430 likes | 649 Vues
Wireless Networking Security. Wireless Technologies Comparison Chart. Cellular Network Security. Brief overview of how GSM and 3GPP/UMTS address these issues Potential additional security concerns in the "wireless Internet" Ways to address these concerns, and their implications.
E N D
Cellular Network Security • Brief overview of how GSM and 3GPP/UMTS address these issues • Potential additional security concerns in the "wireless Internet" • Ways to address these concerns, and their implications
GSM/GPRS security • Authentication • one-way authentication based on long-term shared key between user's SIM card and the home network • Charging • network operator is trusted to charge correctly; based on user authentication • Privacy • data • link-level encryption over the air; no protection in the core network • identity/location/movements, unlinkability • use of temporary identifiers (TMSI) reduce the ability of an eavedropper to track movements within a PLMN (Public land mobile network) • but network can ask the mobile to send its real identity (IMSI – International mobile subscriber identity): on synchronization failure, on database failure, or on entering a new PLMN • network can also page for mobiles using IMSI
3GPP/UMTS enhancements • Authentication • support for mutual authentication • Charging • same as in GSM • Privacy • data • some support for securing core network signaling data • increased key sizes • identity/location/movements, unlinkability • enhanced user identity confidentiality using "group keys" • a group key is shared by a group of users • Other improvements • integrity of signaling, cryptographic algorithms made public
Enhanced user identity confidentiality • IMSI is not sent in clear. Instead, it is encrypted by a static group key KG and the group identity IMSGI is sent in clear. Serving Node Home Environment USIM IMSI request IMSGI | E(KG, random bits| IMSI | redundancy bits) IMSI
What is different in the wireless Internet? • Potentially low cost of entry for ISPs supporting mobile access • Consequently, old trust assumptions as in cellular networks may not hold here • between user and home ISP • between user and visited ISP • between ISPs • Implications: potential need for • incontestable charging • increased level of privacy • Relevant even in cellular networks?
Incontestable charging • Required security service: unforgeability • Cannot be provided if symmetric key cryptography is used exclusively • hybrid methods may be used (e.g., based on hash chains) • Authorization protocol must support some notion of a "charging certificate" • used for local verification of subsequent authorization messages Visited domain Home domain Charging certificate User
Enhanced privacy • Stronger levels or privacy • temporary id = home-domain, E(K, random bits| real-id ) • using public key encryption • K is the public encryption key of the home-domain • using opaque tokens • K is a symmetric encryption key known only to the home-domain • no danger of loss of synchronization • Identity privacy without unlinkability is often not useful • static identities allow profiles to be built up over time • encryption of identity using a shared key is unsatisfactory: trades off performance vs. level of unlinkability
Enhanced privacy (contd.) • Release information on a need-to-know basis: e.g., does the visited domain need to know the real identity? • typically, the visited domain cares about being paid • require authentication only where necessary (e.g., home agent forwarding service in Mobile IP)
Summary • Trust assumptions are different in the Internet • Enhanced levels of security services may be necessary • Public-key cryptography can provide effective solutions • Try not to preclude future provision of improved security services
Bluetooth • Consortium: Ericsson, Intel, IBM, Nokia, Toshiba… • Scenarios: • connection of peripheral devices • loudspeaker, joystick, headset • support of ad-hoc networking • small devices, low-cost • bridging of networks • e.g., GSM via mobile phone - Bluetooth - laptop • Simple, cheap, replacement of IrDA, low range, lower data rates, low-power • Worldwide operation: 2.4 GHz • Resistance to jamming and selective frequency fading: • FHSS over 79 channels (of 1MHz each), 1600hops/s • Coexistence of multiple piconets: like CDMA • Links: synchronous connections and asynchronous connectionless • Interoperability: protocol stack supporting TCP/IP, OBEX, SDP • Range: 10 meters, can be extended to 100 meters • Documentation: over 1000 pages specification: www.bluetooth.com
Bluetooth Application Areas • Data and voice access points • Real-time voice and data transmissions • Cable replacement • Eliminates need for numerous cable attachments for connection • Low cost < $5 • Ad hoc networking • Device with Bluetooth radio can establish connection with another when in range
Protocol Architecture • Bluetooth is a layered protocol architecture • Core protocols • Cable replacement and telephony control protocols • Adopted protocols • Core protocols • Radio • Baseband • Link manager protocol (LMP) • Logical link control and adaptation protocol (L2CAP) • Service discovery protocol (SDP)
