Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems...

52
Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck http://www.itm.uni-luebeck.de/people/pfisterer Protocols (Physical/Data-Link Layer)

Transcript of Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems...

Page 1: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

Distributed Systems Security

Dr. Dennis Pfisterer

Institut für Telematik, Universität zu Lübeck

http://www.itm.uni-luebeck.de/people/pfisterer

Protocols (Physical/Data-Link Layer)

Page 2: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Security on Different Layers

• Security on Physical & Data-Link Layer

Overview

– Mostly security in wireless networks

– Example: Wireless LANs (IEEE 802.11a/b/g, 802.11i)

Security - 07 Physical/Data Link Layer #2

Page 3: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

Security on Different LayersSecurity on Different Layers

Security - 04 Cryptology #3

Page 4: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Where do we place security mechanisms? – Pros and cons on different protocol layers?

• Physical / Data-Link Layer– E.g., Bluetooth, WEP/WPA/WPA2 in WLAN

Security on Different Layers

WEPMAC

LLCIP

LLC/MACPHY

• Network Layer– E.g., IPSec, L2TP

• Transport Layer– E.g., SSL/TLS

• Application Layer– E.g., PGP, Kerberos

Security - 06 Protocols #4

HTTP FTP SMTPTCP/UDP

IPSec

HTTP FTP SMTP

TCP/UDPIP

SSL/TLS

HTTP SMTPTCP

IP

S-MIMEPGPSETKerberos

UDP

LLC/MAC

Page 5: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Protection of (some) individual links

+ Transparent for upper layers (i.e., IP, TCP, and application)+ Minimal changes in protocol stack

– Security for single hops only

Security in Lower Layers (PHY, DL)

– Security for single hops only– No end-to-end security– Not flexibly controllable by applications

Security - 06 Protocols #5

directional radio

Page 6: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Protection on the IP and/or TCP/UDP layer

+ Transparent for applications on network layer (IP � IPSec)

+ End-to-end security across unsecure infrastructures

+ Complete connections securable (e.g., using VPNs)

Security in Network/Transport Layer

+ Transport layer security controllable by /visible to applications (e.g., https

instead of http)

– IPSec not controllable by / visible to applications

– Transport layer (TCP over TLS) requires application changes

Security - 06 Protocols #6

directional radio

end-to-end connection securityAny application

layer protocolE.g., FTP, Web Apps, SMTP,

POP, IMAP, ...

Page 7: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Application security provided by the application

+ Flexibly controllable by applications

– Each application has its own custom-tailored security services

– No synergy between different applications

Security in Application Layer

– No synergy between different applications

– E.G. Kerberos, S/MIME, PGP, GnuPG provide their own implementations

Security - 06 Protocols #7

directional radio

end-to-end connection securitySecure application

layer protocolE.g., PGP, S/MIME, SMTPs,

POPs, IMAPs, ...

Page 8: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

Wireless LANWireless LAN

Page 9: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Also known as WLAN and WiFi– Specifies layer 1&2 (physical & data-link layer)

• Standards– IEEE 802.11 (1997: 1 / 2 Mbps, 2.4Ghz)

Wireless LAN Standards

– IEEE 802.11 (1997: 1 / 2 Mbps, 2.4Ghz)

– IEEE 802.11a (1999: max. 54 Mbps, 5 Ghz)

– IEEE 802.11b (1999: 5,5 Mbps and 11 Mbps, 2.4 Ghz)

– IEEE 802.11g (2003: 54 Mbps, 2.4 Ghz)

– IEEE 802.11n (2009: 150 Mbps, 2.4 / 5 GHz)

– IEEE 802.11i (2004, enhanced security)

Security - 07 Physical/Data Link Layer #9

Page 10: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Access Point (AP)

– Bridge between wireless and wired networks

– Composed of

• Radio interface

• Wired network

802.11 Infrastructure Mode

• Wired network interface (usually 802.3)

• Bridging software

– Aggregates access for multiple wireless stations to wired network

• Wireless station

Security - 07 Physical/Data Link Layer #10

Basic Service Set(BSS) – single cell

Extended Service Set (ESS) – multiple cells

Access Point

Station

Page 11: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Wireless LAN uses radio signals– Not limited to physical buildings

