500 likes | 510 Views
A comprehensive overview of the security concerns in wireless networks, covering topics such as eavesdropping, injection of bogus messages, and denial of service attacks. This article examines the differences between infrastructure and ad hoc networks and discusses the layers and functions of the IEEE 802.11 standard.
E N D
FELK 19: Security of Wireless Networks* MarioČagalj University of Split 2013/2014.
WiFi (In)Security – 1st part Assembled from different sources: Čapkun, Hubaux, Buttyan,... Produced by Mario Čagalj
Introduction • Classical wired networks • WLAN UTP cable Radio link
radio signal Wireless vs. classical nets • Novel security model closedenvironment closedenviroment attacker
Why security is more of a concern in wireless? • no inherent physical protection • physical connections between devices are replaced by logical associations • sending and receiving messages do not need physical access to the network infrastructure (cables, hubs, routers, etc.) • broadcast communications • wireless usually means radio, which (generally) has a broadcast nature • transmissions can be overheard by anyone in range • anyone can generate transmissions, • which will be received by other devices in range • which will interfere with other nearby transmissions and may prevent their correct reception (jamming) • eavesdropping is easy • injecting bogus messages into the network is easy • replaying previously recorded messages is easy • illegitimate access to the network and its services is easy • denial of service is easily achieved by jamming
Infrastructure vs. ad hoc networks infrastructure network AP: Access Point AP wired network AP AP ad hoc network
IEEE 802.11 - Architecture of an infrastructure network Portal Distribution System • Station (STA) • terminal with access mechanisms to the wireless medium and radio contact to the access point • Basic Service Set (BSS) • group of stations using the same radio frequency • Access Point • station integrated into the wireless LAN and the distribution system • Portal • bridge to other (wired) networks • Distribution System • interconnection network to form one logical network (ESS: Extended Service Set) based on several BSS • one ESS has one SSID (Service Set Identifier) 802.11 LAN 802.x LAN STA1 BSS1 Access Point Access Point ESS BSS2 STA2 STA3 802.11 LAN
IEEE 802.11 standard • Defined for WirelessLANs (WLANs) • IEEE 802.11 layers • physical layer • data link layer (Media Access Control - MAC, security) terminal mobile station Ethernet access point
PLCP (Physical Layer Convergence Protocol) clear channel assessment signal (carrier sense) PMD (Physical Medium Dependent) modulation, coding PHY Management channel selection, MIB Station Management coordination of all management functions MAC access mechanisms, fragmentation, encryption MAC Management synchronization, roaming, MIB (management information base), power management 802.11 - Layers and functions Station Management IP MAC MAC Management PLCP PHY Management PHY PMD
IEEE 802.11b/g: physical layer • 2.4 GHz (2.4–2.4835 GHz) 14 channels • Central frequencies shifted by 5 MHz • 13 in EU, 11 in USA • Based on spred spectrum (SS) modulation • Frequency Hopping (FHSS) • Direct Sequence (DSSS) • Maximal data rates depends on coding and modulation schemes selected (1, 2, 5.5, 11, + up to 54Mbps) • 802.11b at 11Mbps • Complementary Code Keying (CCK) • Differential Quadrature Phase Shift Keying (DQPSK) • 802.11g na 54Mbps • Orthogonal Frequency Division Multiplexing (OFDM) • Borrowed from 802.11a
Channel allocation (2-2.4835 GHz) 1 2 3 4 5 6 7 8 9 10 11 12 13
IEEE 802.11a - more robust • Uses robust Orthogonal Frequency Division Multiplexing (OFDM) • Uses 5GHz ISM band (as opposed to 2.4GHz) • Two non-continuous areas5.15GHz - 5.35GHz and 5.725GHz - 5.825GHz • A total of 12 (overlapping) channels spaced 20MHz (cover 300MHz)
