Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Security and Cooperation in Wireless Networks Chapter 1 The security of existing wireless networks a. Security of cellular networks b. WiFi Security: WEP, WPA, and WPA2 Levente Buttyan and Jean-Pierre Hubaux [--Note: L. Lilien made changes to improve clarity and formatting of slides, including: (1) adding more levels for prioritization of text, (2) changing font to larger size for most slides, (3) splitting many slides into 2 or more slides (necessary due to the above changes) (4) adding emphasis by changing font color to blue (5) removing words that are superfluous in slides (6) improving consistency of slides and the textbook Modifications are © 2007-2009 by Leszek T. Lilien. Requests to use L. Lilien’s slides for nonprofit purposes will be gladly granted upon a written request.--] Why is security more of a concern in wireless? No inherent physical protection – Physical connections between devices are replaced by logical associations – Don’t need physical access to the network infrastructure (cables, hubs, routers, etc.) for xmitting messages Wireless broadcast transmissions /communications – Usually, wireless = radio => a broadcast nature – Can be overheard by anyone in range – Anyone can transmit • Received by other devices in range • Interferes with other nearby transmissions – Jamming may prevent correct reception 2 Security vulnerabilities for wireless networks eavesdropping is easy messages can be altered or bogus messsages injected by an attacker (it is an example of an active attack) easier to impersonate (= to cheat on identities) replaying previously recorded messages is easy illegitimate access to the network and its services is easy denial of service (DoS) is easily achieved by jamming 3 Security requirements for wireless communication Recall: classic CIA security requirements – CIA = confidentiality + integrity + availability – Req’s below include CIA (in a different order) ------------------------------------------ authentication – origin of received messages must be verified access control – limit access to network services to legitimate entities only – need permanent access control • checking the legitimacy of an entity only when it joins the network (and its logical associations are established) is not sufficient – bec. logical associations can be hijacked confidentiality – messages must be encrypted 4 Security requirements for wireless communication (2) integrity – malicious modification of messages is possible • Even if modifying on-the-fly (during radio transmission) is not so easy – integrity of received messages must be verified privacy – incl. location privacy • do not reveal the location of the user, nor the party with which she communicates – law enforcement agencies must have access to these two pieces of info non-repudiation – e.g., prevent possibility that a user, after getting a message/service, pretends that she did not 5 Security requirements for wireless communication (3) availability – in particular, guarantee a fair share of the radio resource • e.g., for all mobile users located in the same radio domain – provide higher priority for more important communications • e.g., an emergency call from a cellular phone other security req’s: – replay detection • freshness of received messages must be checked – protection against jamming 6 Securing wireless networks a. Security of cellular networks Security in European cellular nets (similar in US cell nets) - in GSM (Global System for Mobile Communications) - A European 2G - in UMTS (2-nd generation) cellular network (Universal Mobile Telecommunications System) - A European 3G (3-rd generation) cellular network 7 REFRESHER SLIDES (quick presentation till Slide 23) Introduction To Cellular Systems (see L. Lilien’s Section 1 and Section 9 slides for CS6910: Pervasive Computing – S’07) Washington, DC Cincinnati, OH [LTL:] User moves but phone # unchanged Maintaining the telephone number across geographical areas in a wireless and mobile system 8 Generations of Wireless Systems & Services 1G - First Generation – Primarily for voice communication – Using FDM (frequency division multiplexing) 2G - Second Generation – – – – Emphasis still on voice communication but allows for… … Data communication Using TDM (time division multiplexing) Indoor/outdoor and vehicular environment 3G - Third Generation – Integrated voice, data, and multimedia communication – Need for: • High volume of traffic / Real time data communication • Flexibility, incl. – Frequent Internet access – Multimedia data transfer • Compatibility with 2G – Using compression • Without compromising quality © 2007 by Leszek T. Lilien 9 Future: 4G 4G – Expected to implement all standards from 2G & 3G – Infrastructure only packet-based, all-IP – Some of the standards paving the way for 4G: • WiMax • WiBro (Korean) • 3GPP Long Term Evolution – Improves the UMTS mobile phone standard (Europe) • Work-in-progress technologies – E.g., HSOPA, a part of 3GPP Long Term Evolution © 2007 by Leszek T. Lilien 10 Coverage Aspect of Next Generation Mobile Communication Systems Satellite In-Building Urban Suburban Global Picocell Microcell Macrocell Global 11 Fundamentals of Cellular Systems Service area - Ideal cell area (2-10 km radius) (circle) Cell BS MS Alterative shape of a cell (square) MS Hexagonal cell area used in most models Illustration of a cell with a mobile station (MS) and a base station (BS) [LTL:] Cell shapes (above) Actually, cell may have a zigzag shape