Wireless Data Network Security Dr. N. Usha Rani, VP, Development NMSWorks Software Pvt. Ltd. 2 Aug,...

Wireless Data Network Security

Dr. N. Usha Rani,VP, Development

NMSWorks Software Pvt. Ltd.2 Aug, 2007

Organization

• Introduction• WLAN technology• WiMax technology• Network security• Security issues in WLAN• Security issues in WiMax• Conclusions• References

Wireless Technologies for Data Networks

• Communications industry driven by largely by services

• Convenience inherent in wireless technology has seen the growth of– WLAN – Data services– Cellular – Predominantly voice service with data

service provided as add-on– WiMax – Data/voice services for wide area

User Expectations

• Eliminate physical and logical barriers– Eliminate house wiring– Eliminate tethering to outlets (access from

anywhere)– High speed

• Mobility– Anytime Anywhere Service

• Low cost communication– Affordable telephone, TV, PC, and appliances– Enable new applications

Challenges to growth of wireless

• Power• Bandwidth• Range• Reliability• QoS• Management• Interoperability • Economics• Security

Well known vulnerabilities

• “War (Wide Area Roaming) driving” and listening in on a WLAN connection – Access to a WLAN network is inherently

much easier than to a fixed network– Motorists, pedestrians access private

WLANS– Open source attack software (eg.,

NetStumbler)

• Denial of service attacks due to jamming

Security Attack Example

Some reasons

• Flaws in the standard design itself– Eavesdropping because rogue Access Points

are easily installed– Security specifications in the standard are

usually optional and can be turned off– Flaws in the security protocol

• Weakness in the cryptography used in the standard

Organization


WLAN Uses

• Key drivers are mobility and accessibility

• Easily change work locations in the office

• Internet access at airports, cafes, conferences, etc.

Source: LBL

Enterprise WLAN

InternetInternetLayer 2/3Switch

802.11802.3

IP

• Layer 2/3 switch is traditional Ethernet hub• AP (Access Point) performs security functions

AP

User

http://www.aironet.com/graphics/products/in_building/AP4820B.jpg



802.11 sublayers

PHY

MAC

Higher layers

802.11a802.11b802.11g

802.11d802.11e802.11h802.11i

802.11c802.11f

IEEE 802.11 Standards

802.11a 54 Mbps data rate 5 GHz

802.11b 11 Mbps data rate at 2.4 GHz

802.11e Addresses QoS issues

802.11f Addresses multi-vendor AP interoperability

802.11g Higher data rate extension to 54 Mbps in the 2.4 GHz

802.11h Dynamic frequency selection and transmit power control for operation of 5 GHz products

802.11i Addresses security issues

802.11j Addresses channelization in Japan’s 4.9 GHz band

802.11k Manages medium and network resources more efficiently

Standard

Frequency

Mechanism

Max Data Rate

Notes

802.11 2.4 GHz FHSS/DSSS

2 Mbps First std., limited rate

802.11a 5 GHz OFDM 54 Mbps Shortest range, more non-overlapping chls

802.11b 2.4 GHz DSSS 11 Mbps Widely used, low speeds

802.11g 2.4 GHz OFDM 54 Mbps Higher rates, higher range at 2.4 GHz

PHY Characteristics

Physical layer

• OFDM (Orthogonal Frequency Division Multiplexing)

• DSSS (Direct Sequence Spread Spectrum)

• FHSS (Frequency Hopping Spread Spectrum)

• Multiple channels each 20 MHz • Uses unlicensed frequency bands

Distance & Speed

• NLOS range – About 70 to 100 m depending on the PHY• LOS range with directional antennas

– Can be 10s of kms

MAC

• MAC similar to 802.3 Ethernet and 802.2 LLC• 802.3 – CSMA-CD, 802.11 – CSMA-CA• CSMA/CD

– Before transmit, listen for activity on the network– If medium busy, wait to transmit– On medium clear, start transmitting– During transmission, monitor for collision– If collision detected

• Abort• Wait for random time (backoff increases exponentially

with number of collisions)• Retransmit

CSMA/CA

• In wireless, can not transmit and receive at the same time – Instead of CD, on medium idle delay a

random amount of time (random backoff), then transmit

– To take care of wireless errors and collisions, receiver sends immediate ACK

CSMA/CA

Architecture

STA1STA2

STA3

STA1 STA2 STA1 STA2

AP APBSS BSS

IBSS

STA – Wireless clientCell – Coverage provided by APBSS – Stations + APIBSS – Stations operate in ad-hoc modeESS – Collection of cells in an infrastructure network

