- Enables packets that look like they’re coming from someone else!
- We rely on defenses provided by higher layers to further prevent this (“defense in depth”)
- BGP hijacking: A malicious autonomous system can lie and **claim to be responsible for a network that it isn't**
- Example: AS3 broadcasts that it is responsible for 128.32.0.0/16
- Now, the malicious AS can act as a MITM for traffic to 128.32.0.0!
- No real defenses at this level, so we rely on defenses from higher levels