Interception

BSS

• Signal weakened by Walls, Floors, and Interference

• Directional antenna allows interception over longer distances

Security - 07 Physical/Data Link Layer #11

Station outsidebuilding perimeter

Page 12: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Software

– Netstumbler

– THC-Wardrive

– Kismet

– Wellenreiter

– VisStumbler

Wardriving

– VisStumbler

– inSSIDer

• Laptop with (optional) GPS for logging

– MAC address & channel

– Network name (SSID)

– Manufacturer

– Signal strength /noise

– Location

Security - 07 Physical/Data Link Layer #12

Page 13: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

Wardriving example

Security - 07 Physical/Data Link Layer #13

Page 14: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• APs send beacons (announce WiFi presence)– May include Service Set Identifier (SSID)– AP chosen on signal strength and observed error rates

• Client scans channels

Joining a BSS

• Client scans channels – Periodically or on weak signal– Check for stronger or more reliable APs– If one is found, it re-associates with new AP

• Open System Authentication– No authentication or encryption– Clients only specify SSID when requesting association

Security - 07 Physical/Data Link Layer #14

Page 15: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Access points have Access Control Lists (ACL)

• ACL is list of allowed MAC addresses– E.g. Allow access to:

MAC Address locking

– E.g. Allow access to:• 00:01:42:0E:12:1F

• 00:01:42:F1:72:AE

• 00:01:42:4F:E2:01

• MAC addresses are sniffable and spoofable– ACLs are ineffective security technique

Security - 07 Physical/Data Link Layer #15

Page 16: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

Wireless LANsWireless LANsWired Equivalent Privacy (WEP)

Page 17: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Goal: Equivalent security like in LANs– LAN security features?

• Security Features of 802.11b– Authentication, Confidentiality, and Integrity

– Wired Equivalence Privacy (WEP)

802.11b Security Services (Wired Equivalence Privacy)

Local Area Network (LAN)

Equivalent – Wired Equivalence Privacy (WEP)

• Authentication: Shared Key– Key shared by all APs and clients of an ESS

– 802.11b defines no key management strategy

– Nightmare in large wireless LANs

• Confidentiality: RC4 encryption of data

• Integrity: Integrity Check Vector

Security - 07 Physical/Data Link Layer #17

802.11 wireless network

Equivalent Privacy

Page 18: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Station requests association with Access Point

– Challenge-Response Scheme

• Procedure

WEP: Shared Key Authentication

1. AP sends random number to station

2. Station encrypts random number (using RC4, 40 bit shared key and 24 bit IV)

3. Encrypted random number sent to AP

4. AP decrypts received message (using the same key stream)

5. AP compares decrypted number with transmitted one (Step 1)

6. If numbers match, station knows shared secret key

Security - 07 Physical/Data Link Layer #18

Page 19: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Integrity: compute Integrity Check Vector (ICV)

– 32 bit Cyclic Redundancy Check appended to message to create plaintext

• Confidentiality: plaintext encrypted via RC4

– Plaintext XORed with key stream of pseudo random bits

WEP: Packet Transmission

– Plaintext XORed with key stream of pseudo random bits

– Key stream is function of 40-bit secret key and 24 bit initialization vector

Security - 07 Physical/Data Link Layer #19

PRNG

32 bit CRC

IV

Ciphertext

||

||Data

Secret key

Initialization Vector (IV)

Page 20: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Decryption: ciphertext decrypted via RC4– XORed with same key stream as sender – Generated from 40-bit secret key + 24 bit IV from packet– Key stream differs per packet (if different IV is used)

• Integrity: Compare received and decrypted ICV with CRC of received data

WEP: Packet Reception

Security - 07 Physical/Data Link Layer #20

PRNG

CRC

⊕IV

Ciphertext

||Secret key

Data

Compare

Plaintext

CRC

Page 21: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• IV must be different for every message– 802.11 standard doesn’t specify how IV is calculated

WEP: Initialization Vector

• Different implementations used– Simple incrementing counter for each message

– Alternating ascending and descending counters

– Some use a pseudo random IV generator

• Can be used for a variety of attacksSecurity - 07 Physical/Data Link Layer #21

Page 22: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Attack by extracting a single key stream

