Download Security in Wireless LANs

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Computer security wikipedia , lookup

Policies promoting wireless broadband in the United States wikipedia , lookup

IEEE 802.11 wikipedia , lookup

Extensible Authentication Protocol wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Authentication wikipedia , lookup

Wireless security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript
Security in Wireless LANs
Presented by Raquel S.
Whittlesey-Harris
6/25/02
Contents







Wireless LANs, An Overview
Security Threats
Basic Definitions
HIPERLAN
802.11
Solutions
References
5/25/2017
2
Wireless LANs, An Overview

What is Wireless Local Area Network
technology (WLAN)?


A wireless (w/o wired cables) data
communication system that uses shared radio
waves or infrared light to transmit and receive
data
Provides freedom and flexibility to connect to a
network or internet w/o being physically
connected with a cable or modem
5/25/2017
3
Wireless LANs, An Overview

Communication is via air, walls, ceilings and
cement structures (throughout or between
buildings)




Can alleviate network deployment costs
Solve some installation problems of older structures
(asbestos)
Essentially an unlimited number of points for attacking
We will take a look at two standards


IEEE’s 802.11
ETSI’s HIPERLAN
5/25/2017
4
Wireless LANs, An Overview

Peer-to-Peer (Adhoc)

Wireless devices have no access point
connection and each device communicates with
each other directly
5/25/2017
5
Wireless LANs, An Overview

Client/Server (infrastructure networking)

Extends an existing wired LAN to wireless
devices by adding an access point (bridge and
central controller)
5/25/2017
6
Security

What is a secure environment?


No system is 100% secure
Generally applications, industries apply
their own set of security tolerances

5/25/2017
E.g., DHHA (Department of Health and Human
Services) has created a set of rules called the
HIPAA (Health Insurance Portability and
Accountability Act) to regulate the use and
discloser of protected health information
7
Security Threats

Denial-of-Service



The system or network becomes unavailable to
legitimate users or services are interrupted or delayed
(due to interference)
Equipment can be purchased from electronic stores
easily and prices are reasonable
Protection is expensive and difficult


Only total solution is to have the wireless network inside of the
faraday cage (applicable in rare cases)
Easy however to locate the transceiver used to
generate the interference
5/25/2017
8
Security Threats

Interception/Eavesdropping
(confidentiality)



Identity of a user is intercepted for use later to
masquerade as a legitimate user
Data stream is intercepted and decrypted for the
purpose of disclosing private information
Radio band transmissions are readily intercepted


There is no means to detect if a transmission has
been eavesdropped
Strong encryption is necessary to keep the contents
of intercepted signals from being disclosed
5/25/2017
9
Security Threats

The frequency band and transceiver power has a great
effect on the range where the transmission can be
heard

2-5 MHz radio band and 1 W transceiver power


W/o electromagnetic shielding the network transmissions may be
eavesdropped from outside of the building for which the network
is operating
Manipulation

Data has been compromised



Inserted, deleted or otherwise modified
Can occur during transmission or to stored data
E.g., a virus
5/25/2017
10
Security Threats

Masquerading



The act of an adversary posing as a legitimate user in
order to gain access to a wireless network or system
served by the network
Strong authentication is required to prevent such
attacks
Repudiation

User denies performing an action on the network



Sending a particular message
Accessing the network
Again strong authentication of user’s is required,
integrity assurance methods, and digital signatures
5/25/2017
11
Security Threats

Transitive Trust



Intrusion by fooling the LAN to trust the mobile
controlled by the intruder
Authentication again important
Infrastructure

These attacks are based on weaknesses in the system


Software, configuration, hardware failure, etc.
Protection almost impossible

5/25/2017
Best to just test the system as thoroughly as possible
12
Summary – Security Threats
Denial-of-Service
Interception/Eavesdropping
Manipulation
Masquerading
Repudiation
Transitive Trust
Infrastructure
5/25/2017
Faraday Cage
Encryption techniques
Authentication
Authentication
Authentication,
integrity assurance,
digital signatures
Authentication
Thorough Testing
13
Basic Definitions

Confidentiality


Integrity



Are you communicating with whom you think?
Is the data you are looking at correct or has it been
tampered with?
Availability


Are you the only one who is viewing information
specific to you or authorized users?
Are the required services there when you need them?
Authentication

Are you who you say you are?
5/25/2017
14
HIPERLAN



Developed by the European Telecommunications
Standards Institute (ETSI)
Similar to 802.11
HiperLAN/1


