Outline • Introduction • Thwarting malicious behavior • 802.11 Wireless Network Security
The Internet : something went wrong “The Internet is Broken”MIT Technology Review, Dec. 2005 – Jan. 2006 NSF FIND, GENI, etc. Network deployment Observationof new misdeeds (malicious or selfish) Install security patches (anti-virus, anti-spam, anti-spyware,anti-phishing, firewalls,…)
Where is this going ? The Economist, April 28, 2007 MIT Technology Review, Dec. 2005 – Jan. 2006 What if tomorrow’s wireless networks are even more unsafe than today’s Internet ?
Wireless networks are rapidly becoming pervasive. • How many of you have web-enabled cell phones? • How many of you have networked PDAs and Pocket PCs? • How many of you have laptops with wireless network cards? • How many of you have wireless networks at work? at home? • How many of you use wireless networks when you are out and about?
Of those of you who have wireless devices, how many of you: • protect your wireless device with a password? • encrypt the data in your wireless device? • employ any type of security with your wireless device? • employ security with your wireless network?
Upcoming wireless networks • New kinds of networks • Personal communications • Small operators, community networks • Cellular operators in shared spectrum • Mesh networks • Hybrid ad hoc networks (also called “Multi-hop cellular networks”) • “Autonomous” ad hoc networks • Personal area networks • Vehicular networks • Sensor and RFID networks • … • New wireless communication technologies • Cognitive radios • MIMO • Ultra Wide Band • Directional antennas • …
Upcoming wireless networks • New kinds of networks • Personal communications • Small operators, community networks • Cellular operators in shared spectrum • Mesh networks • Hybrid ad hoc networks (also called “Multi-hop cellular networks”) • “Autonomous” ad hoc networks • Personal area networks • Vehicular networks • Sensor and RFIDnetworks • … • New wireless communication technologies • Cognitive radios • MIMO • Ultra Wide Band • Directional antennas • …
Community networks Example: service reciprocation in community networks • A phenomenon of growing relevance, led by FON, http://en.fon.com/ • FON claims • to have raised a total of more than 30M$, notably from Google, Skype, and BT • that the number of “Foneros” is around 830’000
Mesh Networks Transit Access Point ( TAP )
Mesh Networks: jamming • More on mesh networks: • IEEE Wireless Communications, Special Issue on Wireless Mesh Networking, Vol. 13 No 2, April 2006
Vehicular networks: why? • Combat the awful side-effects of road traffic • In the EU, around 40’000 people die yearly on the roads; more than 1.5 millions are injured • Traffic jams generate a tremendous waste of time and of fuel • Most of these problems can be solved by providing appropriate information to the driver or to the vehicle
Example of attack : Generate “intelligent collisions” SLOW DOWN The way is clear For more information: http://ivc.epfl.ch http://www.sevecom.org • All carmakers are working on vehicular comm. • Vehicular networks will probably be the largest incarnation of mobile ad hoc networks
Sensor networks • Vulnerabilities: • Theft reverse engineered and compromised, replicated • Limited capabilities risk of DoS attack, restriction on cryptographic primitives to be used • Deployment can be random pre-configuration is difficult • Unattended some sensors can be maliciously moved around
RFID • RFID = Radio-Frequency Identification • RFID system elements • RFID tag + RFID reader + back-end database • RFID tag = microchip + RF antenna • microchip stores data (few hundred bits) • Active tags • have their own battery expensive • Passive tags • powered up by the reader’s signal • reflect the RF signal of the reader modulated with stored data RFID reader RFID tag reading signal tagged object back-end database ID ID detailed object information
Trends and challenges in wireless networks • From centralized to distributed to self-organized Security architectures must be redesigned • Increasing programmability of the devices increasing risk of attacks and of greedy behavior • Growing number of tiny, embedded devices Growing vulnerability, new attacks • From single-hopping to multi-hopping Increasing “security distance” between devices and infrastructure, increased temptation for selfish behavior • Miniaturization of devices Limited capabilities • Pervasiveness Growing privacy concerns … Yet, mobility and wireless can facilitate certain security mechanisms
Grand Challenge Prevent ubiquitous computing from becoming a pervasive nightmare
