Wireless Security
2005. 04. 19
Graduate School of Education, Special Topics in Distributed Systems
Incheon University, Byung-Jun Min
032-770-8497, 011-9913-8497, bjmin@incheon.ac.kr

Contents
• Introduction to Wireless
• Wireless World
• Wireless Threats
• Wireless Security Protocols and Cryptography
• Security Considerations for Wireless Devices
• Wireless Technologies and Applications
• Cellular Networks
• Wireless Data Networks
• Wireless Standards and Technologies
• Wireless Deployment Strategies
• Implementing Wireless LANs : Security Considerations
• Enabling Secure Wireless Access to Data
• Real Examples from the Wireless World
• The Wireless Future
• Accessing Wireless LANs

Cellular Networks (1/4)
• 3 Methods for Spectrum Allocation : provides access to a given frequency for multiple users
  • Frequency Division Multiple Access (FDMA)
  • Time Division Multiple Access (TDMA)
  • Code Division Multiple Access (CDMA)
• FDMA
  • used on the initial analog Advanced Mobile Phone System (AMPS)
  • available spectrum divided into channels; each channel used for a single conversation
  • FDMA assigns channels even if no conversations are taking place - less efficient
  • only for voice transmission
• 2G wireless technologies
  • GSM : 80%, CDMA : 11%, PDC : 5%, traditional TDMA : 2%, iDEN : 1%
• TDMA
  • digitizes the voice signal and turns the signal into a series of short packets
  • uses a single-frequency channel for a very short time and migrates to another channel
  • voice packets can occupy different time slots in different frequency ranges at the same time
  • digital signal, better frequency allocation, support for multiple data types
  • Global System for Mobile Communications (GSM) basis

Cellular Networks (2/4)
• CDMA
  • frequency hopping spread spectrum in 1940s - utilizing a wider frequency range
  • increases signal quality and connections
  • more secure, decreases the risk of the signal being detected by unauthorized parties
  • rather than dividing spectrum by time or frequency, adds a unique code onto each packet before transmission
  • the same code is used at the receiving end to enable the conversation to be reconstructed
  • stronger security, better frequency allocation (8-10 times better than FDMA, 5 times better than TDMA), improved call quality, simplified system planning (by using the same frequency in every sector of every cell)
• TDMA versus CDMA
  • TDMA advantages
    • longer battery life (less transmitter power), less expensive infrastructure, widest deployment (GSM), international roaming (GSM), data security (GSM's Subscriber Identity Module card)
  • TDMA disadvantages
    • hard roaming handoffs, distortion (lower signal-to-noise ratio)
  • CDMA advantages
    • bandwidth efficiency, soft roaming handoffs (polls various cells and switches to the cell that offers the best signal and coverage), less distortion, strong voice security
  • CDMA disadvantages
    • more expensive, no international roaming, no SIM card
• PDC (Personal Digital Cellular)
  • based on TDMA in 800MHz and 1500MHz
  • bandwidth efficiency, packet data, only in Japan
• iDEN (integrated Dispatch Enhanced Network) by Nextel
  • wireless market called specialized mobile radio (SMR), walkie-talkie with a cellular phone
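
The CDMA bullets above say each transmission is tagged with a unique code and rebuilt at the receiver with the same code. The sketch below is an added example, not part of the original slides: it assumes Walsh codes as the orthogonal code family (the slides do not name one) and uses constructed sample bits.

```python
def walsh_codes(n):
    """Return n mutually orthogonal +/-1 codes of length n (n a power of two)."""
    codes = [[1]]
    while len(codes) < n:
        codes = [c + c for c in codes] + [c + [-x for x in c] for c in codes]
    return codes

def spread(bits, code):
    """Map each bit to a +/-1 symbol and multiply it by every chip of the code."""
    return [(1 if b else -1) * chip for b in bits for chip in code]

def channel(*signals):
    """All users share one frequency at the same time: their signals add."""
    return [sum(chips) for chips in zip(*signals)]

def despread(received, code):
    """Correlate each code-length block with the code; the sign is the bit.
    A correlation of 0 means nothing was sent under this code."""
    n = len(code)
    bits = []
    for i in range(0, len(received), n):
        corr = sum(r * c for r, c in zip(received[i:i + n], code))
        bits.append(None if corr == 0 else corr > 0)
    return bits

def demo():
    codes = walsh_codes(4)
    user_a, user_b = [1, 0, 1, 1], [0, 0, 1, 0]   # constructed sample bits
    air = channel(spread(user_a, codes[1]), spread(user_b, codes[2]))
    # Each receiver recovers only the stream spread with its own code;
    # an unused code correlates to zero against the combined signal.
    return despread(air, codes[1]), despread(air, codes[2]), despread(air, codes[3])

if __name__ == "__main__":
    print(demo())
```
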

Cellular Networks (3/4)
• Security Threats
  • Network Operator's Security Goals
    • Authentication, Privacy, Data and voice integrity, Performance
  • Security Risks and Threats
    • Network and systems availability (DoS), Physical protection, Fraud (cloned or pirated handsets)
  • Types of Cellular Fraud
    • theft of handsets, sign up for services using false ID, handset cloning
  • Combating Fraud
    • encryption (Electronic Serial Number), blacklist (track the ESNs of stolen phones), traffic analysis, legislation
  • General Security Principles
    • Encryption - size of key : 56-bit in DES
• GSM
  • handsets with SIM card (smart card with 32K/64K EEPROM)
  • base transceiver station
  • base station controller
  • mobile switching center
  • authentication center
  • home location register / visitor location register
  • operating and maintenance center
• GSM security
  • authentication algorithm for handset (A3)
  • block cipher algorithm to encrypt voice and data (A5/1 or A5/2)
  • key generation algorithm (A8)

Cellular Networks (4/4)
• CDMA
  • a 64-bit symmetric key (called A-Key) for authentication, no SIM card
  • why not public keys - hardware limitation, infrastructure requirements
• Authentication
  • encryption algorithm CAVE (cellular authentication and voice encryption)
  • to minimize the risk of intercepting the A-Key in the air, a dynamic value called shared secret data is used
  • steps
    • commence a call
    • MSC retrieves subscriber info from HLR
    • MSC generates 24-bit random number for unique challenge (RANDU)
    • RANDU is transmitted to the phone
    • phone generates 18-bit AUTHU
    • MSC calculates AUTHU, which should match
• Confidentiality
  • 64-bit Signaling Message Encryption Key (SMEKEY)
• Shortcomings
  • no mutual authentication
  • poor security algorithms (replacing CAVE with SHA-1)
  • no consistent SIM card mechanism on handset for key storage
  • voice encryption not always
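
The unique-challenge steps above, with both sides of the exchange, as an added example that is not part of the original slides. CAVE is replaced by an HMAC-SHA-256 stand-in; the SSD length, the derivation inputs, the ESN value and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for CAVE (assumption): HMAC-SHA-256 over length-prefixed parts."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_ssd(a_key: bytes, seed: bytes, esn: bytes) -> bytes:
    """Derive shared secret data so the long-term A-Key never keys on-air responses."""
    return prf(a_key, b"SSD", seed, esn)[:8]        # 8-byte length is an assumption

def authu(ssd: bytes, randu: int, esn: bytes) -> int:
    """18-bit response to a 24-bit unique challenge (RANDU)."""
    digest = prf(ssd, b"AUTHU", randu.to_bytes(3, "big"), esn)
    return int.from_bytes(digest[:3], "big") & 0x3FFFF

class Handset:
    def __init__(self, esn: bytes, ssd: bytes):
        self.esn, self.ssd = esn, ssd

    def respond(self, randu: int) -> int:
        # Nothing here authenticates the sender of RANDU: this is the
        # "no mutual authentication" shortcoming listed on the slide.
        return authu(self.ssd, randu, self.esn)

class MSC:
    def __init__(self, hlr: dict):
        self.hlr = hlr                               # ESN -> SSD, as fetched from the HLR

    def challenge(self) -> int:
        return secrets.randbits(24)                  # fresh RANDU for every call

    def verify(self, esn: bytes, randu: int, response: int) -> bool:
        ssd = self.hlr.get(esn)
        if ssd is None or not 0 <= response < 1 << 18:
            return False
        expected = authu(ssd, randu, esn)
        return hmac.compare_digest(expected.to_bytes(3, "big"), response.to_bytes(3, "big"))

def demo() -> tuple:
    esn = bytes.fromhex("00c0ffee")                  # constructed ESN
    a_key = secrets.token_bytes(8)                   # 64-bit A-Key
    ssd = derive_ssd(a_key, secrets.token_bytes(7), esn)
    msc, phone = MSC({esn: ssd}), Handset(esn, ssd)
    # A handset that presents the same ESN but was never provisioned with the A-Key.
    clone = Handset(esn, derive_ssd(secrets.token_bytes(8), bytes(7), esn))
    rounds = [msc.challenge() for _ in range(8)]
    genuine = all(msc.verify(esn, r, phone.respond(r)) for r in rounds)
    cloned = all(msc.verify(esn, r, clone.respond(r)) for r in rounds)
    return genuine, cloned
```

A single 18-bit response matches by chance once in 262,144 tries, which is why the demo checks eight independent challenges rather than one.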

Wireless Data Networks (1/3)
• General Demands
  • faster throughput
  • more global roaming capabilities
  • interoperability with Internet
• Wireless Data Networks
  • Cellular Digital Packet Data (CDPD)
  • Mobitex
  • General Packet Radio Service (GPRS)
• Cellular Digital Packet Data (CDPD)
  • standard developed in US in 1990s
  • offering wireless data services using AMPS (Advanced Mobile Phone Service) infrastructure
  • advantages
    • speed (19.2 Kbps), TCP/IP based (compatible with Internet), quick call setup
  • architecture
    • similar to wireless voice networks
    • mobile end system ... mobile database stations - mobile data intermediate system - Internet (firewall)
  • security
    • similar to wireless voice network (CDMA) : unique ID called NEI (Network Entity Identifier)
    • no tamper-resistant hardware such as SIM
    • Diffie-Hellman key exchange
  • vulnerabilities
    • no mutual authentication, local key storage (no SIM to store NEI)

Wireless Data Networks (2/3)
• Mobitex
  • wireless data technology developed by Ericsson in 1980s
  • operates in one of 4 frequency families (80MHz, 400MHz, 800MHz, 900MHz)
  • 8Kbps rate, 512-byte block transmission
  • royalty-free license
  • architecture
    • peer-to-peer ... base station - local switch - regional switch - national switch / Internet
  • application of the network : Blackberry wireless e-mail pager offered by Canadian-based Research in Motion (RIM)
    • RIM device (32-bit Intel 386 processor, 2MB flash mem, 304Kb static RAM) security model focused on MS Outlook & Lotus cc:Mail
  • RIM security architecture
    • desktop - mail server - firewall - Internet - mobile network ... RIM handheld
• Mobitex vs. CDPD (Mobitex will outlast CDPD)
  • network infrastructure (eliminating AMPS hardware), strong industry association (Mobitex Operators Association led by Ericsson), greater coverage

Wireless Data Networks (3/3)
• General Packet Radio Service (GPRS)
  • GSM developed in 1990s
  • packet-based
  • compatibility with the Internet
  • always-on connection
  • efficient networks
  • higher throughput
    • uses many time slots in parallel
    • data split into chunks and sent simultaneously on multiple channels to a handset
  • handsets
    • Class A terminal (supports GPRS and GSM and the simultaneous operation of both, e.g., email + voice)
    • Class B terminal (supports GPRS and GSM but not simultaneously)
    • Class C terminal (only GPRS)
  • architecture
    • base station - base station controller - SGSN - HLR / GGSN - Internet
    • SGSN : data router (Serving GPRS Support Node)
    • GGSN : Gateway GPRS Support Node
    • other network components : charging gateway, border gateway, DNS, lawful interception gateway, firewall and network management stations
  • security issues
    • DoS against GGSN
    • IP address spoofing
    • GGSN - Internet - VPN server - corporate LAN
    • not end-to-end security (SGSN-GGSN), added cost (VPN), trust issue (enterprise - mobile operator)