Hexagon is a good approximation in practice Also, gives non-overlapping cells (used by clever bees for beehives) E.g., circles would either overlap, or would have gaps in between 12 MS, BS, BSC, MSC, and PSTN wired links PSTN Home phone … MSC … BSC BSC BSC … … … BS MS BS MS MSC BS MS BS MS BS MS … BSC … BS MS BS MS BS MS [LTL:] Several BSs connected via wireline links to one BSC (BS controller) Several BSCs connected via wireline links to one MSC (Mobile Switching Center) Several MSCs interconnected via wireline links to PSTN (Public Switched Telephone Network) and the ATM backbone 13 BS Structure BS consists of – Base Tranceiver System (BTS) • Includes tower & antenna – BSC • Contains all associated electronics © 2007 by Leszek T. Lilien 14 MSC Database Supporting MS Mobility & Incoming Call Scenario MSC database for supporting MS mobility 1) Home location register (HLR) for MS • Located at the “home MSC” for MS – Where MS is registered, billed, etc. • Indicates current location of MS – Could be within home MSC’s area OR – Could be in the area of any MSC in the world 2) Visitor location register (VLR) on each MSC • Contains info on all MSs visiting area of this MSC Incoming call scenario – Based on the called #, incoming call for an MS is directed to the HLR of the “home MSC” for this MS – HLR redirects the call to MSC/BSC/BS where the MS is now – VLR of the “current MSC” has info on MS (one of visiting MSs) © 2007 by Leszek T. Lilien 15 Control and Traffic Channels Note: Forward/reverse in the U.S., downlink/uplink elsewhere Mobile Station Base Station [LTL:] 4 simplex channels needed for control & traffic 2 control channels Exchange control msgs Forward channel & reverse channel 2 traffic channels For data Forward channel & reverse channel 16 Steps for a Call Setup from MS to BS [LTL:] Steps for a call setup from MS to BS When MS initiates a call BS MS 1. Need to establish path 2. Frequency/time slot/code assigned (FDMA/TDMA/CDMA) Time 3. Control information acknowledgement 4. Start communic. on assigned traffic channel 17 Steps for a Call Setup from BS to MS [LTL:] Steps for a call setup from BS to MS: When MS responds to a call (another MS calls this MS) BS MS 1. Call for MS # pending 2. Ready to establish a path 3. Use frequency / time slot / code (FDMA/TDMA/CDMA) Time 4. Ready for communication 5. Start communic on assigned traffic channel 18 9.2. Cellular System Infrastructure – cont. 1 The infrastructure in more detail 1) Discussed in Sec. 1 (“Pervasive Computing”): BTS = base transceiver system (tower + antenna) (tranceiver = transmitter + receiver) BSC = BS controller (all electronics controlling BTSs, even k*100 BTSs) BS = base station = BTS + BSC NOTE: We sometimes omit mentioning BTS, as if BTS + BSC were colocated & were an integrated BS Sometimes (as in the previous Figure) BTS is denoted as “BS” HLR = home location register VLR = visitor home location register 2) Not discussed yet: AUC = authentication center EIR = equipment identity register (Modified by LTL) 9.2. Cellular System Infrastructure – cont. 3 HLR and VLR used in a way analogous to mail forwarding by the U.S. Postal Service - fig. above (pp. 190/- 192) (Modified by LTL) 20 9.2. Cellular System Infrastructure – cont. 4 Unlike in the USPS example, in cellular need not only forward link (home MSC -> visiting MSC) Need also a backward link (visiting MSC -> home MSC ) – see fig. below for the bi-directional link Backward link needed for, e.g.: Billing - done only by home MSC (mobile switching center) Look at the list of access specifications – kept by home MSC Is MS active or not (e.g., delayed payment) Local calls only or long distance calls allowed or both Listing of calls made Listing of charges (Modified by LTL) 21 The end of the “Introduction to Cellular Systems” 22 GSM Security: The SIM card (Subscriber Identity Module) Security req’s for SIMs (SIMs implemented as smart cards) – Tamper-resistance – Protected by a PIN code (checked locally by the SIM) – Removable from the terminal – Contains all end-user-specific data required in the Mobile Station: • IMSI: International Mobile Subscriber Identity (permanent • • • • • • • user’s identity) PIN TMSI (Temporary Mobile Subscriber Identity) Ki : User’s secret key Kc : Ciphering key List of the most recent call attempts List of preferred operators Supplementary service data (abbreviated dialing, last short messages received,...) 23 Authentication principle of GSM * Uses challenge-response principle + Subscriber (her SIM card) receives a random # (RAND) as a challenge + 2 B authenticated, subscriber (SIM) must compute a correct response - Computed from the challenge (RAND) and long-term secret key (K) - K known only to Subsciber (her SIM) and the operator - RAND ensures freshness of response (w/o RAND, attacker could use old response) For more interesting case, consider auth’g subscriber in visited network (not in home network) – see Fig. 1.1 PRNG – (programmable) RAND # generator A3, A8 – algorithms from GSM specs SRES – correct response to the challenge CK – encr. key for mobile-to-visited net Communication SRES’ – response to chall. fr. mobile 24 Authentication principle of GSM (2) * Notes: VN = visited network, HN = home network + VN authenticates subscriber w/o knowing K (long term key) - Knows CK (encr. key for mobile-to-visited net communications) - VN needs not consult HN + HN needs not be contacted by VN each time subscriber must be authenticated - Bec. HN can send a few triplets (RAND, SRES, CK) each time it is contacted by VN + Subscriber identity hidden from eavesdroppers by using TMSI - IMSI used for 1st authentication - TMSI assigned to Subscriber by VN after 1st successful authentication - Encrypted with CK - Mobile uses TMSI to communicate w/ VN + When Subscriber moves to VN2 (another VN),: - VN2 contacts VN1 - VN1 sends TMSI to VN2 25 SKIP-Authentication principle of GSM (original sl.) Mobile Station Visited network Home network Ki IMSI/TMSI R IMSI (or TMSI) IMSI Triplets (Kc, R, S) Authenticate (R) Ki A8 A3 Kc S Triplets R A8 A3 Kc S’ Auth-ack(S’) S=S’? 