Provides communications up to 20 Mbps in the 5-GHz
range of the radio frequency spectrum
HiperLAN/2


Provides communications up to 54 Mbps in the same
FR band
Compatible with 3G WLAN systems (data, images,
voice)
5/25/2017
15
HIPERLAN

Defines the MAC sublayer, Channel Access
Control (CAC) sublayer and the physical
layer

Currently the defined physical layers use 5.15 –
5.30 GHz frequency band and supports


Up to 2,048 Kbps synchronous traffic
Up to 25 Mbps asynchronous traffic
5/25/2017
16
HIPERLAN

Properties







Provides a service that is compatible with the ISO MAC service
definition in ISO/IEC 15 802-1
Compatible with the ISO MAC bridges specification ISO/IEC 10
038 for interconnection with other LANS
Ad-hoc or arranged topology possible
Supports mobility
May have coverage beyond the radio range limitation of a single
node
Supports asynchronous and time-bounded communication by
means of a Channel Access Mechanism (CAM) – priorities provide
hierarchical independence of performance
Power Management
5/25/2017
17
HIPERLAN

Defines an optional encryption-decryption
scheme

All HM-entities (HiperLAN MAC) use a common set
of shared keys (HIPERLAN key-set)


Plain text is ciphered by XOR operation with
random sequence generated by a confidential
algorithm

5/25/2017
Each has a unique key identifier
Uses the secret key and an initialization vector sent in
every MPDU (MAC Protocol Data Unit) as input
18
HIPERLAN

HiperLAN does not define any kind of
authentication
5/25/2017
19
802.11

Defined by IEEE to cover the physical layers
and MAC sublayers for WLANs

3 physical layers



Frequency Hopping Spread Spectrum (FHSS)
Direct Sequence Spread Spectrum (DSSS or DS-CDMA)
Baseband Infrared

DSSS is mostly used since FHSS cannot support
high speeds without violating FCC regulations
All physical layers offer2 Mbps data rate
Radio uses 2,400 – 2,483.5 MHz frequency band
MAC layer is common to all physical layers
5/25/2017
20



802.11

802.11 implementation
5/25/2017
21
802.11

Properties










Supports Isochronous and Asynchronous
Supports priority
Association/Disassociation to an AP in a BSS or ESS
Re-Association or Mobility Management to transfer of association
from one AP to another
Power Management (battery preservation)
Authentication to establish identity of terminals
Acknowledgement to ensure reliable wireless transmission
Timing synchronization to coordinate the terminals
Sequencing with duplication detection and recovery
Fragmentation/Re-assembly
5/25/2017
22
802.11

Defines two authentication schemes

Open System Authentication


All mobiles requesting access are accepted
Shared Key Authentication

Uses shared key cryptography to authenticate
5/25/2017
23
802.11
5/25/2017
24
802.11

Optional Wired Equivalent Privacy (WEP)
mechanism


Confidentiality and Integrity of traffic
Station-to-Station



No end-to-end security
Integrity Check (ICV)
Implements RC4 PRNG[8] algorithm


40 bit secret key
24 bit initialization vector (IV)
5/25/2017
25
802.11

RC4





Input: IV, Random Key, Plaintext
IV and key is input to E  keystream output
Keystream output is XORed with plain text  ciphertext
Keystream output is also fed back to I (to cause a variation as a function
of IV and key); must not use same keystream twice
IV sent as an unencrypted part of the ciphertext stream (integrity must
be assured)
5/25/2017
26
802.11

RC4

Supports variable length keys



Most commonly used are 40 bits for export controlled systems and 128 bits for
domestic applications
128 bit encryption (104 bits key)
Standard does not specify key management or distribution


Provide a globally shared array of 4 keys
Supports an additional array that associates a unique key with each user
station
5/25/2017
27
802.11

RC4

A CRC32 bit stream is appended to the plaintext message to
provide integrity

Does not ensure cryptographic integrity
5/25/2017
28
802.11

Vulnerabilities and Weaknesses

Authentication

Authentication and an association (binding between the station
and access point (AP)) is required before transmission


States
 Unauthenticated & unassociated
 Authenticated & unassociated
 Authenticated and associated
Two authentication methods mentioned earlier


5/25/2017
Open System Authentication (OSA)
Shared Key Authentication
29
802.11

OSA


Default authentication method
Two management frames exchanged


Station  station MAC address, identifier (authentication
request)  AP
AP  status field (authentication success or failure)