STA – StationBSS – Basic Svc SetIBSS – Independent BSSESS – Extended Svc Set



Operation of WiFi

• Access point links a wireless network to a wired network (via LAN, ADSL or WAN interface)

• Stations or clients are laptops, desktops or wireless handheld device with wireless NIC

• An AP has a “network name” or Service Set Identifier (SSID)

• AP periodically broadcasts SSID to advertise itself

• A client having the same SSID can connect to the network

Adhoc Mesh between villages

20 m

5 m

10 m

• Terrain and trees => tower in each village• Cost of tower >> cost of WiFi

5 m

Organization


WiMax - Introduction

• Ever increasing demand for broadband wireless access to compete with DSL, cable etc.

• Provides fixed, nomadic and mobile wireless broadband access with non-LOS

• High capacity (upto 96 Mbps) and high range (upto 3 kms NLOS)

WiMax - Applications

• Provide backhaul for proliferating WiFi hotspots and aggregating traffic to high speed internet backbone

• Provide telephone access in hard to reach rural areas and cellular backhaul

• Support nomadic and mobile subscribers

Capability and Reach

• Simultaneous support for hundreds of SMEs with E1 connectivity and thousands of homes/SOHOs with DSL connectivity

• Potential of low cost and flexibility• Scalable solution to meet increasing

bandwidth demands• Cost effective answer to requirements

ranging from– high end requirements such as triple play– Rural communities and businesses, for basic

broadband Internet access

What is WiMax?

• Worldwide Interoperability for Microwave Access

• Based on technology standard defined by IEEE (802.16) for broadband wireless access for MANs

• Non-profit industry body to promote the technology and ensure interoperability between different vendor products

WiMax Components

• Base station (BS) connected to public networks

• Subscriber station (SS) typically serves a building – office or residence

• BS serves several SSes with different QoS priorities etc. simultaneously

Architecture

802.16 standard

• Original standard based on DOCSIS/HFC in wireless domain

802.16- 2001

802.16a - 2003

802.16d- 2004

802.16e - 2005

802.16c - 2002

• Original fixed wireless broadband, • 10 – 66 GHz• LOS only• PMP applications

802.16 AmendmentWiMAX System Profiles

10 - 66 GHz

• Extension for 2-11 GHz: • non-line-of-sight• PMP applications

• Adds WiMAX System Profiles • Errata for 2-11 GHz

• Enhancements to support mobility

Channel characteristics• 10-66 GHz (millimetre microwave)

– Very weak multipath components (LOS is required)

– Rain attenuation is a major issue– Single-carrier PHY

• 2-11 GHz (centimetre microwave)– Multipath– NLOS– Single and multi-carrier PHYs

Physical layer characteristics

• Flexible Channel Sizes (1.75 MHz -- 20 MHz)

• Designed to support smart antenna systems – useful in reducing interference and increasing system gain

• Adaptive coding – QPSK, 16-QAM, 64-QAM for higher data rates depending on signal quality

• Data rate depends on channel size and coding

Licensed License-Exempt

Better QoS Fast Rollout

Better NLOS reception at lower frequencies

Lower Costs

Higher barriers for entrance

More worldwide options

Licensed vs Unlicensed spectrum

MAC layer• Supports challenging service delivery

environment– Efficient use of bandwidth– High bandwidth, 100s of users per channel– Continuous and bursty traffic

• Protocol independent (IP, ATM, Ethernet…)• Multiple PHYs• Security

MAC layer• Supports Point-To-Multipoint (PMP) and

Mesh (PP) topologies– PMP: Traffic flows between Base Station (BS)

and Subscriber Stations (SS)– Uplink connection from SS to BS– Downlink from BS to numerous SS’es– Mesh