26 SKIP-Cryptographic algorithms of GSM Random number User’s secret key R Ki A3 A8 S Kc R Authentication A5 Triplet Ciphering algorithm Kc: ciphering key S : signed result A3: subscriber authentication (operator-dependent algorithm) A5: ciphering/deciphering (standardized algorithm) A8: cipher generation (operator-dependent algorithm) 27 Ciphering in GSM FRAME NUMBER Kc PLAINTEXT SEQUENCE FRAME NUMBER Kc A5 A5 CIPHERING SEQUENCE CIPHERING SEQUENCE Sender (MS or Network) CIPHERTEXT SEQUENCE PLAINTEXT SEQUENCE Receiver (Network or MS) Kc = ciphering key A5 = ciphering/deciphering (standardized algorithm) 28 Conclusion on GSM security Security services provided by GSM security architecture: – Focus on the protection of the air interface • No protection on the wired part of the network – Neither for privacy nor for confidentiality – Allow the visited network access to almost all data • Except the secret key of the end user – Generally robust… – … but a few successful attacks have been reported: • faking base stations • cloning SIM card 29 UMTS Security Architecture (1a) Motivation and goals – New kind of service providers • content providers, HLR only service providers,… – HLR = Home Location Register – – – – – Increased control for users over their service profiles Enhanced resistance to active attacks Increased importance of non-voice services Reuse GSM (2G) security principles … 30 UMTS Security Architecture (1b) Reusing GSM security principles (for GSM): – Removable hardware security module • In GSM (2G): SIM card • In UMTS (3G): USIM (User Services Identity Module) – Radio interface encryption – Limited trust in a visited network • K (long-term key) never revealed to it – Protection of the end user’s identity • Especially on the radio interface • Using TMSI instead of IMSI 31 UMTS Security Architecture (2a) Weaknesses of GSM security that require corrections: – Only unilateral authentication • Authenticates only MS (none in reverse) (mobile station) to BS (base station) in visited net => Allows for fake BSs • Then run MITM (man-in-the –middle) attacks from it – Using “IMSI catchers” (devices for protocol testing) • Facilitated by unability of subscriber to verify freshness of the received challenge – Lack of integrity protection for communication/ signalling over radio • Facilitates using fake BSs • Integrity not critical for voice communications (just some voice distortion) but ... ... Integrity critical for data communications (each bit matters!) 32 UMTS Security Architecture (2b) Weaknesses of GSM security that require corrections – cont. – Short length of encryption key – Weaknesses in implementations of the A3 and A8 algorithms • Allow compromising K (long-term key) – This allows cloning SIM – ... 33 UMTS Security Architecture (3) Principles for new security architecture in UMTS – Fix the weaknesses of GSM – Without changing general GSM security principles => Extending them • ‘Reverse’ authentication (BS to MS) • Integrity protection New security features in 3G – Address the weaknesses – Without changing general GSM security principles – Instead, extend GSM security principles • ‘Reverse’ authentication (BS to MS) • Integrity protection 34 Authentication in UMTS Details – GSM triplet (RAND, SRES, CK) replaced by a quintuple – the UMTS authentication vector : (RAND, XRES, CK, IK, AUTN) where: • RAND – as before • XRES – expected response to RAND • CK – as before • IK – integrity protection key • AUTN – token that: (a) authenticates HN (home net) to MS (b) Proves freshness of RAND 35 Authentication in UMTS (2) • Construction of authentication vector in UMTS standard • SQN = sequence # maintained synchronously by MS and HN • AK = anonymity key: to hide SQN value from eavesdroppers • AMF = auth. & key mngmt field: to pass parameters from HN to MS • MAC = message authentication code (nothing to do with MAC sublayer) • f1 – f5 = one-way (hashing) functions Notes: - - the XOR operation - SQN encoded with AK to protect privacy of MS (otherwise eavesdropper could associate different executions of authorization protocol with consecutive sequence #s to the same subscriber) 36 MS Authentication in UMTS-3GPP Visited Network Home Network SQN Generation of cryptographic material K (user’s secret key) K User authentication request RAND(i) || AUTN(i) IMSI/TMSI 1) Verify AUTN(i): (cf. next slide) - Generate AK - Decode SQN - Verify MAC - Verify SQN(i) 2) Compute RES(i) (next) RAND(i) <RAND(i), XRES(i), CK(i), IK(i), AUTN(i)> i-th Authentication vector Recall: • AK = anonymity key: to hide SQN value from eavesdroppers • SQN = sequence # maintained synchronously by MS and HN • MAC = message authentication code User authentication response RES(i) K 3) Compute CK(i) (next) 4) Compute IK(i) (next) Compare RES(i) and XRES(i) Select CK(i) and IK(i) From now on CK(i) & IK(i) used to protect 37 integrity & confidentiality of msgs User Authentication Function in the USIM AUTN(i) RAND(i) SQN AK