Access point – station communication ch 2 • AP and station use one channel (e.g. ch 2) • Only one station communicates with AP at a given time (regulated by 802.11 MAC protocol) • Received signal is filtered (e.g., fc ± 22MHz for 802.11b/g) to reduce neighboring channels interference • Nevertheless, substantial interference remains • from neighboring channels (channels are only 5 MHz appart) • background noise and interference (e.g., microwave oven, ) • Spread spectrum techniques (DSSS) help to some extent in reducing the effect of interference (narrowband)
Direct Sequence Spread Spectrum (DSSS) DSSS Signal(RF link) Spreading Modulator Spreading Demodulator Spreading Code Spreading Code 14
Jamming IEEE 802.11b/g • Spreading techniques in 802.11 • spreading codes are publicly known • e.g. Barker sequence for 802.11b at 1Mbps and 2Mbps = “1 0 1 1 0 1 1 1 0 0 0” • spreading codes are the same for all channels • Spreading codes in 802.11 are not used for confidentiality • Jamming: • jammer knows the codes and therefore can jam any channel by transmitting symbols using the same codes ... • even if the attacker uses adjacent channels the throughput will be affected (there are only 3 non-overlapping channels) • there is no solution for this DoS attack on 802.11
zatvorena prostorija Sigurnosni problemi na fizičkoj razini • Denial-of-Service (DoS) napadi ometanjem radio singala (radio jamming) • Kod za raspršivanje signala je javan (dostupan napadaču) • Napadač ometa radio kanal tako da transmitira legitimne signale koristeći isti kod za raspršivanje • Da bi pojačao efekt ometanja, napadač koristi usmjeravajuće antene (ili mikrovalnu peć :-) napadač • IEEE 802.11 ne pružazaštituprotivaktivnogometanjasignala (radio jamming) • DoSputem radio ometanjačesto se zanemaruje (pogrešno)
IEEE 802.11b: Media Access Control (MAC) • MAC omogućava da više korisnika mogu transmitirati na istom kanalu (npr. spojiti se na istu pristupnu točku) • Osigurava “fair” raspodjelu raspoloživog kapaciteta kanala • Distributed Coordination Function (DCF) – osnovni protokol za pristup radio kanalu • DCF zasnovan na Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) paradigmi • Prije transmitiranja paketa na kanalu, mobilno računalo osluškuje da li je kanal već“zauzet” (npr., od strane drugog računala) • Izbjegavanje kolizija između paketa dva ili više računala putem randomiziranog “back-off” mehanizma Računalo A AP Računalo B
802.11 - MAC layer principles (1/2) • Traffic services • Asynchronous Data Service (mandatory) • exchange of data packets based on “best-effort” • support of broadcast and multicast • Time-Bounded Service (optional) • implemented using PCF (Point Coordination Function) • Access methods (called DFWMAC: Distributed Foundation Wireless MAC) • DCF CSMA/CA (mandatory) • collision avoidance via randomized „back-off“ mechanism • minimum distance between consecutive packets • ACK packet for acknowledgements (not for broadcasts) • DCF with RTS/CTS (optional) • avoids hidden terminal problem • PCF (optional) • access point polls terminals according to a list • DCF: Distributed Coordination Function • PCF: Point Coordination Function
802.11 - MAC layer principles (2/2) • Priorities • defined through different inter frame spaces • no guaranteed, hard priorities • SIFS (Short Inter Frame Spacing) • highest priority, for ACK, CTS, polling response • PIFS (PCF IFS) • medium priority, for time-bounded service using PCF • DIFS (DCF, Distributed Coordination Function IFS) • lowest priority, for asynchronous data service DIFS DIFS PIFS SIFS medium busy contention next frame t direct access if medium is free DIFS time slot Note : IFS durations are specific to each PHY
