http://www.gcn.com/vol1_no1/daily-updates/23053-1.html

08/06/03 

Wireless network attacks get a public airing 

By William Jackson 
GCN Staff

Federal grants are funding research by some very bright investigators in the
computer science departments of our nation's universities to probe the
vulnerabilities of wired and wireless networks. 

Some of the results of that research were presented today at the Security
Symposium in Washington sponsored by the USENIX Association of Berkeley,
Calif. 

A team from Stanford University, in one example, used a timing attack to
extract a private encryption key from a server across a network. In another,
researchers at the University of California at San Diego perfected
denial-of-service attacks against 802.11 wireless networks. 

Timing attacks are used to uncover secret information by observing the time
it takes a system to respond to various queries, said David Brumley, of
Stanford. 

While such attacks have been used to get private keys from hardware security
tokens such as smart cards, it has been believed that the variety of
processes running on general purpose servers would make such attacks
ineffective in that environment. 

"We successfully mounted our timing attack between two machines on our
campus network," Brumley said. "The attack machine and the server were in
different buildings with three routers and multiple switches between them." 

The work was funded by a National Science Foundation grant. Using a series
of mathematical functions too complex for a layman to follow, Brumley and a
partner, Dan Boneh, were able to extract an OpenSSL private key on an Apache
Web server. 

The process was not simple. It took about two hours and from 350,000 to 1.4
million queries to obtain the key, but that is a small fraction of the time
it would take to obtain a key through a brute-force attack, the criterion
generally used for determining the security of an encryption scheme. 

The attack can be defended against by a process known as blinding, which
modifies an encryption exponent with a random number. 

It is easy to launch denial of service attacks against wireless networks by
jamming or flooding the radio frequencies they use for communication. 

But in a program funded by the Defense Advanced Research Projects Agency and
the National Institute of Standards and Technology, a pair of researchers at
UC San Diego exploited vulnerabilities in the 802.11 protocol itself. 

John Bellardo demonstrated the process, shutting down traffic to a targeted
notebook computer that was using the wireless network provided for the
conference. He then interrupted traffic to most of the other notebooks in
the conference room. 

He blocked the traffic by spoofing deauthentication packets, which are used
to break connections between a user node and a wireless access point. Once a
deauthentication request has been received from an authenticated user, the
access point will no longer process data from that user. 

The attack can be defended against by patching access points to have them
"hold" a deauthentication packet for several seconds before acting on it. If
the user that supposedly requested deauthentication immediately sends data,
the access point ignores the request. 
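
The hold-and-check defense described above, modeled as an added example (not code from the article or from the researchers). The 5-second hold, the station addresses and the frame trace are constructed assumptions; a hold of 0 stands in for an unpatched access point.

```python
from dataclasses import dataclass, field

HOLD_SECONDS = 5.0  # assumption: the article says only "several seconds"

@dataclass
class AccessPoint:
    associated: set
    hold: float = HOLD_SECONDS
    pending: dict = field(default_factory=dict)  # station -> time deauth arrived
    log: list = field(default_factory=list)

    def expire(self, now):
        """Act on queued deauths whose hold time passed with no data seen."""
        for src, t in list(self.pending.items()):
            if now - t >= self.hold:
                del self.pending[src]
                self.associated.discard(src)
                self.log.append((now, src, "deauthenticated"))

    def on_frame(self, now, kind, src):
        """Handle one frame; return True if a data frame was accepted."""
        self.expire(now)
        if src not in self.associated:
            return False
        if kind == "deauth":
            self.pending.setdefault(src, now)  # queue it, do not act yet
            return False
        # Any other frame kind is treated as data in this model.
        if src in self.pending:
            # A station that really asked to leave would not keep sending.
            del self.pending[src]
            self.log.append((now, src, "deauth-discarded"))
        return True

# Constructed trace: (seconds, frame kind, claimed source address)
A, B = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
TRACE = [
    (0.0, "data", A),
    (1.0, "deauth", A),  # spoofed: the real station A keeps sending
    (1.2, "data", A),
    (2.0, "deauth", B),  # genuine: station B goes quiet afterwards
    (9.0, "data", A),
]

def replay(trace, hold):
    """Feed the trace to a fresh access point; return it and per-frame results."""
    ap = AccessPoint(associated={A, B}, hold=hold)
    return ap, [ap.on_frame(t, kind, src) for t, kind, src in trace]
```

With the hold in place, station A's traffic keeps flowing and the spoofed request is logged as discarded, while station B's genuine request still takes effect once the hold expires.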

"The deauthentication packet is probably the most immediate concern," in a
wireless denial-of-service attack, Bellardo said. There are many other
threats in wireless networking, he said, but "you have to start one hole at
a time." 