– AP does not check if IV is reused

• Attack Shared Key Authentication

WEP: Authentication Weaknesses

• Attack Shared Key Authentication

– Challenge and response provide plain and ciphertext

– M1 ⊕ C1 = M1 ⊕ M1 ⊕ RC4(IV,K)= RC4(IV,K)

– Attacker gets a valid key stream

• May be used for authentication and sending encrypted messages

Security - 07 Physical/Data Link Layer #22

Page 23: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• No mutual authentication

– Only client is authenticated

– APs are not authenticated

WEP: Authentication Weaknesses

• Allows man-in-the-middle attacks

– Build and run own AP with same name

– Client connects to AP with best signal

– Attacker forwards messages to real AP

Security - 07 Physical/Data Link Layer #23

Page 24: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• WEP dangerous due to wrong key usage– Not because of the algorithm

– RC4 securely used in SSL/TLS

WEP: Summary

• Recommended measures– WLAN cannot be trusted– WLAN outside the Intranet separated by Firewall– Use higher layer Security Protocols to secure communication• PPTP, IPSec, SSL, SSH, …

Security - 07 Physical/Data Link Layer #24

Page 25: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

Wireless LANsWireless LANsIEEE 802.11i (WPA & WPA2)

Page 26: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• After the collapse of WEP, IEEE started to develop a new

security architecture � 802.11i

• 802.11i novelties compared to WEP

Overview of 802.11i

– Access control model based on 802.1X

– Flexible authentication framework (using EAP)

• Authentication based on strong protocols (e.g., TLS)

• Authentication results in shared session key

– Different functions (encryption, integrity) use different keys derived

from the session key using a one-way function

– Improved encryption and integrity protection

Security - 07 Physical/Data Link Layer #26

Page 27: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• 802.11i defines concept of a Robust Security Network (RSN)– Integrity protection and encryption based on AES (not RC4 anymore)

– Good, but requires new hardware � no software update of routers possible

• For immediate security: updates to WEP – So-called pre-RSN networks

Overview of 802.11i

– So-called pre-RSN networks

– New protocol: Temporal Key Integrity Protocol (TKIP)

– Encryption based on RC4 but avoids WEP’s problems

– For integrity, a novel scheme is proposed (called Michael)

– Ugly solution, but runs on old hardware (after software upgrade)

• Industry names– TKIP �WPA (WiFi Protected Access)

– RSN �WPA2

Security - 07 Physical/Data Link Layer #27

Page 28: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

WEP TKIP (WPA) CCMP (WPA2)

Algorithm RC4 RC4 AES

Key Length 40 / 104 Bit 128 Bit (enc.)64 Bit (auth.)

128 bit

Initialization 24 Bit IV 48 Bit IV -

802.11i Security Solutions

Initialization

Vector

24 Bit IV 48 Bit IV -

Integrity

Data CRC32 Michael CCM(Counter with CBC-MAC)

Header none Michael CCM

Replay Protection none IV-Check IV-Check

Key Management none 802.11i 4-Way-Handshake

802.11i 4-Way-Handshake

Security - 07 Physical/Data Link Layer #28

Page 29: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

Wireless LANsWi-Fi Protected Access (WPA)

Wireless LANsWi-Fi Protected Access (WPA)

Temporal Key Integrity Protocol (TKIP)

Page 30: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Runs on old hardware

– Uses RC4 for encryption with WEP weaknesses corrected

• Improved message integrity scheme

– New protection mechanism called Michael

TKIP

– New protection mechanism called Michael

– Message Integrity Check (MIC) value is added at SDU level before fragmentation into PDUs

– Implemented in the device driver (in software)

• Improved confidentiality scheme

– Per-packet keys to prevent attacks based on weak keys

– Increases IV length to 48 Bits to prevent IV reuse

– Use IV as replay counter

Security - 07 Physical/Data Link Layer #30

Page 31: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

TKIP: Overview (High-Level)

Integrity Protection

Message

Security - 07 Physical/Data Link Layer #31

WEP Encryption

Encrypted and authenticated frames

Key Generation

WEP IV

WEP Key

Extended IV

Payload & MIC

Page 32: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

TKIP: Integrity Protection

Message

64 Bit Key

Security - 07 Physical/Data Link Layer #32

Michael Algorithm

Message MIC

Source MAC

Destination MAC

Priority

WEP Frame

MIC? MAC?