Authenticated and unassociated
Two frames to establish association

Most vendors implement a wireless access control mechanism
based on examining the station MAC address and blocking
unwanted stations from associating

5/25/2017
Requires that a list of authorized MAC addresses be loaded on
each AP
30
802.11

OSA Weaknesses


Loading and identifying MAC addresses is
manually intensive
Snoopers can get valid MAC addresses and
modify a station to use the valid address

Potential to create problems with 2 addresses using
the network at the same time
5/25/2017
31
802.11

Shared Key Authentication

Uses the optional WEP algorithm along with a
challenge response system to mutually
authenticate a station and an AP




APs  beacon (announce presence)
Station  beacon (AP address)
Station  management frame (seq #1)  AP
AP  authentication challenge (seq #2)  Station

5/25/2017
Psuedo-random number + shared key + random IV
 Unencrypted
32
802.11

SKA

Station  challenge



AP  frame




5/25/2017
Copies into a new frame which is encrypted (WEP)
 Shared key, new IV
 AP
Decrypts,
Checks CRC32
Checks challenge
Repeat to authenticate the AP
33
802.11
5/25/2017
34
802.11

Shared Key Authentication Weaknesses

Snoopers monitor the second (unencrypted
challenge) and third (encrypted challenge)
exchanges




5/25/2017
Plaintext of the original frame including the random
challenge
Encrypted frame containing the challenge
IV used to encrypt the challenge
XOR of plaintext, ciphertext  keystream to
encrypt the challenge response frame
35
802.11

Snooper does not have shared secret key
but with keystream can enter the network






5/25/2017
Requests authorization to the network
AP sends new challenge (new IV)
Compute a valid CRC-32 checksum
Encrypts the challenge with the keystream
acquired earlier
Appends IV used and sends the frame
Further penetration cannot be achieved
without the proper secret key
36
802.11

RC4 Encryption

WEP does not implement a secure version of RC4 and
violates several other cryptographic design and
implementation principles

Suggestions have been made to not only increase the key sizes
and strengthen key management,






5/25/2017
Replace encryption algorithm
Addition of a session key derivation algorithm
Lengthening the IV to 128 bits
Adding a sequence number in dynamic keyed implementations
Addition of 128 bit cryptographic integrity check
Additional encryption of other payload elements
37
802.11

Interception

802.11 specifies three physical layers,






Infrared (IR)
Frequency Hopping Spread Spectrum (FHSS)
Direct Sequence Spread Spectrum (DSSS)
Broadcasts 900 MHz, 2.4 GHz, 5 GHz
Commercial wireless devices is readily capable of
receiving all signals
It is also fairly simple to modify the device drivers or
flash memory to monitor all traffic
5/25/2017
38
802.11

Keystream Reuse

Standard recommends but does not require changing
the IV for every frame transmitted


No guidance is provided for selecting or initializing the IV
Two packets using the same IV and key allows a
snooper to discover plaintext

The XOR of two ciphertexts  the XOR of two plaintexts


Knowing one plaintext is all it takes
Berkeley indicates that some PCMCIA cards reset the
IV to zero when initialized and then increment the IV
by one for each packet transmitted
5/25/2017
39
802.11

Standard specifies the size of the IV field to be 3 octets
(24 bits)

IV will rollover mode 24


Since MAC frames range in size from 34 bytes to 2346 bytes




Reused after 224 packets
Min rollover occurs at 224 x 34 bytes (570 MB)
Max rollover occurs at 224 x 2346 bytes (40 GB)
Berkeley indicates a busy AP will rollover in about a half of a
day operating at half capacity
Reading the IV is trivial since it is transmitted
unencrypted
5/25/2017
40
802.11

Integrity Assurance

The ICV (Integrity Check Value)


Plaintext is concatenated with the ICV to form the
plaintext to be encrypted
CRC32 – linear function



Possible to change 1 or more bits in the original plaintext
and predict which bits in the CRC32 checksum to modify
Checksum is performed over the entire MAC packet
 Includes higher level protocol routing address and port
fields (can redirect message when changing IP
address)
32 bits (4 octets) in MAC frame
5/25/2017
41
Solutions


IEEE is working on upgrade of security standard
Vendors can implement key management
(external to the standard)


Limits choices (interoperability)
VPN (Virtual Private Network)

