1 / 52

Security in Wireless LANs

Security in Wireless LANs. Presented by Raquel S. Whittlesey-Harris 6/25/02. Contents. Wireless LANs, An Overview Security Threats Basic Definitions HIPERLAN 802.11 Solutions References. Wireless LANs, An Overview. What is Wireless Local Area Network technology (WLAN)?

nili
Télécharger la présentation

Security in Wireless LANs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security in Wireless LANs Presented by Raquel S. Whittlesey-Harris 6/25/02

  2. Contents • Wireless LANs, An Overview • Security Threats • Basic Definitions • HIPERLAN • 802.11 • Solutions • References

  3. Wireless LANs, An Overview • What is Wireless Local Area Network technology (WLAN)? • A wireless (w/o wired cables) data communication system that uses shared radio waves or infrared light to transmit and receive data • Provides freedom and flexibility to connect to a network or internet w/o being physically connected with a cable or modem

  4. Wireless LANs, An Overview • Communication is via air, walls, ceilings and cement structures (throughout or between buildings) • Can alleviate network deployment costs • Solve some installation problems of older structures (asbestos) • Essentially an unlimited number of points for attacking • We will take a look at two standards • IEEE’s 802.11 • ETSI’s HIPERLAN

  5. Wireless LANs, An Overview • Peer-to-Peer (Adhoc) • Wireless devices have no access point connection and each device communicates with each other directly

  6. Wireless LANs, An Overview • Client/Server (infrastructure networking) • Extends an existing wired LAN to wireless devices by adding an access point (bridge and central controller)

  7. Security • What is a secure environment? • No system is 100% secure • Generally applications, industries apply their own set of security tolerances • E.g., DHHA (Department of Health and Human Services) has created a set of rules called the HIPAA (Health Insurance Portability and Accountability Act) to regulate the use and discloser of protected health information

  8. Security Threats • Denial-of-Service • The system or network becomes unavailable to legitimate users or services are interrupted or delayed (due to interference) • Equipment can be purchased from electronic stores easily and prices are reasonable • Protection is expensive and difficult • Only total solution is to have the wireless network inside of the faraday cage (applicable in rare cases) • Easy however to locate the transceiver used to generate the interference

  9. Security Threats • Interception/Eavesdropping (confidentiality) • Identity of a user is intercepted for use later to masquerade as a legitimate user • Data stream is intercepted and decrypted for the purpose of disclosing private information • Radio band transmissions are readily intercepted • There is no means to detect if a transmission has been eavesdropped • Strong encryption is necessary to keep the contents of intercepted signals from being disclosed

  10. Security Threats • The frequency band and transceiver power has a great effect on the range where the transmission can be heard • 2-5 MHz radio band and 1 W transceiver power • W/o electromagnetic shielding the network transmissions may be eavesdropped from outside of the building for which the network is operating • Manipulation • Data has been compromised • Inserted, deleted or otherwise modified • Can occur during transmission or to stored data • E.g., a virus

  11. Security Threats • Masquerading • The act of an adversary posing as a legitimate user in order to gain access to a wireless network or system served by the network • Strong authentication is required to prevent such attacks • Repudiation • User denies performing an action on the network • Sending a particular message • Accessing the network • Again strong authentication of user’s is required, integrity assurance methods, and digital signatures

  12. Security Threats • Transitive Trust • Intrusion by fooling the LAN to trust the mobile controlled by the intruder • Authentication again important • Infrastructure • These attacks are based on weaknesses in the system • Software, configuration, hardware failure, etc. • Protection almost impossible • Best to just test the system as thoroughly as possible

  13. Summary – Security Threats

  14. Basic Definitions • Confidentiality • Are you the only one who is viewing information specific to you or authorized users? • Integrity • Are you communicating with whom you think? • Is the data you are looking at correct or has it been tampered with? • Availability • Are the required services there when you need them? • Authentication • Are you who you say you are?

  15. HIPERLAN • Developed by the European Telecommunications Standards Institute (ETSI) • Similar to 802.11 • HiperLAN/1 • Provides communications up to 20 Mbps in the 5-GHz range of the radio frequency spectrum • HiperLAN/2 • Provides communications up to 54 Mbps in the same FR band • Compatible with 3G WLAN systems (data, images, voice)

  16. HIPERLAN • Defines the MAC sublayer, Channel Access Control (CAC) sublayer and the physical layer • Currently the defined physical layers use 5.15 – 5.30 GHz frequency band and supports • Up to 2,048 Kbps synchronous traffic • Up to 25 Mbps asynchronous traffic

  17. HIPERLAN • Properties • Provides a service that is compatible with the ISO MAC service definition in ISO/IEC 15 802-1 • Compatible with the ISO MAC bridges specification ISO/IEC 10 038 for interconnection with other LANS • Ad-hoc or arranged topology possible • Supports mobility • May have coverage beyond the radio range limitation of a single node • Supports asynchronous and time-bounded communication by means of a Channel Access Mechanism (CAM) – priorities provide hierarchical independence of performance • Power Management

