6: Wireless and Mobile Networks
Chapter 6 outline
• 6.1 Introduction
• Wireless
• 6.3 IEEE 802.11 wireless LANs (“wi-fi”)
• 8.8 Securing wireless LANs
Elements of a wireless network
wireless hosts
• laptop, PDA, IP phone
• run applications
• may be stationary (non-mobile) or mobile
  • wireless does not always mean mobility
[Figure: network infrastructure]
Elements of a wireless network
base station
• typically connected to wired network
• relay - responsible for sending packets between wired network and wireless host(s) in its “area”
  • e.g., cell towers, 802.11 access points
[Figure: network infrastructure]
Elements of a wireless network
wireless link
• typically used to connect mobile(s) to base station
• multiple access protocol coordinates link access
• various data rates, transmission distance
[Figure: network infrastructure]
Characteristics of selected wireless link standards
[Figure: data rate (Mbps) versus range]
Data rate (Mbps):
• 200: 802.11n
• 54: 802.11a,g; 802.11a,g point-to-point
• 5-11: 802.11b; 802.16 (WiMAX)
• 4: 3G cellular enhanced (UMTS/WCDMA-HSPDA, CDMA2000-1xEVDO)
• 1: 802.15
• .384: 3G (UMTS/WCDMA, CDMA2000)
• .056: 2G (IS-95, CDMA, GSM)
Range: Indoor 10-30m; Outdoor 50-200m; Mid-range outdoor 200m – 4 Km; Long-range outdoor 5Km – 20 Km
Elements of a wireless network
infrastructure mode
• base station connects mobiles into wired network
• handoff: mobile changes base station providing connection into wired network
[Figure: network infrastructure]
Elements of a wireless network
ad hoc mode
• no base stations
• nodes can only transmit to other nodes within link coverage
• nodes organize themselves into a network: route among themselves
Wireless network taxonomy
• infrastructure (e.g., APs), single hop: host connects to base station (WiFi, WiMAX, cellular) which connects to larger Internet
• infrastructure (e.g., APs), multiple hops: host may have to relay through several wireless nodes to connect to larger Internet: mesh net
• no infrastructure, single hop: no base station, no connection to larger Internet
• no infrastructure, multiple hops: no base station, no connection to larger Internet. May have to relay to reach a given wireless node: MANET, VANET
Wireless Link Characteristics (1)
Differences from wired link ...
• decreased signal strength: radio signal attenuates as it propagates through matter (path loss)
• interference from other sources: standardized wireless network frequencies (e.g., 2.4 GHz) shared by other devices (e.g., phone); devices (motors) interfere as well
• multipath propagation: radio signal reflects off objects, ground, arriving at destination at slightly different times
... make communication across (even a point to point) wireless link much more “difficult”
Wireless Link Characteristics (2)
• SNR: signal-to-noise ratio
  • larger SNR – easier to extract signal from noise (a “good thing”)
• SNR versus BER (bit error rate) tradeoffs
  • given physical layer: increase power -> increase SNR -> decrease BER
  • given SNR: choose physical layer that meets BER requirement, giving highest throughput
  • SNR may change with mobility: dynamically adapt physical layer (modulation technique, rate)
[Figure: BER (10^-1 down to 10^-7) versus SNR (dB, 10 to 40) for QAM256 (8 Mbps), QAM16 (4 Mbps) and BPSK (1 Mbps)]
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other, means A, C unaware of their interference at B
Signal attenuation:
• B, A hear each other
• B, C hear each other
• A, C can not hear each other interfering at B
[Figure: nodes A, B, C; A’s signal strength and C’s signal strength plotted over space]
802.11 LAN architecture
• wireless host communicates with base station
  • base station = access point (AP)
• Basic Service Set (BSS) (aka “cell”) in infrastructure mode contains:
  • wireless hosts
  • access point (AP): base station
  • ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]
802.11: Channels, association
• 802.11b: 2.4GHz-2.485GHz spectrum divided into 11 channels at different frequencies
  • AP admin chooses frequency for AP
  • interference possible: channel can be same as that chosen by neighboring AP!
• host: must associate with an AP
  • scans channels, listening for beacon frames containing AP’s name (SSID) and MAC address
  • selects AP to associate with
  • may perform authentication [Chapter 8]
  • will typically run DHCP to get IP address in AP’s subnet
802.11: passive/active scanning
• Active Scanning:
  • Probe Request frame broadcast from H1
  • Probe Response frame sent from APs
  • Association Request frame sent: H1 to selected AP
  • Association Response frame sent: H1 to selected AP
• Passive Scanning:
  • beacon frames sent from APs
  • Association Request frame sent: H1 to selected AP
  • Association Response frame sent: H1 to selected AP
[Figure: H1 between AP 1 (BSS 1) and AP 2 (BSS 2), with the numbered steps of passive and active scanning]
IEEE 802.11: multiple access
• avoid collisions: 2+ nodes transmitting at same time
• 802.11: CSMA - sense before transmitting
  • don’t collide with ongoing transmission by other node
• 802.11: no collision detection!
  • difficult to receive (sense collisions) when transmitting due to weak received signals (fading)
  • can’t sense all collisions in any case: hidden terminal, fading
  • goal: avoid collisions: CSMA/C(ollision)A(voidance)
[Figure: nodes A, B, C; A’s signal strength and C’s signal strength plotted over space]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1 if sense channel idle for DIFS then
  transmit entire frame (no CD)
2 if sense channel busy then
  start random backoff time
  timer counts down while channel idle
  transmit when timer expires
  if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK
  return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender/receiver timeline: DIFS, data, SIFS, ACK]
Avoiding collisions (more)
idea: allow sender to “reserve” channel rather than random access of data frames: avoid collisions of long data frames
• sender first transmits small request-to-send (RTS) packets to BS using CSMA
  • RTSs may still collide with each other (but they’re short)
• BS broadcasts clear-to-send CTS in response to RTS
• CTS heard by all nodes
  • sender transmits data frame
  • other stations defer transmissions
avoid data frame collisions completely using small reservation packets!
Collision Avoidance: RTS-CTS exchange
[Figure: timeline for A, B and AP: RTS(A) and RTS(B) reservation collision; RTS(A); CTS(A); B defers; DATA (A); ACK(A)]
802.11 frame: addressing
Frame fields (size in bytes): frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)
• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode
802.11 frame: addressing
[Figure: H1 sends through the AP to router R1, which connects to the Internet]
• 802.11 frame (H1 to AP): address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
• 802.3 frame (AP to R1): dest. address = R1 MAC addr, source address = H1 MAC addr
802.11 frame: more
Frame fields (size in bytes): frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)
Frame control subfields (size in bits): Protocol version (2), Type (2), Subtype (4), To AP (1), From AP (1), More frag (1), Retry (1), Power mgt (1), More data (1), WEP (1), Rsvd (1)
• duration: duration of reserved transmission time (RTS/CTS)
• seq control: frame seq # (for RDT)
• Type: frame type (RTS, CTS, ACK, data)
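Added example (not part of the original slides): a parser for the three-address 802.11 header laid out above, used to flag data frames sent with the WEP bit clear. It assumes frames of at least 24 bytes and ignores address 4; the MAC addresses and sample frames are constructed for illustration.

```python
import struct

# Flag names follow the slide's frame-control layout (bits 8-15 of the field).
FLAGS = ["to_ap", "from_ap", "more_frag", "retry",
         "power_mgt", "more_data", "wep", "rsvd"]
TYPES = {0: "management", 1: "control", 2: "data"}


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Parse the first 24 bytes (three-address header) of an 802.11 frame."""
    if len(frame) < 24:
        raise ValueError("shorter than a three-address 802.11 header")
    # Frame control, duration and seq control are little-endian on the air.
    fc, duration = struct.unpack_from("<HH", frame, 0)
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    hdr = {
        "version": fc & 0x3,
        "type": TYPES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,
        "duration": duration,
        "addr1": mac(frame[4:10]),    # receiver
        "addr2": mac(frame[10:16]),   # transmitter
        "addr3": mac(frame[16:22]),   # router interface behind the AP
        "seq": seq_ctl >> 4,          # upper 12 bits: sequence number
    }
    for bit, name in enumerate(FLAGS):
        hdr[name] = bool((fc >> (8 + bit)) & 1)
    return hdr


def unprotected_data(frames):
    """Return headers of data frames sent with the WEP bit clear."""
    hdrs = [parse_header(f) for f in frames]
    return [h for h in hdrs if h["type"] == "data" and not h["wep"]]


# Constructed sample frames (made-up MAC addresses): H1 -> AP -> R1.
AP = bytes.fromhex("02aaaaaaaa01")
H1 = bytes.fromhex("02bbbbbbbb02")
R1 = bytes.fromhex("02cccccccc03")

def build(flags: int, seq: int) -> bytes:
    # 0x08 = version 0, type data, subtype 0; duration fixed at 44.
    return struct.pack("<BBH", 0x08, flags, 44) + AP + H1 + R1 + struct.pack("<H", seq << 4)

ENCRYPTED = build(0x41, 5)   # To AP + WEP bits set
CLEAR = build(0x01, 6)       # To AP only: payload sent in the clear

if __name__ == "__main__":
    print(parse_header(ENCRYPTED))
    print([h["addr2"] for h in unprotected_data([ENCRYPTED, CLEAR])])
```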
802.11: mobility within same subnet
• H1 remains in same IP subnet: IP address can remain same
• switch: which AP is associated with H1?
  • self-learning (Ch. 5): switch will see frame from H1 and “remember” which switch port can be used to reach H1
[Figure: router, hub or switch, AP 1 (BSS 1), AP 2 (BSS 2), H1]
802.15: personal area network (WPAN)
• less than 10 m diameter
• replacement for cables (mouse, keyboard, headphones)
• ad hoc: no infrastructure
• master/slaves:
  • slaves request permission to send (to master)
  • master grants requests
• 802.15: evolved from Bluetooth specification
  • 2.4-2.5 GHz radio band
  • up to 721 kbps
[Figure: master device (M), slave devices (S), parked devices (inactive) (P); radius of coverage]
802.16: WiMAX
• like 802.11 & cellular: base station model
  • transmissions to/from base station by hosts with antenna
  • base station-to-base station with point-to-point antenna
• unlike 802.11:
  • range ~ 6 miles (“city rather than coffee shop”)
  • ~14 Mbps
[Figure: point-to-point and point-to-multipoint links]
IEEE 802.11 security
• war-driving: drive around Bay area, see what 802.11 networks available?
  • More than 9000 accessible from public roadways
  • 85% use no encryption/authentication
  • packet-sniffing and various attacks easy!
• securing 802.11
  • encryption, authentication
  • first attempt at 802.11 security: Wired Equivalent Privacy (WEP): a failure
  • current attempt: 802.11i
Wired Equivalent Privacy (WEP):
• authentication as in protocol ap4.0
  • host requests authentication from access point
  • access point sends 128 bit nonce
  • host encrypts nonce using shared symmetric key
  • access point decrypts nonce, authenticates host
• no key distribution mechanism
• authentication: knowing the shared key is enough
WEP data encryption
• host/AP share 40 bit symmetric key (semi-permanent)
• host appends 24-bit initialization vector (IV) to create 64-bit key
• 64 bit key used to generate stream of keys, $k_i^{IV}$
• $k_i^{IV}$ used to encrypt ith byte, $d_i$, in frame: $c_i = d_i \oplus k_i^{IV}$
• IV and encrypted bytes, $c_i$, sent in frame
Fundamental problem: $k_i^{IV}$ should never be reused. WEP is based on RC4, which is secure if keys are used just once.
802.11 WEP encryption
[Figure: Sender-side WEP encryption]
Breaking 802.11 WEP encryption
security hole:
• IV and $k_i^{IV}$ per frame -> eventually reused
• IV transmitted in plaintext -> IV reuse detected
• attack:
  • Trudy causes Alice to encrypt known plaintext $d_1\ d_2\ d_3\ d_4 \ldots$
  • Trudy sees: $c_i = d_i \oplus k_i^{IV}$
  • Trudy knows $c_i$, $d_i$, so can compute $k_i^{IV}$
  • Trudy knows encrypting key sequence $k_1^{IV}\ k_2^{IV}\ k_3^{IV} \ldots$
  • Next time IV is used, Trudy can decrypt!
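Added example (not part of the original slides): the keystream-reuse problem described above, carried through with RC4 over a constructed 40-bit key and 24-bit IVs. It shows why a repeated IV is fatal and how a monitor can spot reuse from the plaintext IV field alone. The key, IVs and frame contents are made up, the IV is placed before the key when forming the 64-bit RC4 key (the order does not affect the result), and WEP's integrity check is left out.

```python
from collections import Counter


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n keystream bytes."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key40: bytes, iv: bytes, data: bytes):
    """Return (IV, ciphertext); the IV travels in plaintext with the frame."""
    return iv, xor(data, rc4_keystream(iv + key40, len(data)))


def reused_ivs(frames):
    """IVs seen on more than one captured frame (what a monitor can flag)."""
    counts = Counter(iv for iv, _ in frames)
    return {iv for iv, n in counts.items() if n > 1}


def demo():
    key = bytes.fromhex("0102030405")          # constructed 40-bit shared key
    iv = bytes.fromhex("a1b2c3")               # constructed 24-bit IV
    known = b"known plaintext d1 d2 d3"        # d_i known to the observer
    secret = b"next frame, same IV....."       # later frame, same IV
    f1 = wep_encrypt(key, iv, known)
    f2 = wep_encrypt(key, bytes.fromhex("000001"), b"other IV")
    f3 = wep_encrypt(key, iv, secret)
    keystream = xor(f1[1], known)              # k_i^IV = c_i XOR d_i, key never used
    recovered = xor(f3[1], keystream)          # decrypts the frame that reused the IV
    return reused_ivs([f1, f2, f3]), recovered, secret


if __name__ == "__main__":
    print(demo())
```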
802.11i: improved security
• numerous (stronger) forms of encryption possible
• provides key distribution
• uses authentication server separate from access point
802.11i: four phases of operation
STA: client station; AP: access point; AS: Authentication server (on wired network)
1 Discovery of security capabilities
2 STA and AS mutually authenticate, together generate Master Key (MK). AP serves as “pass through”
3 STA derives Pairwise Master Key (PMK); AS derives same PMK, sends to AP
4 STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity
EAP: extensible authentication protocol
• EAP: end-end client (mobile) to authentication server protocol
• EAP sent over separate “links”
  • mobile-to-AP (EAP over LAN)
  • AP to authentication server (RADIUS over UDP)
[Figure: protocol stacks: EAP TLS over EAP end to end; EAP over LAN (EAPoL) over IEEE 802.11 between mobile and AP; RADIUS over UDP/IP between AP and authentication server on the wired network]