Page 33: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

TKIP: WEP Key Generation

MSB (32 Bit)LSB

(16 Bit)

Key Mixing (Phase 1)

Sequence Counter (48 Bit)

Source MAC(32 Bit)

WEP Key(128 Bit)

Security - 07 Physical/Data Link Layer #33

Key Mixing (Phase 2)

Fill ByteLow

Byte of Counter

High Byte of Counter

Packet-specific Key

80 Bit

Temporary WEP Key (128 Bit) used for encryption

Page 34: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

WEP and TKIP: Encryption (High-Level)

Payload + WPA-MICMessage

CRC-32 Algorithm

Security - 07 Physical/Data Link Layer #34

Temporary WEP Key

(128 Bit) used for

encryption

MessageWEP-ICV

RC4

PayloadWEP-ICV

EncryptedMessage

Page 35: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

TKIP: Overview (WEP Frame Details)

Integrity Protection

Message

Payload + MIC

Security - 07 Physical/Data Link Layer #35

WEP Encryption WEP-VerschlüsselungKey

Generation

IV + EIV

WEP IV

WEP Key

Payload + MIC

Encrypted and authenticated frames

MAC

Header

IV and

Key ID

EIV Payload MIC WEP ICV FCS

Page 36: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

Wireless LANsCounter Mode with Cipher Block Chaining

Message Authentication Code Protocol (CCMP)

Page 37: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

• Standard encryption protocol for use with the

CCMP and WPA2

• Standard encryption protocol for use with the WPA2 standard

• Replaces

– RC4 stream-cipher with AES block cipher

– WEP ICV with (CBC-)MAC value based on AES

Security - 04 Cryptology #37

Page 38: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Encryption

– Based on CTR mode (using AES); see chapter on cryptology

– Encrypts payload and MAC value to protect integrity and confidentiality

CCMP and WPA2

– Not encrypted: Headers of MAC (frame) and CCMP

• Integrity protection

– Cipher Block Chaining Message Authentication Code (CBC-MAC)

– Integrity protection based on CBC-MAC (using AES)

– See next slide

Security - 04 Cryptology #38

Page 39: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Uses a block cipher to create a message authentication code (MAC)

CBC-MAC: Cipher Block Chaining MAC

Security - 04 Cryptology #39

Plaintext chunk #1

Block CipherKey �

⊕⊕⊕⊕

Plaintext chunk #2

Block CipherKey �

⊕⊕⊕⊕

Plaintext chunk #3

Block CipherKey �

⊕⊕⊕⊕

MAC

Initialization Vector (IV)

Page 40: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• CBC-MAC computed over – MAC header

– CCMP header

– Payload

CCMP: Integrity

– Payload

• Mutable fields are set to zero

• Input is padded with zeros if length is not multiple of 128 Bits

Security - 04 Cryptology #40

Page 41: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

Wireless LANsWireless LANsIEEE 802.1X / EAP / PEAP

Page 42: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Access to resources after successful authentication– IEEE 802.1X: EAP over Ethernet/LAN (EAPOL)

– For details on EAP see chapter on AAA

Authentication via IEEE 802.1X

Security - 07 Physical/Data Link Layer #42

Client (Supplicant)

Authenticator(e.g., access

point)

Authentication Server

(e.g., RADIUS)

IEEE 802.1X: EAP over Ethernet Arbitrary Protocol

EAP Messages

Page 43: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• 802.11 association happens first– Open authentication– Provides access to the AP and allows an IP address to be supplied

Association and Authentication

• Access beyond the AP is still prohibited– AP drops non-EAP traffic

• Authentication conversation between supplicant and authentication server– Wireless NIC and AP are pass through devices

• After authentication, AP allows full trafficSecurity - 07 Physical/Data Link Layer #43

Page 44: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

Summary of the Protocol Architecturee.g., EAP-MS-CHAPv2

e.g., PEAP

EAP (RFC 3748)

Security - 07 Physical/Data Link Layer #44

Access Point Authentication ServerClient

EAPOL (802.1X)

802.11 (WiFi)

EAP over RADIUS (RFC 3579)

RADIUS protocol (RFC 2865)

