Transcript ECE/CS 4984: Lecture 11
Wireless Networks and Mobile Systems
Lecture 12
Mobile Networks: Security in Wireless LANs and Mobile Networks

Lecture Objectives
● Introduce security vulnerabilities and defenses
● Describe security functions in
  ■ Basic mechanisms
  ■ WiFi Protected Access (WPA)
  ■ IEEE 802.11i
● Describe some other security issues

References
● J. F. Kurose and K. W. Ross, Computer Networking: A Top-Down Approach Featuring the Internet, 2nd ed., Addison Wesley, 2003, Chapter 7.
● T. Karygiannis and L. Owens, “Wireless Network Security: 802.11, Bluetooth, and Handheld Devices,” NIST Special Publication 800-48, Nov. 2002.
  ■ http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf
● WiFi Protected Access (WPA)
  ■ http://www.wi-fi.org/OpenSection/protected_access.asp

Agenda
● Security vulnerabilities and objectives
● Security mechanisms
● Basic security features in IEEE 802.11
● Improving WLAN security
● Augmenting WLAN security
● Other security issues

Wireless Magnifies Exposure Vulnerability
● Information going across the wireless link is exposed to anyone within radio range
  ■ RF may extend beyond a room or a building
  ■ Infrared limited to a room
● Traditional wireline networks benefit from physical security
  ■ Access to the wire is required to gain information
  ■ Switched networks further reduce exposure
Figure callout: Sniffing is easy

Mobility Makes it Difficult to Establish Trust
● A mobile user must connect to a network component (e.g., an access point) that is physically hidden
  ■ Problem on both home and foreign networks
● Mobility on foreign networks -- service providers are unknown and, perhaps, not trusted
  ■ Access points
  ■ Foreign agents
  ■ DHCP servers
Figure callout: Is this my AP?

Lack of Infrastructure
● Lack of security infrastructure
  ■ Authentication servers
  ■ Certificate authorities
● Unknown nodes providing service
  ■ Intermediate nodes for ad hoc routing
Figure callout: Can intermediate node be trusted?

System Design Issues
● Mobile form factor
  ■ Desire low power consumption
    ○ Minimize computation
    ○ Minimize network communication
  ■ Constrained by low processing capabilities
  ■ Constrained by limited link capacity
● Need cryptographic and other security-related algorithms to be simple
● Need to minimize communications overhead for security protocols

Secure Communications (1)
● Privacy or confidentiality
  ■ The intended recipients know what was being sent but unintended parties cannot determine what was sent
  ■ Requires some form of encryption and decryption
    ○ Encryption at the sender
    ○ Decryption at the receiver using a public or private (secret) key to decode the encrypted information
● Authentication
  ■ Confirms the identity of the other party in the communication
  ■ Assures that
    ○ The claimed sender is the actual sender
    ○ The claimed receiver is the actual receiver

Secure Communications (2)
● Message integrity and non-repudiation
  ■ Data integrity – data is transmitted from source to destination without undetected alteration
  ■ Non-repudiation – prove that a received message came from a claimed sender
● Availability and access control
  ■ Ensures availability of resources for the intended users
  ■ Controls access to resource

Link Versus End-to-End Security
Figure labels: End-to-End Security, Link Security
● End-to-end security
  ■ Provided by network (e.g., IPsec), transport (e.g., SSL), and/or application layer (e.g., application-specific)
● Link security
  ■ Provided by link layer (e.g., IEEE 802.11 WEP, WPA, or IEEE 802.11i)

Security Objectives (1)
● Major concerns at the link layer
  ■ Authentication (but, related to access control)
  ■ Privacy
  ■ Integrity
● Major concerns at the network layer (e.g., IPsec)
  ■ Authentication
  ■ Privacy
  ■ Integrity

Security Mechanisms (2)
● Security mechanisms at the transport layer (e.g., SSL) and in applications may deal with all objectives
  ■ Authentication
  ■ Privacy
  ■ Integrity
  ■ Access control

Agenda
● Security vulnerabilities and objectives
● Security mechanisms
● Basic security features in IEEE 802.11
● Improving WLAN security
● Augmenting WLAN security
● Other security issues

Cryptography
Figure: Plaintext → Encryption ($K_A$) → Ciphertext → Decryption ($K_B$) → Plaintext
● Symmetric (private) key cryptography
  ■ Sender and receiver keys are identical ($K_A = K_B$)
● Asymmetric (public) key cryptography
  ■ Sender (encryption) key ($K_A$) is public
  ■ Receiver (decryption) key ($K_B \neq K_A$) is private

Public Key Cryptography
● Unlike a private key system, one can publish the key for encryption in a public key encryption system
Figure: Plaintext $m$ → Encryption (public key $K_B^+$) → Ciphertext $K_B^+(m)$ → Decryption (private key $K_B$) → Plaintext $m = K_B(K_B^+(m))$

Authentication with Private Key Cryptography
● Authentication can be implemented with symmetric (private) key cryptography
Figure (message exchange between A and B):
  A → B: Claim “A”
  B → A: R (B generates a one time “nonce”)
  A → B: K(R) (A encrypts R; B decrypts K(R) to recover R)
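
The exchange on this slide, written out for both sides as an added example (not part of the original slides). It assumes HMAC-SHA256 in place of the slide's K(R) encryption, and the class and function names are hypothetical; the point it shows is why R must be one-time: a recorded reply fails against the next challenge.

```python
import hashlib
import hmac
import secrets

class Verifier:
    """B on the slide: issues a one-time nonce R and checks the reply."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = {}                      # claimed identity -> outstanding R

    def challenge(self, claimed_id: str) -> bytes:
        nonce = secrets.token_bytes(16)         # fresh 128-bit R per attempt
        self._pending[claimed_id] = nonce
        return nonce

    def verify(self, claimed_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(claimed_id, None)   # each R is usable once
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def respond(shared_key: bytes, nonce: bytes) -> bytes:
    """A on the slide: proves knowledge of K by transforming R with it."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()

def run_demo():
    key = b"constructed-demo-key"               # constructed sample value
    b = Verifier(key)
    r1 = b.challenge("A")
    reply1 = respond(key, r1)
    accepted = b.verify("A", reply1)            # correct key, current nonce
    b.challenge("A")                            # new attempt, new R
    replayed = b.verify("A", reply1)            # recorded reply is stale
    r3 = b.challenge("A")
    wrong_key = b.verify("A", respond(b"other-key", r3))
    return accepted, replayed, wrong_key
```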

Authentication with Public Key Cryptography
● Use of public key avoids shared key problem
● Vulnerable to “man-in-the-middle” attack
Figure (message exchange between A and B; $K_A^+$: A’s public key, $K_A$: A’s private key):
  A → B: Claim “A”
  B → A: R
  A → B: $K_A(R)$
  B → A: Key Request
  A → B: $K_A^+$
  B: Compute $K_A^+(K_A(R)) = R$. Sender must have used private key of A, so it is A

Agenda
● Security vulnerabilities and objectives
● Security mechanisms
● Basic security features in IEEE 802.11
  ■ Authentication
  ■ Privacy
● Improving WLAN security
● Augmenting WLAN security
● Other security issues

IEEE 802.11 Security
● Security was not thoroughly addressed in the original IEEE 802.11 standard
  ■ Based on Wired Equivalent Privacy (WEP)
  ■ Objective is to not compromise security when compared to a standard wired LAN (e.g., Ethernet) – but what does this really mean?
● Evolution
  ■ Long-term: IEEE 802.11i
  ■ Short-term: WiFi Protected Access (WPA)

IEEE 802.11: Authentication (1)
● IEEE 802.11 supports two authentication schemes
  ■ Open system “authentication”
  ■ Shared key authentication
● Authentication management frames used in a transaction to establish authentication
  ■ Authentication algorithm number
  ■ Authentication transaction sequence number
  ■ Status code
● Deauthentication management frame sent to terminate an association
  ■ Reason code

IEEE 802.11: Authentication (2)
● Open system “authentication” is really just a placeholder for systems that do not wish to implement true authentication
  ■ One station asserts its identity
  ■ The other station responds with success
● Shared key authentication
  ■ Both stations must have a copy of a WEP key
  ■ Station proves identity by encrypting and returning challenge text
  ■ 128-bit challenge text based on RC4 stream cipher
● Shared key authentication only authenticates the station to the AP, not the AP to the station!

IEEE 802.11: Shared Key Authentication
● Uses private key authentication scheme shown earlier
Figure (message exchange between STA and AP):
  STA → AP: identity assertion
  AP → STA: identity assertion / challenge text (128-bit one-time nonce)
  STA → AP: encrypted text (encrypted using shared WEP key)
  AP → STA: success/failure (after the encrypted text is decrypted using shared WEP key)

IEEE 802.11: Deauthentication
● A station can terminate an authentication association with another station by sending that station a deauthentication frame
  ■ Contains just a reason code, e.g., sending station is leaving the BSS or ESS

IEEE 802.11: Privacy
● Based on Wired Equivalent Privacy (WEP)
● MAC at sender encrypts frame body of data frames
  ■ Headers and non-data frames are not encrypted
  ■ Does not protect against data analysis attacks
● MAC at receiver decrypts and passes data to higher level protocol
● Uses RC4 symmetric stream cipher
  ■ Same key at sender and receiver
  ■ Can be applied to variable length data
● Key distribution not addressed in standard

WEP Data Encryption
● Host/AP share 40-bit symmetric key
  ■ Semi-permanent WEP key
  ■ May be longer (e.g., 128 bits)
● Host appends 24-bit initialization vector (IV) for each frame to create a 64-bit key
  ■ 152-bit key with 128-bit WEP key
● The 64-bit key is used to generate a stream of keys, $k_i^{IV}$, using RC4 private key stream cipher algorithm
  ■ Key $k_i^{IV}$ is used to encrypt byte $i$, $d_i$, in the frame
    ○ $c_i = d_i \text{ XOR } k_i^{IV}$ (XOR is exclusive-or)
  ■ Initialization vector (IV) and the encrypted bytes, $c_i$, are sent in the frame

WEP Encryption at the Sender
Figure: $K_S$ and IV → Key Sequence Generator ($K_S$ = shared WEP key)
  Key sequence:    $k_1^{IV}$  $k_2^{IV}$  …  $k_N^{IV}$  $k_{N+1}^{IV}$  …  $k_{N+4}^{IV}$
  Data and CRC:    $d_1$  $d_2$  …  $d_N$  $crc_1$  …  $crc_4$  (CRC supports integrity)
  Encrypted bytes: $c_1$  $c_2$  …  $c_N$  $c_{N+1}$  …  $c_{N+4}$
  Frame layout:    802.11 Header | IV | WEP-encrypted data and CRC

WEP Encryption Vulnerability
● Initialization vectors are 24 bits in length and a new one is used each frame, so IVs are eventually reused
● IVs are transmitted in plaintext, so IV reuse can be detected just by packet sniffing
● Attack
  ■ An intruder causes a host to encrypt known plaintext, $d_1, d_2, d_3, \dots$
  ■ The intruder sees $c_i = d_i \text{ XOR } k_i^{IV}$
  ■ The intruder knows $c_i$ and $d_i$, so it can compute $k_i^{IV}$
  ■ The intruder knows encrypting key sequence $k_1^{IV}, k_2^{IV}, k_3^{IV}, k_4^{IV}, \dots$
  ■ The next time that the same IV is used, the intruder can decrypt
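
The WEP encryption of the last three slides and the keystream reuse they describe, as an added example that is not part of the original slides. The frame is simplified to IV || encrypted (data + CRC) with no 802.11 header, the function names are hypothetical, and the key, IVs and payloads are constructed sample values.

```python
import zlib
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4: key scheduling, then n bytes of keystream k_1..k_n."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input

def wep_encrypt(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Return IV || c_1..c_{N+4}; the RC4 key for the frame is IV || K_S."""
    body = data + zlib.crc32(data).to_bytes(4, "little")
    return iv + xor(body, rc4_keystream(iv + wep_key, len(body)))

def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    iv, cipher = frame[:3], frame[3:]
    body = xor(cipher, rc4_keystream(iv + wep_key, len(cipher)))
    data, crc = body[:-4], body[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != crc:
        raise ValueError("CRC mismatch")
    return data

def reused_ivs(frames):
    """Audit check: cleartext IVs that appear on more than one frame."""
    counts = Counter(f[:3] for f in frames)
    return sorted(iv for iv, n in counts.items() if n > 1)

def recover_with_known_plaintext(known_frame, known_data, other_frame):
    """The slide's steps: k_i = c_i XOR d_i, reused on a frame with the same IV."""
    if known_frame[:3] != other_frame[:3]:
        raise ValueError("frames must share an IV")
    keystream = xor(known_frame[3:], known_data)
    return xor(other_frame[3:], keystream)

# Constructed sample values (not from any real network)
KEY = bytes.fromhex("0102030405")               # 40-bit WEP key
IV = b"\x00\x00\x2a"                            # 24-bit IV, used twice below
f1 = wep_encrypt(KEY, IV, b"GET /index.html HTTP/1.0")
f2 = wep_encrypt(KEY, IV, b"password=hunter2")
f3 = wep_encrypt(KEY, b"\x00\x00\x2b", b"unrelated frame")
```

The recovery never touches `KEY`: only the keystream for that IV is learned, which is why a larger IV space and per-packet keys (TKIP, later in the lecture) address it.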

IEEE 802.11: Security Weaknesses (1)
● WEP encryption is flawed, affecting privacy and authentication
  ■ Static WEP keys leave encryption vulnerable
  ■ Initialization vectors sent in the clear
  ■ Generation of IVs may be weak
    ○ Not specified in the standard
    ○ All NICs from a vendor may generate the same sequence of IVs or the IV may be a fixed value
  ■ Exposed IV (revealing part of key) plus weakness of RC4 make WEP vulnerable to analysis
  ■ Can be broken for a busy network by a contemporary personal computer – about 10 hours for sniffing and a few seconds to “guess” the key

IEEE 802.11: Security Weaknesses (2)
● Integrity check based on CRC
  ■ Relatively weak compared to a hash or message authentication scheme
  ■ Introduces vulnerabilities for certain kinds of attacks
● Unilateral challenge-response used for authentication vulnerable to “man-in-the-middle” attack
● Asymmetric authentication
  ■ Station cannot authenticate AP
  ■ Key management is not addressed by the standard
    ○ Very complex task, especially for a large network

IEEE 802.11: Security Weaknesses (3)
● “Out-of-the-box” default is usually no security
  ■ Ease of deployment and ease of operation for users
  ■ Lots of WLANs with no security configured!

Agenda
● Security vulnerabilities and objectives
● Security mechanisms
● Basic security features in IEEE 802.11
● Improving WLAN security
● Augmenting WLAN security
● Other security issues

Improving IEEE 802.11 Security
● RSA Security’s Fast Packet Rekeying
● WiFi Alliance’s WiFi Protected Access (WPA)
● IEEE 802.11 Technical Group i (IEEE 802.11i)

Fast Packet Rekeying
● Generates a unique key to encrypt each network packet on the WLAN
● Hashing technique used to rapidly generate per-packet keys
● The IEEE 802.11 group has approved fast packet rekeying as a fix for WEP security weaknesses

WiFi Protected Access
● WiFi Protected Access (WPA) is intended as a near term solution to the IEEE 802.11 security problem
  ■ Software-only updates – requires update to AP firmware and NIC driver
  ■ A subset of the more extensive IEEE 802.11i techniques
● Based on two main functions
  ■ 802.1x port-based access control
  ■ Temporal Key Integrity Protocol (TKIP)

IEEE 802.1x Port-Based Access Control
● Allows use of upper-layer authentication protocols
  ■ AP and station can authenticate each other
  ■ Integrates with IETF’s Extensible Authentication Protocol (EAP)
    ○ See RFC 2284
  ■ Authentication can be…
    ○ On the AP
    ○ Use a backend server, e.g., with RADIUS
● Allows use of session keys
  ■ 802.1x keys can be changed each session
  ■ Standard WEP keys are semi-permanent

Temporal Key Integrity Protocol
● Extends the initialization vector (IV) space beyond 24 bits
● Uses key construction for each packet
● Improves cryptographic integrity check beyond CRC used in WEP
● Supports key derivation and distribution

IEEE 802.11i
● IEEE 802.11i also known as Robust Security Network (RSN)
  ■ Longer-term solution (but should be available very soon)
  ■ Requires hardware replacements for APs and NICs
● Superset of WPA – includes…
  ■ IEEE 802.1x port-based access control
  ■ Temporal Key Integrity Protocol (TKIP)
● Includes support for Advanced Encryption Standard (AES) for confidentiality and integrity

Advanced Encryption Standard
● The Advanced Encryption Standard (AES) is published by NIST as the successor to Data Encryption Standard (DES)
● Operation
  ■ 128-byte blocks of data (cleartext)
  ■ 128-, 192-, or 256-bit symmetric keys
● NIST estimates that a machine that can break 56-bit DES key in 1 second would take about 149 trillion years to crack a 128-bit AES key (unless someone is very lucky)

Agenda
● Security vulnerabilities and objectives
● Security mechanisms
● Basic security features in IEEE 802.11
● Improving WLAN security
● Augmenting WLAN security
● Other security issues

Mitigating Risk*
● Management countermeasures
  ■ For example, standardizing AP settings and controlling use of WLANs within an organization
● Operational countermeasures
  ■ For example, controlling coverage area of APs
● Technical countermeasures
  ■ Access point configuration
  ■ Firmware and software updates
  ■ Personal firewalls
  ■ Intrusion detection systems (IDS)
  ■ Maximizing WEP key length
  ■ Security audits
  ■ Virtual private networks
* Karygiannis and Owens, 2002

Virtual Private Networks
Figure labels: VPN Tunnel, Link Security, VPN Server
● Using a VPN (e.g., based on IPsec) above the WLAN provides the security present in the environment of the VPN server

Agenda
● Security vulnerabilities and objectives
● Security mechanisms
● Basic security features in IEEE 802.11
● Improving WLAN security
● Augmenting WLAN security
● Other security issues

Bluetooth
● While generally more secure than IEEE 802.11, there are vulnerabilities
● More information…
  ■ C. T. Hager and S. F. Midkiff, “Demonstrating Vulnerabilities in Bluetooth Security,” IEEE Global Telecommunications Conference (GLOBECOM), Vol. 3, Dec. 1-5, 2003, pp. 1420-1424.
  ■ C. T. Hager and S. F. Midkiff, “An Analysis of Bluetooth Security Vulnerabilities,” IEEE Wireless Communications and Networking Conference, Vol. 3, March 16-20, 2003, pp. 1825-1831.

Mobile Networks
● Security vulnerabilities in Mobile IP
  ■ Rogue Foreign Agents
  ■ Impersonating a Home Agent
  ■ Impersonating a Mobile Host to redirect traffic
  ■ Reducing security to enable Mobile IP – router at foreign network
● Security vulnerabilities in mobile ad hoc networks (MANETs)
  ■ Generating faulty routing information
  ■ Snooping on relayed traffic
  ■ Refusing to route
  ■ Power-oriented attacks

Summary
● Examined the basic objectives of security and fundamental approaches to cryptography and authentication
● IEEE 802.11 security features (which are flawed)
  ■ Authentication
  ■ Privacy and integrity
● Solutions to IEEE 802.11’s security problems
  ■ WiFi Protected Access (WPA)
  ■ IEEE 802.11i – Robust Security Network (RSN)
● Higher layer security methods can also address WLAN security problems
● Other security issues in wireless and mobile systems