AMF MAC f5 AK(i) SQN(i) K f1 XMAC (i) (Expected MAC) f2 f3 f4 RES(i) (Result) CK(i) (Cipher Key) IK(i) (Integrity Key) • Verify MAC = XMAC (if yes, SQN originated in MS’s home network) • Verify that SQN(i) > most recent SQN stored by MS USIM: User Services Identity Module 38 Conclusion on UMTS security Some improvement w.r.t. 2G – Cryptographic algorithms are published – Integrity of the signalling messages is protected Quite conservative solution Privacy/anonymity of the user not completely protected Complicates 2G-3G interoperability – Might open security breaches 39 Securing wireless networks b. WiFi Security: WEP, WPA, & WPA2 - intro to WiFi - WEP - intro to WEP - WEP flaws - WEP – Lessons learnt - 802.11i - Summary of WiFi security b.1. Introduction to WiFi (1) STA = mobile STAtion AP = Access Point “connected” scanning on each channel STA association response association request AP beacon - MAC header timestamp beacon interval capability info SSID (network name) supported data rates radio parameters power slave flags 41 Introduction to WiFi (2) Internet AP 42 b.2. WEP b.2.1. Intro to WEP WEP = Wired Equivalent Privacy WEP is a part of the IEEE 802.11 specification goal – make WiFi net at least as secure as a wired LAN • that has no particular protection mechanisms – WEP was never intended to achieve strong security services – access control to the network – message confidentiality – message integrity 43 WEP – Access control before association, STA needs to authenticate itself to AP authentication is based on a simple challenge-response protocol: STA AP: authenticate request AP STA: authenticate challenge (r) r is 128 bits long STA AP: authenticate response (eK(r)) AP STA: authenticate success/failure if authentication fails, no association is possible if authentication succeeds: – STA sends an association request – AP respondS with an association response 44 WEP – Message confidentiality and integrity WEP encryption - based on RC4 (a stream cipher developed in 1987 by Ron Rivest for RSA Data Security, Inc.) – Operation: • Sending message: – RC4 generator is initialized with: » a shared secret (shared between STA & AP) » an initialization vector (IV) – 24 bits – RC4 produces a key stream (a pseudo-random byte sequence) – Key stream is XORed with the message • Msg reception is analogous – Essential: different key stream for each message – shared secret - the same for each message – IV - changes for every message WEP integrity protection - based on an encrypted CRC value – Operation: • Integrity check value (ICV) is computed and appended to the message 45 • the message and the ICV are encrypted together WEP – Message confidentiality and integrity (2) message || ICV IV secret key RC4 K ICV = CRC value for “message” K = key stream encode IV message || ICV Shaded means secret decode IV secret key RC4 K message || ICV Fig. 1.3. Encryption and decryption in WEP 46 WEP – Kinds of Keys WEP standard - two kinds of keys are allowed – Default key • Also called: shared key, group key, multicast key, broadcast key, key – Key-mapping keys • Also called: individual key, per-station key, unique key id:X | key:abc Default key id:Y | key:abc id:Z | key:abc id:X | key:def Key-mapping key id:Y | key:ghi key:abc id:Z | key:jkl id:X | key:def id:Y | key:ghi id:Z | key:jkl In practice, often only default keys are supported – Default key - manually installed in every STA & AP – Each STA uses the same shared secret key (see the “Default key” fig.) 47 => in principle, STAs can decrypt each other’s messages WEP – Management of default keys The default key is a group key – Group keys need to be changed when a member leaves the group • E.g., when someone leaves the company and shouldn’t have access to its network anymore Practically impossible to change the default key in every device simultaneously => WEP supports multiple default keys for smooth change of keys – One of the keys is the active key • Used currently to encrypt messages – Any default key can be used to decrypt messages • The message header contains a key ID – Allows the receiver to find out a key to decrypt the message (allows the receiver to know default keys – knowing one is enough) 48 WEP – The key change process time STA1 AP STA2 abc* --- a, b, c – default keys * indicates the active key abc* --- Note: * New STA can read msg encoded with c (since it abc* --- abc* def abc def* includes it as a deafult key) * AP can read msg encoded with f (since it includes it as a default key) --def* abc def* --def* --def* 49 b.2.2. WEP flaws WEP Flaws in Authentication & Access Control Flaw 1: Authentication is not mutual (one-way only) – AP is not authenticated by STA (mobile STAtion) • STA is at risk to associate with a rogue AP Flaw 2: The same shared secret key used for authentication & encryption • I authenticate X if X uses one of “my” group keys for encrypting her messages • I don’t authenticate Y if his msg can’t be decrypted using one of my group keys – Bad! Weaknesses in any of the two protocols can be used to break the key for the other protocol Flaw 3: STA authenticated only at connection time => Access control is not continuous – Once STA has authenticated with (& associated to) AP, an attacker can send messages using the MAC (medium access control) address of STA • Correctly encrypted messages cannot be produced by the attacker (does not know a group key)… • … But attacker can replay STA msgs (e.g., STA1 msg replayed as STA 5 msg) => STA can be impersonated (next slide) 50 WEP flaws in