The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Levente Buttyán and Jean-Pierre Hubaux
Security and Cooperation in Wireless Networks
http://secowinet.epfl.ch/
The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)
Cellular networks: GSM; UMTS; LTE; WiFi LANs; Bluetooth
Mobile Networks – Module H1


Page 1: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

© Levente Buttyán and Jean-Pierre Hubaux

Security and Cooperation in Wireless Networks

http://secowinet.epfl.ch/

The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Cellular networks:
- GSM;
- UMTS;
- LTE;
WiFi LANs;
Bluetooth;

Mobile Networks – Module H1

Page 2: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Security and Cooperation in Wireless Networks
Chapter 1: The security of existing wireless networks

Why is security more of a concern in wireless?

no inherent physical protection
– physical connections between devices are replaced by logical associations
– sending and receiving messages do not need physical access to the network infrastructure (cables, hubs, routers, etc.)

broadcast communications
– wireless usually means radio, which has a broadcast nature
– transmissions can be overheard by anyone in range
– anyone can generate transmissions,
  • which will be received by other devices in range
  • which will interfere with other nearby transmissions and may prevent their correct reception (jamming)

eavesdropping is easy
injecting bogus messages into the network is easy
replaying previously recorded messages is easy
illegitimate access to the network and its services is easy
denial of service is easily achieved by jamming

Page 3: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Wireless communication security requirements

confidentiality
– messages sent over wireless links must be encrypted

authenticity
– origin of messages received over wireless links must be verified

replay detection
– freshness of messages received over wireless links must be checked

integrity
– modifying messages on-the-fly (during radio transmission) is not so easy, but possible …
– integrity of messages received over wireless links must be verified

access control
– access to the network services should be provided only to legitimate entities
– access control should be permanent
  • it is not enough to check the legitimacy of an entity only when it joins the network and its logical associations are established, because logical associations can be hijacked

protection against jamming

Page 4: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Chapter outline

1.3.1 Cellular networks
1.3.2 WiFi LANs
1.3.3 Bluetooth

Page 5: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

GSM architecture

[Figure: GSM architecture]

1.3.1 Cellular networks: GSM security

Page 6: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

GSM Security

main security requirement
– subscriber authentication (for the sake of billing)
  • challenge-response protocol
  • long-term secret key shared between the subscriber and the home network operator
  • supports roaming without revealing long-term key to the visited networks

other security services provided by GSM
– confidentiality of communications and signaling over the wireless interface
  • encryption key shared between the subscriber and the visited network is established with the help of the home network as part of the subscriber authentication protocol
– protection of the subscriber’s identity from eavesdroppers on the wireless interface
  • usage of short-term temporary identifiers

Page 7: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

The SIM card (Subscriber Identity Module)

Must be tamper-resistant
Protected by a PIN code (checked locally by the SIM)
Is removable from the terminal
Contains all data specific to the end user which have to reside in the Mobile Station:
– IMSI: International Mobile Subscriber Identity (permanent user’s identity)
– PIN
– TMSI (Temporary Mobile Subscriber Identity)
– Ki: User’s secret key
– Kc: Ciphering key
– List of the last call attempts
– List of preferred operators
– Supplementary service data (abbreviated dialing, last short messages received, ...)

Page 8: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Cryptographic algorithms of GSM

[Figure: the random number R and the user’s secret key Ki are the inputs of A3 and A8; A3 outputs S (used for authentication) and A8 outputs Kc (used by the ciphering algorithm A5); R, S and Kc form a triplet]

Kc: ciphering key
S: signed result
A3: subscriber authentication (operator-dependent algorithm)
A5: ciphering/deciphering (standardized algorithm)
A8: cipher generation (operator-dependent algorithm)

Page 9: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

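Authentication principle of GSM

[Figure: message flow between Mobile Station, Visited network and Home network]
– Mobile Station → Visited network: IMSI (or TMSI)
– Visited network → Home network: IMSI
– Home network: from Ki and R, A8 computes Kc and A3 computes S
– Home network → Visited network: Triplets (Kc, R, S)
– Visited network → Mobile Station: Authenticate (R)
– Mobile Station: from Ki and R, A8 computes Kc and A3 computes S’
– Mobile Station → Visited network: Auth-ack (S’)
– Visited network: S = S’?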

Page 10: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Ciphering in GSM

[Figure: at the sender (Mobile Station or Network), A5 takes Kc and the FRAME NUMBER and outputs a CIPHERING SEQUENCE, which is XORed (⊕) with the PLAINTEXT SEQUENCE to give the CIPHERTEXT SEQUENCE; at the receiver (Network or Mobile Station), A5 with Kc and the FRAME NUMBER outputs the CIPHERING SEQUENCE, which is XORed (⊕) with the CIPHERTEXT SEQUENCE to give the PLAINTEXT SEQUENCE]

Page 11: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Problems with GSM security

Only provides access security – communications and signaling traffic in the fixed network are not protected.
Does not address active attacks, whereby some network elements (e.g. BTS: Base Station)
Only as secure as the fixed networks to which they connect
Lawful interception only considered as an after-thought
Terminal identity cannot be trusted
Difficult to upgrade the cryptographic mechanisms
Lack of user visibility (e.g. doesn’t know if encrypted or not)
Cryptographic problems
– A3/A5/A8 algorithms

Page 12: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Attacks on GSM

Eavesdropping. The required equipment is a modified MS.
Impersonation of a user. The required equipment is a modified MS.
Impersonation of the network. The required equipment is modified BTS.
– IMSI catcher
Man-in-the-middle. The required equipment is modified BTS in conjunction with a modified MS.
Compromising authentication vectors in the network.

Page 13: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Conclusion on GSM security

Focused on the protection of the air interface
No protection on the wired part of the network (neither for privacy nor for confidentiality)
The visited network has access to all data (except the secret key of the end user)
Generally robust, but a few successful attacks have been reported:
– faked base stations
– cloning of the SIM card

Page 14: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

3GPP Security Principles

Reuse of 2nd generation security principles (GSM):
– Removable hardware security module
  • In GSM: SIM card
  • In 3GPP: USIM (User Services Identity Module)
– Radio interface encryption
– Limited trust in the Visited Network
– Protection of the identity of the end user (especially on the radio interface)

Correction of the following weaknesses of the previous generation:
– Possible attacks from a faked base station
– Cipher keys and authentication data transmitted in clear between and within networks
– Encryption not used in some networks open to fraud
– Data integrity not provided
– …

1.3.1 Cellular networks: UMTS security

Page 15: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

UMTS vs. GSM security

A change was made to defeat the false base station attack. The security mechanism ensures that the mobile can identify the network.

Key lengths were increased to allow for the possibility of stronger algorithms for encryption and integrity.

Mechanisms were included to support security within and between networks.

The presence of a sequence number in the challenge allows the USIM to verify the freshness of the cipher key to help guard against forced re-use of a compromised authentication vector.

A mandatory cipher mode command with message authentication and replay inhibition allows the mobile to verify that encryption has not been suppressed by an attacker.

Page 16: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Authentication in 3GPP

[Figure: message flow between Mobile Station, Visited Network and Home Environment; K is the user’s secret key, held by the Mobile Station and the Home Environment]
– Home Environment: generation of cryptographic material from the sequence number (SQN) and RAND(i)
– Mobile Station → Visited Network: IMSI/TMSI
– Home Environment → Visited Network: authentication vectors
– Visited Network → Mobile Station: user authentication request RAND(i) || AUTN(i)
– Mobile Station: verify AUTN(i), compute RES(i)
– Mobile Station → Visited Network: user authentication response RES(i)
– Visited Network: compare RES(i) and XRES(i)
– Mobile Station: compute CK(i) and IK(i)
– Visited Network: select CK(i) and IK(i)

Page 17: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Generation of the authentication vectors

[Figure: SQN and RAND are generated; together with K and AMF they are the inputs of the functions f1 to f5, which output:]
– f1: MAC (Message Authentication Code)
– f2: XRES (Expected Result)
– f3: CK (Cipher Key)
– f4: IK (Integrity Key)
– f5: AK (Anonymity Key)

AMF: Authentication and Key Management Field
AUTN: Authentication Token
AV: Authentication Vector

Page 18: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

User Authentication Function in the USIM

USIM: User Services Identity Module

[Figure: the inputs are RAND, AUTN (SQN, AK, AMF, MAC) and K; f5 outputs AK, and f1 to f4 output:]
– f1: XMAC (Expected MAC)
– f2: RES (Result)
– f3: CK (Cipher Key)
– f4: IK (Integrity Key)

• Verify MAC = XMAC
• Verify that SQN is in the correct range
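The two USIM checks above (MAC = XMAC, SQN in range), run end to end as an added example that is not part of the slides. HMAC-SHA256 stands in for the operator-specific f1 to f5 (an assumption; it is not MILENAGE), and the key, the AMF value, the SQN window and all class and function names are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Assumption: HMAC-SHA256 with a per-function label stands in for the
# operator-specific f1..f5. This is NOT MILENAGE; it only keeps the example
# runnable with the standard library.
def _prf(label, k, data, n):
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def f1(k, sqn, amf, rand): return _prf(b"f1", k, sqn + amf + rand, 8)  # MAC / XMAC
def f2(k, rand): return _prf(b"f2", k, rand, 8)    # XRES / RES
def f3(k, rand): return _prf(b"f3", k, rand, 16)   # CK
def f4(k, rand): return _prf(b"f4", k, rand, 16)   # IK
def f5(k, rand): return _prf(b"f5", k, rand, 6)    # AK

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

AMF = b"\x80\x00"  # constructed sample value
SQN_WINDOW = 32    # assumption: how far ahead of its stored SQN the USIM accepts


class HomeEnvironment:
    """Shares K with the USIM and keeps the subscriber's sequence number."""

    def __init__(self, k):
        self.k = k
        self.sqn = 0

    def generate_av(self):
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = os.urandom(16)
        mac = f1(self.k, sqn, AMF, rand)
        # AUTN = (SQN xor AK) || AMF || MAC
        autn = xor(sqn, f5(self.k, rand)) + AMF + mac
        return {"RAND": rand, "AUTN": autn, "XRES": f2(self.k, rand),
                "CK": f3(self.k, rand), "IK": f4(self.k, rand)}


class USIM:
    def __init__(self, k):
        self.k = k
        self.sqn_seen = 0  # highest SQN accepted so far

    def authenticate(self, rand, autn):
        if len(autn) != 16:
            return "MAC_FAILURE", None
        concealed_sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(concealed_sqn, f5(self.k, rand))
        # Check 1: MAC = XMAC shows the vector came from a party that knows K.
        if not hmac.compare_digest(mac, f1(self.k, sqn, amf, rand)):
            return "MAC_FAILURE", None
        # Check 2: SQN in range shows the vector is fresh. A real USIM answers
        # a failure here with a resynchronisation token built with f1*, f5*.
        n = int.from_bytes(sqn, "big")
        if not self.sqn_seen < n <= self.sqn_seen + SQN_WINDOW:
            return "SYNC_FAILURE", None
        self.sqn_seen = n
        return "OK", {"RES": f2(self.k, rand), "CK": f3(self.k, rand),
                      "IK": f4(self.k, rand)}


def run_exchange():
    k = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    home, usim = HomeEnvironment(k), USIM(k)

    av = home.generate_av()  # Home Environment -> Visited Network
    status, out = usim.authenticate(av["RAND"], av["AUTN"])
    # The Visited Network compares RES with XRES; it never sees K.
    res_matches = status == "OK" and hmac.compare_digest(out["RES"], av["XRES"])
    keys_agree = status == "OK" and (out["CK"], out["IK"]) == (av["CK"], av["IK"])

    # The same (RAND, AUTN) presented again: the MAC is valid, the SQN is stale.
    replay_status, _ = usim.authenticate(av["RAND"], av["AUTN"])

    # A base station without K cannot build a valid MAC (constructed forgery).
    forged_status, _ = usim.authenticate(os.urandom(16),
                                         os.urandom(6) + AMF + os.urandom(8))
    return {"first": status, "res_matches": res_matches, "keys_agree": keys_agree,
            "replay": replay_status, "forged": forged_status}


if __name__ == "__main__":
    print(run_exchange())
```

GSM has neither check: the mobile station answers any challenge R, which is why a false base station and a re-used triplet both succeed there.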

Page 19: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

More about the authentication and key generation

In addition to f1, f2, f3, f4 and f5, two more functions are defined: f1* and f5*, used in case the authentication procedure gets desynchronized (detected by the range of SQN).
f1, f1*, f2, f3, f4, f5 and f5* are operator-specific
However, 3GPP provides a detailed example of algorithm set, called MILENAGE
MILENAGE is based on the Rijndael block cipher
In MILENAGE, the generation of all seven functions f1…f5* is based on the Rijndael algorithm

Page 20: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Authentication and key generation functions f1…f5*

[Figure: RAND, SQN||AMF, OP and OPc are combined through the block cipher EK, with rotations by r1,…, r5 and additions of c1,…, c5, to produce the outputs f1, f1*, f5, f2, f3, f4 and f5*]

OP: operator-specific parameter
r1,…, r5: fixed rotation constants
c1,…, c5: fixed addition constants
EK: Rijndael block cipher with 128 bits text input and 128 bits key

Page 21: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Signalling integrity protection method

[Figure: the sender (Mobile Station or Radio Network Controller) computes MAC-I with f9 from IK, the SIGNALLING MESSAGE, COUNT-I, FRESH and DIRECTION; the receiver (Radio Network Controller or Mobile Station) computes XMAC-I with f9 from IK, the SIGNALLING MESSAGE, COUNT-I, FRESH and DIRECTION]

FRESH: random input

Page 22: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Ciphering method

[Figure: at the sender (Mobile Station or Radio Network Controller), f8 takes CK, BEARER, COUNT-C, LENGTH and DIRECTION and outputs a KEYSTREAM BLOCK, which is XORed (⊕) with the PLAINTEXT BLOCK to give the CIPHERTEXT BLOCK; at the receiver (Radio Network Controller or Mobile Station), f8 with the same inputs outputs the KEYSTREAM BLOCK, which is XORed (⊕) with the CIPHERTEXT BLOCK to give the PLAINTEXT BLOCK]

BEARER: radio bearer identifier
COUNT-C: ciphering sequence counter

Page 23: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

The keystream generator f8

[Figure: COUNT || BEARER || DIRECTION || 0…0 is processed by KASUMI keyed with CK and KM and stored in a register; a chain of KASUMI blocks keyed with CK, one per block counter value BLKCNT=0, BLKCNT=1, BLKCNT=2, …, BLKCNT=BLOCKS-1, outputs the keystream blocks KS[0]…KS[63], KS[64]…KS[127], KS[128]…KS[191], …]

KM: Key Modifier
KS: Keystream

Page 24: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Details of Kasumi

[Figures: Fig. 1: KASUMI (rounds built from FL1…FL8 and FO1…FO8 with subkeys KL1…KL8, KO1…KO8 and KI1…KI8, taking the 32-bit halves L0 and R0 to L8 and R8). Fig. 2: FO function (FIi1, FIi2, FIi3 with subkeys KOi,1…KOi,3 and KIi,1…KIi,3). Fig. 3: FI function (S-boxes S9 and S7, zero-extend and truncate, subkeys KIi,j,1 and KIi,j,2). Fig. 4: FL function (bitwise AND operation, bitwise OR operation, one bit left rotation <<<, subkeys KLi,1 and KLi,2)]

KLi, KOi, KIi: subkeys used at ith round
S7, S9: S-boxes

Page 25: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Conclusion on 3GPP security

Some improvement with respect to 2nd generation
– Cryptographic algorithms are published
– Integrity of the signalling messages is protected
Quite conservative solution
Privacy/anonymity of the user not completely protected

Page 26: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

LTE

Evolution of UMTS
Provides seamless Internet Protocol (IP) connectivity between user equipment (UE) and the packet data network (PDN)
No disruption to the end users’ applications during mobility
System: Evolved packet system (EPS)
– Evolved packet core (EPC) network
  • Responsible for the overall control of the establishment of the bearers (set of network parameters that defines data-specific treatment) and the UE
– Radio access network (E-UTRAN)
  • Responsible for all radio-related functions

Note: no questions on LTE security at the exam or at the quiz

Cellular networks: LTE security

Page 27: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

LTE Architecture

[Figure: LTE architecture]

Page 28: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Logical nodes in the EPC (I)

Policy Control and Charging Rules Function (PCRF) responsible for
– Policy control and decision-making,
– Control of the flow-based charging functionalities,
– QoS authorization provision

Home Subscriber Server (HSS) holds
– Users subscription data,
– Information about the PDNs,
– Dynamic information the identity of the MME

PDN Gateway (P-GW) is responsible for
– IP address allocation for the UE,
– Filtering of downlink user IP packets into the different QoS-based bearers,
– QoS enforcement for guaranteed bit rate bearers

Page 29: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Logical nodes in the EPC (II)

Serving Gateway (S-GW) serves as
– Local mobility anchor for the data bearers when the UE moves between eNodeBs
– Buffer of downlink data while the MME paging
– Administrative functions

Mobility Management Entity (MME) is the control node that processes the signaling between the UE and the CN
– Non Access Stratum (NAS) protocols running between the UE and the CN
– Functions related to bearer management
– Functions related to connection management

Page 30: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

LTE security - Overview

Re-use of UMTS Authentication and Key Agreement (AKA)
Use of USIM required (GSM SIM excluded)
Extended key hierarchy
Possibility for longer keys
Greater protection for backhaul
Integrated interworking security for legacy and non-3GPP networks
Current keylength 128 bits
– Possibility to extend to 256 in the future (longer keys)

Page 31: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

LTE key hierarchy

[Figure: LTE key hierarchy]

AuC: Authentication center
CK: Encryption key
IK: integrity protection key
NAS: Non-access stratum, maintaining connectivity and active sessions with user equipment as the user moves
RRC: Radio resource control
ASME: Access Security Management Entity

Page 32: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

LTE Security Architecture

Network access security
– Provides the UEs with secure access to the EPC and protects against various attacks on the radio link

Network domain security
– Protects against attacks on the wire line network and enables nodes to exchange signaling data and user data in a secure manner

User domain security
– Provides a mutual authentication between the USIM and the MME

Application domain security
– Enables applications in the UE and in the provider domain to securely exchange messages.

Non 3GPP domain security
– Enables the UEs to securely access the EPC via non-3GPP access networks and provides security protection on the radio access link

Page 33: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

LTE - Network Access Security (I)

LTE cellular security
– Mutual authentication between an UE and the EPC using Authentication and Key Agreement (AKA)
  • Serving network identity (SN ID) has been added to the EPS AKA procedure to avoid attacks such as redirection attacks and false base station attacks
– Generates a ciphering key (CK) and an integrity key (IK) to derive different session keys for the encryption and the integrity protection
  • A new key hierarchy is introduced to protect the security of the signaling and user data traffic
– When an UE connects to the EPC over the E-UTRAN, the MME asks the EPC to perform a mutual authentication with the UE by the EAP AKA
– For non-3GPP access, several different AKA procedures are implemented
  • EAP-AKA for trusted non-3GPP access network
  • IPsec tunnel establishment between UE and packet data gateway and Internet Key Exchange Protocol for untrusted non-3GPP access network

Page 34: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

LTE – Encryption and Integrity Protection in the Control Plane

LTE supports two levels of security on the control plane
– The NAS traffic between the MME and the UE is protected with NAS level keys
– The RRC connection traffic between the MME and the UE is protected with RRC level keys

Page 35: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

LTE – Encryption and Integrity Protection in the User Plane

User plane data is encrypted with the KUPenc key

Page 36: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

LTE - Network Access Security (II)

LTE handover security
– The current eNB and the target eNB are managed by the same MME
  • In handovers, a new session key, derived from the active session key, is used between the UE and the target eNB
– Mobility between the E-UTRAN and UTRAN/GERAN (2G/3G)
  • Handover from the E-UTRAN to the UTRAN or the GERAN
    – The target Service GPRS Supporting Node (SGSN) and the UE replace all stored parameters with the ones received from MME to generate the session key.
  • Handover from the UTRAN/GERAN to the E-UTRAN
    – UE and MME derive the same key via the target Service GPRS Supporting Node (SGSN)
– Mobility between E-UTRAN and non-3GPP access networks
  • Handovers from trusted or untrusted non-3GPP access networks to the E-UTRAN
  • Handovers from the E-UTRAN to trusted or untrusted non-3GPP access networks
  • The UE, the target access network and the EPC implement a full access authentication procedure before the UE hands over to the new access network

Page 37: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

LTE Vulnerabilities (I)

The flat IP-based architecture of the LTE networks results in more security risks (virus, worm, DoS attacks, etc.)

New risks exist due to several different mobility scenarios when a UE moves away from an eNB/HeNB to a new HeNB/eNB

The EPS-AKA scheme lacks privacy protection (disclosure of IMSI at some instances, subject to MitM attack, etc.)
– Several new AKA schemes proposed

DoS attacks cannot be prevented (MME forwards the UE’s requests to the HSS/AuC even before the UE is authenticated by the MME)

Page 38: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

References

GSM Security
– Helsinki University of Technology
– http://www.netlab.tkk.fi/opetus/s38153/k2003/Lectures/g42GSM_security.pdf

3GPP LTE Security Aspects
– 3GPP Initiative
– http://www.3gpp.org/ftp/information/presentations/presentations_2011/2011_05_Bangalore/DZBangalore290511.pdf

Page 39: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Chapter outline

1.3.1 Cellular networks
1.3.2 WiFi LANs
1.3.3 Bluetooth

Page 40: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Reminder on WiFi

[Figure: the STA is scanning on each channel and receives beacons from the AP; the STA sends an association request, the AP answers with an association response, and the STA is “connected”]

beacon
- MAC header
- timestamp
- beacon interval
- capability info
- SSID (network name)
- supported data rates
- radio parameters
- power save flags

1.3.2 WiFi LANs

Page 41: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Reminder on WiFi

[Figure: an AP connected to the Internet]

Page 42: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WEP – Wired Equivalent Privacy

part of the IEEE 802.11 specification

goal
– make a WiFi network at least as secure as a wired LAN (that has no particular protection mechanisms)
– WEP was never intended to achieve strong security

services
– access control to the network
– message confidentiality
– message integrity

1.3.2 WiFi LANs: Wired Equivalent Privacy (WEP)

Page 43: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WEP – Access control

before association, the STA needs to authenticate itself to the AP

authentication is based on a simple challenge-response protocol:

STA → AP: authenticate request
AP → STA: authenticate challenge (r) // r is 128 bits long
STA → AP: authenticate response (eK(r))
AP → STA: authenticate success/failure

once authenticated, the STA can send an association request, and the AP will respond with an association response

if authentication fails, no association is possible

Page 44: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WEP – Message confidentiality and integrity

WEP encryption is based on RC4 (a stream cipher developed in 1987 by Ron Rivest for RSA Data Security, Inc.)
– operation:
  • for each message to be sent:
    – RC4 is initialized with the shared secret (between STA and AP)
    – RC4 produces a pseudo-random byte sequence (key stream)
    – this pseudo-random byte sequence is XORed to the message
  • reception is analogous
– it is essential that each message is encrypted with a different key stream
  • the RC4 generator is initialized with the shared secret and an IV (initial value) together
    – shared secret is the same for each message
    – 24-bit IV changes for every message

WEP integrity protection is based on an encrypted CRC value
– operation:
  • ICV (integrity check value) is computed and appended to the message
  • the message and the ICV are encrypted together

Page 45: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WEP – Message confidentiality and integrity

[Figure: encode: the IV and the secret key are the input of RC4, which outputs K; K is XORed with message + ICV, and the IV is sent together with the encrypted message + ICV. decode: the received IV and the secret key are the input of RC4, which outputs K; K is XORed with the encrypted part to give message + ICV]

K: pseudo-random sequence

Page 46: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WEP – Keys

two kinds of keys are allowed by the standard
– default key (also called shared key, group key, multicast key, broadcast key, key)
– key mapping keys (also called individual key, per-station key, unique key)

in practice, often only default keys are supported
– the default key is manually installed in every STA and the AP
– each STA uses the same shared secret key → in principle, STAs can decrypt each other’s messages

[Figure: default key: the stations id:X, id:Y and id:Z each hold key:abc, and the AP holds key:abc. key mapping key: id:X holds key:def, id:Y holds key:ghi, id:Z holds key:jkl, and the AP holds the table id:X | key:def, id:Y | key:ghi, id:Z | key:jkl]

Page 47: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WEP – Management of default keys

the default key is a group key, and group keys need to be changed when a member leaves the group
– e.g., when someone leaves the company and shouldn’t have access to the network anymore

it is practically impossible to change the default key in every device simultaneously

hence, WEP supports multiple default keys to help the smooth change of keys
– one of the keys is called the active key
– the active key is used to encrypt messages
– any key can be used to decrypt messages
– the message header contains a key ID that allows the receiver to find out which key should be used to decrypt the message

Page 48: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WEP – The key change process

[Figure: timeline of a change from key abc to key def; each device holds two key slots and moves over time through the states abc* / ---, abc* / def, abc / def* and --- / def*]

* active key

Page 49: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WEP flaws – Authentication and access control

authentication is one-way only
– AP is not authenticated to STA
– STA is at risk to associate to a rogue AP

the same shared secret key is used for authentication and encryption
– weaknesses in any of the two protocols can be used to break the key

no session key is established during authentication
– access control is not continuous
– once a STA has authenticated and associated to the AP, an attacker can send messages using the MAC address of STA
– correctly encrypted messages cannot be produced by the attacker, but replay of STA messages is still possible

STA can be impersonated
– … next slide

Page 50: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WEP flaws – Authentication and access control

recall that authentication is based on a challenge-response protocol:
  …
  AP → STA: r
  STA → AP: IV | r ⊕ K
  …
  where K is a 128 bit RC4 output on IV and the shared secret
an attacker can compute r ⊕ (r ⊕ K) = K
then it can use K to impersonate STA later:
  …
  AP → attacker: r’
  attacker → AP: IV | r’ ⊕ K
  …

Page 51: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WEP flaws – Integrity and replay protection

There’s no replay protection
  – IV is not mandated to be incremented after each message
The attacker can manipulate messages despite the ICV mechanism and encryption
  – CRC is a linear function wrt XOR: CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y)
    - attacker observes (M | CRC(M)) ⊕ K where K is the RC4 output
    - for any M, the attacker can compute CRC(M)
    - hence, the attacker can compute:
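The two flaws on the last two slides (keystream recovery from the challenge-response exchange, and the linear ICV) as an added Python example that is not part of the slides. It follows the slides' simplified message formats; the secret, IV, key for the contrast case and all function names are constructed, and a truncated HMAC stands in for a keyed MIC to show what the CRC lacks.

```python
import hashlib, hmac, zlib

SECRET = b"constructed13"           # constructed 104-bit shared secret
IV = bytes([0x0A, 0x0B, 0x0C])      # constructed 24-bit IV, sent in clear
MIC_KEY = b"constructed-mic-key"    # constructed key, used only by the contrast case

def rc4(key, n):
    """First n bytes of RC4 output for key (key scheduling, then generation)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sta_response(r):
    """Legitimate STA: r XOR K, where K = RC4(IV | secret)."""
    return xor(r, rc4(IV + SECRET, len(r)))

def ap_accepts(r, response):
    return xor(response, rc4(IV + SECRET, len(response))) == r

def answer_without_secret(r_seen, response_seen, r_new):
    """Observer: K = r XOR (r XOR K); the same IV and K answer any later challenge."""
    return xor(r_new, xor(r_seen, response_seen))

def icv(data):
    """WEP-style ICV: plain CRC-32, no key involved."""
    return zlib.crc32(data).to_bytes(4, "little")

def keyed_tag(data):
    """Contrast case: truncated HMAC-SHA256 standing in for a keyed MIC."""
    return hmac.new(MIC_KEY, data, hashlib.sha256).digest()[:4]

def protect(msg, tag=icv):
    body = msg + tag(msg)
    return xor(body, rc4(IV + SECRET, len(body)))

def unprotect(ct, tag=icv):
    body = xor(ct, rc4(IV + SECRET, len(ct)))
    return body[:-4] if tag(body[:-4]) == body[-4:] else None

def flip_under_icv(ct, delta):
    """Apply delta to the hidden plaintext and patch the CRC without any key.
    zlib's CRC-32 is affine: crc(m ^ d) = crc(m) ^ crc(d) ^ crc(zeros)."""
    patch = xor(icv(delta), icv(bytes(len(delta))))
    return xor(ct, delta + patch)
```

The same patch applied to a message protected with `keyed_tag` is rejected, which is the property Michael and CBC-MAC add in 802.11i.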

Page 52: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WEP flaws – Confidentiality

IV reuse
  – IV space is too small
    • IV size is only 24 bits, so there are 16,777,216 possible IVs
    • after around 17 million messages, IVs are reused
    • a busy AP at 11 Mbps is capable of transmitting 700 packets per second, so the IV space is used up in around 7 hours
  – in many implementations IVs are initialized with 0 on startup
    • if several devices are switched on nearly at the same time, they all use the same sequence of IVs
    • if they all use the same default key (which is the common case), then IV collisions are readily available to an attacker
weak RC4 keys
  – for some seed values (called weak keys), the beginning of the RC4 output is not really random
  – if a weak key is used, then the first few bytes of the output reveal a lot of information about the key, so breaking the key is made easier
  – for this reason, crypto experts suggest always throwing away the first 256 bytes of the RC4 output, but WEP doesn’t do that
  – due to the use of IVs, eventually a weak key will be used, and the attacker will know that, because the IV is sent in clear
WEP encryption can be broken by capturing a few million messages !!!

Page 53: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WEP Attacks and Tools

A network that is secured with WEP has been cracked in 3 minutes by the FBI
aircrack, airsnort
  – Both tools can reliably recover static WEP keys
aircrack often effective with as few as 75k packets!
Once enough traffic is captured, analysis is typically under 1 minute

Page 54: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WEP – Lessons learnt

1. Engineering security protocols is difficult
  – One can combine otherwise strong building blocks in a wrong way and obtain an insecure system at the end
    • Example 1:
      – stream ciphers alone are OK
      – challenge-response protocols for entity authentication are OK
      – but they shouldn’t be combined
    • Example 2:
      – encrypting a message digest to obtain an ICV is a good principle
      – but it doesn’t work if the message digest function is linear wrt the encryption function
  – Don’t do it alone (unless you are a security expert)
    • functional properties can be tested, but security is a non-functional property, so it is extremely difficult to tell if a system is secure or not
  – Using an expert in the design phase pays off (fixing the system after deployment will be much more expensive)
    • experts will not guarantee that your system is 100% secure
    • but at least they know many pitfalls
    • they know the details of crypto algorithms
2. Avoid the use of WEP

Page 55: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

1.3.2 WiFi LANs – IEEE 802.11i

Overview of 802.11i

After the collapse of WEP, IEEE started to develop a new security architecture: 802.11i
Main novelties in 802.11i wrt WEP
  – access control model is based on 802.1X
  – flexible authentication framework (based on EAP – Extensible Authentication Protocol)
  – authentication can be based on strong protocols (e.g., TLS – Transport Layer Security)
  – authentication process results in a shared session key (which prevents session hijacking)
  – different functions (encryption, integrity) use different keys derived from the session key using a one-way function
  – integrity protection is improved
  – encryption function is improved

Page 56: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Overview of 802.11i

802.11i defines the concept of RSN (Robust Security Network)
  – integrity protection and encryption are based on AES (and not on RC4 anymore)
  – nice solution, but needs new hardware, so it cannot be adopted immediately
802.11i also defines an optional protocol called TKIP (Temporal Key Integrity Protocol)
  – integrity protection is based on Michael (we will skip the details of that)
  – encryption is based on RC4, but WEP’s problems have been avoided
  – ugly solution, but runs on old hardware (after software upgrade)
Industrial names
  – TKIP: WPA (WiFi Protected Access)
  – RSN/AES: WPA2

Page 57: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

802.1X authentication model

[Figure: supplicant system (supplicant), authenticator system (services, authenticator, port controls) and authentication server system (authentication server), connected by a LAN]

the supplicant requests access to the services (wants to connect to the network)
the authenticator controls access to the services (controls the state of a port)
the authentication server authorizes access to the services
  – the supplicant authenticates itself to the authentication server
  – if the authentication is successful, the authentication server instructs the authenticator to switch the port on
  – the authentication server informs the supplicant that access is allowed

Page 58: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Mapping the 802.1X model to WiFi

supplicant: mobile device (STA)
authenticator: access point (AP)
authentication server: server application running on the AP or on a dedicated machine
port: logical state implemented in software in the AP
one more thing is added to the basic 802.1X model in 802.11i:
  – successful authentication results not only in switching the port on, but also in a session key between the mobile device and the authentication server
  – the session key is sent to the AP in a secure way
    • this assumes a shared key between the AP and the auth server
    • this key is usually set up manually

Page 59: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Protocols – EAP, EAPOL, and RADIUS

EAP (Extensible Authentication Protocol) [RFC 3748]
  – carrier protocol designed to transport the messages of “real” authentication protocols (e.g., TLS)
  – very simple, four types of messages:
    • EAP request – carries messages from the supplicant to the authentication server
    • EAP response – carries messages from the authentication server to the supplicant
    • EAP success – signals successful authentication
    • EAP failure – signals authentication failure
  – authenticator doesn’t understand what is inside the EAP messages, it recognizes only EAP success and failure
EAPOL (EAP over LAN) [802.1X]
  – used to encapsulate EAP messages into LAN protocols (e.g., Ethernet)
  – EAPOL is used to carry EAP messages between the STA and the AP
RADIUS (Remote Access Dial-In User Service) [RFC 2865-2869, RFC 2548]
  – used to carry EAP messages between the AP and the auth server
  – MS-MPPE-Recv-Key attribute is used to transport the session key from the auth server to the AP
  – RADIUS is mandated by WPA and optional for RSN

Page 60: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

EAP in action

[Figure: message sequence between STA, AP and auth server: EAPOL-Start; EAP Request (Identity); EAP Response (Identity); EAP Request 1 and EAP Response 1 ... EAP Request n and EAP Response n (the embedded auth. protocol); EAP Success. Messages between STA and AP are encapsulated in EAPOL, messages between AP and auth server are encapsulated in RADIUS]

Page 61: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Protocols – LEAP, EAP-TLS, PEAP, EAP-SIM

LEAP (Light EAP)
  – developed by Cisco
  – similar to MS-CHAP extended with session key transport
EAP-TLS (TLS over EAP)
  – only the TLS Handshake Protocol is used
  – server and client authentication, generation of master secret
  – TLS master secret becomes the session key
  – mandated by WPA, optional in RSN
PEAP (Protected EAP)
  – phase 1: TLS Handshake without client authentication
  – phase 2: client authentication protected by the secure channel established in phase 1
EAP-SIM
  – extended GSM authentication in WiFi context
  – protocol (simplified):
    STA → AP: EAP res ID ( IMSI / pseudonym )
    STA → AP: EAP res ( nonce )
    AP: [gets two auth triplets from the mobile operator’s AuC]
    AP → STA: EAP req ( 2*RAND | MIC_{2*Kc} | {new pseudonym}_{2*Kc} )
    STA → AP: EAP res ( 2*SRES )
    AP → STA: EAP success

Page 62: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Summary of the protocol architecture

[Figure: protocol stacks of the mobile device, the AP and the auth server. Upper layers: TLS (RFC 2246), EAP-TLS (RFC 2716), EAP (RFC 3748). Between mobile device and AP: EAPOL (802.1X) over 802.11. Between AP and auth server: EAP over RADIUS (RFC 3579), RADIUS (RFC 2865), TCP/IP, 802.3 or else]

Page 63: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Key hierarchies

[Figure: pairwise and group key hierarchies]
Pairwise: 802.1X authentication yields the PMK (pairwise master key); key derivation in STA and AP yields the PTK (pairwise transient keys):
  - key encryption key
  - key integrity key
  - data encryption key
  - data integrity key
  (128 bits each)
Group: random generation in AP yields the GMK (group master key); key derivation in AP yields the GTK (group transient keys):
  - group encryption key
  - group integrity key
Use of the keys: protection of the transport of the GTK to every STA; protection of unicast message transmission between STA and AP; protection of broadcast message transmission from AP to STAs

Page 64: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Four-way handshake

objective:
  – prove that AP also knows the PMK (result of authentication)
  – exchange random values to be used in the generation of PTK
protocol:
  AP: generate ANonce
  AP → STA: ANonce | KeyReplayCtr
  STA: generate SNonce and compute PTK
  STA → AP: SNonce | KeyReplayCtr | MIC_KIK
  AP: compute PTK, generate GTK, and verify MIC
  AP → STA: ANonce | KeyReplayCtr+1 | {GTK}_KEK | MIC_KIK
  STA: verify MIC and install keys
  STA → AP: KeyReplayCtr+1 | MIC_KIK
  AP: verify MIC and install keys
MIC_KIK: Message Integrity Code (computed by the mobile device using the key-integrity key)
KeyReplayCtr: used to prevent replay attacks
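The handshake above with both sides and their checks, as an added Python example that is not part of the slides. The PRF construction and the label "Pairwise key expansion" follow IEEE 802.11i; the order in which the PTK is cut into keys, the MIC framing, the XOR pad standing in for the GTK key wrap, the MAC addresses and all class and function names are assumptions made for this sketch.

```python
import hashlib, hmac, os

AA, SPA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs

def prf(key, label, data, n):
    """IEEE 802.11i PRF: HMAC-SHA1(key, label | 0x00 | data | i) for i = 0, 1, ..."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range((n + 19) // 20))
    return b"".join(blocks)[:n]

def derive_ptk(pmk, anonce, snonce):
    """512-bit PTK cut into the slide's four 128-bit keys (slice order is an assumption)."""
    data = min(AA, SPA) + max(AA, SPA) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {name: ptk[i:i + 16] for name, i in (("KIK", 0), ("KEK", 16), ("DEK", 32), ("DIK", 48))}

def mic(kik, *fields):
    """MIC over fixed-length fields; counters are encoded as 8 bytes (simplified framing)."""
    raw = b"".join(f.to_bytes(8, "big") if isinstance(f, int) else f for f in fields)
    return hmac.new(kik, raw, hashlib.sha1).digest()[:16]

def require(ok, why):
    if not ok:
        raise ValueError(why)

def wrap(kek, ctr, gtk):
    """Stand-in for the GTK key wrap: XOR with a KEK-derived pad (self-inverse)."""
    pad = prf(kek, b"constructed GTK pad", ctr.to_bytes(8, "big"), len(gtk))
    return bytes(a ^ b for a, b in zip(gtk, pad))

class AccessPoint:
    def __init__(self, pmk):
        self.pmk, self.ctr, self.gtk, self.installed = pmk, 1, os.urandom(32), False
    def msg1(self):
        self.anonce = os.urandom(32)
        return self.anonce, self.ctr
    def on_msg2(self, snonce, ctr, tag):
        self.ptk = derive_ptk(self.pmk, self.anonce, snonce)
        require(ctr == self.ctr, "unexpected KeyReplayCtr")
        require(hmac.compare_digest(tag, mic(self.ptk["KIK"], snonce, ctr)), "bad MIC in message 2")
        self.ctr += 1
        wrapped = wrap(self.ptk["KEK"], self.ctr, self.gtk)
        return self.anonce, self.ctr, wrapped, mic(self.ptk["KIK"], self.anonce, self.ctr, wrapped)
    def on_msg4(self, ctr, tag):
        require(ctr == self.ctr, "unexpected KeyReplayCtr")
        require(hmac.compare_digest(tag, mic(self.ptk["KIK"], ctr)), "bad MIC in message 4")
        self.installed = True

class Station:
    def __init__(self, pmk):
        self.pmk, self.last_ctr, self.installed = pmk, 0, False
    def on_msg1(self, anonce, ctr):
        self.anonce, self.snonce = anonce, os.urandom(32)
        self.ptk = derive_ptk(self.pmk, anonce, self.snonce)
        return self.snonce, ctr, mic(self.ptk["KIK"], self.snonce, ctr)
    def on_msg3(self, anonce, ctr, wrapped, tag):
        require(ctr > self.last_ctr, "replayed KeyReplayCtr")
        require(anonce == self.anonce, "ANonce changed")
        require(hmac.compare_digest(tag, mic(self.ptk["KIK"], anonce, ctr, wrapped)), "bad MIC in message 3")
        self.gtk = wrap(self.ptk["KEK"], ctr, wrapped)
        self.last_ctr, self.installed = ctr, True
        return ctr, mic(self.ptk["KIK"], ctr)

def handshake(pmk_ap, pmk_sta):
    ap, sta = AccessPoint(pmk_ap), Station(pmk_sta)
    msg3 = ap.on_msg2(*sta.on_msg1(*ap.msg1()))
    ap.on_msg4(*sta.on_msg3(*msg3))
    return ap, sta, msg3
```

`handshake` raises `ValueError` at the first failed check, so a peer without the PMK stops at message 2 (station) or message 3 (AP), and a replayed message 3 is refused on its counter.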

Page 65: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

TKIP

runs on old hardware (supporting RC4), but …
WEP weaknesses are corrected
  – new message integrity protection mechanism called Michael
    • MIC value is added at SDU level before fragmentation into PDUs
    • implemented in the device driver (in software)
  – use IV as replay counter
  – increase IV length to 48 bits in order to prevent IV reuse
  – per-packet keys to prevent attacks based on weak keys

Page 66: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

TKIP – Generating RC4 keys

[Figure: TKIP key mixing. Inputs: the 48-bit IV (split into upper 32 bits and lower 16 bits), the 128-bit data encryption key from PTK, and the MAC address. Stages: key mix (phase 1) and key mix (phase 2). Output: the RC4 seed value, made of 3x8 = 24 bits (IV, dummy byte d, IV) and the 104 bit per-packet key]

Page 67: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

AES-CCMP

CCMP means CTR mode (“counter mode”) and CBC-MAC
  – integrity protection is based on CBC-MAC (using AES)
  – encryption is based on CTR mode (using AES)
  – (CBC: Cipher-Block Chaining)
CBC-MAC
  – CBC-MAC is computed over the MAC header, CCMP header, and the MPDU – MAC Protocol Data Unit (fragmented data)
  – mutable fields are set to zero
  – input is padded with zeros if length is not multiple of 128 (bits)
  – CBC-MAC initial block:
    • flag (8)
    • priority (8)
    • source address (48)
    • packet number (48)
    • data length (16)
  – final 128-bit block of CBC encryption is truncated to (upper) 64 bits to get the CBC-MAC value
CTR mode encryption
  – MPDU and CBC-MAC value are encrypted, MAC and CCMP headers are not
  – format of the counter is similar to the CBC-MAC initial block
    • “data length” is replaced by “counter”
    • counter is initialized with 1 and incremented after each encrypted block

Page 68: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

WPA/WPA2 Vulnerabilities

(2003-2004) Pre-Shared Key (PSK)
  – WPA-PSK (Pre-shared key) mode is designed for home and small office networks and doesn't require an authentication server
  – Vulnerable to eavesdropping and dictionary attack
  – Use IEEE 802.1x based authentication (WPA-Enterprise)
(2008) Protected Extensible Authentication Protocol (PEAP)
  – Caused by an improperly configured PEAP authentication component which fails to validate the server certificate on clients
(2008) Temporal Key Integrity Protocol (TKIP)
  – Allows attacker to guess IP address of subnet and inject small size frames to cause network disruption
(2010) Group Temporal Key (GTK)
  – Hole 196
  – Malicious authorized client injecting spoofed GTK-encrypted packets
  – An insider (authorized user) can sniff and decrypt data from other authorized users as well as scan their Wi-Fi devices for vulnerabilities

Page 69: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Public WiFi Hotspots

Security solutions based on a common group key (e.g., WEP) are inappropriate for the public setting
Network behind WiFi LAN cannot be trusted
  – Use higher layer security services (e.g., VPN)
Many contracts with ISPs specify that the connection may not be shared with other persons
In some countries (including Germany), persons providing an open access point may be made (partially) liable for any illegal activity conducted via this access point

Page 70: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Summary on WiFi security

security has always been considered important for WiFi
early solution was based on WEP
  – seriously flawed
  – not recommended to use
the new security standard for WiFi is 802.11i
  – access control model is based on 802.1X
  – flexible authentication based on EAP and upper layer authentication protocols (e.g., TLS, GSM authentication)
  – improved key management
  – TKIP
    • uses RC4, so it runs on old hardware
    • corrects WEP’s flaws
    • mandatory in WPA, optional in RSN (WPA2)
  – AES-CCMP
    • uses AES in CCMP mode (CTR mode and CBC-MAC)
    • needs new hardware that supports AES

Page 71: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Chapter outline

1.3.1 Cellular networks
1.3.2 WiFi LANs
1.3.3 Bluetooth

Page 72: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

1.3.3 Bluetooth

Short-range communications, master-slave principle
Eavesdropping is difficult:
  – Frequency hopping
  – Communication is over a few meters only
Security issues:
  – Authentication of the devices to each other
  – Confidential channel
Based on secret link key

Page 73: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Bluetooth

When two devices communicate for the first time:
  – Set up the temporary initialization key.

Page 74: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Bluetooth

Setting up the link key:

Page 75: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Bluetooth

The authentication protocol:

ACO: Authenticated Cipher Offset

Page 76: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Bluetooth

Generation of the encryption key and the key stream:

Page 77: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Weaknesses

The strength of the whole system is based on the strength of the PIN:
  – PIN: 4-digit number, easy to try all 10000 possible values.
  – PIN can be cracked off-line.
  – many devices use the default PIN.
For memory-constrained devices: the link key = the long-term unit key of the device.
Fixed and unique device addresses: privacy problem.
Weaknesses in the E0 stream cipher.

Page 78: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Non-traditional and Emerging Networks

Wireless printers
Copiers
  – “When Firmware Modifications Attack: A Case Study of Embedded Exploitation” – NDSS’13 (US DoD Printers)
Mobile patient monitoring
…

Page 79: The security of existing wireless networks (Ch. 1 of the SeCoWiNet book)

Conclusion

Security issues of wireless networks:
  – wireless channel: easy to eavesdrop on, jam, overuse
  – Users: usually mobile
Classical requirements:
  – authentication, confidentiality, integrity, availability
Location privacy: unique to mobile networks
Mobile devices:
  – Limited resources
  – Lack of physical protection
