Security in Wireless Local Area Networks by Sami Uskela, Helsinki University of Technology
Introduction • Commercial Wireless LAN applications can be divided into 5 categories: • LAN Extension – Indoor wire replacement. • Inter-LAN Bridges – Outdoor wire replacement • Campus Area Networks (CAN) – Wireless LANs with infrastructure. • Ad-hoc Networking – Wireless LANs without infrastructure. • Nomadic Access – A wireless LAN service. • Today’s applications aim at 4 areas (paper was last updated Dec 97): • Healthcare Industry. • Factory Floors. • Banking Industry. • Educational Institutions.
Introduction cont. • The wireless LAN environment faces all the security problems found in wired LAN, plus additional security issues. • Many of the security issues, which are manageable in the wired environment, become more severe or stressed when data is sent using radio transmissions. • Other recommended papers: • “Security Issues in Mobile Communications.” V. Bharghavan and C. V. Ramamoorthy, 1995. • “Secure Wireless LANs.” V. Bharghavan, 1994.
Threats and Vulnerabilities • Active attacks can be divided into the following categories: • Social Engineering • Impersonation • Exploits • Data Driven • Transitive Trust • Infrastructure • Denial of Service. • First 4 are similar in wired and wireless environments and were not discussed in the paper.
Eavesdropping • Very easy in the radio environment. • Equipment is inexpensive and requires little training. • Neither the sender nor the intended recipient has any means to detect the eavesdropping efforts. • If the wireless LAN is inside a building, the eavesdropping could actually occur from an external point. • Ease of eavesdropping justifies quite costly procedures to guarantee confidentiality of network traffic. • All wireless LAN standards attempt to handle this threat with some sort of link level ciphering done by MAC-entities, but this may not be sufficient for applications with higher security requirements.
Transitive Trust • Wireless LANs offer an interface to an attacker requiring no physical arrangements. • A wireless LAN could provide a launch pad for a transitive trust attack. • Attacker fools wireless LAN (base station) into trusting his mobile device. • Attacker uses same hardware. • Once trust is established, entire network is vulnerable to additional malicious activity (even behind a firewall). • Only defense is a strong authentication mechanism. • Discovery of unsuccessful attacks relies on logging of unsuccessful logon attempts (complicated by unsuccessful attempts due to high Bit Error Rates and by mobiles belonging to another co-located wireless LAN).
Transitive Trust cont. • Attacker fools the mobile host into trusting a base station controlled by the attacker. • Mobile host tries to log on first with the base with the strongest signal. • Attacker may actually have the mobile host log in to his network. Very difficult and requires a great deal of knowledge of the mimicked network. • Attacker may just go through the login process to steal passwords, secret keys, etc. • The second case is easier, just requiring compatible equipment. It is also very difficult to detect as mobiles usually do not report unsuccessful logon attempts to upper layers and there are usually a large number of unsuccessful attempts under normal circumstances. • Only defense is an efficient authentication mechanism which allows the mobile host to authenticate without disclosing secret keys or passwords.
Infrastructure • Infrastructure attacks are based on weaknesses in the system: software bugs, configuration mistakes, hardware failures, etc. • Similar to problems in wired LANs. • Protection against this type of attack is nearly impossible. Efforts should be made to minimize potential damage. • While not mentioned in the paper, one of the most serious potential attacks on the infrastructure is theft of resources. Physical security is far more difficult in wireless environments due to the mobile nature of the devices.
Denial of Service • As a result of the nature of radio transmissions, wireless LANs are very vulnerable to DOS attacks. • With a powerful enough transceiver, an attacker can easily generate enough interference to jam communications. • Protection against this type of attack is very difficult and expensive. • On the positive side, it is easy for authorities to locate the source of jamming. • Of course, wired LANs have their own vulnerabilities. You can’t just cut a wire on a wireless LAN. • Paper did not address protocol vulnerabilities for use in DOS.
HIPERLAN • European Telecommunications Standards Institute’s (ETSI) wireless broadband access standard. • Defines the MAC sublayer, the Channel Access Control (CAC) sublayer, and the physical layer. • Specification defines an encryption-decryption based scheme for optional use in the HIPERLAN. • In this scheme, all HM-entities use a common set of shared keys referred to as a HIPERLAN key-set. Each key has a unique key identifier. • Plain text is ciphered by an XOR operation with a random sequence generated by a CONFIDENTIAL algorithm which uses a secret key and an initialization vector as input for every MAC protocol data unit. • ETSI claims that this scheme provides the same level of protection as a wired LAN.
HIPERLAN Evaluation • Impossible to evaluate the protection offered by the HIPERLAN Wired Equivalent Privacy (WEP) because the algorithms are proprietary and unavailable. • Lack of independent or public analysis casts doubt on the strength of the algorithm. • HIPERLAN standard does not define any kind of authentication, which is strange for this type of system. • “Choosing a proprietary system is like going to a doctor who has no medical degree and whose novel treatments (which he refuses to explain) have no support by the American Medical Association. Sure, it’s possible (although highly unlikely) that he’s discovered a totally new branch of medicine, but do you want to be the guinea pig?” Bruce Schneier – Secrets and Lies, 2000. • “Anyone who creates his or her own cryptographic primitive is either a genius or a fool. Given the genius/fool ratio for our species, the odds aren’t very good.” Bruce Schneier – Secrets and Lies, 2000.
IEEE 802.11 • IEEE 802.11 standard defines the physical layers and MAC sublayers for wireless LANs. • IEEE 802.11 defines 2 authentication schemes • Open System Authentication – null authentication. All mobiles requesting access are accepted into the network. • Shared Key Authentication – shared key cryptography is used to authenticate the mobile host. • The base sends a 128 octet long random number to the mobile host encrypted with the shared key. • Mobile decrypts the random number using the same shared key and sends it back to the base. • If the number is correct, the host is admitted. • All mobiles are admitted using same shared key, so the base is able to verify that a mobile belongs to the group, but is not able to identify the particular mobile.
IEEE 802.11 cont. • IEEE 802.11 does not define any key management functions. • An optional Wired Equivalent Privacy (WEP) mechanism to implement confidentiality and end-to-end security is defined. • The IEEE 802.11 WEP uses the RC4 pseudo random number generator algorithm based on a 40 bit secret key and a 24 bit initialization vector (IV) which is sent with data. It also transmits an integrity check vector. • One MPDU frame contains the clear text IV and ICV and the cipher text data block. The receiver is always able to decrypt the cipher block and test the integrity.
IEEE 802.11 Evaluation • The RC4 algorithm from RSA Inc. is not public, but has been studied in independent research laboratories under nondisclosure agreements. No weaknesses have yet been reported. • Secret key is only 40 bits long which is very vulnerable to brute force attack. • Paper states that it “…can be solved by brute-force attack in 2 seconds with $100,000 hardware and 0.2 seconds with $1,000,000 hardware according to 1995 figures;” • The protection level of the WEP cannot be considered strong enough for sensitive applications. • The shared key authentication scheme could be easily fooled using a play-back attack, so an additional authentication method is needed regardless.
Secure Solution – Design Goals • Major requirement – seamless integration into existing wired networks. • Different alternatives to securing a connection: • End-to-end security at the application level. • End-to-end security at the transport layer. • Link security at the link layer. • There are only a few commonly used end-to-end schemes (SSL and SSH), so link security is the only applicable approach if we don’t want to alter the existing network. • Dropping end-to-end mechanisms rules out user authentication, leaving station-to-station authentication. • Two-way authentication. It is important that both base and mobile host authenticate each other. • Authentication should allow identification of mobile hosts. • Allow flexibility to utilize future advances and allow interoperability between all versions of wireless products.
Secure Solution – Design Overview • Solution described in paper requires several modifications for current wireless LAN products and standards. • As a result, implementation of this solution is not currently feasible (at time paper was written). • Hybrid solution: authentication is done using public key cryptography and ciphering of transmission done using shared key cryptography. • Shared keys are created during authentication and may be changed during subsequent transmissions. • Actual cryptographic algorithms are not defined.
Secure Solution – Authorization Nomenclatures
• E(X,Y): Encryption of Y under key X
• MD(X): Message Digest of X
• Pub_CA: Public Key of Certification Authority
• Priv_CA: Private Key of Certification Authority
• Pub_Mobile: Public Key of Mobile Host
• Priv_Mobile: Private Key of Mobile Host
• Pub_Base: Public Key of Base Station
• Priv_Base: Private Key of Base Station
• Cert_Mobile: Certificate of Mobile Host
• Cert_Base: Certificate of Base Station
• Sig(X,Y): Signature of Y with key X, where Sig(X,Y) = E(X, MD(Y))
• Signed(X,Y): Resulting signed message {Y, Sig(X,Y)}
Secure Solution - Authorization • Authorization mechanism uses certificates formatted according to CCITT X.509. • Certificate contains the following: {Serial number, Validity Period, Machine Name, Machine Public Key, CA Name}. • Certificates are signed by certificate authority (CA).
Secure Solution – Authorization Process • Mobile node sends a message to base containing {Cert_Mobile, CH1, List of Shared Key Cryptographic Systems (SKCSs)}. List of SKCSs allows for negotiation of algorithm. CH1 is a randomly generated number. • Base attempts to verify the signature on Cert_Mobile. A valid signature proves that the public key in the certificate belongs to a certified mobile host, but the base cannot yet be sure that the certificate belongs to the host that submitted it. • If valid, base replies by sending a message containing {Cert_Base, {E(Pub_Mobile, RN1), Chosen SKCS, Sig(Priv_Base, {E(Pub_Mobile, RN1), Chosen SKCS, CH1, List of SKCSs})}}. RN1 is a randomly generated number. • The mobile host validates Cert_Base using the public key of the base. The signature is valid and the base is authenticated if the CH1 and the list of SKCSs match those sent by the mobile to the base. Including the list of SKCSs prevents an attacker from jamming the original message and sending his own list of weaker SKCSs.
Secure Solution – Authorization Process cont. • Mobile now sends to the base a message containing {E(Pub_Base, RN2), Sig(Priv_Mobile, {E(Pub_Base, RN2), E(Pub_Mobile, RN1)})}. RN2 is a random number generated by the mobile host. It will use RN1 XOR RN2 as a session key from now on. • The base verifies the signature of the message using Pub_Mobile obtained from Cert_Mobile in the first message. If the signature is valid, the mobile is authenticated and the base decrypts E(Pub_Base, RN2) with its own private key. Now the base can form the session key RN1 XOR RN2. • Session key is formed from 2 RNs sent in 2 messages to gain better protection. As a result, compromising the mobile node’s private key does not compromise all the traffic between the base and the mobile. • Since both keys are random and of equal length, knowing either RN1 or RN2 tells you nothing about the session key.
Secure Solution – Authorization Process • Authentication should be done at the MAC layer before access is granted to the mobile host. • If access is granted before authentication, it may be used as a launch pad even if the authentication request is rejected.
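The three-message exchange above, as an added example that is not code from the paper or the slides. It uses toy textbook RSA with small constructed keys for E and Sig, assumes both certificates have already been verified against Pub_CA, and assumes the base picks the first SKCS in the list it receives; `handshake` and its `in_path` parameter are hypothetical names.

```python
import hashlib
import secrets

def keypair(p, q, e=65537):
    """Toy textbook-RSA key pair (public, private); far too small for real use."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def E(key, m):
    """E(X, Y): raw RSA with key X = (modulus, exponent), no padding."""
    return pow(m, key[1], key[0])

def MD(fields, n):
    """MD(X): SHA-256 of the fields, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(repr(fields).encode()).digest(), "big") % n

def Sig(priv, fields):
    """Sig(X, Y) = E(X, MD(Y))."""
    return E(priv, MD(fields, priv[0]))

def verify(pub, sig, fields):
    return E(pub, sig) == MD(fields, pub[0])

def handshake(offered, in_path=None):
    """Run messages 1-3; return (chosen SKCS, mobile key, base key) or None."""
    # Constructed keys; certificates are assumed already verified against Pub_CA.
    pub_m, priv_m = keypair(2**107 - 1, 2**61 - 1)
    pub_b, priv_b = keypair(2**127 - 1, 2**89 - 1)
    # Message 1, mobile -> base: {Cert_Mobile, CH1, list of SKCSs}
    offered = tuple(offered)
    ch1 = secrets.randbits(64)
    received = tuple(in_path(offered)) if in_path else offered
    # Message 2, base -> mobile: base signs the list exactly as it received it
    rn1 = secrets.randbits(128)
    e_rn1, chosen = E(pub_m, rn1), received[0]  # assumption: base picks first entry
    sig_b = Sig(priv_b, (e_rn1, chosen, ch1, received))
    # Mobile verifies against the CH1 and the list it actually sent
    if not verify(pub_b, sig_b, (e_rn1, chosen, ch1, offered)):
        return None
    # Message 3, mobile -> base: {E(Pub_Base, RN2), Sig(Priv_Mobile, ...)}
    rn2 = secrets.randbits(128)
    e_rn2 = E(pub_b, rn2)
    sig_m = Sig(priv_m, (e_rn2, e_rn1))
    if not verify(pub_m, sig_m, (e_rn2, e_rn1)):
        return None
    # Each side decrypts the other's number and forms RN1 XOR RN2
    return chosen, E(priv_m, e_rn1) ^ rn2, rn1 ^ E(priv_b, e_rn2)
```

When the SKCS list reaching the base differs from the list the mobile sent, the base's signature no longer verifies on the mobile side and the handshake returns None.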
Secure Solution – Integrity and Confidentiality • Confidentiality can be achieved by using some existing symmetric cryptography algorithm (IDEA, DES, etc.) and the session key that has been agreed upon. • The high bit error rate on the radio link may set some limitations on the selected algorithm. • Integrity is achieved by a fingerprint generated by a one-way hash function (MD5, SHA, etc.). • There should be a fingerprint in each MPDU message due to the high packet loss rate in the wireless environment. • There should be some link level ciphering in any case. • To defend against traffic analysis, we must cipher the network layer headers as well.
Secure Solution – Key Change Protocol • Key exchange may be initiated by either end of the communication. • Base initiates: • Base sends a message: Signed(Priv_Base, {E(Pub_Mobile, New_RN1), E(Pub_Mobile, RN1)}). • Mobile responds with message: Signed(Priv_Mobile, {E(Pub_Base, New_RN2), E(Pub_Base, RN2)}). • Mobile host initiates: • Mobile sends to base: Signed(Priv_Mobile, {E(Pub_Base, New_RN2), E(Pub_Base, RN2)}). • Base responds: Signed(Priv_Base, {E(Pub_Mobile, New_RN1), E(Pub_Mobile, RN1)}).
Secure Solution – Key Change Protocol • New value of RN1 XOR RN2 is used as session key. • RN1 is the number generated by the base and RN2 is the number generated by the mobile host. • The old values of RN1 and RN2 are verified against saved values and if they do not match then the key exchange is ignored. • Key exchanges cannot be played back and sequence numbers do not need to be saved.
Secure Solution – Key Management • Key management is tough to implement in a convenient way. • One possible procedure using smart card technology: • CA creates the private and public keys inside the smart card in a manner that the private key is never readable from the smart card. • CA signs the public key with his private key and stores the signed public key on the smart card. • The smart card is given to the end user, who may use the smart card in any wireless LAN mobile host. • In order to avoid reading the private key from the smart card, the public key cryptography must be run inside the card. Therefore, the calculation power of the smart card sets limitations on the efficiency of this approach. • Other methods for key management exist.
Secure Solution – Solution Analysis • The authentication mechanism succeeds in implementing mutual authentication. • Negotiation of the symmetric cryptography algorithm provides some flexibility and allows future enhancements. • Concept does not require any modifications to existing networks. • Solution is designed for maximum security which may limit performance of the network. • There is no end-to-end security offered and this must be handled by upper layers. • Time used for authentication is critical during handover between base stations. • Concept does not support multiple CAs. • Concept has no support for ciphered multicast.