Authentication and Access Control (2a) Flaw 4: Using RC4 for encrypting random challenge – Recall: Authentication based on a challenge-response protocol: … AP STA: C STA receives C, calculates response: K = a 128-bit key stream (RC4 output) C IV secret key RC4 C = challenge K STA encodes IV C K STA AP: IV || ( C K ) … 51 WEP flaws in Authentication and Access Control (2b) – An attacker can: • Capture challenge C - when sent from AP to STA • Capture challenge encrypted in response R = (C K) - when sent from STA to AP • Compute key stream: K = C (C K) – Later, attacker can use key stream K to impersonate a legitimate STA: … AP attacker: C’ C’ – any challenge! attacker AP: IV || ( C’ K ) - correct attacker’s response to any … challenge Note: IV does not help to prevent the attack - Since selected by the sender – i.e., the attacker 52 WEP Flaws in Replay Protection & Integrity Replay protection: none at all – IV not mandated to be incremented after each msg Integrity: Attackers can manipulate msgs despite the ICV mechanism & encryption – ICV appended to clear message M (see Fig. 1.3) is the CRC value for M (CRC = cyclic redundancy code) – CRC is a linear function w.r.t. XOR: CRC(X Y) = CRC(X) CRC(Y) - WEP-encrypted message M (cf. Fig. 1.3): (M || CRC(M)) K 53 WEP Flaws in Replay Protection & Integrity (2) Integrity: Attackers can manipulate msgs despite the ICV mechanism & encryption – cont. - Attacker observes encrypted message M: (M || CRC(M)) K DM = changes that attacker wants to make in M - Unforunately , the attacker can compute CRC(DM) for any DM - Hence, the attacker can also compute encrypted message (M DM) as follows: Captured encrypted message M encrypted DM = Att. uses captured ( (M || CRC(M)) K) (DM || CRC(DM) ) = encrypted msg, then adds the last component (that ((M DM) || (CRC(M) CRC(DM))) K = includes no K! -- so needs NOT know K!) ((M DM) || CRC(M DM)) K - encrypted By rules of math, the effect is AS IF the att. knew K (even so message (M DM) does NOT know K) 54 WEP Flaws in Confidentiality Flaw 1: IV reuse – IV space is too small - only 24 bits => there are about 17 million (16,777,216) possible IVs - IV reused after about 17 million msgs – WiFi device xmits approx. 500 full-length frames per sec. => => IV space is used up in a few hours => Repeating IVs means repeating key streams (pseudorandom sequences) used for encryption 55 WEP Flaws in Confidentiality (2) Flaw 2: IV initialization & incrementing – Many implementations initialize IV with 0 on startup & incremented by 1 for each next msg • If several devices are switched nearly simultaneously, all use the same sequence of IVs • If they all use the same secret key (which is the common case for a default key for a group of devices under a single AP), then same key streams (pseudo-random sequences) used for encryption => An attacker does not need to wait for msgs using repeated key streams (due to using up all IV values) • Gets messages encrypted with the same key stream immediately 56 WEP flaws in Confidentiality (3) Flaw 3 (total collapse of WEP): Weak RC4 keys – For weak keys (some seed values), the beginning of the RC4 output is not really random • One can infer the bits of the seed from the first few bytes of the RC4 output => breaking the key is made easier – Crypto experts suggest: always throw away the first 256 bytes of the RC4 output… – … but WEP doesn’t do that 57 WEP flaws in Confidentiality (4) Flaw 3 (total collapse of WEP): Weak RC4 keys – cont. – Due to the use of ever-changing IV values, eventually a weak key will be used • Attacker will know that – Because IVs are sent in the clear (see Fig. 1.3) - WEP encryption can be broken: - by automatic key-cracking tools! - after eavesdropping on only k * 100,000 of msgs! – This is the most serious flaw • Since breaking WEP means finding out the secret key! (see Fig. 1.3) – Can read and fake messages at will 58 b.2.3. WEP – Lessons learnt 1. Engineering security protocols is difficult – One can combine otherwise strong building blocks in a wrong way & obtain an insecure system at the end • Example 1: – Stream ciphers (e.g., RC4) alone are OK – Challenge-response protocols for authentication are OK – But they shouldn’t be combined (as in WEP) • Example 2: – Encrypting a msg digest (such as CRC) to obtain an ICV is a good principle – But it doesn’t work if the message digest function is linear w.r.t. the encryption function (as is the case for CRC, which is linear w.r.t. the XOR function used for encryption in WEP) 59 WEP – Lessons learnt 1. Engineering security protocols is difficult – cont. – Use help of a security expert — don’t do it alone (unless you are a security expert) • Functional properties can be tested... • ...but security can’t be tested - it is a non-functional property => it is extremely difficult to tell if a system is secure or not – Using an expert in the design phase pays out (fixing the system after deployment will be much more expensive) • experts will not guarantee that your system is 100% secure... • ...but at least they know many pitfalls • they know the details of crypto algorithms 2. Avoid the use of WEP (as much as possible) 60 b.3. Overview of 802.11i After the collapse of WEP => IEEE started to develop a new security architecture => 802.11i & Robust Security Network (RSN) Main novelties in 802.11i w.r.t. WEP – access control model is based on 802.1X – flexible authentication framework • based on EAP – Extensible Authentication Protocol – authentication can be based on strong protocols • e.g., TLS – Transport Layer Security – authentication process results in a shared session key • prevents session hijacking – different functions (encryption, integrity) use different keys derived from the session key using a one-way (hashing) function – improved integrity protection – improved encryption 61 b.3. Overview of 802.11i (2) 802.11i defines RSN (Robust Security Network) – integrity protection & encryption based on AES • not on RC4 anymore – nice solution ... – ... but needs new hardware => can’t be adopted quickly In addition to RSN, 802.11i also defines an optional protocol called TKIP (Temporal Key Integrity Protocol) – ugly solution ... ... but no new hardware required • runs on old hardware after a software upgrade – confidentiality: encryption based on RC4 • but WEP’s problems have been avoided – integrity protection based on Michael (more on it later) – authentication, access control, key management — same as in RSN 62 b.3. Overview of 802.11i (3) Industrial names (industry, eager to fix WEP’s flaws, didn’t wait till 802.11i architecture was finalized by IEEE. It quickly produced its own specs, hence had to use different names.) – For TKIP: WPA (WiFi Protected Access) – For RSN: WPA2 Chronology [Wikipedia] – WEP security specification is a part of the IEEE 802.11 standard ratified in Sept. 1999 – RSN & TKIP are defined in IEEE 802.11i, draft standard ratified in June 2004 63 b.3.1. Authentication and access control in 802.11i Authentication and access control in 802.11i – Borrowed from the 802.1X standard • 802.1x originally for wired LANs 802.1X authentication & access control model – next slide 64 802.1X authentication model supplicant sys supplicant authenticator system services port authenticator auth server sys authentication server controls LAN the supplicant requests access to the services network) (wants to connect to the the authenticator controls access to the services (controls the state of a port) the authentication server authorizes access to the services – the supplicant authenticates itself to the authentication server (via the authenticator) – if the authentication is successful: • the authentication server instructs the authenticator to switch the port on • the authentication server informs the supplicant that access is allowed 65 Mapping the 802.1X model to WiFi Mapping 802.1X to WiFi : – supplicant = STA (mobile device) – authenticator = AP (access point) – authentication server = server application running on AP or on a dedicated machine – port = logical state implemented in software in the AP One more thing added to the basic 802.1X model in 802.11i: – successful authentication results not only in switching the port on – also in defining a session key between STA (supplicant) and the authentication server • the session key is sent to the AP (authenticator) in a secure way – using a shared key between the AP and the authentication server – this key is usually set up manually 66 Protocols – RADIUS, EAPOL, and EAP RADIUS = Remote Access Dial-In User Service [RFC 2865-2869, RFC 2548] – to carry EAP messages (next) between auth server & AP (next) • MS-MPPE-Recv-Key attribute is used to transport the session key from auth server to AP – RADIUS is mandatory for WPA & optional for RSN EAPOL = EAP over LAN [802.1X] – to carry EAP messages (next) between STA & AP – to encapsulate EAP messages into LAN protocols • e.g., into Ethernet protocols 67 Summary of the protocol architecture TLS (RFC 2246) EAP-TLS (RFC 2716) EAP (RFC 3748) EAPOL (802.1X) EAP over RADIUS (RFC 3579) 802.11 RADIUS (RFC 2865) TCP/IP 802.3 or else STA AP auth server IEEE 802.3 - collection of IEEE standards defining the physical layer and the media access control (MAC) sublayer of the data link layer of wired Ethernet. This is generally a LAN technology with some WAN applications. [Wikipedia, “IEEE 802.3“] 68 Protocols – RADIUS, EAPOL, and EAP (2) EAP = Extensible Authentication Protocol [RFC 3748] – carrier protocol - to transport the messages of “real” authentication protocols (e.g., TLS) – very simple, with four types of messages: • EAP request – carries messages from the supplicant to the authentication server • EAP response – carries messages from the authentication server to the supplicant • EAP success – signals successful authentication • EAP failure – signals authentication failure – authenticator (AP) doesn’t understand what is inside the EAP messages • it recognizes only EAP success and EAP failure 69 Summary of the protocol architecture TLS (RFC 2246) EAP-TLS (RFC 2716) EAP (RFC 3748) EAPOL (802.1X) EAP over RADIUS (RFC 3579) 802.11 RADIUS (RFC 2865) TCP/IP 802.3 or else STA AP auth server IEEE 802.3 - collection of IEEE standards defining the physical layer and the media access control (MAC) sublayer of the data link layer of wired Ethernet. This is generally a LAN technology with some WAN applications. [Wikipedia, “IEEE 802.3“] 70 Protocols – RADIUS, EAPOL, and EAP(3) EAP-TLS = TLS over EAP [RFC 2716] – for server & client authentication, generation of master secret – only the TLS Handshake Protocol is used – TLS master secret becomes the session key – mandatory for WPA & optional for RSN 71 Summary of the protocol architecture TLS (RFC 2246) EAP-TLS (RFC 2716) EAP (RFC 3748) EAPOL (802.1X) EAP over RADIUS (RFC 3579) 802.11 RADIUS (RFC 2865) TCP/IP 802.3 or else STA AP auth server IEEE 802.3 - collection of IEEE standards defining the physical layer and the media access control (MAC) sublayer of the data link layer of wired