Reasons to trust organizations and individuals } Will lose relevance Scalability challenge Can be misleading • Moral values • Culture + education, fear of bad reputation • Experience about a given party • Based on previous interactions • Rule enforcement organization • Police or spectrum regulator • Usual behavior • Based on statistical observation • Rule enforcement mechanisms • Prevent malicious behavior (by appropriate security mechanisms) and encourage cooperative behavior
Upcoming networks vs. mechanisms Cooperation Security Rule enforcement mechanisms Securing neighbor discovery Upcoming wireless networks Naming and addressing Enforcing PKT FWing Security associations Discouraginggreedy op. Enforcing fair MAC Behaviorenforc. Secure routing Privacy Small operators, community networks Cellular operators in shared spectrum Mesh networks Hybrid ad hoc networks Self-organized ad hoc networks Vehicular networks Sensor networks RFID networks
6.2 Thwarting malice: security mechanisms 2. Thwarting malice: security mechanisms 2.1 Naming and addressing 2.2 Establishment of security associations 2.3 Secure neighbor discovery 2.4 Secure routing in multi-hop wireless networks 2.5 Privacy protection 2.6 Secure positioning
2.1 Naming and addressing • Typical attacks: • Sybil: the same node has multiple identities • Replication: the attacker captures a node and replicates it several nodes share the same identity • Distributed protection technique in IPv6: Cryptographically Generated Addresses (T. Aura, 2003; RFC 3972) only a partial solution to the problem For higher security (hash function outputbeyond 64 bits), hashextension can be used Public key Hash function Interface ID Subnet prefix 64 bits 64 bits IPv6 address Parno, Perrig, and Gligor. Detection of node replication attacks in sensor networks. IEEE Symposium on Security and Privacy, 2005
2.2 Pairwise key establishment in sensor networks 2. Deployment Probability for any 2 nodes to have a common key: Do we have a common key? 1. Initialization m (<<k) keys in each sensor (“key ring of the node”) Keyreservoir(k keys)
Probability for two sensors to have a common key • Eschenauer and Gligor, ACM CCS 2002 • See also: • Karlof, Sastry, Wagner: TinySec, Sensys 2004 • Westhoff et al.: On Digital Signatures in Sensor Networks, ETT 2005
2.3 Securing Neighbor Discovery:Thwarting Wormholes • Routing protocols will choose routes that contain wormhole links • typically those routes appear to be shorter • Many of the routes (e.g., discovered by flooding based routing protocols such as DSR and Ariadne) will go through the wormhole • The adversary can then monitor traffic or drop packets (DoS)
Wormholes are not specific to ad hoc networks access control system: gate equipped with contactless smart card reader contactless smart card wormhole contactless smart card emulator fast connection smart card reader emulator Hu, Perrig, and Johnson Packet leashes: a defense against wormhole attacks in wireless networks INFOCOM 2003 user may be far away from the building
2.4 Secure routing in wireless ad hoc networks D B G A E H C F Exchange of messages in Dynamic Source Routing (DSR): A *: [req,A,H; -] B, C, D, E B *: [req,A,H; B] A C *: [req,A,H; C] A D *: [req,A,H; D] A, E, G E *: [req,A,H; E] A, D, G, F F *: [req,A,H; E,F] E, G, H G *: [req,A,H; D,G] D, E, F, H H A: [H,F,E,A; rep; E,F] • Routing disruption attacks • routing loop • black hole / gray hole • partition • detour • wormhole • Resource consumption attacks • injecting extra data packets in the network • injecting extra control packets in the network
Operation of Ariadne illustrated D B G A E H C F A *: [req, A, H, MACKAH, (), ()] E *: [req, A, H, h(E|MACKAH), (E), (MACKE,i)] F *: [req, A, H, h(F|h(E|MACKAH)), (E, F), (MACKE,i, MACKF,i)] H F: [rep, H, A, (E, F), (MACKE,i, MACKF,i), MACKHA, ()] F E: [rep, H, A, (E, F), (MACKE,i, MACKF,i), MACKHA, (KF,i)] E A: [rep, H, A, (E, F), (MACKE,i, MACKF,i), MACKHA, (KF,i, KE,i)]
Secure route discovery with the Secure Routing Protocol (SRP) QSEQ: Query Sequence Number QID : Query Identifier
More on secure routing Hu, Perrig, and Johnson: Ariadne, Sept. 2002, SEAD, Jun. 2002 Sangrizi, Dahill, Levine, Shields, and Royer: ARAN, Nov. 2002 Papadimitratos and Haas: Secure Routing Protocol (SRP), Jan. 2002 Secure Route Discovery Zapata and Asokan: S-AODV, Sept. 2002 All above proposals are difficult to assess G. Ács, L. Buttyán, and I. Vajda: Provably Secure On-demand Source Routing IEEE Transactions on Mobile Computing, Nov. 2006 Papadimitratos and Haas: Secure Single Path (SSP) and Secure Multi-path (SMT) protocols, Jul./Sept. 2003, Feb. 2006 Secure Data Communication Cross-layerattacks Aad, Hubaux, Knightly: Jellyfish attacks, 2004