• TDM/TDMA with scheduling of transmissions by BS

• Connection-oriented – a Connection Id (CID) assigned to each connection

• Supports QoS

WiMAX Operation

Feature 802.16a 802.11b 802.11 a/g

Application BWA Wireless LAN

Wireless LAN

Frequency band

2-11 GHz, licensed and unlicensed

2.4 Ghz unlicensed

2.4 GHz(g) 5 GHz (a) unlicensed

Channel bandwidth

1.25 to 20 MHz

20 MHz 20 MHz

Bw efficiency

~4.0 bps/Hz ~.44 bps/Hz ~2.7 bps/Hz

FEC Reed Solomon

None Convolutional code

Mobility 802.16e In development

In development

Mesh Yes Proprietary Proprietary

Encryption Mandatory Optional Optional

Organization


The need for security

• Prior to this “computer era”, information felt to be valuable was protected by physical

and administrative means

Acknowledged and known surveillance systems

• Carnivore is a network traffic interceptor • Is deployed at ISPs• The traffic of interest can be filtered out

from the mainstream traffic • Magic lantern is a key stroke logger• FBI motto:

In God we trust, the rest we monitor…….

Hacking no longer esoteric

• Hackers develop tools that are freely available, accessible and easy to use

• Anyone with browser access can download them from common sites like rootshell.com, securityfocus.com, insecure.org

Goals of security

• Provide confidentiality of sensitive information – only intended persons can see the information

• Authenticate legitimate entities – make sure they are who they claim to be• Provide access control - prevent

unauthorized entry to information systems

Goals of security

• Enforce non-repudiation of transactions – an entity cannot later disavow a transaction

• Ensure availability of systems and services to legitimate users

A classification of attacks

• Most security attacks can be classified into one of the following generic types– Interruption– Interception– Modification– Fabrication

Electronic security services and mechanisms

• Most mechanisms that provide the services of confidentiality, integrity, authentication, access control and non-repudiation are cryptography based

• Ensuring availability is difficult• Availability of systems and services

requires other mechanisms as well

Technologies to implement electronic

security services

• Identification, authentication: passwords, biometrics, cryptography based techniques

• Confidentiality: Cryptography• Access control: ACLs, Access control

matrices, cryptography based techniques, firewalls

• Integrity: Checksums, hash functions• Non-repudiation: Cryptography based

techniques

Ensuring availability

• Provision for alternate network paths• Provision for redundancy of critical servers and services

• Computing power• Storage

• Provision for redundancy of data and within data

Organization


Security attacks in WLANs

• Physical layer– Jamming

• MAC layer attacks• Security protocol design weaknesses• We shall consider mainly protocol

design weaknesses

Possible DoS attacks

• DOS attack on CSMA– Send small packets rapidly so that

legitimate users feel carrier is not available– Similar virtual sense carrier attack possible

• Deauthentication/Disassociation attack– Rogue AP can sit between AP and clients

and send de-authentication/disassociation messages

Wired Equivalent Privacy

• 802.11 specifies Wired Equivalent Privacy• Aims at providing

– Confidentiality• Uses RC4 (standard specifies 64 bit key)

– Access control– Integrity of data – Authentication

• Challenge-Response using same encryption primitive

• Unfortunately, as we shall see, none of the aims were achieved!


• Standard finalized in 1999• Soon after, in the year 2001 there were 3 major

papers that demonstrated great weaknesses in WEP

1. Intercepting Mobile Communications: The Insecurity of 802.11(Borisov, Goldberg, and Wagner 2001) (Berkeley paper)

2. Your 802.11 Wireless Network Has No Clothes(Arbaugh, Shankar, and Wan 2001) (Maryland paper)

3. Weaknesses in the Key Scheduling Algorithm of RC4(Fluhrer, Mantin, and Shamir 2001) (FMS attack)


• The Berkeley paper shows that even without the secret key, WEP security goals can be compromised– Discussed in detail in this presentation

• The Maryland paper mainly concentrates on weaknesses in 802.11 itself

• FMS is a devastating attack to recover the RC4 key itself from a knowledge of ciphertext and IV

• Implies that WEP is useless for secure use

Header Payload ICVPayload

802.11 Frame

WEP

ICV computed – 32-bit CRC of payload RC4, a stream cipher is applied on this

payload This is a well-known cipher, and the

designers were wise to choose it

CRC

32

ICV = Integrity Check Value

Concat

IV

Key

SeedRC4

Key stream

CRCPlaintext

Concat

ICV

Ciphertext

IV

WEP frame

IV – Initialization Vector, one per packetKey – Shared secret keyICV – Integrity check value

