Protocols (Physical/Data-Link Layer) - uni-rostock.de · 2012-07-26 · Distributed Systems...
Distributed Systems Security
Dr. Dennis Pfisterer
Institut für Telematik, Universität zu Lübeck
http://www.itm.uni-luebeck.de/people/pfisterer
Protocols (Physical/Data-Link Layer)
Overview
• Security on Different Layers
• Security on Physical & Data-Link Layer
  – Mostly security in wireless networks
  – Example: Wireless LANs (IEEE 802.11a/b/g, 802.11i)
Security - 07 Physical/Data Link Layer #2
Security on Different Layers
• Where do we place security mechanisms?
  – Pros and cons on different protocol layers?
• Physical / Data-Link Layer
  – E.g., Bluetooth, WEP/WPA/WPA2 in WLAN
• Network Layer
  – E.g., IPSec, L2TP
• Transport Layer
  – E.g., SSL/TLS
• Application Layer
  – E.g., PGP, Kerberos
[Figure: one protocol stack per layer; labels: PHY, LLC/MAC, WEP, IP, IPSec, TCP/UDP, SSL/TLS, HTTP, FTP, SMTP, S-MIME, PGP, SET, Kerberos]
Security in Lower Layers (PHY, DL)
• Protection of (some) individual links
+ Transparent for upper layers (i.e., IP, TCP, and application)
+ Minimal changes in protocol stack
– Security for single hops only
– No end-to-end security
– Not flexibly controllable by applications
[Figure: protected link; label: directional radio]
Security in Network/Transport Layer
• Protection on the IP and/or TCP/UDP layer
+ Transparent for applications on network layer (IP → IPSec)
+ End-to-end security across unsecure infrastructures
+ Complete connections securable (e.g., using VPNs)
+ Transport layer security controllable by / visible to applications (e.g., https instead of http)
– IPSec not controllable by / visible to applications
– Transport layer (TCP over TLS) requires application changes
[Figure: end-to-end connection security across a directional radio link, carrying any application layer protocol, e.g., FTP, Web Apps, SMTP, POP, IMAP, ...]
Security in Application Layer
• Application security provided by the application
+ Flexibly controllable by applications
– Each application has its own custom-tailored security services
– No synergy between different applications
– E.g., Kerberos, S/MIME, PGP, GnuPG provide their own implementations
[Figure: end-to-end connection security across a directional radio link, using a secure application layer protocol, e.g., PGP, S/MIME, SMTPs, POPs, IMAPs, ...]
Wireless LAN

Wireless LAN Standards
• Also known as WLAN and WiFi
  – Specifies layer 1&2 (physical & data-link layer)
• Standards
  – IEEE 802.11 (1997: 1 / 2 Mbps, 2.4 GHz)
  – IEEE 802.11a (1999: max. 54 Mbps, 5 GHz)
  – IEEE 802.11b (1999: 5.5 Mbps and 11 Mbps, 2.4 GHz)
  – IEEE 802.11g (2003: 54 Mbps, 2.4 GHz)
  – IEEE 802.11n (2009: 150 Mbps, 2.4 / 5 GHz)
  – IEEE 802.11i (2004, enhanced security)
802.11 Infrastructure Mode
• Access Point (AP)
  – Bridge between wireless and wired networks
  – Composed of
    • Radio interface
    • Wired network interface (usually 802.3)
    • Bridging software
  – Aggregates access for multiple wireless stations to wired network
• Wireless station
[Figure: Basic Service Set (BSS) – single cell; Extended Service Set (ESS) – multiple cells; labels: Access Point, Station]
Interception
• Wireless LAN uses radio signals
  – Not limited to physical buildings
• Signal weakened by walls, floors, and interference
• Directional antenna allows interception over longer distances
[Figure: BSS with a station outside the building perimeter]
Wardriving
• Software
  – Netstumbler
  – THC-Wardrive
  – Kismet
  – Wellenreiter
  – VisStumbler
  – inSSIDer
• Laptop with (optional) GPS for logging
  – MAC address & channel
  – Network name (SSID)
  – Manufacturer
  – Signal strength / noise
  – Location

Wardriving example
[Figure: wardriving example]
Joining a BSS
• APs send beacons (announce WiFi presence)
  – May include Service Set Identifier (SSID)
  – AP chosen on signal strength and observed error rates
• Client scans channels
  – Periodically or on weak signal
  – Check for stronger or more reliable APs
  – If one is found, it re-associates with new AP
• Open System Authentication
  – No authentication or encryption
  – Clients only specify SSID when requesting association
MAC Address locking
• Access points have Access Control Lists (ACL)
• ACL is list of allowed MAC addresses
  – E.g., allow access to:
    • 00:01:42:0E:12:1F
    • 00:01:42:F1:72:AE
    • 00:01:42:4F:E2:01
• MAC addresses are sniffable and spoofable
  – ACLs are ineffective security technique
Wireless LANs
Wired Equivalent Privacy (WEP)

802.11b Security Services (Wired Equivalence Privacy)
• Goal: Equivalent security like in LANs
  – LAN security features?
• Security Features of 802.11b
  – Authentication, Confidentiality, and Integrity
  – Wired Equivalence Privacy (WEP)
• Authentication: Shared Key
  – Key shared by all APs and clients of an ESS
  – 802.11b defines no key management strategy
  – Nightmare in large wireless LANs
• Confidentiality: RC4 encryption of data
• Integrity: Integrity Check Vector
[Figure: Local Area Network (LAN) and 802.11 wireless network, labelled "Equivalent Privacy"]
WEP: Shared Key Authentication
• Station requests association with Access Point
  – Challenge-Response Scheme
• Procedure
1. AP sends random number to station
2. Station encrypts random number (using RC4, 40 bit shared key and 24 bit IV)
3. Encrypted random number sent to AP
4. AP decrypts received message (using the same key stream)
5. AP compares decrypted number with transmitted one (Step 1)
6. If numbers match, station knows shared secret key
WEP: Packet Transmission
• Integrity: compute Integrity Check Vector (ICV)
  – 32 bit Cyclic Redundancy Check appended to message to create plaintext
• Confidentiality: plaintext encrypted via RC4
  – Plaintext XORed with key stream of pseudo random bits
  – Key stream is function of 40-bit secret key and 24 bit initialization vector
[Figure: WEP encapsulation; labels: Initialization Vector (IV), Secret key, ||, PRNG, Data, 32 bit CRC, ⊕, IV, Ciphertext]
WEP: Packet Reception
• Decryption: ciphertext decrypted via RC4
  – XORed with same key stream as sender
  – Generated from 40-bit secret key + 24 bit IV from packet
  – Key stream differs per packet (if different IV is used)
• Integrity: Compare received and decrypted ICV with CRC of received data
[Figure: WEP decapsulation; labels: Secret key, IV, ||, PRNG, Ciphertext, ⊕, Plaintext, Data, CRC, Compare]
WEP: Initialization Vector
• IV must be different for every message
  – 802.11 standard doesn’t specify how IV is calculated
• Different implementations used
  – Simple incrementing counter for each message
  – Alternating ascending and descending counters
  – Some use a pseudo random IV generator
• Can be used for a variety of attacks
WEP: Authentication Weaknesses
• Attack by extracting a single key stream
  – AP does not check if IV is reused
• Attack Shared Key Authentication
  – Challenge and response provide plain and ciphertext
  – M1 ⊕ C1 = M1 ⊕ M1 ⊕ RC4(IV,K) = RC4(IV,K)
  – Attacker gets a valid key stream
    • May be used for authentication and sending encrypted messages
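Added example (not part of the original slides): the WEP transmission and reception steps described above and the identity M1 ⊕ C1 = RC4(IV,K), written out in Python. The key, IV and messages are constructed sample values, and the ICV is assumed to be the CRC-32 stored in little-endian byte order.

```python
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 key stream for key (key scheduling, then output)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def add_icv(data: bytes) -> bytes:
    """Plaintext = data || 32 bit CRC (the Integrity Check Vector)."""
    return data + struct.pack("<I", zlib.crc32(data))

def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame body = IV (in clear) || plaintext XOR RC4(IV || key)."""
    plaintext = add_icv(data)
    return iv + xor(plaintext, rc4(iv + key, len(plaintext)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Rebuild the key stream from the frame's IV, decrypt, compare the ICV."""
    iv, ciphertext = frame[:3], frame[3:]
    plaintext = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    data, icv = plaintext[:-4], plaintext[-4:]
    if add_icv(data)[-4:] != icv:
        raise ValueError("ICV mismatch")
    return data

def keystream_from_known_plaintext(plain: bytes, cipher: bytes) -> bytes:
    """M1 XOR C1 = RC4(IV, K): a known plaintext exposes the key stream."""
    return xor(plain, cipher)

def iv_reuse_leak(key: bytes, iv: bytes, d1: bytes, d2: bytes) -> bytes:
    """Same IV twice: the key stream cancels, so C1 XOR C2 = P1 XOR P2."""
    return xor(wep_encrypt(key, iv, d1)[3:], wep_encrypt(key, iv, d2)[3:])

# Constructed sample values, not taken from any real network.
KEY = bytes.fromhex("0102030405")   # 40-bit shared key
IV = bytes.fromhex("a1b2c3")        # 24-bit IV

if __name__ == "__main__":
    frame = wep_encrypt(KEY, IV, b"constructed challenge")
    print(wep_decrypt(KEY, frame))
```

The key stream depends only on the IV and the shared key, which is why every frame needs a fresh IV and why the 48 bit counter in TKIP matters.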
WEP: Authentication Weaknesses
• No mutual authentication
  – Only client is authenticated
  – APs are not authenticated
• Allows man-in-the-middle attacks
  – Build and run own AP with same name
  – Client connects to AP with best signal
  – Attacker forwards messages to real AP
WEP: Summary
• WEP dangerous due to wrong key usage
  – Not because of the algorithm
  – RC4 securely used in SSL/TLS
• Recommended measures
  – WLAN cannot be trusted
  – WLAN outside the Intranet separated by Firewall
  – Use higher layer Security Protocols to secure communication
    • PPTP, IPSec, SSL, SSH, …
Wireless LANs
IEEE 802.11i (WPA & WPA2)

Overview of 802.11i
• After the collapse of WEP, IEEE started to develop a new security architecture → 802.11i
• 802.11i novelties compared to WEP
  – Access control model based on 802.1X
  – Flexible authentication framework (using EAP)
    • Authentication based on strong protocols (e.g., TLS)
    • Authentication results in shared session key
  – Different functions (encryption, integrity) use different keys derived from the session key using a one-way function
  – Improved encryption and integrity protection
Overview of 802.11i
• 802.11i defines concept of a Robust Security Network (RSN)
  – Integrity protection and encryption based on AES (not RC4 anymore)
  – Good, but requires new hardware → no software update of routers possible
• For immediate security: updates to WEP
  – So-called pre-RSN networks
  – New protocol: Temporal Key Integrity Protocol (TKIP)
  – Encryption based on RC4 but avoids WEP’s problems
  – For integrity, a novel scheme is proposed (called Michael)
  – Ugly solution, but runs on old hardware (after software upgrade)
• Industry names
  – TKIP → WPA (WiFi Protected Access)
  – RSN → WPA2
802.11i Security Solutions
                        WEP            TKIP (WPA)                       CCMP (WPA2)
Algorithm               RC4            RC4                              AES
Key Length              40 / 104 Bit   128 Bit (enc.), 64 Bit (auth.)   128 Bit
Initialization Vector   24 Bit IV      48 Bit IV                        -
Integrity (Data)        CRC32          Michael                          CCM (Counter with CBC-MAC)
Integrity (Header)      none           Michael                          CCM
Replay Protection       none           IV-Check                         IV-Check
Key Management          none           802.11i 4-Way-Handshake          802.11i 4-Way-Handshake
Wireless LANs
Wi-Fi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP)

TKIP
• Runs on old hardware
  – Uses RC4 for encryption with WEP weaknesses corrected
• Improved message integrity scheme
  – New protection mechanism called Michael
  – Message Integrity Check (MIC) value is added at SDU level before fragmentation into PDUs
  – Implemented in the device driver (in software)
• Improved confidentiality scheme
  – Per-packet keys to prevent attacks based on weak keys
  – Increases IV length to 48 Bits to prevent IV reuse
  – Use IV as replay counter
TKIP: Overview (High-Level)
[Figure: blocks Integrity Protection, Key Generation and WEP Encryption; labels: Message, Payload & MIC, WEP IV, WEP Key, Extended IV, Encrypted and authenticated frames]

TKIP: Integrity Protection
[Figure: Michael Algorithm; inputs: 64 Bit Key, Source MAC, Destination MAC, Priority, Message; output: Message + MIC, passed on as WEP Frame; annotation: "MIC? MAC?"]
TKIP: WEP Key Generation
[Figure: key mixing; labels: Sequence Counter (48 Bit) split into MSB (32 Bit) and LSB (16 Bit), Source MAC (32 Bit), WEP Key (128 Bit), Key Mixing (Phase 1), 80 Bit, Key Mixing (Phase 2), Fill Byte, Low Byte of Counter, High Byte of Counter, Packet-specific Key, Temporary WEP Key (128 Bit) used for encryption]

WEP and TKIP: Encryption (High-Level)
[Figure: labels: Message (Payload + WPA-MIC), CRC-32 Algorithm, Message + WEP-ICV, Temporary WEP Key (128 Bit) used for encryption, RC4, Payload + WEP-ICV, Encrypted Message]
TKIP: Overview (WEP Frame Details)
[Figure: blocks Integrity Protection, Key Generation and WEP Encryption; labels: Message, Payload + MIC, IV + EIV, WEP IV, WEP Key, Encrypted and authenticated frames]
Frame layout: MAC Header | IV and Key ID | EIV | Payload | MIC | WEP ICV | FCS
Wireless LANs
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

CCMP and WPA2
• Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
• Standard encryption protocol for use with the WPA2 standard
• Replaces
  – RC4 stream-cipher with AES block cipher
  – WEP ICV with (CBC-)MAC value based on AES
CCMP and WPA2
• Encryption
  – Based on CTR mode (using AES); see chapter on cryptology
  – Encrypts payload and MAC value to protect integrity and confidentiality
  – Not encrypted: Headers of MAC (frame) and CCMP
• Integrity protection
  – Cipher Block Chaining Message Authentication Code (CBC-MAC)
  – Integrity protection based on CBC-MAC (using AES)
  – See next slide
CBC-MAC: Cipher Block Chaining MAC
• Uses a block cipher to create a message authentication code (MAC)
[Figure: CBC-MAC chain; labels: Initialization Vector (IV), Plaintext chunk #1, Plaintext chunk #2, Plaintext chunk #3, ⊕, Key, Block Cipher, MAC]
CCMP: Integrity
• CBC-MAC computed over
  – MAC header
  – CCMP header
  – Payload
• Mutable fields are set to zero
• Input is padded with zeros if length is not multiple of 128 Bits
Wireless LANs
IEEE 802.1X / EAP / PEAP

Authentication via IEEE 802.1X
• Access to resources after successful authentication
  – IEEE 802.1X: EAP over Ethernet/LAN (EAPOL)
  – For details on EAP see chapter on AAA
[Figure: Client (Supplicant), Authenticator (e.g., access point), Authentication Server (e.g., RADIUS); links labelled "IEEE 802.1X: EAP over Ethernet" and "Arbitrary Protocol", both carrying EAP Messages]
Association and Authentication
• 802.11 association happens first
  – Open authentication
  – Provides access to the AP and allows an IP address to be supplied
• Access beyond the AP is still prohibited
  – AP drops non-EAP traffic
• Authentication conversation between supplicant and authentication server
  – Wireless NIC and AP are pass through devices
• After authentication, AP allows full traffic
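Summary of the Protocol Architecture
[Figure: protocol layers between Client, Access Point and Authentication Server]
Client to Authentication Server: authentication method (e.g., EAP-MS-CHAPv2), tunnel (e.g., PEAP), EAP (RFC 3748)
Client to Access Point: EAPOL (802.1X), 802.11 (WiFi)
Access Point to Authentication Server: EAP over RADIUS (RFC 3579), RADIUS protocol (RFC 2865), TCP/IP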
802.11, 802.1X, EAP (with CHAP + RADIUS)
[Figure: message sequence between Supplicant (WiFi Client), Authenticator (Access Point) and Authentication Server]
Supplicant and Authenticator: 802.11 association, EAPOL Start, EAP request for identity, EAP-response (identity), EAP-request (challenge), EAP-response (response), EAP-success, EAPOW-key (WEP/CCMP)
Authenticator and Authentication Server: Access-request, RADIUS-challenge, RADIUS-access-request, RADIUS-access-accept
Result: Secure authenticated connection
Result of successful authentication
• Authenticator and Client negotiate a private unicast key
  – Prevents other associated clients from eavesdropping on the communication
• Authenticator also provides a broadcast key
  – For broadcast communication amongst all associated clients
[Figure: 802.11 AP with two 802.11 Clients; each client has its own Private Unicast Key, all share the Shared Broadcast Key]
Example: Eduroam (Germany)
• Users can roam to university-run Wi-Fis worldwide
• Authentication by home organization

Example: Eduroam (Germany)
• Requests are routed to the user’s home organization’s authentication server
  – Based on “realm”: username@realm
  – E.g., [email protected]
• Authentication
  – Uses a secure PEAP (TLS) tunnel to the server
  – Server provides certificate to avoid man-in-the-middle attacks
  – Authenticate using some EAP-method (e.g., MS-CHAPv2 at Lübeck)
Example: Dennis visits Lübeck
1. Lübeck’s RADIUS requests identity
   – Dennis replies with dennis@uni-heidelberg.de
2. Realm is unknown to RADIUS server
   – Forwards all EAP packets to DFN central RADIUS server
3. Berlin knows mapping <realm, RADIUS server>
   – Forwards packets to Heidelberg
4. Virtual EAP connection between Dennis’ computer and Heidelberg RADIUS server
   – Dennis authenticates against this server
   – Server presents certificate to authenticate towards Dennis
5. After authentication, access is granted locally
[Figure: map with Lübeck, Berlin and Heidelberg, annotated with steps 2, 3 and 4]
Visitor from SF comes to Lübeck
[Figure: map with Lübeck, Berlin, New York and San Francisco]
Summary on WiFi Security
• Security has always been considered important for WiFi
  – Early solution based on WEP seriously flawed
• New security standard for WiFi: 802.11i
  – TKIP (WPA)
    • Uses RC4 → runs on old hardware
    • Corrects WEP’s flaws
    • Mandatory in WPA, optional in WPA2
  – CCMP (WPA2)
    • Access control model based on 802.1X and EAP → Improved key management
    • Uses AES in CCMP mode (CTR mode and CBC-MAC)
    • Needs new hardware that supports AES