  18. HIPERLAN • Defines an optional encryption-decryption scheme • All HM-entities (HiperLAN MAC) use a common set of shared keys (HIPERLAN key-set) • Each has a unique key identifier • Plain text is ciphered by XOR operation with random sequence generated by a confidential algorithm • Uses the secret key and an initialization vector sent in every MPDU (MAC Protocol Data Unit) as input

  19. HIPERLAN • HiperLAN does not define any kind of authentication

  20. 802.11 • Defined by IEEE to cover the physical layers and MAC sublayers for WLANs • 3 physical layers • Frequency Hopping Spread Spectrum (FHSS) • Direct Sequence Spread Spectrum (DSSS or DS-CDMA) • Baseband Infrared • DSSS is mostly used since FHSS cannot support high speeds without violating FCC regulations • All physical layers offer2 Mbps data rate • Radio uses 2,400 – 2,483.5 MHz frequency band • MAC layer is common to all physical layers

  21. 802.11 • 802.11 implementation

  22. 802.11 • Properties • Supports Isochronous and Asynchronous • Supports priority • Association/Disassociation to an AP in a BSS or ESS • Re-Association or Mobility Management to transfer of association from one AP to another • Power Management (battery preservation) • Authentication to establish identity of terminals • Acknowledgement to ensure reliable wireless transmission • Timing synchronization to coordinate the terminals • Sequencing with duplication detection and recovery • Fragmentation/Re-assembly

  23. 802.11 • Defines two authentication schemes • Open System Authentication • All mobiles requesting access are accepted • Shared Key Authentication • Uses shared key cryptography to authenticate

  24. 802.11

  25. 802.11 • Optional Wired Equivalent Privacy (WEP) mechanism • Confidentiality and Integrity of traffic • Station-to-Station • No end-to-end security • Integrity Check (ICV) • Implements RC4 PRNG[8] algorithm • 40 bit secret key • 24 bit initialization vector (IV)

  26. 802.11 • RC4 • Input: IV, Random Key, Plaintext • IV and key is input to E  keystream output • Keystream output is XORed with plain text  ciphertext • Keystream output is also fed back to I (to cause a variation as a function of IV and key); must not use same keystream twice • IV sent as an unencrypted part of the ciphertext stream (integrity must be assured)

  27. 802.11 • RC4 • Supports variable length keys • Most commonly used are 40 bits for export controlled systems and 128 bits for domestic applications • 128 bit encryption (104 bits key) • Standard does not specify key management or distribution • Provide a globally shared array of 4 keys • Supports an additional array that associates a unique key with each user station

  28. 802.11 • RC4 • A CRC32 bit stream is appended to the plaintext message to provide integrity • Does not ensure cryptographic integrity

  29. 802.11 • Vulnerabilities and Weaknesses • Authentication • Authentication and an association (binding between the station and access point (AP)) is required before transmission • States • Unauthenticated & unassociated • Authenticated & unassociated • Authenticated and associated • Two authentication methods mentioned earlier • Open System Authentication (OSA) • Shared Key Authentication

  30. 802.11 • OSA • Default authentication method • Two management frames exchanged • Station  station MAC address, identifier (authentication request)  AP • AP  status field (authentication success or failure) • Authenticated and unassociated • Two frames to establish association • Most vendors implement a wireless access control mechanism based on examining the station MAC address and blocking unwanted stations from associating • Requires that a list of authorized MAC addresses be loaded on each AP

  31. 802.11 • OSA Weaknesses • Loading and identifying MAC addresses is manually intensive • Snoopers can get valid MAC addresses and modify a station to use the valid address • Potential to create problems with 2 addresses using the network at the same time

  32. 802.11 • Shared Key Authentication • Uses the optional WEP algorithm along with a challenge response system to mutually authenticate a station and an AP • APs  beacon (announce presence) • Station  beacon (AP address) • Station  management frame (seq #1)  AP • AP  authentication challenge (seq #2)  Station • Psuedo-random number + shared key + random IV • Unencrypted

  33. 802.11 • SKA • Station  challenge • Copies into a new frame which is encrypted (WEP) • Shared key, new IV •  AP • AP  frame • Decrypts, • Checks CRC32 • Checks challenge • Repeat to authenticate the AP

  34. 802.11

  35. 802.11 • Shared Key Authentication Weaknesses • Snoopers monitor the second (unencrypted challenge) and third (encrypted challenge) exchanges • Plaintext of the original frame including the random challenge • Encrypted frame containing the challenge • IV used to encrypt the challenge • XOR of plaintext, ciphertext  keystream to encrypt the challenge response frame

  36. 802.11 • Snooper does not have shared secret key but with keystream can enter the network • Requests authorization to the network • AP sends new challenge (new IV) • Compute a valid CRC-32 checksum • Encrypts the challenge with the keystream acquired earlier • Appends IV used and sends the frame • Further penetration cannot be achieved without the proper secret key

  37. 802.11 • RC4 Encryption • WEP does not implement a secure version of RC4 and violates several other cryptographic design and implementation principles • Suggestions have been made to not only increase the key sizes and strengthen key management, • Replace encryption algorithm • Addition of a session key derivation algorithm • Lengthening the IV to 128 bits • Adding a sequence number in dynamic keyed implementations • Addition of 128 bit cryptographic integrity check • Additional encryption of other payload elements