Provides a secure and dedicated channel over an untrusted network

Provides authentication and full encryption
5/25/2017
42
Solutions

A solution

Requirement – seamless integration into
existing wired networks



link layer security is selected over end-to-end
(machine-to-machine)
Requirement – two-way authentication
Requirement – flexibility to utilize the future
advances in cryptography
5/25/2017
43
Solutions

Authentication – public key cryptography

Certificates contain


Mobile  {Cert_Mobile, CH1, Kist of SKCSs}  Base



{serial number, validity period, machine name, machine public
key, CA name}
CH1 is a random generated number
SKCSs is transmitted to negotiate algorithm used
 Algorithm and key size are transmitted in list
Base  verify signature on Cert_Mobile


5/25/2017
Proves the public key in the certificate belongs to a certified
mobile host
 Not sure if the certificate belongs to the mobile
If certificate is invalid
 Reject connection
44
Solutions

Base  {Cert_Base, E(Pub_Mobile, RN1), Chosen SKCS,
Sig(Priv_Base, {E(Pub_Mobile, RN1), Chosen SKCS, SH1, List
of SKCSs}}  Mobile



Mobile  validates Cert_Base, verify signature of message
(using public key of Base)


Save RN1 for later use
Chosen SKCS is most secure from those supported by both
If CH1 and List of SKCS match those sent by mobile to base
 Authenticate base
Mobile  {E(Pub_Base, RN2), Sig{Priv_Mobile,{E(Pub_Base,
RN2), E(Pub_Mobile, RN1)}}}  Base


5/25/2017
RN2 is randomly generated by mobile
RN1 XOR RN2 is used as a session key for all communications
remaining
45
Solutions

Base  verifies the signature of the message using
Pub_Mobile




Session key formed in two parts sent in different
messages for better protection



Authenticate mobile if valid
Decrypt E(Pub_Base, RN2) with private key
Form session key RN1 XOR RN2
Compromising the private key does not compromise the traffic
Need to know both RN1 and RN2
These transactions are to occur at the MAC layer prior
to network access
5/25/2017
46
Solutions
5/25/2017
47
Solutions

Confidentiality can be achieved using an existing
symmetric cryptography algorithm

IDEA – International Data Encryption Algorithm


DES – Data Encryption Standard




Uses Block Cipher with a 128-bit key
Private key encryption (72 quadrillion possible keys)
Restricted for exportation by US Government
Shared key is agreed using mechanism above
Integrity can be achieved using a fingerprint generated
by a one-way hash function


MD5
SHA
5/25/2017
48
Solutions

Key Change Protocol


Initialized by base or mobile
E.g.,



Base  Signed(Priv_Base,{E(Pub_Mobile, New_RN1),
E(Pub_Mobile,RN1) })  Mobile
Mobile  Signed(Priv_Mobile,{E(Pub_Base, New_RN2),
E(Pub_Base, RN2) })  Base
New RN1 XOR RN2 value is used
5/25/2017
49
Solutions

Key Management

One possible solution is to use the smart card
technology



5/25/2017
CA creates the private and public keys inside the smart
card
 Private key never readable from card
CA signs the public key with his private key and stores the
public key to the smart card
Smart card is given to the end user to use in any wireless
LAN mobile
50
References




Uskela, Sami, Security in Wireless Local Area Networks,
Department of Electrical and Communications
Engineering, Helsinki University of Technology, December
1997
Mahan, Robert, Security in Wireless Networks, SANS
Institute, November 2001
Laing, Alicia, The Security Mechanism for IEEE 802.11
Wireless Networks, SANS Institute, November 2001
Ellingson, Jorgen, Layers One & Two of 802.11 WLAN
Security, SANS Institute, August 2001
5/25/2017
51
References






Fidler, Beau, Mobile Medicine. SANS Institute, August 2001
Hurley, Chad, Isolating and Securing Wireless LANs, SANS Institute,
October 2001
Conn, Dale, Security Aspects of Mobile IP, SANS Institute, December
2001
Voorhees, James, The Limits on Wireless Security: 802.11 in early
2002, SANS Institute, January 2002
McAleer, Sean, A Defense-in-Depth Approach for Securing Mobile
Devices and Wireless LANs, SANS Institute, January 24, 2001
Ow, Eng Tiong, IEEE 802.11b Wireless LAN: Security Risks, SANS
Institute, September 2001
5/25/2017
52