Ethernet. This is generally a LAN technology with some WAN applications. [Wikipedia, “IEEE 802.3“] 72 SKIP- Summary of the 802.11i protocol architecture 73 EAP in action STA encapsulated in EAPOL EAPOL-Start AP auth server encapsulated in EAP over RADIUS EAP Response (Identity) EAP Response (Identity) EAP Request 1 EAP Request 1 EAP Response 1 EAP Response 1 ... ... embedded auth. protocol EAP Request (Identity) EAP Request n EAP Request n EAP Response n EAP Response n EAP Success EAP Success 74 b.3.2. Key management Pairwise master key (PMK) = the session key established between STA & AP as a result of the authentication procedure – “Pairwise” since known only to STA & AP • Known also to auth server (AS) - not counted since AS is a trusted entity – “Master” bec. not used directly – used to generate encryption & integrity keys Four keys derived from PMK are called the pairwise transient key (PTK) (in singular!) – Data-encryption key (DEK) – Data-integrity key (DIK) – Key-encryption key (KEK) – Key-integrity key (KIK) 75 b.3.2. Key management (2) Special case: AES-CCMP – used in RSN (more on it later) – Three keys only in its PTK (pairwise transient key) • DEK = DIK • KEK • KIK 76 Four-way handshake protocol Objective: – AP & STA exchange their random #s • to be used in PTK generation – Proves to AP/STA that the other party also knows PMK (result of authentic’n) 77 Four-way handshake protocol (2) The protocol: (its msgs are carried by EAPOL) AP: generate Anonce (nonce is a random #) 1) AP STA: ANonce | KeyReplayCtr (Ctr = counter) STA: generate SNonce and compute PTK 2) STA AP: SNonce | KeyReplayCtr | MICKIK (above msg includes info needed by AP for computing PTK) AP: compute PTK, generate GTK & verify MIC (using KIK to verify MIC) (a successful MIC verific proves to AP that STA has PMK) 3) AP STA: ANonce | KeyReplayCtr+1 | {GTK}KEK | MICKIK STA: verify MIC and install keys (a successful MIC verific proves to STA that AP has PMK; also, this msg signals that AP is ready to install the keys => ready for encrypting subsequent packets) 4) STA AP: KeyReplayCtr+1 | MICKIK (ACK to AP that STA got the msg (3) from AP AP: verify MIC and install keys MICKIK = Message Integrity Code (computed by the mobile device using KIK) KeyReplayCtr = a counter used to prevent replay attacks 78 Four-way handshake protocol (3) From now on, data packets sent between STA and AP are protected by DEK & DIK They don’t protect msgs broadcast by AP to “its” STAs – Bec. keys for broadcast msgs must be known to all STAs to which AP wants to broadcast => need group transient key (GTK) (next) 79 Group transient key (GTK) Group transient key (GTK) – GTK includes: • group-encryption key (GEK) • group-integrity key (GIK) – GTK sent to each STA separately • encrypted with KEK of this single STA 80 Key hierarchies (summary) random generation in AP 802.1X authentication PMK (pairwise master key) GMK (group master key) key derivation in STA and AP key derivation in AP unicast message transmitted between STA and AP GTK (group transient keys): - group encryption key - group integrity key transport to every STA protection protection (128 bits each) protection PTK (pairwise transient keys): - key encryption key - key integrity key - data encryption key - data integrity key broadcast messages transmitted from AP to STAs 81 b.3.3. TKIP and AES-CCMP Recall: 1) 802.11i specs define security architectures: * Old sec architecture (flawed) - protocol: WEP WEP security specification is a part of the IEEE 802.11 standard (Sept.’99 ) [Wikipedia] * New sec architecture - protocols: Supersedes WEP, defined as IEEE 802.11i, draft standard ratified in June’04, [Wikipedia] + RSN - uses AES cipher (instead of RC4 cipher) - needs new h/w + TKIP (optional protocol) - uses RC4 cipher - uses old h/w 2) Industry specs define security architectures: + WPA (WiFi Protected Access) - based on TKIP + WPA2 - name used for RSN by many WiFi manufacturers 82 TKIP and AES-CCMP Summary: AES used in RSN (=WPA2) RC4 used in TKIP & WPA 83 TKIP TKIP runs on old hardware (that supports RC4), but ... ...WEP weaknesses are corrected by TKIP – TKIP fix for integrity: Michael - new msg integrity protection mechanism • MIC (Message Integrity Code) value is added at SDU level (service data unit level) before fragmentation into PDUs - that is, MIC value added to data received by MAC layer from higher layers before these data are fragmented • implemented in the device driver (in software) 84 TKIP (2) – TKIP fix for confidentiality: replay counter) (recall: IV used as a • to fix IV reuse problem: increase IV length to 48 bits (from 24 bits) • to fix weak keys problem: use per-packet keys (prevents attacker from observing a sufficient # of msgs encrypted with the same, potentially weak, key) next sl.: new IV mechanism & generation of msg keys 85 TKIP – Generating RC4 keys Recall: - IV size in TKIP is increa-sed from 24 to 48 bits. 48 bits IV upper lower 32 bits 16 bits - This creates difficulty: the old WEP hardware still expects a 128-bit RC4 seed value. => 48-bit IV & 104-bit key must be compressed into 128 bits. 128 bits key mix (phase 1) dummy byte The figure shows how this is done, that is shows generating RC4 seed values keys DEK (data encryption key) from PTK MAC address key mix (phase 2) IV d IV per-packet key 3x8 = 24 bits 104 bit RC4 seed value (128 bits) 86 AES-CCMP (used in RSN) AES = AES cipher algorithm CCMP = CTR mode + CBC-MAC – encryption based on CTR mode (using AES – next slide) – integrity protection based on