  38. 802.11 • Interception • 802.11 specifies three physical layers, • Infrared (IR) • Frequency Hopping Spread Spectrum (FHSS) • Direct Sequence Spread Spectrum (DSSS) • Broadcasts 900 MHz, 2.4 GHz, 5 GHz • Commercial wireless devices is readily capable of receiving all signals • It is also fairly simple to modify the device drivers or flash memory to monitor all traffic

  39. 802.11 • Keystream Reuse • Standard recommends but does not require changing the IV for every frame transmitted • No guidance is provided for selecting or initializing the IV • Two packets using the same IV and key allows a snooper to discover plaintext • The XOR of two ciphertexts  the XOR of two plaintexts • Knowing one plaintext is all it takes • Berkeley indicates that some PCMCIA cards reset the IV to zero when initialized and then increment the IV by one for each packet transmitted

  40. 802.11 • Standard specifies the size of the IV field to be 3 octets (24 bits) • IV will rollover mode 24 • Reused after 224 packets • Since MAC frames range in size from 34 bytes to 2346 bytes • Min rollover occurs at 224 x 34 bytes (570 MB) • Max rollover occurs at 224 x 2346 bytes (40 GB) • Berkeley indicates a busy AP will rollover in about a half of a day operating at half capacity • Reading the IV is trivial since it is transmitted unencrypted

  41. 802.11 • Integrity Assurance • The ICV (Integrity Check Value) • Plaintext is concatenated with the ICV to form the plaintext to be encrypted • CRC32 – linear function • Possible to change 1 or more bits in the original plaintext and predict which bits in the CRC32 checksum to modify • Checksum is performed over the entire MAC packet • Includes higher level protocol routing address and port fields (can redirect message when changing IP address) • 32 bits (4 octets) in MAC frame

  42. Solutions • IEEE is working on upgrade of security standard • Vendors can implement key management (external to the standard) • Limits choices (interoperability) • VPN (Virtual Private Network) • Provides a secure and dedicated channel over an un-trusted network • Provides authentication and full encryption

  43. Solutions • A solution • Requirement – seamless integration into existing wired networks • link layer security is selected over end-to-end (machine-to-machine) • Requirement – two-way authentication • Requirement – flexibility to utilize the future advances in cryptography

  44. Solutions • Authentication – public key cryptography • Certificates contain • {serial number, validity period, machine name, machine public key, CA name} • Mobile  {Cert_Mobile, CH1, Kist of SKCSs}  Base • CH1 is a random generated number • SKCSs is transmitted to negotiate algorithm used • Algorithm and key size are transmitted in list • Base  verify signature on Cert_Mobile • Proves the public key in the certificate belongs to a certified mobile host • Not sure if the certificate belongs to the mobile • If certificate is invalid • Reject connection

  45. Solutions • Base  {Cert_Base, E(Pub_Mobile, RN1), Chosen SKCS, Sig(Priv_Base, {E(Pub_Mobile, RN1), Chosen SKCS, SH1, List of SKCSs}}  Mobile • Save RN1 for later use • Chosen SKCS is most secure from those supported by both • Mobile  validates Cert_Base, verify signature of message (using public key of Base) • If CH1 and List of SKCS match those sent by mobile to base • Authenticate base • Mobile  {E(Pub_Base, RN2), Sig{Priv_Mobile,{E(Pub_Base, RN2), E(Pub_Mobile, RN1)}}}  Base • RN2 is randomly generated by mobile • RN1 XOR RN2 is used as a session key for all communications remaining

  46. Solutions • Base  verifies the signature of the message using Pub_Mobile • Authenticate mobile if valid • Decrypt E(Pub_Base, RN2) with private key • Form session key RN1 XOR RN2 • Session key formed in two parts sent in different messages for better protection • Compromising the private key does not compromise the traffic • Need to know both RN1 and RN2 • These transactions are to occur at the MAC layer prior to network access

  47. Solutions

  48. Solutions • Confidentiality can be achieved using an existing symmetric cryptography algorithm • IDEA – International Data Encryption Algorithm • Uses Block Cipher with a 128-bit key • DES – Data Encryption Standard • Private key encryption (72 quadrillion possible keys) • Restricted for exportation by US Government • Shared key is agreed using mechanism above • Integrity can be achieved using a fingerprint generated by a one-way hash function • MD5 • SHA

  49. Solutions • Key Change Protocol • Initialized by base or mobile • E.g., • Base  Signed(Priv_Base,{E(Pub_Mobile, New_RN1), E(Pub_Mobile,RN1) })  Mobile • Mobile  Signed(Priv_Mobile,{E(Pub_Base, New_RN2), E(Pub_Base, RN2) })  Base • New RN1 XOR RN2 value is used

  50. Solutions • Key Management • One possible solution is to use the smart card technology • CA creates the private and public keys inside the smart card • Private key never readable from card • CA signs the public key with his private key and stores the public key to the smart card • Smart card is given to the end user to use in any wireless LAN mobile

More Related