Wireless Security
Speaker: Jerry Gao, Ph.D.
San Jose State University
email: jerrygao@email.sjsu.edu
URL: http://www.engr.sjsu.edu/gaojerry

Topic: Wireless Security
Presentation Outline
- Why Is Wireless Security Different?
- What Are the Needs and Challenges?
- Wireless Threats and Security Problems
- Basic Concepts in Security
- WAP Wireless Security Solutions
- Wireless LAN Security Solutions
Jerry Gao Ph.D. 3/2004 All Rights Reserved

Why Is Wireless Security Different?
Wireless networks are characterized by generally low quality of service (QoS) due to small devices, low power, and low bandwidth.
There are four fundamental differences for wireless services:
• Bandwidth
• Allowable error rates
• Latency and variability
• Power constraints
Compared with wired networks, wireless networks are:
• Relatively unreliable, because of packet losses.
• Subject to high latency and variability due to retransmissions.
• Subject to network limitations on communications and security protocols.

Why Is Wireless Security Different?
Other related issues:
• Portable device limitations:
  • User expectations, limited computing power, and limited storage space.
  • >> limits to the cryptographic algorithms and solutions in a device
  • >> fundamental restrictions on bandwidth, error rate, latency, and variability.
• Portable mobility causes issues:
  • Out of coverage, one-way coverage, unknown network connectivity, throughput overflow, protocol overhead and compression.

What Are the Needs and Challenges?
Why do we need wireless security?
Most existing security solutions, standards, and technology are not well suited for wireless networking and wireless systems, for the following reasons:
• They have too much overhead and tight timeouts.
• They are too complex and need too much power and storage.
• They are not efficient enough for mobile devices and wireless networks.
In a wireless network, security features differ greatly between the protocol stacks, and security policy implementation and enforcement depend on the carrier.

What Are the Needs and Challenges?
What are the challenges here?
• Adaptation and integration of existing solutions and infrastructure.
• Promoting consistency and interoperability among a diverse spectrum of mobile and wireless devices.
• Providing a high level of security without detrimental impact on the user experience.
What are the needs?
• New standards, technology, and solutions for wireless networking.
• New standards, implementation, products and techniques for mobile commerce application systems.
• Secured wireless communication protocols and channels.
• Secured wireless hardware solutions to protect the physical layer network.
• Secured wireless user access experience.
• Secured wireless solutions to protect wireless servers and gateways.

Wireless Threats
Eavesdropping:
- The primary threat is the potential for unauthorized parties to eavesdrop on radio signals sent between a wireless station and an access point (or user device).
- Eavesdropping is a passive attack: an eavesdropper can listen to a message without altering the data, so the sender and the intended receiver of the message may not even be aware of the intrusion.
-> The solution is to use Spread-Spectrum technology, which is resistant to eavesdropping.
Unauthorized Access:
- The potential for an intruder to enter a WLAN system disguised as an authorized user. Once inside, the intruder can violate the confidentiality and integrity of network traffic by sending, receiving, and altering or forging messages.
- This is an active attack.
-> The solution is to deploy authentication mechanisms to ensure only authorized users can access the network.

Wireless Threats
Interference and Jamming (Denial of Service Attack):
- The potential for radio interference that can seriously degrade bandwidth (data throughput).
- If an attacker has a powerful transmitter, he or she can generate a radio signal strong enough to overwhelm weaker signals, disrupting communications. This is known as jamming.
-> The solution is to use direction-finding equipment to detect the source of jamming signals.
Man-in-the-middle attacks:
- This attack is more sophisticated than most attacks and requires a lot of information about the network.
- The attacker intercepts the connection when a user initiates it, completes the connection to the intended resource, and proxies all communication to the resource. The attacker can then modify, eavesdrop on, and inject data into a session.

Wireless Vulnerabilities
Interception/Ease of Interception:
Individuals (other than the intended recipient) make illicit efforts to obtain wireless signals over the wireless network.
-> There are generally simple countermeasures that can be taken to greatly reduce the risk of data interception.
Interruption of Service:
Accidents, construction, power outages, and similar events cause the interruption of services.
Natural Hazards:
Hurricanes, Tornadoes, Winter Storms, Flooding, Fire, Earthquakes, Power Outages

Wireless Vulnerabilities
Unintentional Interruptions:
These happen when network control is neglected or absent. On a Monday afternoon in Jan. of 1990, the AT&T long-distance network, with 114 switching centers, began to falter. In minutes, more than half of the callers were greeted by "All circuits are busy. Please try your call later".
Intentional Interruptions:
The interconnection and interdependence of the national communications infrastructure presents a valuable and vulnerable target to terrorists. Our complex national infrastructures are vulnerable because of their increasing interdependence.
Unintentional Interceptions: (Friends and Neighbors)

Cell Phone Vulnerabilities
• Jamming:
  • A cell phone jammer (or call blocker) is a device that transmits low-power radio signals that cut off communications between cellular handsets and cellular base stations.
  • For example, most jammers use a transmission method that confuses the decoding circuits of cellular handsets as if no cellular base station is within the service area.
• Countermeasures to Jamming and Interception:
  • Countermeasures to jamming have challenged engineers for many years.
  • Over the last 50 years, a class of modulation techniques, usually called Spread Spectrum, has been developed. Spread Spectrum signals are more difficult to jam than narrowband signals.

Fraud and Countermeasures to Fraud
• Fraud:
  • Cellular phone fraud is defined as the use of cellular services by deceptive means to avoid paying for the benefit of the services.
  • Theft prevention is a constant concern.
• Countermeasures to Jamming and Interception:
  • Countermeasures to jamming have challenged engineers for many years.
  • Over the last 50 years, a class of modulation techniques, usually called Spread Spectrum, has been developed. Spread Spectrum signals are more difficult to jam than narrowband signals.

Framework for Dealing with Policy Issues
Critical components for a secure media encryption system:
• Trusted Encryption Algorithm
• Pre-Encryption of Streaming Media
• Adequate Key Lengths
• Variable Key Lengths
• Media Keys and Content Stored in Separate Locations
• Decryption Occurs in the Media Player
• Uniquely Encrypt Each Packet
• A Public-Key Exchange System

Security Information Systems
Different types of security information systems:
• Cryptographic systems
• Digital key management systems
• Access control and authentication validation systems
• Digital certification server and systems
The primary key management functions:
• Key receipt and identification
• Key storage, allocation, and use
• Key zeroization
• Key accounting
• Rekey

Wireless Security Solutions
The four common solutions for wireless security are:
• Authentication (no forgery): Verification that both parties in a transaction are who they say they are. This can be assured in multiple ways, including a simple password scheme, certificates, and a PKI scheme. Note: PKI usually adds overhead to the system performance.
• Integrity (no tampering): The content transferred on the network has not been altered by anyone. Integrity is commonly provided by requiring that the content be signed using keys or certificates.
• Data privacy (no eavesdropping): The content transferred on the network cannot be seen by anyone. Privacy is provided by encryption, typically through SSL or WTLS.
• Nonrepudiation: All parties to the transaction are noted. A user or a provider cannot deny having performed a transaction. Nonrepudiation is usually ensured by requiring that content be signed with public or private certificates.

Wireless Security Solutions
Basic requirements for wireless security solutions for wireless application systems include:
• The solution should interoperate seamlessly.
• The solution should work end-to-end.
• The solution should be efficient and cost-effective for mobile devices.
• The solution should be reliable.
Three levels of wireless security services:
• At level 1, users simply view information, such as bank account information. They cannot exchange information.
• At level 2, closed transactions would be acceptable. For example, information can be exchanged or money can be transferred within the same institution.
• At level 3, the highest level of security, end-to-end encryption allows users to exchange information with other companies or transfer money between financial institutions.

Wireless Security Solutions
The steps to add security to your wireless-based systems:
• Step #1: secure a connection between the server and the mobile device client.
• Step #2: provide the certification of the server.
• Step #3: provide the certification of the client.
Four basic steps to protect your data from being misused:
• Use a secure air carrier like CDMA. You cannot rely on GSM signal security alone.
• Deliver content in a micro-browser and store as little as possible on the mobile devices. Browsers keep all sensitive data resident on the server. You can design sessions to clear data caches on the mobile devices.
• Use two-way certificates. In this approach, the client must authenticate the server before the password is transmitted over the air. The server then returns an authentication check.
• Add an additional layer of encryption for highly secure networks. CDMA has strong native security. Cellular Digital Packet Data (CDPD), Mobitex, and Motient typically need to run an application layer on top of their native security.

Security Information Systems
Basic functions in cryptographic information systems:
• Initialization, termination, operation support.
• Boot, instantiation, run-time, abnormal/normal termination.
• Security management, configuration, policy, enforcement
• Encryption, decryption, TRANSEC, integrity, authentication.
• RED/BLACK isolation
• Communicator data, radio control/status
• Keystream functions, algorithm, and management
• Cryptographic channel instantiation
• Cryptographic control, status, and interface
• Cryptographic bypass

Security Information Systems
The primary functions within the cryptographic subsystem are:
• Cryptographic keystream generation capability
• Encryption and decryption of communicator information
• Signature generation and validation, high-grade integrity checking
• Controlled bypass of communicator and radio information

Architectures of Security Information Systems
[Diagram: User Terminal, CRYPTO, Comm. Device, BYPASS]
In this traditional secure communication environment, the security is achieved by:
• Physical access control to user terminal
• Hard-wired connections for each channel
• High-grade hardware cryptography in a discrete box
• Very limited bypass capability within communicator channel or manual ancillary device
• System high application

Architectures of Security Information Systems
[Diagram: User Terminal, CRYPTO, Comm. Device, BYPASS]
In this embedded cryptographic equipment, the security is achieved by:
• Physical access control to user terminal
• Hard-wired connections for each channel
• High-grade hardware cryptography within the box
• Very limited bypass capability within communicator channel or manual ancillary device
• System high application
• Limited TED user application processing

Architectures of Security Information Systems
[Diagram: CRYPTO, Wireless Device, Other Network Nodes, BYPASS]
In wide area networks in a wireless domain, the security is achieved by:
• High-grade hardware cryptography within the communication device.
• Hard-wired internal connections or computer bus for the single wireless channel configuration.
• Bypass requirement further increased to handle protocols and network information.
• Separation of data classification and types performed by network, wireless system high.
• Multiple access methods for the communicator networks
• Interconnection of networks at multiple communicator sites

Architectures of Security Information Systems
[Diagram: Wireless Device, User Processing and Networks, Multi-channel CRYPTO assets, Multi-channel wireless assets, BYPASS]
Security Features:
• Multi-channel/multi-communicator wireless operation
• Access control to network and wireless services governed by software that allows multiple communicators to share a single physical connection
• Virtual internal connections for each wireless communicator port and radio channel.
• Single RED bus architecture
• High-grade programmable cryptography embedded within the wireless device
• Bypass requirement further increased to handle internal radio control
• Radio functions programmable for all processes
• Use of commercial software products.

Wireless LAN Security Solutions
• Authentication:
  • Authentication is used to establish the identity of stations to each other.
  • IEEE 802.11 requires mutually acceptable, successful authentication before a station can establish an association with an AP.
  • Open System authentication
  • Shared Key authentication
• De-authentication:
  - This service is invoked whenever an existing authentication is to be terminated.
• Privacy:
  - WEP encryption is used to prevent the contents of messages from being read by other than the intended recipient.

WLAN Security Solutions
Open System Authentication
Mobile station -> Access point: Authentication request ("open system")
Access point -> Mobile station: Authentication response ("open system")

WLAN Security Solutions
Shared Key Authentication
Mobile station (A) -> Access point (B): Authentication request ("shared key")
Access point (B) -> Mobile station (A): Challenge text ("shared key")
Mobile station (A) -> Access point (B): Challenge response (encrypted challenge text) ("shared key")
Access point (B) -> Mobile station (A): Authentication result ("shared key")

WLAN Security Solutions
WEP Encryption:
IEEE 802.11 incorporates WEP to provide a modest level of security. WEP uses an encryption algorithm based on the RC4 encryption algorithm.

WLAN Security Solutions
WEP Decryption:
An XOR-based shared-key decryption process.

Wireless LAN (802.11) Vulnerabilities
There are several vulnerabilities:
• Service Set ID problem:
  • SSID is an identification value programmed in the access point or group of access points to identify the local wireless subnet.
  • An eavesdropper can easily determine the SSID with the use of an 802.11 wireless LAN packet analyzer and gain access to the network.
• The weakness of Shared Key Authentication:
  • How to secure the exchange of the shared key before communications?
  • The process of exchanging the challenge text occurs over the wireless link and is vulnerable to a man-in-the-middle attack.
• The WEP XOR-based encryption algorithm has a problem due to the fact that: Plaintext XOR Ciphertext -> key stream.
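
The Shared Key Authentication exchange and the "Plaintext XOR Ciphertext -> key stream" property, as an added Python example that is not part of the original slides. It is simplified: the whole challenge is encrypted as one WEP body (RC4 keyed with the 24-bit IV followed by the shared key, CRC-32 ICV appended), and the key, function names and frame layout are constructed for illustration.

```python
import os
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP body: RC4(IV || key) XOR (plaintext || CRC-32 ICV)."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(data, rc4_keystream(iv + key, len(data)))


def wep_decrypt(iv: bytes, key: bytes, ciphertext: bytes):
    """Return the plaintext, or None when the ICV does not verify."""
    data = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    body, icv = data[:-4], data[-4:]
    if zlib.crc32(body).to_bytes(4, "little") != icv:
        return None
    return body


def shared_key_auth(station_key: bytes, ap_key: bytes):
    """Run the challenge/response; return (frames seen on air, AP verdict)."""
    challenge = os.urandom(128)          # message 2, sent in the clear
    iv = os.urandom(3)                   # 24-bit IV, sent in the clear
    response = wep_encrypt(iv, station_key, challenge)         # message 3
    accepted = wep_decrypt(iv, ap_key, response) == challenge  # message 4
    on_air = {"challenge": challenge, "iv": iv, "response": response}
    return on_air, accepted


def keystream_visible_on_air(on_air: dict) -> bytes:
    """Plaintext XOR ciphertext: needs no key, only the two observed frames."""
    return xor(on_air["challenge"], on_air["response"])


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")    # constructed 40-bit WEP key
    on_air, accepted = shared_key_auth(key, key)
    leaked = keystream_visible_on_air(on_air)
    print("AP accepted station:", accepted)
    print("keystream bytes exposed:", len(leaked))
    print("matches RC4(IV || key):",
          leaked == rc4_keystream(on_air["iv"] + key, len(leaked)))
```

The challenge and its encrypted response both cross the air, so every completed authentication discloses 128 bytes of keystream for that IV without disclosing the key itself.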

i-mode Security
[Diagram: i-mode protocol stacks for the Mobile Terminal, Base Station and Gateway, with the layers cHTML, HTTPS, Transport, TCP, IP, PDC-P, L2 and L1; the HTTPS layer is passed through.]

WAP Security Solutions - Reencryption
WTLS is based on TLS, which is a refinement of Secure Socket Layer (SSL).
[Diagram: a WML-based client (Web phone, UP.Browser) on the wireless network, protected by WTLS up to the WAP gateway (UP.Link server); the gateway is connected over the wired network (Internet), protected by SSL, to the Web server and application server.]

WAP Security Solutions - WTLS
WTLS protocol stack:
• WTLS Handshake protocol, WTLS Change Cipher protocol, WTLS Alert protocol, WTP
• WTLS Record Protocol
The WTLS Record Protocol (RP) provides basic security services to higher-layer protocols.

WAP Security Solutions - WTLS
WTLS Record Protocol Operation:
User data -> Compress -> Add MAC -> Encrypt -> Append WTLS record header

WAP Security Solutions - WTLS (Record Format)
- Takes care of integrity and authentication
[Diagram: WTLS record format with the fields R, C, S, L, sequence number, content type, record length, plain text (optionally compressed) and MAC (0, 16 or 20 bytes), marked as encrypted.]
R = reserved
C = cipher spec indicator
S = sequence number field indicator
L = record length field indicator
MAC = message authentication code
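
MAC - Message Authentication Code
1. MDm = H(Sab || M)
[Diagram: the sender hashes the secret key together with the message M using H to obtain the hash code MDm and sends M || MDm; the receiver applies H to the received message with the secret key and compares the result with the received MDm.]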
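
The MAC computation and comparison from this slide, as an added Python example that is not part of the original slides. H is taken to be SHA-1 (the 20-byte MAC size from the record format slide); the 2-byte sequence number covered by the MAC, the function names and the sample secret are assumptions of this example, and HMAC is included as a swapped-in alternative for comparison.

```python
import hashlib
import hmac

MAC_LEN = 20   # SHA-1 output; the record format slide allows 0, 16 or 20 bytes
SEQ_LEN = 2    # assumption of this example: 2-byte big-endian sequence number


def prefix_mac(secret: bytes, data: bytes) -> bytes:
    """The slide's construction: MDm = H(Sab || M), with H = SHA-1 here."""
    return hashlib.sha1(secret + data).digest()


def hmac_sha1(secret: bytes, data: bytes) -> bytes:
    """Keyed hash via HMAC, swapped in for comparison (not on the slide)."""
    return hmac.new(secret, data, hashlib.sha1).digest()


def protect(secret: bytes, seq: int, message: bytes, mac=prefix_mac) -> bytes:
    """Sender side: emit seq || M || MDm, with seq covered by the MAC."""
    header = seq.to_bytes(SEQ_LEN, "big")
    return header + message + mac(secret, header + message)


def verify(secret: bytes, expected_seq: int, record: bytes, mac=prefix_mac):
    """Receiver side: recompute the MAC and compare; return M or None."""
    if len(record) < SEQ_LEN + MAC_LEN:
        return None                      # too short to hold header and MAC
    header = record[:SEQ_LEN]
    message = record[SEQ_LEN:-MAC_LEN]
    tag = record[-MAC_LEN:]
    if int.from_bytes(header, "big") != expected_seq:
        return None                      # replayed or reordered record
    if not hmac.compare_digest(tag, mac(secret, header + message)):
        return None                      # altered message or wrong secret
    return message


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed sample value
    record = protect(secret, 7, b"transfer 100")
    tampered = record[:SEQ_LEN] + b"transfer 900" + record[-MAC_LEN:]
    print("intact record  :", verify(secret, 7, record))
    print("tampered record:", verify(secret, 7, tampered))
    print("replayed record:", verify(secret, 8, record))
```

HMAC is the construction normally used in place of a bare H(secret || message), which with MD5 or SHA-1 is open to length extension.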

WAP - Encryption
• The MAC code is encrypted using a symmetric encryption algorithm:
  - DES, RC5, IDEA
• DES: DES, the Data Encryption Standard, is a mathematical algorithm for encrypting and decrypting binary information. The system consists of an algorithm and a key.
• RC5: RC5 encrypts blocks of plain text of length 32, 64, or 128 bits into blocks of ciphertext of the same length. It has a variable-length key and is intended to provide high security.
• IDEA: IDEA is a block cipher that uses a 128-bit key to encrypt data in blocks of 64 bits.
• Key: 64 bits (of this 6 bits are parity). Even with just fifty-six bits there are over seventy quadrillion possible keys (simply 2^56). The digits in the key must be independently determined to take full advantage of the seventy quadrillion possible keys.
• The government claims that short of trying all seventy quadrillion combinations there is no way to break the DES algorithm.

WAP - Change Cipher Spec Protocol
• The change cipher spec message is sent by both the client and server to notify the receiving party that subsequent records will be protected under the just-negotiated CipherSpec and keys.
• The protocol consists of a single message, which is encrypted and compressed under the current CipherSpec. The message consists of a single byte of value 1.
• Separate read and write states are maintained by both the SSL client and server. When the client or server receives a change cipher spec message, it copies the pending read state into the current read state. When the client or server writes a change cipher spec message, it copies the pending write state into the current write state.
• The client sends a change cipher spec message following handshake key exchange, and the server sends one after successfully processing the key exchange message it received from the client.

WAP - Alert Protocol
The Alert Protocol is used to convey WTLS-related alerts to the peer entity. As with other applications, alert messages are compressed and encrypted as specified by the current state. Each message consists of two bytes:
• 1st byte: warning or critical or fatal
• 2nd byte: specific alerts
Fatal alerts: If the level is fatal, WTLS immediately terminates the connection.
Ex: unexpected_message, bad_record_mac, decompression_failure, handshake_failure, etc.
Nonfatal alerts: bad_certificate, unsupported_certificate, certificate_revoked, etc.

WAP - Handshake Protocol
• This protocol allows the server and the client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in a WTLS record.
• Phase I - Used to initiate logical function and establish security capabilities.
• Phase II - Used for server authentication and key exchange.
• Phase III - Used for client authentication and key exchange.
• Phase IV - Completes the secure connection.

WAP GAP
- The WAP architecture is based on a wireless gateway (WAP gateway) that translates data from the wireless formats defined by WAP (such as WML) to the Internet formats used by Web servers (e.g. HTML).
- To make the translation, the WAP gateway needs access to the unsecured, plaintext data being transmitted. While many WAP gateways don't do any data translation, the deployed security protocols are defined on the basis that they do. Therefore, the WAP gateway still accesses the plaintext data. The resulting architecture does secure all transport.
- The WAP WTLS specification provides strong security between a WAP client and the gateway, and the gateway uses some other secure mechanism (e.g. SSL) to connect to the content server. In between those two connections, for a very brief time (milliseconds), the data is (temporarily) unsecured. This is the so-called "WAP gap."
Solution: Have the company's own gateway.
End-to-end security will be an option in the next version of WAP.

WAP WML
In order to provide the user of the WML browser a secure and unique identity, the WAP specification has added an identity module (used for bank transactions).
The WAP Identity Module (WIM) stores the cryptographic keys used in WTLS and in the application layer. All operations using these keys should be performed within the WIM so that the keys are never exposed outside the secure environment. These operations include:
(1) Signing in the application layer.
(2) Decryption when setting up a shared key as part of a secure session in WTLS.
(3) MAC computation and verification as part of securing messages in WTLS.
(4) Conventional encryption and decryption as part of securing messages in WTLS.
Ideally, the WIM should be implemented as an additional application on the GSM SIM card. Such enhanced SIM cards are expected on the market in the near future.