WEP encryption

Concat

IV

Key

SeedRC4

Key stream

Plaintext

IV

IV – Initialization Vector, one per packetKey – Shared secret keyICV – Integrity check value

Ciphertext

ICV

CRCPlaintextICV’

If ICV’ = ICV, integritypreserved

WEP decryption

Stream ciphers – some pitfalls• C = P KS• Key streams must never be reused

– C1 C2 = (P1 KS) (P2 KS) = P1 P2• => if a part of one plaintext is known, corresponding part of

the other can be obtained

• Forgery is easy – Bit flip attack– If P2 = P1 X– Then C2 = C1 X

• WEP solution to above– ICV – Prevents forgery

• Checksum on the data prevents bit flipping– IV – Prevents key reuse

• Each packet a new key that starts a new stream is used

Points to ponder• The keystream for WEP is RC4(IV,K), which depends

only on IV and K– k is a fixed shared secret - every user in WLAN shares the

same k

• So the keystream depends only on IV– If two packets ever get transmitted with the same value of IV

means keystream reuse

• Since IV gets transmitted in the clear for each packet, the adversary can even easily tell when a value of IV is reused (a "collision").

• At most 2^24, or about 16 million possible values of IV• After 16 million packets, you have to repeat one!

In practice

• Many 802.11 cards reset their IV counter to 0 every time they were activated, and incremented by 1 for each packet transmitted

• This means that low IV values get reused at the beginning of every wireless session

• IV collisions possible between packets sent by different people!

Dictionary attack• Suppose the adversary knows both the

ciphertext and the plaintext for some packets encrypted with a given IV v

• Reveals the keystream RC4(k,v) by XORing the plaintext and the ciphertext

• Keystream can be stored in a table, indexed by IV

• The next time a packet with an IV stored in the table is seen, just look up the keystream, XOR it against the packet, and read the data!

• Vulnerability to attack independent of key size

Weaknesses in data integrity check

• CRC is a poor choice– Used to detect random errors; they are useless

against malicious errors.

• CRC-32 has two main properties of importance here:– It is independent of the shared secret and the IV– It is linear: crc(M XOR D) = crc(M) XOR crc(D)

• Can be exploited to modify/inject messages undetected

WEP Authentication• The goal is for the AP to verify that a client joining

the network really knows the shared secret key k• The AP sends a challenge string to the client• The client sends back the challenge, WEP-

encrypted with the shared secret k• The base station checks if the challenge is

correctly encrypted, and if so, accepts the client=> the adversary has now just seen both the

plaintext and the ciphertext of this challenge!• This is enough not only to inject packets (as in

the previous attack), but to execute the authentication protocol

Shortcomings of WEP

• Encryption wasn’t being used properly.• There was no means to prevent message forgeries• Encryption keys were reused, allowing others to

read data without knowing the encryption key.• Authentication didn’t work, transmitting in the

open everything needed for an attacker to authenticate

Learnings

• Designing security protocols is hard!

• Better to reuse old designs where possible– PPTP had some of the same problems as WEP– IPSec had to deal with many of the same issues

• The design process should be public and inviting review

WPA

• Wi-Fi Protected Access (WPA™) was an interim standard adopted by the Wi-Fi Alliance

• WPA supports – authentication through 802.1X (known as WPA

Enterprise) or with a preshared key (known as WPA Personal)

– a new encryption algorithm known as the Temporal Key Integrity Protocol (TKIP)

– a new integrity algorithm known as Michael

802.11i

• IEEE 802.11i standard formally replaces Wired Equivalent Privacy (WEP) and the other security features of the original IEEE 802.11 standard

• Two basic subsystems:– Data privacy mechanism

• TKIP (a protocol patching WEP), applies to legacy systems• AES-based protocol (long term), needs new hardware

– Security association management• RSN negotiation procedures, to establish a security context• IEEE 802.1X authentication, replacing IEEE 802.11

authentication• IEEE 802.1X key management, to provide cryptographic keys

Data Privacy Summary WEP TKIP CCMP

Cipher RC4 RC4 AES Key Size 40 or 104 bits 128 bits 128 bits

encryption,64 bit auth

Key Life 24-bit IV, wrap 48-bit IV 48-bit IVPacket Key Concat. Mixing Fn Not NeededData Integrity CRC-32 Michael CCMHeader integrity None Michael CCMReplay None Use IV Use IVKey Mgmt. None EAP-based EAP-based