Protocol Architecture • Cable replacement protocol • RFCOMM • Telephony control protocol • Telephony control specification – binary (TCS BIN: Telephony Control Specification-Binary) • Adopted protocols • PPP • TCP/UDP/IP • OBEX • WAE/WAP
Application TCP/UDP OBEX AT Commands PPP RFCOMM TCS SDP L2CAP HCI Audio Link Manager (LMP) Baseband Bluetooth Radio Protocol Architecture • BT Radio (2.4 GHZ Freq. Band): • Modulation: Gaussian Frequency Shift Keying • Baseband: FH-SS (79 carriers), CDMA (hopping sequence from the node MAC address) • Audio: interfaces directly with the baseband. Each voice connection is over a 64Kbps SCO link. The voice coding scheme is the Continuous Variable Slope Delta (CVSD) • Link Manager Protocol (LMP): link setup and control, authentication and encryption • Host Controller Interface: provides a uniform method of access to the baseband, control registers, etc through USB, PCI, or UART • Logical Link Control and Adaptation Layer (L2CAP): higher protocols multiplexing, packet segmentation/reassembly, QoS • Service Discover Protocol (SDP): protocol of locating services provided by a Bluetooth device • Telephony Control Specification (TCS): defines the call control signaling for the establishment of speech and data calls between Bluetooth devices • RFCOMM: provides emulation of serial links (RS232). Upto 60 connections OBEX: OBject EXchange (e.g., vCard)
Usage Models • File transfer • Internet bridge • LAN access • Synchronization • Three-in-one phone • Headset
Piconets and Scatternets • Piconet • Basic unit of Bluetooth networking • Master and one to seven slave devices • Master determines channel and phase • Scatternet • Device in one piconet may exist as master or slave in another piconet • Allows many devices to share same area • Makes efficient use of bandwidth
Network Topology Piconet 1 Piconet 2 • Piconet = set of Bluetooth nodes synchronized to a master node • The piconet hopping sequence is derived from the master MAC address (BD_ADDR IEEE802 48 bits compatible address) • Scatternet = set of piconet • Master-Slaves can switch roles • A node can only be master of one piconet. Why? Slave Master Master Scatternet
Scatternets • Each piconet has one master and up to 7 slaves • Master determines hopping sequence, slaves have to synchronize • Participation in a piconet = synchronization to hopping sequence • Communication between piconets = devices jumping back and forth between the piconets piconets
Radio Specification • Classes of transmitters • Class 1: Outputs 100 mW for maximum range • Power control mandatory • Provides greatest distance • Class 2: Outputs 2.4 mW at maximum • Power control optional • Class 3: Nominal output is 1 mW • Lowest power • Frequency Hopping in Bluetooth • Provides resistance to interference and multipath effects • Provides a form of multiple access among co-located devices in different piconets
Frequency Hopping • Total bandwidth divided into 1MHz physical channels • FH occurs by jumping from one channel to another in pseudorandom sequence • Hopping sequence shared with all devices on piconet • Piconet access: • Bluetooth devices use time division duplex (TDD) • Access technique is TDMA • FH-TDD-TDMA
Physical Links • Synchronous connection oriented (SCO) • Allocates fixed bandwidth between point-to-point connection of master and slave • Master maintains link using reserved slots • Master can support three simultaneous links • Asynchronous connectionless (ACL) • Point-to-multipoint link between master and all slaves • Only single ACL link can exist
Bluetooth Packet Fields • Access code – used for timing synchronization, offset compensation, paging, and inquiry • Header – used to identify packet type and carry protocol control information • Payload – contains user voice or data and payload header, if present
f(k+7) f(k) f(k+1) f(k+2) f(k+3) f(k+4) f(k+4) f(k+4) Master Slave 1 Slave 2 Bluetooth Piconet MAC • Each node has a Bluetooth Device Address (BD_ADDR). The master BD_ADDR determines the sequence of frequency hops • Compared to 802.11 MAC
BlueTooth Security Constraints • Limited battery power • Computational power • Small amount of memory • Small range • Ad-hoc network • Not always I/O-interface
Color Convention • XXX = public value • XXX = secret value • XXX = sent in clear • XXX = sent encrypted
Protocols in Bluetooth • Generation of unit key • Generation of initialization key • Generation of link key • Mutual authentication • Generation of encryption key • Generation of key stream • Encryption of data
E21 1. Generation unit key ADDRA RANDA KA
2. Generation initialization key IN_RAND IN_RAND IN_RAND PIN PIN E22 E22 L L Kinit Kinit
3. Generation link key (1) Kinit Kinit K KA=Klink KA=Klink
3. Generation link key (2) LK_RANDA LK_RANDB ADDRA ADDRB LK_RANDA LK_RANDB E21 E21 LKA LKB KAB =Klink KAB =Klink LKB LKA LK_RANDB LK_RANDB E21 E21 ADDRB ADDRA
4. Mutual authentication ADDRB AU_RAND ADDRB ADDRB E1 E1 Klink Klink AU_RAND AU_RAND SRES ACO SRES ACO SRES
5. Generation encryption key EN_RAND EN_RAND EN_RAND E3 E3 Klink Klink ACO ACO KC KC
6. Generation key stream ADDRA ADDRA E0 E0 clockMASTER clockMASTER KC KC KCIPHER KCIPHER
7. Encryption of data KCIPHER KCIPHER DATA DATA KCIPHER KCIPHER DATA DATA