Distributed Systems Security
PD Dr. Dennis Pfisterer
Institut für Telematik, Universität zu Lübeck
http://www.itm.uni-luebeck.de/people/pfisterer
Protocols (Physical/Data-Link Layer)
Overview
• Security on Different Layers
• Security on Physical & Data-Link Layer
– Mostly security in wireless networks
– Bluetooth
– GSM / GPRS / UMTS
– Wireless LANs (IEEE 802.11a/b/g, 802.11i)
Security - 07 Physical/Data Link Layer #2
Security on Different Layers
• Where do we place security mechanisms?
– Pros and cons on different protocol layers?
• Physical / Data-Link Layer
– E.g., Bluetooth, WEP/WPA/WPA2 in WLAN
• Network Layer
– E.g., IPSec, L2TP
• Transport Layer
– E.g., SSL/TLS
• Application Layer
– E.g., PGP, Kerberos
Figure: protocol stacks showing where each mechanism sits. WEP at the MAC/PHY layer below LLC and IP; IPSec at the IP layer below TCP/UDP (HTTP, FTP, SMTP above); SSL/TLS between TCP/UDP and HTTP/FTP/SMTP; S/MIME, PGP, SET and Kerberos in the application layer above TCP/UDP, with LLC/MAC at the bottom.
Security in Lower Layers (PHY, DL)
• Protection of (some) individual links
+ Transparent for upper layers (i.e., IP, TCP, and application)
+ Minimal changes in protocol stack
– Security for single hops only
– No end-to-end security
– Not flexibly controllable by applications
Figure: link-by-link protection, e.g. a directional radio link secured on one hop only
Security in Network/Transport Layer
• Protection on the IP and/or TCP/UDP layer
+ Transparent for applications on network layer (IP → IPSec)
+ End-to-end security across unsecure infrastructures
+ Complete connections securable (e.g., using VPNs)
+ Transport layer security controllable by / visible to applications (e.g., https instead of http)
– IPSec not controllable by / visible to applications
– Transport layer (TCP over TLS) requires application changes
Figure: end-to-end connection security across a directional radio hop for any application layer protocol (e.g., FTP, Web Apps, SMTP, POP, IMAP, ...)
Security in Application Layer
• Application security provided by the application
+ Flexibly controllable by applications
– Each application has its own custom-tailored security services
– No synergy between different applications
– E.g., Kerberos, S/MIME, PGP, GnuPG provide their own implementations
Figure: end-to-end connection security across a directional radio hop via a secure application layer protocol (e.g., PGP, S/MIME, SMTPs, POPs, IMAPs, ...)
Bluetooth
Bluetooth (IEEE 802.15.1)
• Universal radio interface for ad-hoc wireless connectivity
– Interconnect computers, peripherals, handhelds, smart phones, …
– Replacement of Infrared Data Association (IrDA) technology
• Embedded in other devices
– Goal: less than 5€/device
– Short range (10 m)
– Low power consumption
– Voice and data transmission (~1 Mbit/s)
Bluetooth Versions
Version | Changes | Year
1.0 / 1.0B | Non-standard, bad interoperability, never deployed at scale |
1.1 | Adds Received Signal Strength Indication (RSSI) | 2002
1.2 | Less susceptible to noise due to adaptive frequency-hopping spread spectrum (AFH) | 2003
2.0 + EDR | Support for higher speeds (~2 Mbit/s) | 2004
2.1 + EDR | Adds secure simple pairing and support for quality of service | 2007
3.0 + HS | Discontinued | 2009
4.0 | „Low Energy“ protocol stack and profiles (<5 ms for connection setup), AES encryption | 2009
Characteristics
• Time division multiplexing for send/receive separation
• Voice transmission
– SCO (Synchronous Connection Oriented) traffic
– FEC (forward error correction), no retransmission
– 64 kbit/s duplex, point-to-point, circuit switched
• Data transmission
– ACL (Asynchronous ConnectionLess) traffic
– Asynchronous, packet switched traffic support
– 433.9 kbit/s symmetric traffic
– 723.2 / 57.6 kbit/s asymmetric
Characteristics
• 2.4 GHz ISM band, 79 channels, 1 MHz spacing (2402…2480 MHz)
• Range / Device classes
– class 1 (100 mW); ~100 m
– class 2 (2,5 mW); ~10 m
– class 3 (1 mW); ~10 cm
• Frequency hopping with 1600 hops/s
– Hopping sequence in a pseudo random fashion, determined by a master
Frequency Hopping
• Can it be used as a security mechanism?
Bluetooth Piconet
• Collection of devices connected in an ad-hoc fashion
• One unit acts as master
– Others are slaves for the lifetime of the Piconet
– Up to 7 simultaneous slaves per Piconet (> 200 could be parked)
• Master determines hopping pattern, slaves have to synchronize
– Each Piconet has a unique hopping pattern
– Participation in a Piconet = synchronization to hopping sequence
Figure: a Piconet with one master (M), active slaves (S), parked devices (P) and standby devices (SB)
Bluetooth Security
Figure: Bluetooth key hierarchy. Pairing: the user-entered PIN (1-16 byte) is fed into E2 to generate the 128-bit link key (authentication key generation, permanent storage), which is then used for authentication. Encryption: E3 derives the 128-bit encryption key (encryption key generation, temporary storage) from the link key; a payload key drives the keystream generator that ciphers the data.
Bluetooth Rifle
• Description of an Attack against Bluetooth
– Details: http://www.tomsguide.com/us/how-to-bluesniper-pt1,review-408-9.html
• „Rifle“ enables communication across large distances ~1km with standard Bluetooth devices
• What kind of Attacks?
Image source: http://www.tomsguide.com/us/how-to-bluesniper-pt1,review-408.html
How can we attack confidentiality? See below! Does it ring a bell?
Security Issue | Remark
Short PINs are allowed. | Weak PINs, which are used for the generation of link and encryption keys, can be easily guessed. People tend to select short PINs.
Attempts for authentication are repeated. | A limiting feature needs to be incorporated in the specification to prevent unlimited requests. The Bluetooth specification currently requires a time-out period between repeated attempts that will increase exponentially.
Security Summary Bluetooth
• Prior to Bluetooth v2.1, encryption is not required and can be turned off at any time. Moreover, the encryption key is only good for approximately 23.5 hours; using a single encryption key longer than this time allows simple XOR attacks to retrieve the encryption key.
– Turning off encryption is required for several normal operations, so it is problematic to detect if encryption is disabled for a valid reason or for a security attack.
– Bluetooth v2.1 addresses this in the following ways:
• Encryption is required for all non-SDP (Service Discovery Protocol) connections
• A new Encryption Pause and Resume feature is used for all normal operations requiring encryption to be disabled. This enables easy identification of normal operation from security attacks.
– The encryption key is required to be refreshed before it expires.
• Link keys may be stored on the device file system, not on the Bluetooth chip itself. Many Bluetooth chip manufacturers allow link keys to be stored on the device; however, if the device is removable this means that the link key will move with the device.
GSM / GPRS / UMTS
Global System for Mobile Communication
• Pan-European standard
– From European Telecommunications Standardization Institute (ETSI)
• Many providers world-wide use GSM
– 219 countries in Asia, Africa, Europe, Australia, and America
– >4,2 billion subscribers in >700 networks
– >75% of all digital mobile phones use GSM
– >29 billion SMS in Germany in 2008 (>10% of revenues of many operators)
– More information: http://www.gsma.com
GSM: Goals and Features
• Goal of GSM
– Replace analog telephony systems (e.g., A-/B-/C-networks in Germany)
– Create a „mobile ISDN“
– Digital mobile telephony system allowing Europe-wide user mobility
– Mobile data services
• Features
– Communication: mobile and wireless; support voice and data
– Mobility: international access, SIM enables use of different providers
– Worldwide connectivity (one number, network handles localization)
– High quality: high audio quality and uninterrupted phone calls
– Security: access control, authentication via chip-card and PIN
GSM: Architecture
Figure: GSM architecture. Radio Subsystem (RSS): MS + SIM, several BTS per BSC. Network and Switching Subsystem (NSS) with Operation Subsystem (OSS): MSC, GMSC, VLR, HLR, OMC, EIR, AUC, connected to the fixed network.
Abbreviations: (G)MSC: (Gateway) Mobile Switching Center; BSC: Base Station Controller; BTS: Base Transceiver Station; HLR, VLR: Home/Visitor Location Register; OMC: Operation and Maintenance Center; EIR: Equipment Identity Register; AUC: Authentication Center; MS: Mobile Station
SIM Card: Features
• SIM: Subscriber Identity Module
– Stores International Mobile Subscriber Identity (IMSI) and Unique Serial Number (ICCID)
– Contains key material to identify and authenticate subscribers
– Two passwords: personal identification number (PIN) and Personal Unblocking Code (PUK) for PIN unlocking
• Hardware
– 8 or 16 bit CPU with 10 MHz clock rate, 40-100 kByte ROM, 1-3 kByte RAM, 16-64 kByte EEPROM
• Software
– Simple file system (three types of files, directory tree)
– Special communication protocol for SIM card access specified
GSM Security
• GSM intended to be no more vulnerable than a fixed phone
– It’s a phone, not a “secure communications device”
• Access control and authentication
– User → SIM: secret PIN (personal identification number)
– SIM → network: challenge response method
• Confidentiality
– Voice, data, and signaling traffic encrypted on the wireless link
• Anonymity
– TMSI (Temporary Mobile Subscriber Identity) newly assigned after each location update
– Avoids tracking the location of users
GSM Security: Algorithms
• Three algorithms specified in GSM
– A3 for authentication (“secret”, open interface)
– A5 for encryption (standardized)
– A8 for key generation (“secret”, open interface)
• “Secrecy” of these algorithms
– Kind of “security through obscurity”
– A3 and A8 available via the Internet
• Network providers can use stronger mechanisms
GSM Security: A5 Algorithm
• Currently defined: A5/1, A5/2 and A5/3
• A5 algorithms are standardized to ensure global interoperability
• GSM phones currently (2012) support A5/1 and A5/2
– Most networks use A5/1, some use A5/2
– A5/1 considered unsecure, can be broken in real-time [gsm-a5-1]
– A5/1 and A5/2 specifications have restricted distribution but the details have been discovered and cryptanalysis has been published
• A5/3 quite new and will be phased in over the next few years
– A5/3 is a codename for the block cipher KASUMI
– Only limited deployment in Europe [gsmmap]
GSM: Authentication
Figure: GSM challenge-response authentication. The Authentication Center generates a 128-bit RAND and computes SRES* = A3(RAND, Ki) (32 bit) with the subscriber's 128-bit Ki; the Mobile Switching Center (MSC) sends RAND to the SIM, which computes SRES = A3(RAND, Ki) with its own copy of Ki and returns it; the MSC checks SRES* =? SRES.
Ki: individual subscriber authentication key; SRES: signed response
GSM: Key Generation and Encryption
Figure: the Authentication Center and the SIM both derive the 64-bit cipher key Kc = A8(RAND, Ki) from the same 128-bit RAND and Ki; the Broadcasting Subsystem (BSS) and the Mobile Station (MS) then encrypt and decrypt the data on the radio link with A5 under Kc.
Kc: cipher key
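The two figures above as an added, runnable exchange (example code written for this page, not from the lecture or from any GSM implementation). The AuC hands the MSC/VLR a triplet (RAND, SRES*, Kc), the MSC challenges the SIM and compares, and both ends hold Kc afterwards while Ki never leaves the AuC or the SIM. A3 and A8 are stand-ins here (assumption: an HMAC-SHA256 PRF truncated to 32 and 64 bits), since the operator-specific algorithms are not on the page; the IMSI and Ki values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// a3 and a8 are stand-ins (assumption): a keyed PRF truncated to the GSM
// output widths. The operator-specific A3/A8 are not part of this page.
func a3(ki, rnd []byte) []byte { return prf(ki, "A3", rnd)[:4] } // SRES: 32 bit
func a8(ki, rnd []byte) []byte { return prf(ki, "A8", rnd)[:8] } // Kc: 64 bit

func prf(ki []byte, label string, rnd []byte) []byte {
	m := hmac.New(sha256.New, ki)
	m.Write([]byte(label))
	m.Write(rnd)
	return m.Sum(nil)
}

// Triplet is what the Authentication Center hands to the MSC/VLR.
// Ki itself never leaves the AuC (or the SIM).
type Triplet struct {
	RAND []byte // 128 bit challenge
	SRES []byte // 32 bit expected signed response (SRES*)
	Kc   []byte // 64 bit cipher key for A5 on the radio link
}

// AuC stores Ki per IMSI and produces triplets on request.
type AuC struct{ keys map[string][]byte }

func (a *AuC) Triplet(imsi string) (Triplet, error) {
	ki, ok := a.keys[imsi]
	if !ok {
		return Triplet{}, errors.New("unknown IMSI")
	}
	rnd := make([]byte, 16)
	if _, err := rand.Read(rnd); err != nil {
		return Triplet{}, err
	}
	return Triplet{RAND: rnd, SRES: a3(ki, rnd), Kc: a8(ki, rnd)}, nil
}

// SIM holds the subscriber's Ki. It answers every RAND it receives: nothing
// in the exchange lets it verify who sent the challenge (the network is not
// authenticated; UMTS adds mutual authentication for exactly this reason).
type SIM struct {
	IMSI string
	ki   []byte
}

func (s *SIM) Respond(rnd []byte) (sres, kc []byte) {
	return a3(s.ki, rnd), a8(s.ki, rnd)
}

// Authenticate is the MSC/VLR side: forward RAND to the SIM, compare the
// returned SRES with SRES* from the triplet in constant time, and on success
// hand out the Kc the BSS will use; the SIM derived the same Kc itself.
func Authenticate(t Triplet, sim *SIM) ([]byte, error) {
	sres, _ := sim.Respond(t.RAND)
	if !hmac.Equal(sres, t.SRES) {
		return nil, errors.New("SRES mismatch: authentication failed")
	}
	return t.Kc, nil
}

func main() {
	ki := []byte("constructed-Ki16") // constructed 128-bit Ki shared by AuC and SIM
	imsi := "262010123456789"        // constructed IMSI
	auc := &AuC{keys: map[string][]byte{imsi: ki}}
	sim := &SIM{IMSI: imsi, ki: ki}

	trip, err := auc.Triplet(imsi) // AuC -> MSC/VLR
	if err != nil {
		panic(err)
	}
	kc, err := Authenticate(trip, sim) // MSC/VLR <-> SIM
	fmt.Printf("authenticated: %v, Kc=%x\n", err == nil, kc)

	_, kcSIM := sim.Respond(trip.RAND)
	fmt.Println("SIM holds the same Kc:", hmac.Equal(kc, kcSIM))

	other := &SIM{IMSI: imsi, ki: []byte("constructed-Ki00")}
	_, err = Authenticate(trip, other)
	fmt.Println("wrong Ki rejected:", err != nil)
}
```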
Attack on GSM (heise.de 12/2011)
• Based on a cheap mobile phone, laptop and free software
• Weakness in A5/1 encryption algorithm
– Break into calls within minutes
– Decrypt and record calls with Temporary Mobile Subscriber Identity (TMSI) and secret key
• Can be used to impersonate a user’s identity
– Initiate calls
– Send SMS
– User gets bill (including phone calls to premium services)
– Retrieve mailbox content
GSM Security: Summary
• Authentication
– Only mobile station performs authentication
– Network is not authenticated
– Challenge-response procedure
• AUC generates challenge; VLR/MSC checks response from MS
• Within network unencrypted transfer of data
• Confidentiality
– Only radio interface (between BTS and MS)
– 64 Bit key length is quite small
• Between GSM-Providers
– No security measures and standards defined
General Packet Radio Service (GPRS)
• Introduced to provide higher data speeds in GSM
– Data transmission speeds of up to 171 kBit/s
– Packet switched instead of circuit switched data transmissions
– Requires new hardware (new radio transceivers at BTS, new backbone)
– Step towards UMTS
• Features
– Uses sending slots only if data packets are to be transmitted
– E.g., for 50 kBit/s 4 slots are allocated temporarily
– Standardization 1998, introduction 2001
• Improvement: Enhanced Data Rates for GSM Evolution (EDGE)
– Up to 384 kbps; new radio technology
GPRS architecture and interfaces
• GSN (GPRS Support Nodes): GGSN and SGSN
– GGSN (Gateway GSN): Interworking unit: GPRS and PDN (Packet Data Network)
– SGSN (Serving GSN): Supports the MS, performs location, billing, security, …
• GR (GPRS Register): user addresses (e.g., current IP, …)
Figure: GPRS architecture and interfaces. MS – (Um) – BSS – (Gb) – SGSN – (Gn) – GGSN – (Gi) – PDN; SGSNs interconnected via Gn; MSC with VLR, HLR/GR and EIR attached to the core.
GPRS Security
• GPRS uses similar techniques to GSM
• Confidentiality, integrity, and authentication negotiated and initiated between MS and SGSN
– Often, no security is negotiated
– Not visible to the user
• Users should use upper layer security solutions
UMTS
• Universal Mobile Telecommunications System (UMTS)
– New radio network: UTRA (UMTS Terrestrial Radio Access)
– New backbone: UTRAN (UMTS Terrestrial Radio Access Network)
– New SIM type: USIM (Universal Subscriber Identity Module)
– UMTS and GSM/EDGE share same core network (CN)
• Enhanced data rates
– UMTS: High Speed Packet Access (HSPA)
• High Speed Downlink Packet Access (HSDPA): 337,5 Mbit/s
• High Speed Uplink Packet Access (HSUPA): 23 Mbit/s
Core Network: Architecture
Figure: combined GSM/UMTS core network. GSM radio side: BTS – (Abis) – BSC, forming the BSS. UMTS radio side: Node B – (Iub) – RNC, forming the RNS. Both attach to the core network (CN) via Iu: IuCS to MSC/VLR and GMSC towards the PSTN, IuPS to SGSN – (Gn) – GGSN – (Gi); HLR, AuC, EIR and GR serve both.
Abbreviations: GSN: GPRS Support Nodes; SGSN: Service …; GGSN: Gateway …; RNS: Radio Network Subsystem; RNC: Radio Network Controller
UMTS Security
• Builds on GSM security (inherits proven-to-be-good features)
• Correction of the GSM weaknesses
– Possible attacks from a faked base station
– Cipher keys and authentication data transmitted in clear between and within networks
– Encryption not used in some networks → open to fraud
– Data integrity not provided
• Security features for 3G radio access networks and services
– Mutual Authentication
– Stronger Encryption
– Data Integrity
Wireless LAN
Wireless LAN Standards
• Also known as WLAN and WiFi
– Specifies layer 1&2 (physical & data-link layer)
• Standards
– IEEE 802.11 (1997: 1 / 2 Mbps, 2.4 GHz)
– IEEE 802.11a (1999: max. 54 Mbps, 5 GHz)
– IEEE 802.11b (1999: 5,5 Mbps and 11 Mbps, 2.4 GHz)
– IEEE 802.11g (2003: 54 Mbps, 2.4 GHz)
– IEEE 802.11n (2009: 150 Mbps, 2.4 / 5 GHz)
– IEEE 802.11i (2004, enhanced security)
802.11 Infrastructure Mode
• Access Point (AP)
– Bridge between wireless and wired networks
– Composed of
• Radio interface
• Wired network interface (usually 802.3)
• Bridging software
– Aggregates access for multiple wireless stations to wired network
• Wireless station
Figure: Basic Service Set (BSS) – single cell; Extended Service Set (ESS) – multiple cells; each cell consists of an Access Point and its Stations
Interception
• Wireless LAN uses radio signals
– Not limited to physical buildings
• Signal weakened by walls, floors, and interference
• Directional antenna allows interception over longer distances
Figure: a BSS inside a building and a station outside the building perimeter
Wardriving
• Software
– Netstumbler
– THC-Wardrive
– Kismet
– Wellenreiter
– VisStumbler
– inSSIDer
• Laptop with (optional) GPS for logging
– MAC address & channel
– Network name (SSID)
– Manufacturer
– Signal strength / noise
– Location
Wardriving example
Joining a BSS
• APs send beacons (announce WiFi presence)
– May include Service Set Identifier (SSID)
– AP chosen on signal strength and observed error rates
• Client scans channels
– Periodically or on weak signal
– Check for stronger or more reliable APs
– If one is found, it re-associates with new AP
• Open System Authentication
– No authentication or encryption
– Clients only specify SSID when requesting association
MAC Address locking
• Access points have Access Control Lists (ACL)
• ACL is list of allowed MAC addresses
– E.g. Allow access to:
• 00:01:42:0E:12:1F
• 00:01:42:F1:72:AE
• 00:01:42:4F:E2:01
• MAC addresses are sniffable and spoofable
– ACLs are ineffective security technique
Wireless LANs
Wired Equivalent Privacy (WEP)
802.11b Security Services (Wired Equivalence Privacy)
• Goal: Equivalent security like in LANs
– LAN security features?
• Security Features of 802.11b
– Authentication, Confidentiality, and Integrity
– Wired Equivalence Privacy (WEP)
• Authentication: Shared Key
– Key shared by all APs and clients of an ESS
– 802.11b defines no key management strategy
– Nightmare in large wireless LANs
• Confidentiality: RC4 encryption of data
• Integrity: Integrity Check Vector
Figure: a Local Area Network (LAN) shown as equivalent to an 802.11 wireless network protected by Wired Equivalent Privacy
WEP: Shared Key Authentication
• Station requests association with Access Point
– Challenge-Response Scheme
• Procedure
1. AP sends random number to station
2. Station encrypts random number (using RC4, 40 bit shared key and 24 bit IV)
3. Encrypted random number sent to AP
4. AP decrypts received message (using the same key stream)
5. AP compares decrypted number with transmitted one (Step 1)
6. If numbers match, station knows shared secret key
WEP: Packet Transmission
• Integrity: compute Integrity Check Vector (ICV)
– 32 bit Cyclic Redundancy Check appended to message to create plaintext
• Confidentiality: plaintext encrypted via RC4
– Plaintext XORed with key stream of pseudo random bits
– Key stream is function of 40-bit secret key and 24 bit initialization vector
Figure: WEP transmission. Initialization Vector (IV) || Secret key → PRNG → key stream; Data || 32 bit CRC → ⊕ key stream → Ciphertext, sent together with the IV
WEP: Packet Reception
• Decryption: ciphertext decrypted via RC4
– XORed with same key stream as sender
– Generated from 40-bit secret key + 24 bit IV from packet
– Key stream differs per packet (if different IV is used)
• Integrity: Compare received and decrypted ICV with CRC of received data
Figure: WEP reception. IV (from packet) || Secret key → PRNG → key stream; Ciphertext ⊕ key stream → Plaintext = Data || ICV; CRC recomputed over Data and compared with the received ICV
WEP: Initialization Vector
• IV must be different for every message
– 802.11 standard doesn’t specify how IV is calculated
• Different implementations used
– Simple incrementing counter for each message
– Alternating ascending and descending counters
– Some use a pseudo random IV generator
• Can be used for a variety of attacks
WEP: Authentication Weaknesses
• Attack by extracting a single key stream
– AP does not check if IV is reused
• Attack Shared Key Authentication
– Challenge and response provide plain and ciphertext
– M1 ⊕ C1 = M1 ⊕ M1 ⊕ RC4(IV,K) = RC4(IV,K)
– Attacker gets a valid key stream
• May be used for authentication and sending encrypted messages
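The WEP packet transmission and reception slides and the key stream identity M1 ⊕ C1 = RC4(IV,K) above, as an added example (code written for this page, not from the lecture or from any 802.11 driver). It builds the per-packet RC4 key stream from IV || key, appends the CRC-32 ICV, checks the ICV on reception, and then verifies on a constructed challenge/response pair that the XOR of plaintext and ciphertext is exactly the key stream for that IV, which is why a reused IV protects nothing; key, IV and payloads are constructed.

```go
package main

import (
	"crypto/rc4"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// wepKeystream derives the per-packet key stream the way WEP does: the
// 24-bit IV is prepended to the 40-bit shared secret and the 64-bit
// concatenation seeds RC4. Returns n bytes of raw key stream.
func wepKeystream(iv [3]byte, key []byte, n int) []byte {
	seed := append(append([]byte{}, iv[:]...), key...)
	c, err := rc4.NewCipher(seed)
	if err != nil {
		panic(err) // only for seeds outside 1..256 bytes
	}
	ks := make([]byte, n)
	c.XORKeyStream(ks, ks) // XOR into zeros yields the raw key stream
	return ks
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// wepEncrypt is the sender side: ICV = CRC-32 of the data (little-endian)
// is appended to form the plaintext, which is XORed with the key stream.
// The IV travels in clear in front of the returned ciphertext.
func wepEncrypt(iv [3]byte, key, data []byte) []byte {
	plain := make([]byte, len(data)+4)
	copy(plain, data)
	binary.LittleEndian.PutUint32(plain[len(data):], crc32.ChecksumIEEE(data))
	return xorBytes(plain, wepKeystream(iv, key, len(plain)))
}

// wepDecrypt is the receiver side: regenerate the same key stream from the
// cleartext IV and the shared key, strip the ICV and compare it with the
// CRC-32 of the recovered data.
func wepDecrypt(iv [3]byte, key, body []byte) ([]byte, error) {
	if len(body) < 4 {
		return nil, errors.New("frame too short to carry an ICV")
	}
	plain := xorBytes(body, wepKeystream(iv, key, len(body)))
	data := plain[:len(plain)-4]
	icv := binary.LittleEndian.Uint32(plain[len(plain)-4:])
	if crc32.ChecksumIEEE(data) != icv {
		return nil, errors.New("ICV mismatch: frame modified or wrong key")
	}
	return data, nil
}

// keystreamFromPair applies the slide's identity M1 ⊕ C1 = RC4(IV,K):
// a known plaintext and its ciphertext reveal the key stream for that IV.
func keystreamFromPair(m1, c1 []byte) []byte {
	return xorBytes(m1, c1[:len(m1)])
}

func main() {
	key := []byte{0x0f, 0x1e, 0x2d, 0x3c, 0x4b} // constructed 40-bit WEP key
	iv := [3]byte{0x01, 0x02, 0x03}               // constructed 24-bit IV

	// Normal data frame: encrypt, decrypt, ICV verified on the way back.
	body := wepEncrypt(iv, key, []byte("constructed payload"))
	data, err := wepDecrypt(iv, key, body)
	fmt.Printf("decrypted %q, err=%v\n", data, err)

	// Shared key authentication: the challenge is sent in clear and the
	// response is its encryption, so the pair exposes RC4(IV,K).
	challenge := []byte("constructed 128-bit challenge...") // constructed
	response := wepEncrypt(iv, key, challenge)
	leaked := keystreamFromPair(challenge, response)
	same := string(leaked) == string(wepKeystream(iv, key, len(challenge)))
	fmt.Println("key stream recovered from challenge/response:", same)

	// With the AP not checking IV reuse, the next frame under the same IV
	// is XORed with exactly this stream again: the IV must never repeat.
	fmt.Println("same IV, same key stream:",
		string(wepKeystream(iv, key, 16)) == string(leaked[:16]))
}
```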
WEP: Authentication Weaknesses
• No mutual authentication
– Only client is authenticated
– APs are not authenticated
• Allows man-in-the-middle attacks
– Build and run own AP with same name
– Client connects to AP with best signal
– Attacker forwards messages to real AP
WEP: Summary
• WEP dangerous due to wrong key usage
– Not because of the algorithm
– RC4 securely used in SSL/TLS
• Recommended measures
– WLAN cannot be trusted
– WLAN outside the Intranet separated by Firewall
– Use higher layer Security Protocols to secure communication
• PPTP, IPSec, SSL, SSH, …
Wireless LANs
IEEE 802.11i (WPA & WPA2)
Overview of 802.11i
• After the collapse of WEP, IEEE started to develop a new security architecture → 802.11i
• 802.11i novelties compared to WEP
– Access control model based on 802.1X
– Flexible authentication framework (using EAP)
• Authentication based on strong protocols (e.g., TLS)
• Authentication results in shared session key
– Different functions (encryption, integrity) use different keys derived from the session key using a one-way function
– Improved encryption and integrity protection
Overview of 802.11i
• 802.11i defines concept of a Robust Security Network (RSN)
– Integrity protection and encryption based on AES (not RC4 anymore)
– Good, but requires new hardware → no software update of routers possible
• For immediate security: updates to WEP
– So-called pre-RSN networks
– New protocol: Temporal Key Integrity Protocol (TKIP)
– Encryption based on RC4 but avoids WEP’s problems
– For integrity, a novel scheme is proposed (called Michael)
– Ugly solution, but runs on old hardware (after software upgrade)
• Industry names
– TKIP → WPA (WiFi Protected Access)
– RSN → WPA2
802.11i Security Solutions
 | WEP | TKIP (WPA) | CCMP (WPA2)
Algorithm | RC4 | RC4 | AES
Key Length | 40 / 104 Bit | 128 Bit (enc.), 64 Bit (auth.) | 128 Bit
Initialization Vector | 24 Bit IV | 48 Bit IV | -
Integrity: Data | CRC32 | Michael | CCM (Counter with CBC-MAC)
Integrity: Header | none | Michael | CCM
Replay Protection | none | IV-Check | IV-Check
Key Management | none | 802.11i 4-Way-Handshake | 802.11i 4-Way-Handshake
Wireless LANs
Wi-Fi Protected Access (WPA)
TKIP
• Temporal Key Integrity Protocol (TKIP)
• Runs on old hardware
– Uses RC4 for encryption with WEP weaknesses corrected
• Improved message integrity scheme
– New protection mechanism called Michael
– Message Integrity Check (MIC) value is added at SDU level before fragmentation into PDUs
– Implemented in the device driver (in software)
• Improved confidentiality scheme
– Per-packet keys to prevent attacks based on weak keys
– Increases IV length to 48 Bits to prevent IV reuse
– Use IV as replay counter
TKIP: Overview (High-Level)
Figure: Message → Integrity Protection → Payload & MIC → WEP Encryption → encrypted and authenticated frames; Key Generation supplies the WEP IV, the Extended IV and the WEP Key to WEP Encryption.
TKIP: Integrity Protection
Figure: the Michael algorithm computes the MIC over Source MAC, Destination MAC, Priority and Message using a 64 Bit key; Message || MIC then goes into the WEP frame (question on the slide: MIC? MAC?).
TKIP: WEP Key Generation
Figure: Key Mixing (Phase 1) combines the MSB (32 Bit) of the 48 Bit Sequence Counter, the Source MAC (32 Bit) and the WEP Key (128 Bit) into an 80 Bit packet-specific key; Key Mixing (Phase 2) combines that with the LSB (16 Bit) of the counter (high byte of counter, fill byte, low byte of counter) into the temporary WEP Key (128 Bit) used for encryption.
WEP and TKIP: Encryption (High-Level)
Figure: Payload + WPA-MIC (the Message) → CRC-32 Algorithm → Message || WEP-ICV → RC4 under the temporary WEP Key (128 Bit) → encrypted Payload || WEP-ICV.
TKIP: Overview (WEP Frame Details)
Figure: Message → Integrity Protection → Payload + MIC → WEP Encryption with WEP IV, WEP Key and IV + EIV from Key Generation → encrypted and authenticated frames. Frame layout: MAC Header | IV and Key ID | EIV | Payload | MIC | WEP ICV | FCS
Wireless LANs
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
CCMP and WPA2
• Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
• Standard encryption protocol for use with the WPA2 standard
• Replaces
– RC4 stream-cipher with AES block cipher
– WEP ICV with (CBC-)MAC value based on AES
CCMP and WPA2
• Encryption
– Based on CTR mode (using AES); see chapter on cryptology
– Encrypts payload and MAC value to protect integrity and confidentiality
– Not encrypted: Headers of MAC (frame) and CCMP
• Integrity protection
– Cipher Block Chaining Message Authentication Code (CBC-MAC)
– Integrity protection based on CBC-MAC (using AES)
– See next slide
CBC-MAC: Cipher Block Chaining MAC
• Uses a block cipher to create a message authentication code (MAC)
Figure: CBC-MAC. Plaintext chunk #1 ⊕ Initialization Vector (IV) → Block Cipher (Key) → ⊕ Plaintext chunk #2 → Block Cipher (Key) → ⊕ Plaintext chunk #3 → Block Cipher (Key) → MAC
CCMP: Integrity
• CBC-MAC computed over
– MAC header
– CCMP header
– Payload
• Mutable fields are set to zero
• Input is padded with zeros if length is not multiple of 128 Bits
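The CBC-MAC chaining and the CCMP integrity input described above as an added example (code written for this page, not from the lecture or from any 802.11i implementation). It assembles MAC header || CCMP header || payload with the mutable fields zeroed and zero padding to 128-bit blocks, chains AES-128 over the blocks, and shows that a changed Duration field leaves the MIC untouched while a changed payload byte does not. The frame layout is a simplified, constructed view (assumption: Duration and Sequence Control are the masked fields; real CCMP additionally prepends a nonce/length block and truncates the MIC to 64 bits), and the key and frame contents are constructed.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

// ccmpFrame is a constructed, simplified view of an 802.11 data frame:
// enough of the MAC header to show which fields are authenticated, plus
// the CCMP header and the payload. Field widths follow 802.11.
type ccmpFrame struct {
	FrameControl [2]byte
	Duration     [2]byte // mutable (NAV), zeroed before the MAC is computed
	Addr1        [6]byte // receiver
	Addr2        [6]byte // transmitter
	Addr3        [6]byte // BSSID
	SeqCtrl      [2]byte // mutable (sequence number), zeroed here
	CCMPHeader   [8]byte // packet number + key id, sent in clear
	Payload      []byte
}

// macInput assembles MAC header || CCMP header || payload as the slide
// describes: mutable fields replaced by zeros, then zero padding up to a
// multiple of 128 bits (the AES block size).
func macInput(f ccmpFrame) []byte {
	in := make([]byte, 0, 32+len(f.Payload))
	in = append(in, f.FrameControl[:]...)
	in = append(in, 0, 0) // Duration masked
	in = append(in, f.Addr1[:]...)
	in = append(in, f.Addr2[:]...)
	in = append(in, f.Addr3[:]...)
	in = append(in, 0, 0) // SeqCtrl masked
	in = append(in, f.CCMPHeader[:]...)
	in = append(in, f.Payload...)
	if r := len(in) % aes.BlockSize; r != 0 {
		in = append(in, make([]byte, aes.BlockSize-r)...)
	}
	return in
}

// cbcMAC chains AES-128 over 16-byte blocks: each block is XORed into the
// previous cipher output (an all-zero start value for the first block) and
// encrypted again; the final cipher output is the MAC. The input must be
// block-aligned already, so padding is the caller's job (see macInput).
func cbcMAC(key, input []byte) ([]byte, error) {
	if len(input) == 0 || len(input)%aes.BlockSize != 0 {
		return nil, errors.New("input must be a non-empty multiple of 16 bytes")
	}
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	state := make([]byte, aes.BlockSize)
	for i := 0; i < len(input); i += aes.BlockSize {
		for j := 0; j < aes.BlockSize; j++ {
			state[j] ^= input[i+j]
		}
		block.Encrypt(state, state)
	}
	return state, nil
}

// frameMIC returns the 128-bit CBC-MAC over the authenticated parts of f.
func frameMIC(key []byte, f ccmpFrame) ([]byte, error) {
	return cbcMAC(key, macInput(f))
}

func main() {
	key := []byte("constructed-tk16") // constructed 128-bit temporal key
	f := ccmpFrame{
		FrameControl: [2]byte{0x08, 0x41},
		Duration:     [2]byte{0x2c, 0x00},
		Addr1:        [6]byte{0x00, 0x01, 0x42, 0x0e, 0x12, 0x1f},
		Addr2:        [6]byte{0x00, 0x01, 0x42, 0xf1, 0x72, 0xae},
		Addr3:        [6]byte{0x00, 0x01, 0x42, 0x4f, 0xe2, 0x01},
		SeqCtrl:      [2]byte{0x10, 0x00},
		CCMPHeader:   [8]byte{0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00},
		Payload:      []byte("constructed payload"),
	}
	mic, _ := frameMIC(key, f)
	fmt.Println("MIC:", hex.EncodeToString(mic))

	// A retransmission carries a new Duration: the MIC must not change.
	retry := f
	retry.Duration = [2]byte{0x3a, 0x00}
	mic2, _ := frameMIC(key, retry)
	fmt.Println("same MIC after NAV change:", hex.EncodeToString(mic2) == hex.EncodeToString(mic))

	// A flipped payload byte changes the MIC.
	forged := f
	forged.Payload = append([]byte{}, f.Payload...)
	forged.Payload[0] ^= 0x01
	mic3, _ := frameMIC(key, forged)
	fmt.Println("MIC differs after payload change:", hex.EncodeToString(mic3) != hex.EncodeToString(mic))
}
```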
Wireless LANs
IEEE 802.1X / EAP / PEAP
Authentication via IEEE 802.1X
• Access to resources after successful authentication
– IEEE 802.1X: EAP over Ethernet/LAN (EAPOL)
– For details on EAP see chapter on AAA
Figure: Client (Supplicant) – IEEE 802.1X: EAP over Ethernet – Authenticator (e.g., access point) – arbitrary protocol – Authentication Server (e.g., RADIUS); EAP messages pass end-to-end between supplicant and authentication server
Association and Authentication
• 802.11 association happens first
– Open authentication
– Provides access to the AP and allows an IP address to be supplied
• Access beyond the AP is still prohibited
– AP drops non-EAP traffic
• Authentication conversation between supplicant and authentication server
– Wireless NIC and AP are pass through devices
• After authentication, AP allows full traffic
Summary of the Protocol Architecture
Figure: protocol layering between Client, Access Point and Authentication Server. Client–AP: 802.11 (WiFi) carrying EAPOL (802.1X); AP–Server: TCP/IP carrying the RADIUS protocol (RFC 2865) with EAP over RADIUS (RFC 3579); end-to-end between Client and Server: EAP (RFC 3748) carrying e.g. PEAP, which carries e.g. EAP-MS-CHAPv2
802.11, 802.1X, EAP (with CHAP + RADIUS)
Figure: message sequence between Supplicant (WiFi Client), Authenticator (Access Point) and Authentication Server:
1. 802.11 association (Supplicant ↔ Authenticator)
2. EAPOL Start (Supplicant → Authenticator)
3. EAP request for identity (Authenticator → Supplicant)
4. EAP-response (identity) (Supplicant → Authenticator), forwarded as RADIUS Access-request to the Authentication Server
5. RADIUS-challenge (Authentication Server → Authenticator), delivered as EAP-request (challenge) to the Supplicant
6. EAP-response (response) (Supplicant → Authenticator), forwarded as RADIUS-access-request
7. RADIUS-access-accept (Authentication Server → Authenticator), delivered as EAP-success to the Supplicant
8. EAPOW-key (WEP/CCMP) (Authenticator → Supplicant)
9. Secure authenticated connection
Result of successful authentication
• Authenticator and Client negotiate a private unicast key
– Prevents other associated clients from eavesdropping on the communication
• Authenticator also provides a broadcast key
– For broadcast communication amongst all associated clients
Figure: an 802.11 AP with two 802.11 Clients; each client shares its own Private Unicast Key with the AP, and all share one Shared Broadcast Key
Example: Eduroam (Germany)
• Users can roam to university-run Wi-Fis worldwide
• Authentication by home organization
• Requests are routed to the user’s home organization’s authentication server
– Based on “realm”: username@realm
– E.g., [email protected]
• Authentication
– Uses a secure PEAP (TLS) tunnel to the server
– Server provides certificate to avoid man-in-the-middle attacks
– Authenticate using some EAP-method (e.g., MS-CHAPv2 at Lübeck)
Example: Dennis visits Lübeck
1. Lübeck‘s RADIUS requests identity
– Dennis replies with [email protected]
2. Realm is unknown to RADIUS server
– Forwards all EAP packets to DFN central RADIUS server
3. Berlin knows mapping <realm, RADIUS server>
– Forwards packets to Heidelberg
4. Virtual EAP connection between Dennis’ computer and Heidelberg RADIUS server
– Dennis authenticates against this server
– Server presents certificate to authenticate towards Dennis
5. After authentication, access is granted locally
Figure: Lübeck → Berlin (step 2) → Heidelberg (step 3); virtual EAP connection (step 4) between Dennis in Lübeck and the Heidelberg RADIUS server
Visitor from SF comes to Lübeck
Figure: Lübeck → Berlin → New York → San Francisco
Summary on WiFi Security
• Security has always been considered important for WiFi
– Early solution based on WEP seriously flawed
• New security standard for WiFi: 802.11i
– TKIP (WPA)
• Uses RC4 → runs on old hardware
• Corrects WEP’s flaws
• Mandatory in WPA, optional in WPA2
– CCMP (WPA2)
• Access control model based on 802.1X and EAP → Improved key management
• Uses AES in CCMP mode (CTR mode and CBC-MAC)
• Needs new hardware that supports AES
Literature
• Bluetooth
– Karen Scarfone, John Padgette. Guide to Bluetooth Security. Recommendations of the National Institute of Standards and Technology, 2008. http://csrc.nist.gov/publications/nistpubs/800-121/SP800-121.pdf
• GSM
– [28C3] Neue Angriffe auf GSM-Handys und Schutzmechanismen. Heise Security. http://www.heise.de/security/meldung/28C3-Neue-Angriffe-auf-GSM-Handys-und-Schutzmechanismen-1401633.html
– [gsmmap] GSM security map: http://gsmmap.org; see also http://www.heise.de/security/meldung/SIGINT-Kaum-Fortschritte-bei-der-GSM-Sicherheit-1579566.html
– [gsm-a5-1] Karsten Nohl and Chris Paget. GSM: SRSLY? http://events.ccc.de/congress/2009/Fahrplan/attachments/1519_26C3.Karsten.Nohl.GSM.pdf
• WiFi
– War Driving Tools. http://www.wardrive.net/wardriving/tools/
– J. Schiller. Mobile Communications. 2nd edition, Addison-Wesley, 2003.
– IEEE 802.11a/b/g/i Standards. http://standards.ieee.org/getieee802/802.11.html
– Nikita Borisov, Ian Goldberg, David Wagner. Intercepting mobile communications: the insecurity of 802.11. MOBICOM 2001, pp. 180-189.
– Scott R. Fluhrer, Itsik Mantin, Adi Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. Selected Areas in Cryptography 2001, pp. 1-24.
– Clint Chaplin, Emily Qi, Henry Ptasinski, Jesse Walker, Sheung Li. 802.11i Overview. IEEE 802.11-04/0123r1, February 2005.
– The Unofficial 802.11 Security Web Page. http://www.drizzle.com/~aboba/IEEE/