TCP/IP

Page 45: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

802.11, 802.1X, EAP (with CHAP + RADIUS)Supplicant

(WiFi Client)Supplicant

(WiFi Client)Authenticator(Access Point)

AuthenticationServer

802.11 association

EAPOL Start

EAP request for identity

Security - 07 Physical/Data Link Layer #45

EAP-response (identity)

EAP-request (challenge)

EAP-response (response)

EAP-succcess

EAPOW-key (WEP/CCMP)

Access-request

RADIUS-challenge

RADIUS-access-request

RADIUS-access-accept

Secure authenticated connection

Page 46: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Authenticator and Client negotiate a private unicast key – Prevents other associated clients from eavesdropping on the communication

• Authenticator also provides a broadcast key

Result of successful authentication

• Authenticator also provides a broadcast key – For broadcast communication amongst all associated clients

Security - 04 Cryptology #46

802.11 AP802.11 Client 802.11 Client

Private Unicast Key Private Unicast Key

Shared Broadcast Key

Page 47: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Users can roam to university-run Wi-Fis worldwide

Example: Eduroam (Germany)

• Authentication by home organization

Security - 07 Physical/Data Link Layer #47

Page 48: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Requests are routed to the user’s home organization’s authentication server– Based on “realm”: username@realm

– E.g., [email protected]

Example: Eduroam (Germany)

– E.g., [email protected]

• Authentication– Uses a secure PEAP (TLS) tunnel to the server

– Server provides certificate to avoid man-in-the-middle attacks

– Authenticate using some EAP-method (e.g., MS-CHAPv2 at Lübeck)

Security - 07 Physical/Data Link Layer #48

Page 49: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

1. Lübeck‘s RADIUS requests identity– Dennis replies with dennis@uni-

heidelberg.de

2. Realm is unknown to RADIUS server– Forwards all EAP packets to DFN central

RADIUS server

Example: Dennis visits Lübeck

Berlin

Lübeck

2.

4.

3. Berlin knows mapping <realm, RADIUS server> – Forwards packets to Heidelberg

4. Virtual EAP connection between Dennis’ computer and Heidelberg RADIUS server– Dennis authenticates against this server– Server presents certificate to authenticate

towards Dennis

5. After authentication, access is granted locally

Security - 04 Cryptology #49

Heidelberg

Berlin

3.

4.

Page 50: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

Visitor from SF comes to Lübeck

Lübeck

New York Berlin

Security - 04 Cryptology #50

San FranciscoNew York Berlin

Page 51: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• Security has always been considered important for WiFi

– Early solution based on WEP seriously flawed

• New security standard for WiFi: 802.11i

– TKIP (WPA)

Summary on WiFi Security

– TKIP (WPA)• Uses RC4 � runs on old hardware

• Corrects WEP’s flaws

• Mandatory in WPA, optional in WPA2

– CCMP (WPA2)• Access control model based on 802.1X and EAP � Improved key management

• Uses AES in CCMP mode (CTR mode and CBC-MAC)

• Needs new hardware that supports AES

Security - 07 Physical/Data Link Layer 51/60

Page 52: Protocols (Physical/Data-Link Layer) - uni-rostock.de ·  · 2012-07-26Distributed Systems Security Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck Protocols

• War Driving Tools http://www.wardrive.net/wardriving/tools/

• J. Schiller. Mobile Communications. 2. Auflage, Addison-Wesley, 2003 IEEE 802.11a/b/g/i Standards. http://standards.ieee.org/getieee802/802.11.html

• Nikita Borisov, Ian Goldberg, David Wagner. Intercepting mobile

Literature

• Nikita Borisov, Ian Goldberg, David Wagner. Intercepting mobile communications: the insecurity of 802.11. MOBICOM 2001, pp180-189.

• Scott R. Fluhrer, Itsik Mantin, Adi Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. Selected Areas in Cryptography 2001: pp1-24.

• Clint Chaplin, Emily Qi, Henry Ptasinski, Jesse Walker, Sheung Li. 802.11i Overview. IEEE 802.11-04/0123r1, Februar 2005

• The Unofficial 802.11 Security Web Page http://www.drizzle.com/~aboba/IEEE/

Security - 07 Physical/Data Link Layer #52