802.11 - CSMA/CA principles contention window (randomized back-offmechanism) • station ready to send starts sensing the medium (Carrier Sense based on CCA, Clear Channel Assessment) • if the medium is free for the duration of an Inter-Frame Space (IFS), the station can start sending (IFS depends on service type) • if the medium is busy, the station has to wait for a free IFS, then the station must additionally wait a random back-off time (collision avoidance, multiple of slot-time) • if another station occupies the medium during the back-off time of the station, the back-off timer stops (to increase fairness) DIFS DIFS medium busy next frame t direct access if medium has been free for at least DIFS time slot
A zamrzava brojač i odgađa slanje DIFS Podaci NAV Backoff SIFS SIFS ACK ACK NAV Podaci Backoff B odgađa slanje IEEE 802.11b: Media Access Control (MAC) • Notacija: • DIFS: Distributed Inter-Frame Spacing • SIFS: Short Inter-Frame Spacing • Backoff: slučajan broj iz skupa {1,2,…, CW} – izražava se u kratkim vremenskim intervalima (time slot) • CW: maksimalno trajanje Backoff-a • NAV: Network Allocation Vector DIFS Računalo A Backoff Pristupna točka Računalo B vrijeme
= 802.11 – CSMA/CA broadcast DIFS DIFS DIFS DIFS boe bor boe bor boe busy station1 boe busy station2 busy station3 boe busy (detection by upper layer) station4 boe bor boe busy (detection by upper layer) station5 t Here St4 and St5 happen to havethe same back-off time busy boe medium not idle (frame, ack etc.) elapsed backoff time bor packet arrival at MAC residual backoff time The size of the contention window can be adapted (if more collisions, then increase the size) Note: broadcast is not acknowledged
802.11 - CSMA/CA unicast • Sending unicast packets • station has to wait for DIFS before sending data • receiver acknowledges at once (after waiting for SIFS) if the packet was received correctly (CRC) • automatic retransmission of data packets in case of transmission errors DIFS data sender SIFS ACK receiver DIFS data other stations t waiting time Contentionwindow The ACK is sent right at the end of SIFS(no contention)
Hidden terminal problem • A is hidden from C A B C D
Receiver informs interferers before transmission – MACA protocol • Sender B asks receiver C whether C is able to receive a transmissionRequest to Send (RTS) • Receiver C agrees, sends out a Clear to Send (CTS) • Potential interferers overhear either RTS or CTS and know about impending transmission and for how long it will last • Store this information in a Network Allocation Vector • B sends, C acks MACA protocol is in IEEE 802.11!
802.11 – DCF with RTS/CTS • Sending unicast packets • station can send RTS with reservation parameter after waiting for DIFS (reservation determines amount of time the data packet needs the medium) • acknowledgement via CTS after SIFS by receiver (if ready to receive) • sender can now send data at once, acknowledgement via ACK • other stations store medium reservations distributed via RTS and CTS DIFS RTS data sender SIFS SIFS SIFS CTS ACK receiver DIFS NAV (RTS) data other stations NAV (CTS) t defer access Contentionwindow RTS/CTS can be present forsome packets and not for other NAV: Network Allocation Vector
802.11 – Point Coordination Function (1/2) t0 t1 SuperFrame medium busy PIFS SIFS SIFS D1 D2 point coordinator SIFS SIFS U1 U2 wireless stations NAV stations‘ NAV contention free period • Purpose: provide a time-bounded service • Not usable for ad hoc networks • Direpresents the polling of station i • Uirepresents transmission of data from station i
802.11 – Point Coordination Function (2/2) t2 t3 t4 PIFS SIFS D3 D4 CFend point coordinator SIFS U4 wireless stations NAV stations‘ NAV contention free period t contention period In thisexample, station 3 has no data to send
DIFS Podaci Backoff SIFS SIFS ACK ACK Podaci NAV NAV B odgađa slanje B odgađa slanje Sigurnosni problemi na MAC razini: ‘virtual’ carrier sense attack DIFS • Notacija: • DIFS: Distributed Inter-Frame Spacing • SIFS: Short Inter-Frame Spacing • Backoff: slučajan broj iz skupa {1,2,…, CW} • CW: maksimalno trajanje Backoff-a • NAV: Network Allocation Vector Računalo A Backoff Pristupna točka Računalo B vrijeme