802.11i Operational Phases

Data protection

802.1X authentication

802.1X key management RADIUS-based key distribution

Security capabilities discovery

Authentication Server

Access Point

Station

Purpose of each phase Discovery

Determine promising parties with whom to communicate AP advertises network security capabilities to STAs

802.1X authentication Centralize network admission policy decisions at the AS STA determines whether it does indeed want to

communicate Mutually authenticate STA and AS Generate Master Key as a side effect of authentication Use master key to generate session keys = authorization

token

Three roles- supplicant, authenticator, authentication server

802.1x authentication

802_11i_states.png

Derive pairwise transient keys

Derive pairwise transient keys

Key management

• 802.11i specifies a key hierarchy - different keys for different purposes– Pairwise Master Key (PMK), which is the same as

the pre-shared key or is created during authentication

– For unicast transmissions, unicast keys are defined for authentication, encryption, and integrity

• Derived from a PMK

– Group keys are used for the communication among a group of devices

• RADIUS-based key distribution– AS moves (not copies) session key (Pairwise Master Key)

to STA’s AP

Data Protection: AES - CCMP• 802.11i requires support for the AES Counter Mode-

Cipher Block Chaining Message Authentication Code Protocol (CCMP)

• AES Counter Mode - block cipher that encrypts 128-bit blocks of data at a time with a 128-bit encryption key

• The CBC-MAC algorithm produces a message integrity code (MIC) that provides data origin authentication and data integrity for the wireless frame.

• Packet Number field in the wireless frame provides replay protection

Challenges ahead

• Important to protect the control messages in a wireless network

• 802.11i keying and authentication are too slow to support real-time applications such as voice - the 802.11r task group has been created to solve this problem

• The Wi-Fi Alliance initiative to properly certify 802.11i referred to as WPA2

Summary

• Not all the security features advertised in the retail boxes of the 802.11 devices are effective

• The WEP protocol has several important weaknesses

• Many vendors offer software upgrade to WPA in their 802.11 products line

• Current and future wireless network users need to use 802.11i

• Treat WLAN network as being in untrusted Internet!

Organization


Threats in WiMAX • Service availability

– Rain– Jamming

• MAC layer– Sniffing– Masquerading– Content alteration– DOS attacks

• Next node in a mesh architecture is trusted

Security sublayer of MAC

• The main focus of the Privacy Sublayer is on protecting service providers against theft of service

• Privacy layer only protects data at the Open System Interconnection (OSI) layer two level (not end-to-end encryption of user data)

• Both physical and higher layer security technologies would need to be integrated

Authentication

• SS’es have manufacturer supplied digital certificates

• These are sent by SS to BS in Authorization Request and Authentication messages– Authorization request also contains SS’es

cryptographic capability

• If SS is authorized to join network, BS sends an Authorization Key encrypted with SS’es public key

Security Associations (SA)

• SA maintains security state relevant to a connection

• Data SA type and authorization SA type• Only data SA type explicitly defined

– A 16-bit SA identifier, or SAID.– A cipher (DES, CBC) to protect the data exchanged over

the connection. – Two traffic encryption keys (TEKs) to encrypt data: the

current operational key and a TEK for when the current key expires.

– Two 2-bit key identifiers, one for each TEK.– A TEK lifetime. – A 64-bit initialization vector for each TEK. – An indication of the type of data SA. Primary SAs are

established during link initialization; static SAs are configured on the BS; and dynamic SAs

Authorization SA

• An X.509 certificate identifying the SS• A 160-bit authorization key (AK). • A 4-bit quantity to identify the AK.• An AK lifetime, ranging from one to 70

days• A key encryption key (a 112-bit Triple-

DES key) for distributing TEKs• Downlink HMAC key• Uplink HMAC key• List of data SA’s

Data privacy• After exchange of Authentication Key, traffic

encryption keys (TEKs) are exchanged

KEK = Truncate-128(SHA1(((AK| 044) xor 5364)

Downlink HMAC key = SHA1((AK|044) xor 3A64)

Uplink HMAC key = SHA1((AK|044) xor 5C64)

Data Key Exchange

• Traffic Encryption Key (TEK)• TEK is generated by BS randomly• TEK is encrypted with one of

– Triple-DES (use 128 bits KEK)– RSA (use SS’s public key)– AES (use 128 bits KEK)

• Key Exchange message is authenticated by HMAC-SHA1 – (provides Message Integrity and AK confirmation)

Replay protection

• The BS is responsible for maintaining keying information for all Sas

• BS always prepared to send an AK to an SS upon request.