2.5 Privacy: the case of RFID • RFID = Radio-Frequency Identification • RFID system elements • RFID tag + RFID reader + back-end database • RFID tag = microchip + RF antenna • microchip stores data (few hundred bits) • Active tags • have their own battery expensive • Passive tags • powered up by the reader’s signal • reflect the RF signal of the reader modulated with stored data RFID reader RFID tag reading signal tagged object back-end database ID ID detailed object information
RFID privacy problems • RFID tags respond to reader’s query automatically, without authenticating the reader clandestine scanning of tags is a plausible threat • Two particular problems: 1. Inventorying: a reader can silently determine what objects a person is carrying • books • medicaments • banknotes • underwear • … • Tracking: set of readers can determine where a given person is located • tags emit fixed unique identifiers • even if tag response is not unique it is possible to track a set of particular tags suitcase: Samsonite watch: Casio jeans: Lee Cooper book:Wireless Security shoes: Nike Juels A., RFID Security and Privacy: A Research Survey, IEEE JSAC, Feb. 2006
Who is malicious? Who is selfish? Harm everyone: viruses,… Big brother Selective harm: DoS,… Spammer Cyber-gangster: phishing attacks, trojan horses,… Greedy operator Selfish mobile station There is no watertight boundary between malice and selfishness Both security and game theory approaches can be useful
Conclusion • Upcoming wireless networks bring formidable challenges in terms of security • The proper treatment requires a thorough understanding of upcoming wireless networks, of security
■In this lecture, we shall discuss three standards for securing wireless networks. - WEP (Wired Equivalent Privacy) - WPA (Wireless Protected Access) - WPA2 ■ Actually, they are a family, called IEEE 802.11. ■The corresponding commercial specifications are certified by Wi-Fi Alliance.
WEP (Wired Equivalent Privacy) ■Specified by IEEE Standard 802.11a, 1997. ■ Aimed to make wireless as secure as wired networks. ■ Security flaws were identified before the ink was dry. ■ Most serious attacks can recover the the WEP key by analysing a few million encrypted packets. ■ In 2005, a group from FBI showed a demo to break a WEP protected wireless network within 3 minutes by using publicly available tools. ■ Open Source utilities: aircrack-ng, weplab, WEPCrack, …
How WEP works? ■WEP uses RC4 to encrypt each packet M. ■ A WEP key K is shared among AP and all clients. ■ More specifically, the ciphertext C is generated by C=(M||ICV)RC4(IV||K). ICV: (non-cryptographic) checksum. IV: a per-packet initialization value (3 bytes=24 bits). K: from 5 to 16 bytes. ■ Finally, IV||C is transferred to the receiver.
Illustration of WEP: data 802.11 Hdr || ICV CRC-32 WEP Key Per-Frame Key RC4 Encryption K || 802.11 Hdr IV Data ICV
Weaknesses in WEP: ■ Key management and key size The same shared secret key is used for both authentication and encryption ■ Authentication Only one-way authentication. That is, AP is not authenticated to the client. ■ Integrity It is possible to modify some bits in a message so that the resulting message still passes the ICV test.
■Confidentiality - WEP RC4 can be compromised easily by passively analysing several millions of packets. - IV is short, reused, and not encrypted. - RC4 has some weaknesses. - Technical details can be found in the following paper. A. Stubblefield, J. Ioannidis, and A. D. Rubin. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. 2001. http://citeseer.ist.psu.edu/stubblefield01using.html
WPA (Wireless Protected Access) or WEP2: ■An interim solution to replace WEP. ■ Aimed to work well with hardware designed for WEP. ■ Still use RC4 for encryption. ■ Several new elements were introduced: - TKIP (Temporal Key Integrity Protocol). - MIC (message integrity code) for preventing forgery. - IV=48 bits for preventing replay attack. - A mixing function for generating per-frame key.
Illustration of WPA (or WEP2): data 802.11 Hdr TKIP MIC Function || MIC WEP Key Per-Frame Key RC4 Encryption Mixing Function K K’ Integrity Key 802.11 Hdr IV Data MIC
WPA2: ■A long term solution specified by IEEE 802.11i in 2004. ■ Aimed to work with new hardware. ■ Use AES (in a new mode called CCM) for encryption. ■ Several new elements were introduced: - The base key K=128 bits. - MIC is 64 bits for preventing forgery. - IV=48 bits for preventing replay attack. - Packet sequence number is used to generate IV.
Format of WAP2: IV Key ID Encrypted by AES 802.11 Hdr 802.11i Hdr Data MIC FCS Authenticated by MIC - FCS: Frame Check Sequence - Check here for some nice diagrams for Wi-Fi Encryption: http://xirrus.gcsmarket.com/pdfs/Xirrus_WiFiEncryption.pdf