Sigurnosni problemi na MAC razini: ‘real’ carrier sense attack • Exploits the need of a wireless station to receive the "clear channel assessment (CCA)“ before accessing the channel • affects IEEE 802.11b/g networks only • CCA – how to sense a channel clear • energy level is above a threshold • can detect a 802.11 signal/symbol • use both • if signal present/energy above the predefined threshold detect channel busy and wait
DIFS Podaci Backoff SIFS SIFS ACK ACK NAV NAV Podaci Backoff B zamrzava brojač i odgađa slanje B zamrzava brojač i odgađa slanje Sigurnosni problemi na MAC razini: backoff manipulation DIFS • Notacija: • DIFS: Distributed Inter-Frame Spacing • SIFS: Short Inter-Frame Spacing • Backoff: slučajan broj iz skupa {1,2,…, CW} • CW: maksimalno trajanje Backoff-a • NAV: Network Allocation Vector Računalo A Backoff Pristupna točka Računalo B Backoff vrijeme
Računalo A Računalo B Brzina komunikacije [Mbps] CW (Backoff) računala A Sigurnosni problemi na MAC razini • Primjer: manipulacija Backoff vrijednostima • Jednostavna implementacija (jedna linija koda kod bežičnih adaptera koji koriste Atheros radio čipove, npr. Proxim Orinoco) • IEEE 802.11e sa QoS (Quality of Service) podrškom omogućava manipulaciju Backoff-a, DIFS-a, SIFS-a! AP UDP Računalo A UDP Računalo B
Sigurnosni problemi na MAC razini: rezime • Manipulacijom parametara protokola za pristup kanalu (CSMA/CA) moguće je, na jednostavan način, potpuno “okupirati” radio kanal • Maliciozni napadač može lako izvršiti DoS napad • Sebični korisnici mogu ostvariti veći dio raspoloživog kapaciteta • IEEE 802.11 ne pruža zaštitu protiv ovakvih manipulacija • Postoje određena rješenja pomoću kojih je moguće detektirati neke kategorije manipulacija, no… • Ostaje otvoreno pitanje: Što napraviti nakon detekcije takvih manipulacija?
Selfish behavior in hotspots • DOMINO • http://lcawww.epfl.ch/Domino/Edomino.htm
STA association request association response beacon • MAC header • timestamp (for synchronization) • beacon interval • capability info • SSID (network name) • supported data rates • radio parameters • power slave flags Introduction to WiFi scanning on each channel “connected” AP
Access mechanisms Open network (no protection) • assumption: there are no unauthorized users in the range of the network • problems: range is hard to determine (unpredictable propagation of the signals, directional antennas, ...) Closed network • using SSIDs for authentication (Service Set Identifier) • MAC filtering • shared keys • authentication servers
MAC filtering • MAC address filtering • only devices with certain MAC addresses are allowed to associate • needs pre-registration of all device at the AP • MAC can be sniffed and forged • sent in clear text in each packet (can be sniffed) • can be forged
Overcoming MAC filtering in 3 steps • Put your card in promiscuous mode (accepts all packets). • Sniff the traffic and find out which MAC addresses are accepted by the AP • Change your MAC address (need a card that can do that) Ethereal
SSID-based access control • SSID = Service Set IDentifier (network name) • a 32-character unique identifier • found in the header of packets • acts as a password when a mobile device tries to connect to the WLAN • SSID differentiates one WLAN from another • all devices attempting to connect to a specific WLAN must use the same SSID
SSID-based access control • SSIDs can be sniffed (e.g. using Wireshark) • advertised by the APs • contained in SSID response frames • Overcomming SSID-based access control • Sniff SSID (either sent by the clients or advertised by the AP) • Set your SSID to the same value ... • MAC/SSID access control: not a bad protection from unskilled neighbors (much better than no authentication/protection)
Disassociation Attacks • Generate fake disassociation frames with the victim’s MAC address as the destination and the real AP MAC as the source • Send this repeatedly • aircrack-ng • Works even with the latest IEEE 802.11i standard! Why?
