IEMS5710 Mobile and Wireless Network Security
19 March 2013
Prof. CHAN Yuen-Yan, Rosanna
Department of Information Engineering
The Chinese University of Hong Kong

IEMS5710 - Lecture 9

Wi-Fi Alliance
• IEEE 802 committee for LAN standards
• IEEE 802.11 formed in 1990’s
  • charter to develop a protocol & transmission specifications for wireless LANs (WLANs)
• 802.11b first broadly accepted standard
• Wireless Ethernet Compatibility Alliance (renamed into the Wi-Fi Alliance) industry consortium formed 1999
  • to assist interoperability of products
  • created a test suite to certify interoperability
  • initially for 802.11b, later extended to 802.11g
  • concerned with a range of WLANs markets, including enterprise, home, and hot spots

IEEE 802 Protocol Architecture

Network Components & Architecture

802.11 Wireless LAN Security
• wireless traffic can be monitored by any radio in range, not physically connected
• original 802.11 spec had security features
  • Wired Equivalent Privacy (WEP) algorithm
  • but found this contained major weaknesses
• 802.11i task group developed capabilities to address WLAN security issues
  • Wi-Fi Alliance Wi-Fi Protected Access (WPA)
  • final 802.11i Robust Security Network (RSN) (WPA2)

WEP
• Wired Equivalent Privacy
  • is the original wireless security protocol for the 802.11 standard.
  • uses the RC4 stream cipher, using a 64-bit key consisting of:
    • A 24-bit master key
    • A 40-bit initialization vector (IV)
  • It also employs a CRC (Cyclic Redundancy Check) integrity checksum

WEP
• WEP Encryption
  • The IV and master key are applied to an RC4 stream cipher to generate a keystream
  • The keystream is XOR’ed with the plaintext and checksum to produce the ciphertext.

WEP – Security Issue
• Master keys are unlikely to be changed due to key management issues
  • Key must be updated manually
  • (most devices allow the users to enter phrases to generate the key)
• 24 bits of IV are not sufficient to avoid collisions
  • If IVs are assigned randomly, collisions can be expected after 5000 packets

WEP – Security Issue
• Issues:
  • Because RC4 is a stream cipher, the same traffic key must never be used twice (whenever the same IV is used with the same master key, the keystream will be the same as well).
  • The purpose of an IV, which is transmitted as plain text, is to prevent any repetition
  • But collisions of IVs can happen. Packets with the same IV can be identified because IVs are transmitted in plain text (p.7) (also, the master key of the device is unlikely to change)
  • To recover the plaintext from two ciphertexts encrypted with the same keystream:

WPA
• Uses TKIP (Temporal Key Integrity Protocol) for cryptography and authentication
  • Still uses RC4
  • Key management is improved
• Uses 802.1x (Extensible Authentication Protocol) for authentication
• Adds MIC (Message integrity check) and frame counter
• Can operate in two different modes: PSK and Enterprise
  • Pre-Shared Key Mode
    • Does not require authentication server
    • “Shared Secret” is used for authentication to Access Point
    • suffers from similar key-management difficulties to WEP
  • Enterprise Mode
    • Requires an authentication server
    • Uses RADIUS (Remote Authentication Dial In User Service) protocols for authentication and key distribution
    • Centralizes management of user credentials

WPA
• How WPA Addresses the WEP Vulnerabilities
  • 1. Extended 48-bit IV and IV Sequencing Rules
    • 2^48 is a large number! More than 500 trillion
    • Sequencing rules specify how IVs are selected and verified
  • 2. A Message Integrity Code (MIC) called Michael
    • Designed for deployed hardware
    • Requires use of active countermeasures
  • 3. Key Derivation and Distribution
    • Initial random number exchanges defeat man-in-the-middle attacks
  • 4. Temporal Key Integrity Protocol generates per-packet keys

Wi-Fi Protected Access 2 – WPA2
• Uses the Advanced Encryption Standard (AES)
  • Symmetric-key block cipher using 128-bit keys.
• Generates CCM Protocol (CCMP):
  • CCMP = CTR + CBC + MAC
  • CTR = Counter Mode Encryption
  • CBC/MAC = Cipher Block Chaining/Message Authentication Code

802.11i RSN (Robust Security Network) Services and Protocols (WPA2)

802.11i RSN Cryptographic Algorithms

802.11i Phases of Operation

5 Phases of Operation
• Discovery:
  • An AP uses messages (Beacons) and Probe Responses to advertise its IEEE 802.11i security policy
  • The STA (wireless station) uses these to identify an AP for a WLAN with which it wishes to communicate
  • The STA associates with the AP, which it uses to select the cipher suite and authentication mechanism when the Beacons and Probe Responses present a choice
• Authentication:
  • the STA and AS prove their identities to each other
  • The AP blocks non-authentication traffic between the STA and AS until the authentication transaction is successful

5 Phases of Operation (Cont’)
• Key generation and distribution
  • The AP and the STA perform several operations that cause cryptographic keys to be generated and placed on the AP and the STA
• Protected data transfer
  • Frames are exchanged between the STA and the end station through the AP
• Connection termination
  • The AP and STA exchange frames
  • During this phase, the secure connection is torn down and the connection is restored to the original state

802.11i Discovery and Authentication Phases

IEEE 802.1X Access Control Approach Distribution system

802.11i Key Management Phase

802.11i Key hierarchy

802.11i Protected Data Transfer Phase
• A 64-bit Michael message integrity code (MIC) is calculated using CBC-MAC
• Have two schemes for protecting data
  • Temporal Key Integrity Protocol (TKIP)
    • Use RC4 stream cipher for encryption
    • encrypts the data unit plus MIC value using RC4
    • Requires only software changes for older WEP devices
  • Counter Mode-CBC MAC Protocol (CCMP)
    • Uses AES (in CTR block cipher mode) for encryption
    • The MIC is used for integrity

UMTS AKA
• Universal Mobile Telecommunications System (UMTS) is the third generation (3G) mobile communications standard
• Its specification includes the Authentication and Key Agreement (AKA) for authentication and key exchange
• Entities
  • Home Environment (HE)
    • Provides a set of services to users associated with a subscription
    • At the HE side, the AKA procedure is carried out by the home location register (HLR)
  • Subscriber
    • An entity that has an association with a home environment and is responsible for the payment of charges to that home environment
    • A subscriber uses a mobile station (MS) to access network services
  • Serving Network (SN)
    • Provides mobile communication services on behalf of home environments
    • At the SN side, the AKA procedure is carried out by the visitor location register (VLR) (a base station)

UMTS Security Architecture

UMTS AKA
• UMTS Entities
[Figure labels: AKA, SN, HE, VLR, HLR, MS, Eavesdroppers]

UMTS AKA
• Goal of UMTS AKA
  • To achieve the following between the VLR and MS
  • (MS and the HE have a shared secret, K; HE offers MS the expected values derived from K)
  • Mutual authentication (based on values derived with K)
    • VLR corroborates the user identity of the MS
    • MS corroborates that it is connected to an SN authorized by its HE
  • Key Establishment
    • Establishment of cipher key (CK) for data confidentiality
    • Establishment of integrity key (IK) for message integrity
• The MS and HLR share a long-term secret key
• Has 5 key generation functions to generate temporary CKs and IKs

UMTS AKA
• Two Main Procedures
  • Distribution of Authentication Data from HE to SN
    • Takes place when the MS first visits an SN and registers, or when all previously generated authentication vectors (AVs), which include the cipher keys [CKs] and integrity keys [IKs], of a registered MS have been used up
    • HLR provides the VLR an array of fresh AVs to perform a number of subsequent MS authentications
    • VLR generates a TMSI (Temporary mobile subscriber identity) to MS
  • Authentication and Key Agreement
    • Takes place when mutual authentication, and a common cipher key and integrity key between MS and VLR, are required
    • Needs Distribution of Authentication Data from HE to SN
    • MS and VLR mutually authenticate each other
    • Establish pair keys: CK and IK

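The two procedures above as an added example, not part of the original lecture: it follows the message flow of the 3GPP security architecture (TS 33.102) and goes beyond the slide in spelling out RAND, XRES, AUTN and the sequence number SQN. HMAC-SHA256 stands in for the five key generation functions f1 to f5 and the AMF field is omitted; both are simplifying assumptions, as are all function and class names.

```python
import hashlib
import hmac
import os

def f(k: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for f1..f5 (assumption): HMAC-SHA256 under K, one label per function."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hlr_make_av(k: bytes, sqn: int) -> dict:
    """HE/HLR: build one authentication vector (AV) to hand to the VLR."""
    rand, sqn_b = os.urandom(16), sqn.to_bytes(6, "big")
    mac = f(k, b"f1", sqn_b + rand, 8)            # lets the MS authenticate the network
    ak = f(k, b"f5", rand, 6)                     # anonymity key conceals SQN
    return {"RAND": rand, "AUTN": xor(sqn_b, ak) + mac,
            "XRES": f(k, b"f2", rand, 8),
            "CK": f(k, b"f3", rand, 16), "IK": f(k, b"f4", rand, 16)}

class MobileStation:
    def __init__(self, k: bytes):
        self.k, self.highest_sqn, self.ck, self.ik = k, 0, None, None

    def respond(self, rand: bytes, autn: bytes) -> bytes:
        """MS: verify AUTN (network authentication), derive CK/IK, return RES."""
        sqn_b, mac = xor(autn[:6], f(self.k, b"f5", rand, 6)), autn[6:]
        if not hmac.compare_digest(mac, f(self.k, b"f1", sqn_b + rand, 8)):
            raise ValueError("MAC failure: AUTN was not produced with K")
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.highest_sqn:
            raise ValueError("SQN not fresh: authentication vector replayed")
        self.highest_sqn = sqn
        self.ck, self.ik = f(self.k, b"f3", rand, 16), f(self.k, b"f4", rand, 16)
        return f(self.k, b"f2", rand, 8)

def vlr_authenticate(av: dict, ms: MobileStation) -> bool:
    """SN/VLR: send (RAND, AUTN), accept the MS if RES equals XRES. The VLR never sees K."""
    return hmac.compare_digest(ms.respond(av["RAND"], av["AUTN"]), av["XRES"])

if __name__ == "__main__":
    K = bytes(range(16))                          # constructed long-term secret
    ms = MobileStation(K)
    av = hlr_make_av(K, sqn=1)
    print("mutual authentication:", vlr_authenticate(av, ms))
    print("CK/IK agree:", ms.ck == av["CK"] and ms.ik == av["IK"])
```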
References
• William Stallings, Cryptography and Network Security Principles and Practices, 5/e, Pearson, Chapter 17
• J.W. Pope, “WEP and 802.11i”, 5/6/2004
• 3GPP Specification (3rd Generation Partnership (3GPP); Technical Specification Group (TSG) SA; 3G Security; Security Architecture, v6.0.0, September 2003)