• BS has two active AKs during an AK transition period - the two active keys have overlapping lifetimes.

• Responsibility of SS to initiate rekeying request

TEK rekeying

• The BS maintains two sets of active TEKs per SA ID

• The two generations of TEKs have overlapping lifetimes determined by TEK Lifetime

• The newer TEK has a key sequence number one greater (modulo 4) than that of the older TEK.

• Each TEK becomes active halfway through the lifetime of its predecessor and expires halfway through the lifetime of its successor.

• It is the responsibility of the SS to update its keys in a timely fashion

Key life times

Some flaws

• Only one-way authentication– SS authenticates to BS– No protection against rogue BS

• Authentication key generation purely from BS side – no contribution of SS

• TEK uses 2-bit sequence number– Sequence number repeated every 4 keys!

• Increases vulnerability to replay

Recommendations

• Use AES CCMP mode• Two-way authentication using EAP • Low cost re-authentication during

roaming

WEP 802.11i 802.16

Authentication

Two-way,weak, shared key

Two-way, strong, shared key

One way, strong, based on public key

Crypto RC4 AES CCMP DES

Message integrity

CRC CCM HMAC

Replay None IV Periodic rekeying

Key mgmt None EAP based PKM

Organization


Conclusions

• Wireless - A spectrum of opportunities• WiFi

– Simple, mature, inexpensive, widely deployed– Useful for hotspots, building WLANs– Very inefficient use of frequency and bandwidth– Four security options – no security, WEP, WPA, WPA2

(802.11i) In most networks, weakest link= no security

• WiMAX– Flexible, evolving, expensive, experimental– Useful for WLANs and WMANs – Good for broadband and voice in rural areas – More efficient use of frequency and bandwidth– Security built in from the start– Expected to be inexpensive in 2-3 years

Open issues

• Performance impact of security– Even lightweight WEP degrades

performance

• Architecture for strong security in heterogeneous WiFi network– use of security gateway which grants access

based on level of station’s security?

• Mutual authentication between SS and BS based on Identity based cryptography?

References

• Wireless Communications and Networks (William Stallings, 2002)

• Intercepting Mobile Communications: The Insecurity of 802.11(Borisov, Goldberg, and Wagner 2001)

• Your 802.11 Wireless Network Has No Clothes (Arbaugh, Shankar, and Wan 2001)

• Weaknesses in the Key Scheduling Algorithm of RC4(Fluhrer, Mantin, and Shamir 2001)

• The IEEE 802.11b Security Problem, Part 1 (Joseph Williams,2001 IEEE)

• An IEEE 802.11 Wireless LAN Security White Paper (Jason S. King, 2001)

References• IEEE Std. 802.16-2001, IEEE Standard for Local and

Metropolitan Area Networks, part 16, “Air Interface for Fixed Broadband Wireless Access Systems,” IEEE Press, 2001.

• FIPS PUB 197, Advanced Encryption Standard (AES), Nat’l Inst. of Standards and Technology, Nov. 2001, http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.

• L. Blunk and J. Vollbrecht, “PPP Extensible Authentication Protocol (EAP),” RFC 3748, Internet Eng. Task Force, 2004.

• D. Whiting, R. Housley, and N. Ferguson, “Counter with CBC-MAC (CCM),” RFC 3610, Internet Eng. Task Force, Sept. 2003.

• R. Housley, “Advanced Encryption Standard (AES) Key Wrap Algorithm,” RFC 3394, IETF, Sept. 2002.

Wireless Data Network Security Dr. N. Usha Rani, VP, Development NMSWorks Software Pvt. Ltd. 2 Aug,...

Documents

Transcript of Wireless Data Network Security Dr. N. Usha Rani, VP, Development NMSWorks Software Pvt. Ltd. 2 Aug,...