napadač IEEE 802.11b: sigurnosni ciljevi • Osim funkcija fizičke i MAC razine IEEE 802.11 standard definira i implementira skup sigurnosnih mehanizama s ciljem • Osiguranja privatnosti podataka (ekvivalentno žičanim mrežama) • Simuliranja fizičke kontrole pristupa neautoriziranih računala • (Inicijalni, IEEE 802.11b) sigurnosnimehanizmi • Algoritamzazaštitupodataka:Wired Equivalent Privacy (WEP) • Protokolzaautentikacijukorisnika: Shared Key Authentication • Na žalost, katastrofalandizajn!!! • Rješenje u IEEE 802.11i
Wired Equivalent Privacy (WEP) • WEP algoritam - slijedna šifra (stream chiper) zasnovana na RC4 enkripcijskom algoritmu (Ron Rivest, RSA) • Tajnost podataka, integritet podataka, kontrola pristupa inicijalizacijski vektor v tajni ključ k 802.11 hdr v Podaci CRC 802.11 hdr Podaci Dodaj CRC = CRC32(Podaci) RC4(k,v) 802.11 hdr Podaci CRC 802.11 hdr Podaci CRC Provjeri CRC = CRC32(Podaci) RC4(k,v) 802.11 hdr Podaci 802.11 hdr v Podaci CRC CRC: Cyclic Redundancy Check
Stream Cipher RC4 Operation • RC4 is a stream cipher • given a short input key, it produces a pseudorandom sequence (key stream) • the key stream is always the same for the same key • The output of the key stream is XORed with the plaintext to obtain a ciphertext vkey RC4 key stream plaintext ciphertext
C1 = P1 RC4(k,v) C2 = P2 RC4(k,v) WEP ne osigurava tajnost podataka C1 C2 = (P1 RC4(k,v)) (P2 RC4(k,v)) = P1P2 • Inicijalizacijski vektor (v) se mijenja za svaki transmitirani paket • Ali v je “dug” samo 24 bita (IEEE 802.11 standard) • Ako se v generira na slučajan način, dva paketa će imati istu vrijednost nakon samo 5000 paketa (“birthday paradox”) • Ako se v jednostavno inkrementira počevši od 0, dva računala koja transmitiraju konstantno će generirati pakete sa istom vrijednošću v • Napadač pohrani 2^24 parova (vi, RC4(k,vi)) – otprilike 24 GB • Kada napadač “vidi” šifrirani paket Ci, pogleda u memoriju (vrijednost vi nije enkriptirana) i nađe odgovarajući par (vi, RC4(k,vi)) • Pi = Ci RC4(k,vi) • RC4 “slabi” ključevi (Airsnort program pronalazi ključ u par sati)
WEP ne osigurava integritet podataka • Za provjeru integriteta i autentičnosti poruke, WEP koristi šifrirani CRC (checksum) ili Integrity Check Value (IVC) • CRC je linearna funkcija: CRC(P1P2) = CRC(P1) CRC(P2) • Napadač: • Posjeduje C = RC4(k,v) P, CRC(P) (ne zna P i k) • Želi generirati poruku P’ = P , koju će prihvatiti AP kao autentičnu • Generira: 802.11 hdr v Podaci CRC C’ = C , CRC() = RC4(k,v) P, CRC(P), CRC() = RC4(k,v) P , CRC(P) CRC() = RC4(k,v) P’, CRC(P ) = RC4(k,v) P’, CRC(P’)
napadač (ne zna ključ) RC4(k,v) = RC4(k,v) RN, CRC(RN) RN, CRC(RN) Request Challenge RN’ RC4(k,v) RN’, CRC(RN’) Success WEP ne osigurava kontrolu pristupa tajni ključ k tajni ključ k • Katastrofalan dizajn! Request Challenge RN RN: Random Number RC4(k,v) RN, CRC(RN) Success
Nužna nova sigurnosna arhitektura • WPA (WiFi Protected Access) • Prijelazno rješenje, kompatibilno s postojećim hardverom • IEEE 802.11i standard (ili WPA2) • Dugoročno rješenje, ali zahtjeva promjenu hardvera TKIP: Temporal Key Integrity Protocol AES: Advanced Encryption Standard MIC: Message Integrity Code MAC: Message Authentication Code EAP: Extensible Authentication Protocol TLS: Transport Layer Security LEAP: Light EAP (Cisco)