CBC-MAC (using AES - below) SKIP- Calculation of CBC-MAC – CBC-MAC is computed over the MAC header, CCMP header, and the MPDU (fragmented data) – mutable fields are set to zero – input is padded with zeros if length is not multiple of 128 (bits) – CBC-MAC initial block: • flag (8) • priority (8) • source address (48) • packet number (48) • data length (16) – final 128-bit block of CBC encryption is truncated to 87 (upper) 64 bits to get the CBC-MAC value AES-CCMP SKIP- CTR mode encryption – MPDU and CBC-MAC value is encrypted, MAC and CCMP headers are not – format of the counter is similar to the CBC-MAC initial block • “data length” replaced by “counter” • counter initialized with 1 and incremented after each encrypted block 88 SKIP- b.3.3. Bluetooth P. 27 - 31 89 b.4. Summary of WiFi security Security always considered important for WiFi Early solution based on WEP – seriously flawed – not recommended to use 802.11i - the new security standard for WiFi – access control model based on 802.1X – flexible authentication based on: • EAP • upper layer authentication protocols (e.g., TLS, GSM authentication) – improved key management – TKIP • uses RC4 => runs on old hardware… • … but corrects WEP’s flaws • mandatory in WPA, optional in RSN (=WPA2) – AES-CCMP • uses AES in CCMP mode (CTR mode and CBC-MAC) 90 • needs new hardware that supports AES Recommended books V. Niemi and K. Nyberg. UMTS Security. Wiley, 2003 J. Edney, W. Arbaugh. Real 802.11 Security: WiFi Protected Access and 802.11i. Addison-Wesley, 2004. Caution: books describing standards age very quickly (especially in this field) ! 91 THE END 92 93 94 SKIP- Generation of the authentication vectors (by the Home Environment) Generate SQN Generate RAND AMF K f1 f2 f3 f4 f5 MAC (Message Authentication Code) XRES (Expected Result) CK (Cipher Key) IK (Integrity Key) AK (Anonymity Key) 〓 〓 〓 : RAND XRES CK IK AUTN 〓 Authentication vector: AV 〓 〓 Authentication token: AUTN : ( SQN AK ) AMF MAC AMF: Authentication and Key Management Field 95 SKIP- More about the authentication and key generation function In addition to f1, f2, f3, f4 and f5, two more functions are defined: f1* and f5*, used in case the authentication procedure gets desynchronized (detected by the range of SQN). f1, f1*, f2, f3, f4, f5 and f5* are operator-specific However, 3GPP provides a detailed example of algorithm set, called MILENAGE MILENAGE is based on the Rijndael block cipher In MILENAGE, the generation of all seven functions f1…f5* is based on the Rijndael algorithm 96 SKIP- Authentication and key generation functions f1…f5* RAND SQN||AMF OP OPc EK OPc EK OPc OPc OPc rotate by r1 c1 rotate by r2 c2 EK f1 rotate by r3 c3 EK OPc OPc f1* OPc f5 f2 OP: operator-specific parameter r1,…, r5: fixed rotation constants c1,…, c5: fixed addition constants OPc rotate by r4 c4 EK OPc c5 EK OPc f3 rotate by r5 EK OPc f4 f5* EK : Rijndael block cipher with 128 bits text input and 128 bits key 97 SKIP- f9 integrity function COUNT || FRESH || KASUMI ||DIRECTION||1|| 0…0 IK KASUMI • KASUMI: block cipher (64 bits input, 64 bits output; key: 128 bits) • PS: Padded String • KM: Key Modifier PSBLOCKS-1 PS2 PS1 PS0 IK MESSAGE IK IK KASUMI IK KM KASUMI KASUMI MAC-I (left 32-bits) 98 SKIP- Ciphering method LENGTH BEARER COUNT-C CK COUNT-C DIRECTION f8 CK KEYSTREAM BLOCK PLAINTEXT BLOCK Sender (Mobile Station or Radio Network Controller) LENGTH BEARER DIRECTION f8 KEYSTREAM BLOCK CIPHERTEXT BLOCK PLAINTEXT BLOCK Receiver (Radio Network Controller or Mobile Station) BEARER: radio bearer identifier COUNT-C: ciphering sequence counter 99 SKIP- f8 keystream generator COUNT || BEARER || DIRECTION || 0…0 KM: Key Modifier KS: Keystream CK KASUMI KM Register BLKCNT=0 CK BLKCNT=1 KASUMI KS[0]…KS[63] CK BLKCNT=2 KASUMI CK BLKCNT=BLOCKS-1 KASUMI CK KASUMI KS[64]…KS[127] KS[128]…KS[191] 10 0 SKIP- Detail of Kasumi L0 32 R0 32 64 KL1 32 16 FO1 FO2 Zero-extend KL2 FL2 S7 KOi,2 FL3 KIi,j,2 KIi,j,1 FO3 KO4, KI4 FO4 KL4 S9 KOi,3 FL4 Zero-extend KIi,3 FIi3 FL5 truncate KIi,2 FIi2 KO3 , KI3 KL3 7 S9 KIi,1 FIi1 KO2 , KI2 16 9 KOi,1 KO1 , KI1 FL1 16 KO5 , KI5 KL5 FO5 S7 truncate KO6 , KI6 FO6 KL6 FL6 Fig. 2 : FO Function KO7 , KI7 KL7 FL7 Fig. 3 : FI Function 32 FO7 16 16 KLi,1 KO8 , KI8 FO8 <<< KL8 FL8 KLi,2 <<< L8 R8 Fig. 4 : FL Function C Fig. 1 : KASUMI Bitwise AND operation KLi, KOi , KIi : subkeys used at ith round S7, S9: S-boxes Bitwise OR operation <<< One bit left rotation 10 1 SKIP- Signaling integrity protection method SIGNALLING MESSAGE SIGNALLING MESSAGE FRESH FRESH COUNT-I IK COUNT-I DIRECTION f9 MAC-I Sender (MS or Radio Network Controller) IK DIRECTION f9 XMAC-I Receiver (Radio Network Controller or MS) FRESH = random input 10 2 SKIP- Protocols – LEAP, EAP-TLS, PEAP, EAPSIM LEAP (Light EAP) EAP-TLS (TLS over EAP) PEAP (Protected EAP) EAP-SIM – developed by Cisco – similar to MS-CHAP extended with session key transport – – – – only the TLS Handshake Protocol is used server and client authentication, generation of master secret TLS maser secret becomes the session key mandated by WPA, optional in RSN – phase 1: TLS Handshake without client authentication – phase 2: client authentication protected by the secure channel established in phase 1 – extended GSM authentication in WiFi context – protocol (simplified) : STA AP: EAP res ID ( IMSI / pseudonym ) STA AP: EAP res ( nonce ) AP: [gets two auth triplets from the mobile operator’s AuC] AP STA: EAP req ( 2*RAND | MIC2*Kc | {new pseudonym}2*Kc ) STA AP: EAP res ( 2*SRES ) AP STA: EAP success 103